Summary

This document provides an overview of cyber attacks, including motives, goals, methods, and vulnerabilities. It explores various security terminologies and attack vectors, such as misconfiguration, kernel flaws, and buffer overflows, while discussing types of malware (worms, viruses, Trojan horses, etc.). The document also analyzes objectives of security, including confidentiality, integrity, availability, and authenticity. Security controls, layered defenses, and strategies for deceiving, frustrating, and resisting adversaries are also covered. Finally, it emphasizes the importance of recognizing and responding to attacks.

Full Transcript


Cyber Attacks
› Motives: financial, political, activism, hobby, etc.
› Goals: ethical vs. non-ethical (steal, destroy, manipulate, block, test)
› Methods/vectors: various attacking techniques that involve exploiting one or more vulnerabilities (phishing, ransomware)
› Vulnerabilities: a weakness in software or hardware due to bad design or configuration (weak encryption)
› Live cyber attack trackers: https://threatmap.checkpoint.com/ and https://www.fireeye.com/cyber-map/threat-map.html

1 Terminologies
› Information security violations arise when an actor takes advantage of vulnerabilities in a computer that handles information.
▪ An actor, in this sense, is some entity or process that serves as a proximate cause for the violation (malware).
▪ An adversary is a human actor working against a specific organization.
▪ A threat is a potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.
▪ A vulnerability is a flaw in the system (including its operation) that can be exploited to violate the system’s security policy.

2 Terminologies
› Vulnerabilities can be introduced throughout the system life cycle, such as:
▪ A specified lack of authentication in an embedded control system (due to space constraints on the device).
▪ A design choice for a simple (and weak) form of encryption can be a vulnerability if the encrypted data is available to unauthorized actors.
▪ A programmer’s use of unguarded input (where the length of the input is not restricted to the available storage).
▪ A lack of secured storage for backup media can be a vulnerability if unauthorized actors can copy, delete, or steal backups of confidential information.
3 Attack Vector
› Misconfiguration: the attacker uses a flaw in a configuration to gain access to the device.
› Kernel flaw: the attacker uses a flaw in the kernel of the operating system.
› Buffer overflow: a piece of code writes data outside of its allotted memory.
› Insufficient input validation: the application does not sufficiently check its input. An attacker can use this to inject arbitrary code or commands, as in an SQL injection.
› Social engineering: the attacker uses interaction with a person to gain access to the system.

4 Types of Malware
› There are several types of malware that have been developed:
▪ A worm is a standalone program that copies itself from system to system. Some worms carry a payload, a set of instructions to execute when a set of conditions has been met.
▪ A virus is much like a worm, except that it is not a standalone program; it propagates by modifying some other piece of software. Like a worm, it carries a payload.
▪ A Trojan horse is a program that has a benign public purpose but hides a malicious payload.
▪ A logic bomb is a program or program fragment set to violate security when accessed using external commands.
▪ Spyware is designed to hide itself, gather information, and export that information from the systems on which it executes.
▪ Bots are programs that execute commands in a distributed fashion. Malicious bots are designed to hide, to receive commands from an adversary, and to execute those commands, exploiting the resources of the systems they run on.
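An added example, not from the slides: the "insufficient input validation" vector above shown as a login lookup in Python's sqlite3, with the concatenated query beside the parameterized one so the difference in how the input is interpreted is visible. The table, rows and inputs are constructed here.

```python
# Added example (not from the lecture slides): a login lookup built two ways on
# an in-memory SQLite database. The table, its rows and the inputs are
# constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Builds the statement by string formatting: the input is parsed as SQL,
    so a quote character in the input changes the statement's structure."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Same query with bound parameters: the input is only ever a value,
    never SQL text, so the statement's structure cannot change."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def demo() -> dict:
    """Runs both versions on a normal login and on an input containing a quote."""
    conn = make_db()
    # Constructed malformed input: closes the string literal and appends a
    # condition that is always true, so the unsafe query matches every row.
    crafted = "' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice", "correct horse"),
        "normal_parameterized": lookup_parameterized(conn, "alice", "correct horse"),
        "crafted_vulnerable": lookup_vulnerable(conn, "x", crafted),
        "crafted_parameterized": lookup_parameterized(conn, "x", crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22} -> {rows}")
```

The parameterized version returns no rows for the malformed input, which is the behaviour a validating application should show.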
5 Objectives of Security
› Confidentiality: information is only available to authorized users.
› Integrity: information retains its intended content and semantics.
› Availability: information retains access and presence.
› Authenticity: information remains linked to its originator.
The relative importance of these objectives shifts depending on the organization.

6 Classes of Threat
› Interception → Confidentiality
› Modification → Integrity
› Masquerade → Authenticity
› Interruption → Availability
Most security problems are people related.

7 Forms of Security
Intertwined in current practice:
› Physical security – protection of infrastructure, installations, and physical objects. Only authorized people get to secured assets.
› Personnel security – protection of people. Minimize damage to or from people.
› Information security – protection of data. Focus of this course.
Discussion question: Why might personnel security be just as important as network security in protecting an organization?

8 Critical Issues
› What must you defend? The mission of the organization; the assets of the organization.
› What can you defend? Personnel limitations; information limitations.
› What is likely to be attacked?

9 Strategic Goals
Sun Tzu said: Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted. Therefore the clever combatant imposes his will on the enemy, but does not allow the enemy's will to be imposed on him. By holding out advantages to him, he can cause the enemy to approach of his own accord; or, by inflicting damage, he can make it impossible for the enemy to draw near.

10 Defense Strategy
› Deceive the attacker
› Frustrate the attacker
› Resist the attacker
› Recognize and respond to the attacker

11 Analogous Example
› Arsonist profiling, misdirection = Deceive
› Grounded wiring, reduced trash = Frustrate
› Fire doors, inter-floor barriers = Resist
› Smoke detectors, alarm pulls = Recognize
› Fire-suppression systems = Respond

12 Deceive Adversaries
› Hide the nature of your organization.
› Use obvious targets as alarms, not servers.
› Minimize the footprint of critical assets.
› Honeyd/Tarpit – fake servers/services: https://www.youtube.com/watch?v=HCxo1xo0IZY&t=493s
Discussion question: In what scenario might “deceiving” an attacker be more effective than “resisting” an attack?
Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.

13 Deception
“All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” Sun Tzu, c. 500 BC
The deception defense strategy is to make a network attack either “no one’s problem” or “somebody else’s problem”.

14 Deception in Information Security
(Figure: fake server)
› “No One’s Problem” strategy: focus the adversary on assets that are unproductive for attacks and provide no advantage to the attacker. Example: fake servers.
› “Someone Else’s Problem” strategy: redirect attacks to non-critical assets belonging to another organization. Ensure this does not disrupt essential services. Example: service-host providers.
› Passive defense advantage: deceptive methods are mostly passive and require minimal ongoing action. Effective as a first line of defense.
15 Frustrate Adversaries
› Deny the initial access necessary for attack (firewalls, routers, wrappers, etc.).
› Block what you can: assert control of either the target of an attack or the medium used for the access, configuring the asset to be unreachable or unassailable to the attack.
› Prevent information flows critical to the enemy.
› Use obvious attack vectors as alarms.
If we do not wish to fight, we can prevent the enemy from engaging us even though the lines of our encampment be merely traced out on the ground. All we need is to throw something odd and unaccountable in his way.

16 Resist Adversaries
› Goal: make attack progression difficult after initial access. Does not rely on prior knowledge of the attack.
› Key methods: protect authorized users with strong authentication (e.g., tokens); limit exploits by applying patches promptly and reconfiguring hosts to remove vulnerabilities.
› Maintenance requirement: these strategies often require active management, such as regular updates of authentication mechanisms and continuous host configuration adjustments.

17 Recognize/Respond to Adversaries
› Detection: promptly recognize that an attack is occurring and diagnose its characteristics. Detect unauthorized access to data, networks, and computers; detect unauthorized changes; recognize suspicious overuse of resources.
› Response: restore the attacked computers and networks to a secure state. Analyze the incident; disseminate information; contain the damage; recover from the incident.

18 Security Controls
› Challenge: security strategies can be expensive if risks are not carefully assessed.
› Key steps: prioritize risks by identifying high-priority risks linked to critical assets; apply relevant strategies by matching strategies to specific risks for efficiency.
› Tools: use tools like spider diagrams to map strategies against risks.
› Benefits of planning: avoid redundant controls; focus resources where they are most needed; reduce unnecessary costs.
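An added example (not from the slides) of the spider-diagram idea: a small Python script that maps controls to the five strategies and to the security goals they protect, then reports per-goal depth, the uncovered (goal, strategy) cells, and the passive/active balance. The goals, the controls and the passive/active labelling of strategies are assumptions made for the example.

```python
# Added example (not from the lecture slides): a text version of the
# strategies-vs-risks spider diagram. Goals and controls are constructed data.
from collections import defaultdict

STRATEGIES = ["Deceive", "Frustrate", "Resist", "Recognize", "Recover"]
# The slides describe deception as mostly passive and resistance as needing
# active management; the labelling of the other strategies is our assumption.
PASSIVE = {"Deceive", "Frustrate"}

# Constructed goals, named after the slides' layered example.
GOALS = [
    "Confidentiality: HR database",
    "Integrity: accounts receivable",
    "Availability: accounts receivable",
    "Authenticity: email",
]

# Constructed controls: (name, strategy it implements, goals it covers).
CONTROLS = [
    ("Fake HR file server (honeypot)", "Deceive",
     {"Confidentiality: HR database"}),
    ("Perimeter firewall", "Frustrate",
     {"Confidentiality: HR database", "Availability: accounts receivable"}),
    ("Hardware tokens for AR users", "Resist",
     {"Integrity: accounts receivable"}),
    ("Patch management", "Resist",
     {"Confidentiality: HR database", "Integrity: accounts receivable"}),
    ("Network monitoring", "Recognize",
     {"Confidentiality: HR database", "Integrity: accounts receivable",
      "Availability: accounts receivable"}),
    ("Offline AR backups", "Recover",
     {"Integrity: accounts receivable", "Availability: accounts receivable"}),
    ("DKIM/DMARC signing", "Resist", {"Authenticity: email"}),
]


def coverage_matrix(controls=CONTROLS, goals=GOALS) -> dict:
    """Count controls per (goal, strategy) cell: one spoke of the diagram each."""
    matrix = {g: {s: 0 for s in STRATEGIES} for g in goals}
    for _name, strategy, covered in controls:
        if strategy not in STRATEGIES:
            raise ValueError(f"unknown strategy {strategy!r}")
        for g in covered:
            if g in matrix:
                matrix[g][strategy] += 1
    return matrix


def depth(matrix: dict) -> dict:
    """Layers of defense per goal: how many strategies have at least one control."""
    return {g: sum(1 for s in STRATEGIES if cells[s] > 0)
            for g, cells in matrix.items()}


def gaps(matrix: dict) -> list:
    """(goal, strategy) pairs with no control at all: the holes in the web."""
    return [(g, s) for g, cells in matrix.items()
            for s in STRATEGIES if cells[s] == 0]


def passive_active_balance(controls=CONTROLS) -> dict:
    """Controls needing little ongoing effort versus those needing active management."""
    counts = defaultdict(int)
    for _name, strategy, _covered in controls:
        counts["passive" if strategy in PASSIVE else "active"] += 1
    return dict(counts)


if __name__ == "__main__":
    m = coverage_matrix()
    for goal, layers in depth(m).items():
        print(f"{goal}: {layers}/{len(STRATEGIES)} strategies covered")
    for goal, strategy in gaps(m):
        print(f"gap: no {strategy} control for {goal}")
    print(passive_active_balance())
```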
19 Layered Defenses
(Figure: spider diagram with eight goals, Goal 1 to Goal 8, on the axes and the five strategies Deceive, Frustrate, Resist, Recognize, Recover plotted against them. Source: Shawn Butler, Security Attribute Evaluation Method)
This charting gives an overview of network defenses, highlighting:
› The depth of layered controls for specific risks.
› Existing gaps in defenses.
› The balance between passive and active strategies.
› Key considerations for security planning.

20 Layered Example
(Figure: layered-defense diagram. Security goals on the axes: Authenticity of accounts receivable, Integrity of accounts receivable, Availability of accounts receivable, Authenticity of email, Confidentiality of the HR database, Confidentiality of new products, Integrity of marketing, Availability of marketing. Control layers plotted: Virtual services, Network filters, Signatures, File Protections, Network Monitoring.)

21 Hacking
› Casing the establishment: footprinting, scanning, enumeration
› Endpoint and server hacking: vulnerability analysis, system hacking, hacking web applications

22 What is Footprinting?
› Definition: a systematic approach to gathering information about an organization to create a detailed profile of its security posture.
› Purpose: identify critical details about the organization’s Internet (publicly available information), Intranet (internal networks), Remote Access (VPNs, RDP, etc.), and Extranet (partner systems).
› Key elements: requires a mix of tools, techniques, and patience to collect accurate data.
Discussion question: Why might a hacker start with footprinting before launching an attack?

23 Footprinting: Steps
› The systematic and methodical footprinting of an organization enables attackers to create a near-complete profile of an organization’s security posture.
› Step 1: Determine the scope of your activity
› Step 2: Get proper authorization
› Step 3: Publicly available information
› Step 4: WHOIS and DNS enumeration
› Step 5: DNS interrogation
› Step 6: Network reconnaissance

25 Scanning
› Purpose: identify systems that are listening for inbound network traffic (alive) and reachable using specific tools and techniques.
› Key techniques:
▪ Active scanning: directly interacts with systems to identify open ports and services; may attempt to bypass firewalls or filtering rules.
▪ Passive scanning: collects information without directly interacting with the target system; helps maintain anonymity.
› Goal: use scanning methods to gain a better understanding of potential entry points into a network.
If footprinting is the equivalent of casing a place for information, then scanning is equivalent to inspecting the walls for doors and windows as potential entry points.

26 IPv4 …. IPv6
IPv6: the future of network addressing.
› IPv4: limited to 4.2 billion addresses.
› IPv6: offers 340 undecillion (2^128) addresses, practically limitless.
› Impact on network scanning:
▪ IPv4 compatibility: scanning techniques still work for now, as most networks use both IPv4 and IPv6.
▪ IPv6 networks: traditional scanning methods will become less effective due to the vast address space.
▪ Future challenges: new techniques for enumerating IPv6 will emerge as adoption grows.

27 Scanning: Determine If the System Is Alive
› Goal: identify if a host is allocated to a specific IP and whether it is online.
› Ping sweep: send traffic to target IPs and analyze responses to check for live hosts.
› Methods: ICMP (traditional "ping"), ARP, TCP/UDP.
Although we may have a list of ranges and some suspected servers, we don’t actually know if there is a host allocated for a specific IP and if that host is actually powered up and online.

28 Enumeration
› Definition: probing identified services for known weaknesses.
› More intrusive: involves active connections and directed queries, which may be logged or detected.
› Goals of enumeration:
▪ User accounts: identifying names for password guessing.
▪ Misconfigured resources: discovering unsecured file shares or services.
▪ Outdated software: detecting older versions with known vulnerabilities.
› Dependencies: platform-specific techniques, relying on information gathered during Phase 2 (port scans and OS detection).

29 Example Cyber Attacks – Equifax
› The Equifax database system lacked restrictions on the number of allowable queries; therefore, the hackers could execute more than 9000 queries.
› The hackers were able to access a database with unencrypted usernames and passwords, and then accessed another database.
› The attackers scanned the web for vulnerable servers. They then found a vulnerability within the Equifax dispute portal servers, where all the documents containing personally identifiable information were held.
› Finally, the attackers extracted data from different databases in small increments to help avoid detection.
› The hackers used an Apache Struts vulnerability to gain access to login credentials for three servers.

30 Vulnerability Assessment
› Scan targets for known vulnerabilities (see https://cve.mitre.org/) in the operating systems and applications. Vulnerabilities could be due to misconfigurations, design flaws, implementation errors, etc.
› For malicious hackers, the identified vulnerabilities are used to perform further exploits.
› For ethical hackers, the identified vulnerabilities are used to craft a plan to secure the organization’s network and infrastructure: plan patches, install anti-malware, change configurations, and prepare a recovery plan.

31 Vulnerability Assessment
› Vulnerabilities are classified by severity level [1] (low, medium, high) or exploit range (local, remote).
▪ Misconfigurations: running unneeded services and ports.
▪ Unpatched servers: outdated software and OS.
▪ Application flaws: poor user authorization.
▪ Default installations: focus on keeping it user friendly.
▪ Design flaws: incorrect encryption, poor validation.
▪ Open services: open ports and services.
▪ Buffer overflows: insufficient bounds checking.
▪ OS flaws: unpatched.
▪ Default passwords: keeping initial setup passwords.
[1] https://www.first.org/cvss/

32 Hacking Systems
› The ultimate goal of an attacker is to hack into the target’s systems.
› Hacking a system is composed of the following steps:
▪ Gaining access: gaining access to low-privileged user accounts via brute force, social engineering, and guessing.
▪ Escalating privileges
▪ Maintaining access: backdoor, trojan.
▪ Executing applications
▪ Clearing logs: wiping out entries from the log file to avoid detection.

33 Hacking Web Applications
› Web application vulnerability scanners are tools used to find different types of vulnerabilities in web applications.
› We can identify three main components in each web application vulnerability scanner: the crawling module, the attacker module, and the analysis module.
› Open source vs. commercial
› Black-box vs. white-box scanning
› WIVET is a benchmarking project that aims to statistically analyze web link extractors.
Discussion question: What would be some benefits and challenges of using an open-source vulnerability scanner?

34 Hacking Web Applications
Source: https://owasp.org/

35 Twitter
› https://twitter.com/hakluke/status/1571868483000111106

36 Recap of Key Concepts
› Core terminology: threats, vulnerabilities, attack vectors, and security objectives (confidentiality, integrity, availability, authenticity).
› Types of cyber attacks: malware, social engineering, buffer overflows, and misconfigurations.
› Defense strategies: deceive, frustrate, resist, and detect and recover.
› Ethical hacking steps: fingerprinting, scanning, enumeration, vulnerability assessment, and hacking.

37 What is Footprinting?
› The first step of an attack, in which an attacker gathers information about a target to identify potential entry points for intrusion.
▪ Passive footprinting: gathering information without direct interaction with the target. Examples: searching public records, social media, or websites.
▪ Active footprinting: gathering information through direct interaction with the target. Examples: sending ping requests, DNS lookups (e.g., nslookup), traceroutes.
› What information is gathered?
▪ Organizational information: employees, locations, phone numbers, etc.
▪ Network information: IP addresses, domain names, DNS details, etc.
▪ System information: operating systems, servers, user accounts, etc.

38 Active Footprinting
› The information gathering activities can be detected by the target.
› The traffic flows from the hacker’s device to the target.
› VPNs and proxies may help.

39 The nslookup command
› The nslookup command is used in footprinting to gather DNS (Domain Name System) information about a target.
› This command allows ethical hackers (and attackers) to query DNS servers to obtain details about domains, such as IP addresses and server names:
▪ Resolve domain names to IP addresses
▪ Identify mail servers (MX records)
▪ Obtain authoritative name servers
▪ Zone transfers (misconfigured DNS servers)

40 Active Footprinting vs. Scanning
Discussion question: What is the difference between active footprinting and scanning?

41 Passive Footprinting
› The information gathering activities will not be detected by the target.
› It is technically difficult (no active traffic is sent) and limited (archived information).
› Some of the techniques used: search engines, social networking sites, websites and services, email, WHOIS and DNS, network, social engineering.

42 Publicly Available Information
› Company web pages
› Related organizations
› Location details
› Employee information
› Current events
› Privacy and security policies, and technical details indicating the type of security mechanism in place
› Archived information
› Search engine and data relationships
› Other information of interest

43 Company Web Pages
› Security configuration details and detailed asset inventory spreadsheets directly on their Internet web servers.
› Other sites beyond the http://www and https://www sites as well:
▪ www1, www2, web, web1, test, test1, etc.
› HTML source code for comments
› A couple of tried and true website mirroring tools are: Wget (gnu.org/software/wget/wget.html) for UNIX/Linux and Teleport Pro (tenmax.com) for Windows.

44 Footprinting through Search Engines
Publicly available information: location, foundation date, names of founders, number of employees, official website.
Example search engines: www.shodan.io, www.google.com, www.yahoo.com
Discussion question: Give an example of how any of this information can be useful.

45 Footprinting through Websites & Services
› Use websites and online services to search for people: phone numbers, addresses, contacts.
› Example websites: https://www.privateeye.com/, https://www.peoplesearchnow.com/, https://www.anywho.com/, https://www.intelius.com/, https://www.peoplefinders.com/

46 Footprinting through Websites & Services
› Gather information from financial websites: https://www.google.com/finance/, https://finance.yahoo.com/
› Gather information from job sites (company information, or information on an individual via posting a fake job posting): https://www.linkedin.com/, https://www.monster.com/, https://www.indeed.com/, https://www.careerbuilder.com/
› Monitoring a target using alerts, e.g. Google, LinkedIn, and Yahoo.
› Gathering information from groups, forums, and blogs.

47 Footprinting using Advanced Google Hacking Techniques
› For Google Advanced Search, go to: https://www.google.com/advanced_search
Source: https://www.makeuseof.com/tag/best-google-search-tips-pdf/

48 Google Hacking Database (GHDB)
› A combination of computer hacking techniques to find potential weak points in a target’s network and systems.
› The database contains numerous Google search queries.
› To access this database go to: https://www.exploit-db.com/google-hacking-database
› GHDB is useful in identifying sensitive directories, vulnerable files, and unguarded login pages.
49 Google Hacking Database (GHDB)
Example queries:
intitle:"index of" admin
filetype:pdf inurl:"password"
inurl:admin login

50 Footprinting using Social Networking Sites
› Use any of the social sites to gather information about an employee:
▪ Personal information: birthdate, relatives, photos.
▪ Work related: coworkers, office location, nature of business, platforms, technology.
› Footprinting through social engineering on social network sites: the information can be used to create fake accounts to join and connect with other people to gather more information.
Discussion question: How can having detailed information about an organization, particularly its employees, be useful?

51 Footprinting Websites
› Gathering information about the target’s main website such as: operating system, database, programming or scripting language, directories.
› This information is typically gathered through:
▪ Online services like Netcraft.com and Shodan.io, to gather publicly available data without direct interaction with the target.
▪ Tools like Website Informer, to gather domain details, hosting information, and traffic data.

52 Footprinting Websites
› Gather sensitive information from websites such as email addresses, phone numbers, user names, etc. using web spiders or crawlers.
› Spiders: programs that perform systematic and automated browsing on the web. Example: Web Data Extractor, http://www.webextractor.com/wde.htm
› Download the entire website locally to search it offline. Website mirroring tools: GNU Wget, Teleport Pro, WinHTTrack Website Copier.

53 Footprinting Websites
› Archived website versions: access archived versions of websites using services like the Wayback Machine. Analyze details like MIME-type count, TLD/host/domain information, the sitemap of the website, and the dates of archived content to gather insights into historical website configurations and structure.
› Monitoring website updates: use tools to track changes to websites over time, such as the Website-Watcher application and the Watch That Page service, to monitor updates and modifications to the target website.

54 Monitoring Website Traffic
› Information gathered:
▪ Ranking: the website’s position relative to others in terms of traffic and popularity.
▪ Geographical view: insights into where the site’s visitors are located, potentially revealing key regions or markets of interest.
▪ Daily pages viewed: how much traffic the site gets, which can indicate its popularity and the size of its user base.
▪ Daily time on site: measures user engagement. Higher time on site may suggest that users are interacting with sensitive content or performing tasks that could be targeted.
› Monitoring services and tools: https://www.dotcom-monitor.com/, https://www.web-stat.com, https://www.contentpowered.com/blog/alexa-com-dead-alternatives/
Discussion question: Which attack can be orchestrated based on this?

55 Footprinting Email
› Purpose: email header tracing helps identify the path an email took from the sender to the recipient.
› Inbound email footprinting: the attacker gathers data from emails sent to them, analyzing headers, routing paths, and metadata to reveal information about the target's network, security, or location: the sender’s IP address, the sender’s mail server, time and date information, and authentication system information of the sender’s mail server.
› Outbound email footprinting: the attacker sends emails (using social engineering) to trigger a response from the target, gathering more information through the reply, attachments, or email headers (phishing).
› Tools: Polite Mail, Email Tracker Pro, Email Lookup, Yesware, Who Read Me, Contact Monkey

56 WHOIS Footprinting
› WHOIS is a service that allows you to obtain detailed information about a domain or IP address.
› Some of the information available through WHOIS includes: IP address, IP location, registrant country, registrant organization, domain name servers (DNS), domain status (the current registration status of the domain, e.g., active, expired, etc.), and WHOIS history (historical information about the domain, such as previous owners or changes).
› Websites: WHOIS.com, whois.icann.org

57 DNS Footprinting
› DNS footprinting involves gathering information about a target's network using DNS records and related resources:
▪ To expand knowledge of the target's hostnames and subdomains.
▪ To understand the scope and structure of the target's network.
▪ To identify technical contacts for further exploitation.
› Approaches:
▪ Passive DNS footprinting: gather information without directly interacting with the target. Use sources like domain registrars, Internet registries, specialized search engines, and other web-based resources.
▪ Active DNS footprinting: interact directly with the target's DNS system (e.g., queries to DNS servers).

58 DNS Footprinting
› Regional Internet Registries: APNIC (for Asia), ARIN (for America), RIPE NCC (for Europe), LACNIC (for Latin America), and AFRINIC (for Africa).
› Key uses: discover which organization owns a specific range of IP addresses; identify technical and administrative contacts associated with the IP range.
› Example – ARIN Advanced Search: search for details on Point of Contact (POC), Networks (IP ranges), Autonomous System Numbers (ASNs), Organizations or Customer Names.

60 DNS Footprinting
› Useful tools include:
▪ whois: queries domain registration details.
▪ dig: performs DNS lookups to retrieve detailed DNS records.
▪ nslookup: resolves domain names to IP addresses.
› Example scenario: use nslookup to get the IP address of a company's server, then query the IP address in an RIR database and possibly discover that it belongs to another company.
$ dig comptia.org mx → comptia-org.mail.protection.outlook.com
This reveals the use of a cloud-based email provider (e.g., Microsoft's Outlook infrastructure).

61 DNS Footprinting
› Recall from the previous slide: $ dig [HOSTNAME] mx

62 DNS Footprinting
› Recon-ng: a powerful reconnaissance framework written in Python.
▪ Features: open-source and included in Kali Linux. Automates the collection of domain-related information, such as DNS records, IP addresses, and more.
▪ Usage: execute from the command line with `$ recon-ng`; type `help` at the framework prompt to list the available commands.
› TheHarvester: a Python-based tool for DNS reconnaissance.
▪ Features: available in Kali Linux. Supports both passive (e.g., search engines, social media) and active DNS queries.
▪ Usage: simple command-line interface with customizable options for different query methods.

63 Network Fingerprinting
› Objective: to map the targeted network and gather detailed information, including:
▪ Network address ranges: identify IP ranges in use.
▪ Hostnames: determine the names of devices and systems within the network.
▪ Exposed hosts: detect publicly accessible systems.
▪ Operating system and application version information: understand system types and software versions.
▪ Patch state: identify vulnerabilities in hosts and applications.
▪ Application structure: analyze backend servers and application architecture.
› Common tools: whois, ping, nslookup, tracert

64 Network Fingerprinting
› Purpose of traceroute: reveals the path packets take from the source to the destination, hop by hop, and provides latency information for each hop, helping identify delays or bottlenecks.
› How it helps:
▪ Maps the network: uncovers the path and structure of the network.
▪ Identifies gateways: determines the entry and exit points of traffic.
▪ Reveals device interfaces: by targeting specific IP addresses (e.g., `tracert IP1 → IP2`), different interfaces of the same device can be identified.
› Traceroute tools: Path Analyzer Pro, 3D Traceroute (provides a visual representation of network paths).

65 Footprinting via Social Engineering
› Obtaining information from users is easier than fetching it from systems.
› Social engineering techniques: eavesdropping, shoulder surfing, dumpster diving, impersonation.
› Social engineering can be effective in collecting: credit card information, usernames and passwords, network information, IP address and name server information.

66 Maltego
› Overview: Maltego is interactive data mining software that helps users analyze and visualize relationships using publicly accessible data.
▪ Views: List View displays a table of entities for detailed analysis; Graph View visualizes relationships by plotting entities (nodes) on a graph.
▪ Entities: icons representing data types such as domain names, websites, files, or IP addresses.
▪ Transforms: a transform is a piece of code that queries a data source to discover relationships using public data. Transforms identify connections between entities and return results that are automatically plotted in Maltego.
▪ Use case: ideal for conducting online investigations by connecting diverse data points like DNS records, social media profiles, or email addresses.

67 Maltego
› Chaining transforms: Maltego allows chaining multiple transforms together to automate complex information-gathering tasks.
› Account setup: create an account and register for a Maltego license. A free Community Edition is available for basic use.
› Targeted information gathering: identify information about target organizations, including websites, network addresses or ranges, domain names, and names of employees.
› Supports investigations by integrating diverse data points into actionable insights. Many blogs and online resources provide guidance on using Maltego effectively for uncovering target-related information.
68 Maltego – Use Cases
› Exploring digital profiles: identify emails and social media profiles linked to a name or domain. Resources: Beginner's Guide: Examining Your Digital Profile; Conducting Person-of-Interest Investigations.
› Data breaches and password leaks: search for exposed data dumps and leaked passwords to generate targeted wordlists. Transform resource: Have I Been Pwned integration.
› Endless possibilities for passive recon: Maltego provides numerous tools and integrations to gather data discreetly, offering powerful insights for OSINT investigations.

69 Windows Command Line Utilities
› Step 1: run ping www.amazon.nl
▪ Is the host alive or not?
▪ IP address, round trip time, TTL value
▪ Packet loss statistics
▪ Identifies hosting providers, such as a cloud service or internal servers.

70 Windows Command Line Utilities
› Step 2: run ping amazon.nl -f -l 1500. It means 1500 bits need to be fragmented.
› Step 2: run ping amazon.nl -f -l 1450. It means 1450 need not be fragmented.
Detecting firewall or intrusion detection system (IDS) behavior | identifying OS and network device characteristics.

71
› Step 3: run tracert amazon.nl to trace the target.
▪ Maps the network path and topology.
▪ Identifies critical devices, potential security mechanisms (e.g., firewalls), and infrastructure providers.
▪ Provides latency patterns that can reveal network congestion or geographic distances.

72 FQDN (Fully Qualified Domain Name)
› www1, www2, www3 | .com .net .org .nl
› During the footprinting step, different values will be tried out for the subdomain/hostname and TLD.

73 Footprinting Countermeasures
› Limit publicly available information:
▪ Avoid revealing sensitive details in public documents (e.g., annual reports, press releases).
▪ Evaluate and classify the type of information that is publicly disseminated.
▪ Configure search engines to prevent caching of sensitive web pages.
› Restrict employee behavior:
▪ Restrict employees from accessing social media sites from the corporate network.
▪ Educate employees on the risks of footprinting and social engineering.
▪ Use aliases or generic identifiers that do not map back to your organization.

Footprinting Countermeasures (continued)
› Secure network and systems:
▪ Configure devices and servers to minimize information leakage (e.g., disable unnecessary headers or verbose error messages).
▪ Ensure that information in the WHOIS database is accurate and minimal.
▪ Consider using toll-free numbers to avoid direct dial-in attacks or social engineering.
› Leverage best practices and resources:
▪ Refer to The Site Security Handbook (RFC 2196) for policy-related guidance.
▪ Conduct regular audits to identify and mitigate information exposure.

What is Scanning?
› Scanning is the second phase in the ethical hacking lifecycle, following footprinting. It involves actively probing a target network to gather detailed information about:
▪ Live systems.
▪ Open ports and running services.
▪ Operating systems and system architecture.
▪ Security devices and countermeasures.
› Scanning bridges the gap between reconnaissance and actual exploitation by identifying entry points.

Ethical Considerations in Scanning
› Always obtain explicit permission before scanning any system.
› Be aware of the risks, including:
▪ Triggering alarms on security systems.
▪ Causing unintended downtime or disruption.
› Document findings responsibly and suggest actionable countermeasures.
› Practice on real systems legally, for example through a responsible disclosure process.

Overview of Scanning Techniques
› Scanning involves various methods to gather detailed information about a network:
▪ TCP scanning: reliable; detects live hosts and open ports through full or partial handshakes.
▪ UDP scanning: identifies open ports without a handshake. Useful for discovering services like DNS, SNMP, and DHCP, but slower and less certain because an open UDP port usually does not answer.
▪ ICMP scanning: used for live host detection and determining network reachability.
▪ Advanced techniques: stealth scans to evade detection; banner grabbing for service identification.

Network Scanning: Overview
› Two main transport protocols are carried in Internet Protocol (IP) traffic:
▪ Transmission Control Protocol (TCP): connection oriented. Adds reliability, flow control, and error recovery on top of IP packets.
▪ User Datagram Protocol (UDP): connectionless. UDP headers contain fewer bytes, so there is less network overhead.
› Servers usually provide some sort of network functionality; because of that, at least one open port is normally available for clients to connect to. An attacker can leverage that to identify whether or not a host is alive using TCP and/or UDP packets.
› Given these basic definitions of TCP and UDP, which is more useful to us?

Internet Protocols
› Information on the Internet is transmitted in segments, often referred to as packets, but generically termed datagrams.
› The datagrams sent over the Internet have a specific structure:
▪ IP header: addresses, routing information, reassembly data, and the encapsulated protocol.
▪ Protocol header: more detailed information for interpreting the data (occasionally there is more than one).
▪ Data: content provided for the application (often empty if the packet is involved only with the protocol rather than the application).

Internet Protocol (IP) Format
› IPv4 header fields: Version | Header Length | Service Type | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source IP Address | Destination IP Address | Options (optional routing information)
› TCP and IP are two of the network standards that define the Internet. IP defines how computers can get data to each other over a routed, interconnected set of networks. TCP defines how applications can create reliable channels of communication across such a network.
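To make the IPv4 header fields above (and the TCP header fields introduced in the next slides) concrete, here is an added example in Python that is not part of the lecture material: it decodes a constructed 40-byte SYN probe, verifies the IPv4 header checksum, names the TCP flags that are set, and checks whether a datagram of a given size would need fragmentation, which is what the ping -f -l experiment relies on. The addresses, ports, IPID and sequence number are made up.

```python
"""Decode raw IPv4 and TCP headers from a captured or constructed packet.

Added example, not from the lecture slides: walks the header fields listed
on the IP and TCP slides, verifies the IPv4 header checksum, and reports
whether a datagram of a given size must be fragmented to cross a link.
The packet bytes, addresses and ports are constructed inline.
"""
import socket
import struct

TCP_FLAG_BITS = (
    (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
    (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
)


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data: bytes) -> dict:
    """Return the IPv4 header fields; 'checksum_ok' is True if it verifies."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = data[:ihl]
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]   # checksum field set to 0
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),           # More Fragments flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,                         # 6 = TCP, 17 = UDP, 1 = ICMP
        "checksum_ok": ip_checksum(zeroed) == csum,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": data[ihl:total_len],
    }


def parse_tcp(data: bytes) -> dict:
    """Return the TCP header fields with the set flags as names."""
    sport, dport, seq, ack, off_flags, window, csum, urg = \
        struct.unpack("!HHIIHHHH", data[:20])
    names = [n for bit, n in TCP_FLAG_BITS if off_flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": names,
            "window": window, "checksum": csum, "urgent_pointer": urg}


def needs_fragmentation(total_length: int, mtu: int = 1500) -> bool:
    """True if an IPv4 datagram of this size cannot cross a link with this MTU.
    With DF set (ping -f) such a datagram is dropped and the sender sees
    ICMP type 3 code 4, 'fragmentation needed', instead of a reply."""
    return total_length > mtu


def build_sample_syn() -> bytes:
    """Construct a 40-byte SYN probe 10.0.0.5:40000 -> 10.0.0.9:80 with DF set."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, 0,
                      (5 << 12) | 0x02, 64240, 0, 0)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp),
                             0xD7C9, 0x4000, 64, 6, 0,
                             socket.inet_aton("10.0.0.5"),
                             socket.inet_aton("10.0.0.9"))
    csum = ip_checksum(ip_no_csum)
    return ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:] + tcp


if __name__ == "__main__":
    pkt = build_sample_syn()
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["payload"])
    print(ip["src"], "->", ip["dst"], "ttl", ip["ttl"], "DF", ip["df"],
          "checksum ok", ip["checksum_ok"])
    print("TCP", tcp["src_port"], "->", tcp["dst_port"], "flags", tcp["flags"])
    # ping -l 1500 -f: 1500 payload + 8 ICMP + 20 IP = 1528 bytes > 1500 MTU
    print("1500-byte ping payload fits Ethernet MTU:", not needs_fragmentation(1528))
```

The same parser can be pointed at bytes read from a raw socket or a pcap; the checksum verification is what lets you reject damaged or forged headers before trusting the TTL and flag values that fingerprinting and ACK-probe scans rely on.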
Encapsulated Protocols
› Different encapsulated protocols format the information following the IP header differently:
▪ Transmission Control Protocol (TCP) fields
▪ User Datagram Protocol (UDP) fields
▪ Internet Control Message Protocol (ICMP) fields
▪ Authentication Header (AH) and Encapsulating Security Payload (ESP) fields

AH/ESP Fields
▪ AH is used for data integrity and authentication of the packet's origin.
▪ AH is typically used when only authentication and integrity are needed without encrypting the data.
▪ ESP encrypts the packet's data for confidentiality, meaning the contents are hidden from unauthorized parties.
▪ Both are used for virtual private networks (VPNs) and encrypted communication (IPsec).
▪ AH header fields: Next Protocol (encapsulated) | Security Parameters Index | Checksum (integrity check value)
▪ ESP data format: Security Parameters Index | Sequence Number | Payload | Next Protocol | Checksum (integrity check value)

Transmission Control Protocol (TCP) Fields
› The most common encapsulated protocol is TCP.
› A three-way handshake (SYN, SYN+ACK, ACK) takes place when establishing a TCP connection between hosts.
› TCP header fields: Source Port | Destination Port | Sequence Number | Acknowledgement Number | Data Offset (header length) | Flags (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN) | Window | Checksum | Urgent Pointer

Transmission Control Protocol (TCP)
› Three-way handshake for connection establishment:
▪ SYN: client → server, "Let's start communication."
▪ SYN-ACK: server → client, "Acknowledged, I'm ready."
▪ ACK: client → server, "Confirmed, let's begin."
› Four-way handshake for connection termination:
▪ FIN: "I'm done sending data."
▪ ACK: "Acknowledged."
▪ FIN: "I'm also done."
▪ ACK: "Connection closed."

Colasoft Packet Builder
› Colasoft Packet Builder enables creating custom network packets.
› Used to check network protection against attacks and intruders.
› It offers import and export options for a set of packet types: ARP packet, IP packet, TCP packet, UDP packet.
› You can also create a new packet by clicking the Add button.

Scanning Methodology
1.
Host discovery: checking for live systems
2. Port scanning: discovering open ports
3. Scanning techniques
4. Scanning beyond IDS
5. Banner grabbing / OS fingerprinting
6. Network diagram
7. Proxies

1. Checking for Live Systems
› Finding live hosts in a network is commonly done with ICMP packets.
› The target answers ICMP Echo Request packets with an ICMP Echo Reply.
› This response verifies that the host is live.
› If the host is not live (or ICMP is filtered on the path), no reply comes back and the request times out, so a missing answer does not prove the host is down.

ICMP Fields
› The Internet Control Message Protocol (ICMP) was created to report whether a system on a network is alive and reachable and to signal errors in IP delivery.
› ICMP provides a variety of message types to help diagnose the status of a host and its network path:
▪ Deal with routing, availability, and service irregularities
▪ Inquire for needed information
▪ Lightweight request/reply methods
▪ Security issues: flooding, information leaks

ICMP Message Types
Type | Description
0 | Echo Reply
3 | Destination Unreachable
4 | Source Quench
5 | Redirect
8 | Echo Request
11 | Time Exceeded
12 | Parameter Problem
13 | Timestamp
14 | Timestamp Reply
15 | Information Request
16 | Information Reply
17 | Address Mask Request
18 | Address Mask Reply
› The term "ping" traditionally refers to the process of sending ICMP ECHO REQUEST packets to a target system in an attempt to elicit an ICMP ECHO REPLY, which indicates the target system is alive.
› ICMP TIMESTAMP can be used to identify the system time of the target.
› ICMP ADDRESS MASK can be used to identify its local subnet mask.

ICMP Scanning
› Ping scanning: useful not only for identifying live hosts, but also for determining whether ICMP packets pass through firewalls, and for observing TTL values. Tool: Zenmap: https://nmap.org/zenmap/
› Ping sweep: determines live hosts on a large scale (a range of IP addresses). Tool: Angry IP Scanner: https://angryip.org/

2.
Check for Open Ports

Simple Service Discovery Protocol (SSDP) Overview
› Purpose: SSDP is used to discover services and devices on a network without requiring server-based configuration such as DHCP, DNS, or static network configuration. Works with both IPv4 and IPv6 networks.
› No server configuration: unlike protocols such as DHCP and DNS, SSDP operates without relying on centralized servers for device discovery.
› The auxiliary/scanner/upnp/ssdp_msearch module in Metasploit scans for SSDP-enabled devices to identify open ports and potentially vulnerable devices (e.g., those using
› The SSDP protocol has been exploited in DDoS attacks, notably in incidents like the 2018 100 Gbps DDoS attack, which leveraged the protocol's amplification potential. Misconfigured SSDP devices can be used to launch large-scale attacks.

Nmap (Kali)
› Another way to ping a host is by performing a ping using Nmap. Nmap also provides:
a. Host, port, and service discovery
b. Operating system version information
c. Hardware (MAC) address information
d. Service version detection
› Alive? MAC? nmap -sP -v [IP address] → reports whether the host is up and, when scanning from the same LAN, its MAC address (-sP is the older spelling of -sn, ping scan only)
› Quick scan: nmap -sP -PE -PA[port numbers] [start IP-end IP] (ICMP echo plus TCP ACK probes to the listed ports)
› OS details: nmap -O [IP address]
› What assumption are we making about the location of the scan?

Hping2 & Hping3 (Kali)
› hping is a command-line TCP/IP packet assembler and analyzer used to send customized TCP/IP packets.
› It can also handle fragmentation, arbitrary packet bodies and sizes, and file transfer.
› It supports TCP, UDP, ICMP and RAW-IP protocols.
› hping features:
▪ Test firewall rules
▪ Advanced port scanning
▪ Testing network performance
▪ Traceroute-like behavior under different protocols
▪ Remote OS fingerprinting
▪ and others
› Example: hping3 -A [IP address] (sends TCP ACK probes to the target)

3. Scanning Techniques
I. TCP scanning
  I. Open TCP scanning
    I. Full open scan
  II. Stealthy TCP scanning
    I. Half open scan
    II. Inverse TCP flag scan (I. Xmas scan, II. FIN scan, III. NULL scan)
    III. ACK flag probe scan
  III.
Third-party and spoofed scanning
    I. IDLE/IP ID header scan
II. UDP scanning
  I. UDP scanning

Full Open Scan
› Scanning technique in which the three-way handshake is completed in full.
› It confirms that the targeted host is live and that the connection is complete.
› It can be detected and logged by security devices such as firewalls and IDS.
› Exchange: SYN → SYN+ACK → ACK (port open); SYN → RST (port closed).
› nmap -sT [IP address or range]

Stealthy Scan (Half-open Scan)
› In the third step, instead of completing the handshake with an ACK packet, the attacker responds with RST.
› In the case of closed ports, the interaction is the same as in the full open scan (SYN → RST).
› Exchange: attacker SYN → target SYN+ACK → attacker RST (port open).
› nmap -sS [IP address or range]

Inverse TCP Flag Scanning
› Xmas scan: sends a packet with URG, PSH, and FIN set. No response → port open (or filtered); RST → port closed. nmap -sX -v [IP address or range]
› FIN scan: sends a packet with only the FIN flag set. No response → port open (or filtered); RST → port closed. nmap -sF [IP address or range]
› NULL scan: sends a packet with no flags set. No response → port open (or filtered); RST → port closed. nmap -sN [IP address or range]
› These scans depend on RFC 793 behavior; Windows and several other stacks answer RST on every port, so they cannot distinguish open from closed there.
› Which of these three scans is comparatively easier to detect?

ACK Flag Probe Scanning
› Sends a TCP packet with the ACK flag set towards a target. nmap -sA [IP address or range]
› The target replies with an RST packet regardless of whether the port is open or closed.
› The attacker can still inspect the header of the RST packet, in particular the TTL and WINDOW fields, to infer whether the port is open or closed (this trick works only on a minority of systems).
› It also helps in identifying the filtering system:
▪ If RST is received → the port is not filtered.
▪ No response → a stateful firewall is present.
› How can TTL/WINDOW determine the status of a port?

IDLE/IPID Header Scan
› A unique, effective and low-profile technique to identify port status.
› The packets are not sent from the attacker's system; the scanning is done by bouncing packets off a "zombie" system.
› Every IP packet carries a fragment Identification Number (IPID); many operating systems increment the IPID by one for each packet they send.
› Thus, probing the IPID tells an attacker how many packets the host has sent since the last probe.
› A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.

IDLE/IPID Header Scan: port is open
1. Attacker → Zombie: SYN+ACK probe.
2. Zombie → Attacker: RST (IPID = 55234).
3. Attacker → Target: SYN, spoofing the zombie's IP as the source.
4. Target → Zombie: SYN+ACK (the port is open).
5. Zombie → Target: RST (IPID = 55235), because the SYN+ACK was unsolicited.
6. Attacker → Zombie: SYN+ACK probe.
7. Zombie → Attacker: RST (IPID = 55236). The IPID advanced by two, so the port is open.

IDLE/IPID Header Scan: port is closed
1. Attacker → Zombie: SYN+ACK probe.
2. Zombie → Attacker: RST (IPID = 55234).
3. Attacker → Target: SYN, spoofing the zombie's IP as the source.
4. Target → Zombie: RST (the port is closed).
5. Zombie ignores the unsolicited RST and sends nothing.
6. Attacker → Zombie: SYN+ACK probe.
7. Zombie → Attacker: RST (IPID = 55235). The IPID advanced by only one, so the port is closed.
› What assumption is the attacker making in this approach?

IDLE/IPID Header Scan
› Self study! How can we do this scan using Nmap? How would you detect an idle scan as a defender?

UDP Scanning
› Unreliable and lightweight communication.
› Connectionless: no initial or final handshakes, no flags.
› No response if the targeted port is open (or the probe is filtered), so results are slower and less certain than for TCP scans.
› If the port is closed, an ICMP "Port unreachable" message is returned.
› Some malicious programs, such as Trojans and spyware, use UDP ports to reach the target.
› nmap -sU -v [IP address or range]
› UDP header fields: Source Port | Destination Port | Length | Checksum

4. Scanning Beyond IDS
› Ethical hackers use evasion techniques to simulate how attackers bypass IDS/IPS defenses. Common techniques include:
▪ Fragmentation: splitting packets into smaller parts to evade detection.
▪ Decoy scanning: using fake source IP addresses to obscure the real source.
▪ Timing variations: spreading scans over time to avoid triggering alerts.
▪ Proxying: routing traffic through intermediate systems to anonymize the source.
▪ Obfuscation: manipulating payloads to bypass signature-based detection.

4. Scanning Beyond IDS (continued)
› Dynamic decoys: generate decoy IPs dynamically during the scan. Tool example: Nmap (nmap -D RND:10).
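Returning to the IDLE/IPID scan: the seven-step exchange above, simulated as an added example in Python that is not from the slides or from Nmap. The attacker, zombie and target are modelled only as far as the idle-scan logic depends on them: a zombie whose OS increments the IPID by one on every packet it sends and that has no traffic of its own, a target whose open ports answer SYN with SYN/ACK and whose closed ports answer RST, and the rule that an unsolicited SYN/ACK draws a RST while an unsolicited RST is ignored. Real packets, timing and the IPID randomisation of modern kernels are out of scope; the addresses, ports and the 55233 starting IPID are made up.

```python
"""Simulate the IDLE/IPID scan so the IPID arithmetic can be checked offline.

Added example, not from the slides or from Nmap. Hosts are tiny state
machines exchanging dicts instead of packets; the IP addresses, ports and
starting IPID are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Idle host with a globally incrementing IPID and no traffic of its own."""
    ip: str
    ipid: int = 55233                   # constructed starting value
    sent: list = field(default_factory=list)

    def _send(self, pkt: dict) -> dict:
        self.ipid = (self.ipid + 1) & 0xFFFF   # OS increments IPID per packet
        pkt["ipid"] = self.ipid
        self.sent.append(pkt)
        return pkt

    def receive(self, pkt: dict):
        """Unsolicited SYN/ACK is answered with RST; unsolicited RST is ignored."""
        if pkt["flags"] == "SYN/ACK":
            return self._send({"src": self.ip, "dst": pkt["src"], "flags": "RST"})
        return None


@dataclass
class Target:
    ip: str
    open_ports: set

    def receive(self, pkt: dict) -> dict:
        """Open port: SYN/ACK; closed port: RST. The reply goes to the
        (spoofed) source address, i.e. to the zombie, never to the attacker."""
        flags = "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags,
                "sport": pkt["dport"]}


def probe_ipid(zombie: Zombie, attacker_ip: str) -> int:
    """Steps 1-2 and 6-7: SYN/ACK to the zombie, read the IPID of its RST."""
    rst = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SYN/ACK"})
    return rst["ipid"]


def idle_scan_port(attacker_ip: str, zombie: Zombie, target: Target,
                   port: int) -> str:
    """Return 'open', 'closed' or 'unreliable' for one target port."""
    before = probe_ipid(zombie, attacker_ip)                  # steps 1-2
    # Step 3: SYN to the target with the zombie's IP as the (spoofed) source
    reply = target.receive({"src": zombie.ip, "dst": target.ip,
                            "dport": port, "flags": "SYN"})
    zombie.receive(reply)                                      # steps 4-5
    after = probe_ipid(zombie, attacker_ip)                    # steps 6-7
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"        # zombie sent a RST to the target, then one to us
    if delta == 1:
        return "closed"      # target's RST was ignored; only our probe counted
    return "unreliable"      # zombie was not idle or does not increment IPID


def run_demo() -> dict:
    """Scan three constructed ports through a constructed zombie."""
    zombie = Zombie(ip="10.0.0.77")
    target = Target(ip="10.0.0.9", open_ports={22, 443})
    return {p: idle_scan_port("10.0.0.5", zombie, target, p) for p in (22, 80, 443)}


if __name__ == "__main__":
    for port, state in run_demo().items():
        print(f"port {port}: {state}")
```

The assumption the slide asks about is visible in the `delta` branches: any other packet the zombie sends between the two probes (its own traffic, or another scanner using the same zombie) pushes the difference past two and the result becomes unreliable, which is also why Nmap tests a candidate zombie's IPID behaviour before using it.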
› Packet fragmentation: split payloads into multiple smaller packets.
▪ Hping3: hping3 -f [target IP] (fragments TCP/UDP probes)
▪ Nmap: nmap -f [target IP]
› Randomized scanning: randomize the order of target hosts during the scan to reduce detection (Nmap already randomizes port order by default).
▪ nmap --randomize-hosts -p 1-65535 [target IP]

4. Scanning Beyond IDS (continued)
› Anonymization via proxies: route scans through Tor or proxy chains. Tool example: ProxyChains, proxychains nmap [target IP]. Only TCP connect scans (-sT) traverse a SOCKS proxy; raw-packet scans such as -sS bypass it and expose the real source address.
› Obfuscation of payloads: use payload encryption or encoding to bypass detection systems. Example: Metasploit encoders.
› Timing variations: nmap -T2 [target IP]; -T2 ("polite") lowers the scan speed to evade detection.

Ethical Considerations for Evasion
› Always obtain explicit permission before using evasion techniques.
› Understand the risks, such as triggering alarms unintentionally and overloading network systems.
› Document findings clearly to help improve defensive measures.

Defense Against Scanning
› The goal of defense is to detect, block, or limit scanning attempts by attackers. Common defenses against scanning:
▪ Firewalls: block unauthorized scans by filtering traffic.
▪ Intrusion Detection Systems (IDS): detect malicious scanning patterns.
▪ Intrusion Prevention Systems (IPS): actively block malicious scanning attempts.
▪ Network segmentation: limits the scope of scans to smaller network zones.
▪ Honeypots: lure attackers into traps to monitor their scanning behavior.

Firewalls as First Line of Defense
› Firewalls are designed to filter incoming and outgoing network traffic based on predefined rules.
› Types of firewalls:
▪ Packet filtering firewalls: inspect packets and block those that don't match rules.
▪ Stateful firewalls: monitor connections and ensure packets belong to valid sessions.
▪ Application firewalls: filter traffic based on specific applications (e.g., HTTP, DNS).

IDS/IPS: Detect and Block Malicious Scans
› Intrusion Detection Systems (IDS): monitor traffic for suspicious activity and generate alerts.
› Intrusion Prevention Systems (IPS): actively block malicious traffic based on detected patterns.
› IDS/IPS techniques:
▪ Signature-based detection: identifies known attack patterns or signatures (e.g., Nmap scans).
▪ Anomaly-based detection: identifies traffic that deviates from normal behavior (e.g., too many connection attempts).
› Example Snort rule to detect SYN scans:
alert tcp any any -> any 80 (msg:"SYN Scan Attempt"; flags:S; sid:1000001;)
▪ As written, this rule fires on every connection attempt to port 80, not only on scans; a usable scan signature adds a rate limit (Snort's detection_filter or threshold options) or relies on the sfPortscan preprocessor, which counts probes per source across ports.

Network Segmentation and Scanning
› Divides a network into smaller subnets, making it harder for attackers to scan and map the entire network.
› Scanning tools can only reach the segment they have access to, limiting the attacker's visibility.
› Best practices:
▪ Use VLANs to separate sensitive systems from general network traffic.
▪ Restrict access between network segments using firewalls.
▪ Example: configure VLANs to isolate databases and workstations from public-facing systems.

Honeypots and Honeytokens
› Honeypots are decoy systems designed to attract and trap attackers.
› Honeytokens are fake data or resources placed within real systems to deceive attackers.
› How honeypots help:
▪ Divert attackers' attention from real targets.
▪ Collect valuable information about attack methods.
▪ Can be used to detect scanning activity in real time.
› Example: deploying a honeypot: set up Dionaea or Honeyd to simulate vulnerable services (e.g., HTTP, SMB).
› Honeytokens: place fake database entries or documents that alert when accessed by unauthorized users.

Emerging Topics in Scanning and Defense
› Automated scanning and vulnerability assessment with AI: DeepScan, Cortex XSOAR (self exploration!)
› Advanced evasion techniques: protocol tunneling, TLS/SSL encryption
› Living off the Land (LotL) techniques
› Cloud infrastructure scanning challenges
› Scanning in IoT networks challenges
› Threat hunting and active scanning: Zeek

5.
OS Fingerprinting & Banner Grabbing
› Identifying the operating system running on a target machine and possibly the running services.
▪ Active fingerprinting: send TCP/UDP packets and inspect the responses. nmap -O -v [IP address]
▪ Passive fingerprinting: capture traffic coming out of the target (e.g., with Wireshark) and analyze parameters such as initial TTL, window size, and TCP options to guess the OS.
› Banner grabbing tools: Maltego, Telnet, Netcat

6. Drawing Network Diagrams
› Objective: map the network architecture to identify paths to targets.
▪ Security zones, devices, and routing paths.
▪ Host count and placement.
› Tools for network mapping:
▪ Nmap (and Zenmap) → generates host and path data. Example command: nmap -sn --traceroute [IP range]
▪ OpManager → live network topology generation.
▪ Draw.io or Lucidchart → manual diagram creation.
› Traffic visibility: mapping tools generate traffic, which can alert defenders.
› Ethical note: only use these techniques on authorized networks.

7. Prepare Proxies
› What is a proxy? A proxy is an intermediary that routes traffic between the attacker and the target. It hides the attacker's IP from the target, making detection or blocking harder.
› Why use proxies?
▪ Hide identity: prevent the target from tracing the attacker's IP.
▪ Bypass restrictions: avoid IP blocking or geo-restrictions.
› Proxy chaining: use multiple proxies for added anonymity.
› Tools:
▪ ProxyChains: chains multiple proxies.
▪ Tor: routes traffic through a distributed network of relays.
▪ CyberGhost: VPN-based proxy for private access.
› Challenges: slower traffic (latency); detectable by advanced firewalls; the proxy operator can see the traffic.

Scanning – Key Takeaways
› Scanning overview: second phase of ethical hacking, used to probe networks. Goal: identify live systems, open ports, services, and vulnerabilities.
› Scanning steps:
▪ Host discovery: detect active systems.
▪ Port scanning: find open ports and services.
▪ Advanced techniques: bypass IDS/IPS and anonymize traffic.
› Tools & techniques:
▪ Tools: Nmap, Wireshark, ProxyChains, Tor.
▪ Techniques: stealth scans, decoy scans, and banner grabbing.
› Ethical guidelines: scan only authorized systems; avoid service disruption; report vulnerabilities responsibly.

Introduction
› Enumeration is the process of actively gathering detailed information about a target system to identify:
▪ Usernames and group memberships
▪ Network resources, shares, and services
▪ Operating systems, software versions, and vulnerabilities
› Key characteristics:
▪ Enumeration involves direct interaction with the target system.
▪ Unlike scanning, which identifies open doors, enumeration focuses on what's behind those doors.
▪ It typically targets specific protocols (e.g., NetBIOS, SNMP, DNS) and services.

What to enumerate?
› During enumeration, valuable information is gathered:
▪ Users: identify active users and groups in a system to exploit weak passwords or configuration. (`net user` (Windows), `enum4linux` (Linux))
▪ Services and ports: identify services running on open ports to discover vulnerabilities. (`netstat`, `nmap`)
▪ Shares and file systems: identify shared resources that could be used for lateral movement or data exfiltration.
 (`smbclient`, `net view`)
▪ Operating systems and version information: determine OS versions to tailor exploit methods (e.g., older versions are more likely to have known vulnerabilities). (`nmap -O`, `finger`)
▪ Group memberships: identify users with elevated privileges or special access. (`net group`, `enum4linux -G`)
▪ Network shares/resources: identify accessible network resources or files that may contain sensitive information. (`smbclient`, `net share`)

How to enumerate?
› Objective: learn the common techniques used during the enumeration phase of ethical hacking.
1. Enumeration via email IDs
2. Enumeration via default passwords
3. Enumeration via SNMP
4. Enumeration via brute force attack on Active Directory
5. Enumeration via DNS zone transfer
› Up next: we'll dive into the details of these methods and explore the tools and techniques used in each.
Enumeration Techniques
› Enumeration using email IDs: extracting information from email IDs can reveal:
▪ Usernames (e.g., the portion before @).
▪ Domain names (e.g., the portion after @).
▪ Useful for brute force attacks and phishing campaigns.
› Enumeration using default passwords: many devices and software ship with default credentials:
▪ E.g., "admin/admin" or "root/root".
▪ Often overlooked by administrators.
▪ Attackers can exploit unchanged defaults to gain unauthorized access.
› When/how did we get the email IDs?

SHODAN – Default Credentials

Brute Force Attack on Active Directory
› What is Active Directory (AD)?
▪ Centralized control for managing domain users, computers, and resources (e.g., printers).
▪ Implements role-based access control (RBAC) through groups and ACLs to restrict access to sensitive network resources.
› Why is AD a target?
▪ High-value information: usernames, passwords, roles, and permissions.
▪ A compromise can lead to escalated privileges and network-wide control.
› Brute force attack on AD: attackers use automated tools to guess valid credentials by trying numerous username-password combinations; account lockout policies limit how many guesses per account go unnoticed.
› Commonly targets:
▪ LDAP services: expose data like usernames, roles, and contact info.
▪ Kerberos tickets: ticket material encrypted with account-derived keys can be requested and cracked offline.
› Objective: harvest sensitive information such as usernames, addresses, credentials, and privilege details.

Enumeration through DNS Zone Transfer
› Risk: if the DNS server is misconfigured to allow unauthorized zone transfers, attackers can retrieve a wealth of sensitive network information.
› What is a DNS zone transfer? A process to synchronize DNS servers by copying zone files between a primary (master) DNS server and secondary (slave) DNS servers.
› What makes zone transfers valuable to attackers? Zone files contain critical data:
▪ Hostnames and IP addresses.
▪ DNS records: A (address), MX (mail exchange), CNAME (canonical name), and PTR (reverse DNS).
▪ Information about administrators (the SOA record's contact address) and network devices (from descriptive hostnames).
› How do zone transfers work?
▪ UDP 53: handles DNS queries (standard lookups).
▪ TCP 53: ensures reliable transfer of zone data between servers.

Key Services and Ports to Enumerate
› Services and corresponding ports:
▪ DNS zone transfer → TCP 53: used to transfer DNS zone files between servers. Vulnerable if misconfigured.
▪ DNS queries → UDP 53: regular DNS lookups. Can be exploited to gather information about a network.
▪ SNMP → UDP 161: enables monitoring and management of devices on the network.
▪ SNMP trap → TCP/UDP 162: receives alerts from SNMP-enabled devices.
▪ Microsoft RPC Endpoint Mapper → TCP/UDP 135: maps RPC services on a host. Often targeted to enumerate available services.
▪ LDAP → TCP/UDP 389: directory service protocol used in Active Directory environments for querying user and system information.
▪ NetBIOS → TCP 139: enables file and printer sharing in Windows environments.
▪ SMTP → TCP 25: used for email transmission. Can be abused to enumerate email addresses or for spamming.

NetBIOS Enumeration Overview
› What is NetBIOS? NetBIOS (Network Basic Input/Output System) is an API that enables communication between applications on different systems within a local area network (LAN).
› It uses a 16-byte name to identify devices and services on a network:
▪ First 15 characters: identify the device (e.g., computer or server name), padded with spaces.
▪ 16th byte: identifies the service (e.g., file sharing or printing).
› NetBIOS uses TCP port 139 for session services, which provide connection-oriented communication.
› What is the largest number of services that can be supported by NetBIOS?

NetBIOS Enumeration
› NetBIOS over TCP/IP (NBT or NetBT) uses the following TCP and UDP ports:
▪ UDP port 137 (name services): name registration and resolution.
▪ UDP port 138 (datagram services): distribution service for connectionless communication.
▪ TCP port 139 (session services): for connection-oriented communication.
› Enumeration: attackers can discover valuable information such as:
▪ A list of machines within a domain.
▪ File shares, usernames, group information, password policies, and security policies.

NetBIOS Enumeration
› Remote and local NetBIOS enumeration: NetBIOS enumeration can be done both remotely and locally. Tools like enum4linux can be used to extract information from Windows-based systems.
› NetBIOS name types:
▪ Unique: identifies a specific computer.
▪ Group: used for group identification.
▪ Domain name: the domain's name.
▪ Internet group: for Internet group membership.
▪ Multihomed: a device with multiple network interfaces.
Source: https://www.zubairalexander.com

NetBIOS Enumeration Tool
› Using nbtstat for NetBIOS information: the nbtstat command provides NetBIOS over TCP/IP (NetBT) protocol statistics and NetBIOS name tables for both local and remote computers.
› Usage: nbtstat (without parameters) displays help information.
› Available only when TCP/IP is installed on the network adapter through Network Connections.

Nbtstat
› nbtstat -n displays the NetBIOS names registered on the local machine.
› nbtstat -A [IP address] enumerates NetBIOS information from a remote host.
› In the name table, the <20> suffix indicates the file and print sharing (server) service and <00> is the workstation service name. GROUP names (e.g., WORKGROUP) represent the network group.

Enumeration Tool: SoftPerfect
› SoftPerfect Network Scanner is a versatile tool for enumerating network devices and retrieving detailed information:
▪ Ping computers to check availability.
▪ Scan open ports and identify active services.
▪ Access details via protocols like WMI, SNMP, HTTP, and PowerShell.
▪ Detect shared folders and assess potential vulnerabilities.

SNMP Enumeration – UDP 161
› Purpose: designed to provide detailed information about network devices, software, and systems.
› Security concerns: often nicknamed "Security Not My Problem" because SNMPv1 and v2c lack robust security measures.
▪ SNMPv1 and v2c rely on a simple authentication mechanism using "community strings" (effectively shared passwords sent in cleartext), many of which are widely known; SNMPv3 adds user authentication and encryption.
› Customization: vendors extend SNMP's standard Management Information Base (MIB) with proprietary implementations. These custom MIBs can reveal vendor-specific system details.
› Why this matters for ethical hacking:
▪ Weak or misconfigured SNMP setups are prime targets for enumeration.
▪ Exploiting SNMP can uncover sensitive details, such as system configurations and device roles.

SNMP Community Strings
› What is an SNMP community string? It functions as a user ID or password sent with SNMP requests and determines the level of access to the target device's data.
› Access levels:
▪ Read-only strings: allow attackers to extract data without making changes. Common for passive reconnaissance.
▪ Read-write strings: permit data extraction and configuration changes. Significantly increase the risk of unauthorized control.
› SNMP trap: a mechanism where devices send alerts (traps) to a monitoring tool (e.g., InterMapper).
› Attack vectors: default strings: many devices ship with easily guessed default community strings (e.g., "public" or "private").

SNMP: Key Components
› Management station: a central system that collects and organizes information about various network devices. Purpose: provides administrators with a consolidated view of the network's status and performance.
› Management Information Base (MIB): a virtual database that organizes information hierarchically for easy retrieval and management. Types of MIB objects:
▪ Scalar: represents a single object instance (e.g., system uptime).
▪ Tabular: represents multiple related object instances (e.g., a table of network interface details).
› SNMP manager: a software application installed on the management station. Function: displays collected data, sends requests to agents, and processes responses or alerts.
› SNMP agent: software running on nodes or devices (e.g., routers, switches, printers).
▪ Function: responds to manager queries and sends traps when significant events occur.

SNMP Tools and Countermeasures
› SNMP tools:
▪ OpUtils: a network monitoring and troubleshooting tool.
▪ SolarWinds Engineer's Toolset: comprehensive software suite for network diagnostics and monitoring.
▪ Other SNMP utilities. Linux tools: snmpget and snmpwalk (Net-SNMP) for querying SNMP agents; onesixtyone: lightweight SNMP scanner for auditing community strings. Windows tools: snmputil, IP Network Browser and SNScan for device discovery and vulnerability checks.
› Countermeasures:
▪ Disable SNMP if not required: avoid exposing unnecessary services to reduce the attack surface.
▪ Use strong community strings: replace the default "public" and "private" community strings with hard-to-guess names, and prefer SNMPv3 with authentication and privacy where the devices support it.
▪ Restrict perimeter access: implement network access control lists (ACLs) to limit SNMP traffic from external networks.
▪ Restrict agent access to specific IPs: configure SNMP agents to accept requests only from the designated management console IPs.

LDAP Enumeration, TCP/UDP 389 & 3268
› What is LDAP? Lightweight Directory Access Protocol (LDAP): an open-standard Internet protocol used for accessing and managing distributed directory information in a hierarchical, logical structure. Port 3268 is the Active Directory global catalog.
› Role of LDAP in directory services: acts as a central repository for:
▪ User information: usernames, passwords, roles.
▪ System details: configuration and services.
▪ Network information: devices and their relationships.
› Importance in enumeration: attackers can use LDAP to:
▪ Extract sensitive information such as user accounts, group memberships, and network configurations.
▪ Leverage weak or misconfigured authentication (e.g., anonymous or null binds) to gain unauthorized access.

LDAP Communication and Enumeration Tools
› LDAP communication workflow:
▪ Session initiation: the client sends an operation request to the Directory System Agent (DSA). Default port: TCP 389.
▪ Data encoding: communication between client and server uses Basic Encoding Rules (BER) for structured data transmission.
› Tools for LDAP enumeration:
▪ Active Directory Domain Services Management Pack: monitors and manages LDAP-based Active Directory environments.
▪ Active Directory Explorer: offers a graphical interface for navigating LDAP directories.
▪ JXplorer: a free, open-source LDAP browser for advanced directory exploration.

SMTP Enumeration – TCP 25
› What is SMTP? SMTP (Simple Mail Transfer Protocol) is the protocol used for communication between email servers, enabling the sending and receiving of email over port 25 (client submission typically uses port 587). It is used by most email servers for mail transfer.
› SMTP commands for enumeration:
▪ VRFY (verify): asks whether a specific user exists on the server. An attacker can use this command to check whether a username is valid.
▪ EXPN (expand): reveals the email addresses associated with aliases or mailing lists. This lets attackers learn the structure of email addresses on the server.
› Enumeration tools: NetScanTools Pro, smtp-user-enum. These tools automate the identification of valid users through the SMTP server. Find the SMTP ports first with nmap -p 25,587 [target].

SMTP Enumeration – TCP 25 (continued)
› Using Telnet for SMTP enumeration. Command: telnet 10.219.100.1 25. After connecting to the SMTP server, you can manually run the following commands:
▪ vrfy root – checks whether "root" is a valid user.
▪ expn test – expands the mailing list "test" and reveals the associated addresses.
› Automating enumeration with VRFY.pl: a script that tests a list of usernames against the SMTP server using the VRFY command to determine which users are valid.
› Countermeasures to prevent SMTP enumeration:
▪ Disable the VRFY and EXPN commands on the SMTP server to prevent attackers from enumerating users and aliases.
▪ Configuration of newer SMTP servers: ensure newer SMTP server versions disable these commands by default, to reduce the risk of user enumeration.
▪ Restrict access: only allow trusted, authorized users to execute these commands.
▪ Authentication requirements: enforce strong authentication to prevent unauthorized access to the server.

DNS Zone Transfer – TCP/UDP 53
› What is a DNS zone transfer?
▪ A process in which a DNS server transfers a copy of its zone data to another DNS server. It provides redundancy and load balancing for DNS queries, since multiple servers can respond to client requests.
› How does a DNS zone transfer work?
▪ When a DNS server (the master) sends a copy of its zone file to a secondary DNS server (the slave), it includes database records such as hostnames, IP addresses, and other information needed to resolve domain queries.
› Other DNS enumeration techniques
▪ BIND enumeration (version.bind): a common method of querying the DNS server for version information, using tools like dig on UNIX-based systems. This can reveal the DNS server software version.
▪ DNS cache snooping: forces the DNS server to answer from its cache, revealing the sites that clients have recently visited. Attackers can infer sensitive browsing activity and potentially identify vulnerable targets.

DNS Enumeration Commands
› Performing a zone transfer: dig @[SERVER] [DOMAIN] AXFR
▪ Example: dig @8.8.8.8 example.com AXFR
▪ Explanation: @8.8.8.8 tells dig to query Google’s public DNS server; example.com is the domain you are querying; AXFR is the query type that requests a full zone transfer.
› Performing BIND version enumeration: dig @[SERVER] version.bind chaos txt
▪ Example: dig @8.8.8.8 version.bind chaos txt
▪ Explanation: version.bind is the query used to retrieve the version of the DNS software; chaos is the special class used for version information in BIND; txt is the record type that returns the version as text.
› Performing DNS cache snooping: dig @[SERVER] [DOMAIN] +norecurse
▪ Example: dig @8.8.8.8 example.com +norecurse
▪ If the queried domain is cached, the response shows a NOERROR status, indicating that the server holds cached information about the domain.

(Image slide; source: https://www.lifewire.com/)

DNS Enumeration Countermeasures
› Effective strategies for protecting DNS servers
▪ Implement dual DNS servers: maintain separate internal and external DNS servers to limit exposure. External servers should handle only public queries, while internal servers handle internal network traffic.
▪ Restrict DNS zone transfers: block unauthorized zone transfers, or limit them to trusted devices only (e.g., specific IP addresses or authorized servers).
▪ Prevent BIND version disclosure: disable the version.bind query so attackers cannot retrieve version information about the DNS server, by configuring the server to block these requests.
▪ Disable DNS cache snooping: block unauthorized access to the DNS cache, which could otherwise reveal browsing history and sensitive information about visited websites.

Basic Banner Grabbing
› Banner grabbing is one of the simplest and most fundamental enumeration techniques. It involves connecting to a remote service (usually over a network) and observing the response, or "banner", that the service sends back.
› Even basic banners can reveal a lot about the remote server, including:
▪ Service version: for example, HTTP or FTP servers often disclose the version they are running.
▪ Operating system: some services leak the underlying OS type.
▪ Service configuration: configuration details can also be revealed by improperly configured services.
› Common banner grabbing tools:
▪ Telnet: C:\> telnet www.example.com 80
▪ Netcat (nc): nc -v www.example.com 80
› What to look for in a banner:
▪ Server software version (e.g., Apache, Nginx, IIS)
▪ Operating system information
▪ Protocol information
▪ Potential security vulnerabilities (e.g., open ports, unpatched software)

Enumerating Telnet, TCP 23
› Key enumeration techniques with Telnet:
▪ System enumeration via Telnet banners (telnet [IP_ADDRESS or HOSTNAME] [PORT]): connect to a Telnet service and inspect the banner. Observe the server’s greeting message for the OS version, the service type and version, and any additional system details.
▪ Account enumeration: purposefully trigger authentication errors to analyze the system’s responses. Examples: using valid usernames with incorrect passwords, or using invalid usernames. Look for differences in error messages to identify valid accounts or to understand the authentication mechanism.
› Security implications: the plaintext nature of Telnet makes it easy for attackers to
▪ Intercept credentials and other sensitive data via network sniffing.
▪ Exploit exposed Telnet services for further reconnaissance or attacks.
› What are the Telnet enumeration countermeasures?

FTP Enumeration - TCP 21
› Enumeration techniques:
▪ Google dorking (to identify public FTP directories): intitle:"index of" inurl:ftp (searches for exposed FTP directories indexed by Google).
▪ Discovering anonymous FTP sites. Reference: ftp-sites.org.
▪ Using Shodan queries:
  To find public FTP servers: port:21 "ftp"
  To locate FTP servers allowing anonymous access: port:21 "230 Login successful"
  To search within a specific organization's IP range: net:"192.168.0.0/16" port:21
› Risks:
▪ Anonymous access can reveal sensitive files or configurations.
▪ Unrestricted uploading may allow malicious files to be planted.
▪ Unencrypted FTP traffic is susceptible to interception and credential theft.
› Countermeasures:
▪ Regularly audit your public-facing FTP servers using tools like Shodan.
▪ Restrict access with firewall rules or IP whitelisting.
▪ Enforce secure alternatives like SFTP or FTPS for all file transfer needs.

TFTP Enumeration - TCP/UDP 69
› What is TFTP?
▪ A UDP-based protocol for quick, unauthenticated file transfers. Typically operates on UDP port 69.
▪ Minimal authentication requirements: only the file name is needed.
› Enumeration techniques:
▪ Copying files via a Linux TFTP server: tftp 192.168.202.34 get /etc/passwd /tmp/passwd.cracklater
  Would this work if the server runs a Windows OS?
▪ Accessing router/switch configurations: exploiting TFTP to retrieve configuration files from vulnerable devices.
› Risks:
▪ Unauthorized file access (critical configurations or sensitive files).
▪ Lack of authentication makes it a prime target for attackers.
› Countermeasures:
▪ Disable TFTP unless strictly necessary.
▪ If required: restrict access using tools like TCP Wrappers, limit operations to the /tftpboot directory, block TFTP traffic at the border firewall, and regularly audit file permissions and monitor usage.

HTTP Enumeration - TCP 80
› What is HTTP enumeration?
▪ Identifying the make and model of a web server, and sometimes the OS. This information can be exploited to target server-specific vulnerabilities.
› Manual techniques:
▪ Using Netcat (non-SSL websites): nc -v www.example.com 80, then HEAD / HTTP/1.1 (press Enter twice to get the server response).
▪ Using OpenSSL (SSL websites): openssl s_client -quiet -connect www.example.com:443 (observe the server's response headers).
› Countermeasures:
▪ Modify server banners: hide the server type and version to reduce information leakage; update configurations to present misleading or no information in banners.
▪ Use tools like URLScan: filters malicious requests before they reach the web server, and configures deceptive banners to confuse automated attacks and worms.

Rwho - UDP 513, Rusers - RPC Program 10002
› What are rwho and rusers?
▪ Rwho (remote who): displays the list of users currently logged into a remote host if the rwhod daemon is active. Example: rwho 192.168.202.34
▪ Rusers (remote users): similar to rwho but provides more detailed information, such as idle time, if the rpc.rusersd service is running. Example: rusers -l 192.168.202.34
› Key risks of rwho and rusers enumeration
▪ Can expose user activity and session details.
▪ Provides attackers with information about active users and their behavior, such as idle time.
› Countermeasures
▪ Disable rwhod and rpc.rusersd services on systems
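For the SNMP countermeasures slide above (strong community strings, agent access restricted to the management console IPs), an added example that is not part of the slides: a small Python audit of a Net-SNMP snmpd.conf. The config excerpt is constructed; the rocommunity/rwcommunity directive syntax is Net-SNMP's, the community string and address are made up.

```python
import re
from ipaddress import ip_network

# Constructed snmpd.conf excerpt. The Net-SNMP directive syntax
# ("rocommunity COMMUNITY [SOURCE]") is real; the values are made up for this
# example. Lines 2-3 show the weak defaults, line 5 the hardened form.
SAMPLE_SNMPD_CONF = """\
# weak: default community strings, reachable from any source
rocommunity public
rwcommunity private
# stronger: non-default string, accepted only from the management console
rocommunity mgmt-r0-7Hq2 10.0.5.10/32
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_LINE = re.compile(r"^(rocommunity|rwcommunity)\s+(\S+)(?:\s+(\S+))?")


def audit_snmpd_conf(text, max_source_prefix=24):
    """Return [(line_no, finding)] for community definitions that violate the
    slide's countermeasures: default strings, no source restriction, and
    source ranges wider than a /max_source_prefix."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = COMMUNITY_LINE.match(raw.split("#", 1)[0].strip())  # ignore comments
        if not m:
            continue
        directive, community, source = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, f"default community string '{community}'"))
        if source is None or source.lower() == "default":
            findings.append((line_no, "no source restriction: any host may query"))
        else:
            try:
                net = ip_network(source, strict=False)
                if net.prefixlen < max_source_prefix:
                    findings.append((line_no, f"broad source range {net}"))
            except ValueError:
                pass  # hostname sources are left for the reader to review
        if directive == "rwcommunity":
            findings.append((line_no, "write community: prefer read-only or SNMPv3"))
    return findings
```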
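For the SMTP enumeration and countermeasure slides above, an added example that is not part of the slides: detection of VRFY/EXPN probing over a constructed command log, beside the server reply policy that removes the signal the probing relies on. The log format, IP addresses and account names are invented for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed SMTP command log; the one-line-per-command format
# "<timestamp> <client-ip> <command> <argument> <reply-code>" is invented here.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.219.100.55 VRFY root 250
2024-03-01T09:00:01 10.219.100.55 VRFY admin 550
2024-03-01T09:00:01 10.219.100.55 VRFY test 550
2024-03-01T09:00:02 10.219.100.55 VRFY postmaster 250
2024-03-01T09:00:02 10.219.100.55 EXPN staff 250
2024-03-01T09:00:03 10.219.100.55 VRFY backup 550
2024-03-01T09:05:00 10.219.100.7 VRFY alice 250
2024-03-01T09:06:00 10.219.100.9 MAIL FROM:<bob@example.com> 250
"""

PROBE_COMMANDS = {"VRFY", "EXPN"}


def detect_user_enumeration(log_text, threshold=5, window_seconds=60):
    """Flag clients that probe >= threshold distinct names with VRFY/EXPN inside
    any window_seconds-long window. Returns {client_ip: max_distinct_names}."""
    probes = defaultdict(list)                       # ip -> [(time, name)]
    for line in log_text.splitlines():
        ts, ip, command, arg, _code = line.split(" ", 4)
        if command.upper() in PROBE_COMMANDS:
            probes[ip].append((datetime.fromisoformat(ts), arg.lower()))
    flagged = {}
    for ip, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):               # sliding window over time
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(names))
    return flagged


def vrfy_reply(name, known_users, hardened=True):
    """Server-side reply policy. The weak form answers differently for existing
    and unknown accounts, which is the signal enumeration relies on; the hardened
    form uses the RFC 5321 252 reply, identical in both cases."""
    if hardened:
        return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
    if name in known_users:
        return f"250 2.1.5 {name}"
    return f"550 5.1.1 {name}: User unknown"
```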
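For the TFTP slide above (the tftp ... get /etc/passwd example and the countermeasure of limiting operations to /tftpboot), an added example that is not part of the slides: the path confinement a TFTP server applies to a requested filename before opening it. The request names are constructed and nothing is read from disk.

```python
import posixpath

TFTP_ROOT = "/tftpboot"   # the directory the slide's countermeasure limits TFTP to


def resolve_tftp_path(requested, root=TFTP_ROOT):
    """Map a client-supplied TFTP filename onto the served tree and refuse any
    name that would escape root. Returns the confined path, or None if refused.
    Pure path arithmetic (posixpath), so the result is the same on any host OS.
    A real server would additionally resolve symlinks (os.path.realpath) and
    re-check containment before opening the file."""
    if not requested or "\0" in requested:
        return None
    # TFTP filenames are opaque strings: treat them as relative to root, so
    # "/etc/passwd" becomes "/tftpboot/etc/passwd" rather than the system file.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # normpath collapses ".." segments, so a traversal ends up outside root
    # (or exactly on root); either is refused.
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def classify_requests(requested_names):
    """Split a batch of observed request names into (served, refused), the
    split a server would log for the usage monitoring the slide recommends."""
    served, refused = {}, []
    for name in requested_names:
        path = resolve_tftp_path(name)
        if path is None:
            refused.append(name)
        else:
            served[name] = path
    return served, refused


# Constructed request batch: typical device-config pulls plus traversal attempts.
SAMPLE_REQUESTS = ["router1.cfg", "/etc/passwd", "../etc/passwd", "configs/../../etc/shadow"]
```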
