CSF3203 Intrusion Detection and Ethical Hacking (Chapter 7) - Higher Colleges of Technology

Summary

This document is a chapter from a course on intrusion detection and ethical hacking. It covers topics such as scanning and enumeration techniques. The provided summary will help the reader understand the main concepts of the chapter.

Full Transcript

CSF3203
Intrusion Detection and Ethical Hacking
Chapter 7: Scanning and Enumeration (CLO2, 4, 5)
1
Credits and Revision Control

Change description: Existing material is revised and
updated; related lab activities are updated
Change level: Minor

Versi
Author Effective Date Change Description DRC No
on
1.0 Unknown NA Define the first version 001
1.1 Dr. Samer Aoudi Fall 2022 (Aug 2022) Revise the first version 002

2
Chapter Learning Objectives

Upon completing this chapter, students will be able to:
Discuss the objectives and types of scanning in pentesting
Discuss Identify various scanning and enumeration techniques
Discuss enumeration and enumeration techniques
Implement vulnerability scanning against virtual machines
Utilize standard scanning and enumeration tools
Perform network and port scanning
Perform vulnerability scanning
Apply countermeasures against scanning techniques

3
Scanning
Now that we have collected basic information about
the target network, we are ready to dig deeper by
scanning the network for hosts, ports (services), and
vulnerabilities

Pre-Engagement

Vulnerability Penetration
Planning & Info Gathering Analysis &
Detection Attempt (Gaining Cleaning Up
Preparation (Recon) Reporting
(Scanning) Access)

Scanning may lead to detecting vulnerabilities in the
target system

4
From Footprinting to Scanning

In Footprinting, we collect high-level information about the
network such as network address range Amazon Site Report from
netcraft.com

Scanning is more focused and allows us to get specific
network information

Running services on a target
host
5
What is Scanning?

Scanning is the process of discovering systems on a
network including open ports and running services
(applications)

10.1.1.1 10.1.1.2 10.1.1.3 WIN10 LINUX WIN SERVER RDP SSH APACHE

IP Addresses & Open Ports of Live Hosts OS & System Architecture Services Running on Hosts

Scanning refers to collecting more information using
complex and aggressive reconnaissance
Crafted Packets (TCP | UDP |
ICMP)
techniques
Network Information

6
Types of Scanning

1. Network Scanning
Discover active hosts on a network and produce a network map
(network sweeping + network tracing)

2. Port Scanning
For each discovered host, identify open ports (i.e. running
services)
Additionally, we can identify the version of each running service
(version scanning)

3. Vulnerability Scanning
Identify vulnerabilities (MBSA and Nessus) 7
Why Scanning?

Network security assessment

Evaluating and auditing existing security controls
Firewall Penetration Test (Policy auditing)
IDS proof/evaluation What techniques and tools do we
Identifying unexpected new servers use?
 Ping Sweeps (e.g. nping)
 Tracerouting (e.g. scapy)
Identifying open ports to:  Network Scans (e.g. nmap)

Proactively protect the network (Network and security admin)
Attack the network (Hackers)

8
Network Scanning Process

Step 1: Specify Target Network
Examples:
192.168.1.1/24
128.45.12.2/16
17.122.33.1/8

Step 2: Scan for Live Hosts
Called Host Discovery
Typically done with a ping scan or a ping sweep (AKA network sweep)
Sweep
Techniques
Step 3: Discover Network Topology  ICMP Sweep
This is done using network tracing  TCP Sweep
 UDP Sweep

9
Ping (Single-Host Scan)

A Ping command sends ICMP echo requests to a single host
If the host is up it will return an ICMP echo reply

1 Echo
Request

2 Echo Reply

Wireshark output

10
Ping Scan (Ping Sweep)

Instead of sending an echo request to
single host, you can use tools to send
requests to multiple hosts across a
network
This is used to determine the live hosts within
an IP range
Only live hosts will reply with an ICMP ECHO
reply
Echo requests to multiple hosts
Attackers can create an inventory of the
network

11
Host Discovery: ICMP Sweeps

Technique
Sending an ICMP ECHO request (ICMP type 8)
If an ICMP ECHO reply (ICMP type 0) is received : target is alive;
No response: target is down

Pros & Cons
Easy to implement
Fairly slow
Most networks block ICMP traffic so we don’t get a response back

