Chapter 4 Scanning - Network Security

Summary

This document provides an overview of network scanning techniques and tools, covering topics such as network scanning concepts, scanning tools, host discovery, port and service discovery, OS discovery, and scanning beyond IDS/firewalls. It also details different scan types, tasks, and various network scanning methods, including ICMP scans, ARP scans, and specific tools like Nmap and Hping3.

Full Transcript

Chapter 4: Scanning

Topics Covered
- Scanning Networks
- Network Scanning Concepts
- Scanning Tools
- Host Discovery
- Port and Service Discovery
- OS Discovery (Banner Grabbing / OS Fingerprinting)
- Scanning beyond IDS/Firewall

Scanning Networks
Search the network for potential targets to:
- Discover live hosts
- Discover services and listening ports
- Fingerprint OSes and services
- Identify targets for a vulnerability scan
Fingerprinting: identifying an OS or service version by actively engaging the target.
The goal of scanning is ultimately to find vulnerable targets that you can exploit!
Scanning can be:
- Active (engage the target for information)
- Passive (sniff traffic for information)
Scan types:
- Discovery Scan: find potential targets
- Port Scan: see what services hosts are running
- Vulnerability Scan: see if those services are vulnerable to hacking
- Other Scans: map hostnames, IP addresses and MAC addresses; identify additional supported protocols; stealthy alternatives to port scans

Network Scanning Tasks
- Check for live systems: ping or ARP to discover live hosts
- Check for open ports: scan live IPs for listening ports
- Evade IDS (Intrusion Detection System) and firewalls: if necessary, evade detection using proxies, spoofing, fragmented packets, etc.
- Perform banner grabbing: grab banners from servers; perform OS and service fingerprinting
- Scan for vulnerabilities: test services and OSes for vulnerabilities
- Draw network diagrams: show logical and physical pathways into networks
- Pentest report: document everything that you find; identify next steps for exploiting vulnerabilities

Scanning IPv6 Networks
- IPv6 addresses are 128 bits
- Traditional scanning techniques are not feasible because of the larger search space (64 bits)
- Some scanning tools do not support scanning IPv6 networks
- Attackers may gather IPv6 addresses from network traffic, recorded logs, header lines in archived emails, and Usenet news messages
- If an attacker does discover and compromise one host, they can probe "all hosts" through the link-local multicast address FF01::1 and discover additional targets on the link

Advanced Scanning Using Crafted Packets
You take a typical IP/ICMP/TCP/UDP packet and:
1. Specify what settings or values should be in the header fields or payload (the actual data sent in the packet)
2. Send the packet to the target
3. See how the target responds to "illegal" or unexpected packet settings
- Different OSes respond in different ways
- You can often identify the OS based on the response:
  - IP: TTL, Don't Fragment (DF) flag / Don't Fragment ICMP (DFI)
  - TCP: starting window size, Explicit Congestion Notification (ECN) flag, sequence number generation
  - ICMP: echo request / echo reply padding
- Tools: Nmap, Hping3, Colasoft, NetScan Tools Pro, Cat Karat

ICMP Discovery Scans
ICMP - Internet Control Message Protocol (used by the ping command)
- Layer 3 protocol
- Direct payload of IP
- Protocol ID 1
- Has message types
- Each message type in turn may have codes for further information

What is a Discovery Scan?
A type of scan that discovers live IP addresses on a network.
- A Ping Sweep is the simplest network scanning method
- It uses ICMP ECHO REQUEST packets to search for live hosts
- A few discovery scans use ARP instead of ICMP to bypass host-based firewalls
- Can also use specially crafted TCP or UDP packets

ICMP Ping Sweep
- The easiest protocol to use to scan for live systems
- The scanner sends ICMP ECHO requests to one or more IP addresses
- If live, hosts will return an ICMP ECHO REPLY
- Useful for locating local devices
- Often blocked by: a software firewall on the host; a packet-filtering router/firewall between the scanner and the target network
- Useful for determining if a firewall is permitting ICMP
- Example: the ICMP Echo returns Type 3, Code 13 "Destination unreachable, administratively prohibited"; this type of message is typically returned from a device blocking a port

ARP Discovery
ARP - Address Resolution Protocol. When a device wants to communicate with another device but only knows its IP address, it uses ARP to find the corresponding MAC address.
- Use ARP requests/replies to discover live hosts
- Cannot be blocked by a personal firewall
- ARP is required to discover MAC addresses and map them to IP addresses
- Used on an Ethernet or Wi-Fi LAN
- Tools include: Nmap, Ettercap, Metasploit, Cain & Abel

Port Scans
What is a port?
- A number (0 - 65535) that represents a process on a network
- Well-known services use specific port numbers by convention
- Both TCP and UDP use port numbers
- Source and destination each have a port, embedded in the header
- A client and server will each have its own port in a conversation, usually not the same port
- Some services are only "loosely bound" to a port: it is possible for another process to "get in front of" that service and take over the port; this happens in hacking (example: netcat getting in front of IIS, intercepting and redirecting web traffic)

Port Ranges
- Well-known ports (0 - 1023; note that 0 is not used)
  - Reserved by convention for well-known services
  - The server listens on a well-known port for incoming connection attempts
  - A client process, identified by its own port, attempts to make a connection
  - The server can accept or reject the connection attempt, usually based on whether there is a listening service on that port; firewall filtering or other policies can also block connections from specific clients
- Registered ports (1024 - 49151)
  - Services can additionally request the use of these ports from the operating system
- Dynamic ports (49152 - 65535)
  - The operating system temporarily assigns a dynamic port to a client process
  - The port is "returned" to the OS when the client process ends

Common Port Numbers and Services (TCP unless noted)
- 21: FTP commands
- 22: SSH
- 23: Telnet
- 25: SMTP
- 53 (TCP or UDP): DNS
- 80: HTTP
- 88: Kerberos
- 110: POP3
- 111 (TCP or UDP): *nix portmapper
- 135: Microsoft Remote Procedure Call (RPC)
- 139: SMB (legacy)
- 143: IMAP4
- 161: SNMP (TCP or UDP; only UDP is used at this time)
- 162: SNMP traps (TCP or UDP; only UDP is used at this time)
- 389: LDAP
- 443: HTTPS
- 445: Microsoft-ds (authentication used by SMB)
- 3389: RDP

TCP Header Flags
- SYN (Synchronize): set during initial communication; negotiates parameters and sequence numbers
- ACK (Acknowledgment): set as an acknowledgement to the SYN flag; always set after the initial SYN
- RST (Reset): forces the termination of a connection (in both directions)
- FIN (Finish): part of the close-session handshake
- PSH (Push): forces the delivery of data without concern for buffering
- URG (Urgent): data in the segment is urgent and the receiver should process it immediately
Scanning for Open Ports
- Look for open TCP or UDP ports
- An open port indicates a listening service, which might have exploitable vulnerabilities
- TCP and UDP respond differently to scans

What is a TCP Port Scan?
- The most common type of port scan
- The attacker sends a TCP packet to the target
- Based on the response from the target, the scanner can determine:
  - Open ports: if a port is open, the target responds with a SYN-ACK packet
  - Closed ports: if a port is closed, the target responds with a RST (reset) packet
  - Filtered ports: if no response is received, the port may be filtered by a firewall

TCP 3-Way Handshake
- Establishes a session (a reliable connection between client and server before data transmission begins)
- SYN - SYN-ACK - ACK
- Sets the starting sequence numbers
  Client → Server: SYN, Seq = X
  Server → Client: SYN-ACK, Seq = Y, Ack = X + 1
  Client → Server: ACK, Ack = Y + 1

TCP 4-Way Goodbye Handshake
- Terminates a TCP connection between a client and a server
- FIN-ACK - FIN-ACK: both sides FIN and ACK the other
  Client → Server: FIN, Seq = X
  Server → Client: ACK, Ack = X + 1
  Server → Client: FIN, Seq = Y
  Client → Server: ACK, Ack = Y + 1

TCP SYN Scan
- Discovers open TCP ports on a target system
- Most common type of port scan
- aka Stealth Scan or Half-Open Scan
- The client sends a SYN packet to the server
- The server responds with a SYN/ACK packet if the port is open
- The server responds with a RST packet if the port is closed
- The client sends a RST packet to close the initiation before the connection is established (reducing the likelihood of detection)
- Resets the TCP connection between client and server in midstream; the connection is only "half open"

TCP Connect Scan
- Discovers open TCP ports on a target system
- AKA TCP Full Scan or TCP Open Scan
- Completes the TCP three-way handshake and establishes a full connection (Client => Server: SYN; Server => Client: SYN-ACK; Client => Server: ACK)
- Then tears it down by sending a RST packet (terminating the connection)
- Does not require superuser privileges on Linux
- Appears "normal" to intrusion detection; least likely to arouse suspicion

TCP ACK Scan
- Used to determine if the host is protected by filtering/firewall
- Since (nearly) every TCP segment contains a raised ACK flag, an ACK scan appears normal
- Can evade IDS in most cases
- Can be used against packet-filtering routers to see what's behind them
- The attacker sends an ACK probe packet with a random sequence number to the target
  - No response = protected (filtered) by firewall
  - RST = port is closed
- TTL-based (bypass an access control list using TTL)
  - Send 1000s of ACKs to different TCP ports
  - Analyze the TTL field in the RST packets received
  - If the boundary value is < 64, the port is open; if greater than 64, the port is closed
- Window-based
  - Send 1000s of ACKs to different TCP ports
  - If the WINDOW value of the RST received is non-zero, the port is open

Non-Standard TCP Flag Scans
- Used to detect open or closed ports on a target system by sending non-standard TCP packets with certain flags set
- Stealthier than a SYN scan
- Does not attempt to start a TCP connection
- Used to discover firewall rules / evade detection by IDS
- TCP flags are raised in an unusual / illegal pattern

Stealth Scan
A stealth scan is a type of network scan designed to avoid detection by firewalls, intrusion detection systems (IDS), or other security mechanisms.

UDP Scan
- Used to discover open UDP ports on a target system
- No handshake involved: UDP is a stateless protocol
- You can send a UDP datagram, but you often won't get a response
- UDP itself cannot determine if a host is alive, dead or filtered
- Responses:
  1. ICMP Port Unreachable: the port is not available
  2. No response: if the port is open, there may be no response at all, since UDP does not require a connection or acknowledgment (port is open)
  3. UDP data response: if the service actively responds to the UDP packet (e.g., DNS), the port is open

Idle (Blind) Scan
nmap -sI zombie.example.com server.example.com
- "Blind" scan or "idle" scan
- Map open ports on a remote system without producing any evidence that you have interacted with that system
- Force the target to interact with a third machine (the zombie)
- Check the zombie's IPID to see if it incremented
- The IP identification (IPID) field identifies a packet in a communication session; its primary purpose is to recover from IP fragmentation

Stealth option: -sI
Example: nmap -sI -Pn -p- zombie.example.com www.company.com
Description: conduct a blind TCP port scan (idle scan) of the target (server.example.com) through a 3rd-party host (the zombie), which helps to determine the state of the target. Assume the target is "up". Scan all TCP ports. Use the "zombie" (middle man) host to obtain information about open ports on the target.
- -Pn: this option tells Nmap not to ping the target (www.company.com) to check if it's up before scanning
- -p-: this specifies that all ports (1-65535) are scanned

OS Fingerprinting
- A way to determine the operating system running on the remote target system
- Error messages can reveal information about the service or OS
- You can use banner grabbing to identify the service and/or OS version
- Can also examine TCP and ICMP messages to identify the OS

Active Banner Grabbing
- Specially constructed packets are sent to the remote OS and the responses are captured
- Responses are compared with a database to determine the OS
- Responses from different OSes vary because of differences in the TCP/IP stack

Passive Banner Grabbing
- Error messages provide information including type of server, type of OS, and SSL tools used by the target
- Sniffing network traffic on the target allows the attacker to determine the OS
- Page extensions in a URL may assist the attacker in determining versions

Fingerprinting Clues in the TCP/IP Headers
- In the TCP layer: window size
  - 0x7D78 (32120) = Linux
  - Cisco & Microsoft constantly change
- In the IP layer:
  - TTL: 64 = Linux / FreeBSD
  - Don't Fragment (DF) bit: see if the DF bit is set (=1); SCO & OpenBSD do not use the DF flag
  - Type of Service (ToS): indicates the protocol (priority) more than the OS

Banner Grabbing Commands
telnet <ip> <port> // initiates a telnet session, opening a TCP connection
  Example: telnet 192.168.1.10 80
  If the port is open, you'll receive a blank screen or the service's banner. If the port is closed, you may receive a connection error or "connection refused" message.
nc -vv <ip> <port> // the command for Netcat (a networking tool to establish a connection); -vv provides information about the connection process, including connection attempts, responses, and any errors
  Example: nc -vv 192.168.1.10 80
nmap -sV <ip> -p <port> // Nmap scan to determine the version of services running on a specific port of a target machine
  -sV: this flag tells Nmap to perform service version detection, which tries to determine the version of the software running on the port(s)
  <ip>: the target IP address you want to scan
  -p 80: the port number you want to scan
  Example: nmap -sV 192.168.1.1 -p 80
nmap -sV --script=banner <ip> // --script=banner uses the banner NSE (Nmap Scripting Engine) script, which attempts to grab banner information from services running on open ports; banners include details like the software version and other service-specific info
  Example: nmap -sV --script=banner 192.168.1.1

Tool 1: Network Mapper (NMAP)
- A highly flexible open source tool for scanning networks
- Command-line based, for Linux and Windows
ZENMAP
- GUI version of NMAP
- Uses NMAP syntax
- Created for Windows users

Tool 2: HPING2/HPING3
- Command-line network scanning
- Packet crafting
- Can perform various scan types
- Used for: host discovery, network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime estimating, TCP/IP stack auditing
Hping3 is a powerful command-line tool that allows users to craft and send custom TCP/IP packets and perform various types of network testing.
Features:
- Ping a host: just like ping, but can use any TCP, UDP, or ICMP protocol
  Example 1: hping3 -S -p 80 <target> // sends a SYN packet to port 80 of the target IP, helping you simulate a TCP ping
  Example 2: hping3 <target> // sends ICMP Echo Requests, similar to the ping command
- Tracerouting by analyzing time-to-live (TTL) values
  Example: hping3 --traceroute <target>
- Performing Denial-of-Service (DoS) tests
- Monitoring network performance or identifying open/filtered ports
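The TCP header flags, the "unusual / illegal" flag patterns of the non-standard flag scans, and the TTL / window / DF fingerprinting hints above all live in the raw IP and TCP headers. As an added example (not code from the slides), this Python script decodes a raw IPv4+TCP header into those fields, names the probe pattern a flag set implies, and applies the slides' fingerprinting hints; the packets are constructed inline, and the `build_ipv4_tcp` helper and the "unknown" fallback are assumptions of this example.

```python
import struct

# Bit values of the TCP flags in the 16-bit data-offset/flags word.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Decode the IPv4 header and the fixed 20-byte TCP header (options ignored)."""
    if len(raw) < 40:
        raise ValueError("need at least 40 bytes of IPv4+TCP header")
    (ver_ihl, tos, _total, _ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    sport, dport, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", raw[ihl:ihl + 16])
    flag_bits = off_flags & 0x01FF                  # low 9 bits hold the flags
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "df": bool(frag & 0x4000),                  # Don't Fragment bit
        "tos": tos,
        "sport": sport,
        "dport": dport,
        "window": window,
        "flags": {n for n, bit in TCP_FLAGS.items() if flag_bits & bit},
    }


def classify_flags(flags: set) -> str:
    """Name the probe pattern implied by a flag set; 'normal' for ordinary traffic."""
    core = flags & {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
    if not core:
        return "NULL scan (no flags raised)"
    if core == {"FIN", "PSH", "URG"}:
        return "XMAS scan"
    if core == {"FIN"}:
        return "FIN scan"
    if {"SYN", "FIN"} <= core:
        return "SYN/FIN scan (illegal combination)"
    if core == {"ACK"}:
        return "bare ACK (ACK scan or a legitimate acknowledgement)"
    return "normal"


def guess_os(ttl: int, window: int, df: bool) -> str:
    """Apply the slides' TTL / window / DF hints; anything else is 'unknown'."""
    if window == 0x7D78:                            # 32120 = Linux on the slides
        return "Linux (window 0x7D78)"
    if ttl == 64 and df:
        return "Linux/FreeBSD (TTL 64)"
    if not df:
        return "possibly SCO/OpenBSD (DF not used)"
    return "unknown"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flag_bits: int,
                   ttl: int = 64, window: int = 0x7D78, df: bool = True) -> bytes:
    """Construct a minimal IPv4+TCP header for testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | flag_bits, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed XMAS probe: FIN + PSH + URG from a made-up source host.
    xmas = build_ipv4_tcp("10.0.0.5", "192.168.1.10", 40000, 80, 0x01 | 0x08 | 0x20)
    info = parse_ipv4_tcp(xmas)
    print(sorted(info["flags"]), classify_flags(info["flags"]),
          guess_os(info["ttl"], info["window"], info["df"]))
```

Feeding the same decoder captured segments lets a defender spot NULL, XMAS and SYN/FIN probes that a signature expecting a plain SYN would miss.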
[Figure: hping3 FIN scan example, annotated with packet count, source port, raised TCP FIN flag and destination port; the target responds with TCP RST and ACK]

Scanning beyond IDS/Firewall
- Each firewall configuration presents its own challenge to scanning
- If you are scanning a network "black box" style, you do not know which, if any, firewall type you will encounter
- If you can infer which type you're encountering, this will give you an advantage in a pentest: you'll have a better idea of which techniques not to spend too much time on, and of other approaches you should consider to break into the network

Nmap Port States
- Open: the port is actively accepting TCP, UDP or SCTP connections. Open ports are the ones that are directly vulnerable to attacks; they show available services on a network.
- Closed: the target responds (usually with RST) but there is no application listening on that port. Useful for identifying that the host exists and for OS detection.
- Filtered: Nmap can't determine if the port is open because the probe is being blocked by a firewall or router rules. Usually no response, or "Destination unreachable".
- Unfiltered: the port is accessible but Nmap doesn't know if it's open or closed. Only used in the ACK scan, which is used to map firewall rulesets; other scan types can be used to identify whether the port is open.
- Open/filtered: Nmap is unable to distinguish between open and filtered. The port is open but gives no response; no response could mean that the probe was dropped by a packet filter or that any response is blocked.
- Closed/filtered: Nmap is unable to determine whether the port is closed or filtered. Only used in the IP ID idle scan.

Probing the Firewall
Try to determine:
- The firewall rule set (allowed and blocked ports)
- The firewall type (stateful or stateless)
- Weaknesses in the firewall's configuration
- Devices behind the firewall

Packet Fragmentation
- The attacker splits the probe packets into several smaller fragments, then sends them to the target network
- The packet is then reassembled at the final destination
- The IDS/firewall processes each fragment separately and doesn't recognize that the packet is malicious; the payload fragments are each too short to match a known signature
- IDSes are often configured to skip fragmented packets during scanning

Techniques
- ACK Scan: map out firewall rulesets; determine if the firewall is stateful or stateless
- SYN/FIN Scan: sets both the SYN and FIN bits; a good way to bypass a rule that drops packets with ONLY SYN raised

Stateful Firewall
- Monitors the state of active connections and makes decisions based on the state of the connection
- Keeps track of the status of connections (such as TCP handshakes and packet flows) and uses this information to determine whether a packet should be allowed or denied
- Tracks connection states
- Smart decision-making: allows packets that are part of an established connection and can block unsolicited packets
- Better security: by maintaining a connection table, it can ensure that incoming packets are a valid response to outbound requests

Stateless Firewall
- Does not keep track of the state of connections; simply looks at each incoming or outgoing packet independently, using rules based on IP addresses, ports, and protocols to make allow/deny decisions
- A stateless firewall will be easier to get past than a stateful one
- A stateless firewall will block SYN packets based on port number; however, it is far less likely to block ACK packets, because those could be a response to an outgoing connection

Distinguishing Stateful from Stateless
- Perform separate SYN and ACK scans against the same ports
- If the SYN scan shows some ports open and some closed AND the ACK scan shows all ports unfiltered, the firewall is likely stateless or disabled
- A stateful firewall will know from its state table whether the ACK is legitimate or not
- If an ACK scan shows at least some ports as "filtered", then it is likely a stateful firewall

Firewalking
- A network security technique used to gather information about firewall rules, ports and services that are allowed through a firewall
- Good for probing past a firewall into an internal network
- Firewalking is often used by penetration testers or attackers to map out firewall rules and access control lists (ACLs) of a target network
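The SYN-versus-ACK comparison above is easy to get wrong by eye across many ports. As an added example (not code from the slides), this Python module maps each probe response to the Nmap port state, applies the slides' TTL/window hints for a RST answering an ACK, and reaches the stateless-or-stateful verdict exactly as the rule above states it; the probe results are constructed samples, so a defender can run the same comparison against their own perimeter to confirm the firewall really is stateful.

```python
SYN_STATES = {"SYN-ACK": "open", "RST": "closed"}


def syn_probe_state(response):
    """Nmap-style state for a SYN probe: SYN-ACK -> open, RST -> closed, else filtered."""
    return SYN_STATES.get(response, "filtered")


def ack_probe_state(response):
    """For an ACK probe a RST means the port was reachable ('unfiltered'); silence or
    an ICMP unreachable means something in the path filtered the probe."""
    return "unfiltered" if response == "RST" else "filtered"


def ack_rst_hint(ttl, window):
    """The slides' TTL / window heuristics applied to a RST returned to an ACK probe."""
    if window != 0:
        return "open (non-zero window)"
    return "open (TTL < 64)" if ttl < 64 else "closed"


def infer_firewall(syn_results, ack_results):
    """syn_results / ack_results map port -> response string (None = no reply).
    Returns the per-port states and a verdict on the firewall in front of the host."""
    ports = sorted(set(syn_results) | set(ack_results))
    table = {p: {"syn": syn_probe_state(syn_results.get(p)),
                 "ack": ack_probe_state(ack_results.get(p))} for p in ports}
    syn_states = {r["syn"] for r in table.values()}
    ack_states = {r["ack"] for r in table.values()}
    if ("open" in syn_states and "closed" in syn_states
            and ack_states == {"unfiltered"}):
        verdict = "stateless or disabled"   # SYNs judged by port, every ACK let through
    elif "filtered" in ack_states:
        verdict = "likely stateful"         # unsolicited ACKs dropped via the state table
    else:
        verdict = "inconclusive"
    return {"ports": table, "verdict": verdict}


# Constructed sample 1: a packet filter that drops SYN to 23 but passes every ACK.
STATELESS_SYN = {22: "SYN-ACK", 23: None, 80: "SYN-ACK", 8080: "RST"}
STATELESS_ACK = {22: "RST", 23: "RST", 80: "RST", 8080: "RST"}

# Constructed sample 2: a stateful firewall that only admits new connections to 22 and 80.
STATEFUL_SYN = {22: "SYN-ACK", 23: None, 80: "SYN-ACK", 8080: None}
STATEFUL_ACK = {22: "RST", 23: None, 80: "RST", 8080: None}


if __name__ == "__main__":
    for name, syn, ack in (("sample 1", STATELESS_SYN, STATELESS_ACK),
                           ("sample 2", STATEFUL_SYN, STATEFUL_ACK)):
        result = infer_firewall(syn, ack)
        print(name, "->", result["verdict"])
        for port, states in result["ports"].items():
            print(f"  {port:5d}  SYN: {states['syn']:9s}  ACK: {states['ack']}")
```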
- Can be used to probe past multiple daisy-chained firewalls
- You can manipulate the IP TTL in a scan to distinguish between: a protected server that does not have that port open; an intermediate firewall that blocks the port from being reached by the scanner
- A firewall will return ICMP Type 11, Code 0 (Time Exceeded) if the port is allowed and the probe TTL expires at the firewall
- The probe must be sent to a live final target; it does not matter if the final target actually listens on that port
- Nmap itself will report the port status as filtered, because it's looking for a TCP response, not an ICMP response; a firewalker will notice the ICMP response and report the port as permitted

Proxy Servers
- A proxy server is an intermediary between: an internal user and an Internet resource; an Internet user and an internal resource
- Use an online proxy to:
  - Hide the source IP address to avoid discovery
  - Increase privacy
  - Conduct anonymous hacking attacks
  - Mask the source of an attack by impersonating a false source
  - Remotely access intranets and website resources that are normally protected
  - Intercept all requests sent by a user and re-route them to a different destination, so that the destination sees only the proxy server address
  - Chain multiple proxy servers to avoid detection

TOR
- AKA The Onion Router
- Free and open-source software for enabling anonymous communication
- Directs Internet traffic through a worldwide overlay network of over 6000 relays
- Conceals a user's location and usage from network surveillance and traffic analysis
- Your route changes every 10 minutes, making it more difficult to trace Internet activity to the user
- Intended use is to protect personal privacy; unfortunately it has also become home to "dark web" criminal activity
- A TOR browser aims to make all users look the same, making it difficult to fingerprint you based on your browser or device
- Easy to set up and use: download a TOR browser from https://www.torproject.org/download/

Scanning Countermeasures
- Implement a software firewall on all devices
- Limit the number of open ports
- Block ICMP
- Configure routers to disallow vulnerable features such as source routing and IP fragments
- Use an IDS/IPS to monitor network traffic
- Patch hosts
- Conduct your own scans pre-emptively
- Ensure that the IDS, routers, and firewall firmware are updated to their latest releases
- Consider using a cloud-based SIEM to leverage more sophisticated / longer-term traffic analysis
- In a high-security environment, consider hard-coding MAC-to-IP address mappings for each host
- Do not rely on IP-based authentication
- Digitally sign all transmissions
- Use stateful firewalls with deep packet inspection
- Disallow source routing
- Disallow incoming packets that appear to come from your own network (spoofed source IP)
- Be cautious when allowing traffic based on source port
- Hard-code ARP entries where practical
- Hard-code IP addresses where practical
- Use switchport security
- Secure the DNS server cache against pollution

Banner Grabbing Countermeasures
- Disable or change the banner
- Display false/misleading banners
- Make sure the banner does not advertise the service version
- Add an "authorized users only" warning to the banner to protect yourself legally, especially for services that require a user to log on
- Turn off unnecessary services
- Hide file extensions from web pages such as .asp or .htm
  - IIS can use tools like PageXchanger to manage file extensions
  - Apache can edit httpd.conf with mod_negotiation directives

Firewall Countermeasures
- Use a multilayer defense strategy
- Implement multiple firewall solutions at different levels
- Implement strong change management
- Stay on top of security patches/updates
- Set strong password policies and multifactor authentication
- Look for "side doors" and "back doors" that can bypass the firewall: Wi-Fi access points; VPN / remote access servers; private WAN links / VPNs to other company sites; "sneakernet" (physically moving data in and out of the network on removable media)
- Perform your own firewall tests to ensure rules behave as desired
- Regularly perform penetration tests
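The countermeasures include using an IDS/IPS to monitor traffic. As an added example (not code from the slides), this Python detector implements the simplest check for the SYN scan described earlier: one source sending SYN-only segments to many distinct ports on a host within a short window, without completing handshakes. The connection records are constructed inline (format "timestamp src dst dport flags"), and the window and threshold values are assumptions to tune per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_records():
    """Constructed sample records, one per segment: 'timestamp src dst dport flags'."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # A scanner sends one SYN per second to 25 different ports and never completes
    # a handshake (a SYN scan answers the SYN-ACK with RST, so it never sends ACK).
    for i, port in enumerate(range(20, 45)):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 192.168.1.10 {port} S")
    # A normal client completes a few connections to the web ports in the same minute.
    for i, port in enumerate([80, 443, 80, 443]):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 192.168.1.10 {port} S")
        lines.append(f"{ts} 10.0.0.9 192.168.1.10 {port} A")
    return lines


def parse_record(line):
    """Split one record into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_syn_scans(lines, window_s=60, port_threshold=15):
    """Return {(src, dst): details} for sources that sent SYN-only segments to at
    least port_threshold distinct ports on one host within any window_s seconds."""
    attempts = defaultdict(list)               # (src, dst) -> [(ts, port), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, flags = parse_record(line)
        if "S" in flags and "A" not in flags:  # SYN without ACK = new attempt
            attempts[(src, dst)].append((ts, port))
    alerts = {}
    for key, recs in attempts.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):           # sliding time window over attempts
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1
            ports = {p for _, p in recs[start:end + 1]}
            seen = alerts.get(key, {}).get("distinct_ports", 0)
            if len(ports) >= port_threshold and len(ports) > seen:
                alerts[key] = {"distinct_ports": len(ports),
                               "first_seen": recs[start][0].isoformat(),
                               "last_seen": recs[end][0].isoformat()}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_syn_scans(constructed_records()).items():
        print(f"possible SYN scan from {src} against {dst}: {info}")
```

Because it keys on SYN-without-ACK, a TCP connect scan (which does complete the handshake) needs a different rule, such as counting RST-terminated sessions per source.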
