CEHv6 Module 05 Scanning PDF

Ethical Hacking and
Countermeasures
Version 6
Module V
Scanning
Scenario
Stephen used to be the most bullied guy in his circle of friends.

Johnson the neighborhood guy was part of the peer group and
Johnson,
foremost in bullying Stephen. Stephen started developing hatred
for Johnson.
Johnson
J h owned/hosted
d/h t d a personall website
b it where
h h
he showcased
h d hi
his
website development skills. He passed the IP address of his website
to his peer group so that they could comment on it after viewing
the pages.
pages
Stephen comes across an article on hacking on the Internet.
Amazed by the potential of tools showcased in that article, he
decides to try it hands on
on. With the downloaded scanning tools
tools,
Stephen started scanning the IP of Johnson’s website
What kind of information will Stephen be exposed to?
Will the scan performed by Stephen affect Johnson’s Website?
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
News
Source: http://www.computerworld.com/ Copyright © by EC-Council

News
Source: http://www.abc.net.au/
Module Objective
This module will familiarize you with:
• Definition
D fi i i off scanning
i
• Types and objectives of Scanning
• Understanding CEH Scanning methodology
• Checking g live systems
y and open
p p ports
• Understanding scanning techniques
• Different tools present to perform Scanning
• Understanding banner grabbing and OS fingerprinting
• Drawing network diagrams of vulnerable hosts
• Preparing proxies
• Understanding anonymizers
• Scanning countermeasures
Module Flow
Scanning Definition Scanning Tools
Types of scanning Banner Grabbing
Scanning Objectives OS Fingerprinting
Drawing Network Diagrams

Scanning Methodology off Vulnerable
V l bl hhostt
Checking live systems Preparing Proxies
Checking open ports Anonymizers
Scanning techniques Countermeasures
Scanning - Definition
Scanning is one of the three components of intelligence gathering for an

attacker
The attacker finds information about

the:
• Specific IP addresses
• Operating Systems
• System architecture
• Services running on each computer
The various types of scanning

are as follows:
f ll
Port Network Vulnerability

Scanning Scanning Scanning
Types of Scanning
Port Scanning
• A series
i off messages sent bby someone attempting
i to bbreak
k
into a computer to learn about the computer’s network
services
• Each associated with a "well-known" port number
Network Scanning
• Approcedure for identifying
y g active hosts on a network
• Either for the purpose of attacking them or for network
security assessment
Vulnerability Scanning
• The automated process of proactively identifying
vulnerabilities of computing systems present in a network
Objectives of Scanning
To detect the live systems

y running
g on the network
To
o discover
o which po
ports are active/running
/ g
To discover the operating system running on the target system

(fi
(fingerprinting)
i i )
To discover the services running/listening on the target system
To discover
disco er the IP address of the target system
s stem
CEH Scanning Methodology
Check for live systems

y Check for open
p p ports
Banner g
grabbingg
Id tif S
Identify Service
i
/OS Fingerprinting
Draw network
D k diagrams
di off
Scan for Vulnerability
Vulnerable hosts
Prepare proxies
ATTACK!!
Checking
g for Live Systems
y
Checking for Live Systems - ICMP
Scanning
In this type of scanning, it is found out which hosts are up in a
net ork by
network b pinging them all
ICMP scanning can be run parallel so that it can run fast
It can also be helpful to tweek the ping timeout value with the –t
option
p
Angry IP Scanner
An IP scanner for Windows
Can scan IPs in anyy range

g
It simply pings each IP address to check if it is alive
Provides NETBIOS information such as:
• Computer name
• Workgroup name
• MAC address
dd
Angry IP Scanner: Screenshot
Ping Sweep
A ping sweep (also known as an ICMP sweep) is a basic network scanning

technique
h i used
d to d
determine
i which
hi h off a range off IP addresses
dd map to li
live
hosts (computers)
A ping sweep consists of ICMP ECHO requests sent to multiple hosts
If a given address is live, it will return an ICMP ECHO reply
Ping Sweep: Screenshot
Firewalk Tool
Firewalking is a tool that employs traceroute-like techniques to

analyze IP packet responses to determine gateway ACL filters and
map networks
The tooll employs

Th l the
h technique
h i to d
determine
i the
h fil
filter rules
l iin place
l
on a packet forwarding device
Firewalk works by sending out TCP or UDP packets with a TTL one
greater than the targeted gateway
• If the gateway allows the traffic, it will forward the packets to the next hop
where they will expire and elicit an ICMP_TIME_EXCEEDED message
• If the gateway host does not allow the traffic, it will likely drop the packets
on the floor and there will be no response
p
Firewalk Tool (cont’d)
Destination Host
Internet
PACKET FILTER Firewalking Host
Hop n
Hop n+m (m>1)

Hop 0
Firewalk Commands
Firewalk Output
Firewalk penetrated all of
the filters through the target
gateway but also port scan
the metric and determine
the following ports open:
port 23 (telnet)
port 25 (SMTP)
port
t 80 (HTTP)
Checking for Open Ports
Three Way Handshake
Computer A Computer B
192.168.1.2:2342 ------------syn-------------->192.168.1.3:80
192.168.1.2:2342 <---------syn/ack-----------192.168.1.3:80
192.168.1.2:2342-------------ack-------------->192.168.1.3:80
Connection Established
The Computer A ( 192.168.1.2 ) initiates a connection to the server (

192.168.1.3
9 3 ) via a packet
p with onlyy the SYN flag
g set
The server replies with a packet with both the SYN and the ACK flag set
For the final step, the client responds back to the server with a single ACK
packet
If these
th three
th steps
t are completed
l t d without
ith t complication,
li ti th
then a TCP
connection has been established between the client and the server
Three Way Handshake:
Screenshot
TCP Communication Flags
Standard TCP communications are controlled by flags in

th TCP packet
the k th
header
d
The flags
g are as follows:
• Synchronize – It is also called as "SYN” and is used to
initiate a connection between hosts
• Acknowledgement - It is also called as "ACK” ACK and is used in
establishing a connection between hosts
• Push – It is called as "PSH” and instructs receiving system to
send all buffered data immediately
• Urgent
U t - It is
i also
l called
ll d as "URG” andd states
t t ththatt th
the d
data
t
contained in the packet should be processed immediately
• Finish – It is also called as "FIN“ and tells remote system that
there will be no more transmissions
• Reset – It is also called "RST” and is used to reset a connection
Nmap
Nmap is a free open source utility for network

exploration
l i
It is designed to rapidly scan large networks
Features:
• Nmap is used to carry out port scanning, OS detection,

version detection, ping sweep, and many other
t h i
techniques
• It scans a large number of machines at one time
• It is supported by many operating systems
• It can carryy out all types
yp of p
port scanning
g techniques
q
Nmap: Screenshot
Nmap: Scan Methods
Some of the scan methods used by Nmap:
Xmas Tree: The attacker checks for TCP

services by sending "Xmas-tree" packets
SYN Stealth: It is referred to as "half-open"

scanning, as full TCP connection is not opened
Null Scan: It is an advanced scan that may

be able to pass through unmolested firewalls
Windows Scan: It is similar to the ACK scan

and can also detect open ports
ACK Scan: It is used to map out firewall

ruleset
Nmap: Scan Methods
NMAP Scan Options
-sT (TcpConnect) -sW (Window Scan)

-sS (SYN scan) -sR (RPC scan)
-sF (Fin Scan) -sL (List/Dns Scan)
-sX (Xmas Scan) -P0 (don’t ping)
-sN (Null Scan) -PT (TCP ping)
-sP (Ping Scan) -PS (SYN ping)
-sU (UDP scans) -PI (ICMP ping)
-sO (Protocol Scan) -PB (= PT + PI)
-sI (Idle Scan) -PP (ICMP timestamp)
-PM (ICMP netmask)

-sA (Ack Scan)
NMAP Output Format
-oN(ormal)
-oX(ml)
-oG(repable)
-oA(ll)
NMAP Timing Options
-T Paranoid – serial scan & 300 sec wait
-T Sneaky - serialize scans & 15 sec wait
-T Polite - serialize scans & 0.4

4 sec wait
-T Normal – parallel scan
-T Aggressive-
A i parallel
ll l scan & 300 sec timeout
i & 1.25 sec/probe
/ b
-T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe
--host_timeout --max_rtt_timeout
(default - 9000)
--min_rtt_timeout --initial_rtt_timeout
((default – 6000))
--max_parallelism --scan_delay (between probes)

