Network Scanning Techniques


Questions and Answers

Which of the following best describes the primary function of network scanning?

  • To identify vulnerabilities in a target system.
  • To identify open ports on a machine.
  • To identify 'alive' machines in a network. (correct)
  • To determine the operating system of a machine.

Port scanning solely focuses on identifying the operating system of a target machine.

False (B)

What type of scanning is also referred to as ICMP scanning?

  • TCP scanning
  • ARP scanning
  • Ping sweeping (correct)
  • UDP scanning

Ping sweepers are difficult to detect by IDS and firewalls.

False (B)

Which of the following is NOT a type of ICMP message used in ping sweepers?

DNS lookup request (C)

Which command-line tool, released in 1997, is known as the richest scanning tool?

Nmap

Which Nmap option is used to perform ICMP echo (ping) scans?

-PE (B)

In the context of Nmap host discovery, what does the -PP option do?

Scans using ICMP timestamps. (C)

Nmap's -PO option, by default, sends only ICMP packets.

False (B)

Which of the following is the function of the Nmap command nmap -p 179 10.0-255.0-255.1,254?

Scans specific IP addresses to identify routers using BGP. (C)

Using the flag ______ with Nmap allows you to monitor its network activity, including the packets it sends and receives.

--packet-trace

What happens if a non-privileged user uses Nmap with the -sn option?

Nmap attempts TCP connect to ports 80 and 443. (D)

Ports 0-1023 are known as Registered Ports.

False (B)

Match the port number with the corresponding service:

20 = FTP (data), 25 = SMTP, 80 = HTTP, 443 = HTTPS

Which of the following is the range for Registered Ports?

1024-49151 (A)

What is the significance of the TCP SYN scan in port scanning?

It can be undetected if only established TCP connections are logged. (B)

In TCP communication, the SYN flag is used only to acknowledge the received packets.

False (B)

What is the purpose of the RST flag in TCP communication?

To reset the connection. (D)

In TCP/UDP scans, what happens if a TCP RST packet is received?

Port closed

Why is UDP scanning generally considered more difficult than TCP scanning?

The response depends on the application layer. (A)

What Nmap option is used to specify port ranges for scanning?

-p (D)

The Nmap command nmap -p T:21-25,80,139,8080 only scans UDP ports.

False (B)

Which Nmap scan type establishes a full TCP connection with the target?

Connect scan (B)

When is the TCP SYN scan (-sS) the default scan type in Nmap?

When running Nmap as root. (D)

What is the significance of an unfiltered port in the context of an Nmap ACK scan (-sA)?

It indicates the port will reply with a RST message. (D)

Inverse TCP flag scanning involves sending properly formed TCP packets.

False (B)

Which of the following Nmap scans sends a packet with the FIN, PSH, and URG flags set?

Xmas scan (C)

In the context of UDP scanning, what does 'Port Unreachable' typically indicate?

Port closed

What does Nmap's application fingerprinting (-sV) try to identify?

The applications running on the open ports. (A)

Nmap -sV application fingerprinting relies exclusively on the responses it receives from the scanned ports and does not consult any external databases.

False (B)

To identify an application when Nmap is unable to do so, which action can be performed?

Opening a session using 'telnet IP port' and checking the banner. (C)

What is the primary goal of Nmap OS fingerprinting?

To identify the operating system of the target machine. (D)

What is the significance of CVE in vulnerability scanning?

It is a list of Common Vulnerabilities and Exposures. (D)

The CVE list feeds into the NVD, and the NVD then removes extra information.

False (B)

Once a vulnerability is found, one can use an ______ to exploit it.

exploit

When no specific exploit for a discovered vulnerability exists, what is recommended?

Include the vulnerability in the penetration test report and move to the next vulnerability. (C)

Match the following vulnerability scanners with their function:

Nessus = Vulnerability Scanner, Metasploit = Vulnerability Exploiter

Which of the following is not essential for vulnerability scanning tools?

Performing ping sweeps (C)

Nessus has two components: a server and a _____.

client

Nessus clients and servers must be installed on the same operating system.

False (B)

What is the function of the 'safe checks' option in Nessus?

To avoid security checks that could crash the scanned target. (A)

Which statement best summarizes host discovery?

Identifying active machines on a network. (D)

Which of the following is a primary function of vulnerability scanning?

Identifying vulnerabilities on a target system (B)

A TCP SYN scan establishes a full TCP connection, making it easily detectable.

False (B)

What type of ICMP message is sent by a ping to detect if a machine is on the network?

Echo request

Using the Nmap flag ___ allows one to monitor the network activity.

--packet-trace

Match the following Nmap scan types with their descriptions:

-sS = TCP SYN scan (half-open scan), -sA = TCP ACK scan, -sU = UDP scan, -sT = TCP connect scan

Flashcards

Network Scanning

Process of identifying active machines on a network.

Port Scanning

Determining which ports are open and 'listening' on a target system.

OS Fingerprinting

Process of identifying the operating system, version, and service pack of a target.

Vulnerability Scanning

Identifying potential security weaknesses on a target system.

Ping Sweepers

Using ping to detect if a device exists on the network.

ICMP Scanning

ICMP scan done to find live hosts. Equivalent to pinging each IP.

Host Discovery

Detects network hosts.

Nmap

Tool used for network discovery and security auditing with command line and GUI versions.

Nmap -PE

Nmap option to perform ICMP echo scans.

Nmap -PP

Nmap option to perform ICMP timestamp scans.

Nmap -PM

Nmap option to perform ICMP netmask request scans.

Nmap '--packet-trace' flag

Used to monitor network activity.

Nmap port scanning

Determines open ports and services running.

Well-known TCP ports

Commonly used lower-numbered ports for network services.

Port 20

Port used for FTP data transfer.

Port 21

Port used for FTP control.

Port 22

Port for Secure Shell service.

Port 23

Unencrypted remote access port (Telnet).

Port 25

Port for Simple Mail Transfer Protocol.

Port 80

Port for Hypertext Transfer Protocol.

Port 110

Port for Post Office Protocol version 3.

Ports 137-139

Ports for Network Basic Input/Output System.

Port 443

Port for Hypertext Transfer Protocol Secure.

Port 3389

Remote Desktop Protocol port.

SYN Flag

TCP flag, used to initiate a connection.

ACK Flag

TCP flag, used to acknowledge received data.

URG Flag

TCP flag, indicates urgent data.

PSH Flag

TCP flag, requests immediate processing.

RST Flag

TCP flag, resets the connection.

FIN Flag

TCP flag, closes a connection.

TCP Connect Scan

TCP scan that completes the full TCP handshake.

TCP SYN Scan

TCP scan that doesn't complete the full TCP handshake.

TCP ACK Scan

TCP scan used to analyze firewall rules.

Inverse TCP flag scanning

TCP scan that sends malformed TCP packets.

Nmap UDP Scan

UDP scan that sends empty packets to each UDP port.

Software Fingerprinting

Identifying applications running on open ports.

Nmap -sV

Nmap technique to identify applications and versions.

Nmap OS fingerprinting

Uses extra packets and compares signatures in a database.

Vulnerability Scanning

Identifying potential security flaws.

CVE

Common Vulnerabilities and Exposures.

Exploit Database

Database of exploits for known vulnerabilities.

Vulnerability Scanners

Software to automate vulnerability finding.

Vulnerability Exploiters

Software to automate vulnerability exploitation.

Nessus

Nessus components

NASL

Scripting language used in Nessus.

Study Notes

  • Network scanning identifies "alive" machines in a network.
  • Port scanning determines which ports are open and "listening".
  • OS fingerprinting identifies the OS, version, and service pack.
  • Vulnerability scanning identifies vulnerabilities on a target system.

Scanning Outline

  • Host Discovery: Identifying active hosts on a network.
  • Port Scanning: Determining open ports and services on target hosts.
  • Software Fingerprinting: Identifying software and versions running on target hosts.
  • Vulnerability Scanning: Identifying potential vulnerabilities on target systems.

Host Discovery

  • Host Discovery: The process of identifying active hosts on a network.
  • Ping sweepers ping a machine to detect if it is on the network.
  • ICMP scanning is another name for pinging.
  • Ping sweepers can scan different machines in parallel.
  • Ping sweeps can be easily detected and blocked by IDS and firewalls, so TCP/UDP or ARP scans can be used instead.

ICMP Message Types

  • Echo request (8): A ping message to check if a host is reachable.
  • Timestamp request (13): Obtains the system time of the target, with the response indicating the number of milliseconds since 00:00 GMT.
  • Subnet Mask Request (17): Obtains the subnet mask used by the target.
  • Transport-level "ping": probe a port, and if there is a reply the host is up.

Nmap

Nmap Host Discovery Scan Types

  • -P: prefix of the options for the various ICMP scans below.
  • -PE: Scans using ICMP echo (ping).
  • -PP: Scans using ICMP timestamps instead of ICMP ping.
  • -PM: Scans using ICMP netmask requests.
  • IP higher-level protocol pings:
    • -PO: IP protocol ping; by default sends ICMP, IGMP, and IP-in-IP packets.

TCP's Handshake

  • Recall the TCP handshake between the client (Alice) and the server (Bob):
  • SYN (SequenceNum=x)
  • SYN+ACK (SequenceNum=y, AcknowledgeNum=x+1)
  • ACK (AcknowledgeNum=y+1)

Nmap Host Discovery - Scan Type

  • -PS ports: TCP SYN scans a list of ports.
  • -PA ports: TCP ACK scans a list of ports.
  • -PU ports: UDP scans a list of ports.
  • -PY ports: SCTP scans a list of ports.
  • Multiple -P scans can be combined.
  • https://nmap.org/book/man-host-discovery.html

Nmap Targets

  • Single IP address or domain name: Scans a specific target.
  • Classless Inter-Domain Routing (CIDR) notation: Scans a range of IP addresses (e.g., 10.0.0.1/24 covers all hosts 10.0.0.0-255, i.e. the network with a 255.255.255.0 netmask).
  • Ranges: e.g. nmap -p 179 10.0-255.0-255.1,254 scans every .1 and .254 address in the 10.x.x.x space on port 179 to identify the hosts that use BGP.
  • -iL: Parse hosts from a list.
  • -n: No reverse DNS resolution for discovered IPs.

Nmap Behavior

  • Use the flag "--packet-trace" to monitor network activity, for example: sudo nmap -sn 192.168.231.2 --packet-trace
  • -sn (used to be -sP):
    • If the user has privileges, Nmap sends a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request.
    • If the user lacks privileges, Nmap falls back to TCP connect to ports 80 and 443.
    • If the scanned hosts are on the same LAN, ARP is used instead, which is faster and harder to detect.

Port Scanning Overview

Well-known TCP Ports (0-1023)

  • ECHO: 7
  • FTP: data 20, control: 21
  • SSH: 22
  • Telnet: 23
  • SMTP: 25
  • HTTP: 80
  • POP3: 110
  • NetBIOS: 137-139
  • HTTPS: 443

Port Categories

  • Registered Ports: 1024 – 49151
    • Windows Internet Name Service (WINS): 1512
    • Remote Desktop: 3389
  • Recommended Dynamic and/or Private Ports: 49152 – 65535

Port Scanning detection

  • Probes each port
  • Provides more information but easier to detect
  • If only established TCP connections are logged, TCP SYN scan will be undetected as it does not establish full TCP connections

TCP Flags

  • SYN: Initiates a connection and carries the initial sequence number (counter)
  • ACK: Acknowledgement
  • URG: Message is processed immediately by the receiver (e.g. abort signal over a remote shell)
  • PSH: Message is processed immediately at both sender and receiver
  • RST: Resets the connection; sent back when a service that does not exist is requested, which can be useful for scanning
  • FIN: Closes a connection ("I will stop sending")
  • Order of the flag bits: CWR ECE URG ACK PSH RST SYN FIN
    • e.g. 0x14 = ACK + RST

TCP/UDP scans

  • A TCP scanner sends a TCP SYN to each port. If the port replies, it is open: Client (Alice) sends SYN (SequenceNum=x) to Server (Bob), SYN+ACK (SequenceNum=y, AcknowledgeNum=x+1) is sent back, and the client completes with ACK (AcknowledgeNum=y+1).
  • If a TCP RST is sent back: closed
  • If no reply: no host, or the port is filtered

UDP Scans

  • UDP scanning is harder because it is the application layer that decides on the response
  • If there is no application listening, an ICMP port unreachable message is sent; if an ICMP port unreachable is received, the port is closed
  • TCP scans are more common.

Nmap Port Scan

  • By default, Nmap scans about 1000 ports per target
  • -F: fast scan, i.e. fewer ports
  • -p specifies the ports to scan; ranges can be given and entries are separated by commas
    • nmap -p 21-25,80, nmap -p10000-, nmap -p-1023, nmap -p-
  • -p T:... selects TCP ports
  • -p U:... selects UDP ports
  • sudo nmap 192.168.1.1 -sU -sS -sY -p U:53,111,137,T:21-25,80,139,8080,S:9

Nmap TCP Scans

  • Connect scan, indicated by the -sT flag
  • If the port is open: Alice sends SYN to the server, the server sends SYN/ACK to Alice, Alice sends ACK to the server
  • If the port is closed: the server sends a RST/ACK to Alice
  • This is easily detected

TCP SYN Scans

  • SYN scan (half-open scan) using the -sS flag
  • If the port is open: Alice sends SYN to the server, the server sends SYN/ACK to Alice, Alice sends RST to the server
  • If the port is closed: the server sends a RST/ACK to Alice
  • Stealthier than connect, but not enough
  • When running Nmap as root, the default scan type is TCP SYN (-sS)

Nmap TCP Scan Option

  • -sA: ACK scan; an unfiltered port (whether open or closed) replies with a RST message.
  • Ports that reply are shown as "unfiltered", which allows firewall filtering rules to be identified

Nmap TCP Scans Techniques

  • Inverse TCP flag scanning involves sending malformed TCP packets.
    • Only closed ports respond with RST/ACK (RFC 793).
  • NULL Scan (-sN): All flags disabled.
  • FIN Scan (-sF): Only FIN is enabled.
  • Xmas Scan (-sX): FIN, PSH, and URG flags are enabled. Different OSes may react differently.
  • Maimon Scan (-sM): FIN and ACK flags are enabled.
  • Stateful firewalls filter these scans.
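Added example, not from the original notes or from Nmap: a small Python decoder for the TCP flags byte in the bit order given under "TCP Flags" above (so 0x14 decodes to ACK+RST), used from a detection stance to classify the NULL, FIN, Xmas and Maimon probes listed here and to pick out a source that sends malformed probes to many ports in a constructed packet capture. The capture records, the IP addresses and the port threshold are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Flag bit order from the notes, most significant bit first.
FLAG_ORDER = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]
FLAG_BITS = {name: 1 << (7 - i) for i, name in enumerate(FLAG_ORDER)}
# CWR=0x80 ECE=0x40 URG=0x20 ACK=0x10 PSH=0x08 RST=0x04 SYN=0x02 FIN=0x01

def decode_flags(byte: int) -> Set[str]:
    """Names of the flags set in a TCP flags byte, e.g. 0x14 -> {'ACK', 'RST'}."""
    return {name for name, bit in FLAG_BITS.items() if byte & bit}

def encode_flags(names: Iterable[str]) -> int:
    """Inverse of decode_flags, e.g. FIN+PSH+URG -> 0x29."""
    return sum(FLAG_BITS[n] for n in names)

# Probe signatures from the notes: the flags each Nmap scan type sets.
PROBE_SIGNATURES: Dict[str, frozenset] = {
    "NULL scan (-sN)": frozenset(),
    "FIN scan (-sF)": frozenset({"FIN"}),
    "Xmas scan (-sX)": frozenset({"FIN", "PSH", "URG"}),
    "Maimon scan (-sM)": frozenset({"FIN", "ACK"}),
    "SYN probe (-sS/-sT)": frozenset({"SYN"}),
    "ACK scan (-sA)": frozenset({"ACK"}),
}
# Flag sets that never occur in a legitimate TCP session. FIN+ACK (Maimon) is
# left out: it is also what a normal connection teardown looks like.
MALFORMED_PROBES = {"NULL scan (-sN)", "FIN scan (-sF)", "Xmas scan (-sX)"}

def classify_probe(byte: int) -> str:
    """Match a packet's flag set against the known probe signatures."""
    flags = frozenset(decode_flags(byte))
    for name, signature in PROBE_SIGNATURES.items():
        if flags == signature:
            return name
    return "other"

def inverse_scan_verdict(reply_flags: Optional[int]) -> str:
    """What an inverse-flag probe learns from the reply (RFC 793 behaviour):
    a closed port answers RST/ACK, an open port stays silent, and silence is
    indistinguishable from a firewall dropping the probe."""
    if reply_flags is None:
        return "open|filtered"
    if {"RST", "ACK"} <= decode_flags(reply_flags):
        return "closed"
    return "unexpected"

# Constructed capture records (assumed addresses): (source, dest port, flags byte).
SAMPLE_CAPTURE: Tuple[Tuple[str, int, int], ...] = (
    ("10.0.0.5", 21, 0x29), ("10.0.0.5", 22, 0x29), ("10.0.0.5", 23, 0x29),
    ("10.0.0.5", 25, 0x29), ("10.0.0.5", 80, 0x29), ("10.0.0.5", 443, 0x29),
    ("10.0.0.9", 443, 0x02), ("10.0.0.9", 443, 0x18),  # ordinary HTTPS client
    ("10.0.0.7", 80, 0x00),                            # one stray NULL probe
)

def inverse_scan_sources(capture: Iterable[Tuple[str, int, int]],
                         min_ports: int = 5) -> Dict[str, int]:
    """Sources that sent malformed probes to at least min_ports distinct ports."""
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    for src, dport, flags in capture:
        if classify_probe(flags) in MALFORMED_PROBES:
            ports_by_src[src].add(dport)
    return {s: len(p) for s, p in ports_by_src.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(sorted(decode_flags(0x14)))            # ['ACK', 'RST']
    print(inverse_scan_sources(SAMPLE_CAPTURE))  # {'10.0.0.5': 6}
```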

Nmap UDP Scan

  • Sends empty packets
  • Run using nmap -sU target
  • Unicornscan is an advanced UDP scan option that can distinguish between open and filtered ports.
  • Port Unreachable means the port is closed; otherwise the port is open or filtered, or there is no host

Software Fingerprinting

  • Software Fingerprinting: Identifying software and versions running on open ports.
    • -sV: tries to identify the applications running on all the open ports of a target.
    • Uses an established database of application behaviours
    • If Nmap is unable to identify the application, the fingerprint can be reported to insecure.org
    • Open a session using telnet IP port to check the banner

Nmap OS Fingerprinting

  • Sends extra packets and analyses the responses
    • Compared to "signatures" in a database
    • nmap -O
    • Can send malformed/unexpected packets to trigger error responses (these vary more between systems than normal responses, which are more standard)

Vulnerability Scanning

  • The identification of vulnerabilities associated with discovered services.
  • Vulnerability identification consists of finding vulnerabilities for the discovered services; Common Vulnerabilities and Exposures (CVE) are handled by MITRE, a not-for-profit project (https://cve.mitre.org/).
  • The US Department of Homeland Security maintains a similar list: the CVE list feeds into the NVD, and the NVD adds extra information.

Exploit Databases

  • Exploit databases are used to find exploits for discovered vulnerabilities.
  • They can be used manually: download the exploit from the database, rewrite it, compile it and run it.
  • Having a database is important because it is a bad idea to run code provided by others if you do not understand it!
  • Sometimes an exploit will do more than what its description says: crash the target, delete data, or turn the target into a zombie for the exploit's original author.

Exploit Unavailability

  • It is important to identify what to do when no exploit exists for the vulnerability.
  • Nothing!
  • Include the vulnerability in the penetration test report and move to the next vulnerability.

Process Automation

  • Vulnerability scanners: Nessus, OpenVAS, GFI LANguard, Retina, Core Impact. Vulnerability exploiters: Metasploit, Core Impact, Canvas.
  • Top 100 security tools: www.sectools.org
  • The ability to schedule tests is an important asset for tools.

Vulnerability Scanning: Nessus

  • Includes 2 components: server and client.
    • Either or both can be installed; they can run on different platforms, such as a Linux server and a client on Windows 10
    • Client: defines the scan tasks
      • If installed under Windows, it must run with admin privileges
    • Plug-in: implements a security check
      • Written in Nessus Attack Scripting Language (NASL)
    • Communication takes place between the server and the clients
  • Can run credentialed scans of a machine to check the security of the installed products
  • Uses the "safe checks" option by default to avoid crashing targets

Scan Summary

  • Host Discovery: Identifying active hosts using tools like Scapy and Nmap.
  • Port Scanning: Identifying open ports using TCP and UDP protocols and tools like Scapy and Nmap.
  • OS Fingerprinting: Identifying the operating system by checking banners and triggering error packets.
  • Vulnerability Scanning: Checking product versions against CVE databases to identify vulnerabilities.

Nmap Tricks

  • nmap -sL hw.ac.uk/28
  • --source-port (or -g) <portnum>: specify the source port number
  • -f: fragments packets to fool naive firewalls
  • Scan timing: -T Sneaky is stealthier
  • Choose which TCP flags to set
    • Syntax: nmap --scanflags FLAGS target
    • Example: nmap --scanflags SYNURG target
  • -6: scan IPv6 targets
  • -A: OS detection, version detection, script scanning, and traceroute
  • -sW: same as -sA but examines the window size in the response
    • If RST with a positive window size, then the port is open
  • -v and --reason for more verbosity
  • Scanrand, an alternative to nmap: https://manned.org/scanrand/b9a07a7a
  • nmap --script 'not intrusive' 192.168.231.2

Resources

  • Nmap Resources
    • https://danielmiessler.com/study/nmap/
    • https://www.oreilly.com/library/view/network-security-assessment/9780596510305/ch04.html
    • https://nmap.org/book/man-briefoptions.html
    • https://linux.die.net/man/1/nmap
    • https://www.tutorialspoint.com/nmap-cheat-sheet
    • https://nmap.org/book/nmap-phases.html
    • https://nmap.org/book/port-scanning-options.html
    • https://nmap.org/book/scan-methods-udp-scan.html
    • https://nmap.org/book/man-briefoptions.html
    • https://nmap.org/book/host-discovery-techniques.html
    • https://nmap.org/book/host-discovery-controls.html
    • https://nmap.org/book/man-host-discovery.html

Scapy Resources

  • https://www.mmu.ac.uk/media/mmuacuk/content/documents/school-of-computing-mathematics-and-digital-technology/blossom/PythonScriptingwithScapyLab.pdf
  • https://thepacketgeek.com/scapy/building-network-tools/part-06/
  • https://scapy.net/html.old/demo.html
    • A bit outdated, but has some useful tricks
