[CEH] Scanning
Shared by Nguyễn Duy Diệu | 29/04/2019
Category: Other lectures
Document content:
Ethical Hacking
Module III
Scanning
Module Objective
Detecting ‘live’ systems on target network.
Discovering services running/ listening on target systems.
Understanding port scanning techniques.
Identifying TCP and UDP services running on target network.
Discovering the operating system
Understanding active and passive fingerprinting.
Automated discovery tools.
Detecting ‘Live’ Systems On Target Network
Why?
To determine the perimeter of the target network /system
To facilitate network mapping
To build an inventory of accessible systems on target network
Tools
War Dialers
Ping Utilities
War Dialers
A war dialer is a tool that dials a large pool of telephone numbers to find answering modems that may provide access to a system.
A demon dialer is a tool that repeatedly dials one specific number to reach the modem behind it and gain access to that system.
The threat is high in environments where poorly configured remote-access products answer the phone line and provide entry to a larger network.
Tools include THC-Scan, ToneLoc, TBA etc.
War Dialer
Tool: THC Scan
Ping
Ping sends out an ICMP Echo Request packet and waits for an ICMP Echo Reply from an active machine.
Alternatively, TCP or UDP probes are sent if inbound ICMP is blocked; any answer, even a TCP RST, shows that the host is up.
Ping reports the round-trip time of each packet, which helps in assessing network latency and packet loss.
Ping can also be used to resolve host names, since it looks the name up before sending.
Tools include Pinger, WS_Ping ProPack, NetScan Tools, hping, icmpenum
Tool: Pinger
Detecting Ping Sweeps
Ping sweeps form a basic step in network mapping by polling network blocks and/or IP address ranges.
Ping Utilities include:
WS_PingProPack (www.ipswitch.com)
NetScan Tools (www.nwpsw.com)
Hping (http://www.hping.org/download.html)
icmpenum (www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz)
Ping Sweep Detection Utilities include:
Network based IDS (www.snort.org)
Genius (www.indiesoft.com)
BlackICE (www.networkice.com)
Scanlogd (www.openwall.com/scanlogd)
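The detectors listed above (Snort, scanlogd and the like) flag a ping sweep by counting how many distinct hosts one source probes with ICMP Echo Requests inside a short time window. The following is an added example, not code from the slides or from any of those tools; it runs that logic over a constructed, simplified log format (`<epoch> ICMP <src> -> <dst> type=<n>`, an assumption made for the demo) and returns the sources that crossed the threshold:

```python
"""Ping-sweep detector over ICMP log lines (added example, not from the slides).

Log format is a constructed simplification: "<epoch> ICMP <src> -> <dst> type=<n>".
Real Snort/scanlogd output differs; only parse_line() needs changing for it.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+ICMP\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+type=(?P<type>\d+)$"
)


def parse_line(line):
    """Return (epoch, src, dst, icmp_type), or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["type"])


def detect_sweeps(lines, window=60, threshold=10):
    """Return {src: set(dst)} for every source that sent Echo Requests (type 8)
    to at least `threshold` distinct hosts within any `window`-second span."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, icmp_type = parsed
        if icmp_type != 8:          # replies and other ICMP types are not probes
            continue
        by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()               # sliding window needs time order
        in_window = defaultdict(int)
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events that fell out of the window, keeping distinct-dst counts
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                flagged.setdefault(src, set()).update(in_window)
    return flagged


def sample_log():
    """Constructed log: 10.0.0.5 sweeps 16 hosts in 15 s, 10.0.0.7 polls one
    server repeatedly, plus an Echo Reply and a junk line that must be ignored."""
    base = 1_700_000_000
    lines = [f"{base + i} ICMP 10.0.0.5 -> 192.168.1.{i + 1} type=8" for i in range(16)]
    lines += [f"{base + 3 * i} ICMP 10.0.0.7 -> 192.168.1.20 type=8" for i in range(12)]
    lines.append(f"{base + 2} ICMP 192.168.1.3 -> 10.0.0.5 type=0")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, hosts in detect_sweeps(sample_log()).items():
        print(f"possible ping sweep from {src}: {len(hosts)} hosts probed")
```

Tune `window` and `threshold` to the network: too low a threshold fires on monitoring systems that legitimately poll many hosts, while a slow sweep spread over hours slips under a 60-second window and needs longer-lived per-source state. Echo Replies (type 0) and unparseable lines are skipped rather than counted.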
Discovering services running/ listening on target systems.
Why?
To determine live hosts in the event of ICMP requests being blocked by host.
To identify potential ports for furthering the attack.
To understand specific applications / versions of a service.
To discover operating system details.
Tools
Port Scanners
TCP three-way handshake
Understanding Port Scanning Techniques
Port scanning is one of the most popular reconnaissance techniques used by attackers to discover services that can be compromised.
A potential target computer runs many ‘services’ that listen on ‘well-known’ ports.
By scanning which ports are open on the victim, the attacker finds candidate services whose vulnerabilities can then be exploited.
Scan techniques can be differentiated broadly into Vanilla (full connect to every port), Strobe (a short list of interesting ports), Stealth (SYN, FIN, NULL, Xmas), FTP Bounce, Fragmented Packets, Sweep and UDP scans.
Port Scanning Techniques
Port Scanning Techniques can be broadly classified into:
Open scan
Half- open scan
Stealth scan
Sweeps
Misc
Tool: ipEye, IPSecScan
Tool: NetScan Tools Pro 2003
Tool: SuperScan
Tool: NMap (Network Mapper)
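The ‘open’ (vanilla connect) scan from the classification above completes the full TCP three-way handshake for every port, which is what the following added example does with Python's standard library against a throwaway local listener. It is not code from the slides or from any of the tools named; the listener, the port choices and the timeout are assumptions for the demo. A connect() that succeeds means the port answered SYN/ACK (open), ECONNREFUSED means it answered RST (closed), and a timeout means nothing came back (filtered):

```python
"""TCP connect() scan against a local test listener (added example, not from the slides).

Each probe completes the three-way handshake, so the target service sees (and may
log) a connection: the trade-off that separates open scans from half-open ones.
"""
import errno
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():                      # accept and drop, like a quiet service
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """Classify one port: 'open' (handshake completed), 'closed' (RST ->
    ECONNREFUSED) or 'filtered' (no answer before the timeout / unreachable)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def connect_scan(host, ports, timeout=0.5):
    """Return {port: state} for every port in `ports`."""
    return {p: probe(host, p, timeout) for p in ports}


def free_port(host="127.0.0.1"):
    """Ask the kernel for an unused port and release it, to get a 'closed' target."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one listening and one closed loopback port; returns (results, open, closed)."""
    srv, open_port = start_listener()
    try:
        closed_port = free_port()
        return connect_scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        srv.close()


if __name__ == "__main__":
    results, _, _ = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
```

Because the handshake completes, the service sees the connection and an IDS sees a completed session; half-open (SYN) and stealth (FIN, NULL, Xmas) scans avoid that but need raw sockets and, on most systems, root. The loopback demo cannot produce a ‘filtered’ result; point `connect_scan` at a firewalled host to exercise the timeout path.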
Active Stack Fingerprinting
Fingerprinting is done to determine the remote OS.
Knowing the OS lets an attacker pick exploits that fit it, leaving a smaller footprint and having a greater chance of success.
It is based on the fact that different OS vendors implement the TCP/IP stack differently (initial TTL, window size, option ordering, handling of unusual flag combinations).
Specially crafted packets are sent to the remote host and the responses are noted. These are compared with a database of known stack behaviours to determine the OS.
Passive Fingerprinting
Passive fingerprinting is also based on differences in stack implementation and in the way each OS fills in fields such as TTL, window size and TCP options.
However, instead of sending probes to the target host, passive fingerprinting captures packets the target sends anyway and studies them for telltale signs that can reveal the OS.
Passive fingerprinting is less accurate than active fingerprinting, since it can only use whatever traffic happens to be observed, but it sends nothing to the target and so cannot be detected by it.
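Both active and passive fingerprinting come down to the same comparison: parse the IP and TCP headers of a packet the target emitted (a SYN it sent, or the SYN/ACK it returned to a probe) and match TTL, window size, the DF bit and the order of TCP options against a signature table. The following added example, not code from the slides, from p0f or from nmap, does that parsing with `struct` and builds its own constructed SYN packets to classify; the three signatures and their values are illustrative assumptions, not a real fingerprint database:

```python
"""p0f-style OS guess from the IPv4/TCP headers of a SYN (added example, not from the slides).

SIGNATURES below are illustrative assumptions, not a real fingerprint database.
"""
import struct

SIGNATURES = [
    {"os": "Linux 2.6+", "ttl": 64, "win": 29200, "df": True,
     "opts": ("mss", "sackOK", "ts", "nop", "wscale")},
    {"os": "Windows 10", "ttl": 128, "win": 64240, "df": True,
     "opts": ("mss", "nop", "wscale", "nop", "nop", "sackOK")},
    {"os": "OpenBSD", "ttl": 64, "win": 16384, "df": True,
     "opts": ("mss", "nop", "nop", "sackOK", "nop", "wscale", "nop", "nop", "ts")},
]
OPT_NAMES = {1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}
SYN, ACK = 0x02, 0x10


def parse_syn(pkt):
    """Extract the fingerprint fields from raw IPv4 + TCP header bytes."""
    ver_ihl, _, total_len, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)                      # Don't Fragment bit
    tcp = pkt[ihl:]
    _, _, _, _, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4                    # TCP header length
    flags = off_flags & 0x1FF
    opts, i = [], 20
    while i < data_off:                                 # walk the option list in order
        kind = tcp[i]
        if kind == 0:                                   # EOL
            break
        if kind == 1:                                   # NOP has no length byte
            opts.append("nop")
            i += 1
            continue
        opts.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += tcp[i + 1]
    return {"ttl": ttl, "df": df, "win": win, "flags": flags, "opts": tuple(opts)}


def initial_ttl(ttl):
    """Round the observed TTL up to the nearest common starting value (undo hop count)."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255


def guess_os(pkt):
    """Return (os_name_or_reason, parsed_fields) for one captured packet."""
    f = parse_syn(pkt)
    if not f["flags"] & SYN or f["flags"] & ACK:
        return ("not a bare SYN", f)
    for sig in SIGNATURES:
        if (initial_ttl(f["ttl"]) == sig["ttl"] and f["win"] == sig["win"]
                and f["df"] == sig["df"] and f["opts"] == sig["opts"]):
            return (sig["os"], f)
    return ("unknown", f)


def build_syn(ttl, win, df, opts_bytes, flags=SYN):
    """Construct a minimal IPv4+TCP segment for the demo (checksums left zero)."""
    tcp_len = 20 + len(opts_bytes)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, bytes([10, 0, 0, 9]), bytes([10, 0, 0, 1]))
    off_flags = ((tcp_len // 4) << 12) | flags
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, win, 0, 0)
    return ip + tcp + opts_bytes


# Constructed option blobs: mss 1460, sackOK, timestamps, nop, wscale 7 (Linux order)
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
# mss 1460, nop, wscale 8, nop, nop, sackOK (Windows order)
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"

if __name__ == "__main__":
    for ttl, win, opts in ((52, 29200, LINUX_OPTS), (117, 64240, WINDOWS_OPTS)):
        name, fields = guess_os(build_syn(ttl, win, True, opts))
        print(f"ttl={fields['ttl']} win={fields['win']} opts={fields['opts']} -> {name}")
```

`initial_ttl` rounds the observed TTL up to the nearest common starting value so that hop count does not break the match. A single SYN is a weak signal: real tools combine many packets and fields, and a scrubbing firewall or a tuned stack (net.ipv4.ip_default_ttl, for instance) changes exactly these values, which is one reason passive guesses are less reliable than active probing.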
Cheops
SocksChain
SocksChain is a program that lets you work through a chain of SOCKS or HTTP proxies to conceal your actual IP address.
SocksChain can function as an ordinary SOCKS server that forwards requests through the chain of proxies.
Proxy Servers
A proxy is a network computer that acts as an intermediary for connections to other computers. Proxies are usually used for the following purposes:
As a firewall, a proxy shields the local network from outside access.
As an IP-address multiplexer, a proxy lets a number of computers reach the Internet while sharing a single IP address.
Proxy servers can be used (to some extent) to anonymize web surfing.
Specialized proxy servers can filter out unwanted content, such as ads or ‘unsuitable’ material.
Proxy servers can afford some protection against attacks, because outside hosts connect to the proxy rather than to the internal machines behind it.
Anonymizers
Anonymizers are services that help make your own web surfing anonymous.
The first anonymizer developed was Anonymizer.com, created in 1997 by Lance Cottrell.
An anonymizer strips identifying information (the user's source IP address and, typically, cookies, Referer and other revealing headers) from the user's web traffic while the user surfs the Internet, thereby improving the user's privacy.
Bypassing Firewall using Httptunnel
http://www.nocrew.org/software/httptunnel.html
Httptunnel creates a bidirectional virtual data path tunnelled inside HTTP requests, so a firewall or proxy that permits only web traffic still lets the tunnel through. The requests can be sent via an HTTP proxy if desired.
HTTPort
HTTPort lets you bypass an HTTP proxy that is blocking you from the Internet. With HTTPort you can use, for example (a sample list, not an exhaustive one), e-mail, IRC, ICQ, news, FTP, AIM and any SOCKS-capable software from behind an HTTP proxy.
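A chain of proxies as described for SocksChain, and the HTTP-proxy bypass that HTTPort and similar tools rely on, are built from two small requests: a SOCKS5 CONNECT (RFC 1928) and an HTTP CONNECT. The following added example, not code from SocksChain, HTTPort or httptunnel, builds those messages, parses the SOCKS5 reply, and lays out the order in which a client sends them so that each hop only learns the next hop; it does no network I/O, and the hop and target addresses are made-up values:

```python
"""SOCKS5 / HTTP CONNECT messages for a proxy chain (added example, not from the slides).

Builds the bytes a chaining client writes to each hop and parses SOCKS5 replies.
Addresses used in the demo are constructed documentation values.
"""
import socket
import struct


def socks5_greeting():
    """VER=5, one method offered: 0x00 = no authentication."""
    return b"\x05\x01\x00"


def socks5_connect(host, port):
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    try:
        addr = b"\x01" + socket.inet_aton(host)                # ATYP 1: IPv4 literal
    except OSError:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name              # ATYP 3: domain name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


REPLY_CODES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
               3: "network unreachable", 4: "host unreachable", 5: "connection refused",
               6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def parse_socks5_reply(data):
    """Return (status_text, bound_addr, bound_port); raise ValueError if malformed."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 3:
        n = data[4]
        addr, off = data[5:5 + n].decode(), 5 + n
    elif atyp == 4:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("bad ATYP")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return REPLY_CODES.get(rep, f"unknown({rep})"), addr, port


def http_connect(host, port):
    """HTTP CONNECT tunnel request, as accepted by proxies that allow tunnelling."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def chain_plan(hops, target):
    """hops: [(kind, host, port)] with kind 'socks5' or 'http'; target: (host, port).
    Returns ordered (hop_index, message) pairs. Each hop is asked to connect to the
    *next* hop and the last hop to the real target; every message after the first
    travels inside the tunnels already opened, so only hop 0 sees the client's IP."""
    plan = []
    destinations = hops[1:] + [("target",) + tuple(target)]
    for i, ((kind, _, _), (_, dhost, dport)) in enumerate(zip(hops, destinations)):
        if kind == "socks5":
            plan.append((i, socks5_greeting()))
            plan.append((i, socks5_connect(dhost, dport)))
        elif kind == "http":
            plan.append((i, http_connect(dhost, dport)))
        else:
            raise ValueError(f"unknown proxy kind {kind!r}")
    return plan


if __name__ == "__main__":
    hops = [("socks5", "203.0.113.10", 1080), ("http", "198.51.100.7", 3128)]
    for idx, msg in chain_plan(hops, ("example.com", 443)):
        print(f"-> hop {idx} ({hops[idx][1]}): {msg!r}")
    print(parse_socks5_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

The plan makes the anonymity property visible: hop 0 sees the client's real address but only hop 1 as a destination, and the target only ever sees the last hop. A real client wraps one socket in successive SOCKS/HTTP layers, writing each request into the tunnel the previous hop opened. httptunnel itself takes a different route, encoding its data path in ordinary HTTP GET/POST requests so that it passes proxies which forbid CONNECT.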
Summary
War dialing is the term given to dialing through ranges of phone numbers to find modems that give illicit access to a network. Popular tools include THC-Scan and PhoneSweep.
Scanning is a method adopted by administrators and crackers alike to discover more about a network.
There are various scan types - SYN, FIN, Connect, ACK, RPC, Inverse Mapping, FTP Bounce, Idle Host etc. The use of a particular scan type depends on the objective at hand.
Ways to subvert a standard connection include HTTPort, HTTP tunneling, using proxies, SOCKS chains and anonymizers.