By Sunny Vaghela
Session Flow
1. Why Scanning?
2. Types of Scanning
3. Objective of Scanning
4. Port Scanning
5. Port Scanning Techniques
6. Banner Grabbing Techniques
7. Network Scanning Techniques
8. Network Auditors
9. Enumeration
Scanning
Scanning is the process of finding out open/closed ports and vulnerabilities in remote systems, servers and networks. Scanning will reveal:
1. IP addresses
2. Operating systems
3. Services running on each computer
Types of Scanning
There are three types of scanning:
1. Port Scanning
2. Network Scanning
3. Vulnerability Scanning
Port Scanning
Port scanning is one of the most popular techniques attackers use to discover the services they can break into. All machines connected to a LAN, or connected to the Internet via a modem, run many services that listen on well-known and not-so-well-known ports. Ports 1 to 65535 are available on a computer. By port scanning the attacker finds out which of these ports are open.
Ports
Port numbers are unique only within a computer system. They are 16-bit unsigned numbers, divided into three ranges:
1. Well Known Ports (0..1023)
2. Registered Ports (1024..49151)
3. Dynamic and/or Private Ports (49152..65535)
Example entry from the services file: www-http 80/tcp
SYN (Synchronize): used to initiate a connection between hosts.
ACK (Acknowledgement): used to establish a connection between hosts.
PSH (Push): tells the receiving system to deliver all buffered data.
URG (Urgent): states that the data contained in the packet should be processed immediately.
FIN (Finish): tells the remote system that there will be no more transmissions.
TTL: Time to Live.
Open Scan
Open Scan, also known as TCP scan and normally used when programming sockets, is the oldest technique; it works by making a full connection with the server. For that it exchanges 3 packets, known as the three-way handshake.
For open ports:
Client ----> SYN ----> Server
Client <---- SYN/ACK <---- Server
Client ----> ACK ----> Server
For closed ports:
Client ----> SYN ----> Server
Client <---- RST <---- Server
Advantages: very easy to program.
Disadvantages: very easy to detect, and the server logs each connection.
TCP Connect
TCP connect(): the connect() system call provided by the OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise the port isn't reachable.
Stealth Scan
A stealth scan is a kind of scan that is designed to go undetected by auditing tools.
Fragmented Scan: the scanner splits the TCP header into several IP fragments. This bypasses some packet-filter firewalls because they cannot see a complete TCP header to match against their filter rules.
SYN Scan
This technique is called half-open scanning because the TCP connection is never completed. A SYN packet is sent to the remote computer. If the target host responds with a SYN/ACK, the port is listening; an RST indicates a non-listener.
Host ----> SYN ----> Target Host
Host <---- SYN/ACK <---- Target Host (port open)
Host <---- RST <---- Target Host (port closed)
FIN Scan
Another technique sends erroneous packets to a port, expecting that open, listening ports will send back different error messages than closed ports. Closed ports reply to FIN packets with RST. Open ports ignore the packets.
Host ----> FIN ----> Target Host
Host <---- RST <---- Target Host (port closed)
Host <---- (no reply) ---- Target Host (port open)
XMAS Scan
An XMAS scan sends packets in which all flags in the TCP header are set to the target host. As with the FIN scan, closed ports reply with RST and open ports do not reply.
Host ----> XMAS (all flags set) ----> Target Host
Host <---- RST <---- Target Host (port closed)
Host <---- (no reply) ---- Target Host (port open)
NULL Scan
A Null scan sets no flags in the TCP header and sends the packet to the target host. As with the FIN and XMAS scans, closed ports reply with RST and open ports do not reply.
Host ----> NULL (no flags set) ----> Target Host
Host <---- RST <---- Target Host (port closed)
Host <---- (no reply) ---- Target Host (port open)
UDP Scanning
The attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, most operating systems send back an ICMP "Port Unreachable" message.
Host ----> UDP datagram ----> Target Host
Host <---- (no reply, or an application error) ---- Target Host (port open)
Host <---- ICMP Port Unreachable <---- Target Host (port closed)
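The flag combinations of the SYN, FIN, XMAS and NULL scans above are exactly what a network sensor keys on. The following is an added, defender-side example (not from the original slides) that labels constructed flow records by those combinations and reports any source that sends one probe type to many distinct ports; the record format and the five-port threshold are assumptions.

```python
# Added example (defender-side, not from the original slides): label the TCP
# flag combinations described above and spot a source sweeping many ports.
from collections import defaultdict

# Bits of the TCP header flags byte (RFC 793 order, low bit = FIN)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

def classify_probe(flags: int) -> str:
    """Map one segment's flags byte to the scan type it matches, or 'normal'."""
    if flags == 0:
        return "NULL"                 # no flags at all: never a legitimate segment
    if flags == SYN:
        return "SYN"                  # bare SYN: handshake start or half-open probe
    if flags == FIN:
        return "FIN"                  # FIN without ACK: FIN-scan probe
    if flags in (FIN | PSH | URG, ALL_FLAGS):
        return "XMAS"                 # nmap's FIN+PSH+URG form, or the all-flags form
    return "normal"

# Constructed flow records (src, dst, dport, flags byte); not real traffic.
RECORDS = (
    [("10.0.0.5", "10.0.0.1", p, SYN) for p in (22, 25, 80, 135, 139, 445)]
    + [("10.0.0.7", "10.0.0.1", p, 0) for p in (21, 23, 53, 111, 3389)]
    + [("10.0.0.9", "10.0.0.1", p, FIN | PSH | URG) for p in (80, 443, 8080)]
    + [("192.168.1.2", "10.0.0.1", 443, SYN),          # ordinary HTTPS client
       ("192.168.1.2", "10.0.0.1", 443, PSH | ACK)]
)

def find_sweeps(records, threshold=5):
    """Return {src: {scan_type: distinct_ports}} for every source that sent
    one probe type to at least `threshold` distinct (dst, port) pairs.
    A single bare SYN is normal; many SYNs to many ports is a SYN sweep."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind != "normal":
            seen[src][kind].add((dst, dport))
    report = {}
    for src, kinds in seen.items():
        hits = {k: len(v) for k, v in kinds.items() if len(v) >= threshold}
        if hits:
            report[src] = hits
    return report

if __name__ == "__main__":
    for src, hits in find_sweeps(RECORDS).items():
        print(f"{src}: {hits}")   # 10.0.0.5: {'SYN': 6} and 10.0.0.7: {'NULL': 5}
```

The three XMAS probes from 10.0.0.9 stay below the threshold, which is the trade-off a real sensor makes between catching slow scans and raising noise.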
Port Scanners
Nmap is a powerful utility for scanning large numbers of hosts. It is provided with a GUI as well as a command line interface, and it is supported by many operating systems.
It can carry out SYN Scan, FIN Scan, Stealth Scan, Half open scan & many other types.
Nmap options (scan types)
-sT (TCP connect)
-sS (SYN scan)
-sF (FIN scan)
-sX (Xmas scan)
-sN (Null scan)
-sP (Ping scan)
-sU (UDP scan)
-sO (Protocol scan)
-sI (Idle scan)
-sA (ACK scan)
-sW (Window scan)
-sR (RPC scan)
-sL (List/DNS scan)
Nmap options (host discovery)
-P0 (don't ping)
-PT (TCP ping)
-PS (SYN ping)
-PI (ICMP ping)
-PB (= PT + PI)
-PP (ICMP timestamp)
-PM (ICMP netmask)
Nmap options (timing)
-T Paranoid: serial scan & 300 sec wait
-T Sneaky: serialize scans & 15 sec wait
-T Polite: serialize scans & 0.4 sec wait
-T Normal: parallel scan
-T Aggressive: parallel scan & 300 sec timeout & 1.25 sec/probe
-T Insane: parallel scan & 75 sec timeout & 0.3 sec/probe
--host_timeout
--max_rtt_timeout (default 9000)
--min_rtt_timeout
--initial_rtt_timeout (default 6000)
--max_parallelism
--scan_delay (between probes)
Banner Grabbing
Banner grabbing is a method to determine the operating system running on the remote computer. It also reveals the versions of the different technologies used on the server. Active and passive fingerprinting are the two methods of banner grabbing.
Httprint is a banner grabbing utility. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or ServerMask. httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches and cable modems.
Enumeration
Introduction
Enumeration is a method of extracting usernames, network resources, machine names and services from hosts. A simple method to enumerate a system using a NetBIOS connection on Windows is:
C:\> net use \\10.0.0.1\IPC$ "" /u:""
This connects to the hidden interprocess communication share (IPC$) with an anonymous username (/u:"") and a blank ("") password.
NBTstat is a command line tool. Windows:
C:\> nbtstat -A <some IP address>
Enum Tool