Ethical Hacking

1
Ethical Hacking

• Phase III
• Scanning

2
Module Objective

• Detecting live systems on target network.
• Discovering services running/ listening on target
  systems.
• Understanding port scanning techniques.
• Identifying TCP and UDP services running on
  target network.
• Discovering the operating system
• Understanding active and passive fingerprinting.
• Automated discovery tools.

3
Detecting Live Systems On Target Network

• Why?
• To determine the perimeter of the target network
  /system
• To facilitate network mapping
• To build an inventory of accessible systems on
  target network
• Tools
• Ping utilities
• Nmap (we'll see it soon)
• Hping apt-get install hping3.

4
Ping

• Ping send out an ICMP Echo Request packet and
  awaits an ICMP Echo Reply message from an active
  machine.
• Alternatively, TCP/UDP packets are sent if
  incoming ICMP messages are blocked.
• Ping helps in assessing network traffic by time
  stamping each packet.
• Ping can also be used for resolving host names.
• Tools include ping, Pinger, hping (ping sweeps),
  nmap.

5
Ping

• ping options in Linux
• -c 4 number of packets sent.
• -i 0.01 time between two packets (only root
  lt0.2)
• -t 200 ttl (by default 64 in the request)
• DoS death ping.
• LAB 2 Monitoring ping using ethereal
• Arp resolution
• ICMP
• request / reply

6
Tool Pinger
7
Detecting Ping Sweeps

• Attention Pings are always blocked...
• and detected
• Ping Sweep Detection Utilities include
• Network based IDS (www.snort.org)

8
Discovering services running/ listening on target
systems.

• Why?
• To determine live hosts in the event of ICMP
  requests being blocked by host.
• To identify potential ports for furthering the
  attack.
• To understand specific applications / versions of
  a service.
• To discover operating system details.
• Tools
• Port Scanners

9
TCP three-way handshake
10
Understanding Port Scanning Techniques

• Port Scanning is one of the most popular
  reconnaissance techniques used by hackers to
  discover services that can be compromised.
• A potential target computer runs many 'services'
  that listen at well-known 'ports'.
• By scanning which ports are available on the
  victim, the hacker finds potential
  vulnerabilities that can be exploited.
• Scan techniques can be differentiated broadly
  into Vanilla, Strobe, Stealth, FTP Bounce,
  Fragmented Packets, Sweep and UDP Scans.

11
Port Scanning Techniques

• Port Scanning Techniques can be broadly
  classified into
• Open scan
• Half- open scan
• Stealth scan
• Sweeps
• Misc

12
Active Stack Fingerprinting

• Fingerprinting is done to determine the remote OS
• Allows attacker to leave smaller footprint and
  have greater chance to succeed
• Based on the fact that various OS vendors
  implement the TCP stack differently

13
Tool NMap (Network Mapper)
The TOOL Nmap and nmapfe (gui)
Visit the website http//insecure.org/nmap
14
Scanning types

• TCP connect (-sT) we try to create a connection
  using the system call connect()
• It the normal call that we do in an aplication.
• Very easy to detect (kept in syslog that no data
  are sent after connect)
• TCP syn (-sS)
• We send a packet with its flag SYN up the other
  host send a SYNACK packet and, instead of
  replying we send an RST (reset) packet.
• Often called half-open scanning
• Difficult to detect.

15
Scanning types

• UDP connect (-sU) the same as TCP connect but
  using UDP
• DNS, DHCP and SNMP are some examples.
• It can be combined with -sS
• Others
• Null scan packets without any flags up
• Xmas scan with all flags up
• Other options available on nmap website.
• Lab 3 Using nmap.

16
Summary

• Scanning is a method adopted by administrators
  and crackers alike to discover more about a
  network
• There are various scan types - SYN, FIN, Connect,
  ACK, RPC, Inverse Mapping, FTP Bounce, Idle Host
  etc. The use of a particular scan type depends on
  the objective at hand.
• Nmap is the supertool that will allow us to do
  almost everything about scanning.