Published by Enhelion, 2019-11-24 05:35:58

Network Security - MOD4 (II)

MODULE 4: TOOLS FOR NETWORK SCANNING

Detecting an IP address

There are many ways to find an IP address of a host system.

For Windows OS:
One basic way to find an IP Address is:

• Press WINDOWS KEY+R on the keyboard to open up the Run dialog box.
• Type cmd in the Run dialog box and press ENTER.
• Now, in the Windows Command Prompt that opens, type ipconfig and press ENTER.

This will show the internal IP address of the host machine.

For Macintosh OS X:
• Open the System Preferences application
• Click on the Network icon
• Select the interface or the network that is currently active on the left side of the Network settings page.
• After the appropriate network is selected, the IP address will be displayed under the Status field.

For Unix OS:
• Open Terminal
• Type the ifconfig -a command, or if this is not found then use /usr/sbin/ifconfig -a
• There will be a variety of responses. The IP address will be found in the entry that includes the words inet and broadcast. The IP address right after the inet field is the IPv4 address of the host machine. For example,
o inet 191.2.4.5 netmask 255.255.0.0 broadcast 191.2.255.255, where 191.2.4.5 is the IP address of the host machine.

Traceroute

Almost all types of operating systems have traceroute pre-installed in them. The commands that
can be used to run traceroute are:

• In Linux: traceroute <IP address or hostname>
• In Windows: tracert <IP address or hostname>

Some of the functions that traceroute is used for are as follows:

1. The geographical location of the target host can be found out.
2. Firewalls can be detected.
3. The operating system can be detected.
4. Information regarding the network topography can be obtained.

1) Target system's geographical location:

Tools:

a) 3D Traceroute
b) Visual Route
c) NeoTrace

2) Detecting a firewall: whether a firewall has been installed in the target network or not can be found out using traceroute. When a traceroute attempt times out, an '*' (asterisk) symbol is displayed in the output. An indication that a firewall may be present in the target network can be obtained by running the traceroute command multiple times at various times of the day and noting the output. A firewall is probably present in the network if the '*' symbol is present in all the outputs obtained throughout the day. When the firewall installed in the target network filters out the traceroute attempts, the target system cannot reply to those traceroute requests, and hence the '*' (asterisk) symbol gets displayed.

3) Detection of operating system: basic TTL values of some operating systems (table columns: Operating System, TTL Value, UDP Value).

4) Information regarding the network topography: the information regarding the following can be found out using traceroute:
a. A remote network's topography information.
b. The physical design of a specific network.
c. The exploitable weaknesses of a specific network.
d. The network's class.

Tools to perform port scanning

1. IPEye
2. Superscan
3. NMAP
4. Netcat
5. Strobe

Nmap
Nmap is a free and open source utility that can be used for scanning target networks. Nmap is utilised for discovering hosts on a network and for performing security testing. IP packets are utilised by Nmap in unique ways to figure out the hosts that are present on the target network, the services running on the target systems and the version numbers of the applications those services belong to, operating systems and their versions, the type of firewalls being used in the network, and much more. Nmap works fine against single hosts, even though it was intended to examine huge networks. Nmap can be installed and used on almost all mainstream operating systems.

Types of Scans:

Some Nmap scan types that are used mostly by ethical hackers are listed below:

• Partial Scan, Full Scan, Fast Scan.
• Ping scan
• Version detection.
• TCP scan
• OS detection.
• Hundreds of available Scripts.
• UDP scan

Basics of a Transmission Control Protocol (TCP) Connection

TCP and UDP are two of the most commonly used protocols on the internet. One should know the working of the TCP protocol to understand how a scanning tool works and how a cyber-attack is launched. The TCP header includes 6 TCP flags. These flags show whether the packet is a synchronisation (SYN), finish (FIN), acknowledgement (ACK), push (PSH), reset (RST), or urgent (URG) packet. A 3-way handshake is utilised by TCP to create and maintain sessions. The 3-way handshake is explained below:

1. Step 1: SYN packet (Source to Destination)
2. Step 2: SYN-ACK packet (Destination to Source)
3. Step 3: ACK packet (Source to Destination)

An ethical hacker can use their own combination of these TCP flags to get a reply from a target
host or launch an attack on the target host.

SYN Flood: this is a Denial-of-Service attack in which the attacking computer sends only SYN packets to the target system. A vast number of half-open sessions get created on the target system as a result of this attack, and the target system's resources get over-utilised, resulting in the target system becoming unusable.

TCP Scan Types:

Full Scan: this scan completes all 3 parts of the 3-way handshake. This is the most reliable scan but it is very noisy and can easily be picked up by IDS systems.
Half-open (SYN) Scan: only the first part of the handshake is used to get the SYN-ACK; the third part (ACK) is not sent back. This can also be picked up by IDS systems.
Stealth Scan: varies the timing and frequency of the scan to avoid detection by an IDS. This is not a full connect scan.
Xmas Scan: sends malformed packets with the FIN, URG and PSH flags set. This is used to bypass firewalls.
ACK Scan: sends only an ACK packet; the receiving end does not know how to respond, as there was no handshake, which causes open ports to return a reset.
FIN Scan: sends a packet with the FIN flag set. This can usually bypass IDS systems.
Null Scan: sends a packet with no flags set. This can also bypass the IDS system in most cases.
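How each of these probes is answered, as an added teaching model in Python (not code from the module): the host side follows the RFC 793 rules that scanners such as Nmap rely on, and the scanner side maps each reply to Nmap's port-state vocabulary. The rfc793 switch is an assumption standing in for stacks (Windows among them) that reset FIN, NULL and Xmas probes even on open ports, which is why the text calls those scans only "usually" effective.

```python
from typing import Optional, Set

# Flag sets a scanner puts in the probe for each scan type described above.
PROBES = {
    "full/half-open": {"SYN"},
    "ack": {"ACK"},
    "fin": {"FIN"},
    "null": set(),
    "xmas": {"FIN", "PSH", "URG"},
}


def host_reply(port_state: str, probe: Set[str], rfc793: bool = True) -> Optional[str]:
    """Flags the target sends back, or None when it stays silent (scanner sees a timeout)."""
    if port_state == "filtered":
        return None                      # firewall drops the probe entirely
    if port_state == "closed":
        return "RST"                     # RFC 793: a closed port resets any segment
    if probe == {"SYN"}:
        return "SYN/ACK"                 # open port begins the 3-way handshake
    if "ACK" in probe:
        return "RST"                     # no connection matches an unsolicited ACK
    # FIN / NULL / Xmas on an open port: an RFC 793 stack drops the segment, but
    # some stacks answer RST regardless (modelled here by rfc793=False, an assumption).
    return None if rfc793 else "RST"


def scanner_verdict(scan_type: str, reply: Optional[str]) -> str:
    """How the scanner interprets the reply, using Nmap's port-state names."""
    if scan_type == "full/half-open":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan_type == "ack":               # ACK scan cannot tell open from closed
        return "unfiltered" if reply == "RST" else "filtered"
    # FIN / NULL / Xmas: silence is ambiguous between open and filtered
    return "closed" if reply == "RST" else "open|filtered"


def scan(scan_type: str, port_state: str, rfc793: bool = True) -> str:
    """Run one probe of scan_type against a port in port_state and return the verdict."""
    return scanner_verdict(scan_type, host_reply(port_state, PROBES[scan_type], rfc793))


if __name__ == "__main__":
    for kind in PROBES:
        print(kind, {st: scan(kind, st) for st in ("open", "closed", "filtered")})
    print("xmas vs non-RFC stack, open port:", scan("xmas", "open", rfc793=False))
```

The last line shows the false negative defenders should expect from FIN/NULL/Xmas probes against non-RFC stacks: an open port is reported as closed.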

UDP Scanning

• Unlike TCP, the UDP protocol does not have many controls or handshakes.
• The UDP process is much simpler.
• The source device sends a UDP request and the destination responds.
• UDP scanning scans only for UDP ports.
• It is less reliable than TCP scanning.
• It may be of limited value, since UDP or ICMP may be blocked at the firewall.

ICMP Scanning

• ICMP is the most common protocol for ping scanning.
• Ping scanning is the most common way of scanning.
• Live hosts may respond to ICMP type 0 or 8.
• Most network scanners include a ping scan.
• Usually it will trigger IDS alerts and is detectable.

Port and service scanning

• Identifying Ports and Services
o This step is the next after scanning to determine live hosts.
o Port scanning is used to determine what network ports are open and listening on a computer.
o Ping/Port/Services scans are frequently run together using the same tool.
o Identifying services and open ports tells us what function a system is performing and the type of operating system being used.
o Exploitation of those services can begin after this step.

• Fingerprinting the operating system
o This step is used to determine the type of operating system being used on the target
system, which can be useful in discovering the vulnerabilities present in the
operating system.
o It works based on the facts that various operating systems implement the TCP/IP
stack differently and the responses to certain scans determine the type of OS. Some
run particular services on certain ports and this is another way of identifying the
OS.

Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is a feature in Nmap using which hackers can automate a lot of tasks by writing scripts in the Lua programming language. These scripts make the hacking tasks very fast and efficient. Hackers can customise the scripts according to their needs. The tasks that can be performed using these scripts range from discovering hosts on the target network and intense version detection to discovering vulnerabilities on the target hosts. Exploitation of vulnerabilities can also be performed using NSE scripts. Scripts are distributed into various categories according to the functions they perform to ease the process of finding the appropriate script for a specific task. Some categories of NSE scripts are default, malware, exploit, vuln, intrusive, and fuzzer.

These NSE scripts could cause damage to the system on which they are executed as they do not
run in a sandboxed environment. A privacy breach could also occur by using these scripts. Hence,
while utilising NSE scripts, one must be cautious, and another thing to take note of is that unless
a script has been deeply inspected and the owner of that script is a trustworthy entity, it should not
be used.

Some commands that can be used for NSE scripts are:
nmap --script "http-*" <IP address or hostname>
nmap --script "not intrusive" <IP address or hostname>
nmap --script "default or safe" <IP address or hostname>

Ping sweeping tools
• WS-Ping Propack: it is based on the Windows OS.
o Using WS-Ping Propack:
▪ Double click the software's icon to execute it.
▪ Select the Ping tab and type in the URL, IP address or the hostname.
▪ Click on start.
▪ The tool starts pinging using 5 different ICMP packets.
▪ If a reply is received, then that tells that the target is connected to the network and is live.
• SuperScan: It has an option to use another protocol for pinging instead of ICMP. It is available for the Windows operating system.
o Using SuperScan on Windows OS:
▪ Double click the SuperScan icon to execute and run it.
▪ Go to tools and in the URL space type the IP address or the domain name.
▪ Click on the Ping button.
▪ The results will be displayed in the output field.
▪ A firewall may be blocking the ping requests, or the target may not be
connected to the internet if there are no replies to the ping requests.
▪ 4 different host discovery methods are supported by SuperScan.
▪ Click on host- service discovery.
▪ SuperScan can use address mark request, ICMP information request and
timestamp request in addition to ICMP Echo request.
▪ An ICMP Echo request can be denied by a firewall, but it is not the same
case for the other 3 types of requests as only a few types of firewalls can
block these requests.
▪ Now, type in the IP address or the hostname of the target.
▪ Click on the Play tab.
▪ It will be confirmed that the target is not connected to the internet if there is
no output yet again.

• Nmap: It is open-source. Alternate protocols can be used for pinging. It is supported by both the Unix and Windows operating systems.
o Using Nmap on Windows OS:
▪ Open the Run dialog box by pressing WINDOWS KEY+R.
▪ Type cmd to open the Windows Command Prompt.
▪ Navigate to the directory in which Nmap is installed using the CD command.
▪ After navigating to the Nmap directory:

❖ To perform a ping scan:
o Type nmap -sP <IP address or hostname>
o The results will show that 1 host is up if the target host is connected to the network and is live.

❖ To perform a scan using ICMP and by also keeping the TCP ACK flag on:
o Type nmap -PA -sP <IP address or hostname>
o If the target is shown to be down, but it can still be accessed via a web browser, then that tells that a firewall is being used.
o An attacker can be fooled by this response if he does not use the web browser to check the target's availability.

❖ To perform a TCP SYN scan:
o Type nmap -PS -sP <IP address or hostname>

❖ To perform an ARP scan:
o Type nmap -PR -sP <IP address or hostname>

• fping
o Using fping on Unix OS:
▪ Open Terminal.
▪ Type fping -f input.txt (input.txt holds the list of target addresses).
▪ This will output a list of IP addresses.

• CPing
• Ping Sweep: This is a tool used by corporations and can be purchased for a certain price.

Countermeasures:

To counter ping sweeping attacks the following tools can be used:

1) scanlogd: it detects ping sweeps and is based on Unix.
2) Ippl: Unix-based tool.
3) pingd: using this tool, false replies can be sent for any ICMP requests. It is based on Unix.
4) Protolog: any probe attempts can be detected and logged using this tool. It is based on Unix.

It can also be inferred from the fact that most of the detection tools are based on Unix that it is a more secure operating system than the Windows OS.

Data enumeration

Data Enumeration means grabbing detailed system information about the target machine, network and hosts. It utilises various techniques that aren't defined as exploits. It is a non-intrusive way to gain valuable technical information. The information includes:

• Groups and Usernames
• SNMP Communities
• OS Fingerprinting

Banner grabbing

This technique is mainly used to figure out the type of operating system being used on the target
systems. It is also referred to as OS fingerprinting. There are two basic types of banner grabbing
techniques, and they are:

i) Active: specially crafted packets are sent to the remote OS and the response is noted. The response is then compared with a database to determine the OS of the target.

ii) Passive
a. Banner grabbing from Error Message
Error message provides information such as Type of Server, Type of OS and
SSL tool used by the remote system.
b. Sniffing the Network
Capturing and analysing packets from the target enables an attacker to
determine OS used by the victim machine.
c. Banner Grabbing and Page Extension
Looking for an extension in the URL may assist in determining the application version on which the website is running. E.g. if 'aspx' is given in the URL, then that usually means that an IIS server and the Windows platform are being used.

Tools of trade:
1) NETCAT.
2) TELNET.
3) ID SERVER.

Scanning for vulnerability

Vulnerability scanning is a technique that can be used to discover the weaknesses present in the
target networks and systems. Using the information provided by vulnerability scanning a hacker
can figure out the ways in which the vulnerabilities present in the target systems can be exploited.
The types of vulnerabilities that can be found in the targets are application and services
vulnerabilities, web application vulnerabilities, network vulnerabilities, misconfigurations in
application and services, etc.

Tools of trade

Vulnerabilities scanning tools:

i) Nessus
ii) Nexpose
iii) GFI LanGuard
iv) Qualys FreeScan
v) MBSA
