ch 3
Overview of Network Scanning
Network scanning is a set of procedures used for identifying hosts, ports, and services within a network.
It is a critical component of intelligence gathering used by attackers to create a detailed profile of a target organization.
The Network Scanning Process involves an attacker sending TCP/IP probes to a network and receiving network information as a result.
Objectives of Network Scanning:
- Discovering live hosts, IP addresses, and open ports on live hosts.
- Discovering operating systems (OS) and system architecture.
- Identifying services running on hosts.
- Discovering vulnerabilities present in live hosts.
TCP Communication Flags and Packet Structure
Standard TCP communications are controlled by flags located in the TCP packet header. The packet header structure includes:
- Source Port and Destination Port
- Sequence Number and Acknowledgement Number
- Offset, Reserved (Res), and TCP Flags
- Window, TCP Checksum, and Urgent Pointer
- Options and Data
TCP Flags and their Functions:
- URG (Urgent): Data contained in the packet should be processed immediately.
- PSH (Push): Sends all buffered data immediately.
- ACK (Acknowledgement): Acknowledges the receipt of a packet.
- RST (Reset): Resets a connection.
- SYN (Synchronize): Initiates a connection between hosts.
- FIN (Finish): Indicates there will be no further transmissions.
TCP/IP Communication Sessions
TCP Session Establishment (Three-way Handshake):
- Step 1: Client (Bill) sends a SYN packet to the Server (Sheela). Message: "I would like to talk with you Sheela on port 21, are you open?" Packet: SYN, SEQ# 10.
- Step 2: Server responds with a SYN+ACK packet. Message: "Ok, let's talk Bill! I am open on port 21." Packet: SYN+ACK, ACK# 11, SEQ# 142.
- Step 3: Client responds with an ACK packet. Message: "Ok, thanks Sheela." Packet: ACK, ACK# 143, SEQ# 11.
TCP Session Termination:
- Step 1: Client sends a FIN packet. Message: "I am done with the data transfer." Packet: FIN, SEQ# 50.
- Step 2: Server responds with an ACK packet. Message: "Ok, I received your termination request." Packet: ACK, ACK# 51, SEQ# 170.
- Step 3: Server sends its own FIN packet. Message: "I have received all the data sent." Packet: FIN, SEQ# 171.
- Step 4: Client responds with a final ACK packet. Message: "Ok, thanks Sheela." Packet: ACK, ACK# 172, SEQ# 51.
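As an added example (not part of the original notes), the Python below follows the handshake and teardown above the way a passive monitor or stateful firewall would: it checks that every ACK acknowledges the peer's SYN or FIN at SEQ + 1, and it distinguishes a session that completes from one that is aborted with RST before being established. The segment records are constructed; the first trace reuses the SEQ/ACK numbers from the notes.

```python
# Added example (not from the notes): passive tracker for the TCP handshake and
# teardown above. A segment is (sender, flags, seq, ack); sender is "client" or
# "server". Both traces are constructed; the first reuses the notes' numbers.
HANDSHAKE_AND_CLOSE = [
    ("client", "SYN", 10, 0),
    ("server", "SYN+ACK", 142, 11),
    ("client", "ACK", 11, 143),
    ("client", "FIN", 50, 0),
    ("server", "ACK", 170, 51),
    ("server", "FIN", 171, 0),
    ("client", "ACK", 51, 172),
]
HALF_OPEN_PROBE = [  # handshake is started but never completed
    ("client", "SYN", 10, 0),
    ("server", "SYN+ACK", 142, 11),
    ("client", "RST", 11, 0),
]

def track_session(segments):
    """Return (verdict, transitions). SYN and FIN each consume one sequence
    number, so the peer must acknowledge seq + 1; any other ACK is flagged."""
    expected_ack = {}  # sender -> ack number its peer must send next
    fins = set()       # sides that have sent FIN
    state = "CLOSED"
    log = []
    for sender, flags, seq, ack in segments:
        peer = "server" if sender == "client" else "client"
        f = set(flags.split("+"))
        if "ACK" in f:
            if expected_ack.get(peer) not in (None, ack):
                return ("BAD_ACK", log)
            expected_ack.pop(peer, None)
        if "RST" in f:  # abort: a half-open probe if never established
            half_open = state in ("SYN_SENT", "SYN_RECEIVED")
            return ("ABORTED_HALF_OPEN" if half_open else "RESET", log)
        if "SYN" in f:
            expected_ack[sender] = seq + 1
            state = "SYN_SENT" if sender == "client" else "SYN_RECEIVED"
        elif "FIN" in f:
            expected_ack[sender] = seq + 1
            fins.add(sender)
            state = "CLOSING"
        elif state == "SYN_RECEIVED" and "ACK" in f:
            state = "ESTABLISHED"
        elif state == "CLOSING" and len(fins) == 2 and not expected_ack:
            state = "CLOSED"
        log.append((sender, flags, state))
    return ("COMPLETED" if state == "CLOSED" and fins else state, log)
```

The ABORTED_HALF_OPEN verdict is the pattern a monitor sees for the half-open scans described later in these notes, where the scanner answers SYN+ACK with RST instead of ACK.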
Network Scanning Tools: Nmap and Hping3
Nmap (Network Mapper):
- Used by administrators for inventorying networks, managing service upgrades, and monitoring uptime.
- Used by attackers to extract information such as live hosts, open ports, services (application name and version), packet filters/firewalls, and operating systems.
- Zenmap is the graphical user interface (GUI) for Nmap.
- Example scan command: nmap -p 1-65535 -T4 -A -v 10.10.1.11
Hping3:
- A command-line network scanning and packet crafting tool for the TCP/IP protocol.
- Used for security auditing, firewall testing, path MTU discovery, traceroute, and OS fingerprinting.
- Hping commands:
  - ICMP ping: hping3 -1 10.0.0.25
  - ACK scan on port 80: hping3 -A 10.0.0.25 -p 80
  - UDP scan on port 80: hping3 -2 10.0.0.25 -p 80
  - Collecting the initial sequence number: hping3 192.168.1.103 -Q -p 139
  - SYN scan on ports 50-60: hping3 -8 50-60 -S 10.0.0.25 -v
  - FIN, PUSH, and URG scan on port 80: hping3 -F -P -U 10.0.0.25 -p 80
  - Scan an entire subnet for live hosts: hping3 -1 10.0.1.x --rand-dest -I eth0
  - Intercept HTTP traffic: hping3 -9 HTTP -I eth0
  - Firewalls and timestamps: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
  - SYN flooding a victim: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
Host Discovery Techniques
Host discovery identifies active systems in a network. Techniques include:
- ARP Ping Scan: Sends ARP request probes; a response means the host is active. Most efficient and accurate for local networks. Command: nmap -sn -PR <Target IP Address>
- UDP Ping Scan: Sends UDP requests; a response or certain errors indicate host status. Detects systems behind strict TCP-filtering firewalls. Command: nmap -sn -PU <Target IP Address>
- ICMP ECHO Ping / Sweep: Sends ICMP ECHO requests. This is the oldest and slowest method. Command: nmap -sn -PE <Target IP Address Range>
- ICMP Timestamp Ping Scan: Used when administrators block ICMP ECHO pings. Command: nmap -sn -PP <Target IP Address>
- ICMP Address Mask Ping Scan: Alternative to ECHO ping. Command: nmap -sn -PM <Target IP Address>
- TCP SYN Ping Scan: Sends empty TCP SYN requests; an ACK response means the host is active. It avoids creating full connections and leaves fewer traces. Command: nmap -sn -PS <Target IP Address>
- TCP ACK Ping Scan: Sends empty TCP ACK requests; an RST response means the host is active. Maximizes chances of bypassing firewalls. Command: nmap -sn -PA <Target IP Address>
- IP Protocol Ping Scan: Sends different packets using multiple IP protocols (ICMP, IGMP, TCP, UDP). Command: nmap -sn -PO <Target IP Address>
Port Scanning Techniques
Classified by communication protocol:
- TCP Connect / Full Open Scan: Completes the three-way handshake. Does not require super-user privileges but is easily detectable. Command: nmap -sT -v <Target IP Address>
- Stealth Scan (Half-Open Scan): Sends a single SYN. If SYN+ACK is received, the port is open; the attacker then sends RST to close it. Bypasses logging and firewalls. Command: nmap -sS -v <Target IP Address>
- Inverse TCP Flag Scan: Uses FIN, URG, or PSH flags (or NULL, no flags). No response indicates an open port; RST/ACK indicates closed. Effective against Unix but not Windows. Command: nmap (-sF, -sN, -sX) -v <Target IP Address>
- Xmas Scan: Sends packets with FIN, URG, and PUSH flags set. No response suggests the port is open. Only works on Unix-like systems with an RFC-compliant TCP stack. Command: nmap -sX -v <Target IP Address>
- TCP Maimon Scan: Uses FIN/ACK probes. No response suggests an open port. Command: nmap -sM -v <Target IP Address>
- ACK Flag Probe Scan: Checks filtering systems. No response indicates a stateful firewall is present. Command: nmap -sA -v <Target IP Address>
- IDLE/IPID Header Scan: A blind scanning technique that uses a "zombie" host to scan the target. Command: nmap -Pn -p- -sI <Zombie Hostname> <Target Hostname>
Service and OS Discovery
Service Version Discovery: Helps attackers find specific vulnerabilities. Nmap option: -sV
OS Discovery: Provides OS details of the target.
- Nmap option: -O
- Unicornscan: Identifies the OS by observing Time-to-Live (TTL) values; a characteristic TTL value often indicates Windows.
- Nmap Scripting Engine (NSE): Automates tasks like OS discovery. The script smb-os-discovery.nse collects information via the SMB protocol. Activate with -sC or --script.
Nmap Scan Time Reduction Techniques: Omit non-critical tests, optimize timing parameters, separate UDP scans, upgrade Nmap, execute concurrent instances, scan from favorable network locations, and increase bandwidth/CPU.
IDS/Firewall Evasion Techniques
Packet Fragmentation: Splitting probe packets into smaller fragments so filters cannot detect the intent. Nmap option: -f. Example: nmap -sS -T4 -A -f -v 10.10.1.11
Source Routing: Dictating the path a packet takes through the network to avoid routers configured with IDS/firewalls.
Source Port Manipulation: Using well-known ports as the source port to bypass firewalls that allow traffic from these ports. Nmap option: -g or --source-port.
IP Address Decoy: Generating decoy IP addresses to mask the actual scanner IP. Decoy scanning options: nmap -D RND:10 [target] (random decoys) or nmap -D decoy1,decoy2,... [target] (manual).
IP Spoofing: Changing the source IP address in the packet header. Reply packets go to the spoofed address, so three-way handshakes cannot be completed with spoofed IPs.
MAC Address Spoofing: Setting a specific MAC address to evade firewalls. Nmap option: --spoof-mac. Example vendor: Dell.
Custom Packets: Using tools like Colasoft Packet Builder or NetScan Tools Pro to craft specific packets that bypass security.
Host Randomization: Scanning hosts in a random order to avoid detection. Nmap option: --randomize-hosts.
Bad Checksums: Sending packets with bogus TCP/UDP checksums to avoid certain firewall rule sets. Nmap option: --badsum.
Proxy Servers and Anonymizers
Proxy Servers: Act as intermediaries to hide the source scan, mask an attack, access restricted intranets, or chain multiple proxies to avoid detection.
Proxy Chaining:
1. User requests a resource.
2. Proxy client connects to a proxy server.
3. Proxy server strips the user ID and passes the request to the next proxy.
4. Repeated through the chain until the unencrypted request reaches the web server.
Anonymizers: Remove identity information while surfing to make activity untraceable and bypass censors. Example: Whonix (OS for advanced privacy).
Other Proxy Tools: Proxy Switcher, CyberGhost VPN, Burp Suite, Tor, CCProxy, Hotspot Shield.
Countermeasures and Detection
Scanning Countermeasures:
- Configure firewall/IDS rules to block probes.
- Run your own scans to verify firewall detection.
- Update router, IDS, and firewall firmware.
- Filter all ICMP messages (inbound, and type unreachable).
- Configure anti-scanning and anti-spoofing rules.
IP Spoofing Countermeasures:
- Use IPsec, TLS, SSH, or HTTPS encryption.
- Use random initial sequence numbers.
- Ingress Filtering: Filter incoming packets that appear to come from internal IPs.
- Egress Filtering: Filter outgoing packets with invalid local source IPs.
Scanning Detection Tools: ExtraHop Reveal(x), Splunk Enterprise Security, QRadar XDR, Cynet 360, Vectra Cognito Detect, Scanlogd.
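As an added example (not from the notes or from any of the tools named above), a minimal port-scan detector in the spirit of scanlogd: it maps the flag combinations used by the scan types listed earlier (NULL, FIN, Xmas, Maimon, ACK probe, SYN) to a probe label and alerts on any source that touches more than a threshold of distinct ports on one destination. The record format and the sample data are constructed for this example.

```python
# Added example (not from the notes): label probe flag combinations and flag
# sources that sweep many ports, as a scan detector would. A record is
# (src, dst, dport, flags) in arrival order; SAMPLE is constructed data.
from collections import defaultdict

# Flag set -> probe type, following the scan descriptions in these notes.
PROBE_TYPES = {
    frozenset(): "NULL scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan",
    frozenset({"FIN", "ACK"}): "Maimon scan",
    frozenset({"ACK"}): "ACK probe",  # meaningful only outside an established session
    frozenset({"SYN"}): "SYN (half-open or connect) probe",
}

def classify_probe(flags):
    """Map a flag string such as 'FIN+PSH+URG' to the scan type it matches."""
    fs = frozenset(f for f in flags.split("+") if f)
    return PROBE_TYPES.get(fs, "other")

def detect_scans(records, port_threshold=5):
    """Return {src: {"dst", "ports", "types"}} for each source that probed
    more than port_threshold distinct ports on a single destination."""
    ports = defaultdict(set)  # (src, dst) -> distinct destination ports
    types = defaultdict(set)  # (src, dst) -> probe labels seen
    for src, dst, dport, flags in records:
        ports[(src, dst)].add(dport)
        types[(src, dst)].add(classify_probe(flags))
    alerts = {}
    for (src, dst), seen in ports.items():
        if len(seen) > port_threshold:
            alerts[src] = {"dst": dst, "ports": len(seen),
                           "types": sorted(types[(src, dst)])}
    return alerts

# Constructed sample: an Xmas sweep over 8 ports plus two ordinary SYNs.
SAMPLE = [("10.0.0.5", "10.10.1.11", p, "FIN+PSH+URG") for p in range(20, 28)]
SAMPLE += [("10.0.0.7", "10.10.1.11", 80, "SYN"),
           ("10.0.0.7", "10.10.1.11", 443, "SYN")]
```

The port threshold and the absence of a time window are deliberate simplifications; a production detector would also age out entries so that slow scans (Nmap's lower -T timing levels) still accumulate.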
Network scanning is like a treasure map that helps find hidden items (hosts, ports, and services) in the big world of computers (the network). Imagine you’re a detective looking for clues about a mystery organization. Here’s how it works:
What is Network Scanning?
Network scanning is a set of steps to explore and find out what computers (hosts) are available in a network, what doors (ports) are open for communication, and what services (tools or applications) are running on those computers.
Why is it Important?
Think of it as gathering information about a friend before meeting them. This helps you know if they’re safe, fun, or interesting. In the same way, attackers use this information to understand weaknesses in an organization. So, scanning is about finding out what’s out there, but it can also be used for bad things!
How Does Network Scanning Work?
It starts when someone (like an attacker) sends out signals (TCP/IP probes) to a network. When the network responds, it gives back information about which computers are alive, what services they have, and even potential weaknesses.
Key Goals of Network Scanning:
- Finding which computers are on (live hosts).
- Seeing their addresses (IP addresses).
- Checking if communication doors (open ports) are available.
- Learning what software they run (services).
- Finding out potential issues or vulnerabilities.
Now, let’s break down some more technical things in a simple way, okay?
TCP Communication Flags and Packet Structure
Packets are like little envelopes that computers send to each other. Inside each envelope, there are special notes called flags that tell what should happen. Here are some flags:
URG (Urgent): Hey, this is important - read it fast!
PSH (Push): Please read this right away!
ACK (Acknowledgment): Got it, I received your message!
RST (Reset): Something went wrong, let’s start over.
SYN (Synchronize): Let’s start talking!
FIN (Finish): I’m done talking.
How Computers Talk (TCP/IP Sessions)
When two computers want to talk, they first make sure they’re on the same page through a quick handshake. This is like a secret greeting that indicates they’re ready to communicate:
Step 1: The computer says, "Hello! Want to chat?" (SYN)
Step 2: The other one responds, "Sure! Let’s chat!" (SYN+ACK)
Step 3: The first computer says, "Thanks! Let’s start!" (ACK).
When they’re done chatting, they also say goodbye:
Step 1: One says, "I’m done now!" (FIN).
Step 2: The other replies, "Okay, goodbye!" (ACK).
Step 3: Then the second one says, "I’m done too!" (FIN).
Step 4: The first completes it with a final, "Thanks!" (ACK).
This process is a friendly way for computers to establish and close their conversations, ensuring they understand each other well!