12
Host Discovery: TCP Sweeps

Sending TCP ACK or TCP SYN packets

The port number can be selected to avoid block in by
firewall
Usually a good pick would be 21 / 22 / 23 / 25 / 80

But.. firewalls can spoof a RESET packet for an IP address,
so TCP Sweeps may not be reliable

13
Host Discovery: UDP Sweeps

Relies on the ICMP PORT (i.e., destination) UNREACHABLE
When a host is active, it will respond with ICMP PORT UNREACHABLE message to say that
the port is not open
https://youtu.be/K0_kHaJVcv4
2. https://youtu.be/iyqt8DHYYec
3.
Cons:
Routers can drop UDP packets as they cross the Internet
Many UDP services do not respond when correctly probed
Firewalls are usually configured to drop UDP packets (except for DNS)
UDP sweep relies on the fact that a non-active UDP port will
respond with an ICMP PORT UNREACHABLE message

14
Ping Tools (ping; fping; nping; hping3)
There are many tools to perform ICMP scanning

ping 192.168.40.19

If host is active
Send ICMP fping and responding,
Echo we receive Echo
Request 192.168.40.19 Reply

nping --icmp 192.168.40.19

hping3 -1
192.168.40.19
15
Quick Activity: Ping Tools (fping & nping)

Using the man pages in Kali Linux, get information about
fping and nping
Answer the following questions:
1. What protocol does fping use?
2. How does fping differ from ping?
3. What is nping and what can you do with it?

16
Network Tracing

In ICMP, the TTL (Time To Live) field
of an IP packet represents the
maximum number of IP routers that
the packet can go through before
being getting dropped

Traceroute uses the TTL field to
discover the routers on the path to a
destination Source: https://www.loriotpro.com
Each router will decrement the TTL by 1

17
Scanning Video Demo

Watch a video demonstrating scanning a network to discover
live hosts

https://youtu.be/QTR_7ybAQcw

18
HPING3

HPING3 is a command line network tool able to send custom TCP/IP
packets and to display target replies like ping program does with ICMP
replies

If ICMP is blocked (ping) then HPING3 can be used to get information
(through TCP)

HPING3 can:
Scan ports using SYN, ACK and other flags One host at a time!
Discover hosts
Perform foot printing
Can perform sniffing
Perform file transfers

19
HPING3 Modes

HPING3 is available in Kali. Command:
hping3 host [options]
By default HPING3 uses TCP (with no flags set). You can
change the mode using the following modes:
-0 (Raw IP mode)
hping3 192.168.44.36 -1
-1 (ICMP mode)
-2 (UDP mode) hping3 192.168.44.36 -2
-8 (Scan mode)
-9 (Listen mode) hping3 192.168.44.36 -9

20
HPING3 TCP Flags

To set a flag in HPING3, you simply specify it as an option
-S (SYN)
-A (ACK) hping3 192.168.44.36 -S
-R (RST)
-F (FIN) hping3 192.168.44.36 -A
-P (PUSH)
-U (URG) hping3 192.168.44.36 -F
-X (XMAS)
-Y (YMAS)

21
HPING3 Port Specification

By default, HPING3 uses sends packets to port 0
(destination) from a random/dynamic port (source)
You can specify the source with the –s option
Small s (capital S is for SYN)
You can specify the destination with the –p option

hping3 192.168.44.36 -S -s 44567 -p 80
SYN From this
To port 80
Scan port

22
 Useful HPING3 Probes: Scan Mode
Scan TCP scan with no flags set:
Verbose
mode Closed ports respond with
RST/ACK
ng3 192.168.135.138 -8 20-25 -V Open ports will not respond
Ports 20 to
25

ng3 192.168. 35.138 -S -8 20-25 -V
SYN flag is
set
If SYN flags is set:
Closed ports respond with
RST/ACK
Open ports will respond with
23
SYN/ACK
 Useful HPING3 Probes: FIN, PUSH and URG
Set F, P, and U Count = 5 (send 5
flags packets)

ng3 192.168.135.138 -FPU -p 21 Closed
-c 5ports respond with
Target port RST/ACK
21 Open ports will not respond

Port 21 is
open

ng3 192.168.135.138 -FPU -p 20 -c 2

Port 20 is
closed
24
 Useful HPING3 Probes: Listen Mode
Listen on this
Listen mode
interface

ing3 -9 HTTP -I eth0 > output_file
Intercept HTTP Send output to this
traffic file

To test this command, open a
web browser and visit any
website. Examine the output
in the generated file.

