Module 3: Network Scanning Concepts PDF
Document Details
Uploaded by BestPerformingSnail6897
Tags
Related
- Certified Cybersecurity Technician Information Security Attacks Exam 212-82 PDF
- Troubleshooting Basic Network Issues using Utilities and Tools 212-82 PDF
- Week-12 PDF - Ethical Hacking Lecture Notes
- Troubleshooting Common Network Issues PDF
- Week 5 Notes - Networking Concepts
- LAN Technologies - Spanning Tree Protocol (STP) PDF
Summary
This document details network scanning concepts, including objectives, types of scanning, and the network scanning process. It also discusses TCP communication flags and various tools used in network security.
Full Transcript
Module 3 Network Scanning Concepts Network scanning is the second phase in an attack, following footprinting. In this phase, attackers use network scanning techniques to gather detailed information about a target, including identifying hosts, open ports, and services in the network. This helps attac...
Module 3 Network Scanning Concepts Network scanning is the second phase in an attack, following footprinting. In this phase, attackers use network scanning techniques to gather detailed information about a target, including identifying hosts, open ports, and services in the network. This helps attackers develop a profile and find vulnerabilities to exploit. Objectives of Network Scanning 1. Discover Live Hosts: Identify active machines and their IP addresses. 2. Identify Open Ports: Find open ports and services running on hosts, which can be used as entry points for attacks. 3. Operating System Discovery (Fingerprinting): Detect the target’s operating system and system architecture to plan specific attacks. 4. Service and Application Identification: Identify services or specific versions of applications running on the target system. 5. Vulnerability Detection: Uncover potential vulnerabilities in systems that can be exploited. Types of Scanning 1. Port Scanning: Lists open ports and services by sending messages to target ports. Helps identify services running on the system and their potential vulnerabilities. 2. Network Scanning: Identifies active hosts and their IP addresses. Used to assess the security of the network or target active hosts for attacks. 3. Vulnerability Scanning: Identifies known vulnerabilities in the target system by comparing it with a database of exploits. Useful for detecting outdated software or misconfigured systems. Network Scanning Process Attackers send TCP/IP probes to the target network and receive information back, revealing details about live hosts, services, operating systems, and potential vulnerabilities. This process enables attackers to map the network and find exploitable entry points. TCP Communication Flags TCP flags help manage network connections and control the flow of data during communication. Attackers use certain TCP flags to gather information about the target system: 1. SYN (Synchronize): Starts a connection (used in the three-way handshake). 2. ACK (Acknowledgement): Confirms the receipt of data. 3. PSH (Push): Sends all buffered data immediately. 4. URG (Urgent): Prioritizes processing of urgent data. 5. FIN (Finish): Closes a connection. 6. RST (Reset): Resets the connection, often used by attackers to identify open ports. TCP/IP Communication Start End I’ll reorganize the content into a clearer structure, including a detailed table for hping3 examples as requested, while preserving most of the details. Here's a more organized and comprehensive version: LO#02: Use Various Network Scanning Tools 1. Nmap Nmap is one of the most popular network scanning tools, widely used for: Inventorying networks. Managing service upgrade schedules. Monitoring host or service uptime. Attackers use Nmap to gather: Information about live hosts on a network. Open ports. Services running on those ports (including the application name and version). Information about packet filters or firewalls. Operating system details and versions. Command Example: nmap -p 1-65535 -T4 -A -v Example Output: Port 3389: Service - Microsoft Terminal Services Port 80: Service - HTTP (possibly Microsoft IIS) Security Info: HTTP methods (GET, POST, TRACE) that could indicate risks. 2. Hping3 Hping3 is a versatile command-line tool that can be used for: Network security auditing. Firewall testing. Path MTU discovery. Advanced traceroute. Remote OS fingerprinting. Remote uptime guessing. TCP/IP stack auditing. Common Hping3 Commands and Uses: Purpose Command Example Description ICMP Ping hping3 -1 10.0.0.25 Sends an ICMP echo request (Ping) to the target. SYN Scan on Port Range hping3 -8 50-60 -S 10.0.0.25 - Scans ports 50-60 for SYN responses, verbose output. V ACK Scan on Port 80 hping3 -A 10.0.0.25 -p 80 Sends ACK packets to port 80, typically used to test firewall rules. FIN Scan on Port 80 hping3 -F 10.0.0.25 -p 80 Sends FIN packets to port 80. Helps identify open/closed ports (stealthy scan). SYN Flood hping3 -S 10.0.0.25 -p 80 -- Floods the target with SYN packets on port 80 (DoS flood testing). Traceroute with Hping3 hping3 --traceroute -V -p 80 Performs a traceroute using TCP SYN packets on port 80. 10.0.0.25 Scan with Random hping3 -S 10.0.0.25 -p 80 -s Sends SYN packets to port 80 using source port 1024. Source Port 1024 UDP Scan hping3 -2 10.0.0.25 -p 53 Performs a UDP scan on port 53. 