Skip to content

03.md

Latest commit

 

History

History
211 lines (190 loc) · 6.02 KB

03.md

File metadata and controls

211 lines (190 loc) · 6.02 KB

module 3 - scanning networks

concepts

  • tcp vs udp
  • tcp flags
    • SYN
    • ACK
    • FIN
    • RST
    • PSH
    • URG
  • tcp three-way handshake
    • session estabilishment: SYN, SYN-ACK, ACK
    • session termination: FIN, ACK-FIN, ACK

host discovery

  • ping scan types
    • ARP - network protocol used to find out the hardware (MAC) address of a device from an IP address
      • sends a request packet to all the network elements, asking for the MAC address from a specific IP
      • nmap -sn <host>
        • executed by a privileged user on a local ethernet network it uses ARP scan by default
        • executed by a privileged user it uses ICMP ECHO request + TCP SYN to port 443 + TCP ACK to port 80, and an ICMP timestamp request
        • executed by a unprivileged user it uses TCP SYN to port 80 and 443
    • UDP ping scan - similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host
      • nmap -sn -PU <host>
    • ECHO - involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. Useful for locating active devices or determining if ICMP is passing through a firewall
      • nmap -sn -PE <host>
    • ECHO sweep - basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts
      • nmap -sn -PE 10.10.10.5-15 from host 5 to host 15
      • countermeasures
    • ICMP timestamp
      • nmap -sn -PP <host>
      • hping ICMP mode -1
    • ICMP address mask - is effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping
      • nmap -sn -PM <host>
    • SYN
      • nmap -sn -PS <host>
    • ACK
      • nmap -sn -PA <host>
    • IP
      • nmap -sn -PO <host>

port scanning

Different types of port scanning techniques is used to bypass IDSs.

On TCP scans, the target host responds with RST or RST/ACK when the port is closed.

  • TCP Connect/Full Open Scan (nmap -sT, hping -8) - port closed: RST response
  • Stealth TCP Scanning Methods (nmap -sS)
    • Half-open Scan
    • Inverse TCP Flag Scan: : high stealtly, requires superuser privileges, avoids many IDS and logging system, most effective on BSD TCP/IP stack, not very effective on windows hosts.
      • Xmas Scan: FIN, URG, PSH (nmap -sX, hping -FUP)
      • FIN Scan (nmap -sF, hping -F)
      • NULL Scan (nmap -sN)
      • Maimon Scan: FIN/ACK (nmap -sM)
    • ACK Flag Probe Scan: slow and works with older BSD based TCP/IP stacks.
      • TTL-Based Scan (ttl RST < 64 -> port is open)
      • Window Scan (window value RST != 0 -> port is open)
      • used to check if the port is filtered (firewalled)
    • IDLE/IP ID Header Scan: use of zombie host to check open/closed port using IPID number check (nmap -sI, hping -Q)
  • UDP Scanning: no response if port is open, ICMP port unreachable message otherwise (nmap -sU, hping -2)
  • SCTP Scanning:
    • Stream Control Tranport Protocol
    • SCTP INIT Scanning (ABORT chunk means that port is closed, nmap -sY)
    • SCTP COOKIE/ECHO Scanning - no response means that port is open
      • nmap -sZ
  • SSDP Scanning:
    • Simple Service Discovery Protocol
    • SSDP scanning: (metasploit module scanner/upnp/ssdp_msearch)
  • List Scanning (nmap -sL)
  • IPv6 Scanning (nmap -6)
  • service version discovery (nmap -sV)
  • nmap timing options(nmap -T)

Port scanning countermeasures

  1. Configure firewall and IDS to detect probes
  2. run port scanning agains host on the network
  3. check firewalls and routers
  4. update firmwares
  5. custom set of rules to lock down the network
  6. filter all ICMP messages
  7. perform TCP and UDP scanning along with ICMP probes
  8. ensure anti-scanning and anti-spoofing rules are correctly configured

OS discovery/banner grabbing

  • nmap operating system detection options (-O)
  • types of banner grabbing:
    • active: using TCP/IP stack probes
    • passive:
      • from error messages
      • sniffing network traffing
      • from page extensions

Four areas that determine the OS:

  • TTL (time to live)
  • Window Size
  • DF (Don’t Fragment) bit set
  • TOS (Type of Service)
OS TTL Window size
Linux (Kernel 2.4 and 2.6) 64 5840
Google Linux 64 5720
FreeBSD 64 65535
OpenBSD 64 16384
Windows 95 32 8192
Windows 2000 128 16384
Windows XP 128 65535
Windows 98, Vista, and 7 (Server 2008) 128 8192
iOS 12.4 (Cisco Routers) 255 4128
Solaris 7 255 8760
AIX 4.3 64 16384
  • nmap script engine (--script)
  • ipv6 fingerprinting (nmap -6 -O)
  • banner grabbing countermeasures:
    • disabling or changing banner
    • hiding file extensions from web pages (e.g. .asp to .htm)

IDS/Firewall Evasion Techniques

  • packet fragmentation (hping f)
  • source routing (create custom chain of hops)
  • source port manipulation (nmap -g or --source-port)
  • ip address decoy (nmap -D RND:10, -D decoy1,decoy2,decoy3,...,ME,...)
  • ip spoofing (hping3 -a)
  • ip spoofing detection tencniques:
    • ttl may be different
    • ip identification number is different
    • tcp flow
    • egress filtering
  • creating custom packets (nmap --data-string)
  • randomize host address (nmap --randomize-hosts)
  • sending bad checksum (nmap --badsum)
  • proxy servers
  • anonymizer
    • types: networked, single-point

tools

  • hping2/hping3
  • metasploit
  • mobile scanner: ip scanner/fing/network scanner
  • nmap
  • angry ip scanner
  • netcat
  • wireshark
  • packet creation tool:
    • colasfot packet builder
    • netscantool pro
  • network topology mapper

Back to index | Go to next module