NMAP Options
--resume (scan) --append_output
-iL <targets_filename> -p <port ranges>
-F (Fast scan mode) -D <decoy1 [,decoy2][,ME],>
-S <SRC_IP_Address> -e <interface>
-g
g <portnumber> --data
data_length
length <number>
--randomize_hosts -O (OS fingerprinting) -I (dent-scan)
f (fragmentation)
-f (f t ti ) -v (verbose)
( b ) -h h (help)
(h l )
-n (no reverse lookup) -R (do reverse lookup)
-r (don’t randomize port scan) -b <ftp relay host> (FTP bounce)
HPING2
HPING is a command-line oriented TCP/IP packet assembler/analyzer
It has a Traceroute mode
It has the ability to send files between a covered channel
It not only sends but also supports ICMP echo requests
• TCP
• UDP
• ICMP and
• Raw-IP
Raw IP protocols
Features
• Firewall testing
• Ad
Advanced d portt scanning
i
• Network testing, using different protocols, TOS, fragmentation
• Advanced Traceroute, under all the supported protocols
• Remote OS fingerprinting
• R
Remote
t uptime
ti guessing
i
• TCP/IP stacks auditing
Hping2 Commands
hping2 10.0.0.5
• This command sends a TCP null-flags packet to port
0 of host 10.0.0.5
hping2 10.0.0.5 -p 80
• This command sends the packet to port 80
hping2 -a 10.0.0.5 -S -p
81 10.0.0.25
• This command sends spoofed SYN packets to the
target via a trusted third party to port 81
hping www.debian.org -p
80 -A
• This command sends ACK to port 80 of
www.debian.org
hping www.yahoo.com -p
80 -A
• This command checks for IPID responses
SYN Stealth / Half Open Scan
SYN Stealth / Half Open Scan is often referred to as half open scan because it does not
open a ffull
ll TCP connection
ti
First, a SYN packet is sent to a port of the machine, suggesting a request for connection,
andd the
th response iis awaited
it d
If the port sends back a SYN/ACK packet, then it is inferred that a service at the
particular port is listening. If an RST is received, then the port is not active/ listening. As
soon as the SYN/ACK packet is received,
received an RST packet is sent,
sent instead of an ACK,
ACK to
tear down the connection
The key advantage is that fewer sites log this scan
Stealth Scan
192.168.1.2:2342
192 168 1 2:2342 ------------syn-----------
syn
>192.168.1.3:80
192.168.1.2:2342 <---------syn/ack----------
192.168.1.3:80
192.168.1.2:2342-------------RST-----------
>192.168.1.3:80
Client sends a single SYN packet to the server on the appropriate port
If the port is open then the server responds with a SYN/ACK packet
If th
the server responds
d with
ith an RST packet,
k t then
th the
th remote
t portt iis iin ""closed”
l d”
state
The client sends the RST packet to close the initiation before a connection
can ever be established
This scan is also known as “half-open” scan

Xmas Scan
Xmas scan directed at open port:
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23
Xmas scan directed at closed port:

p
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23
Note: XMAS scan only works if OS system's TCP/IP implementation is

developed according to RFC 793
Xmas Scan will

ill not work
k against
i any current version
i off Microsoft
i f Windows
i d
Xmas scans directed at any Microsoft system will show all ports on the host as
b i closed
being l d
FIN Scan
FIN sca
scan directed
d ec ed at
a open
ope port:
po
192.5.5.92:4031 -----------FIN------------------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23
FIN scan directed at closed port:

192.5.5.92:4031 -------------FIN------------------192.5.5.110:23
192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23
Note: FIN scan only works if OS’ TCP/IP implementation is developed

according to RFC 793
FIN Scan will not work against any current version of Microsoft Windows
FIN scans directed at any Microsoft system will show all ports on the host as
being closed
NULL Scan
NULL
U sca
scan d
directed
ec ed at
a open
ope port:
po
192.5.5.92:4031 -----------NO FLAGS SET---------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23
NULL scan directed at closed port:

192.5.5.92:4031 -------------NO FLAGS SET---------192.5.5.110:23
192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23
Note: NULL scan only works if OS’ TCP/IP implementation is developed

according to RFC 793
NULL Scan will not work against any current version of Microsoft Windows
NULL scans directed at any

an Microsoft system
s stem will
ill sho
show all ports on the host as
being closed
IDLE Scan
Almost four years ago, security researcher Antirez posted

an innovative new TCP port scanning technique
IDLE Scan, as it has become known, allows for

completely
l t l bli
blind
d portt scanning
i
Attackers can actually scan a target without sending a

single packet to the target from their own IP address
IDLE Scan: Basics
Most network servers listen on TCP ports, such as web servers on port 80 and mail
servers on port 25
A port is considered "open" if an application is listening on the port, otherwise it is

closed
One wayy to determine whether a p

port is open
p is to send a "SYN" (session establishment)
packet to the port
The target machine will send back a "SYN|ACK" (session request acknowledgment)
packet if the port is open, and an "RST" (Reset) packet if the port is closed
A machine which receives an unsolicited SYN|ACK packet will respond with an RST. An
unsolicited RST will be ignored
Everyy IP p
packet on the Internet has a "fragment
g identification" number
Many operating systems simply increment this number for every packet they send
So probing for this number can tell an attacker how many packets have been sent since
the last probe
IDLE Scan: Step 1
Choose a "zombie" and p

probe for its current IPID number
IPID Probe
SYN / ACK Packet
Response: IPID=31337
RST Packet
Attacker Zombie
IDLE Scan: Step 2.1 (Open Port)
Send SYN packet to target machine spoofing the IP address of the

“zombie”
zombie
SYN Packet to port 80

spoofing zombie IP address
Attacker
Target
Zombie
IDLE Scan: Step 2.2 (Closed Port)
The target will send RST to the “zombie” if port is closed. Zombie will
not send anything back
SYN Packet to port 80

spoofing zombie IP address
Attacker
Target
Zombie
IDLE Scan: Step 3
Probe “zombie" IPID again
IPID Probe
SYN / ACK Packet
Response: IPID=31339
RST Packet
Attacker IPID incremented by 2 since Zombie

Step 1 so port 80 must be open!
ICMP Echo Scanning/List Scan
ICMP E
Echo
h SScanning
i
• This is not really port scanning, since ICMP does not have a
port abstraction
p
• But it is sometimes useful to determine which hosts in a
network are up by pinging them all
• nmap -P cert.org/24 152.148.0.0/16
List Scan
• This type of scan simply generates and prints a list of
IPs/Names without actually pinging or port scanning them
• A DNS name resolution will also be carried out
TCP Connect / Full Open Scan
This is the most reliable form of TCP scanning
The connect()
Th t() system
t call
ll provided
id d b
by th
the
operating system is used to open a connection to
every open port on the machine
ACK
SYN
If the port is open, connect() will succeed
ACK
SYN
+
If the port is closed, then it is unreachable ACK
SYN/FIN Scanning Using IP
Fragments
It is not a new scanning method but a modification of the earlier
methods
The TCP header is split up into several packets so that the packet
filters are not able to detect what the packets intend to do
UDP Scanning
UDP RAW ICMP Port Unreachable Scanning

• This scanning method uses a UDP protocol instead of a TCP
protocol
• Though this protocol is simpler, scanning it is more difficult
UDP RECVFROM() Scanning
• While non root users cannot read port unreachable errors directly,
directly
LINUX is intuitive enough to inform the users indirectly when they
have been received
• This is the technique used for determining open ports by non root
users
Reverse Ident Scanning
The Ident protocol allows for the disclosure of the username of the owner of
any process connected via TCP, even if that process did not initiate the
connection
So a connection
S ti can b be established
t bli h d with
ith th
the htt
http portt and
d th
then use Id
Identt tto
find out whether the server is running as a root
This can be done only with a full TCP connection to the target port
Window Scan
This scan iis similar

Thi i il tto th
the ACK scan, exceptt th
thatt it can
sometimes detect open ports as well as filtered/unfiltered
ports due to an anomaly in the TCP window size reported
b some operating
by ti systems
t
Blaster Scan
A TCP port scanner for UNIX-based
operating
p g systems
y
Ping target hosts for examining

connectivity
Scans subnets on a network
Examines FTP for anonymous access
Examines CGI bugs
Examines POP3 and FTP for brute

f
force vulnerabilities
l biliti
PortScan Plus, Strobe
PortScan Plus
• Windows-based scanner developed by Peter Harrison

• The user can specify
p y a range
g of IP addresses and pports to be
scanned
• When scanning a host or a range of hosts, it displays the open
ports on those hosts
Strobe
• A TCP port scanner developed by Julian Assange

• Written in C for UNIX-based operating systems
• Scans all open ports on the target host
• Provides only limited information about the host
IPSecScan
IPSecScan is a tool that can scan either a single IP address or a

range of IP addresses looking for systems that are IPSec
IPSec-enabled
enabled
NetScan Tools Pro
It is used to:
• Determine the ownership
of IP addresses
• Translate
T l t IP addresses
dd tto
hostnames
• Scan networks
• Probe p ports of target
g
computers for services
• Validate email addresses
• Determine the ownership
of domains
• List the computers in a
domain
WUPS – UDP Scanner
WUPS is a simple but

effective
ff i UDP scanner
for Windows with a
graphical
g p interface
SuperScan
It is a TCP port scanner, pinger, and hostname resolver
It can perform ping scans, scans port using any IP range, and scans any port range from a
built-in list or specified range
IPScanner
IPScanner performs different

types
yp of scans on each targetg
IP address and reports the
results in a nice graphical
format for your review
The scan types are :
• Pingscan
• TCPPort scan
• Netbios scan
• NT Services scan
• Local Groups scan
• Remote Time of Dayy scan
Global Network Inventory
Scanner
Global
Gl b lN
Network
t k
Inventory is a software
and hardware inventory
system that can be used
as an audit scanner in
an agent-free and zero
deployment
environments
It can audit remote

workstations and
network k appliances,
li
including network
printers, hubs, and
other devices
Net Tools Suite Pack
N t Tools
Net T l S Suite
it PPack
k iis a collection
ll ti off scanning
i ttools
l
This toolset contains tons of port scanners, flooders, web

rippers, and mass e-mailers
Net Tools Suite Pack: Screenshot
FloppyScan
Interesting ports on 192.168.100.5:
Floppyscan is a dangerous hacking tool (The 1646 ports scanned but not
which can be used to portscan a system shown below are in state: closed)
using a floppy disk PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
It boots up mini Linux
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
It displays “Blue
Blue screen of death
death” screen 445/tcp open microsoft-ds
microsoft ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
It port scans the network using NMAP
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3268/tcp open globalcatLDAP
It sends the results by e-mail to a 3269/tcp open globalcatLDAPssl
remote server
FloppyScan Steps
Step2: The system boots to floppy
and BSOD is displayed on the screen
Step1: Walk to a PC and insert the

