ICT2212-Lecture 3-Scanning and Enumeration 2024.pdf

Full Transcript


SIT Internal
Slide 1: ICT2212 Ethical Hacking – Scanning and Enumeration
A/Prof Guo Huaqun (Linda)

Slide 2: Acknowledgement
This set of slides is based on a version from Dr. Raymond Chan (some slides developed by Dr Peter Loh).

Slide 3: Introduction to Scanning and Enumeration
Scanning and Enumeration is the 2nd stage of ethical hacking (the phases shown: Reconnaissance, Scanning and Enumeration, Gain Access, Keep Access, Cover Tracks). It consists of:
- Probing sweeps
- Port scans
- Enumeration
Goal: determine whether a system is up and probe it for weaknesses. How is this different from reconnaissance (foot-printing)?

Slide 4: Reconnaissance vs Foot-printing
- Reconnaissance: which house?
- Foot-printing: survey the house; where are the potential entry points?
- The information gathered increases from one phase to the next.

Slide 5: Foot-printing vs Scanning
Reconnaissance is like locating a house, foot-printing is like surveying the house exterior, and scanning is like finding the doors and windows and checking whether they are open or closed.
During foot-printing, attackers can obtain:
- Domain names and IP addresses
- Server, OS and network information
- Essentially, the attack surface
Scanning wants to determine:
- Is the system alive (or not, or air-gapped)?
- Which system ports are open and listening for inbound network traffic?
- What other systems are reachable?
Slide 6: Scanning Techniques
Determining if the system is alive:
- Probing sweeps
  - Ping sweeps (ICMP ECHO and NON-ECHO requests)
  - TCP and UDP sweeps
Determining which ports are open / closed / filtered:
- Basic port scanning
- Advanced port scanning
Detecting reachable systems:
- Route tracing
- APT – advanced worms

Slide 7: PROBING SWEEPS

Slide 8: PING Overview
PING (Packet INternet Groper) is a utility designed to determine whether a system at a specific IP address is alive.
- Using PING, attackers can send an Internet Control Message Protocol (ICMP) echo request to a range of addresses to determine which systems are "up and running".
- Every system that is up will respond with an echo reply, providing a list of potential targets.

Slide 9: PING Sweeps – ICMP Echo
Diagram: the attacker sends Echo Requests to 10.1.1.9, 10.1.1.10 and 10.1.1.11. 10.1.1.9 is down or filtered (no reply); 10.1.1.10 returns an Echo Reply and goes on the target list; 10.1.1.11 is an unused address.
- KALI LINUX – ping, fping (fping allows you to ping multiple hosts)
- WINDOWS – ping

Slide 10: KALI LINUX – fping Demo
- fping uses the ICMP protocol to determine if a host is up; you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping.
- Instead of trying one host until it times out or replies, fping sends out a ping packet and moves on to the next host in a round-robin fashion.
- If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within the time limit and/or retry limit, it is considered unreachable.

Slide 11: Kali Linux – ping Demo

Slide 12: PING Sweep – Kali Linux Demo
Tools – an easier way to ping sweep, but any false negatives?
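The ICMP messages behind the Echo ping sweep on these slides (and the Timestamp variant covered on the later non-Echo slides) can be built and decoded in a few dozen lines. The following Python is an added example, not material from the lecture or from fping/nmap: it assembles RFC 792 Echo and Timestamp messages with the RFC 1071 checksum, parses them back, and then runs a small sweep detector over constructed sensor records (the 10.1.1.x addresses, IDs and timestamps are made up for the example), flagging a source that sends requests to many distinct hosts.

```python
"""ICMP Echo (type 8/0) and Timestamp (type 13/14) messages, RFC 792.

Added example for the ping-sweep slides; it is not part of the lecture and
sends nothing. All packets below are constructed in memory, and the addresses
in sample_records() are constructed too.
"""
import struct
from collections import defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
                   11: "Time Exceeded", 13: "Timestamp Request", 14: "Timestamp Reply"}
REQUEST_TYPES = {ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST}   # what a sweep sends


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), used by ICMP, IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, rest_of_header: bytes, payload: bytes = b"") -> bytes:
    """type | code=0 | checksum | 4 header bytes | payload, with the checksum filled in."""
    body = rest_of_header + payload
    csum = rfc1071_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    return build_icmp(icmp_type, struct.pack("!HH", ident, seq), payload)


def build_timestamp(icmp_type: int, ident: int, seq: int,
                    originate: int, receive: int = 0, transmit: int = 0) -> bytes:
    """The three timestamps are milliseconds since midnight UT; a replying host
    fills in receive and transmit, which is what reveals it as alive."""
    return build_icmp(icmp_type, struct.pack("!HH", ident, seq),
                      struct.pack("!III", originate, receive, transmit))


def parse_icmp(data: bytes) -> dict:
    """Decode the common header, verify the checksum and pull out echo/timestamp fields."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code = data[0], data[1]
    msg = {"type": icmp_type, "code": code,
           "name": ICMP_TYPE_NAMES.get(icmp_type, "type %d" % icmp_type),
           "checksum_ok": rfc1071_checksum(data) == 0}   # a valid message sums to zero
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY,
                     ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        msg["id"], msg["seq"] = struct.unpack("!HH", data[4:8])
    if icmp_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        if len(data) < 20:
            raise ValueError("timestamp message needs 12 bytes of timestamps")
        msg["originate"], msg["receive"], msg["transmit"] = struct.unpack("!III", data[8:20])
    return msg


def detect_sweeps(records, min_targets: int = 8) -> dict:
    """records: (epoch_seconds, src_ip, dst_ip, icmp_bytes) as a sensor would see them.
    Flags sources that sent Echo or Timestamp requests to >= min_targets distinct hosts,
    reporting how many hosts, which request types, and over how many seconds."""
    per_src = defaultdict(lambda: {"targets": set(), "types": set(), "first": None, "last": None})
    for ts, src, dst, raw in records:
        msg = parse_icmp(raw)
        if not msg["checksum_ok"] or msg["type"] not in REQUEST_TYPES:
            continue
        entry = per_src[src]
        entry["targets"].add(dst)
        entry["types"].add(msg["type"])
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return {src: {"targets": len(e["targets"]), "types": sorted(e["types"]),
                  "span_s": e["last"] - e["first"]}
            for src, e in per_src.items() if len(e["targets"]) >= min_targets}


def sample_records():
    """Constructed sensor records: one host sweeping 10.1.1.1-14 with Echo then
    Timestamp requests, and one host that merely pings its gateway twice."""
    base = 1_700_000_000
    recs = []
    for n in range(1, 11):
        recs.append((base + n, "10.1.1.200", "10.1.1.%d" % n, build_echo(ICMP_ECHO_REQUEST, 0x1234, n)))
    for n in range(11, 15):
        recs.append((base + n, "10.1.1.200", "10.1.1.%d" % n,
                     build_timestamp(ICMP_TIMESTAMP_REQUEST, 0x1234, n, originate=36_000_000)))
    recs.append((base, "10.1.1.50", "10.1.1.1", build_echo(ICMP_ECHO_REQUEST, 7, 1)))
    recs.append((base + 30, "10.1.1.50", "10.1.1.1", build_echo(ICMP_ECHO_REQUEST, 7, 2)))
    return recs


if __name__ == "__main__":
    for src, info in detect_sweeps(sample_records()).items():
        print("sweep from %s: %d hosts, ICMP types %s, over %ds"
              % (src, info["targets"], info["types"], info["span_s"]))
```

Run it directly to print the flagged source. The checksum check is what lets a sensor discard malformed ICMP before counting it, and REQUEST_TYPES is the one place to extend when other probe types (such as the address-mask request) should count as sweep traffic.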
Slide 13: Windows – ping Demo

Slide 14: PING Sweep – Windows Demo

Slide 15: PING Sweep – FOR Syntax

Slide 16: Nmap
- Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon.
- It includes lots of useful tools, like nc (netcat).
- It has a GUI called Zenmap: https://nmap.org/zenmap/

Slide 17: Nmap Demo 1 – Ping Sweep
-sn: ping sweep, used only to find out whether the target is alive.
References: https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/ and http://resources.infosecinstitute.com/nmap/

Slide 18: PING Sweeps – Map Target Network
- "Live" systems send an ICMP Echo Reply (Type 0) message to the attacker's source IP after an ICMP Echo Request (Type 8) has been sent, but this is slow (RFC 1122): http://www.rfc-editor.org/rfc/rfc1122.txt
- Less effective today than in the past: scanning and DoS attacks that use ICMP Echo resulted in admins setting systems to drop inbound ICMP echo requests.
- May be effective for insiders or attackers who have been able to penetrate at least one system.
- Angry IP Scanner: http://angryip.org/download/

Slide 19: Ping Sweeps with Non-ECHO ICMP
- Ping sweeps can also be performed with ICMP type 13 messages (TIMESTAMP REQUEST) and type 14 (TIMESTAMP REPLY).
- The ICMP Timestamp Request/Reply allows a host to query another for the current time; the receiving host fills in the receive and transmit timestamps (in ms). RFC 792: http://www.rfc-editor.org/rfc/rfc792.txt
- Receiving an ICMP Timestamp Reply (Type 14) reveals a host (or a networking device) that is alive and has implemented the ICMP Timestamp messages.
- Useful when the more commonly used ICMP Echo packets are specifically blocked, or as an alternative.

Slide 20: Nmap Demo 2 – Non-Echo Sweep
-PP: sweep using ICMP Non-Echo (timestamp) probes; includes a port scan.

Slide 21: Nmap Demo 2 – ICMP Echo Sweep
-PE: ICMP Echo Request probes, with a port scan.

Slide 22: Ping Sweeps with Non-ECHO ICMP

Slide 23: Summary of ICMP Message Types
Try with an "Intense scan" profile. What does an Intense scan do? Experiment with the different options and option combinations in the lab.
References: http://nmap.org/book/zenmap-command-line.html and http://resources.infosecinstitute.com/nmap/

Slide 24: KALI LINUX – dnsmap Demo
- A network mapper sometimes referred to as a sub-domain brute force tool.
- Scans a domain to provide a list of sub-domains that may have vulnerabilities; independent of the discovery protocol.
- DNS Network Mapper – scan a domain and provide a list of subdomains. A sub-domain is the part of the URL before the top- and second-level domain (e.g. singaporetech is the sub-domain in singaporetech.edu.sg).
- Brute force tool used by pentesters during the scanning and enumeration phase for infrastructure security assessments.
- Discovering internal (private) addresses within an organization can help an attacker in carrying out network-layer attacks to penetrate the internal infrastructure.

Slide 25: TCP SWEEPS

Slide 26: What Happens If Target Blocks ICMP?
- Sometimes a more security-conscious site will block ICMP at the border router or firewall.
- Both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) provide alternative approaches to perform ping sweeps to find out if a host is alive on the network.
- TCP is a connection-oriented (transport layer) protocol that guarantees packet delivery in sequence but may be less efficient (slower) than ICMP, a control-oriented (network layer) protocol.
- UDP, however, may be less reliable than TCP but may be used to confirm closed ports.

Slide 27: Nmap Demo 3 – TCP Sweep 1/2
-sT: TCP connect scan.

Slide 28: TCP/IP Protocol Stack Review
OSI Reference Model vs IP conceptual layers (DARPA: Defense Advanced Research Projects Agency):
- Application, Presentation, Session -> Application
- Transport -> Transport
- Network -> Internet
- Data Link, Physical -> Network Interface (Ethernet, 802.3, 802.5, ATM, FDDI, and so on)
TCP/IP protocols map to the four-layer DARPA conceptual model.

Slide 29: ICMP uses Internet Layer
Diagram: the Internet layer (between Transport and Network Interface) carries the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP).
IP datagram header fields: VERS, HLEN, Type of Service, Total Length, ID, Flags, Frag Offset, TTL, Protocol, Header Checksum, Src IP Address, Dst IP Address, IP Options, Data.

Slide 30: TCP and UDP use Transport Layer
The Transport layer carries the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP segment format: Src Port, Dst Port, Seq #, Ack #, HLEN, Reserved, Code Bits, Window, Checksum, Urgent Ptr, Option, Data.
UDP segment format: Src Port, Dst Port, Length, Checksum, Data.

Slide 31: Establishing a TCP Connection
Diagram: hosts A and B exchange segments; each host tells its ISN (initial sequence number) to the other host.
Three-way handshake to establish a connection:
- Host A sends a SYN (open) to host B
- Host B returns a SYN acknowledgment (SYN ACK) – port open
- Host A sends an ACK to acknowledge the SYN ACK
- If host B returns an RST acknowledgement (RST ACK) – port closed

Slide 32: TCP Sweeps – Packets and Ports Used
A scanner sends a SYN packet to the target. If the target is alive, the scanner will receive:
- SYN ACK (the port is open)
- RST ACK (the port is closed)
With the TCP sweep technique, instead of sending ICMP request packets we send TCP SYN packets to the target network:
- Receiving a response is a good indication that some system is up there
- Usually, if one open port is discovered, there is a chance of also discovering filtered ports

Slide 33: TCP Sweep – KALI LINUX Demo
- nmap is a port scanner that can carry out TCP sweeps.
- -sT is the TCP connect scan, a basic type of port scan, which attempts to connect to every port in turn and notes whether or not the connection succeeded.

Slide 34: TCP Sweep – Windows Demo
Can also use Zenmap (Nmap) or Angry IP Scanner.

Slide 35: Response of TCP Sweeps
The response depends on:
- the target's OS adhering to RFC 793 (some OSs don't follow the TCP/IP protocol in their implementation, e.g. IBM OS/400)
- the nature of the packet sent
- any firewalls, routers or packet-filtering devices used
Bear in mind that firewalls (e.g., iptables) can spoof an RST packet for an IP address or drop it, so TCP sweeps may not be 100% reliable. Use a combination of scans (so far, we have used scans that depend on the target's positive response). Can we gather any intelligence if a target responds negatively?

Slide 36: UDP SWEEPS

Slide 37: UDP Sweeps
Depends on the ICMP PORT UNREACHABLE message (RFC 768).
Diagram: the scanner sends a UDP datagram; the target system replies with ICMP PORT UNREACHABLE when the port is closed.
Unreliable because:
- Routers can drop UDP packets as they cross the Internet
- UDP services may not respond when correctly probed
- Firewalls can be configured to drop UDP packets
- Relies on the fact that a closed UDP port and UDP services will respond

Slide 38: UDP Sweep vs TCP Sweep Demo – 1/3

Slide 39: UDP Sweep vs TCP Sweep Demo – 2/3

Slide 40: UDP Sweep vs TCP Sweep Demo – 3/3

Slide 41: UDP Sweep – KALI LINUX Demo 1
- Metasploit uses PostgreSQL as its database, so it needs to be launched first.
- Verify that PostgreSQL is running by checking the output of ss -ant; make sure that port 5432 is listening.

Slide 42: UDP Sweep – KALI LINUX Demo 2

Slide 43: UDP Sweep – KALI LINUX Demo 3
To configure this module, we need to set the RHOSTS and THREADS values and run it.

Slide 44: Common TCP / UDP Ports
TCP Port Number | Description
21  | File Transfer Protocol (FTP)
22  | Secure Shell (SSH)
23  | Telnet
25  | SMTP
80  | HTTP

UDP Port Number | Description
53  | DNS Queries
69  | Trivial File Transfer Protocol
137 | NetBIOS name service
138 | NetBIOS datagram service
161 | SNMP

Slide 45: Summary
- Scanning and Enumeration: 2nd stage of ethical hacking
- Footprinting is more of reconnaissance
- Scanning comprises: ping sweeps and port scans
- Ping sweeps (ICMP requests may be dropped)
  - Ping (ICMP) sweeps – Echo and Non-Echo
  - DNSmap (Kali Linux) – subdomains
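To make the response rules of the TCP and UDP sweep slides concrete (SYN ACK means open, RST means closed, silence means filtered, ICMP port unreachable is the negative reply a UDP sweep relies on), the following Python is an added example, not from the lecture or from nmap. It decodes a TCP header's flag byte and an ICMP unreachable header and maps probe/response pairs to open, closed, filtered or open|filtered. It generalises beyond the SYN sweep on these slides to the connect, FIN and UDP probes the deck covers in its port-scanning section; every header is constructed in memory, and the port/response table in sample_responses() is made up.

```python
"""Reading probe responses by the RFC 793 (TCP) and RFC 768 / RFC 792 (UDP, ICMP) rules.

Added example, not part of the lecture. It generalises the SYN sweep on the
slides to the connect, SYN, FIN and UDP probes covered later in the deck.
Every byte string here is a constructed header; nothing is sent.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {TCP_FIN: "FIN", TCP_SYN: "SYN", TCP_RST: "RST", TCP_PSH: "PSH", TCP_ACK: "ACK"}
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """A minimal 20-byte TCP header (data offset 5, checksum left zero; only flags matter here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def build_icmp_unreachable(code: int) -> bytes:
    """ICMP type 3 header; the quoted original datagram is omitted for brevity."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)


def tcp_flags(segment: bytes) -> set:
    """Flag names set in byte 13 of the TCP header (the 'code bits' field on slide 30)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return {name for bit, name in FLAG_NAMES.items() if segment[13] & bit}


def classify(probe: str, response) -> str:
    """probe: 'CONNECT', 'SYN', 'FIN' or 'UDP'.
    response: None (timed out) or (proto, raw) with proto 'tcp', 'udp' or 'icmp'."""
    if probe not in ("CONNECT", "SYN", "FIN", "UDP"):
        raise ValueError(probe)
    if response is None:
        # A SYN that draws nothing means a filter; FIN and UDP probes are silent on open ports too.
        return "filtered" if probe in ("CONNECT", "SYN") else "open|filtered"
    proto, raw = response
    if proto == "icmp":
        icmp_type, code = raw[0], raw[1]
        if icmp_type != ICMP_DEST_UNREACH:
            return "unknown"
        if probe == "UDP" and code == ICMP_PORT_UNREACH:
            return "closed"               # the negative reply UDP sweeps depend on (slide 37)
        return "filtered"                 # host/net/admin-prohibited unreachables
    if proto == "tcp":
        flags = tcp_flags(raw)
        if "RST" in flags:
            return "closed"
        if probe in ("CONNECT", "SYN") and {"SYN", "ACK"} <= flags:
            return "open"
        return "unexpected:" + "+".join(sorted(flags))
    if proto == "udp":
        return "open"                     # the service itself answered
    raise ValueError(proto)


def scan_table(probe: str, responses: dict) -> dict:
    """responses: {port: response}; returns {port: state}."""
    return {port: classify(probe, resp) for port, resp in responses.items()}


def fin_results_suspicious(states: dict) -> bool:
    """Slide 49: some stacks answer every probe with RST regardless of port state, so a FIN
    scan reporting nothing but 'closed' says more about the OS than about the ports."""
    return len(states) >= 3 and set(states.values()) == {"closed"}


def sample_responses():
    """Constructed replies a scanner might see from one host (ports and contents made up)."""
    tcp = {22: ("tcp", build_tcp_header(22, 40000, TCP_SYN | TCP_ACK, seq=1000, ack=1)),
           23: ("tcp", build_tcp_header(23, 40001, TCP_RST | TCP_ACK, ack=1)),
           135: None}
    fin = {22: None, 23: ("tcp", build_tcp_header(23, 40002, TCP_RST)), 135: None}
    udp = {53: ("icmp", build_icmp_unreachable(ICMP_PORT_UNREACH)),
           69: ("udp", b"\x00\x05\x00\x01no such file\x00"),   # a TFTP error datagram
           161: None,
           500: ("icmp", build_icmp_unreachable(13))}   # code 13: communication administratively prohibited
    return tcp, fin, udp


if __name__ == "__main__":
    tcp, fin, udp = sample_responses()
    for probe, table in (("SYN", tcp), ("FIN", fin), ("UDP", udp)):
        states = scan_table(probe, table)
        print(probe, states, "(suspicious)" if probe == "FIN" and fin_results_suspicious(states) else "")
```

The "open|filtered" state for FIN and UDP probes is not a weakness of the code: those probes get no reply from an open port and no reply from a filter, so the protocol gives the scanner nothing to tell them apart with, which is the point slide 57 makes.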
  - Tools – Zenmap (Nmap with GUI), Angry IP Scanner
- TCP and UDP sweeps (when ICMP requests are blocked)
  - TCP sweeps – depend on the OS, may be spoofed by a firewall
  - UDP sweeps – unreliable; information comes from a negative reply
- Next lecture – Port Scanning

Slide 46: PORT SCANNING

Slide 47: Introduction to TCP Port Scanning
- Goal: find out open, closed and filtered ports (filtered means no reply from the remote host).
- Open remote port: send SYN, host responds with SYN ACK
- Closed remote port: send SYN, host responds with RST ACK
- Filtered remote port: send SYN, host may not respond
- The attacker's other goal is to find port(s) with services vulnerable to different security-related exploits (Enumeration).

Slide 48: Nmap Demo – Selective Port Scan
nmap -p <port> <IP address>; the default scan type is SYN scan.

Slide 49: TCP Specs for Port Scan
Port scanning via TCP adheres to:
- RFC 793 – a protocol specification that defines how TCP should react to FIN, ACK and SYN packets.
- According to RFC 793, open ports are required to reply with an ACK packet and closed ports are required to reply with a RESET packet to our probe packets, while filtered ports must ignore any packet in question.
- Unfortunately, not all systems adhere fully to RFC 793: a number of systems send RST responses to the probes regardless of whether the port is open or not.

Slide 50: Port Scanning Techniques
- TCP connect() scan – most basic form
- TCP SYN scan (half-open scan) – don't establish a full TCP connection
- TCP FIN scan – stealth scan
- Advanced scanning techniques

Slide 51: TCP Connect() Scan
Diagram: SYN -> SYN ACK (port listening) or RST ACK (port not listening) -> ACK.
- Also known as a vanilla scan
- If the port is reachable, connect to it for further probing
- nmap -sT -p <port>

Slide 52: Pros and Cons of TCP Connect() Scan
PROS:
- No special privileges are required to run the TCP connect() scan
- Accurate in determining TCP services
- Can distinguish among open, closed and filtered (open port focus)
CONS:
- Time-consuming (scanning speed is slow)
- This kind of scan is easily detected by IDS / IPS (noisy, involves many packets)
- Inspecting the target's log will show a number of connections and error messages immediately after each one of them was initiated

Slide 53: TCP SYN Scan (Half-Open Scan)
Diagram: SYN -> SYN ACK (port listening) -> RST (end handshake).
- Why is this called a half-open scan? We immediately tear down the connection by sending an RST, but the port remains open (nmap -PS).
- What happens when the port is closed?

Slide 54: Pros and Cons of TCP SYN Scan
PROS:
- Faster than the TCP connect scan
- Stealthy – most target hosts do not log such scan attempts
- Able to differentiate among open, closed and filtered ports
CONS:
- Requires privileged access (root or admin)
- Some firewalls and packet filters watch for SYNs to restricted ports (e.g. Barracuda, Checkpoint)

Slide 55: TCP FIN Scan – Stealth Scan
Diagram: FIN ACK packet -> RST packet (port closed); FIN ACK packet -> no response (an open or filtered port ignores the packet).
- Scans for closed ports (nmap -sF -p <port>)
- Why is the FIN scan considered stealthy?

Slide 56: TCP FIN Scan Demo
Used for avoiding firewalls.

Slide 57: Pros and Cons of TCP FIN Scan
PROS:
- Fast
- Stealthy – very few packets (one packet each time, no connection established)
CONS:
- Cannot differentiate between open and filtered ports (both incur no response – how does this differ from the half-open scan?)
- Requires special privileges (e.g., root on Unix and Linux systems)
- Vulnerable security product: Norton Personal Firewall

Slide 58: ADVANCED SCANNING

Slide 59: Advanced Port Scanning Techniques
- Random scan: randomizing the sequence of targets and ports probed, as well as the scanning intervals, may prevent detection.
- Slow scan: some hackers are very patient and use network scanners that spread the scan over a long period of time. The scan rate can be, for example, as low as 2 packets per day per target site. Can bypass several IDSs, e.g. Snort, Bro.
- Fragmentation scan: in the case of TCP, the 8 bytes of data (minimum fragment size) are enough to contain the source and destination port numbers. This forces the TCP flags field into the second fragment. May hide the scan from some firewalls and IDSs.
- Decoy scan: some network scanners include options for decoys or spoofed addresses in their attacks. If many decoys are used, determining who the real attacker is will be nearly impossible.
- Coordinated scan: group scanning based on a strategy or plan.

Slide 60: Fragmentation Scan
- All IP packets that carry data can be fragmented.
- Split the probe packet into several IP fragments.
- Some firewalls and IDSs may incorrectly reassemble or completely miss portions of the scan. They may assume that this was just another segment of traffic that has already passed through their access list.
- Advantage: the scan is difficult to detect.
- Disadvantage: may not work on all OSs; may crash some firewalls and IDSs.
- nmap -f (experiment and observe in the lab)

Slide 61: Decoy Scan
- Packets from the real source must contain the actual source address, or else the response from the target system will not be received.
- Used to confuse the target.
- Send spoofed probe packets with fake source address(es) to the target (one must be real).
- More difficult to determine the actual scanner.
- More decoys – slower scanning.
- nmap -sX -D (experiment and observe in the lab; X can be S or T etc.)

Slide 62: Decoy Scan – KALI LINUX Demo

Slide 63: Decoy Scan – Windows Demo

Slide 64: Decoy Scan with Wireshark
nmap -D 192.168.102.125,192.168.102.126,192.168.102.127,192.168.102.128,192.168.102.129,192.168.102.130,192.168.102.132 192.168.102.131
However, with the directive "ME":
nmap -D 192.168.102.125,192.168.102.126,192.168.102.127,192.168.102.128,192.168.102.129,192.168.102.130,ME 192.168.102.131

Slide 65: Coordinated Scan
- When a group of attackers are working together to achieve a common goal, e.g. to get unauthorized access to a targeted network.
- Coordinated attacks can be used to target a single host or even an entire network.
- A coordinated scan can gather host information for a further attack more efficiently and stealthily than single-source port scans, by distributing tasks amongst multiple sources.
- Diagram: Attacker -> Handlers -> Agents -> Victim.
- If multiple IPs probe a target network, each probing a certain service on a certain machine in a different time period, it would be nearly impossible to detect these scans.
- Detection possibility: using smart analytics (ML) with a HoneyNet.

Slide 66: ROUTE TRACING

Slide 67: After Port Scanning ...
- Especially when the target is a networked system.
- The attacker has to move sideways (laterally) through a network to map the system and eventually locate the primary target.

Slide 68: Introduction to Route Tracing
- Lists routers and hops between the client and a remote host.
- The IP address and domain name (if there is one) of each router is returned to the client.
- May also calculate and display the hop time.
- The information may be useful to locate new potential attack vectors.
- Popular trace routing tools: Linux and Unix OSs – traceroute; Windows (DOS command) – tracert.

Slide 69: Trace route – KALI LINUX Demo
It's possible that your network blocks ICMP traffic. Try using traceroute -T to use TCP rather than ICMP.

Slide 70: Tracert Command Syntax
Annotations on the syntax diagram: Default = 30 (maximum hops, -h); 1 or more routers between nodes; Default = 4000 (timeout in milliseconds, -w).

Slide 71: Trace route – Windows Demo

Slide 72: How does Tracert Work?
- TTL = hop limit.
- What if a firewall drops / blocks probes?
- At each hop, tracert sends 3 probe packets by default and measures the time (in milliseconds) of each response.
- Output columns, from left: column 1 – hop number; columns 2 to 4 – round trip time (RTT) for the 1st to 3rd probes; column 5 – host/router name and/or IP address.

Slide 73: ENUMERATION

Slide 74: Introduction to Enumeration
- Port-based enumeration (in-depth scanning):
  - Determine OS and services
  - Reference: http://cve.mitre.org
- Enumeration extracts information about:
  - Shared resources (or shares) on the network
  - User account information (rarely, user authentication)
- Enumeration is more intrusive: information is gathered by queries via active connections to the target system.
- Enumeration tools: NBTScanner, NBTScan, Net View, Reaper, nmap, netcat, etc.

Slide 75: OS Enumeration
TCP/IP stack fingerprinting:
- Send specific TCP packets to the target IP to collect configuration information and determine vulnerabilities to customize exploits.
- Compare the response with nmap's database of known OS fingerprints.
- OS details are displayed if there is a match.
Fingerprinting technique – banner grabbing:
- Acquire networked system information and port service information.
- Tool and command: nmap -sV -v --script banner 172.27.146.242
  - -sV: probes open ports to determine service/version information
  - -v: increase verbosity
  - --script banner: run the banner grabbing script

Slide 76: Banner Grab – KALI
Identify service.

Slide 77: Banner Grab – Zenmap
Identify service.

Slide 78: Banner Grab – Netcat
Identify service: an SSH-enabled Cisco gateway.
Services detected may suffer from vulnerabilities due to:
- Misconfiguration of the service
- The software version having security flaws
Vulnerabilities can lead to privileged access being gained by the attacker.

Slide 79: NBTscan – Scanning Demo
- NETBIOS nameserver scanner
- nbtscan -f 172.27.146.0-254
- The hex code and type identify the service being offered.

Slide 80: NBTscan – Guide

Slide 81: NetBScanner Enumeration
- The computers listed in the network neighbourhood come from the browser list maintained by the computer that is the Master Browser.
- A computer can become Master Browser through an election, where the computer with the highest priority is elected.
- Note that the MAC address is also shown.

Slide 82: Net View Enumeration

Slide 83: Dumpsec Enumeration
- Report -> Dump Permissions for Shares
- Report -> Dump Permissions for File System

Slide 84: Nessus
Nessus: identifies vulnerabilities and policy-violating configurations. http://www.tenable.com/products/nessus-vulnerability-scanner

Slide 85: Additional Enumeration Tools
- NetScanTools Pro: internet information gathering – http://www.netscantools.com/nstpromain.html
- DumpSec: reporting security, directory, registry and event information – http://www.systemtools.com/somarsoft/?somarsoft.com
- Hyena: http://www.systemtools.com/hyena/
- Netcat: https://nmap.org/ncat/ , joncraton.org/files/nc111nt.zip

Slide 86: Summary
- Ping sweeps -> port scans
  - Protocol rules – RFC 1122 (ICMP), RFC 793 (TCP), RFC 768 (UDP)
  - Scanning techniques and tools; sub-domain lists
  - Advanced scanning techniques and tools
- Route tracing
  - Determine the route between source and destination
  - May help reveal new pen-test vectors / supports lateral movement
- Enumeration
  - Determine OS and service vulnerabilities, resource shares, user accounts, etc.
  - Identified vulnerabilities give an indication of how access may be gained
  - Many tools are available; a combination must be used to obtain comprehensive enumeration
- Next lecture – Sniffing

Slide 87: QUESTIONS OR COMMENTS?
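Detecting the connect, SYN, FIN, decoy and slow scans described in the port-scanning slides from the target's side is the defender's counterpart to that material. The following Python is an added example, not from the lecture: it parses constructed iptables-style LOG lines (the format, hosts and thresholds are all made up for the example), labels each inbound packet by the first-packet signature of a connect/SYN, FIN, null or UDP scan, counts distinct destination ports per source/destination pair within a sliding window, and groups simultaneous sources with identical port sets as one scanner plus its decoys. The constructed log also contains a slow scan that the default window misses, which is the limitation slide 59 describes.

```python
"""Spotting connect/SYN/FIN/decoy port scans in firewall logs.

Added example, not part of the lecture. The iptables-style log lines, hosts
and thresholds are constructed; adjust them to your own sensor's format.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
                     r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?: FLAGS=(?P<flags>\S+))?$")


def parse_line(line: str):
    """One inbound-packet log line -> dict, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"]).timestamp()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    rec["flags"] = set(rec["flags"]) if rec["flags"] else set()
    return rec


def probe_kind(rec: dict):
    """Label a packet by each scan's first packet as the slides describe it: a bare SYN
    (connect() and half-open scans both start this way), a bare FIN (FIN scan), no flags
    (null scan) or a UDP datagram. Anything else is treated as ordinary traffic."""
    if rec["proto"] == "UDP":
        return "udp"
    flags = rec["flags"]
    if flags == {"S"}:
        return "syn"
    if flags == {"F"}:
        return "fin"
    if not flags:
        return "null"
    return None


def detect_scans(lines, window_s: int = 60, min_ports: int = 10) -> dict:
    """{(src, dst): {...}} for every source that probed >= min_ports distinct ports on one
    host within window_s seconds. A slow scan below that rate is not caught (slide 59),
    which is why a longer window or a per-source baseline is also needed."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = probe_kind(rec)
        if kind:
            probes[(rec["src"], rec["dst"])].append((rec["ts"], rec["dpt"], kind))
    alerts = {}
    for key, events in probes.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):        # slide the window over this pair's probes
            window = [e for e in events[i:] if e[0] - t0 <= window_s]
            ports = frozenset(e[1] for e in window)
            if len(ports) >= min_ports:
                alerts[key] = {"kind": "+".join(sorted({e[2] for e in window})),
                               "ports": ports, "start": t0,
                               "span_s": round(window[-1][0] - t0, 1)}
                break
    return alerts


def decoy_groups(alerts: dict, tolerance_s: int = 5) -> list:
    """Sources that hit the same host with the same port set at the same moment are almost
    certainly one scanner plus its decoys (slide 61): raise one alert for the group."""
    groups = defaultdict(list)
    for (src, dst), a in alerts.items():
        groups[(dst, a["ports"], round(a["start"] / tolerance_s))].append(src)
    return sorted(sorted(srcs) for srcs in groups.values() if len(srcs) > 1)


def sample_log() -> list:
    """Constructed log: a SYN scan, a FIN scan, a decoy scan with three apparent sources,
    a legitimate HTTPS client, and a slow scan too sparse for the default window."""
    def line(sec, src, dst, dpt, flags="S", proto="TCP"):
        ts = "2024-03-01T10:%02d:%02d" % divmod(sec, 60)
        fl = " FLAGS=%s" % flags if flags is not None else ""
        return "%s SRC=%s DST=%s PROTO=%s SPT=%d DPT=%d%s" % (ts, src, dst, proto, 40000 + dpt, dpt, fl)
    ports = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
    log = [line(i, "10.0.0.5", "10.0.0.20", p) for i, p in enumerate(ports)]
    log += [line(20 + i, "10.0.0.6", "10.0.0.20", p, flags="F") for i, p in enumerate(ports[:10])]
    for decoy in ("10.0.0.7", "10.0.0.8", "10.0.0.9"):
        log += [line(300 + i, decoy, "10.0.0.21", p) for i, p in enumerate(ports[:10])]
    log += [line(40, "10.0.0.50", "10.0.0.20", 443), line(40, "10.0.0.50", "10.0.0.20", 443, flags="A"),
            line(41, "10.0.0.50", "10.0.0.20", 443, flags="PA")]
    log += [line(600 + 120 * i, "10.0.0.99", "10.0.0.20", p) for i, p in enumerate(ports)]  # one SYN per 2 min
    return log


if __name__ == "__main__":
    found = detect_scans(sample_log())
    for (src, dst), a in found.items():
        print("%s -> %s: %s scan, %d ports in %ss" % (src, dst, a["kind"], len(a["ports"]), a["span_s"]))
    print("decoy groups:", decoy_groups(found))
```

Widening window_s to an hour picks up the 10.0.0.99 scan in the constructed log; in practice the window and min_ports are tuned against a baseline of what legitimate clients on the segment do, since a single monitoring host can look exactly like a slow scanner.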
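The route-tracing slides describe what tracert prints; the following Python is an added example, not from the lecture, that simulates why it prints it: a probe with TTL n is discarded by the nth router, which reports back with ICMP Time Exceeded (type 11), the destination answers the probe that survives, and a hop that silently drops expired probes (the "firewall drops / blocks probes" case on slide 72) shows up as a row of asterisks. The hops, names and delays in sample_path() are constructed (RFC 5737 documentation addresses); no packets are sent.

```python
"""How traceroute/tracert discover the path: TTL expiry and ICMP Time Exceeded.

Added example, not part of the lecture. The path is simulated in memory with
constructed (RFC 5737 documentation) addresses; no probes are sent.
"""
from dataclasses import dataclass

ICMP_ECHO_REPLY, ICMP_TIME_EXCEEDED = 0, 11


@dataclass
class Hop:
    ip: str
    name: str = ""
    delay_ms: float = 1.0        # one-way delay added by this hop
    silent: bool = False         # firewall hop: discards expired probes without an ICMP Time Exceeded


def forward(hops, ttl: int):
    """Send one probe with the given TTL along hops (routers..., destination last).
    Returns (icmp_type, responder_ip, rtt_ms) or None when nobody answers."""
    one_way = 0.0
    for index, hop in enumerate(hops):
        one_way += hop.delay_ms
        if index == len(hops) - 1:                     # reached the destination host
            return None if hop.silent else (ICMP_ECHO_REPLY, hop.ip, 2 * one_way)
        ttl -= 1                                       # every router decrements TTL before forwarding
        if ttl == 0:                                   # expired here: router drops it and (normally) reports back
            return None if hop.silent else (ICMP_TIME_EXCEEDED, hop.ip, 2 * one_way)
    return None


def traceroute(hops, max_hops: int = 30, probes: int = 3):
    """tracert's defaults: up to 30 hops, 3 probes per TTL. One row per TTL:
    (ttl, [rtt_ms or None per probe], responder_ip or '*')."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [forward(hops, ttl) for _ in range(probes)]
        rtts = [r[2] if r else None for r in replies]
        responder = next((r[1] for r in replies if r), "*")
        rows.append((ttl, rtts, responder))
        if any(r and r[0] == ICMP_ECHO_REPLY for r in replies):
            break                                      # destination answered: path complete
    return rows


def format_rows(rows, hops):
    """Render like tracert: hop number, three RTT columns, then name [ip] (slide 72)."""
    names = {h.ip: h.name for h in hops}
    out = []
    for ttl, rtts, responder in rows:
        cells = "  ".join("*" if r is None else "%5.1f ms" % r for r in rtts)
        label = responder if responder == "*" or not names.get(responder) \
            else "%s [%s]" % (names[responder], responder)
        out.append("%3d  %s  %s" % (ttl, cells, label))
    return out


def sample_path():
    """Constructed path: gateway, a firewall that drops expired probes, a transit router, target."""
    return [Hop("192.0.2.1", "gw.example", 0.5),
            Hop("198.51.100.1", "fw.example", 5.0, silent=True),
            Hop("203.0.113.1", "transit.example", 2.0),
            Hop("203.0.113.50", "target.example", 3.0)]


if __name__ == "__main__":
    rows = traceroute(sample_path())
    print("\n".join(format_rows(rows, sample_path())))
```

Because the mechanism is the TTL field, not the probe type, switching the probe from ICMP Echo to UDP or TCP SYN (traceroute -T on slide 69) changes only which packets a filter lets through to the destination; the Time Exceeded replies from intermediate routers are the same in every case.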
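The enumeration slides note that a grabbed banner identifies a service whose version may carry known flaws. The following Python is an added example, not from the lecture, nmap or netcat, that parses SSH, HTTP and FTP banners into product and version and checks them against a minimum-version baseline, which is how a defender turns the same banner output into a patch-status finding. The banners in sample_grabs() and the BASELINE versions are constructed; the SSH banner grammar follows RFC 4253, and the HTTP and FTP patterns cover the common Server header and 220 greeting shapes.

```python
"""From grabbed banners to an inventory check against a patch baseline.

Added example, not from the lecture. The banners, hosts and minimum-version
baseline are constructed for illustration; the banner grammars follow RFC 4253
(SSH), the HTTP Server header and the FTP 220 greeting.
"""
import re

SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
HTTP_SERVER_RE = re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w.-]*)/(?P<version>[\w.]+)", re.M)
FTP_RE = re.compile(r"^220[ -](?P<rest>.*)$")
# product, optional separator, version such as 8.9p1 / 3.0.3 / 1.25
PRODUCT_VERSION_RE = re.compile(r"(?P<product>[A-Za-z][\w.-]*?)[_/ -]?v?(?P<version>\d+(?:\.\d+)+\w*)")

BASELINE = {"OpenSSH": "9.0", "Apache": "2.4.58", "vsFTPd": "3.0.3"}   # constructed policy


def parse_banner(banner: str):
    """Return {"service", "product", "version"} or None when the banner is unrecognised."""
    banner = banner.strip()
    m = SSH_RE.match(banner)
    if m:
        pv = PRODUCT_VERSION_RE.match(m["software"])
        return {"service": "ssh", "product": pv["product"] if pv else m["software"],
                "version": pv["version"] if pv else None}
    m = HTTP_SERVER_RE.search(banner)
    if m:
        return {"service": "http", "product": m["product"], "version": m["version"]}
    m = FTP_RE.match(banner)
    if m:
        pv = PRODUCT_VERSION_RE.search(m["rest"])
        return {"service": "ftp", "product": pv["product"] if pv else None,
                "version": pv["version"] if pv else None}
    return None


def version_key(version: str) -> tuple:
    """'8.9p1' -> ((8, ''), (9, 'p1')) so that versions order numerically, suffix second."""
    key = []
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        key.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(key)


def check_inventory(grabbed, baseline=BASELINE) -> list:
    """grabbed: [(host, port, banner)]. Returns (host, port, finding, detail) tuples for
    services that are unrecognised, versionless, outside the baseline or below it."""
    findings = []
    for host, port, banner in grabbed:
        info = parse_banner(banner)
        if info is None:
            findings.append((host, port, "unrecognised banner", repr(banner[:32])))
            continue
        minimum = baseline.get(info["product"])
        if info["version"] is None:
            findings.append((host, port, "no version in banner", info["product"]))
        elif minimum is None:
            findings.append((host, port, "product not in baseline", info["product"]))
        elif version_key(info["version"]) < version_key(minimum):
            findings.append((host, port, "below baseline",
                             "%s %s < %s" % (info["product"], info["version"], minimum)))
    return findings


def sample_grabs():
    """Constructed banners as nmap --script banner or netcat would show them."""
    return [("10.0.0.20", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"),
            ("10.0.0.21", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Ubuntu)\r\n\r\n"),
            ("10.0.0.22", 21, "220 (vsFTPd 3.0.3)"),
            ("10.0.0.23", 22, "SSH-2.0-Cisco-1.25"),
            ("10.0.0.24", 23, "\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23")]   # telnet option negotiation


if __name__ == "__main__":
    for finding in check_inventory(sample_grabs()):
        print(finding)
```

A banner is self-reported and can be edited or suppressed (slide 78's misconfiguration point cuts both ways), so a finding from this check is a lead for the patch team to confirm against the host, not proof of a vulnerability; the "unrecognised banner" and "product not in baseline" findings are there so that unknown services are surfaced rather than silently ignored.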
