Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scanning.

Published byCharity Jenkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Scanning."— Presentation transcript:

1 Scanning

2 Determining If The System Is Alive

3 Determining If The System Is Alive
Network Ping Sweeps Ping is traditionally used to send ICMP ECHO (Type 8) packets to a target system Response is ICMP ECHO_REPLY (Type 0) indicating the target system is alive Traffic can be ICMP, ARP, TCP, or UDP

4 ARP Host Discovery Cain

5 ARP Host Discovery

6 ARP Scan Advantages Disadvantage Operates at layer 2
A firewall will not conceal a device from an ARP scan Disadvantage Must be on target’s network segment Cannot scan through routers

7 ARP Scanning Tools arp-scan Nmap Cain Linux command-line tool
-PR to do ARP scan -sn to skip host discovery Cain Sniffer tab Enable sniffer Click +

8 Nmap

9 ICMP Packet Types Message Type: 0 - Echo Reply
Message Type: 3 - Destination Unreachable Message Type: 4 - Source Quench Message Type: 5 - Redirect Message Type: 8 – Echo Request Message Type: 11 - Time Exceeded Message Type: 12 - Parameter Problem Message Type: 13 - Timestamp Message Type: 14 - Timestamp Reply Message Type: 15 - Information Request Message Type: 16 - Information Reply Message Type: 17 – Address Mask Request Message Type: 18 – Address Mask Reply

10 ICMP Queries icmpquery uses ICMP type 13 (TIMESTAMP) to find the system time, which shows its timezone ICMP type 17 (ADDRESS MASK REQUEST) shows the subnet mask

11 Network Discovery Tools

12 Nmap ICMP Options

13 SuperScan Windows freeware Not so fast anymore
Does PING scanning, using several types of ICMP packets Also does port scanning, banner grabbing, whois, and enumeration

14 Unix Ping Detection Tools
Scanlogd Courtney Ippl Protolog

15 ICMP Blocking ICMP is often blocked these days
Blocked by default in Win XP SP2, Win SP 1, and Vista If ICMP is blocked, use port scanning Slower than ping sweeping SuperScan for Windows Nmap for Linux, Unix, or Windows Hping2 for Unix (can fragment packets)

16 Ping Sweeps Countermeasures
Detecting Ping Sweeps Network-based Intrusion Detection Systems like Snort detect ping sweeps Ping scans will be in the host logs Firewalls can detect ping scans

17 Blocking ICMP Routers may require some ICMP packets, but not all types
Safest procedure would be to allow ICMP only from your ISP, and only to public servers on your DMZ

18 Other ICMP Threats ICMP can be used for a Denial of Service attack
ICMP can be used as a covert channel with Loki Allowing unauthorized data transfer Such as control signals for a back-door trojan

19 Determining Which Services are Running or Listening

20 Port scanning Now that we have a map with some hosts, let’s find out what ports are open on a target host 65,535 TCP ports; 65,535 UDP ports Web server: TCP port 80 DNS server: UDP port 53 Mail server: TCP port 25 Port scanning tools can scan: List of ports Range of ports All possible TCP and UDP ports Attacker may scan a limited set of ports, to avoid detection

21 TCP: Reset packet If machine receives a TCP packet it is not expecting, it responds with TCP packet with RST bit set. For example when no process is listening on destination port For UDP, machine returns ICMP “port unreachable” instead

22 Nmap (1) Extremely popular Ping sweeping Port scanning
usually run over linux rich feature set, exploiting raw sockets need root to use all features Ping sweeping over any range of IP addresses with ICMP, SYN, ACK OS determination Port scanning Over any range of ports Almost any type of TCP, UDP packet Source IP address spoofing Decoy scanning Packet fragmentation Timing Options Excellent reference: Nmap man page

23 Nmap (2) Input: Output: open ports: syn/ack returned; port is open
nmap [Scan Type] [Options] <target hosts> Default for port scanning: ports plus ports listed in nmap service file Output: open ports: syn/ack returned; port is open unfiltered ports: RST returned: port is closed but not blocked by firewall filtered ports: nothing returned; port is blocked by firewall Attacks

24 Nmap (3): ping sweep Nmap –sP –v 116.27.38/24
Sends ICMP echo request (ping) to 256 addresses Can change options so that pings with SYNs, ACKs… -sP = ping -v = verbose

25 Nmap (4): polite port scan
nmap –sT -v target.com Attempts to complete 3-way handshake with each target port Sends SYN, waits for SYNACK, sends ACK, then sends FIN to close connection If target port is closed, no SYNACK returned Instead RST packet is typically returned TCP connect scans are easy to detect Target (e.g. Web server) may log completed connections Gives away attacker’s IP address

26 Nmap (5) : TCP SYN port scan
nmap –sS -v target.com Stealthier than polite scan Send SYN, receive SYNACK, send RST Send RST segment to avoid an accidental DoS attack Stealthier: hosts do not record connection But routers with logging enabled will record the SYN packet Faster: don’t need to send FIN packet

