
SCANNING

PHASE 2

Ethical Hacking
Steve Bolt

PHASE 2: SETTING THE STAGE
At this point:
Have identified a target
Have conducted some research on the target

Technology
Personnel
Maybe some corporate culture
Social Media
Focused on IT personnel or senior managers
Focused on HR

PHASE 2: SCANNING
Introduction to scanning:
Goal:
Expand on what we have learned already
Find openings by engaging the target
Determine:
Live Hosts, network appliances
Topology
OS types
Open Ports
Services
Potential Vulnerabilities

SCANNING
Types of scans:
Network sweep
Network trace
Port Scanning
OS fingerprinting
Version Scan
Vulnerability Scan

SCANNING
Cautions:
Scan by IP address, not by name (a name can resolve to a host outside your scope)
Large scans
Limit scope
Smaller part of the network
Sample hosts
Review the firewall
Scan only ports and services that are allowed
Not perfect, and the target needs to know you are scanning

SCANNING
Cautions:
Many of the tools wait for a response
You can force them to move on without waiting (timeouts, timing templates)
Speeds up the process, at the cost of missing slow or filtered hosts

SCANNING
Network Sweep:
Sends probe packets to identify live hosts
Ping sweep
ICMP echo request (ping); a host that does not answer may still be up behind a firewall that drops ICMP

Network Trace
Goal:
Get a map of the network
Topology of the target network

SCANNING
While scanning:
You should run a network sniffer
I recommend this to all my students
Some do, some don't
Running a sniffer, allows review of the actions later
Can dissect the hack afterwards.
Provides a network trace of your actions
Don't have to stop and note what you did.
Generates a business record

SCANNING
Scanners/Network Sniffers
Wireshark

Probably the best known sniffer outside the security community


Easy to use
Visual/Graphical
Attempts to help
Interprets the data

SCANNING
TCPDump
Command line tool
Console; on Windows the port is WinDump

Many command line switches


Running with just the defaults gathers a lot of information
$ sudo tcpdump

Example (capture on eth0, no name/port resolution, traffic between one host and the 192.168.1.0/24 network):
$ sudo tcpdump -i eth0 -nn host <IP> and net 192.168.1.0/24

SCANNING
Determining network topology
traceroute (Unix/Linux)
tracert (Windows)
Manipulates the TTL: probes are sent with TTL 1, 2, 3, ... so each router on the path answers with an ICMP Time Exceeded, reporting back the devices the packets travel through to reach the target

There are switches to configure the tool to your needs

SCANNING
TCP and UDP scans
3-way handshake (SYN, SYN/ACK, ACK)
Manipulation: a SYN scan sends SYN and answers the SYN/ACK with RST instead of ACK, so the handshake is never completed

Connection-oriented (TCP) vs connectionless (UDP): with UDP, no reply can mean open or filtered
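Added example (not from the original slides): a full-connect TCP scan in plain Python, the equivalent of nmap -sT, which completes the three-way handshake for every port it tests. It starts its own listener on 127.0.0.1 so there is a known-open port to find; the listener and the localhost target are constructed for this example, not a real scan target. The per-probe timeout is the "move on without waiting" caution from earlier in the deck: a port that neither accepts nor refuses within the timeout is reported as filtered.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port so the scan below has a
    known-open target on the local machine (constructed for this example).
    Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe_tcp(host, port, timeout=0.5):
    """Full-connect probe, the equivalent of nmap -sT: complete the three-way
    handshake, then close. A completed connect means open; an immediate RST
    (ConnectionRefusedError) means closed; no answer within the timeout is
    reported as filtered and we move on rather than wait forever."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout, no route, host unreachable, ...
            return "filtered"


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe each port concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results):
    """Sorted list of the ports that completed a handshake."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        results = scan_ports("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()
    for p, state in sorted(results.items()):
        print(f"{p}/tcp {state}")
    print("open:", open_ports(results))
```

Because every open port gets a completed connection, this kind of scan shows up in the target's application logs; that visibility is the reason SYN (half-open) scans exist.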

SCANNING
NMAP
Network Mapper
Not just a mapper
Many features that go unused
NSE = Nmap Scripting engine
Provides vulnerability scan capability

SCANNING
Nmap
You have to use nmap, don't you?
How do you use it?
ZENMAP?
Is that cheating?

Nmap syntax
nmap <scan type> <IP address> -p <port range> --packet-trace

SCANNING
NMAP resources
Youtube
SANS publications
NMAP cheat sheet

SCANNING
Nmap options
Timing: -T0 (paranoid) through -T5 (insane); -T3 is the default
Output: -o

-oN = normal
-oG = grepable
-oX = XML
-oS = script kiddie format (no real purpose)
-oA = store in all three major formats (normal, grepable, XML)

SCANNING
LAB TIME......

SCANNING
Scapy
Packet manipulation tool
Can be used to craft packets to test network responses
Can be used to carve/analyze packet captures
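Added example (not from the original slides, and not scapy's own code): the SYN probe that scapy builds with IP(dst=...)/TCP(dport=..., flags='S'), assembled by hand in standard-library Python so you can see what "manipulating the 3-way handshake" means at the byte level, including the checksum over the IPv4 pseudo-header. The addresses are placeholders from the documentation range, and send_raw() is only for illustration: it needs root/CAP_NET_RAW and is not called by default.

```python
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header with no options and a valid checksum. With
    flags=TCP_SYN this is the half-open probe a SYN scan sends."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, then 9 flag bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_segment(src_ip, dst_ip, segment):
    """Decode the fixed header and verify the checksum: summing a correct
    segment (checksum field included) folds to 0xFFFF, so checksum() is 0."""
    sport, dport, seq, ack, offset_flags, window, csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": offset_flags >> 12, "flags": offset_flags & 0x1FF,
        "window": window, "checksum": csum,
        "checksum_ok": checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0,
    }


def classify_syn_reply(reply_flags):
    """How a SYN scan reads the answer to its probe: SYN/ACK = open (the
    scanner then sends RST instead of ACK and never finishes the handshake),
    RST = closed, no answer at all = filtered."""
    if reply_flags is None:
        return "filtered"
    if reply_flags & TCP_RST:
        return "closed"
    if reply_flags & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK):
        return "open"
    return "unexpected"


def send_raw(dst_ip, segment):
    """Hand the segment to a raw socket; the kernel prepends the IP header.
    Requires root/CAP_NET_RAW, so it is not called by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.sendto(segment, (dst_ip, 0))


if __name__ == "__main__":
    # Placeholder addresses (TEST-NET-1), not a real target.
    seg = build_tcp_segment("192.0.2.1", "192.0.2.2", 40000, 80, TCP_SYN)
    print(seg.hex())
    print(parse_tcp_segment("192.0.2.1", "192.0.2.2", seg))
    print(classify_syn_reply(TCP_SYN | TCP_ACK))
```

The parse step doubles as a checker for captured replies: feed it a SYN/ACK from a pcap with the addresses swapped and checksum_ok tells you whether the capture is intact before you trust its flags.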

SCANNING
We have covered some methods to perform scanning
Can be very useful
Have more granular control

But time consuming

SCANNING
Vulnerability scanning
Purpose is to identify vulnerabilities
How to determine if vulnerable:

Check version number


Check protocol version
Behavior
Configuration
Run an exploit against it

SCANNING
NSE
Invoke with nmap -sC <ip> -p <ports>
Runs all scripts in the default category (same as --script=default)
Plenty more categories for you to see and play with.
Some are dangerous
Some attempt to break into systems
Be Careful
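Added example (not from the original slides) serving both the output-format slide and this NSE slide: a parser for nmap -oX output that pulls out live hosts, port states, service versions and the per-port NSE script results, which is what you need once a scan has produced more than a screen of data. The XML is a constructed sample in the shape nmap writes for nmap -sC -sV -oX out.xml <host>; the host, banners and script outputs are made up, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sC -sV -oX out.xml <host>` output;
# host, services and script output are made up for this example.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV -oX out.xml 192.168.1.10" version="7.94">
<host>
<status state="up" reason="echo-reply" reason_ttl="64"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<hostnames><hostname name="target.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
<script id="ssh-hostkey" output="3072 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)"/>
</port>
<port protocol="tcp" portid="80">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
<script id="http-title" output="Welcome to nginx!"/>
</port>
<port protocol="tcp" portid="443">
<state state="closed" reason="reset" reason_ttl="64"/>
<service name="https" method="table" conf="3"/>
</port>
</ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn nmap -oX output into plain dicts: one per host, each with its
    ports, service banners and any NSE script output attached to the port."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ports = []
        for port in host.iter("port"):
            svc = port.find("service")
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "version": version,
                # NSE results live under the port they ran against
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        hosts.append({
            "ip": addr.get("addr") if addr is not None else None,
            "hostnames": [h.get("name") for h in host.iter("hostname")],
            "status": host.find("status").get("state"),
            "ports": ports,
        })
    return hosts


def open_ports(host):
    """Port numbers reported open on one parsed host."""
    return [p["port"] for p in host["ports"] if p["state"] == "open"]


def script_results(hosts, script_id):
    """(ip, port, output) for every port where the given NSE script reported."""
    return [(h["ip"], p["port"], p["scripts"][script_id])
            for h in hosts for p in h["ports"] if script_id in p["scripts"]]


def service_inventory(hosts):
    """(ip, port, service, version) for open ports: the input to the
    'check version number' step of vulnerability scanning."""
    return [(h["ip"], p["port"], p["service"], p["version"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(h["ip"], h["hostnames"], h["status"], "open:", open_ports(h))
    for row in service_inventory(hosts):
        print("service", row)
    for row in script_results(hosts, "http-title"):
        print("http-title", row)
```

Run it on a real file with parse_nmap_xml(open("out.xml").read()); because -oA writes the XML alongside the normal and grepable files, this is also the format to keep for the business record the sniffer slide talks about.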

SCANNING
Automated Vulnerability scanners
Nessus
Core Impact
Rapid 7 Nexpose
Perform the same steps we have
Automate many of the steps
Can be more invasive than default
Have to learn to work with the management interface

SCANNING
LAB TIME......

SCANNING
Recap
There are plenty more topics to cover
Not enough time this week
Each area could cover weeks' worth of training
Critical that you understand this is just a start
