
CEH v10: 03 Scanning Networks

Certified Ethical Hacker v10 Chapter 03: Scanning Networks

Protocols

These definitions are must-know!

TCP Flags

  • SYN: Synchronize sequence numbers; initiates a connection between two hosts
  • ACK: Acknowledges receipt of a packet (every segment after the first SYN carries it)
  • URG: Marks the data in the packet as urgent, to be processed immediately (the urgent pointer says where it ends)
  • PSH: Tells the receiving stack to hand the buffered data to the application immediately instead of waiting for more
  • FIN: Tells the remote system that the sender has no more data; gracefully closes the connection
  • RST: Resets (aborts) a connection; also the stack's reply to a segment aimed at a closed port

Three-way handshake

  • Establishes a TCP connection
  • Client sends SYN, server replies SYN/ACK, client completes with ACK
  • A connect scan performs all three steps; a SYN (half-open) scan stops after the second

OSI Model

Layer  Name                Example protocols
7      Application layer   HTTP, SNMP
6      Presentation layer  MIME, ASCII
5      Session layer       SOCKS, NetBIOS
4      Transport layer     TCP, UDP
3      Network layer       IP, ICMP
2      Data link layer     MAC, ARP
1      Physical layer      Ethernet, Wi-Fi

TCP/IP Model

Layer  Name               Example protocols
4      Application layer  HTTP, SNMP
3      Transport layer    TCP, UDP
2      Internet layer     IP, ICMP
1      Link layer         ARP, MAC

Scanning Techniques

TCP Connect() / Full Open Scan

  • Full three-way handshake
  • Connection is completed (and then torn down)
  • Logged by the application and easily detected
  • Does not need root: it uses the OS connect() call instead of raw packets
  • nmap: -sT

Open port: scanner sends SYN, target replies SYN/ACK, scanner sends ACK (connection established, then closed)

Closed port: scanner sends SYN, target replies RST

Example:

nmap -sT danielgorbe.com

Stealth Scan / Half-Open Scan

  • Half-open three-way handshake: the SYN/ACK is answered with RST instead of ACK, so no connection is ever completed
  • Needs raw-socket privileges (root)
  • Less likely to be logged by the application, since nothing reaches it; stateful firewalls and IDS still see the SYN
  • Nmap: -sS (the default scan type when running as root)

Open port: scanner sends SYN, target replies SYN/ACK, scanner replies RST

Closed port: scanner sends SYN, target replies RST

No reply (or ICMP unreachable): port is filtered

Example:

nmap -sS danielgorbe.com

Inverse TCP Flag Scanning

  • Send a TCP probe with an unusual flag combination (e.g. FIN only, FIN+PSH+URG, or no flags at all)
  • Per RFC 793 a closed port answers RST, while an open port drops the probe silently; no reply therefore means open (or filtered by a firewall, which looks identical)
  • Xmas, Null and FIN scans

Xmas Scan

  • FIN+PSH+URG flags set ("lit up like a Christmas tree"; some tools set all six flags, Nmap's -sX sets these three)
  • Creates an abnormal packet that a compliant stack ignores on an open port
  • Nmap: -sX

Open port: no response (Nmap reports open|filtered)

Closed port: RST

Example:

nmap -sX danielgorbe.com

NULL Scan

  • No flags set at all
  • Easy to detect: a segment with no flags never occurs in legitimate traffic
  • Nmap: -sN

Open port: no response (Nmap reports open|filtered)

Closed port: RST

Example:

nmap -sN danielgorbe.com

FIN Scan

  • FIN scan only works against stacks that follow RFC 793 (most Unix-like systems); Windows replies RST regardless of port state, so every port looks closed
  • Only the FIN flag is set
  • Can pass stateless packet filters that only watch for SYN
  • Nmap: -sF

Open port: no response (Nmap reports open|filtered)

Closed port: RST

Example:

nmap -sF danielgorbe.com
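The flag definitions at the top of the chapter and the Xmas, Null and FIN probes above can be tied together in code. The following is an added example (my code, not from the original notes or from Nmap): it packs a raw TCP header with a chosen flag byte, parses the flags back out, and runs a small detection rule over a constructed set of headers, labelling the inverse-flag probes an IDS should alert on. The port numbers and the sample traffic are constructed; the NULL, Xmas and FIN flag combinations are the ones Nmap's -sN, -sX and -sF send.

```python
import struct

# TCP flag bits, as they appear in the low byte of the data-offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header with no options. The checksum is left
    at zero, which is fine for inspection; a real sender fills it in."""
    data_offset = 5  # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x3F


def flag_string(flags):
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def classify_probe(flags):
    """Name the scan probe a segment looks like, or None for an ordinary segment."""
    if flags == 0:
        return "NULL scan"
    if flags == FIN | PSH | URG:
        return "Xmas scan"
    if flags == FIN:
        return "FIN scan"
    if flags & SYN and flags & FIN:
        return "SYN+FIN (illegal combination)"
    if flags == SYN:
        return "SYN (connection attempt, SYN or connect scan)"
    if flags == ACK:
        return "bare ACK (ACK scan or mid-stream segment)"
    return None


# Inverse-flag probes never occur in legitimate traffic, so a single hit is worth an alert
INVERSE_FLAG_PROBES = {"NULL scan", "Xmas scan", "FIN scan", "SYN+FIN (illegal combination)"}


def detect_probes(headers):
    """Return (destination port, probe name) for every inverse-flag probe among raw TCP headers."""
    alerts = []
    for hdr in headers:
        dport = struct.unpack("!H", hdr[2:4])[0]
        label = classify_probe(parse_tcp_flags(hdr))
        if label in INVERSE_FLAG_PROBES:
            alerts.append((dport, label))
    return alerts


# Constructed sample traffic: one legitimate connection attempt, the three inverse-flag
# scans, and a bare ACK (which is not an inverse-flag probe)
SAMPLE_HEADERS = [
    build_tcp_header(40001, 443, SYN),
    build_tcp_header(40002, 22, 0),
    build_tcp_header(40003, 80, FIN | PSH | URG),
    build_tcp_header(40004, 25, FIN),
    build_tcp_header(40005, 8080, ACK),
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        flags = parse_tcp_flags(hdr)
        print(f"{flag_string(flags):12s} -> {classify_probe(flags)}")
    print(detect_probes(SAMPLE_HEADERS))
```

A bare ACK is deliberately not alerted on, because mid-stream segments look the same; an ACK scan is only visible in aggregate (many bare ACKs to ports with no established connection).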

ACK Flag probe scanning

  • Only the ACK flag is set
  • An unfiltered port (open or closed alike) always replies RST, so the scan cannot tell open from closed by itself
  • Window scan variant: examine the RST header (TTL, TCP window); on some stacks a non-zero window means open and a zero window means closed (Nmap: -sW)
  • Used to map firewall rules: RST means the port is unfiltered, no response (or an ICMP unreachable) means a firewall is filtering it
  • Nmap: -sA

Example:

nmap -sA danielgorbe.com

IDLE / IPID Header scan

  • Keeps a low profile: the target never sees a packet from the attacker's real address
  • The scan is bounced off a zombie, an idle host with no traffic of its own
  • Uses SYN probes that carry the zombie's address as spoofed source; the target's reply goes to the zombie
  • The zombie answers an unsolicited SYN/ACK with RST and silently ignores an unsolicited RST
  • Every IP packet carries a fragment identification number (IPID)
  • Many OSes increment the IPID by one for every packet sent, so probing the zombie before and after the spoofed SYN counts the packets it sent in between
  • Open port: target sends SYN/ACK to the zombie, zombie sends RST, IPID rises by 2 between the attacker's probes; closed or filtered port: IPID rises by 1 only
  • Nmap: -sI <zombie host[:probeport]>
  • Explanation on Nmap's website
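Added example (my code, not from the notes or from Nmap): a simulation of the idle scan exchange with the attacker, zombie and target modelled as separate parties, so the IPID arithmetic that decides open versus closed|filtered can be stepped through. The Zombie and Target classes and the IPID values are constructed; the wraparound at 65535 and the background_packets parameter show the two things that break the inference in practice.

```python
class Zombie:
    """Idle host whose IP stack uses one global, sequential IP ID counter."""

    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid

    def _send(self):
        self.ipid = (self.ipid + 1) & 0xFFFF   # IP ID is a 16-bit field, it wraps
        return self.ipid

    def receive(self, segment):
        """The two stack behaviours that make idle scanning work."""
        if segment == "SYN/ACK":
            # unsolicited SYN/ACK -> RST, which costs one IP ID
            return ("RST", self._send())
        # unsolicited RST (or no packet at all) -> silently ignored, nothing sent
        return None


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port):
        if port in self.filtered_ports:
            return None          # firewall drops the probe: no reply to the zombie
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_zombie(zombie):
    """Attacker sends a SYN/ACK to the zombie; the RST it answers with reveals its current IP ID."""
    _, ipid = zombie.receive("SYN/ACK")
    return ipid


def idle_scan(zombie, target, port, background_packets=0):
    """One idle-scan round for a single port; returns Nmap's port state."""
    ipid_before = probe_zombie(zombie)
    # Spoofed SYN to target:port with the zombie's address as source. The reply
    # (SYN/ACK for open, RST for closed, nothing for filtered) reaches the zombie.
    zombie.receive(target.receive_syn(port))
    for _ in range(background_packets):   # traffic the zombie sends on its own
        zombie._send()
    ipid_after = probe_zombie(zombie)
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown (zombie is not idle or its IP ID is not sequential)"


if __name__ == "__main__":
    zombie = Zombie()
    target = Target(open_ports={22, 80}, filtered_ports={135})
    for port in (22, 23, 80, 135):
        print(port, idle_scan(zombie, target, port))
    print(80, idle_scan(zombie, target, 80, background_packets=3))
```

Nmap handles the "unknown" case by retrying and by checking the zombie's IPID class before the scan; a zombie with random or per-destination IPIDs (most modern Linux and Windows releases) is unusable.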

UDP Scan

  • Connectionless protocol: there is no handshake, so an open port usually sends nothing back
  • Closed port answers with ICMP port unreachable (type 3, code 3); other ICMP unreachable codes mean the port is filtered
  • Open port answers with a UDP reply only if the service responds to the probe; silence is reported as open|filtered
  • Slow: most hosts rate-limit ICMP error messages
  • nmap: -sU

Open port: UDP reply, or no response at all (reported as open|filtered)

Closed port: ICMP port unreachable (type 3, code 3)

Example:

nmap -sU danielgorbe.com
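Each scan type above leaves a slot for what an open and a closed port send back. The rules for turning a reply into Nmap's port states (open, closed, filtered, unfiltered, open|filtered) are the same for all of them, so here is one added example (my code, not the notes' or Nmap's) that encodes them for connect/SYN, FIN/Null/Xmas, ACK, window and UDP scans and runs them over a constructed set of replies. The reply representation (tuples and None) and the sample replies are assumptions of this example; the ICMP codes are the ones Nmap treats as filtering evidence.

```python
# ICMP destination-unreachable (type 3) codes that Nmap treats as evidence of filtering
ICMP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}


def classify(scan, response):
    """Map one probe's reply to Nmap's port state.

    scan:     'connect', 'syn', 'fin', 'null', 'xmas', 'ack', 'window' or 'udp'
    response: None (nothing after retransmits), ('SYN/ACK',), ('RST', window),
              ('UDP',) or ('ICMP', type, code)
    """
    kind = response[0] if response else None
    icmp_unreach = kind == "ICMP" and response[1] == 3 and response[2] in ICMP_UNREACH_FILTERED

    if scan in ("connect", "syn"):
        if kind == "SYN/ACK":
            return "open"
        if kind == "RST":
            return "closed"
        if response is None or icmp_unreach:
            return "filtered"
    elif scan in ("fin", "null", "xmas"):
        if kind == "RST":
            return "closed"
        if response is None:
            return "open|filtered"      # RFC 793 stacks drop the probe on an open port
        if icmp_unreach:
            return "filtered"
    elif scan == "ack":
        if kind == "RST":
            return "unfiltered"         # says nothing about open vs closed
        if response is None or icmp_unreach:
            return "filtered"
    elif scan == "window":
        if kind == "RST":
            return "open" if response[1] > 0 else "closed"   # only some stacks behave this way
        if response is None or icmp_unreach:
            return "filtered"
    elif scan == "udp":
        if kind == "UDP":
            return "open"
        if response is None:
            return "open|filtered"
        if kind == "ICMP" and response[1] == 3 and response[2] == 3:
            return "closed"             # port unreachable
        if icmp_unreach:
            return "filtered"
    else:
        raise ValueError(f"unknown scan type {scan!r}")
    raise ValueError(f"unexpected reply {response!r} for {scan} scan")


def sweep(scan, replies):
    """replies: {port: response}; returns {port: state} for one scan type."""
    return {port: classify(scan, reply) for port, reply in sorted(replies.items())}


# Constructed replies as a SYN scan and a UDP scan of the same host would see them
SYN_REPLIES = {22: ("SYN/ACK",), 23: ("RST", 0), 135: None, 445: ("ICMP", 3, 13)}
UDP_REPLIES = {53: ("UDP",), 67: None, 161: ("ICMP", 3, 3), 500: ("ICMP", 3, 10)}

if __name__ == "__main__":
    print("syn", sweep("syn", SYN_REPLIES))
    print("udp", sweep("udp", UDP_REPLIES))
    # the same silence means different things depending on the probe
    for scan in ("syn", "xmas", "ack", "udp"):
        print(f"{scan}: no reply -> {classify(scan, None)}")
```

The last loop is the point of the table: silence is "filtered" for a SYN scan, "open|filtered" for an inverse-flag or UDP scan, and "filtered" for an ACK scan, so a port reported open|filtered needs a second scan type (or version detection) before it can be called open.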

IDS / IPS evasion

  • Packet fragmentation: split the probe into tiny IP fragments (Nmap's -f uses 8-byte fragments; --mtu sets another multiple of 8)
  • Nmap: -f
  • The IDS has to reassemble the fragments before it can match a signature; some do not, or drop fragments under load
  • Sending packets with a delay between probes (Nmap timing templates -T0/-T1, or --scan-delay) to stay under rate-based detection thresholds

Example:

nmap -f danielgorbe.com
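Added example (my code, not from the notes or from Nmap): it fragments a 20-byte SYN header into 8-byte pieces the way -f does, then runs a SYN-flag signature once per fragment (the naive IDS) and once after reassembly, including out-of-order delivery. The Reassembler is a minimal model with no overlap handling, and the sample header is constructed.

```python
import struct

# Constructed SYN probe: a 20-byte TCP header whose flags byte (offset 13) is 0x02
SYN_HEADER = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, 1024, 0, 0)


def fragment(payload, frag_id, frag_size=8):
    """Split a transport payload into IP-style fragments as `nmap -f` does
    (8 bytes each; fragment offsets are counted in 8-byte units)."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        frags.append({"id": frag_id, "offset": off // 8,
                      "mf": off + frag_size < len(payload),   # "more fragments" bit
                      "data": payload[off:off + frag_size]})
    return frags


class Reassembler:
    """Minimal IP fragment reassembly keyed on the datagram ID (no overlap handling)."""

    def __init__(self):
        self.pending = {}

    def feed(self, frag):
        """Return the full datagram once every byte is present, else None."""
        entry = self.pending.setdefault(frag["id"], {"parts": {}, "total": None})
        entry["parts"][frag["offset"]] = frag["data"]
        if not frag["mf"]:                       # the last fragment fixes the total length
            entry["total"] = frag["offset"] * 8 + len(frag["data"])
        if entry["total"] is None:
            return None
        assembled, have = b"", 0
        for off in sorted(entry["parts"]):
            if off * 8 != have:                  # hole: still waiting for a fragment
                return None
            assembled += entry["parts"][off]
            have += len(entry["parts"][off])
        if have != entry["total"]:
            return None
        del self.pending[frag["id"]]
        return assembled


def syn_rule(data):
    """IDS signature: a TCP header with the SYN flag set."""
    return len(data) >= 14 and bool(data[13] & 0x02)


def inspect(frags, reassemble):
    """Count signature hits, either per fragment (naive IDS) or after reassembly."""
    hits, r = 0, Reassembler()
    for f in frags:
        data = r.feed(f) if reassemble else f["data"]
        if data is not None and syn_rule(data):
            hits += 1
    return hits


if __name__ == "__main__":
    frags = fragment(SYN_HEADER, frag_id=7)
    print("fragments:", [(f["offset"], f["mf"], len(f["data"])) for f in frags])
    print("naive IDS hits:", inspect(frags, reassemble=False))
    print("after reassembly:", inspect(frags, reassemble=True))
    print("out of order:", inspect(list(reversed(frags)), reassemble=True))
```

With 8-byte fragments the flags byte lands in the second fragment, and no fragment on its own is long enough for the rule to match; the reassembling IDS catches the probe, and it also has to cope with fragments arriving in any order.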

OS Fingerprinting

Active OS fingerprinting

  • Nmap: -O
  • Sends crafted TCP, UDP and ICMP probes to the host and compares the responses (initial TTL, window size, TCP options, sequence number behaviour) against a database of known stacks

Example:

nmap -O danielgorbe.com

Passive OS fingerprinting

  • Detailed assessment of sniffed traffic (TTL, TCP window size) without sending any probe
  • Common values:

OS             Initial TTL  TCP window size
Linux          64           5840
Windows XP     128          65535
Windows 2008   128          8192
FreeBSD        64           5840

  • The observed TTL is the initial value minus the number of hops, so round it up to the next common initial value (64, 128, 255) before matching
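Added example (my code, not from the notes or any tool): the table above applied to constructed sniffer output. It rounds the observed TTL up to the nearest common initial value to estimate the hop count, then matches the window size against the table. The log line format and the SYN samples are assumptions of this example.

```python
import re

# Reference values from the table above: (OS, initial TTL, default TCP window)
SIGNATURES = [
    ("Linux", 64, 5840),
    ("Windows XP", 128, 65535),
    ("Windows 2008", 128, 8192),
    ("FreeBSD", 64, 5840),
]
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sniffer output, one line per SYN seen (hypothetical format)
SAMPLE_SYNS = """\
10.0.0.5 -> 10.0.0.1:80 flags=S ttl=118 win=65535
10.0.0.9 -> 10.0.0.1:22 flags=S ttl=61 win=5840
10.0.0.7 -> 10.0.0.1:443 flags=S ttl=126 win=8192
10.0.0.8 -> 10.0.0.1:25 flags=S ttl=240 win=16384
"""
LINE_RE = re.compile(r"^(\S+) -> \S+ flags=S ttl=(\d+) win=(\d+)$")


def guess_initial_ttl(observed_ttl):
    """Every router decrements TTL by one, so the original value is the next
    common initial TTL at or above the observed one."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"TTL {observed_ttl} out of range")


def fingerprint(observed_ttl, window):
    """Estimate initial TTL and hop count, then list every OS in the table that fits."""
    initial = guess_initial_ttl(observed_ttl)
    return {
        "initial_ttl": initial,
        "hops": initial - observed_ttl,
        "candidates": [name for name, ttl, win in SIGNATURES if ttl == initial and win == window],
    }


def fingerprint_log(text):
    """Passive fingerprint for every source that sent a SYN in the sniffer output."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, ttl, win = m.group(1), int(m.group(2)), int(m.group(3))
        results[src] = fingerprint(ttl, win)
    return results


if __name__ == "__main__":
    for src, guess in fingerprint_log(SAMPLE_SYNS).items():
        print(src, guess)
```

Note that Linux and FreeBSD share a row in the table, so 10.0.0.9 stays ambiguous, and 10.0.0.8 matches nothing: window size depends on MSS and window scaling, which is why real passive tools (p0f, for instance) also look at TCP options, their order and the IP flags.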
Banner Grabbing / Service Version Detection

  • Determines the service (and its version) behind an open port from the banner it sends
  • Typically uses Telnet or Netcat to connect to the port and read the banner by hand
  • Nmap: -sV sends protocol-specific probes and matches the replies against its service database

Example:

nmap -sV danielgorbe.com

Proxy

  • System between the attacker and the target that forwards the traffic
  • Hides the attacker's source IP address from the target
  • Impersonating: the target sees the proxy's address as the client
  • Hides the attacker's identity; the target's logs point at the proxy

Proxy chaining

  • Using multiple proxy servers in series; each hop only knows the one before and the one after it
  • Most used proxy chain: Tor

Spoofing IP address

  • Modify the source address in the IP header of the packets you send
  • Nmap has a decoy scan option (-D) that sends each probe once per decoy with a spoofed source IP, alongside your own, so the target's logs show several scanners and cannot tell which one is real
  • Decoys should be hosts that are actually up; replies to the spoofed probes go to the decoys, your own probe still gets the results

Example:

nmap -D 192.168.1.1,192.168.1.2 danielgorbe.com

This option sends each probe 3 times, with source IP:

  1. 192.168.1.1
  2. 192.168.1.2
  3. Your IP

Your own address is placed at a random position in the sequence unless you write ME in the list; RND:<number> generates random decoys.

Detect Spoofing

  • Direct TTL probe: send a probe (e.g. ping) to the claimed source address and compare the reply's TTL with the TTL of the suspicious packet; a mismatch means the packet took a different path, i.e. came from somewhere else (reliable mainly when the claimed host is on the same subnet or a known path)
  • IP identification number: probe the claimed source and compare the IPID of its reply with the IPID of the suspicious packet; a real sender's counter is only slightly ahead, a spoofed packet's IPID is unrelated (works only against stacks with sequential IPIDs)
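Added example (my code, not from the notes): both checks applied to constructed data. Each suspicious packet is compared with the reply our own direct probe got from the claimed source; the packet fields, the tolerance values and the dictionary format are assumptions of this example.

```python
def ttl_consistent(suspect_ttl, probe_reply_ttl, tolerance=1):
    """Direct TTL probe: a reply from the real host over the same path should
    carry (almost) the same TTL as the suspicious packet."""
    return abs(suspect_ttl - probe_reply_ttl) <= tolerance


def ipid_consistent(suspect_ipid, probe_reply_ipid, max_gap=64):
    """IP ID check: a host with a sequential counter answers our probe with an
    ID just above the one in the suspicious packet. Handles the 16-bit wrap."""
    gap = (probe_reply_ipid - suspect_ipid) & 0xFFFF
    return 0 < gap <= max_gap


def assess(suspect, reply):
    """Combine both checks into a verdict with the failing checks listed."""
    reasons = []
    if not ttl_consistent(suspect["ttl"], reply["ttl"]):
        reasons.append("ttl")
    if not ipid_consistent(suspect["ipid"], reply["ipid"]):
        reasons.append("ipid")
    return {"src": suspect["src"],
            "verdict": "likely spoofed" if reasons else "likely genuine",
            "reasons": reasons}


def assess_all(suspects, replies):
    """suspects: packets to check; replies: {claimed source: reply to our direct probe}."""
    return [assess(s, replies[s["src"]]) for s in suspects]


# Constructed data: three suspicious packets and the replies our probes got from the claimed sources
SUSPECTS = [
    {"src": "10.0.0.5", "ttl": 61, "ipid": 3000},
    {"src": "10.0.0.6", "ttl": 118, "ipid": 9000},
    {"src": "10.0.0.7", "ttl": 63, "ipid": 65530},
]
PROBE_REPLIES = {
    "10.0.0.5": {"ttl": 61, "ipid": 3012},    # same path length, counter just ahead
    "10.0.0.6": {"ttl": 62, "ipid": 41000},   # claimed host is 2 hops away, packet looks ~10 hops away
    "10.0.0.7": {"ttl": 63, "ipid": 5},       # counter wrapped past 65535: still consistent
}

if __name__ == "__main__":
    for verdict in assess_all(SUSPECTS, PROBE_REPLIES):
        print(verdict)
```

Both checks are heuristics: the TTL test fails when the spoofer sits on the same path as the claimed host (and a careful spoofer copies the expected TTL), and the IPID test only works when the claimed host uses a global sequential counter, which most current Linux and Windows stacks no longer do.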