[EH Wk 2] Module 03: Scanning

Overview of Network Scanning

  • Set of procedures to identify hosts, ports, and services
  • Component of intelligence gathering

Network Flags

TCP Communication Flags

  • URG (Urgent): Packet to be processed ASAP
  • FIN (Finished): No further data from sender
  • RST (Reset): Reset connection (Commonly seen in Stealth Scans where three-way handshake is not completed)
  • PSH (Push): Sends all buffered data immediately (Tells receiver to process data ASAP instead of buffering it)
  • SYN (Synchronize): Initiates connection between hosts, synchronises sequence numbers for data transmission
  • ACK (Acknowledge): Acknowledges packet being received

TCP Session Establishment Steps (Three-way Handshake)

  1. Client -> Server: SYN (Please open, it’s chit chat time)
  2. Server -> Client: SYN + ACK (Okay, chit chat at 1 of my 65,535 ports)
  3. Client -> Server: ACK (Okay, see you at the port)

TCP Session Termination Steps

  1. Client -> Server: FIN (I’ve heard enough)
  2. Server -> Client: ACK (Okay)
  3. Server -> Client: FIN (I have clearly received your message)
  4. Client -> Server: ACK (I acknowledge that you have received my message)

Types of Scans

Host Discovery Scans

  1. ARP Ping Scan
    • Efficient and accurate
  2. TCP ping Scan
    • SYN: Does not complete a connection, so no connection is logged. SYN+ACK = Port open; RST = Port closed
    • ACK: Maximises the chance of bypassing a firewall. RST = Port open; No response = Port closed
    • NULL/FIN/XMAS: No response = Port open; RST = Port closed
  3. UDP ping Scan
    • Able to detect systems behind firewalls with strict TCP filtering
  4. ICMP ping Scan
    • Useful for locating active devices, or for checking whether ICMP passes through the firewall
    • Does not work on Windows

Service Version Discovery

  • Determines versions of services running on target system based on responses to probes
  • Determine vulnerabilities based on service versions
  • Tools: Nmap, Zenmap (both use the -sV flag)

OS Discovery

  • Banner grabbing / OS fingerprinting to determine OS of remote target system based on TCP/IP behaviour
  • Figure out vulnerabilities based on OS to plan exploits
  • Tools: Nmap, Zenmap (both use the -O flag)

Active Banner Grabbing

  • Specially crafted packets sent to observe responses
  • Compare responses to known OS signatures
  • Response varies due to TCP/IP stack implementation
  • Tools: Telnet, Netcat, Nmap, wget, curl

Passive Banner Grabbing

  • From error messages provided by target via information leakage
  • Sniffing network traffic generated by target
  • Banner grabbing from page extensions, e.g. .aspx indicates an IIS server
  • Tools: Shodan, Censys

Identifying OS

  • Attackers identify the running OS through the TTL and the TCP window size (the amount of data that can be sent before an ACK must be received)
  • Sniff response generated from target machine
  • Passive Tools: Shodan, Censys
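As an added example (not part of the original notes), the Python below parses raw IPv4/TCP headers to recover the TCP flags, TTL and window size discussed in these sections, labels each segment by the flag combination a host-discovery probe uses (SYN, ACK, NULL, FIN, XMAS), rounds the observed TTL up to a common initial value to guess the sender's OS family, and, from the defender's side, reports sources that probe many distinct ports. The sample packets, the 64/128/255 default-TTL table and the port threshold are constructed assumptions for illustration.

```python
import struct

# TCP flag bits: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20
PROBE_TYPES = {0x00: "NULL", 0x01: "FIN", 0x29: "XMAS", 0x02: "SYN", 0x10: "ACK"}
# Common default initial TTLs (a widely used heuristic, assumed here, not a guarantee)
INITIAL_TTLS = [(64, "Linux/Unix-like"), (128, "Windows"), (255, "Network device/Solaris")]

def build_packet(src, ttl, dport, flags, window):
    """Constructed sample: IPv4 header (no options) followed by a bare 20-byte TCP header."""
    src_b = bytes(int(o) for o in src.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src_b, bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(frame):
    """Extract the fields the notes rely on: source, TTL, ports, flags, window size."""
    ihl = (frame[0] & 0x0F) * 4  # IPv4 header length in bytes
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", frame[ihl:ihl + 16])
    return {"src": ".".join(str(b) for b in frame[12:16]), "ttl": frame[8], "sport": sport,
            "dport": dport, "flags": off_flags & 0x3F, "window": window}

def classify_probe(flags):
    """Label a segment by the exact flag combination a host-discovery probe uses."""
    return PROBE_TYPES.get(flags, "other")

def guess_os_from_ttl(ttl):
    """Every router hop decrements TTL, so round up to the nearest common initial value."""
    for initial, name in INITIAL_TTLS:
        if ttl <= initial:
            return name
    return "unknown"

def detect_scanners(frames, threshold=3):
    """Defender view: sources that send SYN/NULL/FIN/XMAS probes to many distinct ports.
    Bare ACKs are not counted because they are normal in established connections."""
    ports_by_src = {}
    for frame in frames:
        p = parse_ipv4_tcp(frame)
        if classify_probe(p["flags"]) in ("SYN", "NULL", "FIN", "XMAS"):
            ports_by_src.setdefault(p["src"], set()).add(p["dport"])
    return {src for src, ports in ports_by_src.items() if len(ports) >= threshold}

# Constructed traffic: SYN sweep from a Linux-like host 3 hops away, one XMAS probe, one bare ACK
SAMPLE_FRAMES = [
    build_packet("192.0.2.10", 61, 22, 0x02, 1024),
    build_packet("192.0.2.10", 61, 80, 0x02, 1024),
    build_packet("192.0.2.10", 61, 443, 0x02, 1024),
    build_packet("192.0.2.77", 126, 445, 0x29, 8192),
    build_packet("198.51.100.3", 252, 80, 0x10, 64240),
]
```

Call `detect_scanners(SAMPLE_FRAMES)` to see which constructed source trips the threshold, and `guess_os_from_ttl(parse_ipv4_tcp(f)["ttl"])` on any frame to see the TTL rounding at work.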

IDS/Firewall Evasion Techniques

  1. Packet Fragmentation: Split packets into smaller fragments
  2. Source Routing: Specify route packets should take
  3. Source Port Manipulation: Change the source port so the traffic is not flagged as suspicious
  4. IP Address Decoy: Send packets from multiple IP addresses to prevent IDS from identifying real source
  5. IP Address Spoofing: Change source IP address
  6. MAC Address Spoofing: Change MAC address to bypass MAC filtering
  7. Creating Custom Packets: Craft packets to bypass IDS rules
  8. Randomising Host Order, Sending Bad Checksums: Scan hosts in the target network in random order and send bad TCP/UDP checksums to avoid firewall rulesets
  9. Proxy Servers: Hide the source of the attack; the target sees the proxy's address as the source. Can also be used to remotely access resources that are usually restricted.

This post is licensed under CC BY 4.0 by the author.