3. Metasploit Framework Metasploit is a powerful penetration testing platform used for: Discovering vulnerabilities. Exploiting those vulnerabilities. Automating network attacks. Attackers use Metasploit to gain access to systems by exploiting known vulnerabilities in various services. Metasploit's capabilities: Vulnerability scanning. Exploit development and execution. Post-exploitation tasks (privilege escalation, data extraction, etc.). Source: Metasploit 4. NetScanTools Pro NetScanTools Pro is designed for discovering: IPv4 and IPv6 addresses. Hostnames and domain names. It provides attackers with the ability to identify open ports and vulnerabilities in a target system. Source: NetScanTools 5. Other Scanning Tools Tool Description Source Unicornscan High-performance scanner for large-scale network audits. N/A SolarWinds Port Scanner Scans open ports and identifies vulnerabilities in network devices. N/A PRTG Network Monitor Monitors network availability and usage, tracks uptime/downtime, bandwidth, etc. N/A OmniPeek Network Provides packet-level network analysis for troubleshooting and performance N/A Analyzer monitoring. 6. Mobile Device Scanning Tools Tool Platform Description Source IP Scanner iOS Scans local networks to identify active devices, showing IP and MAC IP Scanner addresses. Fing iOS/Android Provides details like IP addresses, device vendor, MAC addresses, etc. Fing Network Android Displays IP addresses, MAC addresses, hostnames, and performs port Network Scanner scans. Scanner Here's an organized, simplified version of LO#03: Demonstrate Various Scanning Techniques for Host Discovery. I've maintained the clarity and structure, while ensuring that every important method and example is mentioned. LO#03 Host Discovery Techniques Host Discovery involves identifying active or live systems within a network. This is a crucial first step in network scanning, helping avoid scanning every port on every IP address. Various methods and tools are used to identify live systems, which I'll outline below: Host Discovery Techniques Summary Technique Description Tools/Command Response ARP Ping Scan Sends ARP requests to discover active nmap -sn -PR ARP Response = Active, devices. Efficient and accurate, often used in No Response = Inactive LANs. UDP Ping Scan Sends UDP packets to check for active hosts. nmap -sn -PU UDP Response = Active, Effective for systems behind firewalls. Host Unreachable = Inactive Technique Description Tools/Command Response ICMP Echo Ping Sends ICMP Echo requests. Identifies active nmap -sn -PE Echo Reply = Active, No Scan systems through replies. Response = Inactive ICMP Echo Ping Sends ICMP Echo requests to multiple hosts. nmap -sn -PE ICMP Echo Replies = Sweep Useful for identifying live hosts in a network. Active Hosts ICMP Timestamp Requests time from the target. Useful when nmap -sn -PP Timestamp Reply = Active, Ping Scan ICMP Echo is blocked. No Response = Inactive ICMP Address Sends ICMP Address Mask requests. Effective nmap -sn -PM Address Mask Reply = Mask Ping Scan when Echo is blocked. Active, No Response = Inactive TCP SYN Ping Sends TCP SYN requests, initiating a 3-way nmap -sn -PS SYN-ACK = Active, No Scan handshake. Does not create actual Response = Inactive connections, avoiding detection. TCP ACK Ping Sends TCP ACK requests, often used to nmap -sn -PA RST Response = Active, Scan bypass firewalls that block SYN scans. No Response = Inactive IP Protocol Ping Sends packets using different IP protocols nmap -sn -PO Any Response = Active, Scan (ICMP, IGMP, etc.) to detect active systems. No Response = Inactive ICMP Methods Overview 1. ICMP Echo Request (Ping) What it does: Sends a request to a specific host to see if it’s alive. How it works: The host responds back with an echo reply if it’s active. Used for: Basic connectivity checks (like saying "Are you there?"). 2. ICMP Ping Sweep What it does: Sends echo requests to a range of IP addresses to find which ones are alive. How it works: By sending multiple echo requests, the sender identifies which hosts respond. Used for: Scanning a network to discover live hosts (like saying "Are you there?" to many addresses at once). 3. ICMP Timestamp Request What it does: Asks a host for the current time. How it works: The host replies with its time, helping the requester know it's alive and the round-trip time. Used for: Timing measurements and checking if a host is responsive. 4. ICMP Address Mask Request What it does: Requests the subnet mask of a host. How it works: The host replies with its subnet mask, which tells the requester how the network is structured. Used for: Understanding the network configuration of the host. 5. ICMP Destination Unreachable What it does: Informs the sender that a destination is unreachable. How it works: If a packet can’t reach a host, the router sends this message back to the sender. Used for: Troubleshooting network issues (like saying "I can't find that address!"). 