
Gathering Network & Host Information: Scanning & Enumeration.


1 Gathering Network & Host Information: Scanning & Enumeration

2
- Port Scanning
- Well known ports
- http://www.t1shopper.com/tools/port-scan/
- Network Scanning
- Not designed to do testing through a firewall
- Only as smart as their database
- Vulnerability Scanning

3
1. Check for live systems
2. Check for open ports
3. Service identification
4. Banner grabbing / OS fingerprinting
5. Vulnerability scanning
6. Network diagram
7. Prepare proxies
8. Attack!

4
- Ping sweeps using an IP ping flood tool
- Pinger, Friendly Pinger, WS_Ping_Pro, AngryIP
- Detecting: use an IDS or IPS
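The slide says a ping sweep is detected with an IDS or IPS; the following added example (not from the presentation) shows the core of such a detection rule: a source that sends ICMP echo requests to many distinct hosts inside a short window is flagged. The log format, the sample lines, the threshold and the window are all constructed for illustration and would be adapted to a real firewall's log layout.

```python
"""Ping-sweep detector over constructed firewall log lines.

Added example: flags a source that sends ICMP echo requests (type 8) to
many distinct hosts within a short window, the footprint a ping sweep
leaves in perimeter logs. The log layout below is a constructed,
simplified one; adapt LINE_RE to your own firewall's format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed field layout:
# <timestamp> <action> ICMP type=<n> code=<n> src=<ip> dst=<ip>
SAMPLE_LOG = """\
2024-01-15T10:00:00 ALLOW ICMP type=8 code=0 src=10.0.0.5 dst=192.0.2.1
2024-01-15T10:00:00 ALLOW ICMP type=8 code=0 src=10.0.0.5 dst=192.0.2.2
2024-01-15T10:00:01 ALLOW ICMP type=8 code=0 src=10.0.0.5 dst=192.0.2.3
2024-01-15T10:00:01 ALLOW ICMP type=8 code=0 src=10.0.0.5 dst=192.0.2.4
2024-01-15T10:00:02 ALLOW ICMP type=8 code=0 src=10.0.0.5 dst=192.0.2.5
2024-01-15T10:00:02 ALLOW ICMP type=8 code=0 src=10.0.0.5 dst=192.0.2.6
2024-01-15T10:00:03 ALLOW ICMP type=0 code=0 src=192.0.2.1 dst=10.0.0.5
2024-01-15T10:00:30 ALLOW ICMP type=8 code=0 src=10.0.0.9 dst=192.0.2.7
2024-01-15T10:05:00 ALLOW ICMP type=8 code=0 src=10.0.0.9 dst=192.0.2.8
2024-01-15T10:09:00 ALLOW ICMP type=8 code=0 src=10.0.0.9 dst=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ICMP type=(?P<type>\d+) code=\d+ "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def detect_ping_sweeps(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: max distinct destinations} for every source whose echo
    requests reached at least `threshold` distinct hosts within `window`."""
    recent = defaultdict(deque)   # per source: (timestamp, dst) inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("type") != "8":      # echo requests only; replies ignored
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        src, dst = m.group("src"), m.group("dst")
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:       # slide the window forward
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, count in detect_ping_sweeps(SAMPLE_LOG).items():
        print("possible ping sweep from %s: %d hosts probed" % (src, count))
```

Counting distinct destinations per source, rather than raw packet counts, is what separates a sweep from a single host being pinged repeatedly; the slow source 10.0.0.9 in the sample stays below the threshold because its probes fall outside the window.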

5 nmap: free; open source (Zenmap: GUI)
- Ping sweeps: sends ICMP ECHO_REQUEST & TCP ACK
- Port scanning, service identification, IP address & OS detection
- Port states: Open, Closed, Unfiltered
- http://www.youtube.com/watch?v=4WuglJA9H6o
- http://www.youtube.com/watch?v=XaCzpqIU5-A (10 min)
- www.nmap.org
- Fport: identify unknown open ports and their associated applications

6 lsof (list open files): Linux command; reports a list of all open files and the processes that opened them
- Switches:
- -i: display the list of all network sockets
- -r: display the routing table
- -g: display multicast group membership information for IPv4 and IPv6
- -i: display a table of all network interfaces

7 Netstat: displays protocol-related statistics and the state of current TCP/IP connections
- Switches:
- -a: show both listening and non-listening sockets
- -an: report in numerical form
- -l: show only listening sockets
- -c: print routing information from the route cache
- -s: display summary statistics for each protocol
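A defender uses the same netstat output to keep an inventory of what a host is actually listening on. The added example below (not from the presentation) parses constructed `netstat -an` output in the Linux column layout, keeps TCP sockets in LISTEN state plus every bound UDP socket, and reports anything missing from an expected-services baseline; the sample output and the baseline are both constructed.

```python
"""Listening-socket inventory from `netstat -an` output.

Added example: parses constructed netstat output, extracts the sockets that
accept traffic, and flags listeners not in an expected-services baseline."""
import re

# Constructed `netstat -an` output (Linux column layout), not from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0     52 10.0.0.12:22            10.0.0.5:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Hypothetical baseline: (proto, port) pairs this host is expected to serve.
BASELINE = {("tcp", 22), ("tcp", 80), ("tcp", 631), ("udp", 161)}

# proto, recv-q, send-q, local address, foreign address, optional state
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+(?P<state>\S+))?"
)


def parse_listening(netstat_text):
    """Return sorted (proto, port, bind_address) tuples for sockets that accept
    traffic: TCP sockets in LISTEN state and all UDP sockets (UDP has no state)."""
    result = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                              # header lines, blank lines
        proto = m.group("proto").rstrip("6")      # treat tcp6/udp6 like tcp/udp
        if proto == "tcp" and m.group("state") != "LISTEN":
            continue                              # established/closing connections
        addr, _, port = m.group("local").rpartition(":")   # handles ':::80' too
        result.append((proto, int(port), addr))
    return sorted(result)


def unexpected_listeners(netstat_text, baseline=BASELINE):
    """Listening sockets whose (proto, port) is not in the baseline."""
    return [s for s in parse_listening(netstat_text) if (s[0], s[1]) not in baseline]


if __name__ == "__main__":
    for proto, port, addr in unexpected_listeners(SAMPLE_NETSTAT):
        print("unexpected listener: %s %s:%d" % (proto, addr, port))
```

Running this periodically and diffing against the baseline turns the slide's "show listening sockets" switch into a detection: a new listener that nobody deployed is worth an investigation.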

8 nmap scan types:
- TCP Connect: -sT
- XMAS tree scan: -sX
- SYN stealth scan: -sS
- Null scan: -sN (does not work on Windows systems)
- ACK scan: -sA
- UDP scan: -sU
- Ex: scan the first 1024 ports: nmap -sU -p 1-1024
- Scan protocols in use: -vO
- Control timing: -T (Paranoid, Sneaky, Polite, Normal, Aggressive, Insane)

9
- Full / Connect: noisy; most easily caught by IDS/IPS
- SYN: half open; stealth; sends SYN, then RST
- XMAS: FIN, URG, PSH flags set; doesn't work on Windows
- FIN: FIN flag set
- NULL: no flags set; doesn't work on Windows
- IDLE: uses a spoofed IP address
- Bounce Attack scanning: connect to an FTP server and request that server to start a data transfer to the third system

10
- SYN
- ACK
- PSH: the system is forwarding the buffered data
- URG: data in the packet must be processed quickly
- FIN: data packet transaction has completed; no more transmission is required
- Uses reverse mapping: closed ports reply with RST, open ports ignore the probe
- RST: the connection is being reset
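The flag combinations in slides 9 and 10 are exactly what an IDS signature keys on. The added example below (not from the presentation) builds a minimal TCP header, decodes its flag byte, names the probe the way a detection rule would (SYN, ACK, FIN, NULL, XMAS), and models the "reverse mapping" reply rule from slide 10, including the Windows behaviour the slides mention. The header builder and all port numbers are constructed for the demonstration.

```python
"""TCP flag decoding and scan-probe classification.

Added example: decode the flag bits of a raw TCP header, classify a lone
probe segment by its flag combination, and model the reply a target stack
gives so the reverse-mapping rule (closed -> RST, open -> silence) is concrete."""
import struct

# Flag bit positions in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header; seq/ack/window/checksum zeroed."""
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 0, 0, 0)


def decode_flags(header):
    """Return the set of flag names set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    flags = header[13]
    return {name for bit, name in FLAG_NAMES.items() if flags & bit}


def classify_probe(header):
    """Name the scan type a lone probe segment corresponds to."""
    f = decode_flags(header)
    if not f:
        return "NULL scan"                    # no flags at all
    if f == {"FIN", "URG", "PSH"}:
        return "XMAS scan"                    # the slide's 'FIN, URG, PSH set'
    if f == {"SYN"}:
        return "SYN probe (connect or half-open)"
    if f == {"ACK"}:
        return "ACK scan"
    if f == {"FIN"}:
        return "FIN scan"
    return "other: " + ",".join(sorted(f))    # e.g. a normal SYN/ACK handshake reply


def expected_reply(probe, port_open, windows_stack=False):
    """Model the target's reply to a FIN/NULL/XMAS probe (reverse mapping).

    RFC 793 stacks answer a closed port with RST and stay silent on an open
    port; Windows stacks send RST in both cases, which is why the slides say
    FIN/NULL/XMAS scans do not work against Windows."""
    if probe not in ("FIN scan", "NULL scan", "XMAS scan"):
        raise ValueError("reverse mapping applies to FIN/NULL/XMAS probes only")
    if windows_stack:
        return "RST"
    return "no response" if port_open else "RST"


if __name__ == "__main__":
    for flags in (0, SYN, FIN | URG | PSH, ACK, FIN, SYN | ACK):
        hdr = build_tcp_header(40000, 80, flags)
        print(sorted(decode_flags(hdr)), "->", classify_probe(hdr))
```

The classifier deliberately treats a SYN+ACK as "other": in a detection context the interesting segments are the lone probes, not the handshake replies that follow them.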

11
- NetScan Tools Pro
- Hping2
- Icmpenum: enumerates networks that have blocked ICMP Echo packets but failed to block timestamp or information packets; supports spoofing and promiscuous listening for reply packets
- SNMP Scanner
- P0f: passive OS fingerprinting tool

12 NetCat (nc)
- Provides outbound and inbound connections for TCP and UDP ports.
- Provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters.
- A good port scanner.
- Contains advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of transmitted and received data.

13 NetCat (nc) common switches
- nc -d: detach Netcat from the console
- nc -l -p [port]: create a simple listening TCP port; adding -u puts it in UDP mode
- nc -e [program]: redirect stdin/stdout from a program
- nc -z: port scanning
- nc -g or nc -G: specify source routing flags
- nc -t: Telnet negotiation
- nc -w [timeout]: set a timeout before Netcat automatically quits
- nc -v: put Netcat into verbose mode

14
- Bypasses normal network detection devices
- Tools: ToneLoc, THC-Scan, PhoneSweep, TeleSweep

15 Banner Grabbing (Windows)
- "HEAD / HTTP/1.0"
- Pressing enter twice, Adam gets the following results:
  C:\> cmd
  Microsoft Windows XP [Version 5.1.2600] (C) Copyright Microsoft Corp.
  C:\>pwdump pwd.txt
- http://www.youtube.com/watch?v=1_ATtFGG2BA

16 Banner Grabbing (Linux)
- for i in `cat hostlist.txt`; do nc -q 2 -v $i 80 < request.txt; done
  [where hostlist.txt contains the list of IP addresses and request.txt is the output file]
- OS Fingerprinting
- Nmap & Queso
- Netcraft: Web site that periodically polls Web servers to determine the operating system version and the Web-server software version; its toolbar would notify the user of a phishing attack

17 Additional Tools:
- Traceroute: measuring the route path and transit times of packets across an (IP) network
- Cheops: host/network discovery functionality as well as OS detection of hosts
- NeoTrace: shows you how packets get from your computer to another computer on the Internet by displaying all nodes between your computer and the trace target

18 Anonymizers
- Linux Proxy Server (IPChains, IPTables)
- www.anonymizer.com, www.anonymize.com, www.ipriv.com, www.mutemail.com, www.rewebber.de, www.silentfurf.com, www.surfola.com
- Limitations of anonymizers: secure protocols (HTTPS), JavaScript, plugins, ActiveX controls, Java applications
- Tunneling: using a protocol for other than its intended purpose
- Ptunnel & Itunnel: use ICMP
- WinTunnel: uses TCP
- HTTPort, Tunneld, BackStealth

19 Gathering
- Usernames: hack SAM file; GetAcct
- Machine names: use null sessions
- Network resources: SuperScan
- Shares: net view command
- Services: SNMP port scanning
- Tools: PsPasswd, PsFile, UserInfo

20 "Null" user has no username/password
- C:\> net use \\192.21.7.1\IPC$ "" /u:""
- Admin SID: S-1-5-21….-500
- Guest SID: S-1-5-21…..-501
- Ports 135, 137, 139, 445
- Countermeasure:
- Disable SMB; disable TCP ports 139/445
- Edit the registry key HKLM\SYSTEM\CurrentControlSet\Control\LSA and add the value RestrictAnonymous
- http://www.youtube.com/watch?v=4S_GCSBWSCs

21
- Gathering information about hosts, routers, devices etc. by querying the Management Information Base (MIB)
- Used for remote monitoring and managing hosts, routers, and devices on a network
- SNMP version 3 provides data encryption for community strings
- http://www.youtube.com/watch?v=MWIWuqouOEE

22 Tools: SNMPUtil, IP Network Browser, snmpwalk
- snmpwalk example:
  sysDescr.0 = STRING: "SunOS zeus.net.cmu.edu 4.1.3_U1 1 sun4m"
  sysObjectID.0 = OID: enterprises.hp.nm.hpsystem.10.1.1
  sysUpTime.0 = Timeticks: (155274552) 17 days, 23:19:05
  sysContact.0 = STRING: ""
  sysName.0 = STRING: "zeus.net.cmu.edu"
  sysLocation.0 = STRING: ""
  sysServices.0 = INTEGER: 72
- Countermeasures:
- Disable the SNMP service
- Change default passwords (Public & Private)
- Implement access control list filtering

23 Tools
- Sam Spade, Host, Dis
- NSLOOKUP:
  nslookup
  > server
  > set type=any
  > ls -d
- Windows Service Identifiers: User2SID, SID2User, DumpSec, Enum

24 SOCKS: optional proxy server protocol that uses sockets to keep track of individual connections
- Port 1080
- IRC servers use TCP, hence are a frequent target
- Port Redirection: used to bypass port filtering rules at routers and firewalls
- Linux: Datapipe
- Windows: Fpipe

25 ICMP message types
- 0 Echo Reply
- 3 Destination Unreachable
- 8 Echo Request
- 11 Time Exceeded
- 13 Timestamp Request
- 14 Timestamp Reply
- 15 Address mask request
- 17 Information request (obsolete)
- http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

26
- ICMP TYPE 3 and CODE 13: a network administrator has prohibited communication with the server by using a firewall
- ICMP TYPE 3 and CODE 3: port unreachable message
- ICMP TYPE 3 and CODE 0: network unreachable error message
- ICMP TYPE 0 and CODE 0: ICMP echo reply message
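Reading the type/code pairs in slides 25 and 26 off the wire is a matter of decoding the 8-byte ICMP header and checking its checksum. The added example below (not from the presentation) constructs ICMP messages with a valid RFC 792 checksum, parses them back, rejects a corrupted one, and names the type/code pairs the slides discuss, so a "type 3 code 13" reply is reported as administratively prohibited. All packets are constructed in the code; nothing is sent on a network.

```python
"""ICMP header parsing with checksum verification.

Added example: decode the 8-byte ICMP header (type, code, checksum, rest of
header), verify the one's-complement checksum, and name the type/code pairs
from the slides, flagging type 3 / code 13 as a firewall prohibition."""
import struct

# Type numbers used by the slides' examples (RFC 792).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
              11: "Time Exceeded", 13: "Timestamp Request", 14: "Timestamp Reply"}
# Codes for type 3 that matter when interpreting a scan's replies.
DEST_UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable",
                      13: "communication administratively prohibited"}


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; odd trailing byte padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=0, payload=b""):
    """Construct an ICMP message with a valid checksum (constructed sample data)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet):
    """Return a dict describing the ICMP message; raise ValueError on a bad checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, rest = struct.unpack("!BBHI", packet[:8])
    # Recompute over the message with the checksum field zeroed; it must match.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmp_checksum(zeroed) != csum:
        raise ValueError("ICMP checksum mismatch")
    desc = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        desc += ": " + DEST_UNREACH_CODES.get(code, "code %d" % code)
    return {"type": icmp_type, "code": code, "description": desc,
            "filtered_by_firewall": icmp_type == 3 and code == 13}


def is_valid_icmp(packet):
    """True when the packet parses and its checksum verifies."""
    try:
        parse_icmp(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for t, c in ((3, 13), (3, 3), (3, 0), (0, 0)):
        print(parse_icmp(build_icmp(t, c))["description"])
```

Verifying the checksum before trusting the type and code keeps a damaged or truncated capture from being misread as a firewall decision; the `filtered_by_firewall` field is the slide's "administrator has prohibited communication" case made explicit.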

27 Gathering information about a remote network protected by a firewall
- Requirements:
- ICMP packets leaving the network should be allowed
- An attacker should know the IP address of a host located behind the firewall
- An attacker should know the IP address of the last known gateway before the firewall
- http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,4062.msg19362/
- http://www.techrepublic.com/article/use-firewalk-in-linuxunix-to-verify-acls-and-check-firewall-rule-sets/5055357

