ERIC BRUHN

Network Applications and Network Applications Lab

Chapter Two Notes

 


[Hacking Exposed Outline]


Scanning

       It is important to remember that even though an IP address falls within the target's address range, it is not necessarily reachable from the Internet. Each target system must be tested to see whether it is alive and whether any ports are listening.

  • Determining if a system is alive
    • Automated ping sweep on a range of IP addresses.
    • Use fping in the UNIX environment.
      • Type fping -h for all available options.
    • Another utility to use is nmap.
      • Example: nmap -sP 192.168.1.0/24
      • -sP is the ping sweep option in the nmap version the book uses; current releases spell it -sn.
    • For Windows, you can use Pinger.
    • It is not uncommon to come across a security-conscious site that has blocked ICMP at the border router or firewall.
    • To get around an ICMP block, port scanning is the first technique for finding live hosts.
    • We can scan common ports on every IP address to see if there are systems there and if they are listening. A SYN/ACK and an RST both prove a host is there; only silence is inconclusive.
    • TCP ping scan
      • nmap -sP -PT80 192.168.1.0/24 sends a TCP probe to port 80 on every address in the range (current nmap: -sn -PS80).
      • Other common ports to probe:
        • SMTP (25)
        • POP (110)
        • AUTH (113)
        • IMAP (143)
    • hping
      • Allows the user to control specific options of the TCP packet so that it may pass through certain access control devices.
      • Example: hping 192.168.1.2 -S -p 80 -f
        • -S sets the SYN flag, -p 80 is the destination port, -f fragments the packets.
    • icmpenum
      • Sends ICMP ECHO, TIMESTAMP and INFO requests, so it can still find hosts where only ECHO is blocked.
    • Ping Sweeps Countermeasures
      • Detection
        • Detecting ping sweeps is critical to understanding who may attack and when they might do it.
      • Prevention
        • You should carefully evaluate the type of ICMP traffic you allow into your networks or into specific systems.
        • ICMP is a powerful protocol for diagnosing network problems, but it is also easily abused.
        • Allowing unrestricted access could result in a denial of service attack.
    • ICMP Queries
      • Ping sweeps are only the tip of the iceberg when it comes to ICMP information about a system.
      • Request the system time with an ICMP type 13 message (TIMESTAMP); the reply carries the target's clock, which often reveals its time zone.
      • Request the netmask of a particular device with an ICMP type 17 message (ADDRESS MASK REQUEST).
      • Example: icmpquery -t 192.168.1.1
        • -t requests the time.
      • Example: icmpquery -m 192.168.1.1
        • -m requests the netmask.
    • ICMP Query Countermeasures
      • Block ICMP types that give out information at your border routers.
      • Restrict TIMESTAMP (ICMP type 13) and ADDRESS MASK (ICMP type 17) requests.
      • Examples (Cisco IOS extended ACL; put these ahead of the permit lines, since a numbered ACL ends in an implicit deny):
        • access-list 101 deny icmp any any 13 ! timestamp request
        • access-list 101 deny icmp any any 17 ! address mask request
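The two ICMP queries above, as an added example that is not code from the notes or from icmpquery: it builds the type 13 and type 17 requests, builds the replies a target would send, and parses them. Sending needs a raw socket (root or CAP_NET_RAW); the builders and parsers run unprivileged, and the exchange in sample_exchange() is constructed, not captured.

```python
"""ICMP TIMESTAMP (13) and ADDRESS MASK (17) queries, as icmpquery -t / -m send them."""
import os
import socket
import struct
import sys
import time

ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, rest: bytes) -> bytes:
    """type, code 0, checksum, then the type-specific remainder of the message."""
    msg = struct.pack("!BBH", icmp_type, 0, 0) + rest
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def ms_since_midnight_utc() -> int:
    """ICMP timestamps are milliseconds since midnight UTC (RFC 792)."""
    return int((time.time() % 86400) * 1000)


# What the scanner sends: id/seq, then originate/receive/transmit (or the mask field).
def build_timestamp_request(ident, seq, originate_ms):
    return build_icmp(ICMP_TIMESTAMP_REQUEST, struct.pack("!HHIII", ident, seq, originate_ms, 0, 0))


def build_mask_request(ident, seq):
    return build_icmp(ICMP_MASK_REQUEST, struct.pack("!HHI", ident, seq, 0))


# What a target that has not filtered these types sends back.
def build_timestamp_reply(ident, seq, originate_ms, receive_ms, transmit_ms):
    return build_icmp(ICMP_TIMESTAMP_REPLY, struct.pack("!HHIII", ident, seq, originate_ms, receive_ms, transmit_ms))


def build_mask_reply(ident, seq, mask):
    return build_icmp(ICMP_MASK_REPLY, struct.pack("!HHI", ident, seq, mask))


def parse_timestamp_reply(icmp: bytes) -> dict:
    if len(icmp) < 20 or icmp_checksum(icmp) != 0:
        raise ValueError("bad length or checksum")
    typ, _code, _csum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    if typ != ICMP_TIMESTAMP_REPLY:
        raise ValueError("ICMP type %d is not a timestamp reply" % typ)
    # receive - originate is the target's clock offset from ours (plus one-way delay).
    # An offset near a whole number of hours means the target stamped local time
    # instead of UTC, which is how its time zone leaks. Wrap around midnight.
    offset_ms = (recv - orig) % 86_400_000
    if offset_ms > 43_200_000:
        offset_ms -= 86_400_000
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit,
            "offset_ms": offset_ms, "offset_hours": round(offset_ms / 3_600_000, 2)}


def parse_mask_reply(icmp: bytes) -> str:
    if len(icmp) < 12 or icmp_checksum(icmp) != 0:
        raise ValueError("bad length or checksum")
    typ, _code, _csum, _ident, _seq, mask = struct.unpack("!BBHHHI", icmp[:12])
    if typ != ICMP_MASK_REPLY:
        raise ValueError("ICMP type %d is not an address mask reply" % typ)
    return socket.inet_ntoa(struct.pack("!I", mask))


def strip_ip_header(packet: bytes) -> bytes:
    """A raw IPPROTO_ICMP socket hands back the IPv4 header as well; skip it."""
    return packet[(packet[0] & 0x0F) * 4:]


def query(host: str, kind: str, timeout: float = 2.0):
    """Send one request and parse the matching reply. Needs root / CAP_NET_RAW."""
    ident, seq = os.getpid() & 0xFFFF, 1
    if kind == "time":
        pkt, want = build_timestamp_request(ident, seq, ms_since_midnight_utc()), ICMP_TIMESTAMP_REPLY
    elif kind == "mask":
        pkt, want = build_mask_request(ident, seq), ICMP_MASK_REPLY
    else:
        raise ValueError("kind must be 'time' or 'mask'")
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)  # socket.timeout here means filtered, or no host
        s.sendto(pkt, (host, 0))
        while True:
            icmp = strip_ip_header(s.recvfrom(1500)[0])
            if icmp[0] == want and struct.unpack("!H", icmp[4:6])[0] == ident:
                return parse_timestamp_reply(icmp) if kind == "time" else parse_mask_reply(icmp)


def sample_exchange():
    """Constructed exchange: a target stamping local time five hours ahead of UTC, with a /24 mask."""
    orig = 50_000_000  # 13:53:20 UTC, in milliseconds since midnight
    reply = build_timestamp_reply(0x1234, 1, orig, orig + 5 * 3_600_000, orig + 5 * 3_600_000)
    mask = build_mask_reply(0x1234, 1, 0xFFFFFF00)
    return parse_timestamp_reply(reply), parse_mask_reply(mask)


if __name__ == "__main__":
    print(query(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else sample_exchange())
```

Run it as root with a host and "time" or "mask" to query a real target; with no arguments it parses the constructed exchange. A target that answers with a five-hour offset on a timestamp request has given away its time zone, which is exactly the leak the ACL lines above close.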
  • Determine which services are running or listening
    • Port scanning: the process of connecting to TCP and UDP ports on the target system to determine what services are running or are in a LISTENING state.
    • Goals: identify the TCP and UDP services running, determine the type of operating system, and identify the specific applications or versions in use.
    • Listening services are the entry points that may allow unauthorized access to the system and its software.
    • Scan Types
      • TCP connect scan
        • Completes the full three-way handshake (SYN, SYN/ACK, ACK) through the connect() system call.
        • Needs no special privileges, but the connection is usually logged on the target, so it is the easiest to detect.
      • TCP SYN scan
        • Half-open scanning: a SYN is sent to the port; a SYN/ACK means it is listening, an RST/ACK means it is closed.
        • The scanner answers the SYN/ACK with an RST instead of completing the handshake, so the connection is often not logged: stealthier than a full TCP connect.
        • RFC 793 (http://www.ietf.org/rfc/rfc0793.txt)
      • TCP FIN scan
        • A FIN is sent to the port; per RFC 793 a closed port replies with an RST and an open port stays silent.
        • Works against UNIX-based TCP/IP stacks; Windows replies with an RST either way.
      • TCP Xmas Tree scan
        • FIN, URG and PUSH flags set; closed ports should reply with an RST.
      • TCP Null scan
        • No flags set; closed ports should reply with an RST.
      • TCP ACK scan
        • Maps firewall rules: tells a stateful firewall from a simple packet filter that only blocks incoming SYNs.
      • TCP Windows scan
        • Detects open versus filtered ports on some systems from anomalies in the TCP window size of the replies.
      • TCP RPC scan
        • UNIX only: finds remote procedure call (RPC) ports and the program and version number each one serves.
      • UDP scan
        • A UDP packet is sent to the port; an ICMP port unreachable reply means closed, and no reply means the port may be open (or the probe was filtered). Slow and unreliable.
    • Identifying TCP and UDP services running
      • strobe
        • Example: strobe 192.168.1.10
        • strobe is a TCP scanner only and does not provide UDP scanning capabilities.
      • udp_scan
        • Example: udp_scan 192.168.1.1 1-1024
      • netcat
        • Example: nc -v -z -w2 192.168.1.1 1-1024
        • -v and -vv provide verbose and very verbose output.
        • -z is zero-I/O mode: connect without sending data, which is what makes nc usable as a port scanner.
        • -w2 sets a two-second timeout for each connection.
      • Network Mapper (nmap)
        • Example: nmap -h lists all options.
        • Accepts CIDR target notation such as 192.168.1.0/24; RFC 1519 (http://www.ietf.org/rfc/rfc1519.txt)
        • Ident scanning
          • Used to determine the owner of a particular TCP connection (the user the listening process runs as) by querying the ident service on port 113.
          • RFC 1413 (http://www.ietf.org/rfc/rfc1413.txt)
        • FTP bounce scanning
          • Abuses the FTP PORT command to make a third-party FTP server open connections to the target's ports, hiding the scanner's own address.
          • FTP protocol: RFC 959 (http://www.ietf.org/rfc/rfc959.txt)
        • If ports 135 and 139 are open, the system is probably Windows.
      • Port Scanning Breakdown
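The TCP ping scan in the "alive" section and the connect scans that strobe, nc -z and nmap perform are the same operation read two ways, so one added example covers both. This is not code from the notes or from any of the tools listed; the targets in demo() are a TCP listener and a silent UDP socket constructed on 127.0.0.1 so it runs offline.

```python
"""TCP connect() scan, TCP "ping" and a UDP probe (added example, not from the book).

A plain connect() yields two facts at once, which is why a probe to port 80
still discovers hosts when ICMP is blocked:
    connected          -> port open,   host alive
    ECONNREFUSED       -> port closed, host alive (it answered with an RST)
    timeout / no route -> filtered, or nothing there
"""
import socket
import sys
import threading

OPEN, CLOSED, FILTERED, OPEN_OR_FILTERED = "open", "closed", "filtered", "open|filtered"


def probe_tcp(host, port, timeout=1.0):
    """Full connect() scan of one port, as strobe, nc -z and nmap's connect scan do it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:  # RST came back: closed, but the host is there
        return CLOSED
    except OSError:                 # timeout, no route, host unreachable
        return FILTERED
    finally:
        s.close()


def probe_udp(host, port, timeout=1.0):
    """UDP scan of one port. Only an ICMP port unreachable (delivered by the kernel as
    ECONNREFUSED on a connected UDP socket) proves the port closed; silence is
    ambiguous, which is why UDP scanning is slow and unreliable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1024)
        return OPEN                 # the service answered
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return OPEN_OR_FILTERED
    except OSError:
        return FILTERED
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    return {p: probe_tcp(host, p, timeout) for p in ports}


def tcp_ping(host, ports=(80, 25, 110, 113, 143), timeout=1.0):
    """Host discovery without ICMP: any open or closed result means a host answered."""
    return any(probe_tcp(host, p, timeout) in (OPEN, CLOSED) for p in ports)


def guess_windows(results):
    """The notes' rule of thumb: 135 and 139 both open means probably Windows."""
    return results.get(135) == OPEN and results.get(139) == OPEN


def start_tcp_listener(host="127.0.0.1"):
    """Constructed target: a TCP service on an ephemeral port that accepts and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:         # listener closed
                return
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1", proto=socket.SOCK_STREAM):
    """A port nothing listens on: let the kernel pick one, then release it."""
    s = socket.socket(socket.AF_INET, proto)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=0.5):
    srv, open_port = start_tcp_listener()
    silent_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent_udp.bind(("127.0.0.1", 0))  # bound but never replies: the UDP ambiguity
    try:
        closed_port = free_port()
        return {
            "open": probe_tcp("127.0.0.1", open_port, timeout),
            "closed": probe_tcp("127.0.0.1", closed_port, timeout),
            "alive_via_closed_port": tcp_ping("127.0.0.1", ports=(closed_port,), timeout=timeout),
            "udp_silent": probe_udp("127.0.0.1", silent_udp.getsockname()[1], timeout),
            "udp_closed": probe_udp("127.0.0.1", free_port(proto=socket.SOCK_DGRAM), timeout),
        }
    finally:
        silent_udp.close()
        srv.close()


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        ports = [int(p) for p in sys.argv[2:]] or [21, 22, 23, 25, 80, 110, 113, 135, 139, 143]
        print("alive:", tcp_ping(host, tuple(ports)))
        print(scan(host, ports))
    else:
        print(demo())
```

Run with no arguments for the local demo, or with a host and optional port list to scan a real target. The point to take from demo() is that a closed port still marks the host as alive, while the silent UDP socket comes back as open|filtered, the same ambiguity udp_scan and nmap's UDP scan report.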
  • Detecting the Operating System
    • Active Stack Fingerprinting
      • FIN probe
        • A FIN is sent to an open port; RFC 793 says the port should not respond, but some stacks, such as Windows NT, reply with a FIN/ACK.
      • Bogus flag probe
      • Initial sequence number (ISN) probe
      • “Don’t fragment bit” monitoring
      • TCP initial window size
      • ACK value
      • ICMP error message quenching
        • Operating systems may follow RFC 1812 (http://www.ietf.org/rfc/rfc1812.txt) and limit the rate at which ICMP error messages are sent; the rate chosen differs between implementations.
      • ICMP message quoting
        • Information varies between operating systems so this may help to figure out which operating system is running.
      • ICMP error message-echoing integrity
      • Type of service (TOS)
      • Fragmentation handling
      • TCP options
        • RFC 793 (http://www.ietf.org/rfc/rfc0793.txt)
        • RFC 1323 (http://www.ietf.org/rfc/rfc1323.txt)
