Module 03: Scanning Networks

Scenario

Earlier you gathered all possible information about the target, such as organization information (employee details, partner details, web links, etc.), network information (domains, sub-domains, sub-sub-domains, IP addresses, network topology, etc.), and system information (OS details, user accounts, passwords, etc.). Now, as an ethical hacker or penetration tester (hereafter, pen tester), your next step is to perform port scanning and network scanning on the IP addresses that you obtained in the information-gathering phase. This will help you identify an entry point into the target network.

Scanning itself is not the actual intrusion, but an extended form of reconnaissance in which the ethical hacker and pen tester learns more about the target, including open ports and services, OSes, and any configuration lapses. The information gleaned from this reconnaissance helps you select strategies for the attack on the target system or network.

This is one of the most important phases of intelligence gathering, as it enables you to create a profile of the target organization. In the process of scanning, you attempt to gather information such as the specific IP addresses of the target systems that can be reached over the network (live hosts), the open ports and the services running on them, and the vulnerabilities in the live hosts.

Port scanning helps you identify open ports and the services running on them; it involves connecting to Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports on the target system.
Port scanning is also used to discover vulnerabilities in the services running on a port. The labs in this module will give you hands-on experience in gathering information about the target organization using various network scanning and port scanning techniques.

Objective

The objective of this lab is to conduct network scanning, port scanning, analysis of network vulnerabilities, etc.

Network scans are needed to:
+ Check for live systems and open ports
+ Identify services running on live systems
+ Perform banner grabbing/OS fingerprinting
+ Identify network vulnerabilities

Overview of Scanning Networks

Network scanning is the process of gathering additional, detailed information about the target using highly complex and aggressive reconnaissance techniques. The purpose of scanning is to discover exploitable communication channels, probe as many listeners as possible, and keep track of the responsive ones.

Types of scanning:
+ Port Scanning: Lists open ports and services
+ Network Scanning: Lists the active hosts and IP addresses
+ Vulnerability Scanning: Shows the presence of known weaknesses

Lab Tasks

Ethical hackers and pen testers use numerous tools and techniques to scan the target network. Recommended labs that will assist you in learning various network scanning techniques include:

1. Perform host discovery
   o Perform host discovery using Nmap
   o Perform host discovery using Angry IP Scanner
2. Perform port and service discovery
   o Perform port and service discovery using MegaPing
   o Perform port and service discovery using NetScanTools Pro
   o Perform port scanning using the sx tool
   o Explore various network scanning techniques using Nmap
   o Explore various network scanning techniques using Hping3
3. Perform OS discovery
   o Identify the target system's OS with Time-to-Live (TTL) and TCP window sizes using Wireshark
   o Perform OS discovery using Nmap Script Engine (NSE)
   o Perform OS discovery using Unicornscan
4. Scan beyond IDS and Firewall
   o Scan beyond IDS/firewall using various evasion techniques
   o Create custom packets using Colasoft Packet Builder to scan beyond the IDS/firewall
   o Create custom UDP and TCP packets using Hping3 to scan beyond the IDS/firewall
5. Perform network scanning using various scanning tools
   o Scan a target network using Metasploit

Lab 1: Perform Host Discovery

Lab Scenario

As a professional ethical hacker or pen tester, you should be able to scan and detect the active network systems/devices in the target network. During the network scanning phase of a security assessment, your first task is to scan the systems/devices connected to the target network within a specified IP range and check for live systems in the target network.

Lab Objectives
+ Perform host discovery using Nmap
+ Perform host discovery using Angry IP Scanner

Overview of Host Discovery

Host discovery is considered the primary task in the network scanning process. It is used to discover the active/live hosts in a network. It provides an accurate status of the systems in the network, which in turn reduces the time spent scanning every port on every system in a sea of addresses in order to identify whether the target host is up.

The following are examples of host discovery techniques:
+ ARP ping scan
+ UDP ping scan
+ ICMP ping scan (ICMP ECHO ping, ICMP timestamp ping, and ICMP address mask ping)
+ TCP ping scan (TCP SYN ping and TCP ACK ping)
+ IP protocol ping scan

Task 1: Perform Host Discovery using Nmap

Nmap is a utility used for network discovery, network administration, and security auditing. It is also used to perform tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Here, we will use Nmap to discover a list of live hosts in the target network. We can use Nmap to scan the active hosts in the target network using various host discovery techniques such as ARP ping scan, UDP ping scan, ICMP ECHO ping scan, ICMP ECHO ping sweep, etc.
1. By default, the Parrot Security machine is selected.

2. On the login page, the attacker username is selected by default. Enter toor in the Password field and press Enter to log in to the machine.

Note: If a Parrot Updater pop-up appears at the top-right corner of the Desktop, ignore it and close it.

Note: If a Question pop-up window appears asking you to update the machine, click No to close the window.

Task 2: Perform Host Discovery using Angry IP Scanner

Click the Search icon on the Desktop. Type angry in the search field; the Angry IP Scanner app appears in the results. Click Open to launch it.

3. Angry IP Scanner starts, and a Getting Started window pops up. Click Next, follow the wizard, and click Close.

Note: If an Open File - Security Warning window appears, click Run.

6. The Preferences window appears. In the Scanning tab, under the Pinging section, select Combined UDP+TCP from the Pinging method drop-down list.

7. Now, switch to the Display tab. Under the Display in the results list section, select the Alive hosts (responding to pings) only radio button and click OK.

8. In the IP Range - Angry IP Scanner window, click the Start button to start scanning the IP range that you entered.

9. Angry IP Scanner starts scanning the IP range and begins to list the live hosts found along with their hostnames. Check the progress bar at the bottom-right corner to see the progress of the scan.

10. After the scan is complete, a Scan Statistics pop-up appears. Note the total number of Hosts alive (here, 7) and click Close.

11. The results of the scan are listed in the main window of the IP Range - Angry IP Scanner window, where you can see all the active hosts.

Lab 2: Perform Port and Service Discovery

Task 1: Perform Port and Service Discovery using MegaPing

4. The About MegaPing window appears; click the I Agree button.

5. The MegaPing (Unregistered) GUI appears, displaying the System Info, as shown in the screenshot.

6. Select the IP Scanner option from the left pane. In the IP Scanner tab in the right-hand pane, enter the IP range in the From and To fields (in this lab, the IP range is 10.10.1.5 to 10.10.1.20); then click Start.

7. MegaPing lists the IP addresses under the specified target range along with the alive hosts, as shown in the screenshot.

8. Select the Port Scanner option from the left-hand pane.

9. In the Port Scanner tab in the right-hand pane, enter the IP address of the Windows Server 2022 (10.10.1.22) machine into the Destination Address List field and click Add. Select the 10.10.1.22 checkbox and click the Start button.

10. MegaPing lists the ports associated with Windows Server 2022 (10.10.1.22), with detailed information on the port number and type, the service running on the port along with its description, and the associated risk, as shown in the screenshot. Using this information, attackers can penetrate the target network and compromise it to launch attacks.

11. Similarly, you can perform port and service scanning on other target machines.

12. This concludes the demonstration of discovering open ports and services running on the target IP address using MegaPing.

13. Close all open windows and document all the acquired information.

Task 2: Perform Port and Service Discovery using NetScanTools Pro

NetScanTools Pro is an integrated collection of utilities that gathers information on the Internet and troubleshoots networks for network professionals. With the available tools, you can research IPv4/IPv6 addresses, hostnames, domain names, e-mail addresses, and URLs on the target network.

Here, we will use the NetScanTools Pro tool to discover open ports and services running on a target range of IP addresses.

1. In the Windows 11 machine, navigate to E:\CEH-Tools\CEHv12 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro and double-click netp1demo.exe.

Note: If a User Account Control pop-up appears, click Yes.
2. The Setup - NetScanTools Pro Demo window appears. Click Next and follow the wizard-driven installation steps to install the tool.

3. Note: If a WinPcap 4.1.3 Setup pop-up appears, click Cancel.

4. The Reminder window appears; continue with the wizard.

5. In the Completing the NetScanTools Pro Demo Setup Wizard window, ensure that Launch NetScanTools Pro Demo is checked and click Finish.

6. The NetScanTools Pro 11 DEMO window appears; click the Start the DEMO button.

7. In the left pane, under the Manual Tools (all) section, scroll down and click the Ping Scanner option, as shown in the screenshot.

8. A dialog box opens explaining the Ping Scanner tool; click OK.

9. Enter the Start IP and End IP values (here, 10.10.1.5 and 10.10.1.23). Ensure that Use Default System DNS is selected, and then click Start.

Note: In this lab task, we are scanning the Parrot Security, Windows Server 2022, Windows Server 2019, and Android machines.

10. A Ping Scanner notice pop-up appears; click I Accept.

11. The scan results open in a web browser window.

Note: If a How do you want to open this file? pop-up appears, select Google Chrome from the list and click OK.

12. Close the browser and switch to the NetScanTools Pro window.

13. In the left pane, under the Manual Tools (all) section, click the Port Scanner option.

14. In the Target Hostname or IP Address field, enter the IP address of the target (here, 10.10.1.22). Ensure that the TCP Full Connect radio button is selected, and then click the Scan Range of Ports button.

15. A Port Scanner notice pop-up appears; click I Accept.

16. NetScanTools Pro scans the target and displays the results.

Task 3: Perform Port Scanning using sx Tool

The sx tool is a command-line network scanner that can be used to perform ARP scans, ICMP scans, and TCP SYN scans, as well as application scans such as SOCKS5 scan, Docker scan, and Elasticsearch scan.

1. Click CEHv12 Parrot Security to switch to the Parrot Security machine.

15. This concludes the demonstration of port scanning using the sx tool.

16. Close all open windows and document all the acquired information.

Task 4: Explore Various Network Scanning Techniques using Nmap

Nmap comes with various inbuilt scripts that can be employed during a scanning process in an attempt to find the open ports and the services running on them. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Nmap includes many port scanning mechanisms (TCP and UDP), OS detection, version detection, ping sweeps, etc.

Here, we will use Nmap to discover open ports and services running on the live hosts in the target network.

1. Click CEHv12 Windows 11 to switch to the Windows 11 machine. In the Windows 11 machine, click the Search icon on the Desktop. Type zenmap in the search field; Zenmap appears in the results. Click Open to launch it.

2. The Zenmap window appears. In the Command field, type the command nmap -sT -v [Target IP Address] (here, the target IP address is 10.10.1.22) and click Scan.

Note: -sT performs the TCP connect/full open scan and -v enables the verbose output (includes all hosts and ports in the output).

Note: The MAC addresses might differ when you perform the task.

3. The scan results appear, displaying all the open TCP ports and services running on the target machine, as shown in the screenshot.
Note: The TCP connect scan completes a three-way handshake with the target machine. In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with a SYN/ACK packet. In turn, the client acknowledges the SYN/ACK packet with an ACK packet to complete the connection. Once the handshake is complete, the client sends an RST packet to end the connection. Because the connection is fully established, a connect scan is visible in the application's own logs on the target, unlike the half-open scan below.

4. Click the Ports/Hosts tab to gather more information on the scan results. Nmap displays the port, protocol, state, service, and version for the scan.

5. Click the Topology tab to view the topology of the target network. To view the topology in detail, click the Fisheye option.

6. In the same way, click the Host Details tab to view the details of the TCP connect scan.

7. Click the Scans tab to view the command used to perform the TCP connect/full open scan.

8. Click the Services tab located in the left pane of the window. This tab displays a list of services.

Note: You can use any of these services and their open ports to enter into the target network/host and establish a connection.

9. In this sub-task, we shall be performing a stealth scan/TCP half-open scan, Xmas scan, TCP Maimon scan, and ACK flag probe scan on a firewall-enabled machine (i.e., Windows Server 2022) in order to observe the results. To do this, we need to enable Windows Firewall in the Windows Server 2022 machine.

10. Click CEHv12 Windows Server 2022 to switch to the Windows Server 2022 machine.

11. Click Ctrl+Alt+Del to activate the machine. By default, the CEH\Administrator user profile is selected; type Pa$$w0rd in the Password field and press Enter to log in.

16. The scan results appear, displaying all the open TCP ports and services running on the target machine, as shown in the screenshot.

Note: The stealth scan involves resetting the TCP connection between the client and server abruptly before completion of the three-way handshake, hence leaving the connection half-open. This scanning technique can be used to bypass firewall rules and logging mechanisms, and to hide under network traffic.

Note: As shown in the last task, you can gather detailed information from the scan results in the Ports/Hosts, Topology, Host Details, and Scans tabs.

17. In the Command field of Zenmap, type the command nmap -sX -v [Target IP Address] (here, the target IP address is 10.10.1.22) and click Scan. The scan results appear, displaying that the ports are either open or filtered (open|filtered) on the target machine, which means a firewall has been configured on the target machine.

Note: -sX performs the Xmas scan and -v enables the verbose output (includes all hosts and ports in the output).

Note: The Xmas scan sends a TCP frame to a target system with the FIN, URG, and PUSH flags set. If the target has opened the port, then you will receive no response from the target system. If the target has closed the port, then you will receive a reply from the target system with an RST. This distinction holds only for RFC 793-compliant stacks; Windows and several other stacks reply with RST regardless of port state, so against them every port shows as closed, and the open|filtered results seen here come from the firewall dropping the probes.

18. In the Command field, type the command nmap -sM -v [Target IP Address] (here, the target IP address is 10.10.1.22) and click Scan.

Note: -sM performs the TCP Maimon scan and -v enables the verbose output (includes all hosts and ports in the output).

19. The scan results appear, displaying that the ports are open|filtered on the target machine, which means a firewall has been configured on the target machine.

Note: In the TCP Maimon scan, a FIN/ACK probe is sent to the target. If there is no response, then the port is open|filtered. If an RST packet is sent as a response, then the port is closed.

20. In the Command field, type the command nmap -sA -v [Target IP Address] (here, the target IP address is 10.10.1.22) and click Scan.

Note: -sA performs the ACK flag probe scan and -v enables the verbose output (includes all hosts and ports in the output). An ACK scan never reports a port as open; it reports unfiltered when an RST comes back and filtered when nothing does, which maps the firewall's rules rather than the listening services.

25. Now, click CEHv12 Windows 11 to navigate back to the Windows 11 machine. In the Command field of Zenmap, type the command nmap -sU -v [Target IP Address] (here, the target IP address is 10.10.1.22) and click Scan.

26. Note: -sU performs the UDP scan and -v enables the verbose output (includes all hosts and ports in the output).

27. The scan results appear, displaying all the open UDP ports and services running on the target machine, as shown in the screenshot.

Note: This scan will take approximately 20 minutes to finish the scanning process, and the results might differ in your lab environment.

Note: The UDP scan uses the UDP protocol instead of TCP; there is no three-way handshake for the UDP scan. It sends UDP packets to the target host; no response means that the port is open (reported as open|filtered, since a firewall dropping the probe looks the same). If the port is closed, an ICMP port unreachable message is received.

28. Close the Zenmap window.

29. You can create your own scan profile, or you can choose the default scan profiles available in Nmap to scan a network.

30. Click the Search icon on the Desktop. Type zenmap in the search field; the Nmap - Zenmap GUI appears in the results. Click Open to launch it.

31. To choose the default scan profiles available in Nmap, click the drop-down icon in the Profile field and select the scanning technique you want to use.

32. To create a scan profile, click Profile --> New Profile or Command.

Note: If a User Account Control pop-up appears, click Yes.

33. The Profile Editor window appears. In the Profile tab, under the Profile Information section, enter a profile name (here, Null Scan) into the Profile name field.

34. Now, click the Scan tab and select the scan option (here, Null scan (-sN)) from the TCP scan drop-down list. Select None in the Non-TCP scans drop-down list and Aggressive (-T4) in the Timing template list. Ensure that the Enable all advanced/aggressive options (-A) checkbox is selected and click Save Changes, as shown in the screenshot.

Note: Using this configuration, you are setting Nmap to perform a null scan with the timing template as -T4 and all aggressive options enabled.

35. This will create a new profile, which is added to the profile list.

36. In this sub-task, we will be targeting the Ubuntu machine (10.10.1.9).

37. In the main window of Zenmap, enter the target IP address (here, 10.10.1.9) in the Target field, select the Null Scan profile that you created from the Profile drop-down list, and then click Scan.

38. Nmap scans the target and displays the results in the Nmap Output tab, as shown in the screenshot.

39. Apart from the aforementioned port scanning and service discovery techniques, you can also use the following scanning techniques to perform port and service discovery on a target network using Nmap:
   o IDLE/IPID header scan: A TCP port scan method that uses a third-party "zombie" host as the apparent source of the probes, so the target never sees the scanner's own address. The option takes the zombie as its argument: nmap -sI [Zombie IP Address] -v [Target IP Address]
   o SCTP INIT scan: An INIT chunk is sent to the target host; an INIT-ACK chunk response implies that the port is open, and an ABORT chunk response means that the port is closed. nmap -sY -v [Target IP Address]
   o SCTP COOKIE ECHO scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open (Nmap reports it as open|filtered) and an ABORT chunk response means that the port is closed. nmap -sZ -v [Target IP Address]

40. In the Command field, type the command nmap -sV [Target IP Address] (here, the target IP address is 10.10.1.22) and click Scan.

41. The scan results appear, displaying the open ports and the versions of the services running on the ports, as shown in the screenshot.

Note: Service version detection helps you to obtain information about the running services and their versions on a target system. Obtaining an accurate service version number allows you to determine which exploits the target system is vulnerable to.

42. In the Command field, type the command nmap -A [Target Subnet] (here, the target subnet is 10.10.1.*) and click Scan. By providing the * (asterisk) wildcard, you can scan a whole subnet or IP range.

Note: -A enables the aggressive scan. The aggressive scan option supports OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). You should not use -A against target networks without permission.

43. Nmap scans the entire network and displays information for all the hosts that were scanned, along with the open ports and services, device type, details of the OS, etc., as shown in the screenshot.

44. Choose the IP address 10.10.1.22 from the list of hosts in the left pane and click the Host Details tab. This tab displays information such as host status, addresses, operating system, ports used, OS classes, etc. associated with the selected host.

45. This concludes the demonstration of discovering active hosts in the target network and their open ports, services, service versions, device type, OS details, etc. using various scanning techniques of Nmap.

46. Close all open windows and document all the acquired information.

Task 5: Explore Various Network Scanning Techniques using Hping3

Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. Using Hping, you can study the behavior of an idle host and gain information about the target such as the services that the host offers, the ports supporting the services, and the OS of live hosts in the target network.

Here, we will use Hping3 to discover open ports and services running on the live hosts in the target network.

18. This concludes the demonstration of discovering open ports and services running on the live hosts in the target network using Hping3.

19. Close all open windows and document all the acquired information.
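The connect, SYN, Xmas, Maimon, ACK and UDP scans run in Task 4 each read the target's reply differently, and the open|filtered results against the firewall-enabled Windows Server 2022 machine come from the filter silently dropping the probe. The following Python model is an editor's example added here; it is not part of the lab and not Nmap's code. It encodes Nmap's documented interpretation rules for each scan type and a simplified RFC 793 target stack behind an optional stateful firewall, so you can see why each scan reports what it does. The scan names, the respond() firewall model and the sample ports are constructed for illustration; nothing is sent on the wire.

```python
"""Model of how Nmap interprets replies to its port probes (no packets sent).

A reply is one of:
  {"tcp": {"SYN", "ACK"}}   a TCP segment carrying those flags
  {"icmp": (type, code)}    an ICMP message
  {"udp": True}             a UDP datagram from the probed port
  None                      silence (the probe timed out)
"""
from typing import Optional

# ICMP type 3 (destination unreachable) codes that Nmap maps to "filtered":
# net, host, port, protocol, net-prohibited, host-prohibited, admin-prohibited.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}

# Flags carried by each probe; the Nmap option is given in the comment.
PROBES = {
    "connect": {"SYN"},                # -sT  full handshake via connect()
    "syn":     {"SYN"},                # -sS  half-open, handshake never completed
    "null":    set(),                  # -sN  no flags at all
    "fin":     {"FIN"},                # -sF
    "xmas":    {"FIN", "PSH", "URG"},  # -sX
    "maimon":  {"FIN", "ACK"},         # -sM
    "ack":     {"ACK"},                # -sA  maps firewall rules, not open ports
    "udp":     None,                   # -sU  empty UDP datagram
}


def classify(scan: str, reply: Optional[dict]) -> str:
    """Return the port state Nmap would print for `scan` given `reply`."""
    if scan not in PROBES:
        raise ValueError(f"unknown scan type {scan!r}")
    if reply is not None and "icmp" in reply:
        icmp_type, code = reply["icmp"]
        if icmp_type == 3 and code in ICMP_FILTERED_CODES:
            # UDP is the one case where "port unreachable" (3/3) proves closed.
            return "closed" if scan == "udp" and code == 3 else "filtered"
        reply = None  # any other ICMP is ignored, same as a timeout
    if scan == "udp":
        return "open" if reply else "open|filtered"
    if reply is None:
        # Connect/SYN/ACK probes always draw a reply from a reachable stack, so
        # silence means a filter; for the flag-trick scans silence is also what
        # an open port does, hence the ambiguous open|filtered.
        return "filtered" if scan in ("connect", "syn", "ack") else "open|filtered"
    flags = reply["tcp"]
    if "RST" in flags:
        return "unfiltered" if scan == "ack" else "closed"
    if scan in ("connect", "syn") and {"SYN", "ACK"} <= flags:
        return "open"
    return classify(scan, None)  # unexpected segment: treat as silence


def respond(scan: str, port_open: bool, firewall: str = "none") -> Optional[dict]:
    """Reply of a simplified RFC 793 stack behind an optional stateful firewall.

    firewall="stateful" only admits probes that start a new flow (a lone SYN,
    or a UDP datagram) to ports that are open; everything else is dropped
    silently, which is what produces the open|filtered results seen against
    the firewall-enabled Windows Server 2022 machine in the lab.
    """
    probe = PROBES[scan]
    if firewall == "stateful":
        starts_flow = scan == "udp" or probe == {"SYN"}
        if not (starts_flow and port_open):
            return None
    if scan == "udp":
        # Most UDP services stay silent on an empty datagram; a closed port
        # answers with ICMP port unreachable.
        return None if port_open else {"icmp": (3, 3)}
    if not port_open:
        # RFC 793: anything reaching a closed port is answered with RST.
        return {"tcp": {"RST", "ACK"} if "SYN" in probe else {"RST"}}
    if probe == {"SYN"}:
        return {"tcp": {"SYN", "ACK"}}
    if "ACK" in probe:
        # A stray ACK on a listening port is reset; this is why the Maimon
        # probe only discriminates on BSD-derived stacks that drop it instead.
        return {"tcp": {"RST"}}
    return None  # an open port ignores NULL/FIN/Xmas segments


def scan_report(firewall: str = "none") -> dict:
    """Run every scan type against one open and one closed port."""
    return {
        scan: {
            "open_port": classify(scan, respond(scan, True, firewall)),
            "closed_port": classify(scan, respond(scan, False, firewall)),
        }
        for scan in PROBES
    }


if __name__ == "__main__":
    for fw in ("none", "stateful"):
        print(f"firewall={fw}")
        for scan, states in scan_report(fw).items():
            print(f"  {scan:8s} open->{states['open_port']:14s} closed->{states['closed_port']}")
```

Running it shows the lab's observations in miniature: with no firewall the NULL/FIN/Xmas scans separate open (open|filtered) from closed ports, while behind the stateful firewall every probe except a SYN to an open port is swallowed and all of them collapse to open|filtered or filtered. The Maimon row shows "closed" for the open port because the model follows RFC 793; Windows behaves the same way for the NULL/FIN/Xmas probes as well, so on a Windows target those scans are only informative when a filter is in the path.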
Lab 3: Perform OS Discovery

Lab Scenario

As a professional ethical hacker or pen tester, the next step after discovering the open ports and services running on the target range of IP addresses is to perform OS discovery. Identifying the OS used on the target system allows you to assess the system's vulnerabilities and the exploits that might work on the system to perform additional attacks.

Lab Objectives
+ Identify the target system's OS with Time-to-Live (TTL) and TCP window sizes using Wireshark
+ Perform OS discovery using Nmap Script Engine (NSE)
+ Perform OS discovery using Unicornscan

Overview of OS Discovery/Banner Grabbing

Banner grabbing, or OS fingerprinting, is a method used to determine the OS that is running on a remote target system. There are two types of OS discovery or banner grabbing techniques:
+ Active Banner Grabbing: Specially crafted packets are sent to the remote OS, and the responses are noted and then compared with a database to determine the OS. Responses from different OSes vary because of differences in their TCP/IP stack implementation.
+ Passive Banner Grabbing: This depends on the differential implementation of the stack and the various ways an OS responds to packets. Passive banner grabbing includes banner grabbing from error messages, sniffing the network traffic, and banner grabbing from page extensions.

Parameters such as the TTL in the IP header and the window size in the TCP header of the first packet in a TCP session play an important role in identifying the OS running on the target machine. The TTL field determines the maximum number of router hops a packet can survive in a network, and the TCP window size is the amount of data the sender of the segment is willing to accept before acknowledging. These values differ for different OSes. Note that every router on the path decrements the TTL by one, so a captured value of 117 indicates an initial TTL of 128 observed 11 hops away. Refer to the following table to learn the TTL values and TCP window sizes associated with various OSes.

Operating System   Time To Live   TCP Window Size
Linux              64             5840
FreeBSD            64             65535
OpenBSD            255            16384
Windows            128            65,535 bytes to 1 Gigabyte
Cisco Routers      255            4128
Solaris            255            8760
AIX                255            16384

Task 1: Identify the Target System's OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark

Wireshark is a network protocol analyzer that allows capturing and interactively browsing the traffic running on a computer network. It is used to identify the target OS through sniffing/capturing the response generated from the target machine to the request-originating machine. Further, you can observe the TTL and TCP window size fields in the captured TCP packet. Using these values, the target OS can be determined.
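Before walking through the Wireshark steps, the following Python example applies the table above to a raw IPv4/TCP segment. It is added by the editor and is not part of the lab, nor Wireshark or Nmap code. It parses the two headers with struct, recovers the likely initial TTL (64, 128 or 255) and hence the hop count from the observed TTL, and returns the OSes whose TTL and window size match, falling back to the TTL-only candidates when the window is non-default. The packet bytes are constructed inline by build_segment(), a helper written for this example, with checksums left at zero since parsing does not need them; the 10.10.1.x addresses are the lab's.

```python
"""Passive OS guess from the TTL and TCP window of a captured segment.

Only the first segment a host sends in a session (its SYN or SYN/ACK)
carries the OS default window; later segments reflect buffer state.
"""
import socket
import struct

# (OS, initial TTL, default TCP window) from the lab's table; Windows is
# listed with the lower bound of the range the table gives it.
FINGERPRINTS = [
    ("Linux", 64, 5840),
    ("FreeBSD", 64, 65535),
    ("OpenBSD", 255, 16384),
    ("Windows", 128, 65535),
    ("Cisco Routers", 255, 4128),
    ("Solaris", 255, 8760),
    ("AIX", 255, 16384),
]
INITIAL_TTLS = (64, 128, 255)   # values stacks start from; each hop subtracts 1

IP_FMT = "!BBHHHBBH4s4s"        # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"          # 20-byte TCP header without options


def parse_ipv4(buf: bytes) -> dict:
    """Return the IPv4 fields needed here from the start of `buf`."""
    ver_ihl, _tos, _len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0x0F) * 4, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def parse_tcp(buf: bytes) -> dict:
    sport, dport, _seq, _ack, _off, flags, window, _csum, _urg = struct.unpack(TCP_FMT, buf[:20])
    return {"sport": sport, "dport": dport, "window": window,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}


def guess_os(ttl: int, window: int) -> dict:
    """Infer initial TTL, hop distance and candidate OSes from observed values."""
    initial = next((t for t in INITIAL_TTLS if ttl <= t), None)
    if initial is None:
        raise ValueError(f"TTL {ttl} out of range")
    same_ttl = [name for name, t, _ in FINGERPRINTS if t == initial]
    exact = [name for name, t, w in FINGERPRINTS if t == initial and w == window]
    # Fall back to TTL-only candidates when the window is non-default (window
    # scaling, tuned sysctls); window_matched tells the caller which applied.
    return {"initial_ttl": initial, "hops": initial - ttl,
            "candidates": exact or same_ttl, "window_matched": bool(exact)}


def fingerprint_segment(raw: bytes) -> dict:
    """Fingerprint a raw IPv4+TCP segment as captured off the wire."""
    ip = parse_ipv4(raw)
    if ip["proto"] != 6:
        raise ValueError("not TCP")
    tcp = parse_tcp(raw[ip["ihl"]:])
    if not tcp["syn"]:
        raise ValueError("window is only meaningful on a SYN or SYN/ACK")
    result = guess_os(ip["ttl"], tcp["window"])
    result.update(src=ip["src"], dst=ip["dst"], ttl=ip["ttl"], window=tcp["window"])
    return result


def build_segment(src: str, dst: str, ttl: int, window: int, flags: int = 0x12) -> bytes:
    """Constructed IPv4+TCP segment (checksums 0; not needed for parsing)."""
    ip = struct.pack(IP_FMT, 0x45, 0, 40, 0x1234, 0x4000, ttl, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack(TCP_FMT, 80, 51000, 1, 1, 5 << 4, flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # SYN/ACK from the lab's Windows Server 2022 host (10.10.1.22) on the same LAN
    print(fingerprint_segment(build_segment("10.10.1.22", "10.10.1.11", 128, 65535)))
    # The same kind of reply seen from 11 router hops away
    print(guess_os(117, 65535))
```

Two entries in the table (OpenBSD and AIX) share TTL 255 and window 16384, so guess_os() returns both rather than picking one; TTL and window alone are a hint, and Nmap's -O probes or NSE scripts are needed to settle such cases.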
browsing the traffic running on a computer network Itis yenerated from the target machine tothe request-riginated Ids inthe captured TCP packet. Using ti values, the target 0 Here, we will se the Wireshar cal to perform OS discovery on the target hosts) 1. Click CEHW12 Windows 11 to sw ch to the Windows 11 machine Search icon ( {9 ) on the Desktop. Type wireshark in the search fil the Wireshark appea' in the results, cick Open to Iaunch it 2 wnt yaa ae os Mi erence 363.0% 2 esa Sexiness 2 vir lest doin 2 ena onan a © esters goumdouwes zen Os ism @ 3. The Wireshark Network Analyzer main window appears; double-ick the avaiable ether the packet ptr, as show nthe screenshot. interface (here, Ethernet to start [lots Software Update window appears, cick Remind me later. eougoueea os te aouGozeeaa Observe the packets captured by Wireshark fe fit ew Go Gate rape Stes ‘Mghoy Wis Tec ep ANAO DERE QeoeTIS Sagan (Wissen as Je 74 cee ping) request Lice, seat/56, 2128 (en tn Seon bac arora Hon 34a (ping) reply Lwaeeh, squ/nen telaas (eget © Fee a7 74 byes on wre (52 Ite), 7 beer eared (RP bits) interface \evLeNer {SAESSE-FSSH05-BREKCIDSIIA), 4 © ) Eotrent ty srt harem ehstesa (ai tsthatatan) ber nicrne eames euiesact-0) SSigaees gaseesss 1 SSS reece cece ed ee ef ve S975 1 hit oerstoy Patera cerca‘ Poe BouGdoueada Fo yom O Choose any packet ofthe ICMP reply fram the Windows Server 2022 (10.10.1.22) ta Windows 11 (10.10.1.11) machines and cexgand the Internet Protocol Version 4 node inthe Packet Details pane 7.The TTL value is recorded as 128, which ns that ICMP reply possibly came from a Windows-based machine 4 coronene - 9 * (He Est fone Cape drape Sas gery ee Tle ANAO DERE QeoeTIS Sagan (Wissen ae oy ~ Srenaene: meieae 4 th ping) segues ido, e986, tleze (cepy i & ‘ 479 08.100 awasaar i eh ping) vegnet tba, the tpie) copy. 
ion snare, ekan (cost in 7 Fra «787 wpe on wire (S97 DRE), 74 Bese capa (NBL) of Ear sues Fi BBE ECODSEEG), 14 © 2 Seat sos hrs oin bn suto), oe Ret een (oussoenies) ai Stte Lege: 20 wes 5) tkernenea sree Feige (BCP Cy OH NOE-ET) = Tae ae cea Se eT wy Honmgouweaaa as ome Now, stop the eaptur in the Wireshark win bar clicking onthe Stop button fo 4 cope eben 8 & (est fone Cape drape Ses gery Wie Take aMa@52Re QeoeTiseaaan Wis tah nace = = = te or corn ed egh 3 se Tiimn Rianaerten Fat rae) Tr Str gry rape an eee i rs | ~ Reeeueees Prato) Her 74 Ee ping) request Lima sqn/356, tn (ely tn (29 eH Torte in rey om, Se teas et Mine into masa 185 HES in oy | Sc es, Sat ae [eases aa ee Toe re cehe (ping) requect LdnuaaoL, aqes/768, teiei28 (Poply tn & Sages bisce i. 108 (ting) reply. Lemans, squ/nen telaas (agar Frame 478: 78 bytes on wire (S52 Dts), 74 bytes captured (992 bLE5) on interface YOevice\NPr_(SAS0308-FES5-402)-806-DCCISADBIIIG), Ld ® 2 Eetrrnt ny eres harem obsesd (aitsthatatan) be, cre etaaae eaiesict-0) > Siisentnee services Hide Bad BSD: 58, £04 MCT) Tewefieetons a? ce) Povesls 0 (2) ender Checouns Ou [elietiondsobled) See wT Bounmgoueaaa as ame 3 from the toolbar, I an Unsaved packets... Pop-up appears ick Continue withous Now, click the Start eapturing packets b saving, Aree - 9 * He fst Wow So Cape Araae Sas gery Wits eH AN SODDRE QeosTISSaaan (igen a+ oe or Tore aa oe Ee a5 ties Giana tan ey Ts Sdard gyre 1 cae Fh Rat | Fras 78 7 wpe on wire (G9 DRE), 78 BESE capa (SD WL) of ISM ava (SHS FO wl Be. CCDSLEG), TA 2 Seat sos hrs oin ensue), on Ret ahem (oussoenies) ia 2 fader enh 20 ayes 5) » Sitfeensses servicer Heid! a8 (ESC 58, COW HET) (fener cecaue atts bier tied) “SS eusueegs gasaeeen ) ) = mE escussis goncse on a SS Br oso cece or ea of Jo 721598 78.18 ghistien open © wate shennan Paice tenses SI‘ Peo BouGdoueada Fo yom O 10. Wireshark il start capturing the new packets 11. Inthe Command Prompt window, type ping 10.10.1.9 and press Enter. 
Note: 10.10.1.9 is the IP address of the Ubuntu machine.

[Screenshot: Wireshark capturing ICMP echo (ping) request and reply packets together with DNS traffic]

[...]

15. Now, stop the capture in the Wireshark window by clicking on the Stop button.

16. This concludes the demonstration of identifying the OS of the target system using Wireshark.

17. Close all open windows and document all the acquired information.

Task 2: Perform OS Discovery using Nmap Script Engine (NSE)

Nmap, along with Nmap Script Engine (NSE), can extract considerable valuable information from the target system. In addition to Nmap commands, NSE provides scripts that reveal all sorts of useful information from the target system. Using NSE, you may obtain information such as OS, computer name, domain name, forest name, NetBIOS computer name, NetBIOS domain name, workgroup, system time of [...]

Here, we will use Nmap to perform OS discovery using the -A parameter, the -O parameter, and NSE.

1. Click CEHv12 Parrot Security to switch to the Parrot Security machine.

[...]

10. Close all open windows and document all the acquired information.

Lab 4: Scan beyond IDS and Firewall

Lab Scenario

As a professional ethical hacker or a pen tester, the next step after discovering the OS of the target IP address(es) is to perform network scanning without being detected by the network security perimeters such as the firewall and IDS. IDSs and firewalls are efficient security mechanisms; however, they still have some security limitations.
You may be required to launch attacks to exploit these limitations using various IDS/firewall evasion techniques such as packet fragmentation, source routing, IP address spoofing, etc. Scanning beyond the IDS and firewall allows you to evaluate the target network's IDS and firewall security.

Lab Objectives

+ Scan beyond IDS/firewall using various evasion techniques
+ Create custom packets using Colasoft Packet Builder to scan beyond the IDS/firewall
+ Create custom UDP and TCP packets using Hping3 to scan beyond the IDS/firewall

Overview of Scanning beyond IDS and Firewall

An Intrusion Detection System (IDS) and firewall are the security mechanisms intended to prevent an unauthorized person from accessing a network. However, even IDSs and firewalls have some security limitations. Firewalls and IDSs intend to avoid malicious traffic (packets) from entering into a network, but certain techniques can be used to send intended packets to the target and evade IDSs/firewalls.

Techniques to evade IDS/firewall:

+ Packet Fragmentation: Send fragmented probe packets to the intended target, which re-assembles them after receiving all the fragments
+ Source Routing: Specifies the routing path for the malformed packet to reach the intended target
+ Source Port Manipulation: Manipulate the actual source port with a common source port to evade the IDS/firewall
+ IP Address Decoy: Generate or manually specify IP addresses of the decoys so that the IDS/firewall cannot determine the actual IP address
+ IP Address Spoofing: Change source IP addresses so that the attack appears to be coming in as someone else
+ Creating Custom Packets: Send custom packets to scan the intended target beyond the firewalls
+ Randomizing Host Order: Scan the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall
+ Sending Bad Checksums: Send the packets with bad or bogus TCP/UDP checksums to the intended target
+ Proxy Servers: Use a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions
+ Anonymizers: Use anonymizers that allow them to bypass Internet censors and evade certain IDS and firewall rules

Task 1: Scan beyond IDS/Firewall using Various Evasion Techniques

Nmap offers many features to help understand complex networks with enabled security mechanisms and supports mechanisms for bypassing poorly implemented defenses. Using Nmap, various techniques can be implemented which can bypass the IDS/firewall security mechanisms.

Here, we will use Nmap to evade the IDS/firewall using various techniques such as packet fragmentation, source port manipulation, MTU, and IP address decoy.

1. Click CEHv12 Windows 11 to switch to the Windows 11 machine.

2. Navigate to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or off, enable Windows Defender Firewall and click OK, as shown in the screenshot.

[Screenshot: Customize Settings page of Windows Defender Firewall]

3. Minimize the Control Panel window, click the Search icon on the Desktop, and type wireshark in the search field; the Wireshark app appears in the results. Click Open to launch it.

[Screenshot: Windows 11 search results showing the Wireshark app]

4. The Wireshark Network Analyzer window appears. Start capturing packets by double-clicking the available ethernet or interface (here, Ethernet).

Note: If a Software Update window appears, click Remind me later.

[Screenshot: The Wireshark Network Analyzer main window]

[...]

26. This concludes the demonstration of evading IDS and firewall using various evasion techniques in Nmap.

27. Close all open windows and document all the acquired information.

Task 2: Create Custom Packets using Colasoft Packet Builder to Scan beyond the IDS/Firewall

Colasoft Packet Builder is a tool that allows you to create custom network packets to assess network [...]. You can select a TCP packet from the provided templates and change the parameters in the [...] editor, hexadecimal editor, or ASCII editor to create a packet. In addition to building packets, the Colasoft Packet Builder supports saving packets to packet files and sending packets to the [...].

Here, we will use the Colasoft Packet Builder to create custom TCP packets to scan the target host by bypassing the IDS/firewall.

1. Click CEHv12 Windows Server 2019 to switch to the Windows Server 2019 machine.

2. [...] Ctrl+Alt+Del to activate the machine. By default, Administrator [...], and press Enter to login.

[...] Type Pa$$w0rd in the Password field.

Note: If a Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.

[Screenshot: Windows Server 2019 login screen and the Colasoft Packet Builder window with its Packet List, Decode Editor and Hex Editor panes]

[...]

3. The Wireshark Network Analyzer window appears; double-click the available ethernet or interface (here, Ethernet) to start the packet capture.

Note: If a Software Update pop-up appears, click on Remind me later.
[Screenshot: Wireshark capturing packets on the Ethernet interface]

[...]

12. Click CEHv12 Parrot Security to switch to the Parrot Security machine. In the Parrot Terminal window, first press Control+C, type hping3 -S [Target IP Address] -p 80 -c 5 (here, the target IP address is 10.10.1.11), and then press Enter.

Note: Here, -S specifies the TCP SYN request on the target machine, -p specifies assigning the port to send the traffic, and -c [...]

13. In the result, it is indicated that five packets are sent and received through port 80.

[Screenshot: Parrot Terminal showing the hping3 output, and Wireshark capturing the SYN packets and the SYN/ACK replies on port 80]
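The probe in step 12 is a plain TCP SYN to port 80, and the "Sending Bad Checksums" entry in the Lab 4 overview describes the same kind of packet with its checksum deliberately wrong. The following Python block is an added example, not part of the lab manual or of hping3: it builds a SYN of that shape with correct IPv4 and TCP checksums, derives a copy whose TCP checksum is corrupted, and verifies both the way a receiving stack or a checksum-aware sensor would. The point for the defender is that the target host silently discards the corrupted copy, so an IDS that skips checksum verification can be made to record probes and flows that never reached the application, while one that verifies them can treat such packets as noise or as an evasion attempt. Addresses are constructed (192.0.2.10 stands in for the scanning host; 10.10.1.11 is the Windows 11 target from the lab); the function names are my assumptions.

```python
"""IPv4/TCP checksum verification against a constructed SYN probe (added example)."""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over data that already contains a
    correct checksum field the result is 0, which is the receiver's validity test."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """IPv4 header + 20-byte TCP SYN with both checksums filled in correctly."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xABCD, 0x4000, 64, 6, 0,
                     _ip(src), _ip(dst))
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


def corrupt_tcp_checksum(pkt: bytes) -> bytes:
    """Copy of the packet with the TCP checksum altered, the shape of a bogus-checksum probe."""
    ihl = (pkt[0] & 0x0F) * 4
    off = ihl + 16                      # TCP checksum sits at segment offset 16
    bad = bytearray(pkt)
    bad[off] ^= 0x55
    bad[off + 1] ^= 0x55
    return bytes(bad)


def verify_checksums(pkt: bytes) -> dict:
    """Recompute both checksums exactly as the receiving IP and TCP layers do."""
    ihl = (pkt[0] & 0x0F) * 4
    out = {"ip_ok": internet_checksum(pkt[:ihl]) == 0, "tcp_ok": None}
    if pkt[9] == 6:                     # IPv4 protocol field: 6 = TCP
        seg = pkt[ihl:]
        pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
        out["tcp_ok"] = internet_checksum(pseudo + seg) == 0
    return out


def classify(pkt: bytes) -> str:
    """Verdict a checksum-aware sensor attaches to the packet. The host drops a
    packet with a bad checksum, so any state an IDS builds from it is phantom state."""
    v = verify_checksums(pkt)
    if not v["ip_ok"]:
        return "drop: bad IPv4 header checksum"
    if v["tcp_ok"] is False:
        return "drop: bad TCP checksum (possible evasion probe)"
    return "accept"


# Constructed packets: a correct SYN to port 80 and its corrupted twin.
GOOD_SYN = build_tcp_syn("192.0.2.10", "10.10.1.11", 40001, 80)
BAD_SYN = corrupt_tcp_checksum(GOOD_SYN)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_SYN), ("bad", BAD_SYN)):
        print(name, verify_checksums(pkt), "->", classify(pkt))
```

The same verification applies to the packets captured in this task: a SYN/ACK in the Wireshark capture proves the target accepted the SYN, and a host never answers a SYN whose checksum fails, so any probe the sensor logged without a matching response is a candidate for the bad-checksum technique.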
[Screenshot: Wireshark Packet Details pane for one of the captured TCP packets]

[...] the captured packet, the TCP packet [...]

[Screenshot: Wireshark showing the expanded Transmission Control Protocol node of the captured packet]

21. Turn off the Windows Firewall in the Windows 11 machine by navigating to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or off.

22. This concludes the demonstration of evading the IDS and firewall using various evasion techniques in Hping3.

23. You can also use other packet crafting tools such as NetScanTools Pro (https://www.netscantools.com), Colasoft Packet Builder (https://www.colasoft.com), etc. to build custom packets to evade security mechanisms.

24. Close all open windows and document all the acquired information.

Lab 5: Perform Network Scanning using Various Scanning Tools

Lab Scenario

The information obtained in the previous steps might be insufficient to reveal potential vulnerabilities in the target network; there may be more information available that could help in finding loopholes in the target network. As an ethical hacker and pen tester, you should look for as much information as possible about systems in the target network using various network scanning tools when needed.
This lab will demonstrate other techniques/commands/methods that can assist you in extracting information about the systems in the target network using various scanning tools.

Lab Objectives

+ Scan a target network using Metasploit

Overview of Network Scanning Tools

Scanning tools are used to scan and identify live hosts, open ports, running services on a target network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. Information obtained from these tools will assist an ethical hacker in creating the profile of the target organization and to scan the network for open ports of the devices connected.

Task 1: Scan a Target Network using Metasploit

Metasploit Framework is a tool that provides information about security vulnerabilities in the target organization's system, and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploit writers, and payload writers. A major advantage of the framework is the modular approach, that is, allowing the combination of any exploit with any payload.

Here, we will use Metasploit to discover active hosts, open ports, services running, and OS details of systems present in the target network.

1. Click CEHv12 Parrot Security to switch to the Parrot Security machine.

2. Click the MATE Terminal icon in the top of the Desktop to open a Terminal window.
