PENETRATION TESTING

Phase 2

Scanning and Enumeration

 Phase 2: Scanning

• Phase 2 is scanning , which focuses on an active engagement of the target

with the intention of obtaining more information. Scanning the target
network will ultimately locate active hosts that can then be targeted in a
later phase. Once scanning determines which hosts are active and what the
network looks like, a more refined process can take place.
• During this phase tools such as these are used:
• Pings
• Ping sweeps
• Port scans
• Tracert
Phase 2: Scanning
• Scanning is a process that involves engaging and probing a target network with the
intent of revealing useful information and then using that information for later
phases of the pen test.

• Port Scan Port scanning is the process of sending carefully crafted messages or
packets to a target computer with the intent of learning more about it. These probes
are typically associated with well-known port numbers or those less than or equal to
1024. Through the careful application of this technique, you can learn about the
services a system offers to the network as a whole. It is even possible that during this
process you can tell systems such as mail servers, domain controllers, and web
servers from one another.
• Network Scan Network scanning is designed to locate all the live hosts on a network.
This type of scan will identify those systems that may be attacked later or those that
may be scanned more thoroughly.
• Scans that fit into this category are those such as ping sweeps, which rapidly scan a
range of IPs and determine if an address has a powered-on host attached to it or not.
Tools to perform this type of scan include nmap and Angry IP as well as others.
Phase 2: Scanning
• Vulnerability Scan A vulnerability scan is used to identify weaknesses or
vulnerabilities on a target system. This type of scan is quite commonly
done as a proactive measure, with the goal of catching problems
internally before an attacker is able to locate those same vulnerabilities
and act on them. A typical vulnerability scan will discover hosts, access
points, and open ports, analyze service response, classify threats and
generate reports.
• Difference between a vulnerability scan and a penetration test is that
vulnerability scan is designed to reveal weaknesses present in a network
or host but not to exploit those weaknesses. A penetration test is
designed to not only find weaknesses but also to exploit them much as
an actual attacker would.
Phase 2: Scanning
• During the scanning process it is possible to discover information such as
the following:
• Live hosts on a network
• Information on the open/closed ports on a host
• Information on the operating system(s) and the system architecture
• Services or processes running on hosts
• Types and seriousness of vulnerabilities
• Information about patches present on a system
• Presence of firewalls
• Addresses of routers and other devices
Phase 2: Scanning
• Check for live systems:
• Wardialing
• Wardriving
• Pinging
• Port scanning
 Phase 2: Scanning
• Wardialing
• The first and olds type of scan is wardialing. Wardialing has existed in an
almost unchanged state since the mid-1980s and has stayed around so long
because it has proven to be a useful information-gathering tool.
• In practice, wardialing is extremely simple compared to the other forms of
scanning in that it simply dials a block of phone numbers using a standard
modem to locate systems that also have a modem attached and accept
connections.
 Phase 2: Scanning
• Modems are still used for a number of reasons, including the low cost of the
technology, ease of use, and the availability of phone lines, which are pretty much
everywhere. Modems are still so commonly used that an attacker can easily dial a
block of phone numbers in just about any town and locate a good number of
computers still using dial-up to attach to the outside world.

• Once you fi nd a modem and get a response, the question becomes what to do
with that information. To answer that, you need to know what devices modems
are commonly attached to in the modern world. Private branch exchanges (PBXs)
often have modems attached (the nondigital ones), which can provide a good
opportunity for attacking. Other devices that sometimes have modems attached
are firewalls, routers and fax machines. If an attacker dials into a firewall and
gains access, an environment can quickly become unprotected.
 Phase 2: Scanning
• ToneLoc - A wardialing program that looks for dial tones by randomly dialing
numbers or dialing within a range. It can also look for a carrier frequency of
a modem or fax. ToneLoc uses an input fi le that contains the area codes
and number ranges you want it to dial.
• THC-SCAN A DOS-based program that can use a modem to dial ranges of
numbers in search of a carrier frequency from a modem or fax.
• NIKSUN’s PhoneSweep One of the few commercial options available in the
wardialing market.
 Scanning