25
 Useful HPING3 Probes: DoS Attack
10,000 SY Target Flood
packets N port mode

192.168.135.138 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand
TCP header window From a random
Size of each packet port
size

To test this command, test the FTP
service on the Metasploitable target
before and during.
Notice that while in flood mode, hping3
does not show replies.

Non-responsive FTP
26
Network Scanning

One of the very first steps in network reconnaissance is to
reduce a set of IP ranges into a list of active or interesting
hosts
Perform Host Discovery

Live Hosts

After discovering live hosts, hackers would want to know
more about each one of these hosts: Ports &
Services
Open Ports and Running Services
Operating System
And more… OS

27
Port Scanning

A port scanner is a software application designed to scan a
host for open ports
Example: NMAP

Many ISPs restrict their customers' ability to perform port
scans

Port scanning programs report:
Ports (open, closed, or filtered)
Associated services (e.g. HTTP Web Server)
Best-guess running OS
28
Computer Ports
A Port is
 An endpoint of communication
 Logical number between 0-65,535
 Represents a running service 8
 HTTP  80 2 0
1
 POP3  110
2
…
2
 There are ~1,000 common ports
 i.e. default numbers 5
 Default ports can be changed 3

13
9

44
Computer Network Services 3 …
 Provide services to other computers
 Listen on dedicated ports
 Should be reachable via a network
connection
 Respond to communication requests
29
Port Scanning Overview

Authorized users access network services using certain
software applications. Examples:
Web browser  Web server (HTTP 80)
Email Client  Email server (SMTP 25)
Command Shell  SSH Server (SSH 22)

Hackers can test if a port is open by sending specially
crafted packets. Example:
Send a SYN packet:
If the target responds with a SYN/ACK, the port is open
If the target responds with an RST packet, the port is closed

30
Port Scanning: TCP Connect Scan

This scan uses basic TCP connection establishment
mechanism
It complete 3-ways handshake
Easy to detect by inspecting the system log

By default, NMAP performs a SYN Stealth scan which does
not complete the 3-way handshake 31
Network Scanning Using NMAP

Using NMAP, you can perform Host Discovery by specifying
a target network or a range of IP addresses. Example:

nmap 192.168.135.138/24
Scans Class-C network (i.e. 256
hosts)

You can also target a single host
nmap 192.168.135.138
Scans a single
host
32
 NMAP

NMAP is a powerful network exploration tool and security /
port scanner tool that performs the task of a network
mapper and can show running services on computer
Nmap is available on Kali
Zenmap is a GUI version for Windows
Command line syntax:
map [scan type(s)] [options] {target}
SYN; TCP Connect; Null; IP, hostname,
etc. networks

33
NMAP Port States

NMAP without any options scans 1,000 ports on the target
You can specify which ports to scan using the –p option
NMAP reports the following port states:
Open
An application is actively accepting connections
Closed
A closed port is accessible (it receives and responds to NMAP probe packets), but there is no application
listening on it
Filtered
NMAP can’t determine if the port is open because of packet filtering (e.g. firewall)
Unfiltered
Port is accessible, but NMAP is unable to determine whether it is open or closed
Open|Filtered
NMAP unable to determine whether a port is open or filtered. Open port may not respond
Closed|Filtered
NMAP is unable to determine whether a port is closed or filtered

34
 Scan Types

nmap
SYN Scan -sS 192.168.135.138
Stealthy scan (doesn’t complete TCP connections)

map -sT 192.168.135.138
TCP Connect Scan
Completes three-way handshake

nmap
NULL Scan -sN 192.168.135.138
Packet flags are turned off (no flag is set)

map -sF 192.168.135.138
FIN Scan
Closed port responds with an RST packet
35
 Scan Types –Continued

nmap
ACK Scan -sA 192.168.135.138
Used to get past firewall

map -sX 192.168.135.138
TCP Connect Scan
FIN, PSH and URG flags are set

nmap
UDP Scan -sU 192.168.135.138
Closed ports respond with ICMP “Port Unreachable” message (type 3, code 3

map -sF 192.168.135.138
FIN Scan
Closed port responds with an RST packet
36
 Scan Types –Continued

nmap
Service Version -sV 192.168.135.138/24
Very powerful option that enumerates the versions of running services

