Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Transcription

1 UNIT III STUDY GUIDE Course Learning Outcomes for Unit III Upon completion of this unit, students should be able to: 1. Recall the terms port scanning, network scanning, and vulnerability scanning. 2. Identify Nmap command switches. 3. Identify SYN, XMAS, NULL, IDLE, and FIN scans. 4. List TCP communication flag types. 5. Utilize Nmap software. 6. Utilize Nessus software. 7. Perform network scans. Reading Assignment Chapter 3: Unit Lesson is used to locate systems and determine if they are available and responding to the network. A hacker can use scanning to identify a target system s Internet Protocol (IP) address. In addition to IP addresses, scanning tools can be used to collect information regarding a target s operating system and services running (Graves, 2010). Port scanning is used to determine open ports and services. Network scanning is used to identify IP addresses on a given network. Vulnerability scanning is used to discover any known weaknesses on target systems. Port : Port scanning is used to identify open and available Transmission Control Protocol (TCP)/IP ports on a system. A hacker can find out about the services available on a system by using port scanning tools. All the services and applications on a machine are associated with a well-known port number (Graves, 2010). Port Numbers are divided into three ranges: Well-Known Ports: Registered Ports: Dynamic Ports: Some common port numbers: FTP, 21 Telnet, 23 HTTP, 80 SMTP, 25 POP3, 110 HTTPS, 443 Some additional port numbers: Global Catalog Server (TCP), 3269 and 3268 LDAP Server (TCP/UDP), 389 CYB 4302, Cyber Warfare and Application 1

2 LDAP SSL (TCP/UDP), 636 IPsec ISAKMP (UDP), 500 NAT-T (UDP), 4500 RPC (TCP), 135 ASP.NET Session State (TCP), NetBIOS Datagram Service (UDP), 137 and 138 NetBIOS Session Service (TCP), 139 DHCP Server (UDP), 67 LDAP Server (TCP/UDP), 389 SMB (TCP), 445 RPC (TCP), 135 DNS (TCP/UDP), 53 IMAP (TCP), 143 IMAP over SSL (TCP), 993 POP3 (TCP), 110 POP3 over SSL (TCP), 995 RPC (TCP), 135 RPC over HTTPS (TCP), 443 or 80 SMTP (TCP/UDP), 25 Network scanning: Network scanning is used to identify active hosts on a network. Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses either to attack them or as a network security assessment (Graves, 2010). Vulnerability scanning: Vulnerability scanning is the proactive identification of vulnerabilities on computer systems in a network. A vulnerability scanner will first attempt to identify the operating system and version number, including service packs that may be installed. Once the operating system has been identified, the scanner will identify any weaknesses or vulnerabilities in the operating system. These weaknesses may then be used by a hacker in order to exploit the system (Graves, 2010). Although scanning tools can be used to quickly identify active hosts on a network, they can also can be identified by an Intrusion Detection System (IDS). tools may be detected because they interact with the target system when searching for ports, networks, and vulnerabilities. It is important to note that not all scans may be detectable as some scans have been created to be undetectable in an attempt to defeat an IDS (Graves, 2010). Ping Sweep Techniques Before you begin scanning for open ports, networks, and vulnerabilities, you first need to determine that the systems on a network are alive. This is done by sending an Internet Control Message Protocol (ICMP) request or ping and is known as ICMP scanning, or a ping sweep. When a system responds to a ping, the sender knows that the system is live. ICMP originated as a protocol that was used to send test and error messages between hosts. Now it has evolved into a protocol used by all operating systems, routers, and switch or IP-based devices. The ICMP Echo request and Echo reply is a connectivity test built into IP-enabled devices through the ping command to see if two hosts have connectivity. It is used extensively for troubleshooting (Graves, 2007). One of the benefits of a ping sweep is that it can be performed quickly and run in parallel, which means all systems are scanned at the same time on an entire network. Most hacking tools include a ping sweep option. The drawbacks with this method are that firewalls can block a system from responding to ping sweeps and a computer must be on to be scanned. Many systems are being configured with firewall software that will block the ping attempt and notify the user that a scanning program is running on the network. When ping responses are blocked, a hacker cannot accurately determine if systems are available. In this case, more intense port scanning should be used; just because a ping sweep does not return any active hosts does not mean they are not available (Graves, 2007). CYB 4302, Cyber Warfare and Application 2