Simple tool to perform scanning is ping. Ping is a utility that can be used to
perform the initial scanning process.
Ping works by using an Internet Control Message Protocol (ICMP) message,
which is why this technique is also called ICMP scanning. The process works
by using one system to send an ICMP echo request to another system; if that
system is live, it will send back an ICMP echo reply. Once this reply is received,
the system is confirmed to be up, or live.
To use the ping command :
ping <target IP>
or
ping <target hostname>
 Scanning
A more advanced tool that can be use is hping3 which is a TCP/IP packet crafter. This
means it not only has the ability to send packets across network but also allows for
the creation of customized packets that can be used to assess the behavior of a
remote host and bypass Firewalls.
It supports TCP, UDP, ICMP, and RAW-IP protocols, has a traceroute mode, and has
the ability to transfer files.
This is the basic syntax command to transmit an ICMP request and receive a reply:
hping3 -1 <domain name>
Let us see if there is a firewall blocking ping requests. We will now create a packet
with an ACK flag sent to the target. The switches used are -A for ACK, -V for verbose, -
p followed by a target port number, and –s for the port on the source computer
where the packet will originate.
hping3 -c 1 -V -p 80 -s 5050 -A <domain name>
If we receive a reply, then the system is alive and the port target is open. If no
response is returned, there may very well be a firewall in between the scanner and
the target.
 Scanning
TCP flags
SYN Initiates a connection between two hosts to facilitate communication.
ACK Acknowledges the receipt of a packet of information.
URG Indicates that the data contained in the packet is urgent and should be
processed immediately.
PSH Instructs the sending system to send all buffered data immediately.
FIN Tells the remote system that no more information will be sent. In essence,
this gracefully closes a connection.
RST Resets a connection.
 Scanning
These flags are very important in the scanning process, especially if we are
using a packet crafter. Using hping3 we can generate many different types of
packets and send them to a target:
Create an ACK packet and send it to port 80 on the victim:
hping3 –A <target IP address> -p 80
Create a SYN scan against different ports on a victim:
hping3 -8 50-56 –s <target IP address> -v
Create a packet with FIN, URG, and PSH flags set and send it to port 80 on the
victim:
hping3 –F –P -U <target IP address> -p 80
 Scanning
Another tool you can use to to ping a remote system is nmap.
map –sP –v <target IP address>
If the command successfully finds a live host, it returns a message stating that
the IP address is up and provides the media access control (MAC) address and
the network card vendor.
Up one level from the ICMP scan is the ping sweep, so named because you
use this
technique to scan or sweep a range of IPs looking for live hosts. Once again
nmap proves helpful by allowing you to perform a quick scan.
nmap –sP –PE –PA<port numbers> <starting IP/ending IP>
As an example:
nmap –sP –PE –PA21,23,80,3389 <192.168.10.1-50>
 Scanning
Full-Open Scan
The first type of scan nmap scans is known as a full-open scan,. Here the systems involved initiated
and completed the three-way handshake. The advantage of a
full-open scan is that you have positive feedback that the host is up and the connection is
complete. In many cases new penetration testers will attempt a full-open scan against a target
either on purpose or accidentally; this can be bad and even fatal to your test because it can be
detected and logged by firewalls and an IDS.
During this scan of a closed port is encountered, the sending party will transmit an ACK packet to a
specific port on the remote host; when this request encounters the closed port, an RST will be sent
back, terminating the attempt.
In order to perform a full-open scan you must choose to perform a TCP Connect scan using the –sT
switch, where the –s indicates the scan and the capital T states that the scan type is TCP Connect.
The command to execute this scan type is:
nmap –sT <ip address or range>
Keep in mind that when you perform this type of scan, it is very “noisy” and will be easy for the
target to find it in the in logs. Use this scan only when no other scan will work or is appropriate.
 Scanning
Stealth / SYN Scanning
• To overcome some of the problems previously explained nmap has a
scanning technique called “stealth” scan or SYN.
• SYN is the default scan technique used when no scan technique is specified
in an nmap command and the user has the required raw sockets privileges.
• SYN scanning is a TCP port scanning method that involves sending SYN
packets to various ports on a target machine without completing a TCP
handshake. If a TCP port is open, a SYN-ACK should be sent back from the
target machine, informing us that the port is open.
• At this point, the port scanner does not bother to send the final ACK to
complete the three-way handshake.
nmap -sS IP_Target
 Scanning