map -sn 192.168.135.138/24
Host Discovery
Skip port scan; quick host discovery

nmap
No Ping -Pn 192.168.135.138/24
No host discovery; probe each host assuming they are up

map -sL 192.168.135.138/24
List Scan
ackets are sent to the targets; Quick reverse-DNS resolution to get IP address (PTR record)
37
 Scan Options

nmap
Port Specification -p 80 192.168.135.138
Single port

map -p20-100 192.168.135.138
Port Range
From port 20 to 100; Deep scan is from 0-65535

nmap
OS Fingerprinting -O 192.168.135.138
Determine the Operating System

ap -oN output_file 192.168.135.138
File Output
Send output to a file
38
OS Fingerprinting (AKA Banner Grabbing)

OS Fingerprinting is the process of determining the
operating system (OS) used by a host on a network
Goal is to guess host role and vulnerabilities

Two types:
Passive
Done via sniffing information (e.g. error messages; TTL; Window size are
analyzed)
Active
Attacker sends a variety of malformed packets to the remote host, and the
responses are compared with a database (e.g. Null scan to an open port)

39
Banner Grabbing Countermeasures

Whenever a port is open, it implies that a service/banner is
running on it

Banner

As a countermeasure, disable or change the banner
Display false banners to mislead or deceive attackers
Turn off unnecessary services on the network host to limit
information disclosure

40
From Scanning to Vulnerability Detection

Scan a
Network Scan a Host
(Discover Ports What Next?
(Discover Live
Hosts) & Services)

41
Vulnerability Detection

Some (i.e., not necessarily all) of the discovered services may be
vulnerable

Web Server DB Server Mail Server

Footprint these discovered services to obtain additional information
such as the version, and use this information to discover
vulnerabilities if any

42
Vulnerability Databases

A tool like NMAP allows you to get a lot of information about
running services on the target

Research the discovered services using vulnerability
databases such as CVE Details

43
Common Vulnerabilities Exposure (CVE)

CVE® is a “list of entries—each containing an identification
number, a description, and at least one public reference—
for publicly known cybersecurity vulnerabilities.”
Source: https://cve.mitre.org/

National Vulnerability Database (NVD)
https://nvd.nist.gov/vuln/search
CVE Details
https://www.cvedetails.com/

44
Searchable Exploit Database (Kali)

SearchSploit - Exploit Database Archive Search

man searchsploit
45
Vulnerability Scanning

Auditors and Security Analysts may use automated
vulnerability scanning tools such as Nessus
Vulnerability-scanning software scans the computer against
the Common Vulnerability and Exposures (CVE) index
Human judgement is still needed to analyze the results

Nessus is a vulnerability
assessment tool that automates
vulnerability scanning
46
Scanning Countermeasures

Ping Sweep Countermeasures
Configure the firewall to detect and prevent ping sweep attempts instantaneously
Use IDS and IPS such as Snort to detect and prevent ping sweep attempts
Port Scanning Countermeasures
Configure firewalls, IDS, and IPS to detect and block probes
Use custom rules to lock down the network and block unwanted ports. The firewall should
be able to examine the data contained in each packet before allowing the traffic to pass
through it
Run port Scanning tools to determine whether the firewall accurately detects the port
scanning activities
Security Experts should ensure the proper configuration of anti-scanners and anti-spoofing
rules
Security experts of an organization must also ensure that the IDS, routers, and firewall
firmware are updated to their latest releases
Block unwanted services running on the ports and update the service versions
Ensure that the versions of services running on the ports are non-vulnerable

47
Enumeration

Enumeration is the process of extracting usernames, machine names,
network resources, shares, and services from a system or network
To perform enumeration, an attacker creates active connections with the
system and sends directed queries to gain more information about the
target, including:
Network resources
Network shares
Routing tables
Audit and service settings
SNMP and fully qualified domain name (FQDN) details
Machine names
Users and groups
Applications and banners

48
Enumeration Techniques (1 of 2)

Extract usernames using email IDs
Every email address contains two parts, a username and a domain name, in the format
“username@domainname”

Extract information using default passwords
Many online resources provide a list of default passwords assigned by manufacturers to
their products. Users often ignore recommendations to change the default usernames and
passwords provided by the manufacturer or developer of a product. This eases an
attacker’s task of enumerating and exploiting the target system.