6. ICMP Time Exceeded What it does: Informs that a packet took too long to reach its destination. How it works: If a packet hops through too many routers (exceeding its "time to live"), this message is sent back. Used for: Diagnosing routing loops or overly long paths (like saying "This took too long!"). Summary Table ICMP Method Description Used For Echo Request (Ping) Checks if a host is alive Basic connectivity checks Ping Sweep Sends echo requests to multiple IPs Scanning a network for live hosts Timestamp Request Asks for the current time Timing measurements Address Mask Request Requests the subnet mask Understanding network structure Destination Unreachable Notifies the sender that a host is unreachable Troubleshooting network issues Time Exceeded Informs that a packet took too long Diagnosing routing problems IP Protocol Ping Scan Overview The IP Protocol Ping Scan involves sending packets with different protocol types (like TCP, UDP, ICMP) to a target host to identify which protocols the host supports. Here’s a simple breakdown: IP Protocol Ping Scan What it does: Sends packets using different protocols to see which ones the target host responds to. How it works: Instead of just sending ICMP echo requests (like a typical ping), it uses various protocols (like TCP or UDP) and checks for responses. If the host responds to a specific protocol, it indicates that the host is listening on that protocol and can handle traffic over it. Used for: Discovering which IP protocols (ICMP, TCP, UDP, etc.) are enabled on a target. Gaining insights into the services or applications running on the host by knowing which protocols are active. Summary The IP Protocol Ping Scan is a more comprehensive way of checking for active hosts than a standard ping, as it covers multiple protocols rather than just ICMP. Ping Sweep Tools Tool Description Angry IP Scanner Scans IP addresses and ports, resolves hostnames, and identifies live systems. SolarWinds Engineer’s Provides a comprehensive range of network management tools, including ping sweep. Toolset NetScanTools Pro Includes advanced network scanning and discovery tools. Colasoft Ping Tool Sends ICMP requests to probe networks and identify live hosts. Visual Ping Tester Offers a graphical interface for conducting ping sweeps and testing network response times. OpUtils Includes tools to detect live IPs and monitor network performance. LO#04Port Scanning Techniques Overview Scanning How It Works Advantages Disadvantages Technique TCP Connect/Full- This method involves establishing a full TCP - Simple and - Easily detected and Open Scan connection. The scanner sends a SYN packet, the reliable logged by firewalls and target replies with SYN-ACK, and the scanner - No special IDS because it completes the connection by sending an ACK. privileges required completes the full Once the connection is established, the scanner handshake sends an RST packet to close the connection. Stealth Scan (Half- Sends only a SYN packet to start the TCP - Avoids detection - Requires raw packet Open Scan) handshake. If the target responds with a SYN- by firewalls and privileges (root access) ACK, it means the port is open. The scanner then logging systems - Only works if you have sends a RST (reset) instead of completing the - Faster than a full- direct network access handshake, making the connection “half-open.” open scan This prevents logging on the target system. - Can bypass firewalls Inverse TCP Flag These methods send TCP packets with unusual - Extremely stealthy - Ineffective on Windows Scans: - FIN Scan - flag configurations: - Can bypass systems NULL Scan - Xmas - FIN Scan: Sends a packet with the FIN flag set. some firewalls and - Requires root access Scan - NULL Scan: Sends a packet with no flags set. IDS to create custom packets - Xmas Scan: Sends a packet with FIN, URG, - Useful against and PSH flags set. older systems If the port is open, no response is sent. If closed, using Unix-based the target sends a RST packet. OS ACK Flag Probe Sends an ACK packet to the target and analyzes - Useful for - Doesn't tell whether the Scan the response. If a RST packet is returned, it means detecting firewalls port is open or closed, the port is unfiltered (there’s no firewall). If no and their rules only if it's filtered response, the port is filtered (a firewall is blocking it). UDP Scan Sends a UDP packet to each port. If the port is - Can discover - Slow and inefficient closed, it responds with an ICMP Port services that use - Unreliable because Scanning How It Works Advantages Disadvantages Technique Unreachable message. If there’s no response, the UDP, like DNS and UDP doesn’t guarantee a port is open or filtered. SNMP response SCTP INIT Scan This method is used on SCTP (Stream Control - Quick and - Limited to systems that Transmission Protocol). It sends an INIT chunk to efficient on fast use SCTP start an association. If the port is open, it responds networks with an INIT-ACK. If closed, an ABORT chunk is - Can clearly sent. differentiate between open, closed, and filtered ports SCTP COOKIE Sends a COOKIE ECHO chunk. If the port is - Stealthier than - Cannot clearly ECHO Scan open, no response is sent (silent drop). If closed, INIT Scan distinguish between open the target sends an ABORT chunk. - Can bypass non- and filtered ports stateful firewalls Additional Port Scanning Techniques Scanning How It Works Advantages Disadvantages Technique BSD Network Uses old BSD networking code to take - Useful for older Unix - Doesn’t work on modern Code advantage of its quirks in handling packets. systems systems like Windows TCP Maimon Sends a FIN/ACK packet. If no response, the port - Can bypass firewalls - Effective mostly on older Scan is open; if RST is received, the port is closed. - Simple and stealthy BSD-based systems TTL-Based ACK Sends ACK packets and analyzes the TTL (Time - Helps evade firewalls - Slow and works best on Flag Probe To Live) value in the RST response. If TTL < 64, - Useful for checking older systems the port is open. open ports Window-Based Sends ACK packets