Floppy scan disk and restart the
machine
Step3: Performs
S f NMAP
A scan on the
h
local network
Step4: Sends the results through e-

mail
E-mail Results of FloppyScan
Atelier Web Ports Traffic Analyzer
(AWPTA)
AWPTA captures the data that flows in and out of your PC since the
time of booting
Atelier Web Ports Traffic Analyzer provides Real-time

Real time mapping of
ports to processes (applications and services) and shows history since
boot time of every TCP, UDP, or RAW port opened through Winsock
Optionally, AWPTA can also log (up to 500mb) all traffic since the
last boot to a file
Atelier Web Ports Traffic Analyzer
(AWPTA): Screenshot
Atelier Web Security Port Scanner
(AWSPS)
AWSPS provides useful information about other networked machines

and
d users on a llocall area network
t k
It also p
provides traffic details for TCP and UDP traffic,, as well as for
control packets (ICMP), including ping
Features:
• Provides TCP scanning functionality

• UDP Port Scanning
• Local Network Enumeration
• High-level of detail on the local network set-up
AWSPS: Connections and Listening Ports.
TCP,, UDP and ICMP Statistics
AWSPS: IP Statistics/Settings
AWSPS: UDP Scan
AWSPS: Ping
IPEye
IPEye is a command-line driven port scanner for Windows
The basic usage for IPEye is:

ipEye <target IP> <scantype> -p <from port> <to port> [optional parameters]
Only SYN SCAN is valid when scanning a Windows system
IPEye scans requested ports, given a valid IP address, and returns a list of ports which are
open, closed, or rejected
IP address of the machine is required while scanning; host names are not accepted
The scan type parameter can take

values of:
-xmas = Xmas
-syn = SYN scan -fin = FIN scan -null = Null scan
scan
IPEye: Screenshot
ike-scan
www.nta monitor.com
www.nta-monitor.com
ike-scan is a command-line tool for discovering, fingerprinting, and

testing
i IPsec
IP VPN systems
It constructs and sends IKE Phase

Phase-11 packets to the specified hosts and
displays any responses that are received
ike-scan allows to:
• Send IKE packets to any number of destination hosts

• Construct the outgoing IKE packet in a flexible way
• Decode and display any returned packets
• C k aggressive
Crack i mode d pre-shared
h d keys
k
ike-scan: Screenshot 1
ike-scan: Screenshot 2
Infiltrator Network Security Scanner
www.infiltration-systems.com
y
IInfiltrator
filt t iis an intuitive
i t iti network
t k security
it scanner th
thatt can quickly
i kl
scan and audit your network computers for vulnerabilities, exploits,
and information enumerations
Features:
Information Gathering
Security Auditing and Analysis
Generates Sleek Scan Reports
Comes with many built in network utilities such as Whois client
Infiltrator Network Security
Scanner: Screenshot 1
Infiltrator Network Security
Scanner: Screenshot 2
YAPS: Yet Another Port Scanner
www.steelbytes.com
Yaps
p is a small and fast TCP/IP/ p port scanner with little configuration
g
options and a fairly plain interface
F t
Features:
Supports simultaneous connections to many targets
S
Supports command
d line
li and
d GUI mode
d
Customizable timeout
Can scan a range off addresses

dd or single
i l address
dd
Can resolve addresses
Includes names for well known ports
YAPS: Yet Another Port Scanner:
Screenshot
Advanced Port Scanner
www.famatech.com
Advanced Port Scanner is a small,, fast,, and easy-to-use

y port scanner
p
that runs multi-threaded for optimum performance
Features:
Fast and Stable multi-threaded

Port Scanning
Fully configurable Port Scan
Export scan results
Advanced Port Scanner:
Screenshots
NetworkActiv Scanner
www.networkactiv.com
NetworkActiv Port Scanner is a network exploration and

administration tool that allows you to scan and explore internal
LANs and external WANs
Features:
• TCP connect() port scanner and TCP SYN port scanner
• UDP port scanner with automatic speed control
• Ping scanning of subnets (UDP or ICMP)
• TCP subnet port scanner for finding Web servers and other
servers
• High performance trace-route
• Remote OS detection by TCP/IP stack fingerprinting
• Whois Client
• DNS Dig system
NetworkActiv Scanner:
Screenshot 1
NetworkActiv Scanner:
Screenshot 2
NetGadgets
www.noticeware.com
NetGadgets is a complete set of diagnostic tool for every level of Internet user
The tools within NetGadgets provide invaluable data about your Internet and
network connections, other users, and web site information
It combines all the standard Internet tools like Ping, Trace Route, NS Lookup
and Whois,, with other less common tools like Time,, Daytime,
y , Echo Plus,, Email
Verify, Finger, Name Scan, Ping Scan, Port Scan, Service Scan, and others
NetGadgets: Screenshot
P-Ping Tools
P-Ping Tools is an administrative network scanner that allows

you to scan TCP/UDP ports to see if they are in use
You can scan a single or multiple IP address and also log the
results to a text file that are in use
The program allows you to scan a single port or all of them,

them as
well as scanning for popular services on an IP range
P-Ping Tools: Screenshot
MegaPing
www.magnetosoft.com
MegaPing
g g is the ultimate must-have toolkit that p
provides all essential
utilities for Information System specialists, system administrators, IT
solution providers, or individuals
Features:
Includes scanners, host and port monitors, system

information viewers, and various network utilities
Automatically detects security vulnerabilities on your network
Provides detailed information about all computers and

network appliances
MegaPing: Screenshot 1
LanSpy
www.lantricks.com
LanSpy
py is a set of network utilities p
pooled together
g in a single
g p program
g
with simple and easy-to-use interface
It includes
i l d ffastt portt scanner ffor gathering
th i iinformation
f ti about
b t open ports
t
on remote computer and displays services using these ports
• Audits your network for security reason issues

• Views processes on remote computers
Features: • Shows a list of installed application on workstations
• Detects shares, open ports, and user accounts
LanSpy: Screenshot
HoverIP
www.hoverdesk.net
HoverIP is a useful set of network utilities, that can display your IP configuration
((on all network cards),
), perform
p NsLookup p queries,
q , Traceroute,, Ping,
g, and port
p
scanning
HoverIP: Screenshot
LANView
www.jxdev.com
LANView can quickly obtain information about all hosts on a

network,
t k including
i l di IP addresses,
dd MAC addresses,
dd h
hostnames,
t
users, and groups
Features:
• Multiple
p applications
pp in one: LAN Search,, capturing
p g
and analyzing IP packets
• IP Statistics, IP Traffic, Network Connections,Port
Scan,Ping Scan, Local interface, and Windows Socket
information ,,organized
g as independent
p windows allow
multitask operation
• Multiple thread design ensures the efficiency
• LAN Searcher, IP Capture, Port Scan, Ping Scan, and
some other functions are designed as independent
threads
LANView: Screenshot 1
NetBruteScanner
www.rawlogic.com
NetBrute allows you to scan a single computer or multiple IP addresses

for available Windows File & Print Sharing resources
• This is probably one of the most dangerous and easily exploitable security
holes
It is common for novice users to have their printers or their entire hard
drive shared without being aware of it
This utility will help you to find these resources, so you can secure them
with a firewall or by informing your users how to properly configure
their shares with tighter security
NetBruteScanner: Screenshot
SolarWinds Engineer’s Toolset
Engineer's
g Toolset includes 49 p
powerful network management,
g
monitoring and troubleshooting tools to easily and effectively manage
your network
Features:
• Monitors and alerts on availability, bandwidth
utilization, and health for hundreds of network
d i
devices
• Provides robust network diagnostics for
troubleshooting and quickly resolving complex
network issues
• Offers
Off an array off network
t k di
discovery ttools
l th
thatt
facilitate IP address management, port mapping
and ping sweeps
• Eases management of Cisco® devices with tools
for real-time
real time NetFlow analysis,
analysis configuration
management and router management
SolarWinds Engineer’s Toolset:
Screenshots
AUTAPF
www.networkactiv.com
NetworkActiv AUTAPF is easy to use,

use and quick to configure
UDP and TCP Windows based port forwarder
Features:
• Define IP address ranges to allow or block for each port being

forwarded
• Optionally control IP address filtering via external program or
script
p - in real-time
• Have program forward multiple ports simultaneously
• View the current data throughput speed of each port forwarding
operation
• Have program log connection events to a text file
• Have program hide in taskbar
AUTAPF: Screenshots
OstroSoft Internet Tools
OstroSoft Internet Tools is an integrated set of network information utilities
It is intended for use by network, domain and systems administrators, network security
professionals, Internet users, and everyone who wants to know more about network and
Internet
It gives you vital information such as:
• Which computers on domain are running a specified service (domain scanner)

