
CEHv8 module 03 scanning networks


Document information

Pages: 172
Size: 8.33 MB

Contents


Scanning Networks

Module 03

Security News

Oct 18 2012

Saliently Sality Botnet Trapped Scanning IPv4 Address Space

A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study, published by Paritynews.com, on October 10, 2012.

Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks.

Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space, devoid of being recognized. That's the only reason the technique uses a very small number of packets that come from various sources.

The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing in the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case, from various sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012).

Ethical Hacking and Countermeasures Copyright © by EC-Council

Module 03 Page 264

According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one.

According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet uses classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.

Module Objectives

Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance where the attacker learns more about his/her target, such as what operating system is used, the services that are being run on the systems, and configuration lapses if any can be identified. The attacker can then strategize his/her attack, factoring in these aspects.

This module will familiarize you with:

- Overview of Network Scanning
- Use of Proxies for Attack


Overview of Network Scanning

[Figure: the attacker sends TCP/IP probes into the network and gets network information back]

Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network.

Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.

Objectives of Network Scanning

- To discover live hosts, IP address, and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts

As we already discussed, footprinting is the first phase of hacking in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because here you will gather only the primary information about the target. You can use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using highly complex and aggressive reconnaissance techniques is called scanning.

The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as what operating system is used, what services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.

Types of Scanning

- Port scanning - Open ports and services
- Network scanning - IP addresses
- Vulnerability scanning - Presence of known weaknesses


In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more the ports are open, the more points of vulnerability, and the fewer the ports open, the more secure the system is. This is simply a general rule. In some cases, the level of vulnerability may be high even though few ports are open.

Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their targets' operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems.

Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what type of information to be achieved during the scanning process entirely depends on the hacker's viewpoint. There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase:

- Discovering live hosts, IP address, and open ports of live hosts running on the network
- Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
- Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.


- Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
- Detecting the associated network service of each port


[Module flow diagram: Live Systems, Open Ports, Beyond IDS, Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing]

The first step in scanning the network is to check for live systems.

This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools.


Checking for Live Systems

- Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
- This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

[Figure: an ICMP Echo Request is sent to the destination 192.168.168.5, which answers with an ICMP Echo Reply]

[Screenshot: Zenmap ping scan of 192.168.168.5. Nmap 6.01 (http://nmap.org) report started 2012-08-08 13:02 EDT: host is up (0.00s latency), MAC address vendor Dell, 1 IP address (1 host up) scanned in 0.10 seconds; host list 192.168.168.1, 192.168.168.3, 192.168.168.5, 192.168.168.15]

However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option. It can also be helpful to tweak the ping timeout value with the -T option.

ICMP Query

The UNIX tool ICMP query or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses.

ICMPquery has both a timestamp and address mask request option:

icmpquery <query> [-B] [-f fromhost] [-d delay] [-T time] target


Where <query> is one of:

- -t: icmp timestamp request (default)
- -m: icmp address mask request
- -d: delay to sleep between packets is in microseconds.
- -T: specifies the number of seconds to wait for a host to respond. The default is 5.

A target is a list of hostnames or addresses.

FIGURE 3.2: ICMP Query Diagram

Ping Scan Output Using Nmap

Source: http://nmap.org

Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending the ICMP ECHO requests to all the hosts on the network. If the host is live, then the host sends an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

The following screenshot shows the sample output of a ping scan using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:

FIGURE 3.3: Zenmap Showing Ping Scan Output


Ping Sweep

- Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.
- Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet.
- Attackers then use ping sweep to create an inventory of live systems in the subnet.

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers). While a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts.

If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods to scan a network. This utility is distributed across almost all platforms, and acts like a roll call for systems; a system that is live on the network answers the ping query that is sent by another system.


[Figure: ping sweep, ICMP Echo Requests sent to 192.168.168.5 and 192.168.168.6, each live host answering with an ICMP Echo Reply]

To understand ping, you should be able to understand the TCP/IP packet. When a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet for completing a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address.

Source: http://nmap.org

Using Nmap Security Scanner you can perform ping sweep. Ping sweep determines the IP addresses of live hosts. This provides information about the live host IP addresses as well as their MAC address. It allows you to scan multiple hosts at a time and determine active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
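From the defender's side, the two probe patterns described in the ICMP Query and Ping Sweep sections leave a recognisable trace in firewall or flow logs. The following Python detector is an added illustration (not code from the CEH module): it flags a source that sends ICMP ECHO requests to many distinct hosts inside a short window, and any ICMP type 13 (timestamp) or type 17 (address mask) request, over constructed flow records; the record layout, the addresses and the thresholds are assumptions.

```python
"""Detect ping sweeps and ICMP timestamp / address-mask queries in flow records.

Added example, not part of the CEH module. A record is a simplified
(timestamp, src, dst, icmp_type) tuple of the kind a firewall or
NetFlow/IPFIX export would give; all addresses below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13      # the query icmpquery -t sends
ICMP_ADDRESS_MASK_REQUEST = 17   # the query icmpquery -m sends
INFO_QUERY_TYPES = {ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST}


@dataclass(frozen=True)
class IcmpRecord:
    ts: float        # seconds since epoch
    src: str
    dst: str
    icmp_type: int


def detect_ping_sweeps(records, window=10.0, min_hosts=8):
    """Return {src: max_distinct_hosts} for every source that sent ICMP echo
    requests to at least `min_hosts` distinct destinations within `window`
    seconds.  Thresholds are assumptions; tune them to the monitored subnet."""
    recent = defaultdict(deque)   # src -> (ts, dst) of its recent echo requests
    flagged = {}
    for rec in sorted(records, key=lambda r: r.ts):
        if rec.icmp_type != ICMP_ECHO_REQUEST:
            continue
        q = recent[rec.src]
        q.append((rec.ts, rec.dst))
        # drop requests that fell out of the sliding window
        while q and rec.ts - q[0][0] > window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= min_hosts:
            flagged[rec.src] = max(flagged.get(rec.src, 0), len(distinct))
    return flagged


def detect_info_queries(records):
    """Return (src, dst, icmp_type) for timestamp and address-mask requests.
    These reveal time zone and netmask and have no routine use, so most
    border filters drop them outright."""
    return [(r.src, r.dst, r.icmp_type) for r in records
            if r.icmp_type in INFO_QUERY_TYPES]


# Constructed sample: 10.0.0.99 sweeps 10.0.0.1-10.0.0.20 in about two seconds
# and then sends one timestamp request; 10.0.0.5 pings a single host three times.
SAMPLE = (
    [IcmpRecord(1000.0 + i * 0.1, "10.0.0.99", f"10.0.0.{i}", ICMP_ECHO_REQUEST)
     for i in range(1, 21)]
    + [IcmpRecord(1003.0, "10.0.0.99", "10.0.0.3", ICMP_TIMESTAMP_REQUEST)]
    + [IcmpRecord(1000.0 + i, "10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST)
       for i in range(3)]
)

if __name__ == "__main__":
    print("ping sweeps:", detect_ping_sweeps(SAMPLE))
    print("info queries:", detect_info_queries(SAMPLE))
```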


[Screenshot: Zenmap ping sweep, Nmap 6.01 (http://nmap.org) started 2012-08-08; hosts 192.168.168.1, 192.168.168.3, 192.168.168.5 and 192.168.168.14 reported with "Host is up (0.00s latency)"]

FIGURE 3.5: Zenmap showing ping sweep output


Ping Sweep Tools

SolarWinds Engineer Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.

Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.

Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done using ping sweep tools. There are a number of ping sweep tools readily available in the market using which you can perform ping sweeps easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to multiple hosts at a time. Angry IP Scanner and Solarwinds Engineer's Toolset are a few commonly used ping sweep tools.

is multiple ports scanning, configuring scanning columns. Its main goal is to find the active hosts in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.


[Screenshot: Angry IP Scanner, IP Range 10.0.0.1 to 10.0.0.50; 10.0.0.1 (1 ms, port 80) and 10.0.0.2 (0 ms, ports 80, 135, 139) answered, the remaining addresses show n/a]

FIGURE 3.6: Angry IP Scanner Screenshot

Solarwinds Engineer's Toolset

Source: http://www.solarwinds.com

The Solarwinds Engineer's Toolset is a collection of network engineer's tools. By using this toolset you can scan a range of IP addresses and can identify the IP addresses that are in use currently and the IP addresses that are free. It also performs reverse DNS lookup.

FIGURE 3.7: Solarwinds Engineer's Toolset Screenshot


In addition to Solarwinds Engineer's Toolset and Angry IP Scanner, there are many other tools that feature ping sweep capabilities. For example:

- Colasoft Ping Tool available at http://www.colasoft.com
- Visual Ping Tester - Standard available at http://www.pingtester.net
- Ping Scanner Pro available at http://www.digilextechnologies.com
- Ultra Ping Pro available at http://ultraping.webs.com
- PingInfoView available at http://www.nirsoft.net
- PacketTrap MSP available at http://www.packettrap.com
- Ping Sweep available at http://www.whatsupgold.com
- Network Ping available at http://www.greenline-soft.com
- Ping Monitor available at http://www.niliand.com
- Pinkie available at http://www.ipuptime.net


So far we discussed how to check for live systems. Open ports are the doorways for an attacker to launch attacks on systems. Now we will discuss scanning for open ports.

This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as FIN scan, SYN scan, and so on.


Three-Way Handshake

TCP uses a three-way handshake to establish a connection between server and client.

Three-way Handshake Process

1. The Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set.
2. The server replies with a packet with both the SYN and the ACK flag set.
3. For the final step, the client responds back to the server with a single ACK packet.
4. If these three steps are completed without complication, then a TCP connection is established between the client and the server.

TCP is connection-oriented, which implies connection establishment is principal prior to data transfer between applications. This connection is possible through the process of the three-way handshake. The three-way handshake is implemented for establishing the connection between protocols.

The three-way handshake process goes as follows:

- To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21).
- The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a SYN/ACK packet back to the source.
- This ACK packet confirms the arrival of the first SYN packet to the source.
- In conclusion, the source sends an ACK packet for the ACK/SYN packet sent by the destination.
- This triggers an "OPEN" connection allowing communication between the source and the destination, until either of them issues a "FIN" packet or a "RST" packet to close the connection.


The TCP protocol maintains stateful connections for all connection-oriented protocols across the Internet, and works the same as an ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until a person picks up the receiver and says, "Hello."

[Figure: Three-way Handshake]

Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4), this option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake.

1 2.0785 NTW3 --> BDC3 TCP .S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: .S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session S
TCP: Sequence Number = 8221822 (0x7D747E)
TCP: Acknowledgement Number = 0 (0x0)


Frame 2:

In the second step, the server, BDC3, sends an ACK and a SYN on this segment (TCP A S.). In this segment the server is acknowledging the request of the client for synchronization. At the same time, the server is also sending its request to the client for synchronization of its sequence numbers. There is one major difference in this segment. The server transmits an acknowledgement number (8221823) to the client. The acknowledgement is just proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and uses it as its acknowledgement number.

TCP: Sequence Number = 1109645 (0x10EE8D)
TCP: Acknowledgement Number = 8221823 (0x7D747F)


Frame 3:

In the third step, the client sends an ACK on this segment (TCP A). In this segment, the client is acknowledging the request from the server for synchronization. The client uses the same algorithm the server implemented in providing an acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection, thus the three-way handshake.


TCP Communication Flags

Standard TCP communications are controlled by flags in the TCP packet header.

Standard TCP communications monitor the TCP packet header that holds the flags. These flags govern the connection between hosts, and give instructions to the system. The following are the TCP communication flags:

- Synchronize alias "SYN": SYN notifies transmission of a new sequence number
- Acknowledgement alias "ACK": ACK confirms receipt of transmission, and identifies next expected sequence number
- Push alias "PSH": System accepting requests and forwarding buffered data
- Urgent alias "URG": Instructs data contained in packets to be processed as soon as possible
- Finish alias "FIN": Announces no more transmissions will be sent to remote system
- Reset alias "RST": Resets a connection

SYN scanning mainly deals with three of the flags, namely, SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
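To make the flag bits above and the sequence/acknowledgement arithmetic of the three-way handshake frames concrete, here is an added Python illustration (not code from the module or from any tool it names). It packs and decodes a minimal RFC 793 TCP header with struct, replays the SYN / SYN-ACK / ACK exchange with the sequence numbers quoted in the frame traces (client ISN 8221822, server ISN 1109645), and checks whether the exchange completed, which is what distinguishes a real connection from the half-open SYN/SYN-ACK pair a SYN scan leaves behind. The checksum is left at zero (it needs the IP pseudo-header) and the ports are the slide's 62000 and 21.

```python
"""TCP flag bits and three-way handshake sequence arithmetic (added example)."""
import struct

# Flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {URG: "URG", ACK: "ACK", PSH: "PSH", RST: "RST", SYN: "SYN", FIN: "FIN"}

# src port, dst port, seq, ack, data offset byte, flags byte, window, checksum, urgent ptr
_TCP_HDR = "!HHIIBBHHH"


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Return a 20-byte TCP header without options; checksum stays 0 here
    because computing it requires the IP pseudo-header."""
    data_offset = 5 << 4            # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack(_TCP_HDR, src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return the set of flag names set in a raw TCP header."""
    flags_byte = struct.unpack(_TCP_HDR, header[:20])[5]
    return {name for bit, name in FLAG_NAMES.items() if flags_byte & bit}


def three_way_handshake(client_isn, server_isn):
    """Return the handshake as (sender, flags, seq, ack) tuples.
    Each side acknowledges the other's initial sequence number plus one,
    exactly as frames 1-3 in the trace show (8221822 -> ack 8221823)."""
    syn = ("client", {"SYN"}, client_isn, 0)
    syn_ack = ("server", {"SYN", "ACK"}, server_isn, client_isn + 1)
    ack = ("client", {"ACK"}, client_isn + 1, server_isn + 1)
    return [syn, syn_ack, ack]


def is_complete_handshake(segments):
    """True when the three segments carry the right flags and the ack
    numbers chain correctly.  A SYN followed only by a SYN/ACK (the
    half-open state a SYN scan leaves) returns False."""
    if len(segments) != 3:
        return False
    (_, f1, s1, _), (_, f2, s2, a2), (_, f3, s3, a3) = segments
    return (f1 == {"SYN"} and f2 == {"SYN", "ACK"} and f3 == {"ACK"}
            and a2 == s1 + 1 and s3 == s1 + 1 and a3 == s2 + 1)


if __name__ == "__main__":
    # Walk the exchange from the slide: 10.0.0.2:62000 -> 10.0.0.3:21
    for sender, flags, seq, ack in three_way_handshake(8221822, 1109645):
        port_pair = (62000, 21) if sender == "client" else (21, 62000)
        bits = sum(bit for bit, name in FLAG_NAMES.items() if name in flags)
        hdr = build_tcp_header(*port_pair, seq, ack, bits)
        print(f"{sender:6s} {sorted(parse_tcp_flags(hdr))} seq={seq} ack={ack}")
```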


[Figure: TCP header layout (0-31 bits), including the Acknowledgement No, TCP Checksum, Urgent Pointer and Options fields]

FIGURE 3.9: TCP Communication Flags


Create Custom Packet Using TCP Flags

Colasoft Packet Builder

[Screenshot: Colasoft Packet Builder packet editor showing the decoded fields of a crafted packet]

packets to bypass firewalls and IDS systems

editor, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.


[Screenshot: Colasoft Packet Builder, Packet No 4, showing the Ethernet and IP header fields of the crafted packet]

Scanning IPv6 Network

IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy.

IPv6 increases the size of IP address space from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques will be computationally less feasible due to larger search space (64 bits of host address space or 2^64 addresses) provided by IPv6 in a subnet. Scanning an IPv6 network is more difficult and complex than IPv4 and also major scanning tools such as Nmap do not support ping sweeps on IPv6 networks.

Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. Scanning IPv6 network, however, offers a large number of hosts in a subnet; if an attacker can compromise one host in the subnet he can probe the "all hosts" link local multicast address.


Scanning Tool: Nmap

Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions.


Hping2 / Hping3 UrtifW CEHitkMl lUikw

J Command line packet crafter for the TCP/IP protocol

J Tool for security auditing and testing firewall and networks

J Runs on both Windows and Linux operating systems

H p i n g 2 / H p i n g 3

Source: h ttp ://w w w h p in g o rg

Hping2/Hping3 is a command-line-oriented TCP/IP packet assembler/analyzer that sends ICMP echo requests and supports the TCP, UDP, ICMP, and raw-IP protocols. It has a traceroute mode and enables you to send files between covert channels. It has the ability to send custom TCP/IP packets and to display target replies the way a ping program does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer encapsulated files under the supported protocols. It supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services.

An attacker studies the behavior of an idle host to gain information about the target, such as the services that the host offers, the ports supporting the services, and the operating system of the target. This type of scan is a predecessor to either heavier probing or outright attacks.

Features:

The following are some of the features of Hping2/Hping3:

• Determines whether the host is up even when the host blocks ICMP packets
• Advanced port scanning and testing of network performance using different protocols, packet sizes, TOS, and fragmentation


• Manual path MTU discovery
• Firewalk-like usage allows discovery of open ports behind firewalls
• Remote OS fingerprinting
• TCP/IP stack auditing

ICMP Scanning

A ping sweep, or Internet Control Message Protocol (ICMP) scanning, is the process of sending an ICMP request (ping) to all hosts on the network to determine which ones are up.

This protocol is used by operating systems, routers, switches, and other internet-protocol-based devices via the ping command, with Echo request and Echo response serving as a connectivity tester between

[Figure 3.12 output: hping3 -1 (ICMP mode) run against a host on eth1; 18 ICMP echo replies with ttl=128, id=25908 to 25925, icmp_seq=0 to 17, and rtt values in the low-millisecond range]

FIGURE 3.12: Hping3 tool showing ICMP scanning output
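A ping sweep of the kind shown above is easy to spot on the defending side: one source sends echo requests to many distinct addresses in a short time, while ordinary monitoring pings the same few hosts over and over. The script below is an added example and not part of the CEH module or of hping; the log line format (timestamp, source -> destination, ICMP type), the addresses and the thresholds are all constructed assumptions, so adapt LOG_RE to whatever firewall or flow log you actually have.

```python
"""Ping-sweep detection over constructed ICMP log lines (added example, not CEH module code).

The log line format (ISO timestamp, src -> dst, icmp type=N) is an assumption
chosen to resemble a generic firewall or flow log; adapt LOG_RE to a real source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One record per ICMP packet: ISO timestamp, source -> destination, ICMP type.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+icmp\s+type=(?P<type>\d+)$"
)


def _constructed_sample():
    """Build constructed (not captured) log lines covering three behaviours."""
    lines = []
    # A sweeper: one source sends echo requests to 12 addresses within 6 seconds.
    for i in range(12):
        lines.append(f"2024-01-01T10:00:{i // 2:02d} 192.0.2.10 -> 10.0.0.{i + 1} icmp type=8")
    # A monitoring host: pings the same server repeatedly and gets echo replies (type 0).
    for i in range(3):
        lines.append(f"2024-01-01T10:01:{i * 10:02d} 192.0.2.20 -> 10.0.0.5 icmp type=8")
        lines.append(f"2024-01-01T10:01:{i * 10:02d} 10.0.0.5 -> 192.0.2.20 icmp type=0")
    # A slow sweep: 10 addresses, one echo request per minute.
    for i in range(10):
        lines.append(f"2024-01-01T10:{10 + i:02d}:00 192.0.2.30 -> 10.0.0.{i + 1} icmp type=8")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()


def parse_icmp_log(text):
    """Return (timestamp, src, dst, icmp_type) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["type"])))
    return events


def detect_ping_sweeps(events, window_seconds=60, min_hosts=8):
    """Flag sources whose echo requests reach at least min_hosts distinct destinations
    inside any window of window_seconds. Returns {src: max_distinct_hosts}."""
    per_src = defaultdict(list)
    for ts, src, dst, icmp_type in events:
        if icmp_type == 8:  # only echo requests count; replies are not probes
            per_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, reqs in per_src.items():
        reqs.sort()
        best, start = 0, 0
        for end in range(len(reqs)):
            # Slide the window start forward until the span fits in the window.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in reqs[start:end + 1]}))
        if best >= min_hosts:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, hosts in detect_ping_sweeps(parse_icmp_log(SAMPLE_LOG)).items():
        print(f"possible ping sweep from {src}: {hosts} distinct hosts probed")
```

With the default 60-second window only the fast sweeper is reported; the source that probes one address per minute stays under the threshold, which is the usual trade-off between window size and false negatives. Widening the window to ten minutes catches the slow sweep as well, at the cost of more noise from legitimate monitoring.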

ACK Scanning on Port 80

You can use this scan technique to probe for the existence of a firewall and its rule sets. Simple packet filtering will allow you to establish a connection (packets with the ACK bit set), whereas a sophisticated stateful firewall will not allow you to establish a connection.

The following screenshot shows ACK scanning on port 80 using the Hping3 tool:


FIGURE 3.13: Hping3 tool showing ACK scanning output
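The difference between the two firewall types in the text comes down to whether the filter remembers connections. A stateless ACL that admits any inbound TCP segment with the ACK bit set (the classic "established" shortcut) forwards an unsolicited ACK to the host, which answers with RST as RFC 793 requires, so the sender learns the port is not filtered. A connection-tracking filter drops the same segment because it matches no flow. The model below is an added example, not CEH module code or a real firewall; the addresses, ports and the two small filter classes are constructed assumptions.

```python
"""Stateless vs. stateful filtering of an unsolicited ACK probe (added example,
not CEH module code). Addresses and ports are constructed; the filter classes
are deliberately small models, not a real firewall implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


class StatelessFilter:
    """Stateless ACL that admits inbound TCP only when the ACK bit is set
    (the classic 'established' approximation): it cannot tell a reply
    from an unsolicited ACK."""
    def outbound(self, pkt):
        return True

    def inbound_allowed(self, pkt):
        return "ACK" in pkt.flags


class StatefulFilter:
    """Connection-tracking filter: inbound TCP is admitted only when it belongs to
    a flow that was opened from the inside (simplified state machine)."""
    def __init__(self):
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == frozenset({"SYN"}):
            self.flows.add(key)       # new connection initiated from inside
        elif "RST" in pkt.flags:
            self.flows.discard(key)   # connection aborted; stop admitting replies
        return True

    def inbound_allowed(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return False              # no matching flow: unsolicited, dropped
        if pkt.flags == frozenset({"SYN"}):
            return False              # a fresh SYN is never part of an existing flow
        return True


INSIDE_HOST = "10.0.0.5"        # constructed
PROBE_SOURCE = "198.51.100.7"   # constructed


def ack_probe_result(fw, dport=80):
    """Outcome of an unsolicited ACK to dport on INSIDE_HOST through filter fw.

    RFC 793: a host answers an ACK that belongs to no connection with RST,
    whether the port listens or not. A RST seen by the sender therefore means
    the packet reached the host ('unfiltered'); silence means it was dropped
    ('filtered'). The probe never learns whether the port is open."""
    probe = Packet(PROBE_SOURCE, INSIDE_HOST, 40000, dport, frozenset({"ACK"}))
    return "unfiltered" if fw.inbound_allowed(probe) else "filtered"


def legitimate_reply_allowed(fw):
    """Check that the filter still admits the SYN/ACK for a connection the inside
    host opened itself (the traffic the ACK-only ACL was meant to permit)."""
    server = "203.0.113.9"   # constructed
    fw.outbound(Packet(INSIDE_HOST, server, 51000, 443, frozenset({"SYN"})))
    synack = Packet(server, INSIDE_HOST, 443, 51000, frozenset({"SYN", "ACK"}))
    return fw.inbound_allowed(synack)


if __name__ == "__main__":
    for fw in (StatelessFilter(), StatefulFilter()):
        name = type(fw).__name__
        print(f"{name}: ACK probe to port 80 -> {ack_probe_result(fw)}; "
              f"legitimate SYN/ACK admitted -> {legitimate_reply_allowed(fw)}")
```

Both filters admit the SYN/ACK that answers a connection the inside host opened, so both "work" for normal traffic; only the stateful one refuses the bare ACK, which is why the text says the stateful firewall gives the ACK scan nothing to work with.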


The following table lists various scanning methods and the respective Hping commands:

Intercept all traffic containing HTTP

TABLE 3.1: Hping Commands Table

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Scanning Techniques

• TCP Connect / Full Open Scan
• Stealth Scans
• IDLE Scan
• ICMP Echo Scanning/List Scan
• SYN/FIN Scanning Using IP Fragments
• UDP Scanning
• Inverse TCP Flag Scanning
• ACK Flag Scanning

Different types of scanning techniques employed include:

• TCP Connect / Full Open Scan
• Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan
• IDLE Scan
• ICMP Echo Scanning/List Scan
• SYN/FIN Scanning Using IP Fragments
• Inverse TCP Flag Scanning
• ACK Flag Scanning
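Several of the techniques listed above (XMAS, FIN, NULL, SYN/FIN and the inverse TCP flag scans) rely on flag combinations that no legitimate TCP connection produces, which makes them a natural signature for an IDS rule or a packet-capture review. The classifier below is an added example, not CEH module code; it names the probe type for a flag set and counts, per source, how many distinct ports were hit with such probes. The packet records, addresses and the port threshold are constructed assumptions.

```python
"""Classify TCP flag combinations that characterise stealth and inverse-flag
probes, and count them per source (added example, not CEH module code).
The packet records are constructed, not captured; the thresholds are assumptions."""
from collections import defaultdict


def classify_flags(flags):
    """Name the probe type for a TCP flag set, or None when the combination is one a
    normal connection produces (SYN, SYN/ACK, ACK, PSH/ACK, FIN/ACK, RST, ...)."""
    f = frozenset(flags)
    if not f:
        return "NULL scan"
    if f == {"FIN"}:
        return "FIN scan"
    if f == {"FIN", "PSH", "URG"}:
        return "XMAS scan"
    if {"SYN", "FIN"} <= f:
        return "SYN/FIN scan"            # mutually exclusive flags set together
    if not (f & {"SYN", "ACK", "RST"}):
        return "inverse TCP flag probe"  # no SYN/ACK/RST: not a valid handshake or data segment
    return None


def find_flag_scanners(records, min_ports=5):
    """Group anomalous probes by source and report sources that hit at least
    min_ports distinct (destination, port) pairs.
    Returns {src: {"ports": n, "probe_types": set_of_names}}."""
    ports = defaultdict(set)
    kinds = defaultdict(set)
    for src, dst, dport, flags in records:
        kind = classify_flags(flags)
        if kind is None:
            continue
        ports[src].add((dst, dport))
        kinds[src].add(kind)
    return {src: {"ports": len(p), "probe_types": kinds[src]}
            for src, p in ports.items() if len(p) >= min_ports}


def _constructed_records():
    """Constructed packet records as (src, dst, dport, flags); not captured traffic."""
    r = []
    scanner, target = "198.51.100.7", "10.0.0.5"
    for p in (21, 22, 23, 25, 80, 443):            # XMAS probes across six ports
        r.append((scanner, target, p, frozenset({"FIN", "PSH", "URG"})))
    r.append((scanner, target, 8080, frozenset()))   # plus one NULL probe
    client = "192.0.2.5"                             # an ordinary HTTPS session
    for fl in ({"SYN"}, {"ACK"}, {"PSH", "ACK"}, {"FIN", "ACK"}):
        r.append((client, target, 443, frozenset(fl)))
    r.append(("192.0.2.9", target, 22, frozenset({"FIN"})))   # one stray FIN, under threshold
    return r


SAMPLE_RECORDS = _constructed_records()


if __name__ == "__main__":
    for src, info in find_flag_scanners(SAMPLE_RECORDS).items():
        print(f"{src}: {info['ports']} ports probed using {sorted(info['probe_types'])}")
```

A single malformed segment is not worth an alert on its own (stray FINs from broken stacks do occur), so the per-source port count is what separates the scanner from the noise; a TCP Connect or SYN scan uses only valid flags and needs a different detector, such as counting SYNs to closed ports.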


The following is the list of important reserved ports:


Service        Port/Protocol   Description
bootpc         68/udp          bootp client
auth/ident     113/tcp         Authentication Service
netbios-dgm    138/tcp         NETBIOS Datagram Service
netbios-dgm    138/udp         NETBIOS Datagram Service
imap           143/udp         Internet Message Access Protocol
at-rtmp        201/tcp         AppleTalk Routing Maintenance
at-rtmp        201/udp         AppleTalk Routing Maintenance
at-zis         206/tcp         AppleTalk Zone Information
imap3          220/tcp         Interactive Mail Access Protocol v3
imap3          220/udp         Interactive Mail Access Protocol v3
netware-ip     396/tcp         Novell Netware over IP
netware-ip     396/udp         Novell Netware over IP
ntalk          518/udp         SunOS talkd(8)
kerberos-adm   749/tcp         Kerberos Administration
kerberos-adm   749/udp         Kerberos Administration
kerberos       750/tcp         kdc Kerberos authentication (tcp)
kerberos-mas
kerberos-mas


Posted: 14/04/2017, 09:06
