Monday, 31 August 2015

Ethical Hacking - Module 3 : Scanning (Part 3)

3. Banner Grabbing or OS Fingerprinting

Banner grabbing falls into two categories:
  1. Active banner grabbing
  2. Passive banner grabbing
Active Banner grabbing

Specially crafted packets are sent to the target operating system and its responses are recorded.

The responses are then matched with a database to determine the Operating System.

The responses from different operating systems vary because of differences in their TCP/IP stack implementations.

Passive Banner grabbing
Banner grabbing from error messages:-
Error messages reveal information such as the type of server and the type of operating system.


Sniffing the network traffic:-
Capturing network traffic and analysing the packets sent by the target system lets an attacker determine the operating system the target is running, without sending any probes of their own.

Banner grabbing from page extensions:-
Looking at the file extension in a URL can help determine the application platform and, sometimes, its version, e.g. .aspx => an IIS server on a Windows platform.

  • .asp/.aspx: a sure sign that the host is running Microsoft Active Server Pages technology.
  • .jsp: Java-based web technology. Most of the time the database used with JSP is MySQL; this can be used as a guess.
  • .cfm: Macromedia ColdFusion.
  • .asmx: .NET/J2EE.
  • .jws: Java web services.
  • .wsdl: Web Service Definition Language (WSDL).


ID Serve: install the ID Serve software, give it the domain name and port you want to grab, and it reports the details.

Netcraft: gives details about a domain.


$ nc 80

host: localhost

HTTP/1.1 302 Found
Date: Mon, 07 Jan 2013 22:41:20 GMT
Server: Apache
X-Powered-By: PHP/4.3.11
Location: ./user/index.php
Connection: close
Content-Type: text/html

# nc 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request


$ curl -I
HTTP/1.1 200 OK
Date: Mon, 07 Jan 2013 22:42:08 GMT
Server: Apache
Last-Modified: Mon, 10 Sep 2012 11:34:38 GMT
ETag: "580005-1270-504dd04e"
Accept-Ranges: bytes
Content-Length: 4720
Connection: close
Content-Type: text/html


$ telnet 80
Connected to
Escape character is '^]'.
host: localhost

HTTP/1.1 302 Found
Date: Mon, 07 Jan 2013 22:52:27 GMT
Server: Apache
X-Powered-By: PHP/4.3.11
Location: ./user/index.php
Connection: close
Content-Type: text/html

Connection closed by foreign host.


$ nmap -sV -p 80 --script=banner
Starting Nmap 6.01 ( ) at 2013-01-08 00:14 CET
Nmap scan report for (
Host is up (0.030s latency).
rDNS record for
80/tcp open  http    Apache httpd

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 16.56 seconds


# wget -q -S
HTTP/1.1 200 OK
  Date: Mon, 07 Jan 2013 23:43:56 GMT
  Server: Apache
  Last-Modified: Mon, 10 Sep 2012 11:34:38 GMT
  ETag: "580005-1270-504dd04e"
  Accept-Ranges: bytes
  Content-Length: 4720
  Connection: close
  Content-Type: text/html

The banner might look something like the following:
<html><head><title>501 Method Not Implemented</title>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ Server at Port 80</address>
The HTML is an error page; the errors themselves can be ignored. The real information is at the end, in the <address> section, which gives the following:
  • Apache/2.2.25 (Unix) – an Apache web server, version 2.2.25, running on a Unix system.
  • mod_ssl/2.2.25 – the Apache module that provides SSL and TLS support.
  • OpenSSL/1.0.0-fips – an open-source implementation of the SSL and TLS protocols, built in FIPS (Federal Information Processing Standard) mode.
  • mod_auth_passthrough/2.1 – an Apache module that lets other programs use their own authentication methods.
  • mod_bwlimited/1.4 – a cPanel module used for monitoring bandwidth.
  • FrontPage/ – the FrontPage extensions are enabled.
  • Server at Port 80 – the host (IP or name) and the port number.
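Reading a banner like the one above by hand is fine once; a defender auditing their own web estate wants it done mechanically, so that a server still announcing module versions after a hardening change shows up in a report. The following parser is an added example and is not part of the original post or any of the tools it mentions. It splits a raw HTTP response into status line, headers and body, pulls product/version tokens out of the Server and X-Powered-By headers and out of the Apache <address> signature, and reports which products leak a version string. The sample responses are constructed for the example (the host name www.example.com and the 192.0.2.x style values are placeholders), and the hardened sample shows what the same check returns once ServerTokens Prod and ServerSignature Off are in effect.

```python
"""Parse an HTTP banner into product/version components (added example, not the post's own code)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Product(NamedTuple):
    name: str
    version: Optional[str]   # None when the token carries no "/version" part
    comment: Optional[str]   # e.g. "Unix" from "Apache/2.2.25 (Unix)"


# One "name/version (comment)" token; both the version and the comment are optional.
TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)(?:/(\S*))?(?:\s+\(([^)]*)\))?")
ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)
# Apache's ServerSignature line: "<products> Server at <host> Port <n>"; the host may be absent.
SERVER_AT_RE = re.compile(r"(.*?)\s*Server at(?:\s+(\S+?))?\s+Port\s+(\d+)", re.S)

# Constructed sample in the shape of the error banner discussed above (host is a placeholder).
SAMPLE_RESPONSE = (
    "HTTP/1.1 501 Method Not Implemented\r\n"
    "Date: Mon, 07 Jan 2013 22:41:20 GMT\r\n"
    "Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips\r\n"
    "X-Powered-By: PHP/4.3.11\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>501 Method Not Implemented</title></head><body>\r\n"
    "<h1>Method Not Implemented</h1>\r\n"
    "<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips "
    "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ "
    "Server at www.example.com Port 80</address>\r\n"
    "</body></html>\r\n"
)

# Constructed sample of the same server after ServerTokens Prod / ServerSignature Off.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>\r\n"
)


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_products(text: str) -> List[Product]:
    """Tokenise 'Apache/2.2.25 (Unix) mod_ssl/2.2.25 ...' into Product records."""
    return [Product(m.group(1), m.group(2), m.group(3)) for m in TOKEN_RE.finditer(text)]


def parse_signature(sig: str) -> Tuple[List[Product], Optional[str], Optional[int]]:
    """Split an Apache ServerSignature line into products, host and port."""
    m = SERVER_AT_RE.match(sig.strip())
    if not m:
        return parse_products(sig), None, None
    return parse_products(m.group(1)), m.group(2), int(m.group(3))


def summarize_banner(raw: str) -> dict:
    """Collect every product the response discloses, from headers and from the <address> block."""
    status, headers, body = split_response(raw)
    products: List[Product] = []
    for hdr in ("server", "x-powered-by"):
        if hdr in headers:
            products.extend(parse_products(headers[hdr]))
    host = port = None
    m = ADDRESS_RE.search(body)
    if m:
        sig_products, host, port = parse_signature(m.group(1))
        products.extend(sig_products)
    unique: Dict[str, Product] = {}
    for p in products:
        # keep one record per product, preferring the first one that carries a version
        if p.name not in unique or (not unique[p.name].version and p.version):
            unique[p.name] = p
    return {"status": status, "host": host, "port": port, "products": list(unique.values())}


def version_leaks(summary: dict) -> List[str]:
    """Names of products whose banner exposes a version string (empty on a hardened server)."""
    return [p.name for p in summary["products"] if p.version]


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HARDENED_RESPONSE):
        s = summarize_banner(raw)
        print(s["status"], "->", version_leaks(s) or "no version strings exposed")
```

Run against the verbose sample the check lists Apache, mod_ssl, OpenSSL, PHP, mod_auth_passthrough and mod_bwlimited as leaking versions (FrontPage/ has no version in the banner, as on this page); the hardened sample yields an empty list because "Server: Apache" carries no version and the <address> block is gone.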

4. Scanning Beyond IDS / Firewall

Intrusion Detection System (IDS) –> An IDS detects malicious activity by inspecting all inbound and outbound network traffic and automatically alerts the network security administrators when someone is performing malicious or suspicious actions.
Attackers can fool an IDS into treating their traffic as legitimate, using techniques such as fragmentation and obfuscation to avoid detection.

Fragmentation –> Fragmentation means breaking a single packet into multiple smaller packets so that they can traverse the network. These smaller packets are called fragments.
An attacker can bypass an IDS with a port scanner that supports fragmentation, such as Nmap. This works because many IDSs fail to fully process a large volume of fragmented packets, since reassembling them costs CPU time and memory. To accomplish this task we use SYN/FIN scanning with IP fragments.

SYN/FIN Scanning Using IP Fragments –> The TCP header is split across multiple IP fragments so that the IDS cannot tell from any single packet what the packet intends to do.

# nmap -sS -T4 -A -f -v <IP address>
  eg: nmap -sS -T4 -A -f -v

  -sS               SYN scan
  -T<0-5>           Set timing template (higher is faster)
  -A                Enable OS detection, version detection, script scanning, and traceroute
  -f; --mtu <val>   Fragment packets (optionally with the given MTU)
  -v                Verbose

We can also use Nessus.

There are also two types of IDS/IPS that might be installed on the target machine, and this is a situation a penetration tester needs to handle. Nmap offers many techniques that can be used in this situation, for example:

TCP ACK Scan (-sA)

It is often better to send ACK packets rather than SYN packets: if there is an active firewall on the remote computer, the ACK packets usually do not cause it to create a log entry, because the firewall treats an ACK as the response to an earlier SYN rather than as a new connection attempt.

As a penetration tester you need to check the response of the firewall; there are four possible port states:
  • Open (few ports, in the case of a firewall)
  • Closed (most ports are closed because of the firewall)
  • Filtered (Nmap cannot tell whether the port is open or not)
  • Unfiltered (Nmap can reach the port but still cannot determine whether it is open)
These are the important responses you may get during a penetration test. The ACK scan differs from the other scan types because it is not designed to discover open ports; instead it determines whether a port is filtered or unfiltered. Let's compare the two results of an ACK scan.

So it is now easy to find out whether the target computer has a firewall enabled: a simple ACK scan has a low chance of detection on the victim side but a high chance of revealing the firewall to the attacker. The results of a SYN scan for both situations are as follows:

Note: The victim is a Windows computer in all three situations:
  • Firewall enabled
  • Firewall enabled + all ports closed
  • Firewall disabled
TCP Window Scan (-sW)

Very similar to the ACK scan, with one difference: the TCP window scan is designed to differentiate between open and closed ports instead of only reporting unfiltered. It also requires root privileges to run. Let's examine the different responses of a TCP window scan.


This type of scan does not open a session with the target computer, so there is little chance of the victim's computer logging the activity. It works on a simple principle: send an ACK packet and receive a single RST packet in response, whose TCP window field is what the scan examines to decide between open and closed.

Fragment Packets (-f)

This is a very general concept and can be used in many situations; for example, if the target machine cannot handle larger packets then fragmentation is useful for evading the firewall. The parameter for this technique is -f; it splits the request into small IP packets called fragments. You can use -f twice (-ff) if you want to break the headers into even smaller fragments.


Specify a specific MTU

Nmap lets the user set a specific MTU (Maximum Transmission Unit) for the packets. This is similar to the packet fragmentation technique explained above: during the scan Nmap creates packets whose size is based on the number we give. In this example we gave the number 24, so Nmap creates 24-byte packets, confusing the firewall. Keep in mind that the MTU value must be a multiple of 8 (8, 16, 24, 32 etc.). You can specify the MTU of your choice with the command --mtu <number> <target>.


Use Decoy addresses

In this type of scan you can instruct Nmap to spoof packets from other hosts. The firewall logs will then contain not only our IP address but also the IP addresses of the decoys, so it is much harder to determine which system the scan started from. There are two options you can use for this type of scan:
  1. nmap -D RND:10 [target] (generates the given number of random decoys)
  2. nmap -D decoy1,decoy2,decoy3,... [target] (manually specify the IP addresses of the decoys)

Source port number specification

A common mistake administrators make when configuring firewalls is to add a rule that allows all incoming traffic from a specific source port number. The --source-port option of Nmap can be used to exploit this misconfiguration. Common ports used for this type of scan are 20, 53 and 67.


Append Random Data

Many firewalls inspect packet sizes in order to identify a potential port scan, because many scanners send packets of a fixed size. To avoid that kind of detection you can use the --data-length option to append extra data and send packets of a different size than the default. In the image below we changed the packet size by adding 25 more bytes.

Scan with Random Order

With this technique you scan a number of hosts in random rather than sequential order. The option that instructs Nmap to scan hosts in random order is --randomize-hosts. Combined with the slow timing options of Nmap, this technique can be very effective when you do not want to alert firewalls.


Spoof MAC Address

This is one of the simpler techniques: you can spoof your own (attacker) MAC address. MAC address spoofing makes it very difficult for the victim to identify the computer that originated the incoming request. Nmap can select a completely random MAC address for each scan based on a vendor name; the other option is to specify the MAC address manually (by doing this an attacker can spoof the address of a computer on the same network). Nmap has a database called nmap-mac-prefixes, and whenever a vendor name is given it looks up the database to find a suitable MAC prefix.

# nmap --spoof-mac Cisco
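The techniques above are described from the scanner's side. A defender reading the same section wants the other half: what these scans look like in a capture, and how to flag them. The following detector is an added example, not code from the original post or from Nmap, and it covers three of the patterns described above: the bare-ACK probing of the TCP ACK scan, the tiny IP fragments produced by -f, and SYNs arriving from a "trusted" source port such as 53 as in the source port specification technique. It runs over a constructed list of packet summaries (the field layout, the thresholds and the 192.0.2.x / 198.51.100.x addresses are all assumptions of this example, not values from the page); a real pipeline would feed it the same fields from a pcap or Zeek conn log.

```python
"""Flag ACK-scan, tiny-fragment and trusted-source-port patterns (added example, not the post's own code)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Pkt(NamedTuple):
    ts: float      # capture time in seconds
    src: str       # source IP
    sport: int     # source port (0 when unknown, e.g. a fragment without the TCP header)
    dst: str       # destination IP
    dport: int     # destination port (0 when unknown)
    flags: str     # TCP flags as letters ("S", "A", "SA", "R"); "" when no TCP header is visible
    frag: bool     # True when the IP packet is a fragment
    ip_len: int    # bytes of IP payload carried by this packet


PORTS_SCANNED = 8              # distinct ports from one source before we treat it as a scan (assumed)
TCP_HEADER_LEN = 20            # a fragment shorter than this cannot hold a complete TCP header
TRUSTED_SPORTS = {20, 53, 67}  # source ports that careless firewall rules often allow through


def detect(packets: List[Pkt]) -> Dict[str, Set[str]]:
    """Return {finding_name: {source IPs}} for the three patterns."""
    handshake_started = set()                   # (src, dst, dport) that began with a SYN
    unsolicited_ack_ports = defaultdict(set)    # src -> ports probed with a bare ACK
    tiny_fragments = defaultdict(int)           # src -> fragments too small to carry a TCP header
    trusted_sport_ports = defaultdict(set)      # src -> ports hit by SYNs from a "trusted" source port

    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.src, p.dst, p.dport)
        if p.frag and p.ip_len < TCP_HEADER_LEN:
            tiny_fragments[p.src] += 1
            continue                            # nothing else to inspect in such a fragment
        if "S" in p.flags and "A" not in p.flags:
            handshake_started.add(key)          # a real client sends SYN before any ACK
            if p.sport in TRUSTED_SPORTS:
                trusted_sport_ports[p.src].add(p.dport)
        elif p.flags == "A" and key not in handshake_started:
            unsolicited_ack_ports[p.src].add(p.dport)

    return {
        "ack_scan": {s for s, ports in unsolicited_ack_ports.items() if len(ports) >= PORTS_SCANNED},
        "tiny_fragments": {s for s, n in tiny_fragments.items() if n >= PORTS_SCANNED},
        "trusted_source_port": {s for s, ports in trusted_sport_ports.items() if len(ports) >= PORTS_SCANNED},
    }


def sample_capture() -> List[Pkt]:
    """Constructed packets: one normal client, one DNS reply, and three sources showing the patterns."""
    target = "192.0.2.10"                       # documentation range, constructed
    pkts = [
        Pkt(0.0, "198.51.100.7", 51000, target, 80, "S", False, 40),            # normal handshake
        Pkt(0.1, "198.51.100.7", 51000, target, 80, "A", False, 40),            # ACK after its own SYN
        Pkt(0.2, "198.51.100.2", 53, "198.51.100.7", 40123, "", False, 120),    # a UDP DNS reply, no TCP
    ]
    # ACK scan: bare ACKs to ten ports with no SYN first
    pkts += [Pkt(1.0 + i / 10, "198.51.100.5", 40000 + i, target, 20 + i, "A", False, 40) for i in range(10)]
    # -f style probes: 8-byte fragments, too short to hold the TCP header
    pkts += [Pkt(2.0 + i / 10, "198.51.100.9", 0, target, 0, "", True, 8) for i in range(10)]
    # SYNs from source port 53 to ten ports, relying on an "allow anything from port 53" rule
    pkts += [Pkt(3.0 + i / 10, "198.51.100.11", 53, target, 1 + i, "S", False, 40) for i in range(10)]
    return pkts


if __name__ == "__main__":
    for name, sources in detect(sample_capture()).items():
        print(f"{name}: {sorted(sources) or '-'}")
```

The normal client is not flagged because its ACK follows its own SYN, and the DNS reply is not flagged because it carries no TCP flags; only the three constructed scanners show up, one per finding. The per-source port threshold is the knob to tune: lower it for a quiet internal segment, raise it on a busy edge where retransmitted ACKs from broken sessions are common.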

Nmap Timing Options

Timing options are a very important and interesting feature of Nmap, since sometimes you need a delay between requests. There are many reasons for this, but the most important is the stress on the network; sometimes the victim's computer, or even the network, cannot handle a large burst of requests. As a penetration tester you need to make sure that your scanning is not treated as a Denial of Service (DoS) attack, so the timing of requests and responses is an important aspect of scanning.

Delay (--scan-delay)


Host Timeout Option (–host-timeout)

Sometimes a host takes too long to respond, and if you are scanning an entire network it is impractical to wait for a single host. There can be many reasons for a slow response, for example network connectivity or a firewall, so if you do not want to waste time you can set a time limit per host.


Check Nmap Scripting.


5. Scan for Vulnerability

Vulnerability scanning checks systems for weaknesses in an application, computer or network.

Types of vulnerability scan:
  • External vulnerability scans
  • Internal vulnerability scans

Testing approaches:
  • Black-box testing
  • Grey-box testing
  • White-box testing

Enter Goolag Scan
Goolag Scan, cDc's Google-powered vulnerability scanner, uses selected search queries to uncover links to exposed Web applications, backdoors and documents that contain potentially useful information for attackers. Although skilled hackers have long been able to find such material with their own custom-search techniques, Goolag Scan promises to give the same power to far less knowledgeable individuals, conceivably expanding the ranks of attackers significantly.


Vulnerability scanning tools:
  • Nessus
  • GFI LANguard
  • Qualys
  • Metasploit
