CEHv12-03 - Recon Techniques - Scanning

Network scanning types

Process of obtaining additional information about hosts, ports and services in network for more detailed reconnaissance in order to identify vulnerabilities in communication channels and then create an attack plan.

  • Host discovery: to list IP addresses. Discover live hosts and operating systems.
  • Port scanning: to list open ports and services. Discover open ports, and verify which services (version) run on them.
  • Vulnerability scanning: to discover the presence of known vulnerabilities. Uses the previously obtained host, port and version information to narrow the search against a vulnerability database.

Network scanning tools

Tools that implement the techniques above to identify hosts, ports, and services in the target network.

  • nmap is the most popular:
    • Includes:
      • Ncat: reads and writes data across networks from the command line
      • Ndiff: compares scan results
      • Nping: generates packets and analyzes responses
    • Phases:
      1. Script pre-scanning: Runs NSE scripts that execute once per nmap run, before any target is touched, e.g. dhcp-discover.
      2. Target enumeration: Resolves DNS names, CIDR network notations etc. to a list of IPv4 or IPv6 addresses
      3. Host discovery (ping scanning): Checking if a host is alive (or which hosts are) before deeper investigation
      4. Reverse-DNS resolution: Looks up the DNS names of the hosts found alive
      5. Port scanning: Probes are sent and remote port states are classified as open, closed or filtered
      6. Version detection: Determines what server software (and version) is running behind each open port
      7. OS detection: Fingerprints the operating system of the host from the behaviour of its TCP/IP stack
      8. Traceroute: Maps the path to the host; usually involves another round of reverse-DNS resolution for the intermediate hops
      9. Script scanning: Runs most NSE scripts, once per host or per port, as opposed to the pre-scan and post-scan phases
      10. Output: Prints results in the requested formats, e.g. normal (-oN), XML (-oX) or all of them (-oA)
      11. Script post-scanning: Runs scripts that process the collected results and deliver final reports and statistics
  • Metasploit
  • Hping port scanner
  • Colasoft Packet Builder
  • NetScanTools Pro
  • Packeth
  • Fing

Host discovery

  • Types:
    • Internal: inside the network.
    • External: starting from the exterior.

Techniques:

  • ICMP ping scan (echo request/reply).
  • ARP scan: works only on the local segment, but a host cannot refuse to answer ARP without losing connectivity, so host firewalls do not block it.
  • UDP ping (usually forgotten).

Tools:

  • ip: retrieve local network information: ip -br -c a
  • ping: test if a device is alive: ping 8.8.8.8
  • nmap: host discovery only, no port scan: nmap -sn 8.8.8.8
    • ICMP echo (-PE) is usually blocked by firewalls; other probes such as ICMP timestamp (-PP), ARP (-PR, local segment only) and UDP (-PU) often are not.
  • traceroute: shows the route (the external network's hops) towards the target: traceroute 8.8.8.8
  • Angry IP Scanner: GUI scanner built upon ping.

Corporations use a perimeter firewall or a DMZ to protect themselves against these techniques.

Port and service scanning

List of common TCP and UDP port numbers

Port   Protocol   Default service
21     TCP        FTP (File Transfer Protocol)
22     TCP        SSH (Secure Shell)
23     TCP        Telnet
25     TCP        SMTP (Simple Mail Transfer Protocol)
53     TCP/UDP    DNS (Domain Name System)
80     TCP        HTTP (Hypertext Transfer Protocol); HTTP/3 runs over UDP (QUIC) instead
123    UDP        NTP (Network Time Protocol)
443    TCP/UDP    HTTPS (TCP), HTTP/3 over QUIC (UDP)
500    UDP        IKE/IPsec (Internet Key Exchange; NAT traversal uses UDP 4500)
631    TCP/UDP    IPP (Internet Printing Protocol)
3389   TCP/UDP    RDP (Remote Desktop Protocol)
9100   TCP        AppSocket/JetDirect (HP JetDirect, printer PDL data stream)

Example on nmap:

# port, state and service for all 65535 TCP ports; -n skips DNS, -Pn skips host discovery
# -T5 trades accuracy for speed, prefer -T4 against real targets; -oN writes normal output to a file
nmap -T5 -n -Pn -p- 8.8.8.8 -oN nmapscan.txt
# port, state, service and version banner of the service
nmap -T5 -n -Pn -p- -sV 8.8.8.8 -oN nmapVersionScan.txt

TCP connect scan

“Full open scan” used for detecting open ports upon the completion of the three-way handshake. Works by establishing a full connection (through the OS connect() call, so it needs neither raw sockets nor root) and then dropping it by sending a RST packet. Because the connection completes, the service itself sees it and its application logs record the scan.

  • Tools:

    • Wireshark: captures the traffic generated by the other tools and “paints it” (colours the handshake packets so the SYN, SYN/ACK and ACK stand out).

    • Nmap: nmap -sT <ip-or-host>.

      # port, state and service
      nmap -sT 8.8.8.8
  • Three-way handshake: Establishes a TCP connection with synchronization and acknowledgement.

    • Sender: SYN → Receiver: SYN ACK → Sender: ACK.
    • ACK is then set in every packet sent after the handshake.
    • Sender: FIN → Receiver: ACK FIN → Sender: ACK.
sequenceDiagram
    Attacker->>Target: (1) SYN
    Target->>Attacker: (2) SYN/ACK
    Attacker->>Target: (3) ACK
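Added example, not part of the CEH material: a minimal TCP connect scanner in Python that starts its own listener on 127.0.0.1, so it runs offline. It reports open when connect() completes the three-way handshake, closed when the SYN is answered with RST (ECONNREFUSED), and filtered on a timeout or ICMP-driven error, and it drops each completed connection with RST through SO_LINGER, as described above. The SO_LINGER struct layout ("ii") is Linux's; the ports are chosen by the kernel at run time.

```python
import socket
import struct


def start_listener(host="127.0.0.1", port=0):
    """Open a real TCP listener so the scan has an open port to find.

    port=0 lets the kernel pick a free port; the socket and the chosen port are
    returned (the caller closes the socket when done).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)  # the kernel completes handshakes into the backlog even before accept()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a port with no listener, so a connect to it is refused with RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan: a full three-way handshake per port, then an abortive close.

    Returns {port: "open" | "closed" | "filtered"}:
      open     - connect() completed (SYN -> SYN/ACK -> ACK)
      closed   - the target answered the SYN with RST (ECONNREFUSED)
      filtered - nothing came back within the timeout, or an ICMP error was raised
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
            # SO_LINGER with a zero timeout makes close() send RST instead of FIN:
            # the connection is dropped, not torn down gracefully (Linux struct layout).
            s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # covers TimeoutError and e.g. EHOSTUNREACH from ICMP errors
            results[port] = "filtered"
        finally:
            s.close()
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
            print(f"{port}/tcp {state}")
    finally:
        srv.close()
```

Run it and watch the loopback interface in Wireshark: the open port shows SYN, SYN/ACK, ACK and then RST from the scanner; the closed port shows SYN followed by RST/ACK from the kernel.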

Stealth scan

Also known as TCP SYN scan, SYN stealth scan or half-open scan (and, when used for host discovery, TCP SYN ping), it is the default nmap port scan when run as root and the most popular one. It sends a SYN and, on receiving SYN/ACK, answers with RST instead of ACK, so the three-way handshake is never completed and the connection stays half open.

  • Pros and cons:

    • Pro: Stealthy because it never completes TCP connections, so the application never sees it and application logs do not record it (the SYN is still visible to firewalls and IDS).
    • Con: Requires raw sockets, hence root privileges.
    • Con: IDS rule sets flag many SYN scan attempts, since a burst of SYNs without completed handshakes is an easy signature.
  • Types:

    • Open: the target answers SYN/ACK and the scanner replies with RST instead of ACK, so only the first part of the conversation takes place.
sequenceDiagram
    Attacker->>Target: (1) SYN + Port
    Target->>Attacker: (2) SYN/ACK
    Attacker->>Target: (3) RST
  • Closed: the target answers the SYN with RST.
sequenceDiagram
    Attacker->>Target: (1) SYN + Port
    Target->>Attacker: (2) RST
  • Filtered: no response (or an ICMP unreachable error); nmap retransmits the probe before reporting the port as filtered.
sequenceDiagram
    Attacker->>Target: (1) SYN + Port
    Attacker->>Target: (2) SYN + Port retry
  • Tools
    • Nmap: -PS (TCP SYN ping for host discovery; a SYN to port 443 is part of the default discovery probes) or -sS (SYN port scan, the default when run as root): sudo nmap -sS -PS 8.8.8.8.
    • Hping: hping3 -8 <port-list e.g. 50-60> -S <ip-address> -V (-8 scan mode, -S sets the SYN flag, -V verbose).

Inverse TCP XMAS and Maimon scans

Inverse TCP flag scanning sends probes with unusual flag combinations (FIN, URG and PUSH, or no flags at all) and relies on how an RFC 793-compliant stack treats a segment that belongs to no connection: a closed port replies RST, an open port stays silent. Windows and some network devices answer RST regardless of the port state, so every port then looks closed.

  • NULL scan (-sN): no flags set.
  • FIN scan (-sF): only FIN set.
  • Christmas tree packet (-sX): FIN, PSH and URG set, lit up like bulbs on a Christmas tree (the term originally meant a packet with every option set).
  • TCP Maimon Scan (-sM): exactly the same technique as the NULL, FIN and Xmas scans, except that the probe is FIN/ACK; many BSD-derived stacks drop it when the port is open instead of answering RST.
Probe response                                                  Assigned state
No response received (even after retransmissions)               open or filtered
TCP RST packet                                                  closed
ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)     filtered
  • Closed: the target answers the probe with RST.
graph LR;
    A[Attacker];
    B[Target];
    A -- 1: URG, FIN, PUSH --> B;
    B -- 2: RST --> A;
  • Open or filtered: no response.
graph LR;
    A[Attacker];
    B[Target];
    A -- 1: URG, FIN, PUSH --> B;
  • Filtered: a firewall answers with an ICMP unreachable error (silent drops fall under open or filtered above).
graph LR;
    A[Attacker];
    B[Target];
    A -- 1: URG, FIN, PUSH --> B;
    B -- 2: ICMP unreachable error --> A;
  • Tools
    • Hping: hping3 -F -P -U <ip-address> -p <port-number>
      • -F for FIN, -P for PUSH, -U for URG
      • 0% packet loss (every probe answered with RST) means closed; 100% packet loss (no answer) means open or filtered.
    • Nmap: -sX, or any custom flag combination with --scanflags:
      # the flag names are concatenated into one word, e.g. URG ACK PSH RST FIN
      sudo nmap --scanflags URGACKPSHRSTFIN 8.8.8.8

ACK scan

Also known as ACK flag scanning, ACK flag probe scanning or TCP ACK scan. Used to map firewall rule sets (which ports are filtered and whether the firewall is stateful); it cannot tell open ports from closed ones, since an unfiltered port answers an unsolicited ACK with RST whether it is open or closed.
Works by sending a TCP packet with only the ACK flag set. ACK (acknowledgment) normally confirms receipt of a segment inside an established connection, so a bare ACK belongs to no connection and a stateful firewall drops it while a stateless one lets it through.

  • Unfiltered:
graph LR;
    A[Attacker];
    B[Target];
    A -- 1: ACK --> B;
    B -- 2: RST --> A;
  • Filtered, unresponsive:
graph LR;
    A[Attacker];
    B[Target];
    A -- 1: ACK --> B;
  • Filtered: a firewall answers with an ICMP unreachable error.
graph LR;
    A[Attacker];
    B[Target];
    A -- 1: ACK --> B;
    B -- 2: ICMP unreachable error --> A;
  • Pros and cons:
    • Pro: Difficult to log since no connection is attempted, avoids simple IDS signatures, and reveals whether a stateful firewall sits in front of the port.
    • Con: The variant that infers open ports from the TTL or window field of the RST relies on quirks of older BSD-derived network code, and the scan is slow.
  • Tools
    • Nmap: -PA (TCP ACK ping for host discovery) or -sA (ACK port scan): sudo nmap -sA -PA 8.8.8.8.
    • Hping: hping3 -A <ip-address> -p <port>

IDLE IPID scan

  • Allows for blind port scanning: the target never receives a packet carrying the attacker's real IP address (the attacker only ever talks to the zombie from its own address).
  • Utilizes the IP address of a zombie machine through spoofed packets.
  • Flow:
    1. Probe the zombie's IP ID and record it (e.g. send it a SYN/ACK; the RST it replies with carries its current IP ID).
      • IP ID:
        • Every IP packet has a 16-bit fragment identification number in its header.
        • Many OSes increment it by one for each packet they send.
      • Zombie should be:
        • idle, so that no other traffic increments its IP ID during the scan;
        • assigning IP IDs incrementally from one global counter, instead of per host or at random.
    2. Forge a SYN packet with the zombie's source address and send it to the desired port on the target. An open port answers the zombie with SYN/ACK, which the zombie rejects with a RST (IP ID +1); a closed port answers with RST, which the zombie silently ignores; a filtered port answers nothing.
    3. Probe the zombie's IP ID again.
      • Increased by 2 compared to step 1 (the zombie's RST to the target plus its RST to this probe): the port is open.
      • Increased by 1 (only the RST to this probe): the port is closed or filtered.
      • Any other delta: the zombie is not idle and the result is unreliable.
  • Pros and cons:
    • Pro: Ultimate stealth scan as the attacker's IP is never revealed to the target; can be used for framing as the target's IDS will report the zombie as the attacker.
    • Con: It takes far longer, and many ISPs implement egress filtering that drops the spoofed packets.
  • Tools:
    • Nmap: nmap -Pn -sI <zombie-ip/domain> <target-ip/domain>
      • -sI: idle scan (nmap first checks that the zombie's IP ID sequence really is incremental)
      • -Pn: skip ping, otherwise host discovery would contact the target from the attacker's own address
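Added simulation, not nmap's code, of the three-step idle scan above in Python: a Zombie whose single global IP ID counter goes up by one per packet it sends, a Target with open, closed and filtered ports, and an attacker that only ever addresses the zombie from its own IP. Hosts, addresses and ports are made up for the example; the point is to see the IP ID delta of 2 (open) versus 1 (closed or filtered), and what happens when the zombie is not idle.

```python
class Zombie:
    """Host with one global IP ID counter, incremented by one for every packet it sends."""

    def __init__(self, ip, start_ipid=1000, background_traffic=0):
        self.ip = ip
        self.ipid = start_ipid
        # Packets the zombie sends to other parties between the packets it receives
        # from the scan; a truly idle zombie has 0, which is what the technique relies on.
        self.background_traffic = background_traffic

    def receive(self, pkt):
        self.ipid += self.background_traffic
        # An unsolicited SYN/ACK is answered with RST (one packet sent, IP ID +1);
        # an unsolicited RST is silently ignored (nothing sent, IP ID unchanged).
        if pkt["flags"] == {"SYN", "ACK"}:
            self.ipid += 1
            return {"src": self.ip, "dst": pkt["src"], "port": pkt["port"],
                    "flags": {"RST"}, "ipid": self.ipid}
        return None


class Target:
    """Host being scanned: answers SYNs according to port state, ignores everything else."""

    def __init__(self, ip, open_ports, filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        if pkt["flags"] != {"SYN"} or pkt["port"] in self.filtered_ports:
            return None  # not a SYN, or a firewall drops the probe
        flags = {"SYN", "ACK"} if pkt["port"] in self.open_ports else {"RST"}
        return {"src": self.ip, "dst": pkt["src"], "port": pkt["port"], "flags": flags}


class Network:
    """Delivers a packet to the simulated host named in dst and follows the reply chain."""

    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        for _ in range(4):  # chains here are at most three packets long
            host = self.hosts.get(pkt["dst"])
            if host is None:
                return pkt  # addressed outside the simulation, i.e. back to the attacker
            pkt = host.receive(pkt)
            if pkt is None:
                return None
        return None


def idle_scan(net, attacker_ip, zombie_ip, target_ip, ports, zombie_probe_port=80):
    """Classify target ports from IP ID deltas seen on the zombie; the target never sees attacker_ip."""

    def probe_zombie():
        reply = net.send({"src": attacker_ip, "dst": zombie_ip,
                          "port": zombie_probe_port, "flags": {"SYN", "ACK"}})
        return reply["ipid"]

    results = {}
    for port in ports:
        before = probe_zombie()                                   # 1. record the zombie's IP ID
        net.send({"src": zombie_ip, "dst": target_ip,             # 2. spoofed SYN "from" the zombie
                  "port": port, "flags": {"SYN"}})
        delta = probe_zombie() - before                           # 3. probe again and compare
        if delta == 2:
            results[port] = "open"             # target sent SYN/ACK to zombie, zombie answered RST
        elif delta == 1:
            results[port] = "closed|filtered"  # only the RST to our own probe was sent
        else:
            results[port] = "unreliable"       # zombie not idle, or IP IDs not sequential
    return results


if __name__ == "__main__":
    net = Network([Zombie("10.0.0.5"), Target("10.0.0.9", open_ports={22}, filtered_ports={25})])
    print(idle_scan(net, "192.0.2.1", "10.0.0.5", "10.0.0.9", [22, 23, 25]))
```

Note how the attacker's address 192.0.2.1 only ever appears in packets to the zombie; every packet the target handles has the zombie's address as source. With background_traffic=1 the deltas become 3 and 4 and the scan degrades to "unreliable", which is why nmap tests the zombie's IP ID behaviour before scanning.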

UDP scan

UDP is a connectionless datagram protocol, so there is no handshake. UDP is used by e.g. DNS (port 53), SNMP (port 161/162), and DHCP (port 67/68). The scan is also known as UDP ping, UDP/ICMP error scan, UDP port scan or UDP ICMP_PORT_UNREACHABLE scan. It exploits the behaviour where the receiver answers a datagram sent to a closed port with an ICMP port unreachable error (type 3, code 3): an application-layer reply means open, other ICMP unreachable errors mean filtered, and no response is interpreted as “open or filtered”, since a service behind a firewall and a service that simply does not answer an empty datagram look the same.

  • Pros and cons:
    • Pro: Avoids TCP-only IDS signatures, and scans non-TCP services that are quite common (DNS, SNMP, DHCP, NTP).
    • Cons:
      • Provides port state only, with no handshake to confirm a service, and the Linux kernel rate-limits ICMP unreachable messages (about one per second), so a scan of all 65535 ports takes hours; Windows does not rate-limit them.
      • Requires root privileges (raw sockets to read the ICMP errors) and is slower than TCP scanning.
  • Tools
    • Hping: hping3 -2 <ip-address> -p <port> (-2 selects UDP mode)
    • Nmap: -PU (UDP ping for host discovery) or -sU (UDP port scan); add -sV to help resolve the open|filtered ports by sending protocol-specific payloads.
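Added example covering the stealth (SYN), inverse TCP (NULL/FIN/Xmas/Maimon), ACK and UDP scan sections above, not code from the CEH material or from nmap: a small Python table of what each probe sends and how nmap classifies what comes back, following the state rules in the nmap reference guide. The Response objects are constructed for the example rather than captured from the wire.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# TCP flags set in the probe for each scan type; a UDP scan sends an empty datagram.
PROBE_FLAGS = {
    "syn": {"SYN"},
    "null": set(),
    "fin": {"FIN"},
    "xmas": {"FIN", "PSH", "URG"},
    "maimon": {"FIN", "ACK"},
    "ack": {"ACK"},
}

# ICMP destination unreachable (type 3) codes nmap treats as "filtered":
# 1 host, 2 protocol, 3 port unreachable, 9/10/13 administratively prohibited.
ICMP_FILTERED_CODES = frozenset({1, 2, 3, 9, 10, 13})


@dataclass(frozen=True)
class Response:
    kind: str                               # "tcp", "udp", "icmp" or "none"
    flags: FrozenSet[str] = frozenset()     # TCP flags, when kind == "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NO_RESPONSE = Response("none")
UDP_REPLY = Response("udp")


def tcp_reply(*flags):
    return Response("tcp", frozenset(f.upper() for f in flags))


def icmp_error(icmp_type, icmp_code):
    return Response("icmp", icmp_type=icmp_type, icmp_code=icmp_code)


def probe_flags(scan):
    return set(PROBE_FLAGS[scan])


def classify(scan, resp):
    """Map (scan type, what came back) to the port state nmap would report."""
    is_rst = resp.kind == "tcp" and "RST" in resp.flags
    icmp_filtered = (resp.kind == "icmp" and resp.icmp_type == 3
                     and resp.icmp_code in ICMP_FILTERED_CODES)
    if scan == "syn":
        if resp.kind == "tcp" and "SYN" in resp.flags:  # SYN/ACK (or a bare SYN) means open
            return "open"
        if is_rst:
            return "closed"
        if resp.kind == "none" or icmp_filtered:
            return "filtered"
    elif scan in ("null", "fin", "xmas", "maimon"):
        if resp.kind == "none":
            return "open|filtered"            # RFC 793 stacks stay silent on open ports
        if is_rst:
            return "closed"
        if icmp_filtered:
            return "filtered"
    elif scan == "ack":
        if is_rst:
            return "unfiltered"               # reachable, but open vs closed unknown
        if resp.kind == "none" or icmp_filtered:
            return "filtered"
    elif scan == "udp":
        if resp.kind == "udp":
            return "open"
        if resp.kind == "icmp" and resp.icmp_type == 3 and resp.icmp_code == 3:
            return "closed"                   # port unreachable: only UDP treats code 3 as closed
        if icmp_filtered:
            return "filtered"
        if resp.kind == "none":
            return "open|filtered"
    return "unexpected"


if __name__ == "__main__":
    for scan in PROBE_FLAGS:
        print(f"{scan:7s} sends {sorted(probe_flags(scan)) or 'no flags'}; "
              f"no answer -> {classify(scan, NO_RESPONSE)}, RST -> {classify(scan, tcp_reply('RST'))}")
```

Two details worth noticing in the table: silence means "filtered" for a SYN scan but "open|filtered" for the inverse scans, because an open port is expected to stay quiet there; and an ICMP type 3 code 3 is "filtered" for every TCP scan but "closed" for UDP, which is the whole basis of the UDP scan.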

SCTP INIT and COOKIE ECHO scans

SCTP (Stream Control Transmission Protocol): transport-layer protocol that combines TCP-style reliability with UDP-style message boundaries, used mainly in telecom signalling (SS7 over IP / SIGTRAN) and Diameter. Its four-way handshake uses a state cookie so the server keeps no state until the client proves it can receive traffic, which makes it resistant to SYN-flood style attacks:

sequenceDiagram
    Client->>Server: INIT
    Server->>Client: INIT-ACK (carries the state cookie)
    Client->>Server: COOKIE-ECHO
    Server->>Client: COOKIE-ACK
  • Tools
    • Nmap: -sY (SCTP INIT scan, the SCTP counterpart of a SYN scan) or -sZ (SCTP COOKIE ECHO scan, harder for non-stateful firewalls to spot, but it cannot tell open from filtered): sudo nmap -sY -n -Pn 8.8.8.8 --packet-trace

Scan optimizations

  • Increase focus: start from a wider net, then reduce targets (and ports) based on what you learn.
  • Remove unnecessary scan phases: skip DNS resolution (-n) and host discovery (-Pn) when you already know the host is up.
  • Templates: -T4 is faster than -T3 (higher templates shorten timeouts and raise parallelism, at the price of accuracy on slow or lossy links).
    • -T0: paranoid.
    • -T1: sneaky.
    • -T2: polite.
    • -T3: normal (default).
    • -T4: aggressive.
    • -T5: insane.
# -n: skip name resolution
# -Pn: skip host discovery, since Windows Firewall blocks ICMP echo by default
# -F: fast scan, top 100 ports only
# --disable-arp-ping: no ARP/ND ping on the local segment, use IP-level probes instead
sudo nmap -n -Pn -F -T2 --disable-arp-ping scanme.nmap.org

Target OS identification techniques

  • Time To Live (TTL) may give the OS away: each OS starts from a default initial TTL and every router on the path decrements it by one, so rounding the observed value up to the nearest default gives the OS family and the hop count:

    ping -c 4 8.8.8.8
    # Windows initial TTL is 128
    # Linux initial TTL is 64
    # network devices (and Solaris) commonly start at 255
  • nmap may try to guess the OS:

    # educated guess from TCP/IP stack fingerprinting (works best with one open and one closed port)
    sudo nmap -O 8.8.8.8
    # SMB 1.0 is out of support, but in the packets you may still find strings like "WIN" and "10PRO"
    sudo nmap --script smb-os-discovery.nse 8.8.8.8 --packet-trace
  • IPv6: it is often overlooked in firewall rules, so the same host may answer over IPv6 while IPv4 is filtered

    # -6 scans over IPv6; the target must then be an IPv6 address or a name with an AAAA record
    sudo nmap -O -6 2001:4860:4860::8888
  • Countermeasures:

    • Disinformation (e.g. change the default TTL or other stack fingerprint values).
    • Turn off unused protocols.
    • Turn off banners (“Hi, I am this service running on this version”).
    • Don’t show file extensions.
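Added example, not from the page: a Python helper that parses ping output and rounds the observed TTL up to the nearest common initial value (64, 128, 255) to guess the OS family and the number of hops in between. The sample ping output is constructed and the TTL table is an assumption: stacks can change their default TTL, and a load balancer or anycast node in front of the host answers with its own TTL, so treat the result as a hint to confirm with nmap -O, not as proof.

```python
import re

# Common default initial TTLs. This mapping is an assumption for the example;
# individual stacks can be tuned and network gear varies.
INITIAL_TTLS = {
    64: "Linux / Unix / macOS",
    128: "Windows",
    255: "Network device (Cisco IOS, etc.) / Solaris",
}

# Linux ping prints "ttl=117", Windows ping prints "TTL=64".
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def guess_os_from_ttl(observed_ttl):
    """Return (os_family, hops) by rounding up to the nearest default initial TTL."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return "unknown", None


def guess_os_from_ping(output):
    """Parse ping output (Linux or Windows format) and guess the OS of the replying host."""
    ttls = [int(t) for t in TTL_RE.findall(output)]
    if not ttls:
        return None
    # Use the most common value: a stray reply over another path would have a different TTL.
    ttl = max(set(ttls), key=ttls.count)
    os_family, hops = guess_os_from_ttl(ttl)
    return {"ttl": ttl, "os": os_family, "hops": hops}


# Constructed sample output (not real captures); 203.0.113.10 is a documentation address.
LINUX_PING = """PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=117 time=11.2 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=117 time=10.9 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=117 time=11.0 ms
"""

WINDOWS_PING = """Reply from 192.168.1.20: bytes=32 time=1ms TTL=64
Reply from 192.168.1.20: bytes=32 time=1ms TTL=64
"""

if __name__ == "__main__":
    print(guess_os_from_ping(LINUX_PING))    # ttl 117 -> Windows-like stack, 11 hops away
    print(guess_os_from_ping(WINDOWS_PING))  # ttl 64  -> Linux-like stack on the local segment
```

The rounding only works because the three defaults are far apart: a value of 117 is 11 hops from 128 and would have to be 53 hops below 170 to be anything else, which no real path has.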

IDS and firewall evasion

Avoiding measures such as Intrusion Detection Systems and firewalls.

  • Packet fragmentation: splitting the TCP header across several small IP fragments on send; the target reassembles them once all fragments have arrived.

    • Some IDSes and packet filters do not reassemble fragments, because buffering them costs memory and CPU, so they never see a complete TCP header (with 8-byte fragments the flags byte sits in the second fragment).
    • Any IP datagram can be fragmented: UDP, TCP, ICMP, etc.
    • Tools:
      • Nmap: -f flag e.g. nmap -f <ip-or-host>
        • splits the packets into 8 bytes or less after the IP header (-ff uses 16 bytes)
        • Alternatively --mtu lets you set the fragment size in bytes, which must be a multiple of 8, e.g. --mtu 16
      • fragroute
        • Usage: fragroute <host>
        • Intercepts, modifies, and rewrites egress traffic to that host so that it leaves as fragments
  • IP address decoy: all packets originate from the scanning machine, but some have spoofed source addresses.

    • It helps to confuse port scan detection (the target sees the same scan coming from several addresses and cannot tell which one is real), but it does not offer any information beyond a regular scan.
    • Tools:
      • Nmap:
        • nmap -D decoy1,decoy2,ME,decoy3... <target>: Manual list with custom positioned ME
        • nmap -D RND:10 <target> to randomize 10 decoy IP addresses
  • IP address spoofing: used to make packet appear to come from someone else, done by changing address information in IP packet header field.

    • Replies go back to the spoofed address, not to the attacker, so nothing is learned unless the attacker can sniff the path to that address (or uses an idle scan).
    • Mostly used for DoS attacks.
    • Not getting a response therefore says nothing by itself: the reply may well have been sent to the spoofed address, so a firewall that silently dropped the probe cannot be told apart from one that passed it without sniffing.
    • Tools:
      • hping: hping3 <target> -a <spoofed-ip>
      • Nmap: nmap <target> -S <spoofed-ip> -e <interface> -Pn (-e names the interface, because nmap cannot pick a route for an address it does not own)
  • Source routing: specifying in the packet itself which path it will take to the target host; most routers drop such packets, so it is usually blocked.

    • Used to skip routes (routers/gateways) where firewalls exist, disregarding what route tables say.
    • Done by modifying IP address field in IP Options field
    • Using Nmap:
      • Loose routing:
        • Specifying packet to be loose source routed through given IP way points
        • E.g. --ip-options "L 192.168.0.7 192.168.30.9"
      • Strict routing:
        • You will have to specify every single hop along the path.
        • E.g. --ip-options "S 192.168.0.7 192.168.0.9 .. 192.168.30.9"
  • Source port modification: firewalls filter by port (ingress and egress), and traffic from source port 53 is often allowed through so DNS can work; piggyback your probes on that rule by sending them from port 53.

    • Tools:
      • Nmap: nmap -g 53 <target>
  • SSRF (Server Side Request Forgery): make a vulnerable server issue the request on our behalf, so the probe appears to originate from it. Tools: Burp Suite, ZAP.

  • Randomize hosts: hides the scan by avoiding the sequential target pattern that scan detectors look for.

    • Tools:
      • Nmap: nmap --randomize-hosts <target>
  • Proxies: use middleman (nmap --proxies).

  • Anonymiser: avoid blacklists with Proxy Switcher, FoxyProxy, VPNs, Tor Browser, or at OS level with Tails or Whonix.
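Added example for the packet fragmentation item above, not nmap's code: a Python model of how nmap -f splits a 20-byte TCP header into 8-byte IP fragments, which IP header fields (identification, fragment offset, More Fragments flag) a filter sees per fragment, and why a device that inspects only the first fragment never sees the TCP flags byte (offset 13 lands in the second fragment). The TCP header is built here with a zero checksum for illustration; the reassembly function shows what the target's stack must do before it can read the flags.

```python
import struct

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FLAGS_BYTE = 13  # offset of the flags byte inside the TCP header


def build_tcp_header(sport, dport, flags, seq=0x01020304):
    """Minimal 20-byte TCP header: no options, checksum left zero for illustration."""
    flag_bits = sum(TCP_FLAG_BITS[f] for f in flags)
    data_offset = 5 << 4  # 5 x 32-bit words, high nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flag_bits, 65535, 0, 0)


def parse_tcp_flags(tcp_header):
    bits = tcp_header[TCP_FLAGS_BYTE]
    return {name for name, bit in TCP_FLAG_BITS.items() if bits & bit}


def fragment_ipv4(payload, ident, fragment_size=8):
    """Split an IP payload the way nmap -f (8 bytes) or --mtu N does.

    Each entry carries the IP header fields a filter sees: identification, the fragment
    offset in 8-byte units, and the More Fragments (MF) flag, plus the fragment's bytes.
    """
    if fragment_size % 8:
        raise ValueError("fragment size must be a multiple of 8 (nmap --mtu has the same rule)")
    frags = []
    for start in range(0, len(payload), fragment_size):
        chunk = payload[start:start + fragment_size]
        frags.append({
            "id": ident,
            "offset": start // 8,
            "mf": start + len(chunk) < len(payload),
            "data": chunk,
        })
    return frags


def reassemble_ipv4(frags):
    """What the target's IP stack does: order by offset, check contiguity and a final MF=0."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    expected = 0
    for f in ordered:
        if f["offset"] * 8 != expected:
            raise ValueError("gap or overlap in fragments")
        expected += len(f["data"])
    if ordered[-1]["mf"]:
        raise ValueError("last fragment still has MF set")
    return b"".join(f["data"] for f in ordered)


def tcp_flags_visible(fragment):
    """Would a filter that inspects this single fragment see the TCP flags byte?"""
    start = fragment["offset"] * 8
    return start <= TCP_FLAGS_BYTE < start + len(fragment["data"])


if __name__ == "__main__":
    header = build_tcp_header(40000, 80, {"SYN"})
    for frag in fragment_ipv4(header, ident=0x1234):
        print(f"id={frag['id']:#06x} offset={frag['offset']} mf={int(frag['mf'])} "
              f"len={len(frag['data'])} flags visible={tcp_flags_visible(frag)}")
    print("reassembled flags:", parse_tcp_flags(reassemble_ipv4(fragment_ipv4(header, 1))))
```

With 8-byte fragments the SYN header becomes three fragments (offsets 0, 1, 2; MF set on the first two) and only the middle one contains the flags byte; with --mtu 16 the first fragment already carries the flags, which is why a larger fragment size buys less evasion. A filter that wants the flags has to buffer and reorder fragments exactly as reassemble_ipv4 does, which is the resource cost the text refers to.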