Ch3 - Network Scanning (Scan / Analyse Réseau) 1

The document discusses network scanning, a process used to identify hosts, ports, and services within a network, which can aid attackers in profiling target organizations. It outlines various scanning techniques, tools like Nmap and HPING, and methods for discovering active hosts, including ARP and ICMP scans. The content emphasizes the importance of network scanning in both security auditing and potential attack strategies.


Information Security
MODULE 3: NETWORK SCANNING

HTTPS://MASTER-SSI.JIMDOFREE.COM/

Network scanning concepts
MODULE 3: NETWORK SCANNING

Presentation of network scanning

Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network.

Network scanning is one of the components of intelligence gathering which can be used by an attacker to create a profile of the target organization.

[Figure: Network Scanning Process - the attacker sends TCP/IP probes to the target network and analyses the responses.]

Objectives of network scanning:
- To discover live hosts, IP addresses, and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts


TCP communication flags

Standard TCP communications are controlled by flags in the TCP packet header:
- URG (Urgent): data contained in the packet should be processed immediately
- FIN (Finish): there will be no further transmissions
- RST (Reset): resets a connection
- PSH (Push): sends all buffered data immediately
- ACK (Acknowledgement): acknowledges the receipt of a packet
- SYN (Synchronize): initiates a connection between hosts

[Figure: TCP header layout (0-31 bits): Source Port | Destination Port; Sequence No; Acknowledgement No; Offset | Res | TCP Flags | Window; TCP Checksum | Urgent Pointer; Options.]
TCP/IP communication

[Figure: TCP Session Establishment (Three-way Handshake) and TCP Session Termination between a client (10.0.0.2:2341) and a server (10.0.0.3:21); the client asks to talk, the server acknowledges, and termination is acknowledged with the corresponding ACK and SEQ numbers.]

Scanning tools
MODULE 3: NETWORK SCANNING

Nmap
Network administrators can use Nmap for inventorying a network, managing service upgrade schedules, and monitoring host or service uptime.

Attackers use Nmap to extract information such as live hosts on the network, open ports, services (application name and version), types of packet filters/firewalls, as well as operating systems and versions used.

[Screenshot: Zenmap GUI. Callouts: "add a target IP address to perform scanning"; the scan output "obtains the list of open ports, OS details, MAC details, and services along with their versions".]
HPING2/HPING3

Command line network scanning and packet crafting tool for the TCP/IP protocol.

It can be used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, etc.

[Screenshots: hping3 output for ICMP scanning and for ACK scanning on port 80.]

HPING commands

ICMP ping:
hping3 -1 10.0.0.25

SYN scan on ports 50-60:
hping3 -8 50-60 -S 10.0.0.25 -V

ACK scan on port 80:
hping3 -A 10.0.0.25 -p 80

FIN, PUSH and URG scan on port 80:
hping3 -F -P -U 10.0.0.25 -p 80

UDP scan on port 80:
hping3 -2 10.0.0.25 -p 80

Scan entire subnet for live hosts:
hping3 -1 10.0.1.x --rand-dest -I eth0

Collecting initial sequence number:
hping3 192.168.1.103 -Q -p 139 -s

Intercept all traffic containing HTTP signature:
hping3 -9 HTTP -I eth0

Firewalls and timestamps:
hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

SYN flooding a victim:
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
Other scanning tools

Metasploit: Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing.

NetScanTools Pro: NetScanTools Pro assists attackers in automatically or manually listing IPv4/IPv6 addresses, hostnames, domain names, and URLs (https://www.netscantools.com).

Other scanning tools: Unicornscan (https://sourceforge.net), SolarWinds Port Scanner (https://www.solarwinds.com), PRTG Network Monitor (https://www.paessler.com), OmniPeek Network Protocol Analyzer.
Mobile scanning tools

IP Scanner and Network Scanner.

[Screenshots: the IP Scanner and Network Scanner mobile apps listing the devices discovered on a network (router/gateway, iMac, Brother printer, network cameras, tablet, PlayStation, Nest Protect).]
Host discovery
MODULE 3: NETWORK SCANNING

Host discovery techniques

Host discovery techniques are used to identify the active/live systems in the network:
- ARP Ping Scan
- UDP Ping Scan
- ICMP Ping Scan: ICMP ECHO Ping, ICMP ECHO Ping Sweep, ICMP Timestamp Ping, ICMP Address Mask Ping
- TCP Ping Scan
- IP Protocol Ping Scan


ARP ping scan and UDP ping scan

ARP Ping Scan: attackers send ARP request probes to target hosts, and an ARP response indicates that the host is active.

UDP Ping Scan: attackers send UDP packets to target hosts, and a UDP response indicates that the host is active.

[Figures: the attacker sends an ARP request / a UDP ping to the target; an ARP response / UDP response means "Host is Active". Zenmap screenshots of an ARP ping scan (nmap -sn -PR 10.10.10.10) and a UDP ping scan (nmap -sn -PU 10.10.10.10), each reporting "Host is up" with the MAC address (VMware) and "1 IP address (1 host up) scanned".]
ICMP ECHO ping scan

ICMP ECHO ping scans involve sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.

This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

[Figure: ICMP Echo Request from the attacker (10.10.10.16) to the destination (10.10.10.10), answered by an ICMP Echo Reply. "ICMP Echo ping scan output using Zenmap": nmap -sn -PE 10.10.10.10 reports the host is up with its MAC address (VMware), 1 IP address (1 host up) scanned.]
ICMP ECHO ping sweep

Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is alive, it will return an ICMP ECHO reply.

Attackers calculate subnet masks by using a Subnet Mask Calculator to identify the number of hosts that are present in the subnet.

Attackers subsequently use a ping sweep to create an inventory of live systems in the subnet.

[Figure: ICMP Echo Requests sent to the range 10.10.10.5-15. Zenmap screenshot of nmap -sn -PE 10.10.10.5-15 listing the hosts that are up (10.10.10.10, 10.10.10.12, 10.10.10.13, ...) with their MAC addresses (VMware): "11 IP addresses (4 hosts up) scanned".]
Ping sweep tools

Angry IP Scanner: Angry IP Scanner pings each IP address to check if any of these addresses are live. Then, it optionally resolves hostnames, determines the MAC address, scans ports, etc.

[Screenshot: Angry IP Scanner scanning the IP range 10.10.10.0 to 10.10.10.255 and listing the live hosts with hostname and open ports; "Display: Alive only".]

Other ping sweep tools:
- SolarWinds Engineer's Toolset (https://www.solarwinds.com)
- NetScanTools Pro (https://www.netscantools.com)
- Colasoft Ping Tool (https://www.colasoft.com)
- Visual Ping Tester (http://www.pingtester.net)
- OpUtils (https://www.manageengine.com)
Ping sweep countermeasures

- Configure firewalls to detect and prevent ping sweep attempts instantaneously
- Use intrusion detection systems and intrusion prevention systems like Snort to detect and prevent ping sweep attempts
- Carefully evaluate the type of ICMP traffic flowing through enterprise networks
- Cut off connections with any host that performs more than 10 ICMP ECHO requests
- Use DMZs and allow only commands like ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED within a DMZ
- Limit ICMP traffic using Access Control Lists (ACLs) and grant permissions only to specific IP addresses such as ISPs
Other host discovery techniques

ICMP Timestamp and Address Mask Ping Scan: these techniques are alternatives for the traditional ICMP ECHO ping scan and are used to determine whether the target host is live, specifically when the administrators block ICMP ECHO pings.
ICMP Timestamp Ping Scan: # nmap -sn -PP <target IP address>
ICMP Address Mask Ping Scan: # nmap -sn -PM <target IP address>

TCP SYN Ping Scan: attackers send empty TCP SYN packets to a target host, and an ACK response means that the host is active.
# nmap -sn -PS <target IP address>

TCP ACK Ping Scan: attackers send empty TCP ACK packets to a target host, and an RST response means that the host is active.
# nmap -sn -PA <target IP address>

IP Protocol Ping Scan: attackers send various probe packets to the target host using different IP protocols, and any response from any probe indicates that a host is active.
# nmap -sn -PO <target IP address>
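As an added example for the ping sweep countermeasures and for the ICMP timestamp / address mask alternatives above (this is not code from the course), the following Python script applies the "more than 10 ICMP ECHO requests" rule from the countermeasures list to a log, counting the Echo (8), Timestamp (13) and Address Mask (17) request types that the -PE, -PP and -PM scans rely on. The log line format, the 60-second window and every address are assumptions made for the example.

```python
"""Flag ICMP ping sweeps in a firewall-style log (constructed format below).

Added example for the ping sweep countermeasures and the ICMP timestamp /
address-mask ping scans; not code from the course. A source is reported when
it sends more than `max_requests` ICMP request probes inside `window`.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ICMP request types used for host discovery: Echo (8, nmap -PE),
# Timestamp (13, nmap -PP) and Address Mask (17, nmap -PM). Replies are ignored.
REQUEST_TYPES = {8: "echo", 13: "timestamp", 17: "addrmask"}

# Assumed log line shape: "<ISO time> ICMP <src> -> <dst> type=<n> code=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ICMP (?P<src>[\d.]+) -> (?P<dst>[\d.]+) type=(?P<type>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, icmp_type), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["type"])


def detect_sweeps(lines, max_requests=10, window=timedelta(seconds=60)):
    """Return {src: {"requests": n, "targets": distinct dsts, "types": {names}}}
    for every source whose busiest `window` holds more than max_requests probes."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in REQUEST_TYPES:
            continue                      # unparsable line, or a reply / other ICMP type
        ts, src, dst, itype = rec
        by_src[src].append((ts, dst, itype))

    alerts = {}
    for src, probes in by_src.items():
        probes.sort()                     # sliding window over time-ordered probes
        best, start = None, 0
        for end, (ts, _, _) in enumerate(probes):
            while ts - probes[start][0] > window:
                start += 1
            hits = probes[start:end + 1]
            if len(hits) > max_requests and (best is None or len(hits) > best["requests"]):
                best = {"requests": len(hits),
                        "targets": len({d for _, d, _ in hits}),
                        "types": {REQUEST_TYPES[t] for _, _, t in hits}}
        if best:
            alerts[src] = best
    return alerts


# Constructed sample: one echo sweep of 10.10.10.1-12 in 12 s, one ordinary ping,
# one echo reply, and a slow timestamp probe series that never exceeds the threshold.
SAMPLE_LOG = (
    [f"2024-03-01T12:00:{i:02d} ICMP 10.10.10.99 -> 10.10.10.{i} type=8 code=0" for i in range(1, 13)]
    + ["2024-03-01T12:00:05 ICMP 10.10.10.3 -> 10.10.10.99 type=0 code=0",
       "2024-03-01T12:01:00 ICMP 10.10.10.20 -> 10.10.10.1 type=8 code=0"]
    + [f"2024-03-01T12:{i:02d}:00 ICMP 10.10.10.50 -> 10.10.10.{i} type=13 code=0" for i in range(1, 12)]
)
```

Running detect_sweeps(SAMPLE_LOG) flags only 10.10.10.99 (12 echo requests to 12 hosts); the one-per-minute timestamp probes from 10.10.10.50 never exceed the threshold inside a 60-second window.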
Port and service discovery
MODULE 3: NETWORK SCANNING

Port scanning techniques
The port scanning techniques are categorized according to the type of protocol used for communication:

- TCP Scanning
  - Open TCP Scanning Methods: TCP Connect / Full Open Scan
  - Stealth TCP Scanning Methods: Half-open Scan, Inverse TCP Flag Scan, ACK Flag Probe Scan (TTL-based Scan, Window Scan)
  - Third Party and Spoofed TCP Scanning Methods: IDLE/IPID Header Scan
- UDP Scanning
- SCTP Scanning: SCTP INIT Scanning, SCTP COOKIE ECHO Scanning
- SSDP Scanning
- IPv6 Scanning
TCP connect / full open scan

The TCP Connect scan detects when a port is open after completing the three-way handshake.

TCP Connect scan establishes a full connection and then closes the connection by sending an RST packet.

It does not require superuser privileges.

[Figures: scan result when a port is open (the attacker sends a SYN packet to the port, completes the handshake with SYN/ACK and ACK, then sends RST); scan result when a port is closed (the SYN packet is answered with RST). Zenmap screenshot of a TCP connect scan against 10.10.10.10 listing the discovered open ports with PORT / STATE / SERVICE, the MAC address (VMware) and the number of packets sent.]
Stealth scan (half-open scan)

Stealth scanning involves abruptly resetting the TCP connection between the client and server before the completion of the three-way handshake signals, thus leaving the connection half-open.

Attackers use stealth scanning techniques to bypass firewall rules as well as logging mechanisms, and hide themselves under the appearance of regular network traffic.

[Figures: scan result when a port is open (the client 10.0.0.2:2341 sends SYN to 10.0.0.3:80, receives SYN/ACK and answers with RST instead of ACK); scan result when a port is closed (the SYN is answered with RST). Zenmap screenshot of a SYN stealth scan against 10.10.10.10 listing the discovered open ports with PORT / STATE / SERVICE and the MAC address (VMware).]
Inverse TCP flag scan

Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags, where no response implies that the port is open, whereas an RST response means that the port is closed.

[Figure: probe packet (FIN/URG/PSH/NULL) sent to the target; no response when the port is open, RST when the port is closed.]

Note: inverse TCP flag scanning is known as FIN, URG, PSH scanning based on the flag set in the probe packet. It is known as null scanning if there is no flag set.
Xmas scan

Using the Xmas scan, attackers send a TCP frame to a remote device with FIN, URG, and PUSH flags set.

FIN scanning works only with OSes that use an RFC 793-based TCP/IP implementation.

The Xmas scan will not work against any current version of Microsoft Windows.

[Figures: port is open (FIN/URG/PSH probe, no response); port is closed (FIN/URG/PSH probe, RST response). "Xmas scan output using Zenmap": nmap -sX -v 10.10.10.10 runs an ARP ping scan and parallel DNS resolution, then the Xmas scan of 1000 ports; the report states "All 1000 scanned ports on 10.10.10.10 are open|filtered", with the MAC address (VMware) and "Raw packets sent: 2001".]
TCP Maimon scan

Attackers send FIN/ACK probes, and if there is no response, then the port is Open|Filtered, but if an RST packet is sent in response, then the port is closed.

[Figures: port is open|filtered (FIN/ACK probe, no response); port is closed (FIN/ACK probe, RST response). Zenmap screenshot of nmap -sM -v 10.10.10.10: ARP ping scan and parallel DNS resolution, then the Maimon scan of 1000 ports; "All 1000 scanned ports on 10.10.10.10 are open|filtered", MAC address (VMware), 1 IP address (1 host up) scanned in 23.77 seconds, "Raw packets sent: 2001".]
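As an added example for the TCP flags slide and for the connect, half-open, inverse-flag, Xmas and Maimon scan slides (this is not code from the course), the following Python script extracts the flag bits from raw TCP headers, names each probe the way the slides do, and reports a source that sends the same probe kind to many ports of one host, which is how a sensor would notice such scans. The packet records and addresses are constructed for the example.

```python
"""Name TCP probes by their flag pattern and spot one-source port sweeps.

Added example for the TCP flags slide and the port scan technique slides;
not code from the course. The packet records at the bottom are constructed.
"""
import struct
from collections import defaultdict

# Flag bits in the low byte of the TCP "data offset / reserved / flags" word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Exact flag combinations and the scan/probe names the slides use for them
PROBE_NAMES = {
    FIN | PSH | URG: "xmas",     # Xmas scan: FIN, URG and PUSH set
    FIN | ACK: "maimon",         # Maimon scan: FIN/ACK probe
    SYN | ACK: "syn-ack",        # second step of the three-way handshake (a reply)
    SYN: "syn",                  # connect scan or half-open (SYN stealth) scan
    ACK: "ack",                  # ACK flag probe / TCP ACK ping
    FIN: "fin", URG: "urg", PSH: "psh",   # inverse TCP flag scans
    RST: "rst",                  # reset: a reply, e.g. from a closed port
    0: "null",                   # NULL scan: no flags set
}
REPLIES = {"syn-ack", "rst"}


def build_header(src_port, dst_port, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header (data offset 5, window 1024)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | flags, 1024, 0, 0)


def tcp_flags(header):
    """Return the six flag bits (URG..FIN) of a raw TCP header."""
    _, _, _, _, off_flags = struct.unpack("!HHIIH", header[:14])
    return off_flags & 0x3F


def probe_name(flags):
    """Map a flag value to the probe name used on the slides, or 'other'."""
    return PROBE_NAMES.get(flags, "other")


def find_port_sweeps(packets, min_ports=10):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header).
    Returns {(src, dst): (probe_kind, distinct_ports)} for sources that sent one
    probe kind to at least min_ports distinct ports of one host; replies are skipped."""
    ports = defaultdict(set)
    for src, dst, hdr in packets:
        kind = probe_name(tcp_flags(hdr))
        if kind in REPLIES:
            continue
        ports[(src, dst, kind)].add(struct.unpack("!H", hdr[2:4])[0])
    return {(s, d): (k, len(p)) for (s, d, k), p in ports.items() if len(p) >= min_ports}


# Constructed traffic: an Xmas probe against 12 ports of 10.10.10.10, plus three
# ordinary connections (SYN) from another host and one SYN/ACK reply to them.
SAMPLE_PACKETS = (
    [("10.10.10.16", "10.10.10.10", build_header(40000 + p, p, FIN | PSH | URG)) for p in range(1, 13)]
    + [("10.10.10.20", "10.10.10.10", build_header(51000, p, SYN)) for p in (22, 80, 443)]
    + [("10.10.10.10", "10.10.10.20", build_header(80, 51000, SYN | ACK))]
)
```

With the default threshold only the Xmas sweep from 10.10.10.16 is reported; lowering min_ports to 3 also surfaces the three SYN connections, which shows why a SYN-only rule needs a higher threshold than one for FIN/URG/PSH combinations that normal clients never send.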