• What network services are running on a specified computer (remote or local) -
(Port scanner)
• Shows you the path TCP packet takes from your system to the remote host
(Traceroute)
• Shows
Sh you the
h information
i f i about
b active
i connections
i on your computer (N
(Netstat))
• Resolves host names to IP addresses and vice versa (Host Resolver - dns)
• Returns contact information (address, phone, fax, administrator name, DNS
servers) for specified network (Network Info)
• Shows network
network-related
related information (IP address, host name, version of Winsock,
etc.) about your computer (Local Host Info)
OstroSoft Internet Tools:
Screenshot
Advanced IP Scanner
Advanced IP Scanner is a fast, robust, and easy to use LAN scanner,

which
h h gathers
h various types off information
f about
b the
h llocall network
k
computers
It provides access to many useful functions including remote shutdown

and wake up
Results include NetBios username, computer name, group name, and

Mac address
IP addresses can be saved in a list as well for later usage
Advanced IP Scanner:
Screenshot 1
Advanced IP Scanner:
Screenshot 2
Colasoft MAC Scanner
Colasoft MAC scanner allows to scan the network and get a list of
MAC addresses
dd along
l with
i h IP address,
dd machine
hi name, and d
manufacturer’s information
It can automatically detect all subnets according to the IP addresses

configured on multiple NICs of a machine
It supports multi-threaded
multi threaded scanning
Colasoft MAC Scanner:
Screenshot
Active Network Monitor
Active Network Monitor allows Systems

Administrators to ggather information from all
machines in the network without installing server-
side applications on these computers
Allows to view, store, and compare the received

data
Selects a variety of items to be scanned, including

installed applications, hotfixes, hardware
resources, OS information, and computer
information
Results are in-depth; however, they are displayed

in individual windows for each scan and can be
hard to manage if many items are included
Active Network Monitor:
Screenshot
Advanced Serial Data Logger
Advanced Serial Data Logger is a serial port data logging and monitoring
solution that can be used as serial port and RS232 real time sniffer or to log
all received data to a local file
It captures serial data, custom tailors it to your needs, then extracts bits of
data from data packets,
packets and transfers the data to any Windows or DOS
application
It captures
p data either by sending
g keystrokes
y to the application
pp window,, or by
passing the data through Dynamic Data Exchange conversations, ODBC, OLE
It supports RS
RS-485,
485, full duplex mode, flexible parameters, plug
plug-ins,
ins, and can
run as a service
It also transmits requests or commands out the serial port to control or query
your instruments
i directly
di l from
f Advanced
Ad d Serial
S i l Data
D L
Logger over ASCII or
MODBUS protocol
Advanced Serial Data Logger:
Screenshot 1
Advanced Serial Data Logger:
Screenshot 2
Advanced Serial Port Monitor
This p
program
g allows to check the flow of data through
g a computer's
p COM p
ports
It can work as serial port monitor and supports full duplex mode, output received data to
fil ffree d
file, data source, and
d serial
i lddevice
i simulation
i l i
It supports
pp the miscellaneous baudrates (up p to 115200), number of databits, number of
stop bits, different types to parity, flow control types and others
Itt can
ca monitor
o to the
t e data eexchange
c a ge bet
between
ee aanyy eexternal
te a dev
devices,
ces, co
connected
ected to se
serial
a po
portt
and Windows applications
I can run with

It i h predefined
d fi d options
i and
d actions
i or execute commands
d ffrom plugins
l i
Advanced Serial Port Monitor:
Screenshot
WotWeb
WotWeb is a port scanner specifically made to scan and display active web
servers and shows the server software running on them
IP lists can be entered manually or by reading from a file
Scanning is fast and accurate and the acquired list of servers can be saved to a
comma separated text file for importing into your favorite spreadsheet
application
pp for further analysis
y
WotWeb was written to aid system administrators who manage large networks
and need to keep track of all their web servers and the type of server software
running on them
WotWeb: Screenshot
Antiy Ports
Antiy Ports is a TCP/UDP port monitor that maps the ports in use to the
applications that are currently using them
It offers to kill any selected process and links to additional port information
online
Port Detective
Port Detective is a tool that helps you find out what ports
are blocked by the router, firewall, or ISP
It comes pre-configured for the most commonly used

ports and you can also add your own ports to the list
ports,
The program is intended to check the availability of

common ports for the purpose of self-hosting, as many
ISPs are blocking these ports to prevent users from
running public web servers, mail servers etc. on their
h
home computers
t
Port Detective: Screenshot
Roadkil’s Detector
Roadkil`s Detector is a simple port

listener, that allows to monitor
connections to the specific system
po ts
ports
It displays the IP address of the

connectingg agent,
g the remote
machine’s name, as well as time
and date of the connection
The output can optionally be saved

to a log file
Portable Storage Explorer
Portable Storage Explorer displays remote network computer USB devices, removable
storage,
g , CD-Rom and DVD drive information and state,, drive type,
yp , serial number,, revision,,
device name, last cleaned time, device vendor and product name, operational state, created
and modified time, device library, etc
War Dialer Technique
War Dialer Technique
War dialing involves the use of a program in conjunction with a modem to penetrate the
modem-based
modem based systems of an organization by continually dialing in
Companies do not control the dial-in ports as strictly as the firewall and machines with
modems attached are present everywhere
A tool that identifies the phone numbers that can successfully make a connection with a
computer modem
It generally works by using a predetermined list of common user names and passwords in an
attempt to gain access to the system
Why War Dialing?
It doesn't matter how strongly you've locked the front

door to your network if you
you've
ve left the back door wide
open
• Has someone inside your organization attached a modem to your
network?
• Are your authorized modems susceptible to a break-in with a
wardialer?
• Are your modems revealing banners with their identity?
• Do yyour modems still have default manufacturer p passwords?
• Is there unknown open access to a legacy system?
• Are you at risk by not conducting regular audits across your
organization?
Wardialing
PhoneSweep – War Dialing Tool
THC Scan
It is a type of War Dialer that scans a defined range of phone

numbers
Another tool for wardialing is PhoneSweeper
ToneLoc
ToneLoc is a popular war dialing computer program for MS-DOS
It dials numbers to look for some kind of tone
Command line options for ToneLoc:
ToneLoc [DataFile] /M:[Mask] /R:[Range] /D:[ExRange] /X:[ExMask]

/C:[Config] /S:[StartTime] /E:[EndTime] /H:[Hours] /T[-] /K[-]
It is used to:
• Find PBX‘s
• Find loops or milliwatt test numbers
• Find dial-up long distance carriers
• Find any number that gives a constant tone, or something that your
modem will recognize as one
• Finding carriers (other modems)
• Hacking PBX's
ModemScan
www wardial net
www.wardial.net
ModemScan is a GUI wardialer software program which utilizes

Microsoft Windows Telephony
Features:
• ModemScan works with hardware you already own and does
not require the additional purchase of specific nor
specialized hardware
• Randomly selects and dials phone numbers from the dial
ranges list to prevent line termination from phone
companies which detect sequential dialing
• Runs multiple ModemScan copies with more than one phone
line and modem on the same computer
• Imports comma delimited text files containing phone
numbers or ranges
• Flexible phone number dialing
• Utilizes Microsoft's Telephony
p y settings
g for easyy modem and
location setup
War Dialing Countermeasures
SandTrap Tool
Sandtrap can detect war dialing attempts and notify the administrator immediately upon
being called,
called or upon being connected to,
to via an email message,
message pager or via HTTP POST to
a web server
Conditions that can be

configured to generate
notification messages
include:
• Incoming Caller ID
• Login attempt
Banner Grabbing
OS Fingerprinting
OS fingerprinting
g p g is the method to determine the operating
p g system
y that is
running on the target system
The two different types of fingerprinting are:
• Active stack fingerprinting

• Passive fingerprinting
Active Stack Fingerprinting
Based on the fact that OS vendors implement the TCP stack differently
Specially crafted packets are sent to remote OSs and the response is noted
The responses are then compared with a database to determine the OS
The Firewall logs your active banner grabbing scan since you are probing directly
Passive Fingerprinting
Passive banner grabbing refers to indirectly scanning a system to reveal

its server’s
server s operating system
It is also based on the differential implantation of the stack and the

various waysy an OS responds
p to it
It uses sniffing techniques instead of the scanning techniques
It is less accurate than active fingerprinting
Active Banner Grabbing Using
Telnet
You can use telnet to grab the banner of a website
telnet www.certifiedhacker 80 HEAD / HTTP/1.0
GET REQUESTS
You might
g want to tryy
these additional get
requests for banner
grabbing
Take a look at :
GET REQUESTS
KNOWN_TESTS.htm
file
p0f – Banner Grabbing Tool
p0f is a passive OS fingerprinting technique that is based on analyzing

the information sent by a remote host
The captured packets contain enough information to identify the remote

