A thief wanted to rob a bank; he started watching the bank since a week now, and he started to take notes about when the employees come, when they leave, when there is big cash in the bank, when this cash is gone, and he decided to rob the bank on the X day.
What do you think is missing here?
The thief has gathered his information from the outside, but he missed the inside part. He didn’t report where the entrances and exits are, where the guards are located, where the monitoring cameras are, and how to disable or evade them; he didn’t see where cash is, what kind of vault they have, how he will escape, what Plan B is…
Wow, this guy missed so many things, and this is what hackers try to avoid. And this is what we call “Scanning and Enumeration”.
In “Scanning and Enumeration” we are trying to gather more information – but this time by a partial delving into our target and grabbing the information that will help us prepare our attack.
From the previous phase, we were able to gather general information about our target, this time we will scan our system to find out:
1- Live systems
2- Open ports
3- Services running
4- Operating systems used
5- Vulnerabilities
Any “Penetration Testing” scanning starts with defining the live systems and drawing a network topology for your target, our mission here is to find host, routers, firewalls…
Both requirements can be achieved using some methods like “Tracerouting” – which we already discussed in a previous article; another method is “Ping Sweeping” – which is technique used by attackers where you send ICMP Echo Request to multiple hosts, trying to find who of these hosts are alive.
Some of the tools that can accomplish “Ping Sweeping” are Nmap, Hping3, netenum, Fping…
Let’s see what we can get from Nmap:
As we have seen, the command used was
nmap –sP 207.x.x.0/24
Or
nmap –sP 207.x.x.1-255
Both commands are the same, but in the first we used CIDR or Classless Inter-Domain Routing, while in the second we added manually the range we want to scan.
Let’s see the result in the Protocol Analyzer “Wireshark”
At the end of the Nmap command, you will see the result of the Ping Sweeping
The good thing about “Ping Sweeping” is:
* You will be able to detect all the live hosts (if ICMP Echo requests are allowed)
* You can run the ICMP scanning in parallel, which means you can scan so many hosts at the same time. And this will be very helpful if you are scanning an entire network
The bad thing about “Ping Sweeping” is:
* This technique is detectable; either by IDS or awaken administrators :), because of the huge amount of ICMP Echo Requests against so many machines at a small time range.
Would you like to know how to avoid that?
Search for “Nmap Timing Options” and enjoy reading :)
* If ICMP Echo Requests are blocked at the perimeter zone, then you are stuck, because Ping Sweeping using ICMP won’t work then.
Note – In this case, we will use a TCP Ping Sweep to scan our target’s network. What happens is that we send an ACK to the targets, and the live ones should respond with a RST.
For example with Nmap, the command will be:
nmap –sP –PT 207.x.x.0/24
Or
nmap –sP –PT80 207.x.x.0/24 (where 80 here is a port number that is allowable through the firewall, and it doesn’t mean that this port should be opened on the scanned machines)
Now after we were able to see the live hosts on the target network, let’s see which of these systems have open doors for our entry, and what services might be running on these systems.
I will tell you the types of scans, and with each scan I will describe how it is accomplished and what’s going on behind the scenes.
But before that, I would like to talk remind you about TCP connections.
We said before that all TCP connections are established using a 3 way handshake SYN, SYN / ACK and finally ACK. And we said that TCP is a Transport Protocol that is responsible for transferring data from one system to another, and it divides the data into pieces and label them with sequence numbers for proper order upon delivery.
“My Computer” sends a packet with Initial Sequence Number or ISN (Let’s call it A) and the SYN flag is set to 1.
“My Target” will respond with a packet that has both the SYN and ACK flags set to 1. The Acknowledgment will add 1 to the sequence it got from “My Computer”, and will create another ISN special for responses (Let’s call it B).
“My Computer” will establish now the 3-Way handshake by sending an ACK, using the ISN of “My Target and adding 1 to it.
From now on, whenever “My Computer” sends any packet to “My Target”, it will be based on the ISN(A)+1. While whenever “My Target” send any packet to “My Computer”, it will be based on the ISN(B)+1.
Now to the scan types :)
TCP Connect Scan (Plain Vanilla):
“TCP Connect Scan” or “Plain Vanilla” attempts to complete the whole 3-Way handshake with each target host.
The attacker sends a SYN to the target, if the target’s port is open and it responded with a SYN/ACK, then the attacker will send the last ACK and tear down the connection using the RST.
As we said previously, that this scan can be detected easily, because it will generate a huge amount of scan targeting all of the ports on our Target, trying to detect what the opened ports are.