and checks the Window - Can identify open - Limited by older BSD- ACK Flag Probe Size field in the RST response. If the window size ports when TTL scan derived TCP/IP stacks is non-zero, the port is open. fails IDLE Scan (IPID Uses a zombie system’s IPID (IP Identifier) to - Complete anonymity - Complex Header Scan) send spoofed packets to the target. Analyzes IPID - No direct interaction - Needs a suitable changes to detect open ports. with target "zombie" Detailed Explanations 1. BSD Network Code How it works: The Berkeley Software Distribution (BSD) networking code was part of early Unix systems and defined how packets were handled. Older systems running this code follow specific protocols, and attackers can exploit the way BSD handles certain TCP flags (like FIN, URG, PSH) to sneak past firewalls or security systems. Example: Think of it like finding a backdoor in an old building that hasn’t been updated—some old systems don’t respond to packets the way modern systems do, allowing you to get information without being detected. 2. TCP Maimon Scan How it works: This scan sends a FIN/ACK packet to the target. Normally, a closed port would respond with an RST packet, while an open port would send no response. The Maimon scan is useful against systems that follow BSD-derived protocols. If the port is open or filtered, there will be no response. If it’s closed, an RST packet will be sent. 3. TTL-Based ACK Flag Probe How it works: In this scan, ACK packets are sent to different TCP ports. The attacker analyzes the TTL (Time To Live) value in the RST responses. If the TTL value is less than 64, the port is open. If it’s greater than 64, the port is closed. This technique takes advantage of how packets are routed and how TTL decreases with each hop in a network. 4. Window-Based ACK Flag Probe How it works: Similar to the TTL-based scan, but instead of analyzing TTL values, this scan looks at the Window Size field in the RST packet. If the window size is non-zero, the port is open. If it’s zero, the port is closed. This method helps when TTL analysis doesn’t work. 5. IDLE Scan (IPID Header Scan) How it works (in detail): The IDLE scan takes advantage of another machine (called a zombie) to perform the scan. The attack works by manipulating the IPID (IP Identifier), a unique number assigned to packets. Here’s the step-by-step breakdown: 1. Find a Zombie: The attacker finds a "zombie" machine that increments its IPID with each packet it sends. This zombie will be tricked into sending packets to the target. 2. Probe the IPID: The attacker sends a SYN/ACK packet to the zombie to determine its current IPID. If the zombie responds with an RST, the attacker knows the current IPID value. 3. Spoof the Zombie’s IP: The attacker sends a SYN packet to the target, pretending it’s from the zombie’s IP address. If the target port is open, it sends a SYN/ACK packet back to the zombie. If it’s closed, it sends an RST. 4. Analyze the IPID: After the target responds to the zombie, the attacker sends another SYN/ACK packet to the zombie to check its new IPID value. If the IPID has increased by 2 (because the zombie sent an extra RST to the target), the port is open. If it only increased by 1, the port is closed. Example: It’s like sending a fake letter from your friend’s address (the zombie), and then secretly checking how many letters they received. If they got more than expected, you know the target responded Let’s dive into SSDP Scan, List Scan, and the other concepts you mentioned, explaining each in a simple, detailed way: SSDP and List Scan Overview Scanning How It Works Advantages Disadvantages Technique SSDP Scan Simple Service Discovery Protocol (SSDP) works - Allows finding devices - Vulnerable to with Universal Plug and Play (UPnP) to discover like routers, printers, etc. exploitation if UPnP is devices on the network. Attackers send SSDP M- - Can detect UPnP misconfigured SEARCH queries to detect vulnerable UPnP services. vulnerabilities (e.g., buffer - Can expose devices overflow or DoS attacks) to attacks List Scan Generates a list of IPs/hostnames without actually - Can verify if hosts exist - Does not provide scanning or pinging them. Reverse DNS resolution is on the network detailed info about the performed to identify hostnames. - Helps avoid triggering hosts firewalls - Does not actively scan services or ports Detailed Explanations 1. SSDP Scan (Simple Service Discovery Protocol) How it works: SSDP is a protocol used by Universal Plug and Play (UPnP) devices to discover each other on a network. When devices are connected (like routers, printers, smart TVs), they use SSDP to broadcast their availability. Attackers take advantage of this by sending SSDP M-SEARCH queries, which prompt devices to respond with their services. If the devices respond, attackers can identify vulnerabilities in UPnP, such as buffer overflow or Denial of Service (DoS) weaknesses. Example: Imagine you enter a room and yell, "Who’s here?" All the devices (like smart lights, printers) respond, "I’m here, and I do this!" An attacker uses these responses to find weak spots in these devices. Technical Focus: SSDP uses multicast over IPv4 and IPv6 to communicate. Vulnerabilities in UPnP can allow attackers to control these devices remotely or crash them with buffer overflow attacks (when too much data is sent, causing the device to malfunction). 