OS
How to run p0f?
Run p0f –i
You will see the OS
<your
y Open
p IE and visit
fingerprinted on
interface card websites
number> the p0f window
p0f for Windows
Httprint Banner Grabbing Tool
httprint
p is a web server fingerprinting
g p g tool
It relies on web server characteristics to accurately identify web servers, despite the fact
that they may have been obfuscated by changing the server banner strings, or by plug-
ins such as mod
mod_security
security or servermask
httprint can also be used to detect web-enabled devices which do not have a server
banner string, such as wireless access points, routers, switches, and cable modems
httprint uses text signature strings and it is very easy to add signatures to the
signature database
Httprint: Screenshot
Tool: Miart HTTP Header
Miart HTTP Header is a simple

p tool to gget the HTTP Header
information from any website by entering the URL into the
program
It also includes:
Ping tool
Traceroute tool
Domain name/IP resolver
Miart HTTP Header: Screenshot
Tools for Active Stack
Fingerprinting
XPROBE2
• It is a remote OS detection tool which determines the OS running

on the target system with minimal target disturbance
RING V2 http://www.sys-security.com/
• This tool is designed with a different approach to OS detection

• This tool identifies the OS of the target system with a matrix-based
fingerprinting approach
Most of the port scanning tools like Nmap are used for active stack
fingerprinting
Netcraft
Netcraft toolbar
(htt //
(http://www.netcraft.com)
t ft )
can be used to identify the
remote OS of a target
system passively
Disabling or Changing Banner
Apache
p Server
• Apache 2.x users who have the mod_headers module loaded can
use a simple
p directive in their httpd.conf
p file to change
g banner
information Header set Server "New Server Name“
• Apache 1.3.x users have to edit defines in httpd.h and recompile
Apache to get the same result
IIS Lockdown Tool

IIS users can use
following tools to
IIS Server
disable or change
banner information
ServerMask
Se ve as
IIS Lockdown Tool
IIS Lockdown Wizard is used

to turn off unnecessary
features to reduce attack
surface available to attackers
Tool: ServerMask
It modifies web server's "fingerprint" by removing unnecessary HTTP response data,
modifying cookie values and adjusting other response information
ServerMask hides the identity of server
Modified…
Tool: ServerMask (cont’d)
Features:
• Numerous HTTP masking ki options

i
• Unique cookie masking feature
• Disables potentially dangerous features like Microsoft WebDav
with one click ((Windows 2000 SP3 3 or greater
g only)
y)
• Controls other signatures such as the SMTP banner display
• Compatible with IIS Lockdown, URLScan, major third party
server-side scripting platforms like ASP, ASP.NET, ColdFusion,
PHP, JSP, Perl
• Supports FrontPage publishing and Outlook Web Access
• Super-fast, stable ISAPI filter with no noticeable server
performance impact
• Quick and easy installation and configuration
Hiding File Extensions
Hiding file extensions is a good practice to

mask the technology generating dynamic pages
Apache users can use mod_negotiation

directives
IIS users can use tools as PageXchanger to

manage file extensions
Tool: PageXchanger
PageXchanger is a IIS server module that negotiates content with browsers and
mask file extensions
Features:
• Allows removal of file extensions in source code without affecting site
functionality
• Redirects requests for pages and allows content to be served without file
extensions
• URLs no longer display file extensions in a Web browser's address or location bar
Benefits:
• Security: Enhances security by obscuring technology platform and stops hacker
exploits
• Migration: Changes site technology easily without broken links or numerous
redirects
• Content Negotiation: Transparently selects and serves language, image, and
other content based on the user's browser
• A clean URL site: Easier for users to navigate, simple to maintain, and makes for
more effective and lasting URLs in all company communications
PageXchanger: Screenshot
V l
Vulnerability
bilit SScanning
i
Bidiblah Automated Scanner
Bidiblah automates footprinting, DNS enumeration, banner grabbing,

port scanning
scanning, and vulnerability assessment into a single program
This tool is based on the following methodology:
Bidiblah Automated Scanner:
Screenshot
Qualys Web-based Scanner
www.qualys.com/eccouncil
SAINT
It is also known as Security

Administrator's Integrated Network
Tool
It detects the network vulnerabilities

on any remote target in a non
non-
intrusive manner
It gathers information regarding

what type of OS is running and
which ports are open
ISS Security Scanner
Internet Security Scanner provides

automated vulnerability detection and
analysis of networked systems
It performs automated, distributed, or

event-driven probes of geographically
dispersed network services
services, OS
OS,
routers/switches, firewalls, and
applications and then displays the scan
results
ISS Security Scanner: Screenshot
Nessus
Nessus is a vulnerability scanner which looks for bugs in software
An attacker can use this tool to violate the security aspects of a software
product
Features:
• Plug-in-architecture
• NASL (Nessus Attack Scripting Language)
• Can test unlimited number of hosts
simultaneously
• Smart service recognition
• Client-server architecture
• Smart plug-ins
• Up-to-date security vulnerability database
Nessus: Screenshot 1
Nessus: Screenshot 2
GFI LANGuard
GFI LANGUARD analyzes the

operating system and the
applications running on a
network
t k and
d finds
fi d outt th
the
security holes present
It scans the entire network,

IP by IP, and provides
information such as the
service pack level of the
machine and missing security
patches, to name a few
GFI LANGuard Features
Fast TCP and UDP port scanning and identification
Finds all the shares on the target network
It alerts the pinpoint security issues
Automatically detects new security holes
Checks p
password p
policyy
Finds out all the services that are running on the target network
Vulnerabilities database includes UNIX/CGI issues
SATAN (Security Administrator’s
Tool for Analyzing Networks)
Security-auditing tool developed by Dan Farmer and Weitse
Venema
Examines UNIX-based systems and reports the vulnerabilities
Provides information about the software, hardware, and

network topologies
User-friendly program with an X Window interface
Written using C and Perl languages. Thus to run SATAN, the

attacker needs Perl 5 and a C compiler installed on the system
In addition,
addition the attacker needs a UNIX-based operating system
and at least 20MB of disk space
Retina
Retina network security scanner is a network vulnerability assessment scanner
It can scan every machine on the target network, including a variety of operating
system platforms
platforms, networking devices,
devices databases
databases, and third party or custom
applications
It has the most comprehensive

p and up-to-date
p vulnerabilityy database and
scanning technology
Retina: Screenshot
Nagios
www.nagios.org
Nagios is a host and service monitor designed to inform you of

network
k problems
bl before
b f your clients,
l end-users,
d or managers do
d
Features:
• Monitoring of network services (SMTP, POP3, HTTP, NNTP,
PING, etc.)
• Monitoring of host resources (processor load, disk and memory
usage, running processes, log files, etc.)
• Simple plugin design that allows users to easily develop their
own host and service checks
• Ability to define network host hierarchy, allowing detection of
and distinction between hosts that are down and those that are
unreachable
• Contact notifications when service or host problems occur and
get resolved (via email, pager, or other user-defined method)
Nagios: Screenshot 1
PacketTrap's pt360 Tool Suite
It consolidates the PacketTrap free network management tools into a

real time reporting solution and replaces disparate IT tools from
multiple vendors
It also includes integration with brower

brower-based
based open source networking
tools such as Nagios, OpenNMS, and others
Features:
Real Time Reporting
Dashboard
Favorites
Recent Tools Lists
Networks
Custom Tools and Categories
PacketTrap's pt360 Tool Suite:
Screenshot
NIKTO
NIKTO is an open source web server scanner

It performs comprehensive tests against webservers for
multiple items
It tests web servers in the shortest time possible
Uses RFP’s libwhisker as a base for all network functionality
F easy updates,
For d the
h main
i scan d
database
b iis off CSV fformat
SSL support
Output to file in simple text, html, or CSV format
Plug-in support
Generic and server type specific checks

