CEH v10: 03 Scanning Networks
Table of Contents
Protocols #
These definitions is must-know !
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)
- ARP
- ICMP
- Ping Sweep: mass ICMP echo (ping) message
- SSDP
- DHCP
- DNS
- UPnP
TCP Flags #
SYN: Initiates a connection between two hosts to facilitate communicationACK: Acknowledge the receipt of a packetURG: Indicates that the data contained in the packet is urgent and should process it immediatelyPSH: Instructs the sending system to send all buffered data immediatelyFIN: Tells te remote system about the end of the communication. In essence, this gracefully closes the connectionRST: Reset a connection
Three-way handshake #
- Establish a TCP connection
sequenceDiagram
Computer1->>Computer2: SYN
Computer2->>Computer1: SYN+ACK
Computer1->>Computer2: ACK
OSI Model #
| Layer | Name | Example protocols |
|---|---|---|
| 7 | Application layer | HTTP, SNMP |
| 6 | Presentation layer | MIME, ASCII |
| 5 | Session layer | SOCKS, NetBIOS |
| 4 | Transport layer | TCP, UDP |
| 3 | Network layer | IP, ICMP |
| 2 | Data link layer | MAC, ARP |
| 1 | Physical layer | ethernet, Wi-Fi |
TCP/IP Model #
| Layer | Name | Example protocols |
|---|---|---|
| 4 | Application layer | HTTP, SNMP |
| 3 | Transport layer | TCP, UDP |
| 2 | Internet layer | IP, ICMP |
| 1 | Link layer | ARP, MAC |
Scanning Techniques #
TCP Connect() / Full Open Scan #
- Three-way handshake
- Completed connection
- Logged and detected
- Don’t need ROOT
- nmap:
-sT
Open port:
sequenceDiagram
Attacker->>Target: SYN
Target->>Attacker: SYN+ACK
Attacker->>Target: ACK
Target->>Attacker: RST
Closed port:
sequenceDiagram
Attacker->>Target: SYN
Target->>Attacker: RST
Example:
nmap -sT danielgorbe.com
Stealth Scan / Half-Open Scan #
- Half Three-way Handshake
- Nmap:
-sS
Open Port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: SYN
Target->>Attacker: SYN+ACK
Attacker->>Target: RST
Closed port:
sequenceDiagram
Attacker->>Target: SYN
Target->>Attacker: RST
Example:
nmap -sS danielgorbe.com
Inverse TCP Flag Scanning #
- Send TCP probe with TCP flags (i.e. FIN, URG, PSH, without flag)
- Xmas and Null scan
Xmas Scan #
- PSH+URG+FIN flag or ALL flag
- Create abnormal situation
- Nmap:
-sX
Open port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: FIN+URG+PSH
Target->>Attacker: No Response
Closed port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: FIN+URG+PSH
Target->>Attacker: RST
Example:
nmap -sX danielgorbe.com
NULL Scan #
- No flag
- Easy to detect
- Nmap:
-sN
Open port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: NULL
Target->>Attacker: No Response
Closed port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: NULL
Target->>Attacker: RST
Example:
nmap -sT danielgorbe.com
FIN Scan #
- FIN scan work with RFC-793 based TCP/IP (before Win XP)
- Only FIN flag
- Probably pass firewalls
- Nmap:
-sF
Open port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: FIN
Target->>Attacker: No Response
Closed port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: FIN
Target->>Attacker: RST
Example:
nmap -sF danielgorbe.com
ACK Flag probe scanning #
- Only ACK flag
- The response is always an RST
- Examine the RST header (i.e. TTL, WINDOW), the decide if port open or not
- Help identify filtering system: RST mean no firewall, No response mean there is a firewall
- Nmap:
-sA
Example:
nmap -sA danielgorbe.com
IDLE / IPID Header scan #
- Remaining low profile
- Scanning done by a zombie
- Based on Full Open scan
- The unsolicited SYN+ACK packet is ignored or responded with RST
- Every IP packet has Fragment Identification Number (IPID)
- OS increment IPID for each packet
- Nmap:
-sI <zombie host[:probeport]> - Explanation on Nmap’s website
UDP Scan #
- Connectionless protocol
- nmap:
-sU
Open port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: UDP Port Probe
Target->>Attacker: No Response
Closed port:
sequenceDiagram
participant Attacker
participant Target
Attacker->>Target: UDP Port Probe
Target->>Attacker: ICMP Port Unreachable
Example:
nmap -sA danielgorbe.com
IDS / IPS evasion #
- Packet fragmentation:
- Nmap:
-f - The IDS have to reassemble the packets to detect an attack
- Sending packet with delay
Example:
nmap -f danielgorbe.com
OS Fingerprinting #
Active OS fingerprinting #
- Nmap:
-O - Send TCP and UDP packets and observe the response from the host
Example:
nmap -O danielgorbe.com
Passive OS fingerprinting #
- Detail assessment of the traffic (TTL, TCP Window Size)
- Common values:
| OS | TTL | TCP Window Size |
|---|---|---|
| Linux | 64 | 5840 |
| Windows XP | 128 | 65535 |
| Windows 2008 | 128 | 8192 |
| FreeBSD | 64 | 5840 |
- More values here
Banner Grabbing #
- Determine the service
- Typically uses Telnet
Example:
nmap -sV danielgorbe.com
Proxy #
- System between the attacker and the target
- Hiding source IP address
- Impersonating
- Hide identity
Proxy chaining #
- Using multiple proxy server
- Most used proxy chains: Tor
Spoofing IP address #
- Modify packet header
- nmap has a decoy scan option, this option send packets with spoofed source IP to cloak the your address.
Example:
nmap -D 192.168.1.1,192.168.1.2 danielgorbe.com
This option sends 3 packets with source IP:
- 192.168.1.1
- 192.168.1.2
- Your IP
Detect Spoofing #
- Direct TTL probe (on same subnet)
- IP Identification Number