2. List Scan How it works: The List Scan is a passive scan that doesn’t actually probe any devices. It only generates a list of IP addresses and performs Reverse DNS resolution to find the hostnames associated with these IPs. It’s essentially a “sanity check” for network administrators to verify which devices exist on the network without touching them. Example: It’s like walking down the street and writing down the names of the houses without knocking on any doors to ask who’s inside. Technical Focus: Reverse DNS Resolution: This process queries the Domain Name System (DNS) to find the hostname associated with an IP address. It’s like looking up someone’s name by their phone number LO#05OS Discovery/Banner Grabbing Overview Type How It Works Advantages Disadvantages Active Banner Sends crafted packets to the target system to - Quickly identifies - Easily detected by Grabbing analyze its responses based on TCP/IP stack OS and services firewalls and IDS differences across OS versions. - Detailed information Passive Gathers information by analyzing network traffic or - Very stealthy - Slower and less detailed Banner error messages without interacting with the target - No need to send than active methods Grabbing system. packets to target Detailed Explanation of OS Discovery Techniques 1. What is OS Discovery/Banner Grabbing? How it works: Banner Grabbing (also known as OS Fingerprinting) helps attackers identify the Operating System (OS) running on a target system. This knowledge allows attackers to pinpoint vulnerabilities specific to that OS and determine which exploits may succeed. Active Banner Grabbing: Sends packets to the target to provoke responses, which are compared against a database of known OS characteristics. Passive Banner Grabbing: Sniffs network traffic and gleans information about the OS without sending any packets to the target. 2. Active Banner Grabbing How it works: Sends specially crafted TCP or UDP packets to the target and looks for variations in how the OS responds. Each OS interprets these packets differently due to its unique TCP/IP stack implementation. Example: The tool Nmap sends a range of test packets (e.g., SYN, NULL, ACK) to elicit responses from open and closed ports, and then compares the results to a database of OS fingerprints. Common Tests: SYN/ECN-Echo packet to an open port. NULL packet (no flags) to an open port. TCP packet with multiple flags (e.g., URG, PSH, FIN) to a closed port. UDP packet to closed ports to trigger ICMP responses. Advantages: Provides detailed and precise information on the target’s OS. Disadvantages: Easily detectable by firewalls and intrusion detection systems (IDS). 3. Passive Banner Grabbing How it works: This technique listens to network traffic (without sending any probes) to determine the OS. The attacker analyzes TTL values, window sizes, or error messages to make an educated guess about the OS. Example: Observing TTL values in network packets — Linux systems often use a TTL of 64, while Windows typically uses 128. Advantages: Extremely stealthy since it doesn’t require interaction with the target. Disadvantages: Less detailed information compared to active methods and takes longer to gather data. Other Techniques and Tools for OS Discovery 1. OS Discovery Using IPv6 Fingerprinting How it works: IPv6 introduces a larger address space (128 bits compared to 32 bits in IPv4), making traditional IPv4 scanning methods inefficient. However, IPv6 uses its own TCP/IP stack, which can be fingerprinted. Nmap’s IPv6 Scanning: In Nmap, the -6 and -O options are used to perform OS fingerprinting on IPv6-enabled networks. It sends specially crafted probes like Neighbor Solicitation and ICMPv6 echo requests. Example: Nmap sends several probes (e.g., S1-S6, ICMPv6, UDP). Based on how the target system responds, Nmap matches the results against known IPv6 OS signatures. Advantages: Helps attackers discover systems in IPv6 networks, which often have fewer security protections in place. Disadvantages: Fewer tools are optimized for IPv6 scanning, and networks are harder to scan due to the vast address space. 2. OS Discovery Using Tools Nmap: The -O option performs OS fingerprinting, sending packets and analyzing the responses to determine the OS. NSE (Nmap Scripting Engine): Allows automation of tasks such as OS discovery using pre-built or custom scripts. For instance, the smb-os-discovery script gathers OS information via the SMB protocol. Wireshark: Captures packets to observe TTL, window sizes, and other signature information to deduce the OS running on a target system. Unicornscan: Another tool that uses TTL values from packet responses to guess the OS. For example, if a packet has a TTL of 128, it likely originates from a Windows machine. Parameters for OS Identification Parameter What It Reveals Examples TTL (Time to Indicates how long a packet can exist before being Linux: 64 Live) discarded. OSs set different TTL defaults. Windows: 128 Window Size Shows how much data the system is prepared to receive. Linux: 5840 OSs use distinct default values. Windows: 65535 DF (Don’t Determines whether the packet can be fragmented. Most systems use DF, except some like Fragment) OpenBSD. TOS (Type of Indicates the quality of service requested for the packet. Mostly session-based, some OSs or services Service) use specific TOS settings. Example: A packet with a TTL of 64 and a window size of 5840 suggests that the system is running Linux. IPv6 vs. IPv4 in OS Discovery How IPv6 Scanning Works: IPv6 has a much