Monday, 31 August 2015

Ethical Hacking - Module 3 : Scanning

Scanning Life Cycle

1. Identify the Live Host

2. Identify the Open Port

3. Banner Grabbing: identify the services

4. Scanning beyond Firewall / IDS

5. Vulnerability Scanning

6. Drawing Network Topology

7. Using Proxy

Some further classifications include:

Port scanning: open ports and services
Network scanning: IP addresses
Vulnerability scanning: presence of known weaknesses

1. Identify Live Hosts

Ping sweep

# nmap -sn 192.168.13.*

A normal PING request sends an ICMP echo request to the target host, which in turn replies with an ICMP echo reply.

A ping sweep is simply a technique for finding out which hosts are alive in a network or a large range of IP addresses.

# nmap -sP

Ping Sweeping with fping command

You can also use the fping command to do ping sweeping. You can install fping through yum. fping is commonly used to send ICMP echo requests to a large number of hosts (a ping sweep).

By default, when you ping a large number of hosts with fping, it reports a host as unreachable if there is no echo reply from that host.

You can also give a network address or a range of IP addresses as the argument to fping to do ping sweeping, as shown below.

Ping Sweeping a Network Which Has Blocked ICMP

Many network security teams block ICMP traffic directed at their network, which prevents ping sweeping. In such cases nmap has a good option for determining which hosts are alive in the network.

To achieve this, nmap probes the network with TCP instead of ICMP. This is called a TCP ping scan, and it can be done in the following way.

In the above method, nmap attempts a connection to port 80 and uses the response to determine whether the host is alive (it does not matter if the port is not open on the target host, but traffic to that target port must be allowed through the network). The same thing can be achieved with the hping utility.

A firewalled host with blocked ICMP will not respond to the ICMP echo request. The obvious basic use of this scan is to find all active hosts on the network. This set of two commands gives a list of all active IP addresses in the range:

# nmap -sP -n -oG hostlist    ## grep'able output file, hostlist
# grep "Status: Up" hostlist | cut -d " " -f2 > iplist    ## list of all active IPs in the target range, iplist (skips the "# Nmap ..." header and footer lines)
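The hostlist/iplist pipeline above depends on the layout of nmap's grepable output. As an added example (not part of the original post), here is a small Python parser for that -oG format that builds a live-host and open-port inventory from a constructed sample; the sample text and addresses are made up.

```python
import re

# Constructed sample of nmap "grepable" (-oG) output: '#' header/footer lines,
# one "Host:" line per host, tab-separated fields such as "Status:" and "Ports:".
SAMPLE_OG = (
    "# Nmap 3.81 scan initiated as: nmap -sP -n -oG hostlist 192.168.13.0/24\n"
    "Host: 192.168.13.1 ()\tStatus: Up\n"
    "Host: 192.168.13.7 ()\tStatus: Down\n"
    "Host: 192.168.13.20 ()\tStatus: Up\n"
    "Host: 192.168.13.20 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, "
    "443/closed/tcp//https///\tIgnored State: closed (1660)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.242 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Return one dict per 'Host:' line: {'ip': ..., '<Field>': '<value>', ...}."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' lines carry no host data
        fields = line.split("\t")
        rec = {"ip": HOST_RE.match(fields[0]).group(1)}
        for field in fields[1:]:          # e.g. "Status: Up", "Ports: 80/open/..."
            name, _, value = field.partition(": ")
            rec[name] = value
        records.append(rec)
    return records


def live_hosts(text):
    """IPs reported 'Status: Up', in first-seen order, without duplicates."""
    return list(dict.fromkeys(r["ip"] for r in parse_grepable(text) if r.get("Status") == "Up"))


def open_ports(text):
    """{ip: sorted open port numbers} taken from any 'Ports:' fields present."""
    result = {}
    for rec in parse_grepable(text):
        if "Ports" not in rec:
            continue
        opened = []
        for entry in rec["Ports"].split(", "):
            port, state, _proto = entry.split("/")[:3]   # port/state/proto/owner/service/...
            if state == "open":
                opened.append(int(port))
        result[rec["ip"]] = sorted(opened)
    return result
```

Pointing `open_ports` at the output of a `-sS -oG` run gives the same inventory the `Interesting ports` table shows, in a form that can be diffed between scans.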

The ping scan uses only one packet for the request, and may get one packet in response, thus making it the fastest of all Nmap scan types, with the lowest footprint. The ping scan cannot be combined with other scan types.

Very difficult to trace: only two standard ICMP frames, which are very common in network traffic, are required to complete the scan.

Root privilege is not required to run the scan.

Yields a device inventory by identifying active devices on the


2. Identify Open Ports

Below are the different kinds of scans for finding open ports on a system.

2.1 TCP Connect Scan

# nmap -sT -v

Requires Privileged Access: NO
Identifies TCP Ports: YES
Identifies UDP Ports: NO

The TCP connect() scan is named after the connect() call that's used by the operating system to initiate a TCP connection to a remote device. The TCP connect() scan uses a normal TCP connection to determine if a port is available. This scan method uses the same TCP handshake connection that every other TCP-based application uses on the network. 


As the trace file excerpt shows, the TCP connect() scan completed the TCP three-way handshake and then immediately sent a reset (RST) packet to close the connection.

Unlike the TCP SYN scan, the nmap output shows that very few raw packets were required for the TCP connect() process to complete:

# nmap -sT -v

Starting nmap 3.81 ( ) at 2005-04-11 12:30 EDT
Initiating Connect() Scan against [1663 ports] at 12:30
Discovered open port 3389/tcp on
Discovered open port 80/tcp on
Discovered open port 3306/tcp on
Discovered open port 445/tcp on
Discovered open port 139/tcp on
Discovered open port 520/tcp on
Discovered open port 135/tcp on
The Connect() Scan took 1.45s to scan 1663 total ports.
Host appears to be up ... good.
Interesting ports on
(The 1656 ports scanned but not shown below are in state: closed)
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
520/tcp  open  efs
3306/tcp open  mysql
3389/tcp open  ms-term-serv
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 2.242 seconds
               Raw packets sent: 2 (68B) | Rcvd: 1 (46B)

Advantages of the TCP connect() Scan
No special privileges are required to run the TCP connect() scan. Nmap uses the operating system's normal method of connecting to remote devices via TCP before it tears down the connection with the RST packet. Because these are TCP-based methods that any user can employ, no additional rights or privileges are required.

Disadvantages of the TCP connect() Scan
The disadvantage of this scan is apparent when application connection logs are examined. Since the TCP connect() scan is completing a TCP connection, normal application processes immediately follow

When to use the TCP connect() Scan
Because this scan is so obvious when browsing through the application event logs, it might be considered the TCP scan of last resort. If privileged access isn't available and determination of open TCP ports is absolutely necessary, however, this scan may be the only method available.

The only alternative to the TCP connect() scan that does not require privileged access but still scans TCP ports is the FTP bounce attack (-b). Given the small number of susceptible FTP servers that will participate in a bounce attack, this option is becoming less viable.

Try not to use the connect() scan unless it's absolutely necessary. It's very obvious (in both network traces and in application log files), and it uses many more system and application resources than the SYN scan! 

2.2 SYN Scan / half open / half connect / stealth scan

# nmap -sS -v

Requires Privileged Access: YES
Identifies TCP Ports: YES
Identifies UDP Ports: NO

The TCP SYN scan uses common methods of port-identification that allow nmap to gather information about open ports without completing the TCP handshake process. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.

If a scan type is not specified on the nmap command line and nmap currently has privileged access to the host (root or administrator), the TCP SYN scan is used by default.

TCP SYN Scan Operation
Most of the ports queried during the TCP SYN scan will probably be closed. A closed port answers the TCP SYN frame with a RST frame from the destination station.

If nmap receives a SYN/ACK acknowledgment to its SYN request, then the port is open. Nmap then sends an RST to reset the session, so the handshake is never completed.


The nmap output shows the results of this TCP SYN scan. As expected, most of the packets sent during this scan were built using the operating system's raw sockets:

# nmap -sS -v

Starting nmap 3.81 ( ) at 2005-04-11 12:25 EDT
Initiating SYN Stealth Scan against [1663 ports] at 12:25
Discovered open port 80/tcp on
Discovered open port 3389/tcp on
Discovered open port 3306/tcp on
Discovered open port 139/tcp on
Discovered open port 135/tcp on
Discovered open port 520/tcp on
Discovered open port 445/tcp on
The SYN Stealth Scan took 1.35s to scan 1663 total ports.
Host appears to be up ... good.
Interesting ports on
(The 1656 ports scanned but not shown below are in state: closed)
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
520/tcp  open  efs
3306/tcp open  mysql
3389/tcp open  ms-term-serv
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 2.117 seconds
  Raw packets sent: 1705 (68.2KB) | Rcvd: 1664 (76.5KB)

Advantages of the TCP SYN Scan
The TCP SYN scan never actually creates a TCP session, so it isn't logged by the destination host's applications. This is a much "quieter" scan than the TCP connect() scan, and there's less visibility in the destination system's application logs since no sessions are ever initiated. Since an application session is never opened, the SYN scan is also less stressful to the application service.

Disadvantages of the TCP SYN Scan
The TCP SYN scan requires that nmap have privileged access to the system. Without privileged access, nmap can't create the raw packets necessary for this half-open connection process.

When to use the TCP SYN Scan
The SYN scan is a common scan when looking for open ports on a remote device, and its simple SYN methodology works on all operating systems. Because it only half-opens the TCP connections, it's considered a very 'clean' scan type.

The TCP SYN scan only provides open, closed, or filtered port information. To determine operating system or process version information, more intrusive scanning is required, such as the version scan (-sV) or the operating system fingerprinting (-O) option.

The TCP SYN scan is the most common scan to use because it works on all networks, across all operating systems, and it's invisible to applications. If the SYN scan didn't work, then TCP wouldn't work! 

2.3 FIN Scan

# nmap -sF

The standard use of a FIN packet is to terminate a TCP connection, typically after the data transfer is complete. Nmap initiates a FIN scan with a FIN packet instead of a SYN packet. Since there has been no earlier communication between the scanning host and the target host, the target responds with an RST packet to reset the connection. However, by doing so, it reveals its presence.

Stealth scanning: the FIN scan (-sF), Xmas Tree scan (-sX), Null scan (-sN), and SYN scan (-sS)

The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking. If a TCP session isn't active, the session certainly can't be formally closed!
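The scans in 2.1 to 2.3 each leave a distinctive flag sequence on the wire: connect() completes the handshake and then resets, the SYN scan resets right after the SYN/ACK, and a FIN probe arrives with no session at all. As an added example from the defender's side (not part of the original post), this Python script labels constructed flow records by those patterns and reports sources whose probes touch many ports; the flows and addresses are made up, and the silent-open-port case for FIN is standard TCP behaviour rather than something the post states.

```python
from collections import Counter, defaultdict

# Constructed sample flows, not real captures: (src, dst, dport, trace), where
# each trace entry is (sender: "c" client / "s" server, TCP flags), in order.
FLOWS = [
    # 10.0.0.5 half-opens 80 and 139 (SYN, SYN/ACK, RST) and hits five closed ports
    ("10.0.0.5", "10.0.0.20", 80, [("c", "SYN"), ("s", "SYN/ACK"), ("c", "RST")]),
    ("10.0.0.5", "10.0.0.20", 139, [("c", "SYN"), ("s", "SYN/ACK"), ("c", "RST")]),
    *[("10.0.0.5", "10.0.0.20", p, [("c", "SYN"), ("s", "RST/ACK")]) for p in (21, 22, 23, 25, 110)],
    # 10.0.0.7: a connect() probe (full handshake, then RST with no data) and two FIN probes
    ("10.0.0.7", "10.0.0.20", 80, [("c", "SYN"), ("s", "SYN/ACK"), ("c", "ACK"), ("c", "RST")]),
    ("10.0.0.7", "10.0.0.20", 443, [("c", "FIN")]),                # open port: no reply at all
    ("10.0.0.7", "10.0.0.20", 8080, [("c", "FIN"), ("s", "RST")]),  # closed port: RST, as in 2.3
    # 10.0.0.9 is an ordinary web client: handshake followed by data in both directions
    ("10.0.0.9", "10.0.0.20", 80, [("c", "SYN"), ("s", "SYN/ACK"), ("c", "ACK"),
                                   ("c", "PSH/ACK"), ("s", "PSH/ACK")]),
]

HANDSHAKE = [("c", "SYN"), ("s", "SYN/ACK")]
PROBE_LABELS = {"half-open", "connect-scan", "syn-closed", "fin-closed", "fin-open|filtered"}


def classify_flow(trace):
    """Label one flow by the flag pattern each scan type in 2.1 to 2.3 leaves behind."""
    if trace[:1] == [("c", "FIN")]:
        # FIN with no prior session: a closed port answers RST, an open port stays silent
        return "fin-closed" if trace[1:2] == [("s", "RST")] else "fin-open|filtered"
    if trace[:2] == HANDSHAKE:
        if trace[2:3] == [("c", "RST")]:
            return "half-open"        # SYN scan: reset before the handshake completes
        if trace[2:] == [("c", "ACK"), ("c", "RST")]:
            return "connect-scan"     # connect() scan: handshake, then immediate reset
        if trace[2:3] == [("c", "ACK")]:
            return "session"          # completed handshake that went on to carry data
    if trace == [("c", "SYN"), ("s", "RST/ACK")]:
        return "syn-closed"           # SYN to a closed port, answered with RST
    return "other"


def scan_sources(flows, min_ports=5):
    """{src: (distinct ports probed, most common probe label)} for every source
    whose probe-like flows touch at least min_ports distinct ports."""
    ports = defaultdict(set)
    labels = defaultdict(Counter)
    for src, _dst, dport, trace in flows:
        label = classify_flow(trace)
        if label in PROBE_LABELS:
            ports[src].add(dport)
            labels[src][label] += 1
    return {src: (len(p), labels[src].most_common(1)[0][0])
            for src, p in ports.items() if len(p) >= min_ports}
```

Because the SYN scan never opens an application session, this network-level view is where it shows up; the connect() scan would additionally appear in the application's own logs.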

In this FIN scan, TCP port 443 is closed so the remote station sends a RST frame response to the FIN packet: