CEHv13 Notes – Module 03: Scanning Networks

Learning Objectives

▪ Describe the network scanning concepts
▪ Use various scanning tools
▪ Perform host discovery to check for live systems
▪ Perform port and service discovery using various scanning techniques
▪ Perform operating system (OS) discovery
▪ Scan beyond intrusion detection systems (IDS) and firewalls
▪ Explain various network scanning countermeasures


1. Network Scanning Concepts

Network Scanning Concepts
As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase to gather more details about the target.

Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of information gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s OS and system architecture, and the ports along with their respective services running on each computer.

The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker’s particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.
Types of Scanning 
▪ Port Scanning – Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
▪ Network Scanning – Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.
▪ Vulnerability Scanning – Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document.

TCP Communication Flags 

The TCP header contains various flags that control the transmission of data across a TCP connection. 

Six TCP control flags manage the connection between hosts and give instructions to the system. Four of these flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. The other two flags (PSH and URG) provide instructions to the system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this section is 6 bits. When a flag value is set to “1,” that flag is automatically turned on.

The following are the TCP communication flags: 
▪ Synchronize or “SYN”: It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.
▪ Acknowledgement or “ACK”: It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to “1,” thus implying that the receiver should pay attention to it.
▪ Push or “PSH”: When it is set to “1,” it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
▪ Urgent or “URG”: It instructs the system to process the data contained in packets as soon as possible. When the system sets the flag to “1,” priority is given to processing the urgent data first and all the other data processing is stopped.
▪ Finish or “FIN”: It is set to “1” to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.
▪ Reset or “RST”: When there is an error in the current connection, this flag is set to “1” and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.
SYN scanning mainly deals with three flags: SYN, ACK, and RST. 
TCP/IP Communication
TCP is connection oriented, i.e., it prioritizes connection establishment before data transfer between applications. This connection between protocols is possible through the three-way handshake.
A TCP session initiates using a three-way handshake mechanism: 
▪ To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the destination (10.0.0.3:21).
▪ On receiving the SYN packet, the destination responds by sending a SYN/ACK packet back to the source.
▪ The ACK packet confirms the arrival of the first SYN packet to the source.
▪ Finally, the source sends an ACK packet for the ACK/SYN packet transmitted by the destination.
▪ This triggers an "OPEN" connection, thereby allowing communication between the source and destination, which continues until one of them issues a "FIN" or "RST" packet to close the connection.
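Added example (not part of the CEH notes or of any tool they mention): a Python script that reads the six flag bits out of a raw TCP header and replays a sequence of packets through the three-way handshake, reporting whether the session was opened, refused, closed, or reset halfway (the trace a half-open SYN probe leaves, which is what a sensor would look for). The addresses, ports, sequence numbers and the helper that builds the sample headers are constructed for the example.

```python
import struct

# Bit positions of the six TCP control flags inside byte 13 of the TCP header.
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def parse_tcp_flags(header: bytes) -> frozenset:
    """Return the names of the flags set in a raw TCP header (at least 14 bytes)."""
    if len(header) < 14:
        raise ValueError("truncated TCP header")
    bits = header[13] & 0x3F  # low six bits: URG ACK PSH RST SYN FIN
    return frozenset(name for name, bit in TCP_FLAGS.items() if bits & bit)


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options, checksum left zero) for the samples."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    offset_and_flags = (5 << 12) | bits  # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_and_flags, 65535, 0, 0)


def track_session(packets):
    """Replay (src, dst, flags) triples of one TCP exchange and report how it ended.

    SYN, SYN/ACK, ACK yields OPEN.  SYN, SYN/ACK, RST is the pattern a half-open
    (SYN) scan leaves behind and is reported as HALF_OPEN_RESET.
    """
    state, client, server = "CLOSED", None, None
    for src, dst, flags in packets:
        if state == "CLOSED" and flags == {"SYN"}:
            state, client, server = "SYN_SENT", src, dst
        elif state == "SYN_SENT" and src == server and {"SYN", "ACK"} <= flags:
            state = "SYN_RECEIVED"
        elif state == "SYN_SENT" and src == server and "RST" in flags:
            return "REFUSED"  # closed port: RST/ACK answers the SYN
        elif state == "SYN_RECEIVED" and src == client and "RST" in flags:
            return "HALF_OPEN_RESET"
        elif state == "SYN_RECEIVED" and src == client and "ACK" in flags:
            state = "OPEN"
        elif state == "OPEN" and ("FIN" in flags or "RST" in flags):
            return "CLOSED"
    return state


def session_outcome(wire_packets):
    """Same as track_session, but starting from (src, dst, raw TCP header) triples."""
    return track_session([(s, d, parse_tcp_flags(h)) for s, d, h in wire_packets])


# Constructed samples: the notes' 10.0.0.2 -> 10.0.0.3 handshake, a half-open probe, a closed port.
CLIENT, SERVER = "10.0.0.2", "10.0.0.3"
FULL_HANDSHAKE = [
    (CLIENT, SERVER, build_tcp_header(40000, 21, ["SYN"], seq=100)),
    (SERVER, CLIENT, build_tcp_header(21, 40000, ["SYN", "ACK"], seq=500, ack=101)),
    (CLIENT, SERVER, build_tcp_header(40000, 21, ["ACK"], seq=101, ack=501)),
]
HALF_OPEN_PROBE = FULL_HANDSHAKE[:2] + [
    (CLIENT, SERVER, build_tcp_header(40000, 21, ["RST"], seq=101)),
]
CLOSED_PORT = [
    FULL_HANDSHAKE[0],
    (SERVER, CLIENT, build_tcp_header(21, 40000, ["RST", "ACK"], ack=101)),
]
TERMINATED = FULL_HANDSHAKE + [
    (CLIENT, SERVER, build_tcp_header(40000, 21, ["FIN", "ACK"], seq=101, ack=501)),
]

if __name__ == "__main__":
    for name, pkts in [("full handshake", FULL_HANDSHAKE), ("half-open probe", HALF_OPEN_PROBE),
                       ("closed port", CLOSED_PORT), ("FIN after open", TERMINATED)]:
        print(f"{name}: {session_outcome(pkts)}")
```

The tracker only follows one exchange; a real sensor would key the state on the (src, dst, ports) tuple and count how many distinct ports per source end in HALF_OPEN_RESET.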

TCP Session Termination

2. Scanning Tools


Scanning Tools

Scanning tools are used to scan and identify live hosts, open ports, running services on a target network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. The information obtained from these tools will help an ethical hacker in creating the profile of the target organization and scanning the network for open ports of the devices connected. 
▪ Nmap Source: https://nmap.org 

▪ Hping3 Source: https://salsa.debian.org

o ICMP ping Ex. hping3 -1 10.0.0.25
o ACK scan on port 80 Ex. hping3 -A 10.0.0.25 -p 80
o UDP scan on port 80 Ex. hping3 -2 10.0.0.25 -p 80
o Collecting Initial Sequence Number Ex. hping3 192.168.1.103 -Q -p 139
o Firewalls and Timestamps Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
o SYN scan on port 50-60 Ex. hping3 -8 50-60 -S 10.0.0.25 -V
o FIN, PUSH and URG scan on port 80 Ex. hping3 -F -P -U 10.0.0.25 -p 80
o Scan entire subnet for live host Ex. hping3 -1 10.0.1.x --rand-dest -I eth0
o Intercept all traffic containing HTTP signature Ex. hping3 -9 HTTP -I eth0
o SYN flooding a victim Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
▪ Hping Scan with AI
Attackers can leverage AI-powered technologies to enhance and automate their network scanning tasks. With the aid of AI, attackers can effortlessly perform network scanning using the Hping3 tool to acquire valuable insights about their target.
Example #1:
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use Hping3 to perform ICMP scanning on the target IP address 10.10.1.11 and stop after 10 iterations”
The command `hping3 --icmp --count 10 10.10.1.11` is used to execute the Hping3 tool with specific parameters. 
Example #2:
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Run an hping3 ACK scan on port 80 of target IP 10.10.1.11”
The command `sudo hping3 --ack -p 80 10.10.1.11` is used to execute the Hping3 tool with specific parameters.
▪ Metasploit Source: https://www.metasploit.com
Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploit writers, and payload writers. A major advantage of the framework is its modular approach, i.e., allowing the combination of any exploit with any payload.
▪ NetScanTools Pro Source: https://www.netscantools.com
NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on. Attackers can find vulnerabilities and exposed ports in the target system. It helps the attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools). NetScanTools Pro combines many network tools and utilities categorized by their functions, such as active, passive, DNS, and local computer.
Some additional scanning tools are listed below:
▪ sx (https://github.com)
▪ RustScan (https://github.com)
▪ MegaPing (http://magnetosoft.com)
▪ SolarWinds® Engineer's Toolset (https://www.solarwinds.com)
▪ PRTG Network Monitor (https://www.paessler.com)

3. Host Discovery

Demonstrate Various Scanning Techniques for Host Discovery
Host Discovery
Scanning is the process of gathering information about systems that are “alive” and responding on the network. Host discovery is considered as the primary task in the network scanning process. To perform a complete scan and identify open ports and services, it is necessary to check for live systems. Host discovery provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system in a list of IP addresses to identify whether the target host is up. Host discovery is the first step in network scanning. This section highlights how to check for live systems in a network using various ping scan techniques. It also discusses how to ping sweep a network to detect live hosts/systems along with various ping sweep tools.

Host Discovery Techniques
Host discovery techniques can be adopted to discover the active/live hosts in the network. As an ethical hacker, you must be aware of the various types of host discovery techniques. Some host discovery techniques are listed below:
▪ ARP Ping Scan 
▪ UDP Ping Scan 
▪ ICMP Ping Scan 
o ICMP ECHO Ping 
• ICMP ECHO Ping Sweep
o ICMP Timestamp Ping 
o ICMP Address Mask Ping
▪ TCP Ping Scan 
o TCP SYN Ping 
o TCP ACK Ping
▪ IP Protocol Scan
ARP Ping Scan 
In the ARP ping scan, the ARP packets are sent for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls. In most networks, many IP addresses are unused at any given time, specifically in the private address ranges of the LAN. 
Attackers use the Nmap tool to perform ARP ping scan for discovering live hosts in the network. In Zenmap, the -PR option is used to perform ARP ping scan.
Note: -sn is the Nmap command to disable the port scan. Since Nmap uses ARP ping scan as the default ping scan, to disable it and perform other desired ping scans, you can use --disable-arp-ping.
Advantages: 
▪ ARP ping scan is considered to be more efficient and accurate than other host discovery techniques
▪ ARP ping scan automatically handles ARP requests, retransmission, and timeout at its own discretion
▪ ARP ping scan is useful for system discovery, where you may need to scan large address spaces
▪ ARP ping scan can display the response time or latency of a device to an ARP packet
UDP Ping Scan 
UDP ping scan is similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host. The default port number used by Nmap for the UDP ping scan is 40,125. This highly uncommon port is used as the default for sending UDP packets to the target. This default port number can be configured using DEFAULT_UDP_PROBE_PORT_SPEC during compile time in Nmap. Attackers send UDP packets to the target host, and a UDP response means that the target host is active. If the target host is offline or unreachable, various error messages such as host/network unreachable or TTL exceeded could be returned. In Zenmap, the -PU option is used to perform the UDP ping scan.
Advantages: ▪ UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP filtering, leaving the UDP traffic forgotten.
ICMP ECHO Ping Scan
Attackers use the ICMP ping scan to send ICMP packets to the destination system to gather all necessary information about it. This is because ICMP does not include port abstraction, and it is different from port scanning. However, it is useful to determine what hosts in a network are running by pinging them all. ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.
ICMP ECHO Ping Sweep 
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts (computers). Although a single ping will tell the user whether a specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods used to scan a network. This utility is distributed across nearly all platforms, and it acts as a roll call for systems; a system that is active on the network answers the ping query that another system sends out. 
ICMP ECHO Ping Sweep Using Nmap
Source: https://nmap.org
Nmap helps an attacker to perform a ping sweep that determines live hosts from a range of IP addresses. In Zenmap, the -PE option with a list of IP addresses is used to perform ICMP ECHO ping sweep.
ICMP Timestamp Ping Scan 
Besides the traditional ICMP ECHO ping, there are some other types of ICMP pinging techniques such as ICMP timestamp ping scan and ICMP address mask ping scan, which an attacker can adopt in specific conditions.
ICMP Address Mask Ping Scan 
ICMP address mask ping is another alternative to the traditional ICMP ECHO ping, where the attackers send an ICMP address mask query to the target host to acquire information related to the subnet mask. However, the address mask response from the destination host is conditional, and it may or may not respond with the appropriate subnet value depending on its configuration by the administrator at the target’s end. This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping. In Zenmap, the -PM option is used to perform an ICMP address mask ping scan.
TCP SYN Ping Scan
TCP SYN ping is a host discovery technique for probing different ports to determine if the port is online and to check if it encounters any firewall rule sets. In this type of host discovery technique, an attacker uses the Nmap tool to initiate the three-way handshake by sending the empty TCP SYN flag to the target host. After receiving SYN, the target host acknowledges the receipt with an ACK flag. After reception of the ACK flag, the attacker confirms that the target host is active and terminates the connection by sending an RST flag to the target host machine (since his/her objective of host discovery is accomplished). Port 80 is used as the default destination port. A range of ports can also be specified in this type of pinging format without inserting a space between -PS and the port number (e.g., -PS22-25,80,113,1050,35000), where the probe will be performed against each port in parallel. In Zenmap, the -PS option is used to perform a TCP SYN ping scan.
IP Protocol Ping Scan
IP protocol ping is the latest host discovery option that sends IP ping packets with the IP header of any specified protocol number. It has the same format as the TCP and UDP ping. This technique tries to send different packets using different IP protocols, hoping to get a response indicating that a host is online.
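Added example, not from the notes: Python that builds the three ICMP request types behind the ping scans above (echo, timestamp, address mask), computes the RFC 1071 checksum, and classifies captured ICMP messages by type while verifying the checksum, as a sensor or log parser would. The identifier, sequence numbers and the sample capture are constructed.

```python
import struct

# ICMP request types behind the three ICMP ping variants in the notes.
ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST = 8, 13, 17
PROBE_NAMES = {
    ICMP_ECHO_REQUEST: "ICMP ECHO ping",
    ICMP_TIMESTAMP_REQUEST: "ICMP timestamp ping",
    ICMP_ADDRESS_MASK_REQUEST: "ICMP address mask ping",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_probe(icmp_type, ident=0x1234, seq=1):
    """Constructed ICMP request of one of the three types, with a correct checksum."""
    if icmp_type == ICMP_ECHO_REQUEST:
        body = b"ping-payload"
    elif icmp_type == ICMP_TIMESTAMP_REQUEST:
        body = struct.pack("!III", 0, 0, 0)  # originate, receive, transmit timestamps
    elif icmp_type == ICMP_ADDRESS_MASK_REQUEST:
        body = struct.pack("!I", 0)  # address mask field, zero in a request
    else:
        raise ValueError("not a ping-type ICMP request")
    unchecked = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + body
    checksum = inet_checksum(unchecked)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + body


def classify_icmp(message: bytes):
    """Return (probe name or None, checksum_ok) for one raw ICMP message."""
    if len(message) < 8:
        return None, False
    icmp_type = message[0]
    # A message whose checksum is intact sums to zero when the checksum field is included.
    checksum_ok = inet_checksum(message) == 0
    return PROBE_NAMES.get(icmp_type), checksum_ok


def summarize_probes(messages):
    """Count the ping-type probes in a capture, ignoring malformed or non-ping messages."""
    counts = {}
    for message in messages:
        name, ok = classify_icmp(message)
        if name and ok:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed capture: two echo requests, one address mask request, one corrupted timestamp request.
_corrupted = bytearray(build_icmp_probe(ICMP_TIMESTAMP_REQUEST))
_corrupted[-1] ^= 0xFF
SAMPLE_CAPTURE = [
    build_icmp_probe(ICMP_ECHO_REQUEST),
    build_icmp_probe(ICMP_ECHO_REQUEST, seq=2),
    build_icmp_probe(ICMP_ADDRESS_MASK_REQUEST),
    bytes(_corrupted),
]

if __name__ == "__main__":
    for message in SAMPLE_CAPTURE:
        print(classify_icmp(message))
    print(summarize_probes(SAMPLE_CAPTURE))
```

Timestamp (type 13) and address mask (type 17) requests are rare in normal traffic, so a count of them from one source is a stronger signal than echo requests alone.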

Host Discovery with AI

An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as:
• “Scan the target network 10.10.1.0/24 for active hosts and place only the IP addresses into a file scan1.txt”
    `nmap -sn 10.10.1.0/24 -oG - | awk '/Up$/{print $2}' > scan1.txt`
• “Run a fast but comprehensive Nmap scan against scan1.txt with low verbosity and write the results to scan2.txt”
    `nmap -T4 -iL scan1.txt -oN scan2.txt -v0`
• “Use Nmap to perform ICMP ECHO ping sweep on the target network 10.10.1.0/24”
    `nmap -sn -PE 10.10.1.0/24`

Ping Sweep Tools 

Ping sweep tools ping an entire range of network IP addresses to identify the live systems. The following are ping sweep tools that enable one to determine live hosts on the target network by sending multiple ICMP ECHO requests to various hosts on the network at a time. 
▪ Angry IP Scanner Source: https://angryip.org 
▪ SolarWinds Engineer’s Toolset (https://www.solarwinds.com) 
▪ NetScanTools Pro (https://www.netscantools.com) 
▪ Colasoft Ping Tool (https://www.colasoft.com) 
▪ Advanced IP Scanner (https://www.advanced-ip-scanner.com) 
▪ OpUtils (https://www.manageengine.com)

4. Port and Service Discovery

The next step in the network scanning process involves checking the open ports and services in live systems. This discovery of open ports and services can be performed via various port scanning techniques. Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network. Moreover, sometimes, users unknowingly keep unnecessary open ports on their systems. An attacker takes advantage of such open ports to launch attacks.

Common ports.

Port Scanning Techniques

Port scanning techniques are further categorized as described below. This categorization is based on the type of protocol used for communication in the network.

TCP Connect/Full-Open Scan 
Source: https://insecure.org 
TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the OS’s TCP connect() system call tries to open a connection to every port of interest on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable.

Stealth Scan (Half-Open Scan) 
The stealth scan involves resetting the TCP connection between the client and the server abruptly before completion of the three-way handshake signals, hence making the connection half-open. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This type of scan sends a single frame with the expectation of a single response. The half-open scan partially opens a connection but stops halfway through. The stealth scan is also called a “SYN scan,” because it only sends the SYN packet. This prevents the service from notifying the incoming connection. TCP SYN or half-open scanning is a stealth method of port scanning. The stealth scan also implements the three-way handshake methodology. In the last stage, it examines the packets entering the interface and terminates the connection before triggering a new initialization to identify remote ports. 

Inverse TCP Flag Scan 
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.

Xmas Scan 
Xmas scan is a type of inverse TCP scanning technique with the FIN, URG, and PUSH flags set to send a TCP frame to a remote device. If the target has opened the port, then you will receive no response from the remote system. If the target has closed the port, then you will receive a remote system reply with an RST. You can use this port scanning technique to scan large networks and find which host is up and what services it is offering. This technique describes all TCP flag sets. When all flags are set, some systems hang; hence, the flags are often set in the nonsense pattern URG-PSH-FIN. Attackers use the TCP Xmas scan to determine if ports are closed on the target machine via the RST packet. This scan only works when systems are compliant with RFC 793-based TCP/IP implementation. It will not work against any current version of Microsoft Windows.

BSD Networking Code
This method relies on the BSD networking code. Thus, you can use this only for UNIX hosts; it does not support Windows NT. If the user scans any Microsoft system, it will show that all the ports on the host are open.
You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, it means that the port is open. If the target system sends an RST flag, then it implies that the port is closed. 
In Zenmap, the -sX option is used to perform Xmas scan whereas the -sF and -sN options are used to perform FIN scan and NULL scan, respectively.
nmap -sX -v 192.168.2.79
TCP Maimon Scan
This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe. 
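Added example (mine, not from the notes or from Nmap): Python that names a probe by its flag combination and infers the port state from the reply under the RFC 793 behaviour described in the sections above, with the non-compliant-stack case (the notes name Windows) handled, and then groups a list of probe/response events by source and probe type the way a detection rule would. The event addresses and ports are constructed.

```python
# Flag combinations of the probe types described in the notes (what the scanner sends).
PROBE_SIGNATURES = {
    frozenset({"SYN"}): "TCP SYN / half-open scan",
    frozenset(): "NULL scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan",
    frozenset({"FIN", "ACK"}): "TCP Maimon scan",
}
# The inverse-flag probes: an open port answers nothing, a closed port answers RST.
INVERSE_PROBES = {
    frozenset(), frozenset({"FIN"}), frozenset({"FIN", "PSH", "URG"}), frozenset({"FIN", "ACK"}),
}


def identify_probe(flags):
    """Name the scan technique from the flags of the probe packet."""
    return PROBE_SIGNATURES.get(frozenset(flags), "other")


def infer_port_state(probe_flags, response_flags, rfc793_target=True):
    """Infer the port state from one probe and its reply (None = no reply before timeout)."""
    probe = frozenset(probe_flags)
    reply = None if response_flags is None else frozenset(response_flags)
    if probe == {"SYN"}:
        if reply is None:
            return "filtered"
        if {"SYN", "ACK"} <= reply:
            return "open"
        if "RST" in reply:
            return "closed"
        return "unknown"
    if probe in INVERSE_PROBES:
        if reply is not None and "RST" in reply:
            return "closed"
        if reply is None:
            # No answer means open or filtered on an RFC 793 stack.  A stack that
            # ignores these probes for every port (the notes name Windows) gives the
            # same silence regardless, so no inference can be drawn from it.
            return "open|filtered" if rfc793_target else "undetermined"
        return "unknown"
    return "unknown"


def scan_report(events, rfc793_target=True):
    """Group (src_ip, dst_port, probe_flags, response_flags) events by source and
    probe type, listing the ports under each inferred state."""
    report = {}
    for src, port, probe, reply in events:
        entry = report.setdefault((src, identify_probe(probe)), {})
        entry.setdefault(infer_port_state(probe, reply, rfc793_target), []).append(port)
    return report


# Constructed events: one source running an Xmas scan, another a SYN scan.
SAMPLE_EVENTS = [
    ("10.0.0.5", 22, {"FIN", "PSH", "URG"}, None),
    ("10.0.0.5", 23, {"FIN", "PSH", "URG"}, {"RST", "ACK"}),
    ("10.0.0.5", 80, {"FIN", "PSH", "URG"}, None),
    ("10.0.0.6", 443, {"SYN"}, {"SYN", "ACK"}),
    ("10.0.0.6", 8080, {"SYN"}, None),
]

if __name__ == "__main__":
    for key, states in scan_report(SAMPLE_EVENTS).items():
        print(key, states)
```

From a defender's side the grouping is the useful part: several inverse-flag probes from one source across many ports is the signature, whatever the ports turn out to be.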

5. OS Discovery (Banner Grabbing/OS Fingerprinting)


An attacker uses OS discovery or banner grabbing techniques to identify network hosts running applications and OS versions with known exploits. This section introduces you to banner grabbing, its types, and banner grabbing tools.

Two types of banner grabbing techniques are described below:

▪ Active Banner Grabbing 
Active banner grabbing applies the principle that an OS’s IP stack has a unique way of responding to specially crafted TCP packets. This happens because of different interpretations that vendors apply while implementing the TCP/IP stack on a particular OS. In active banner grabbing, the attacker sends a variety of malformed packets to the remote host, and the responses are compared with a database. Responses from different OS vary because of differences in TCP/IP stack implementation.
For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint or banner grabbing. The tests listed below provide some insights into an active banner grabbing attack, as described at https://nmap.org/book/osdetect-methods.html#osdetect-probes

▪ Passive Banner Grabbing Source: https://www.broadcom.com
Like active banner grabbing, passive banner grabbing also depends on the differential implementation of the stack and the various ways in which an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study telltale signs that can reveal an OS.

How to Identify Target System OS 

Identifying the target OS is one of the important tasks for an attacker to compromise the target network/machine. In a network, various standards are implemented to allow different OSs to communicate with each other. These standards govern the functioning of various protocols such as IP, TCP, UDP, etc. By analyzing certain parameters/fields in these protocols, one can reveal the details of the OS. Parameters such as Time to Live (TTL) and TCP window size in the IP header of the first packet in a TCP session help identify the OS running on the target machine. The TTL field determines the maximum time that a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values vary among OSs, as described in the following table:

Attackers can use various tools to perform OS discovery on the target machine, including Wireshark, Nmap, Unicornscan, and Nmap Script Engine. Attackers can also adopt the IPv6 fingerprinting method to grab the target OS details.
OS Discovery using Wireshark Source: https://www.wireshark.org
OS Discovery using Nmap and Unicornscan 
OS Discovery using Nmap Source: https://nmap.org
To exploit the target, it is highly essential to identify the OS running on the target machine. Attackers can employ various tools to acquire the OS details of the target. Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -O option is used to perform OS discovery, which displays the OS details of the target machine.
OS Discovery using Unicornscan 
Source: https://sourceforge.net
In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform Unicornscan, the syntax #unicornscan <target IP address> is used. As shown in the screenshot, the ttl value acquired after the scan is 128; hence, the OS is possibly Microsoft Windows.
OS Discovery using Nmap Script Engine 
Source: https://nmap.org
Nmap Scripting Engine (NSE) in Nmap can be used to automate a wide variety of networking tasks by allowing users to write and share scripts. These scripts can be executed in parallel with the same efficiency and speed as Nmap. Attackers can also use various scripts in the Nmap Script Engine for performing OS discovery on the target machine. For example, in Nmap, smb-os-discovery is an inbuilt script used for collecting OS information on the target machine through the SMB protocol. In Zenmap, NSE can be generally activated using the -sC option. If the custom scripts are to be specified, then attackers can use the --script option. The NSE results will be displayed with both the Nmap normal and XML outputs.
OS Discovery using IPv6 Fingerprinting
Source: https://nmap.org
IPv6 Fingerprinting is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4, such as sending probes, waiting and collecting the responses, and matching them with the database of fingerprints. The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced IPv6-specific probes along with a separate IPv6-specific OS detection engine. Nmap sends nearly 18 probes in the following order to identify the target OS using the IPv6 fingerprinting method.
▪ Sequence generation (S1–S6)
▪ ICMPv6 echo (IE1)
▪ ICMPv6 echo (IE2)
▪ Node Information Query (NI)
▪ Neighbor Solicitation (NS)
▪ UDP (U1)
▪ TCP explicit congestion notification (TECN)
▪ TCP (T2–T7)
In Zenmap, the -6 option along with -O option is used to perform OS discovery using the IPv6 fingerprinting method.
Syntax: # nmap -6 -O <target>

OS Discovery with AI 

An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as:
• “Use TTL to identify the operating system running on the target IP address 10.10.1.11”
    `ping -c 1 10.10.1.11 && echo "Check the TTL value from the response to infer the OS (Linux/Unix: 64, Windows: 128)"`
• “Use TTL to identify the operating system running on the target IP address 10.10.1.9”
    `ping -c 1 10.10.1.9 | grep "ttl"`
• “Use Nmap script engine to perform OS discovery on the target IP addresses in scan1.txt”
    `nmap -iL scan1.txt -O --script=default --script-args=newtargets -oN os_discovery_results.txt`
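Added example, not from the notes: Python that pulls the TTL out of a ping reply line and rounds it up to the nearest known initial TTL, returning the OS family and the estimated hop count (the reasoning behind the TTL table and the two ping prompts above). The values 64 (Linux/Unix) and 128 (Windows) are the ones the notes give; 255 is added here as a further common default of some Unix variants and network devices (an assumption, not from the notes). The reply lines are constructed.

```python
import re

# Initial TTL values: 64 and 128 are the values given in the notes; 255 is added here
# as a further common default (assumption, not from the notes).
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "other Unix / network device"}

# Linux ping prints "ttl=", Windows ping prints "TTL=": match either.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def ttl_from_ping_output(text):
    """Extract the TTL from a ping reply line; None when no reply line is present."""
    match = TTL_RE.search(text)
    return int(match.group(1)) if match else None


def guess_os_from_ttl(observed):
    """Map an observed TTL to the nearest initial TTL at or above it.

    Each router on the path decrements the TTL by one, so the observed value is
    the initial value minus the hop count.  Returns (os_family, initial_ttl, hops).
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return INITIAL_TTLS[initial], initial, initial - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


def guess_os_from_ping(text):
    """Combine the two steps for one ping reply line."""
    ttl = ttl_from_ping_output(text)
    return None if ttl is None else guess_os_from_ttl(ttl)


# Constructed reply lines for the two addresses used in the prompts above.
SAMPLE_PING_LOCAL = "64 bytes from 10.10.1.11: icmp_seq=1 ttl=128 time=0.412 ms"
SAMPLE_PING_REMOTE = "64 bytes from 10.10.1.9: icmp_seq=1 ttl=57 time=12.3 ms"

if __name__ == "__main__":
    for line in (SAMPLE_PING_LOCAL, SAMPLE_PING_REMOTE):
        print(line, "->", guess_os_from_ping(line))
```

The guess is only as good as the rounding: a TTL of 60 could be a Linux host four hops away or a Windows host 68 hops away, and administrators can change the default, which is why the notes pair TTL with the TCP window size rather than relying on it alone.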
Create and Run Custom Script to Automate Network Scanning Tasks With AI
Attackers can leverage AI-powered technologies to enhance and automate their network scanning tasks. With the aid of AI, attackers can effortlessly create and run custom network scanning scripts and acquire valuable insights about their targets. By developing such custom scripts, attackers can efficiently execute a series of network scanning commands to gather information about a target domain. With this script, attackers can discover live systems, open ports, running services, service versions, and more on the target IP ranges.
For instance, attackers can use ChatGPT to guide the development of a script by using an appropriate prompt such as: "Develop a script that will automate network scanning efforts and find out live systems, open ports, running services, service versions, etc. on target IP range 10.10.1.0/24"
The following bash script is designed to automate network scanning efforts on the target IP range 10.10.1.0/24:
#!/bin/bash
# Step 1: ping sweep of the range (-sP is the legacy spelling of -sn), grepable output
# to stdout (-oG -), keeping the address of every host reported "Up".
# Step 2: version scan (-sV) of those hosts, saved in all output formats (-oA), then
# print the normal-format result.
nmap -sP 10.10.1.0/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt &&
nmap -iL live_hosts.txt -sV -oA scan_results &&
cat scan_results.nmap
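Added example (not the notes' script): Python that parses Nmap's grepable output (`-oG`) instead of the awk one-liner used in the script above and in the host discovery prompts, extracting the hosts reported "Up" and, per host, the open ports with service and version, so the same file serves as the target list for the next step and as a record of what was found. The sample output is constructed in the -oG layout (tab-separated `Key: value` fields; port entries are port/state/protocol/owner/service/rpc info/version/).

```python
# Constructed sample in Nmap's grepable (-oG) layout; fields on a Host line are tab-separated.
SAMPLE_OG = """# Nmap (constructed sample) scan initiated
Host: 10.10.1.5 ()\tStatus: Up
Host: 10.10.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (997)
Host: 10.10.1.7 ()\tStatus: Down
Host: 10.10.1.9 (host9.example.internal)\tStatus: Up
Host: 10.10.1.9 (host9.example.internal)\tPorts: 445/open/tcp//microsoft-ds///
# Nmap done (constructed sample)
"""


def _fields(line):
    """Split a 'Host:' line into its tab-separated 'Key: value' parts."""
    parts = {}
    for chunk in line.rstrip("\n").split("\t"):
        key, _, value = chunk.partition(": ")
        parts[key] = value
    return parts


def _host_lines(text):
    for line in text.splitlines():
        if line.startswith("Host: "):
            yield _fields(line)


def live_hosts(text):
    """Addresses of hosts whose Status field is Up (what the awk one-liner extracts)."""
    return [p["Host"].split(" ", 1)[0] for p in _host_lines(text) if p.get("Status") == "Up"]


def targets_file_contents(text):
    """One address per line, the content the script writes to live_hosts.txt / scan1.txt."""
    return "".join(host + "\n" for host in live_hosts(text))


def open_ports(text):
    """Map each host to its open ports as (port, protocol, service, version) tuples."""
    result = {}
    for parts in _host_lines(text):
        if "Ports" not in parts:
            continue
        ip = parts["Host"].split(" ", 1)[0]
        for entry in parts["Ports"].split(", "):
            f = entry.split("/")
            # port/state/protocol/owner/service/rpc info/version/ gives eight pieces after the split
            if len(f) < 7:
                continue
            port, state, proto, service, version = int(f[0]), f[1], f[2], f[4], f[6]
            if state == "open":
                result.setdefault(ip, []).append((port, proto, service, version))
    return result


if __name__ == "__main__":
    print(targets_file_contents(SAMPLE_OG), end="")
    for host, ports in open_ports(SAMPLE_OG).items():
        print(host, ports)
```

Parsing the fields by name rather than by column position is the point: a host line whose reverse-DNS name contains a space, or a Ports line that follows the Status line, still comes out right.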

6. Scanning Beyond IDS and Firewall

Intrusion detection systems (IDS) and firewalls are security mechanisms intended to prevent an attacker from accessing a network. However, even IDS and firewalls have some security limitations. Attackers try to launch attacks to exploit these limitations. This section highlights various IDS/firewall evasion techniques such as packet fragmentation, source routing, IP address spoofing, etc.
Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques:
▪ Packet Fragmentation
▪ Source Routing
▪ Source Port Manipulation
▪ IP Address Decoy
▪ IP Address Spoofing
▪ MAC Address Spoofing
▪ Creating Custom Packets
▪ Randomizing Host Order
▪ Sending Bad Checksums
▪ Proxy Servers
▪ Anonymizers
Packet Fragmentation 
Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls behind the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU and network resource consumption, the configuration of most IDS cause them to skip fragmented packets during port scans. Therefore, attackers use packet fragmentation tools such as Nmap to split the probe packet into smaller packets that circumvent the port-scanning techniques employed by IDS. Once these fragments reach the destined host, they are reassembled to form a single packet. 
SYN/FIN Scanning Using IP Fragments
SYN/FIN scanning using IP fragments is not a new scanning method but a modification of previous techniques. This process of scanning was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.
Source Routing 
An IP datagram contains various fields, including the IP options field, which stores source routing information and includes a list of IP addresses through which the packet travels to its destination. As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination. When attackers send malformed packets to a target, these packets hop through various routers and gateways to reach the destination. In some cases, the routers in the path might include configured firewalls and IDS that block such packets. To avoid them, attackers enforce a loose or strict source routing mechanism, in which they manipulate the IP address path in the IP options field so that the packet takes the attacker-defined path (without firewall-/IDS-configured routers) to reach the destination, thereby evading firewalls and IDS. 
Source Port Manipulation 
Source port manipulation is a technique used for bypassing the IDS/firewall, where the actual port numbers are manipulated with common port numbers for evading certain IDS and firewall rules. The main security misconfigurations occur because of blindly trusting the source port number. The administrator mostly configures the firewall by allowing the incoming traffic from well-known ports such as HTTP, DNS, FTP, etc. The firewall can simply allow the incoming traffic from the packets sent by the attackers using such common ports.
IP Address Decoy 
The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP address is actually scanning the network and which IP addresses are decoys. The Nmap scanning tool comes with a built-in scan function called a decoy scan, which cloaks a scan with decoys. This technique generates multiple IP addresses to perform a scan, thus making it difficult for the target security mechanisms such as IDS, firewalls, etc., to identify the original source from the registered logs. The target IDS might report scanning from 5–10 IP addresses; however, it cannot differentiate between the actual scanning IP address and the innocuous decoy IPs.
▪ nmap -D RND:10 [target]
▪ nmap -D decoy1,decoy2,decoy3,...,ME,... [target]
IP Address Spoofing 
Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such IDS/firewalls.
▪ IP spoofing using Hping3: hping3 www.certifiedhacker.com -a 7.7.7.7
MAC Address Spoofing 
Network firewalls filter packets based on the source media access control (MAC) address. They examine the MAC address in the packet header and determine whether the packets originate from a legitimate source. Firewalls allow traffic from specific sources using MAC filtering rules and restrict packets that do not satisfy the filtering rules. To avoid these restrictions, attackers use MAC spoofing techniques, in which they employ fake MAC addresses and masquerade as legitimate users to scan the hosts located behind the firewall.
▪ nmap -sT -Pn --spoof-mac 0 [Target IP]
▪ nmap -sT -Pn --spoof-mac [Vendor] [Target IP]
▪ nmap -sT -Pn --spoof-mac [new MAC] [Target IP]
Creating Custom Packets 
The attacker creates and sends custom packets to scan the intended target beyond the IDS/firewalls. Various techniques are used to create custom packets. Some of them are mentioned below: 
▪ Creating Custom Packets by using Packet Crafting Tools
Attackers create custom TCP packets to scan the target by bypassing the firewalls. Attackers use various packet crafting tools such as Colasoft packet builder (https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), etc., to scan the target that is beyond the firewall. Packet crafting tools craft and send packet streams (custom packets) using different protocols at different transfer rates.
Randomizing Host Order 
The attacker scans the hosts in the target network in a random order to reach the intended target lying beyond the firewall. The Nmap option for scanning with a random host order is --randomize-hosts. It instructs Nmap to shuffle each group of 16384 hosts before scanning; combined with slow timing options, this makes the scan less noticeable to network monitoring systems and firewalls. To randomize larger groups, PING_GROUP_SZ should be increased in nmap.h and Nmap recompiled. Alternatively, generate the target IP list with the list scan options -sL -n -oN <filename>, randomize it with a Perl script, and supply the whole list to Nmap with the -iL option.
Sending Bad Checksums
The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target to avoid certain firewall rule sets. TCP/UDP checksums are used to ensure data integrity. Sending packets with incorrect checksums can help attackers to acquire information from improperly configured systems by checking for any response. If there is a response, then it is from the IDS or firewall, which did not verify the received checksum. If there is no response or the packets are dropped, then it can be inferred that the system is properly configured and verifies checksums. This technique instructs Nmap to send packets with invalid TCP, UDP, or SCTP checksums to the target host. The option used by Nmap is --badsum.
Proxy Servers 
A proxy server is an application that can serve as an intermediary for connecting with other computers. A proxy server is used:
▪ As a firewall and to protect the local network from external attacks.
▪ As an IP address multiplexer that allows several computers to connect to the Internet when you have only one IP address (NAT/PAT).
▪ To anonymize web surfing (to some extent).
▪ To extract unwanted content, such as ads or “unsuitable” material (using specialized proxy servers).
▪ To provide some protection against hacking attacks.
▪ To save bandwidth.
Free Proxy Servers
Some free proxy servers are available on the Internet, which can help you to access restricted sites without revealing your IP address. In the Google search engine, type “Free Proxy Servers” to see a list of such servers. Select one from this list and download and install it to browse anonymously without revealing your legitimate IP address.
Proxy Chaining 
Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater is the attacker’s anonymity. 
Proxy Tools 
Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP hidden through a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, mail, FTP, SOCKS, news, telnet, and HTTPS proxy servers. 
▪ Proxy Switcher Source: https://www.proxyswitcher.com
▪ CyberGhost VPN Source: https://www.cyberghostvpn.com
In addition to the proxy tools mentioned above, there are many other proxy tools intended to allow users to surf the Internet anonymously. Some additional proxy tools are listed below:
▪ Burp Suite (https://www.portswigger.net)
▪ Tor (https://www.torproject.org)
▪ Hotspot Shield (https://www.hotspotshield.com)
▪ Proxifier (https://www.proxifier.com)
▪ IPRoyal Residential Proxy (https://iproyal.com)
Anonymizers 
An anonymizer is an intermediate server placed between an end user and a website that accesses the website on their behalf and makes web surfing activities untraceable. Anonymizers allow users to bypass Internet censorship. An anonymizer eliminates all identifying information (IP address) from the system while surfing the Internet, thereby ensuring privacy. It encrypts the data transferred from a computer to the Internet service provider (ISP). Most anonymizers can anonymize web (HTTP:), File Transfer Protocol (FTP:), and gopher (gopher:) Internet services. 
Anonymizer tools use various techniques such as SSH, VPN, and HTTP proxies, which allow access to blocked or censored content on the Internet with advertisements omitted. 
▪ Whonix Source: https://www.whonix.org 
Some additional anonymizers are listed below: 
▪ Psiphon (https://psiphon.ca)
▪ TunnelBear (https://www.tunnelbear.com)
▪ Invisible Internet Project (I2P) (https://geti2p.net)
▪ Bright Data Proxy API (https://brightdata.com)
Censorship Circumvention Tools 
▪ AstrillVPN Source: https://www.astrill.com
▪ Tails Source: https://tails.net

7. Network Scanning Countermeasures

In ethical hacking, the ethical hacker, also known as the “pen tester,” has to perform an additional task that a normal hacker does not follow (i.e., adopting countermeasures against the respective vulnerabilities determined through hacking). This is essential because knowing security loopholes in your network is worthless unless you adopt measures to protect them against real hackers. This section discusses various countermeasures to defend against network scanning attacks.

Ping Sweep Countermeasures 
Some countermeasures for preventing ping sweep attempts are as follows:
▪ Configure firewalls to block incoming ICMP echo requests from unknown or untrusted sources.
▪ Use intrusion detection systems (IDSes) and intrusion prevention systems (IPSes), such as Snort (https://www.snort.org), to detect and prevent ping-sweep attempts.
▪ Carefully evaluate the type of Internet Control Message Protocol (ICMP) traffic flowing through enterprise networks.
▪ Terminate the connection with any host sending more than 10 ICMP ECHO requests.
▪ Use a demilitarized zone (DMZ) and allow only commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in the DMZ.
▪ Limit ICMP traffic with access-control lists (ACLs) to the ISP’s specific IP addresses.
▪ Implement rate limiting for ICMP packets to reduce the efficacy of ping sweeps and other ICMP-based scanning techniques.
▪ Break the network into smaller, isolated segments. This limits the scope of what an attacker can discover through a ping sweep and makes lateral movement more difficult if the network is compromised.
▪ Utilize private IP address ranges for internal network devices and implement network address translation (NAT) at the network boundary. This hides internal IP addresses from external observers.
Port Scanning Countermeasures 
As discussed previously, port scanning provides a large amount of useful information to attackers, such as IP addresses, host names, open ports, and services running on ports. Open ports specifically offer an easy means for an attacker to break into the network. However, there is no cause for concern, provided that the system or network is secured against port scanning by adopting the following countermeasures:
▪ Configure firewall and intrusion detection system (IDS) rules to detect and block probes.
▪ The firewall should be capable of detecting the probes sent by attackers using port-scanning tools. It should not allow traffic to pass through after simply inspecting the TCP header. The firewall should be able to examine the data contained in each packet before allowing traffic to pass through it.
▪ Run the port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity.
▪ Ensure that the router, IDS, and firewall firmware are updated with their latest releases/versions.
▪ Configure commercial firewalls to protect the network against fast port scans and SYN floods.
▪ Hackers use tools such as Nmap and perform OS detection to sniff the details of a remote OS. Thus, it is important to employ an IDS in such cases. Snort (https://www.snort.org) is a very useful intrusion detection and prevention technology, mainly because signatures are frequently available from public authors.
▪ Keep as few ports open as possible and filter the rest, as an intruder may attempt to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135–159, 256–258, 389, 445, 1080, 1745, and 3268.
▪ Block unwanted services running on the ports and update the service versions.
▪ Ensure that the versions of services running on the ports are non-vulnerable.
▪ Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of the company’s main firewall.
▪ Attackers attempt to perform source routing and send packets to the targets, which may not be reachable via the Internet, using an intermediate host that can interact with the target. Hence, it is necessary to ensure that the firewall and router can block such source-routing techniques.
▪ Ensure that the mechanisms used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source routing methods.
▪ Test the IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.
▪ Ensure that the anti-scanning and anti-spoofing rules are configured.
▪ If a commercial firewall is in use, then ensure the following:
o It is patched with the latest updates.
o It has correctly defined anti-spoofing rules.
o Its fast-mode services are unusable.
▪ Ensure that TCP wrappers limit access to the network based on domain names or IP addresses.
▪ Use proxy servers to block fragmented or malformed packets.
▪ Ensure that the firewalls forward open port scans to empty hosts or honeypots to make the port-scanning task difficult and time-consuming.
▪ Employ an intrusion prevention system (IPS) to identify port scan attempts and blacklist IP addresses.
▪ Implement port knocking to hide open ports.
▪ Use network address translation (NAT) to hide the IP addresses of internal systems.
▪ Implement egress filtering to control outbound traffic, which can help in identifying and stopping malicious internal hosts from scanning external targets.
▪ Implement virtual local area networks (VLANs) to isolate different types of traffic and restrict access between them.
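As an added example (not part of the CEH notes), the ping-sweep threshold from the list above (more than 10 ICMP ECHO requests from one host) and a distinct-port-probe count can be applied to firewall log lines to raise alerts; the log line format, the addresses and the port-scan threshold are constructed assumptions for illustration:

```python
"""Ping-sweep and port-scan detection over firewall log lines.

Added example for these notes (not CEH or vendor code). The log format is
a constructed one: "<timestamp> <proto> <src> -> <dst>[:<dport>] <info>".
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>ICMP|TCP|UDP)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+(?P<info>.*)$"
)

# Threshold from the notes: act on hosts sending more than 10 ICMP ECHO requests.
ECHO_REQUEST_THRESHOLD = 10
# Assumed threshold for a port scan: distinct (host, port) pairs probed by one source.
PORT_PROBE_THRESHOLD = 15


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def detect_scans(lines, echo_threshold=ECHO_REQUEST_THRESHOLD,
                 port_threshold=PORT_PROBE_THRESHOLD):
    """Return a list of alerts (ping sweeps and port scans) keyed by source address."""
    echo_requests = defaultdict(int)   # src -> number of ICMP echo requests seen
    echo_targets = defaultdict(set)    # src -> distinct hosts pinged
    probes = defaultdict(set)          # src -> distinct (dst, dport) pairs probed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, not counted
        if rec["proto"] == "ICMP" and "echo-request" in rec["info"]:
            echo_requests[rec["src"]] += 1
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] in ("TCP", "UDP") and rec["dport"] is not None:
            probes[rec["src"]].add((rec["dst"], rec["dport"]))

    alerts = []
    for src, count in sorted(echo_requests.items()):
        if count > echo_threshold:
            alerts.append({"type": "ping_sweep", "src": src,
                           "echo_requests": count, "hosts": len(echo_targets[src])})
    for src, pairs in sorted(probes.items()):
        if len(pairs) >= port_threshold:
            alerts.append({"type": "port_scan", "src": src, "probes": len(pairs)})
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = (
    # 203.0.113.5 pings twelve hosts in 192.0.2.0/24: a ping sweep
    [f"10:00:{i:02d} ICMP 203.0.113.5 -> 192.0.2.{i} echo-request" for i in range(1, 13)]
    # 203.0.113.7 sends SYNs to twenty ports on one host: a port scan
    + [f"10:01:{i:02d} TCP 203.0.113.7 -> 192.0.2.10:{20 + i} SYN" for i in range(20)]
    # 198.51.100.9 is ordinary traffic: two pings and one HTTPS connection
    + ["10:02:00 ICMP 198.51.100.9 -> 192.0.2.10 echo-request",
       "10:02:01 ICMP 198.51.100.9 -> 192.0.2.10 echo-request",
       "10:02:02 TCP 198.51.100.9 -> 192.0.2.10:443 SYN",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```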
Banner Grabbing Countermeasures 
▪ Disabling or Changing Banner
An open port indicates that a service/banner is running on it. When attackers connect to an open port using banner grabbing techniques, the system presents a banner containing sensitive information such as the OS, server type, and version. Using the information gathered, the attacker identifies specific vulnerabilities to exploit and then launches attacks. The countermeasures against banner grabbing attacks are as follows:
o Display false banners to mislead or deceive attackers.
o Turn off unnecessary services on the network host to limit information disclosure.
o Use server masking tools to disable or change banner information.
o Remove unnecessary HTTP headers and response data and camouflage the server by providing false signatures. This also provides the option of eliminating file extensions such as .asp and .aspx, which clearly indicate that the site is running on a Microsoft server.
o For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to change the banner information header and set the server as New Server Name.
o Alternatively, change the ServerSignature line to ServerSignature Off in the httpd.conf file.
o Disable the details of the vendor and version in the banners.
o Modify the value of ServerTokens from Full to Prod in Apache’s httpd.conf file to prevent disclosure of the server version.
o Modify the value of RemoveServerHeader from 0 to 1 in the UrlScan.ini config file found at C:\Windows\System32\inetserv\Urlscan. This method prevents disclosure of the server version.
o Trick attackers by modifying the value of AlternateServerName to values such as xyz or myserver.
o Disable HTTP methods such as Connect, Put, Delete, and Options from web application servers.
o Remove the X-Powered-By header only with the customHeaders option in the <system.webServer> section of the web.config file.
▪ Hiding File Extensions from Web Pages
File extensions reveal information about the underlying server technology that an attacker can use to launch attacks. The countermeasures against such banner grabbing attacks are as follows:
o Hide file extensions to mask the web technology.
o Replace application mappings such as .asp with .htm, .foo, etc. to disguise the identities of servers.
o Apache users can use mod_negotiation directives.
▪ Other Banner Grabbing Countermeasures
o Use packet filtering to block or restrict access to ports that might reveal banner information unnecessarily.
o Use IDS/IPS systems to monitor and alert on scanning activities that could indicate banner grabbing attempts.
o Replace protocols that send clear-text banners (such as HTTP, FTP, and Telnet) with their secure counterparts (HTTPS, SFTP/FTPS, SSH) to encrypt the connection and banner information.
o Use transport layer security (TLS) for services to encrypt the banner information during the handshake process, making it more difficult for unauthorized parties to grab banners.
Note: It is preferable to not use file extensions at all.
IP Spoofing Detection Techniques 
▪ Direct TTL Probes 
In this technique, you initially send a packet (ping request) to the legitimate host and wait for a reply. Check whether the TTL value in the reply matches with that of the packet you are checking. Both will have the same TTL if they are using the same protocol. Although the initial TTL values vary according to the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the values are 64 and 128; for ICMP, they are 128 and 255.
If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. Deduct the TTL value in the reply from the initial TTL value to determine the hop count. The packet is a spoofed packet if the reply TTL does not match the TTL of the packet. It will be very easy to launch an attack if the attacker knows the hop count between the source and the host. In this case, the test result is a false negative. This technique is successful when the attacker is in a different subnet from that of the victim.
Note: Normal traffic from one host can show varying TTLs depending on traffic patterns.
▪ IP Identification Number
Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. The IPID increases incrementally each time a system sends a packet. Every IP packet on the network has a unique "IP identification" number, which is increased by one for every packet transmission. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response packet must be close to but slightly greater than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet. This method is effective even when both the attacker and the target are on the same subnet.
▪ TCP Flow Control Method
TCP can optimize the flow control on both the sender’s and the receiver’s end with its algorithm. The algorithm accomplishes flow control using the sliding window principle. The user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps to control data flow. The sender should stop sending data whenever the window size is set to zero.
In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker, who is unaware of the ACK packet containing window size information, might continue to send data to the victim. If the victim receives data packets beyond the window size, they are spoofed packets. For effective flow control and early detection of spoofing, the initial window size must be very small.
Most spoofing attacks occur during the handshake, as it is challenging to build multiple spoofing replies with the correct sequence number. Therefore, apply the flow control spoofed packet detection method to the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, set the window size in the SYN-ACK to zero. If the sender sends an ACK with any data, it means that the sender is a spoofed one. This is because when the SYN-ACK window size is set to zero, the sender must respond to it only with the ACK packet, without additional data.
Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets. Attackers cannot respond to changes in the congestion window size. When the received traffic continues after a window size is exhausted, the packets are most likely spoofed.
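The direct TTL probe and IPID probe checks described above, written out as an added example (not CEH material); the packet values, the hop-count comparison and the IPID tolerance window are constructed assumptions, and in practice the values would come from a capture plus a probe sent to the address the suspect packet claims as its source:

```python
"""IP spoofing detection heuristics from the notes: direct TTL probe and IPID probe.

Added example for these notes, not CEH material. Packet values are
constructed; in practice they come from a capture plus an active probe
(ping) sent to the address a suspect packet claims as its source.
"""

# Common initial TTLs named in the notes (64, 128, 255).
COMMON_INITIAL_TTLS = (64, 128, 255)
# Assumed tolerance for the IPID test: how far above the suspect IPID a
# genuine reply may be and still count as "close".
IPID_WINDOW = 64


def initial_ttl(observed_ttl):
    """Guess the sender's starting TTL: the smallest common value not below the observed one."""
    for start in COMMON_INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    raise ValueError(f"TTL out of range: {observed_ttl}")


def hop_count(observed_ttl):
    """Hops travelled = initial TTL minus the TTL seen on arrival."""
    return initial_ttl(observed_ttl) - observed_ttl


def ttl_probe_verdict(suspect_ttl, probe_reply_ttl):
    """Direct TTL probe: compare hop counts rather than raw TTLs, so a suspect
    packet and a probe reply that started from different initial TTLs (the
    "different protocol" case in the notes) are still comparable."""
    if hop_count(suspect_ttl) == hop_count(probe_reply_ttl):
        # Same hop count: consistent with the claimed source. As the notes say,
        # an attacker sitting at the same hop distance yields a false negative.
        return "consistent"
    return "spoofed"


def ipid_probe_verdict(suspect_ipid, probe_reply_ipid, window=IPID_WINDOW):
    """IPID probe: a genuine host's reply carries an IPID slightly greater than
    the suspect packet's, since the counter increments per packet. The 16-bit
    field wraps, so the difference is taken modulo 65536."""
    delta = (probe_reply_ipid - suspect_ipid) % 65536
    return "consistent" if 0 < delta <= window else "spoofed"


def assess_packet(suspect, probe_reply):
    """Combine both tests for one suspect packet. Each argument is a dict
    with 'ttl' and 'ipid' keys (constructed layout, not a capture format)."""
    return {
        "ttl_test": ttl_probe_verdict(suspect["ttl"], probe_reply["ttl"]),
        "ipid_test": ipid_probe_verdict(suspect["ipid"], probe_reply["ipid"]),
    }


if __name__ == "__main__":
    # Constructed case 1: suspect arrived with TTL 121 (128 - 7 hops) but the
    # claimed source replies with TTL 52 (64 - 12 hops): hop counts differ,
    # and the reply IPID is nowhere near the suspect's.
    print(assess_packet({"ttl": 121, "ipid": 1000}, {"ttl": 52, "ipid": 40000}))
    # Constructed case 2: both at 7 hops and the reply IPID only slightly higher.
    print(assess_packet({"ttl": 121, "ipid": 1000}, {"ttl": 57, "ipid": 1003}))
```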
IP Spoofing Countermeasures 
As mentioned previously, IP spoofing is a technique adopted by a hacker to break into a target network. Therefore, to protect the network from external hackers, IP spoofing countermeasures should be applied in network security settings. Some IP spoofing countermeasures that can be applied are as follows:
▪ Avoid Trust Relationships
Do not rely on IP-based authentication. Attackers may masquerade as trusted hosts and send malicious packets. If these packets are accepted under the assumption that they are “clean” because they are from a trusted host, malicious code will infect the system. Therefore, it is advisable to test all packets, even when they originate from a trusted host. This problem can be avoided by implementing password authentication along with trust relationship–based authentication.
▪ Use Firewalls and Filtering Mechanisms
As stated above, all incoming and outgoing packets should be filtered to avoid attacks and loss of sensitive information. A firewall can restrict malicious packets from entering a private network and prevent severe data loss. Access-control lists (ACLs) can be used to block unauthorized access. However, the possibility of an insider attack also exists. Inside attackers can send sensitive information about the business to competitors, which could lead to financial loss and other issues. Another risk of outgoing packets is that an attacker may succeed in installing a malicious sniffing program running in a hidden mode on the network. These programs gather and send all the network information to the attacker without any notification after filtering out the outgoing packets. Therefore, the scanning of outgoing packets must be assigned the same importance as that of incoming packets.
▪ Use Random Initial Sequence Numbers
Most devices choose their initial sequence numbers (ISNs) based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to determine the concept of generating an ISN. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then they can establish a malicious connection to the server and sniff network traffic. To avoid this risk, use random ISNs.
▪ Ingress Filtering
Ingress filtering prevents spoofed traffic from entering the Internet. It is applied to routers because it enhances the functionality of the routers and blocks spoofed traffic. Configuring and using ACLs that drop packets with a source address outside the defined range is one method of implementing ingress filtering.
▪ Egress Filtering
Egress filtering is a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address from the outside.
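The ingress and egress rules above, as an added example (not from the notes) of a border device's two ACLs expressed in Python; the internal prefix (an RFC 5737 documentation range) and the bogon list are assumptions for illustration:

```python
"""Ingress and egress anti-spoofing filter as described in the notes.

Added example, not CEH material. The internal prefix is a constructed one
(192.0.2.0/24, an RFC 5737 documentation range); a site would use its own.
"""
import ipaddress

INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that should never arrive from the Internet (assumed list:
# RFC 1918, loopback, link-local, "this network", multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)


def is_bogon(addr):
    return any(addr in net for net in BOGON_PREFIXES)


def filter_packet(direction, src):
    """direction is 'ingress' (arriving on the external interface) or 'egress'
    (leaving it). Returns (verdict, reason) with verdict 'permit' or 'drop'."""
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        # Ingress filtering: a packet from outside must not claim an inside
        # source (the ACL that drops sources outside the expected range).
        if is_internal(addr):
            return "drop", "ingress: external packet claims internal source"
        if is_bogon(addr):
            return "drop", "ingress: bogon source address"
        return "permit", ""
    if direction == "egress":
        # Egress filtering: outbound packets must carry an inside source, so
        # a compromised internal host cannot send packets as someone else.
        if not is_internal(addr):
            return "drop", "egress: outbound packet with non-internal source"
        return "permit", ""
    raise ValueError(f"unknown direction: {direction}")


def apply_filter(packets):
    """Run the filter over (direction, src, dst) tuples.
    Returns per-verdict counts and the list of dropped packets with reasons."""
    counts = {"permit": 0, "drop": 0}
    dropped = []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src)
        counts[verdict] += 1
        if verdict == "drop":
            dropped.append((direction, src, dst, reason))
    return counts, dropped


# Constructed traffic sample (documentation addresses only).
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.9", "192.0.2.25"),   # ordinary inbound: permit
    ("ingress", "192.0.2.25", "192.0.2.30"),    # inside source from outside: drop
    ("ingress", "10.1.2.3", "192.0.2.25"),      # RFC 1918 source from Internet: drop
    ("egress", "192.0.2.25", "203.0.113.9"),    # ordinary outbound: permit
    ("egress", "198.51.100.4", "203.0.113.9"),  # spoofed outbound source: drop
]

if __name__ == "__main__":
    counts, dropped = apply_filter(SAMPLE_PACKETS)
    print(counts)
    for entry in dropped:
        print(entry)
```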
▪ Use Encryption
To maximize network security, use strong encryption for all traffic placed on transmission media without considering its type and location. This is the best method to prevent IP spoofing attacks. IPSec can be used to drastically reduce the IP spoofing risk, as it provides data authentication, integrity, and confidentiality. Encryption sessions should be enabled on the router so that trusted hosts can communicate securely with local hosts. Attackers tend to focus on targets that are easy to compromise. If an attacker desires to break into an encrypted network, they must decrypt the entire slew of encrypted packets, which is a difficult task. Therefore, an attacker is likely to move on and attempt to find another target that is easy to compromise or simply abort the attempt. Moreover, use the latest encryption algorithms that provide strong security.
▪ SYN Flooding Countermeasures
Countermeasures against SYN flooding attacks can also help avoid IP spoofing attacks.
▪ Other IP Spoofing Countermeasures
o Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6 during development.
o Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.
o Use a secure VPN while accessing any type of public Internet service such as free Wi-Fi and hotspots.
o Employ application-specific mitigation devices such as Behemoth scrubbers for deep-level packet investigation at a high speed of nearly 100 million packets/s.
reduce the time of active vulnerability.
o Configure routers to send encoded information about fragmented packets entering the network.
o Configure routers to verify the data packets using their signatures by storing the arriving data packet digests.
o Configure routers to hide intranet hosts from the external network by implementing modifications to the network address translation (NAT).
o Configure internal switches to table the DHCP static addresses to filter malicious spoofed traffic.
o Use secure versions of communication protocols (such as HTTPS, SFTP, and SSH) that offer encryption and authentication.
Scanning Detection and Prevention Tools
Security professionals use various sophisticated tools such as ExtraHop and Splunk Enterprise Security to detect active networks and port scanning attempts initiated by attackers.
▪ ExtraHop Source: https://www.extrahop.com
Some of the additional scanning detection and prevention tools are listed below:
▪ Splunk Enterprise Security (https://www.splunk.com)
▪ Scanlogd (https://github.com)
▪ Vectra Detect (https://www.vectra.ai)
▪ IBM Security QRadar XDR (https://www.ibm.com)
▪ Cynet 360 AutoXDR (https://www.cynet.com)

Copyright notice:
Author: congcong
Link: https://www.techfm.club/p/191851.html
Source: TechFM
The copyright of this article belongs to the author; do not reproduce it without permission.