SAFEsuite Internet Scanner,
IdentTCPScan
SAFEsuite Internet Scanner
• Developed by Internet Security Systems (ISS) to examine the

vulnerabilities in Windows NT networks
• Requirements are Windows NT and product license key
• Reports all possible security gaps on the target system
• Suggests possible corrective actions
• Uses three scanners: Intranet,
Intranet Firewall
Firewall, and Web Scanner
IdentTCPScan
• Examines open ports on the target host and reports the services
running on those ports
• It
I is
i a special
i l ffeature that
h reports the
h UID
UIDs off the
h services
i
Draw Network Diagrams of
Vulnerable Hosts
FriendlyPinger
A powerful and user-friendly application for network administration andmonitoring
It can be used for pinging of all devices in parallel at once and in assignment of external
commands (like telnet, tracert, net.exe) to devices
LANsurveyor
www.solarwinds.com
VisioLANsurveyor
y automaticallyy discovers yyour network and p
produces
comprehensive and easy-to-view network maps that can be exported
into Microsoft Office
Features:
• Automatically discovers and diagrams network

topology
• Generates network maps in Microsoft Office® Visio®
• Automatically detects new devices and changes made to
the network topology
• Performs inventory management for hardware and
software assets
• Directly addresses PCI compliance and other regulatory
requirements
LANsurveyor: Screenshot
Ipsonar
www.lumeta.com
Lumeta's IPsonar actively scans the network to collect all data

related
l d to these
h ffactors via
i NNetwork
k Di
Discovery, H
Host Di
Discovery,
Leak Discovery, and Device Fingerprint Discovery
LANState
www.10 strike.com
www.10-strike.com
LANState is a network mapping, monitoring, management, and

administration software solution for corporate Microsoft Windows
networks
Benefits:
• LANState builds a network map automatically by

scanning Windows network neighborhood or IP-
address range
• Save your network map for future use, print it, and
export it to a bitmap file
• Be notified by background device monitoring via a
screen message,
message sound,
sound or ee-mail
mail when your
servers go down or start working
LANState: Screenshot
Insightix Visibility
www.insightix.com
Insightix Visibility obtains a complete inventory of all network devices,

i l di fi
including firewalled,
ll d unmanaged d andd virtual
i lddevices,
i and
d provides
id
location information and a full list of associated properties
Features:
• Complete IT Asset Discovery – It delivers a comprehensive
inventoryy of everyy device on the network,, including g firewalled,,
unmanaged and virtual devices, and provides location information
and a full list of associated properties
• Accurate Network Topology Map – It maps the entire physical
network topology,
p gy, including g all devices,, such as workstations,,
servers, printers, wireless access points, VoIP phones, switches,
routers, and more
• Real-Time Change Detection – It continuously monitors the
network for anyy changesg made to the network and/or / anyy of the
devices on the network
IPCheck Server Monitor
www.paessler.com
IPCheck Server Monitor helps organizations to monitor critical

network resources and detect system failures or performance
problems immediately, thus minimizing downtimes and their
economic impact
Features:
• Powered by Paessler's reliable IPCheck™ technology

• Remote Management via web browser, PocketPC, or Windows
client
• Notifies
N tifi users about
b t outages
t b
by email,
il ICQ
ICQ, or pager/SMS,
/SMS and
d
more
• Monitors network services with its comprehensive sensor type
selection
• Multiple
M l i l llocation
i monitoring
i i using i secure R Remote PProbes
b
IPCheck Server Monitor:
Screenshot 1
Screenshot 2
Screenshot 3
PRTG Traffic Grapher
www.paessler.com
PRTG Traffic Grapher is an easy to use Windows software for

monitoring and classifying the bandwidth’s
bandwidth s usage
It provides system administrators with live readings and long-term

usage
g trends for their network devices
Features:
Avoid bandwidth and server performance bottlenecks
Find out what applications or what servers use up your bandwidth
Deliver better quality of service to your users by being proactive
Reduce costs by buying bandwidth and hardware according to the

actual load
PRTG Traffic Grapher Screenshot:
Network Traffic Monitoring
g
PRTG Traffic Grapher Screenshot:
Customizable Screen Layout
y
PRTG Traffic Grapher Screenshot: Access
Monitoring
g Data from Anywhere
y Using
g a Web Browser
Preparing Proxies
Proxy Servers
Proxy is a network computer that can serve as an
intermediate
te ed ate for
o co
connection
ect o with
t ot
other
e co
computers
pute s
They are usually used for the

following purposes:
• As a firewall, a proxy protects the local
network from outside access
• As an IP addresses multiplexer,
multiplexer a proxy allows the
connection of a number of computers to the
Internet when having only one IP address
• Proxy servers can be used (to some extent) to
anonymize web surfing
• Specialized proxy servers can filter out unwanted
content, such as ads or 'unsuitable' material
• Proxy servers can afford some protection against
h ki attacks
hacking tt k
Use of Proxies for Attack
DIRECT ATTACK/ NO PROXIES (1)
Logged
d proxy
PROXY VICTIM
(2)
The last proxy IP address
ATTACKER
CHAIN OF PROXIES is logged
There can be thousands
of proxies used in the
attack process
Traceback can be
extremely difficult
(3)
Free Proxy Servers
Attacks using thousands of proxy servers around the world are difficult to trace
Thousands of free proxy servers are available on the Internet
Search for “free proxy servers” in Google
Some of them might be a honeypot to catch hackers red

red-handed
handed
Using proxy servers can mask your trace
Free Proxy Servers (cont’d)
SocksChain
SocksChain is a program that works

through a chain of SOCKS or HTTP
proxies to conceal the actual IP-address
SocksChain can function as a usual

SOCKS-server that transmits queries
through
h h a chain
h i off proxies
i
Proxy Workbench
Proxy Workbench is a small proxy server which resides inside the

network and monitor’s connection
Configuration:
Install Proxy Workbench
Configure the clients to use this proxy IP to connect to port 8080
User
Internet
Proxy Server Copyright © by EC-Council

Proxy Workbench: Screenshot
ProxyManager Tool
ProxyManager connects to
the Internet and downloads
lists of proxy servers from
various websites
You will have thousands of

proxyy server IP addresses
p
within minutes
Saves time instead of

manually visiting
individual web sites looking
for free proxy servers
Super Proxy Helper Tool
S
Super Proxy
P Helper
H l will
ill h
help
l you to:
• Fi
Find
d anonymous, ffree, or ffastest proxy
• Check proxy status response time within a country
• Determine Proxy type (Transparent, Anonymous, or High
anonymity)
• Import export proxy
• Download proxy lists from the web
Super Proxy Helper Tool (cont’d)
Happy Browser Tool (Proxy-based)
Happy Browser is a multifunctional web browser with many

i t
integrated
t d utilities
tiliti
You can dynamically change proxy servers while browsing the

web
You can even use hundreds of proxy servers to browse the web
It is a complete automated proxy-based web browser
Happy Browser Tool (Proxy-based)
(cont d)
(cont’d)
MultiProxy
What if your Firewall is blocking you from various proxy servers and
anonymizers?
MultiProxy uses different proxies every time you visit the Internet
Add thousands of proxies to the list and your Firewall does not see a
pattern in your traffic
This tool can make the trace difficult
MultiProxy (cont’d)
How Does MultiProxy Work
List of Proxy Servers
164.58.28.250:80
194.muja.pitt.washdctt.dsl.att.ne
j p
t:80
web.khi.is:80
customer-148-223-48-
114.uninet.net.mx:80
163.24.133.117:80
paubrasil.mat.unb.br:8080 Target
164.58.18.25:80
bpubl014.hgo.se:3128
Attacker bpubl007.hgo.se:3128
www.reprokopia.se:8000
193.188.95.146:8080
193.220.32.246:80
AStrasbourg-201-2-1-
26.abo.wanadoo.fr:80
gennet.gennet.ee:80
t t 80
pandora.teimes.gr:8080
mail.theweb.co.uk:8000
mail.theweb.co.uk:8888
194.6.1.219:80
194.79.113.83:8080
ntbkp.naltec.co.il:8080
195 103 8 10:8080
195.103.8.10:8080 Internet
pools1-31.adsl.nordnet.fr:80
pools1-98.adsl.nordnet.fr:80
195.167.64.193:80
server.sztmargitgimi.sulinet.hu:8
MultiProxy running 0
at 127.0.0.1:8088 los.micros.com.pl:80
195.47.14.193:80
mail.voltex.co.za:8080
196.23.147.34:80
196.40.43.34:80
TOR Proxy Chaining Software
Tor is a network of virtual tunnels connected together and works like

a big chained proxy
It masks the identity of the originating computer from the Internet
Tor uses random set of servers every time a user visits a site
A branch of the U.S. Navy uses Tor for open source intelligence
gathering, and one of its teams used Tor while deployed in the
Middle East
Law enforcement agencies use Tor for visiting or surveillance of web

sites without leaving government IP addresses in their web logs and
for security during sting operations
Visit http://tor.eff.com
TOR Proxy Chaining Software
Additional Proxy Tools
Anonymizers
Anonymizers are services that help to make web surfing anonymous
The first anonymizer developed was Anonymizer.com, created in 1997 by Lance

Cottrell
An anonymizer removes all the identifying information from a user’s computers

while the user surfs the Internet,
Internet thereby ensuring the privacy of the user
Why Use Anonymizer?
• Example: Google.com keeps track of all your web

searches on their servers by placing a cookie on
your machine
• Every
E single
i l search h you entered
t d att G
Googlel iis
logged
Surfing Anonymously
Bypasses the
security line
www.proxify.com
User wants to access

