Presentation on theme: "Presenter BIO Strengths Weakness Security Interests Something Fun."— Presentation transcript:
1 Capital Area Cyber Security User Group, Class 3: Active Information Gathering, the Fine Art of Scanning
2 Presenter BIO
- Strengths
- Weakness
- Security Interests
- Something Fun
3 User Group Objective
- Give students offensive knowledge to better defend computer networks
- Hands-on security training to complement theory; put theories into practice
- "Tell me and I'll forget; show me and I may remember; involve me and I'll understand."
- Knowledge sharing: the power of group learning
4 USER GROUP OBJECTIVE Contd.
- Group exercise: what do you see in the following pictures?
- Face, bridge and women
- John Lennon
5 USER GROUP OBJECTIVE Contd.
- Increase experience with a multitude of security aspects
- Network with other security-minded professionals
- Play in a safe lab environment not offered at work or home
- Earn CPEs to maintain certifications without high costs. For CISSP: preparing and presenting a 2 hour presentation = 8 CPEs; participating 1 hour = 1 CPE; updating an existing presentation (see the ISC2 chart for specifics)
6 USER GROUP OBJECTIVE Contd.
- Have your questions answered; bring hard issues that require solutions
- Improve public speaking and training skills
7 CEH Certified Ethical Hacker Study Guide, Kimberly Graves, 2010
Course chapters:
- Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality
- Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering
- Chapter 3: Gathering Network and Host Information: Scanning and Enumeration
- Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files
- Chapter 5: Trojans, Backdoors, Viruses, and Worms
- Chapter 6: Gathering Data from Networks: Sniffers
- Chapter 7: Denial of Service and Session Hijacking
- Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques
- Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows
- Chapter 10: Wireless Network Hacking (Wi-Fi and Ethernet)
- Chapter 11: Physical Site Security
- Chapter 12: Hacking Linux Systems
- Chapter 14: Cryptography
- Chapter 15: Performing a Penetration Test
8 Course Agenda
- Class 1: Methodologies and Lab Setup
- Class 2: Passive Information Gathering
- Class 3: Active Information Gathering (Nessus)
- Class 4: Wireless and Wired Network Enumeration
- Class 5: Target System Penetration
- Class 6: Privilege Escalation, Maintaining Access, and Malware
- Class 7: Web Application Penetration
- Class 8: Covering Tracks, IDS, Reporting, and Cleanup
- Class 9: Metasploit
- Class 10: Physical Security (Lock Picking etc.)
- Class 11: Capture the Flag
9 Agenda: Active Information Gathering
- Ping
- Port Scan
- Operating System Fingerprinting
- Intrusion Detection Systems
- Exercises
10 DO NOT perform any activities from this course on any network/system or on a network connected device without proper permission!Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.
11 Information Systems Security Assessment Framework (ISSAF)
12 What We Know via Passive Information Gathering
- Critical services
- Key employees
- Partner companies
- Company website, IP and addresses
- Physical address and location
- Domain names
- Types of operating systems, databases, servers, protocols, and programming languages used (basic)
13 What is Active Information Gathering?
- The process of searching for information that an attacker could potentially use to exploit the target network
- Identify live systems
- Map the network
- Types of operating systems, databases, servers, protocols, and programming languages used (in-depth)
- Identify system vulnerabilities
14 Why Do Active Information Gathering?
- More information about the target can make the penetration test easier during the later phases
- "Know your enemies and know yourself, you will not be imperiled in a hundred battles." – Sun Tzu, Art of War
- "Generally, a hacker spends 90 percent of the time profiling and gathering information on a target and 10 percent of the time launching the attack." – Kimberly Graves
- "Good hackers will spend 90 – 95 percent of their time gathering information for an attack." – Walker
Increases success rate tenfold. In the Art of War the importance of spies to obtain information (watch/listen/report) is stressed; similarly it should not be overlooked as a means to gather information about the target.
15 Why Do Active Information Gathering? Timing the Attack
- Example: around patch releases such as Microsoft Patch Tuesday or Oracle CPU
- Off hours such as holidays, vacations, or peak hours
16 Active vs. Passive Information Gathering
- Active: touch the device/network or talk to employees (for example, a vulnerability scan)
- Passive: do not communicate with or touch the target, such as Google searching for publicly available information
17 ICMP and Ping
- Internet Control Message Protocol (ICMP) is the part of the TCP/IP protocol suite used to send error messages for network diagnostics
- Ping is the most common type of ICMP message
- Used to verify network connectivity
- Sends an echo request to a system and waits for an echo response (only active systems respond)
- Cannot show which services a system is running
18 Ping Examples
[Images: active system response; inactive system response]
Question: what does this image tell you? The system is down, or blocked.
(Source: Build Your Own Security Lab)
20 Ping Sweep
- Command-line pinging only allows one system to be pinged at a time
- Use a ping sweep to scan a large number of systems: SuperScan, Angry IP Scanner, Nmap
- Nmap's -sn option uses ping and TCP packets to find live hosts
A ping sweep is technically the scanning of every address in a subnet, not just a few at a time. Some systems, such as Windows XP, limit the number of IPs that can be scanned at one time during a ping sweep (for example, 10).
21 Ping Defenses
- Many administrators block ping from passing the gateway device
- Ensure blocked activity is logged and generates notifications
- Configure rules, test, and monitor
- Disable running services to prevent ping from identifying active systems
- Shields Up is a scan that will show what ports and services are open on a local machine
- Netstat, CurrPorts
Snort-style rule for TCP pings:
alert tcp any any -> /24 any (flags: A; ack: 0; msg: "TCP ping detected";)
25 Types of Scanning
- Port scanning: determine open ports and services
- Network scanning: identify IP addresses on a network/subnet
- Vulnerability scanning: discover weaknesses on target systems
26 Scanning and the Law
- Do not scan without permission! Scanning can cause a DoS attack and land you in jail.
- Your ISP might drop your scanning attempts and/or blacklist you
27 CEH Scanning Methodology Kimberly Graves CEH Book
28 When to Scan
- Determine when to scan
- Don't risk discovery if you already know the host is easy to hack
- If a specific host is well guarded, opt for a less guarded host or implement a different strategy such as social engineering
29 Port Scanning
- Port scanning probes the 65,535 TCP and UDP ports to discover listening services on a target system
- An attacker can determine the best means of attacking a system by knowing the open services and version numbers
- Most scans only look at the first 1024 ports since those ports are often hacked: FTP (20/21), Telnet (23), SMTP (25), DNS (53), TFTP (69), HTTP (80), SNMP (161/162)
30 Ports
- Malicious software default ports: port 1095 Remote Administration Tool (RAT); port 7777 Tini; Trinoo; Back Orifice
- Weak protocol ports: FTP (20/21), Telnet (23)
- Common Windows ports: locate common ports on Windows in c:\windows\system32\drivers\etc\services
31 Ports
- Common Linux software-based ports
- Common Apple used ports
- Look for software that only runs on a specific OS
- Locate common ports on Windows in c:\windows\system32\drivers\etc\services
32 Port States
- Open – accepting incoming requests
- Closed – accessible but no application listening on it
- Filtered – firewall screening the port
- Unfiltered – determined to be closed, no firewall
- Open | Filtered – unsure if open or filtered
- Closed | Filtered – unsure if closed or filtered
The six port states recognized by Nmap:
open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.
closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.
filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.
unfiltered: The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
closed|filtered: This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
33 TCP and UDP
- Applications use TCP/UDP ports to use the correct protocols for network communication
- TCP uses a three-step handshake to open a data link and a four-step shutdown to close the link
- A one-byte flag field controls communication (URG, ACK, PSH, RST, SYN, FIN)
- Nmap manipulates the flags to identify active systems
- UDP does not use handshaking, so it is faster but less reliable and easier to spoof: "fire and forget"
36 TCP Flags
- SYN – Synchronize. Initiates a connection between hosts
- ACK – Acknowledge. Establishes a connection between hosts
- PSH – Push. System is forwarding buffered data
- URG – Urgent. Data in packets processed quickly
- FIN – Finish. No more transmissions
- RST – Reset. Resets the connection
37 Scan Types and Responses All scans will display RST for closed ports, except for an ACK scan which will return no response.Information about other scan types can be found online at
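As an added example (not code from the slides or from Nmap), the decoder below pulls the six flag bits out of a raw TCP header and labels the flag combinations that the scan types above rely on, the way a signature-based IDS would flag them on inbound traffic; the sample headers are constructed inline so the script runs offline.

```python
"""Decode the TCP flag byte and label the probe types described on the slides.

Added example for this page, not code from the original slides or from Nmap.
The flag bit values are the standard TCP header bits; every packet used here
is constructed by build_tcp_header(), so the script runs offline.
"""
import struct

# Bit values of the six classic flags in the low byte of the TCP flag field.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(flag_byte):
    """Return the set of flag names whose bits are set in the one-byte field."""
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def classify_probe(flags):
    """Label an inbound packet by the scan probe its flag combination matches.

    Only combinations a normal TCP stack never sends unsolicited are labelled
    as scan probes (NULL, Xmas, FIN, SYN+FIN); a bare SYN or bare ACK is also
    what legitimate traffic looks like, so those are reported as candidates
    for rate-based detection rather than as scans in their own right.
    """
    if not flags:
        return "NULL scan probe"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan probe"
    if flags == {"FIN"}:
        return "FIN scan probe"
    if {"SYN", "FIN"} <= flags:
        return "invalid SYN+FIN combination (scan or OS fingerprinting probe)"
    if flags == {"SYN"}:
        return "bare SYN (connection attempt; SYN or connect scan if repeated)"
    if flags == {"ACK"}:
        return "bare ACK (ACK scan / firewall mapping, or mid-stream traffic)"
    return "ordinary"


def parse_tcp_header(raw):
    """Extract ports and flags from the first 14 bytes of a TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", raw[:14])
    flags = decode_flags(offset_flags & 0x3F)  # low six bits: URG..FIN
    return {"sport": sport, "dport": dport, "flags": flags,
            "probe": classify_probe(flags)}


def build_tcp_header(sport, dport, flag_names):
    """Construct a minimal 20-byte TCP header (no options, zero checksum)."""
    flag_byte = 0
    for name in flag_names:
        flag_byte |= FLAG_BITS[name]
    offset_flags = (5 << 12) | flag_byte  # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags,
                       1024, 0, 0)


def summarize(headers):
    """Count probe labels over a batch of raw headers, as an IDS report would."""
    counts = {}
    for raw in headers:
        label = parse_tcp_header(raw)["probe"]
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one probe of each scan type plus normal traffic.
    sample = [build_tcp_header(40001, 22, []),
              build_tcp_header(40002, 22, ["FIN", "PSH", "URG"]),
              build_tcp_header(40003, 80, ["FIN"]),
              build_tcp_header(40004, 80, ["SYN"]),
              build_tcp_header(80, 40004, ["SYN", "ACK"])]
    for label, n in summarize(sample).items():
        print(f"{n} x {label}")
```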
38 Other Scan Types
- RPC scan: determine if open ports are RPC ports
- Idle scan: use an idle host to bounce packets and make the scan harder to trace
[Diagram: "Open Port Idle Scan" and "Closed Port Idle Scan" panels showing the attacker, idle host and victim exchanging IPID probe/response, SYN, SYN/ACK and RST packets, with IPID values 12345, 12346 and 12347]
39 Port Scanning Tools
- GUI-based: Nmap, SuperScan
- Command line-based: Nmap, hping2
- Nmap is an open source network mapping and security auditing tool that modifies IP packets to gain information about active systems
40 Nmap
Basic scan options:
- -sS (TCP SYN)
- -sT (TCP full connect)
[Image: TCP full connect example]
41 Nmap
Nmap switches: ping options, scan types, output, scan speed.
Output can be put in XML for searching via grep or to import into a database; normal output is just displayed on the screen.
42 Zenmap
The free cross-platform Nmap GUI. Additional features:
- Save scan results
- Save scan options for repetitive scans
- Sort scans by host, port, and service
- Display scan results in a more user-friendly format
- Display a visual interpretation of traceroute
(Nmap.org)
43 Hping2
hping2 --scan S localhost
Scanning localhost ( ), port
ports to scan, use -V to see all the replies
|port| serv name | flags |ttl| id | win |
111 sunrpc : .S..A
All replies received. Done.
Not responding ports:
44 Defend Against Port Scanning
- Only keep necessary ports open
- Periodically check for open ports and close unused ports
- Employee policies, training, and rules of behavior
- Filter traffic through a stateful inspection firewall
- IDS
- Change service banners so that they return incorrect information
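The ping defenses (logging blocked activity, the TCP ping rule) and the port-scan defenses above both come down to spotting one source touching many hosts or many ports in a short window. As an added example (not code from the slides or from Snort/Suricata), the detector below runs that logic over constructed gateway log lines in a made-up format and reports each offender once.

```python
"""Flag ping sweeps and port scans in firewall log lines.

Added example for this page, not code from the slides or from any product.
The log format below is constructed for the example: one line per packet the
gateway saw, "<timestamp> <proto> <src> -> <dst>[:<dport>] [<info>]".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>ICMP|TCP|UDP) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: (?P<info>.*))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    event["dport"] = int(event["dport"]) if event["dport"] else None
    return event


def detect(lines, window=timedelta(seconds=60), sweep_hosts=5, scan_ports=10):
    """Return alert strings for sources that sweep many hosts or many ports.

    A ping sweep is one source sending ICMP echo requests (type 8) to at least
    sweep_hosts distinct hosts inside the window; a port scan is one source
    touching at least scan_ports distinct ports on one host inside the window.
    Each offender is reported once.
    """
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    echo_targets = defaultdict(list)   # src -> [(ts, dst)]
    port_targets = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    reported, alerts = set(), []
    for e in events:
        if e["proto"] == "ICMP" and e["info"] == "type=8":
            history = echo_targets[e["src"]]
            history.append((e["ts"], e["dst"]))
            recent = {dst for ts, dst in history if e["ts"] - ts <= window}
            key = ("sweep", e["src"])
            if len(recent) >= sweep_hosts and key not in reported:
                reported.add(key)
                alerts.append(f"ping sweep: {e['src']} probed {len(recent)} "
                              f"hosts within {window.seconds}s")
        elif e["proto"] in ("TCP", "UDP") and e["dport"] is not None:
            history = port_targets[(e["src"], e["dst"])]
            history.append((e["ts"], e["dport"]))
            recent = {port for ts, port in history if e["ts"] - ts <= window}
            key = ("scan", e["src"], e["dst"])
            if len(recent) >= scan_ports and key not in reported:
                reported.add(key)
                alerts.append(f"port scan: {e['src']} -> {e['dst']} touched "
                              f"{len(recent)} ports within {window.seconds}s")
    return alerts


def constructed_log():
    """Build a constructed sample: one noisy host plus ordinary traffic."""
    lines = [f"2012-03-18T10:11:{i:02d} ICMP 10.0.0.5 -> 10.0.0.{i + 1} type=8"
             for i in range(6)]
    ports = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443]
    lines += [f"2012-03-18T10:12:{i:02d} TCP 10.0.0.5 -> 10.0.0.12:{p} SYN"
              for i, p in enumerate(ports)]
    lines += ["2012-03-18T10:12:30 TCP 10.0.0.7 -> 10.0.0.12:80 SYN",
              "2012-03-18T10:12:31 ICMP 10.0.0.12 -> 10.0.0.7 type=0",
              "garbage line the parser must skip"]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Tightening the window to a couple of seconds makes the same log fall below both thresholds, which is the trade-off between catching slow scans and tolerating bursts of normal traffic.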
45 Active OS Fingerprinting
- Find high value targets and/or weak targets
- Actively modify and send IP packets to the target to elicit a response that can identify the host operating system (FIN probe, ACK value, bogus flag probe)
- More accurately determines the target OS
- Nmap's -O and xprobe2's listening mode can actively identify operating systems
- The target computer can more easily detect active OS fingerprinting scans
46 Passive Stack Fingerprinting
- Stealthier: examines traffic on the network (sniffing vs. scanning)
- Less accurate
47 Nmap Fingerprinting
- The -O option will try to match response packets to a database of known operating system fingerprints
- Nmap's -sV option can identify service banners on open ports
- Limiters to speed up scans: --osscan-limit, --max-os-tries
48 Defending Against OS Fingerprinting
- Block unneeded or suspicious traffic at the firewall
- Use an Intrusion Detection System (IDS)
- Set access control lists (ACLs) on routers to block suspicious traffic
49 Intrusion Detection Systems
Intrusion detection systems (IDSs):
- Inspect network/host activity
- Identify suspicious traffic and anomalies
- Examples: Snort, Suricata
Two categories of IDS:
- Network-based intrusion detection systems
- Host-based intrusion detection systems
IDSs are usually made of multiple software applications and/or hardware devices with the following components:
- Network sensors
- Central monitoring system
- Report analysis
- Database and storage components
- Response box
[Image: Suricata open source IDS]
50 IDS Engines
Types of intrusion detection system engines or methods:
- Signature-based: a database of attack signatures is pattern-matched against current activity; if matched, generate and report an alert
- Anomaly-based: learn and update normal activities from historical data and compare current data with them; if uncharacteristic, generate and report an alert
[Diagram: signature-based and anomaly-based engine flowcharts]
51 Active Information Gathering Tools
[Table columns: Ping Sweep, Port Scan, Passive OS, Active OS, GUI, Command Line, Host OS]
- Nmap (Win/Linux)
- SuperScan (Win)
- Angry IP Scanner
- THC-Amap (Linux)
- TCPTraceroute
- p0f
- xprobe2
52 Scrutinizing Key Employees
Useful information to prepare for social engineering:
- Debt (payoff)
- Disgruntled (layoffs from mergers)
- Vacations
- Embarrassing information (blackmail)
How to get this information:
- Run a credit report (illegal without permission)
- Find out via Facebook status etc.
- Bugs/cameras/spies/stakeout/pick pocket
- Positioning of monitors and the use of security/privacy screens
53 Social Engineering Key Employees
- Kevin Mitnick – father of social engineering
- At age 12, socially engineered a bus driver to circumvent the punch card system for LA buses
- Went on to hacking phones, systems etc.; was captured and put in solitary confinement due to fears that he could launch a nuclear missile by whistling into a phone
54 WLAN Threat
- Wardriving – driving around a target with special equipment to record information about WAPs. Equipment: laptop with a wireless network interface controller, GPS device, antennae and network discovery tools (Kismet)
- Warwalking – walking around or sitting near a target with a laptop and other equipment in a backpack
- Warflying
55 WLAN Threat
Sniff traffic on the WLAN for:
- Operating systems
- Ports/services information
- Passwords
- Misc. sensitive information
56 War Dialing
[Image: Kismet UI main view]
- Dial every number until an unsecured modem is found
- Still a problem: modem backup connections; old and never retired
- Tools: THC-Scan, PhoneSweep, and TeleSweep
- Prevention: no-modem policy; strong passwords; test for modems using tools; look for modems (desk to desk checks)
- In 1983 the movie War Games showcased the power of wardialing
[Image: wardialing using THC-Scan]
57 Hiding Your Active Information Gathering: Proxies
- The proxy is seen as performing the bad activities instead of you
- Free proxies are available to use, such as ProxyChains and Anonymizer
- Caution: choose the right one, e.g. Anonymouse.org
- Useful for blocked sites
- ProxyChains uses multiple proxies to cover your tracks
- ProxyChains via BackTrack tutorial
58 Hiding Your Active Information Gathering: Spoofing
- Spoofing IP address: Nmap can spoof IP. Caution: the data you want will go to the spoofed IP instead of you
- The Onion Routing (TOR): anyone can be a TOR endpoint (+/-); the client bounces internet requests via random TOR clients
- Tunneling
- Hiding files
59 Summary
- You should now know specific information about the target system(s)
- By knowing the active devices, open ports, running services, and device operating system, you can search for vulnerabilities to exploit and use the listening services to gain more information
- Next class: Enumerating Target Systems
- Questions?
61 Lab Overview
Lab setup. Exercises:
- Ping sweep
- Port scan
- Banner grabbing
- Passive OS identification
- Active OS identification
- Manual vulnerability identification
- Automated vulnerability identification (Nessus)
62 Course Lab Setup
- Host operating system = Ubuntu (Linux)
- Virtual machine = VirtualBox
- VMs = BackTrack, Windows (Guest PC and XP-1), badstore
- Each laptop has its own separate standalone lab environment
How to start the lab environment:
1) Open VirtualBox
2) Ensure that the BackTrack VM is powered on
3) Log on to BackTrack (root/toor) and type startx
4) Set the static IP address (.100)
5) Ensure that the badstore VM has the badstore CD mounted and then start the VM
6) Configure the badstore VM IP address via the following command: ifconfig eth0 up netmask
63 Lab Scenario
In the following scenario, you will need to gather as much information about your target as possible that can be used in planning the attack.
Your target is example.com. The company has hired you to confirm that their security awareness programs and policies are working as intended. In other words, they want you to confirm that employees do not open unnecessary ports/services or use unapproved software, which increases the attack surface of the company.
64 Lab 3.1 Ping Sweep (nmap)
We are going to do a ping sweep of the local subnet.
- Open a command line terminal in BackTrack
- Type nmap -sn /24 to perform a ping sweep over a range of IP addresses
- List the IP addresses of running hosts
- Type nmap -sn --send-ip to run the ping scan using ICMP ping
- List the IP addresses of running hosts. Has the number changed? If so, why?
- Open another command line terminal and type wireshark
- Use the file menu to open a pcap file: File > Open > Desktop > Lab3 > ping-blocked-pcap
- Review the pcap and note that ping is blocked
-sn (No port scan): This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a "ping scan", but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.
Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.
The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.
65 Lab 3.1 Ping Sweep (nmap)
- Use the file menu to open additional pcap files: File > Open > Desktop > Lab3 > ping-blocked-pcap; File > Open > Desktop > Lab3 > ping-allowed-timestamp-allowed-pcap; File > Open > Desktop > Lab3 > ping-blocked-timestamp-allowed-pcap
- Review and compare the pcap files
66 Lab 3.1 Ping Sweep (SuperScan)
We are going to do a ping sweep of the local subnet.
- Open the SuperScan folder on Guest PC, C:\lab-tools\superscan
- Run SuperScan: SuperScan4.exe
- Type the start IP ( ) and end IP ( ) and press the arrow button
- From the "Host and Services Discovery" tab uncheck "UDP port scan" and "TCP port scan"
- Then press the play button to perform a ping sweep over a range of IP addresses
- List the IP addresses of running hosts
67 Lab 3.1 Ping Sweep (SuperScan contd.)
Now try the same IP range again but with the following settings:
- From the "Scan Options" tab, uncheck "hide systems with no open ports" and rerun the scan
- Note the number of systems now and the information provided
- View the final scan via the "view html results" button
68 Lab 3.1 Ping Sweep (angryip)
Note Windows XP/Vista limitations.
To change it from just a host discovery scan to a port scan, on the "Ports" tab in the port selection box type 1-147 and press OK.
69 Lab 3.1 Ping Sweep (angryip)
We are going to do a ping sweep of the local subnet.
- Open angryip from the Guest PC: navigate to c:\lab-tools\angryip and run the .exe file
- Type the IP range
- From the menu select Tools > Preferences; on the "Scanning" tab check "scan dead hosts"
- Press the start button to perform a ping sweep over a range of IP addresses
- List the IP addresses of running hosts, note the duration of the scan and compare it to the nmap scan
70 Lab 3.1 Ping Sweep (zenmap)
We are going to do a ping sweep of the local subnet.
- Open zenmap via the BackTrack command terminal: zenmap
- Type the subnet to scan ( /24), choose the ping scan profile and then press scan to perform a ping sweep over a range of IP addresses
- List the IP addresses of running hosts
- Press Ctrl+P or from the menu choose Profile > New Profile; review the options and note the hints for each option
71 Lab 3.1 Ping Sweep (nessus)
We are going to do a ping sweep of the local subnet.
- Open Nessus via the "Nessus Client" shortcut on the Guest PC desktop (username = visitor, password = qwerty)
- From the scan tab, launch the "host discovery" scan to perform a ping sweep over a range of IP addresses
- List the IP addresses of running hosts
- Review the scan results
- Open My Documents and then open the pcap files to compare the pcap of nmap host discovery vs. the nessus host discovery pcap
- Which pcap is larger and noisier?
72 Lab 3.2 Port Scanning
Now that we know what hosts are running, we can port scan them.
- Open a command line terminal in BackTrack
- Type nmap and hit Enter to view a list of options
- Type nmap -sT your_target_IP_address to perform an Nmap full connect scan
- List the open ports and services
- Can you guess the OS from the services?
- Use -vv to increase the verbosity of the scan output
- Run the other Nmap scan options and note new information: -sS, -sA, -sF, -sV
- Save scan results using -oN (normal) and -oX (XML). Example: nmap -sT -oX test.xml
73 Lab 3.2 Port Scanning
Now that we know what hosts are running, we can port scan them.
- Open a command line terminal in BackTrack
- Type wireshark and hit Enter
- Use the file menu to open additional pcap files: File > Open > Desktop > Lab3 > tcp-connection-example
- Note the three step handshake captured in the pcap
74 Lab 3.2 Port Scanning (Nessus)
- Open Nessus, and from the "scan" tab launch the port scan
- Review the scan results and note the open ports
- Review the scan policy and note the difference between the host discovery and port scan policies: ping only (no SYN); also port scan 0-1 to disable the port scan
75 Lab 3.2 Port Scanning (CurrPorts)
1) Run CurrPorts: C:\lab-tools\currports\cports.exe
2) CurrPorts will run immediately and will display all ports on your machine
3) Select a port and go to File > Properties. Review the process ID, port number, and other info
4) You can close a suspicious connection via File > Close Selected TCP Connections
5) Ensure that the XP-1 host is up. From Guest PC, open a command terminal and type: telnet
6) Refresh CurrPorts, and note the suspicious telnet connection. Follow step 4 above to close the connection
76 Lab 3.2 Port Scanning (netstat)
- From the Guest PC command prompt type netstat /? and review the help file
- Type netstat -a -p tcp 10
- List the open ports and services and compare to the nmap/nessus results
- (optional) Ensure that the XP-1 host is up. From Guest PC, open a command terminal and type: telnet
- (optional) Review the netstat output and note the telnet connection
Switch meanings: -a = all connections and listening ports; -p = protocol, e.g. tcp, udp; 10 = refresh interval in seconds
77 Lab 3.3 (a) netcat Banner Grabbing
We will now try to gain some information from the services listening on the open ports.
- Open a command line terminal in BackTrack
- You will now use the vi text editor to write a simple text file containing some HTTP commands
- Type vi head.txt to open a new text file called "head.txt" and hit i to insert text
- Type the following: GET HEAD / 1.0 (followed by a CR)
- Hit Esc to stop inserting text, then hit Shift+z+z to save the file and quit the editor
- You will now use netcat to try to gain some information from the open port 80 on the target. Type nc -vv < head.txt
- What software and OS is the server running?
Type either vi, nano or gedit to learn the basic Linux text editors. nc is the netcat command, -vv is for very verbose output, and < feeds the file head.txt into the netcat command.
78 Lab 3.3 (b) telnet Banner Grabbing
We will now try to gain some information from the services listening on the open ports.
- Open a command line terminal in BackTrack
- Type: telnet
- GET HEAD / 1.0
- What software and OS is the server running?
Example response:
HTTP/ Bad Request
Date: Sun, 18 Mar :11:09 GMT
Server: Apache/ (Unix) mod_ssl/ OpenSSL/0.9.7c
Connection: close
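The lab's reply shows that even a 400 Bad Request carries the Server header. As an added example (not code from the slides), the parser below pulls the products, versions and OS hint out of such a reply and flags version disclosure, which is the check behind the "change service banners" defense; both replies are constructed, with made-up version numbers.

```python
"""Parse a banner-grab reply and report what the Server header discloses.

Added example for this page, not code from the slides. The two replies below
are constructed: the first mirrors the lab's 400 Bad Request (version numbers
filled in with made-up values), the second is what a server with a trimmed
banner returns.
"""
import re

# Constructed after the lab output: even a 400 reply carries a full banner.
SAMPLE_REPLY = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Sun, 18 Mar 2012 10:11:09 GMT\r\n"
    "Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7c\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed: the same server after the banner was reduced to the product name.
HARDENED_REPLY = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split an HTTP reply into (status code, lower-cased header dict)."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def parse_server_banner(value):
    """Split 'Apache/2.2.3 (Unix) mod_ssl/2.2.3' into products and comments.

    Returns a list of (product, version-or-None) pairs plus the parenthesised
    comments, which usually name the operating system.
    """
    comments = re.findall(r"\(([^)]*)\)", value)
    products = []
    for token in re.sub(r"\([^)]*\)", " ", value).split():
        name, _sep, version = token.partition("/")
        products.append((name, version or None))
    return products, comments


def assess_banner(raw):
    """Report status, products, disclosed versions and OS hints for one reply."""
    status, headers = parse_response(raw)
    server = headers.get("server")
    if server is None:
        return {"status": status, "server": None, "versions": [],
                "os_hints": [], "discloses_version": False}
    products, comments = parse_server_banner(server)
    versions = [(name, ver) for name, ver in products if ver]
    return {"status": status, "server": server, "versions": versions,
            "os_hints": comments, "discloses_version": bool(versions)}


if __name__ == "__main__":
    for reply in (SAMPLE_REPLY, HARDENED_REPLY):
        print(assess_banner(reply))
```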
79 Lab 3.4 Passive OS Identification
We are going to find out what operating system is running on one of Google's servers.
- Open a command line terminal in BackTrack and set the DHCP IP address by typing dhclient eth3
- Then type: p0f -A
- Open a web browser and go to freebsd.org
- Take note of the output in the terminal window
- Hit Ctrl+C to stop running p0f
- Open Ettercap by typing ettercap -G and start unified sniffing on eth3
- Navigate to View > Profiles
- Navigate to Start > Start Sniffing
- Go to freebsd.org again
- Take note of the output in the Ettercap window
- Compare to BackTrack with the NIC in promiscuous mode
p0f does not work most of the time.
80 Lab 3.5 Active OS Identification
We are going to perform active OS fingerprinting with Nmap and xprobe2.
- Open a command line terminal in BackTrack and type nmap -O your_target_IP_address (that is a capital O) to perform an operating system fingerprint
- What is the general OS of the Windows machine?
- Now use xprobe2 to perform host discovery. From the BackTrack menu: Applications > Backtrack > Information Gathering > Network Analysis > OS Fingerprinting > xprobe2
- Type ./xprobe2 your_target_IP_address
- What is the best guess OS of the target?
81 Lab 3.5 Active OS Identification (Nessus)
We are going to perform active OS fingerprinting with Nessus.
- From the scan tab, launch the "OS Discovery Scan"
- Review the results and note which plugin is used for OS discovery
- Compare the OS results to the Nmap results
- Review the scan policy to see how OS discovery is enabled
82 Lab 3.6 Anonymous Scanning (Spoof IP)
- From a command line in BackTrack type: wireshark
- Sniff traffic on eth3
- Open a command line terminal in BackTrack and type nmap -S e eth
- Note that the responses do not go to your machine
- Note that a spoofed IP can be used to frame a competing company and not just to hide your identity
- Note the source address and target address in the pcap
- Type wireshark and hit Enter
- Use the file menu to open additional pcap files: File > Open > Desktop > Lab3 > spoofed-ip-example
83 Lab 3.6 Anonymous Scanning (Anonymizer)
- From the Ubuntu machine use the web browser and navigate to
- Choose English
- Click on "Your Calling Card without Anonymouse" and "Your Calling Card with Anonymouse" to compare the results
- Enter a website to search anonymously and press the "surf anonymously" button
84 Lab 3.7 (a) Finding Vulnerabilities (US-CERT)
Review vulnerabilities at US-CERT: cert.gov/cas/bulletins/ (released every Monday, always one week behind).
Pick a vulnerability based on an OS/service in the environment to review and note the following items:
- The CVE reference number
- Impact scores (the higher the score the greater the impact)
- Vulnerable versions
Other sources:
- National Vulnerability Database (nvd.nist.gov)
- Exploit-Database (exploit-db.com)
- Securitytracker (www.securitytracker.com)
- Securiteam (www.securiteam.com)
- Hackerstorm Vulnerability Research (www.hackerstorm.com)
- Hackerwatch (www.hackerwatch.org)
- SecurityFocus (www.securityfocus.com)
- Security Magazine (www.securitymagazine.com)
- SC Magazine (www.scmagazine.com)
Impact score metrics:
- AV = AccessVector (related exploit range). Possible values: L = Local access, A = Adjacent network, N = Network
- AC = AccessComplexity (required attack complexity). Possible values: H = High, M = Medium, L = Low
- Au = Authentication (level of authentication needed to exploit). Possible values: N = None required, S = Requires single instance, M = Requires multiple instances
- C = ConfImpact (confidentiality impact). Possible values: N = None, P = Partial, C = Complete
- I = IntegImpact (integrity impact). Possible values: N = None, P = Partial, C = Complete
- A = AvailImpact (availability impact). Possible values: N = None, P = Partial, C = Complete
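The six metrics listed above are the components of a CVSS v2 base vector, and the impact score the lab asks you to note is computed from them. As an added example (not code from the slides, US-CERT or NVD), the script below parses such a vector, rejects malformed ones, and computes the base score with the published CVSS v2 equation and NVD's Low/Medium/High bands.

```python
"""Parse a CVSS v2 base vector and compute the base score behind the
"Impact Score" the lab asks for.

Added example for this page, not code from the slides, US-CERT or NVD. The
metric letters are the ones the slide lists; the numeric weights, the
equation and the severity bands are the published CVSS v2 base-score
definitions (NVD's Low/Medium/High bands).
"""
import math

# CVSS v2 weights, keyed by the metric abbreviations used on the slide.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # AccessVector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # AccessComplexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # ConfImpact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # IntegImpact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # AvailImpact
}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (parentheses optional) into a dict.

    Rejects unknown metrics or values, duplicates and missing metrics so a
    typo in a copied vector cannot silently produce a score.
    """
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in WEIGHTS:
            raise ValueError(f"unknown metric component {part!r}")
        if value not in WEIGHTS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def round_half_up(x):
    """Round to one decimal with halves going up, as the CVSS v2 spec does."""
    return math.floor(x * 10 + 0.5) / 10


def severity(score):
    """NVD's CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def base_score(vector):
    """Return impact, exploitability, base score and severity for a v2 vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - WEIGHTS["C"][m["C"]])
                      * (1 - WEIGHTS["I"][m["I"]])
                      * (1 - WEIGHTS["A"][m["A"]]))
    exploitability = (20 * WEIGHTS["AV"][m["AV"]]
                      * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176  # no impact means no score
    base = round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)
    return {"impact": round_half_up(impact),
            "exploitability": round_half_up(exploitability),
            "base": base, "severity": severity(base)}


if __name__ == "__main__":
    for v in ("AV:N/AC:L/Au:N/C:P/I:P/A:P",   # typical remote code execution
              "AV:N/AC:M/Au:N/C:P/I:N/A:N",   # typical cross-site scripting
              "AV:L/AC:H/Au:M/C:N/I:N/A:N"):  # no impact at all
        print(v, base_score(v))
```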
85 Lab 3.7 (b) Finding Vulnerabilities (OSVDB)
Use Hackerstorm to review vulnerabilities.
- Go to the Hackerstorm site to start the OSVDB Hackerstorm tool
- Click the OSVDB search button at the bottom of the home screen. Scroll through the vendors, choose PuTTY, and then click the view button
- From the next screen choose view all. Review the vulnerabilities listed and click one to view details. From the tool you can see the description, solution, references, etc.
- Note that this tool makes it easy to search for vulnerabilities, both old and new, by vendor etc.
86 Lab 3.7 (c) Finding Vulnerabilities (Nessus)
- From the Nessus scan tab, launch the "Internal Network Scan"
- Review the scan results and look for vulnerabilities that are exploitable
- Review and investigate patches that can be applied to fix an exploitable vulnerability
- Review the vulnerability via US-CERT
91 CEH Certified Ethical Hacker List of Tools
PDF mapping tools to the different phases of pen testing. Review the list of tools and pick tools that you know and can demonstrate or that you would like to learn more about.
(CEH Certified Ethical Hacker All-in-One Exam Guide, Amazon.com)
92 Parking Lot Topics
- Social Engineering Toolkit
- Maltego