Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hands-On Ethical Hacking and Network Defense

Published byRoss Matthews Modified over 8 years ago

Similar presentations

Presentation on theme: "Hands-On Ethical Hacking and Network Defense"— Presentation transcript:

1 Hands-On Ethical Hacking and Network Defense
Chapter 5 Port Scanning Last revised

2 New Tool: KonBoot Get into any account without the password
Works on Windows and Linux Link Ch 5r

3 From the Projects: UBCD
Create new administrator user on a Windows computer

4 Objectives Describe port scanning
Describe different types of port scans Describe various port-scanning tools Explain what ping sweeps are used for Explain how shell scripting is used to automate security tasks

5 Introduction to Port Scanning
Finds out which services are offered by a host Identifies vulnerabilities Open services can be used on attacks Identify a vulnerable port Launch an exploit Scan all ports when testing Not just well-known ports

6 AW Security Port Scanner
A commercial tool to identify vulnerabilities

7 Introduction to Port Scanning (continued)
Port scanning programs report Open ports Closed ports Filtered ports Best-guess assessment of which OS is running

8 Is Port Scanning Legal? The legal status of port scanning is unclear
If you have permission, it's legal If you cause damage of $5,000 or more, it may be illegal For more, see links Ch 5a and Ch 5b

9 Normal TCP Handshake After this, you are ready to send data
Client SYN  Server Client  SYN/ACK Server Client ACK  Server After this, you are ready to send data

10 SYN Port Scan Client SYN  Server Client  SYN/ACK Server Client RST  Server The server is ready, but the client decided not to complete the handshake

11 Types of Port Scans SYN scan
Stealthy scan, because session handshakes are never completed That keeps it out of some log files Three states Closed Open Filtered

12 Types of Port Scans Connect scan Completes the three-way handshake
Not stealthy--appears in log files Three states Closed Open Filtered

13 Types of Port Scans NULL scan All the packet flags are turned off
Two results: Closed ports reply with RST Open or filtered ports give no response

14 Types of Port Scans XMAS scan FIN scan FIN, PSH and URG flags are set
Works like a NULL scan – a closed port responds with an RST packet FIN scan Only FIN flag is set Closed port responds with an RST packet

15 Windows Machines NULL, XMAS and FIN scans don't work on Windows machines Win 2000 Pro and Win Server 2003 shows all ports closed Win XP Pro all ports open/filtered See the NMAP tutorial (link Ch 5c)

16 Types of Port Scans Ping scan
Simplest method sends ICMP ECHO REQUEST to the destination(s) TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap) Any response shows the target is up

17 Types of Port Scans (continued)
ACK scan Used to get information about a firewall Stateful firewalls track connection and block unsolicited ACK packets Stateless firewalls just block incoming SYN packets, so you get a RST response UDP scan Closed port responds with ICMP “Port Unreachable” message Rarely used--but much improved in latest Nmap version (2010)

18 iClicker Questions

19 If I send a SYN packet to a server, and get no response at all, what state is the target port in?
Open Closed Filtered The answer cannot be determined from the information given Q 1 of 4

20 What type of scan is this?
SYN scan Connect Scan Null Scan ACK Scan The answer cannot be determined from the information given Q 2 of 4

21 What type of scan is this?
SYN scan Connect Scan Null Scan ACK Scan The answer cannot be determined from the information given Q 3 of 4

22 This is a scan of port 4. The complete packet sequence is shown
This is a scan of port 4. The complete packet sequence is shown. What state is this port in? Open Closed Filtered The answer cannot be determined from the information given Q 4 of 4

23 Using Port-Scanning Tools
Nmap Unicornscan NetScanTools Pro 2004 Nessus and OpenVAS (the GPL-licensed fork of Nessus)

24 Nmap Originally written for Phrack magazine
One of the most popular tools GUI versions Xnmap and Ubuntu's NmapFE Open source tool Standard tool for security professionals

25 The Matrix Reloaded Trinity uses Nmap Video at link Ch 4e

26 Unicornscan Developed in 2004 for Linux & UNIX only
Ideal for large networks Scans 65,535 ports in three to seven seconds Optimizes UDP scanning Alco can use TCP, ICMP, or IP Free from (link Ch 5f)

27 NetScanTools Pro Robust easy-to-use commercial tool Runs on Windows
Types of tests Database vulnerabilities DHCP server discovery IP packets viewer Name server lookup OS fingerprinting Many more (see link Ch 5g)

28

29 Nessus First released in 1998 Free, open source tool
Uses a client/server technology Can conduct tests from different locations Can use different OSs for client and network

30 Nessus (continued) Server Client Functions much like a database server
Any *NIX platform Client Can be *NIX or Windows Functions much like a database server Ability to update security checks plug-ins Some plug-ins are considered dangerous

31

32 Nessus (continued) Finds services running on ports
Finds vulnerabilities associated with identified services

33

34 Conducting Ping Sweeps
Identify which IP addresses belong to active hosts Ping a range of IP addresses Problems Computers that are shut down cannot respond Networks may be configured to block ICMP Echo Requests Firewalls may filter out ICMP traffic

35 FPing Ping multiple IP addresses simultaneously www.fping.com/download
Command-line tool Input: multiple IP addresses To enter a range of addresses -g option Input file with addresses -f option See links Ch 5k, 5l

36

37

38 Hping Used to bypass filtering devices www.hping.org/download
Allows users to fragment and manipulate IP packets Powerful tool All security testers must be familiar with tool Supports many parameters (command options) See links Ch 5m, Ch 5n

39

40

41

42 Broadcast Addresses If you PING a broadcast address, that can create a lot of traffic Normally the broadcast address ends in 255 But if your LAN is subnetted with a subnet mask like There are other broadcast addresses ending in 63, 127, and 191

43 Smurf Attack Pinging a broadcast address on an old network resulted in a lot of ping responses So just put the victim's IP address in the "From" field The victim is attacked by a flood of pings, none of them directly from you Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks Windows XP and Ubuntu don't respond to broadcast PINGs See links Ch 5o, 5p

44 Crafting IP Packets Packet components
Source IP address Destination IP address Flags Crafting packets helps you obtain more information about a service Tools Fping Hping

45 Understanding Shell Scripting
Modify tools to better suit your needs Script Computer program that automates tasks Time-saving solution

46 Scripting Basics Similar to DOS batch programming Script or batch file
Text file Contains multiple commands Repetitive commands are good candidate for scripting Practice is the key

47

48 iClicker Questions

49 Which tool scans a target with many plug-ins and gives a comprehensive vulnerability report?
Nmap Nessus Hping Fping Shell scripting

50 Which tool gives you the most freedom to adjust a scan to meet a specific need?
Nmap Nessus Hping Fping Shell scripting

51 Which technique below sends traffic to a broadcast address?
Connect scan Null scan Nessus scan Smurf attack Ping sweep

Download ppt "Hands-On Ethical Hacking and Network Defense"

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Nmap Experiment.

Nmap Experiment.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Similar presentations

Ads by Google