Learning Objectives
▪ Describe the network scanning concepts
▪ Use various scanning tools
▪ Perform host discovery to check for live systems
▪ Perform port and service discovery using various scanning techniques
▪ Perform operating system (OS) discovery
▪ Scan beyond intrusion detection systems (IDS) and firewalls
▪ Explain various network scanning countermeasures
1. Network Scanning Concepts
As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase to gather more details about the target.
Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of information gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s OS and system architecture, and the ports along with their respective services running on each computer.
The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker’s particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.
Types of Scanning
▪ Port Scanning – Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
▪ Network Scanning – Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.
▪ Vulnerability Scanning – Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document.
TCP Communication Flags
The TCP header contains various flags that control the transmission of data across a TCP connection.
Six TCP control flags manage the connection between hosts and give instructions to the system. Four of these flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. The other two flags (PSH and URG) provide instructions to the system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this section is 6 bits. When a flag value is set to “1,” that flag is automatically turned on.
The following are the TCP communication flags:
▪ Synchronize or “SYN”: It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.
▪ Acknowledgement or “ACK”: It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to “1,” thus implying that the receiver should pay attention to it.
▪ Push or “PSH”: When it is set to “1,” it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
▪ Urgent or “URG”: It instructs the system to process the data contained in packets as soon as possible. When the system sets the flag to “1,” priority is given to processing the urgent data first and all the other data processing is stopped.
▪ Finish or “FIN”: It is set to “1” to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.
▪ Reset or “RST”: When there is an error in the current connection, this flag is set to “1” and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.
SYN scanning mainly deals with three flags: SYN, ACK, and RST.
TCP/IP Communication
TCP is connection oriented, i.e., it prioritizes connection establishment before data transfer between applications. This connection between protocols is possible through the three-way handshake.
A TCP session initiates using a three-way handshake mechanism:
▪ To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the destination (10.0.0.3:21).
▪ On receiving the SYN packet, the destination responds by sending a SYN/ACK packet back to the source.
▪ The ACK packet confirms the arrival of the first SYN packet to the source.
▪ Finally, the source sends an ACK packet for the ACK/SYN packet transmitted by the destination.
▪ This triggers an "OPEN" connection, thereby allowing communication between the source and destination, which continues until one of them issues a "FIN" or "RST" packet to close the connection.
TCP Session Termination
2. Scanning Tools
Scanning tools are used to scan and identify live hosts, open ports, running services on a target network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. The information obtained from these tools will help an ethical hacker in creating the profile of the target organization and scanning the network for open ports of the devices connected.
▪ Nmap Source: https://nmap.org
▪ Hping3 Source: https://salsa.debian.org
o ICMP ping Ex. `hping3 -1 10.0.0.25`
o ACK scan on port 80 Ex. `hping3 -A 10.0.0.25 -p 80`
o UDP scan on port 80 Ex. `hping3 -2 10.0.0.25 -p 80`
o Collecting Initial Sequence Number Ex. `hping3 192.168.1.103 -Q -p 139`
o Firewalls and Timestamps Ex. `hping3 -S 72.14.207.99 -p 80 --tcp-timestamp`
o SYN scan on port 50-60 Ex. `hping3 -8 50-60 -S 10.0.0.25 -V`
o FIN, PUSH and URG scan on port 80 Ex. `hping3 -F -P -U 10.0.0.25 -p 80`
o Scan entire subnet for live host Ex. `hping3 -1 10.0.1.x --rand-dest -I eth0`
o Intercept all traffic containing HTTP signature Ex. `hping3 -9 HTTP -I eth0`
o SYN flooding a victim Ex. `hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood`
▪ Hping Scan with AI
Attackers can leverage AI-powered technologies to enhance and automate their network scanning tasks. With the aid of AI, attackers can effortlessly perform network scanning using the Hping3 tool to acquire valuable insights about their target.
Example #1:
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use Hping3 to perform ICMP scanning on the target IP address 10.10.1.11 and stop after 10 iterations”
The command `hping3 --icmp --count 10 10.10.1.11` is used to execute the Hping3 tool with specific parameters.
Example #2:
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Run an hping3 ACK scan on port 80 of target IP 10.10.1.11”
The command `sudo hping3 --ack -p 80 10.10.1.11` is used to execute the Hping3 tool with specific parameters.
▪ Metasploit Source: https://www.metasploit.com
Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploits writers, and payload writers. A major advantage of the framework is the modular approach, i.e., allowing the combination of any exploit with any payload.
▪ NetScanTools Pro Source: https://www.netscantools.com
NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on. Attackers can find vulnerabilities and exposed ports in the target system. It helps the attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools). NetScanTools Pro combines many network tools and utilities categorized by their functions, such as active, passive, DNS, and local computer.
Some additional scanning tools are listed below:
▪ sx (https://github.com)
▪ RustScan (https://github.com)
▪ MegaPing (http://magnetosoft.com)
▪ SolarWinds® Engineer's Toolset (https://www.solarwinds.com)
▪ PRTG Network Monitor (https://www.paessler.com)
3. Host Discovery
Demonstrate Various Scanning Techniques for Host Discovery
Scanning is the process of gathering information about systems that are “alive” and responding on the network. Host discovery is considered the primary task in the network scanning process. To perform a complete scan and identify open ports and services, it is necessary to check for live systems first. Host discovery provides an accurate status of the systems in the network, which lets an attacker avoid scanning every port on every system in a list of IP addresses just to learn whether the target host is up. Host discovery is the first step in network scanning. This section highlights how to check for live systems in a network using various ping scan techniques. It also discusses how to ping sweep a network to detect live hosts/systems, along with various ping sweep tools.
Host Discovery Techniques
Host discovery techniques can be adopted to discover the active/live hosts in the network. As an ethical hacker, you must be aware of the various types of host discovery techniques. Some host discovery techniques are listed below:
▪ ARP Ping Scan
▪ UDP Ping Scan
▪ ICMP Ping Scan
o ICMP ECHO Ping
• ICMP ECHO Ping Sweep
o ICMP Timestamp Ping
o ICMP Address Mask Ping
▪ TCP Ping Scan
o TCP SYN Ping
o TCP ACK Ping
▪ IP Protocol Scan
ARP Ping Scan
In the ARP ping scan, the ARP packets are sent for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls. In most networks, many IP addresses are unused at any given time, specifically in the private address ranges of the LAN.
Attackers use the Nmap tool to perform an ARP ping scan for discovering live hosts in the network. In Zenmap, the -PR option is used to perform an ARP ping scan.
Note: -sn is the Nmap command to disable the port scan. Since Nmap uses ARP ping scan as the default ping scan, to disable it and perform other desired ping scans, you can use --disable-arp-ping.
Advantages:
▪ ARP ping scan is considered to be more efficient and accurate than other host discovery techniques
▪ ARP ping scan automatically handles ARP requests, retransmission, and timeout at its own discretion
▪ ARP ping scan is useful for system discovery, where you may need to scan large address spaces
▪ ARP ping scan can display the response time or latency of a device to an ARP packet
UDP Ping Scan
UDP ping scan is similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host. The default port number used by Nmap for the UDP ping scan is 40125. This highly uncommon port is used as the default for sending UDP packets to the target. The default can be changed by setting DEFAULT_UDP_PROBE_PORT_SPEC when Nmap is compiled. Attackers send UDP packets to the target host, and a UDP response means that the target host is active. If the target host is offline or unreachable, various error messages such as host/network unreachable or TTL exceeded could be returned. In Zenmap, the -PU option is used to perform the UDP ping scan.
Advantages:
▪ UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP filtering, leaving the UDP traffic forgotten.
ICMP ECHO Ping Scan
Attackers use the ICMP ping scan to send ICMP packets to the destination system to gather the necessary information about it. Because ICMP has no port abstraction, this is different from port scanning; however, it is useful for determining which hosts in a network are running by pinging them all. ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining whether ICMP is passing through a firewall.
ICMP ECHO Ping Sweep
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts (computers). Although a single ping will tell the user whether a specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods used to scan a network. This utility is distributed across nearly all platforms, and it acts as a roll call for systems; a system that is active on the network answers the ping query that another system sends out.
ICMP ECHO Ping Sweep Using Nmap
Source: https://nmap.org
Nmap helps an attacker perform a ping sweep that determines live hosts from a range of IP addresses. In Zenmap, the -PE option with a list of IP addresses is used to perform an ICMP ECHO ping sweep.
ICMP Timestamp Ping Scan
Besides the traditional ICMP ECHO ping, there are some other types of ICMP pinging techniques such as ICMP timestamp ping scan and ICMP address mask ping scan, which an attacker can adopt in specific conditions.
ICMP Address Mask Ping Scan
ICMP address mask ping is another alternative to the traditional ICMP ECHO ping, where the attackers send an ICMP address mask query to the target host to acquire information related to the subnet mask. However, the address mask response from the destination host is conditional, and it may or may not respond with the appropriate subnet value depending on its configuration by the administrator at the target’s end. This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping. In Zenmap, the -PM option is used to perform an ICMP address mask ping scan.
TCP SYN Ping Scan
TCP SYN ping is a host discovery technique that probes different ports to determine whether the host is online and whether the probe encounters any firewall rule sets. In this technique, an attacker uses the Nmap tool to initiate the three-way handshake by sending an empty TCP packet with the SYN flag set to the target host. After receiving the SYN, the target host acknowledges its receipt with the ACK flag (a SYN/ACK). After receiving that ACK, the attacker confirms that the target host is active and terminates the connection by sending an RST to the target host (since the objective of host discovery is accomplished). Port 80 is used as the default destination port. A list or range of ports can also be specified without inserting a space between -PS and the port numbers (e.g., -PS22-25,80,113,1050,35000), in which case the probe is sent to each port in parallel. In Zenmap, the -PS option is used to perform a TCP SYN ping scan.
IP Protocol Ping Scan
IP protocol ping is the latest host discovery option, which sends IP ping packets with the IP header of any specified protocol number. It has the same format as the TCP and UDP ping. This technique tries to send different packets using different IP protocols, hoping to get a response indicating that a host is online.
Host Discovery with AI
An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as
- “Scan the target network 10.10.1.0/24 for active hosts and place only the IP addresses into a file scan1.txt”
- `nmap -sn 10.10.1.0/24 -oG - | awk '/Up$/{print $2}' > scan1.txt`
- “Run a fast but comprehensive Nmap scan against scan1.txt with low verbosity and write the results to scan2.txt”
- `nmap -T4 -iL scan1.txt -oN scan2.txt -v0`
- “Use Nmap to perform ICMP ECHO ping sweep on the target network 10.10.1.0/24”
- `nmap -sn -PE 10.10.1.0/24`
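The awk one-liner above keys on the Status field of Nmap's greppable (-oG) format. As an added example that is not part of the original notes, the following Python parser reads that same format more robustly, including the Ports field produced by a later service scan, so the host list can be post-processed without re-running Nmap. The sample output is constructed and the hostnames are placeholders.

```python
import re

# Constructed sample of Nmap greppable (-oG) output; not the output of a real scan.
SAMPLE_OG = """\
# Nmap 7.x scan initiated as: nmap -sn -oG - 10.10.1.0/24
Host: 10.10.1.1 (gw.lab.example)\tStatus: Up
Host: 10.10.1.11 ()\tStatus: Up
Host: 10.10.1.12 ()\tStatus: Down
# Nmap 7.x scan initiated as: nmap -sV -iL scan1.txt -oG -
Host: 10.10.1.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# "Host: <ip> (<hostname>)<TAB><remaining tab-separated fields>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_ports(value: str) -> list:
    """Split a Ports: field; each entry is port/state/proto/owner/service/rpcinfo/version/."""
    ports = []
    for item in value.split(", "):
        parts = item.split("/")
        if len(parts) < 7:
            continue  # malformed entry: skip it rather than abort the whole parse
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        ports.append({"port": int(port), "state": state, "proto": proto,
                      "service": service, "version": version})
    return ports


def parse_grepable(text: str) -> dict:
    """Return {ip: {hostname, status, ports}}; comment lines starting with # are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in rest.split("\t"):  # remaining fields are tab-separated "Key: value"
            key, _sep, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                entry["ports"].extend(parse_ports(value))
    return hosts


def live_hosts(text: str) -> list:
    """IPs whose Status is Up: the same selection the awk '/Up$/' one-liner makes."""
    return [ip for ip, e in parse_grepable(text).items() if e["status"] == "Up"]


def open_ports(text: str, ip: str) -> list:
    """(port, service) pairs reported open for one host, lowest port first."""
    entry = parse_grepable(text).get(ip, {"ports": []})
    return sorted((p["port"], p["service"]) for p in entry["ports"] if p["state"] == "open")
```

Down hosts only appear in -oG output when Nmap is run with extra verbosity, which is why the constructed sample includes one.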
Ping Sweep Tools
Ping sweep tools ping an entire range of network IP addresses to identify the live systems. The following are ping sweep tools that enable one to determine live hosts on the target network by sending multiple ICMP ECHO requests to various hosts on the network at a time.
▪ Angry IP Scanner (https://angryip.org)
▪ SolarWinds Engineer’s Toolset (https://www.solarwinds.com)
▪ NetScanTools Pro (https://www.netscantools.com)
▪ Colasoft Ping Tool (https://www.colasoft.com)
▪ Advanced IP Scanner (https://www.advanced-ip-scanner.com)
▪ OpUtils (https://www.manageengine.com)
4. Port and Service Discovery
The next step in the network scanning process involves checking the open ports and services in live systems. This discovery of open ports and services can be performed via various port scanning techniques. Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network. Moreover, users sometimes unknowingly leave unnecessary ports open on their systems. An attacker takes advantage of such open ports to launch attacks.
Port Scanning Techniques
Port scanning techniques are further categorized as described below. This categorization is based on the type of protocol used for communication in the network.
TCP Connect/Full-Open Scan
Source: https://insecure.org
TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the OS’s TCP connect() system call tries to open a connection to every port of interest on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable.
Stealth Scan (Half-Open Scan)
The stealth scan involves resetting the TCP connection between the client and the server abruptly before the three-way handshake completes, hence leaving the connection half-open. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers, expecting a single response. The half-open scan partially opens a connection but stops halfway through. The stealth scan is also called a “SYN scan,” because it only sends the SYN packet. This prevents the service from being notified of the incoming connection. TCP SYN or half-open scanning is a stealth method of port scanning. The stealth scan also implements the three-way handshake methodology: in the last stage, it examines the packets entering the interface and terminates the connection before triggering a new initialization to identify remote ports.
Inverse TCP Flag Scan
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.
Xmas Scan
Xmas scan is a type of inverse TCP scanning technique in which a TCP frame with the FIN, URG, and PUSH flags set is sent to a remote device. If the target port is open, you will receive no response from the remote system. If the target port is closed, the remote system replies with an RST. You can use this port scanning technique to scan large networks and find which hosts are up and what services they offer. This technique can set all the TCP flags; however, when all flags are set, some systems hang, so the flags are often set in the nonsense pattern URG-PSH-FIN. Attackers use the TCP Xmas scan to determine whether ports on the target machine are closed via the RST packet. This scan only works against systems whose TCP/IP implementation complies with RFC 793. It will not work against any current version of Microsoft Windows.
BSD Networking Code
This method relies on the BSD networking code. Thus, you can use it only against UNIX hosts; it does not work against Windows NT. If the user scans any Microsoft system, it will show that all the ports on the host are open.
You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, it means that the port is open. If the target system sends an RST flag, then it implies that the port is closed.
In Zenmap, the -sX option is used to perform Xmas scan whereas the -sF and -sN options are used to perform FIN scan and NULL scan, respectively.
`nmap -sX -v 192.168.2.79`
TCP Maimon Scan
This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.
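To make the TCP flag definitions and the NULL, FIN, Xmas, Maimon and SYN probe types above concrete from the defender's side, here is an added Python example (not from the original material) that decodes the flag byte of a raw TCP header, names the probe a given flag combination corresponds to, and reports a source that leaves many handshakes half-open, which is how a SYN scan appears in captured traffic. All packets are constructed inside the script; nothing is captured or sent.

```python
import struct
from collections import defaultdict

# TCP flag bits in the 13th byte of the TCP header (RFC 793 layout).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(tcp_header: bytes) -> set:
    """Return the names of the flags set in a raw TCP header (at least 20 bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    flag_byte = tcp_header[13]
    return {name for name, bit in FLAGS.items() if flag_byte & bit}


def classify_probe(flags: set) -> str:
    """Map a flag combination to the probe type described in the scanning text."""
    if not flags:
        return "NULL scan probe"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan probe"
    if flags == {"FIN"}:
        return "FIN scan probe"
    if flags == {"FIN", "ACK"}:
        return "Maimon scan probe"
    if flags == {"SYN"}:
        return "SYN (half-open) probe"
    if flags == {"ACK"}:
        return "ACK probe"
    if flags == {"SYN", "ACK"}:
        return "SYN/ACK handshake reply"
    if "RST" in flags:
        return "RST"
    return "other"


def detect_half_open_scans(packets, threshold: int = 5) -> dict:
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header).

    A source that sent bare SYNs to at least `threshold` distinct destination ports
    and never followed any of them with the bare ACK that completes the handshake
    is reported together with the ports it probed."""
    syn_targets = defaultdict(set)  # src -> {(dst, dport)} that received a bare SYN
    completed = defaultdict(set)    # src -> {(dst, dport)} later completed with a bare ACK
    for src, dst, hdr in packets:
        _sport, dport = struct.unpack("!HH", hdr[:4])
        flags = decode_flags(hdr)
        if flags == {"SYN"}:
            syn_targets[src].add((dst, dport))
        elif flags == {"ACK"} and (dst, dport) in syn_targets[src]:
            completed[src].add((dst, dport))
    report = {}
    for src, targets in syn_targets.items():
        incomplete = targets - completed[src]
        if len(incomplete) >= threshold:
            report[src] = sorted(port for _dst, port in incomplete)
    return report


def make_tcp_header(sport: int, dport: int, flag_names) -> bytes:
    """Constructed 20-byte TCP header for the demonstration (seq/ack/checksum left zero)."""
    flag_byte = 0
    for name in flag_names:
        flag_byte |= FLAGS[name]
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_byte, 8192, 0, 0)


def sample_packets() -> list:
    """Constructed traffic: a half-open scan from 10.0.0.2 plus one normal client, 10.0.0.5."""
    pkts = [("10.0.0.2", "10.0.0.3", make_tcp_header(40000 + i, p, ["SYN"]))
            for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    pkts.append(("10.0.0.2", "10.0.0.3", make_tcp_header(40100, 139, ["FIN", "PSH", "URG"])))
    pkts.append(("10.0.0.5", "10.0.0.3", make_tcp_header(50000, 80, ["SYN"])))
    pkts.append(("10.0.0.3", "10.0.0.5", make_tcp_header(80, 50000, ["SYN", "ACK"])))
    pkts.append(("10.0.0.5", "10.0.0.3", make_tcp_header(50000, 80, ["ACK"])))
    return pkts
```

Running `detect_half_open_scans(sample_packets())` reports only 10.0.0.2 with the six ports it probed; the client that completed its handshake is not reported.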
5. OS Discovery (Banner Grabbing/OS Fingerprinting)
An attacker uses OS discovery or banner grabbing techniques to identify network hosts running applications and OS versions with known exploits. This section introduces you to banner grabbing, its types, and banner grabbing tools.
▪ Active Banner Grabbing
Active banner grabbing applies the principle that an OS’s IP stack has a unique way of responding to specially crafted TCP packets. This happens because of different interpretations that vendors apply while implementing the TCP/IP stack on a particular OS. In active banner grabbing, the attacker sends a variety of malformed packets to the remote host, and the responses are compared with a database. Responses from different OS vary because of differences in TCP/IP stack implementation.
For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint or banner grabbing. The tests listed below provide some insights into an active banner grabbing attack, as described at https://nmap.org/book/osdetect-methods.html#osdetect-probes
▪ Passive Banner Grabbing Source: https://www.broadcom.com
Like active banner grabbing, passive banner grabbing also depends on the differential implementation of the stack and the various ways in which an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study telltale signs that can reveal an OS.
How to Identify Target System OS
Identifying the target OS is one of the important tasks for an attacker to compromise the target network/machine. In a network, various standards are implemented to allow different OSs to communicate with each other. These standards govern the functioning of various protocols such as IP, TCP, UDP, etc. By analyzing certain parameters/fields in these protocols, one can reveal the details of the OS. Parameters such as Time to Live (TTL) and TCP window size in the IP header of the first packet in a TCP session help identify the OS running on the target machine. The TTL field determines the maximum time that a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values vary among OSs, as described in the following table:
Attackers can use various tools to perform OS discovery on the target machine, including Wireshark, Nmap, Unicornscan, and Nmap Script Engine. Attackers can also adopt the IPv6 fingerprinting method to grab the target OS details.
OS Discovery using Wireshark Source: https://www.wireshark.org
OS Discovery using Nmap and Unicornscan
OS Discovery using Nmap Source: https://nmap.org
To exploit the target, it is highly essential to identify the OS running on the target machine. Attackers can employ various tools to acquire the OS details of the target. Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -O option is used to perform OS discovery, which displays the OS details of the target machine.
OS Discovery using Unicornscan
Source: https://sourceforge.net
In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform a Unicornscan, the syntax `# unicornscan <target IP address>` is used. As shown in the screenshot, the TTL value acquired after the scan is 128; hence, the OS is possibly Microsoft Windows.
OS Discovery using Nmap Script Engine
Source: https://nmap.org
The Nmap Scripting Engine (NSE) can be used to automate a wide variety of networking tasks by allowing users to write and share scripts. These scripts can be executed in parallel with the same efficiency and speed as Nmap. Attackers can also use various scripts in the Nmap Script Engine for performing OS discovery on the target machine. For example, in Nmap, smb-os-discovery is an inbuilt script used for collecting OS information on the target machine through the SMB protocol. In Zenmap, NSE can be generally activated using the -sC option. If custom scripts are to be specified, then attackers can use the --script option. The NSE results are displayed with both the Nmap normal and XML outputs.
OS Discovery using IPv6 Fingerprinting
Source: https://nmap.org
IPv6 fingerprinting is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4 fingerprinting, such as sending probes, waiting for and collecting the responses, and matching them against the database of fingerprints. The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced IPv6-specific probes along with a separate IPv6-specific OS detection engine. Nmap sends nearly 18 probes in the following order to identify the target OS using the IPv6 fingerprinting method:
▪ Sequence generation (S1–S6)
▪ ICMPv6 echo (IE1)
▪ ICMPv6 echo (IE2)
▪ Node Information Query (NI)
▪ Neighbor Solicitation (NS)
▪ UDP (U1)
▪ TCP explicit congestion notification (TECN)
▪ TCP (T2–T7)
In Zenmap, the -6 option along with -O option is used to perform OS discovery using the IPv6 fingerprinting method.
Syntax: `# nmap -6 -O <target>`
OS Discovery with AI
An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as
• “Use TTL to identify the operating system running on the target IP address 10.10.1.11”
`ping -c 1 10.10.1.11 && echo "Check the TTL value from the response to infer the OS (Linux/Unix: 64, Windows: 128)"`
• “Use TTL to identify the operating system running on the target IP address 10.10.1.9”
`ping -c 1 10.10.1.9 | grep "ttl"`
• “Use Nmap script engine to perform OS discovery on the target IP addresses in scan1.txt”
`nmap -iL scan1.txt -O --script=default --script-args=newtargets -oN os_discovery_results.txt`
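The TTL heuristic used in the prompts above and in the Unicornscan example (64 for Linux/Unix, 128 for Windows) is only sound once the hops between the observer and the target are accounted for, since every router decrements the TTL. The following Python example is added here and is not part of the original notes: it parses ping output, rounds the observed TTL up to the nearest common initial value, derives the hop count, and flags replies whose TTLs disagree. The 255 initial value for network appliances is an assumption added in this example, and the ping output it reads is constructed.

```python
import re

# Initial TTLs the notes associate with OS families. The 255 row is a common default
# for network appliances; it is an assumption added here, not a value from the notes.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "network device / other"}

# Linux ping prints "ttl=", Windows prints "TTL=", so match case-insensitively.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def infer_initial_ttl(observed_ttl: int) -> tuple:
    """Round an observed TTL up to the nearest common initial value.

    Returns (initial_ttl, hops_traversed). A TTL of 125 is read as 128 minus 3 hops."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 always matches")


def guess_os_from_ping(ping_output: str) -> dict:
    """Extract every TTL from ping output and infer the OS family and hop count.

    Fields are None when no reply line carries a TTL (e.g. only timeouts)."""
    ttls = [int(m) for m in TTL_RE.findall(ping_output)]
    if not ttls:
        return {"observed_ttls": [], "initial_ttl": None, "hops": None,
                "os_family": None, "consistent": True}
    initial, hops = infer_initial_ttl(ttls[0])
    return {
        "observed_ttls": ttls,
        "initial_ttl": initial,
        "hops": hops,
        "os_family": INITIAL_TTLS[initial],
        # Replies with differing TTLs from one address suggest NAT, a load balancer or
        # a middlebox answering on the host's behalf, so the guess is unreliable.
        "consistent": len(set(ttls)) == 1,
    }


# Constructed ping output for the demonstration, not a real capture.
PING_SAMPLE = """\
PING 10.10.1.11 (10.10.1.11) 56(84) bytes of data.
64 bytes from 10.10.1.11: icmp_seq=1 ttl=125 time=2.31 ms
64 bytes from 10.10.1.11: icmp_seq=2 ttl=125 time=2.10 ms
"""
```

The result is a heuristic only: a firewall or proxy answering for the host reports its own TTL, and hosts can be configured with non-default initial values.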
Create and Run Custom Script to Automate Network Scanning Tasks With AI
Attackers can leverage AI-powered technologies to enhance and automate their network scanning tasks. With the aid of AI, attackers can effortlessly create and run custom network scanning scripts and acquire valuable insights about their targets. By developing such custom scripts, attackers can efficiently execute a series of network scanning commands to gather information about a target domain. With this script, attackers can discover live systems, open ports, running services, service versions, and more on the target IP ranges.
For instance, attackers can use ChatGPT to guide the development of a script by using an appropriate prompt such as: "Develop a script that will automate network scanning efforts and find out live systems, open ports, running services, service versions, etc. on target IP range 10.10.1.0/24"
The following bash script is designed to automate network scanning efforts on the target IP range 10.10.1.0/24:
```bash
#!/bin/bash
# Step 1: ping scan only (-sP is the older alias of -sn) and keep the IP column of each "Up" line.
# Step 2: version-detect services on those hosts, saving normal/greppable/XML output as scan_results.*
nmap -sP 10.10.1.0/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt && nmap -iL live_hosts.txt -sV -oA scan_results && cat scan_results.nmap
```
6. Scanning Beyond IDS and Firewall
Intrusion detection systems (IDS) and firewalls are security mechanisms intended to prevent an attacker from accessing a network. However, even IDS and firewalls have some security limitations. Attackers try to launch attacks to exploit these limitations. This section highlights various IDS/firewall evasion techniques such as packet fragmentation, source routing, IP address spoofing, etc.
Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques:
▪ Packet Fragmentation
▪ Source Routing
▪ Source Port Manipulation
▪ IP Address Decoy
▪ IP Address Spoofing
▪ MAC Address Spoofing
▪ Creating Custom Packets
▪ Randomizing Host Order
▪ Sending Bad Checksums
▪ Proxy Servers
▪ Anonymizers
Packet Fragmentation
Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls in front of the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU and network resource consumption, the configuration of most IDS causes them to skip fragmented packets during port scans. Therefore, attackers use packet fragmentation tools such as Nmap to split the probe packet into smaller packets that circumvent the port-scan detection employed by IDS. Once these fragments reach the destined host, they are reassembled to form a single packet.
SYN/FIN Scanning Using IP Fragments
SYN/FIN scanning using IP fragments is not a new scanning method but a modification of previous techniques. This process of scanning was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header is split into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.
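A packet filter counters the fragmented SYN/FIN technique above by refusing to judge a TCP fragment that does not carry the flags byte and by holding fragments until the whole datagram can be inspected. The following Python example is added here and is not part of the original notes: it decodes the IPv4 fragment fields, groups fragments by the source/destination/protocol/identification key the text mentions, and flags both a first fragment too small to hold the TCP flags and a low-offset fragment that would overwrite them on reassembly. The packets are constructed for the demonstration.

```python
import socket
import struct
from collections import defaultdict

IP_MF = 0x2000           # "More Fragments" bit in the flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, measured in 8-octet units
PROTO_TCP = 6
TCP_FLAGS_BYTE = 13      # index of the flags byte inside the TCP header


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields needed to reason about fragments."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "mf": bool(flags_frag & IP_MF),
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,  # byte offset of this fragment's data
        "payload": pkt[ihl:total_len],
    }


def reassembly_key(h: dict) -> tuple:
    """Fragments of one datagram share source, destination, protocol and identification."""
    return (h["src"], h["dst"], h["proto"], h["id"])


def fragment_findings(pkt: bytes) -> list:
    """Reasons a TCP fragment must be held for reassembly instead of being judged alone."""
    h = parse_ipv4(pkt)
    findings = []
    if h["proto"] != PROTO_TCP or not (h["mf"] or h["offset"]):
        return findings  # unfragmented, or not TCP: nothing to check here
    if h["offset"] == 0 and len(h["payload"]) <= TCP_FLAGS_BYTE:
        findings.append("tiny first fragment: TCP flags byte is not in the initial fragment")
    if 0 < h["offset"] <= TCP_FLAGS_BYTE:
        findings.append("low-offset fragment: would overwrite the TCP flags byte on reassembly")
    return findings


def group_fragments(pkts) -> dict:
    """Bucket fragments by reassembly key so a filter can inspect the whole datagram."""
    groups = defaultdict(list)
    for pkt in pkts:
        h = parse_ipv4(pkt)
        if h["mf"] or h["offset"]:
            groups[reassembly_key(h)].append(h)
    return dict(groups)


def make_ipv4(src: str, dst: str, ident: int, mf: bool, offset_units: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left zero) for the demonstration."""
    flags_frag = (IP_MF if mf else 0) | (offset_units & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed 20-byte TCP header: sport 40000 -> dport 80, SYN set, window 8192.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def sample_packets() -> tuple:
    """(unfragmented SYN, first fragment with ports+seq only, second fragment carrying the flags)."""
    whole = make_ipv4("10.0.0.2", "10.0.0.3", 1, False, 0, TCP_SYN)
    frag1 = make_ipv4("10.0.0.2", "10.0.0.3", 2, True, 0, TCP_SYN[:8])
    frag2 = make_ipv4("10.0.0.2", "10.0.0.3", 2, False, 1, TCP_SYN[8:])
    return whole, frag1, frag2
```

A filter that only examined the first fragment would see ports but no SYN flag, which is exactly the gap the technique relies on; the second fragment, at offset 8, is where the flags arrive.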
Source Routing
An IP datagram contains various fields, including the IP options field, which can carry source routing information: a list of IP addresses through which the packet must travel on its way to the destination. Normally, each router along the path examines only the destination IP address and chooses the next hop itself. When attackers send crafted packets to a target, those packets hop through routers and gateways, some of which may be firewalls or IDS-monitored links that would block or log them. To avoid those devices, attackers use loose source routing (LSRR) or strict source routing (SSRR), placing an attacker-chosen path in the IP options field so that the packet is forwarded around the firewall-/IDS-protected routers to reach the destination. In practice, most routers and host operating systems now drop source-routed datagrams by default (Linux, for example, ships with net.ipv4.conf.all.accept_source_route set to 0), so this technique only works against legacy or misconfigured networks; Nmap exposes it through the --ip-options option.
Source Port Manipulation
Source port manipulation is a technique for bypassing IDS/firewall rules by sending probes from a chosen source port that the rules treat as trusted, rather than from the ephemeral port the operating system would pick. The underlying misconfiguration is blindly trusting the source port number: administrators often allow inbound traffic whose source port is a well-known service port such as 53 (DNS), 20 (FTP data), or 80 (HTTP) so that replies from those services get through. A stateless firewall written that way also admits an attacker's scan packets sent with that source port, for example nmap -g 53 [target] or nmap --source-port 53 [target]. Stateful filtering, which admits a reply only when it matches a connection an inside host initiated, removes the weakness.
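As an added illustration (not part of the course text), the following nftables ruleset places the weak source-port rule that this technique exploits next to the stateful rule that replaces it. The interface name and the exposed service port are placeholders chosen for the example.

```nft
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # WEAK (left commented out): "let DNS answers in", written as a match on the
        # source port. Any packet whose sender chose source port 53 matches, including
        # probes from  nmap -g 53 <target>  or  nmap --source-port 53 <target>.
        # udp sport 53 accept
        # tcp sport 53 accept

        # CORRECT: admit only replies to connections this host started. An attacker's
        # probe has no matching conntrack entry and falls through to the drop policy.
        ct state established,related accept
        ct state invalid drop

        # Services deliberately exposed are matched on the destination port we control.
        tcp dport 22 accept
    }
}
```

With the stateful rule, a genuine DNS answer is accepted because the outbound query created a conntrack entry, while a scan packet carrying source port 53 is dropped because no such entry exists.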
IP Address Decoy
The IP address decoy technique refers to generating or manually specifying decoy IP addresses to evade IDS/firewalls. To the target it appears that the decoys as well as the attacker's host are scanning the network, which makes it difficult for the IDS/firewall to determine which IP address is actually scanning and which addresses are decoys. Nmap's built-in decoy scan (-D) cloaks a scan with decoys: each probe is also sent with the decoys' addresses as source, so the target IDS might report scanning from 5 to 10 IP addresses but cannot tell the real scanner from the innocuous decoys in its logs.
▪ nmap -D RND:10 [target] (ten randomly generated decoy addresses)
▪ nmap -D decoy1,decoy2,decoy3,...,ME,... [target] (explicit decoys; ME marks the position of the real address in the sequence)
Decoys are used in the initial ping scan, during port scanning, and during OS detection, but not with connect scans (-sT) or version detection. The decoy hosts should actually be up, because the target's responses (SYN/ACKs and RSTs) are sent to them as well.
IP Address Spoofing
Most firewalls filter packets based on the source IP address: they examine the source address and decide whether the packet comes from a legitimate or an illegitimate source, and an IDS may likewise treat packets from listed sources differently. Attackers use IP spoofing to forge the source address so that such IDS/firewalls treat the packet as coming from a permitted source. Because the target's replies go to the spoofed address rather than to the attacker, a plain spoofed scan yields no results unless the attacker can observe that address's traffic; spoofing is therefore mostly combined with decoys, idle scanning, or flooding traffic where no reply is needed.
▪ IP spoofing using Hping3: hping3 www.certifiedhacker.com -a 7.7.7.7
▪ IP spoofing using Nmap: nmap -S 7.7.7.7 -e eth0 -Pn [target] (Nmap needs -e to name the sending interface and usually -Pn, since it will not see the host-discovery replies)
MAC Address Spoofing
Some firewalls and network access controls filter on the source media access control (MAC) address: they examine the MAC address in the Ethernet frame header and allow frames only from specific, known sources (MAC filtering), dropping the rest. To get around these restrictions, attackers spoof the MAC address, presenting a fake or borrowed address to masquerade as an authorised device and scan the hosts located behind the filter. Two caveats apply: a MAC address is rewritten at every router hop, so MAC filtering and MAC spoofing only matter on the attacker's own layer-2 segment; and Nmap's --spoof-mac implies --send-eth, so it applies to raw-packet scans such as -sS, not to a connect scan (-sT), which uses the operating system's own socket stack and therefore sends frames with the real MAC address. Nmap accepts 0 (a random MAC address), a vendor name or prefix, or a full MAC address:
▪ nmap -sS -Pn --spoof-mac 0 [Target IP]
▪ nmap -sS -Pn --spoof-mac [Vendor] [Target IP]
▪ nmap -sS -Pn --spoof-mac [new MAC] [Target IP]
Creating Custom Packets
The attacker creates and sends custom packets to scan the intended target beyond the IDS/firewalls. Various techniques are used to create custom packets. Some of them are mentioned below:
▪ Creating Custom Packets by using Packet Crafting Tools
Attackers create custom TCP packets (for instance with unusual flag combinations, IP options, or payloads) to scan the target while bypassing the firewalls. They use packet crafting tools such as Colasoft Packet Builder (https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), and hping3 to scan targets that lie beyond the firewall. Packet crafting tools craft and send packet streams (custom packets) using different protocols at different transfer rates.
Randomizing Host Order
The attacker scans the hosts in the target network in a random order rather than sequentially, so that a sweep of the hosts lying beyond the firewall is less recognisable as a scan. The Nmap option for this is --randomize-hosts. It instructs Nmap to shuffle each group of up to 16384 hosts before scanning them; combined with slow timing options (for example -T2), this makes the scan less notable to network monitoring systems and firewalls. To randomize larger groups, PING_GROUP_SZ must be increased in nmap.h and Nmap recompiled. Alternatively, the target list can be generated with a list scan (nmap -sL -n -oN <filename> [targets]), shuffled with a short script (a Perl one-liner or shuf), and fed back to Nmap with the -iL <filename> option.
Sending Bad Checksums
The attacker sends packets with bad (bogus) TCP/UDP checksums to the intended target to probe certain firewall rule sets. TCP/UDP checksums protect data integrity, and every real host's network stack silently discards a segment whose checksum does not verify. A response to a bad-checksum probe therefore does not come from the target host itself: it comes from an IDS or firewall that answered without verifying the checksum, which reveals the presence and behaviour of that device. No response means the packets were handled normally, that is, dropped by a stack that validates checksums. Nmap's --badsum option sends packets with invalid TCP, UDP, or SCTP checksums for this purpose. On the defensive side, a sensor that silently ignores bad-checksum packets mirrors the hosts but is also blind to the probe; it is more useful to log them, since legitimate traffic almost never arrives with corrupt checksums once it has crossed a link with its own error detection.
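The following added Python example (not from the course text) shows what a bad checksum means on the wire and how a sensor can treat it. It computes the TCP checksum over the IPv4 pseudo-header for a constructed SYN segment, corrupts it the way a --badsum probe does (any value other than the correct one is bad), and then runs two sensor policies over both segments: silently ignoring bad-checksum packets, which mirrors the end host's stack but hides the probe, and logging them. The addresses and ports are constructed for the example.

```python
import socket
import struct

IPPROTO_TCP = 6
TCP_CSUM_OFFSET = 16   # the 16-bit checksum field occupies bytes 16-17 of the TCP header


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement of the ones'-complement sum of 16-bit words.
    An odd trailing byte is padded with a zero byte before summing."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum a TCP segment as the receiving stack does: over the IPv4 pseudo-header
    (source, destination, zero, protocol, TCP length) plus the segment with its own
    checksum field treated as zero."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment)))
    zeroed = segment[:TCP_CSUM_OFFSET] + b"\x00\x00" + segment[TCP_CSUM_OFFSET + 2:]
    return internet_checksum(pseudo + zeroed)


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[TCP_CSUM_OFFSET:TCP_CSUM_OFFSET + 2])[0]
    return tcp_checksum(src, dst, segment) == stored


def build_syn(src: str, dst: str, sport: int, dport: int, badsum: bool = False) -> bytes:
    """20-byte SYN with a correct checksum, or with a deliberately wrong one (like --badsum)."""
    hdr = struct.pack("!HHLLBBHHH", sport, dport, 0x11223344, 0, 5 << 4, 0x02, 1024, 0, 0)
    csum = tcp_checksum(src, dst, hdr)
    if badsum:
        csum = (csum + 1) & 0xFFFF           # any value other than the correct one is "bad"
    return hdr[:TCP_CSUM_OFFSET] + struct.pack("!H", csum) + hdr[TCP_CSUM_OFFSET + 2:]


def sensor_verdict(src: str, dst: str, segment: bytes, policy: str) -> str:
    """What a sensor concludes about one segment.
    policy == "ignore": discard bad-checksum packets before inspection (mirrors the end
                        host, so a --badsum probe leaves no trace in the sensor).
    policy == "log":    record them; real stacks almost never emit corrupt checksums, so a
                        stream of them from one source is a scan indicator in itself."""
    if not checksum_ok(src, dst, segment):
        return "ignored" if policy == "ignore" else "alert: bad TCP checksum from %s" % src
    if segment[13] & 0x02 and not segment[13] & 0x10:     # SYN without ACK: connection attempt
        return "syn to port %d" % struct.unpack("!H", segment[2:4])[0]
    return "ok"


def demo():
    src, dst = "192.0.2.10", "198.51.100.20"          # RFC 5737 addresses, constructed
    good = build_syn(src, dst, 40000, 80)
    bad = build_syn(src, dst, 40000, 80, badsum=True)
    return {
        "good_verifies": checksum_ok(src, dst, good),
        "bad_verifies": checksum_ok(src, dst, bad),
        "ignore_policy": [sensor_verdict(src, dst, s, "ignore") for s in (good, bad)],
        "log_policy": [sensor_verdict(src, dst, s, "log") for s in (good, bad)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the "ignore" policy the bad-checksum SYN vanishes without a record, which is exactly the blind spot the attacker is counting on when a middlebox answers it; under the "log" policy the same segment produces an alert that names the source. The UDP case works the same way with protocol 17 in the pseudo-header and the checksum at UDP offset 6.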
Proxy Servers
A proxy server is an application that serves as an intermediary for connections between a client and other computers. A proxy server is used:
▪ As a firewall and to protect the local network from external attacks.
▪ As an IP address multiplexer that allows several computers to connect to the Internet when only one public IP address is available (NAT/PAT).
▪ To anonymize web surfing (to some extent).
▪ To filter out unwanted content, such as ads or “unsuitable” material (using specialized proxy servers).
▪ To provide some protection against hacking attacks.
▪ To save bandwidth (by caching content).
Free Proxy Servers
Free proxy servers are available on the Internet and can be used to access restricted sites without revealing your IP address to the destination. Searching for “Free Proxy Servers” in Google lists such servers; select one, configure your browser to use it (or download and install the client it provides), and browse without exposing your legitimate IP address. Keep in mind that the proxy operator sees all of your unencrypted traffic and may log it, so a free proxy hides you from the destination site, not from the proxy itself.
Proxy Chaining
Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used between the attacker and the target application: the more proxy servers in the chain, the more parties that would have to cooperate or be compromised to trace the connection back, and the greater the attacker's anonymity. Each proxy also adds latency and sees the traffic passing through it, so the chain is only as trustworthy as its non-logging, non-colluding members.
Proxy Tools
Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP address hidden behind a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, mail, FTP, SOCKS, news, telnet, and HTTPS proxy servers.
▪ Proxy Switcher Source: https://www.proxyswitcher.com
▪ CyberGhost VPN Source: https://www.cyberghostvpn.com
In addition to the proxy tools mentioned above, many other tools let users surf the Internet anonymously or route their traffic through proxies. Some additional proxy tools are listed below:
▪ Burp Suite (https://www.portswigger.net)
▪ Tor (https://www.torproject.org)
▪ Hotspot Shield (https://www.hotspotshield.com)
▪ Proxifier (https://www.proxifier.com)
▪ IPRoyal Residential Proxy (https://iproyal.com)
Anonymizers
An anonymizer is an intermediate server placed between an end user and a website that accesses the website on the user's behalf, so that the user's web surfing activities cannot be traced back to him/her by the site. Anonymizers also allow users to bypass Internet censorship. An anonymizer strips identifying information such as the user's IP address from the requests it forwards, and it encrypts the traffic between the user's computer and the anonymizer, so that the Internet service provider (ISP) sees only an encrypted connection to the anonymizer rather than the sites visited. Most anonymizers can anonymize web (http:), File Transfer Protocol (ftp:), and Gopher (gopher:) Internet services.
Anonymizer tools use techniques such as SSH tunnels, VPNs, and HTTP proxies to give access to blocked or censored content on the Internet, often with advertisements removed.
▪ Whonix Source: https://www.whonix.org
Some additional anonymizers are listed below:
▪ Psiphon (https://psiphon.ca)
▪ TunnelBear (https://www.tunnelbear.com)
▪ Invisible Internet Project (I2P) (https://geti2p.net)
▪ Bright Data Proxy API (https://brightdata.com)
Censorship Circumvention Tools
▪ AstrillVPN Source: https://www.astrill.com
▪ Tails Source: https://tails.net