Certified Ethical Hacker - Module 3 - Scanning
(Mind map from www.mindcert.com)

Information Gathering Methodology (Scanning)
  1 - Unearth initial information
  2 - Locate the network range
  3 - Ascertain active machines
  4 - Discover open ports / access points
  5 - Detect operating systems
  6 - Uncover services on ports
  7 - Map the network

Locate the Network Range
  - After gathering information, the next step is to find the network range of the target
  - Information can be obtained from the providers: ARIN, IANA, APNIC, RIPE
  - Traceroute: trace the route between your network and the target
    - Operation: exploits the IP TTL; sends out consecutive UDP packets with ever increasing TTLs; each device along the path sends back an ICMP TTL Exceeded message
    - Reveals the path IP packets take
    - Some devices will also reply with DNS information

Detecting Live Systems on the Target Network
  - Ping
    - Operation: sends out an ICMP Echo Request and awaits an ICMP Echo Reply
    - Can also send TCP/UDP packets if ICMP is blocked
    - Timestamps each packet; can resolve host names
    - Built-in program on Windows, Linux and OSX
  - Ping Sweeps
    - Different from port scanning: ICMP has no ports
    - Sees if the TCP/IP stack is loaded; does not guarantee that the machine is operable
    - Not really to port scan; used to map out networks
    - The basic step in network mapping; normally the precursor to an attack
    - ICMP Echo Sweeps: detect the host based upon ICMP Echo and Echo Replies
    - Inverse Mapping Scan: one of the first stealth scans; uses customised flags; the absence of a response indicates if the machine is alive
  - Detecting Ping Sweeps: can be detected with tools
    - Snort: an IDS system that can detect ping sweeps; can detect sweeps on the network segment
    - Genius: Delphi application; contains a port scan detection routine; also performs scanning
    - BlackICE: personal firewall and personal IDS; can report against ping sweeps, but only on the host it is installed on
    - Scanlogd: detects port scans; UNIX only; writes to syslog
  - Ping Utilities
    - Pinger: fast ICMP sweep scanner; identifies live hosts between given IP addresses; can resolve hostnames; great tool
    - WS_Ping Pro Pack: 32-bit graphical ping client for Windows; includes Tracert, DNS Lookup, Finger, Whois, LDAP, SNMP, SCAN IP and Misc

Discovering Services on Target Systems
  Understanding Port Scanning
    - Most popular reconnaissance technique: discovers services; potential targets run many services; finds potential vulnerabilities
    - Why?
      - To determine the perimeter of the network
      - To facilitate network mapping
      - To build an inventory of accessible systems on the target network
      - To determine live hosts if ICMP is blocked (the next step after ICMP discovery fails)
      - To identify potential ports for furthering the attacks (these ports are the basis of the next attack stages)
      - To understand what applications are running on the ports
      - To discover the OS
    - TCP Three Way Handshake (ONLY TCP, not UDP)
      - SYN sent from client
      - SYN/ACK sent from server
      - ACK sent from client

