Chapter 3 - Footprinting Scanning

The document provides an overview of footprinting and scanning, which are methods used to gather information about potential targets for attacks. Footprinting involves collecting and analyzing data to identify vulnerabilities, while scanning focuses on identifying live hosts, open ports, and services running on a network. Various techniques and tools for both processes, as well as countermeasures to mitigate risks, are discussed.

Footprinting, Scanning

LECTURER: NGUYỄN THỊ THANH VÂN – FIT - HCMUTE


Objective

 Overview: Footprinting, Scanning
 Footprinting
 Scanning

13/03/2021 2
Overview: Footprinting, Scanning

Footprinting
What Is Footprinting

 Footprinting:
 is a method of observing and collecting information about a potential target with the intention of finding a way to attack the target.
 looks for information and later analyzes it for weaknesses or potential vulnerabilities.
 Footprinting results:
 a unique organization profile with respect to the networks (Internet/intranet/extranet/wireless) and systems involved

Objectives of Footprinting

 To know the security posture
 To reduce the focus area
 Identify vulnerabilities
 Draw a network map

Steps of Footprinting

 Footprinting generally needs the following steps to ensure proper information retrieval:
1. Collect information about a target: host and network
2. Determine the OS of the web server and web application data.
3. Query sources such as Whois, DNS, network, and organizational records
4. Locate existing or potential vulnerabilities or exploits that exist in the current infrastructure
=> helpful for launching later attacks.

Threats Introduced by Footprinting
 Social Engineering: asking people in order to get information
 Network and System Attacks: gathering information relating to an environment's system configuration and operating systems.
 Information Leakage: victims see data and other company secrets slipping out the door and into the wrong hands.
 Privacy Loss: access to a system can compromise not only the security of the system, but the privacy of the information stored on it as well
 Revenue Loss: loss of information and security related to online business, banking, and financial-related issues can easily lead to a lack of trust in a business, which may even lead to closure of the business itself.

Footprinting Methodology

 Search Engines
 Advanced Google Hacking Techniques
 Social Networking Sites
 Websites
 Email
 Competitive Intelligence
 WHOIS
 DNS
 Network
 Social Engineering

Search engines. Advanced Google

 Search engines
 Finding Company’s Public and Restricted Websites
 Collect Location Information
 People Search Online Services
 Gather Information from Financial Services
 Footprinting through Job Sites
 Monitoring Target Using Alerts
 Information Gathering Using Groups, Forums, and Blogs
 Footprinting using Advanced Google Hacking Techniques
 Google Advanced Search Operators
 Google Hacking Database (GHDB): www.exploit-db.com

Social Networking Sites

 Footprinting through Social Networking Sites
 Social Engineering
 Social Networking

Website Footprinting

 Website Footprinting
 Determining the Operating System
 Website Mirroring Tools
 Extract Website Information
 Monitoring Web Updates
 Website Monitoring Tools

Email Footprinting. Competitive Intelligence

 Email Footprinting: tracking an email through its email header. Tools:
 Polite Mail, IPSpecialist.net, Email Tracker Pro, Email Lookup, Yesware, Who Read Me, Contact Monkey, Read Notify, Did They Read It, Get Notify, Point of Mail, Trace Email, G-Lock Analytics
 Competitive Intelligence:
 collecting information, analyzing it and gathering statistics regarding the competitors.
 Sources of Competitive Intelligence

Monitoring Website

 Monitoring Website Traffic of the Target Company
 Showing ranking information for the targeted website. Tools:
 Tracking Online Reputation of the Target. Tools:

Network Footprinting. Social Engineering

 Network Footprinting.
 Tools: Whois, Ping, Nslookup, Tracert
 Social Engineering:
 Eavesdropping: listening to a conversation covertly
 Phishing: a message is sent that looks legitimate; the victim clicks and is redirected to a fake website that asks for sensitive information or downloads a malicious script
 Shoulder Surfing: standing behind a target
 Dumpster Diving: looking for treasure (information) in the trash
 Impersonation

Countermeasures of Footprinting

 Employees of an organization must be restricted from accessing social networking sites from the corporate network.
 Devices and servers are configured to avoid data leakage.
 Provide education, training, and awareness of footprinting, its impact, methodologies, and countermeasures to the employees of an organization.
 Avoid revealing sensitive information in annual reports, press releases, etc.
 Prevent search engines from caching web pages.

Labs:

 Lab 02-1: Maltego Tool Overview
 Lab 02-2: Recon-ng Overview
 Lab 02-3: FOCA Tool Overview
 Lab 2-4: Gathering information using Windows Command Line Utilities
 Lab 2-5: Downloading a Website using Website Copier tool (HTTrack)
 Lab 2-6: Gathering information using Metasploit

Scanning
Scanning

 One of the three components of intelligence gathering for an attacker
 Scanning is based on TCP communication

TCP Communication: Three Way Handshake

6 Flags:
 SYN
 ACK
 FIN
 URG
 RST
 PUSH

[Figure: three-way handshake diagram]

TCP Communication: Close connection

6 Flags:
 SYN
 ACK
 FIN
 URG
 RST
 PUSH

[Figure: connection close diagram]

TCP vs UDP

TCP & UDP

No.  TCP                                               UDP
1.   Connection-oriented protocol                      Connection-less protocol
2.   Connection in byte stream                         Connection in message stream
3.   It doesn't support multicasting and broadcasting  It supports broadcasting
4.   It provides error control and flow control        Error control and flow control are not provided
5.   Supports full duplex                              Does not support full duplex
6.   TCP packet is called a Segment                    UDP packet is called a User Datagram

Objectives of Scanning

 To identify live hosts on a network
 To identify open & closed ports
 To identify operating system information
 To identify services running on a network
 To identify running processes on a network
 To identify the presence of security devices like firewalls
 To identify system architecture
 To identify running services
 To identify vulnerabilities

Steps of Scanning Methodology

Checking for Live Systems

 Finding live hosts in a network is done with ICMP packets.
 Pinging (ICMP Scanning - Internet Control Message Protocol):
tests whether a host is reachable across an IP network and measures the RTT for packets sent from the source to the destination computer.
 ICMP Scanning using nmap/Zenmap

ping

Ping Sweep

 Ping Sweep: sends ICMP Echo Request packets to a range of IP addresses.
 Using tools:

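A ping sweep is noisy from the defender's side: one source sends ICMP echo requests to many addresses within seconds, and that pattern is visible in firewall logs. The Python below is an added example, not part of the original slides, of detection logic run over a few constructed log lines; the log format, the 60-second window and the 8-host threshold are this example's own assumptions, not something the slides or any particular firewall define.

```python
"""Detect ICMP ping sweeps in firewall-style log lines.

Added example, not part of the original slides. The log format below is a
constructed, simplified one (timestamp, proto, src, dst, icmp type); real
firewalls differ, so adapt LINE_RE to your own logs.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: one source hitting many hosts with echo
# requests (a sweep), and a second source doing an ordinary single ping.
SAMPLE_LOG = """\
2021-03-13T10:00:01 ICMP 203.0.113.5 -> 192.168.1.1 type=8
2021-03-13T10:00:01 ICMP 203.0.113.5 -> 192.168.1.2 type=8
2021-03-13T10:00:02 ICMP 203.0.113.5 -> 192.168.1.3 type=8
2021-03-13T10:00:02 ICMP 203.0.113.5 -> 192.168.1.4 type=8
2021-03-13T10:00:03 ICMP 203.0.113.5 -> 192.168.1.5 type=8
2021-03-13T10:00:03 ICMP 203.0.113.5 -> 192.168.1.6 type=8
2021-03-13T10:00:04 ICMP 203.0.113.5 -> 192.168.1.7 type=8
2021-03-13T10:00:04 ICMP 203.0.113.5 -> 192.168.1.8 type=8
2021-03-13T10:00:05 ICMP 203.0.113.5 -> 192.168.1.9 type=8
2021-03-13T10:00:05 ICMP 203.0.113.5 -> 192.168.1.10 type=8
2021-03-13T10:00:07 ICMP 198.51.100.9 -> 192.168.1.20 type=8
2021-03-13T10:00:07 ICMP 192.168.1.20 -> 198.51.100.9 type=0
2021-03-13T10:05:00 ICMP 203.0.113.5 -> 192.168.1.11 type=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP (?P<src>[\d.]+) -> (?P<dst>[\d.]+) type=(?P<type>\d+)$"
)


def parse_echo_requests(log_text):
    """Yield (timestamp, src, dst) for every ICMP echo request (type 8)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("type") != "8":
            continue  # skip echo replies and lines in another format
        yield datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")


def detect_ping_sweeps(log_text, window_seconds=60, min_targets=8):
    """Return {src: max_distinct_targets} for sources that sent echo requests
    to at least `min_targets` distinct hosts within any `window_seconds`
    window. Both thresholds are assumptions to tune per network."""
    per_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(log_text):
        per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {count} hosts probed")
```

The sliding window matters: the same source probing one extra host five minutes later (the last sample line) does not extend the alert, so slow, spread-out sweeps need a longer window or a lower threshold.
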
Check for Open Ports

 SSDP Scanning
 Simple Service Discovery Protocol (SSDP) is a protocol used for discovery of network services without the assistance of server-based configuration like DHCP and DNS and static network host configuration.
 The SSDP protocol can discover Plug & Play devices, with UPnP (Universal Plug and Play).
 The SSDP protocol is compatible with IPv4 and IPv6.
 Scanning Tools
 Nmap: another way to ping a host
 Hping2 & Hping3:
 a command-line TCP/IP packet assembler
 It supports TCP, UDP, ICMP and RAW-IP protocols

Scanning techniques

Full Open Scan

 The systems involved initiate and complete the three-way handshake.
 Advantage: the response confirms that the targeted host is live and the connection is complete.
 Disadvantage: it can be detected and logged by security devices such as firewalls and IDS.
 nmap -sT <ip range>

Stealth Scan, or Half-open Scan

 It does not open a full TCP connection
 The key advantage is that fewer sites log this scan
 nmap -sS <ip range>

Inverse TCP Flag Scanning

 The scanning process in which the sender sends a TCP probe either with TCP flags set, i.e. FIN, URG, and PSH, or without any flags.
 A probe with these TCP flags set is known as XMAS scanning.
 If no flag is set, it is known as Null scanning.

Xmas Tree Scan

 Having all the flags set creates an illogical or illegal combination, and the receiving system has to determine what to do:
 Drop (old systems)
 Respond: port is open
 RST packet: port is closed
 NMAP: nmap -sX -v <target IP>

FIN Scan

 The attacker sends frames to the victim with the FIN flag set.
 The victim's response depends on whether the port is open or closed:
 if a FIN is sent to an open port there is no response,
 but if the port is closed the victim returns an RST.
 NMAP: nmap -sF <target IP address>

Null Scan

 The attacker sends frames to the victim with no flags set.
 The victim's response depends on whether the port is open or closed:
 if the flagless probe is sent to an open port there is no response,
 if the port is closed the victim returns an RST
 nmap -sN <target IP address>

ACK Flag Probe Scanning

 Process:
 sends a TCP packet with the ACK flag set towards the target.
 The sender examines the header information, because even when the ACK packet has made its way to the target, the target replies with an RST packet whether the port is open or closed.
 After analyzing header information such as the TTL and WINDOW fields of the RST packet, the attacker identifies whether the port is open or closed
 nmap -sA -v <target IP address>

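The flag combinations on this and the preceding slides (the handshake flags, the Xmas, FIN and Null probes, the ACK probe) are exactly what a packet capture shows, and they are the basis for telling a scan apart from normal traffic. The Python below is an added example, not from the slides, that decodes the flag bits of a raw TCP header and labels each combination with the scan type described above; `build_tcp_header` exists only to construct sample packets for the classifier, and the sample capture is constructed rather than recorded from a network.

```python
"""Decode TCP header flags and classify probe packets by flag combination.

Added example, not from the original slides. It parses the 20-byte fixed
part of a raw TCP header and labels the combinations the slides describe:
SYN (connect / half-open), Xmas (FIN+URG+PSH), FIN-only, Null (no flags)
and ACK-only probes.
"""
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Assemble a 20-byte TCP header with the given flag bits (checksum left 0).
    Used here only to construct sample packets for the classifier."""
    offset_flags = (5 << 12) | (flags & 0x3F)  # data offset 5 words, 6 flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Return ports, sequence numbers, window, flag bits and names from a raw header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, window, _, _ = struct.unpack("!HHIIHHHH", raw[:20])
    flags = offset_flags & 0x3F
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "window": window, "flags": flags,
            "flag_names": [n for bit, n in FLAG_NAMES.items() if flags & bit]}


def classify_probe(flags):
    """Map a flag combination to the scan type the slides describe."""
    if flags == 0:
        return "null"        # nmap -sN: no flags at all
    if flags == FIN | URG | PSH:
        return "xmas"        # nmap -sX: FIN, URG and PSH lit up
    if flags == FIN:
        return "fin"         # nmap -sF
    if flags == SYN:
        return "syn"         # -sS / -sT start this way, but so does every normal connect
    if flags == ACK:
        return "ack"         # nmap -sA, used to map firewall rules
    if flags & SYN and flags & ACK:
        return "syn-ack"     # second step of the handshake
    return "other"           # data segments (PSH|ACK), resets, etc.


def summarize(packets):
    """Count probe types over a list of raw TCP headers. Any 'null', 'xmas'
    or 'fin' count is a strong scan indicator: a legitimate stack never
    sends those combinations to open a connection."""
    counts = {}
    for raw in packets:
        kind = classify_probe(parse_tcp_header(raw)["flags"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample capture: the flag patterns from the slides.
SAMPLE_PACKETS = [
    build_tcp_header(40000, 80, SYN),
    build_tcp_header(40001, 80, SYN | ACK),
    build_tcp_header(40002, 22, FIN | URG | PSH),
    build_tcp_header(40003, 22, 0),
    build_tcp_header(40004, 22, FIN),
    build_tcp_header(40005, 443, ACK),
    build_tcp_header(40006, 443, PSH | ACK),
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        hdr = parse_tcp_header(raw)
        print(hdr["dst_port"], hdr["flag_names"], "->", classify_probe(hdr["flags"]))
    print(summarize(SAMPLE_PACKETS))
```

A bare SYN or ACK by itself is not evidence of anything, since every connection starts with one; it is the Null, Xmas and FIN combinations, or many SYNs to many ports from one source, that justify an alert.
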
IDLE Scan

 IDLE Scan: allows for completely blind port scanning
 Attackers can actually scan a target without sending a single packet to the target from their own IP address
 One way to determine whether a port is open is:
 to send a "SYN" packet to the port. The target machine will:
 send back a "SYN|ACK" packet if the port is open, an "RST" packet if the port is closed.
 A machine which receives an undesirable SYN|ACK packet will respond with an RST. An undesirable RST will be ignored
 Every IP packet on the Internet has a "fragment identification" number
 Many OSs simply increment this number for every packet they send
 So probing for this number can tell an attacker how many packets have been sent since the last probe

IDLE Scan – Step 1

 Choose a "zombie" and probe for its current IPID number
 Extract the IPID from the packet.

IDLE Scan – Step 2

 Send a SYN packet to the target machine spoofing the IP address of the "zombie"

IDLE Scan – Step 3

 Probe the "zombie" IPID again to get its IPID number and compare it to the IPID extracted in step 1 (e.g. 1234).
 The zombie responds with an RST packet. Its reply discloses the IPID.
 Extract the IPID from the packet. Compare the IPIDs.
 Port is open if the IPID has incremented by 2.
 Port is closed if the IPID has incremented by 1.

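The three steps rest on one property of the zombie: its IP ID grows by exactly one for every packet it sends, so the scanner can count the zombie's packets from a distance. The Python below is an added example, not from the slides; `Zombie` and `Target` are toy models (an assumption of this example, not real network code) that reproduce the reply rules stated on these slides, and `ipid_is_sequential` is the check a defender would run to find out whether one of their own hosts has the predictable IP ID that makes it usable as a zombie.

```python
"""Simulate the IP ID side channel behind the idle scan, to show why a host
with a sequentially incrementing IP ID field makes a usable "zombie" and
why a randomized IP ID (what modern stacks do) closes the channel.

Added example, not from the original slides; Zombie and Target are toy
models of the behaviour the slides describe, not real packets.
"""
import random


class Zombie:
    """Idle host. Every packet it SENDS consumes one IP ID value."""

    def __init__(self, incremental=True, seed=1):
        self.incremental = incremental
        self._rng = random.Random(seed)
        self._ipid = 1234  # starting value taken from the slides

    def _next_ipid(self):
        if self.incremental:
            self._ipid = (self._ipid + 1) % 65536       # classic per-packet increment
        else:
            self._ipid = self._rng.randrange(65536)      # randomized IP ID
        return self._ipid

    def receive(self, kind):
        """Return the IP ID of the reply the zombie sends, or None if it stays
        silent. An unsolicited SYN|ACK is answered with RST; an unsolicited
        RST is ignored (slides: 'An undesirable RST will be ignored')."""
        if kind == "SYN|ACK":
            return self._next_ipid()   # RST reply: one more packet sent
        if kind == "RST":
            return None                # ignored: no packet sent
        if kind == "PROBE":            # the scanner's own probe also gets an answer
            return self._next_ipid()
        raise ValueError(kind)


class Target:
    """Host under test: SYN to an open port gets SYN|ACK, otherwise RST."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def syn(self, port):
        return "SYN|ACK" if port in self.open_ports else "RST"


def idle_scan_port(zombie, target, port):
    """Carry out steps 1-3 from the slides and return the inferred state.
    The scanner never talks to the target from its own address: the spoofed
    SYN makes the target answer the zombie, and the zombie's IP ID tells
    the story."""
    before = zombie.receive("PROBE")   # step 1: learn the current IP ID
    reply = target.syn(port)           # step 2: spoofed SYN, reply goes to the zombie
    zombie.receive(reply)              # zombie answers a SYN|ACK, ignores an RST
    after = zombie.receive("PROBE")    # step 3: probe again
    delta = (after - before) % 65536
    if delta == 2:
        return "open"      # zombie sent an RST to the SYN|ACK plus our probe reply
    if delta == 1:
        return "closed"    # zombie only sent our probe reply
    return "unknown"       # zombie not idle, or IP ID not sequential


def ipid_is_sequential(samples, tolerance=1):
    """Defender-side check: a host whose consecutive IP IDs differ by a
    constant small step is a candidate zombie and should have IP ID
    randomization enabled (or be placed behind a filtering device)."""
    deltas = [(b - a) % 65536 for a, b in zip(samples, samples[1:])]
    return all(1 <= d <= tolerance for d in deltas)


if __name__ == "__main__":
    target = Target(open_ports={22, 80})
    z = Zombie(incremental=True)
    for port in (22, 25, 80):
        print("port", port, "->", idle_scan_port(z, target, port))
    print("randomized zombie, port 22 ->", idle_scan_port(Zombie(incremental=False), target, 22))
```

With the incrementing zombie the three probes come back as open, closed, open, matching the slide's rule; with the randomized zombie the delta carries no information and the result is "unknown", which is the whole mitigation.
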
UDP Scanning
 UDP does not have flags. UDP packets work with ports; no connection orientation is required
 nmap -sU -v <ip range>

SYN/FIN Scanning Using IP Fragments
 It is a modification of earlier methods
 The TCP header is split up into several packets so that packet filters are not able to detect what the packets intend to do

ACK Scanning

 Identify open TCP ports by:
 sending ACK probe packets
 analyzing the header information of the RST packets received
 exploits vulnerabilities in certain OSs and platforms
 There are 2 main ACK scanning techniques that involve:
 Analysis of the time-to-live (TTL) field of received packets
 Analysis of the WINDOW field of received packets
 tests whether any filtering is being done on a port

Scanning Tools

 Nmap
 IPSec
 NetScan
 SuperScan
 IPScanner
 MegaPing
 Global Network Inventory Scanner
 Net Tools Suite Pack
 Floppy Scan

Nmap: Scan Methods

 Some of the scan methods used by Nmap:
 Xmas tree: The attacker checks for TCP services by sending "Xmas-tree" packets
 SYN Stealth: It is referred to as "half open" scanning, as a full TCP connection is not opened
 Null Scan: It's an advanced scan that may be able to pass through firewalls unmolested
 Window scan: It is similar to the ACK scan and can also detect open ports
 ACK Scan: Used to map out the firewall rule set

Nmap: Scan Methods

 -sT (TCP connect scan)
 -sS (SYN scan)
 -sF (FIN scan)
 -sX (Xmas scan)
 -sN (Null scan)
 -sP (Ping scan)
 -sU (UDP scan)
 -sO (Protocol scan)
 -sI (Idle scan)
 -sA (ACK scan)
 -sW (Window scan)
 -sR (RPC scan)
 -sL (List/DNS scan)
 -P0 (don't ping)
 -PT (TCP ping)
 -PS (SYN ping)
 -PI (ICMP ping)
 -PB (= PT + PI)
 -PP (ICMP timestamp)
 -PM (ICMP netmask)

IPSecScan

NetScan Tools Pro

SuperScan

IPScan

Global Network Inventory Scanner

CEH Scanning Methodology

OS Fingerprinting

 OS Fingerprinting
 is the method to determine the operating system that is running on the target
system
 The two different types of fingerprinting are:
 Active stack fingerprinting
 Passive fingerprinting

Active Stack Fingerprinting

 Based on the fact that OS vendors implement the TCP stack differently
 Specially crafted packets are sent to remote OSs and response is noted
 The responses are then compared with a database to determine the OS
 The Firewall logs your active banner grabbing scan since you are probing
directly

Passive Fingerprinting

 Passive banner grabbing refers to indirectly scanning a system to reveal its server's operating system
 It is also based on the differing implementations of the stack and the various ways an OS responds to it
 It uses sniffing techniques instead of scanning techniques
 It is less accurate than active fingerprinting

Active Banner Grabbing Using Telnet

 You can use telnet to grab the banner of a website

telnet www.certifiedhacker 80
HEAD / HTTP/1.0

GET REQUESTS

 You might want to try these additional GET requests for banner grabbing.
 Take a look at the GET REQUESTS KNOWN_TESTS.htm file

Disabling or Changing Banner

 Apache Server
 Apache 2.x users who have the mod_headers module loaded can use a simple directive in their httpd.conf file to change banner information:
Header set Server "New Server Name"
 Apache 1.3.x users have to edit defines in httpd.h and recompile Apache to get the same result
 IIS Server
 IIS users can use the following tools to disable or change banner information
– IIS Lockdown Tool
– ServerMask

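Whatever the configuration file says, the header that actually reaches clients is what gets fingerprinted, so the useful check after changing the banner is to look at a real response. The Python below is an added example, not from the slides: `grab_banner` issues the same `HEAD / HTTP/1.0` request shown on the telnet slide, `parse_response_headers` splits the reply, and `audit_server_header` classifies what the Server header discloses. The three responses at the bottom are constructed (not captured from any real server); the masked one reuses the `Header set Server "New Server Name"` value from the Apache slide.

```python
"""Parse the response to a HEAD request and audit the Server banner.

Added example, not from the original slides. grab_banner talks to the
network and is not exercised offline; the other functions work on raw
response bytes so they can be checked against constructed responses.
"""
import re
import socket

VERSION_RE = re.compile(r"\d+\.\d+")  # anything that looks like a version number


def parse_response_headers(raw):
    """Split an HTTP response into (status line, {header-name-lower: value}).
    Accepts CRLF or bare LF line endings and stops at the first blank line."""
    if b"\r\n\r\n" in raw:
        head = raw.split(b"\r\n\r\n", 1)[0]
    else:
        head = raw.split(b"\n\n", 1)[0]
    lines = head.decode("iso-8859-1").splitlines()
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_server_header(raw):
    """Verdict on what the Server header discloses:
    'absent'  - no Server header, nothing to fingerprint from it
    'generic' - present, but no product/version detail
    'verbose' - product and version, the case banner masking is meant to fix
    """
    _, headers = parse_response_headers(raw)
    server = headers.get("server")
    if server is None:
        return "absent"
    if VERSION_RE.search(server) or "/" in server:
        return "verbose"
    return "generic"


def grab_banner(host, port=80, timeout=5):
    """Network version of the telnet slide: send HEAD / HTTP/1.0 and return
    the raw response bytes. Not run by the offline checks."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed responses (not captured from any real server)
RESP_VERBOSE = (b"HTTP/1.1 200 OK\r\nDate: Sat, 13 Mar 2021 10:00:00 GMT\r\n"
                b"Server: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n")
RESP_MASKED = (b"HTTP/1.1 200 OK\r\nServer: New Server Name\r\n"
               b"Content-Type: text/html\r\n\r\n")
RESP_NO_SERVER = b"HTTP/1.0 200 OK\nContent-Type: text/html\n\n<html></html>"

if __name__ == "__main__":
    for raw in (RESP_VERBOSE, RESP_MASKED, RESP_NO_SERVER):
        status, headers = parse_response_headers(raw)
        print(status, "| Server:", headers.get("server"), "|", audit_server_header(raw))
```

Run the audit against every externally reachable service after a banner change; a "verbose" verdict on a host you believed was masked means the directive is not taking effect on that path (a different virtual host, a proxy in front, or a module loading order issue).
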
Tool: ServerMask

 It modifies a web server's "fingerprint" by removing unnecessary HTTP response data, modifying cookie values and adjusting other response information
 ServerMask hides the identity of the server

CEH Scanning Methodology

Vulnerability scanning

 identifies problems and holes in operating systems and applications
 Operation: checking code, ports, variables, banners, and many other potential problem areas.
 potential victims can use vulnerability scanning to find out:
 if there is a possibility of being successfully attacked and
 what needs to be fixed to remove the vulnerability.
 can check entire operating environments, including networks and virtual machines.
 if the scanners don't find issues, they may leave the false impression that there are no problems.
 Therefore, it is wise to verify the results of these applications

Bidiblah Automated Scanner

 Bidiblah automates footprinting, DNS enumeration, banner grabbing, port scanning, and vulnerability assessment into one single program
 This tool is based on the following methodology:

Network vulnerability examples

Nessus
 One of the vulnerability scanners that became very popular; it looks for bugs in software
 An attacker can use this tool to interrupt the security aspects of a software product
 Features
 Plug-in architecture
 NASL (Nessus Attack Scripting Language)
 Can test an unlimited number of hosts simultaneously
 Smart service recognition
 Client-server architecture
 Smart plug-ins
 Up-to-date security vulnerability database

Nessus

SATAN
(Security Administrator’s Tool for Analyzing Networks)

 Examines UNIX-based systems and reports the vulnerabilities
 Provides information about the software, hardware, and network topologies
 User-friendly program with an X Window interface
 Written using the C and Perl languages. Thus, to run SATAN, the attacker needs Perl 5 and a C compiler installed on the system
 In addition, the attacker needs a UNIX-based operating system and at least 20MB of disk space

OpenVAS

 OpenVAS developed the Greenbone Security Assistant (GSA) as the user interface for OpenVAS. Today, GSA is accessed through a web interface

CEH Scanning Methodology

Draw Network Diagrams of Vulnerable Hosts
 to help you fully visualize the network environment and start getting a clearer picture of what the network looks like.
 you can clearly see holes and deficiencies that can be exploited.
 Tools:
 1. Network Topology Mapper
 2. OpManager
 3. Network View
 4. LANState Pro

SolarWinds Network Topology Mapper

LANState Pro

CEH Scanning Methodology

Prepare proxy

 Performs several functions:
■ Filtering traffic in and out of the network
■ Anonymizing web traffic
■ Providing a layer of protection between the outside world and the internal network

Preparing Proxies

Proxy tools

 Tools:
 1. Proxy Switcher
 2. Proxy Workbench
 3. TOR
 4. CyberGhost
 5. Squid

Spoofing IP Address

 a technique used to gain unauthorized access to machines
 IP spoofing can be detected by different techniques, including:
 Direct TTL probing technique
 packets are sent to the host that is suspected of sending spoofed packets and responses are observed. By comparing the TTL value from the reply from the suspected host,
 Verifying IPID Number
 additional probes are sent to verify the IPID of the host.

CEH Scanning Methodology

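Both detection techniques on this slide compare what a suspect packet carries with what the real host answers when it is probed directly. The Python below is an added example, not from the slides: the hop count is inferred from the TTL by assuming the sender started from one of the usual initial TTLs (64, 128 or 255), and the one-hop tolerance and the IP ID window are this example's own assumptions rather than values the slides give; the observed TTL and IP ID values at the bottom are constructed.

```python
"""Direct TTL probing and IP ID verification for spotting spoofed sources.

Added example, not from the original slides. Hop counts are inferred from
the TTL by assuming a common initial TTL (64, 128, 255); that assumption,
the hop tolerance and the IP ID window are the example's own choices.
"""
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_hops(ttl):
    """Hop count = smallest common initial TTL >= observed TTL, minus the TTL."""
    if not 0 < ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl


def ttl_mismatch(suspect_ttl, probe_reply_ttl, tolerance=1):
    """True when the suspect packet's inferred hop count differs from the hop
    count of the reply the real host gave to a direct probe by more than
    `tolerance` hops: the packet did not travel the path the real host's
    packets travel, so its source address is probably spoofed."""
    return abs(infer_hops(suspect_ttl) - infer_hops(probe_reply_ttl)) > tolerance


def check_ipid_consistency(suspect_ipid, probe_ipids, window=50):
    """Second technique from the slide, for a host with incrementing IP IDs:
    the suspect packet's IP ID should sit close to the IDs the host is
    currently emitting in replies to direct probes. Returns True if it does."""
    lo, hi = min(probe_ipids), max(probe_ipids)
    return (lo - window) <= suspect_ipid <= (hi + window)


# Constructed observations: the suspect packet arrived with TTL 50 (14 hops
# from an initial 64), but a direct probe to the claimed source was answered
# with TTL 118 (10 hops from 128): different initial TTL and a different path.
SUSPECT_TTL = 50
PROBE_REPLY_TTL = 118
SUSPECT_IPID = 30000
PROBE_IPIDS = [40100, 40102, 40105]   # IP IDs seen in three direct probe replies

if __name__ == "__main__":
    print("suspect hops:", infer_hops(SUSPECT_TTL), "probe hops:", infer_hops(PROBE_REPLY_TTL))
    print("TTL mismatch:", ttl_mismatch(SUSPECT_TTL, PROBE_REPLY_TTL))
    print("IP ID consistent:", check_ipid_consistency(SUSPECT_IPID, PROBE_IPIDS))
```

Neither check is conclusive on its own: asymmetric routing can shift the hop count by one or two, and a host with randomized IP IDs gives the second check nothing to work with, which is why the two are used together and with a tolerance.
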
Lab

 Footprinting with tools, e.g.
 Maltego
 Recon-ng
 FOCA
 Windows command line: ping, tracert, nslookup
 Gathering information using Metasploit
 Ping sweep: Ipscan, Advanced scan IP
 Scanning with tools
 Nmap, Zenmap
 Hping3

Q&A