Stealth / SYN Scanning

The result of this scan is that there is a lot less to log, and since the final ACK
packet was never sent, an open port has still been confirmed, but no active
connection has been made.
However, if a port is closed rather than open, the three-way handshake starts
with the attacker sending a SYN, only to have the victim respond with an RST
packet indicating that the port is closed and not taking connections.
• Advantage of this particular type of scanning is that it is less likely to trigger
detection mechanisms or end up being logged, but the downside is that it is
a little less reliable than a full-open scan, because confirmation is not
received during this process due to the lack of the final ACK.
 Scanning

Xmas Tree Scan

In this scan numerous flags are set in the packet. A single packet is sent to the
client with URG, PSH, and FIN all set to on.
Having all the flags set creates an illogical or illegal combination, and the
receiving system has to determine what to do when this occurs.
In most modern systems this simply means that the packet is ignored or
dropped, but on some systems the lack of response tells you a port is open,
whereas a single RST packet tells you the port is closed.
nmap –sX –v <target IP address>
The response you get during this scan can vary just a little or a lot from
operating system to operating system.
 Scanning

FIN Scan
In this type of scan, the attacker sends packets to the victim with the FIN flag
set. The concept behind this type of scan is that SYN scans are still very
In order to be stealthier a packet with a FIN flag is used. This type of scanning
technique is effective not only because it is less obvious, but also because it
can reliably pass through firewalls without alteration and then right on
toward the intended target. SYN packets are likely to get higher levels of
scrutiny when they encounter a firewall and get stopped.
The result here is similar to the Xmas tree scan and the victim’s response
depends on whether the port is open or closed. If an FIN is sent to an open
port, there is no response, bu.t if the port is closed, the victim returns an RST.
nmap –sF <target IP address>
 Scanning

NULL Scan
In this type of scan, the attacker sends frames to the victim with no flag set.
The result is similar to what happens in an FIN scan. The victim’s response
depends on whether the port is open or closed.
If no flags are set on a frame that is sent to an open port, there is no
response, but if the port is closed, the victim returns an RST.
nmap –sN <target IP address>
 Scanning

Idle Scanning
This unique and very powerful scan. It is effective because of its high degree
of stealthiness compared to other scans.
An idle scan is known for its ability to hide the identity of the attacking party
by not sending the packets from the actual attacking system. In practice this
process is performed by bouncing the scan off another host (commonly called
a zombie) and then on toward the target.
If the victim of the scan investigates the activity generated by the process,
they will trace the scan back not to the actual attacker but to the zombie
system instead.
This scan also allows discovery of IP-based trust relationships between
machines.
 Scanning
Idle Scanning
This scan depends on three basic points:
One way to determine whether a TCP port is open is to send an SYN (session
establishment) packet to the port. The target machine will respond with an
SYN/ACK (session request acknowledgment) packet if the port is open, and an RST
(reset) if the port is closed.
A machine that receives an unsolicited SYN/ACK packet will respond with an RST. An
unsolicited RST will be ignored.
Every IP packet on the Internet has a fragment identification number (IP ID). Since
many operating systems simply increment this number for each packet they send,
probing for the IP ID can tell an attacker how many packets have been sent since
the last probe.
It is through the application and combination of these properties that the attacking
party can spoof their identity and cast blame on another system, which in this case
is the zombie. To an outside observer, the zombie will look like the originator of the
attack.
 Scanning
An idle scan consists of three steps that would be repeated for each port to be scanned:
• 1. Probe the zombie’s IP ID and record it.
• 2. Forge a SYN packet from the zombie and send it to the desired port on the target.
Depending on the port state, the target’s reaction may or may not cause the zombie’s IP ID
to be incremented.
• 3. Probe the zombie’s IP ID again.
The target port state is then determined by comparing this new IP ID with the one
recorded in step 1.
After this process, the zombie’s IP ID should have incremented by a value of either one or
two. An increase of one indicates that the zombie hasn’t sent out any packets, except for
its reply to the attacker’s probe. This lack of sent packets means that the port is not open
(the target must have sent the zombie either an RST packet, which was ignored, or nothing
at all).
An increase of two indicates that the zombie sent out a packet between the two probes
 Scanning

