Published by Enhelion, 2019-12-02 15:13:02

Mod 4 (Part II)


Module 4 - Tools Used in Ethical Hacking


Scanning is the second step of the hacking process. The information gathered during the
reconnaissance phase is important because it helps fine-tune the search. In this step, networks
are scanned to determine which hosts are live on the network and what they do. There are multiple
types of scans and tools available; the most popular tools are Nmap and SuperScan.

Performing targeted (explicit) searches reduces the time required to discover data and lowers
the odds of the scan being detected and logged by an IDS or anti-virus system. It also reduces
the chance of system administrators being alerted to the activity.

During the scanning phase, the attacker scans the network for specific data, based on the data
assembled during the information gathering phase.

Scanning can include the use of diallers, port scanners, network mapping, ping tools,
vulnerability scanners, etc.

The attacker scans the whole network and finds out which hosts are live and which are dead.
After that scan, the next step is port scanning. In computer networking, a port is an endpoint of
communication. In simple words, ports can be thought of as the doors of a computer through
which it offers its services. There are a total of 65535 ports, some of which are registered by
IANA or by ICANN.

Ports 0 to 1023 are the well-known ports, ports 1024 to 49151 are registered ports, and ports from
49152 to 65535 are dynamic or private ports.

Extracting Information

After scanning completes, the tools return information about the victim/target machine, such as
live machines, ports and their status, OS details, device type, system uptime, the type of
services running on the network, etc., which is then used to launch the attack.

Network scanning is one of the components of information gathering that an attacker uses to
create a profile of the target organization.

Tools of Trade


Nmap is a free and open source utility that can be used for scanning target networks. It is used
for discovering hosts on a network and for performing security testing. Nmap uses IP packets in
novel ways to figure out which hosts are present on the target network, the services running on
those hosts and the version numbers of the applications behind those services, the operating
systems and their versions, the type of firewalls in use on the network, and much more. Nmap
works fine against single hosts, even though it was designed to examine huge networks, and it can
be installed and used on almost all mainstream operating systems.

Types of Scans:

Some Nmap scan types that are used mostly by ethical hackers are listed below:

• Partial scan, full scan, fast scan
• Ping scan
• Version detection
• TCP scan
• OS detection
• Hundreds of available scripts
• UDP scan

• Basics of a Transmission Control Protocol (TCP) Connection

TCP and UDP are two of the most commonly used protocols on the internet. One should know
how the TCP protocol works to understand how a scanning tool works and how a cyber-attack is
launched. The TCP header includes 6 TCP flags, which show whether the packet is a
synchronisation (SYN), finish (FIN), acknowledgement (ACK), push (PSH), reset (RST), or
urgent (URG) packet. TCP uses a 3-way handshake to create and maintain sessions. The 3-way
handshake is explained below:

1. SYN packet (source to destination)
2. SYN-ACK packet (destination to source)
3. ACK packet (source to destination)

An ethical hacker can use their own combination of these TCP flags to elicit a reply from a
target host or to launch an attack on it.

SYN Flood: a Denial-of-Service attack in which the attacking computer sends only SYN packets
to the target system. As a result, a vast number of half-open sessions are created on the target
system, its resources become over-utilised, and the target system becomes unusable.
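As an added illustration (not part of the original module), the following Python replays a constructed sequence of handshake events from the target's point of view and counts, per source address, the sessions that never reached the final ACK. A source holding many half-open sessions is exactly the trace a SYN flood leaves behind. The event format, the state names, the threshold and the sample addresses are assumptions of this example.

```python
from collections import defaultdict

# Constructed threshold: half-open sessions tolerated from one source before it is flagged.
HALF_OPEN_THRESHOLD = 5

# Handshake states from the server's point of view (names are this example's own).
SYN_SEEN, SYN_ACK_SENT, ESTABLISHED = "SYN_SEEN", "SYN_ACK_SENT", "ESTABLISHED"


def track_handshakes(events):
    """Replay handshake events and return {client_ip: count of sessions left half-open}.

    Each event is (direction, client_ip, client_port, server_port, flags), where direction is
    "in" (client -> server) or "out" (server -> client) and flags is "SYN", "SYN-ACK", "ACK"
    or "RST".
    """
    state = {}                                   # (client_ip, client_port, server_port) -> state
    for direction, cip, cport, sport, flags in events:
        key = (cip, cport, sport)
        if flags == "RST":                       # a reset from either side tears the session down
            state.pop(key, None)
        elif direction == "in" and flags == "SYN":                                      # step 1
            state[key] = SYN_SEEN
        elif direction == "out" and flags == "SYN-ACK" and state.get(key) == SYN_SEEN:  # step 2
            state[key] = SYN_ACK_SENT
        elif direction == "in" and flags == "ACK" and state.get(key) == SYN_ACK_SENT:   # step 3
            state[key] = ESTABLISHED
    half_open = defaultdict(int)
    for (cip, _cport, _sport), st in state.items():
        if st != ESTABLISHED:
            half_open[cip] += 1
    return dict(half_open)


def syn_flood_suspects(events, threshold=HALF_OPEN_THRESHOLD):
    """Sources holding at least `threshold` half-open sessions at the end of the replay."""
    return sorted(ip for ip, n in track_handshakes(events).items() if n >= threshold)


def full_handshake(cip, cport, sport):
    """The three events of one completed handshake (used to build the constructed sample)."""
    return [("in", cip, cport, sport, "SYN"),
            ("out", cip, cport, sport, "SYN-ACK"),
            ("in", cip, cport, sport, "ACK")]


# Constructed sample: a normal client that completes two sessions, and a source that opens
# eight sessions with SYN, receives a SYN-ACK each time, and never sends the final ACK.
SAMPLE_EVENTS = full_handshake("192.0.2.10", 51000, 443) + full_handshake("192.0.2.10", 51001, 443)
for port in range(40000, 40008):
    SAMPLE_EVENTS += [("in", "198.51.100.7", port, 443, "SYN"),
                      ("out", "198.51.100.7", port, 443, "SYN-ACK")]

if __name__ == "__main__":
    print("half-open sessions per source:", track_handshakes(SAMPLE_EVENTS))
    print("suspects:", syn_flood_suspects(SAMPLE_EVENTS))
```

Two defender caveats: real floods commonly spoof their source addresses, so the total number of half-open sessions across all sources is the figure that actually exhausts the listen backlog, and the per-source count is only a first signal; and operating systems mitigate the exhaustion itself with SYN cookies, which avoid storing state until the final ACK arrives.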

• TCP Scan Types:
Full Scan: completes all three parts of the 3-way handshake. This is the most reliable scan
but very noisy and can easily be picked up by IDS systems.
Half-open (SYN) Scan: uses only the first part of the handshake to get a SYN-ACK and does
not send the third part (ACK) back. This can also be picked up by IDS systems.
Stealth Scan: varies the timing and frequency of the scan to avoid detection by an IDS.
This is not a full connect scan.
Xmas Scan: sends malformed packets with the FIN, URG and PSH flags set. This is used to
bypass firewalls.
ACK Scan: sends only an ACK packet; as there was no handshake, the receiving end does not
know how to respond, which causes open ports to return a reset.
FIN Scan: sends a packet with only the FIN flag set. This can usually bypass IDS systems.

Null Scan: sends a packet with no flags set. This can also bypass the IDS in most cases.
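To make the flag combinations concrete, here is an added Python example (not from the module and not Nmap's code) that packs a minimal TCP header, decodes the six flag bits, and labels a single inbound segment by the handshake step or scan type whose flag set it matches, following the descriptions above. The header layout follows RFC 793; the label names and the constructed sample segments are this example's own.

```python
import struct
from dataclasses import dataclass

# TCP flag bits (RFC 793): the low six bits of the 16-bit "data offset / reserved / flags" field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))

# Labels are this example's own naming of the handshake steps and scan types described above.
LABELS = {
    "NULL": "no flags: Null scan probe",
    "FIN": "FIN only: FIN scan probe",
    "XMAS": "FIN+PSH+URG: Xmas scan probe",
    "SYN": "SYN only: handshake step 1 (also what a full or half-open scan sends)",
    "SYN-ACK": "SYN+ACK: handshake step 2",
    "ACK": "ACK only: handshake step 3 (or an ACK scan probe if no session exists)",
    "RST": "RST set: reset, the usual reply to a probe that hit a closed port",
    "OTHER": "some other combination (normal data segment or an unusual probe)",
}


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Pack a minimal 20-byte TCP header (no options) so the decoder can be exercised offline.
    The checksum is left at zero because no IP pseudo-header is available here."""
    data_offset_words = 5                              # 5 x 32-bit words = 20 bytes, top 4 bits
    off_res_flags = (data_offset_words << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_res_flags, 65535, 0, 0)     # window, checksum, urgent pointer


def parse_tcp_header(raw):
    """Decode ports and flags from the first 14 bytes of a TCP header; short input is rejected."""
    if len(raw) < 20:
        raise ValueError("TCP header too short: need at least 20 bytes")
    src, dst, _seq, _ack, off_res_flags = struct.unpack("!HHIIH", raw[:14])
    return TcpSegment(src, dst, off_res_flags & 0x3F)


def flag_string(flags):
    """Render a flag bitmask as e.g. 'SYN+ACK'; 'NONE' for a Null segment."""
    return "+".join(name for bit, name in FLAG_NAMES if flags & bit) or "NONE"


def classify_probe(seg):
    """Map one unsolicited inbound segment to the label whose flag set it matches exactly."""
    f = seg.flags
    if f == 0:
        return "NULL"
    if f == FIN:
        return "FIN"
    if f == FIN | PSH | URG:
        return "XMAS"
    if f == SYN:
        return "SYN"
    if f == SYN | ACK:
        return "SYN-ACK"
    if f == ACK:
        return "ACK"
    if f & RST:
        return "RST"
    return "OTHER"


def summarize(raw_segments):
    """Return (src_port, dst_port, flag string, label) per raw header, handy for a log line."""
    rows = []
    for raw in raw_segments:
        seg = parse_tcp_header(raw)
        rows.append((seg.src_port, seg.dst_port, flag_string(seg.flags), classify_probe(seg)))
    return rows


# Constructed sample: one probe of each kind aimed at port 80, plus a normal data segment.
SAMPLE = [
    build_tcp_header(40001, 80, SYN),
    build_tcp_header(40002, 80, FIN | PSH | URG),
    build_tcp_header(40003, 80, 0),
    build_tcp_header(40004, 80, FIN),
    build_tcp_header(40005, 80, ACK),
    build_tcp_header(40006, 80, PSH | ACK),
]

if __name__ == "__main__":
    for src, dst, flags, label in summarize(SAMPLE):
        print(f"{src:>5} -> {dst:<3} {flags:<12} {label:<8} {LABELS[label]}")
```

The classifier deliberately matches exact flag sets: a segment carrying PSH+ACK is ordinary data, not a probe, and a real detector would only raise the NULL, FIN and Xmas labels for segments that arrive with no established session, which is the state a stateful firewall or IDS tracks.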

• UDP Scanning
Unlike TCP, the UDP protocol does not have many controls and has no handshake.
The UDP process is much simpler: the source device sends a UDP request and the destination responds.
UDP scanning looks only for UDP services.
It is less reliable than TCP scanning.
It may be of limited value, since UDP or ICMP may be blocked at the firewall.

• ICMP Scanning
ICMP is the most common protocol used for ping scanning.
Ping scanning is the most common way of scanning.
Live hosts may respond to ICMP type 0 or 8 (echo reply / echo request).
Most network scanners include a ping scan.
It will usually trigger IDS alerts and is detectable.


• Identifying Ports and Services
This is the next step after scanning to determine live hosts.
Identifying open ports and services tells us what function a box is performing and what OS it
is running.
Exploitation of those services can begin after this step.
Port scanning is run to determine which ports a computer is listening on.
Ping, port and service scans are frequently run together using the same tool.

• OS Fingerprinting
This step is used to determine which OS the target system is running, so that vulnerabilities
associated with that OS can then be exploited.

It works on the basis that different operating systems implement the TCP/IP stack differently,
so their responses to certain scans reveal the type of OS. Some operating systems also run
particular services on certain ports, which is another way of identifying the OS.

Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is a feature of Nmap with which hackers can automate many
tasks by writing scripts in the Lua programming language. These scripts make hacking tasks
very fast and efficient, and hackers can customise them according to their needs. The tasks
that can be performed with these scripts range from discovering hosts on the target network
and intense version detection to discovering vulnerabilities on the target hosts; exploitation of
vulnerabilities can also be performed using NSE scripts. Scripts are grouped into categories
according to the functions they perform, to ease the process of finding the appropriate script
for a specific task. Some categories of NSE scripts are default, malware, exploit, vuln,
intrusive, and fuzzer.

These NSE scripts could damage the system on which they are executed, as they do not run in a
sandboxed environment, and a privacy breach could also occur through their use. Hence one
must be cautious while using NSE scripts; in particular, a script should not be used unless it has
been inspected in depth and its owner is a trustworthy entity.

Some commands that can be used for NSE scripts are:
nmap --script "http-*"
nmap --script "not intrusive"
nmap --script "default or safe"
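The --script argument selects scripts by name pattern or by category, and these can be combined with and, or and not (a comma-separated list acts as or). As an added example (not the module's and not Nmap's own code), the Python below evaluates such an expression against a small constructed catalogue of script names and categories, so that the three commands above can be read as set operations over the catalogue. The script names and their category sets are made up for the demo, and the evaluator is a simplified reading of Nmap's documented --script semantics; Nmap additionally accepts file and directory names, which this example omits.

```python
import fnmatch
import re

# Constructed catalogue: script name -> categories. Names and category sets are made up for
# this demo; the category vocabulary is the module's (default, malware, exploit, vuln,
# intrusive, fuzzer) plus "safe" and "discovery".
SCRIPTS = {
    "http-title-demo": {"default", "safe", "discovery"},
    "http-form-fuzz-demo": {"fuzzer", "intrusive"},
    "ssh-hostkey-demo": {"default", "safe", "discovery"},
    "smb-vuln-demo": {"vuln", "intrusive"},
    "ftp-exploit-demo": {"exploit", "intrusive"},
    "malware-check-demo": {"malware", "safe"},
    "dns-brute-demo": {"intrusive", "discovery"},
}

# Tokens: parentheses, commas, and bare words (which may contain shell-style wildcards).
_TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")


def _term_matches(term, name, categories):
    """A bare term is the keyword 'all', a category name, or a (wildcard) script-name pattern."""
    if term == "all" or term in categories:
        return True
    return fnmatch.fnmatchcase(name, term)


class _Selector:
    """Recursive-descent evaluator for one script; precedence: or/comma < and < not < ( )."""

    def __init__(self, tokens, name, categories):
        self.toks, self.i, self.name, self.cats = tokens, 0, name, categories

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        val = self.and_expr()
        while self.peek() in ("or", ","):
            self.take()
            rhs = self.and_expr()            # always parse the right side; no short-circuit
            val = val or rhs
        return val

    def and_expr(self):
        val = self.not_expr()
        while self.peek() == "and":
            self.take()
            rhs = self.not_expr()
            val = val and rhs
        return val

    def not_expr(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "not":
            return not self.not_expr()
        if tok == "(":
            val = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok in (")", ",", "and", "or"):
            raise ValueError(f"unexpected token {tok!r}")
        return _term_matches(tok, self.name, self.cats)


def select_scripts(expression, catalogue=SCRIPTS):
    """Return the sorted script names that the expression selects from the catalogue."""
    tokens = _TOKEN_RE.findall(expression)
    chosen = []
    for name, cats in catalogue.items():
        sel = _Selector(tokens, name, cats)
        matched = sel.expr()
        if sel.i != len(tokens):
            raise ValueError(f"trailing tokens after expression: {tokens[sel.i:]}")
        if matched:
            chosen.append(name)
    return sorted(chosen)


if __name__ == "__main__":
    for expr in ("http-*", "not intrusive", "default or safe", "(vuln or exploit) and not exploit"):
        print(f'--script "{expr}" -> {select_scripts(expr)}')
```

Reading the module's three commands through this evaluator shows why "not intrusive" and "default or safe" are the conservative choices: both exclude every script in the intrusive category, which is where the fuzzer, exploit and brute-force style scripts that can disturb a live system are grouped.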


Data enumeration means grabbing detailed system information about the target machine,
network and hosts. It uses various techniques that are not defined as exploits and is a
non-intrusive way to gain valuable technical information. The information includes:

• Groups and Usernames
• SNMP Communities
• OS Fingerprinting


Banner grabbing is a technique mainly used to figure out the type of operating system used on
the target systems; it is also referred to as OS fingerprinting. There are two basic types of
banner grabbing techniques:

i) Active: specially crafted packets are sent to the remote OS and the response is observed.
The response is then compared with a database to determine the OS which we

ii) Passive
a. Banner grabbing from error messages
Error messages provide information such as the type of server, the type of OS and the
SSL tool used by the remote system.
b. Sniffing the network
Capturing and analysing packets from the target enables an attacker to determine the
OS used by the victim machine.
c. Banner grabbing from page extensions
Looking for an extension in the URL may assist in determining the application version
on which the website is running. E.g., if 'aspx' appears in the URL, that usually means
an IIS server on a Windows platform is being used.

Tools of trade:



Vulnerability scanning is a technique used to discover the weaknesses present in the target
networks and systems. Using the information provided by vulnerability scanning, a hacker can
figure out the ways in which the vulnerabilities present in the target systems can be exploited.
The types of vulnerabilities that can be found in the targets include application and service
vulnerabilities, web application vulnerabilities, network vulnerabilities, misconfigurations in
applications and services, etc.

Tools of trade

Vulnerabilities scanning tools:

i) Nessus.
ii) Nexpose.
iii) GFI LanGuard.
iv) Qualys FreeScan.
v) MBSA.
