
Hands-On Ethical Hacking and Network Defense, 3rd Edition

Chapter 5
Port Scanning
Objectives

After completing this chapter, you will be able to:


•Describe port scanning and types of port scans
•Describe port-scanning tools
•Explain what ping sweeps are used for
•Explain how shell scripting is used to automate
security tasks

Introduction to Port Scanning
• Port scanning
– Method of finding which services a host offers by probing its TCP and UDP ports
– First step toward identifying vulnerabilities: an open port means a listening service, and that service (or its version) may be exploitable
• Open services are what attacks target
– Identify a vulnerable service on an open port, then launch the exploit against it
• Scan all ports when testing
– Not just the well-known ports (0–1023); a service can listen anywhere in 0–65535, and scanner defaults usually cover only the most common ports

Introduction to Port Scanning
• Port-scanning programs report:
– Open ports
• A service is listening and accepting connections; it can be accessed and may be vulnerable to attack
– Closed ports
• The host is reachable but nothing listens there; the port doesn't allow entry or access to a service
– Filtered ports
• The probe got no answer (or an ICMP unreachable), so the scanner cannot tell whether the port is open or closed; usually indicates a firewall or filter that allows only specified traffic into or out of the network

Types of Port Scans
• SYN scan
– "Half-open" or stealthy scan: sends a SYN; a SYN/ACK reply means open, an RST means closed, and the scanner answers a SYN/ACK with an RST instead of completing the handshake, so a full connection is never established
• Connect scan
– Completes the three-way handshake through the operating system's connect() call; needs no raw-socket privileges, but the service sees (and may log) a real connection
• NULL scan
– All TCP flags are turned off
• XMAS scan
– FIN, PSH and URG flags are set

Types of Port Scans
• ACK scan
– Used to map firewall rules rather than to find open ports: a bare ACK passes stateless filters that only block SYN, and both open and closed ports answer it with RST, so an RST marks the port unfiltered while no reply or an ICMP unreachable marks it filtered
• FIN scan
– Closed port responds with an RST packet; an open port silently drops the probe (RFC 793 behavior)
– The same logic applies to NULL and XMAS scans; Windows and some other stacks answer RST regardless of state, so on those hosts every port reads as closed
• UDP scan
– Closed port responds with an ICMP "Port Unreachable" message (type 3, code 3)
– An open port replies in its own protocol or not at all, so no answer is ambiguous; ICMP error rate limiting on the target makes UDP scans slow
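Added example, not from the textbook: a shell function that applies the rules above to decide a port's state from whatever the probe got back. The reply labels (synack, rst, none, icmp3:<code>, udp) are names chosen here for illustration; the verdicts, including the ambiguous "open|filtered" that Nmap reports when a FIN, NULL, XMAS or UDP probe draws no reply, follow RFC 793 stack behavior and Nmap's documented interpretation.

```shell
#!/bin/sh
# Added example (not from the book): turn "what came back" into a port state,
# per scan type, the way a scanner has to.
#   scan  : syn | connect | fin | null | xmas | ack | udp
#   reply : synack        - SYN/ACK (or a completed connect() for connect scans)
#           rst           - TCP RST
#           none          - nothing came back before the timeout
#           icmp3:<code>  - ICMP destination unreachable (type 3) with that code
#           udp           - a UDP datagram from the probed port
# Reply labels are chosen here for illustration; the verdicts follow RFC 793
# (closed ports answer unsolicited segments with RST, open ports ignore
# FIN/NULL/XMAS probes) and Nmap's documented interpretation.

classify() {
    scan=$1
    reply=$2
    case "$scan" in
        syn|connect)
            case "$reply" in
                synack)       echo open ;;
                rst)          echo closed ;;
                # Silence or an ICMP unreachable (codes 0,1,2,3,9,10,13) means
                # something dropped or rejected the probe: filtered.
                none|icmp3:*) echo filtered ;;
                *)            echo error ;;
            esac ;;
        fin|null|xmas)
            case "$reply" in
                rst)          echo closed ;;
                # An open port ignores these probes, but so does a firewall that
                # drops them, so silence cannot be resolved further. Windows-
                # family stacks send RST for every port, open or not.
                none)         echo "open|filtered" ;;
                icmp3:*)      echo filtered ;;
                *)            echo error ;;
            esac ;;
        ack)
            # Both open and closed ports answer a bare ACK with RST, so this
            # scan only reveals whether a stateful filter sits in the path.
            case "$reply" in
                rst)          echo unfiltered ;;
                none|icmp3:*) echo filtered ;;
                *)            echo error ;;
            esac ;;
        udp)
            case "$reply" in
                udp)          echo open ;;            # the service spoke back
                icmp3:3)      echo closed ;;          # ICMP port unreachable
                icmp3:*)      echo filtered ;;        # net/host/admin prohibited
                none)         echo "open|filtered" ;; # many UDP services stay silent
                *)            echo error ;;
            esac ;;
        *) echo error ;;
    esac
}

# Stand-alone demo: the same silence means different things per probe type.
for s in syn fin ack udp; do
    printf '%-4s probe, no reply -> %s\n' "$s" "$(classify "$s" none)"
done
```

What the function makes visible is that silence is never evidence of an open port: for SYN and ACK probes it means filtered, for the flag tricks and for UDP it means "open or filtered". In practice a FIN/NULL/XMAS result is paired with a SYN or connect scan of the same ports to resolve the ambiguity.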

Using Port-Scanning Tools
• Port-scanning tools
– Hundreds available
– Not all are accurate; cross-check results between tools
• Be familiar with a variety of tools
• Practice often to gain proficiency
– Do not rely on one tool exclusively
• Some tools include:
– Nmap
– Nessus and OpenVAS (vulnerability scanners that port scan as their first step)

Nmap
• Originally written for Phrack magazine (1997)
– One of the most popular port scanning tools
– New features frequently added
• GUI front end
– Zenmap
– Makes working with complex options easier
• Standard tool for security professionals
– Command: nmap 193.145.85.201
• Without options, scans the 1,000 most commonly used TCP ports on the host with this IP address, not every port; add -p- to scan all 65,535 TCP ports and -sU to scan UDP
• The default scan type is a SYN scan (-sS) when run as root and a connect scan (-sT) otherwise

Nessus and OpenVAS (or Greenbone Security Assistant)
• Nessus
– First released in 1998
– Closed source since version 3 (2005); no longer under the GPL license
• Still available for download from Tenable Network Security (now Tenable, Inc.) for noncommercial personal use, with a cap on the number of IP addresses it will scan

Nessus and OpenVAS (or Greenbone Security Assistant)
• OpenVAS
– Open-source fork of Nessus made in 2005, when Nessus went closed source
– Now maintained by Greenbone; Greenbone Security Assistant is the Web front end, OpenVAS remains the scanning engine
– Security checks are plug-ins (Network Vulnerability Tests, written in NASL) that are updated from a feed
• Security test programs (scripts)
– Client/server design: the client submits the scan task while the scanner daemon performs the probing and complex queries
– Can also determine what vulnerabilities are associated with the discovered services and their versions

Conducting Ping Sweeps
• Ping sweeps
– Identify which IP addresses in a range belong to active hosts
• Send an ICMP Echo Request to each address and record which ones return an Echo Reply
• Problems
– Powered-off computers cannot respond, so a silent address is not necessarily unused
– Hosts may be configured to block or ignore ICMP Echo Requests, and many host firewalls do so by default
– Firewalls may filter out ICMP traffic, hiding live hosts; confirm with TCP/UDP probes (for example nmap -Pn) before declaring a host down

Fping
• With the Fping tool you can ping multiple IP addresses in parallel, so a sweep of a large range finishes quickly
– Included in Kali Linux
• Accepts a list of IP addresses
– Entered at the command prompt, or generated from a range or CIDR block with -g
– Read from a file containing multiple IP addresses with -f
• Input file
– Usually created with a shell script so you don't have to type the thousands of IP addresses needed for a ping sweep

Fping
• To ping sweep a range of IP addresses without using an input file, use the command:
– fping -g BeginningIPaddress EndingIPaddress
– The -g parameter generates the target list from the range itself (or from a CIDR block, e.g. fping -g 192.168.185.0/24) instead of reading it from a file with -f
– Example:
• fping -g 192.168.185.1 192.168.185.5
command returns the results shown in Figure 5-6; each address is reported as "is alive" or "is unreachable" (add -a to list only the live ones)
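Added example, not from the textbook: the shell arithmetic that produces the fping input file mentioned earlier, so a range that crosses an octet boundary is expanded correctly instead of being typed by hand. The function names are chosen here; fping's -f (read targets from a file) and -g (generate them from a range or CIDR block) are real fping options.

```shell
#!/bin/sh
# Added example (not from the book): expand a start/end address pair into one
# address per line, suitable for "fping -f hosts.txt". Works across octet
# boundaries because the arithmetic is done on the 32-bit integer form.

# dotted quad -> 32-bit integer
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1            # split on the dots into $1..$4
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ip_range START END -> every address from START to END inclusive, one per line
ip_range() {
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    if [ "$start" -gt "$end" ]; then
        echo "ip_range: $1 is after $2" >&2
        return 1
    fi
    i=$start
    while [ "$i" -le "$end" ]; do
        int2ip "$i"
        i=$((i + 1))
    done
}

# How many addresses a range covers; check this before sweeping a large block.
range_size() {
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# Stand-alone demo: the five addresses from the slide's fping -g example.
ip_range 192.168.185.1 192.168.185.5
# Typical use:  ip_range 10.0.0.1 10.0.3.254 > hosts.txt && fping -f hosts.txt
```

For a whole subnet, fping -g with a CIDR block does the same job without a file; the script form is what you want when the target list is irregular (several disjoint ranges, or a range minus known infrastructure addresses) and must be reused across tools.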

Hping
• Used to:
– Perform ping sweeps and single-port probes
– Bypass filtering devices by choosing exactly which protocol, flags and ports each probe uses
• Allows users to craft and inject custom TCP/IP packets (ICMP, UDP, TCP with any flag combination, raw IP)
• Powerful tool
– All security testers must be familiar with it; the current version shipped with Kali Linux is hping3
– Supports many parameters

Crafting IP Packets
• Packet components you control
– Source IP address
– Destination IP address
– Flags (TCP SYN, ACK, FIN, PSH, URG, RST) and source/destination ports
• Helps obtain information about a service, or about the filter in front of it, from how it responds to an unusual packet
• Tools:
– Hping (full packet crafting)
– Fping (sends only ICMP Echo Requests; no control over flags)
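Added example, not from the textbook, covering the Hping and Crafting IP Packets slides: the TCP flag bits a packet-crafting tool actually sets for each scan type, and the hping3 switches that set them (-S, -A, -F, -P, -U for SYN, ACK, FIN, PSH, URG; -p destination port; -c probe count). The function names and the scan-type labels are chosen here; the bit values come from the TCP header definition in RFC 793, and 192.0.2.10 is a documentation address, not a real target.

```shell
#!/bin/sh
# Added example (not from the book): compose and decode the TCP flags byte
# that packet crafting manipulates, and map each scan type to hping3 switches.
# Bit values from the TCP header (RFC 793):
#   FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20

# flags_byte NAME... -> decimal value of the flags byte (0 for a NULL probe)
flags_byte() {
    v=0
    for f in "$@"; do
        case "$f" in
            FIN) v=$((v | 1)) ;;
            SYN) v=$((v | 2)) ;;
            RST) v=$((v | 4)) ;;
            PSH) v=$((v | 8)) ;;
            ACK) v=$((v | 16)) ;;
            URG) v=$((v | 32)) ;;
            *) echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$v"
}

# flags_names VALUE -> space-separated flag names, or NONE. Useful when
# reading a captured probe in tcpdump/Wireshark back into scan terms.
flags_names() {
    v=$1
    out=""
    if [ $((v & 1)) -ne 0 ];  then out="$out FIN"; fi
    if [ $((v & 2)) -ne 0 ];  then out="$out SYN"; fi
    if [ $((v & 4)) -ne 0 ];  then out="$out RST"; fi
    if [ $((v & 8)) -ne 0 ];  then out="$out PSH"; fi
    if [ $((v & 16)) -ne 0 ]; then out="$out ACK"; fi
    if [ $((v & 32)) -ne 0 ]; then out="$out URG"; fi
    if [ -n "$out" ]; then echo "${out# }"; else echo NONE; fi
}

# scan_flags SCAN -> the flags the chapter's scan types set (labels chosen here)
scan_flags() {
    case "$1" in
        syn)  echo SYN ;;
        ack)  echo ACK ;;
        fin)  echo FIN ;;
        null) echo ;;                 # no flags at all
        xmas) echo "FIN PSH URG" ;;
        *) return 1 ;;
    esac
}

# hping3_probe SCAN TARGET PORT -> one-packet hping3 command line for that probe.
# hping3 defaults to TCP with no flags set, so a NULL probe needs no switch.
hping3_probe() {
    scan=$1; target=$2; port=$3
    flags=$(scan_flags "$scan") || { echo "unknown scan type: $scan" >&2; return 1; }
    sw=""
    for f in $flags; do
        case "$f" in
            SYN) sw="$sw -S" ;; ACK) sw="$sw -A" ;; FIN) sw="$sw -F" ;;
            PSH) sw="$sw -P" ;; URG) sw="$sw -U" ;;
        esac
    done
    echo "hping3${sw} -p $port -c 1 $target"
}

# Stand-alone demo: flags byte and hping3 invocation for each scan type.
for s in syn ack fin null xmas; do
    names=$(scan_flags "$s")
    printf '%-4s flags=0x%02x  %s\n' "$s" "$(flags_byte $names)" "$(hping3_probe "$s" 192.0.2.10 80)"
done
```

The flags byte is the whole difference between the scan types on the wire: an XMAS probe is 0x29, a NULL probe is 0x00, and a target that answers 0x29 with RST on every port is telling you about its TCP stack, not about its services.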

Understanding Scripting
• Some tools might need to be modified, or chained together, to better suit your needs as a security tester
• Customized scripts
– Automate tasks
– Save time
– Require basic programming skills

Scripting Basics
• Similar to DOS batch programming
• A script or batch file
– Text file
– Contains multiple commands that would otherwise be entered manually at the command prompt, run in order by a shell interpreter (e.g. /bin/sh or bash)
• If you find that you are using repetitive commands to perform the same task
– That task is a good candidate for scripting
• Practice is the key
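Added example, not from the textbook, tying together the Fping, Nmap and Scripting Basics slides: the "sweep first, then scan only what answered" routine as a script. The two parsing functions run on constructed sample output embedded below and labelled as such; sweep_and_scan itself needs fping and nmap installed, root for a SYN scan, and written authorization for the target range. fping's "is alive" output line and nmap's grepable (-oG) record layout are real; the sample values are made up.

```shell
#!/bin/sh
# Added example (not from the book): sweep, then scan what answered.
# Constructed sample output below stands in for live fping/nmap runs so the
# parsing can be exercised offline.

# Keep only the "A.B.C.D is alive" lines fping prints and emit the address.
# Unreachable hosts print "is unreachable" and are dropped.
alive_hosts() {
    awk '$2 == "is" && $3 == "alive" { print $1 }'
}

# Extract open ports from nmap grepable output (-oG). A Ports: record is a
# tab-separated field holding comma-separated entries of the form
#   port/state/protocol/owner/service/rpcinfo/version/
open_ports() {
    awk -F "$(printf '\t')" '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)   # drop " (hostname)"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                list = $i; sub(/^Ports: /, "", list)
                n = split(list, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                }
            }
        }'
}

# --- constructed sample data (not real scan results) ---------------------
SAMPLE_FPING='192.0.2.10 is alive
192.0.2.11 is unreachable
192.0.2.12 is alive'

SAMPLE_NMAP=$(printf '%s\n' \
    '# constructed sample of "nmap -sS -p- -oG -" output' \
    "$(printf 'Host: 192.0.2.10 ()\tStatus: Up')" \
    "$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)')" \
    '# Nmap done')

demo_alive() { printf '%s\n' "$SAMPLE_FPING" | alive_hosts; }
demo_open()  { printf '%s\n' "$SAMPLE_NMAP"  | open_ports; }

# --- the real routine; needs fping, nmap and permission to scan ----------
# Usage: sweep_and_scan 192.0.2.0/24   or   sweep_and_scan 192.0.2.1 192.0.2.254
sweep_and_scan() {
    fping -g "$@" 2>/dev/null | alive_hosts > live.txt
    [ -s live.txt ] || { echo "no live hosts; ICMP may be filtered, retry with nmap -Pn" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then scan=-sS; else scan=-sT; fi   # SYN scan needs raw sockets
    nmap "$scan" -p- -iL live.txt -oG - | open_ports              # -p-: all 65535 TCP ports
}

echo "live hosts:"; demo_alive
echo "open ports:"; demo_open
```

Parsing the grepable format rather than the human-readable output is the part worth copying: -oG lines are stable across Nmap versions and keep one host per line, so the same filter feeds a spreadsheet, a diff against last month's scan, or the next tool in the chain.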

Summary
• Port scanning
– Finds which services a host offers; open, closed and filtered are the three states a scanner reports
• Types of port scans
– SYN, connect, NULL, XMAS, ACK, FIN and UDP scans differ in which flags they send and in how the reply (or silence) is interpreted
• Port-scanning tools
– Nmap is the standard tool; Nessus and OpenVAS add vulnerability checks; never rely on one tool alone
• Ping sweeps
– Identify active hosts in a range with Fping or Hping; blocked or filtered ICMP can hide live hosts
• Crafting IP packets
– Hping lets you set source and destination addresses and TCP flags to probe services and the filters in front of them
• Scripting
– Shell scripts automate repetitive tasks such as building target lists and running sweeps