Brute force Active Directory
There is a design error in the Microsoft Active Directory implementation. If a user enables
the “logon hours” feature, then all the attempts at service authentication result in different
error messages. Attackers take advantage of this to enumerate valid usernames. An
attacker who succeeds in extracting valid usernames can conduct a brute-force attack to
crack the respective passwords

49
Enumeration Techniques (2 of 2)

Extract information using DNS Zone Transfer
Covered in a previous chapter

Extract user groups from Windows
The attacker can extract information from groups in which a
registered user is a member by using the Windows interface or
command-line method

Extract usernames using SNMP
Attackers can easily guess read-only or read-write community
strings by using the SNMP application programming interface (API)
to extract usernames 50
SNMP Enumeration Video Demo

Watch a video demonstrating enumerating username/password
using SNMP

https://youtu.be/zYqSOcbVZ4k

51
Services and Ports Enumeration

There are several services and ports that provide enumeration
opportunity:
TCP/UDP 53: DNS Zone Transfer
TCP/UDP 135: Microsoft RPC Endpoint Mapper
UDP 137: NetBIOS Name Service (NBNS)
TCP 139: NetBIOS Session Service (SMB over NetBIOS)
TCP/UDP 445: SMB over TCP (Direct Host)
UDP 161: Simple Network Management Protocol (SNMP)
TCP/UDP 162: SNMP Trap
TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
TCP 2049: Network File System (NFS)
TCP 25: Simple Mail Transfer Protocol (SMTP)
And more...

52
NetBIOS Enumeration

The first step in enumerating a Windows system is to take advantage of the NetBIOS API
Windows uses NetBIOS for file and printer sharing
The NetBIOS name is a unique 16-character ASCII string assigned to Windows systems to identify
network devices over TCP/IP; 15 characters are used for the device name, and the 16th is
reserved for the service or record type
NetBIOS uses
UDP port 137 (name services),
UDP port 138 (datagram services), and
TCP port 139 (session services)
Attackers usually target the NetBIOS service because it is easy to exploit and run on Windows
systems even when not in use
Attackers use NetBIOS enumeration to obtain the following:
The list of computers that belong to a domain
The list of shares on the individual hosts in a network
Policies and passwords

53
NetBIOS Name List

54
Nbtstat Utility

Nbtstat is a Windows utility that helps in troubleshooting
NETBIOS name resolution problems

nbtstat

55
NetBIOS Enumeration Using NMAP

nmap --script nbstat.nse

56
Enumerating User Accounts

Enumerating user accounts using the PsTools suite helps in controlling
and managing remote systems from the command line
The suite includes several tools such as:
PsExec is a lightweight Telnet replacement that can execute processes on other
systems
PsFile is a command-line utility that shows a list of files on a system that opened
remotely
PsGetSid translates SIDs to their display name and vice versa
PsKill is a kill utility that can kill processes on remote systems
PsInfo is a command-line tool that gathers key information about local or remote
legacy Windows NT/2000 systems
PsList is a command-line tool that displays central processing unit (CPU) and memory
information
PsPasswd can change an account password on local or remote systems
PsShutdown can shut down or reboot a local or remote computer

57
Enumerating Shared Resources Using Net View

Net View is a command-line utility that displays a list of
computers in a specified workgroup or shared resources
available on a specified computer

net view \\
Host name or IP address
net view \\ /ALL
Display all the shares on this
specific host
net view /domain
The above command displays all the shares in the
domain

58
Quick Quiz (1 of 2)

Scanning may lead to detecting vulnerabilities
_____________ in the target system.

active hosts
The outcome of a network scan is a list of _______________.

running service
An open port often indicates there is a _____________.

ICMP (or PING)
A(n) _______________ sweep involves sending an Echo Request and is easily
blocked.

TCP
A(n) _______________ sweep involves setting SYN or ACK flags in the sent
packets.

59
Quick Quiz (2 of 2)

In a ____________
UDP sweep, non-active ports will respond with an ICMP PORT
UNREACHABLE message.

The __________
TTL
field of an ICMP packet represents the maximum number
of IP routers that the packet can go through before being getting
dropped.

False
TRUE OR FALSE? Hping3 can scan an entire network range.

Active
________ Banner grabbing involves sending malformed packets and
comparing results against database entries.

60
Resources

https://nvd.nist.gov/vuln/search
https://www.cvedetails.com
https://vulners.com/
https://www.securitymetrics.com

61