
Scanning & Enumeration

By Sunny Vaghela

Session Flow
1. Why Scanning?
2. Types of Scanning
3. Objective of Scanning
4. Port Scanning
5. Port Scanning Techniques
6. Banner Grabbing Techniques
7. Network Scanning Techniques
8. Network Auditors
9. Enumeration

Scanning
Scanning is the process of finding open and closed ports, the services behind them and known vulnerabilities on remote systems, servers and networks. Scanning reveals:
1. Live IP addresses
2. Operating systems
3. Services running on each computer

Types of Scanning
There are three types of scanning:
1. Port Scanning
2. Network Scanning
3. Vulnerability Scanning

Port Scanning
Port scanning is one of the most popular techniques an attacker uses to discover which services are reachable before trying to break into one. Every machine connected to a LAN, or to the Internet via a modem, runs services that listen on well-known and not so well-known ports. A host has 65536 port numbers (0 to 65535) for TCP and the same range again for UDP; port 0 is reserved, so in practice 1 to 65535 are scanned. By port scanning the attacker finds which of these ports are open.

Ports
Port numbers are unique only within one host and one transport protocol (TCP and UDP each have their own space). Port numbers are 16-bit unsigned integers. They are divided into three ranges:
1. Well Known Ports (0..1023)
2. Registered Ports (1024..49151)
3. Dynamic and/or Private Ports (49152..65535)

Well Known Ports

Service    Port         Description
echo       7/tcp        Echo
ftp-data   20/tcp       File Transfer [Default Data]
ftp        21/tcp       File Transfer [Control]
ssh        22/tcp       SSH Remote Login Protocol
telnet     23/tcp       Telnet
smtp       25/tcp       Simple Mail Transfer Protocol
whois      43/tcp       whois server
domain     53/tcp,udp   Domain Name Server
www-http   80/tcp       World Wide Web HTTP

(FTP data connections run over TCP, and DNS uses UDP for ordinary queries and TCP for large answers and zone transfers.)

Well Known Ports (continued; these numbers are above 1023, so by the earlier definition they are registered ports)

Service   Port           Description
wins      1512/tcp       Microsoft Windows Internet Name Service
radius    1812/udp       RADIUS authentication protocol
yahoo     5010           Yahoo! Messenger
x11       6000-6063/tcp  X Window System

TCP Packet Header

The flag bits and related fields a port scanner cares about:
SYN: Synchronize. Used to initiate a connection between hosts; carries the initial sequence number.
ACK: Acknowledgement. Confirms receipt of data; set on every segment after the first SYN, so it is part of establishing the connection.
RST: Reset. Aborts a connection; a closed port answers a SYN with RST.
PSH: Push. Tells the receiving system to hand all buffered data to the application immediately.
URG: Urgent. States that the data in the packet should be processed immediately (the urgent pointer is valid).
FIN: Finish. Tells the remote system that there will be no more transmission from the sender.
WINDOW: Receive window, the amount of data the sender of the segment is willing to accept.
TTL: Time to Live. Strictly an IP header field, not TCP, but scanners read it from replies to help fingerprint the operating system.

Open Scan
Also known as TCP scan or full-open scan and normally done through the ordinary sockets API, this technique is the oldest and works by making a full connection with the server. It completes the three-packet exchange known as the three-way handshake (a handshake, not an authentication):

For an open port:
  Client ----> SYN ----> Server
  Client <---- SYN/ACK <---- Server
  Client ----> ACK ----> Server

For a closed port:
  Client ----> SYN ----> Server
  Client <---- RST <---- Server

Advantages: very easy to program and needs no special privileges.
Disadvantages: very easy to detect, and because the connection is completed the application on every open port can log it.

TCP Connect
TCPConnect(): the connect() system call provided by the OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() succeeds. If the port is closed, the target answers the SYN with RST and connect() fails with "connection refused". If nothing comes back at all, connect() times out, which usually means a firewall is dropping the probe (the port is filtered, not necessarily closed).
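The connect() scan described above, as an added example that is not code from the slides. It classifies each port exactly the way the text states (success, connection refused, timeout) and needs no raw sockets or root. The 127.0.0.1 target and the demo ports are constructed so the block runs offline; a real scan would pass the target host and port list to connect_scan().

```python
# Added example, not code from the slides: a connect() scanner that classifies
# ports the way the slide describes. The 127.0.0.1 target and the demo ports
# are constructed here so the block runs offline without root.
import socket


def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} using a full TCP handshake per port.

    open     - connect() succeeded (SYN, SYN/ACK, ACK all exchanged)
    closed   - the target answered the SYN with RST (ECONNREFUSED)
    filtered - nothing came back before the timeout (probe dropped)
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError as exc:          # e.g. EHOSTUNREACH, ENETUNREACH
                results[port] = "error:%s" % exc.errno
    return results


def free_port():
    """Ask the kernel for an unused port and release it so it reads as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening and one closed local port.

    Returns (results, open_port, closed_port). The listener never calls
    accept(): the kernel completes the handshake into the backlog, which is
    all a connect() scan ever sees.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = free_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port in sorted(results):
        print("%5d/tcp %s" % (port, results[port]))
```

The "filtered" branch cannot be shown on loopback, where every probe is answered; against a remote host behind a firewall that drops SYNs it is the most common result, which is why a scanner must not treat a timeout as "closed".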

Stealth Scan
A stealth scan is any scan designed to go undetected by auditing tools and intrusion detection systems, typically by never completing the handshake (the SYN, FIN, XMAS and NULL scans below) or by mangling the probe. Fragmented scan: the scanner splits the TCP header across several small IP fragments (nmap -f). This bypasses some packet-filter firewalls because they never see a complete TCP header to match against their filter rules; stateful firewalls and modern IDS reassemble the fragments first, so the trick no longer works against them.

SYN Scan
This technique is called half-open scanning because the TCP connection is never completed. A SYN packet is sent to the remote computer. If the target host responds with SYN/ACK, the port is listening; the scanner then sends RST to tear the embryonic connection down instead of completing the handshake, so most applications never see or log it. An RST reply indicates a non-listener (closed port), and no reply at all means the port is filtered. Crafting the raw SYN needs root or administrator privileges.

Open port:
  Host ----> SYN ----> Target Host
  Host <---- SYN/ACK <---- Target Host
  Host ----> RST ----> Target Host

Closed port:
  Host ----> SYN ----> Target Host
  Host <---- RST <---- Target Host

FIN Scan
Another technique sends out-of-state packets at a port, expecting that open listening ports will react differently from closed ones. Per RFC 793, a closed port replies to a lone FIN with RST, while an open port silently ignores it. Because "no reply" can also mean a firewall dropped the probe, nmap reports such ports as open|filtered. Windows, many Cisco devices and some other stacks do not follow this rule and send RST for every port, so against them FIN, XMAS and NULL scans cannot tell open ports from closed ones.

  Host ----> FIN ----> Target Host
  Host <---- (no reply if open, RST if closed) <---- Target Host

XMAS Scan
An XMAS scan sends packets with the FIN, URG and PSH flags set together (the packet is "lit up like a Christmas tree"; some older tools set all six flags). The replies are interpreted exactly as for the FIN scan.

  Host ----> FIN/URG/PSH ----> Target Host
  Host <---- (no reply if open, RST if closed) <---- Target Host

NULL Scan
A NULL scan sends TCP packets with no flags set at all. Again, a closed port answers with RST and an open port stays silent.

  Host ----> TCP, no flags ----> Target Host
  Host <---- (no reply if open, RST if closed) <---- Target Host
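The SYN, FIN, XMAS and NULL exchanges above, as one added example that is not code from the slides. It builds the TCP header each scan type sends (including the pseudo-header checksum a raw-socket scanner has to compute itself) and classifies the reply by its flag bits. Actually transmitting a hand-built header needs a raw socket and root, which this block does not do; instead respond() plays an RFC 793 target so both sides of each exchange are visible. The addresses and ports are constructed for the demo.

```python
# Added example, not code from the slides: build the probes the SYN, FIN, XMAS
# and NULL scans send and classify the replies by their flag bits. Transmitting
# a hand-built TCP header needs a raw socket (root), so this block only builds
# and parses bytes; the IPs and ports are constructed for the demo, and
# respond() plays an RFC 793 target so both sides of each exchange are visible.
import socket
import struct

# TCP flag bits, low bit first as they sit in the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBE_FLAGS = {
    "syn": SYN,                # -sS, half-open
    "fin": FIN,                # -sF
    "xmas": FIN | PSH | URG,   # -sX, the three flags nmap "lights up"
    "null": 0,                 # -sN, no flags at all
}


def checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header (no options) with a valid checksum."""
    offset_flags = (5 << 12) | flags   # data offset = 5 words, reserved bits 0
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # bytes 16-17 hold the checksum


def checksum_ok(src_ip, dst_ip, segment):
    """A correct segment sums to zero once its own checksum field is included."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flags_of(segment):
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def respond(listening, probe, src_ip, dst_ip):
    """What an RFC 793 stack sends back: SYN/ACK from a listener, RST from a
    closed port, silence for FIN/XMAS/NULL probes that hit an open port.
    Sequence bookkeeping is simplified (ack = seq + 1 in every RST)."""
    sport, dport, seq = struct.unpack("!HHI", probe[:8])
    f = flags_of(probe)
    if f & RST:
        return None
    if listening:
        if f & SYN:
            return build_tcp(dst_ip, src_ip, dport, sport, SYN | ACK, seq=4242, ack=seq + 1)
        return None                         # FIN / XMAS / NULL are dropped
    return build_tcp(dst_ip, src_ip, dport, sport, RST | ACK, ack=seq + 1)


def classify(scan, reply):
    """Port state the scanner infers from the reply to one probe."""
    if scan == "syn":
        if reply is None:
            return "filtered"
        f = flags_of(reply)
        if f & SYN and f & ACK:
            return "open"
        return "closed" if f & RST else "unknown"
    # FIN / XMAS / NULL: RST proves closed; silence is open or a dropped probe
    if reply is None:
        return "open|filtered"
    return "closed" if flags_of(reply) & RST else "unknown"


def demo(src_ip="10.0.0.5", dst_ip="10.0.0.1", dport=80):
    """Run all four scans against a listening and a closed port.
    Returns {(scan, listening): state}."""
    out = {}
    for scan, flags in PROBE_FLAGS.items():
        probe = build_tcp(src_ip, dst_ip, 40000, dport, flags, seq=1000)
        assert checksum_ok(src_ip, dst_ip, probe)
        for listening in (True, False):
            out[(scan, listening)] = classify(scan, respond(listening, probe, src_ip, dst_ip))
    return out


if __name__ == "__main__":
    for (scan, listening), state in demo().items():
        print("%-4s scan, port %-9s -> %s" % (scan, "listening" if listening else "closed", state))
```

To send these bytes for real, open socket.socket(AF_INET, SOCK_RAW, IPPROTO_TCP) as root and sendto() the segment; the kernel prepends the IP header, and the reply must be read from the same raw socket and filtered on the source port. Note that the simulated target follows RFC 793; the stacks mentioned under FIN scan would return RST for every probe, and the three "open|filtered" rows would then read "closed" for every port.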

FTP Bounce Scan

FTP bounce scanning takes advantage of a weakness in the FTP protocol itself: the PORT command lets a client ask the server to open its data connection to an arbitrary IP address and port, a feature called proxy FTP. The attacker issues PORT commands naming the victim's ports and watches whether the following data transfer (for example LIST) succeeds or fails, so the FTP server performs the scan on the attacker's behalf. Bouncing through the FTP server hides where the attacker comes from, similar in effect to IP spoofing, and can reach hosts behind a firewall that trusts the FTP server. It only works against servers that still allow third-party PORT targets; nmap supports it with -b.

UDP Scanning
The attacker generally sends empty UDP datagrams (or protocol-specific payloads for services such as DNS and SNMP). If the port is listening, the service may answer, but most services ignore an empty datagram, so silence means either open or filtered. If the port is closed, most operating systems send back an ICMP "Port Unreachable" message (type 3, code 3); there is no RST in UDP. Many systems rate-limit these ICMP errors (Linux to about one per second by default), which makes large UDP scans slow.

Open or filtered port:
  Host ----> UDP datagram ----> Target Host
  Host <---- (no reply, or a UDP reply if the service answers) <---- Target Host

Closed port:
  Host ----> UDP datagram ----> Target Host
  Host <---- ICMP Port Unreachable <---- Target Host
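The UDP probe above, as an added example that is not code from the slides. The point it shows is how an ordinary (non-raw) program learns about the ICMP Port Unreachable: on a connected UDP socket the kernel reports it as ECONNREFUSED on the next recv(), while silence within the timeout stays ambiguous. The 127.0.0.1 target and demo ports are constructed; the demo relies on the loopback behaviour of Linux and the BSDs.

```python
# Added example, not code from the slides: a UDP port probe. UDP has no
# handshake, so "closed" is learned only from the ICMP Port Unreachable the
# target returns; a connected UDP socket is how that ICMP error reaches an
# ordinary program (ECONNREFUSED on the next recv()). The 127.0.0.1 target and
# the demo ports are constructed here.
import socket


def udp_probe(host, port, payload=b"", timeout=1.0):
    """Return 'open', 'closed' or 'open|filtered' for one UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))     # connect() so ICMP errors are reported on this socket
        s.send(payload)             # an empty datagram, as the slide describes
        try:
            s.recv(1024)
            return "open"           # the service answered (most need a protocol-specific payload)
        except ConnectionRefusedError:
            return "closed"         # ICMP type 3 code 3 (port unreachable) came back
        except socket.timeout:
            return "open|filtered"  # silence: a mute listener or a firewall dropping the probe


def free_udp_port():
    """Ask the kernel for an unused UDP port and release it so it reads as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout=0.5):
    """Probe a bound-but-silent local UDP port and an unbound one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))   # bound, never reads: looks like a mute service
    bound_port = listener.getsockname()[1]
    closed_port = free_udp_port()
    try:
        return {
            "bound": udp_probe("127.0.0.1", bound_port, timeout=timeout),
            "closed": udp_probe("127.0.0.1", closed_port, timeout=timeout),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print("%-6s port -> %s" % (label, state))
```

Against a remote target the "closed" answer depends on the ICMP error actually arriving: a firewall that drops ICMP, or the target's ICMP rate limit, turns closed ports into "open|filtered" as well, which is why nmap retries and slows down on UDP scans.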

Port Scanners
Nmap is a powerful utility for scanning large numbers of hosts. It provides a command line interface as well as a GUI (Zenmap) and is supported on many operating systems.

It can carry out connect, SYN (half-open), FIN, XMAS, NULL, UDP, idle and many other types of scan, plus OS and service version detection.

Nmap options
Scan types:
-sT (TCP connect scan)
-sS (SYN scan)
-sF (FIN scan)
-sX (Xmas scan)
-sN (Null scan)
-sP (ping scan; -sn in current versions)
-sU (UDP scan)
-sO (IP protocol scan)
-sI (idle scan)
-sA (ACK scan)
-sW (Window scan)
-sR (RPC scan; removed from current versions, covered by -sV)
-sL (list scan: resolves names only, sends no probes)

Nmap options
Host discovery:
-P0 (don't ping; -Pn in current versions)
-PT (TCP ping; -PA in current versions)
-PS (SYN ping)
-PI (ICMP echo ping; -PE in current versions)
-PB (= PT + PI, the old default)
-PP (ICMP timestamp ping)
-PM (ICMP netmask ping)

Nmap options
Timing (the named templates correspond to -T0 .. -T5 in current versions):
-T Paranoid: serial scan, 300 sec wait between probes
-T Sneaky: serial scan, 15 sec wait
-T Polite: serial scan, 0.4 sec wait
-T Normal: parallel scan (the default)
-T Aggressive: parallel scan, 300 sec host timeout, 1.25 sec per probe
-T Insane: parallel scan, 75 sec host timeout, 0.3 sec per probe
--host_timeout
--max_rtt_timeout (default 9000 ms)
--min_rtt_timeout
--initial_rtt_timeout (default 6000 ms)
--max_parallelism
--scan_delay (delay between probes)
Current versions spell these with hyphens (for example --max-rtt-timeout) and accept units such as 500ms.

Other Port Scanners

Windows GUI alternatives to Nmap:
1. NetworkActiv Port Scanner
2. Global Network Inventory
3. NetScanTools
4. MegaPing

Banner Grabbing
Banner grabbing is the method of reading what a service announces about itself (its banner) to determine the software and version behind a port, and from that often the operating system running on the remote computer. Active and passive fingerprinting are the two ways of doing it.

Active & Passive Banner Grabbing

In active banner grabbing, specially crafted packets are sent to the remote system or server and the responses are recorded and compared against a database of known TCP/IP stack behaviours to determine the OS and version (nmap -O works this way). In passive banner grabbing, sniffing packets the target sends anyway (TTL, window size, TCP options) reveals the operating system. Passive grabbing is less accurate than active probing, but because it generates no traffic of its own it cannot be detected by the target, whereas active probing can.

Banner Grabbing
httprint is a web server fingerprinting utility. It relies on web server characteristics (header order, response to malformed requests and similar behaviour) to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner string or by plug-ins such as mod_security or ServerMask. httprint can also be used to identify web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches and cable modems.
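Active banner grabbing at the application layer, as an added example that is not code from the slides or from httprint. Services such as SSH, SMTP and FTP speak first, so reading the greeting is enough; HTTP waits for a request, so the grabber sends a HEAD and picks out the Server header. The two local "services" and their banner strings are constructed for the demo; a real run would point grab_banner() and http_server_header() at a remote host.

```python
# Added example, not code from the slides: active banner grabbing over plain
# TCP. The two fake services and their banners below are constructed stand-ins
# for remote hosts so the block runs offline.
import socket
import threading


def grab_banner(host, port, probe=b"", timeout=2.0):
    """Connect, optionally send a probe, and return the first bytes the service sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""          # service waits for the client: retry with a protocol probe


def http_server_header(host, port):
    """Banner grab for HTTP: the Server header of a HEAD response, or None."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    reply = grab_banner(host, port, request)
    for line in reply.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode(errors="replace")
    return None


def _fake_service(banner, wait_for_request):
    """Constructed stand-in for a remote service; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)              # HTTP: wait for the HEAD before answering
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Grab an SSH-style greeting and an HTTP Server header from two constructed services."""
    ssh_port = _fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n", False)
    http_port = _fake_service(
        b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\nContent-Length: 0\r\n\r\n", True)
    return {
        "ssh": grab_banner("127.0.0.1", ssh_port).decode().strip(),
        "http": http_server_header("127.0.0.1", http_port),
    }


if __name__ == "__main__":
    for service, banner in demo().items():
        print("%-4s -> %s" % (service, banner))
```

The strings this returns are exactly what an administrator can change (see the next slide), which is why a banner alone is a hint and not proof; httprint's behavioural checks exist because the Server header is trivially forged.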

Disabling Banners on Linux & Windows servers

On Apache 2.x, set ServerTokens Prod and ServerSignature Off in httpd.conf to reduce the header to "Server: Apache" and remove the version footer from error pages. On IIS one can use ServerMask to replace or block the banner. Tools such as httprint fingerprint behaviour rather than the string, so hiding the banner only defeats the lazy check; it is still worth doing because it removes the exact version from automated scanners.
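The Apache side of the previous slide as a configuration fragment. This is an added example, not taken from the slides; the version string shown in the comment is an illustrative value of what the default Full setting exposes.

```apache
# Added example, not from the slides: httpd.conf banner settings for Apache 2.x.
# Weak (the defaults), shown commented out. With ServerTokens Full the header
# reads something like:
#   Server: Apache/2.4.57 (Debian) OpenSSL/3.0.2
# and error pages carry the same string as a footer.
#ServerTokens Full
#ServerSignature On

# Hardened: the header shrinks to "Server: Apache" and error pages and
# directory listings lose the version footer.
ServerTokens Prod
ServerSignature Off
```

Both directives are server-wide; ServerTokens cannot be set per virtual host. Apache does not honour a trailing comment on a directive line, so the comments above sit on their own lines. On IIS 10 and later there is also a built-in equivalent to ServerMask's basic function: removeServerHeader="true" on the requestFiltering element of web.config.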

Enumeration


Introduction
Enumeration is the method of extracting usernames, network resources, shares, machine names and services from hosts. A simple way to enumerate a Windows system over a NetBIOS/SMB connection is the null session:

  C:\> net use \\10.0.0.1\IPC$ "" /u:""

This connects to the hidden inter-process communication share (IPC$) with an anonymous username (/u:"") and an empty password (""). Once connected, tools can query the host for users, groups and shares; newer Windows versions restrict what a null session may list (the RestrictAnonymous settings).

Introduction
nbtstat is a command line tool on Windows that lists the NetBIOS name table of a remote machine (computer name, domain or workgroup, logged-on user, whether the Server service is running):

  C:\> nbtstat -A <some IP address>

The enum tool (enum.exe) goes further over a null session and lists users, groups, shares and the password policy.
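Turning the name table that nbtstat -A prints into the facts an enumerator wants, as an added example that is not code from the slides. The NetBIOS suffix codes (<00>, <03>, <20> and so on) are what distinguish the computer name from the domain and the logged-on user, which is the part of the output people misread. SAMPLE is constructed to look like nbtstat output, not a real capture.

```python
# Added example, not code from the slides: parse the NetBIOS name table that
# "nbtstat -A <ip>" prints. SAMPLE is constructed to look like nbtstat output;
# it is not a real capture.
import re

# NetBIOS suffix (hex) plus record type -> what the name represents.
MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"): "domain or workgroup",
    ("03", "UNIQUE"): "messenger service (user or computer name)",
    ("20", "UNIQUE"): "server service (file/print sharing enabled)",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controllers",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser service elections",
}

SAMPLE = """
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    FILESRV01      <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""

ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_nbtstat(text):
    """Return the name records plus the facts an enumerator derives from them."""
    records = [(name, suffix.upper(), kind) for name, suffix, kind, _status in ROW.findall(text)]
    machine = next((n for n, s, k in records if (s, k) == ("00", "UNIQUE")), None)
    domain = next((n for n, s, k in records if (s, k) == ("00", "GROUP")), None)
    # <03> UNIQUE is registered once for the computer and once per logged-on user,
    # so the user names are the <03> entries that are not the machine name.
    users = sorted({n for n, s, k in records if (s, k) == ("03", "UNIQUE") and n != machine})
    mac = MAC.search(text)
    return {
        "machine": machine,
        "domain": domain,
        "users": users,
        "file_sharing": any((s, k) == ("20", "UNIQUE") for _n, s, k in records),
        "mac": mac.group(1) if mac else None,
        "records": [(n, s, k, MEANING.get((s, k), "other")) for n, s, k in records],
    }


if __name__ == "__main__":
    info = parse_nbtstat(SAMPLE)
    for key in ("machine", "domain", "users", "file_sharing", "mac"):
        print("%-12s %s" % (key, info[key]))
    for name, suffix, kind, meaning in info["records"]:
        print("  %-15s <%s> %-6s %s" % (name, suffix, kind, meaning))
```

A <20> record without any <03> user entry is a file server nobody is logged on to interactively; a <1C> GROUP entry marks the host as a domain controller, which changes what the null session and enum can pull from it.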