larger address space (128 bits), which makes traditional scanning difficult. However, Nmap can still fingerprint systems by sending specific IPv6 probes, such as Neighbor Solicitation, ICMPv6 Echo, and UDP. Differences: IPv4 scanning relies on direct ping sweeps or port scans. IPv6 fingerprinting uses advanced probes and requires IPv6-specific detection engines Nmap Command for IPv6: Example: nmap -6 -O to perform IPv6 OS discovery. LO#06: Verious Techniques for scanning Beyond IDS and firewall 1. Packet Fragmentation How it works: This method splits a large packet into smaller fragments. IDS/firewalls often overlook fragmented packets, which allows the attacker to bypass security mechanisms. By splitting the TCP header into smaller pieces, the attacker avoids detection by packet filters. The destination host reassembles the fragmented packets once they arrive. Example: In Nmap, use the -f option to fragment packets: nmap -sS -T4 -A -f This sends fragmented packets to bypass detection. Advantage: Bypasses packet filters by splitting up the packet. Disadvantage: Some firewalls block fragmented packets, and fragmented data can sometimes crash the target. 2. Source Routing How it works: Source routing allows the attacker to dictate the path that packets take through the network, bypassing routers that have IDS/firewalls. The attacker specifies the route in the IP packet's options field to avoid detection. Example: In Nmap, use the --route-mpath option to control the routing path: nmap --route-mpath This forces packets to go through a specific route. Advantage: Helps evade specific IDS/firewalls by routing packets around protected segments. Disadvantage: Only works if the attacker can manipulate the route successfully. 3. Source Port Manipulation How it works: Manipulates the source port of a packet to make it appear as if it’s coming from a trusted service (e.g., HTTP, FTP). Firewalls often allow traffic from trusted ports, so this technique can bypass them. Example: In Nmap, use the -g or --source-port option: nmap -g 80 This makes the scan appear to come from port 80 (HTTP). Advantage: Bypasses firewalls that allow traffic from specific trusted ports. Disadvantage: The firewall might still inspect packet content, not just the port. 4. IP Address Decoy How it works: The attacker generates fake IP addresses (decoys) along with their real IP to confuse the IDS/firewall. This technique hides the real attacker’s IP among multiple decoy IPs. Example: In Nmap, use the -D option: nmap -D RND:10 This generates 10 random decoy IPs for the scan, making it difficult for IDS/firewalls to identify the real attacker. Advantage: Hides the attacker’s real IP by overwhelming the system with multiple IPs. Disadvantage: Can slow down the scan and may not work if the IDS/firewall detects the decoys. 5. IP Address Spoofing How it works: The attacker forges the source IP address to make the packet appear as though it's coming from a different IP address, tricking the target and bypassing the firewall. This technique is typically used in Denial of Service (DoS) attacks where the attacker doesn't need to receive responses from the target. Example: Using Hping3, an attacker can spoof the source IP: hping3 -a 7.7.7.7 This sends packets to the target with the spoofed source IP 7.7.7.7. Advantage: Bypasses firewalls that block specific IPs and can flood targets in DoS attacks. Disadvantage: Cannot establish TCP connections, as the three-way handshake cannot be completed. 6. MAC Address Spoofing How it works: The attacker changes their device’s MAC address to impersonate a legitimate user on the network, allowing them to bypass MAC-based filters on firewalls and routers. Example: In Nmap, use the --spoof-mac option to spoof the MAC address: nmap --spoof-mac Dell This spoofs a Dell MAC address while scanning the target. Advantage: Bypasses MAC-based filters in the firewall. Disadvantage: Ineffective if the firewall doesn't rely on MAC filtering. 7. Randomizing Host Order How it works: The attacker scans a network's hosts in a random order instead of sequentially, reducing the chances of detection by network monitoring systems that expect sequential scans. Example: In Nmap, use the --randomize-hosts option: nmap --randomize-hosts This randomizes the order in which hosts are scanned. Advantage: Evades detection by systems that monitor for sequential scanning. Disadvantage: Slows down the scan, as the random order can be inefficient. 8. Sending Bad Checksums How it works: The attacker sends packets with incorrect TCP/UDP checksums to trick firewalls that don’t verify checksums properly. Improperly configured systems may still respond to these packets, revealing useful information. Example: In Nmap, use the --badsum option: nmap --badsum This sends packets with invalid checksums to evade firewalls. Advantage: Exploits improperly configured systems that do not check checksums. Disadvantage: Many modern firewalls validate checksums, rendering this method ineffective. Let’s go into Proxy Servers and Anonymizers, organizing everything in a clear, technical way and providing examples. 