CEH-Module3 - Scanning Networks

Using network scanning we identify hosts, services, protocols and ports.

TCP vs UDP

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two different transport layer protocols used for transmitting data over the internet. Here’s a brief comparison:

  1. TCP (Transmission Control Protocol):
    • Connection-oriented: Establishes a reliable connection before data exchange.
    • Reliability: Provides error checking, retransmission of lost data, and in-order delivery of packets.
    • Slower: Due to the overhead of reliability mechanisms, it can be slower for certain applications.
    • Used for: Applications that require guaranteed data delivery and error correction, such as web browsing, email, and file transfers.
  2. UDP (User Datagram Protocol):
    • Connectionless: Does not establish a connection before sending data, making it faster for some applications.
    • Unreliable: Does not guarantee delivery, error checking, or packet order.
    • Faster: Lower overhead results in faster transmission, suitable for real-time applications.
    • Used for: Real-time applications like online gaming, video streaming, VoIP, and DNS where speed is more critical than reliability.

In summary, TCP is suitable for applications that require data reliability, while UDP is preferred for applications that prioritize speed and real-time data delivery, even if some data loss is acceptable. The choice between TCP and UDP depends on the specific needs of the application.

TCP Packet Header

The TCP (Transmission Control Protocol) packet header is a crucial part of a TCP segment that contains information required for the proper transmission, management, and delivery of data over a TCP connection. Note that the source and destination IP addresses are present in the IP header, which is separate from the TCP packet header.

Here’s an overview of the fields in a TCP packet header:

  1. Source Port (16 bits): Indicates the port number of the sender’s application or service.
  2. Destination Port (16 bits): Specifies the port number of the receiver’s application or service.
  3. Sequence Number (32 bits): Used to establish the order of TCP segments and detect missing or out-of-order packets. Each byte (8 bits) of data sent is assigned its own sequence number.
  4. Acknowledgment Number (32 bits): Acknowledges the receipt of data and indicates the next expected sequence number.
  5. Data Offset (4 bits): Specifies the length of the TCP header in 32-bit words to determine where the data begins.
  6. Reserved (6 bits): Reserved for future use and must be set to zero.
  7. Flags (6 bits): These include various control flags:
    • URG (Urgent): Indicates urgent data in the segment.
    • ACK (Acknowledgment): Confirms the acknowledgment number field is valid.
    • PSH (Push): Urges the receiver to push data to the application.
    • RST (Reset): Resets the connection.
    • SYN (Synchronize): Initiates a connection.
    • FIN (Finish): Initiates the connection termination.
  8. Window Size (16 bits): Specifies the size of the receiver’s advertised window, indicating how much more data it can accept without overflowing its buffer.
  9. Checksum (16 bits): Used for error checking and ensuring the integrity of the TCP segment.
  10. Urgent Pointer (16 bits): Points to the urgent data if the URG flag is set.
  11. Options (variable length, if Data Offset > 5): Optional fields that can include various control parameters or extended information. Common options include Maximum Segment Size (MSS) and Timestamps.
  12. Data (variable length): Contains the actual application data to be transmitted.

The maximum size of a TCP packet, including the TCP header and the data payload, is 65,535 bytes. This includes a 20-byte TCP header and up to 65,515 bytes of data.

The TCP header provides critical information for establishing, managing, and terminating connections, ensuring data reliability, and handling various control aspects of data transmission. The combination of these fields allows TCP to provide a reliable and ordered data transfer service over the internet.

The Source MAC (Media Access Control) address and Destination MAC address are not actually part of the TCP packet header. They are part of the Ethernet frame header, which is a layer 2 protocol that encapsulates the TCP packet.

The Ethernet frame header contains the following fields:

  • Destination MAC address (6 bytes)
  • Source MAC address (6 bytes)
  • EtherType (2 bytes) - indicates the protocol of the payload (in this case IP, which in turn carries the TCP segment)
  • Payload (variable length) - contains the TCP packet
  • Frame Check Sequence (FCS) (4 bytes) - error-checking data

The TCP packet header, which is listed above, is contained within the payload of the Ethernet frame. So, the MAC addresses are not part of the TCP packet header, but rather part of the surrounding Ethernet frame header.

+---------------+---------------+
|  Destination  |  Source      |
|  MAC Address  |  MAC Address  |
|  (6 bytes)    |  (6 bytes)    |
+---------------+---------------+
|  EtherType    |               |
|  (2 bytes)    |               |
+---------------+---------------+
|               |               |
|  TCP Packet   |               |
|  Header       |               |
|  +-----------+-----------+  |
|  |  Source    |  Destination  |
|  |  Port      |  Port        |
|  |  (16 bits) |  (16 bits)   |
|  +-----------+-----------+  |
|  |  Sequence  |  Acknowledgment|
|  |  Number    |  Number      |
|  |  (32 bits) |  (32 bits)   |
|  +-----------+-----------+  |
|  |  Data Offset|  Reserved    |
|  |  (4 bits)  |  (3 bits)    |
|  +-----------+-----------+  |
|  |  Flags      |  Window      |
|  |  (6 bits)  |  (16 bits)   |
|  +-----------+-----------+  |
|  |  Checksum  |  Urgent Pointer|
|  |  (16 bits) |  (16 bits)   |
|  +-----------+-----------+  |
|               |               |
|  TCP Payload  |               |
|  (variable    |               |
|   length)     |               |
|               |               |
+---------------+---------------+
|  Frame Check  |               |
|  Sequence     |               |
|  (FCS)        |               |
|  (4 bytes)    |               |
+---------------+---------------+
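The layering described above (MAC addresses in the Ethernet header, IP addresses and TTL in the IP header, ports, sequence numbers, flags and options in the TCP header) can be walked with a small parser. The following is an added example, not code from these notes; it decodes a constructed Ethernet/IPv4/TCP SYN frame (the addresses, ports and MSS value are made up for illustration) and also verifies the TCP checksum over the pseudo-header.

```python
import struct
from dataclasses import dataclass

# TCP flag bits in the header's flags byte (RFC 793 plus the ECN bits of RFC 3168).
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in 32-bit words (5 = 20 bytes, no options)
    flags: list
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes
    payload: bytes


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by both the IP and the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the pseudo-header (addresses, protocol, length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum field counted as zero
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header, then split off options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum 20-byte TCP header")
    (src, dst, seq, ack, off_res, flag_bits,
     win, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = off_res >> 4                 # upper 4 bits; the lower bits are reserved
    hlen = data_offset * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("invalid data offset %d" % data_offset)
    flags = [name for name, bit in TCP_FLAGS.items() if flag_bits & bit]
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win, csum, urg,
                     segment[20:hlen], segment[hlen:])


def parse_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> TCP. MACs come from the Ethernet header, IPs and TTL from the IP header."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("EtherType 0x%04x is not IPv4" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _id, _frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    segment = ip[ihl:total_len]
    tcp = parse_tcp(segment)
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl, "tcp": tcp,
        "checksum_ok": tcp.checksum == tcp_checksum(src_ip, dst_ip, segment),
    }


def build_sample_syn_frame() -> bytes:
    """Constructed sample (not captured traffic): a SYN to port 80 carrying an MSS=1460 option."""
    src_ip, dst_ip = bytes([10, 10, 1, 11]), bytes([10, 10, 1, 12])
    options = struct.pack("!BBH", 2, 4, 1460)        # kind 2 = MSS, length 4, value
    data_offset = (20 + len(options)) // 4            # 24 bytes -> 6 words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, data_offset << 4,
                      TCP_FLAGS["SYN"], 64240, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"),
                      bytes.fromhex("001122334455"), ETHERTYPE_IPV4)
    return eth + ip + tcp


if __name__ == "__main__":
    print(parse_frame(build_sample_syn_frame()))
```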

TCP communication flags: URG, FIN, RST, PSH, ACK, SYN

TCP (Transmission Control Protocol) uses various flags in its header to control and manage communication. Here are the key TCP communication flags:

SYN (Synchronize):

  • Sent by the initiating party to establish a connection.
  • It requests the other party to synchronize sequence numbers for communication initiation.

ACK (Acknowledgment):

  • Sent to acknowledge the receipt of data and confirm successful communication.
  • It is used in conjunction with other flags to indicate various stages of the connection.

FIN (Finish):

  • Sent to initiate the graceful termination of a connection.
  • It signals that the sender has finished sending data and wants to close the connection.

RST (Reset):

  • Sent to abort an established connection or indicate an error.
  • It is used when there is an issue, and the connection needs to be forcibly reset.

PSH (Push):

  • Indicates that the sending side wants to push data to the receiving application immediately, bypassing buffering.

URG (Urgent):

  • Used to indicate that certain data in the packet is urgent and requires immediate attention.

ECE (Explicit Congestion Notification Echo):

  • It is used in conjunction with the CWR (Congestion Window Reduced) flag to indicate congestion in the network.

CWR (Congestion Window Reduced):

  • Signifies that the sender has reduced its congestion window due to congestion in the network.

These flags are set in the TCP header to manage the various aspects of a TCP connection, including initiation, data transfer, and termination, as well as handling congestion and errors during communication. The combination of these flags helps ensure the reliable and orderly transmission of data over a TCP connection.

3 way handshake

TCP session establishment is a three way handshake.

  • Client Sends SYN: The client (initiator) sends a TCP packet with the SYN (synchronize) flag set to the server, indicating it wants to establish a connection.

  • Server Responds with SYN-ACK: The server acknowledges the client’s request by sending a TCP packet with both the SYN and ACK flags set. It also includes a sequence number for tracking.

  • Client Sends ACK: The client acknowledges the server’s response by sending a TCP packet with the ACK flag set. This packet also contains an incremented sequence number.

Now, the connection is established, and both parties know that they are ready to exchange data. This process ensures a reliable and orderly beginning to their communication.

Each ACK acknowledges the SYN sent by the other party. The connection remains established until an RST or a FIN is sent. When probing a port, an RST reply means the port is closed, a SYN/ACK reply means the port is open, and no response means the host is down or the port is filtered.

4 way handshake

The 4-way handshake is a process that comes into play when terminating a TCP connection. Here’s how it works:

  • Initiator Sends FIN (1st FIN): The client or initiator, when done sending data, sends a TCP packet with the FIN (finish) flag set to the server, indicating it wants to close the connection for sending data.
  • Server Acknowledges (1st ACK): The server acknowledges the client’s request with a TCP packet containing the ACK flag. At this point, the server can still send data to the client.
  • Server Sends FIN (2nd FIN): Once the server is also done sending data, it sends a TCP packet with the FIN flag to the client.
  • Client Acknowledges (2nd ACK): The client acknowledges the server’s request, and the connection is fully terminated. This 4-way handshake ensures a graceful closure of the connection, allowing both parties to finish any remaining data exchanges before fully ending the connection.

Network Mapper (nmap)

Nmap, short for “Network Mapper,” is a popular open-source network scanning tool used for discovering and mapping network hosts and services. It is a powerful utility that allows network administrators and security professionals to assess the security and configuration of networked devices. Nmap can be run on various operating systems, including Linux, Windows, and macOS.

Nmap is known for its flexibility and wide range of features, and it can be used for a variety of purposes, including network reconnaissance, vulnerability assessment, and network inventory.

Here are some of the most commonly used parameters and options in Nmap:

Basic Usage: The basic syntax of Nmap is as follows: nmap [scan type] [options] target

  • [scan type]: Specifies the type of scan to perform, such as TCP connect scan, SYN scan, or UDP scan.
  • [options]: Various command-line options to customize the scan.
  • target: Specifies the target host or network to scan.

Common Scan Types:

NMAP Scanning types explained. Here are some of the common types of Nmap scans:

  1. TCP Connect Scan (-sT): This is the most basic type of scan where Nmap attempts to establish a full TCP connection with the target ports. It’s straightforward but easily detectable.
  2. Syn Scan (Half-open Scan) (-sS): This scan is more stealthy than a TCP Connect Scan because it doesn’t complete the full connection handshake. Instead, it sends SYN packets and listens for SYN/ACK responses, identifying open ports without completing the connection. IDS can detect this scan these days.
  3. UDP Scan (-sU): UDP Scan is used to identify open UDP ports on a target system. Since UDP is connectionless, this scan sends UDP packets to various ports and analyzes the responses, if any. The UDP scan uses UDP protocol instead of the TCP. There is no three-way handshake for the UDP scan. It sends UDP packets to the target host; no response means that the port is open. If the port is closed, an ICMP port unreachable message is received.
  4. Acknowledgment Scan (-sA): This scan type is also known as the “Firewall Evasion Scan” as it sends ACK packets to determine the state of ports. It doesn’t establish a full connection, so it can bypass certain firewall rules. The ACK scan in Nmap doesn’t perform traditional port scanning like other types, such as SYN or TCP connect scans. Instead, it sends ACK (acknowledgment) packets to determine how a firewall or filtering system responds to them. It’s mainly used to detect the state of the firewall, filtering rules, or to bypass certain filtering devices by interpreting their responses. The ACK flag probe scan sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (stateful firewall is present), and an RST response means that the port is not filtered.
  5. Fin Scan (-sF), Null Scan (-sN): These scans exploit different TCP flag settings (only FIN for the FIN scan, no flags at all for the Null scan, and FIN/URG/PSH for the Xmas scan described next) to determine port states. They rely on the fact that some systems respond differently to improperly formed TCP packets. These scans do not work on Windows systems: Windows replies with an RST whether the port is open or closed.
  6. Xmas Tree scan (-sX): The Xmas scan sends a TCP frame to a target system with the FIN, URG, and PSH flags set. If the port is open, you will receive no response from the target system. If the port is closed, the target system replies with an RST.
  7. Version Detection (-sV): This scan type aims to determine service and application versions running on open ports. It sends additional probes to identify the application protocol and version running on the discovered ports.
  8. OS Detection (-O): This scan is used to determine the operating system running on the target host by analyzing various network characteristics and responses.
  9. Script Scanning (-sC): Nmap offers a collection of scripts that can be executed with the -sC option to perform a variety of tasks such as vulnerability detection, service enumeration, or extracting information.
  10. Maimon Scan (-sM): The Maimon scan, also known as the Maimon method, is a stealthy scanning technique that aims to evade detection by security devices like intrusion detection systems (IDS) or firewalls. This technique is designed to identify open ports on a target system without triggering alarms or detection mechanisms that might be in place. The Maimon scan works by sending specially crafted packets that manipulate the TCP Initial Sequence Number (ISN). Traditional scans typically involve sending SYN packets to initiate a connection and determining the port’s state based on the response. However, the Maimon scan manipulates the sequence numbers in a way that makes it more difficult for security systems to detect it as a scan.

ACK, Maimon and Xmas scans are used to test whether a firewall is enabled and how it responds, not for port scanning.

Each type of scan has its advantages and drawbacks, and the choice of scan type depends on the goal of the assessment and the network environment. It’s important to use these tools responsibly and ethically, as scanning networks without proper authorization is illegal and unethical.
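The flag combinations and reply rules listed above are also what a defender keys on. The following is an added example (not code from these notes) written from the monitoring side: it names the probe type from the flags of an unsolicited inbound segment, reads the port state the way the scan types above would, and raises an alert for a source that touches many ports or sends flag combinations that never occur in a normal handshake. The records and addresses are constructed for illustration; the thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Flag combinations the notes describe for each probe type (Maimon = FIN/ACK).
PROBE_SIGNATURES = {
    frozenset(): "NULL",
    frozenset({"SYN"}): "SYN",
    frozenset({"ACK"}): "ACK",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "XMAS",
    frozenset({"FIN", "ACK"}): "MAIMON",
}
ABNORMAL_PROBES = {"NULL", "FIN", "XMAS", "MAIMON"}   # never the first segment of a real connection


def classify_probe(flags) -> str:
    """Name the probe type from the TCP flags of an unsolicited inbound segment."""
    return PROBE_SIGNATURES.get(frozenset(flags), "OTHER")


def infer_port_state(probe: str, response) -> str:
    """Port state as the scanner would read it from the reply.

    response is the set of flags in the TCP reply, the string "ICMP_UNREACH"
    for an ICMP port-unreachable message, or None when nothing came back.
    """
    reply = frozenset(response) if isinstance(response, (set, frozenset, list)) else response
    if probe == "SYN":
        if reply == frozenset({"SYN", "ACK"}):
            return "open"
        return "closed" if reply and "RST" in reply else "filtered"
    if probe == "ACK":
        # An RST from either an open or a closed port only proves no stateful filter is in the way.
        return "unfiltered" if reply and "RST" in reply else "filtered"
    if probe in ABNORMAL_PROBES:
        # Windows answers RST regardless of port state, so "closed" is unreliable there.
        return "closed" if reply and "RST" in reply else "open|filtered"
    if probe == "UDP":
        if reply == "ICMP_UNREACH":
            return "closed"
        return "open" if reply else "open|filtered"
    return "unknown"


def detect_scanners(records, port_threshold=10, abnormal_threshold=3):
    """Flag sources that probe many ports or send abnormal flag combinations.

    records: iterable of dicts {"src", "dst", "dport", "flags"} for inbound
    segments that do not belong to an already established connection.
    """
    ports = defaultdict(set)
    abnormal = defaultdict(int)
    kinds = defaultdict(set)
    for rec in records:
        kind = classify_probe(rec["flags"])
        ports[rec["src"]].add((rec["dst"], rec["dport"]))
        kinds[rec["src"]].add(kind)
        if kind in ABNORMAL_PROBES:
            abnormal[rec["src"]] += 1
    alerts = {}
    for src, targets in ports.items():
        reasons = []
        if len(targets) >= port_threshold:
            reasons.append("%d distinct ports probed" % len(targets))
        if abnormal[src] >= abnormal_threshold:
            reasons.append("%d abnormal-flag probes: %s"
                           % (abnormal[src], ", ".join(sorted(kinds[src]))))
        if reasons:
            alerts[src] = reasons
    return alerts


# Constructed sample records (not real traffic): one host sweeping 12 ports with SYN
# probes and then sending three Xmas probes, one ordinary client opening two HTTPS connections.
SAMPLE_RECORDS = (
    [{"src": "10.10.1.11", "dst": "10.10.1.12", "dport": p, "flags": {"SYN"}}
     for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445)]
    + [{"src": "10.10.1.11", "dst": "10.10.1.12", "dport": p, "flags": {"FIN", "PSH", "URG"}}
       for p in (22, 80, 443)]
    + [{"src": "10.10.1.20", "dst": "10.10.1.12", "dport": 443, "flags": {"SYN"}},
       {"src": "10.10.1.20", "dst": "10.10.1.12", "dport": 443, "flags": {"SYN"}}]
)

if __name__ == "__main__":
    for src, reasons in detect_scanners(SAMPLE_RECORDS).items():
        print(src, "->", "; ".join(reasons))
```

An ACK-only segment is also the third packet of a legitimate handshake, so the classifier needs connection context (only unsolicited segments) before an ACK counts as a probe.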

Scan Type

You can also specify the scan type and perform the scan you need. Here, -s option is to specify the scan type:

-sS or --syn: TCP SYN scan (default)

Description: The TCP SYN scan, also known as a half-open scan, is a stealthy scanning method. It sends a TCP SYN packet to the target and listens for the response. If the port is open, the target responds with a SYN-ACK, and Nmap then sends an RST to close the connection. If the port is closed, the target responds with an RST. This technique is less likely to be logged by the target system compared to a full TCP connection. This scanning technique can be used to bypass firewall rules, logging mechanisms, and hide under network traffic.

Usage: nmap -sS [target]

-sT or --connect: TCP connect scan

Description: The TCP connect scan is the most basic form of TCP scanning. It establishes a full TCP connection to the target port and completes the three-way handshake. This method is more easily detectable by intrusion detection systems but is useful in situations where stealth is not a primary concern.

Usage: nmap -sT [target]

-sU or --udp: UDP scan

Description: This option enables UDP scanning. UDP does not have a formal “open” or “closed” state like TCP, and determining the status of UDP ports can be more challenging. Nmap sends UDP packets to the specified ports and waits for a response. Lack of response indicates that the port is potentially open, but it doesn’t guarantee it. UDP scans can be slower than TCP scans.

Usage: nmap -sU [target]

-sV or --version-intensity: Service and version detection

Description: This option probes open ports to determine the service and version information running on the target. Nmap uses various techniques, including banner grabbing, to identify the application and its version. It provides valuable information for understanding the target system’s configuration and potential vulnerabilities.

Usage: nmap -sV [target]

-sA or --ack: TCP ACK scan

Description: The TCP ACK scan is used to determine whether a firewall is present on the target. It sends TCP ACK packets to certain ports and examines the responses. A closed port will usually result in a RST response, while an open port may not generate any response. This scan is not suitable for identifying open or closed ports but can help infer the presence of filtering devices.

Usage: nmap -sA [target]

-sF or --fin: TCP FIN scan

Description: The TCP FIN scan sends TCP FIN packets to the target ports. The behavior of the target’s response can help identify whether a port is open or closed. A closed port typically responds with a RST, while an open port may ignore the FIN packet. Like other stealth scans, it is designed to avoid triggering alarms on the target system.

Usage: nmap -sF [target]

-sX or --xmas: TCP Xmas scan

Description: The Xmas scan sets specific TCP header flags in a packet to gather information about the state of ports on a target system. It sets the FIN, URG, and PSH flags in the TCP header of the packets sent to various ports. Normally, when a port is open, it should respond differently to different types of packets (e.g., SYN packets, ACK packets).

Here’s how it works:

  • If a system responds with a RST (reset) packet, it implies the port is closed.

  • If no response is received, it can mean the port is open or filtered (filtered by a firewall or other security device).

The reason behind the name “Xmas scan” is that, like a Christmas tree with its many lights, the packet used in this scan has multiple flags “lit up” in the TCP header, resembling the varied and colorful appearance of a Christmas tree.

However, the Xmas scan can be less reliable than other scans because different systems may respond differently to these packets. Some systems might respond to every packet, while others might not respond at all, making it harder to accurately interpret the results.

Moreover, modern firewalls and intrusion detection systems are often configured to detect and block abnormal or suspicious traffic patterns, including those generated by scans like the Xmas scan. Consequently, the effectiveness of this scan can be limited in environments with robust security measures.

When using the -sX option, if the output says open|filtered it means that a firewall is configured on the target machine.

Usage: nmap -sX [target]

-sN or --null: Null scan

Description: The Null scan is a stealthy scan that sends TCP packets with no flags set. Like other stealth scans, it aims to avoid triggering alarms. The behaviour of the target’s response helps identify whether a port is open or closed. A closed port typically responds with a RST, while an open port may not respond at all.

Usage: nmap -sN [target]

-sP: Ping scan

Description: This is a simple ping scan that checks the online status of target hosts. It doesn’t perform a port scan but rather focuses on determining which hosts are up on the network. It uses different ping methods, and you can customize the type of ping with additional options.

Usage: nmap -sP [target]

For discovery you can use -sn in combination with the ping-type options given below:

Ping Type

Ex: nmap -sn -PR TargetIP

-P specifies the ping type, and the letter that follows it determines which probe is used, so the option is always two characters: P followed by the type letter. Do not confuse it with -p, a separate parameter used to specify port numbers.

-PI: Ping type for discovery

Description: Used in combination with -sn for host discovery. It specifies the type of ping to use. In this case, -PI indicates ICMP ping (P for ping type, I for ICMP). Example: nmap -sn -PI [target]

-PR, -PU, -PE, -PP, -PM: Additional ping types for discovery

Description: These options are used in combination with -sn for host discovery, each specifying a different type of ping. -PR is ARP, -PU is UDP, -PE is Echo, -PP is Timestamp, and -PM is Netmask. Example: nmap -sn -PR [target]

-PR - ARP

-PU - UDP - The UDP ping scan sends UDP packets to the target host; a UDP response means that the host is active. If the target host is offline or unreachable, various error messages such as “host/network unreachable” or “TTL exceeded” could be returned.

-Pn: Treat all hosts as online - skip host discovery

-PE - ICMP Echo

The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the target host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if the ICMP is passing through a firewall.

-PP - Timestamp

ICMP timestamp ping is an optional, additional type of ICMP ping in which a timestamp request is sent to the target host to obtain its current time; a reply shows the host is alive.

-PM - Netmask

-PS - SYN ping - ACK response if host is active. No response if host is inactive.

-PA - ACK ping - RST response if host is active and no response if host is inactive.

-PO - protocol ping - any response if host is active and no response if host is inactive.

-v - increase verbosity level.

-g - source port manipulation (you can also use the --source-port option)

-f - split the IP packet into tiny fragment packets.

Multiple options can be combined: nmap -sn -PE targetip runs no port scan but only an ICMP echo sweep, and nmap -sn -PR targetip runs no port scan but only an ARP sweep.

Scan Type VS Ping Type

The difference between scan type and ping type is

  • Ping types in Nmap determine how the tool discovers whether a target is active or not before initiating the actual scanning process. These methods help determine if a host is reachable and responsive.

  • Scan types in Nmap define how the tool interacts with the target(s) and what information it seeks to gather. Different scan types provide varying levels of detail and speed.

Apart from the aforementioned network scanning techniques, you can also use the following scanning techniques to perform a host discovery on a target network.

ICMP Address Mask Ping Scan: This technique is an alternative to the traditional ICMP ECHO ping scan and is used to determine whether the target host is live, specifically when administrators block ICMP ECHO pings.

nmap -sn -PM [target IP address]

TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target host, ACK response means that the host is active.

nmap -sn -PS [target IP address]

TCP ACK Ping Scan: This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.

nmap -sn -PA [target IP address]

IP Protocol Ping Scan: This technique sends different probe packets of different IP protocols to the target host, any response from any probe indicates that a host is active.

nmap -sn -PO [target IP address]

IDLE/IPID Header Scan: A TCP port scan method that uses a spoofed source address to discover which services are available on a target. The attacker picks an idle host (a zombie, for example a printer) and sends probes to the target spoofed from the zombie’s address. If the target port is open, the target replies to the zombie and the zombie’s IP ID value increases; when the attacker then probes the zombie directly, the IP ID increases again, so an increase of two indicates the port is open. If the target port is closed, the zombie’s IP ID does not increase twice, which tells the attacker the port is closed.

nmap -sI -v [target IP address]

SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT Chunk response means that the port is closed.

nmap -sY -v [target IP address]

SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open and ABORT Chunk response means that the port is closed.

nmap -sZ -v [target IP address]

Timing Options:

  • -T<0-5>: Timing templates (0 = paranoid, 5 = insane).
  • --max-rtt-timeout: Maximum RTT timeout.
  • --initial-rtt-timeout: Initial RTT timeout.
[Image: Nmap timing options table. Source: Anastasis Vasileiadis LinkedIn post]

Nmap Timing Options Explained

In Nmap, the -T (timing) options allow users to adjust the speed and aggressiveness of the scan. These options affect the timing and performance of the scan, determining how fast Nmap sends packets and how long it waits for responses. The -T option ranges from -T0 to -T5, with -T5 being the fastest and most aggressive.

Here’s a breakdown of the different timing options:

  • T0: This is the slowest timing option, designed to be very stealthy and take a lot of time. It performs minimal timing calculations and increases the delays between probes significantly. It’s useful for evading intrusion detection systems or when scanning very unreliable networks.
  • T1: This is the default timing option and balances speed with accuracy. It performs basic timing calculations and waits for responses before sending the next probe. It’s suitable for most situations and networks.
  • T2: This is slightly faster than the default timing and may increase the aggressiveness of the scan. It reduces the delays between probes compared to -T1.
  • T3: This option is more aggressive, sending probes more quickly and decreasing the time Nmap waits for responses. It might cause more impact on the network and systems being scanned.
  • T4: This is a significantly more aggressive timing option, sending probes very quickly and decreasing the timeouts even further. It’s faster but more likely to be detected by intrusion detection systems or firewalls.
  • T5: This is the fastest and most aggressive timing option, sending probes at a very high rate and using minimal timeouts. It’s the quickest option but also the most likely to cause network disturbances or be flagged by security measures.

Other Nmap command details:

  1. Output Options:
    • -oN: Normal output format.
    • -oX: XML output.
    • -oG: Grepable output.
    • -oA: All formats (normal, XML, and grepable).
  2. Host Specification:
    • -iL <file>: Input from a list of hosts/networks.
    • --exclude <hosts>: Exclude hosts from the scan.
  3. Scripting Engine:
    • --script: Execute NSE scripts.
  4. Operating System Detection:
    • -O: OS detection.
  5. Firewall Evasion:
    • --source-port: Use a different source port.
    • --data-length: Append random data to packets.
  6. Aggressive Scanning:
    • -A: Aggressive scan options. It performs OS detection, version detection, script scanning and traceroute.
  7. Service and Version Detection:
    • -sV: Probe open ports to determine service and version information.
  8. Custom Port Ranges:
    • -p <port1,port2,etc>: Specify custom port ranges.
  9. Scan Multiple Targets:
    • You can specify multiple targets separated by spaces or use CIDR notation for entire networks.

Full list of all parameters is given here: https://nmap.org/book/man-briefoptions.html

Use -sU to scan UDP ports as well. UDP services listen on different ports than TCP services, so you should scan them too.

If you do not specify ports, nmap scans the top 1000 most used ports. This is not ports 0-999: the 1000 ports are not sequential but are chosen by how commonly they are used, for example 25, 80, 135, 139, 1025, 1028, 3372, 6666 and so on.

In Nmap, the parameter for an aggressive scan is “-A” and for an ACK scan, the parameter is “-sA”.

Subnet scan with NMap

Using Nmap or Zenmap you can also scan a whole subnet: nmap -A 10.10.1.* Here, * means it scans the whole subnet.

Identifying Target OS

nmap --script smb-os-discovery targetIP

-O parameter gives a general OS type but the smb-os-discovery script gives the more accurate OS details.

Scanning tools

Hping3

Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. Using Hping, you can study the behavior of an idle host and gain information about the target such as the services that the host offers, the ports supporting the services, and the OS of the target.

hping3 -A TargetIP - sends packets with the ACK flag set to the target IP.

hping3 -A IPAddress -p 80 -c 5 - Here -A specifies setting the ACK flag, -p specifies the port to be scanned (here, 80), and -c specifies the packet count (here, 5). You will see the response in the output if the port is open.

Similarly you can send reset, syn, full tcp, fin, push, urgent parameters in hping3.

hping3 -8 1-100 192.168.80.4 -V - In this command, -8 selects scan mode, the argument that follows it (here, 1-100) is the range of ports to be scanned, and -V specifies verbose mode.

hping3 -F -P -U targetip -p 80 -c 5 In this command, -F specifies setting the FIN flag, -P specifies setting the PUSH flag, -U specifies setting the URG flag, -c specifies the packet count (here, 5), and -p specifies the port to be scanned (here, 80).

hping3 --scan 0-100 -S targetip - In this command, --scan specifies the port range to scan, 0-100 specifies the range of ports to be scanned, and -S specifies setting the SYN flag.

You can also use other ping sweep tools such as Angry ip scanner, SolarWinds Engineer’s Toolset, NetScanTools Pro, Colasoft Ping Tool, Visual Ping Tester, and OpUtils to discover active hosts in the target network.

MegaPing and NetScanTools Pro are other port scanner tools for Windows.

SX Tool

The sx tool is a Linux-based command-line network scanner that can be used to perform ARP scans, ICMP scans, TCP SYN scans, UDP scans and application scans such as SOCKS5 scan, Docker scan and Elasticsearch scan.

Ex: sx arp 10.10.1.0/24

sx arp 10.10.1.0/24 --json | tee arp.cache

Format: cat filename | sx tcp --json -p portnumber targetip

cat arp.cache | sx udp --json -p 53 192.168.80.6

cat arp.cache | sx tcp -p 1-65535 10.10.1.11

cat arp.cache | sx udp --json -p 53 10.10.1.11

Host discovery techniques

Ping sweep - it can be an ARP, UDP, ICMP, TCP or IP protocol ping scan.

Address Resolution Protocol

ARP, which stands for Address Resolution Protocol, is a fundamental networking protocol used to map an IP address to a physical (MAC) address on a local network. It is essential for communication between devices on the same network segment. Here is how ARP works:

  1. Problem: In local area networks (LANs), devices communicate using their IP addresses. However, devices also have unique physical MAC addresses. To send data from one device to another on the same network, a device needs to know the recipient’s MAC address.
  2. ARP Request: When a device (the sender) needs to send data to another device on the same local network, it first checks its ARP cache (a table that maps IP addresses to MAC addresses). If the MAC address is not in the cache, the sender sends out an ARP request broadcast message to the entire network, asking, “Who has this IP address?”
  3. ARP Reply: The device that holds the IP address mentioned in the ARP request replies with its MAC address. This reply is sent directly to the requesting device.
  4. ARP Cache: The requesting device updates its ARP cache with the received MAC address, associating it with the IP address, so it doesn’t need to perform ARP again for that IP in the near future.

ARP scanning requires you to be on the same subnet as the host you are scanning; otherwise it will not work. If the IP you are scanning with nmap is on the same subnet, nmap uses ARP ping by default.

TCP ping, ICMP ping and TCP SYN ping scans are the other host discovery scan types.

Banner grabbing, or OS fingerprinting, is a method used to determine the OS that is running on a remote target system.

nmap -O targetip gives you OS details; you can also use nmap --script smb-os-discovery targetip for OS version details.

There are two types of OS discovery or banner grabbing techniques:

  • Active Banner Grabbing: Specially crafted packets are sent to the remote OS, and the responses are noted, which are then compared with a database to determine the OS. Responses from different OSes vary, because of differences in the TCP/IP stack implementation.

  • Passive Banner Grabbing: This depends on the differential implementation of the stack and the various ways an OS responds to packets. Passive banner grabbing includes banner grabbing from error messages, sniffing the network traffic, and banner grabbing from page extensions.

Parameters such as the TTL (in the IP header) and the TCP window size (in the TCP header) of the first packet in a TCP session play an important role in identifying the OS running on the target machine. The TTL field determines the maximum time a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values differ between OSes: you can refer to the following table to learn the TTL values and TCP window sizes associated with various OSes.

https://www.mediafire.com/convkey/0d6b/s775vul3jprf8gz9g.jpg
TTL Values and OS types
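The TTL rounding that this passive check relies on, as an added example that is not part of the original notes: each router decrements the TTL by one, so rounding an observed TTL up to the nearest common default (64, 128 or 255) recovers the sender's starting value and the hop distance. The OS families per initial TTL are well-known defaults; the window-size hints are illustrative values assumed for this example, not the notes' table.

```python
"""Passive OS guess from the TTL and TCP window size of a captured SYN.

Added example, not from the CEH notes. Initial TTL defaults are well known
(Linux/Unix 64, Windows 128, Cisco IOS and many network devices 255). The
window-size hints are an assumption used only as a secondary signal.
"""
from dataclasses import dataclass

INITIAL_TTLS = (64, 128, 255)

# Well-known initial TTL -> OS family.
TTL_FAMILY = {
    64: "Linux/Unix-like",
    128: "Windows",
    255: "Cisco/network device or Solaris",
}

# Illustrative default window sizes (assumption, refines the guess only).
WINDOW_HINTS = {
    5840: "Linux 2.4/2.6", 14600: "Linux 3.x", 29200: "Linux 3.x/4.x",
    64240: "Linux 5.x or Windows 10", 8192: "Windows 7/2008",
    65535: "Windows XP or FreeBSD", 4128: "Cisco IOS",
}


@dataclass
class Guess:
    initial_ttl: int
    hops: int
    family: str
    window_hint: str


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common starting value.
    A captured TTL of 57 most likely started at 64 and crossed 7 hops."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    return 255


def fingerprint(observed_ttl, window_size):
    """Combine the TTL-derived family with the window-size hint."""
    start = infer_initial_ttl(observed_ttl)
    return Guess(
        initial_ttl=start,
        hops=start - observed_ttl,
        family=TTL_FAMILY[start],
        window_hint=WINDOW_HINTS.get(window_size, "unknown window size"),
    )


# Constructed sample: values a defender might read off a packet capture.
SAMPLE_SYNS = [
    {"src": "192.0.2.10", "ttl": 57, "win": 29200},    # Linux, 7 hops away
    {"src": "198.51.100.5", "ttl": 118, "win": 8192},  # Windows, 10 hops
    {"src": "203.0.113.1", "ttl": 249, "win": 4128},   # router, 6 hops
]

if __name__ == "__main__":
    for pkt in SAMPLE_SYNS:
        g = fingerprint(pkt["ttl"], pkt["win"])
        print(f"{pkt['src']}: initial TTL {g.initial_ttl} ({g.family}), "
              f"~{g.hops} hops, window hint: {g.window_hint}")
```

NAT devices and some firewalls rewrite TTLs, so treat the family as a hint to confirm with banner grabbing rather than a verdict.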

Zombie scan or TCP Idle scan

A zombie (idle) scan uses an intermediary machine to interact with the target. An FTP bounce scan uses a vulnerable FTP server to perform a scan against the real target.

You can perform an SSDP scan to identify vulnerable home and small-scale networks. The idle scan is one of the best but also most complicated ways to find open ports on remote machines, complicated because we first need to identify a suitable zombie machine.

The idle scan command is: sudo nmap -v -sI 192.168.2.14 192.168.2.2 -P0. The -v option increases verbosity, and -vv can be used to produce even more detail. The -sI option specifies the zombie system, here 192.168.2.14. The next IP address, 192.168.2.2, is the target system to be scanned. Finally, -P0 (-Pn in current Nmap versions) specifies that no pings should be sent to the target. Since no pings are sent from the source to the target, there is no direct communication between the two devices.

Internet Protocol (IP) IDs are numbers used to identify packets on a network, and most systems assign them consecutively. Because the idle scan depends on this, nmap first checks that the zombie produces consecutive IP IDs; if it does not, nmap stops. It is also imperative that the zombie be idle: if it is sending and receiving other packets, its IP IDs will not advance only because of the scan and the result will be erroneous.

Prerequisites for zombie scan:

  • Port 80 should be open on the zombie. The reason is that nmap’s probes to the zombie need a port to answer on; when no port is designated, the default is port 80 (a different one can be given as zombie:port).
  • The zombie machine should be idle, so select devices like printers.

Unicornscan

Unicornscan is a Linux-based command line-oriented network information-gathering and reconnaissance tool. It is an asynchronous TCP and UDP port scanner and banner grabber that enables you to discover open ports, services, TTL values, etc. running on the target machine. In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result.

unicornscan targetip -Iv

Port Scanning Techniques

Port scanning techniques can be categorized into several primary types, each with its own subtypes:

Primary Types of Port Scanning Techniques

  1. TCP Scans:

    • Connect Scan: Attempts to complete a full TCP handshake to identify open ports.
    • SYN Scan: Sends SYN packets to identify open ports without completing the connection.
    • FIN Scan: Sends FIN packets to identify open ports.
    • XMAS Scan: Sends packets with the FIN, PSH and URG flags set to identify open ports.
    • NULL Scan: Sends packets with no flags set to identify open ports.
    • ACK Scan: Analyzes the response to ACK packets to determine port status.
  2. UDP Scans:

    • UDP Scan: Identifies open UDP ports by sending UDP packets and analyzing responses.

Subtypes Within Port Scanning Techniques

  • Stealth Scans: Techniques designed to avoid detection by firewalls or intrusion detection systems (IDS). Examples include SYN, FIN, XMAS, and NULL scans.

  • Full Connect Scans: Complete the TCP handshake to ascertain open ports (Connect Scan).

  • Half-Open Scans: Initiates part of the TCP handshake without completing it (SYN Scan).

  • Firewall Detection Scans: Techniques like ACK Scan used to detect if a firewall is filtering ports.

  • Service Version Detection: Goes beyond port identification to determine the version and type of service running on open ports (often part of a more comprehensive scanning process).

For the TCP scans above, a closed port replies with a RST.
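As an added example, not from the original notes, the flag patterns above turned into defender-side detection logic: classify each probe by its TCP flags, count the distinct ports each source touches, and count the RST replies the target sends back for closed ports. The packet summaries are constructed.

```python
"""Classify inbound TCP probes by flag pattern and report port-scan behaviour.

Added example, not from the CEH notes. Input is a constructed list of packet
summaries of the kind a defender exports from a capture or firewall log:
(src, dst, dst_port, flags), with flags as tcpdump letters
S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
"""
from collections import defaultdict


def classify_probe(flags):
    """Map a flag set to the scan technique that sends such a packet."""
    f = set(flags)
    if f == {"S"}:
        return "SYN/connect"   # first packet of a connect or half-open scan
    if not f:
        return "NULL"          # no flags at all
    if f == {"F"}:
        return "FIN"
    if f == {"F", "P", "U"}:
        return "XMAS"          # FIN+PSH+URG, the hping3 -F -P -U combination
    if f == {"A"}:
        return "ACK"           # firewall/filter mapping probe
    if "R" in f:
        return "RST"           # what a closed port answers with
    return "other"             # SYN/ACK, data segments: normal traffic


def detect_scans(packets, port_threshold=5):
    """Group probes by (source, target). A source touching more than
    port_threshold distinct ports on one target is reported with the probe
    techniques it used and the number of RST replies the target sent back,
    since every closed port answers a probe with a RST."""
    probed = defaultdict(set)       # (scanner, target) -> ports probed
    techniques = defaultdict(set)   # (scanner, target) -> probe kinds seen
    rst_replies = defaultdict(int)  # (scanner, target) -> RSTs received
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind == "RST":
            rst_replies[(dst, src)] += 1   # reply flows target -> scanner
        elif kind != "other":
            probed[(src, dst)].add(dport)
            techniques[(src, dst)].add(kind)
    alerts = []
    for (src, dst), ports in probed.items():
        if len(ports) > port_threshold:
            alerts.append({
                "scanner": src, "target": dst, "ports": len(ports),
                "techniques": sorted(techniques[(src, dst)]),
                "rst_replies": rst_replies[(src, dst)],
            })
    return alerts


# Constructed sample: 10.0.0.9 probes seven ports on 10.0.0.20 with NULL and
# XMAS packets; five closed ports answer RST, two open ports stay silent.
# 10.0.0.5 is an ordinary client completing a handshake to port 443.
SAMPLE = (
    [("10.0.0.9", "10.0.0.20", p, "") for p in (21, 22, 23, 25)]
    + [("10.0.0.9", "10.0.0.20", p, "FPU") for p in (80, 110, 443)]
    + [("10.0.0.20", "10.0.0.9", 40000 + i, "R") for i in range(5)]
    + [("10.0.0.5", "10.0.0.20", 443, "S"),
       ("10.0.0.20", "10.0.0.5", 51000, "SA"),
       ("10.0.0.5", "10.0.0.20", 443, "PA")]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE):
        print(alert)
```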

IDS/Firewall Evasion Techniques

An Intrusion Detection System (IDS) and a firewall are security mechanisms intended to prevent an unauthorized person from accessing a network. However, even IDSs and firewalls have limitations. Firewalls and IDSs are meant to stop malicious traffic (packets) from entering a network, but certain techniques can be used to deliver the intended packets to the target and evade IDSs/firewalls.

nmap -sS, -sM and -sA are scan types used for evading firewalls. In these three scans, if a RST is received the port is closed; if not, the port is open or firewalled.

Techniques to evade IDS/firewall

  • Packet Fragmentation: Send fragmented probe packets to the intended target, which reassembles them after receiving all the fragments.
  • Source Routing: Specify the routing path for the malformed packet to reach the intended target. Most routers will not honour this.
  • Source Port Manipulation: Replace the actual source port with a common source port to evade the IDS/firewall.
  • IP Address Decoy: Generate or manually specify decoy IP addresses so that the IDS/firewall cannot determine the actual IP address.
  • IP Address Spoofing: Change the source IP address so that the attack appears to be coming from someone else.
  • Creating Custom Packets: Send custom packets to scan the intended target beyond the firewall.
  • Randomizing Host Order: Scan the hosts in the target network in a random order to reach the intended target lying beyond the firewall.
  • Sending Bad Checksums: Send packets with bad or bogus TCP/UDP checksums to the intended target.
  • Proxy Servers: Use a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
  • Anonymizers: Use anonymizers to bypass Internet censors and evade certain IDS and firewall rules.

Packet fragmentation

Packet fragmentation is a process used in computer networking where large packets of data are broken down into smaller fragments to fit within the maximum transmission unit (MTU) size of a network. The MTU is the largest size of a data packet that can be transmitted over a network without being fragmented.

When a data packet is too large to fit within the MTU of a network, it is divided into smaller fragments that can be transmitted individually and reassembled at the destination. This process is primarily used in the Internet Protocol (IP) suite, where routers along the network path may have different MTU sizes.

Packet fragmentation involves breaking the original packet into smaller fragments and including additional information in each fragment to aid in reassembly. However, some networks and security mechanisms may be configured to block or limit fragmented packets due to potential security concerns, such as evasion techniques used in cyber attacks.

Packet fragmentation refers to splitting a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDSs and firewalls protecting the host generally queue all of them and process them one by one. However, since this processing consumes more CPU and network resources, most IDSs are configured to skip fragmented packets during port scans.

TCP header is split into several packets so that the packet filters are not able to detect what packets are intended to do.

nmap -f targetip is the command for packet fragmentation.

Using the --mtu option in nmap, smaller packets are transmitted instead of sending one complete packet at a time. This technique evades the filtering and detection mechanism enabled on the target machine.

nmap --mtu 8 targetip (the MTU value must be a multiple of 8)
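An added example, not from the original notes, of why a fragment-skipping inspector is blind: an IP fragment reassembler that only exposes the TCP flags once all fragments are back together. Fragments are constructed tuples modelling the IP ID, fragment offset and more-fragments fields; the TCP header is built by hand.

```python
"""Reassemble IP fragments before inspecting the TCP header.

Added example, not from the CEH notes. A fragment is a constructed tuple
(ip_id, offset_in_8_byte_units, more_fragments, payload_bytes) mirroring the
IP header fields reassembly relies on. An inspector that looks at fragments
one by one, like an IDS configured to skip them, never sees the flags.
"""
import struct
from collections import defaultdict


def tcp_flags(tcp_header):
    """Return the flag letters from a 20-byte TCP header (flags at byte 13)."""
    bits = tcp_header[13]
    names = ["F", "S", "R", "P", "A", "U"]   # bit 0 .. bit 5
    return "".join(n for i, n in enumerate(names) if bits & (1 << i))


def build_tcp_header(sport, dport, flag_bits):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_bits,
                       64240, 0, 0)


def fragment(ip_id, payload, mtu_payload=8):
    """Split a transport payload into mtu_payload-byte fragments, the way
    nmap -f / --mtu 8 sends probes. Offsets are stored in 8-byte units."""
    if mtu_payload % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), mtu_payload):
        chunk = payload[off:off + mtu_payload]
        more = off + mtu_payload < len(payload)
        frags.append((ip_id, off // 8, more, chunk))
    return frags


def reassemble(fragments):
    """Group by IP ID, order by offset, return only complete datagrams.
    Sets with a gap, an overlap or no final fragment are dropped; this is
    where a reassembling IDS must keep state and bound its memory."""
    groups = defaultdict(list)
    for ip_id, off, more, chunk in fragments:
        groups[ip_id].append((off * 8, more, chunk))
    complete = {}
    for ip_id, parts in groups.items():
        parts.sort()
        buf, expected, done = b"", 0, False
        for start, more, chunk in parts:
            if start != expected:
                break                      # gap or overlap: not clean
            buf += chunk
            expected += len(chunk)
            done = not more
        else:
            if done:
                complete[ip_id] = buf
    return complete


def inspect_unreassembled(fragments):
    """What a fragment-skipping inspector sees: flags only if the first
    fragment happens to carry the whole 14 bytes up to the flag byte."""
    return [tcp_flags(chunk) for _, off, _, chunk in fragments
            if off == 0 and len(chunk) >= 14]


# Constructed probe: a SYN (flag bit 1) to port 80, sent in 8-byte fragments.
SYN_HEADER = build_tcp_header(40000, 80, 0x02)
FRAGS = fragment(ip_id=0x1234, payload=SYN_HEADER, mtu_payload=8)

if __name__ == "__main__":
    print("per-fragment view:", inspect_unreassembled(FRAGS))
    print("after reassembly:", tcp_flags(reassemble(FRAGS)[0x1234]))
```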

Source Port Manipulation

nmap -g is the parameter for source port manipulation. You also specify the source port you want to use.

nmap -g 80 targetIP or nmap --source-port 80 targetIP is the syntax for source port manipulation.

Source port manipulation is a technique used in networking and cybersecurity to modify the source port number of a communication packet. The source port is part of the transport layer header in the packet and, along with the source IP address, helps identify the sender of the packet. This is how it works:

  1. Regular Communication Flow: When your device communicates with a server, it sends data packets with a source port (a number attached to the data) that helps the server know where to send its response.
  2. Firewalls and Filters: Networks often have security measures like firewalls that control the flow of data based on specific rules. These rules might say which ports are allowed or not allowed for incoming traffic.
  3. Changing Source Ports: Sometimes, people try to bypass these rules by changing the source port number of outgoing packets. They hope that by using a different source port, the firewall won’t recognize the traffic as something it should block.
  4. Server’s Response: However, when the manipulated packet reaches the server, the server tries to send its response back to the source address and port mentioned in the packet.
  5. Unexpected Port: If the source port was changed and the server responds to a port that did not start the conversation (i.e., was not expecting a response there), the server sees this as strange and unexpected. The server sends its response back on the port it received the communication from (note that this is the modified port). If that port is closed on the sender’s end (or a firewall interferes), a RST and ACK is sent immediately.
  6. RST, ACK Signal: In response to this unexpected communication, the server sends a special signal called a TCP Reset (RST) along with an acknowledgment (ACK). This signal tells your device, “I got a message addressed to a conversation I didn’t start, so I’m closing this connection.”

In essence, it’s like the server saying, “I received a message on a door that wasn’t supposed to be used for this conversation, so I’m slamming it shut.” This behavior is part of how devices maintain security by closing unexpected or irregular connections.

Let’s say you are the sender and you changed the source port to port 80. The receiver or server gets the communication and tries to respond to port 80 on your machine. If port 80 is closed on your machine, the server sees a RST and ACK.

Source Routing

In a typical network, when a device wants to send a packet to a destination, it relies on routers along the way to determine the path the packet should take. These routers make forwarding decisions based on the destination address in the packet header.

Source routing, on the other hand, allows the sender of a packet to specify the route the packet should follow through the network. The sender includes a list of intermediate routers, known as hop-by-hop options or explicit route options, in the packet header. This list dictates the path the packet should take to reach its destination. There are two types of source routing:

Strict Source Routing:

  • In this mode, the sender explicitly defines the entire route that the packet must take.
  • Each router in the specified route must be listed in the packet header, and the packet is only accepted by routers along the specified path.
  • If a router is not on the specified route, it should not forward the packet.

Loose Source Routing:

  • In this mode, the sender specifies a loose list of routers, and the packet can traverse other routers not explicitly listed.
  • Routers not on the specified route can still forward the packet to the next router in the general direction of the destination.

Now, while source routing provides flexibility, it comes with security risks. Malicious users could potentially exploit source routing to manipulate the network path for malicious purposes, such as bypassing security measures or launching attacks. Due to these security concerns, many networks and routers disable or restrict the use of source routing. In fact, it’s often considered a security best practice to filter out or limit the acceptance of packets with explicit source routing options.

Ex: ping -j router1IP router2IP router3IP targetIP

ping -j 10.0.0.2 10.0.0.3 10.0.0.4 172.16.0.0

Here 172.16.0.0 is the actual IP address I want to reach, and 10.0.0.2, 10.0.0.3 and 10.0.0.4 are the routers. I am explicitly specifying that my connection should go through those three routers. You can see this in Wireshark.

IP address decoy

An IP address decoy, often referred to as IP address spoofing, is a technique used to falsify the source IP address in a network packet. The purpose of IP address decoy can vary, but it is often employed for malicious activities, such as:

Anonymity:

  • Attackers may use IP address decoys to hide their true identity and location. By falsifying the source IP address, they can make it difficult for investigators to trace the origin of malicious activities.

Evasion:

  • IP address decoy can be used to bypass security measures, such as firewalls or intrusion detection systems, by making the traffic appear to come from a trusted or legitimate source.

Denial of Service (DoS) Attacks:

  • In some cases, attackers may use IP address decoy as part of a Denial of Service attack, flooding a target with traffic from multiple spoofed IP addresses to overwhelm its resources.

Impersonation:

  • Attackers may impersonate a trusted entity by using the IP address of a legitimate server or device. This can be exploited to gain unauthorized access or conduct phishing attacks.

Traffic Interception:

  • IP address decoy can be part of a strategy to intercept or eavesdrop on communication between two parties by pretending to be one of them.

It’s important to note that IP address decoy is considered a malicious practice, and there are various security measures in place to detect and prevent it. Network security tools, such as intrusion detection and prevention systems, can be configured to identify anomalous or suspicious traffic patterns that may indicate IP address spoofing.

Additionally, techniques like ingress and egress filtering at the network perimeter can help prevent the use of spoofed IP addresses, making it more difficult for attackers to successfully carry out malicious activities using IP address decoys.

Using nmap -D you can specify decoy or false IP addresses for the scan. Here, there are two types again: you can have nmap generate random decoys or manually specify decoy IPs.

  • Random decoys: nmap -D RND:10 TargetIP — generates 10 random decoys
  • Static decoys: nmap -D decoyip1,decoyip2,decoyip3,… TargetIP

nmap -D RND:10 TargetIP. In this command, -D performs a decoy scan and RND generates random, non-reserved IP addresses (here, 10).

The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewall. This technique makes it difficult for the IDS/firewall to determine which IP address was actually scanning the network and which IP addresses were decoys. By using this command, Nmap automatically generates a random number of decoys for the scan and randomly positions the real IP address between the decoy IP addresses.

Evade IDS using mac spoofing

MAC address spoofing technique involves spoofing a MAC address with the MAC address of a legitimate user on the network. This technique allows you to send request packets to the targeted machine/network pretending to be a legitimate host.

nmap -sT -Pn --spoof-mac 0 TargetIP

In this command --spoof-mac 0 randomizes the MAC address, -sT performs the TCP connect/full open scan and -Pn skips host discovery.

IP Address Spoofing

IP address spoofing is a technique where an attacker manipulates the source IP address in a packet to make it appear as if it’s coming from a different source. This deceptive practice can be exploited to hide the true origin of network traffic, evade security measures, and potentially launch malicious activities.

IP spoofing refers to changing the source IP address so that the attack appears to be coming from someone else. When the victim replies, the reply goes to the spoofed address rather than the attacker’s real address. Attackers modify the address information in the IP packet header, specifically the source address field, in order to bypass the IDS or firewall.

hping3 -S www.certifiedhacker.com -a 7.7.7.7 – Here 7.7.7.7 is the spoofed IP the attacker uses to ping the website. It could be a real IP on the public Internet. If someone looks at the Wireshark capture on the backend server for www.certifiedhacker.com, they see the source IP as 7.7.7.7.

hping3 -S 192.168.80.4 -a 7.7.7.7 – Here, 7.7.7.7 is the spoofed IP and 192.168.80.4 is the actual target. Again, a Wireshark capture on the 192.168.80.4 server shows the SYN scan coming from the 7.7.7.7 IP.

Using hping3, you can also set a random source and send UDP packets: hping3 192.168.80.6 --udp --rand-source --data 500. Here, --udp sends UDP packets to the target host, --rand-source enables random source mode and --data specifies the packet body size.

hping3 -S 192.168.80.6 -p 80 -c 5. Here, -S sets the TCP SYN flag for the packets sent to the target machine, -p assigns the port to send the traffic to, and -c is the count of packets sent. When you run hping3 with the options -S targetip -p 80 -c 5, you are sending five TCP SYN packets to the specified target IP address on port 80. The SYN (synchronize) flag set in these packets indicates the initiation of a TCP connection.

However, if you immediately receive RST (reset) packets in response to the SYN packets, it typically means that the port you are trying to connect to (port 80 in this case) is closed on the target machine.

hping3 targetip --flood performs TCP flooding. You can also use other packet crafting tools such as NetScanTools Pro (https://www.netscantools.com) and Colasoft Packet Builder (https://www.colasoft.com) to build custom packets to evade security mechanisms.

Network scanning tools

Proxy Servers

A proxy server acts as an intermediary between your device and the internet. Instead of connecting directly to a website, your requests go through the proxy server, which then forwards the data to you. It can be used for various purposes, like improving security, privacy, or even accessing content restricted in your region. Think of it as a middleman that helps you navigate the online world with a bit more control and anonymity.

Proxy chaining

Proxy chaining involves using multiple proxy servers in a sequence to enhance privacy and security. Each proxy server in the chain adds an extra layer of protection, making it more challenging for anyone to trace your online activities back to you. It’s like wearing multiple disguises on your way to the internet party—each layer adds a little more mystery. Just keep in mind that while it adds security, it can also slow down your connection a bit. Each proxy server knows information about its previous proxy server only. So it is hard to trace back.

Proxy tools

Proxy Switcher and CyberGhost VPN are some of the tools for proxy switching. Burp Suite, Tor, CCProxy and Hotspot Shield are some other proxy tools.

Anonymizers

Anonymizers are like the invisibility cloaks of the internet, helping you keep a low profile. They disguise your online identity by routing your internet traffic through a third-party server. It’s like wearing a mask at a masquerade ball—nobody knows who you really are. They are handy for maintaining privacy, whether you are browsing the web or communicating online.

Anonymizers allow you to bypass Internet censors. Whonix is a desktop OS designed for advanced security and privacy.

Anonymizer vs proxy servers

Think of them as different flavors of the same privacy-protecting ice cream. Both aim to conceal your online identity, but they have their nuances. Anonymizers hide your IP address and often come with additional features like encryption and cookie management. They’re all about that full-service privacy. On the other hand, proxy servers are more like middlemen. They act as intermediaries between you and the websites you visit, forwarding your requests and obscuring your IP address in the process. It’s like having a friend stand between you and the world, whispering your requests so nobody can eavesdrop. In short, anonymizers offer a more comprehensive package, while proxy servers are like the discreet messengers of online anonymity.

IP Spoofing detection techniques

  • Direct TTL probes
  • IP Identification number
  • TCP flow control method
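The three detection techniques listed above, as an added example that is not part of the original notes, each implemented over constructed packets; `probe_reply` is an assumed stand-in for the reply a sensor gets when it actively probes the claimed source address.

```python
"""Three source-address spoofing checks: direct TTL probe, IP identification
number and TCP flow control. Added example, not from the CEH notes. All
packets are constructed; probe_reply stands in for the reply received when
the sensor actively pings the address the suspect packet claims to be from."""
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    ttl: int
    ip_id: int
    payload_len: int = 0   # TCP data bytes carried; used by flow-control check


def initial_ttl(ttl):
    """Round an observed TTL up to the common starting value (64/128/255)."""
    return next(s for s in (64, 128, 255) if ttl <= s)


def ttl_probe_check(suspect, probe_reply, tolerance=2):
    """Direct TTL probe: a packet really sent by the claimed source arrives
    with (nearly) the same TTL as a reply to our own probe of that address,
    since both crossed the same path. True means they disagree: likely spoofed."""
    if initial_ttl(suspect.ttl) != initial_ttl(probe_reply.ttl):
        return True
    return abs(suspect.ttl - probe_reply.ttl) > tolerance


def ip_id_check(suspect, probe_reply, window=1000):
    """IP identification number: a host with incremental IP IDs hands out
    values close to the one in a fresh probe reply; a distant value means the
    suspect packet was not generated by that host. Only meaningful for hosts
    with incremental (not randomised) IP IDs; 16-bit wraparound is handled."""
    diff = (probe_reply.ip_id - suspect.ip_id) % 65536
    return window < diff < 65536 - window


def flow_control_check(packets_after_zero_window):
    """TCP flow control: after the sensor advertises a zero receive window a
    real peer stops sending data; a spoofer never sees the advertisement and
    keeps transmitting. True if data kept flowing."""
    return any(p.payload_len > 0 for p in packets_after_zero_window)


def verdict(suspect, probe_reply, after_zero_window):
    """Combine the checks; two or more agreeing checks are taken as spoofed."""
    checks = {
        "ttl_mismatch": ttl_probe_check(suspect, probe_reply),
        "ip_id_mismatch": ip_id_check(suspect, probe_reply),
        "ignores_zero_window": flow_control_check(after_zero_window),
    }
    checks["likely_spoofed"] = sum(checks.values()) >= 2
    return checks


# Constructed scenario: packets claim to come from 203.0.113.7, but a direct
# probe of 203.0.113.7 returns a different initial TTL and a far-off IP ID,
# and data keeps arriving after a zero window was advertised.
SUSPECT = Pkt("203.0.113.7", ttl=241, ip_id=5000)
PROBE_REPLY = Pkt("203.0.113.7", ttl=57, ip_id=32010)
AFTER_ZERO_WINDOW = [Pkt("203.0.113.7", 241, 5001, 1200),
                     Pkt("203.0.113.7", 241, 5002, 1200)]

# A genuine sender for comparison: same TTL, nearby IP ID, honours the window.
GENUINE = Pkt("198.51.100.4", ttl=118, ip_id=7700)
GENUINE_PROBE = Pkt("198.51.100.4", ttl=118, ip_id=7712)

if __name__ == "__main__":
    print("suspect:", verdict(SUSPECT, PROBE_REPLY, AFTER_ZERO_WINDOW))
    print("genuine:", verdict(GENUINE, GENUINE_PROBE, []))
```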

Nmap IDS evasion techniques

  • nmap -f targetip – fragment packets so that the IDS will allow them.
  • nmap -g port targetip – specify an alternate source port.
  • nmap --mtu size targetip – using a small MTU, smaller packets are transmitted instead of one complete packet at a time. This technique evades the filtering and detection mechanism enabled on the target machine.
  • nmap -D RND:10 TargetIP – the IP address decoy technique refers to generating or manually specifying decoy IP addresses to evade the IDS/firewall.
  • nmap -sT -Pn --spoof-mac 0 TargetIP – the MAC address spoofing technique involves spoofing a MAC address with the MAC address of a legitimate user on the network.
