
Scanning Networks
Module 03


Ethical Hacking and Countermeasures
Scanning Networks

Exam 312-50 Certified Ethical Hacker

Scanning Networks
Module 03

Engineered by Hackers. Presented by Professionals.

CEH

Ethical Hacking and Countermeasures v8
Module 03: Scanning Networks
Exam 312-50

Module 03 Page 263

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



Security News

Oct 18 2012
Saliently Sality Botnet Trapped Scanning IPv4 Address Space

Security News: Saliently Sality Botnet Trapped Scanning IPv4 Address Space


Source: http://www.spamfighter.com

A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study, published by Paritynews.com, on October 10, 2012.

Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks.

Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space, devoid of being recognized. That's the only reason the technique uses a very small number of packets that come from various sources.

The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing in the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case, from various sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012).

According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one.

According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet uses classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.

Copyright © SPAMfighter 2003-2012
http://www.spamfighter.com/News-17993-Saliently-Sality-Botnet-Trapped-Scanning-IPv4Address-Space.htm
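The "reverse-byte-order increments" the article describes can be modelled directly. The Python below is an added example, not code from this page, from the UCSD researchers or from the botnet itself. It assumes one reading of the phrase: the scan keeps a 32-bit counter and forms the target address from the counter's bytes in reverse order, so the lowest byte of the counter becomes the first octet and consecutive probes land in different /8s. Under that assumption it shows why a single /24 sees only one probe every 2**24 counter steps, which is one probe every 4050 seconds (about 67 minutes) when the whole space is covered in the 12 days the article mentions.

```python
import ipaddress

TOTAL_IPV4 = 2 ** 32


def reverse_byte_target(n: int) -> ipaddress.IPv4Address:
    """Target address for scan counter n under reverse-byte-order increments.

    Assumed layout: the counter's least-significant byte becomes the first
    octet and its most-significant byte the last, so n and n+1 land in
    different /8s, whereas a sequential scan would hit neighbouring addresses.
    """
    if not 0 <= n < TOTAL_IPV4:
        raise ValueError("counter out of range")
    octets = [(n >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def first_targets(count: int) -> list:
    """The first `count` targets of the scan, as dotted strings."""
    return [str(reverse_byte_target(n)) for n in range(count)]


def counters_hitting(network: str) -> list:
    """Every counter value whose target lies inside a /24 victim network.

    Only the top byte of the counter varies inside the /24, so the 256 hits
    are spaced exactly 2**24 counter steps apart.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen != 24:
        raise ValueError("this helper assumes a /24 victim network")
    o = net.network_address.packed
    base = o[0] | (o[1] << 8) | (o[2] << 16)
    return [base + (last_octet << 24) for last_octet in range(256)]


def seconds_between_probes(network: str, total_scan_seconds: float) -> float:
    """Gap between consecutive probes arriving at `network` when the whole
    IPv4 space is covered uniformly in total_scan_seconds (botnet-wide rate)."""
    counters = counters_hitting(network)
    step = counters[1] - counters[0]          # 2**24 counter steps
    rate = TOTAL_IPV4 / total_scan_seconds    # probes per second, all bots combined
    return step / rate


if __name__ == "__main__":
    print("first targets:", first_targets(5))
    hits = counters_hitting("192.168.168.0/24")
    print("first probe into 192.168.168.0/24 at counter", hits[0],
          "->", reverse_byte_target(hits[0]))
    gap = seconds_between_probes("192.168.168.0/24", 12 * 24 * 3600)
    print("with a 12-day full-space scan, this /24 sees one probe every %.0f s" % gap)
```

A rate detector that counts probes from one source, or into one network, over a window of minutes never fires on this stream, which is the "dilution" the article describes; the scan only becomes visible when the trickle is correlated across many networks over days.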


Module Objectives

- Overview of Network Scanning
- CEH Scanning Methodology
- Checking for Live Systems
- Scanning Techniques
- IDS Evasion Techniques
- Banner Grabbing
- Vulnerability Scanning
- Drawing Network Diagrams
- Use of Proxies for Attack
- Proxy Chaining
- HTTP Tunneling Techniques
- SSH Tunneling
- Anonymizers
- IP Spoofing Detection Techniques
- Scanning Countermeasures
- Scanning Pen Testing

Module Objectives

Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance in which the attacker learns more about his/her target, such as which operating system is used, which services are running on the systems, and which configuration lapses, if any, can be identified. The attacker can then strategize his/her attack, factoring in these aspects.

This module will familiarize you with:

- Overview of Network Scanning
- CEH Scanning Methodology
- Checking for Live Systems
- Scanning Techniques
- IDS Evasion Techniques
- Banner Grabbing
- Vulnerability Scanning
- Drawing Network Diagrams
- Use of Proxies for Attack
- Proxy Chaining
- HTTP Tunneling Techniques
- SSH Tunneling
- Anonymizers
- IP Spoofing Detection Techniques
- Scanning Countermeasures
- Scanning Pen Testing


Overview of Network Scanning

- Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
- Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization

[Diagram: the attacker sends TCP/IP probes to the network and gets network information back]

Objectives of Network Scanning

- To discover live hosts, IP address, and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts

Overview of Network Scanning

As we already discussed, footprinting is the first phase of hacking, in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because it gathers only the primary information about the target. You can use this primary information in the next phase to gather many more details about the target.

The process of gathering additional details about the target using more complex and aggressive reconnaissance techniques is called scanning.

The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as which operating system is used, which services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.

Types of Scanning

- Port scanning - Open ports and services
- Network scanning - IP addresses
- Vulnerability scanning - Presence of known weaknesses


In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more ports are open, the more points of vulnerability there are; the fewer ports are open, the more secure the system is. This is only a general rule: in some cases the level of vulnerability may be high even though few ports are open, because a single exposed service with a known flaw is enough for an intruder.

Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, the targets' operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems.

[Diagram: the attacker sends TCP/IP probes to the network and gets network information back]

FIGURE 3.1: Network Scanning Diagram


Objectives of Network Scanning

If you have a large amount of information about a target organization, there are greater chances for you to learn the weaknesses and loopholes of that particular organization, and consequently, for gaining unauthorized access to its network.

Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what type of information is to be obtained during the scanning process entirely depends on the hacker's viewpoint. There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase:

- Discovering live hosts, IP addresses, and open ports of live hosts running on the network.
- Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
- Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.


- Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
- Detecting the associated network service of each port.


CEH Scanning Methodology

- Check for Live Systems
- Check for Open Ports
- Scanning Beyond IDS
- Banner Grabbing
- Scan for Vulnerability
- Draw Network Diagrams
- Prepare Proxies
- Scanning Pen Testing

Scanning Methodology

The first step in scanning the network is to check for live systems.

This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools.


Checking for Live Systems - ICMP Scanning

- Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply
- This scan is useful for locating active devices or determining if ICMP is passing through a firewall

[Diagram: ICMP Echo Request from Source (192.168.168.3) to Destination (192.168.168.5); ICMP Echo Reply back]

The ping scan output using Nmap:

[Screenshot: Zenmap, Target 192.168.168.5, Profile "Ping scan", Command nmap -sn 192.168.168.5; the output is reproduced in Figure 3.3]

Checking for Live Systems - ICMP Scanning

ICMP Scanning

All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all. The -P (ping scan), -L (number of pings in parallel) and -T (ping timeout) options referred to here belong to the early Nmap command line; current Nmap performs the ping scan with -sn, as in the screenshots in this section. ICMP scanning is done in parallel, so it can be quick, and it can be helpful to tweak the ping timeout value.

ICMP Query

The UNIX tool icmpquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP REQUEST). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. Note that many current hosts and firewalls answer neither request, so a silent host is not necessarily down.

icmpquery has both a timestamp and an address mask request option:

icmpquery <-query> [-B] [-f fromhost] [-d delay] [-T time] target


where <query> is one of:
  -t: ICMP timestamp request (default)
  -m: ICMP address mask request
-d: delay to sleep between packets, in microseconds
-T: the number of seconds to wait for a host to respond. The default is 5.
A target is a list of hostnames or addresses.

[Diagram: ICMP Echo Request from Source (192.168.168.3) to Destination (192.168.168.5); ICMP Echo Reply back]

FIGURE 3.2: ICMP Query Diagram

Ping Scan Output Using Nmap

Source: http://nmap.org

Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending ICMP ECHO requests to the hosts on the network; if a host is live, it sends an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. Note that when the target is on the same Ethernet segment, Nmap discovers hosts with ARP requests instead of ICMP, which is why the output below reports a MAC address even if ICMP were filtered.

The following screenshot shows the sample output of a ping scan using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
[Screenshot: Zenmap, Target 192.168.168.5, Profile "Ping scan", Command nmap -sn 192.168.168.5; Hosts pane lists 192.168.168.1, 192.168.168.3, 192.168.168.5, 192.168.168.13]

Nmap Output:
nmap -sn 192.168.168.5
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 13:02 EDT
Nmap scan report for 192.168.168.5
Host is up (0.005s latency).
MAC Address: (Dell)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

FIGURE 3.3: Zenmap Showing Ping Scan Output


Ping Sweep

- Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply
- Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet
- Attackers then use ping sweep to create an inventory of live systems in the subnet

The ping sweep output using Nmap:

[Screenshot: Zenmap, Target 192.168.168.1-50, Command nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50; the output is reproduced in Figure 3.5]

[Diagram: Source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, 192.168.168.6, 192.168.168.7 and 192.168.168.8; live hosts answer with an ICMP Echo Reply]

http://nmap.org

Ping Sweep

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique to determine which addresses in a range of IP addresses map to live hosts (computers). While a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts.

If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods to scan a network. The ping utility is distributed with almost all platforms, and a sweep acts like a roll call for systems: a system that is live on the network answers the ping query that is sent by another system.


[Diagram: Source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, 192.168.168.6, 192.168.168.7 and 192.168.168.8; live hosts answer with an ICMP Echo Reply]

FIGURE 3.4: Ping Sweep Diagram

TCP/IP Packet

To understand ping, you should understand the packet it sends. Ping uses ICMP, not TCP: when a system pings, a single ICMP ECHO request is sent across the network to a specific IP address. On Unix-like systems this ICMP message is 64 bytes by default, i.e., 56 data bytes and 8 bytes of ICMP header (the 20-byte IP header is added on top of that); Windows ping sends 32 data bytes by default. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping reports the round-trip time, i.e., the total time taken by a packet to complete a trip, and the TTL value in the reply gives a rough indication of the number of hops between the two computers (traceroute is the tool that actually enumerates them). Ping can also be used for checking host name resolution: if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address.
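The ICMP messages discussed in this section (the ECHO request that ping and ping sweeps send, and the TIMESTAMP and ADDRESS MASK requests that icmpquery sends) can be built and decoded by hand, which also makes the "64 bytes = 8 header + 56 data" arithmetic above concrete. The Python below is an added example and is not code from this page or from the icmpquery, ICMPush or Nmap projects. It only constructs and parses packets in memory (the RFC 1071 checksum included); actually sending them needs a raw socket and root privileges, which is assumed to be out of scope here.

```python
import struct

# ICMP message types used in this section (RFC 792, RFC 950)
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(packet: bytes) -> bool:
    """A correctly checksummed ICMP message sums to zero when the checksum field is included."""
    return len(packet) >= 8 and icmp_checksum(packet) == 0


def build_icmp(msg_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """8-byte ICMP header (type, code, checksum, identifier, sequence) + payload."""
    header = struct.pack("!BBHHH", msg_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, code, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, data_len: int = 56) -> bytes:
    """Type 8 echo request; the default 56 data bytes give the 64-byte message ping reports."""
    payload = bytes(i & 0xFF for i in range(data_len))
    return build_icmp(ICMP_ECHO_REQUEST, 0, ident, seq, payload)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Type 13: originate, receive and transmit timestamps in ms since midnight UTC;
    only the originate field is filled in by the sender."""
    return build_icmp(ICMP_TIMESTAMP_REQUEST, 0, ident, seq, struct.pack("!III", originate_ms, 0, 0))


def build_address_mask_request(ident: int, seq: int) -> bytes:
    """Type 17: a 4-byte mask field, zero in the request, filled in by the replying host."""
    return build_icmp(ICMP_ADDRESS_MASK_REQUEST, 0, ident, seq, b"\x00" * 4)


def parse_icmp(packet: bytes) -> dict:
    """Verify the checksum and decode the header plus the type-specific body."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if not checksum_ok(packet):
        raise ValueError("bad ICMP checksum")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    out = {"type": msg_type, "code": code, "id": ident, "seq": seq}
    body = packet[8:]
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        out["data_len"] = len(body)
    elif msg_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        out["originate_ms"], out["receive_ms"], out["transmit_ms"] = struct.unpack("!III", body[:12])
    elif msg_type in (ICMP_ADDRESS_MASK_REQUEST, ICMP_ADDRESS_MASK_REPLY):
        mask = struct.unpack("!I", body[:4])[0]
        out["mask"] = ".".join(str((mask >> s) & 0xFF) for s in (24, 16, 8, 0))
        out["prefix_len"] = bin(mask).count("1")   # how many subnets a /24 is carved into, etc.
    return out


if __name__ == "__main__":
    echo = build_echo_request(0x1234, 1)
    print("echo request:", len(echo), "bytes ->", parse_icmp(echo))
    # A constructed address-mask reply such as a router might return for 255.255.255.0
    reply = build_icmp(ICMP_ADDRESS_MASK_REPLY, 0, 7, 3, bytes([255, 255, 255, 0]))
    print("mask reply:", parse_icmp(reply))
```

The parser rejects a message whose checksum does not verify, which is the first thing to check before trusting a reply: a spoofed or truncated answer with a bad checksum should be dropped, not counted as a live host.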
Source: http://nmap.org

Using the Nmap Security Scanner you can perform a ping sweep. A ping sweep determines the IP addresses of live hosts. This provides information about the live hosts' IP addresses as well as their MAC addresses (the MAC address is only reported when the target is on the local segment, where Nmap discovers hosts with ARP). It allows you to scan multiple hosts at a time and determine the active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:


[Screenshot: Zenmap, Target 192.168.168.1-50, Profile "Ping scan", Command nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50; Hosts pane lists 192.168.168.1, 192.168.168.3, 192.168.168.5, 192.168.168.13, 192.168.168.14, 192.168.168.15, 192.168.168.17, 192.168.168.19, 192.168.168.26, 192.168.168.28]

Nmap Output:
nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: (Foxconn)
Nmap scan report for 192.168.168.14
Host is up (0.0020s latency).

FIGURE 3.5: Zenmap showing ping sweep output
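The two steps the Ping Sweep slide describes, sizing the subnet with a subnet mask calculator and turning the sweep output into an inventory of live systems, can be scripted around the Nmap output shown in Figure 3.5. The Python below is an added example, not code from this page or from the Nmap project. The Nmap normal-output sample embedded in it is constructed to mirror Figure 3.5; the MAC addresses in it are made-up locally administered (02:...) values, because the screenshot redacts the real ones.

```python
import ipaddress
import re

# Constructed sample of Nmap normal output, modelled on the sweep in Figure 3.5.
# The MAC addresses are invented locally administered values, not real OUIs.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41 EDT
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: 02:00:00:00:00:01 (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: 02:00:00:00:00:03 (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: 02:00:00:00:00:05 (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: 02:00:00:00:00:0D (Foxconn)
Nmap scan report for 192.168.168.14
Host is up (0.0020s latency).
Nmap done: 50 IP addresses (5 hosts up) scanned in 2.30 seconds
"""

# "Nmap scan report for host (1.2.3.4)" when reverse DNS resolved, else just the address
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
UP_RE = re.compile(r"^Host is up \(([0-9.]+)s latency\)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")


def subnet_summary(cidr: str) -> dict:
    """What a subnet mask calculator reports: mask, broadcast and usable host count."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
    }


def sweep_targets(cidr: str) -> list:
    """Addresses to probe, skipping the network and broadcast addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def parse_nmap_sweep(text: str) -> list:
    """Turn Nmap normal output into a list of live hosts with latency, MAC and vendor."""
    hosts, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            name, addr = m.group(1), m.group(2)
            current = {"ip": addr or name, "hostname": name if addr else None,
                       "latency_s": None, "mac": None, "vendor": None}
            continue
        if current is None:
            continue
        m = UP_RE.match(line)
        if m:
            current["latency_s"] = float(m.group(1))
            hosts.append(current)          # only hosts that answered are inventoried
            continue
        m = MAC_RE.match(line)
        if m:                              # MAC line follows "Host is up" for on-segment hosts
            current["mac"], current["vendor"] = m.group(1).upper(), m.group(2)
    return hosts


def inventory(text: str, cidr: str) -> dict:
    """Live hosts keyed by IP, plus how much of the subnet answered."""
    live = parse_nmap_sweep(text)
    return {
        "hosts": {h["ip"]: h for h in live},
        "live_count": len(live),
        "usable_hosts": subnet_summary(cidr)["usable_hosts"],
    }


if __name__ == "__main__":
    print(subnet_summary("192.168.168.0/24"))
    inv = inventory(SAMPLE_NMAP_OUTPUT, "192.168.168.0/24")
    print("%d of %d usable addresses answered" % (inv["live_count"], inv["usable_hosts"]))
    for ip, h in inv["hosts"].items():
        print(ip, h["latency_s"], h["mac"], h["vendor"])
```

A host without a MAC line (192.168.168.14 in the sample) is still live; Nmap only prints the MAC when the target is on the local segment and was found via ARP, so the field is informational and must not be used to decide whether a host is up.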


Ping Sweep Tools

SolarWinds Engineer's Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.

Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.

[Screenshot: Angry IP Scanner scanning IP Range 10.0.0.1 to 10.0.0.50; reproduced in Figure 3.6]

Ping Sweep Tools

Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done using ping sweep tools. There are a number of ping sweep tools readily available in the market with which you can perform ping sweeps easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to multiple hosts at a time. Angry IP Scanner and SolarWinds Engineer's Toolset are two commonly used ping sweep tools.

Angry IP Scanner

Source: http://www.angryip.org

Angry IP Scanner is an IP scanner tool. It identifies all non-responsive addresses as dead nodes, resolves hostname details, and checks for open ports. Its main features are multiple-port scanning and configurable scanning columns. Its main goal is to find the active hosts in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac OS X, etc. It can scan any IPv4 range, from 1.1.1.1 to 255.255.255.255. Keep in mind that a host which drops ICMP echo requests is also reported as dead, so "dead" here means "did not answer", not "absent".


[Screenshot: Angry IP Scanner, IP Range 10.0.0.1 to 10.0.0.50, columns IP, Ping, Hostname and Ports [2000+]; responsive hosts show a ping time (0 ms to a few hundred ms), a hostname and open ports such as 80, 135, 139 and 445, while non-responsive addresses show [n/a]; status bar "Ready", Display: All, Threads: 0]

FIGURE 3.6: Angry IP Scanner Screenshot


SolarWinds Engineer's Toolset

Source: http://www.solarwinds.com

The SolarWinds Engineer's Toolset is a collection of network engineer's tools. By using this toolset you can scan a range of IP addresses and identify the IP addresses that are currently in use and the IP addresses that are free. It also performs reverse DNS lookup.

[Screenshot: SolarWinds Engineer's Toolset Ping Sweep, Starting IP Address 192.168.168.10, Ending IP Address 192.168.168.95, Scan For: All IPs; per-address columns IP Address, Response Time (e.g., 2 ms, 3 ms, or "Request Timed Out") and DNS Lookup; status "Scan Completed"]

FIGURE 3.7: SolarWinds Engineer's Toolset Screenshot


Ping Sweep Tools (Cont'd)

Colasoft Ping Tool - http://www.colasoft.com
Visual Ping Tester - Standard - http://www.pingtester.net
Ping Scanner Pro - http://www.digilextechnologies.com
Ultra Ping Pro - http://ultraping.webs.com
PingInfoView - http://www.nirsoft.net
PacketTrap MSP - http://www.packettrap.com
Ping Sweep - http://www.whatsupgold.com
Network Ping - http://www.greenline-soft.com
Ping Monitor - http://www.niliand.com
Pinkie - http://www.ipuptime.net

jf S S S
u

P in g

S w e e p T o o ls ( C o n t’ d )

r -


In a dd itio n to Solarwinds Engineer's Toolset and Angry IP Scanner, th e re are many
o th e r tools th a t fea tu re ping sweep capabilities. For exam ple:
9

Colasoft Ping Tool available at h ttp ://w w w .c o la s o ft.c o m

9

Visual Ping Tester - Standarad available at h ttp ://w w w .p in g te s te r.n e t

9

Ping Scanner Pro available at h ttp ://w w w .d ig ile xte ch n o lo g ie s.co m

9

Ultra Ping Pro available at h ttp ://u ltra p in g .w e b s .c o m

9

P inglnfoView available at h ttp ://w w w .n irs o ft.n e t

9

PacketTrap MSP available at

9

Ping Sweep available at h ttp ://w w w .w h a ts u p g o ld .c o m


9

N e tw o rk Ping available at h ttp ://w w w .g re e n lin e -s o ft.c o m

9

Ping M o n ito r available at h ttp ://w w w .n ilia n d .c o m

9

Pinkie available at h ttp ://w w w .ip u p tim e .n e t


So far we discussed how to check for live systems. Open ports are the doorways for an attacker to launch attacks on systems. Now we will discuss scanning for open ports.

Module flow:
- Check for Live Systems
- Check for Open Ports
- Scanning Beyond IDS
- Banner Grabbing
- Scan for Vulnerability
- Draw Network Diagrams
- Prepare Proxies
- Scanning Pen Testing

This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as FIN scan, SYN scan, and so on.


Three-Way Handshake

TCP uses a three-way handshake to establish a connection between server and client.

Three-way Handshake Process
1. Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set.
2. The server replies with a packet with both the SYN and the ACK flag set.
3. For the final step, the client responds back to the server with a single ACK packet.
4. If these three steps are completed without complication, then a TCP connection is established between the client and the server.

Three-Way Handshake

TCP is connection-oriented, which means that a connection must be established before applications can transfer data. This connection is set up through the process of the three-way handshake, which establishes the connection between the two communicating endpoints.


The three-way handshake process goes as follows:

- To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21).
- The destination, on receiving the SYN packet sent by the source, responds by sending a SYN/ACK packet back to the source.
- This ACK packet confirms the arrival of the first SYN packet to the source.
- In conclusion, the source sends an ACK packet for the SYN/ACK packet sent by the destination.
- This triggers an "OPEN" connection, allowing communication between the source and the destination until either of them issues a "FIN" packet or a "RST" packet to close the connection.


The TCP protocol maintains stateful connections for all connection-oriented protocols across the Internet, and works the same as an ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until a person picks up the receiver and says, "Hello."

[Figure: three-way handshake between Bill, the client at 10.0.0.2:62000, and Sheela, the server at 10.0.0.3:21]

FIGURE 3.8: Three-way Handshake Process
Establishing a TCP Connection

As we previously discussed, a TCP connection is established based on the three-way handshake method. It is clear from the name of the connection method that the establishment of the connection is accomplished in three main steps.

Source: http://support.microsoft.com/kb/172983

The following three frames will explain the establishment of a TCP connection between nodes NTW3 and BDC3:

Frame 1:
In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize the sequence numbers. It specifies its Initial Sequence Number (ISN), which is incremented by 1 and sent to the server. To initialize a connection, the client and server must synchronize each other's sequence numbers. There is also an option for the Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4); this option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake.
1 2.0785 NTW3 --> BDC3 TCP ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221822 (0x7D747E)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8192 (0x2000)
TCP: Checksum = 0xF213
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4)
TCP: Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`....`.;....E.
00010: 00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B   .,..@....K.k...k
00020: 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02   .......}t~....`.
00030: 20 00 F2 13 00 00 02 04 05 B4 20 20                .........


Frame 2:
In the second step, the server, BDC3, sends an ACK and a SYN on this segment (TCP .A..S.). In this segment the server is acknowledging the request of the client for synchronization. At the same time, the server is also sending its request to the client for synchronization of its sequence numbers. There is one major difference in this segment. The server transmits an acknowledgement number (8221823) to the client. The acknowledgement is just proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and use it as its acknowledgement number.

2 2.0786 BDC3 --> NTW3 TCP .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037 BDC3 --> NTW3 IP

TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037
TCP: Source Port = NETBIOS Session Service
TCP: Destination Port = 0x040D
TCP: Sequence Number = 1109645 (0x10EE8D)
TCP: Acknowledgement Number = 8221823 (0x7D747F)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x12 : .A..S.
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x012D
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4)
TCP: Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00   .`.;...`......E.
00010: 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B   .,[.@....L.k...k
00020: 02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12   ...........}t.`.
00030: 22 38 01 2D 00 00 02 04 05 B4 20 20               "8.-......

Frame 3:
In the third step, the client sends an ACK on this segment (TCP .A....). In this segment, the client is acknowledging the request from the server for synchronization. The client uses the same algorithm the server implemented in providing an acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection, thus the three-way handshake.
3 2.787 NTW3 --> BDC3 TCP .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221823 (0x7D747F)
TCP: Acknowledgement Number = 1109646 (0x10EE8E)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x18EA
TCP: Urgent Pointer = 0 (0x0)
TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`....`.;....E.
00010: 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B   .(..@....O.k...k
00020: 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10   .......}t.....P.
00030: 22 38 18 EA 00 00 20 20 20 20 20 20               "8....


TCP Communication Flags

Standard TCP communications are controlled by flags in the TCP packet header:
- URG (Urgent): Data contained in the packet should be processed immediately
- FIN (Finish): There will be no more transmissions
- RST (Reset): Resets a connection
- PSH (Push): Sends all buffered data immediately
- ACK (Acknowledgement): Acknowledges the receipt of a packet
- SYN (Synchronize): Initiates a connection between hosts

TCP Communication Flags

Standard TCP communications are controlled by the flags held in the TCP packet header. These flags govern the connection between hosts and give instructions to the system. The following are the TCP communication flags:

- Synchronize, "SYN": notifies the transmission of a new sequence number
- Acknowledgement, "ACK": confirms receipt of a transmission and identifies the next expected sequence number
- Push, "PSH": the system is accepting requests and forwarding buffered data
- Urgent, "URG": instructs that the data contained in the packet be processed as soon as possible
- Finish, "FIN": announces that no more transmissions will be sent to the remote system
- Reset, "RST": resets a connection

SYN scanning mainly deals with three of the flags, namely SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
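As an added example (my own code, not from the courseware or the Microsoft KB article), the following Python decodes the hex dumps of Frames 1-3 from the "Establishing a TCP Connection" section, recomputes each segment's TCP checksum over the pseudo-header, names the header flags listed above, and checks the sequence/acknowledgement rules the three frames illustrate. The only assumption is that the bytes were transcribed as printed (OCR "C l" and "E l" read as C1 and E1).

```python
import struct
from dataclasses import dataclass

FRAMES = [  # transcribed from the hex dumps of Frames 1-3 above; trailing frame padding kept as captured
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
    "20 00 F2 13 00 00 02 04 05 B4 20 20",
    "02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00 "
    "00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B "
    "02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 "
    "22 38 01 2D 00 00 02 04 05 B4 20 20",
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 "
    "22 38 18 EA 00 00 20 20 20 20 20 20",
]
FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}

@dataclass
class Segment:
    sport: int; dport: int; seq: int; ack: int; flags: int
    window: int; checksum: int; checksum_ok: bool; options: bytes
    def flag_names(self):  # e.g. ["ACK", "SYN"] for Flags = 0x12 (.A..S.)
        return [name for bit, name in FLAGS.items() if self.flags & bit]

def checksum16(data: bytes) -> int:
    # RFC 1071: sum the 16-bit words, fold the carries back in, invert
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16: total = (total & 0xFFFF) + (total >> 16)
    return total ^ 0xFFFF

def parse_frame(raw: bytes) -> Segment:
    ip = raw[14:]                                    # skip the Ethernet II header
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                          # IP total length excludes the frame padding
    sport, dport, seq, ack, off_flags, win, csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))   # src IP, dst IP, zero, proto 6, TCP length
    ok = checksum16(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]) == csum   # checksum field zeroed
    return Segment(sport, dport, seq, ack, off_flags & 0x3F, win, csum, ok, tcp[20:(off_flags >> 12) * 4])

def decode_frames():
    return [parse_frame(bytes.fromhex(h)) for h in FRAMES]

def verify_handshake(syn, synack, ack) -> bool:
    # SYN; SYN/ACK from the server port acknowledging ISN+1; ACK acknowledging the server's ISN+1
    return (syn.flags == 0x02 and synack.flags == 0x12 and ack.flags == 0x10
            and (synack.sport, synack.dport) == (syn.dport, syn.sport)
            and synack.ack == (syn.seq + 1) & 0xFFFFFFFF and ack.seq == synack.ack
            and ack.ack == (synack.seq + 1) & 0xFFFFFFFF
            and all(s.checksum_ok for s in (syn, synack, ack)))
```

Call decode_frames() to see the parsed fields and verify_handshake(*decode_frames()) for the combined check; Frame 3 is the case where bounding the segment by the IP total length matters, since its six padding bytes are not covered by the checksum.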


[Figure: TCP header layout, 0-31 bits wide, showing the Acknowledgement No, Offset, Res, TCP Flags, Window, TCP Checksum, Urgent Pointer and Options fields]

FIGURE 3.9: TCP Communication Flags
