Scanning Networks
Module 03

Ethical Hacking and Countermeasures: Scanning Networks
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.
Module Page 263. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News
Oct 18, 2012
Saliently Sality Botnet Trapped Scanning IPv4 Address Space

Source: http://www.spamfighter.com

A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers, has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study published by Paritynews.com on October 10, 2012.

Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks.

Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space without being recognized. That is the only reason the technique uses a very small number of packets that come from various sources. The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing to the scan.

The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case) from various sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012.

According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying
any event like this one. According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet uses classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around a million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly overlaps, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.

Copyright © SPAMfighter 2003-2012
http://www.spamfighter.com/News-19-Saliently-Sality-Botnet-Trapped-Scanning-IPv4-Address-Space.htm

Module Objectives

- Overview of Network Scanning
- CEH Scanning Methodology
- Checking for Live Systems
- Scanning Techniques
- IDS Evasion Techniques
- Banner Grabbing
- Vulnerability Scanning
- Drawing Network Diagrams
- Use of Proxies for Attack
- Proxy Chaining
- HTTP Tunneling Techniques
- SSH Tunneling
- Anonymizers
- IP Spoofing Detection Techniques
- Scanning Countermeasures
- Scanning Pen Testing

Once an attacker identifies his or her target system and does the initial reconnaissance, as discussed in the Footprinting and Reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance in which the attacker learns more about the target, such as which operating system is used, which services are running on the systems, and whether any configuration lapses can be identified. The attacker can then strategize the attack, factoring in these aspects. This module will familiarize you with the topics listed above.

Overview of Network Scanning

Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network. Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.

Objectives of Network Scanning
- To discover live hosts, IP addresses, and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts

As we already discussed, footprinting is the first phase of hacking, in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking, because there you gather only primary information about the target. You use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using more intrusive and aggressive reconnaissance techniques is called scanning. The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as which operating system is used, which services are running, and whether there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.

Types of Scanning
- Port scanning: open ports and services
- Network scanning: IP addresses
- Vulnerability scanning: presence of known weaknesses

In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more ports are open, the more points of vulnerability; the fewer ports open, the more secure the system. This is only a general rule: in some cases the level of vulnerability may be high even though few ports are open.

Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their operating systems, system architecture, and the services running on each computer. In addition, the attacker gathers details about the networks and their individual host systems.

FIGURE 3.1: Network Scanning Diagram (the attacker sends TCP/IP probes to the network and gets network information back)

Objectives of Network Scanning

If you have a large amount of information about a target organization, there are greater chances for you to learn the weaknesses and loopholes of that particular organization and, consequently, to gain unauthorized access to its network. Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what information to obtain during the scanning process depends entirely on the hacker's viewpoint. There may be many objectives for performing scanning, but here we discuss the most common ones encountered during the hacking phase:

- Discovering live hosts, IP addresses, and open ports of live hosts running on the network.
- Discovering open ports: open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
- Discovering operating systems and system architecture of the targeted system: this is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
- Identifying the vulnerabilities and threats: vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting them.
- Detecting the network service associated with each port.

CEH Scanning Methodology

Check for Live Systems -> Check for Open Ports -> Scanning Beyond IDS -> Banner Grabbing -> Scan for Vulnerability -> Draw Network Diagrams -> Prepare Proxies -> Scanning Pen Testing

The first step in scanning the network is to check for live systems. This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools.

Checking for Live Systems: ICMP Scanning

- A ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
- This scan is useful for locating active devices or for determining whether ICMP is passing through a firewall.

Figure: ICMP Echo Request from Source (192.168.168.3) to Destination (192.168.168.5), answered by an ICMP Echo Reply.

The ping scan output using Nmap (Zenmap screenshot; only the recoverable lines are kept): Profile "Ping scan", command nmap -sn 192.168.168.5; Nmap scan report for 192.168.168.5; Host is up; MAC Address (Dell); Nmap done: 1 IP address (1 host up). http://nmap.org

ICMP Scanning

All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option, and it can be helpful to tweak the ping timeout value with the -T option. Note that these option names come from an early Nmap release: in current Nmap, host discovery without a port scan is -sn, an ICMP echo probe is selected with -PE, and -T selects a timing template rather than a timeout.

ICMP Query

The UNIX tools icmpquery and ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP REQUEST). The netmask of a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. icmpquery has both a timestamp and an address mask request option:

icmpquery [-B] [-f fromhost] [-d delay] [-T time] target

Spoofing IP Address

IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else. When the victim replies to the address, the reply goes to the spoofed address and not to the attacker's real address.

IP spoofing using Hping2:
hping www.certifiedhacker.com -a 7.7.7.7

You will not be able to complete the three-way handshake and open a successful TCP connection by spoofing an IP address.

Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker uses a fake IP in place of the attacker's assigned IP. When the attacker sends a connection request to the target host, the target host replies to the attacker's request, but the reply is sent to the spoofed address. When spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources. Using Hping2 you can perform IP spoofing; it lets you send arbitrary TCP/IP packets to network hosts.

FIGURE 3.79: Attacker Sending Spoofed Packet to the Victim

IP Spoofing Detection Techniques: Direct TTL Probes
- Send a packet to the host of the suspect spoofed packet that triggers a reply, and compare its TTL with the suspect packet; if the TTL in the reply is not the same as in the packet being checked, it is a spoofed packet.
- This technique is successful when the attacker is in a different subnet from the victim.

Figure: Attacker (spoofed address 10.0.0.5) sends a packet with spoofed 10.0.0.5 IP and TTL 13 to the target; the target probes the real 10.0.0.5 and compares TTLs.

Note: Normal traffic from one host can vary TTLs depending on traffic patterns.

Initially send a packet to the host of the suspect spoofed packet and wait for the reply. Check whether the TTL value in the reply matches the TTL value of the packet that you are checking. Both will have the same TTL if they were sent by the same host with the same initial TTL over the same path. Initial TTL values depend on the sending operating system (and, on some stacks, on the protocol), but only a few starting values are in common use: 64, 128, and 255. If the reply was sent with a different initial TTL than the suspect packet, compare the actual hop counts rather than the raw TTLs. The hop count is determined by subtracting the TTL value observed in the packet from the initial TTL value. If the hop count implied by the reply does not match that of the packet you are checking, it is a spoofed packet. If the attacker knows the hop count between the spoofed source and the host, it is easy for the attacker to choose a TTL that passes this check; in that case the test results in a false negative.

FIGURE 3.80: Using Direct TTL Probes for IP Spoofing Detection

IP Spoofing Detection Techniques: IP Identification Number

- Send a probe to the host of the suspect spoofed traffic that triggers a reply, and compare the IP ID with the suspect traffic.
- If the IP IDs are not near the value of the packet being checked, the suspect traffic is spoofed.
- This technique is successful even if the attacker is in the same subnet.

Figure: Attacker (spoofed address 10.0.0.5) sends a packet with spoofed IP 10.0.0.5 and IP ID 2586 to the target.

Spoofed packets can be identified based on the identification number (IP ID) in the IP header, which on a host with a single global counter increases each time a packet is sent. This method is effective even when both the attacker and victim are on the same subnet. To identify whether the packet is spoofed or not, send a probe packet to the claimed source and observe the IP ID number in the reply. If it is near the value of the packet that you are checking, it is not a spoofed packet; otherwise it is a spoofed packet. Hosts that randomize the IP ID or keep a separate counter per destination do not produce comparable values, so the test only applies to a host with a single incrementing counter.

FIGURE 3.81: Using IP Identification Number for IP Spoofing Detection
IP Spoofing Detection Techniques: TCP Flow Control Method

- Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets.
- Attackers therefore cannot be responsive to changes in the congestion window size.
- When received traffic continues after a window size is exhausted, most probably the packets are spoofed.

Figure: Attacker (spoofed address 10.0.0.5) sending a SYN packet with spoofed 10.0.0.5 IP to the target.
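The three detection checks above (direct TTL probe, IP identification number, TCP flow control) and the ICMP query messages from the Checking for Live Systems section are worked through below in one added Python example. This is not code from the CEH module, icmpquery, hping or Nmap; it runs over constructed packets only. Assumptions are labelled in the comments: the sender started from one of the common initial TTLs 64, 128 or 255; an IP ID within 64 of the suspect packet counts as "near"; and the sample TTL, IP ID and sequence numbers are made up to illustrate each verdict.

```python
"""IP spoofing detection checks (direct TTL probe, IP ID proximity, TCP window
behaviour) and the ICMP probe messages that trigger a reply, on constructed data.
Added example; not code from the CEH module, icmpquery, hping or Nmap."""
import socket
import struct
from typing import Sequence, Tuple

# Assumption: senders start from one of these initial TTLs (the common OS defaults).
COMMON_INITIAL_TTLS = (64, 128, 255)
ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST = 8, 13, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (ICMP has no pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, body: bytes = b"") -> bytes:
    """Echo (8), timestamp (13) and address mask (17) requests share one layout:
    type, code, checksum, identifier, sequence, then a type-specific body."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", msg_type, 0, inet_checksum(header + body), ident, seq) + body


def timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Type 13 body: originate, receive and transmit timestamps (ms since midnight UTC)."""
    return build_icmp(ICMP_TIMESTAMP_REQUEST, ident, seq, struct.pack("!III", originate_ms, 0, 0))


def address_mask_request(ident: int, seq: int) -> bytes:
    """Type 17 body: a 32-bit mask field, zero in the request, filled in by the reply."""
    return build_icmp(ICMP_ADDRESS_MASK_REQUEST, ident, seq, b"\x00" * 4)


def build_ipv4_header(src: str, dst: str, ttl: int, ip_id: int, protocol: int = 1) -> bytes:
    """20-byte IPv4 header (RFC 791) with a caller-chosen source, which is what a spoofer
    forges. The header checksum is left zero; the parser below does not need it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, ttl, protocol, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(raw: bytes) -> Tuple[str, int, int]:
    """Return (source address, TTL, IP ID): the three fields the checks below use."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    _, _, _, ip_id, _, ttl, _, _, src, _ = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return socket.inet_ntoa(src), ttl, ip_id


def hop_count(observed_ttl: int) -> int:
    """Hops travelled = assumed initial TTL - observed TTL, taking the initial TTL as the
    smallest common default not below the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL above 255")


def ttl_probe_spoofed(suspect_ttl: int, reply_ttl: int, tolerance: int = 0) -> bool:
    """Direct TTL probe: the suspect packet and the real host's reply to our probe should
    have crossed the same number of routers. Comparing hop counts rather than raw TTLs
    copes with the two packets starting from different initial TTLs; `tolerance` absorbs
    small route variation. Gives a false negative if the spoofer chose a matching TTL."""
    return abs(hop_count(suspect_ttl) - hop_count(reply_ttl)) > tolerance


def ip_id_spoofed(suspect_id: int, reply_id: int, window: int = 64) -> bool:
    """IP ID probe: a host with one global incrementing counter answers a probe sent shortly
    after the suspect packet with an ID a little above it (modulo 2^16). Assumption: hosts
    that randomize IDs or keep per-destination counters cannot be tested this way."""
    return (reply_id - suspect_id) % 0x10000 > window


def window_exceeded(last_ack: int, advertised_window: int,
                    segments: Sequence[Tuple[int, int]]) -> bool:
    """TCP flow-control check. After we ACK `last_ack` advertising `advertised_window`, a
    sender that receives our ACKs never sends past last_ack + advertised_window until the
    window moves; a blind spoofer never sees the ACKs and keeps going. `segments` are
    (sequence number, payload length) pairs observed after that ACK."""
    limit = last_ack + advertised_window
    return any(seq + length > limit for seq, length in segments)


if __name__ == "__main__":
    # Constructed sample: a forged packet claiming 10.0.0.5 (the slide's values), while the
    # real 10.0.0.5 answers our echo probe three hops away from an initial TTL of 64.
    forged = build_ipv4_header("10.0.0.5", "10.0.0.1", ttl=118, ip_id=2586)
    src, ttl, ip_id = parse_ipv4_header(forged)
    print("echo probe:", build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping").hex())
    print("TTL probe says spoofed:", ttl_probe_spoofed(ttl, reply_ttl=61))
    print("IP ID says spoofed:", ip_id_spoofed(ip_id, reply_id=41200))
    print("window exceeded:", window_exceeded(
        1000, 4096, [(1000, 1460), (2460, 1460), (3920, 1460), (5380, 1460)]))
```

The hop-count comparison is the practical form of the TTL test: a raw TTL match only works when both packets started from the same initial value, and the probe reply (ICMP) and the suspect packet (often TCP) need not. The IP ID test is only meaningful against a stack with a single incrementing counter, and the window test needs a few segments of observation, so in practice the three are combined rather than trusted individually.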