Idle Scan: Step 2.2 (Closed Port)
Ethical Hacking and Countermeasures
Scanning Networks

Exam 312-50 Certified Ethical Hacker

[Figure: the attacker sends a SYN packet to port 80 of the target, spoofing the zombie's IP address; the port is closed. Slide text fragment: "... not send anything back."]
FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed
Idle Scan: Step 3
Probe the "zombie" IPID again.

[Figure: the attacker sends an IPID probe (SYN/ACK packet) to the zombie; the zombie answers with a RST packet carrying IPID = 31339. The IPID has incremented by 2 since Step 1, so port 80 must be open.]
FIGURE 3.32: IPID Probe Request and Response
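The three idle scan steps above, walked through in an added Python model that is not part of the courseware: the Zombie, Target and idle_scan_port names are my own, and the zombie's starting counter is chosen so that the numbers reproduce Figure 3.32 (step 1 returns 31337, step 3 returns 31339 for an open port).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class Zombie:
    """Idle host whose IP ID counter rises by one for every packet it emits,
    the property an idle scan depends on. The initial value is chosen so that
    the step 1 probe returns 31337 and, for an open port, step 3 returns
    31339 as in Figure 3.32. `other_traffic` models a zombie that is not
    really idle (packets sent to third parties between the two probes)."""
    ipid: int = 31336
    other_traffic: int = 0

    def _emit(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF   # 16-bit field wraps around
        return self.ipid

    def receive(self, flags: str) -> Optional[int]:
        """An unsolicited SYN/ACK is answered with a RST (one IP ID consumed);
        a RST for a connection it never opened is silently dropped."""
        return self._emit() if flags == "SYN/ACK" else None

    def background_activity(self) -> None:
        for _ in range(self.other_traffic):
            self._emit()


@dataclass
class Target:
    """Scanned host: a SYN to an open port draws SYN/ACK, to a closed port a
    RST, and to a firewalled port nothing at all."""
    open_ports: FrozenSet[int]
    filtered_ports: FrozenSet[int] = frozenset()

    def receive_syn(self, port: int) -> Optional[str]:
        if port in self.filtered_ports:
            return None
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_zombie_ipid(zombie: Zombie) -> int:
    """Steps 1 and 3: send SYN/ACK to the zombie, read the IP ID of its RST."""
    ipid = zombie.receive("SYN/ACK")
    assert ipid is not None
    return ipid


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> Dict[str, object]:
    """Run the three steps for one port and infer its state from the IP ID
    delta observed at the zombie. Only the zombie ever exchanges packets with
    the target, which is why the target's logs show the zombie's address;
    stacks that randomize IP IDs show up here as an unusable zombie."""
    before = probe_zombie_ipid(zombie)           # step 1
    zombie.background_activity()
    reply = target.receive_syn(port)             # step 2: SYN with the zombie's source address
    if reply is not None:
        zombie.receive(reply)                    # the target answers the zombie, not the attacker
    after = probe_zombie_ipid(zombie)            # step 3
    delta = (after - before) & 0xFFFF
    if delta == 2:
        state = "open"                           # the zombie RST'ed the target's SYN/ACK
    elif delta == 1:
        state = "closed|filtered"                # the zombie sent only its RST to us
    else:
        state = "unusable zombie"                # busy host or randomized IP IDs
    return {"before": before, "after": after, "delta": delta, "state": state}


if __name__ == "__main__":
    target = Target(open_ports=frozenset({80}))
    print(idle_scan_port(Zombie(), target, 80))  # delta 2 -> open
    print(idle_scan_port(Zombie(), target, 81))  # delta 1 -> closed|filtered
```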

Module 03 Page 319

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

ICMP Echo Scanning/List Scan

ICMP Echo Scanning
- This is not really port scanning, since ICMP does not have a port abstraction
- But it is sometimes useful to determine which hosts in a network are up by pinging them all

List Scan
- This type of scan simply generates and prints a list of IPs/Names without actually pinging or port scanning them
- A DNS name resolution will also be carried out

nmap -P cert.org/24 152.148.0.0/16

[Zenmap screenshots of the ICMP echo scan and list scan results; see Figures 3.33 and 3.34.]

ICMP Echo Scanning/List Scan

ICMP echo scanning is used to discover live machines by pinging all the machines in the target network. Attackers send ICMP probes to the broadcast or network address, which is relayed to all the host addresses in the subnet. The live systems will send an ICMP echo reply message to the source of the ICMP echo probe. ICMP echo scanning is used in UNIX/Linux and BSD-based machines, as the TCP/IP stack implementations in these operating systems respond to ICMP echo requests sent to the broadcast addresses. This technique cannot be used in Windows-based networks, as the TCP/IP stack implementation in Windows machines is configured, by default, not to reply to ICMP probes directed to the broadcast address.

ICMP echo scanning is not referred to as port scanning since it does not have a port abstraction. ICMP echo scanning is useful to determine which hosts in a network are active by pinging them all. The active hosts in the network are displayed in Zenmap as "Host is up (0.020s latency)." You can observe that in the screenshot:


[Zenmap screenshot: command "nmap -sn 192.168.1.26"; Nmap Output tab:
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-13 18:37 Standard Time
Nmap scan report for 192.168.1.26
Host is up (0.0020s latency).
Nmap done: 1 IP address (1 host up) scanned in 16.57 seconds]
FIGURE 3.33: Zenmap showing ICMP Echo Scanning Result
In a list scan, discovery of the active hosts in the network is done indirectly. A list scan simply generates and prints a list of IPs/Names without actually pinging the hostnames or port scanning them. As a result, the list scan output for all the IP addresses will be shown as "not scanned," i.e., (0 hosts up). By default, a reverse DNS resolution is still carried out on the hosts by Nmap for learning their names.

[Zenmap screenshot: command "nmap -sL -v 192.168.168.5"; Nmap Output tab:
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:54 Standard Time
Initiating Parallel DNS resolution of 1 host, at 13:54
Completed Parallel DNS resolution of 1 host, at 13:54, 0.04s elapsed
Nmap scan report for 192.168.168.5
Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds]
FIGURE 3.34: Zenmap showing List Scanning Result

Advantage:
- A list scan can perform a good sanity check.
- The incorrectly defined IP addresses on the command line or in an option file are detected by the list scan. The detected errors should be repaired prior to running any "active" scan.


UDP Scanning

[Figure: the attacker asks the server "Are you open on UDP Port 29?"; no response if the port is open; if the port is closed, an ICMP Port unreachable message is received.]

UDP Port Open
- There is no three-way TCP handshake for a UDP scan
- The system does not respond with a message when the port is open

UDP Port Closed
- If a UDP packet is sent to a closed port, the system responds with an ICMP port unreachable message
- Spyware, Trojan horses, and other malicious applications use UDP ports
UDP Scanning

UDP Raw ICMP Port Unreachable Scanning
UDP port scanners use the UDP protocol instead of TCP, and can be more difficult than TCP scanning. You can send a packet, but you cannot determine whether the host is alive, dead, or filtered. However, there is one ICMP message that you can use to determine whether ports are open or closed. If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. If any port returns an ICMP error, then it's closed, while the ports that didn't answer are either open or filtered by the firewall. This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.

UDP Packets
Source: http://nmap.org
When you send a packet to a closed UDP port, most hosts send an ICMP_PORT_UNREACH error. Thus, you can find out if a port is NOT open. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement the retransmission of packets that appear lost. UDP scanners interpret lost traffic as open ports.


In addition, this scanning technique is slow because the ICMP error message rate is limited, as a compensation for machines that apply RFC 1812 section 4.3.2.8. A remote host will need access to the raw ICMP socket to distinguish closed from unreachable ports.

UDP recvfrom() and write() Scanning
While non-root users cannot read port unreachable errors directly, Linux informs you indirectly when they are received.

Example
For example, a second write() call to a closed port will usually fail. A lot of scanners, such as Netcat and Pluvial pscan.c, do recvfrom() on non-blocking UDP sockets, which usually return EAGAIN ("Try Again," errno 13) if the ICMP error has not been received, and ECONNREFUSED ("Connection refused," errno 111) if it has. This is the technique used for determining open ports when non-root users use -u (UDP). Root users can also use the -l (lamer UDP scan) option to force this.

Advantage:
The UDP scan is less informal regarding an open port, since there's no overhead of a TCP handshake. However, if ICMP is responding to each unavailable port, the number of total frames can exceed that of a TCP scan. Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.

Disadvantage:
The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sV) or the operating system fingerprinting option (-O).
The UDP scan requires privileged access, so this scan option is only available on systems with the appropriate user permissions.
Most networks have huge amounts of TCP traffic; as a result, the efficiency of the UDP scan is lost. The UDP scan will locate these open ports and provide the security manager with valuable information that can be used to identify the invasions achieved by the attacker on open UDP ports caused by spyware applications, Trojan horses, and other malicious software.
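The rate-limited ICMP error, the retransmission requirement and the "lost traffic is read as open" rule from the UDP paragraphs above, in an added Python simulation that is not part of the courseware: UdpTarget, udp_scan and the port numbers are constructed for this example, and only the raw-ICMP variant is modelled (not the non-root errno trick).

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# ICMP type 3 (destination unreachable) codes as a raw-ICMP UDP scanner reads them
PORT_UNREACHABLE = 3                 # the only code that means "closed"
FILTERED_CODES = {1, 2, 9, 10, 13}   # host/net unreachable, admin prohibited: "filtered"


@dataclass
class UdpTarget:
    """Constructed target (not a host from the courseware). A closed port is
    answered with ICMP port unreachable, but never more often than once per
    `icmp_interval_ms`, the RFC 1812 section 4.3.2.8 style rate limit the text
    blames for slow UDP scans. Open ports stay silent unless the service
    understands the probe payload (NTP and DNS, for instance, answer)."""
    open_replying: Set[int]
    open_silent: Set[int]
    admin_prohibited: Set[int] = field(default_factory=set)
    icmp_interval_ms: int = 1000
    _last_icmp_ms: int = -10**9

    def probe(self, port: int, now_ms: int) -> Optional[Tuple[str, int]]:
        if port in self.open_replying:
            return ("udp", 0)                  # a UDP reply is proof of an open port
        if port in self.open_silent:
            return None                        # open but silent: indistinguishable from loss
        code = 13 if port in self.admin_prohibited else PORT_UNREACHABLE
        if now_ms - self._last_icmp_ms < self.icmp_interval_ms:
            return None                        # error swallowed by the rate limiter
        self._last_icmp_ms = now_ms
        return ("icmp", code)


def classify(resp: Optional[Tuple[str, int]]) -> Optional[str]:
    """Map one response (or silence) to a port state; None means try again."""
    if resp is None:
        return None
    kind, code = resp
    if kind == "udp":
        return "open"
    if code == PORT_UNREACHABLE:
        return "closed"
    if code in FILTERED_CODES:
        return "filtered"
    return None


def udp_scan(target: UdpTarget, ports: Iterable[int],
             max_retries: int = 4, base_delay_ms: int = 100) -> Dict[int, str]:
    """Scan ports in order on one clock. A silent probe is retransmitted with a
    doubling delay; only when every retry stays silent is the port reported
    open|filtered, the "lost traffic read as open" the text warns about."""
    now_ms, results = 0, {}
    for port in ports:
        delay, state = base_delay_ms, "open|filtered"
        for _ in range(max_retries + 1):
            verdict = classify(target.probe(port, now_ms))
            now_ms += delay
            if verdict is not None:
                state = verdict
                break
            delay *= 2                         # back off: the host may be rate limiting
        results[port] = state
    return results


def make_target() -> UdpTarget:
    """Constructed host: 123 answers, 137 is open but silent, 161 is admin-prohibited,
    every other port (9, 10, 11 below) is closed."""
    return UdpTarget(open_replying={123}, open_silent={137}, admin_prohibited={161})


if __name__ == "__main__":
    ports = [123, 137, 9, 10, 11, 161]
    print(udp_scan(make_target(), ports, max_retries=4))  # 9, 10, 11 closed; 161 filtered
    print(udp_scan(make_target(), ports, max_retries=0))  # 10, 11, 161 wrongly open|filtered
```

Without retransmission only the first closed port after a quiet spell is reported correctly; every later closed port hits the rate limiter and is misread as open|filtered.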
[Figure: the attacker asks the server "Are you open on UDP Port 29?"; no response if the port is open; if the port is closed, an ICMP Port unreachable message is received.]
FIGURE 3.35: UDP Scanning


[Zenmap screenshot: command "nmap -sU -v 192.168.168.3"; Nmap Output tab:
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 12:47 Standard Time
Initiating ARP Ping Scan at 12:47
Scanning 192.168.168.3 [1 port]
Completed ARP Ping Scan at 12:47, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host, at 12:47
Completed Parallel DNS resolution of 1 host, at 12:47, 0.02s elapsed
Initiating UDP Scan at 12:47
Scanning 192.168.168.3 [1000 ports]
Discovered open port 5353/udp on 192.168.168.3
Discovered open port 137/udp on 192.168.168.3
Discovered open port 123/udp on 192.168.168.3
Increasing send delay for 192.168.168.3 from 0 to 50 due to 216 out of 719 dropped probes since last increase.
Completed UDP Scan at 12:47, 19.66s elapsed (1000 total ports)
Nmap scan report for 192.168.168.3
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (0.000063s latency).
Not shown: 994 closed ports
PORT       STATE         SERVICE
88/udp     open|filtered kerberos-sec
123/udp    open          ntp
137/udp    open          netbios-ns
138/udp    open|filtered netbios-dgm
5353/udp   open          zeroconf
58178/udp  open|filtered unknown
MAC Address:
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 22.09 seconds
Raw packets sent: 1839 (52.401KB) | Rcvd: 998 (56.065KB)]
FIGURE 3.36: Zenmap showing UDP Scanning Result

Inverse TCP Flag Scanning

Attackers send TCP probe packets with various TCP flags (FIN, URG, PSH) set or with no flags; no response means the port is open and RST/ACK means the port is closed.

[Figure: a probe packet (FIN/URG/PSH/NULL) from the attacker draws no response: the port is open. A probe packet (FIN/URG/PSH/NULL) from the attacker draws RST/ACK: the port is closed.]

Inverse TCP Flag Scanning

Attackers send TCP probe packets by enabling various TCP flags (FIN, URG, PSH) or with no flags. When the port is open, the attacker doesn't get any response from the host, whereas when the port is closed, he or she receives the RST/ACK from the target host.

The SYN packets that are sent to the sensitive ports of the targeted hosts are detected by security mechanisms such as firewalls and IDS. Programs such as Synlogger and Courtney are available to log half-open SYN flag scan attempts. At times, the probe packets enabled with TCP flags can pass through filters undetected, depending on the security mechanisms installed.

Probing a target using a half-open SYN flag is known as an inverted technique. It is called this because only the closed ports send a response back. According to RFC 793, an RST/ACK packet must be sent for connection reset when the port is closed on the host side. Attackers take advantage of this feature to send TCP probe packets to each port of the target host with various TCP flags set.
Common flag configurations used for probe packets include:
- A FIN probe with the FIN TCP flag set
- An XMAS probe with the FIN, URG, and PUSH TCP flags set
- A NULL probe with no TCP flags set
- A SYN/ACK probe

All the closed ports on the targeted host will send an RST/ACK response. Since the RFC 793 standard is completely ignored in operating systems such as Windows, you cannot see the RST/ACK response when connected to a closed port on the target host. This technique is effective when used with UNIX-based operating systems.

Advantages
- Avoids many IDS and logging systems, highly stealthy

Disadvantages
- Needs raw access to network sockets, thus requiring super-user privileges
- Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts in particular)
[Figure: probe packet (FIN/URG/PSH/NULL) from the attacker to the target host; no response; port is open.]
FIGURE 3.37: Inverse TCP Flag Scanning when Port is Open
[Figure: probe packet (FIN/URG/PSH/NULL) from the attacker to the target host; RST/ACK returned; port is closed.]
FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed


ACK Flag Scanning

A stealthy technique is used for identifying open TCP ports. In this technique a TCP packet with the ACK flag ON is sent to the remote host, and then the header information of the RST packets sent back by the remote host is analyzed. Using this technique one can exploit the potential vulnerabilities of the BSD-derived TCP/IP stack. This technique gives good results when used with certain operating systems and platforms.

ACK scanning can be performed in two ways:
- TTL field analysis
- WINDOW field analysis

Using the TTL value one can determine the number of systems the TCP packet traverses. You can send an ACK probe packet with a random sequence number: no response means the port is filtered (a stateful firewall is present) and an RST response means the port is not filtered.
nmap -sA -P0 10.10.0.25

Starting nmap 5.21 (http://nmap.org) at 2010-05-16 12:15 EST
All 529 scanned ports on 10.10.0.25 are: filtered


Stateful Firewall is Present
[Figure: probe packet (ACK) from the attacker to the target host; no response.]
FIGURE 3.39: ACK Flag Scanning when Stateful Firewall is Present
No Firewall
[Figure: probe packet (ACK) from the attacker to the target host; RST returned.]
FIGURE 3.40: ACK Flag Scanning when No Firewall is Present
[Zenmap screenshot: command "nmap -sA -v -Pn 192.168.168.5"; Nmap Output tab:
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:09 Standard Time
Initiating ARP Ping Scan at 13:10
Scanning 192.168.168.5 [1 port]
Completed ARP Ping Scan at 13:10, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host, at 13:10
Completed Parallel DNS resolution of 1 host, at 13:10, 0.10s elapsed
Initiating ACK Scan at 13:10
Scanning 192.168.168.5 [1000 ports]
Completed ACK Scan at 13:10, 21.38s elapsed (1000 total ports)
Nmap scan report for 192.168.168.5
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (latency value illegible in the screenshot).
All 1000 scanned ports on 192.168.168.5 are filtered
MAC Address:
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 23.90 seconds
Raw packets sent: 2001 (80.028KB) | Rcvd: 1 (28B)]
FIGURE 3.41: Zenmap showing ACK Flag Scanning Result
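An added Python model, mine and not the courseware's, covering both the inverse TCP flag scan section and the ACK flag scan section above: the Stack class, its rfc793/rst_window_leak/stateful_fw switches and the port numbers are constructed assumptions, chosen to reproduce the BSD-versus-Windows caveat and the stateful-firewall case the text describes.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

PROBES = {"FIN": {"FIN"}, "XMAS": {"FIN", "URG", "PSH"}, "NULL": set(), "ACK": {"ACK"}}


@dataclass
class Stack:
    """Constructed target host (not from the courseware).
    rfc793=True: closed ports answer out-of-state probes with RST/ACK and open
    ports drop them silently (BSD-derived behaviour); rfc793=False: every port
    answers with RST/ACK regardless (the Windows behaviour the text describes).
    rst_window_leak: RSTs from open ports carry a non-zero window, the quirk
    WINDOW field analysis relies on. stateful_fw: a firewall drops any packet
    that does not belong to a connection it has already seen."""
    open_ports: Set[int]
    rfc793: bool = True
    rst_window_leak: bool = False
    stateful_fw: bool = False

    def respond(self, flags: Set[str], port: int) -> Optional[Tuple[str, int]]:
        if self.stateful_fw:
            return None                          # no SYN was seen, so the probe is dropped
        is_open = port in self.open_ports
        window = 1024 if (is_open and self.rst_window_leak) else 0
        if flags == {"ACK"}:
            return ("RST", window)               # RFC 793: a stray ACK draws a RST from any port
        if is_open and self.rfc793:
            return None                          # open port ignores FIN/XMAS/NULL
        return ("RST/ACK", window)               # closed port resets the "connection"


def inverse_scan(host: Stack, ports: Iterable[int], probe: str = "FIN") -> Dict[int, str]:
    """FIN/XMAS/NULL scan. The text reads silence as open; a filter that drops
    the probe is silent too, so the honest label is open|filtered."""
    flags = PROBES[probe]
    return {p: "closed" if host.respond(flags, p) else "open|filtered" for p in ports}


def ack_scan(host: Stack, ports: Iterable[int], window_analysis: bool = False) -> Dict[int, str]:
    """ACK scan: a RST means the port is reachable through whatever firewall
    exists (unfiltered); silence means a stateful firewall is present
    (filtered). With window_analysis the RST's window field separates open
    from closed, which only works on stacks that leak it."""
    out = {}
    for p in ports:
        r = host.respond({"ACK"}, p)
        if r is None:
            out[p] = "filtered"
        elif window_analysis:
            out[p] = "open" if r[1] > 0 else "closed"
        else:
            out[p] = "unfiltered"
    return out


if __name__ == "__main__":
    ports = [22, 23, 80]
    bsd = Stack(open_ports={22, 80}, rst_window_leak=True)
    win = Stack(open_ports={22, 80}, rfc793=False)
    print(inverse_scan(bsd, ports, "XMAS"))  # 23 closed, 22/80 open|filtered
    print(inverse_scan(win, ports, "FIN"))   # everything "closed": the scan tells nothing
    print(ack_scan(Stack(open_ports={80}, stateful_fw=True), [80, 81]))  # all filtered
    print(ack_scan(bsd, ports, window_analysis=True))  # 22/80 open, 23 closed
```

The Windows-like run is the defender's takeaway: a stack that answers every out-of-state probe with RST/ACK makes FIN, XMAS and NULL scans report every port as closed, and an IDS rule that flags such flag combinations catches them regardless of the target's stack.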


Scanning Tool: NetScanTools Pro

[Screenshot: NetScanTools Pro 11.00, TCP/UDP Connection Endpoint List tab, listing local and remote IP addresses and ports with the owning process for each entry.]
http://www.netscantools.com

Scanning Tool: NetScanTools Pro

Source: http://www.netscantools.com
NetScanTools Pro is an investigation tool. It allows you to troubleshoot, monitor, discover, and detect devices on your network. You can gather information about the local LAN as well as Internet users, IP addresses, ports, etc. using this tool. You can find vulnerabilities and exposed ports in your system. It is a combination of many network tools and utilities. The tools are categorized by functions such as active, passive, DNS, and local computer.

Active Discovery and Diagnostic Tools: Used for testing and locating devices that are connected to your network.

Passive Discovery Tools: Monitor the activities of the devices that are connected to your network and also gather information from third parties.

DNS Tools: Used to detect problems with DNS.

Local Computer and General Information Tools: Provide details about your local computer's network.

Benefits:
- The information gathering process is made simpler and faster by automating the use of many network tools
