Network Reconnaissance and Enumeration

Presentation on theme: "Network Reconnaissance and Enumeration"— Presentation transcript:

1 Network Reconnaissance and Enumeration
Section 3 9/20/2018

2 Outline – Passive Enumeration
ARP
Network Sniffing
Notes: The outline for our talk on passive network enumeration techniques.

3 Outline – Active Enumeration
Ping
Traceroute
Port/Service Scanning
Banner Grabbing
OS Fingerprinting
Firewalking
SNMP
Routing Daemons

4 Objective – Targeted Network Reconnaissance
Network topology
Host systems
Host applications/services
Host configuration
Host user accounts
Naming conventions
Notes: These are the things that we want to get out of performing network reconage.

5 Passive Enumeration
Generally LAN based
Generally undetectable
Remote ARP information may be obtained from SNMP (this is not passive)
Remote sniffing can be performed on some routers equipped with RMON (Remote Monitoring) – pretty rare

6 ARP Enumeration
All systems with IP stacks will have ARP
Local ARP table contains a list of all MAC addresses mapped to IP addresses
First 6 hex digits (three bytes) of the MAC address identify the card/system vendor, e.g. 00067Cxxxxxx : Cisco, 080020xxxxxx : Sun
ARP mappings are gathered and released automatically by the system

7 ARP Enumeration
Use the ‘arp -a’ command to get access to the local ARP table:
C:\>arp -a
Interface: on Interface 4
Internet Address Physical Address Type
c-07-ac dynamic
d0-d dynamic
d0-d dynamic
d d dynamic
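The parsing step the slide leaves implicit, as an added example that is not part of the original deck: read Windows-style `arp -a` output, drop broadcast/multicast entries, and tag each host's vendor from the OUI. The sample table and the addresses in it are constructed, and the OUI map holds only the two prefixes the slide lists.

```python
import re

# Vendor prefixes (OUIs) from the slide; in practice load the full IEEE OUI list.
OUI_VENDORS = {
    "00067C": "Cisco",
    "080020": "Sun",
}

# Constructed sample of Windows 'arp -a' output (addresses invented, RFC 5737 range).
SAMPLE_ARP_A = """\
Interface: 192.0.2.10 --- 0x4
  Internet Address      Physical Address      Type
  192.0.2.1             00-06-7c-12-34-56     dynamic
  192.0.2.20            08-00-20-aa-bb-cc     dynamic
  192.0.2.21            00-50-56-de-ad-01     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

_ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+"
    r"(?P<type>dynamic|static)\s*$"
)

def oui_of(mac):
    """Return the OUI (first three bytes, six hex digits) of a MAC as upper-case hex."""
    return mac.replace("-", "").replace(":", "").upper()[:6]

def parse_arp_table(text):
    """Parse 'arp -a' output into {ip, mac, type, vendor} records, skipping non-host entries."""
    hosts = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # interface line, column header or blank line
        oui = oui_of(m["mac"])
        if int(oui[:2], 16) & 0x01:
            continue  # group bit set: broadcast/multicast, not a host adapter
        hosts.append({
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "type": m["type"],
            "vendor": OUI_VENDORS.get(oui, "unknown"),
        })
    return hosts

if __name__ == "__main__":
    for h in parse_arp_table(SAMPLE_ARP_A):
        print(f'{h["ip"]:<15} {h["mac"]}  {h["vendor"]}')
```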

8 Network Sniffing
Placing a network adapter in ‘promiscuous mode’ enables the reception of all network traffic passing the adapter.
Most effective on non-switched networks
Even on switched networks all broadcast traffic may be received
No valid IP address required

9 Network Sniffing – What do we get?
MAC addresses
IP addresses and IP structure
RIP, OSPF packets
System names
NetBIOS broadcasts
Cisco Discovery Protocol
IPX service announcements
Default gateways
Not to mention usernames, passwords and data… but more on that later
Notes: This is what we want to get out of network sniffage.

10 Network Sniffing – The Tools
Windows: NetMon (Microsoft), Sniffer Pro (NAI), Tcpdump + winpcap (GPL)
UNIX: Tcpdump (GPL), Ethereal (GPL), Dsniff (more attack than recon – GPL)
GPL = GNU General Public License
Notes: Dsniff is more geared towards gathering confidential info such as user/passwords…

11 Network Sniffing - Filtering
On high throughput networks use capture filters
Whole packet is usually not needed – just headers and start of data portion
Any IP or TCP/UDP protocol may be included or excluded from a capture filter
‘Noisy’ addresses may be filtered out
All network sniffing tools support filtering to some degree
For extended periods of sniffing, filters will be essential

12 Network Sniffing - tcpdump
Console based, highly configurable, low resource usage.
Notes: This is a sample of tcpdump output showing an FTP session between two systems; this is a summary view just showing address and header information.

13 Network Sniffing – Ethereal

14 Active Enumeration
Can yield a great deal of data
Can be detected
May require specialised software/OS

15 The Mighty Ping
Used to determine host reachability
Nearly all systems with an IP stack have a ping facility
Uses the ICMP protocol
Provides round trip time (RTT)
Time to live (TTL) – indicates hop count
Generally unnoticed if used in moderation

16 Ping test
(Diagram: the hacker sends an ICMP Echo Request to the target, which answers with an ICMP Echo Response.)

17 Ping – Usage
Ping is used on one system at a time
It is possible to ping a broadcast address; sometimes multiple responses are returned
C:\>ping
Pinging with 32 bytes of data:
Reply from : bytes=32 time=1ms TTL=255
Reply from : bytes=32 time<10ms TTL=255
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
RTT: Minimum = 0ms, Maximum = 1ms, Average = 0ms

18 Ping – Sweeping
Ping-sweeping is a term for sweeping multiple addresses with a ping query to determine host reachability.
Used for finding targets within a network range.
Will not work on targets that have ICMP traffic filtered or blocked.
Tools such as NMAP, MingSweeper and Pinger will perform a ping-sweep.
Notes: We’ll get on to ping-sweeping tools later.

19 More with ping – Identifying the Firewall
Good commercial firewalls block time stamp requests and source routed packets. Use ping to send them, and it will show there is a firewall in the way.
# ping -v -T tsandaddr
PING ( ) from : 56(124) bytes of data.
ping statistics ---
16 packets transmitted, 0 received, 100% loss
# ping -v -T tsandaddr
PING ( ) from : 56(124) bytes of data.
ping statistics ---
8 packets transmitted, 0 received, 100% loss

20 More fun with ICMP – Identifying the Firewall
W. Richard Stevens, a god amongst men and author of TCP/IP Illustrated etc., left us with the ability to generate ICMP address mask requests and ICMP time requests
# icmpaddrmask
Received mask fffff00, from
#

21 Traceroute
Used to determine both connectivity AND the IP route used to reach the target.
Available on most but not all systems that have an IP stack.
Relies on the fact that routers should always decrement the TTL of a packet as it passes.
Generally uses ICMP packets on Windows and UDP packets on UNIX systems. However, any IP protocol could be used in theory.

22 Traceroute - Visual route
Notes: Probably the firewall or the perimeter router.

23 Port/Service Scanning
Used to determine what TCP or UDP ports are available on a target system.
The scanner will attempt to connect to each port on the target.
The scanner should detect the port in one of three states:
Closed – port reachable but no service present
Open – port is reachable and service is present
Filtered – port is non-reachable; a firewall or packet filter is possibly present

24 Background to TCP scanning
Determine what ports of a host are listening for connections
4 main types of TCP scans:
TCP connect()
SYN scan
FIN scan + Null + ACK + XMAS
Fragmentation scanning

25 TCP Connect Scan
Uses a system call provided by the operating system
If the port is listening, connect will succeed
Does not require any special privileges
Easily detectable
Most reliable
Cannot usually detect filtered ports

26 TCP Connect – The Three-way handshake
(Diagram: the client sends Syn to the target and the target replies with Syn/Ack.)

27 SYN Scan
Commonly referred to as half-open scanning
Sends a SYN packet and waits for a response
A SYN/ACK response indicates the port is listening
A RST packet indicates the port is not listening
Less likely to be logged
No response indicates the port is filtered
Requires raw sockets, requiring root or Administrator privileges
Some IDS confuse this with a SYN flood

28 FIN Scan + Null + XMAS
More stealthy than a SYN scan
Reply with a proper RST packet indicates that the port is closed
Open ports tend to ignore the FIN packet
However, Microsoft boxes tend to send a RST packet regardless
Can be used to differentiate a Unix box from a Microsoft box

29 ACK Scan
Not used to identify open and closed ports
Used to identify filtered ports
Can be useful for mapping packet filter rules

30 Fragmentation scanning
A modification of other techniques of scanning
Breaks the probe packet into a couple of small IP fragments
Breaking up the TCP header into several smaller packets makes it harder to detect, and some packet filters will pass the packet unchecked rather than wait for all of the fragments to arrive.
This only works on simple packet filtering devices that cannot hold on to the fragments long enough to get the whole packet

31 UDP Port Scanning
Single UDP packet to each port being tested
Closed ports respond with an ICMP unreachable message.
Open ports will NOT respond
Filtered ports will NOT respond
Results can be ambiguous on filtered targets
Can be very slow due to ICMP message rate limiting, which is specified within the RFCs describing IP & ICMP. Some systems do not implement this (e.g. all Windows systems.)
Notes: Maybe mention using UDP port 53 as the source port for UDP scans. This can make basic packet filters think you are a DNS server responding to queries. Works sometimes….

32 Banner Grabbing
The process of examining banner strings returned by services bound to open TCP ports
Enables identification of service applications including software version.
Not effective for non-character based services (e.g. SMB, HTTPS)
Some service applications will not send banner information until prompted (e.g. HTTP)
Useful for identification of service applications on non-standard ports

33 Banner Grabbing – Manual Testing
Use netcat or telnet to connect to the port:
C:\nc
220 Sendmail/8.8.8 ESMTP
Looks like a Sendmail mail server - easy
Notes: Hit a key to animate a netcat session to a sendmail server, ph33r the banners.

34 Banner Grabbing - Automation
Mingsweeper, probably the most amazing piece of software on the planet…

35 Fingerprinting
Stack fingerprinting is used to determine the operating system of a target host
Utilises differences in the implementation of the IP stacks
Involves sending non-standard packets to the target and examining any responses
Not always accurate
Very easy to spot for IDS

36 Fingerprinting – A Simple Test
A single ping can be used to aid in OS detection and is a very basic way of fingerprinting a target.
Windows !!
# ping
PING : 56(84) bytes of data.
64 bytes from : icmp_seq=1 ttl=128 time=0.280 ms
ping statistics ---
Notes: This demonstrates using the TTL value of a ping reply to determine the OS type (approximately). Because the TTL is 128 we know the target is windoze, because Windows is the only common OS that uses 128 as the default TTL (Time to Live). Note that TTL=128 in the reply. That almost guarantees that the target is a Windows system of some description.

37 Fingerprinting – A Simple Test
Here are the default TTL (Time To Live) values for a few common systems:
Cisco Devices Most Windows Systems 128 Windows Linux <= 2.0.x 64 Linux >= 2.1.x 255 Solaris
Notes: Default TTLs for a few b0xen. Now possibly let the class start pinging to get some TTLs from the lab kit?
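The TTL reasoning of the previous two slides, carried out in code as an added example that is not from the deck: recover the sender's initial TTL from a reply TTL, estimate the hop distance, and, when traceroute has already given the real hop count, check that the two agree (a mismatch is the middlebox case the later fingerprinting slide warns about). Only 128 for Windows is the slide's claim; 64 for Linux/Unix-like systems and 255 for Cisco devices and Solaris are common defaults assumed here.

```python
# Default initial TTLs assumed for inference. 128 for Windows is the slide's own
# claim; 64 (Linux and most Unix-like systems) and 255 (Cisco devices, Solaris)
# are common defaults assumed here, not values taken from the slide's table.
DEFAULT_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Cisco device / Solaris"}

def infer_initial_ttl(observed):
    """Return (initial_ttl, estimated_hops) for a reply TTL.

    Every router on the path decrements TTL by one, so the sender's initial value
    is taken to be the smallest known default that is >= the observed value."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = min(d for d in DEFAULT_TTLS if d >= observed)
    return initial, initial - observed

def guess_os_family(observed, hops=None):
    """Map a reply TTL to an OS family.

    When the hop count to the target is known (e.g. from traceroute), the
    reconstructed initial TTL must be a known default; otherwise the reply may
    come from a firewall or proxy answering on the target's behalf."""
    if hops is None:
        initial, _ = infer_initial_ttl(observed)
        return DEFAULT_TTLS[initial]
    initial = observed + hops
    if initial in DEFAULT_TTLS:
        return DEFAULT_TTLS[initial]
    return f"inconclusive: TTL {observed} + {hops} hops = {initial}, not a known default"

if __name__ == "__main__":
    # The slide's reply had ttl=128 from a host on the same segment (0 hops).
    print(infer_initial_ttl(128), guess_os_family(128, hops=0))
    print(infer_initial_ttl(54), guess_os_family(54))
    print(guess_os_family(120, hops=3))
```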

38 Advanced IP Stack Fingerprinting
Involves sending crafted packets to the target
Ideally requires >=1 open port and >=1 closed port
Packet filters, firewalls and transparent proxies can render IP stack fingerprinting useless when using automated tools such as NMAP, Queso or MingSweeper, because they sometimes re-write packets.

39 Advanced IP Stack Fingerprinting
Tools for automated stack fingerprinting:
NMAP – stack fingerprinting
Xprobe – ICMP stack fingerprinting
MingSweeper – combined NMAP+ICMP
Queso – early stack fingerprinting; NMAP draws tests from this software.

40 NMAP – “Network Mapper”
Open source utility for network exploration
Its functions include a wide variety of port scanning mechanisms, OS detection and ping sweeps.
Runs on most Unix based operating systems
Has a graphical user interface
It’s FREE!

41 Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
# nmap -sS -n -p
Starting nmap 3.48 ( )
All scanned ports on are: filtered
Nmap run completed -- 1 IP address (1 host up)
# nmap -sU -n -p

42 Mingsweeper
Windows based network reconnaissance utility
Performs ping sweeps, reverse DNS sweeps, TCP & UDP port scans, OS identification and application identification.
It is also FREE!

43 Scanning - Ming-sweeper

44 Stack Fingerprinting Test Probes
NMAP tests comprise 9 probes:
TClass – TCP Initial Sequence Number probe
T1 to T4 – Four TCP open port probes
T5 to T7 – Three TCP closed port probes
PU – Port Unreachable UDP probe
MingSweeper adds 4 probes:
I1 – Four ICMP echo probes
I2 – Four ICMP timestamp probes
I3 – Four ICMP address mask probes
I4 – Four ICMP information query probes
Notes: Tseq – determining the sequence number predictability and increment. T1,T2,T3,T4 – TCP packets with different flags to a port identified in the scan as open. T5,T6,T7 – TCP packets with different flags to a port identified in the scan as closed. PU – UDP packet to a closed UDP port to elicit an ICMP Port Unreachable message.

45 Firewalking
Attempting to route packets through the firewall
Vary IP protocol, TCP/UDP port numbers
Use decrementing TTL values to elicit responses from devices behind the firewall
Not particularly successful on modern firewall systems

46 Firewalking
Hping – useful tool for generating many types of hand-crafted IP packets. UNIX only.
Mptraceroute – performs traceroutes using multiple IP protocols and allowing port specifications. Win 2000/XP only.

47 Identifying the FW – Ike-scan
# ike-scan -v
Starting ike-scan 1.6 with 1 hosts
--- Pass 1 of 3 completed
--- Pass 2 of 3 completed
--- Pass 3 of 3 completed
Ending ike-scan 1.6: 1 hosts scanned in seconds (0.04 hosts/sec). 0 returned handshake; 0 returned notify

48 Identifying the Firewall - LFT
# lft -vv -E -n
Looks like we made it. Everyone responded. Moving on...
Will finish TWO
Concluding with 2 hops.
TTL LFT trace to :80/tcp
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
1 [target] :80 6.5ms
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
2 [target] :80 1.6ms

49 SNMP Enumeration
Community string is equivalent to a password used to control access to node information
Very often set to ‘public’ and ‘private’
All transmissions are in clear text
SNMP daemons found on many network devices and host systems.
Generally all SNMP nodes in a network share the same community name

50 SNMP Enumeration
SNMP community names can be brute forced easily
SNMP can yield a huge amount of information:
ARP tables
Routing tables
Device specific information
Traffic statistics
Host based SNMP daemons may yield process, service and user information (e.g. Windows NT SNMP service)

51 SNMP Enumeration Tools
Snmpget – Unix and Win32 tool for enumerating individual SNMP keys
Snmpwalk – Unix and Win32 tool for enumerating whole or partial MIB trees

52 Routing Daemons
Network topology is broadcast and may be obtained by network sniffing
Routers may be queried directly for routing and topology information
Network topology maps may be built using data obtained from routing daemons on hosts and routers
Can be more thorough and less intrusive than multiple traceroute queries

53 Route Analysis Tools
Ripquery – A diagnostic tool for interrogating RIP gateways
BGP – BGP looking glass servers divulge BGP information about routes
Ospf_monitor – A diagnostic tool for interrogating OSPF routers
Notes: Have a look on the Net for a RIP Spoofing tool I wrote a decade ago.

54 Network Reconnaissance and Enumeration
Section 3

