Scanning Networks Monday, May 27, 2024
Department of Networks and Communications
Saturday, June 3, 2023
Types of Scanning
Port Scanning –
• Lists the open ports and services.
• Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in.
• The listening state provides information about the OS and the application currently in use.
• Sometimes, active services may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
Types of Scanning
From a security standpoint, these are the ports that every hacker should be aware of. These are often protected by firewalls. Without firewalls, these ports become subject to their own respective vulnerabilities.
Types of Scanning
Network Scanning –
• Lists the active hosts and IP addresses.
• Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.
Vulnerability Scanning –
• Shows the presence of known weaknesses.
• A vulnerability scanner consists of a scanning engine and a catalog.
• The catalog includes a list of common files with known vulnerabilities and common exploits.
What types of vulnerabilities are caught in vulnerability scans?
• Vulnerable Software:
• This category looks for known weaknesses in third-party software and hardware.
• Common Mistakes and Misconfigurations:
• This class of vulnerabilities looks for commonly made mistakes such as incorrectly configured software or a failure to follow security best practices.
• Examples might include web server configurations.
• Encryption Weaknesses:
• Encryption configurations are used to protect data in transit, but there is room for error in these configurations.
• Web Application Vulnerabilities:
• These weaknesses could include cross-site scripting or SQL injection.
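The "scanning engine plus catalog" structure described above, as an added example that is not part of the lecture material: the engine parses service banners into (product, version) pairs and matches them against catalog entries that name an affected version range. All products, versions, hosts and banners below are constructed placeholders, not real advisories.

```python
"""Toy vulnerability scanner: scanning engine + catalog (added example).

Every product name, version range, host and banner here is constructed for
illustration; none refers to a real advisory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogEntry:
    product: str
    first_affected: tuple   # inclusive lower bound of the affected range
    last_affected: tuple    # inclusive upper bound of the affected range
    weakness: str


def parse_version(text):
    """'2.4.49' -> (2, 4, 49). Tuples compare numerically, so 2.4.9 sorts
    below 2.4.49; a plain string comparison would get that wrong."""
    return tuple(int(part) for part in text.split("."))


# Constructed catalog: hypothetical products and ranges.
CATALOG = [
    CatalogEntry("ExampleHTTPd", (2, 4, 10), (2, 4, 49), "path traversal (hypothetical)"),
    CatalogEntry("ExampleFTP", (1, 0, 0), (1, 3, 2), "anonymous upload (hypothetical)"),
]

# Constructed service-version results, as the discovery phase would report them.
BANNERS = [
    {"host": "10.0.0.5", "port": 80, "banner": "ExampleHTTPd/2.4.49"},
    {"host": "10.0.0.5", "port": 21, "banner": "ExampleFTP 1.4.0"},
    {"host": "10.0.0.9", "port": 80, "banner": "ExampleHTTPd/2.4.9"},
    {"host": "10.0.0.9", "port": 22, "banner": "ExampleSSH_9.6"},
]

# product name, one separator character, optional 'v', dotted version
BANNER_RE = re.compile(r"^([A-Za-z]+)[/_ ]v?(\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version tuple), or None when the banner is not parseable."""
    match = BANNER_RE.match(banner)
    if not match:
        return None
    return match.group(1), parse_version(match.group(2))


def scan(banners, catalog):
    """The engine: for every banner, report catalog entries whose affected
    range contains the observed version."""
    findings = []
    for item in banners:
        parsed = parse_banner(item["banner"])
        if parsed is None:
            continue                      # unknown banner: nothing to match
        product, version = parsed
        for entry in catalog:
            if entry.product == product and entry.first_affected <= version <= entry.last_affected:
                findings.append({"host": item["host"], "port": item["port"],
                                 "product": product, "version": version,
                                 "weakness": entry.weakness})
    return findings


if __name__ == "__main__":
    for finding in scan(BANNERS, CATALOG):
        print(finding)
```

The version tuple is the part worth noting: 2.4.9 is not in the range 2.4.10 to 2.4.49, so it is correctly left alone, while a scanner comparing version strings lexically would mis-order 2.4.9 and 2.4.10. A real catalog also needs rules for misconfigurations and weak encryption settings, which no banner match can express.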
Assignment:
Visit this link and prepare a report and possible scenarios about how the TCP flags can be exploited by attackers. (This reference (link) is not enough; you have to search for other references.)
[Link]m/2011/02/tcp-flags-hackers-playground-[Link]?m=1
nmap scanning types
Probe Packet: A packet used in an active measurement experiment to collect knowledge on a given network parameter of interest.
Normally they are crafted packets.
Packet crafting: altering a normal IP packet before transmitting it on a network to test firewall rules, evade intrusion detection, or cause a denial of service.
The various Hping commands are as follows:
hping3 -1 [Link]
• Hping sends an ICMP echo request to [Link] and receives an ICMP reply, similarly to a ping utility.
hping3 -A [Link] -p 80
• Hping can be configured to perform an ACK scan by specifying the argument -A in the command line.
• Hping checks if a host is alive on a network.
• If it finds a live host and an open port, it returns an RST response.
hping3 -2 [Link] -p 80
• Using the argument -2 in the command line specifies that Hping operates in UDP mode.
• It returns an ICMP port unreachable message if it finds the port closed and does not return a message if the port is open.
hping3 [Link] -Q -p 139
• Using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host ([Link]).
hping3 -S [Link] -p 80 --tcp-timestamp
• Many firewalls drop those TCP packets that do not have the TCP Timestamp option set.
• By adding the --tcp-timestamp argument in the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency of the target host ([Link]).
hping3 -8 50-60 -S [Link] -V
• Using the argument -8 or --scan in the command line, you are operating Hping in scan mode to scan a range of ports on the target host.
• Therefore, the above command performs a SYN scan on ports 50–60 on the target host.
The various Hping commands are as follows:
hping3 -F -P -U [Link] -p 80
• This is sometimes called an XMAS scan.
• By adding the arguments -F, -P, and -U in the command line, you are setting the FIN, PUSH, and URG flags in the probe packets.
• By issuing this command, you are performing FIN, PUSH, and URG scans on port 80 on the target host ([Link]).
• If port 80 is open, you will not receive a response (simply because the combination is illogical). If the port is closed, Hping will return an RST response.
hping3 -1 10.0.1.x --rand-dest -I eth0
• Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends an ICMP echo request randomly (--rand-dest) to all the hosts from [Link] to [Link].
• The hosts whose ports are open will respond with an ICMP reply.
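The flag combinations above (FIN+PSH+URG, i.e. XMAS, and FIN alone) never occur in a legitimate handshake, which is exactly what makes them easy to detect on the defending side. The following detection logic is an added example written for this page, not part of the lecture or of hping; it runs over constructed firewall-style log lines (timestamp, source, destination, destination port, TCP flags) and also flags a port sweep, which catches the -8 port-range scan whatever order the ports are probed in. The log format and thresholds are this example's own choices.

```python
"""Detection of illogical TCP flag probes and port sweeps (added example).

The log lines and their format are constructed for this example; a real
deployment would read equivalent records from a firewall or flow export.
"""
from collections import defaultdict

# Constructed inbound packet records: "ts src dst dport flags"
# ("-" means no flags set).
LOG_LINES = [
    "1717000000 203.0.113.7 10.0.0.5 80 FPU",
    "1717000001 203.0.113.7 10.0.0.5 22 FPU",
    "1717000002 198.51.100.3 10.0.0.5 443 S",
    "1717000003 198.51.100.3 10.0.0.5 443 A",
    "1717000004 203.0.113.9 10.0.0.5 21 S",
    "1717000005 203.0.113.9 10.0.0.5 25 S",
    "1717000006 203.0.113.9 10.0.0.5 110 S",
    "1717000007 203.0.113.9 10.0.0.5 143 S",
    "1717000008 203.0.113.9 10.0.0.5 3306 S",
    "1717000009 203.0.113.9 10.0.0.5 8080 S",
    "1717000010 203.0.113.11 10.0.0.5 80 -",
]

# Flag sets with neither SYN nor ACK: not the start of a connection and
# not part of one, so they can only be probes.
PROBE_SIGNATURES = {
    frozenset("FPU"): "XMAS (FIN+PSH+URG)",
    frozenset("F"): "FIN-only",
    frozenset(): "NULL (no flags)",
}


def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "flags": frozenset() if flags == "-" else frozenset(flags)}


def detect_probes(records):
    """One alert per packet whose flag set matches a probe signature."""
    alerts = []
    for rec in records:
        label = PROBE_SIGNATURES.get(rec["flags"])
        if label:
            alerts.append((rec["src"], rec["dport"], label))
    return alerts


def detect_sweeps(records, window=60, threshold=5):
    """Alert when one source touches >= threshold distinct ports on one
    host within `window` seconds. Port order is irrelevant, so randomised
    scan order does not evade this check."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["src"], rec["dst"])].append(rec)
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            ports = {r["dport"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(ports) >= threshold:
                alerts.append((src, dst, len(ports)))
                break                     # one alert per source/destination pair
    return alerts


if __name__ == "__main__":
    records = [parse_line(line) for line in LOG_LINES]
    print("probes:", detect_probes(records))
    print("sweeps:", detect_sweeps(records))
```

The sweep window is deliberately generous (60 seconds) so that a slow sequential scan still crosses the threshold; the trade-off is that a busy legitimate client talking to several services on one host within a minute also trips it, so the threshold should be tuned per environment.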
Nmap Commands
(Host Discovery – Assuming the host IP address is [Link])
Useful for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls.
UDP ping scan is similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host.
The default port number used by Nmap for the UDP ping scan is 40125. This default port number can be configured using DEFAULT_UDP_PROBE_PORT_SPEC during compile time in Nmap.
Alternatives
TCP ACK ping is similar to TCP SYN ping, albeit with minor variations. TCP ACK ping also uses the default port 80.
IP protocol ping tries to send different packets using different IP protocols, hoping to get a response indicating that a host is online.
Multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4) are sent by default when no protocols are specified.
For configuring the default protocols, change DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h during compile time.
Administrators: often use port scanning techniques to verify the security policies of their networks.
Attackers: use them to identify open ports and running services on a host with the intent of compromising the network.
Port states recognized by Nmap
1. Open: The application associated with this port is actively accepting TCP connections or UDP packets on this port.
2. Closed: The port receives and responds to Nmap probe packets, but there is no application listening on it.
3. Filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port.
4. Unfiltered: The port is accessible, but Nmap is unable to determine whether it is open or closed.
• Scanning unfiltered ports with other scan types, such as SYN scan or FIN scan, may help resolve whether the port is open.
5. Open|Filtered: Nmap is unable to determine whether a port is open or filtered.
• This occurs when open ports give no response.
• The lack of response could also mean that a packet filter dropped the probe.
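The five states are decided by a small set of rules on what came back for each probe. The following is an added example, not Nmap's code: it encodes the rules the Nmap reference guide gives for SYN scan (-sS), UDP scan (-sU) and ACK scan (-sA) as pure functions, so the reader can see why the same "no response" yields filtered for one scan and open|filtered for another. The response encoding (tuples and None) and the sample response table are this example's own conventions.

```python
"""Port-state decision rules for SYN, UDP and ACK scans (added example,
not Nmap's own code).

Response encoding used here:
  ("tcp", "SA")     TCP segment carrying the listed flags (S, A, R, ...)
  ("icmp", 3, 13)   ICMP type 3 (destination unreachable) with the given code
  ("udp",)          any UDP datagram sent back by the target
  None              nothing came back after retransmissions
"""

# ICMP destination-unreachable codes that Nmap reports as "filtered":
# net/host/protocol/port unreachable, net/host admin prohibited, etc.
UNREACHABLE_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


def _is_icmp_unreachable(response):
    return (response is not None and response[0] == "icmp"
            and response[1] == 3 and response[2] in UNREACHABLE_FILTERED_CODES)


def syn_scan_state(response):
    """Half-open scan: the target's TCP stack answers the SYN directly."""
    if response is None:
        return "filtered"                 # probe or reply was dropped
    if response[0] == "tcp":
        flags = set(response[1])
        if "S" in flags and "A" in flags:
            return "open"                 # a listener completed step 2 of the handshake
        if "R" in flags:
            return "closed"               # stack reachable, nothing listening
    if _is_icmp_unreachable(response):
        return "filtered"                 # a filtering device answered instead
    raise ValueError("unrecognized response: %r" % (response,))


def udp_scan_state(response):
    """UDP has no handshake, so silence is ambiguous."""
    if response is None:
        return "open|filtered"            # open services rarely answer; so do dropped probes
    if response[0] == "udp":
        return "open"
    if response[0] == "icmp" and response[1:] == (3, 3):
        return "closed"                   # port unreachable: stack answered, nobody listens
    if _is_icmp_unreachable(response):
        return "filtered"
    raise ValueError("unrecognized response: %r" % (response,))


def ack_scan_state(response):
    """ACK probes never open a connection; an RST from either an open or a
    closed port only proves the port is reachable, hence 'unfiltered'."""
    if response is None:
        return "filtered"
    if response[0] == "tcp" and "R" in response[1]:
        return "unfiltered"
    if _is_icmp_unreachable(response):
        return "filtered"
    raise ValueError("unrecognized response: %r" % (response,))


def classify_all(responses, rule):
    """Apply one scan's rule to a {port: response} table."""
    return {port: rule(resp) for port, resp in sorted(responses.items())}


# Constructed responses to a SYN scan of four ports on one host.
SAMPLE_SYN_RESPONSES = {22: ("tcp", "SA"), 23: ("tcp", "R"),
                        25: None, 80: ("icmp", 3, 13)}

if __name__ == "__main__":
    print(classify_all(SAMPLE_SYN_RESPONSES, syn_scan_state))
```

The practical lesson for anyone reading scan reports: "filtered" on port 25 and "filtered" on port 80 in the sample are produced by different evidence (silence versus an explicit ICMP admin-prohibited message), and only the second tells you a filtering device actually exists on the path.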
RFC793
Filtered ports:
• A firewall is in use.
• This usually means that a request packet was filtered out and/or blocked by a firewall.
Service Version Discovery
• Every port is assigned a specific service and every service has its own version.
• Some versions of the services are insecure.
OS Discovery using Nmap Script Engine
Nmap Scripting Engine (NSE)
• can be used to automate a wide variety of networking tasks by allowing users to write and share scripts.
• smb-os-discovery is an inbuilt script used for collecting OS information using the Server Message Block (SMB) protocol.
Packet fragmentation
• Splitting of a probe packet into several smaller packets (fragments).
• When these packets reach a host, the IDS and firewalls generally queue all of them and process them one by one.
• However, since this method of processing involves greater CPU and network resource consumption, most IDS configurations skip fragmented packets during port scans.
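To make concrete why an IDS that skips fragments cannot see the probe, here is an added example (not from the lecture and not Nmap code) that builds a 20-byte TCP header, splits it into 8-byte IPv4-style fragments the way a fragmenting scanner would, and then performs the queue-and-reassemble step the IDS has to do before the flags byte becomes visible. Nothing is sent on a network; the fragments are constructed in memory and the TCP ports and sequence number are placeholders.

```python
"""IPv4 fragment reassembly versus inspecting fragments one by one
(added example; all packets are constructed in memory, nothing is sent)."""
import struct

# TCP flag bits (low byte of the 16-bit data-offset/flags field)
TCP_FIN, TCP_SYN, TCP_PSH, TCP_URG = 0x01, 0x02, 0x08, 0x20


def build_tcp_header(sport, dport, flags):
    """20-byte TCP header without options, field order per RFC 793:
    source port, destination port, sequence, acknowledgement,
    data offset + flags, window, checksum, urgent pointer.
    Ports and sequence number are constructed values."""
    data_offset = 5 << 12                 # 5 words, stored in the top 4 bits
    return struct.pack("!HHIIHHHH", sport, dport, 0x12345678, 0,
                       data_offset | flags, 1024, 0, 0)


def fragment(ident, payload, size=8):
    """Split a payload as the IP layer would. Each fragment is
    (identification, offset in 8-byte units, more-fragments flag, data).
    size=8 is the smallest legal fragment."""
    assert size % 8 == 0, "fragment offsets are counted in 8-byte units"
    frags = []
    for start in range(0, len(payload), size):
        chunk = payload[start:start + size]
        more = start + size < len(payload)
        frags.append((ident, start // 8, more, chunk))
    return frags


def reassemble(fragments):
    """The IDS/firewall side: queue fragments per identification value and
    rebuild a datagram only once a contiguous run from offset 0 up to the
    last fragment (MF=0) is present. Incomplete datagrams are not returned."""
    queue = {}
    for ident, off, more, data in fragments:
        queue.setdefault(ident, []).append((off, more, data))
    datagrams = {}
    for ident, parts in queue.items():
        parts.sort()                      # arrival order is irrelevant
        buf, expected, complete = b"", 0, False
        for off, more, data in parts:
            if off * 8 != expected:
                break                     # gap: a fragment is still missing
            buf += data
            expected += len(data)
            if not more:
                complete = True
                break
        if complete:
            datagrams[ident] = buf
    return datagrams


def tcp_flags(segment):
    """Read the 9 flag bits from bytes 12-13 of a TCP header."""
    return struct.unpack("!H", segment[12:14])[0] & 0x01FF


def flags_visible_in_first_fragment(fragments):
    """True only if the first fragment reaches byte 13, where the flags sit.
    An 8-byte first fragment carries only the ports and sequence number."""
    first = next(data for _, off, _, data in fragments if off == 0)
    return len(first) >= 14


if __name__ == "__main__":
    probe = build_tcp_header(40000, 80, TCP_FIN | TCP_PSH | TCP_URG)
    frags = fragment(7, probe)
    print("first fragment shows flags:", flags_visible_in_first_fragment(frags))
    rebuilt = reassemble(list(reversed(frags)))
    print("flags after reassembly: 0x%02x" % tcp_flags(rebuilt[7]))
```

The point the slide makes falls out directly: a sensor that judges each 8-byte fragment on its own sees ports and a sequence number but never the flags byte, so it cannot tell a SYN from a FIN/PSH/URG probe. The cost the slide mentions is also visible in the code, namely per-datagram queue state that must be kept until the last fragment arrives or a timeout expires.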
In this technique, the attacker sends packets to the target using different IP addresses. Only one of the packets contains the attacker's IP address. In this way, the victim will not know who the real attacker is.
Network firewalls filter packets based on the source Media Access Control (MAC) address.
Attackers use the --spoof-mac Nmap option to set a specific MAC address for the packets to evade firewalls.
Scanning target hosts in a random order instead of sequentially.
If there is a response, then it is from the IDS or firewall.
If there is no response, then it can be inferred that the system is misconfigured.
• To hide the actual source of a scan and evade certain IDS/firewall restrictions.
• To hide the source IP address.
• To remotely access intranets and other website resources that are normally restricted.
• To interrupt all the requests sent by a user and transmit them to a third destination; hence, victims will only be able to identify the proxy server address.
• To chain multiple proxy servers to avoid detection.