Week-12 PDF - Ethical Hacking Lecture Notes
Summary
These lecture notes cover the NMAP tool, a crucial security scanning and network discovery utility. The document details the basics of NMAP and its key features, along with its history, various methods of host discovery, and specific examples using the NMAP commands.
Full Transcript
04/10/19
Course Name: Ethical Hacking
Faculty Name: Prof. Indranil Sen Gupta
Department: Computer Science and Engineering
Topic Lecture 56: The NMAP Tool: A Relook (Part I)
- Introduction to NMAP
- Basic NMAP features
- Host discovery using NMAP

Introduction to Network Mapper (NMAP)
NMAP is a free, open-source tool for vulnerability scanning and network discovery. Network administrators use NMAP for a variety of reasons:
- It is essentially a port scanning tool. The packets that are sent out return with IP addresses and a wealth of other data.
- It can be used to discover hosts that are available on a network and the services they offer, find open ports and detect security risks, determine OS versions, and a variety of other things.

The History
NMAP is a well-known and freely available security scanner developed by Gordon Lyon in 1997. Available on: https://nmap.org. Several versions have been released since then.
Generic command to run NMAP on the command prompt: nmap [scan types] [options]

The Main NMAP Features
A. Host Discovery: Which hosts are alive? --- Various approaches are available.
B. Port Scanning: What services are available? --- By enumerating the open ports.
C. Service and Version Detection: Which version is running? --- Identify application name and version number.
D. OS Detection: Which OS version is running? --- Also identify some hardware characteristics.

(A) Host Discovery using NMAP

What is Host Discovery?
The most basic step in network mapping. Multiple hosts are queried (called a ping sweep operation). Various host scan techniques are supported by NMAP:
a) ICMP sweep
b) Broadcast ICMP
c) Non-Echo ICMP
d) TCP sweep
e) UDP sweep

(a) Host discovery using ICMP Sweep
Easy to implement; rather slow; easy to block.
How it works? Send out an ICMP ECHO request (ICMP type 8).
- If an ICMP ECHO reply (ICMP type 0) is received -> TARGET IS ALIVE.
- If no response is received -> TARGET IS DOWN (or filtered).
[Figure: scanner sends an ICMP ECHO request, target returns an ICMP ECHO reply: target is alive. Scanner sends an ICMP ECHO request, no response: target is down/filtered.]
To perform an ICMP echo sweep the -PE option is used. In the example we send an ICMP echo request from 10.5.23.251 to 10.5.23.209; in response, 10.5.23.209 replies with an ICMP echo reply.

(b) Host discovery using Broadcast ICMP
Most routers block this. Windows ignores these requests.
How it works? Send out an ICMP ECHO request to the network and/or broadcast address. All the hosts in the network will simultaneously send back ICMP ECHO reply packets. Faster than the previous method.
[Figure: scanner sends a broadcast ICMP ECHO request to the network.]

(c) Host discovery using Non-ECHO ICMP
How it works? Instead of an ICMP ECHO request, the scanner sends out other types of ICMP messages. The target will respond to such messages.
- Approach 1: Send ICMP type 13 messages (TIMESTAMP). The scanner queries the current time from the target.
- Approach 2: Send ICMP type 17 messages (ADDRESS MASK REQUEST). The scanner queries the subnet mask from the target (this feature is used by diskless workstations during booting).
To perform an ICMP non-echo sweep the -PP and -PM options are used: -PP is used for the ICMP timestamp request (type 13), and -PM for the address mask request (type 17).

(d) Host discovery using TCP Sweep
How it works? The scanner sends out a TCP SYN or TCP ACK packet to the target. The port number can be suitably selected to prevent blocking by the firewall. Typical port numbers used: 21, 22, 23, 25, 80.
A drawback: Firewalls can spoof a RESET packet for an IP address, so the TCP sweep may not be reliable.
A TCP sweep can be performed using two options: -PS for a TCP SYN sweep, -PA for a TCP ACK sweep. We show an example with the -PS option. We just show the command and the final output.
Many other lines of information may be generated. We can also see why any port is closed/open using the --reason option. TCP sweep is also used by default port scanning options: -sT, -p, -Pn.
(i) TCP Sweep using -PS (TCP SYN): closed port
(ii) TCP Sweep using -PS (TCP SYN): open port. Port 135: MSRPC (Microsoft Remote Procedure Call)
(iii) TCP Sweep using -PS with the --reason option

(e) Host discovery using UDP Sweep
How it works? The scanner sends a UDP datagram to the target.
- If no ICMP PORT UNREACHABLE message is received -> TARGET IS ALIVE.
- If an ICMP PORT UNREACHABLE message is received -> TARGET IS DOWN.
Routers can drop UDP packets as they cross the Internet. Many UDP services do not respond. Firewalls typically drop UDP packets (except DNS). Not very reliable.
To perform a UDP sweep the -PU option is used. The -sU option also uses a UDP sweep. In the example, "unreachable" means the UDP port is considered closed.

More on Host Detection
By default NMAP uses all types of sweep operations in common scanning options so that it can get better details about any system. Commands that use all types (except UDP sweep) are -sP, -sn, -sL, -Pn, etc. We show an example of the -sP command. This is used to print whether all or specific hosts are up and running.
All types of sweep options are used with -sn except UDP. "--packet-trace" gives the details.

Some other NMAP commands for host discovery
-sL: listing the IPs of any range or subnet (list scan)
-PN: Check the firewall and print open ports if the firewall is off; else print the active IPs.
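The ICMP probe types behind -PE, -PP and -PM are easy to tell apart on the wire, and the two non-echo requests are rare in normal traffic. As an added example (not part of the lecture), this Python code parses raw ICMP headers from constructed sample packets, verifies the checksum and flags timestamp and address-mask requests as a sweep indicator for a defender; build_icmp, classify_icmp and sweep_indicators are names chosen here.

```python
"""Classify ICMP host-discovery probes (added example, not from the lecture).
Parses raw ICMP headers like those sent by nmap -PE (type 8), -PP (type 13) and -PM
(type 17), verifies the RFC 1071 checksum and flags the non-echo requests, which are
rare in normal traffic and therefore a useful sweep indicator for a defender."""
import struct

# ICMP types from the lecture, with the nmap option that sends each request.
PROBE_TYPES = {8: "echo request (-PE)", 13: "timestamp request (-PP)",
               17: "address mask request (-PM)"}
REPLY_TYPES = {0: "echo reply", 14: "timestamp reply", 18: "address mask reply"}


def icmp_checksum(data):
    """One's-complement sum of 16-bit big-endian words (RFC 1071), odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, payload=b"", ident=0x1234, seq=1):
    """Constructed sample packet: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def classify_icmp(packet):
    """Return the ICMP type, whether the checksum verifies, and a verdict string."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", packet[:4])
    # Recomputing with the checksum field zeroed must give back the stored value.
    checksum_ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum
    if icmp_type in PROBE_TYPES:
        verdict = "probe: " + PROBE_TYPES[icmp_type]
        if icmp_type != 8:
            verdict += " [non-echo sweep indicator]"
    elif icmp_type in REPLY_TYPES:
        verdict = "reply: " + REPLY_TYPES[icmp_type]
    else:
        verdict = "other ICMP type %d" % icmp_type
    return {"type": icmp_type, "code": code, "checksum_ok": checksum_ok, "verdict": verdict}


def sweep_indicators(packets):
    """Count request probes per ICMP type in a capture: {type: count}, replies ignored."""
    counts = {}
    for packet in packets:
        icmp_type = classify_icmp(packet)["type"]
        if icmp_type in PROBE_TYPES:
            counts[icmp_type] = counts.get(icmp_type, 0) + 1
    return counts
```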
Multiple host discovery (by specifying a list). Multiple host discovery (by specifying a range).

NMAP Command Options for Host Discovery
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
-sU: UDP Scan

Course Name: Ethical Hacking
Faculty Name: Prof. Indranil Sen Gupta
Department: Computer Science and Engineering
Topic Lecture 57: The NMAP Tool: A Relook (Part II)
- Port scanning using NMAP
- Various ways to carry out a port scan

Port Scanning using NMAP

Introduction
To determine what services are running or LISTENing. Each running TCP service is associated with a port number, which listens for incoming connections. Each running UDP service is associated with a port number.
Various port scanning techniques in NMAP:
a) TCP Connect scan
b) TCP SYN scan
c) TCP Stealth scan
d) FTP Bounce scan

(a) TCP Connect scan
How it works? Use the basic TCP connection establishment mechanism (client sends SYN, server answers SYN/ACK, client sends ACK). Complete 3-way handshake. Easy to detect by inspecting the system log.
[Figure: scanner sends SYN, target answers SYN/ACK, scanner sends ACK, connection established: the port is OPEN. Scanner sends SYN, target answers RST/ACK: the port is CLOSED.]

(b) TCP SYN scan
How it works? Do not establish a complete connection (half-open scanning).
- SYN/ACK is received -> the port is LISTENING. Immediately terminate the connection by sending RST.
- RST/ACK is received -> the port is NON-LISTENING.
[Figure: scanner sends SYN, target answers SYN/ACK, scanner sends RST: the port is OPEN. Scanner sends SYN, target answers RST/ACK: the port is CLOSED.]
The -sT scan uses both TCP SYN and TCP ACK packets. It also uses an ICMP ECHO sweep for checking whether the host is up or not.
-sT packet trace for closed port
-sT packet trace for open port

(c) TCP Stealth scan
Basic idea: Carry out port scanning while avoiding detection. Try to hide among normal network traffic. Not to be logged (stealth).
How it works? Flag probe packets (also known as Inverse Mapping). A response is sent back only by a closed port. The intruder determines what services do not exist, and can infer the ones that exist. Slow scan rate. Difficult to detect, and needs a long history log.
How it can be done? RFC 793 talks about how to handle wrong packets:
- Closed ports -> reply with a RESET packet.
- Open ports -> ignore the packet in question.
Various ways: send a RST scan packet; send a FIN probe with the FIN flag set; send an XMAS probe with the FIN, URG, SYN, RST, PSH flags set.
[Figure: scanner sends a probe packet, no response: the port is OPEN. Scanner sends a probe packet, target answers RST/ACK: the port is CLOSED.]

(d) FTP Bounce scan
How it works? Connect to an FTP server, establish a control connection, and ask the FTP server to initiate an active data transfer process. Quite slow.
[Figure: scanner sends "PORT 10.0.0.5,0,22" to the FTP server (10.0.0.4); the FTP server sends a TCP SYN to the target (10.0.0.5), which answers RST; the FTP server reports "425 Cannot build data connection".]

Other port scanning options in NMAP
- Specify the port numbers to be scanned using the -p option
- Scan fewer ports than the default scan using the -F option (fast mode)
- Scan the most common ports using the --top-ports option
- IP protocol scan using the -sO option

NMAP Command Options for Port Scanning
Scan Techniques:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-b: FTP bounce scan
Port specification and Scan Order:
-p: Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports: Scan most common ports

Course Name: Ethical Hacking
Faculty Name: Prof. Indranil Sen Gupta
Department: Computer Science and Engineering
Topic Lecture 58: The NMAP Tool: A Relook (Part III)
- Services, version and OS detection
- Use of scripts in NMAP

(C) Services, Version and OS Detection

Introduction
Some operating systems respond with specific messages in response to certain requests. This helps in identification. TCP/IP fingerprinting (the IP stack implementation will respond differently):
- FIN probe, Bogus Flag probe
- TCP initial sequence number sampling, TCP initial window, ACK value
- ICMP error quenching, message quoting, ICMP echo integrity
- IP: DF, TOS, Fragmentation

Some Specific Examples
ACK: sending FIN|PSH|URG to a closed port. Most OS -> ACK with the same sequence number. Windows -> ACK with sequence number + 1.
Type of Service: probing with an ICMP_PORT_UNREACHABLE message. Most OS -> returns with TOS = 0. Linux -> returns with TOS = 0xC0.
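The connect, SYN and stealth scans of Lecture 57 leave different traces in connection records, which is what the advice to system administrators later under "Some Issues" (examine logs for suspicious packets, identify connections not properly terminated, analyze port usage) relies on. As an added example, not the lecture's own material, this Python code applies those three checks to constructed flow records for one target; the record format, the FLOWS sample data and the PORT_THRESHOLD value are assumptions made here.

```python
"""Spot nmap-style port scans in connection records (added example, not from the lecture).
Checks: suspicious probes (FIN/Xmas/Null), half-open connections (-sS) and distinct-port counts."""
from collections import defaultdict

PORT_THRESHOLD = 5  # assumption: distinct ports from one source before we call it a scan

# Constructed flow records resembling a connection-tracker export: (src, dst, dport,
# flags of the first client packet, flags of the reply or None, handshake completed by ACK?)
FLOWS = [
    ("10.5.23.251", "10.5.23.209", p, {"SYN"},
     {"SYN", "ACK"} if p in (22, 135) else {"RST", "ACK"}, False)      # SYN probes, reset
    for p in (21, 22, 23, 25, 80, 135)
] + [
    ("10.5.23.77", "10.5.23.209", p, {"FIN"},
     None if p == 22 else {"RST", "ACK"}, False)                        # FIN probes
    for p in (21, 22, 23, 25, 80, 443)
] + [
    ("10.5.23.10", "10.5.23.209", 80, {"SYN"}, {"SYN", "ACK"}, True),   # ordinary browser
    ("10.5.23.10", "10.5.23.209", 443, {"SYN"}, {"SYN", "ACK"}, True),
]


def classify_probe(flags):
    """'syn' for a plain SYN, 'stealth' for FIN/Xmas/Null probes (no SYN, no ACK), else 'other'."""
    if flags == {"SYN"}:
        return "syn"
    if not flags & {"SYN", "ACK"}:
        return "stealth"
    return "other"


def detect_scans(flows, threshold=PORT_THRESHOLD):
    """Return {src: verdict} for every source that touched at least `threshold` distinct ports."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    verdicts = {}
    for src, recs in by_src.items():
        ports = {r[2] for r in recs}
        if len(ports) < threshold:
            continue
        styles = [classify_probe(r[3]) for r in recs]
        # SYN/ACK came back but the client never sent the final ACK: half-open connection.
        half_open = sum(1 for r in recs if r[4] and r[4] >= {"SYN", "ACK"} and not r[5])
        completed = sum(1 for r in recs if r[5])
        if styles.count("stealth") > len(recs) // 2:
            verdict = "stealth scan (FIN/Xmas/Null probes, -sF/-sX/-sN)"
        elif half_open and not completed:
            verdict = "half-open SYN scan (-sS)"
        elif completed:
            verdict = "connect scan (-sT): full handshakes to many ports"
        else:
            verdict = "port sweep: every probe refused"
        verdicts[src] = "%s, %d distinct ports" % (verdict, len(ports))
    return verdicts
```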
OS detection using the -O option
Version detection using the -sV option

NMAP Command Options for OS Detection
Service / Version Detection:
-sV: Probe open ports to determine service/version info
--version-intensity: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
OS Detection:
-O: Enables OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

Use of Scripts in NMAP

What are NMAP Scripts?
There are 1000s of scripts available with NMAP to perform various operations. The scripts can have their own specific requirements, like some services running, port requirements, etc. We have already seen an example earlier: --script vuln to check vulnerability in a system. Any script can be run using the command: --script
- Vulnerability scan using the --script vuln option
- Detecting malware infection using the --script http-malware-host option
- Check whether a host is running a web server on a particular port using the --script http-methods option
- Guess username and password using the --script smb-brute.nse option (this is possible only if port 445 is open, and takes a long time)

Some Issues
For system administrators to detect scanning:
- Examine logs for suspicious packets
- Identify connections not properly terminated
- Analyze port usage
For scanners to avoid detection:
- Randomize the sequence of ports being scanned
- Slow scan: exceed the site detection threshold in IDS, 2 packets/day/site!
- Use a spoofed address in the attack
- Coordinated scans: multiple scanners probe the same host or network

Recall: Some common NMAP scan options
Scan a single target with default options (basic scan):
  nmap 144.16.192.57
  nmap www.someserver.com
Scan multiple hosts at the same time:
  nmap 144.16.192.25 144.16.192.70 10.2.75.38
Scan a range of IP addresses:
  nmap 144.16.192.100-150
Scan an entire subnet:
  nmap 144.16.192.0/24
Scan a list of targets (IP addresses or host names stored in a file):
  nmap -iL scanlist.txt
Scan a specified number of random internet hosts:
  nmap -iR 5
Exclude targets from a scan:
  nmap 144.16.192.0/24 --exclude 144.16.192.60-70
  nmap 144.16.192.0/24 --excludefile xfile.txt
Perform an aggressive scan (use the most commonly used options):
  nmap -A 10.3.100.65

Course Name: Ethical Hacking
Faculty Name: Prof. Indranil Sen Gupta
Department: Computer Science and Engineering
Topic Lecture 59: Network Analysis using Wireshark
- About Wireshark
- Various menu options in Wireshark
- Packet capturing examples

Introduction
What is network analysis or Sniffing? It is a process of analyzing network activity by capturing network traffic. A sniffer is a program that monitors the data travelling around the network. Example tools: Wireshark, Solarwinds, Kismet and many others.
Features of a network analyzer: support for multiple protocols; graphical user interface; statistical report generation.

What is Wireshark?
It is an open source tool for profiling network traffic and analyzing packets. Often referred to as a network analyzer, network protocol analyzer or sniffer. http://www.wireshark.org
What does it really do? Captures network data and displays it in a readable format. Logs network traffic for forensics and evidence. Analyzes network traffic generated by various applications.

How does a Packet Sniffer work?
Ethernet is the most widely used protocol in a LAN, at the data-link layer level.
While running Wireshark the machine's network interface card (NIC) is put in promiscuous mode. In this mode, the sniffer can read all traffic on the network segment to which the NIC is connected (irrespective of the sender and the receiver). Root privilege is required to set the NIC to promiscuous mode. If the LAN uses a switch, then packets from other network segments cannot be captured.
Wireshark can be downloaded from: http://www.wireshark.org

Packet Capture using Wireshark
Method 1: To start capturing, double click on the network adapter.
Method 2: Select the network and click on capture.
Method 3: Go to the Capture menu and click on start capturing.

Packet Capturing Starts
Packet Information (packet summary window):
- No: Frame number
- Time: Time in seconds
- Source: Source address
- Destination: Destination address
- Protocol: Protocol that is used for communication
- Length: Length of the packet in bytes
- Info: Info of the packet (type, version etc.)
Protocol window: header details. Data window: offset, data in hexadecimal, data in ASCII.

Applying Filter
Filtering different types of packets: to filter packets, put the filter name in the filter bar and press Enter or the arrow. This restricts the packets that are displayed in the summary window. For a correct filter the bar will turn from white to green; a wrong filter will be shown as red.
TCP Filter: Summary Window
TCP Packet Header Details: When you double click on any of the packets the respective protocol will be highlighted, and you can see the header details.
IP Filter: Summary Window
IP Packet Header Detail

Exploring the Menu

File Menu
We can divide the File Menu into 3 major sections as per their functionality.
Import:
- Open: open a captured file.
- Open recent: open a recently captured file.
- Merge: merge the current capture with another captured file.
- Import from hex dump: import from a hexadecimal file.
Save:
- Save: save in .pcapng (Wireshark format).
- Save as: save in a different format such that it can be imported into another network analyzer (.txt, .dmp, .5vw, .erf etc.).
Export:
- File Set: navigate the directory where the file will be stored.
- Various Export Options: allow saving the report in different formats such as CSV, C array, XML, JSON etc.; it also allows saving data for a selected packet or range of packets.
- Print: print the report as plain text.
- Close and Quit are used to turn off capturing and exit from the application.

Edit Menu
The Edit menu can also be divided into 5 sections:
- Find: used to search packets by matching a hexadecimal string, and to search for the next and previous packets as per requirement.
- Mark: mark options are used for marking the packets that are displayed in the summary window.
- Preferences: used to set how many packets you want to show at once, the font and color for packets, and the fields to be displayed (no, time, source, dest. etc.).

View Menu
The View menu is used to manage the look of the windows. The expand and collapse options are used to expand/collapse the detail of the header in the protocol window. You can handle the coloring of packets from the View menu as well.

Go Menu
The Go menu is used to switch between packets.

Capture Menu
The Capture menu is used to start/stop capturing as well as to set capture options (preferred network interface, Wi-Fi, etc.). It can also provide filtering (ARP/TCP/IP/ICMP etc.) while capturing is running.
[Figure: Capture menu while capturing and after the capture is stopped.]

Analyze Menu
This is the most important menu in Wireshark. It is used to analyze the packets and manage the different filtering options.
Display Filters: to see what commands need to be given in the filter bar to filter those types of packets.
Analyze Menu: Display Filter. To filter packets we need to give a specific filter name.
Analyze Menu: Enable protocol. We can enable or disable a protocol.
If we don't want to see ICMP packets, then uncheck the ICMP protocol.
Analyze Menu: Conversation Filter. Basically this option directly applies a filter and shows the output.
Analyze Menu: Follow. Using this option we can see the complete detail of the packets.

Statistics Menu
This is used to check the statistics of the capture, like properties of the network, number of packets sent and received, etc.
- Statistics Menu: Capture File Properties. It shows the full system details of the capturing machine.
- Statistics Menu: Protocol Hierarchy. It displays statistics about packets as per protocol.
- Statistics Menu: Destinations and Ports. This gives information about connections, ports, and the number of packets to that destination.

Telephony Menu
Provides analysis for telephony and media streaming related network traffic. It can track details of a VoIP call, i.e. start time, end time, initiator IP, etc.

Wireless Menu
This option is used when you are using Wireshark to analyze wireless networks.

Tools Menu
This menu is used to select the rules (which type of scanning you want to do). It also provides help for the various tools that are used by Wireshark.

Packet Analysis Examples
Example: Start a capture in Wireshark. Open a browser, type www.google.com and search. Save the capture and analyze it by applying the http filter.
Packet summary: see how the connection has been established (protocol window, data window).
Right click on the packet -> Follow -> HTTP/TCP stream to see the data.
HTTP stream details; TCP stream in ASCII format. You can switch between different formats.
Capture login credentials of an unsecured website: vulnweb.com. Click on frame number 106 (the userinfo.php frame) for analysis.
We can even view the username and password from the HTTP packet. See, we captured the username and password.
Packet details for SBI net banking: making a secure connection with port 443.
Key exchange and encrypted handshaking processes between server and client.
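The summary, protocol and data windows described above are the output of dissecting each captured frame header by header. As an added example (not part of the lecture), this Python code builds constructed Ethernet/IPv4/TCP frames such as the SYN that opens a port 443 connection, dissects them into the columns of Wireshark's packet summary window (No., Time, Source, Destination, Protocol, Length, Info) and applies a tiny subset of the display-filter syntax; build_frame, dissect and display_filter are names chosen here, and the MAC addresses and sequence numbers are made up.

```python
"""Minimal dissector producing the columns of Wireshark's packet summary window
(added example, not from the lecture); the sample frames are constructed inline."""
import socket
import struct

ETH_IPV4 = 0x0800
TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG")]


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame with no options; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def dissect(frame, number=1, time=0.0):
    """Return one summary row: No., Time, Source, Destination, Protocol, Length, Info."""
    row = {"No.": number, "Time": time, "Length": len(frame), "Info": ""}
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        row["Protocol"] = "non-IPv4"
        return row
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IP header length in bytes
    row["Source"], row["Destination"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    proto = ip[9]
    if proto != 6:
        row["Protocol"] = {1: "ICMP", 17: "UDP"}.get(proto, "IP proto %d" % proto)
        return row
    tcp = ip[ihl:]
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    names = ", ".join(name for bit, name in TCP_FLAGS if flags & bit)
    row["Protocol"] = "TCP"
    row["tcp.port"] = (sport, dport)                  # kept for the display filter below
    row["Info"] = "%d > %d [%s] Seq=%d Ack=%d" % (sport, dport, names, seq, ack)
    return row


def display_filter(rows, expr):
    """Tiny subset of Wireshark display-filter syntax: 'ip', 'tcp', 'tcp.port == N'."""
    expr = expr.strip()
    if expr == "ip":
        return [r for r in rows if "Source" in r]
    if expr == "tcp":
        return [r for r in rows if r.get("Protocol") == "TCP"]
    if expr.startswith("tcp.port =="):
        port = int(expr.split("==", 1)[1])
        return [r for r in rows if port in r.get("tcp.port", ())]
    raise ValueError("unsupported filter (Wireshark would show the bar red): %r" % expr)


if __name__ == "__main__":
    frames = [build_frame("10.5.23.10", "10.5.23.209", 51000, 443, 0x02),   # SYN to HTTPS
              build_frame("10.5.23.209", "10.5.23.10", 443, 51000, 0x12)]   # SYN/ACK back
    rows = [dissect(f, i + 1, i * 0.01) for i, f in enumerate(frames)]
    for r in display_filter(rows, "tcp.port == 443"):
        print(r)
```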