This extra packet usually means that the port is open. Increases larger than
two usually signify a bad zombie host. It might not have predictable IP ID
numbers, or it might be engaged in communication unrelated to the idle scan.
Even though what happens with a closed port is slightly different from what
happens with a filtered port, the attacker measures the same result in both
cases, namely, an IP ID increase of one. Therefore, it is not possible for the
idle scan to distinguish between closed and filtered ports. When nmap
records an IP ID increase of one, it marks the port closed|filtered.
In the case of idle scans, one of the pros is that this type of scan is effective at
evading detection by an IDS and some firewalls. A downside is that the scan
will take longer to perform than other options. In the case of idle scans you
can expect a scan to increase in duration significantly.
 Scanning

What to do if Scan Is Blocked?

One of the methods we can use is fragmenting works by breaking a packet
into multiple pieces with the goal of preventing detection devices from seeing
what the original unfragmented packet intends to do. In nmap, if you wish to
fragment a packet, you can do so by using the –f switch.
nmap –sS –T4 –A –f –v <target IP address>
Scanning

OS Fingerprinting
We now know e have a live host and behind the ports we discovered is an
operating system and we need to determine its type by fingerprinting it.
There are two types of fingerprinting: passive and active
 Scanning
All fingerprinting techniques are based on detecting the differences in packets
generated by different operating systems.
• Common techniques are based on analyzing the following:
• IP TTL values
• IP ID values
• TCP Window size
• TCP options (generally, in TCP SYN and SYN+ACK packets)
• DHCP requests
• ICMP requests
• HTTP packets (generally, the User-Agent field)
• Running services
• Open port patterns
Scanning

Active Fingerprinting
One of the easiest ways to detect a remote OS is to use nmap. During
fingerprinting nmap sends TCP and UDP packets at the target system and
then looks for responses to be returned. The responses are analyzed and
compared to what nmap already knows about OS behaviour. Once the range
of tests has been completed, nmap compares the findings to the database it
has.
Once a match is found it will report it back to us.
nmap -O <ip address>
 Scanning
• In order to perform a passive analysis of an OS nmap performs closer analysis
of the subtle variations in network traffic observed. One of the methods is
inspecting initial time to live (TTL) value in the header of a packet.
• Also it analyzes the header of a packet is the window size used in TCP packets
during the SYN and SYN+ACK steps of the three-way handshake.
• These are some typical initial TTL values and window sizes:
 Scanning