Let’s see what we can get from Nmap:
The command used is
nmap –sT 192.168.2.31
From “Wireshark”, we can see that the attacker is sending a SYN to different random ports on our target (The yellow lines), and the target is responding with RST if the port is closed (The red lines), while it responds with a SYN/ACK if the port is opened (The green line)
TCP SYN Scan (Half Open):
TCP SYN scan is a little bit stealthier than the previous scan, because it uses a different technique.
The attacker sends a SYN to the targets, if the target’s port is open and it responded with a SYN/ACK, then the attacker will immediately tear down the connection using the RST.
The good thing about TCP SYN scan is:
* It doesn’t establish a connection (as it sends an immediate RST before the connection is established), therefore these scans are not logged
Note – Though the target itself doesn’t log these types of scans, the perimeter devices has the ability to report such scans, so be aware of that
* Speed, because it sends fewer packets than the previous scan.
Let’s see what we can get from Nmap:
The command used is
nmap –sS 192.168.2.31
From “Wireshark”, we can see that the attacker is sending a SYN to different random ports on our target (The yellow lines), and the target is responding with RST if the port is closed (The red lines), while it responds with a SYN/ACK if the port is opened (The green line).
Notice the Red line directly after the Green line; you will notice that the attacker sends an immediate RST after the SYN/ACK of the target.
TCP FIN, XMAS, NULL Scans (Stealth):
I decided to gather these 3 scans together because they are really working in the same manner; they break the rule of TCP connection establishment.
We have seen that the normal TCP connection establishment starts with a SYN, and then goes further, whether you complete the connection establishment (TCP Connect Scan) or terminate it (TCP SYN Scan).
But these 3 scans (FIN, XMAS, NULL), are acting totally in a different manner; they send an unexpected packet at the start of the connection.
The FIN Scan starts with a FIN packet, the XMAS Scan starts with a packet that has the Flags URG, ACK and PSH set to 1, while the NULL Scan starts with a packet that has all the Flags set to 0.
But why are they doing that? The reason is to confuse the targets, because each target expects a SYN packet for connection establishment. When the target receives a FIN packet (which indicates a normal TCP Connection termination), it will take it because it will think that it’s coming from a previous established connection. While the other 2 (XMAS and NULL) are violating the rules of flag settings, because the target is expecting a 1 flag packet which indicates 1 thing. So when the target receives a packet with all flags set, or all flags removed, then this is confusing.
Note – One important thing you have to know here, these scans are not going to work if your target is a WINDOS based.
Remember in the last article, our homework was to read the RFC793. In this RFC it is indicated that when a port is closed, then a RST is sent back. And no response is sent when the port is open.
Unfortunately, Microsoft doesn’t follow this RFC :) and whenever they receive any of these scans, the response is always RST. That’s why these scans will not work against Windows based systems.
Let’s start with the TCP FIN Scan:
The command used is
nmap –sF 192.168.2.31
Notice that the result indicates Open|Filtered, do you know why?
The reason is that some Firewalls (such as Stateful Firewalls) can drop this kind of packets without sending a response back (so the port might be open, or it might be filtered by the firewall)
From “Wireshark”, we can see that the attacker is sending a FIN to different random ports on our target (The White lines), and the target is responding with RST if the port is closed (The red lines), while it sends no response if the port is open or filtered (by Firewall).
Note – if you would like to see that the open|filtered ports didn’t respond, just add a filter to your Wireshark such as tcp.port==22 (as in our case here). This will show only the SSH packets, and you will see no responses from the port (which indicates either open or filtered)
Now, let’s examine the XMAS Scan
The command used is
nmap –sX 192.168.2.31
Notice that result indicates open|filtered, I’m sure you know why :)
From “Wireshark”, we can see that the attacker is sending a packet with all Flags set (FIN, PSH, URG) to different random ports on our target (The White lines), and the target is responding with RST if the port is closed (The red lines), while it sends no response if the port is open or filtered (by Firewall).
Note – if you would like to see that the open|filtered ports didn’t respond, just add a filter to your Wireshark such as tcp.port==22 (as in our case here). This will show only the SSH packets, and you will see no responses from the port (which indicates either open or filtered)
Now let’s examine the NULL Scan
The command used is
nmap –sN 192.168.2.31
From “Wireshark”, we can see that the attacker is sending a packet with no Flags set (can you see the 2 empty brackets []) to different random ports on our target (The White lines), and the target is responding with RST if the port is closed (The red lines), while it sends no response if the port is open or filtered (by Firewall).
Note – if you would like to see that the open|filtered ports didn’t respond, just add a filter to your Wireshark such as tcp.port==22 (as in our case here). This will show only the SSH packets, and you will see no responses from the port (which indicates either open or filtered)
Now I'm tired and need a break :)
Don't worry, our talking about Nmap is not finished. But you have to wait till Part 2 :)
Take care guys.
Scanning using Nmap - Part 1
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment