Cyber Operation and Penetration Testing Scanning Cliff Zou University of Central Florida

Acknowledgement Content from the book: “The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy”, Second Edition

Acknowledgement Presentation slides: “Using Nessus and Nmap to Audit Large Networks” By Greg Johnson, Principal Security Analyst University of Missouri – Columbia https://www.cs.uaf.edu/2003/fall/cs493/refs/JohnsonAudit.ppt

Checking Machine Online Status?
root@kali: ping IPaddress
Windows with the firewall enabled does not answer ping by default on networks it has not classified as home (private) networks.
Enable ping responses in Windows: search "firewall", open "Windows Firewall" in Control Panel, click "Advanced settings" on the left, then "Inbound Rules" in the left panel. Find the rules titled "File and Printer Sharing (Echo Request - ICMPv4-In)", right-click each rule and choose "Enable Rule".

Ping and Ping Sweep
Ping sweep: a series of pings sent to a range of IP addresses.
Tool: fping (preinstalled in Kali Linux)
fping -a -r 0 -g 192.168.0.1 192.168.0.254
-a: only show hosts that are alive
-r 0: number of retries (0 means a single ping per IP)
-g: generate the targets from the given IP range
Con: it can only find computers that answer ICMP echo requests. A host whose firewall drops ICMP looks dead, so follow up with a TCP probe of likely ports (for example nmap -Pn) before concluding that an address is unused.

Port Scanning
Discover which ports are open on a target computer and, from that, which services are probably running.
See the "common port number" sheet: http://packetlife.net/media/library/23/common_ports.pdf

Pre-Knowledge: Network Layered Structure
What is the Internet? A stack of layers, each one using the services of the layer below it:
Application: Web, Email, VoIP
Transport: TCP, UDP
Network: IP
Data Link: Ethernet, cellular
Physical: the link itself

Pre-Knowledge: TCP segment structure (rows of 32 bits)
source port # | dest port #
sequence number
acknowledgement number
head len | not used | U A P R S F | receive window
checksum | urgent data pointer
options (variable length)
application data (variable length)
Sequence and acknowledgement numbers count bytes of data, not segments.
URG: urgent data (generally not used). ACK: the acknowledgement number is valid. PSH: push data to the application now. RST, SYN, FIN: connection setup and teardown commands.
Receive window: number of bytes the receiver is willing to accept.
Checksum: Internet checksum (as in UDP).

TCP Connection Setup --- Three-Way Handshaking
Step 1: the client host sends a TCP SYN segment to the server; it specifies the client's initial sequence number and carries no data.
Step 2: the server receives the SYN and replies with a SYN/ACK segment; the server allocates buffers and specifies its own initial sequence number.
Step 3: the client receives the SYN/ACK and replies with an ACK segment, which may already carry data.
client -> server: SYN, seq=client_seq
server -> client: SYN/ACK, seq=server_seq, ack=client_seq+1
client -> server: ACK, seq=client_seq+1, ack=server_seq+1
Transport Layer

TCP Connection Management (cont.)
Closing a connection (close()):
Step 1: the client end system sends a TCP FIN control segment to the server.
Step 2: the server receives the FIN and replies with an ACK; when it has finished sending, it closes its side and sends its own FIN.
client -> server: FIN
server -> client: ACK
server -> client: FIN

TCP Connection Management (cont.)
Step 3: the client receives the FIN and replies with an ACK, then enters "timed wait": it will answer any retransmitted FIN with another ACK before moving to closed.
Step 4: the server receives the ACK. The connection is closed.
client -> server: ACK
Some applications simply send RST to terminate a TCP connection immediately, skipping the FIN exchange; a half-open (SYN) port scanner likewise ends each probe with RST rather than a full close.
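
The segment layout and the handshake arithmetic above, as an added example in pure Python (not code from the original slides or from any scanner). It builds and parses the 20-byte TCP header, computes the Internet checksum over the IPv4 pseudo-header, and produces the three handshake segments with the seq/ack values the diagram shows. The addresses (192.0.2.x, the RFC 5737 documentation range), ports and initial sequence numbers are constructed values, not captured traffic.

```python
"""Added example, not from the original slides: build and parse TCP headers
and walk the three-way handshake in pure Python. Addresses (192.0.2.x, the
RFC 5737 documentation range), ports and initial sequence numbers are
constructed values, not captured traffic."""
import socket
import struct
from dataclasses import dataclass
from typing import FrozenSet

# Flag bits in the low byte of the "data offset / reserved / flags" word.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HEADER_FMT = "!HHIIHHHH"   # the fixed 20-byte header, no options


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int            # header length in 32-bit words (5 = 20 bytes)
    flags: FrozenSet[str]
    window: int                 # bytes the receiver is willing to accept
    checksum: int
    urgent_ptr: int


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (same as UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_header(src_port, dst_port, seq, ack, flags, *, src_ip, dst_ip,
                     window=65535, payload=b"") -> bytes:
    """Return a 20-byte TCP header (no options) with a valid checksum."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    offset_flags = (5 << 12) | flag_bits
    hdr = struct.pack(HEADER_FMT, src_port, dst_port, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, offset_flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload))
                             + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Decode the fixed part of a TCP header from the start of `segment`."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, window, csum, urg = struct.unpack(HEADER_FMT, segment[:20])
    flags = frozenset(name for name, bit in FLAGS.items() if offset_flags & bit)
    return TcpHeader(src, dst, seq, ack, offset_flags >> 12, flags, window, csum, urg)


def checksum_ok(segment: bytes, src_ip: str, dst_ip: str) -> bool:
    """With a correct checksum, the sum over pseudo-header + segment folds to 0."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def three_way_handshake(client_isn, server_isn, client=("192.0.2.1", 40000),
                        server=("192.0.2.2", 80)):
    """The three segments of a TCP open, with the seq/ack arithmetic from the slides."""
    c_ip, c_port = client
    s_ip, s_port = server
    syn = build_tcp_header(c_port, s_port, client_isn, 0, {"SYN"}, src_ip=c_ip, dst_ip=s_ip)
    syn_ack = build_tcp_header(s_port, c_port, server_isn, client_isn + 1, {"SYN", "ACK"},
                               src_ip=s_ip, dst_ip=c_ip)
    ack = build_tcp_header(c_port, s_port, client_isn + 1, server_isn + 1, {"ACK"},
                           src_ip=c_ip, dst_ip=s_ip)
    return syn, syn_ack, ack


if __name__ == "__main__":
    for seg in three_way_handshake(1000, 5000):
        h = parse_tcp_header(seg)
        print(sorted(h.flags), "seq=%d ack=%d" % (h.seq, h.ack))
```

The sequence numbers are masked to 32 bits, so an initial sequence number near 2^32 wraps correctly in the ACK field; the checksum check also shows why a segment is only valid for the address pair it was built for.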

Private IP subnets used in NAT (RFC 1918)
10.0.0.0/8: UCF uses this large subnet. Many global IPs <-> this 2^24-address space.
192.168.0.0/16: home WiFi and WiFi hotspots use this block. A home WiFi router typically uses 192.168.0.0/24 or 192.168.1.0/24: a single global IP <-> a 256-address space.
172.16.0.0/12: not widely used.
These addresses are not routed on the public Internet, so scanning them only makes sense from inside the NAT.

TCP-based Scans
TCP connect scan: completes the full three-way handshake with connect(); needs no special privileges, but the connection is visible to the application and its logs.
TCP SYN scan (half-open scan): sends only the SYN and never completes the handshake. Open port: SYN/ACK comes back (the scanner answers with RST). Closed port: RST/ACK comes back. No reply or an ICMP unreachable: filtered.
TCP FIN scan, TCP NULL scan (no flags set), TCP XMAS tree scan (FIN, PSH and URG set in nmap; some tools set every flag): these rely on the RFC 793 rule that a closed port answers an unexpected segment with RST while an open port ignores it, so silence means open|filtered. Windows and many network devices send RST regardless of port state, so against them every port looks closed.
TCP ACK scan: never reports open ports; it tells filtered (no reply) from unfiltered (RST) to map a stateless firewall's rules.

Background: Port Status
A port can be:
Closed (not in use): the target answers the probe with RST.
Open (listening): the target answers with SYN/ACK and the connection can be completed.
Filtered: the scanner asked for an open/closed verdict and got no reply (or an ICMP unreachable), usually because a firewall dropped the probe.

Port Scanning Tool: Nmap
Included in Kali Linux
nmap -sT 192.168.0.101
A default scan covers the 1000 most common TCP ports. Run as root, nmap defaults to the SYN scan (-sS); as an unprivileged user it falls back to the connect scan (-sT).
For safety, try nmap only on your own VMs in the same LAN, such as the Metasploitable VM.

Nmap Command Options
-sT: TCP connect scan
-sS: TCP SYN scan
-sA: TCP ACK scan
-sF: TCP FIN scan
-sX: XMAS tree scan
-sN: NULL scan
-sP: ping scan (host discovery only; newer nmap versions spell this -sn)
-sU: UDP scan
-sO: IP protocol scan
A good online tutorial: https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

Nmap Target Selection
Scan a single IP: nmap 192.168.1.1
Scan a host by name: nmap www.testhostname.com
Scan a range of IPs: nmap 192.168.1.1-20
Scan a subnet: nmap 192.168.1.0/24
Scan targets from a text file: nmap -iL list-of-ips.txt (one target per line)

Nmap Port Selection
Scan a single port: nmap -p 22 192.168.1.1
Scan a range of ports: nmap -p 1-100 192.168.1.1
Scan the 100 most common ports (fast): nmap -F 192.168.1.1
Scan all 65535 ports: nmap -p- 192.168.1.1
Be careful with the last one: it generates a large amount of scanning traffic, and against a whole subnet the probe count is hosts multiplied by ports.
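
The target and port specifications on the two slides above, expanded the way nmap expands them before scanning, as an added example (not code from the original slides or from nmap itself). It supports the forms the slides show: a single address or hostname, a range in the last octet, a CIDR block, a -p list with ranges, -p- for every port, and an -iL style list. Every input string is a constructed example; the comment-skipping in read_target_list is this example's own convenience, not a documented nmap behaviour.

```python
"""Added example, not from the original slides or from nmap itself: expand
nmap-style target and port specifications into explicit lists, which is
what nmap does internally before it starts probing. Every input string
below is a constructed example."""
import ipaddress
from typing import Iterable, List


def expand_target(spec: str) -> List[str]:
    """Expand one target specification into a list of addresses/names.

    Supported forms (the nmap syntax shown in the slides):
      192.168.1.1           single address
      192.168.1.1-20        range in the last octet (nmap also allows ranges
                            in other octets; not handled here)
      192.168.1.0/24        CIDR block; like nmap, the network and broadcast
                            addresses are included, so /24 yields 256 targets
      www.testhostname.com  hostname, returned unchanged for DNS resolution
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    head, dot, tail = spec.rpartition(".")
    if dot and "-" in tail:
        lo, _, hi = tail.partition("-")
        if lo.isdigit() and hi.isdigit():
            ipaddress.ip_address("%s.%s" % (head, lo))   # validates the prefix
            lo_i, hi_i = int(lo), int(hi)
            if not 0 <= lo_i <= hi_i <= 255:
                raise ValueError("bad octet range: %s" % spec)
            return ["%s.%d" % (head, i) for i in range(lo_i, hi_i + 1)]
    return [spec]


def expand_ports(spec: str) -> List[int]:
    """Expand an nmap -p argument: '22', '1-100', '123,161,162', or '-' for
    every port (1-65535, the same as -p-)."""
    if spec.strip() == "-":
        return list(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo_i = int(lo) if lo else 1
            hi_i = int(hi) if hi else 65535
        else:
            lo_i = hi_i = int(part)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError("bad port range: %s" % part)
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


def read_target_list(lines: Iterable[str]) -> List[str]:
    """-iL style input, one target per line. Blank lines and '#' comments are
    skipped here as a convenience of this example, not a documented nmap
    guarantee."""
    targets: List[str] = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            targets.extend(expand_target(line))
    return targets


def probe_count(targets: List[str], ports: List[int]) -> int:
    """Number of (host, port) probes a TCP scan would send: the reason the
    slides warn about -p- against a whole subnet."""
    return len(targets) * len(ports)


if __name__ == "__main__":
    hosts = read_target_list(["192.168.1.1-20", "# lab subnet", "192.168.1.0/24"])
    print(len(hosts), "targets;", probe_count(hosts, expand_ports("-")), "probes for -p-")
```

Run it and the last line makes the traffic warning concrete: a /24 with -p- is 256 x 65535 probes before any retransmissions.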

Nmap Port Scan Types
Scan using TCP connect: nmap -sT 192.168.1.1
Scan using TCP SYN scan (the default when run as root): nmap -sS 192.168.1.1
Scan UDP ports: nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports and skip host discovery (treat the host as up even if it ignores ping): nmap -Pn -F 192.168.1.1

What NMAP Does Not Do
A plain port scan does not determine what program is listening on an open port. Whatever service nmap lists next to a port number in its default output (http, ftp, smtp, etc.) is an assumption taken from the standard port table, not an observation.
Attacker trick: run a remote-access backdoor on the port normally used by DNS (53), web (80), etc., especially since firewalls often pass traffic on those ports. Only version detection (-sV) or a banner grab reveals what is really listening.

Service and OS Detection
Detect OS and services: nmap -A 192.168.1.1 (enables OS detection, version detection, the default NSE scripts and traceroute)
Standard service detection: nmap -sV 192.168.1.1 (completes the connection to each open port, reads or provokes the first data the server sends, and matches it against nmap's probe database)
More aggressive service detection: nmap -sV --version-intensity 5 192.168.1.1 (intensity ranges from 0 to 9; the default is 7)
Lighter, banner-grab style detection: nmap -sV --version-intensity 0 192.168.1.1

Service and OS Detection
The more aggressive detection is often helpful when services run on unusual ports, because nmap then tries probes it would normally skip for that port number.
The lighter setting is much faster because it only sends the probes most likely for the port, essentially grabbing the banner of the open service instead of working through the full probe list.

Nmap Script Engine (NSE)
nmap --script banner 192.168.0.101
Sets up a TCP connection to each open port and records the first response text from the target.
nmap --script vuln 192.168.0.101
Runs the scripts in the "vuln" category, which look for known vulnerabilities. Some of them are intrusive, so run this only against machines you own or are authorized to test.
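
The connect scan, the open/closed/filtered verdicts from the port-status slide, and the banner grab behind the "what nmap does not do" and NSE banner slides, as one added example in Python (not code from the original slides or from nmap). A half-open SYN scan needs raw sockets and root and is not shown; the connect scan below is what -sT does. The fake service, its port and its "SSH-2.0-OpenSSH_7.4" banner are constructed for the demo and live on 127.0.0.1, so nothing here touches the real network.

```python
"""Added example, not from the original slides or from nmap: a minimal TCP
connect scan (what -sT does) with banner grabbing (what --script banner and a
light -sV do). The local fake service and its banner are constructed for the
demo; nothing here touches the real network."""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple


def probe_port(host: str, port: int, timeout: float = 2.0) -> Tuple[str, Optional[socket.socket]]:
    """Classify one TCP port the way a connect scan does.

    open      connect() completed the three-way handshake (socket returned)
    closed    the target answered the SYN with RST (ECONNREFUSED)
    filtered  nothing came back before the timeout, typically a firewall
              dropping the SYN; host/net unreachable errors are lumped in too
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open", s
    except ConnectionRefusedError:
        s.close()
        return "closed", None
    except OSError:              # includes socket.timeout and unreachable errors
        s.close()
        return "filtered", None


def grab_banner(sock: socket.socket, timeout: float = 2.0,
                probe: bytes = b"HEAD / HTTP/1.0\r\n\r\n") -> str:
    """Read whatever the service volunteers first (SSH, SMTP and FTP servers
    speak first). If it stays silent, send a harmless HTTP request, since
    HTTP servers wait for the client, and read the reply."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(1024)
    except OSError:
        data = b""
    if not data:
        try:
            sock.sendall(probe)
            data = sock.recv(1024)
        except OSError:
            data = b""
    return data.decode("ascii", "replace").strip()


def connect_scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, Tuple[str, str]]:
    """Scan `ports` on `host`; returns {port: (state, banner)}."""
    results = {}
    for port in ports:
        state, sock = probe_port(host, port, timeout)
        banner = ""
        if sock is not None:
            banner = grab_banner(sock, timeout)
            sock.close()
        results[port] = (state, banner)
    return results


def start_fake_service(banner: bytes, host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a real daemon: greets each client with
    `banner` and hangs up. Bound to a random high port on purpose, to mimic a
    service hiding on a non-standard port. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port(host: str = "127.0.0.1") -> int:
    """A port with nothing listening, to demonstrate the 'closed' verdict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    fake = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")   # constructed banner
    for port, (state, banner) in connect_scan("127.0.0.1", [fake, unused_port()]).items():
        print("%5d %-8s %s" % (port, state, banner or "-"))
```

The fake service sits on a random high port, so the port number tells you nothing; the banner is what says "SSH". A "filtered" verdict cannot be demonstrated on loopback, but it is exactly the timeout branch: the SYN goes out and nothing, not even an RST, comes back.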

GUI-based Nmap: Zenmap
Included in Kali Linux. Where? Application menu -> "Information Gathering..." -> Zenmap
You can download Zenmap for Windows and Mac OS as well: https://nmap.org/zenmap/

Nessus: a GUI-based Power Network Scanner
"Nessus is a proprietary vulnerability scanner which is developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment." (Wikipedia)
Download the home-only FREE version: http://www.tenable.com/products/nessus/select-your-operating-system
Request a home-only registration key: http://www.tenable.com/products/nessus-home
Tutorial on installing Nessus on Kali Linux: http://www.tenable.com/blog/installing-and-using-nessus-on-kali-linux

Install Nessus on Kali Linux
Download the free home version of Nessus for Linux (the course used version 6.5.6):
Debian 6 and 7 / Kali Linux 1, AMD64 (64-bit VM): Nessus-6.5.6-debian6_amd64.deb
Debian 6 and 7 / Kali Linux 1, i386 (32-bit VM): Nessus-6.5.6-debian6_i386.deb

Install Nessus on Kali Linux
# dpkg -i Nessus-6.5.6-debian6_amd64.deb
(For packages that exist in Kali's repositories, use "apt-get install ..." instead.)
Start the Nessus service first: # /etc/init.d/nessusd start (on a systemd-based Kali, systemctl start nessusd does the same)
The nessusd daemon then keeps running in the background.
Nessus relies on a web browser for its GUI and for remote access:
Local access: https://localhost:8834/
Remote access: https://192.168.0.3:8834/ (if the machine running nessusd has IP 192.168.0.3)

Web Browser-based GUI and Remote Access
Much recent software is implemented this way.
Pros: a user can access and drive the software remotely, and the remote user needs no client-side software installation.
Cons: the interface is limited to the graphics and interaction a browser provides, so it may not look as polished; and the tool is exposed to ordinary web-application attacks and to anyone who can reach its port, so restrict access to port 8834 and use strong credentials.

Use of Nessus
Why does Nessus run as a web server (on port 8834)? It lets other computers run Nessus scans too, by logging in remotely to the Nessus server machine.
You can install the Nessus server on Linux or Windows.
Nice video tutorial on using Nessus: https://www.youtube.com/watch?v=r_pDVhNoYr0

Use of Nessus
Assume Nessus is installed in the Kali VM; we drive it from the browser on the Win7 VM in the same LAN.
The browser's certificate warning is normal: the Nessus server ships with a self-signed certificate that no browser trusts. Accepting it is fine in a lab. On a real deployment, install a certificate issued by a CA your browsers trust; otherwise anyone on the path can impersonate the server and capture the login.

Use of Nessus
First run: set up an account by choosing a username and password.

Use of Nessus
First run, after the account is set up: enter your activation code.

Use of Nessus
The free version comes with a few predefined scan types; the grayed-out entries are only available in the commercial version.

Use of Nessus
Test of Basic Network Scan: you can scan your Kali VM or Win7 VM, but the best target is the Metasploitable VM, since it has many vulnerabilities that Nessus can discover.

Metasploitable 2 Virtual Machine
Use nmap to see what services are running on this Linux VM.
Use Nessus installed on your Kali Linux to check for known vulnerabilities on it.

Is Scanning Dangerous?
Both NMAP and NESSUS aim never to damage data. In MU's NMAP and NESSUS scanning of 13,000 connections on its network, no data has ever been lost through scanning.

Is Scanning Dangerous?
HOWEVER! NMAP and especially NESSUS can freeze scanning targets: the network application may freeze, the entire system may require a restart, and some devices such as printers or routers may reset themselves, or may not recover on their own.

Is Scanning Dangerous?
In MU's scanning, freezes are rare: about one in six hundred general-purpose systems for tests that are not explicitly dangerous.
NESSUS designates about 10% of its tests as dangerous: denial-of-service checks such as oversized data or flooding. In tests of 200 diverse systems, around one third eventually fell to a denial-of-service attack.

Is Scanning Dangerous?
A full 65,535-port TCP scan with service checks generates at least 5 MB of traffic to the target and at least 6 MB in reply. Most of this traffic is small packets, so the packet rate matters more than the bandwidth. Hence...

Is Scanning Dangerous?
Typical testing over a 10 or 100 Mbps connection will noticeably but not painfully slow target system performance for around 15 minutes. Scanning multiple targets through one network device can slow that whole subnet's performance.
NMAP and NESSUS offer options to scan slowly or aggressively (nmap's -T0 through -T5 timing templates) and to randomize the target sequence.

Safe Scans
Hence, scan critical infrastructure systems with someone ready to restart them. Performance monitoring during the scan may yield insights.
For extra safety, keep NESSUS denial-of-service tests out of the scan: the original advice was to move them out of their normal plugin directory; in current versions, disable the "Denial of Service" plugin family in the scan policy and leave "Safe checks" enabled.