Scanning and Enumeration
What is scanning?
Scanning is the process of discovering systems on the network and taking a look at what open ports and applications may be running.
In scanning you go into the network and start touching each device to find out more about it.
Three categories of scanning techniques
ICMP Scanning - most basic scan for live systems
TCP Scanning
Open TCP Scanning Methods
TCP Connect / Full Open Scan
Stealth TCP Scanning Methods
Half-open Scan
Inverse TCP Flag Scanning
Xmas Scan
FIN Scan
NULL Scan
ACK Flag Probe Scanning
Third Party and Spoofed TCP Scanning Methods
IDLE /IP ID Header Scanning
UDP Scanning
UDP Scanning
Refresher on TCP/IP fundamentals
TCP header flags
SYN (Synchronize) - flag is set during initial communication establishment and indicates negotiation of parameters and sequence numbers.
ACK (Acknowledgment) - flag is set as an acknowledgment to SYN flags and is set on all segments after the initial SYN flag.
RST (Reset) - flag forces a termination of communications (in both directions).
FIN (Finish) - flag signifies an orderly close to communications.
PSH (Push) - this flag forces the delivery of data without concern for any buffering, the receiving device does not need to wait for the buffer to fill up before processing the data.
URG (Urgent) - when this is set the data inside is being sent out of band, for example when cancelling a message mid-stream
Sequence number - a semi-random number that helps maintain the legitimacy and uniqueness of this session.
The source and destination port fields in a TCP or UDP header identify the upper-layer protocol (service) that will process the data.
Port numbers inside the Transport layer protocol header (TCP or UDP) identify which upper-layer protocol should receive the information contained within.
Well-known ports: 0-1023
Registered ports: 1024-49151
Dynamic ports: 49152-65535
Port states
Listening - the port is waiting for a connection
Established - the port is connected to a remote computer
CLOSE_WAIT - shows that the remote side of your connection has closed the connection
TIME_WAIT - shows that your side has closed the connection
Three IPv4 main address types
unicast
broadcast
multicast
What is the ECC's scanning methodology?
Check for live systems - as simple as a ping; it just gets you a list of what is alive on the network subnet
Check for open ports - find what ports they are listening on
Scan beyond IDS - sometimes you have to change your scanning tactic to avoid being detected by an IDS
Perform banner grabbing - banner grabbing and OS fingerprinting will tell you what OS is running on the machines and which services they are running
Scan for vulnerabilities - focused look at the vulnerabilities that might have not been patched yet
Draw network diagrams - shows you all the logical and physical pathways to the targets you are interested in
Prepare proxies - obscures your efforts to keep you hidden
What does ICMP do?
ICMP provides error messaging for the TCP/IP protocol suite
ICMP packets could wind up being the perfect covert channel for hackers to communicate with each other
What is a ping sweep?
A ping sweep is the easiest method available to identify active machines on the network.
Administrators usually disable ping responses on many network systems and devices and configure firewalls to block them.
ICMP Echo scanning - pinging the network itself (sending ICMP Echo Request packets to the network IP address)
List scan - running a reverse DNS lookup on all IPs in the subnet
List of ping sweep / scanning tools
Nmap
Angry IP Scanner
SolarWinds Engineer Toolset
Network Ping
OPUtils
SuperScan
Advanced IP Scanner
Pinkie
How do port scanners work?
Port scanners work by manipulating Transport layer protocol flags in order to identify active hosts and scan their ports
What three things define port scan types?
what flags are set in the packets before delivery
what responses you expect from ports
how stealthily the scan works
What are the seven generic port scanning types?
Full connect
Also known as a TCP connect or full open scan
runs through a full connection (three-way handshake) on ports, tearing it down with an RST at the end
It is the easiest one to detect but the most reliable
Open ports respond with a SYN / ACK
Closed ports respond with an RST
Stealth
Also known as half-open scan or SYN scan
Only sends SYN packets to ports
Responses are the same as in full connect scans
Good at hiding your scanning efforts, bypassing firewalls and monitoring by hiding as normal traffic
Inverse TCP flag
uses the FIN, URG and PSH flags to poke at system ports
If the port is open there will be no response at all
If the port is closed an RST/ACK will be sent in response
This does not work against Windows systems
XMAS
All flags are turned on
Port responses are the same as with an inverse TCP scan
These do not work against Microsoft machines because of Microsoft's TCP/IP stack implementation
ACK flag probe
two versions of this scan (both use the same method)
attacker sends the ACK flag and looks at the return header (TTL or WINDOW fields) to determine the port status.
If the TTL of the returned RST packet is less than 64 then the port is open
In the Windows version, if the WINDOW size on the RST packet is anything other than 0 then the port is open
this can also be used to check whether there is filtering at the remote end.
If an ACK is sent and there is no response, there is a stateful firewall between the attacker and the host.
If an RST comes back then there is no filtering or firewall in place.
IDLE
Uses a spoofed IP address to get port responses during a scan
Sends the SYN flag and keeps track of responses as in a SYN scan
The machine receiving the responses from the target is not your own, so the source of the scan is obscured
UDP Scan
Send a datagram to the port
If the port is open you won't get a response
If the port is closed you will get an ICMP port unreachable message.
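An added example, not part of these notes: a small Python helper that reads the flag byte of a TCP header (the flags listed in the TCP/IP refresher above), labels a segment the way an IDS signature for the scan types listed above would, and maps each scan type's reply to the port state these notes describe. The header builder, port numbers and flag combinations are constructed sample input.

```python
import struct
from typing import Optional

# Bit values of the flag byte (byte 13) of a TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample input, checksum left 0)."""
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)

def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP header; reject truncated headers."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def classify_probe(flags: int) -> str:
    """Label a segment the way an IDS rule for the scan types above would."""
    f = flags & 0x3F              # ignore CWR/ECE (0x80, 0x40); they do not change the probe type
    if f == 0:
        return "NULL scan probe"
    if f in (FIN | PSH | URG, 0x3F):   # nmap-style Xmas, or every flag lit as the notes describe
        return "Xmas scan probe"
    if f == FIN:
        return "FIN scan probe"
    if f == SYN:
        return "SYN probe (half-open or full connect)"
    if f == ACK:
        return "ACK flag probe"
    return "normal traffic"

def infer_port_state(scan: str, reply_flags: Optional[int]) -> str:
    """Port state each scan type infers from the reply (None = no segment came back)."""
    if scan == "syn":
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        if reply_flags & RST:
            return "closed"
        return "unknown"
    if scan in ("fin", "null", "xmas"):
        # inverse-flag scans: silence means open (or a Windows stack), RST/ACK means closed
        return "open|filtered" if reply_flags is None else ("closed" if reply_flags & RST else "unknown")
    return "unknown"

if __name__ == "__main__":
    print(classify_probe(tcp_flags(make_tcp_header(40000, 80, FIN | PSH | URG))))  # Xmas scan probe
```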
What is an IP identifier and what is it for?
Every IP packet carries one; it is used to keep track of fragmentation so that fragmented packets can be put back together at the destination
Scanning and Enumeration Tools
What is fingerprinting?
Fingerprinting is port sweeping and enumeration on a machine
What is the difference between active and passive fingerprinting?
Active OS fingerprinting involves sending crafted, nonstandard packets to a remote host and analyzing the replies
Passive OS fingerprinting involves sniffing packets without injecting any packets into the network, examining things like TTL, window sizes, Don't Fragment flags, and Type of Service (ToS) fields
Tools
Nmap
NetScanTools Pro - contains four sets of tools
Active Discovery and Diagnostic Tools (testing/locating devices on net)
Passive Discovery Tools (monitor activities of devices and gather information)
DNS Tools (self-explanatory)
Local Computer and General Information tools (details about local system)
Hping
Advanced Port Scanner
MegaPing
Net Tools
PRTG Network Monitor
Designed for Mobile use
IP Scanner
Fing
Hackode
zANTi
PortDroid Network Analysis
For information about Evasion refer to Evasion
Enumeration
Windows Account Basics
Linux Account Basics
What is enumeration?
Simply figuring out what's running on a machine
Information we might want to enumerate
Network resources
Network shares
Routing tables
Audit and service settings
SNMP and FQDN details
Machine names
Users and groups
Applications and banners
What are some of the enumeration techniques available?
Enumeration techniques
Extract user names from email addresses
Default passwords
Brute force Active Directory
DNS Zone Transfer
Extract User Groups
Extract user names using SNMP
Other Enumeration options
LDAP
Designed to be queried
LDAP sessions are started by a client on TCP port 389 connecting to a Directory System Agent (DSA)
Requests query the hierarchical/logical structure and the DSA returns an answer encoded using Basic Encoding Rules (BER)
Can provide things like valid user names, domain information, addresses and telephone numbers, system data, and organizational structure
Tools
Softerra
JXplorer
Lex
LDAP Admin Tool
Active Directory Explorer
NTP
Runs on port 123
Sets the time across a network
Querying this can give you information such as a list of systems connected to the server and IP addresses of internal systems
Tools
Server Scanner
AtomSync
Nmap
Wireshark
SMTP
Commonly used commands
VRFY - validates user
EXPN - provides the actual delivery addresses of mailing lists and aliases
RCPT TO - defines recipients
IPsec
IPsec uses ESP, AH and IKE to secure communications between VPN endpoints
Most IPsec based VPNs use ISAKMP to establish, negotiate, modify and delete Security Associations (SA) and cryptographic keys in a VPN environment
Simply scanning for ISAKMP on UDP 500 can indicate the presence of a VPN gateway
The ike-scan tool can give you
encryption and hashing algorithm
authentication type
key distribution algorithm
SA LifeDuration
VoIP
Uses SIP to enable voice and video calls over an IP network
SIP service generally uses UDP/TCP ports 2000, 2001, 5050, 5061
Provides information such as:
VoIP gateway/servers
IP-PBX systems
Client software
User agent IP addresses
User extensions
This information can be used to launch VoIP attacks:
DoS
Session Hijacking
Caller ID Spoofing
Spamming over Internet Telephony
VoIP phishing
RPC Enumeration
RPC allows client and server to communicate in distributed client/server programs
Enumerating RPC endpoints enables attackers to identify vulnerable services on the service ports