CEH Lab Manual (source: docshare01.docshare.tips/files/18489/184890979.pdf, 2016-06-01)

CEH Lab Manual: Scanning Networks, Module 03



  • Module 03 - Scanning Networks

    Scanning a Target Network

    Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

    Lab Scenario

    Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing, list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.

    Lab Objectives

    The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network.

    You need to perform a network scan to:

    ■ Check live systems and open ports

    ■ Perform banner grabbing and OS fingerprinting

    ■ Identify network vulnerabilities

    ■ Draw network diagrams of vulnerable hosts

    Lab Environment

    In the lab, you need:

    ■ A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access

    ■ A web browser

    ■ Administrative privileges to run tools and perform scans

    Lab Duration

    Time: 50 Minutes

    Overview of Scanning Networks

    Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.

    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

    Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

    CEH Lab Manual Page 85


    Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial-of-service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

    For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.
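The check a tester would run to triage the anonymous-FTP case just described, as an added example that is not part of the lab manual: log in as anonymous, see whether the session is confined to the FTP directory or can walk the rest of the filesystem, and rate the exposure the way the paragraph does. The escape paths, the sensitive-name patterns and the anonymous e-mail address are assumptions for illustration; `rate_exposure` carries the decision logic and runs offline on a constructed listing.

```python
"""Triage anonymous FTP read access: connect, log in as anonymous, check whether the
account is confined to the FTP directory or can read outside it, and look for files
that should never be anonymously readable.  Added example, not part of the lab manual."""
import re
from ftplib import FTP, error_perm
from typing import List, Optional, Tuple

# Directories that exist outside any sane anonymous FTP root; reaching one means the
# whole filesystem is exposed (assumed list for illustration).
ESCAPE_PROBES = ["/etc", "/Windows", "/Users", "/home", "/var"]
# File names that suggest trade secrets or credentials (assumed patterns).
SENSITIVE = re.compile(r"(passw|secret|backup|\.bak$|\.sql$|\.pst$|\.kdbx?$|customer|contract)", re.I)


def anonymous_login(host: str, port: int = 21, timeout: float = 10.0) -> Optional[FTP]:
    """Return an FTP session logged in as anonymous, or None if anonymous access is refused."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "probe@example.com")   # classic anonymous credentials
        return ftp
    except (OSError, error_perm):
        return None


def probe_escape(ftp: FTP) -> bool:
    """True if the anonymous account can change into a directory outside the FTP root."""
    for path in ESCAPE_PROBES:
        try:
            ftp.cwd(path)
            return True
        except error_perm:
            continue
    return False


def rate_exposure(root_readable: bool, entries: List[str]) -> Tuple[str, List[str]]:
    """The manual's reasoning as code: an empty or boring directory is a minimal risk,
    sensitive files or a readable filesystem are critical."""
    hits = [e for e in entries if SENSITIVE.search(e)]
    if root_readable or hits:
        return "critical", hits
    return ("minimal" if not entries else "low"), hits


def assess_anonymous_ftp(host: str) -> dict:
    """Live check against one host; returns a small report dictionary."""
    ftp = anonymous_login(host)
    if ftp is None:
        return {"anonymous": False}
    try:
        try:
            entries = ftp.nlst()             # listing of the landing directory
        except error_perm:                   # some servers answer 550 for an empty dir
            entries = []
        escaped = probe_escape(ftp)
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError):
            ftp.close()
    rating, hits = rate_exposure(escaped, entries)
    return {"anonymous": True, "filesystem_readable": escaped,
            "rating": rating, "sensitive": hits}


if __name__ == "__main__":
    import sys
    print(assess_anonymous_ftp(sys.argv[1] if len(sys.argv) > 1 else "ftp.example.com"))
```

A directory that is reachable only because the server does not chroot the anonymous user is rated critical even when the landing directory is empty; that is the "entire file system" case in the text.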

    Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment.

    In this module we will look at several forms of vulnerability assessment and study some commonly used scanning tools.

    Lab Tasks

    Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

    Recommended labs to assist you in scanning networks:

    ■ Scanning System and Network Resources Using Advanced IP Scanner

    ■ Banner Grabbing to Determine a Remote Target System Using ID Serve

    ■ Fingerprint Open Ports for Running Applications Using the Amap Tool

    ■ Monitor TCP/IP Connections Using the CurrPorts Tool

    ■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012

    ■ Explore and Audit a Network Using Nmap

    ■ Scanning a Network Using the NetScanTools Pro

    ■ Drawing Network Diagrams Using LANSurveyor

    ■ Mapping a Network Using the Friendly Pinger

    ■ Scanning a Network Using the Nessus Tool

    ■ Auditing Scanning by Using Global Network Inventory

    ■ Anonymous Browsing Using ProxySwitcher

    ■ Daisy Chaining Using ProxyWorkbench

    ■ HTTP Tunneling Using HTTPort

    ■ Basic Network Troubleshooting Using the MegaPing

    ■ Detect, Delete and Block Google Cookies Using G-Zapper

    ■ Scanning the Network Using the Colasoft Packet Builder

    ■ Scanning Devices in a Network Using The Dude

    TASK 1: Overview

    Ensure you have ready a copy of the additional readings handed out for this lab.

    Lab Analysis

    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Scanning System and Network Resources Using Advanced IP Scanner

    Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.

    Lab Scenario

    In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

    Lab Objectives

    The objective of this lab is to help students perform a local network scan and discover all the resources on the network.

    You need to:

    ■ Perform a system and network scan

    ■ Enumerate user accounts

    ■ Execute remote penetration

    ■ Gather information about local network computers

    Lab Environment

    In the lab, you need:

    ■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner

    ■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com

    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

    ■ If you decide to download the latest version, then screenshots shown in the lab might differ

    ■ A computer running Windows 8 as the attacker (host machine)

    ■ Another computer running Windows Server 2008 as the victim (virtual machine)

    ■ A web browser with Internet access

    ■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner

    ■ Administrative privileges to run this tool

    Lab Duration

    Time: 20 Minutes

    Overview of Network Scanning

    Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. The information gathered is helpful in determining threats and vulnerabilities in a network and in finding out whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

    Lab Tasks

    TASK 1: Launching Advanced IP Scanner

    1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.

    FIGURE 1.1: Windows 8 - Desktop view

    2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).

    Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).

    FIGURE 1.2: Windows 8 - Apps

    3. The Advanced IP Scanner main window appears.

    FIGURE 1.3: The Advanced IP Scanner main window

    4. Now launch the Windows Server 2008 virtual machine (victim's machine).

    With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

    You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

    FIGURE 1.4: The victim machine Windows Server 2008

    5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.

    6. Click the Scan button to start the scan.

    7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.

    You have to guess a range of IP addresses for the victim machine.

    Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.

    The status of the scan is shown at the bottom left side of the window.

    FIGURE 1.6: The Advanced IP Scanner main window after scanning the range 10.0.0.1-10.0.0.10

    Status  Name             IP        Manufacturer           MAC address
    alive   10.0.0.1         10.0.0.1  Netgear, Inc.          00:09:5B:AE:24:CC
    alive   WIN-MSSELCK4K41  10.0.0.2  Dell Inc               D0:67:E5:1A:16:36
    alive   WINDOWS8         10.0.0.3  Microsoft Corporation  00:15:5D:A8:6E:C6
    alive   WIN-LXQN3WR3R9M  10.0.0.5  Microsoft Corporation  00:15:5D:A8:6E:03
    alive   WIN-D39MR5H19E4  10.0.0.7  Dell Inc               D4:BE:D9:C3:CE:2D
    5 alive, 0 dead, 5 unknown

    8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.

    9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.

    Shutdown options dialog: Use Windows authentication; User name; Password; Timeout (sec): 60; Message; Forced shutdown; Reboot.

    Winfingerprint input options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood.

    FIGURE 1.8: The Advanced IP Scanner Computer properties window

    12. Now you have the IP address, Name, and other details of the victim machine.

    13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.
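What the Scan button in steps 5 to 7 does at its simplest, as an added example that is not part of the lab manual or of Advanced IP Scanner: expand a range written the way the tool's Select range field takes it ("10.0.0.1-10.0.0.10"), send one ICMP echo request to every address in parallel, and report which hosts answered. The tool's real discovery uses more than ICMP (the MAC and manufacturer columns in Figure 1.6 come from ARP and NetBIOS), so this reproduces only the alive/no-reply part; the worker count and timeouts are assumptions.

```python
"""Host discovery over an address range: expand the range, ping every address concurrently
using the operating system's ping binary, and summarise which hosts replied.
Added example, not part of the lab manual."""
import ipaddress
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List


def expand_range(spec: str) -> List[str]:
    """Expand "10.0.0.1-10.0.0.10", "10.0.0.0/28" or a single address into host addresses."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end {last} precedes start {first}")
        return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]
    if "/" in spec:
        return [str(h) for h in ipaddress.IPv4Network(spec, strict=False).hosts()]
    return [str(ipaddress.IPv4Address(spec))]


def ping(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the OS ping binary, so no raw-socket privilege is needed.
    True only if the host itself replied; a host whose firewall drops ICMP looks dead."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 2)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    if platform.system() == "Windows":
        # Windows ping exits 0 even for "Destination host unreachable" sent by a router;
        # a genuine reply line carries a TTL value.
        return proc.returncode == 0 and "TTL=" in proc.stdout
    return proc.returncode == 0


def ping_sweep(spec: str, workers: int = 32,
               prober: Callable[[str], bool] = ping) -> Dict[str, bool]:
    """Probe every address in the range concurrently; prober is injectable for testing."""
    hosts = expand_range(spec)
    with ThreadPoolExecutor(max_workers=min(workers, len(hosts))) as pool:
        return dict(zip(hosts, pool.map(prober, hosts)))


def summarize(results: Dict[str, bool]) -> Dict[str, object]:
    """Mirror the scanner's status line: which addresses are alive and how many never answered."""
    alive = sorted((h for h, up in results.items() if up), key=ipaddress.IPv4Address)
    return {"alive": alive, "no_reply": len(results) - len(alive)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1-10.0.0.10"   # the lab's range
    print(summarize(ping_sweep(target)))
```

Run it from the attacker machine with the same range used in the lab. A Windows Server 2008 victim with the default firewall profile does not answer ping, so a missing entry here is a reason to try other probes (TCP connect to 445 or 3389, ARP on the local segment), not proof that the host is absent.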

    Lab Analysis

    Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

    Tool/Utility: Advanced IP Scanner

    Information Collected/Objectives Achieved - Scan Information:

    ■ IP address

    ■ System name

    ■ MAC address

    ■ NetBIOS information

    ■ Manufacturer

    ■ System status

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Examine and evaluate the IP addresses and range of IP addresses.

    Internet Connection Required: ☐ Yes ☑ No

    Platform Supported: ☑ Classroom ☑ iLabs

    Banner Grabbing to Determine a Remote Target System Using ID Serve

    ID Serve is used to identify the make, model, and version of any website's server software.

    Lab Scenario

    In the previous lab, you learned to use Advanced IP Scanner. Scanning tools can also be used by an attacker to detect vulnerabilities such as buffer overflows, integer overflows, SQL injection, and web application flaws on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and cause server damage.

    Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers, to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

    Lab Objectives

    The objective of this lab is to help students learn to banner grab a website and discover the applications running on it.

    In this lab you will learn to:

    ■ Identify the domain IP address

    ■ Identify the domain information

    Lab Environment

    To perform the lab you need:

    ■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve

    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

    ■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm

    ■ If you decide to download the latest version, then screenshots shown in the lab might differ

    ■ Double-click idserve to run ID Serve

    ■ Administrative privileges to run the ID Serve tool

    ■ Run this tool on Windows Server 2012

    Lab Duration

    Time: 5 Minutes

    Overview of ID Serve

    ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

    Lab Tasks

    TASK 1: Identify website server information

    1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve

    2. In the main window of ID Serve shown in the following figure, select the Server Query tab

    FIGURE 2.1: The ID Serve main window (Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Gibson Research Corp), Server Query tab

    FIGURE 2.2: Entering the URL (www.certifiedhacker.com) for query

    ID Serve can accept the URL or IP as a command-line parameter.

    4. Click Query The Server; it shows the server query processed information.

    FIGURE 2.3: The query result for www.certifiedhacker.com

    Tool/Utility: ID Serve

    Information Collected/Objectives Achieved:

    ■ IP address: 202.75.54.101

    ■ Server connection: standard HTTP port 80

    ■ Response headers returned from server:

      HTTP/1.1 200
      Server: Microsoft-IIS/6.0
      X-Powered-By: PHP/4.4.8
      Transfer-Encoding: chunked
      Content-Type: text/html
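The exchange behind the result above, as an added example that is not part of the lab manual or of ID Serve: open a TCP connection to port 80, send one request, read only the response headers, and pull out the Server and X-Powered-By fields that give away the make, model and version. The request line and User-Agent are assumptions (ID Serve's exact request is not shown on the page); the sample response is constructed to mirror the headers the lab recorded for www.certifiedhacker.com so the parser can run offline.

```python
"""HTTP banner grabbing: send one request, read the response headers, and extract the
fields that identify the server software.  Added example, not part of the lab manual."""
import socket
from typing import Dict, Optional


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request; Connection: close lets us stop reading at the header end."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "User-Agent: banner-check/1.0\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_response_headers(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP response into its status line and a case-insensitive header map."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def identify_server(parsed: Dict[str, object]) -> Dict[str, Optional[str]]:
    """The two headers that usually reveal the server make/version and the app stack."""
    h = parsed["headers"]
    return {"status": parsed["status"],
            "server": h.get("server"),            # e.g. Microsoft-IIS/6.0
            "powered_by": h.get("x-powered-by")}  # e.g. PHP/4.4.8


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Live probe: TCP connect, send the request, read until the header block ends."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        while b"\r\n\r\n" not in buf and len(buf) < 65536:   # cap guards against a flood
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return identify_server(parse_response_headers(buf))


# Constructed response mirroring the headers the lab recorded for www.certifiedhacker.com.
SAMPLE_RESPONSE = (b"HTTP/1.1 200\r\n"
                   b"Server: Microsoft-IIS/6.0\r\n"
                   b"X-Powered-By: PHP/4.4.8\r\n"
                   b"Transfer-Encoding: chunked\r\n"
                   b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(grab_banner(sys.argv[1]))
    else:
        print(identify_server(parse_response_headers(SAMPLE_RESPONSE)))
```

Treat the banner as a hint, not proof: the Server header is a free-form string that an administrator can rewrite or remove, and a reverse proxy in front of the host reports its own software rather than the origin's. Confirm a version with a second signal (error-page format, header order, a fingerprinting tool) before you rely on it.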

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Examine what protocols ID Serve apprehends.

    2. Check if ID Serve supports https (SSL) connections.

    Internet Connection Required: ☐ Yes ☑ No

    Platform Supported: ☑ Classroom ☑ iLabs

    Fingerprinting Open Ports Using the Amap Tool

    Amap determines applications running on each open port.

    Lab Scenario

    Computers communicate with each other by knowing the IP address in use, and ports determine which program handles the data when it is received. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine.

    In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

    Lab Objectives

    The objective of this lab is to help students learn to fingerprint open ports and discover applications running on these open ports.

    In this lab, you will learn to:

    ■ Identify the application protocols running on open port 80

    ■ Detect application protocols

    Lab Environment

    To perform the lab you need:

    ■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

    ■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap

    ■ If you decide to download the latest version, then screenshots shown in the lab might differ

    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

    ■ A computer running Web Services enabled for port 80

    ■ Administrative privileges to run the Amap tool

    ■ Run this tool on Windows Server 2012

    Lab Duration

    Time: 5 Minutes

    Overview of Fingerprinting

    Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.
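The trigger-and-response lookup described above, as an added example that is not Amap's own code or signature file: every port receives a small set of triggers, each response is matched against a table of response patterns, and a port may match several names at once (as 10.0.0.4:80 matched both http-iis and webmin in this lab), match nothing (amap's "Unidentified ports"), or refuse the connection (amap's "Could not connect (unreachable)"). The trigger payloads and the six signatures are an illustrative subset written for this example; the probe function is injectable so the matching logic runs offline.

```python
"""Amap-style application fingerprinting: probe each port with protocol triggers, match the
responses against regex signatures, and group ports as identified, unidentified or
unreachable.  Added example, not Amap's own code or signature file."""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Trigger name -> bytes sent after connecting.  "silent" sends nothing: FTP, SMTP and SSH
# servers announce themselves first, so their banner arrives unprompted.
TRIGGERS: Dict[str, bytes] = {
    "http-get": b"GET / HTTP/1.0\r\n\r\n",
    "silent": b"",
}

# (application name, trigger whose response to inspect, regex on the response).
# Small illustrative table; Amap ships a much larger one.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("http-iis",    "http-get", rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Microsoft-IIS/"),
    ("http-apache", "http-get", rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache"),
    ("http",        "http-get", rb"^HTTP/1\.[01] \d{3}"),
    ("ssh",         "silent",   rb"^SSH-\d\.\d-"),
    ("smtp",        "silent",   rb"^220[ -].*\b(E?SMTP)\b"),
    ("ftp",         "silent",   rb"^220[ -].*\bFTP\b"),
]

ProbeFn = Callable[[str, int, bytes], Optional[bytes]]   # None when the port is unreachable


def tcp_probe(host: str, port: int, payload: bytes, timeout: float = 3.0) -> Optional[bytes]:
    """Connect, send the trigger, collect whatever comes back within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload:
                s.sendall(payload)
            try:
                return s.recv(4096)
            except socket.timeout:
                return b""          # open but silent for this trigger
    except OSError:
        return None                 # refused or filtered: amap prints "Could not connect"


def match_signatures(trigger: str, response: bytes) -> List[str]:
    """Names of every signature for this trigger whose pattern is found in the response."""
    return [name for name, trig, pat in SIGNATURES
            if trig == trigger and re.search(pat, response, re.S | re.I)]


def fingerprint_port(host: str, port: int, probe: ProbeFn) -> Optional[List[str]]:
    """None if the port is unreachable, otherwise the (possibly empty) list of matches."""
    matches: List[str] = []
    for trig_name, payload in TRIGGERS.items():
        resp = probe(host, port, payload)
        if resp is None:
            return None
        for name in match_signatures(trig_name, resp):
            if name not in matches:
                matches.append(name)
    return matches


def scan(host: str, ports: List[int], probe: ProbeFn = tcp_probe) -> Dict[str, object]:
    """Group ports the way amap's report does: identified, unidentified, unreachable."""
    report: Dict[str, object] = {"identified": {}, "unidentified": [], "unreachable": []}
    for port in ports:
        result = fingerprint_port(host, port, probe)
        if result is None:
            report["unreachable"].append(port)
        elif result:
            report["identified"][port] = result
        else:
            report["unidentified"].append(port)
    return report


if __name__ == "__main__":
    print(scan("10.0.0.4", list(range(75, 82))))      # the lab's target and port range
```

Two caveats carry over to the real tool: a service that speaks first (SSH here) is identified only by the silent trigger, while a service that waits for input never shows up unless a matching trigger is in the table, and the generic "http" pattern matching alongside "http-iis" is normal, which is why amap can list several protocols for one port.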

    Lab Tasks

    1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

    2. Type amap www.certifiedhacker.com 80, and press Enter.

      D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
      amap v5.2 finished at 2012-08-28 12:20:53

    FIGURE 3.1: Amap with host name www.certifiedhacker.com with port 80

    3. You can see the specific application protocols running on the entered host name and port 80.

    4. Use the IP address to check the applications running on a particular port.

    5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine): amap 10.0.0.4 75-81, and press Enter (the IP address will be different in your network).

    6. Try scanning different websites using different port ranges, like amap www.certifiedhacker.com 1-200

    TASK 1: Identify Application Protocols Running on Port 80

    Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

    For Amap options, type amap -help.

    FIGURE 3.2: Amap with IP address and with port range 75-81

    Lab Analysis

    Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

    Tool/Utility: Amap

    Information Collected/Objectives Achieved:

    ■ Identified open port: 80

    ■ Web servers: http-apache-2, http-iis, webmin

    ■ Unidentified ports: 10.0.0.4:75/tcp, 10.0.0.4:76/tcp, 10.0.0.4:77/tcp, 10.0.0.4:78/tcp, 10.0.0.4:79/tcp, 10.0.0.4:81/tcp

    Output shown in Figure 3.2:

      D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
      Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port
      Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port
      Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port
      Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port
      Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port
      Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port
      Protocol on 10.0.0.4:80/tcp matches http-iis
      Protocol on 10.0.0.4:80/tcp matches webmin

      Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).

      amap v5.2 finished at 2012-08-28 12:27:54

    Amap compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Execute the Amap command for a host name with a port number other than 80.

    2. Analyze how the Amap utility gets the applications running on different machines.

    3. Use various Amap options and analyze the results.

    Internet Connection Required: ☑ Yes ☐ No

    Platform Supported: ☑ Classroom ☐ iLabs

    Monitoring TCP/IP Connections Using the CurrPorts Tool

    CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.

    Lab Scenario

    In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or disabling unnecessary services running on the computer.

    You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and obtain all the information in the IP and TCP headers and the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection.

    As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

    Lab Objectives

    The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.

    In this lab, you need to:

    ■ Scan the system for currently opened TCP/IP and UDP ports

    ■ Gather information on the ports and processes that are opened

    ■ List all the IP addresses that currently have established connections

    ■ Close unwanted TCP connections and kill the process that opened the ports

    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

    Lab Environment

    To perform the lab, you need:

    ■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts

    ■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html

    ■ If you decide to download the latest version, then screenshots shown in the lab might differ

    ■ A computer running Windows Server 2012

    ■ Double-click cports.exe to run this tool

    ■ Administrator privileges to run the CurrPorts tool

    Lab Duration

    Time: 10 Minutes

    You can download the CurrPorts tool from http://www.nirsoft.net.

    Overview of Monitoring TCP/IP

    Monitoring TCP/IP ports checks whether there are multiple IP connections established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.
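The same view CurrPorts builds, reconstructed from the operating system's own connection table, as an added example that is not the lab manual's or NirSoft's code: parse the output of `netstat -ano` (the Windows command whose columns match what CurrPorts lists), then pick out listening ports, established connections, and connections to hosts outside the private address ranges, which are the candidates for the "close connection / kill process" objective of this lab. The sample output is constructed; its chrome.exe rows mirror the kind of entries visible in the lab's screenshots, and the process-kill command is built but not executed.

```python
"""Parse `netstat -ano` output into records and pick out what a CurrPorts review looks for:
listening ports, established connections, and connections to external hosts.
Added example, not part of the lab manual or of CurrPorts."""
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout printed by `netstat -ano` on Windows.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.7:4052          173.194.36.4:443       ESTABLISHED     2988
  TCP    10.0.0.7:4104          173.194.36.25:80       ESTABLISHED     2988
  TCP    10.0.0.7:49160         10.0.0.2:445           ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1236
  UDP    0.0.0.0:5355           *:*                                    1048
  UDP    10.0.0.7:137           *:*                                    4
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none), PID.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.7:4052' -> ('10.0.0.7', 4052); '[::]:3389' -> ('::', 3389); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # banner, header or blank line
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "local_addr": lhost, "local_port": lport,
                     "remote_addr": rhost, "remote_port": rport,
                     "state": state or "", "pid": int(pid)})
    return rows


def listening_ports(rows: List[Dict[str, object]]) -> List[int]:
    return sorted({r["local_port"] for r in rows if r["state"] == "LISTENING"})


def established(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def external_connections(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Established connections whose peer is not a private, loopback or link-local address."""
    out = []
    for r in established(rows):
        try:
            peer = ipaddress.ip_address(r["remote_addr"])
        except ValueError:
            continue
        if not (peer.is_private or peer.is_loopback or peer.is_link_local):
            out.append(r)
    return out


def taskkill_command(pid: int) -> List[str]:
    """The Windows command that kills the owning process (what CurrPorts' Kill Processes
    option does); built here, not executed."""
    return ["taskkill", "/PID", str(pid), "/F"]


def snapshot() -> List[Dict[str, object]]:
    """Live capture on a Windows host; an elevated prompt is needed to see every PID."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return parse_netstat(out)


if __name__ == "__main__":
    for r in external_connections(parse_netstat(NETSTAT_SAMPLE)):
        print(r["pid"], r["proto"], f'{r["local_addr"]}:{r["local_port"]}', "->",
              f'{r["remote_addr"]}:{r["remote_port"]}', "   kill with:", " ".join(taskkill_command(r["pid"])))
```

Map each PID back to an image name (`tasklist /FI "PID eq 2988"`) before killing anything; PID 4 is the System process, and its SMB connection to 10.0.0.2:445 in the sample is normal file-sharing traffic, not something to terminate.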

    Lab Tasks

    TASK 1

    The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

    1. Launch CurrPorts. It automatically displays the process name, ports, IP and remote addresses, and their states.

  • M odule 03 - S can n in g N e tw o rk s

    FIGURE 4.1: Tlie CurrPorts main window with all processes, ports, and IP addresses2. CiirrPorts lists all die p r o c e s s e s and their IDs, protocols used, lo c a l

    and rem o te IP a d d re s s , local and remote ports, and rem o te h o st n a m e s.

    3. To view all the reports as an HTML page, click View → HTML Report - All Items.

    FIGURE 4.3: The Web browser displaying CurrPorts Report - All Items

    5. To save the generated CurrPorts report from the web browser, click File → Save Page As.

    FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items

    6. To view only the selected report as an HTML page, select the reports and click View → HTML Report - Selected Items.


    In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF).

    FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items

    8. To save the generated CurrPorts report from the web browser, click File → Save Page As.

    FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items

    9. To view the properties of a port, select the port and click File → Properties.

    Command-line option: /stab saves the list of all opened TCP/UDP ports into a tab-delimited text file.

    FIGURE 4.8: CurrPorts to view properties for a selected port

    10. The Properties window appears and displays all the properties for the selected port.

    11. Click OK to close the Properties window.

    Properties shown for the selected port: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State, Process Path, Product Name, File Description, File Version, Company, Process Created On, User Name, Process Services, Process Attributes, Added On, Module Filename, Remote IP Country, Window Title.

    Command-line option: /shtml saves the list of all opened TCP/UDP ports into an HTML file (horizontal).

    FIGURE 4.9: The CurrPorts Properties window for the selected port


    12. To close a TCP connection you think is suspicious, select the process and click File → Close Selected TCP Connections.

    FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window

    13. To kill the processes of a port, select the port and click File → Kill Processes Of Selected Ports.


    Command-line option: /sverhtml saves the list of all opened TCP/UDP ports into an HTML file (vertical).

    FIGURE 4.12: The CurrPorts Exit option window

    Lab Analysis

    Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

    Tool/Utility    Information Collected/Objectives Achieved
    CurrPorts       Profile Details: Network scan for open ports
                    Scanned Report:
                    ■ Process Name
                    ■ Process ID
                    ■ Protocol
                    ■ Local Port
                    ■ Local Address
                    ■ Remote Port
                    ■ Remote Port Name
                    ■ Remote Address
                    ■ Remote Host Name

    In the command line, the syntax of the /close command is: /close <Local Address> <Remote Address> <Remote Port>


    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53, and running it.

    2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.

    3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:

    a. Display Established

    b. Mark Ports Of Unidentified Applications

    c. Display Items Without Remote Address

    d. Display Items With Unknown State
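The filters the questions above ask for, applied offline to a CurrPorts export rather than in the GUI, as an added example (not part of the lab manual or of NirSoft's CurrPorts). It assumes that `cports.exe /stab <file>` writes a header row using the field names shown in the Properties window; the sample rows are constructed for this example.

```python
"""Filter a CurrPorts tab-delimited export the way the lab filters the GUI view."""
import csv
import io

# Column names as shown in the CurrPorts Properties window in the lab. We assume
# (not verified here) that the header row written by ``cports.exe /stab`` uses them.
COLUMNS = [
    "Process Name", "Process ID", "Protocol", "Local Port", "Local Port Name",
    "Local Address", "Remote Port", "Remote Port Name", "Remote Address",
    "Remote Host Name", "State", "Process Path",
]

# Constructed sample export (not a real capture); values are modelled on the lab's figures.
SAMPLE_EXPORT = "\t".join(COLUMNS) + "\n" + "\n".join("\t".join(row) for row in [
    ["chrome.exe", "2988", "TCP", "4104", "", "10.0.0.7", "80", "http",
     "173.194.36.25", "bom04s01-in-f25.1e100.net", "Established",
     r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"],
    ["firefox.exe", "1368", "TCP", "4163", "", "10.0.0.7", "443", "https",
     "173.194.36.15", "bom04s01-in-f15.1e100.net", "Established",
     r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"],
    ["firefox.exe", "1368", "TCP", "4166", "", "10.0.0.7", "80", "http",
     "173.194.36.0", "bom04s01-in-f0.1e100.net", "Established",
     r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"],
    ["svchost.exe", "1040", "UDP", "61234", "", "10.0.0.7", "53", "domain",
     "10.0.0.1", "", "", r"C:\Windows\System32\svchost.exe"],
    ["httpd.exe", "1800", "TCP", "1070", "", "0.0.0.0", "", "", "", "",
     "Listening", r"C:\Apache\bin\httpd.exe"],
    ["lsass.exe", "564", "TCP", "1028", "", "0.0.0.0", "", "", "", "",
     "Listening", r"C:\Windows\System32\lsass.exe"],
    # No owning process name or path: CurrPorts marks such a row as an unidentified application.
    ["", "", "TCP", "4444", "", "0.0.0.0", "", "", "", "", "Listening", ""],
]) + "\n"


def parse_export(text):
    """Parse a /stab export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def _port(value):
    """Port fields are blank for listening sockets; return None in that case."""
    return int(value) if value.strip().isdigit() else None


def remote_port_filter(rows, tcp_ports=(80,), udp_ports=(53,)):
    """Question 1: rows whose remote port is TCP 80 or UDP 53."""
    wanted = {"TCP": set(tcp_ports), "UDP": set(udp_ports)}
    return [r for r in rows
            if _port(r["Remote Port"]) in wanted.get(r["Protocol"].upper(), set())]


def ports_for_process(rows, process_name):
    """Question 2: local ports opened by one process, e.g. firefox.exe."""
    return sorted(_port(r["Local Port"]) for r in rows
                  if r["Process Name"].lower() == process_name.lower())


def unidentified_application_ports(rows):
    """Rows with no owning process name or path (what 'Mark Ports Of Unidentified Applications' highlights)."""
    return [r for r in rows
            if not r["Process Name"].strip() or not r["Process Path"].strip()]


def listening_ports(rows):
    """Open (listening) ports: the inventory the Lab Analysis asks you to document."""
    return sorted((r["Protocol"], _port(r["Local Port"]), r["Process Name"] or "<unknown>")
                  for r in rows if r["State"] == "Listening")


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for r in remote_port_filter(rows):
        print(f"{r['Process Name']:12} {r['Protocol']} -> {r['Remote Address']}:{r['Remote Port']}")
    print("firefox.exe local ports:", ports_for_process(rows, "firefox.exe"))
    print("listening:", listening_ports(rows))
    for r in unidentified_application_ports(rows):
        print("unidentified application listening on local port", r["Local Port"])
```

To run it against a real export, replace SAMPLE_EXPORT with the contents of the file written by cports.exe /stab and check that the header row matches COLUMNS.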

    Internet Connection Required

    ☐ Yes  ☑ No

    Platform Supported

    ☑ Classroom  ☑ iLabs


    CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.


    Lab

    Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

    GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

    Lab Scenario

    In the previous lab you learned to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool automatically marks in pink any suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections.

    Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

    As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

    Lab Objectives

    The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.

    In this lab, you need to:

    ■ Perform a vulnerability scan


    ■ Audit the network

    ■ Detect vulnerable ports

    ■ Identify security vulnerabilities

    ■ Correct security vulnerabilities with remedial action

    Lab Environment

    To perform the lab, you need:

    ■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard

    ■ You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan

    ■ If you decide to download the latest version, then the screenshots shown in the lab might differ

    ■ A computer running Windows Server 2012 as the host machine

    ■ Windows Server 2008 running in a virtual machine

    ■ Microsoft .NET Framework 2.0

    ■ Administrator privileges to run the GFI LANguard Network Security Scanner

    ■ The user is required to register on the GFI website http://www.gfi.com/lannetscan to get a license key

    ■ Complete the subscription to get an activation code; the user will receive an email that contains the activation code

    Lab Duration

    Time: 10 Minutes

    Overview of Scanning a Network

    As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

    Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations cover any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

    You can download GFI LANguard from http://www.gfi.com.

    GFI LANguard is compatible with Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

    GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.


    Lab Tasks

    Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine, Windows Server 2012.

    1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

    FIGURE 5.1: Windows Server 2012 - Desktop view

    2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.


    FIGURE 5.2: Windows Server 2012 - Apps

    3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

    TASK 1: Scanning for Vulnerabilities

    The Zenmap installer installs the following components: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), and Ndiff.

    To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.


    The default scanning options, which provide quick access to scanning modes, are: Quick scan, Full scan, Launch a custom scan, and Set up a schedule scan.

    FIGURE 5.3: The GFI LANguard main window

    4. Click the Launch a Scan option to perform a network scan.


    FIGURE 5.5: Selecting an option for network scanning

    7. Scanning will start; it will take some time to scan the network. See the following figure.

    For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

    Quick scans have relatively short scan durations compared to full scans, mainly because quick scans perform vulnerability checks on only a subset of the entire database. It is recommended to run a quick scan at least once a week.

    8. After the scan completes, the scan result is shown in the left panel.


    FIGURE 5.7: The GFI LanGuard Custom scan wizard

    9. To check the Scan Result Overview, click the IP address of the machine in the right panel.

    10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment.


    FIGURE 5.8: Selecting Vulnerability Assessment option

    Types of scans:
    ■ Scan a single computer: Select this option to scan a local host or one specific computer.
    ■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
    ■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
    ■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
    ■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.


    11. It shows all the Vulnerability Assessment indicators by category.

    During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities, including:
    ■ Missing Microsoft updates
    ■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
    ■ System hardware information, including connected modems and USB devices

    FIGURE 5.9: List of Vulnerability Assessment categories

    12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.


    FIGURE 5.10: System patching status report

    13. Click Ports, and under this, click Open TCP Ports.

    Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.


    FIGURE 5.13: Information of Groups

    17. Click the Dashboard tab; it shows all the scanned network information.


    Tool/Utility         Information Collected/Objectives Achieved
    GFI LanGuard 2012    Vulnerability Level
                         Vulnerability Assessment
                         System Patching Status
                         Scan Results Details for Open TCP Ports
                         Scan Results Details for Password Policy
                         Dashboard - Entire Network
                         ■ Vulnerability Level
                         ■ Security Sensors
                         ■ Most Vulnerable Computers
                         ■ Agent Status
                         ■ Vulnerability Trend Over Time
                         ■ Computer Vulnerability Distribution
                         ■ Computers by Operating System

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Analyze how GFI LANguard products provide protection against a worm.

    2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.

    3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

    Internet Connection Required

    ☐ Yes  ☑ No

    Platform Supported

    ☑ Classroom  ☑ iLabs


    Exploring and Auditing a Network Using Nmap

    Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

    Lab Scenario

    In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details of open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or to exploit a system. If an attacker learns all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.

    Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gather information about its vulnerabilities.

    Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

    Lab Objectives

    The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.

    In this lab, you need to:

    ■ Scan TCP and UDP ports

    ■ Analyze host details and their topology

    ■ Determine the types of packet filters

    ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review


    ■ Record and save all scan reports

    ■ Compare saved results for suspicious ports

    Lab Environment

    To perform the lab, you need:

    ■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap

    ■ You can also download the latest version of Nmap from the link http://nmap.org/

    ■ If you decide to download the latest version, then screenshots shown in the lab might differ

    ■ A computer running Windows Server 2012 as a host machine

    ■ Windows Server 2008 running on a virtual machine as a guest

    ■ A web browser with Internet access

    ■ Administrative privileges to run the Nmap tool

    L a b D u r a t io n

    Time: 20 Minutes

    Overview of Network Scanning

    Network addresses are scanned to determine:

    ■ What services (application names and versions) those hosts offer

    ■ What operating systems (and OS versions) they run

    ■ The type of packet filters/firewalls that are in use, and dozens of other characteristics

    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

    Zenmap works on Windows, including Windows 7 and Server 2003/2008.

    Lab Tasks

    TASK 1: Intense Scan

    Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

    1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

    FIGURE 6.1: Windows Server 2012—Desktop view


    2. Click the Nmap - Zenmap GUI app to open the Zenmap window.



    The Zenmap installer installs the following components:

    ■ Nmap Core Files

    ■ Nmap Path

    ■ WinPcap 4.1.1

    ■ Network Interface Import

    ■ Zenmap (GUI frontend)

    ■ Ncat (Modern Netcat)

    ■ Ndiff

    FIGURE 6.2: Windows Server 2012 - Apps

    3. The Nmap - Zenmap GUI window appears.

    Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}

    FIGURE 6.3: The Zenmap main window

    In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.

    4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.

    5. In this lab, the IP address would be 10.0.0.4; it will be different in your lab environment.

    6. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.


    7. Click Scan to start scanning the virtual machine.

    [Figure residue: Zenmap main window with Target 10.0.0.4, Profile Intense scan, and Command nmap -T4 -A -v 10.0.0.4.]

    FIGURE 6.4: The Zenmap main window with Target and Profile entered

    8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.

    [Figure residue: Nmap Output tab for the intense scan (nmap -T4 -A -v 10.0.0.4). Recoverable output lines: Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24; NSE: Loaded 93 scripts for scanning; NSE: Script Pre-scanning; Initiating ARP Ping Scan at 15:35, Scanning 10.0.0.4 [1 port], Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts); Initiating Parallel DNS resolution of 1 host at 15:35, completed at 15:35, 0.50s elapsed; Initiating SYN Stealth Scan at 15:35, Scanning 10.0.0.4 [1000 ports]; Discovered open port 135/tcp, 139/tcp and 445/tcp on 10.0.0.4; Increasing send delay for 10.0.0.4 due to 72 out of 179 dropped probes since last increase; Discovered open port 49152/tcp, 49154/tcp, 49153/tcp, 49156/tcp, 49155/tcp and 5357/tcp on 10.0.0.4. Host list: 10.0.0.4.]

    FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

    9. After the scan is complete, Nmap shows the scanned results.

    While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

    The six port states recognized by Nmap:

    ■ Open

    ■ Closed

    ■ Filtered

    ■ Unfiltered

    ■ Open | Filtered

    ■ Closed | Unfiltered

    Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.


    [Figure residue: Nmap Output tab after the intense scan completed. Recoverable service-detection lines: 135/tcp open msrpc Microsoft Windows RPC; 139/tcp open netbios-ssn; 445/tcp open netbios-ssn; 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP), |_http-methods: No Allow or Public header in OPTIONS response (status code 503), |_http-title: Service Unavailable; 49152/tcp, 49153/tcp, 49154/tcp, 49155/tcp and 49156/tcp open msrpc Microsoft Windows RPC; MAC Address: 00:15:5D:00:07:10 (Microsoft); Device type: general purpose; Running: Microsoft Windows 7|2008; OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1; OS details: Microsoft Windows 7 or Windows Server 2008 SP1; Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012); Network Distance: 1 hop; TCP Sequence Prediction: Difficulty=263 (Good luck!); IP ID Sequence Generation: Incremental; Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows.]

    FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

    10. Click the Ports/Hosts tab to display more information on the scan results.

    11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.

    [Figure residue: Ports/Hosts tab for 10.0.0.4 (nmap -T4 -A -v 10.0.0.4). Recoverable table:]

    Port   Protocol  State  Service      Version
    135    tcp       open   msrpc        Microsoft Windows RPC
    139    tcp       open   netbios-ssn
    445    tcp       open   netbios-ssn
    5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    49152  tcp       open   msrpc        Microsoft Windows RPC
    49153  tcp       open   msrpc        Microsoft Windows RPC
    49154  tcp       open   msrpc        Microsoft Windows RPC
    49155  tcp       open   msrpc        Microsoft Windows RPC
    49156  tcp       open   msrpc        Microsoft Windows RPC

    The options available to control target selection:

    ■ -iL <inputfilename>

    ■ -iR <num hosts>

    ■ --exclude <host1>[,<host2>[,...]]

    ■ --excludefile <exclude_file>

    The following options control host discovery:

    ■ -sL (List Scan)

    ■ -sn (No port scan)

    ■ -Pn (No ping)

    ■ -PS (TCP SYN Ping)

    ■ -PA (TCP ACK Ping)

    ■ -PU (UDP Ping)

    ■ -PY (SCTP INIT Ping)

    ■ -PE; -PP; -PM (ICMP Ping Types)

    ■ -PO (IP Protocol Ping)

    ■ -PR (ARP Ping)

    ■ --traceroute (Trace path to host)

    ■ -n (No DNS resolution)

    ■ -R (DNS resolution for all targets)

    ■ --system-dns (Use system DNS resolver)

    ■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

    FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
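    The lab objectives ask you to record scan reports and compare saved results for suspicious ports. The following is an added example, not code from the manual or from the Nmap project: it parses an Nmap XML report (as written with -oX) and diffs the open ports against an approved baseline. Both the XML sample and the baseline are constructed here to mirror the 10.0.0.4 results in the Ports/Hosts tab above.

```python
"""Parse saved Nmap XML reports and flag open ports absent from a baseline."""
import xml.etree.ElementTree as ET

# Constructed sample (not real scanner output): an Nmap XML report shaped like
# the lab's intense scan, as written by  nmap -T4 -A -v -oX intense.xml 10.0.0.4
# Only some of the ports seen in the lab are included, plus one closed port.
INTENSE_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX intense.xml 10.0.0.4">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
        <service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="5357"><state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
      <port protocol="tcp" portid="49152"><state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/>
        <service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed baseline: the ports the administrator has approved on 10.0.0.4.
BASELINE = {"10.0.0.4": {("tcp", 135), ("tcp", 139), ("tcp", 445)}}


def parse_open_ports(xml_text):
    """Return {ipv4: {(protocol, port): service label}} for ports in state open,
    i.e. the Port/Protocol/State/Service/Version columns of the Ports/Hosts tab."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not inventory
            svc = port.find("service")
            label = svc.get("name", "unknown") if svc is not None else "unknown"
            if svc is not None and svc.get("product"):
                detail = (svc.get("product") + " " + svc.get("version", "")).strip()
                label += " (" + detail + ")"
            ports[(port.get("protocol"), int(port.get("portid")))] = label
        hosts[ip] = ports
    return hosts


def compare_to_baseline(baseline, current):
    """Diff a fresh report's open ports against the approved baseline.
    "new" ports are the suspicious ones (open but never approved); "missing"
    ports mean an expected service is down or now filtered."""
    report = {}
    for ip in sorted(set(baseline) | set(current)):
        expected = set(baseline.get(ip, ()))
        seen = set(current.get(ip, {}))
        report[ip] = {"new": sorted(seen - expected),
                      "missing": sorted(expected - seen)}
    return report
```

    Against the constructed baseline the report flags 5357/tcp and 49152/tcp as new; in practice you would save each Zenmap scan with -oX and feed every fresh report through the same comparison.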


    12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan profile.

    FIGURE 6.8: The Zenmap main window with the Topology tab for Intense Scan

    13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.

    [Figure residue: Host Details tab for 10.0.0.4. Recoverable fields: Host Status: State up, Open ports 9, Filtered ports 0, Closed ports 991, Scanned ports 1000, Uptime 22151, Last boot Fri Aug 24 09:27:40 2012; Addresses: IPv4 10.0.0.4, IPv6 Not available, MAC 00:15:5D:00:07:10; Operating System: Name Microsoft Windows 7 or Windows Server 2008 SP1, Accuracy, Ports used.]

    FIGURE 6.9: The Zenmap main window with the Host Details tab for Intense Scan

    By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

    By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).


    14. Click the Scans tab to see the scan details for the provided IP addresses.

    [Figure residue: Scans tab for 10.0.0.4 showing one entry with Status Unsaved and Command nmap -T4 -A -v 10.0.0.4, and the buttons Append Scan, Remove Scan and Cancel Scan.]

    FIGURE 6.10: The Zenmap main window with the Scans tab for Intense Scan

    15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.

    16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).

    [Figure residue: Services tab with the http service selected. Recoverable row: Hostname 10.0.0.4, Port 5357, Protocol tcp, State open, Version Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).]


    17. Click the msrpc service to list all the Microsoft Windows RPC entries.

    [Figure residue: Services tab with the msrpc service selected. Recoverable rows, all for Hostname 10.0.0.4, Protocol tcp, State open, Version Microsoft Windows RPC: ports 49156, 49155, 49154, 49153, 49152 and 135. Service list in the right pane: http, msrpc, netbios-ssn.]

    In Nmap, the option --port-ratio <ratio> (a decimal number between 0 and 1) scans all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1.

    FIGURE 6.12: The Zenmap main window with the msrpc Service for Intense Scan

    18. Click the netbios-ssn service to list all NetBIOS hostnames.

    [Figure residue: Services tab with the netbios-ssn service selected. Recoverable rows, both for Hostname 10.0.0.4, Protocol tcp, State open: ports 139 and 445. Service list in the right pane: http, msrpc, netbios-ssn.]

    FIGURE 6.13: The Zenmap main window with the netbios-ssn Service for Intense Scan

    TASK 2: Xmas Scan

    19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only against operating systems whose TCP/IP stack was developed according to RFC 793. The current version of Microsoft Windows is not supported.

    In Nmap, the option -r means don't randomize ports.

    20. Now, to perform an Xmas Scan, you need to create a new profile. Click Profile N


    22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.

    [Figure residue: Zenmap Profile Editor, Scan tab, command line nmap -T4 -A -v 10.0.0.4. Help pane: Enable all advanced/aggressive options: enable OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute). Tabs: Profile, Scan, Ping, Scripting, Target, Source, Other, Timing. Scan options: Targets (optional) 10.0.0.4; the TCP scan drop-down lists None, ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW) and Xmas Tree scan (-sX); Non-TCP scans; Timing template; check boxes Version detection (-sV), Idle Scan (Zombie) (-sI), FTP bounce attack (-b), Disable reverse DNS resolution (-n), IPv6 support (-6); buttons Cancel and Save Changes.]

    FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab

    23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list and click Save Changes.

    [Figure residue: Zenmap Profile Editor, Scan tab, after the changes: command line nmap -sX -T4 -A -v 10.0.0.4; Targets (optional) 10.0.0.4; TCP scan: Xmas Tree scan (-sX); Non-TCP scans: None; Timing template: Aggressive (-T4); Enable all advanced/aggressive options (-A) checked; Operating system detection (-O), Version detection (-sV), Idle Scan (Zombie) (-sI), FTP bounce attack (-b), Disable reverse DNS resolution (-n) and IPv6 support (-6) unchecked; buttons Cancel and Save Changes.]

    FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

    24. Enter the IP address in the Target: field, select the Xmas scan option from the Profile: field and click Scan.

    UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

    Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

    You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.


    [Figure residue: Zenmap main window with Target 10.0.0.4, Profile Xmas Scan, Command nmap -sX -T4 -A -v 10.0.0.4, and an empty Hosts list.]

    In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

    FIGURE 6.18: The Zenmap main window with Target and Profile entered

    25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.
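    The Xmas scan in step 19 depends on RFC 793 behaviour, which the lab's Windows Server 2008 target does not follow. The added example below (not from the manual or the Nmap project) models how Nmap labels a port from the reply to an Xmas probe and how to recognise an uninformative all-closed result; the two target stacks are simplified assumptions, not real hosts.

```python
"""Model how Nmap labels a port from the reply to an Xmas probe (-sX)."""


def classify_xmas_reply(reply):
    """Nmap's decision table for FIN/NULL/Xmas probes.

    RFC 793 says a closed port answers such a segment with RST and an open
    port ignores it, so silence cannot separate "open" from "dropped by a
    firewall": that is why the port-state list has the combined open|filtered.
    reply is None (no answer), "RST", or "ICMP-unreachable".
    """
    if reply is None:
        return "open|filtered"
    if reply == "RST":
        return "closed"
    if reply == "ICMP-unreachable":
        return "filtered"
    raise ValueError("unexpected reply: %r" % (reply,))


# Simplified target models (assumptions for this example, not real hosts).
def rfc793_stack(open_ports, firewalled=()):
    """RFC 793 behaviour; ports in `firewalled` are silently dropped upstream."""
    def respond(port):
        if port in firewalled:
            return None
        return None if port in open_ports else "RST"
    return respond


def windows_stack(open_ports):
    """Windows does not follow RFC 793 here: it resets every Xmas probe,
    whether the port is open or not, so the scan reports everything closed."""
    def respond(port):
        return "RST"
    return respond


def xmas_scan(respond, ports):
    """Send the probe to each port and label it the way Nmap would."""
    return {p: classify_xmas_reply(respond(p)) for p in ports}


def summarize(results, known_open=()):
    """Group ports by state and say whether the scan was informative.

    If every scanned port comes back closed although the host is known (for
    example from the intense scan) to have open ports, the stack is not RFC 793
    compliant and the Xmas result must not be trusted.
    """
    by_state = {}
    for port, state in results.items():
        by_state.setdefault(state, []).append(port)
    by_state = {s: sorted(ps) for s, ps in by_state.items()}
    all_closed = set(by_state) == {"closed"}
    contradicted = all_closed and any(p in results for p in known_open)
    return by_state, not contradicted
```

    With the lab's open ports fed in as known_open, the Windows model returns (all closed, False), which is the signal to fall back on the intense (SYN) scan results instead.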

    [Figure residue: Zenmap main window, Nmap Output tab, Target 10.0.0.4, Profile Xmas Scan, Command nmap -sX -T4 -A -v 10.0.0.4, output beginning: Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24.]


    [Figure residue: Zenmap main window, Nmap Output tab, Target 10.0.0.4, Profile Xmas Scan, Command nmap -sX -T4 -A -v 10.0.0.4. Recoverable output lines: Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24; NSE: Loaded 93 scripts for scanning; NSE: Script Pre-scanning; Initiating ARP Ping Scan at 16:29, Scanning 10.0.0.4 [1 port], Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts); Initiating Parallel DNS resolution of 1 host at 16:29, completed at 16:29, 0.00s elapsed; Initiating XMAS Scan at 16:29, Scanning 10.0.0.4 [1000 ports]; Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.]