27 I learned port 2032 is open through the firewall
Nmap (6): TCP ACK scans Many filters (in firewalls and routers) only let internal systems hosts initiate TCP connections Drop packets for which ACK=0 (ie SYN packet): no sessions initiated externally To learn what ports are open through firewall, try an ACK scan (segments with ACK=1) ACK dest port 2031 ACK dest port 2032 RST I learned port 2032 is open through the firewall Internal Network firewall

28 Nmap (7): UDP port scans UDP doesn’t have SYN, ACK, RST packets
nmap simply sends UDP packet to target port ICMP Port Unreachable: interpret port closed Nothing comes back: interpret port open False positives common

29 Nmap (8): Obscure source
Attacker can enter list of decoy source IP addresses into Nmap For each packet it sends, Nmap also sends packets from decoy source IP addresses For 4 decoy sources, send five packets Attacker’s actual address must appear in at least one packet, to get a result If there are 30 decoys, victim network will have to investigate 31 different sources!

30 Nmap (9): TCP stack fingerprinting
In addition to determining open ports, attacker wants to know OS on targeted machine: exploit machine’s known vulnerabilities sophisticated hacker may set up lab environment similar to target network TCP implementations in different OSes respond differently to illegal combinations of TCP flag bits.

31 Nmap (10): Fingerprinting
Nmap sends SYN to open port NULL to open port (no flag bits set) SYN/FIN/URG/PSH to open port SYN to closed port ACK to closed port FIN/PSH/URG to closed port UDP to closed port Nmap includes a database of OS fingerprints for hundreds of platforms

32 Nmap (11): examples nmap -v target.com nmap -sS -O target.com/24
Scans all TCP default ports on target.com; verbose mode nmap -sS -O target.com/24 First pings addresses in target network to find hosts that are up. Then scans default ports at these hosts; stealth mode (doesn’t complete the connections); tries to determine OS running on each scanned host nmap -sX -p 22,53,110, *.1-127 Sends an Xmas tree scan to the first half of each of the 255 possible subnets in the /16. Testing whether the systems run ssh, DNS, pop3, or imap nmap -v -p 80 *.*.2.3-5 finds all web servers on machines with IP addresses ending in .2.3, .2.4, or .2.5

33 Defenses against network mapping
Filter using firewalls and packet-filtering capabilities of routers Block incoming ICMP packets, except to the hosts that you want to be pingable Filter Time Exceeded ICMP messages leaving your network Close all unused ports Scan your own systems to verify that unneeded ports are closed Intrusion Detection Systems

34 Windows-Based Port Scanners
SuperScan Four different ICMP host-discovery techniques Accurate UDP scan sending "Data+ICMP" Banner grabbing Many other tools Nmap with the Zenmap GUI Powerful, runs on Windows

35 Command-line Scanners
Scanline For Windows netcat For Windows and Linux nmap Can be run on the command line, on Windows or Linux

36 Port Scanning Countermeasures
Snort ( is a great free IDS (Intrusion Detection System) [**] spp_portscan: PORTSCAN DETECTED from [**] 05/22- 18:48: [**] spp_portscan: portscan status from : 4 connections across 1 hosts: TCP(0), UDP(4) [**] 05/22-18:49: [**] spp_portscan: End of portscan from [**] 05/22-18:49:

37 Other Detection Tools Scanlogd Firewalls can detect port scans
Detects TCP Port Scans on Unix Firewalls can detect port scans Use threshold logging to limit the volume of alerts sent by your firewall That groups similar alerts into a single Attacker Windows tool from Foundstone to detect port scans

38 Preventing Port Scans You can't stop the scans from coming in, but you can mimimize your attack surface Disable unnecessary services

39 Detecting the Operating System
Banner-Grabbing Many services announce what they are in response to requests Banner grabbers just collect those banners But they could be spoofed

40 Active Stack Fingerprinting
Details of the TCP Packets are used to identify the operating system Nmap does this, using these probes: FIN probe Bogus Flag probe Initial Sequence Number (ISN) sampling "Don't fragment bit" monitoring TCP initial window size And many others

41 Operating System Detection Countermeasures
IDS can detect operating system detection scans Hacking the OS to change its TCP stack is dangerous, and not recommended Best policy: Accept that your firewalls and proxy servers will be scanned and fingerprinted, and harden them against attackers who know the OS

42 Passive Operating System Identification
Sniff traffic and guess the OS from that Examine these features TTL (time-to-live) Window size DF (Don't fragment bit) siphon was the first tool to do this, it's out of date p0f is a newer one

43 p0f on Vista Run p0f in a Command Prompt Window Open a Web page
It fingerprints any OS it can see on the LAN

44 Automated Discovery Tool: Cheops-ng
Combines Ping, Traceroute, Port Scans, and OS Detection to draw a network map Windows 7's "Network Map" is similar

Download ppt "Scanning."

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.

Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 6 Scanning Information Networking Security and Assurance.

Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 6 Scanning Information Networking Security and Assurance.

Similar presentations

Ads by Google