9. Proxy Servers Purpose How It Works Advantages Disadvantages Serve as Proxy servers forward requests between the - Increases privacy and - Some proxies may log intermediaries user and the destination server, hiding the anonymity user activity user's real IP address. - Bypasses firewalls - Can introduce latency and restrictions Access restricted Attackers use proxies to access websites - Helps bypass - If proxy logs are kept, content that might otherwise be blocked by firewalls restrictions and attackers could be traced or regional restrictions. censorship - Allows remote access to intranets Chain multiple Multiple proxy servers are used in sequence - Increases anonymity - Can introduce proxies (proxy to enhance anonymity, making it hard to with each additional significant delays chaining) trace the origin of the request. proxy - The chain is only as - Obscures the origin of strong as its weakest link requests Detailed Explanations 1. What is a Proxy Server? How it works: A proxy server acts as an intermediary between your computer and the server you’re trying to access. Instead of connecting directly to the destination, your request first goes to the proxy, which forwards it to the final server. The server’s response is sent back to the proxy, which relays it to you. Purpose: Hide the real source of the request (your IP address). Bypass restrictions like regional blocks or firewalls. Reduce bandwidth consumption by caching frequently accessed content. Example: Let’s say you want to access a website that’s blocked in your country. You can use a proxy server located in another country to visit the website. The website will think the request is coming from the proxy server and not from your computer. 2. Why Attackers Use Proxy Servers How it works: Attackers often use proxies to hide their real identity and mask their IP address. When a proxy is used, the attacker's request looks like it’s coming from the proxy’s IP address, not the attacker’s actual IP. Reasons: To hide the source of a scan: Attackers can evade IDS/firewalls by making it appear that the request is coming from the proxy server rather than their actual machine. To access restricted resources: Attackers use proxies to reach resources like intranets or sensitive websites. To chain multiple proxies: By chaining several proxy servers together, attackers make it harder for anyone to trace their activities back to the original source. Example: An attacker could chain multiple proxies like this: The attacker connects to Proxy A. Proxy A forwards the request to Proxy B. Proxy B then sends the request to the final destination. Command Example: Using cURL to connect via a proxy: curl -x http://proxy.example.com:8080 http://targetsite.com 3. Proxy Chaining How it works: Proxy chaining involves using multiple proxy servers in a sequence. Each proxy strips identifying information from the request before passing it to the next proxy in the chain, enhancing anonymity. Steps: The user sends a request to Proxy 1. Proxy 1 removes the user’s identifying information and forwards the request to Proxy 2. This process repeats until the request reaches the final destination. Advantage: With every additional proxy in the chain, it becomes harder to trace the origin of the request. Disadvantage: The more proxies you chain, the slower the connection becomes. Example: Command: In Nmap, to specify multiple proxies (using proxy chains), you would configure each proxy in a configuration file or use chaining tools like ProxyChains. Free Proxy Servers How to use them: There are many free proxy services available. Simply searching for “Free Proxy Servers” in Google will give a list of available servers. To use one, you need to configure your browser or command-line tools to route traffic through the proxy. Example: Search for “free proxy servers” on Google. Configure your browser to use the proxy: In Firefox, go to Settings → Network Settings → Manual proxy configuration. Enter the proxy server’s IP address and port. Command Example: Using Nmap with a proxy: nmap -Pn --proxies Proxy Tools Proxy Switcher: How it works: This tool allows users to switch between proxies easily. It helps attackers mask their IP address and access blocked sites by routing their requests through different proxies. CyberGhost VPN: How it works: Hides the attacker’s IP by replacing it with one of CyberGhost’s IPs. It allows anonymous surfing, access to blocked content, and encrypted connections. Example: CyberGhost can be used to access restricted websites. The attacker selects a VPN server in a different region, and all traffic is routed through that server, making it appear as if the attacker is browsing from that region. Command Example: ProxyChains can be used to route Nmap or other scan tools through multiple proxies: proxychains nmap 10. Anonymizers Type How It Works Advantages Disadvantages Networked Your traffic is routed through multiple - Extremely difficult - Can introduce latency Anonymizers computers, making it hard to trace. to trace - Each node may pose a risk - Provides strong privacy Single-Point Your traffic passes through a single proxy - Hides IP address - Easier to track than multi- Anonymizers server before reaching the destination. - Simpler to set up node anonymizers Detailed Explanations of Anonymizers 1. What is an Anonymizer? How it works: An anonymizer acts as an intermediary server between the user and the target website. It removes all identifying information (like the user’s IP address) before forwarding the request to the destination. Purpose: Anonymizers provide privacy by making the user’s browsing activity untraceable. They help bypass government censorship or restrictions on certain websites. Example: Using a website like HideMyAss.com allows a user to visit a blocked or censored website without revealing their IP address. 