Sites (e.g. www.target.com) which have been
blocked as per company’s policy Gets access to
www.target.com
Primedius Anonymizer
www primedius com
www.primedius.com
StealthSurfer
StealthSurfer offers comprehensive protection of

personal information, credit card numbers, and
financial transactions from online snoops
It is tiny enough to carry on a keychain, and bundled

with its own high-speed browser; the USB 2.0 flash drive
plugs into the USB port of a Windows XP or Windows
2000 computer and allows users to surf the web with
total privacy
Anonymous Surfing: Browzar
Anonymous Surfing: Browzar 1
Anonymous Surfing: Browzar 2
Torpark Browser
www.torrify.com/index.php
Torpark is free, portable, zero-install, pre-

configured, fully anonymous, and encrypted
browser which runs on Windows
It is based on the Firefox browser and connects to

the
h IInternet via
i the
h onion
i router network k
You could even put it on a USB keychain and surf

anonymously and leave no tracks behind
Torpark Browser: Screenshot
GetAnonymous
GetAnonymous offers a comprehensive online privacy and protection

solution that combines several popular features into a single product
Features:
• Shields your IP address

• Provides you with enhanced proxy suit
• Cleans all traces left on your pc after surfing the Internet
• Keeps cookies off your computer
• Destroys all logs that may keep information about your surfing habits
• Controls data going out of your computer
• Blocks data sent to you by a suspicious server
• HTTP, HTTPS, SOCKS4, and SOCKS5 support
• Logs all your surfing activities
• Controls your level of privacy with customized settings
GetAnonymous: Screenshots 1
GetAnonymous: Screenshots 2
IP Privacy
www.privacy pro.com
www.privacy-pro.com
IP Privacy is a privacy protection tool that hides your computer IP

address
dd preventing
ti your surfing
fi habits
h bit and d your IInternet
t t activity
ti it
over the Internet form being tracked by websites or Internet Service
Providers
IP Privacy provides a good online privacy protection by cleaning all

online traces that may harm or use inadvertently information on your
computer:
p
• Clears Internet History

• Clears Typed URL
• Cl
Clears Temporary
T IInternet
t t Fil
Files
• Clears Cookies
• Clears Auto Complete Forms History
• Clears Auto complete Password History
• Clears Internet Favorites
IP Privacy: Screenshot
Anonymity 4 Proxy (A4Proxy)
www.inetprivacy.com
A4Proxy is a personal anonymous proxy server and anonymizing software
This local proxy server includes a database with hundreds of anonymous

public proxy servers located all over the world
Benefits:
• Visits any website in the world without telling them who you are and
where
h you li
live
• Optionally modifies the operating system and other technical
information sent out by your browser
• Confuses the websites further by sending them a fake IP address along
with your requests
• Downloads files with programs like GetRight and other download
managers staying anonymous to the sites from which you download
• If you are a webmaster, submit multiple webpages to search engines
without having to worry about submission limits - submit each page
using a different anonymous proxy!
Anonymity 4 Proxy: Screenshot 1
Psiphon
Psiphon is a human rights software project developed by the Citizen Lab at the
Munk Centre for International Studies
It allows citizens in uncensored countries to provide unfettered access to the Net
They can access with their home computers to friends and family members who
live behind firewalls of states that censor
Psiphon: Screenshot
Connectivity Using Psiphon
Connectivity to Wikipedia – Step 1
Bloggers Write Text Backwards
to Bypass Web Filters in China
Bloggers and journalists in China are using a novel approach to bypass Internet filters
i their
in th i country
t – they
th write it backwards
b k d or from
f right
i ht tto lleft
ft
The content therefore remains readable by human beings but defeats the web filtering
software
ft
China is known to implement ‘packet filtering’ – a technique that detects TCP packets
containing
i i controversial
i l keywords
k d lik
like Tibet,
Tib D Democracy, Ti
Tiananmen, etc
To dodge these censors, Internet writers in China are writing backwards when posting
to web
b forums
f andd bl
blogs
They do it using this web tool that flips sentences to read right to left instead of left to
right, and vertically instead of horizontally
Vertical Text Converter
http://www.cshbl.com/gushu.html
How to Check If Your Website Is
Blocked In China or Not
"How do I find out if web users in China can access my website at xyz.com?”
If you get a "Packets lost" error or there is a time-out while connecting to your site,
chances are that the site is restricted
1. Just Ping - They have checkpoints inside Hong Kong and Shanghai in China
• http://www.just-ping.com/index.php
2. Watch Mouse - This service too has monitoring stations inside Hong Kong and Shanghai in
China
• http://www.watchmouse.com/en/ping.php
p // / /p g p p
3. Website Pulse - In addition to Hong Kong and Shanghai, Website Pulse conducts website
connectivity test from a computer located in Beijing as well
• http://www.websitepulse.com/help/testtools.china-test.html
Mowser and Phonifier
Surf the web using Mowser and Phonifier, a new service that is free and
converts any website into a mobile phone friendly format
www.mowser.com
www.phonifier.com
AnalogX Proxy
AnalogX Proxy is a small and simple server that allows any other
machine on your local network to route it’s
it s requests through a central
machine
Supports HTTP (web),

S ( b) HTTPS (secure
( web),
b) POP3
POP (receive
( i mail),
il)
SMTP (send mail), NNTP (newsgroups), FTP (file transfer), and
Socks4/4a and partial Socks5 (no UDP) protocols
NetProxy
www.grok.co.uk
NetProxy is a secure, reliable, and highly cost-effective

method of providing simultaneous Internet access to
multiple network users with only one Internet connection of
almost any type
Proxy+
www.proxyplus.net
Proxy+ works as firewall proxy server and mail server
Features:
• Separates the LAN from the
Internet to protect from attacks
• Insecure interfaces (connected to
the internet) are detected
automatically
• Cache
C h increases
i speed
d off d
data
retrieval and enables the use of data
even if a connection is not
established
• Sends and receives mail for many
Internet mail boxes at one time
using the POP3 protocol
• Full SMTP mail server for one or
more domains
• Option
i forf lleaving
i messages on
POP3 server
ProxySwitcher Lite
www.proxyswitcher.com
ProxySwitcher Lite is a handy tool to quickly switch between different

proxy servers while surfing the Internet
F t
Features:
Change proxy settings on the fly
Automatic proxy server switching for anonymous surfing
Works with Internet Explorer, Firefox, Opera, and others
Flexible proxy list management
Proxy server availability testing
Anonymous proxy server list download

ProxySwitcher Lite: Screenshot
JAP
JAP enables anonymous web surfing with any browser through

the use of integrated proxy services that hide your real IP address
JAP: Screenshot
Proxomitron
Proxomitron is a flexible HTTP web filtering proxy that enables to filter web
content in
i any b
browser
This program runs as a local proxy server and needs to configure browser to
use a local
l l host
h at port 8080
8 8 iin order
d to activate
i fil
filtering
i
Proxomitron allows you to remove and replace ad banners, Java scripts, off-
site images,
images Flash animations
animations, background images,
images frames
frames, and many other
page elements
HTTP headers can be added,

added deleted
deleted, or changed
Proxomitron filters can be customized and edited as per needs
Proxomitron: Screenshots
Google Cookies
"Google builds up a detailed profile of your
search terms over many years. Google
probably knew when you last thought you
were pregnant, what diseases your children
have had, and who your divorce lawyer is."
BBC technology commentator Bill Thompson
G-Zapper helps you stay anonymous while

searching Google by deleting or blocking the
Google cookie that tracks your preferences and
search history
This is what Google's log might look like when you

search for “cars””
inktomi1-lng.server.ntl.com - 25/Mar/2003 10:15:32

htt //
http://www.google.com/search?q=cars"
l / h? " - MSIE 6
6.0;
0 Wi
Windows
d NT 5
5.1
1 -
740674ce2123e969 PRIVACY COOKIE
SSL Proxy Tool
SSLproxy is a transparent proxy that can translate between encrypted and
unencrypted data transport on socket connections
It also has a non-transparent mode for automatic encryption-detection on netbios
Wh should
When h ld I use SSLP
SSLProxy??
• Let’s say you want to launch an attack on a remote server which has SSL installed
• The exploits you send will be caught by the IDS and you want to mask this detection
• Run SSLproxy
p y on yyour machine and tunnel all the exploits
p through
g this p
proxy,
y, which will use SSL to
transmit the packets to the remote server blinding the IDS
Exploits SSLProxy IDS SSL Protocol
ESTABLISH SSL TUNNEL TO SEND EXPLOITS
INTERNET
How to Run SSL Proxy
Window 1: Client – Hacker Machine Run:
• sslproxy -L127.0.0.1 -l55 -R <some remote IP> -r
443 -c dummycert.pem -p ssl2
Window 2: Client - Connect to 12.0.0.1 p

port 55
and send your exploits
• Example: telnet 127.0.0.1 55
• Then type GET /
HTTP Tunneling Techniques
HTTP Tunneling technology

allows users to perform various
Internet tasks despite the
restrictions imposed by firewalls
This is made possible by sending

data through HTTP (port 80)
Why Do I Need HTTP Tunneling
Let’s say your
organization has
blocked all the p
ports in
your firewall and only
allows port 80/443
and you want to use
FTP to connect to
some remote server on
the Internet
In this case, you can

