omotam img

Skip to main content
  1. Posts/

CEH v10: 03 Scanning Networks

··729 words·4 mins·

Protocols #

These definitions is must-know !

TCP Flags #

  • SYN: Initiates a connection between two hosts to facilitate communication
  • ACK: Acknowledge the receipt of a packet
  • URG: Indicates that the data contained in the packet is urgent and should process it immediately
  • PSH: Instructs the sending system to send all buffered data immediately
  • FIN: Tells te remote system about the end of the communication. In essence, this gracefully closes the connection
  • RST: Reset a connection

Three-way handshake #

  • Establish a TCP connection
sequenceDiagram
    Computer1->>Computer2: SYN
    Computer2->>Computer1: SYN+ACK
    Computer1->>Computer2: ACK

OSI Model #

LayerNameExample protocols
7Application layerHTTP, SNMP
6Presentation layerMIME, ASCII
5Session layerSOCKS, NetBIOS
4Transport layerTCP, UDP
3Network layerIP, ICMP
2Data link layerMAC, ARP
1Physical layerethernet, Wi-Fi

TCP/IP Model #

LayerNameExample protocols
4Application layerHTTP, SNMP
3Transport layerTCP, UDP
2Internet layerIP, ICMP
1Link layerARP, MAC

Scanning Techniques #

TCP Connect() / Full Open Scan #

  • Three-way handshake
  • Completed connection
  • Logged and detected
  • Don’t need ROOT
  • nmap: -sT

Open port:

sequenceDiagram
    Attacker->>Target: SYN
    Target->>Attacker: SYN+ACK
    Attacker->>Target: ACK
    Target->>Attacker: RST

Closed port:

sequenceDiagram
    Attacker->>Target: SYN
    Target->>Attacker: RST

Example:

nmap -sT danielgorbe.com

Stealth Scan / Half-Open Scan #

  • Half Three-way Handshake
  • Nmap: -sS

Open Port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: SYN
    Target->>Attacker: SYN+ACK
    Attacker->>Target: RST

Closed port:

sequenceDiagram
    Attacker->>Target: SYN
    Target->>Attacker: RST

Example:

nmap -sS danielgorbe.com

Inverse TCP Flag Scanning #

  • Send TCP probe with TCP flags (i.e. FIN, URG, PSH, without flag)
  • Xmas and Null scan

Xmas Scan #

  • PSH+URG+FIN flag or ALL flag
  • Create abnormal situation
  • Nmap: -sX

Open port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: FIN+URG+PSH
    Target->>Attacker: No Response

Closed port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: FIN+URG+PSH
    Target->>Attacker: RST

Example:

nmap -sX danielgorbe.com

NULL Scan #

  • No flag
  • Easy to detect
  • Nmap: -sN

Open port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: NULL
    Target->>Attacker: No Response

Closed port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: NULL
    Target->>Attacker: RST

Example:

nmap -sT danielgorbe.com

FIN Scan #

  • FIN scan work with RFC-793 based TCP/IP (before Win XP)
  • Only FIN flag
  • Probably pass firewalls
  • Nmap: -sF

Open port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: FIN
    Target->>Attacker: No Response

Closed port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: FIN
    Target->>Attacker: RST

Example:

nmap -sF danielgorbe.com

ACK Flag probe scanning #

  • Only ACK flag
  • The response is always an RST
  • Examine the RST header (i.e. TTL, WINDOW), the decide if port open or not
  • Help identify filtering system: RST mean no firewall, No response mean there is a firewall
  • Nmap: -sA

Example:

nmap -sA danielgorbe.com

IDLE / IPID Header scan #

  • Remaining low profile
  • Scanning done by a zombie
  • Based on Full Open scan
  • The unsolicited SYN+ACK packet is ignored or responded with RST
  • Every IP packet has Fragment Identification Number (IPID)
  • OS increment IPID for each packet
  • Nmap: -sI <zombie host[:probeport]>
  • Explanation on Nmap’s website

UDP Scan #

  • Connectionless protocol
  • nmap: -sU

Open port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: UDP Port Probe
    Target->>Attacker: No Response

Closed port:

sequenceDiagram
    participant Attacker
    participant Target
    Attacker->>Target: UDP Port Probe
    Target->>Attacker: ICMP Port Unreachable

Example:

nmap -sA danielgorbe.com

IDS / IPS evasion #

  • Packet fragmentation:
  • Nmap: -f
  • The IDS have to reassemble the packets to detect an attack
  • Sending packet with delay

Example:

nmap -f danielgorbe.com

OS Fingerprinting #

Active OS fingerprinting #

  • Nmap: -O
  • Send TCP and UDP packets and observe the response from the host

Example:

nmap -O danielgorbe.com

Passive OS fingerprinting #

  • Detail assessment of the traffic (TTL, TCP Window Size)
  • Common values:
OSTTLTCP Window Size
Linux645840
Windows XP12865535
Windows 20081288192
FreeBSD645840
  • Determine the service
  • Typically uses Telnet

Example:

nmap -sV danielgorbe.com

Proxy #

  • System between the attacker and the target
  • Hiding source IP address
  • Impersonating
  • Hide identity

Proxy chaining #

  • Using multiple proxy server
  • Most used proxy chains: Tor

Spoofing IP address #

  • Modify packet header
  • nmap has a decoy scan option, this option send packets with spoofed source IP to cloak the your address.

Example:

nmap -D 192.168.1.1,192.168.1.2 danielgorbe.com

This option sends 3 packets with source IP:

  1. 192.168.1.1
  2. 192.168.1.2
  3. Your IP

Detect Spoofing #

  • Direct TTL probe (on same subnet)
  • IP Identification Number