2. Why Attackers Use Anonymizers How it works: Attackers use anonymizers to hide their identity while performing reconnaissance or attacks on targets. By using an anonymizer, the attacker’s real IP address is hidden, making it harder to trace the attack back to them. Reasons: To maintain privacy: Attackers use anonymizers to make their web browsing and attack activities untraceable. To bypass restrictions: Anonymizers allow access to blocked websites by making it appear as if the traffic is coming from a different region. Command Example: Using an anonymizer with Tor: torify curl http://targetsite.com Types of Anonymizers 1. Networked Anonymizers: Your data passes through a network of computers, making it extremely hard to trace. Advantage: Provides robust privacy by routing your traffic through multiple nodes. Disadvantage: Can introduce latency, and there’s a risk of data being compromised at any node in the network. 2. Single-Point Anonymizers: Your data passes through a single anonymizing server before reaching the destination. Advantage: Easier to set up and hides your IP address. Disadvantage: Less secure than networked anonymizers, as the single proxy server could be compromised. Example: Using Whonix: This is a security-focused OS designed for anonymity using the Tor network. Anonymizer Tools Tool Description Example Whonix A security-focused OS that anonymizes all traffic using Use Whonix to browse the web anonymously and the Tor network. evade censorship. Psiphon A circumvention tool using VPN, SSH, and HTTP proxy Use Psiphon to access blocked websites in restricted technologies. regions. Tor A free software that routes traffic through multiple nodes Use Tor Browser to anonymize browsing activities. for anonymity. Tails A live OS designed to run from a USB drive, routing Boot Tails OS from a traffic through Tor. Here’s a simplified breakdown of Network Scanning Countermeasures and key points: LO#07 Network Scanning Countermeasures 1. Port Scanning Countermeasures Why it's important: Attackers use port scans to find open ports and services on your network, which they can exploit. Key Steps: Configure firewalls and IDS to detect and block port scans. Make sure they inspect not just headers but also packet contents. Run port scans on your own network to test your defenses and ensure that firewalls properly detect scanning attempts. Update router, IDS, and firewall firmware to the latest versions to close any security holes. Minimize open ports: Keep only necessary ports open and block others using firewall rules (e.g., block ports 135-159, 445). Filter ICMP messages: Block unnecessary inbound and outbound ICMP messages to avoid reconnaissance attempts. Use anti-scanning and anti-spoofing rules: These help block attackers trying to hide their identities. Use honeypots: Redirect attackers to fake systems (honeypots) to waste their time and gather intelligence. 2. Banner Grabbing Countermeasures What it is: Banner grabbing reveals information about the OS or service running on an open port (e.g., web servers display their version info in banners). Key Steps: Turn off unnecessary services: Reduce the information available to attackers by disabling services you don’t need. Display false banners: Trick attackers by sending fake information. Mask server information: Use tools to hide or change the server banner information (e.g., in Apache, change the ServerSignature to Off and ServerTokens to Prod ). Hide file extensions: Avoid using extensions that give away the server technology (e.g., replace.asp with.htm ). 3. IP Spoofing Detection Techniques What it is: IP spoofing involves an attacker pretending to be another device by forging the IP address in their packets. Detection Methods: Direct TTL Probes: Compare the TTL (Time to Live) value of packets from the attacker with a genuine packet from the target. If the TTLs don’t match, the packet is likely spoofed. IP Identification Number (IPID): Monitor the IPID field in packet headers. If the IPID in the spoofed packet doesn’t match the expected value, the packet is spoofed. TCP Flow Control Method: In a normal connection, when the window size is exhausted, the sender stops sending packets. Spoofed packets will continue after the window is full, revealing the spoof. Countermeasures for IP Spoofing Avoid IP-based trust: Don’t rely solely on IP addresses for authentication. Use firewalls and filtering: Filter both incoming and outgoing packets. Block any packets with spoofed source addresses. Randomize initial sequence numbers: Prevent attackers from predicting TCP sequence numbers and hijacking connections. Use ingress and egress filtering: Filter packets at the network's entry and exit points to block spoofed IP addresses. Encrypt traffic: Use protocols like IPsec, TLS, and SSH to encrypt data and reduce the risk of spoofing. Additional Tools for Scanning Detection ExtraHop: Provides real-time visibility and detects network scanning by automatically identifying devices and vulnerabilities. Splunk Enterprise Security: A powerful tool for monitoring and detecting network scanning attempts. Scanlogd: Detects port scanning and logs suspicious activity. Vectra Cognito Detect: Identifies network threats like scanning attempts. IBM Security QRadar: Offers comprehensive security monitoring and scanning detection. Cynet 360: Detects and blocks malicious scanning activities on networks.