send your packets via
ol
http protocol
toc
pro
p
htt
ia
tv
en
ssi
ta
Da
Httptunnel for Windows
httptunnel creates a bidirectional virtual data connection tunnelled in HTTP requests. The HTTP
requests can be sent via an HTTP proxy if so desired
This can be useful for users behind restrictive firewalls
If WWW access is allowed through an HTTP proxy, it is possible to use httptunnel and, say, telnet or
PPP tto connectt to
t a computer
t outside
t id the
th firewall
fi ll
On the server you must run hts. If I wanted to have port 80 (http) redirect all
traffic to port 23 (telnet) then it would go something like:
hts -F server.test.com:23 80
On the client you would run htc. If you are going through a proxy, the -P option is
needed otherwise omit it.
htc -P proxy.corp.com:80 -F 22 server.test.com:80
Then telnet localhost and it will redirect the traffic out to port 80 on the proxy server and on to
port 80 of the server, then to port 23.
How to Run Httptunnel
HTTP-Tunnel
HTTP-Tunnel acts as a socks server allowing you to use your Internet

applications
li i safely
f l d
despite
i restrictive
i i fi firewalls
ll and
d gives
i you an extra
layer of protection against hackers, spyware, and ID theft's
Features:
• Bypasses any firewall
• Secures Internet browsing
• Can use favorite programs without being monitored
• Has extra security for online transactions
• Encrypts all your Internet traffic
• Visits sites that were previously blocked
• Prevents 3rd party monitoring or regulation of your Internet
browsing and downloads
• Uses yyour favorite applications
pp p
previouslyy blocked
• Hides your IP address
HTTP-Tunnel: Screenshot 1
HTTPort
HTTPort (client)
HTTP ( li ) and
d HTTHost
HTTH (server)
( ) are free
f tools
l which
hi h can be
b used
d to tunnell any TCP traffic
ffi
through HTTP protocol
Visit http://www.htthost.com for more information
It is a free open source tool. Source code is available on the Internet
Spoofing IP Address
IP Spoofing is when an attacker changes his IP address so that he/she appears to

be someone else
When the victim replies back to the address, it goes back to the spoofed address
and not to the attacker’s real address
You will not be able to complete the three-way handshake and open a successful
TCP connection by spoofing an IP address
Example: (7.7.7.7 is
the spoofed address)
Hping2 www.eccuni.us -a
7.7.7.7
Spoofing IP Address
From Address: 10.0.0.5

To Address: 10.0.0.25
Attacker
10.0.0.5
Peter
10.0.0.25
Spoofed Address
EC-Council 10.0.0.50 All Rights Reserved. Reproduction is Strictly Prohibited
Spoofing IP Address Using
Source Routing
For this technique to work, an attacker must inject himself into the path that
traffic would normally take, to get from the destination machine back to the source
Source routing allows you specify the path a packet will take through the Internet
Source routing feature is built into the TCP/IP protocol suite
The sender specifies a list of IP

Loose source
addresses that the traffic or
routing (LSR)
Types of packet must go through
source
routing:
Strict source The sender specifies the exact
routing (SRS) path that the packet must take
Source Routing (cont
(cont’d)
d)
Source routing works by using a 39-byte source route option field in the
IP header
You can specify upto 8 IP addresses in this field
An attacker sends a packet to the destination with a spoofed address but

specifies loose source routing and puts his IP address in the list
When the recipient responds, the packet goes to the attacker’s machine
before reaching the spoofed address
Source Routing (cont
(cont’d)
d)
For this
F hi technique
h i to work,
k an attacker
k must iinject
j hi
himself
lf iinto the
h
path that traffic would normally take to get from the destination
machine back to the source
3. Attacker sees the 1. Spoofed packet

reply as it goes back From Address: 10.0.0.5
to 10.0.0.5 T Add
To Address: 10.0.0.25
10 0 0 25
2. Replies
sent back
Spoofed to: 10.0.0.5
Address Attacker Peter
10.0.0.5 10.0.0.50 10.0.0.25
Source Routing Command
The command in Windows:
•tracert –j 10
10.0.0.50
0 0 50 10
10.0.0.5
0 0 5
The command in hping2:

•hping2 –G 10.0.0.50 10.0.0.5
Countermeasures
• DISABLE IP SOURCE ROUTING AT THE ROUTER
Detecting IP Spoofing
When an attacker is spoofing packets, he/she is usually at a different location than the
address being spoofed
Attacker's TTL will be different from the spoofed address' real TTL
If you check the received packet’s TTL with spoofed one, you will see TTL does not match
Sending a packet with spoofed

10.0.0.5 IP – TTL 13
Attacker
Target
Spoofed Address Copyright © by EC-Council

EC-Council 10.0.0.5 All Rights Reserved. Reproduction is Strictly Prohibited
Despoof Tool
Despoof is a free, open

source tool that
measures the TTL to
determine whether or
not a packet
k has
h been
b
spoofed
The idea is simple - if

you receive a packet
that you suspect is
spoofed try to
spoofed,
determine the real TTL
of the packet and
compare it to the TTL of
the packet you received
Scanning Countermeasures
The firewall of a particular network should be good

enough to detect the probes of an attacker. The firewall
should carry out inspection having a specific rule set
Network intrusion detection systems should be used to

find out the OS detection method used by some tools
such as Nmap
Only necessary ports should be kept open and the rest

should be filtered
All sensitive information that is not to be disclosed to the

public over the Internet, should not be displayed
Tool: SentryPC
Secure Filtering, Monitoring, and Access Control
SentryPC enables you to control, restrict, and monitor access and usage of your
PC
Features:
• Complete Time Management

• Application-on
pp Scheduling
g and Filtering
g
• Website Filtering
• Chat Filtering
• Keystroke Filtering
• Powerful Security Features
• Protects your Users
• Logs
• Keystrokes Typed
• Application Usage
• Website Visits
• Chat Conversations
• Windows Viewed
SentryPC: Screenshot 1
SentryPC: Screenshot 2
What Happened Next?
Stephen could not believe the information that

was exposedd after
ft ththe scan. St
Stephen
h could
ld llay hi
his
hands on the following information:
• Operating System of the Web server
• System services
• Firewall mechanism
• Vulnerabilities present on the web server
ATTACK!!
Summary
Scanning is one of the three components of intelligence gathering for an attacker
The objective of scanning is to discover live systems, active/running ports, the operating systems, and the
services running on the network
FTP bounce scanning is a type of port scanning which makes use of the Bounce attack vulnerability in FTP
servers
War dialing
g involves the use of a p
program
g in conjunction
j with a modem to p
penetrate the modem-based
systems of an organization by continually dialing in
OS fingerprinting is the method to determine the operating system that is running on the target system
Proxy is a network computer that can serve as an intermediate for connecting with other computers
A chain of proxies can be created to evade the traceback of the attacker

CEHv6 Module 05 Scanning PDF

Uploaded by

Copyright:

Available Formats

CEHv6 Module 05 Scanning PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv6 Module 05 Scanning PDF

Uploaded by

Copyright:

Available Formats

Ethical Hacking and

Stephen used to be the most bullied guy in his circle of friends.

Source: http://www.computerworld.com/ Copyright © by EC-Council

This module will familiarize you with:

Types of scanning Banner Grabbing

Scanning Objectives OS Fingerprinting

Drawing Network Diagrams

Checking live systems Preparing Proxies

Checking open ports Anonymizers

Scanning techniques Countermeasures

Scanning is one of the three components of intelligence gathering for an

The attacker finds information about

The various types of scanning

Port Network Vulnerability

To detect the live systems

To discover the operating system running on the target system

To discover the services running/listening on the target system

Check for live systems

ICMP scanning can be run parallel so that it can run fast

An IP scanner for Windows

Can scan IPs in anyy range

It simply pings each IP address to check if it is alive

Provides NETBIOS information such as:

A ping sweep (also known as an ICMP sweep) is a basic network scanning

A ping sweep consists of ICMP ECHO requests sent to multiple hosts

If a given address is live, it will return an ICMP ECHO reply

Firewalking is a tool that employs traceroute-like techniques to

The tooll employs

PACKET FILTER Firewalking Host

Hop n+m (m>1)

The Computer A ( 192.168.1.2 ) initiates a connection to the server (

Standard TCP communications are controlled by flags in

Nmap is a free open source utility for network

It is designed to rapidly scan large networks

• Nmap is used to carry out port scanning, OS detection,

Some of the scan methods used by Nmap:

Xmas Tree: The attacker checks for TCP

SYN Stealth: It is referred to as "half-open"

Null Scan: It is an advanced scan that may

Windows Scan: It is similar to the ACK scan

ACK Scan: It is used to map out firewall

-sT (TcpConnect) -sW (Window Scan)

-sF (Fin Scan) -sL (List/Dns Scan)

-sX (Xmas Scan) -P0 (don’t ping)

-sN (Null Scan) -PT (TCP ping)

-sP (Ping Scan) -PS (SYN ping)

-sU (UDP scans) -PI (ICMP ping)

-sO (Protocol Scan) -PB (= PT + PI)

-sI (Idle Scan) -PP (ICMP timestamp)

-PM (ICMP netmask)

-T Paranoid – serial scan & 300 sec wait

-T Sneaky - serialize scans & 15 sec wait

-T Polite - serialize scans & 0.4

-T Normal – parallel scan

-T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe

--max_parallelism --scan_delay (between probes)

--resume (scan) --append_output

-iL <targets_filename> -p <port ranges>

-F (Fast scan mode) -D <decoy1 [,decoy2][,ME],>