Module 3: Network Scanning Concepts PDF
Summary
This document details network scanning concepts, including objectives, types of scanning, and the network scanning process. It also discusses TCP communication flags and various tools used in network security.
Module 3
Network Scanning Concepts

Network scanning is the second phase in an attack, following footprinting. In this phase, attackers use network scanning techniques to gather detailed information about a target, including identifying hosts, open ports, and services in the network. This helps attackers develop a profile and find vulnerabilities to exploit.

Objectives of Network Scanning

1. Discover Live Hosts: Identify active machines and their IP addresses.
2. Identify Open Ports: Find open ports and services running on hosts, which can be used as entry points for attacks.
3. Operating System Discovery (Fingerprinting): Detect the target’s operating system and system architecture to plan specific attacks.
4. Service and Application Identification: Identify services or specific versions of applications running on the target system.
5. Vulnerability Detection: Uncover potential vulnerabilities in systems that can be exploited.

Types of Scanning

1. Port Scanning: Lists open ports and services by sending messages to target ports. Helps identify services running on the system and their potential vulnerabilities.
2. Network Scanning: Identifies active hosts and their IP addresses. Used to assess the security of the network or target active hosts for attacks.
3. Vulnerability Scanning: Identifies known vulnerabilities in the target system by comparing it with a database of exploits. Useful for detecting outdated software or misconfigured systems.

Network Scanning Process

Attackers send TCP/IP probes to the target network and receive information back, revealing details about live hosts, services, operating systems, and potential vulnerabilities. This process enables attackers to map the network and find exploitable entry points.

TCP Communication Flags

TCP flags help manage network connections and control the flow of data during communication. Attackers use certain TCP flags to gather information about the target system:

1. SYN (Synchronize): Starts a connection (used in the three-way handshake).
2. ACK (Acknowledgement): Confirms the receipt of data.
3. PSH (Push): Sends all buffered data immediately.
4. URG (Urgent): Prioritizes processing of urgent data.
5. FIN (Finish): Closes a connection.
6. RST (Reset): Resets the connection, often used by attackers to identify open ports.

[Figure: TCP/IP Communication (panels: Start, End)]

LO#02: Use Various Network Scanning Tools

1. Nmap

Nmap is one of the most popular network scanning tools, widely used for:
- Inventorying networks.
- Managing service upgrade schedules.
- Monitoring host or service uptime.

Attackers use Nmap to gather:
- Information about live hosts on a network.
- Open ports.
- Services running on those ports (including the application name and version).
- Information about packet filters or firewalls.
- Operating system details and versions.

Command Example:
nmap -p 1-65535 -T4 -A -v

Example Output:
- Port 3389: Service - Microsoft Terminal Services
- Port 80: Service - HTTP (possibly Microsoft IIS)
- Security Info: HTTP methods (GET, POST, TRACE) that could indicate risks.

2. Hping3

Hping3 is a versatile command-line tool that can be used for:
- Network security auditing.
- Firewall testing.
- Path MTU discovery.
- Advanced traceroute.
- Remote OS fingerprinting.
- Remote uptime guessing.
- TCP/IP stack auditing.

Common Hping3 Commands and Uses:

| Purpose | Command Example | Description |
|---|---|---|
| ICMP Ping | hping3 -1 10.0.0.25 | Sends an ICMP echo request (Ping) to the target. |
| SYN Scan on Port Range | hping3 -8 50-60 -S 10.0.0.25 -V | Scans ports 50-60 for SYN responses, verbose output. |
| ACK Scan on Port 80 | hping3 -A 10.0.0.25 -p 80 | Sends ACK packets to port 80, typically used to test firewall rules. |
| FIN Scan on Port 80 | hping3 -F 10.0.0.25 -p 80 | Sends FIN packets to port 80. Helps identify open/closed ports (stealthy scan). |
| SYN Flood | hping3 -S 10.0.0.25 -p 80 -- | Floods the target with SYN packets on port 80 (DoS flood testing). |
| Traceroute with Hping3 | hping3 --traceroute -V -p 80 10.0.0.25 | Performs a traceroute using TCP SYN packets on port 80. |
| Scan with Random Source Port | hping3 -S 10.0.0.25 -p 80 -s 1024 | Sends SYN packets to port 80 using source port 1024. |
| UDP Scan | hping3 -2 10.0.0.25 -p 53 | Performs a UDP scan on port 53. |

3. Metasploit Framework

Metasploit is a powerful penetration testing platform used for:
- Discovering vulnerabilities.
- Exploiting those vulnerabilities.
- Automating network attacks.

Attackers use Metasploit to gain access to systems by exploiting known vulnerabilities in various services.

Metasploit's capabilities:
- Vulnerability scanning.
- Exploit development and execution.
- Post-exploitation tasks (privilege escalation, data extraction, etc.).

Source: Metasploit

4. NetScanTools Pro

NetScanTools Pro is designed for discovering:
- IPv4 and IPv6 addresses.
- Hostnames and domain names.

It provides attackers with the ability to identify open ports and vulnerabilities in a target system.

Source: NetScanTools

5. Other Scanning Tools

| Tool | Description | Source |
|---|---|---|
| Unicornscan | High-performance scanner for large-scale network audits. | N/A |
| SolarWinds Port Scanner | Scans open ports and identifies vulnerabilities in network devices. | N/A |
| PRTG Network Monitor | Monitors network availability and usage, tracks uptime/downtime, bandwidth, etc. | N/A |
| OmniPeek Network Analyzer | Provides packet-level network analysis for troubleshooting and performance monitoring. | N/A |

6. Mobile Device Scanning Tools

| Tool | Platform | Description | Source |
|---|---|---|---|
| IP Scanner | iOS | Scans local networks to identify active devices, showing IP and MAC addresses. | IP Scanner |
| Fing | iOS/Android | Provides details like IP addresses, device vendor, MAC addresses, etc. | Fing |
| Network Scanner | Android | Displays IP addresses, MAC addresses, hostnames, and performs port scans. | Network Scanner |

LO#03: Demonstrate Various Scanning Techniques for Host Discovery

Host Discovery Techniques

Host Discovery involves identifying active or live systems within a network. This is a crucial first step in network scanning, helping avoid scanning every port on every IP address. Various methods and tools are used to identify live systems, as outlined below.

Host Discovery Techniques Summary

| Technique | Description | Tools/Command | Response |
|---|---|---|---|
| ARP Ping Scan | Sends ARP requests to discover active devices. Efficient and accurate, often used in LANs. | nmap -sn -PR | ARP Response = Active, No Response = Inactive |
| UDP Ping Scan | Sends UDP packets to check for active hosts. Effective for systems behind firewalls. | nmap -sn -PU | UDP Response = Active, Host Unreachable = Inactive |
| ICMP Echo Ping Scan | Sends ICMP Echo requests. Identifies active systems through replies. | nmap -sn -PE | Echo Reply = Active, No Response = Inactive |
| ICMP Echo Ping Sweep | Sends ICMP Echo requests to multiple hosts. Useful for identifying live hosts in a network. | nmap -sn -PE | ICMP Echo Replies = Active Hosts |
| ICMP Timestamp Ping Scan | Requests time from the target. Useful when ICMP Echo is blocked. | nmap -sn -PP | Timestamp Reply = Active, No Response = Inactive |
| ICMP Address Mask Ping Scan | Sends ICMP Address Mask requests. Effective when Echo is blocked. | nmap -sn -PM | Address Mask Reply = Active, No Response = Inactive |
| TCP SYN Ping Scan | Sends TCP SYN requests, initiating a 3-way handshake. Does not create actual connections, avoiding detection. | nmap -sn -PS | SYN-ACK = Active, No Response = Inactive |
| TCP ACK Ping Scan | Sends TCP ACK requests, often used to bypass firewalls that block SYN scans. | nmap -sn -PA | RST Response = Active, No Response = Inactive |
| IP Protocol Ping Scan | Sends packets using different IP protocols (ICMP, IGMP, etc.) to detect active systems. | nmap -sn -PO | Any Response = Active, No Response = Inactive |

ICMP Methods Overview

1. ICMP Echo Request (Ping)
- What it does: Sends a request to a specific host to see if it’s alive.
- How it works: The host responds back with an echo reply if it’s active.
- Used for: Basic connectivity checks (like saying "Are you there?").

2. ICMP Ping Sweep
- What it does: Sends echo requests to a range of IP addresses to find which ones are alive.
- How it works: By sending multiple echo requests, the sender identifies which hosts respond.
- Used for: Scanning a network to discover live hosts (like saying "Are you there?" to many addresses at once).

3. ICMP Timestamp Request
- What it does: Asks a host for the current time.
- How it works: The host replies with its time, helping the requester know it's alive and the round-trip time.
- Used for: Timing measurements and checking if a host is responsive.

4. ICMP Address Mask Request
- What it does: Requests the subnet mask of a host.
- How it works: The host replies with its subnet mask, which tells the requester how the network is structured.
- Used for: Understanding the network configuration of the host.

5. ICMP Destination Unreachable
- What it does: Informs the sender that a destination is unreachable.
- How it works: If a packet can’t reach a host, the router sends this message back to the sender.
- Used for: Troubleshooting network issues (like saying "I can't find that address!").

6. ICMP Time Exceeded
- What it does: Informs that a packet took too long to reach its destination.
- How it works: If a packet hops through too many routers (exceeding its "time to live"), this message is sent back.
- Used for: Diagnosing routing loops or overly long paths (like saying "This took too long!").
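
A defender's view of the host discovery probes above, as an added example that is not part of the original notes: it labels each inbound probe by the technique it matches (ICMP types 8, 13 and 17 are the Echo, Timestamp and Address Mask requests) and flags any source that probes many distinct hosts inside a short window. The record layout, the window and threshold values, and the sample records are constructed for illustration.

```python
from collections import defaultdict, deque

# ICMP request types used by the ping scans described above.
ICMP_PROBES = {8: "ICMP Echo", 13: "ICMP Timestamp", 17: "ICMP Address Mask"}

SYN, ACK = 0x02, 0x10  # TCP flag bits


def label_probe(rec):
    """Name the host discovery technique one packet record matches, or None.

    UDP ping is left out: a single datagram looks like ordinary traffic.
    The TCP checks are stateless; a real sensor would also confirm that a
    bare ACK belongs to no known connection.
    """
    proto = rec["proto"]
    if proto == "arp":
        return "ARP Ping"
    if proto == "icmp":
        return ICMP_PROBES.get(rec.get("icmp_type"))
    if proto == "tcp":
        flags = rec.get("flags", 0)
        if flags == SYN:
            return "TCP SYN Ping"
        if flags == ACK:
            return "TCP ACK Ping"
    return None


def find_sweeps(records, window=10.0, min_hosts=5):
    """Return {src: sorted technique names} for every source that probes at
    least min_hosts distinct destinations within any window-second span."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst, label)
    flagged = defaultdict(set)
    for rec in sorted(records, key=lambda r: r["ts"]):
        label = label_probe(rec)
        if label is None:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"], label))
        # Drop probes that have aged out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len({dst for _, dst, _ in q}) >= min_hosts:
            flagged[rec["src"]].update(lbl for _, _, lbl in q)
    return {src: sorted(labels) for src, labels in flagged.items()}


def rec(ts, src, dst, proto, **fields):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, **fields}


# Constructed sample records (addresses from documentation ranges).
SAMPLE = (
    # One source sends Echo requests to six hosts in under a second...
    [rec(0.1 * i, "192.0.2.50", f"10.0.0.{i}", "icmp", icmp_type=8) for i in range(1, 7)]
    # ...then tries a Timestamp request on a seventh.
    + [rec(0.8, "192.0.2.50", "10.0.0.7", "icmp", icmp_type=13)]
    # An Echo reply is a response, not a probe.
    + [rec(0.15, "10.0.0.1", "192.0.2.50", "icmp", icmp_type=0)]
    # A monitoring host pings one server repeatedly.
    + [rec(float(i), "10.0.0.9", "10.0.0.1", "icmp", icmp_type=8) for i in range(10)]
    # A slow source sends one SYN every 30 seconds to a new host.
    + [rec(30.0 * i, "198.51.100.7", f"10.0.0.{i + 1}", "tcp", flags=SYN) for i in range(5)]
)

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
    print(find_sweeps(SAMPLE, window=200.0))
```

The slow source stays under the 10-second window and is only caught when the window is widened, which is why sweep thresholds need a long-horizon counterpart.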

Summary Table

| ICMP Method | Description | Used For |
|---|---|---|
| Echo Request (Ping) | Checks if a host is alive | Basic connectivity checks |
| Ping Sweep | Sends echo requests to multiple IPs | Scanning a network for live hosts |
| Timestamp Request | Asks for the current time | Timing measurements |
| Address Mask Request | Requests the subnet mask | Understanding network structure |
| Destination Unreachable | Notifies the sender that a host is unreachable | Troubleshooting network issues |
| Time Exceeded | Informs that a packet took too long | Diagnosing routing problems |

IP Protocol Ping Scan Overview

The IP Protocol Ping Scan involves sending packets with different protocol types (like TCP, UDP, ICMP) to a target host to identify which protocols the host supports. Here’s a simple breakdown:

IP Protocol Ping Scan
- What it does: Sends packets using different protocols to see which ones the target host responds to.
- How it works: Instead of just sending ICMP echo requests (like a typical ping), it uses various protocols (like TCP or UDP) and checks for responses. If the host responds to a specific protocol, it indicates that the host is listening on that protocol and can handle traffic over it.
- Used for: Discovering which IP protocols (ICMP, TCP, UDP, etc.) are enabled on a target. Gaining insights into the services or applications running on the host by knowing which protocols are active.

Summary

The IP Protocol Ping Scan is a more comprehensive way of checking for active hosts than a standard ping, as it covers multiple protocols rather than just ICMP.

Ping Sweep Tools

| Tool | Description |
|---|---|
| Angry IP Scanner | Scans IP addresses and ports, resolves hostnames, and identifies live systems. |
| SolarWinds Engineer’s Toolset | Provides a comprehensive range of network management tools, including ping sweep. |
| NetScanTools Pro | Includes advanced network scanning and discovery tools. |
| Colasoft Ping Tool | Sends ICMP requests to probe networks and identify live hosts. |
| Visual Ping Tester | Offers a graphical interface for conducting ping sweeps and testing network response times. |
| OpUtils | Includes tools to detect live IPs and monitor network performance. |

LO#04: Port Scanning Techniques Overview

| Scanning Technique | How It Works | Advantages | Disadvantages |
|---|---|---|---|
| TCP Connect/Full-Open Scan | This method involves establishing a full TCP connection. The scanner sends a SYN packet, the target replies with SYN-ACK, and the scanner completes the connection by sending an ACK. Once the connection is established, the scanner sends an RST packet to close the connection. | Simple and reliable; no special privileges required | Easily detected and logged by firewalls and IDS because it completes the full handshake |
| Stealth Scan (Half-Open Scan) | Sends only a SYN packet to start the TCP handshake. If the target responds with a SYN-ACK, it means the port is open. The scanner then sends a RST (reset) instead of completing the handshake, making the connection “half-open.” This prevents logging on the target system. | Avoids detection by firewalls and logging systems; faster than a full-open scan; can bypass firewalls | Requires raw packet privileges (root access); only works if you have direct network access |
| Inverse TCP Flag Scans: FIN Scan, NULL Scan, Xmas Scan | These methods send TCP packets with unusual flag configurations. FIN Scan: sends a packet with the FIN flag set. NULL Scan: sends a packet with no flags set. Xmas Scan: sends a packet with FIN, URG, and PSH flags set. If the port is open, no response is sent. If closed, the target sends a RST packet. | Extremely stealthy; can bypass some firewalls and IDS; useful against older systems using Unix-based OS | Ineffective on Windows systems; requires root access to create custom packets |
| ACK Flag Probe Scan | Sends an ACK packet to the target and analyzes the response. If a RST packet is returned, it means the port is unfiltered (there’s no firewall). If no response, the port is filtered (a firewall is blocking it). | Useful for detecting firewalls and their rules | Doesn't tell whether the port is open or closed, only if it's filtered |
| UDP Scan | Sends a UDP packet to each port. If the port is closed, it responds with an ICMP Port Unreachable message. If there’s no response, the port is open or filtered. | Can discover services that use UDP, like DNS and SNMP | Slow and inefficient; unreliable because UDP doesn’t guarantee a response |
| SCTP INIT Scan | This method is used on SCTP (Stream Control Transmission Protocol). It sends an INIT chunk to start an association. If the port is open, it responds with an INIT-ACK. If closed, an ABORT chunk is sent. | Quick and efficient on fast networks; can clearly differentiate between open, closed, and filtered ports | Limited to systems that use SCTP |
| SCTP COOKIE ECHO Scan | Sends a COOKIE ECHO chunk. If the port is open, no response is sent (silent drop). If closed, the target sends an ABORT chunk. | Stealthier than INIT Scan; can bypass non-stateful firewalls | Cannot clearly distinguish between open and filtered ports |

Additional Port Scanning Techniques

| Scanning Technique | How It Works | Advantages | Disadvantages |
|---|---|---|---|
| BSD Network Code | Uses old BSD networking code to take advantage of its quirks in handling packets. | Useful for older Unix systems | Doesn’t work on modern systems like Windows |
| TCP Maimon Scan | Sends a FIN/ACK packet. If no response, the port is open; if RST is received, the port is closed. | Can bypass firewalls; simple and stealthy | Effective mostly on older BSD-based systems |
| TTL-Based ACK Flag Probe | Sends ACK packets and analyzes the TTL (Time To Live) value in the RST response. If TTL < 64, the port is open. | Helps evade firewalls; useful for checking open ports | Slow and works best on older systems |
| Window-Based ACK Flag Probe | Sends ACK packets and checks the Window Size field in the RST response. If the window size is non-zero, the port is open. | Can identify open ports when TTL scan fails | Limited by older BSD-derived TCP/IP stacks |
| IDLE Scan (IPID Header Scan) | Uses a zombie system’s IPID (IP Identifier) to send spoofed packets to the target. Analyzes IPID changes to detect open ports. | Complete anonymity; no direct interaction with target | Complex; needs a suitable "zombie" |

Detailed Explanations

1. BSD Network Code
- How it works: The Berkeley Software Distribution (BSD) networking code was part of early Unix systems and defined how packets were handled. Older systems running this code follow specific protocols, and attackers can exploit the way BSD handles certain TCP flags (like FIN, URG, PSH) to sneak past firewalls or security systems.
- Example: Think of it like finding a backdoor in an old building that hasn’t been updated: some old systems don’t respond to packets the way modern systems do, allowing you to get information without being detected.

2. TCP Maimon Scan
- How it works: This scan sends a FIN/ACK packet to the target. Normally, a closed port would respond with an RST packet, while an open port would send no response. The Maimon scan is useful against systems that follow BSD-derived protocols. If the port is open or filtered, there will be no response. If it’s closed, an RST packet will be sent.

3. TTL-Based ACK Flag Probe
- How it works: In this scan, ACK packets are sent to different TCP ports. The attacker analyzes the TTL (Time To Live) value in the RST responses. If the TTL value is less than 64, the port is open. If it’s greater than 64, the port is closed. This technique takes advantage of how packets are routed and how TTL decreases with each hop in a network.

4. Window-Based ACK Flag Probe
- How it works: Similar to the TTL-based scan, but instead of analyzing TTL values, this scan looks at the Window Size field in the RST packet. If the window size is non-zero, the port is open. If it’s zero, the port is closed. This method helps when TTL analysis doesn’t work.

5. IDLE Scan (IPID Header Scan)
- How it works (in detail): The IDLE scan takes advantage of another machine (called a zombie) to perform the scan. The attack works by manipulating the IPID (IP Identifier), a unique number assigned to packets. Here’s the step-by-step breakdown:
  1. Find a Zombie: The attacker finds a "zombie" machine that increments its IPID with each packet it sends. This zombie will be tricked into sending packets to the target.
  2. Probe the IPID: The attacker sends a SYN/ACK packet to the zombie to determine its current IPID. If the zombie responds with an RST, the attacker knows the current IPID value.
  3. Spoof the Zombie’s IP: The attacker sends a SYN packet to the target, pretending it’s from the zombie’s IP address. If the target port is open, it sends a SYN/ACK packet back to the zombie. If it’s closed, it sends an RST.
  4. Analyze the IPID: After the target responds to the zombie, the attacker sends another SYN/ACK packet to the zombie to check its new IPID value. If the IPID has increased by 2 (because the zombie sent an extra RST to the target), the port is open. If it only increased by 1, the port is closed.
- Example: It’s like sending a fake letter from your friend’s address (the zombie), and then secretly checking how many letters they received. If they got more than expected, you know the target responded.

SSDP and List Scan Overview

| Scanning Technique | How It Works | Advantages | Disadvantages |
|---|---|---|---|
| SSDP Scan | Simple Service Discovery Protocol (SSDP) works with Universal Plug and Play (UPnP) to discover devices on the network. Attackers send SSDP M-SEARCH queries to detect vulnerable UPnP services. | Allows finding devices like routers, printers, etc.; can detect UPnP vulnerabilities (e.g., buffer overflow or DoS attacks) | Vulnerable to exploitation if UPnP is misconfigured; can expose devices to attacks |
| List Scan | Generates a list of IPs/hostnames without actually scanning or pinging them. Reverse DNS resolution is performed to identify hostnames. | Can verify if hosts exist on the network; helps avoid triggering firewalls | Does not provide detailed info about the hosts; does not actively scan services or ports |

Detailed Explanations

1. SSDP Scan (Simple Service Discovery Protocol)
- How it works: SSDP is a protocol used by Universal Plug and Play (UPnP) devices to discover each other on a network. When devices are connected (like routers, printers, smart TVs), they use SSDP to broadcast their availability. Attackers take advantage of this by sending SSDP M-SEARCH queries, which prompt devices to respond with their services. If the devices respond, attackers can identify vulnerabilities in UPnP, such as buffer overflow or Denial of Service (DoS) weaknesses.
- Example: Imagine you enter a room and yell, "Who’s here?" All the devices (like smart lights, printers) respond, "I’m here, and I do this!" An attacker uses these responses to find weak spots in these devices.
- Technical Focus: SSDP uses multicast over IPv4 and IPv6 to communicate. Vulnerabilities in UPnP can allow attackers to control these devices remotely or crash them with buffer overflow attacks (when too much data is sent, causing the device to malfunction).

2. List Scan
- How it works: The List Scan is a passive scan that doesn’t actually probe any devices. It only generates a list of IP addresses and performs Reverse DNS resolution to find the hostnames associated with these IPs. It’s essentially a “sanity check” for network administrators to verify which devices exist on the network without touching them.
- Example: It’s like walking down the street and writing down the names of the houses without knocking on any doors to ask who’s inside.
- Technical Focus: Reverse DNS Resolution: This process queries the Domain Name System (DNS) to find the hostname associated with an IP address. It’s like looking up someone’s name by their phone number.

LO#05: OS Discovery/Banner Grabbing Overview

| Type | How It Works | Advantages | Disadvantages |
|---|---|---|---|
| Active Banner Grabbing | Sends crafted packets to the target system to analyze its responses based on TCP/IP stack differences across OS versions. | Quickly identifies OS and services; detailed information | Easily detected by firewalls and IDS |
| Passive Banner Grabbing | Gathers information by analyzing network traffic or error messages without interacting with the target system. | Very stealthy; no need to send packets to target | Slower and less detailed than active methods |

Detailed Explanation of OS Discovery Techniques

1. What is OS Discovery/Banner Grabbing?
- How it works: Banner Grabbing (also known as OS Fingerprinting) helps attackers identify the Operating System (OS) running on a target system. This knowledge allows attackers to pinpoint vulnerabilities specific to that OS and determine which exploits may succeed.
- Active Banner Grabbing: Sends packets to the target to provoke responses, which are compared against a database of known OS characteristics.
- Passive Banner Grabbing: Sniffs network traffic and gleans information about the OS without sending any packets to the target.

2. Active Banner Grabbing
- How it works: Sends specially crafted TCP or UDP packets to the target and looks for variations in how the OS responds. Each OS interprets these packets differently due to its unique TCP/IP stack implementation.
- Example: The tool Nmap sends a range of test packets (e.g., SYN, NULL, ACK) to elicit responses from open and closed ports, and then compares the results to a database of OS fingerprints.
- Common Tests:
  - SYN/ECN-Echo packet to an open port.
  - NULL packet (no flags) to an open port.
  - TCP packet with multiple flags (e.g., URG, PSH, FIN) to a closed port.
  - UDP packet to closed ports to trigger ICMP responses.
- Advantages: Provides detailed and precise information on the target’s OS.
- Disadvantages: Easily detectable by firewalls and intrusion detection systems (IDS).

3. Passive Banner Grabbing
- How it works: This technique listens to network traffic (without sending any probes) to determine the OS. The attacker analyzes TTL values, window sizes, or error messages to make an educated guess about the OS.
- Example: Observing TTL values in network packets: Linux systems often use a TTL of 64, while Windows typically uses 128.
- Advantages: Extremely stealthy since it doesn’t require interaction with the target.
- Disadvantages: Less detailed information compared to active methods and takes longer to gather data.

Other Techniques and Tools for OS Discovery

1. OS Discovery Using IPv6 Fingerprinting
- How it works: IPv6 introduces a larger address space (128 bits compared to 32 bits in IPv4), making traditional IPv4 scanning methods inefficient. However, IPv6 uses its own TCP/IP stack, which can be fingerprinted.
- Nmap’s IPv6 Scanning: In Nmap, the -6 and -O options are used to perform OS fingerprinting on IPv6-enabled networks. It sends specially crafted probes like Neighbor Solicitation and ICMPv6 echo requests.
- Example: Nmap sends several probes (e.g., S1-S6, ICMPv6, UDP). Based on how the target system responds, Nmap matches the results against known IPv6 OS signatures.
- Advantages: Helps attackers discover systems in IPv6 networks, which often have fewer security protections in place.
- Disadvantages: Fewer tools are optimized for IPv6 scanning, and networks are harder to scan due to the vast address space.

2. OS Discovery Using Tools
- Nmap: The -O option performs OS fingerprinting, sending packets and analyzing the responses to determine the OS.
- NSE (Nmap Scripting Engine): Allows automation of tasks such as OS discovery using pre-built or custom scripts. For instance, the smb-os-discovery script gathers OS information via the SMB protocol.
- Wireshark: Captures packets to observe TTL, window sizes, and other signature information to deduce the OS running on a target system.
- Unicornscan: Another tool that uses TTL values from packet responses to guess the OS. For example, if a packet has a TTL of 128, it likely originates from a Windows machine.

Parameters for OS Identification

| Parameter | What It Reveals | Examples |
|---|---|---|
| TTL (Time to Live) | Indicates how long a packet can exist before being discarded. OSs set different TTL defaults. | Linux: 64; Windows: 128 |
| Window Size | Shows how much data the system is prepared to receive. OSs use distinct default values. | Linux: 5840; Windows: 65535 |
| DF (Don’t Fragment) | Determines whether the packet can be fragmented. | Most systems use DF, except some like OpenBSD. |
| TOS (Type of Service) | Indicates the quality of service requested for the packet. | Mostly session-based, some OSs or services use specific TOS settings. |

Example: A packet with a TTL of 64 and a window size of 5840 suggests that the system is running Linux.

IPv6 vs. IPv4 in OS Discovery

- How IPv6 Scanning Works: IPv6 has a much larger address space (128 bits), which makes traditional scanning difficult. However, Nmap can still fingerprint systems by sending specific IPv6 probes, such as Neighbor Solicitation, ICMPv6 Echo, and UDP.
- Differences: IPv4 scanning relies on direct ping sweeps or port scans. IPv6 fingerprinting uses advanced probes and requires IPv6-specific detection engines.
- Nmap Command for IPv6: Example: nmap -6 -O to perform IPv6 OS discovery.

LO#06: Various Techniques for Scanning Beyond IDS and Firewall

1. Packet Fragmentation
- How it works: This method splits a large packet into smaller fragments. IDS/firewalls often overlook fragmented packets, which allows the attacker to bypass security mechanisms. By splitting the TCP header into smaller pieces, the attacker avoids detection by packet filters. The destination host reassembles the fragmented packets once they arrive.
- Example: In Nmap, use the -f option to fragment packets:
  nmap -sS -T4 -A -f
  This sends fragmented packets to bypass detection.
- Advantage: Bypasses packet filters by splitting up the packet.
- Disadvantage: Some firewalls block fragmented packets, and fragmented data can sometimes crash the target.

2. Source Routing
- How it works: Source routing allows the attacker to dictate the path that packets take through the network, bypassing routers that have IDS/firewalls. The attacker specifies the route in the IP packet's options field to avoid detection.
- Example: In Nmap, use the --route-mpath option to control the routing path:
  nmap --route-mpath
  This forces packets to go through a specific route.
- Advantage: Helps evade specific IDS/firewalls by routing packets around protected segments.
- Disadvantage: Only works if the attacker can manipulate the route successfully.

3. Source Port Manipulation
- How it works: Manipulates the source port of a packet to make it appear as if it’s coming from a trusted service (e.g., HTTP, FTP). Firewalls often allow traffic from trusted ports, so this technique can bypass them.
- Example: In Nmap, use the -g or --source-port option:
  nmap -g 80
  This makes the scan appear to come from port 80 (HTTP).
- Advantage: Bypasses firewalls that allow traffic from specific trusted ports.
- Disadvantage: The firewall might still inspect packet content, not just the port.

4. IP Address Decoy
- How it works: The attacker generates fake IP addresses (decoys) along with their real IP to confuse the IDS/firewall. This technique hides the real attacker’s IP among multiple decoy IPs.
- Example: In Nmap, use the -D option:
  nmap -D RND:10
  This generates 10 random decoy IPs for the scan, making it difficult for IDS/firewalls to identify the real attacker.
- Advantage: Hides the attacker’s real IP by overwhelming the system with multiple IPs.
- Disadvantage: Can slow down the scan and may not work if the IDS/firewall detects the decoys.

5. IP Address Spoofing
- How it works: The attacker forges the source IP address to make the packet appear as though it's coming from a different IP address, tricking the target and bypassing the firewall. This technique is typically used in Denial of Service (DoS) attacks where the attacker doesn't need to receive responses from the target.
- Example: Using Hping3, an attacker can spoof the source IP:
  hping3 -a 7.7.7.7
  This sends packets to the target with the spoofed source IP 7.7.7.7.
- Advantage: Bypasses firewalls that block specific IPs and can flood targets in DoS attacks.
- Disadvantage: Cannot establish TCP connections, as the three-way handshake cannot be completed.

6. MAC Address Spoofing
- How it works: The attacker changes their device’s MAC address to impersonate a legitimate user on the network, allowing them to bypass MAC-based filters on firewalls and routers.
- Example: In Nmap, use the --spoof-mac option to spoof the MAC address:
  nmap --spoof-mac Dell
  This spoofs a Dell MAC address while scanning the target.
- Advantage: Bypasses MAC-based filters in the firewall.
- Disadvantage: Ineffective if the firewall doesn't rely on MAC filtering.

7. Randomizing Host Order
How it works: The attacker scans a network's hosts in a random order instead of sequentially, reducing the chances of detection by network monitoring systems that expect sequential scans.
Example: In Nmap, use the --randomize-hosts option: nmap --randomize-hosts
This randomizes the order in which hosts are scanned.
Advantage: Evades detection by systems that monitor for sequential scanning.
Disadvantage: Slows down the scan, as the random order can be inefficient.

8. Sending Bad Checksums
How it works: The attacker sends packets with incorrect TCP/UDP checksums to trick firewalls that don’t verify checksums properly. Improperly configured systems may still respond to these packets, revealing useful information.
Example: In Nmap, use the --badsum option: nmap --badsum
This sends packets with invalid checksums to evade firewalls.
Advantage: Exploits improperly configured systems that do not check checksums.
Disadvantage: Many modern firewalls validate checksums, rendering this method ineffective.

9. Proxy Servers

| Purpose | How It Works | Advantages | Disadvantages |
|---|---|---|---|
| Serve as intermediaries | Proxy servers forward requests between the user and the destination server, hiding the user's real IP address. | Increases privacy and anonymity; bypasses firewalls and restrictions | Some proxies may log user activity; can introduce latency |
| Access restricted content | Attackers use proxies to access websites that might otherwise be blocked by firewalls or regional restrictions. | Helps bypass restrictions and censorship; allows remote access to intranets | If proxy logs are kept, attackers could be traced |
| Chain multiple proxies (proxy chaining) | Multiple proxy servers are used in sequence to enhance anonymity, making it hard to trace the origin of the request. | Increases anonymity with each additional proxy; obscures the origin of requests | Can introduce significant delays; the chain is only as strong as its weakest link |

Detailed Explanations

1. What is a Proxy Server?
How it works: A proxy server acts as an intermediary between your computer and the server you’re trying to access. Instead of connecting directly to the destination, your request first goes to the proxy, which forwards it to the final server. The server’s response is sent back to the proxy, which relays it to you.
Purpose:
- Hide the real source of the request (your IP address).
- Bypass restrictions like regional blocks or firewalls.
- Reduce bandwidth consumption by caching frequently accessed content.
Example: Let’s say you want to access a website that’s blocked in your country. You can use a proxy server located in another country to visit the website. The website will think the request is coming from the proxy server and not from your computer.

2. Why Attackers Use Proxy Servers
How it works: Attackers often use proxies to hide their real identity and mask their IP address. When a proxy is used, the attacker's request looks like it’s coming from the proxy’s IP address, not the attacker’s actual IP.
Reasons:
- To hide the source of a scan: Attackers can evade IDS/firewalls by making it appear that the request is coming from the proxy server rather than their actual machine.
- To access restricted resources: Attackers use proxies to reach resources like intranets or sensitive websites.
- To chain multiple proxies: By chaining several proxy servers together, attackers make it harder for anyone to trace their activities back to the original source.
Example: An attacker could chain multiple proxies like this:
- The attacker connects to Proxy A.
- Proxy A forwards the request to Proxy B.
- Proxy B then sends the request to the final destination.
Command Example: Using cURL to connect via a proxy: curl -x http://proxy.example.com:8080 http://targetsite.com

3. Proxy Chaining
How it works: Proxy chaining involves using multiple proxy servers in a sequence. Each proxy strips identifying information from the request before passing it to the next proxy in the chain, enhancing anonymity.
Steps:
- The user sends a request to Proxy 1.
- Proxy 1 removes the user’s identifying information and forwards the request to Proxy 2.
- This process repeats until the request reaches the final destination.
Advantage: With every additional proxy in the chain, it becomes harder to trace the origin of the request.
Disadvantage: The more proxies you chain, the slower the connection becomes.
Example: In Nmap, to specify multiple proxies (using proxy chains), you would configure each proxy in a configuration file or use chaining tools like ProxyChains.

Free Proxy Servers
How to use them: There are many free proxy services available. Simply searching for “Free Proxy Servers” in Google will give a list of available servers. To use one, you need to configure your browser or command-line tools to route traffic through the proxy.
Example:
- Search for “free proxy servers” on Google.
- Configure your browser to use the proxy: In Firefox, go to Settings → Network Settings → Manual proxy configuration.
- Enter the proxy server’s IP address and port.
Command Example: Using Nmap with a proxy: nmap -Pn --proxies

Proxy Tools
Proxy Switcher:
How it works: This tool allows users to switch between proxies easily. It helps attackers mask their IP address and access blocked sites by routing their requests through different proxies.
CyberGhost VPN:
How it works: Hides the attacker’s IP by replacing it with one of CyberGhost’s IPs. It allows anonymous surfing, access to blocked content, and encrypted connections.
Example: CyberGhost can be used to access restricted websites. The attacker selects a VPN server in a different region, and all traffic is routed through that server, making it appear as if the attacker is browsing from that region.
Command Example: ProxyChains can be used to route Nmap or other scan tools through multiple proxies: proxychains nmap

10. Anonymizers

| Type | How It Works | Advantages | Disadvantages |
|---|---|---|---|
| Networked Anonymizers | Your traffic is routed through multiple computers, making it hard to trace. | Extremely difficult to trace; provides strong privacy | Can introduce latency; each node may pose a risk |
| Single-Point Anonymizers | Your traffic passes through a single proxy server before reaching the destination. | Hides IP address; simpler to set up | Easier to track than multi-node anonymizers |

Detailed Explanations of Anonymizers

1. What is an Anonymizer?
How it works: An anonymizer acts as an intermediary server between the user and the target website. It removes all identifying information (like the user’s IP address) before forwarding the request to the destination.
Purpose:
- Anonymizers provide privacy by making the user’s browsing activity untraceable.
- They help bypass government censorship or restrictions on certain websites.
Example: Using a website like HideMyAss.com allows a user to visit a blocked or censored website without revealing their IP address.

2. Why Attackers Use Anonymizers
How it works: Attackers use anonymizers to hide their identity while performing reconnaissance or attacks on targets. By using an anonymizer, the attacker’s real IP address is hidden, making it harder to trace the attack back to them.
Reasons:
- To maintain privacy: Attackers use anonymizers to make their web browsing and attack activities untraceable.
- To bypass restrictions: Anonymizers allow access to blocked websites by making it appear as if the traffic is coming from a different region.
Command Example: Using an anonymizer with Tor: torify curl http://targetsite.com

Types of Anonymizers

1. Networked Anonymizers: Your data passes through a network of computers, making it extremely hard to trace.
Advantage: Provides robust privacy by routing your traffic through multiple nodes.
Disadvantage: Can introduce latency, and there’s a risk of data being compromised at any node in the network.

2. Single-Point Anonymizers: Your data passes through a single anonymizing server before reaching the destination.
Advantage: Easier to set up and hides your IP address.
Disadvantage: Less secure than networked anonymizers, as the single proxy server could be compromised.
Example: Using Whonix: This is a security-focused OS designed for anonymity using the Tor network.

Anonymizer Tools

| Tool | Description | Example |
|---|---|---|
| Whonix | A security-focused OS that anonymizes all traffic using the Tor network. | Use Whonix to browse the web anonymously and evade censorship. |
| Psiphon | A circumvention tool using VPN, SSH, and HTTP proxy technologies. | Use Psiphon to access blocked websites in restricted regions. |
| Tor | A free software that routes traffic through multiple nodes for anonymity. | Use Tor Browser to anonymize browsing activities. |
| Tails | A live OS designed to run from a USB drive, routing traffic through Tor. | Boot Tails OS from a |

LO#07 Network Scanning Countermeasures

1. Port Scanning Countermeasures
Why it's important: Attackers use port scans to find open ports and services on your network, which they can exploit.
Key Steps:
- Configure firewalls and IDS to detect and block port scans. Make sure they inspect not just headers but also packet contents.
- Run port scans on your own network to test your defenses and ensure that firewalls properly detect scanning attempts.
- Update router, IDS, and firewall firmware to the latest versions to close any security holes.
- Minimize open ports: Keep only necessary ports open and block others using firewall rules (e.g., block ports 135-159, 445).
- Filter ICMP messages: Block unnecessary inbound and outbound ICMP messages to avoid reconnaissance attempts.
- Use anti-scanning and anti-spoofing rules: These help block attackers trying to hide their identities.
- Use honeypots: Redirect attackers to fake systems (honeypots) to waste their time and gather intelligence.

2. Banner Grabbing Countermeasures
What it is: Banner grabbing reveals information about the OS or service running on an open port (e.g., web servers display their version info in banners).
Key Steps:
- Turn off unnecessary services: Reduce the information available to attackers by disabling services you don’t need.
- Display false banners: Trick attackers by sending fake information.
- Mask server information: Use tools to hide or change the server banner information (e.g., in Apache, change the ServerSignature to Off and ServerTokens to Prod).
- Hide file extensions: Avoid using extensions that give away the server technology (e.g., replace .asp with .htm).

3. IP Spoofing Detection Techniques
What it is: IP spoofing involves an attacker pretending to be another device by forging the IP address in their packets.
Detection Methods:
- Direct TTL Probes: Compare the TTL (Time to Live) value of packets from the attacker with a genuine packet from the target. If the TTLs don’t match, the packet is likely spoofed.
- IP Identification Number (IPID): Monitor the IPID field in packet headers. If the IPID in the spoofed packet doesn’t match the expected value, the packet is spoofed.
- TCP Flow Control Method: In a normal connection, when the window size is exhausted, the sender stops sending packets. Spoofed packets will continue after the window is full, revealing the spoof.

Countermeasures for IP Spoofing
- Avoid IP-based trust: Don’t rely solely on IP addresses for authentication.
- Use firewalls and filtering: Filter both incoming and outgoing packets. Block any packets with spoofed source addresses.
- Randomize initial sequence numbers: Prevent attackers from predicting TCP sequence numbers and hijacking connections.
- Use ingress and egress filtering: Filter packets at the network's entry and exit points to block spoofed IP addresses.
- Encrypt traffic: Use protocols like IPsec, TLS, and SSH to encrypt data and reduce the risk of spoofing.

Additional Tools for Scanning Detection
- ExtraHop: Provides real-time visibility and detects network scanning by automatically identifying devices and vulnerabilities.
- Splunk Enterprise Security: A powerful tool for monitoring and detecting network scanning attempts.
- Scanlogd: Detects port scanning and logs suspicious activity.
- Vectra Cognito Detect: Identifies network threats like scanning attempts.
- IBM Security QRadar: Offers comprehensive security monitoring and scanning detection.
- Cynet 360: Detects and blocks malicious scanning activities on networks.
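
The direct TTL probe and IPID checks from "IP Spoofing Detection Techniques" above, as an added Python example that is not part of the original notes. The hop-count estimate from common initial TTLs, the slack and window values, and the packet values are constructed assumptions; the IPID check only applies to hosts that use a single incrementing IPID counter.

```python
# Added example: header values are constructed, not captured traffic.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Reply received after probing the claimed source address directly.
PROBE_REPLY = {"ttl": 52, "ipid": 4108}
# Two suspect packets that both claim to come from that same source.
CONSISTENT = {"ttl": 52, "ipid": 4100}
SPOOFED = {"ttl": 109, "ipid": 60000}


def hops_from_ttl(ttl):
    """Estimate hops travelled, assuming the sender started from the
    nearest common initial TTL at or above the observed value."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl


def check_spoof(suspect, probe_reply, ttl_slack=2, ipid_window=1000):
    """Compare a suspect packet with the reply to a direct probe.

    Both arguments are dicts holding 'ttl' and 'ipid' from the IP header.
    Returns a list of reasons the packet looks spoofed (empty = consistent).
    """
    reasons = []
    # Direct TTL probe: traffic from the real host crosses the same path,
    # so the estimated hop counts should agree within a small slack.
    gap = abs(hops_from_ttl(suspect["ttl"]) - hops_from_ttl(probe_reply["ttl"]))
    if gap > ttl_slack:
        reasons.append(f"ttl: hop count differs by {gap}")
    # IPID: the reply is sent shortly after the suspect packet, so its
    # 16-bit counter should be slightly ahead (modulo wrap-around).
    delta = (probe_reply["ipid"] - suspect["ipid"]) % 65536
    if not 0 < delta <= ipid_window:
        reasons.append(f"ipid: reply is {delta} ahead, expected 1..{ipid_window}")
    return reasons


if __name__ == "__main__":
    for name, pkt in (("consistent", CONSISTENT), ("spoofed", SPOOFED)):
        print(name, check_spoof(pkt, PROBE_REPLY) or "no mismatch")
```
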
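
A threshold-based port scan detector of the kind the port scanning countermeasures above ask firewalls and IDS to run, as an added Python example (not from the original notes, and not the algorithm of any tool listed). The log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log (not real traffic): "epoch_seconds src dst dport".
SAMPLE_LOG = """\
100.0 203.0.113.50 192.0.2.30 445
100.4 198.51.100.7 192.0.2.10 443
100.9 203.0.113.50 192.0.2.10 22
101.3 203.0.113.50 192.0.2.20 3389
102.0 203.0.113.50 192.0.2.30 80
102.2 198.51.100.7 192.0.2.10 443
102.8 203.0.113.50 192.0.2.10 135
103.5 203.0.113.50 192.0.2.20 445
140.0 198.51.100.7 192.0.2.10 443
"""


def detect_scanners(log_text, window=10.0, threshold=5):
    """Return {src: peak count of distinct (dst, dport) targets contacted
    within any `window` seconds} for sources that reach `threshold`."""
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, dport = float(parts[0]), parts[1], parts[2], int(parts[3])
        except (IndexError, ValueError):
            continue              # skip blank or malformed lines
        q = recent[src]
        q.append((ts, (dst, dport)))
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Count distinct targets, so repeat connections to one service
        # (the normal client here) never add up to a scan.
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))
```

Because the count is over distinct targets per source, the order in which hosts are probed does not change the result. When decoys are in use, every decoy address crosses the threshold together with the real one, so a flagged source is a lead to correlate with TTL or IPID checks, not proof of origin.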