Ping sweeps are very effective as they can build an inventory of systems
quickly. Problem is that many network administrators block ping at the
firewall, so pinging hosts from outside the network is impossible without
extra effort.
Second, an intrusion-detection system (IDS) or intrusion-prevention system
(IPS) will often be present on larger networks or in enterprise environments,
and these systems will alert the system owner and/or shut your scan down.
Finally, due to the way the scan works, there really isn’t any capability in the
scan to detect systems that are down; in such cases the ping will hang for a
few moments before informing you that it cannot reach a host. If you are
scanning a lot of hosts hanging makes a problem as this takes time.
 Enumeration
• Enumeration is the systematic probing of a target with the goal of obtaining user lists,
routing tables, and protocols from the system. In this phase we are now looking inside of
the system to gather data. Information such as shares, users, groups, applications,
protocols, and banners all proved useful in getting to know your target, and this
information is carried forward into the attack phase.
• The information gathered includes, but is not limited to, the following:
• Usernames
• Group information
• Passwords
• Hidden shares
• Device information
• Network layout
• Protocol information
• Server data
• Service information
 Enumeration
• Banner Grabbing/Service Enumeration
We can identify services running on specific ports by inspecting service
banners (-sV) and running various OS and service enumeration scripts (–A)
against the target:
nmap -sV -sT -A <ip address>
• SMB Enumeration
• Nmap comes with SMB NSE scripts that can perform various tasks such as
OS discovery and enumeration via SMB. As an example we will use the smb-
os-discovery module:
nmap -v -p 139, 445 --script=smb-os-discovery <ip address>
 Enumeration
SMTP Enumeration
We can also gather information about a host or network from mail servers.
The Simple Mail Transport Protocol (SMTP) supports several interesting
commands, such as VRFY and EXPN. A VRFY request asks the server to verify
an email address, while EXPN asks the server for the membership of a mailing
list.
These can often be abused to verify existing users on a mail server.
nc -nv 10.11.1.217 25 <ip address>
 IMPORTANT!!!

Please note that port scanning is not representative of

traditional user activity and could be considered illegal in
some jurisdictions. Therefore, it should not be performed
outside the labs without direct, written permission from the
target network owner!!!
 Scanning
Port scanning is the process of inspecting TCP or UDP ports on a remote machine
with the intention of detecting what services are running on the target and what
potential attack vectors may exist.
It is essential to understand the implications of port scanning, as well as the impact
that specific port scans can have. Due to the amount of traffic some scans can
generate, along with their intrusive nature, running port scans blindly can have
adverse effects on target systems or the client
network such as overloading servers and network links or triggering IDS. Running
the wrong scan could result in DoS.
Depending on the scope of the engagement, instead of running a full port scan
against the target network, we can start by only scanning the ports related to
targeted services (i.e. 80, 443 if it’s a web server)
Port scanning is a dynamic process that is unique to each engagement. The results
of one scan determine the type and scope of the next scan.
 Scanning

TCP Scanning – Connect Scan

• The simplest TCP port scanning technique, usually called CONNECT
scanning, relies on the three-way TCP handshake. This mechanism is
designed so that two hosts attempting to communicate can negotiate the
parameters of the network TCP socket connection before transmitting any
data.
• The host sends a TCP SYN packet to a server on a destination port. If the
destination port is open, the server responds with a SYN-ACK packet and the
client host sends an ACK packet to complete the handshake. If the
handshake completes successfully, the port is considered open.
 Scanning

• UDP scanning is problematic for several reasons. First, UDP scanning is often
unreliable, as firewalls and routers may drop ICMP packets. This can lead to
false positives and ports showing as open when they are, in fact, closed.
• Second, many port scanners do not scan all available ports, and usually have
a pre-set list of “interesting ports” that are scanned. This means open UDP
ports can go unnoticed. Using a protocol-specific UDP port scanner may
help in obtaining more accurate results.
• Also, many penetration testers often forget to scan for open UDP ports,
instead focusing on known TCP ports.
• UDP scanning can be unreliable but should be mandatory as there are many
of attack vectors possible by abusing open UDP ports!
Scanning

Vulnerability Scanning
Most vulnerability scanner work by performing following actions:a
1. Detect if a target is up and running.
2. Conduct a full or partial port scan, depending on the configuration.
3. Identify the operating system using common fingerprinting techniques.
4. Attempt to identify running services with common techniques such as
banner grabbing, service behavior identification, or file discovery.
5. Execute a signature-matching process to discover vulnerabilities.
As a part of this signature-matching process, many scanners use banner
grabbing.
QUESTIONS???