3 Ports and Identifying Services After performing a ping sweep, the next step is to check for open ports; this is the second step in the scanning methodology. Port scanning generally yields more valuable information than a ping sweep about the host and vulnerabilities on the system. The third step in the scanning methodology is service identification, but usually it can be performed using the same tools as port scanning. Once open ports have been identified, services associated with that port number can usually be identified as well (DeFino & Greenblatt, 2012). Port-Scan Countermeasures Security administrators use countermeasures to detect and protect their network form unauthorized port scanning. Countermeasures are a combination of tools and processes set up to prevent a hacker from obtaining information through port scanning (DeFino & Greenblatt, 2012). The following is a list of countermeasures that can help prevent hackers from acquiring information: Run a port-scanning tool after a firewall is in place to make sure the firewall detects and stops the port-scanning activity. The firewall should be able to detect probes and examine the data packet to determine whether the traffic is allowed to pass through the firewall. Set up network IDS to identify OS-detection methods commonly used by some hacking tools. Only needed ports should be kept open. The rest should be filtered or blocked. Provide appropriate training on security awareness and security policies to the staff using the systems (DeFino & Greenblatt, 2012). Scan Types SYN: A SYN is also known as a stealth scan or a half-open scan because it does not complete the TCP three-way handshake. One of the advantages of a SYN stealth scan is that many IDS systems do not recognize this as an attack or connection attempt. When a SYN scan is performed, it sends a SYN packet to the target. The port is identified as open if a SYN/ACK frame is received back. If an RST (reset) is received back from the target, then it is assumed the port is closed (Walker, 2011). XMAS: An Xmas tree scan sends a packet with the FIN, URG, and PSH flags set. A closed port will respond with a RST/ACK packet, and an open port will send no response. It is a good idea to note that Xmas tree scans do not work against any version of Windows and only work on target systems that follow the RFC 793 implementation of TCP/IP. FIN - A FIN scan is similar to an XMAS scan but sends a packet with only the FIN flag set. The response and limitations of the FIN scan are the same as the XMAS scans. NULL - A NULL scan is also similar to XMAS and FIN in its limitations and response, but in this case it sends a packet with no flags set. IDLE - An IDLE scan uses a spoofed IP address and determines port scan response by monitoring IP header sequence numbers. A SYN packet is sent to a target and depending on the response, the port is identified as open or closed (Walker, 2011). TCP Communication Flag Types TCP scan types are built on the TCP three-way handshake. TCP connections require a three-way handshake before a connection can be made and data transferred between the sender and receiver. To complete the three-way handshake and make a successful connection between two hosts, the sender must send a TCP packet with the synchronize or SYN bit set. Then, the receiving system responds with a TCP packet with the synchronize (SYN) and acknowledge (ACK) bit set to indicate that the host is ready to receive data. The source system sends a final packet with the ACK bit set to indicate the connection is complete and data is ready to be sent. CYB 4302, Cyber Warfare and Application 3

4 OS Fingerprinting Techniques Operating system identification, which can also be defined as fingerprinting the TCP/IP stack, is the fourth step in the scanning methodology. The process of fingerprinting allows the hacker to identify particularly vulnerable or high-value targets on the network. Hackers are looking for the easiest way to gain access to a system or network. Banner grabbing is the process of passively opening a connection and reading the banner or response sent by the application. Many , File Transfer Protocol (FTP), and web servers will respond to a telnet connection with the name and version of the software. This aids a hacker in fingerprinting the Operating System (OS) and application software (Greg, 2006). Enumeration Enumeration refers to actively querying or connecting to a target system to acquire information. It takes place after scanning and is used to gather and compile usernames, machine names, network resources, shares, and services (Greg, 2006). References DeFino, S., & Greenblatt, L. (2012). Official certified ethical hacker review guide: For version 7.1. Boston, MA: Course Technology. Graves, K. (2007). CEH: Certified ethical hacker review guide. Indianapolis, IN: Wiley. Graves, K. (2010). CEH: Certified ethical hacker study guide. Indianapolis, IN: Wiley. Gregg, M. (2006). Certified ethical hacker exam prep. Indianapolis, IN: Que Publishing. Walker, M. (2011). CEH certified ethical hacker all-in-one exam guide. New York, NY: McGraw-Hill. Suggested Reading YouTube videos: Port Without Sending Packets: NMAP Network Scanner: Learning Activities (Non-Graded) Explore Nmap capabilities Nmap is great, NSE is even better. Powerful additions that transform functionality and capability of Nmap. Vulnerability scanning, advanced network discovery, backdoor detection, and possibly even exploitation. Additional information can be found at Non-graded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. Key Terms 1. Countermeasures 2. Enumeration 3. Identifying services 4. Nessus 5. Network scanning 6. Nmap CYB 4302, Cyber Warfare and Application 4

5 7. OS fingerprinting 8. Ping sweep 9. (TCP) three-way handshake 10. Vulnerability scanning CYB 4302, Cyber Warfare and Application 5