  Port Scanning Techniques (scanning classifications)
    - Open scan (also known as a TCP Connect Scan or a Vanilla scan)
      - Full connection is opened to the target; uses the three way handshake: SYN, SYN/ACK, ACK
      - Benefits: provides great information; best scan for determining port state
      - Problems: easy to detect; easy to block; cannot be spoofed
    - Half-open scan
      - Differs from the full connect scan: SYN, SYN/ACK, then RST is sent to tear down the connection
      - The three way handshake is not completed; the connection is never established
      - Benefits: does not establish a connection; harder to log
      - Problems: sophisticated IDS and firewalls can now detect these; admin/root access is required; you have to make a custom IP packet
    - Stealth scans: a group of scans considered stealth; all have the SYN flag omitted; all use inverse mapping
      - SYN/ACK Scan
        - Operation: SYN+ACK is sent to all ports; closed ports reply with an RST; open ports do not reply
        - Packets dropped by inline devices can be incorrectly assumed to be open ports, so it can register large false positives
      - FIN Scan
        - Operation: FIN sent to all ports; as per RFC 793, closed ports reply with a RST; open ports ignore it
        - Works like the SYN/ACK scan; exploits a BSD flaw, and some machines are patched
        - Does NOT work against Windows
      - ACK Scan
        - Operation: takes advantage of the IP routing function; deduces the port state from the TTL value; any TTL value less than 64 is filtered; filtered ports are open
        - Shows the filtered state (filtered by an inline device); does not show open or closed state
        - Works on most UNIX machines
      - NULL Scan
        - Packet sent with NO flags; RFC 793 does not cover how to respond; a stealth scan
        - Operation: most UNIX machines and Windows machines act differently; Windows machines respond with RST even if the port is open, so the scan shows no open ports
        - Does NOT work against Windows
        - Good way of OS detection: if a SYN scan shows open ports but the NULL scan shows no open ports, it is probably a Windows machine
      - XMAS Scan (XMAS Tree)
        - All flags are set: FIN, SYN, RST, ACK, URG, PSH; hence the name, from the ornamental look
        - Operation: a closed port sends RST
        - Works on UNIX; does NOT work against Windows
    - UDP Scan
      - UDP has no connection, so there is no three way handshake
      - Operation: a zero byte UDP packet is sent to the target; an open port does not respond; a closed port replies with ICMP HOST UNREACHABLE
      - ICMP can be rate limited
    - TCP Fragmenting
      - Splits the TCP header into small fragments; due to reassembly it may cause abnormal results
      - Some firewalls block fragments
    - FTP Bounce
      - Uses FTP servers with read/write access: connect to an FTP server and try to initiate outbound connections
      - Responses: 150 = port is open; 225 = port is closed
      - Often scripted and the attacks padded
    - Ident Scanning
      - IDENT, port 113; queries the running services

  Fingerprinting (determines the remote host OS)
    - Based upon: different vendors implement TCP differently
    - Types of Fingerprinting
      - Active stack fingerprinting: specially crafted packets are sent and the reply determines the OS; Nmap uses 8 tests
      - Passive fingerprinting: rather than send packets to the host, captures traffic coming from the host and looks at the responses; mainly four areas:
        - TTL: what is the TTL on the outbound packet?
        - Window Size: what is the TCP window size?
        - DF: does the OS set the Don't Fragment bit?
        - TOS: is a Type of Service set? If so, what is it?

Hacking Tools
  Port Scanning Tools
    - nmap
      - The best port scanning tool; originally UNIX only but now supported on Windows, Linux and MAC OSX; also now has GUIs
      - Scans
        - nmap -sS    SYN Scan (needs root access)
        - nmap -sT    Connect Scan
        - nmap -sF    FIN Scan
        - nmap -sA    ACK Scan
        - nmap -sP    ICMP Scan/Sweep, e.g. nmap -sP 172.16.0.0/16 or nmap -sP 172.14.1.0-255
        - nmap -sU    UDP Scan
        - nmap -sI    Idle Scan
        - nmap -sW    Windows Scan
        - nmap -sR    RPC Scan
      - Default scans: nmap -sS SYN Scan as root; nmap -sT Connect Scan as a normal user
      - Other features
        - Spoofing (-S): spoof the source IP, e.g. nmap -S 172.18.1.1
        - Decoy (-D): spoofed scans from decoy machines; the actual scan is injected in between; better the more decoys used
        - Fragmentation: fragments the packets
    - ipEye
      - Windows only; supports 2000/XP; command line
      - Similar to NMAP but not as powerful
      - Scan types: SYN, FIN, NULL, XMAS
    - hping
      - CLI TCP/IP packet assembler/analyzer; TCP, UDP, ICMP, RAW-IP
      - Can be used for firewall testing, port scanning and network testing
    - icmpenum
      - Uses different ICMP packets that may be allowed if ICMP Echo is blocked: ICMP Echo, ICMP Timestamp, ICMP Information
      - Supports spoofing; promiscuous listening for return packets
    - ipSecScan
      - Looks for machines that are IPSec enabled; scans the IPSec ports: IP protocol AH (50), ESP (51), ISAKMP (UDP 500)
    - SuperScan
      - Connect-based TCP port scanner; extremely fast and versatile; Windows only
      - Includes a pinger and a hostname resolver
    - NetScan Tools
      - An integrated collection of Internet information gathering utilities for Windows 2003/XP/2000; contains a custom ICMP packet generator
  War Dialers
    - Tool used to scan a large pool of telephone numbers: starts with one number and dials one after another until it gets a modem
    - THC-Scan (The Hacker's Choice Scan): MSDOS program; can be used with THC Login Hacker to brute force systems; contains a "Boss Key" that changes the screen to a bitmap