
Page 1: faculty.scf.edufaculty.scf.edu/bodeJ/CIS2352/Supplemental Chapter... · Web viewSuper Network Tunnel Tool is a two-way http tunnel software that connects two computers. It operates

  3.1 Understand the term port scanning, network scanning, and vulnerability scanning

Exam Focus: Understand the term port scanning, network scanning, and vulnerability scanning. Objective includes:

Understand the objectives of scanning.
Learn the CEH scanning methodology.

  Scanning

Scanning refers to a set of procedures used to identify hosts, ports, and services in a network. Along with enumeration, it is one of the first phases of hacking. A hacker uses scanning as a method of intelligence gathering to create a profile of the target organization.

Types of scanning:

Port scanning: the use of a software application to probe a server or host for open ports by sending a series of messages; an attacker trying to break into a computer uses it to learn about the computer's network services.

Vulnerability scanning: the use of automated software designed to proactively assess computers, computer systems, networks or applications for weaknesses.

Network scanning: a procedure used to identify the active hosts on a network.

  Port scanning

Port scanning is the process by which an attacker connects to TCP and UDP ports to find the services and applications running on the target system. In port scanning, data packets are sent to a port to gather information about it.

Port scanning tools:

Floppyscan: is a hacking tool that is used for port scanning. It uses a floppy disk to perform port scanning from a computer. Floppyscan uses Bootsup mini Linux, which displays a blue screen. Floppyscan uses the nmap tool to port scan the network. After performing the port scan, it sends the results by e-mail to a remote server.

Icmpenum: is a port scanner that uses not only ICMP Echo packets to probe networks, but also ICMP timestamp and ICMP information packets. Besides this, it supports spoofing and promiscuous listening for reply packets. This tool is useful for enumerating networks that have blocked ICMP Echo packets.

  Vulnerability scanning

Vulnerability scanning is a process in which a penetration tester uses various tools to assess computers, computer systems, networks, or applications for weaknesses. There are different types of vulnerability scanners available today, distinguished from one another by a focus on particular targets. While the functionality varies between different types of vulnerability scanners, they share a common core purpose of enumerating the vulnerabilities present in one or more targets. Vulnerability scanners are a core technology component of vulnerability management.

SAINT:

SAINT (Security Administrator's Integrated Network Tool) is a vulnerability scanning tool. It collects information about the type of OS running on a system and the ports that are open. The network vulnerabilities can be detected by attackers on any remote target in a non-intrusive manner.

  Network scanning

Network scanning includes using a port scanner to identify all hosts connected to an organization's network. Examples of the network services operating on those hosts are FTP and HTTP, with IIS or Apache providing the HTTP service. The outcome of the scan is a list of active hosts and services, printers, switches, and routers. Network scanning can also disrupt network operations, as it consumes bandwidth.

Network scanning tools:

Visio LANsurveyor: automatically discovers the network and generates comprehensive and easy-to-view network maps that can be exported into Microsoft Office. The following are the features of LANsurveyor:

o It automatically discovers and diagrams the network topology.
o It produces network maps in Microsoft Office Visio.
o It detects new devices and modifications in the network topology.
o It performs inventory management for hardware and software assets.
o It directly addresses PCI compliance and other regulatory requirements.

Netcat: is a freely available networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat has the following features:

o It provides outbound and inbound connections for TCP and UDP ports.
o It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters.
o It is also a good port scanner.
o It contains advanced usage options, such as buffered send mode (one line every N seconds) and a hexdump (to stderr or to a specified file) of transmitted and received data.
o It includes an optional RFC 854 Telnet code parser and responder.

The common Netcat switches are as follows:

Command           Description
nc -d             Detaches Netcat from the console.
nc -l -p [port]   Creates a simple listening TCP port; adding -u puts it in UDP mode.
nc -e [program]   Redirects stdin/stdout from a program.
nc -z             Used for port scanning.
nc -g or nc -G    Specifies source routing flags.
nc -t             Used for Telnet negotiation.
nc -w [timeout]   Sets a timeout before Netcat automatically quits.
nc -v             Puts Netcat into verbose mode.

Security Manager Plus: is a network security scanner that is used to report on network vulnerabilities, help remediate them, and ensure compliance. It is also used to protect a network from security threats and malicious attacks with vulnerability scanning, patch management, open ports detection, and vulnerability reporting capabilities.

  Objectives of scanning

To detect the live systems running on the network
To discover which ports are active/running
To discover the OS running on the target system (also known as fingerprinting)
To discover the services running/listening on the system
To discover the IP address of the target system

  CEH scanning methodology

1. Check for live systems.
2. Check for open ports.
3. Grab system banners.
4. Scan for vulnerabilities.
5. Draw network diagrams.
6. Prepare proxies.

  Scanning tools

The following are some important scanning tools:

Global Network Inventory: It is a flexible software and hardware inventory system that can be used as an audit scanner in agent-free and zero deployment environments. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc.

Advanced Port Scanner: It is used to check a computer for open ports that could be used in attacks against the computer. It uses multithreading to scan ports very quickly. It also contains descriptions for common ports. Advanced Port Scanner can also scan predefined port ranges.

MegaPing: It provides all the essential network utilities for information system specialists, system administrators, or individuals. It also includes a comprehensive security scanner, a host and port monitor, and network utilities. All these scanners can scan individual computers, domains, any range of IP addresses, selected types of computers inside domains, and user-specified host lists.

Network Inventory Explorer: It allows administrators to quickly generate complete hardware and software inventory of all Windows-based computers and SNMP network devices. It can create the inventory database with the hardware installed on remote computers. It also creates reports on the availability of particular software programs.

SuperScan: It is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the hostname of the remote system. It can also be used as an enumeration tool for the following:

o NetBIOS information
o User and Group Accounts information
o Network shares
o Trusted Domains
o Services probing

Other tools include AWPTA, AWSPS UDP scanner, Net Tools Suite Pack, Netifera, Network Inventory Explorer, Nscan, Komodia's PacketCrafter, xCat Portscan, IP Tools, PhatScan and many others.

  3.2 Understand ping sweeping, firewalk tool, and nmap command switches

Exam Focus: Understand ping sweeping, firewalk tool, and nmap command switches. Objective includes:

Understand ping sweep techniques.
Understand the firewalk tool.
Gain knowledge of Nmap command switches.

  Ping sweeping

Ping sweeping is a technique used to ping a batch of devices and to get the list of active devices. While not the most accurate, the simplest way to determine whether systems are live is to perform a ping sweep of the IP address range. All systems that respond with a ping reply are considered live on the network. A ping sweep is also known as Internet Control Message Protocol (ICMP) scanning, as ICMP is the protocol used by the ping command. This technique is favored by hackers, as otherwise pinging every address on the network would be a very time-consuming and tedious task. Ping sweeping, on the other hand, can be run in parallel, such that all systems are scanned at the same time. As one might imagine, this technique can scan an entire network in a short period of time. Upon being pinged, the remote system sends an ICMP ECHO reply message, which indicates that it is alive. If the attacker does not get any response, it means that the target does not exist, the target system is slow, or the ICMP protocol is disabled.

  Ping sweep tools

Angry IP Scanner
SolarWinds Engineer's Toolset
Colasoft Ping Tool
Ping Scanner Pro
SolarWinds Standard Edition
Ultra Ping Pro
Utility Ping
PingInfoView
Visual Ping Tester
PacketTrap pt360

  Ping scan

During a ping scan, ICMP ECHO requests are sent to a host. When the host is live, it returns an ICMP ECHO reply. This scan is useful for the following purposes:

Locating active devices
Determining if ICMP is passing through a firewall

Source          Destination     Summary
192.168.168.3   192.168.168.5   ICMP: Echo
192.168.168.5   192.168.168.3   ICMP: Echo Reply

  Detecting ping sweeps

Almost any Intrusion Detection System (IDS), such as Snort, Genius, BlackICE and others, will detect a ping, as will an Intrusion Prevention System (IPS). Once detected, the tools will alert the security administrator to a ping sweep occurring on the network. Most firewalls and proxy servers block ping responses, so a hacker can't accurately determine whether systems are available using a ping sweep alone. More intense port scanning must be used if systems don't respond to a ping sweep. Just because a ping sweep doesn't return any active hosts on the network doesn't mean they aren't available; you need to try an alternate method of identification. Remember, hacking takes time, patience, and persistence.

  Firewalk

Firewalk is a scanning tool like traceroute that attempts to determine what layer 4 protocols a given IP forwarding device will pass. It sends out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, no response message is sent.

  Firewalking

Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that it is ineffective if an administrator blocks ICMP packets from leaving the network.

  Nmap and its command switches

Nmap is an active information-gathering tool. The nmap utility, also commonly known as a port scanner, is used to view the open ports on a Linux computer. It is used by administrators to determine which services are available to external users. This utility helps administrators decide whether to disable the services that are not being used in order to minimize security risk. Network administrators can use Nmap for the following purposes:

Maintaining network inventory
Managing service upgrades
Monitoring host or service uptime
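The "Detecting ping sweeps" passage above says an IDS will notice a sweep; the following Python is an added example (not from the study guide, and not the logic of Snort or any other product named there) of the rule such a detector applies: a source that sends ICMP Echo requests to many distinct destinations within a short window is treated as sweeping. The ICMP records, addresses, window and threshold are all constructed for the example.

```python
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Constructed ICMP records: (timestamp in seconds, source, destination, ICMP type).
# 192.168.168.3 pings one host (the exchange shown in the ping scan table above);
# 10.0.0.200 sweeps eight addresses within a second; 10.0.0.77 probes three
# hosts ten seconds apart, the slow-sweep case a rate rule can miss.
SAMPLE_ICMP = [
    (0.0, "192.168.168.3", "192.168.168.5", ICMP_ECHO_REQUEST),
    (0.1, "192.168.168.5", "192.168.168.3", ICMP_ECHO_REPLY),
] + [
    (10.0 + 0.1 * i, "10.0.0.200", f"10.0.0.{i + 1}", ICMP_ECHO_REQUEST) for i in range(8)
] + [
    (20.0 + 10.0 * i, "10.0.0.77", f"10.0.0.{20 + i}", ICMP_ECHO_REQUEST) for i in range(3)
]


def detect_ping_sweeps(records, window=5.0, threshold=5):
    """Flag every source that sends Echo requests to at least `threshold` distinct
    destinations inside any `window`-second span.
    Returns {source: peak number of distinct targets seen in one window}."""
    recent = defaultdict(deque)   # source -> (timestamp, destination) pairs still in the window
    alerts = {}
    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type != ICMP_ECHO_REQUEST:
            continue                # replies and other ICMP types are not probing
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()             # drop probes that fell out of the window
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    print("default rule (5 targets in 5 s):", detect_ping_sweeps(SAMPLE_ICMP))
    print("slow-sweep tuning (3 targets in 60 s):",
          detect_ping_sweeps(SAMPLE_ICMP, window=60.0, threshold=3))
```

The second run shows the caveat: the 10.0.0.77 probes stay under a five-in-five-seconds rule, so window and threshold have to be tuned against the site's baseline of legitimate monitoring pings; a wider window catches slow sweeps but raises false positives from ordinary monitoring tools.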

  Common NMAP switches

-sT TCP Connect() scan
-sS SYN scan
-sF FIN scan
-sX Xmas-Tree scan
-sN NULL scan
-sI Dumb scan (also called an idle scan)
-sA ACK scan

Some more NMAP options are as follows:

-P0: Do not try to ping hosts before scanning them.
-PP: Uses the ICMP timestamp request (ICMP type 13) packet to find listening hosts.
-6: Enables IPv6 support.
-oN logfilename: Sends the output in human-readable format to the file of your choice.
-oX logfilename: Same as -oN, but sends the output to the log file in XML format.
-oG logfilename: Same as -oN, but stores all the results on a single line for querying through the grep program.
--append_output: Appends the output to the existing log files instead of overwriting them.
-p: Specifies the port number(s) to scan.
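The -oG output described above is meant to be searched with grep, which also makes it easy to post-process. As an added example (not code from the study guide or from the Nmap project), here is a small Python parser that turns grepable output into a host inventory and compares it with an allow-list of the open ports each host is expected to have, which is how an administrator uses the "scan your own address space" countermeasure later in this chapter. The sample output, hosts and allow-list are constructed; the line layout follows Nmap's documented grepable format (one "Host:" line per host with tab-separated fields, each port written as port/state/protocol/owner/service/rpcinfo/version/).

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable (-oG) output. Addresses, ports and
# service strings are made up for this illustration; the layout follows the
# grepable format: "Host: <ip> (<name>)\t<Field>: <value>\t..." with every
# port written as port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = (
    "# Nmap scan initiated as: nmap -sS -p 1-1024 -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//ExampleSSH 1.2/, "
    "80/open/tcp//http///\tIgnored State: closed (1022)\n"
    "Host: 192.0.2.2 (files.example.test)\tStatus: Up\n"
    "Host: 192.0.2.2 (files.example.test)\tPorts: 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (1021)\n"
    "# Nmap done: 8 IP addresses (2 hosts up) scanned\n"
)

# Constructed allow-list: the open (port, protocol) pairs each host is expected to expose.
BASELINE = {
    "192.0.2.1": {(22, "tcp"), (80, "tcp")},
    "192.0.2.2": {(22, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Parse -oG lines into {ip: {"hostname": str, "up": bool, "ports": [dict, ...]}}.
    Comment lines (#) and anything that is not a 'Host:' line are ignored."""
    hosts = defaultdict(lambda: {"hostname": "", "up": False, "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts[ip]
        if name:
            entry["hostname"] = name
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")      # port/state/proto/owner/service/rpcinfo/version/
                    entry["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6] if len(parts) > 6 else "",
                    })
    return dict(hosts)


def unexpected_open_ports(hosts, allowed):
    """Return (ip, port, proto, service) for every open port that is not on the host's
    allow-list; a host missing from `allowed` is treated as allowed nothing."""
    findings = []
    for ip, entry in sorted(hosts.items()):
        permitted = allowed.get(ip, set())
        for p in entry["ports"]:
            if p["state"] == "open" and (p["port"], p["proto"]) not in permitted:
                findings.append((ip, p["port"], p["proto"], p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for ip, entry in sorted(inventory.items()):
        open_ports = [f"{p['port']}/{p['proto']}" for p in entry["ports"] if p["state"] == "open"]
        print(f"{ip:<12} {entry['hostname'] or '-':<20} up={entry['up']} open={open_ports}")
    for ip, port, proto, service in unexpected_open_ports(inventory, BASELINE):
        print(f"UNEXPECTED: {ip} {port}/{proto} ({service})")
```

Run against real output, the interesting lines are the UNEXPECTED ones: in the constructed sample they are Telnet and RDP on 192.0.2.2, exactly the kind of service that a quarterly self-scan is meant to surface before an outsider's scan does.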

  3.3 Understand scans

Exam Focus: Understand scans. Objective includes:

SYN
Stealth
XMAS
NULL
IDLE
FIN
ICMP Echo
List
TCP Connect/Full Open
FTP Bounce
UDP
Reverse Ident
RPC

  TCP SYN scanning

TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:

1. An attacker sends a SYN packet to the target port.
2. If the port is open, the attacker receives a SYN/ACK message.
3. The attacker then breaks the connection by sending an RST packet.
4. If an RST packet is received instead, it indicates that the port is closed.

This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection, and most sites do not log incomplete TCP connections.

  TCP SYN/ACK scanning

In TCP SYN/ACK scanning, an attacker sends a SYN/ACK packet to the target port. If the port is closed, the victim assumes that this packet was mistakenly sent by the attacker and sends an RST packet back. If the port is open, the SYN/ACK packet is ignored and the port drops the packet. TCP SYN/ACK scanning is a stealth scan, but some intrusion detection systems can detect it.

  Stealth scan

Stealth scanning techniques are used by attackers to bypass firewall rules and logging mechanisms and to disguise their traffic as normal network traffic. The client sends a single SYN packet to the server on the appropriate port. The server responds with a SYN/ACK packet if the port is open. The remote port is in the 'closed' state if the server responds with an RST packet. To close the initiation before a connection can ever be established, the client sends an RST packet.

  Xmas scan

An Xmas scan sends a TCP frame to a remote device with the following flags set:

URG
ACK
RST
SYN
FIN

  Xmas Tree scanning

Xmas Tree scanning is the opposite of NULL scanning: in Xmas Tree scanning, all flags are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with an RST packet. Active monitoring of all incoming packets can help network administrators detect an Xmas Tree scan.

  NULL scan

The NULL scan only works if the OS's TCP/IP implementation follows RFC 793. It does not work against any current version of Microsoft Windows. In the NULL scan, attackers send a TCP frame with no flags set to a remote host.

  IDLE scan

The IDLE scan is initiated with the IP address of a third party; hence, it is the only totally stealthy scan. Since the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the hacker.

  Steps during IDLE scan

The following steps are taken during an IDLE scan:

1. Send a SYN/ACK packet to the zombie machine in order to probe its IP ID number. Every IP packet on the Internet has a fragment identification number (IP ID) that is a 4 digit number. Each time a host sends an IP packet, the IP ID increases.
2. The zombie, not expecting a SYN/ACK packet, sends an RST packet, disclosing its IP ID.
3. Analyze the RST packet from the zombie machine in order to extract the IP ID.
4. Send a SYN packet to the target machine (port 80), spoofing the IP address of the "zombie".
5. The target sends an RST to the "zombie" if the port is closed, but the zombie does not send anything back.
6. Probe the "zombie" IP ID again.

  FIN scan

The FIN scan sends a TCP frame with the FIN flag set to a remote device. The FIN scan only works with TCP/IP stacks developed according to RFC 793. The FIN scan does not work against any current version of Microsoft Windows.

  TCP FIN scanning

TCP FIN scanning is a type of stealth scanning in which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends an RST packet back. If the port is open, the FIN packet is ignored and the port drops the packet. TCP FIN scanning is useful only for identifying ports of non-Windows operating systems, because Windows operating systems send only RST packets irrespective of whether the port is open or closed.

  ICMP echo scanning

ICMP echo scanning can be used to find which hosts in a network are up by pinging them all. Since ICMP does not have a port abstraction, ICMP port scanning is not really port scanning.

  ICMP Source Quench

ICMP Source Quench is an Internet Control Message Protocol message that requests the sender to decrease the rate of messages sent to a router or host. This message may be generated if the router or host does not have sufficient buffer space to process the request, or if the router or host's buffer is approaching its limit.

  TCP FTP proxy (bounce attack) scanning

In TCP FTP proxy (bounce attack) scanning, a scanner connects to an FTP server and requests that the server start a data transfer to a third system. The scanner uses the FTP PORT command to declare that the data-transfer process is listening on the target system at a certain port number. The scanner then uses the FTP LIST command to list the current directory; the result is sent via the server. If the data transfer succeeds, it is clear that the port is open. If the port is closed, the attacker receives a "connection refused" ICMP error message.

  List scan

The list scan simply lists the IP addresses that would normally be actively scanned. The list scan neither pings the hosts nor sends a TCP ACK to the default port number.

  TCP Connect/Full Open scan

The TCP Connect scan completes the three-way handshake to detect whether a port is open. It establishes a full connection and then sends an RST packet to tear the connection down.

  UDP port scanning

In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote port is open, no such error is generated. Since so many firewalls block TCP port scanning, UDP port scanning may be useful to retrieve information about open ports. Certain IDSs and firewalls can detect UDP port scanning easily.

  Reverse ident scan

In the reverse ident scan, the attacker takes advantage of the ident protocol to get the username of the owner of any process. The ident protocol allows for the disclosure of the username of the owner of any process connected via TCP, even if that process did not initiate the connection.

  RPC scan

The RPC (Remote Procedure Call) scan is used to find RPC applications. After getting the RPC application port with the help of another port scanner, the RPC port scanner sends a null RPC packet to all the open RPC service ports on the target system.

  IP protocol scan

The IP protocol scan is used to search for additional IP protocols, such as ICMP, TCP, and UDP. The IP protocol scan locates uncommon IP protocols that may be in use on a system. Such protocols are often found on routers and switches configured with additional IP protocol support, such as EGP or IGP. If a hacker locates these additional protocols, it helps in determining whether the destination device is a workstation, a printer, or a router. A hacker can do IP protocol scanning easily with the nmap -sO switch.

  Inverse TCP flag scanning

Attackers send TCP probe packets with the FIN, URG, and PSH flags set, or with no flags. No response implies that the port is open, and RST/ACK implies that the port is closed.

  ACK flag scanning

Attackers send an ACK probe packet with a random sequence number. No response implies that the port is filtered (a stateful firewall is present), and an RST response implies that the port is not filtered.

  Scanning countermeasures

The following are scanning countermeasures:

Configure firewall and IDS rules to detect and block probes.
Use a custom rule set to lock down the network.
Hide sensitive information from public view.
Block unwanted ports at the firewall.
Filter inbound ICMP message types and all outbound ICMP type 3 (unreachable) messages at border routers and firewalls.
Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques.
Understand the network configuration and its accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space.

  IDS evasion techniques

The following are IDS evasion techniques:

Use fragmented IP packets.
Spoof your IP address when launching attacks and sniff responses from the server.
Use source routing if possible.
Connect to proxy servers or compromised trojaned machines in order to launch attacks.

  IP fragmentation tools

IP fragmentation is the process of breaking up a single IP datagram into multiple packets of smaller size. Datagrams can be fragmented into pieces small enough to pass over a link with a smaller Maximum Transmission Unit (MTU) than the original datagram size. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector. Here are a few IP fragmentation tools:

Fragtest: Determines the types of the fragmented ICMP messages that are processed and responded to by the remote host.

Fragroute: is a tool used to fragment packets before transmission. It can intercept, modify, or rewrite traffic destined for any specific host and can be used to perform attacks such as fragmentation, overlap, overwrite, etc. This tool is used for testing vulnerabilities in IDSs and firewalls. It is also used by attackers for evading an IDS, since in most cases fragmented packets can bypass IDSs and firewalls.

  3.4 Learn TCP communication flag types, and gain knowledge of War dialing techniques

Exam Focus: Learn TCP communication flag types, and gain knowledge of War dialing techniques. Objective includes:

Understand the three-way handshake.
Learn TCP communication flag types.
Gain knowledge of War dialing techniques.

  Three-way handshake method

The three-way handshake method is used by the TCP protocol to establish a connection between a client and a server. It involves three steps:

1. In the first step of the three-way handshake method, a SYN message is sent from a client to the server.

2. In the second step of the three-way handshake method, SYN/ACK is sent from the server to the client.

3. In the third step of the three-way handshake method, ACK (usually called SYN-ACK-ACK) is sent from the client to the server. At this point, both the client and server have received an acknowledgment of the TCP connection.

  TCP communication flags

TCP communication flags are used to communicate between two systems using the TCP protocol. An attacker can use these flags to learn whether or not a particular port is open. The following are the types of TCP communication flags:

SYN (Synchronize): This flag initiates a connection between hosts.
ACK (Acknowledge): This flag establishes a connection between hosts.
PSH (Push): This flag indicates that the system is forwarding buffered data.
URG (Urgent): This flag indicates that data in packets must be processed quickly.
FIN (Finish): This flag indicates that there should not be any more transmissions.
RST (Reset): This flag resets the connection.
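The flags listed above are what the SYN, Xmas, NULL, FIN and ACK scans described earlier in this chapter manipulate, and the three-way handshake is what separates a half-open SYN scan from a real connection. As an added example (not code from the study guide), the Python below decodes a TCP flag byte, names the probe type a lone unsolicited segment resembles, and walks a constructed capture to sort each source's traffic into completed handshakes, half-open SYN/SYN-ACK/RST exchanges and flag probes, which is the view a defender's packet monitor needs. The flag bit values are those of the TCP header; the hosts, ports and packet sequence are made up.

```python
from collections import defaultdict

# TCP flag bits in the order they sit in the header's flag byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def flag_names(flags):
    """Decode a flag byte into the names of the flags that are set, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def classify_probe(flags):
    """Name the scan a single unsolicited segment resembles, or None for ordinary traffic."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags in (FIN | PSH | URG, ALL_FLAGS):   # Nmap's Xmas flags, or every flag lit
        return "XMAS"
    if flags == ACK:
        return "ACK"
    return None


def analyse(packets):
    """Walk segments (src, dst, sport, dport, flags) in capture order and summarise, per
    source: completed handshakes, half-open SYN/SYN-ACK/RST exchanges, and flag probes."""
    state = {}   # (client, server, sport, dport) -> handshake state
    report = defaultdict(lambda: {"established": 0, "half_open": 0, "probes": []})
    for src, dst, sport, dport, flags in packets:
        key = (src, dst, sport, dport)
        if flags == SYN:                                           # handshake step 1
            state[key] = "syn_sent"
        elif flags == SYN | ACK:                                   # step 2, from the server
            reply_key = (dst, src, dport, sport)
            if state.get(reply_key) == "syn_sent":
                state[reply_key] = "syn_received"
        elif flags == ACK and state.get(key) == "syn_received":    # step 3 completes it
            state[key] = "established"
            report[src]["established"] += 1
        elif flags & RST and state.get(key) == "syn_received":     # client aborts instead
            state[key] = "half_open"
            report[src]["half_open"] += 1
        else:
            kind = classify_probe(flags)
            if kind:
                report[src]["probes"].append((dport, kind))
    return dict(report)


# Constructed capture: 10.0.0.5 completes a normal connection to 10.0.0.9:80, while
# 10.0.0.66 half-opens port 22, hits closed port 23, then sends NULL, Xmas and FIN probes.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 40001, 80, SYN),
    ("10.0.0.9", "10.0.0.5", 80, 40001, SYN | ACK),
    ("10.0.0.5", "10.0.0.9", 40001, 80, ACK),
    ("10.0.0.5", "10.0.0.9", 40001, 80, PSH | ACK),
    ("10.0.0.66", "10.0.0.9", 50001, 22, SYN),
    ("10.0.0.9", "10.0.0.66", 22, 50001, SYN | ACK),
    ("10.0.0.66", "10.0.0.9", 50001, 22, RST),
    ("10.0.0.66", "10.0.0.9", 50002, 23, SYN),
    ("10.0.0.9", "10.0.0.66", 23, 50002, RST | ACK),
    ("10.0.0.66", "10.0.0.9", 50003, 80, 0),
    ("10.0.0.66", "10.0.0.9", 50004, 443, FIN | PSH | URG),
    ("10.0.0.66", "10.0.0.9", 50005, 25, FIN),
]

if __name__ == "__main__":
    for src, summary in analyse(SAMPLE_PACKETS).items():
        print(src, summary)
```

The server's own replies (SYN/ACK, RST/ACK to the closed port) never count against it, and a SYN followed by an RST from the client is recorded as half-open rather than as a connection, which is why a monitor that only logs established sessions, as the "TCP SYN scanning" passage notes, never sees this scan.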

  Sequence number

A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over the network, it is broken into fragments (packets) at the source and reassembled at the destination system. Each packet contains a sequence number that is used by the destination system to reassemble the data packets in the correct order. Each time a system boots, it has an initial sequence number (ISN), e.g. 1. After every second, the ISN is incremented by 128,000. When the system connects to another system and establishes a connection, the ISN is incremented by 64,000. For example, if a host has the ISN 1,254,332,454 and the host sends one SYN packet, the ISN value will be incremented by 1, i.e., the new ISN will be 1,254,332,455.

Condition                         Increment in the ISN value
Transfer of a SYN packet          1
Transfer of a FIN packet          1
Transfer of an ACK packet         0
Transfer of a SYN/ACK packet      1
Transfer of a FIN/ACK packet      1
Passage of 1 second               128,000
Establishment of one connection   64,000

  HPING3

HPING3 is a multi-purpose tool that can be used for various types of port scanning, including idle scanning. The commands used for various types of scanning are as follows:

ICMP ping: hping3 -1 192.168.1.1
ACK scan on port 8080: hping3 -A 192.168.1.1 -p 8080
UDP scan on port 8080: hping3 -2 192.168.1.1 -p 8080
Collecting the initial sequence number: hping3 192.168.1.100 -Q -p 139 -s
SYN scan on ports 50-100: hping3 -8 50-100 -S 192.168.1.1 -V
FIN, PUSH, and URG scan on port 80: hping3 -F -P -U 192.168.1.1 -p 80
Scan an entire subnet for hosts: hping3 -1 192.168.1.x --rand-dest -I eth0
Intercept all traffic containing an HTTP signature: hping3 -9 HTTP -I eth0
IDLE scan: hping3 192.168.1.1 -r

  War dialer

A war dialer is a tool used to scan thousands of telephone numbers to detect vulnerable modems that could provide unauthorized access to a system. THC-Scan, ToneLoc, and PhoneSweep are some good examples of war dialer tools. There are various war dialing tools, such as THC Scan, TeleSweep Secure, ToneLoc, iWar, ShokDial, Visual NetTools, etc.

  War dialing

War dialing is a technique in which an attacker uses a modem to automatically scan a list of telephone numbers, usually by dialing every number in a local area code, to search for computers, bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers (malicious hackers who specialize in computer security) for password guessing. Sandtrap can detect war dialing attempts and immediately inform the administrator that it is being called or connected to, through an HTTP POST to a Web server.

War dialing is a risk in the following situations:

- When your modems reveal banners with their identity
- When there is unknown open access to a legacy system
- When your authorized modems are susceptible to a break-in using a war dialer
- When someone inside your organization has attached a modem to your network
- When you are at risk by not conducting regular audits across your organization
- When your modems still have default manufacturer passwords

The following are war dialing tools:

- WarVOX
- PhoneSweep
- THC Scan
- TeleSweep Secure
- PAW/PAWS
- ToneLoc
- iWar
- Plax Network Suite
- ShokDial
- Visual NetTools

  Countermeasures of War dialing

- Developing and implementing security policies
- Conducting a manual reconnaissance of the network
- Using phone numbers completely different from internal PBX numbers
- Checking auto answer configurations on the modem
- Logging all successful and failed login attempts
- Documenting floor plans and all your equipment

  3.5 Understand banner grabbing using fingerprinting and other techniques and tools
Exam Focus: Understand banner grabbing using fingerprinting and other techniques and tools. Objective includes:

- Understand banner grabbing.
- Understand OS fingerprinting.
- Understand active stack fingerprinting.
- Understand passive fingerprinting and other techniques and tools.

  Banner grabbing
Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use it to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP): ports 80, 21, and 25, respectively. Tools commonly used to perform banner grabbing are Telnet, which is included with most operating systems, and Netcat.

For example, one could establish a connection to a target host running a Web service with netcat, then type a minimal HTTP request (a HEAD request followed by a blank line) in order to get information about the service on the host:

    [root@prober] nc www.targethost.com 80
    HEAD / HTTP/1.1

    HTTP/1.1 200 OK
    Date: Mon, 11 May 2009 22:10:40 EST
    Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
    Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
    ETag: "1986-69b-123a4bc6"
    Accept-Ranges: bytes
    Content-Length: 1110
    Connection: close
    Content-Type: text/html

The administrator can now catalog this system; an intruder now knows which version of Apache to look for exploits against.

  Banner grabbing tools
The following are banner grabbing tools:
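The same grab done programmatically, as an added example (Python, not code from the chapter and not ID Serve or Netcraft): a socket-based HEAD request equivalent to the netcat session, plus a parser that pulls the product, version, and OS comments out of the Server header. The response text in SAMPLE_RESPONSE is constructed from the session above, not a real capture.

```python
"""Banner grabbing and Server-header parsing.

Added example, not from the chapter and not ID Serve or Netcraft code.
grab_http_banner() does over a socket what the netcat session above does
by hand; parse_headers() and parse_server_header() extract the product
and version that an attacker would feed into an exploit search, and that
an administrator would use to inventory the host. SAMPLE_RESPONSE is a
constructed response modelled on the one shown above, not a capture.
"""
import re
import socket
from typing import Dict, List, Optional


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a minimal HEAD request and return the raw status line + headers.

    HTTP/1.1 requires a Host header; the bare 'HEAD / HTTP/1.1' typed into
    netcat above is rejected with 400 by servers that enforce this (the
    error response still carries a Server header, so the banner leaks anyway).
    """
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    raw = buf.decode("latin-1", errors="replace")
    return raw.split("\r\n\r\n", 1)[0]


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a status line + header block into a dict with lower-cased names."""
    lines = raw.split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


_COMMENT = re.compile(r"\(([^)]*)\)")


def parse_server_header(server: Optional[str]) -> Dict[str, List]:
    """Split a Server header into product/version pairs and comments.

    'Apache/2.0.46 (Unix) (Red Hat/Linux)' yields product Apache, version
    2.0.46, and the parenthesised comments, which frequently name the OS.
    A missing header (masked server) yields empty lists.
    """
    if not server:
        return {"products": [], "comments": []}
    comments = _COMMENT.findall(server)
    products = []
    for token in _COMMENT.sub(" ", server).split():
        name, _, version = token.partition("/")
        products.append({"product": name, "version": version or None})
    return {"products": products, "comments": comments}


def fingerprint(raw_headers: str) -> Dict:
    """Summarize what a banner reveals: server, version, OS hint, framework."""
    headers = parse_headers(raw_headers)
    info = parse_server_header(headers.get("server"))
    info["status"] = headers["status"]
    info["powered_by"] = headers.get("x-powered-by")  # e.g. PHP/ASP.NET version
    return info


# Constructed response, modelled on the netcat session above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 11 May 2009 22:10:40 EST\r\n"
    "Server: Apache/2.0.46 (Unix) (Red Hat/Linux)\r\n"
    "Last-Modified: Thu, 16 Apr 2009 11:20:14 PST\r\n"
    "ETag: \"1986-69b-123a4bc6\"\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 1110\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

Run it against a host you are authorized to test with grab_http_banner(host) and pass the result to fingerprint(). An empty products list is itself a finding: the server has been configured to suppress or mask its banner, which is exactly the countermeasure the pen-test report at the end of this chapter recommends.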

ID Serve: It is used to identify the make, model, and version of server software of any Web site. It is also used to identify non-HTTP (non-Web) Internet servers such as FTP, SMTP, POP, NEWS, etc.


Netcraft: It reports a site's operating system, Web server, and netblock owner, and if present, a graphical view of the time since last reboot for every computer serving the site.

  File extensions
File extensions reveal the underlying server technology (.asp points to ASP on IIS, .php to PHP, .jsp to a Java servlet container). Attackers use this information to search for vulnerabilities in that technology and to launch attacks. The application mappings can be changed so that dynamic pages are served with a neutral extension such as .htm, or an arbitrary one such as .foo, to mask the identity of the server. IIS administrators use tools such as PageXchanger to manage the file extension mappings.

Hiding file extensions is considered good practice for concealing the technology that generates dynamic pages, although it does not change other fingerprintable behaviour such as response headers and error pages.

  OS fingerprinting
OS fingerprinting is the process of determining the operating system (OS) of a remote system from the way its TCP/IP stack behaves. OS detection matters because, once the target's OS is known, the attacker can narrow the search to exploits and configuration weaknesses that apply to it. Fingerprinting compares the packets sent by the target system against a database of known stack behaviours; the analysis gives the attacker a strong hint as to which operating system the remote system is running. There are two types of fingerprinting techniques:

1. Active fingerprinting
2. Passive fingerprinting

In active fingerprinting, the attacker sends crafted probes (ICMP messages and TCP segments with unusual flag combinations) to the target system; the details of the responses reveal which OS the remote system is running. In passive fingerprinting, the attacker sends nothing and instead observes the target's normal traffic: the initial TTL (inferred from the observed TTL and the likely hop count), window size, and TCP options reveal the OS of the remote system.

  Methods of active OS fingerprinting
The most common methods of active OS fingerprinting are as follows:

ICMP error message quoting: Since different operating systems quote different types of information in the ICMP error message, an attacker can easily identify the operating system of a remote host by analyzing the ICMP error message quotes.

ICMP error message quenching: Some operating systems rate-limit the ICMP error messages they send. An attacker sends a burst of UDP packets to a random unused port of a remote host and counts how many ICMP port-unreachable replies come back in a given interval; the reply rate reveals the operating system's rate-limiting policy and thus the operating system.

Window size: Many operating systems use a unique window size value in all outgoing data packets, so the operating system of a remote host can be easily identified by an attacker after analyzing the window size value.

Studying ISN: Many operating systems follow a particular sequence of ISN. Hence, analyzing ISN is a good clue about the operating system for an attacker.

Sending FIN packets to open ports on the remote system: RFC 793 says a bare FIN sent to an open port with no established connection should be ignored, but some stacks, notably Windows, reply with an RST instead. Whether an RST comes back is therefore a good hint to an attacker about which operating system the remote host is running.


  Methods of passive OS fingerprinting
In passive OS fingerprinting, an attacker places a sniffer at a point that sees the victim's traffic, such as a router the victim communicates through frequently, or simply sniffs the traffic the victim sends to the attacker's own machine. The attacker then studies the sniffer's log and derives hints about the remote OS from the following parameters:

- TTL values: the Time To Live value of the packets sent by the host; each OS starts from a characteristic initial value (commonly 64, 128, or 255).
- Window size: for many operating systems, the initial window size value is fixed.
- Don't Fragment bit (DF): some operating systems set the DF bit by default, and some do not.
- Type of service: the type of service value varies from OS to OS.

When the attacker reads these values from the sniffer's logs, he matches them against a database of known operating system signatures and obtains a clue about which OS is running on the remote computer.

  Email header passive OS fingerprinting
Email header passive OS fingerprinting is a method in which an attacker uses email headers for remote OS detection. The Received headers usually name the mail daemon (and often its version) on the remote computer. Since a given mail daemon is usually associated with a particular OS, an attacker can make a good guess at the OS of the remote computer from the mail daemon information.

  TCP/IP stack fingerprinting
TCP/IP stack fingerprinting is the collection of configuration attributes from a remote device during standard layer 3 and layer 4 network communications, either by observing traffic passively or by sending probes actively. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among operating systems and TCP/IP implementations. The TCP/IP fields that may vary include the following:

- Initial packet size (16 bits)
- Initial TTL (8 bits)
- Window size (16 bits)
- Maximum segment size (16 bits)
- Window scaling value (8 bits)
- "Don't fragment" flag (1 bit)
- "sackOK" flag (1 bit)
- "nop" flag (1 bit)
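How those fields are turned into an OS guess, as an added example (Python; this is not the chapter's code and not p0f, Satori or any other real tool). The packets are constructed dicts standing in for sniffer output, and the four-entry SIGNATURES table is an assumed illustration, not an authoritative database. The example also carries the step the list above leaves implicit: recovering the initial TTL from the decremented value the sniffer actually sees.

```python
"""Passive OS fingerprinting from the fields listed above.

Added example; not the chapter's code and not p0f, Satori or any other
real tool. A sniffer would supply the packet fields; here they are
constructed dicts. SIGNATURES is an illustrative, assumed table of four
entries, not an authoritative database (real tools carry hundreds and
keep them updated), so treat the OS names as labels for the example.
"""
from typing import Dict, List, Tuple

# (initial TTL, window size, DF bit, TCP option layout of the SYN) -> OS.
# Assumed values for illustration only.
SIGNATURES: List[Tuple[int, int, bool, str, str]] = [
    (64, 5840, True, "mss,sack,ts,nop,ws", "Linux 2.6 (assumed)"),
    (128, 65535, True, "mss,nop,nop,sack", "Windows XP/2003 (assumed)"),
    (64, 65535, True, "mss,nop,ws,nop,nop,ts,sack,eol", "FreeBSD/macOS (assumed)"),
    (255, 4128, False, "mss", "Cisco IOS (assumed)"),
]
INITIAL_TTLS = (32, 64, 128, 255)  # the common initial TTL values


def guess_initial_ttl(observed_ttl: int) -> Tuple[int, int]:
    """Round the observed TTL up to the nearest common initial value.

    Returns (initial_ttl, hops). A packet arriving with TTL 54 almost
    certainly left a TTL-64 host ten hops away; TTL 118 a TTL-128 host.
    This is the step that lets passive fingerprinting use TTL at all,
    since the sniffer only ever sees the decremented value.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must fit in 8 bits")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def fingerprint(pkt: Dict) -> Dict:
    """Score a SYN packet's attributes against every signature.

    pkt: {"ttl": int, "window": int, "df": bool, "options": [str, ...]}
    A full 4/4 match names the OS; 3/4 is reported with a '?'; less is
    'unknown'. Hosts that changed their defaults (a countermeasure this
    chapter lists) land in the last two categories.
    """
    initial_ttl, hops = guess_initial_ttl(pkt["ttl"])
    opts = ",".join(pkt["options"])
    best_score, best_name = -1, "unknown"
    for sig_ttl, sig_win, sig_df, sig_opts, name in SIGNATURES:
        score = (int(sig_ttl == initial_ttl) + int(sig_win == pkt["window"])
                 + int(sig_df == pkt["df"]) + int(sig_opts == opts))
        if score > best_score:
            best_score, best_name = score, name
    if best_score == 4:
        os_guess = best_name
    elif best_score == 3:
        os_guess = best_name + "?"
    else:
        os_guess = "unknown"
    return {"os": os_guess, "initial_ttl": initial_ttl, "hops": hops,
            "score": best_score}


# Constructed packets standing in for sniffer output (not captures).
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "ttl": 54, "window": 5840, "df": True,
     "options": ["mss", "sack", "ts", "nop", "ws"]},
    {"src": "10.0.0.9", "ttl": 118, "window": 65535, "df": True,
     "options": ["mss", "nop", "nop", "sack"]},
    {"src": "10.0.0.1", "ttl": 250, "window": 4128, "df": False,
     "options": ["mss"]},
    {"src": "10.0.0.7", "ttl": 60, "window": 8192, "df": True,
     "options": ["mss", "sack", "ts", "nop", "ws"]},  # window changed
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], fingerprint(pkt))
```

The fourth packet shows the effect of the countermeasure listed later in this section: changing one default (here the window size) drops the match to 3/4, and an administrator who changes several of them pushes the host into "unknown".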

  httprint
httprint is a fingerprinting tool that identifies Web servers from their behaviour rather than from their banner. It works even when the server banner string has been changed or masked by plug-ins such as mod_security or ServerMask, and it can identify Web-enabled devices that carry no server banner at all, such as wireless access points, routers, switches, and cable modems. httprint uses text signature strings for identification, and users can add their own signatures to the signature database.

  Countermeasures against OS fingerprinting
The following are the countermeasures against OS fingerprinting:

- Using Snort rules to detect the various OS fingerprinting probes
- Checking whether any new, unexpected connection has been established
- Updating antivirus and firewall software regularly
- Changing the default values of the parameters used in passive OS fingerprinting (initial TTL, window size, DF bit, TCP options)
- Using secure communication with encrypted protocols (this hides application banners, not the TCP/IP header characteristics)

  3.6 Learn vulnerability scanning using BidiBlah and other hacking tools
Exam Focus: Learn vulnerability scanning using BidiBlah and other hacking tools. Objective includes:

- BidiBlah

  BiDiBLAH
BiDiBLAH is an automated footprinting and vulnerability assessment tool that chains together well-known tools. Its hacking/vulnerability assessment components include Metasploit, Nessus, and Google hacking scripts.

  Tabs in BiDiBLAH
There are five important tabs in the BiDiBLAH tool. These are as follows:

Subdomain tab: In this tab, the user enters the Google API key. It uses keywords to perform Google hacking for subdomains.

Forwards tab: It reads the .bfdns files and uses their contents as the list of names for the forward DNS brute force.

Portscan tab: This tab is used for port scanning.

Nessus tab: In this tab, the attacker selects the Nessus server (IP address or DNS name) and enters the Nessus username and password to perform vulnerability scanning with the Nessus vulnerability scanner.

MetaSploit tab: In this tab, the attacker enters the location of the Metasploit Framework's Web interface. The attacker can test the Metasploit setup by clicking "load exploits" in the MetaSploit tab, which shows the list of available exploits.

  Installing BiDiBLAH
The basic installation of BiDiBLAH is straightforward: run its install.exe. After the installation completes, two changes to the operating system are needed for the tool to function. The first is to load a raw packet driver, which allows BiDiBLAH to send the packets required for port scanning and banner grabbing; when the driver is loaded, a protocol is added to the network card configuration. The next step is to disable any firewall running on the system and then configure BiDiBLAH.

  System requirements for installing BiDiBLAH

- .NET Framework 2.0
- Nessus server
- SPUD for the subdomain discovery module
- 256 MB RAM or more
- Raw packet driver for Windows XP or a compatible version
- Office 2003 or later

  3.7 Understand proxy servers, anonymizers, HTTP tunneling techniques, and IP spoofing techniques
Exam Focus: Understand proxy servers, anonymizers, HTTP tunneling techniques, and IP spoofing techniques. Objective includes:

- Understand how proxy servers are used in launching an attack.
- Gain insight into the working of anonymizers.
- Identify HTTP tunneling techniques.
- Identify IP spoofing techniques.
- Understand various scanning countermeasures.

  Proxy servers A proxy server is a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, Web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it 'caches' responses from the remote server, and returns subsequent requests for the same content directly. The unwanted content, such as ads or unsuitable material, can be filtered out using specialized proxy servers.


Use of proxies for attack

  Benefits of a proxy server
A proxy server has a variety of benefits, including:

- Protecting the local network from outside access
- Permitting a number of computers to connect to the Internet with only one IP address
- Anonymizing Web surfing
- Providing some protection against hacking attacks
- Keeping the machines behind it anonymous (mainly for security)
- Speeding up access to resources (using caching)
- Applying an access policy to network services or content, e.g. to block undesired sites
- Logging / auditing usage, i.e., to provide company employee Internet usage reporting
- Bypassing security / parental controls
- Scanning transmitted content for malware before delivery
- Circumventing regional restrictions

  Types of proxy servers
A proxy server that passes requests and replies unmodified is usually called a gateway or sometimes a tunneling proxy. A proxy server can be placed on the user's local computer or at various points between the user and the destination servers on the Internet.

A reverse proxy is an Internet-facing proxy used as a front end to control and protect access to a server on a private network. It also performs tasks such as load balancing, authentication, decryption (TLS termination), and caching.

Multiproxy is a multifunctional personal proxy server that protects your privacy while on the Internet. It can hide your IP address by dynamically connecting to non-transparent anonymizing public proxy servers, and it can test a list of proxy servers and sort them by connection speed and level of anonymity.

Proxy Workbench is a proxy server that resides inside a network, monitors the connections passing through it, and supports proxy chaining.

SSLProxy is a transparent proxy that can translate between encrypted and unencrypted transport on socket connections. It also has a non-transparent mode with automatic encryption detection on NetBIOS. An attacker can use SSLProxy to launch exploits over SSL, so that the attack traffic is encrypted on the wire, which hides the attack path and evades signature-based IDS.

  Anonymizers
Anonymizers are services that help make a user's Web surfing anonymous. An anonymizer strips identifying information (the user's IP address and browser-supplied headers) from requests while the user surfs the Internet, and in this manner protects the privacy of the user. After the user anonymizes a Web access by prefixing the URL with the anonymizer's address, every subsequent link selected is also automatically accessed anonymously. Most anonymizers can anonymize at least Web (http:), file transfer protocol (ftp:), and gopher (gopher:) requests. The following are some common anonymizers:


- Mowser
- Anonymizer Anonymous Web Surfing Tool
- The Cloak
- Hide Your IP Address
- IDsecure
- JAP Anonymity and Privacy
- Guardster

  Uses of anonymizers
The following are the uses of anonymizers:

- Providing privacy and anonymity
- Protecting against online attacks that target the user's IP address
- Accessing government-restricted content
- Bypassing IDS and firewall rules that match on the user's address

  Networked anonymizers
Networked anonymizers relay communications between a user and the destination computer through a network of Internet computers. Their advantage is that traffic analysis becomes harder because the communication path is more complex. Their disadvantage is that in any multi-node network each node carries some risk of compromising confidentiality, since every node sees part of the traffic.

  Single-point anonymizers
Single-point anonymizers protect your identity by passing your surfing through a single Web site. Their advantage is that the arm's-length communication hides the user's IP address and related identifying information from the destination site. Their disadvantage is that they provide less resistance to sophisticated traffic analysis, and the single site itself sees everything.

  Limitations of anonymizers
Anonymizers have the following limitations:

1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser needs to access the site directly to properly maintain secure encryption.

2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established independent direct connection from the user computer to a remote site.

3. Java: Any Java application accessed through an anonymizer will not be able to bypass the Java security wall.

4. ActiveX: ActiveX applications have almost unlimited access to the user's computer system.

5. JavaScript: The JavaScript scripting language is disabled by URL-based anonymizers.

  TOR (The Onion Router)
TOR (The Onion Router) provides the following:

- Anonymity: Offers anonymous communication over the Internet.
- Privacy: Protects the identities of both the sender and the recipient of a message.
- Security: Wraps a message in multiple layers of encryption, one per relay in the circuit.
- Encryption: Uses public-key cryptography to negotiate a symmetric key with each relay, then encrypts the data in layers with those keys.
- Proxy chain: Routes traffic through a chain of cooperating onion routers.
- Tor proxy: The TOR client, the initiating onion router, chooses the path (circuit) the traffic will take.

  Psiphon
Psiphon is a censorship circumvention system. In countries where the Internet is censored, Psiphon lets users bypass national firewalls and reach blocked sites. A user in the censored country (the psiphonite) sends requests over an encrypted HTTP (HTTPS) tunnel to a node running outside it (the psiphonode), which fetches the content and returns the result to the requesting psiphonite. Psiphon thus acts as a Web proxy for authenticated psiphonites and bypasses the content-filtering systems of countries such as China, North Korea, Iran, Saudi Arabia, and Egypt.

  HTTP tunneling
HTTP tunneling is a technique by which communications performed using other network protocols are encapsulated in HTTP. Despite the restrictions imposed by a firewall, HTTP tunneling lets users perform other Internet tasks, because the data is sent as HTTP (port 80, or 443 for HTTPS), which almost every firewall allows out. HTTP therefore acts as a wrapper for a covert channel over which the tunneled protocol communicates. A hacker using an HTTP tunneling tool can subvert a proxy by hiding potentially undesirable protocols, such as IM or chat, inside innocent-looking HTTP requests. The following are HTTP tunneling tools:

HTTPort: The HTTPort tool is used to create a transparent tunnel through a proxy server or a firewall. It allows a user to use all sorts of Internet software from behind the proxy. This tool bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls.

Backstealth: The Backstealth tool bypasses outbound restrictions of personal firewalls by embedding an http client in a DLL.
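The encapsulation these tools rely on, as an added example (Python; not code from HTTPort, HTTP-Tunnel, Backstealth or the chapter): a tunnel client wraps each chunk of an inner TCP stream, here a constructed FTP conversation, in a POST request that a port-80-only firewall passes; the tunnel server unwraps it. Both ends run in-process, so nothing touches the network, and the endpoint hostname and path are assumptions. The last function shows the check an inspecting proxy can make, since the tunnel defeats a port filter but not content inspection.

```python
"""HTTP tunnel framing: encapsulating a foreign protocol in HTTP requests.

Added example, not code from HTTPort, HTTP-Tunnel, Backstealth or the
chapter. It shows the mechanism those tools rely on: the tunnel client
wraps each chunk of an inner TCP stream (a constructed FTP conversation)
in a POST request that a port-80-only firewall will pass; the tunnel
server on the far side unwraps it and would forward the bytes to the real
FTP server. Both ends are modelled as in-process functions, so nothing
touches the network. TUNNEL_HOST and TUNNEL_PATH are assumptions.
"""
import re
from typing import List, Tuple

TUNNEL_HOST = "tunnel.example.net"   # assumed tunnel endpoint
TUNNEL_PATH = "/sync"                # assumed; chosen to look innocuous


def wrap(payload: bytes, session: str) -> bytes:
    """Tunnel client: frame one chunk of the inner stream as an HTTP POST."""
    headers = (
        f"POST {TUNNEL_PATH} HTTP/1.1\r\n"
        f"Host: {TUNNEL_HOST}\r\n"
        f"Cookie: sid={session}\r\n"          # multiplexes inner connections
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n"
        f"Connection: keep-alive\r\n\r\n"
    )
    return headers.encode("ascii") + payload


def unwrap(request: bytes) -> Tuple[str, bytes]:
    """Tunnel server: parse the POST and return (session id, inner bytes)."""
    head, _, body = request.partition(b"\r\n\r\n")
    fields = {}
    for line in head.decode("ascii").split("\r\n")[1:]:   # skip request line
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    length = int(fields["content-length"])
    if len(body) < length:
        raise ValueError("truncated body")
    m = re.search(r"sid=([\w-]+)", fields.get("cookie", ""))
    if m is None:
        raise ValueError("no session cookie")
    return m.group(1), body[:length]


def tunnel_stream(chunks: List[bytes], session: str) -> List[bytes]:
    """Push every chunk of the inner stream through wrap() then unwrap()."""
    out = []
    for chunk in chunks:
        sid, inner = unwrap(wrap(chunk, session))
        if sid != session:
            raise ValueError("session id did not survive the tunnel")
        out.append(inner)
    return out


# Constructed inner FTP conversation (client side only), not a capture.
FTP_CHUNKS = [b"USER anonymous\r\n", b"PASS guest@\r\n", b"PASV\r\n", b"LIST\r\n"]

_FTP_COMMAND = re.compile(rb"^(USER|PASS|PASV|PORT|RETR|STOR|LIST)(\s|$)", re.M)


def looks_like_ftp_over_http(request: bytes) -> bool:
    """What an inspecting proxy can check: FTP verbs inside a POST body.

    A proxy that parses request bodies (or simply refuses opaque
    octet-stream POSTs to unknown hosts) sees the inner protocol at once.
    """
    _, body = unwrap(request)
    return _FTP_COMMAND.search(body) is not None


if __name__ == "__main__":
    for chunk in FTP_CHUNKS:
        req = wrap(chunk, "demo")
        print(req.decode("latin-1"), "-> FTP detected:", looks_like_ftp_over_http(req))
```

Real tools add base64 or encryption of the body and a GET-based return channel for the server-to-client direction; both change the framing, not the principle, and encryption in particular is why outbound TLS interception or strict proxy policy, rather than port filtering, is the countermeasure.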

HTTP tunneling is used in a situation like the following:

- The organization has blocked all ports at the firewall and allows only 80/443 outbound.
- You need to use FTP to connect to a remote server on the Internet.

In this situation, the FTP session is carried inside HTTP requests and responses. HTTP-Tunnel and HTTPort are HTTP tunneling tools.

  Super Network Tunnel Tool
Super Network Tunnel Tool is two-way HTTP tunnel software that connects two computers. It operates like VPN tunneling but sets up the connection using the HTTP protocol.

  IP spoofing techniques
In computer networking, IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another system. The basic protocol for sending data over the Internet and many other networks is the Internet Protocol (IP). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address the packet was sent from; by forging the header, an attacker can make it appear that the packet was sent by a different machine. The machine that receives a spoofed packet sends its response to the forged source address, not to the attacker. This technique is therefore used mainly when the attacker does not care about the response (as in a flooding DoS attack) or can predict it (as in blind TCP sequence-number attacks). The countermeasures against IP spoofing are as follows:

Filtering at the router: A network administrator can stop most IP spoofing with access control lists on the border routers: on the Internet-facing interface, drop inbound packets whose source address is a private (RFC 1918) address or one of the organization's own addresses, since no legitimate packet from outside can carry those; on the internal interface, drop outbound packets whose source address is not in the organization's own range, so that internal hosts cannot spoof others.

Encryption and authentication: A network administrator can use encryption and authentication (for example IPsec, which is part of the IPv6 specification and also available for IPv4) to reduce spoofing threats, since a forged source address cannot produce a valid authentication header. Host-based authentication that trusts the client's IP address (the r-services such as rsh, often enabled for all systems on the same subnet) should be eliminated.


  DoS attacks
IP spoofing is commonly used in DoS attacks, which aim to consume bandwidth and resources. Attackers spoof the source IP addresses of the flood so that tracing and stopping the attack is as difficult as possible, and so that responses are directed at the victim rather than back at the attacker.

  Non-blind spoofing
Non-blind spoofing is a type of IP spoofing attack that occurs when the attacker is on the same subnet as the victim, or otherwise on the path of the victim's traffic. Being able to sniff that traffic, the attacker can read the sequence and acknowledgement numbers of the TCP segments instead of having to guess them. The attacker can then inject packets with valid sequence and acknowledgement numbers and hijack or redirect the session, for example redirecting the victim's browser session to a malicious Web site, or to a compromised legitimate site, that infects the computer with malicious code or lets the attacker perform other malicious activities.

  IP spoofing countermeasures
The following are IP spoofing countermeasures:

- Limit access: Limit access to configuration information on a machine.
- Ingress filtering: Use router filters to drop packets entering your network with source addresses that cannot legitimately come from outside.
- Sequence numbers: Use random initial sequence numbers so that blind spoofing cannot predict them.
- Egress filtering: Use router filters to drop packets leaving your network with source addresses that are not your own.
- Encryption: Encrypt and authenticate all network traffic.
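The ingress and egress filters above, as an added example (Python; this is a model of the router ACL logic, not vendor configuration and not code from the chapter). The organization prefix and the sample packets are constructed; the bogon list is the RFC 1918, loopback, link-local and unspecified ranges plus the organization's own space.

```python
"""Ingress/egress (BCP 38-style) anti-spoofing filter.

Added example, not from the chapter and not any router vendor's code. It
models the two ACLs a border router should carry: on the Internet-facing
interface drop inbound packets that claim an internal or private source;
on the inside interface drop outbound packets whose source is not one of
our own prefixes. The prefixes and sample packets are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Assumed organization prefix (documentation range, constructed).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that can never legitimately arrive from the Internet: our own
# space plus RFC 1918 private, loopback, link-local and unspecified ranges.
BOGON_FROM_OUTSIDE = OUR_PREFIXES + [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    )
]


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def filter_packet(interface: str, src: str) -> str:
    """Return 'permit' or a 'deny (...)' verdict for one packet.

    interface: 'outside' (Internet-facing) or 'inside' (toward our hosts).
    """
    addr = ipaddress.ip_address(src)
    if interface == "outside":
        # Ingress filter: a packet from the Internet cannot carry one of our
        # addresses (someone is impersonating an internal host) or a
        # non-routable source (nothing legitimate can answer there).
        if _in_any(addr, BOGON_FROM_OUTSIDE):
            return "deny (ingress: spoofed or bogon source)"
        return "permit"
    if interface == "inside":
        # Egress filter: only our own prefixes may leave, so a compromised
        # internal host cannot take part in a spoofed-source DoS flood.
        if not _in_any(addr, OUR_PREFIXES):
            return "deny (egress: source not ours)"
        return "permit"
    raise ValueError(f"unknown interface {interface!r}")


def apply_acl(packets: Iterable[Dict]) -> List[Dict]:
    """Annotate each packet dict with the filter verdict."""
    return [dict(p, verdict=filter_packet(p["iface"], p["src"])) for p in packets]


# Constructed packets (documentation addresses only).
SAMPLE_PACKETS = [
    {"iface": "outside", "src": "198.51.100.7"},   # ordinary Internet host
    {"iface": "outside", "src": "203.0.113.20"},   # claims to be us: spoofed
    {"iface": "outside", "src": "10.1.2.3"},       # private source from outside
    {"iface": "inside",  "src": "203.0.113.20"},   # our host going out
    {"iface": "inside",  "src": "192.0.2.1"},      # spoofed source leaving us
]

if __name__ == "__main__":
    for p in apply_acl(SAMPLE_PACKETS):
        print(f"{p['iface']:8} {p['src']:15} {p['verdict']}")
```

Egress filtering protects other people's networks rather than your own, which is why it is so often missing; the ingress rule is the one that stops the blind-spoofing attacks this section describes from reaching your hosts with an internal source address.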

  Email spoofing
Email spoofing is a term used to describe (usually fraudulent) email activity in which the sender's address and other parts of the email header are altered to appear as though the email originated from a different source. It is commonly used for spam and phishing to hide the origin of a message. By changing certain properties of the email, such as the From, Return-Path, and Reply-To fields (found in the message header), ill-intentioned users can make the email appear to be from someone other than the actual sender. The result is that, although the email appears to come from the address indicated in the From field, it actually comes from another source.

Occasionally (especially if the spam requires a reply from the recipient, such as the '419' scams), the source of the spam email is indicated in the Reply-To field (or at least a way of identifying the spammer); if this is the case and the initial email is replied to, the delivery will be sent to the address specified in the Reply-To field, which could be the spammer's address. However, most spam emails (especially malicious ones with a Trojan/virus payload, or those advertising a Web site) forge this address too, and replying to it will annoy an innocent third party.

Prior to the advent of unsolicited commercial email as a viable business model, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's home address. Since most servers were configured as open relays, this was a common practice. As spam became an annoying problem, most of these "legitimate" uses fell victim to anti-spam techniques.
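The header mismatches described above, checked programmatically as an added example (Python; not code from the chapter). It reads the From, Return-Path and Reply-To fields named in the text, flags domains that disagree, and recovers the originating IP from the earliest Received header. Both messages are constructed with documentation-only domains.

```python
"""Spotting a spoofed sender in raw email headers.

Added example, not from the chapter. It parses the header fields the text
names (From, Return-Path, Reply-To) plus the Received chain, and reports
the mismatches an analyst or spam filter looks for. Both messages below
are constructed, with documentation-only domains and addresses.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

_IP_IN_RECEIVED = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def _domain(header_value: Optional[str]) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def origin_ip(received_headers: List[str]) -> Optional[str]:
    """IP of the first hop: the bottom-most Received header.

    Each relay prepends its own Received header, so the last one in the
    list is the earliest hop and the one the sender could not rewrite
    (a sender can still forge extra Received lines beneath it).
    """
    if not received_headers:
        return None
    m = _IP_IN_RECEIVED.search(received_headers[-1])
    return m.group(1) if m else None


def analyze_headers(raw_message: str) -> Dict:
    """Compare the visible sender with the envelope and reply addresses."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    return_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    findings: List[str] = []
    # The envelope sender (Return-Path) normally matches the visible From.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} != From domain {from_dom}")
    # A Reply-To pointing elsewhere is the classic phishing / 419 pattern.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    return {
        "from": from_dom,
        "return_path": return_dom,
        "reply_to": reply_dom,
        "origin_ip": origin_ip(msg.get_all("Received") or []),
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed messages (documentation domains; not real mail).
SPOOFED = """\
Return-Path: <bounce@mailer-9x.example.net>
Received: from mx.corp.example (mx.corp.example [198.51.100.5])
\tby mail.corp.example with ESMTP id 123; Mon, 11 May 2009 22:10:40 +0000
Received: from unknown (HELO mail.corp.example) (192.0.2.77)
\tby mx.corp.example with SMTP; Mon, 11 May 2009 22:10:39 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk-reset@webmail-free.example.org
To: user@corp.example
Subject: Password expiry

Your password expires today. Reply with your current password.
"""

LEGIT = """\
Return-Path: <alice@corp.example>
Received: from mail.corp.example (mail.corp.example [198.51.100.5])
\tby mx.corp.example with ESMTP; Mon, 11 May 2009 22:10:40 +0000
From: Alice <alice@corp.example>
To: user@corp.example
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze_headers(raw))
```

The origin IP is the piece worth keeping in an incident record: the From line is free text, but 192.0.2.77 is where the relay actually accepted the connection from, and in the spoofed message it is an outside address presenting a HELO name that claims to be the organization's own mail host.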

Various methods of email spoofing

Because many spammers now use special software to create random sender addresses, even if the user finds the origin of the email, it is unlikely that the email address will be active.

The technique is now used ubiquitously by mass-mailing worms as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez, and Sober will often try to perform searches for email addresses within the address book of a mail client, and use those addresses in the From field of emails that they send, so that these emails appear to have been sent by the third party.

For example: User1 is sent an infected email and when the email is opened, it begins to spread. The worm finds the addresses of User2 and User3 within the address book of User1 from the computer of User1. Now, the worm sends an infected email to User2, but the email appears to have been sent from User3.

This can be particularly problematic in a corporate setting, where email is sent to organizations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked.

Newer variants of these worms have built on this technique by randomizing all or part of the email address. A worm can employ various methods to achieve this, including:

Random letter generation Built-in wordlists Amalgamating addresses found in address books, for example:

o User1 triggers an email address spoofing worm, and the worm finds the addresses [email protected], [email protected], and [email protected] within the user's email address book.

o The worm sends an infected message to [email protected], but the email appears to have been sent from [email protected].

  Scanning pen testing
Penetration testing a network for scanning attempts determines the network's security posture by identifying live systems, discovering open ports, and grabbing system banners from a remote location, simulating a network hacking attempt. The penetration testing report supports administrators in the following:

- Closing unused ports
- Disabling unnecessary services
- Hiding or customizing banners
- Troubleshooting service configuration errors
- Calibrating firewall rules

  Steps during scanning pen testing Take the following steps during scanning pen testing:

1. Check for the live hosts using tools, such as Angry IP Scanner, SolarWinds Engineer's toolset, Colasoft Ping, Utility Ping, Nmap, Netscan, etc.

2. Check for open ports using tools, such as Nmap, Netscan Tools Pro, Net Tools Suite Pack, UDP Scanner, etc.

3. Perform banner grabbing/ OS fingerprinting using tools, such as Telnet, Netcraft, Xprobe, Satori, etc.

4. Scan for vulnerabilities using tools, such as Nessus, SAINT, GFI LANGuard, Core Impact, Nsauditor, MBSA, etc.

5. Draw network diagrams of the vulnerable hosts using tools such as LAN surveyor, IPsonar, CartoReso, NetMapper, etc.

6. Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy, ProxyFinder, etc.

7. Document all the findings.

  Chapter Summary
In this chapter, we learned about port scanning, network scanning, and vulnerability scanning. We discussed ping sweeping, the firewalk tool, nmap command switches, and the various scan types: SYN, Stealth, XMAS, NULL, IDLE, FIN, ICMP Echo, List, TCP Connect, Full Open, FTP Bounce, UDP, and Reverse Ident. The chapter also covered TCP communication flag types, war dialing, vulnerability scanning using BidiBlah, proxy servers, anonymizers, HTTP tunneling techniques, and IP spoofing techniques.

  Glossary

Advanced Port Scanner
Advanced Port Scanner is used to check a computer for open ports that can be used in attacks against the computer.

Anonymizers
Anonymizers are services that help make a user's Web surfing anonymous. An anonymizer removes identifying information from the user's requests while the user surfs the Internet.

Argus
Argus is a systems and network monitoring application. It is designed to monitor the status of network services, servers, and other network hardware, and it sends alerts when it detects problems.


AVDS
AVDS (Automated Vulnerability Detection System) consists of one or more hardware appliances running dedicated, online-connected software that tests for both internal and external vulnerabilities on your network.

Banner grabbing
Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports.

Cookie
A cookie is a block of data that a Web server stores on the client computer. If no expiration date is set for the cookie, it expires when the browser closes.

File extensions
File extensions provide information about the underlying server technology.

Firewalk
Firewalk is a scanning tool, similar to traceroute, that attempts to determine which layer 4 protocols a given IP forwarding device will pass.

Firewalking
Firewalking is a technique for gathering information about a remote network protected by a firewall.

Footprinting
Footprinting is an information gathering technique used to collect information about computer systems.

Global Network Inventory
Global Network Inventory is a flexible software and hardware inventory system that can be used as an audit scanner in agent-free, zero-deployment environments.

HTTPort tool
The HTTPort tool is used to create a transparent tunnel through a proxy server or firewall. It allows a user to use all sorts of Internet software from behind the proxy.

httprint
httprint is a fingerprinting tool that identifies Web servers from their behaviour rather than from their banner string.

ICMP
Internet Control Message Protocol.

Icmpenum
Icmpenum is a host enumeration tool that probes networks not only with ICMP Echo packets but also with ICMP Timestamp and ICMP Information Request packets.


IP protocol scan: The IP protocol scan is used to search for additional IP protocols supported by a host, such as ICMP, TCP, and UDP.

Mail bombing: Mail bombing is an attack used to overwhelm mail servers and clients by sending a large number of unwanted emails.

MegaPing: MegaPing provides all essential network utilities for information system specialists, system administrators, or individuals.

Network scanning: Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment.

OS Fingerprinting: OS fingerprinting is the easiest way to detect the operating system (OS) of a remote system. OS detection is important because, once the target system's OS is known, it becomes easier to hack into the system.

Ping sweeping: Ping sweeping is used to ping a batch of devices and obtain the list of active devices.

Scanning: Scanning refers to a set of procedures used to identify hosts, ports, and services in a network.

Sequence number: A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over the network, it is broken into fragments (packets) at the source and reassembled at the destination system.

TCP communication flags: TCP communication flags are used to control communication between two systems using the TCP protocol.

Vulnerability scanning: Vulnerability scanning is a process in which a penetration tester uses various tools to assess computers, computer systems, networks, or applications for weaknesses.

War dialer: A war dialer is a tool used to scan thousands of telephone numbers to detect vulnerable modems that could provide unauthorized access to a system.

War dialing: War dialing is a technique in which an attacker uses a modem to automatically scan a list of telephone numbers, usually by dialing every number in a local area code, to search for computers, bulletin board systems, and fax machines.
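The SYN, FIN, NULL, and XMAS scans listed in the chapter summary differ only in which TCP communication flags the probe packet carries, which is also how a defender tells them apart in traffic. The following is an added example, not part of the original chapter: it classifies packets by their exact flag combination and reports sources that probe many distinct ports. The packet tuples and IP addresses are constructed sample data.

```python
# Added example (not from the original chapter): classify TCP probe packets by
# their flag combination, as the scan types in the summary are distinguished,
# and report any source that touches many distinct ports with such probes.
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Exact flag combinations that characterise the scan types from the chapter.
SCAN_SIGNATURES = {
    0:               "NULL scan",              # no flags set at all
    FIN:             "FIN scan",
    FIN | PSH | URG: "XMAS scan",
    SYN:             "SYN / half-open probe",  # also the first packet of a normal connect
}

def classify(flags):
    """Return the scan type matching an exact TCP flag combination, else None."""
    return SCAN_SIGNATURES.get(flags)

def detect_scans(packets, port_threshold=5):
    """
    packets: iterable of (src_ip, dst_port, flags) tuples, e.g. from a sensor.
    Returns {src_ip: {"types": set_of_scan_types, "ports": distinct_port_count}}
    for sources that sent recognised probes to at least port_threshold ports.
    """
    seen = defaultdict(lambda: {"types": set(), "ports": set()})
    for src, dport, flags in packets:
        kind = classify(flags)
        if kind is None:
            continue  # ordinary traffic (ACK, PSH|ACK, ...) is not counted
        seen[src]["types"].add(kind)
        seen[src]["ports"].add(dport)
    return {src: {"types": v["types"], "ports": len(v["ports"])}
            for src, v in seen.items() if len(v["ports"]) >= port_threshold}

# Constructed sample: one host sweeping six ports with no flags set (NULL scan),
# a single XMAS probe, and a legitimate client completing a handshake.
SAMPLE = [("10.0.0.5", p, 0) for p in (21, 22, 23, 25, 80, 443)] + \
         [("10.0.0.9", 80, FIN | PSH | URG)] + \
         [("10.0.0.7", 443, SYN), ("10.0.0.7", 443, ACK), ("10.0.0.7", 443, PSH | ACK)]

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE).items():
        print(f"{src}: {', '.join(sorted(info['types']))} across {info['ports']} ports")
```

Only the NULL-scanning host crosses the port threshold; the single XMAS probe and the normal handshake are classified but not reported, which is the trade-off a threshold-based detector makes.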