Scanning Networks
Module 03

Module 03 - Scanning Networks

Scanning a Target Network

Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.
Lab Scenario

Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.
Lab Objectives

The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network. You need to perform a network scan to:
- Check live systems and open ports
- Perform banner grabbing and OS fingerprinting
- Identify network vulnerabilities
- Draw network diagrams of vulnerable hosts

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Environment

In the lab, you need:
- A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
- A web browser
- Administrative privileges to run tools and perform scans
Lab Duration

Time: 50 Minutes
Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom. For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue. Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.
Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Ensure you have a copy of the additional readings handed out for this lab.

Recommended labs to assist you in scanning networks:
- Scanning System and Network Resources Using Advanced IP Scanner
- Banner Grabbing to Determine a Remote Target System Using ID Serve
- Fingerprint Open Ports for Running Applications Using the Amap Tool
- Monitor TCP/IP Connections Using the CurrPorts Tool
- Scan a Network for Vulnerabilities Using GFI LanGuard 2012
- Explore and Audit a Network Using Nmap
- Scanning a Network Using the NetScan Tools Pro
- Drawing Network Diagrams Using the LANSurveyor Tool
- Mapping a Network Using the Friendly Pinger
- Scanning a Network Using the Nessus Tool
- Labs whose titles survive only as tool names on this page: Network Inventory, Switcher
- Labs whose titles survive only as tool names on this page: Workbench, Dude
- Detect, Delete and Block Google Cookies Using G-Zapper
- Scanning the Network Using the Colasoft Packet Builder

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.
Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
Lab Objectives

The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
- Perform a system and network scan
- Enumerate user accounts
- Execute remote penetration
- Gather information about local network computers
Lab Environment

You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).

If you decide to download the latest version, what is shown in the lab might differ.

To carry out the lab, you need:
- A computer running Windows 8
- Administrative privileges to run tools

Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner.
Lab Duration

Time: 20 Minutes
Overview of Network Scanning

Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. The gathered information is helpful in determining threats and vulnerabilities in a network and in knowing whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.
Lab Tasks

TASK 1: Launching Advanced IP Scanner
[Figure: Windows Start screen of the attacker machine, showing the Advanced IP Scanner tile among the installed applications (Computer, Control Panel, Command Prompt, Mozilla Firefox, WinRAR, Microsoft Office 2010)]
You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).
5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
6. Click the Scan button to start the scan.
7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
Lists of computers: saving and loading enable you to perform operations with a specific list of computers. Just save a list of machines you need and Advanced IP Scanner loads it at startup automatically.
[Figure: Advanced IP Scanner main window after scanning the range 10.0.0.1 - 10.0.0.10; the Results tab lists the detected hosts with Status, Name (for example WIN-MSSELCK4K41, WINDOWS8, WIN-LXQN3WR3R9M, WIN-D39MR5HL9E4), IP address (10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.5, 10.0.0.7) and Manufacturer (Netgear, Inc., Dell Inc, Microsoft Corporation)]
Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.
FIGURE 1.6: The Advanced IP Scanner main window after scanning

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.

TASK 2

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.
[Figure: Advanced IP Scanner results with the right-click context menu for the detected host WINDOWS8 (Explore, Copy, Add to Favorites, Rescan selected, Save selected..., Wake-On-LAN, Shut down..., Abort shut down); the columns show Status, Name, IP address and MAC address]
Wake-on-LAN: You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list

10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
[Figure: Advanced IP Scanner Shutdown options dialog (User name, Password, Timeout (sec): 60, Message, Forced shutdown, Reboot) shown over the results list with Name and MAC address columns]

Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood.
FIGURE 1.8: The Advanced IP Scanner Computer properties window

12. Now you have the IP address, Name, and other details of the victim machine.
Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility         | Information Collected/Objectives Achieved
---------------------|------------------------------------------
Advanced IP Scanner  | Scan Information:
                     | - IP address
                     | - System name
                     | - MAC address
                     | - NetBIOS information
                     | - Manufacturer
                     | - System status
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.
Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow, SQL injection, and web application vulnerabilities on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network and cause server damage. Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.
Lab Objectives

The objective of this lab is to help students learn banner grabbing of a website and discover the applications running on this website.

In this lab you will learn to:
- Identify the domain IP address
- Identify the domain information
Lab Environment
You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm. If you decide to download the latest version, what is shown in the lab might differ.

Double-click idserve to run the ID Serve tool.

Run this tool on Windows Server 2012.

Lab Duration

Time: 5 Minutes
Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.
Lab Tasks

TASK 1: Identify website server information
[Figure: ID Serve main window, Background tab: the field "Enter or copy / paste an Internet server URL or IP address here (example www.microsoft.com)", the "Query The Server" button ("When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server"), and the Copy and Exit buttons]

If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.
FIGURE 2.1: Main window of ID Serve

3. Enter the IP address or URL address in the field Enter or copy/paste an Internet server URL or IP address here.
[Figure: ID Serve (Internet Server Identification Utility, v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.) with www.certifiedhacker.com entered in the URL field and the "Query The Server" button]
FIGURE 2.2: Entering the URL for query

4. Click Query The Server; it shows the processed server query information.
[Figure: ID Serve query result for www.certifiedhacker.com. The server query pane reads:]
    Initiating server query
    Looking up IP address for domain www.certifiedhacker.com
    The IP address for the domain is 202.75.54.101
    Connecting to the server on standard HTTP port: 80
    [Connected] Requesting the server's default page
    The server identified itself as
    Microsoft-IIS/6.0

ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.
Lab Analysis

Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
Tool/Utility | Information Collected/Objectives Achieved
-------------|------------------------------------------
ID Serve     | IP address: 202.75.54.101
             | Server Connection: Standard HTTP port: 80
             | Response headers returned from server:
             |   HTTP/1.1 200
             |   Server: Microsoft-IIS/6.0
             |   X-Powered-By: PHP/4.4.8
             |   Transfer-Encoding: chunked
             |   Content-Type: text/html
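As an added example that is not part of the lab manual or of ID Serve, the following Python code performs the server owner's counterpart of the banner grab recorded above: it parses a raw HTTP response and reports which headers disclose a product and version (here Server and X-Powered-By), so that an administrator can verify the banner has been removed after hardening. The two sample responses are constructed from the values in the table; the list of disclosing header names is this example's assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the response headers recorded in the table above, reassembled
# into wire format (the reason phrase "OK" is added; the table shows only "200").
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed sample of the same server after the banner headers were removed.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Headers that conventionally carry a product/version banner (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# "Microsoft-IIS/6.0" -> product "Microsoft-IIS", version "6.0"
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z][\w.\- ]*?)/(?P<version>\d[\w.\-]*)")


def parse_response_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, {lower-cased name: value}).

    Only the header block (up to the first blank line) is parsed; the body is
    ignored. Header names are case-insensitive, so they are lower-cased for lookup.
    """
    head, _, _body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    status = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def banner_findings(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per disclosing header present, with product/version split out."""
    findings: List[Dict[str, str]] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        m = VERSION_RE.match(value)
        findings.append({
            "header": name,
            "value": value,
            "product": m.group("product") if m else value,
            "version": m.group("version") if m else "",
        })
    return findings


def audit_banner(raw: bytes) -> Dict[str, object]:
    """Audit one captured response; an empty findings list means no version banner leaks."""
    status, headers = parse_response_headers(raw)
    findings = banner_findings(headers)
    return {
        "status": status,
        "findings": findings,
        "disclosing_headers": [f["header"] for f in findings],
    }


if __name__ == "__main__":
    for label, raw in (("as recorded", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit_banner(raw)
        print(f"[{label}] {report['status']}")
        for f in report["findings"]:
            print(f"  {f['header']}: {f['value']} -> {f['product']} {f['version']}")
```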
Questions

1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs
Fingerprinting Open Ports Using the Amap Tool

Amap determines applications running on each open port.

Lab Scenario
Computers communicate with each other by knowing the IP address in use, and ports determine which program handles the data when it is received. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine. In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.
Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and discover applications running on these open ports. In this lab, you will learn to:
- Identify the application protocols running on open port 80
- Detect application protocols
Lab Environment

You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap. If you decide to download the latest version, what is shown in the lab might differ.
- A computer running Web Services enabled for port 80
- Administrative privileges to run the Amap tool
- Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes
Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.
Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80
1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
2. Type amap www.certifiedhacker.com 80, and press Enter.
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

FIGURE 3.1: Amap with hostname www.certifiedhacker.com with Port 80

3. You can see the specific application protocols running on the entered host name and the port 80.
4. Use the IP address.
5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine): amap 10.0.0.4 75-81 (local Windows Server 2008) and press Enter (the IP address will be different in your network). For Amap options, type amap -help.
6. Try scanning different websites using different ranges of switches, like amap www.certifiedhacker.com 1-200
    D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
    Protocol on 10.0.0.4:80/tcp matches http
    Protocol on 10.0.0.4:80/tcp matches http-apache-2
    Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
    Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
    amap v5.2 finished at 2012-08-28 12:27:54
    D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>

Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.
Lab Analysis

Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility | Information Collected/Objectives Achieved
-------------|------------------------------------------
Amap         | Identified open port: 80
             | Web Servers: http-apache2, http-iis, webmin
             | Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp
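The matching step that the fingerprinting overview describes (send a trigger, then look the reply up in a list of response strings), written out as an added Python example; this is not the Amap tool's own code or signature file. The signature table and the captured replies are constructed for illustration, and the service on port 80 is modelled on the lab's "http" / "http-apache-2" result.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed signature table in the style of amap's response definitions: a name
# and a regular expression tested against the bytes a service sends back after a
# trigger. A reply may match several entries, and each one is reported, which is
# why the lab output shows both "http" and "http-apache-2" for the same port.
SIGNATURES = [
    ("http",          re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("http-apache-2", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/2\.", re.S)),
    ("http-iis",      re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Microsoft-IIS/", re.S)),
    ("smtp",          re.compile(rb"^220[ -].*?(?:SMTP|ESMTP)", re.S)),
    ("ftp",           re.compile(rb"^220[ -].*?FTP", re.S)),
    ("ssh",           re.compile(rb"^SSH-\d\.\d-")),
]

Captures = Dict[Tuple[str, int, str], bytes]

# Constructed captures keyed by (ip, port, proto). Port 80 mirrors the lab's result;
# port 75 accepted the connection but answered nothing, like the lab's unidentified ports.
CAPTURES: Captures = {
    ("10.0.0.4", 80, "tcp"): (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Win32)\r\n"
                              b"Content-Type: text/html\r\n\r\n"),
    ("10.0.0.4", 75, "tcp"): b"",
    ("10.0.0.4", 25, "tcp"): b"220 mail.example.test ESMTP ready\r\n",
    ("10.0.0.4", 22, "tcp"): b"SSH-2.0-OpenSSH_5.9\r\n",
}


def match_protocols(response: bytes) -> List[str]:
    """Return the name of every signature the reply matches, in table order."""
    return [name for name, rx in SIGNATURES if rx.search(response)]


def fingerprint(captures: Captures) -> Dict[str, Any]:
    """Classify each captured port as identified (with its matches) or unidentified."""
    identified: Dict[str, List[str]] = {}
    unidentified: List[str] = []
    for (ip, port, proto), reply in sorted(captures.items(), key=lambda kv: kv[0][1]):
        key = f"{ip}:{port}/{proto}"
        names = match_protocols(reply)
        if names:
            identified[key] = names
        else:
            # An unidentified port is still an open port: it needs an owner and a reason.
            unidentified.append(key)
    return {"identified": identified, "unidentified": unidentified}


def format_report(result: Dict[str, Any]) -> List[str]:
    """Render the result in the line format amap prints."""
    lines: List[str] = []
    for key, names in result["identified"].items():
        lines.extend(f"Protocol on {key} matches {name}" for name in names)
    if result["unidentified"]:
        lines.append("Unidentified ports: " + " ".join(result["unidentified"])
                     + f" (total {len(result['unidentified'])}).")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(fingerprint(CAPTURES))))
```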
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility gets the applications running on different machines.
3. Use various Amap options and analyze the results.

Internet Connection Required: Yes
Monitoring TCP/IP Connections Using the CurrPorts Tool

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.
Lab Scenario

In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or by disabling unnecessary services running on the computer. You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and obtain all the information in the IP and TCP headers and the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection. As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.
Lab Objectives

The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.

In this lab, you need to:
- Scan the system for currently opened TCP/IP and UDP ports
- Gather information on the ports and processes
- List all the IP addresses
- Close unwanted TCP connections and kill the process that opened the ports
Lab Environment

You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html. If you decide to download the latest version, what is shown in the lab might differ.

Run this tool on Windows Server 2012.

Lab Duration

Time: 10 Minutes
Overview of Monitoring TCP/IP

Monitoring TCP/IP ports checks whether there are multiple IP connections established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.
Lab Tasks

The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

TASK 1: Discover TCP/IP Connections

1. Launch CurrPorts. It automatically displays the process name, ports, IP and remote addresses, and their states.
[Figure: CurrPorts main window listing, per connection, Process Name (chrome.exe, firefox.exe), Process ID, Protocol (TCP), Local Port, Local Address (10.0.0.7, 127.0.0.1, 0.0.0.0), Remote Port, Remote Address and Remote Host Name; footer: NirSoft Freeware, http://www.nirsoft.net]
FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses

The CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.

2. CurrPorts lists all the processes and their IDs, the protocols used, local and remote IP addresses, local and remote ports, and remote host names.
[Figure: CurrPorts View menu (Show Grid, Show Tooltips, Mark Odd/Even Rows, HTML Report - All Items, HTML Report - Selected Items, Choose Columns) opened over the connection list]

In the bottom left of the CurrPorts window, the status of total ports and remote connections displays.
FIGURE 4.2: The CurrPorts with HTML Report - All Items

4. The HTML Report opens automatically.
To check the countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.

[Figure: Web browser displaying the CurrPorts "TCP/UDP Ports List" report - All Items, with columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address and Remote Host Name; the rows are chrome.exe (PID 2988) connections to 173.194.36.x on ports 80 (http) and 443 (https)]
FIGURE 4.3: The web browser displaying CurrPorts Report - All Items

5. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).
CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu.
[Figure: Web browser with the File menu opened over the CurrPorts report - All Items (same chrome.exe rows as the previous figure)]
By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.
FIGURE 4.4: The web browser to save CurrPorts Report - All Items

6. To view only the selected report as an HTML page, select the reports and click View > HTML Reports - Selected Items.
[Figure: CurrPorts View menu with HTML Report - Selected Items, opened over the connection list (chrome.exe, firefox.exe, httpd.exe, lsass.exe rows with protocol, local port, remote port and remote address)]
Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.
You can also right-... default browser.
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).
FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items
The syntax for a filter string: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IPRange | PortsRange]
8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).
Command-line option: /stext <Filename> means save the list of all opened TCP/UDP ports into a regular text file.
FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items
9. To view the properties of a selected port, select the port and click File > Properties.
/stab <Filename> means save the list of all opened TCP/UDP ports into a tab-delimited text file.
FIGURE 4.8: CurrPorts to view properties for a selected port
10. The Properties window appears and displays all the properties for the selected port.
11. Click OK to close the Properties window.
Command-line option: /shtml <Filename> means save the list of all opened TCP/UDP ports into an HTML file (Horizontal).
12. To close a TCP connection you think is suspicious, select the process and click File > Close Selected TCP Connections (or Ctrl+T).
TASK 2: Close TCP Connection
13. To kill the processes of the selected ports, click File > Kill Processes Of Selected Ports.
TASK 3: Kill Process
FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports Option Window
14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.
/sverhtml <Filename> means save the list of all opened TCP/UDP ports into an HTML file (Vertical).
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.
In the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.
Tool/Utility: CurrPorts
Information Collected/Objectives Achieved:
Profile Details: Network scan for open ports
Scanned Report: Process Name, Process ID, Protocol, Local Port, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.
1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
2. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State
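As an added example (not code from the lab manual or from NirSoft), the filter-string syntax given with Figure 4.6 applied in Python to a constructed connection list shaped like the CurrPorts grid, including the two filters Question 1 asks for; the rule for combining several filters is an assumption, not taken from cports.exe:

```python
"""Apply CurrPorts-style filter strings to a list of connections.

Added example, not code from the lab manual or from NirSoft's CurrPorts. It
implements [include|exclude]:[local|remote|both|process]:[tcp|udp|tcpudp]:[IPRange|PortsRange]
over a constructed connection list. Combination rule (assumed, not verified
against cports.exe): an item is shown when it matches at least one include
filter (or no include filter exists) and matches no exclude filter.
"""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    process: str
    pid: int
    proto: str          # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str

# Constructed sample in the shape of the grid shown in the CurrPorts figures.
SAMPLE = [
    Conn("chrome.exe", 2988, "TCP", "10.0.0.7", 4052, "173.194.36.4", 443, "Established"),
    Conn("chrome.exe", 2988, "TCP", "10.0.0.7", 4059, "173.194.36.17", 80, "Established"),
    Conn("firefox.exe", 1368, "TCP", "10.0.0.7", 4166, "173.194.36.0", 443, "Established"),
    Conn("firefox.exe", 1368, "TCP", "10.0.0.7", 4168, "173.194.36.15", 80, "Established"),
    Conn("httpd.exe", 1800, "TCP", "0.0.0.0", 80, "0.0.0.0", 0, "Listening"),
    Conn("lsass.exe", 564, "TCP", "0.0.0.0", 1028, "0.0.0.0", 0, "Listening"),
    Conn("svchost.exe", 1000, "UDP", "10.0.0.7", 60001, "10.0.0.1", 53, ""),
]

_IP_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:-(\d{1,3}(?:\.\d{1,3}){3}))?$")
_PORT_RANGE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

@dataclass(frozen=True)
class Filter:
    action: str             # include | exclude
    scope: str              # local | remote | both | process
    proto: str = "tcpudp"   # tcp | udp | tcpudp
    process: str = ""       # only for scope == "process"
    ip_range: tuple = ()    # (low, high) as IPv4Address
    port_range: tuple = ()  # (low, high) as int

    def matches(self, c):
        if self.scope == "process":
            return c.process.lower() == self.process
        if self.proto != "tcpudp" and c.proto.lower() != self.proto:
            return False
        sides = {
            "local": [(c.local_addr, c.local_port)],
            "remote": [(c.remote_addr, c.remote_port)],
            "both": [(c.local_addr, c.local_port), (c.remote_addr, c.remote_port)],
        }[self.scope]
        for addr, port in sides:
            if self.port_range and self.port_range[0] <= port <= self.port_range[1]:
                return True
            if self.ip_range and self.ip_range[0] <= ipaddress.IPv4Address(addr) <= self.ip_range[1]:
                return True
        return False

def parse_filter(text):
    """Parse one filter string; raise ValueError on anything outside the syntax."""
    parts = text.strip().split(":")
    if len(parts) < 3 or parts[0].lower() not in ("include", "exclude"):
        raise ValueError(f"bad filter: {text!r}")
    action, scope = parts[0].lower(), parts[1].lower()
    if scope == "process":
        if len(parts) != 3:
            raise ValueError(f"process filter takes a name only: {text!r}")
        return Filter(action, scope, process=parts[2].lower())
    if scope not in ("local", "remote", "both") or len(parts) != 4:
        raise ValueError(f"bad filter: {text!r}")
    proto = parts[2].lower()
    if proto not in ("tcp", "udp", "tcpudp"):
        raise ValueError(f"bad protocol in filter: {text!r}")
    m = _IP_RANGE.match(parts[3])
    if m:
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2) or m.group(1))
        return Filter(action, scope, proto, ip_range=(lo, hi))
    m = _PORT_RANGE.match(parts[3])
    if m:
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        return Filter(action, scope, proto, port_range=(lo, hi))
    raise ValueError(f"bad range in filter: {text!r}")

def apply_filters(conns, filter_text):
    """Filter strings may be separated by spaces, semicolons or CRLF, as in the dialog."""
    filters = [parse_filter(t) for t in re.split(r"[\s;]+", filter_text) if t]
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    return [c for c in conns
            if (not includes or any(f.matches(c) for f in includes))
            and not any(f.matches(c) for f in excludes)]
```

For Question 1, `apply_filters(SAMPLE, "include:remote:tcp:80 include:remote:udp:53")` keeps the two port-80 browser connections and the UDP 53 entry, and `apply_filters(SAMPLE, "include:process:firefox.exe")` keeps only the two firefox.exe rows.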
Lab
Scanning for Network Vulnerabilities Using the GFI LanGuard 2012
GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.
ICON KEY
Valuable information
Test your knowledge
Web exercise
Lab Scenario
You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool will automatically mark with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items, and then close the selected connections. Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one. As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.
Lab Objectives
Workbook review
The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.
Audit the network
Detect vulnerable ports
Identify security vulnerabilities
Correct security vulnerabilities with remedial action
You can download GFI LANguard from http://www.gfi.com.
Lab Environment
To perform the lab, you need:
GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
If you decide to download the latest version, the screenshots in the lab might differ
A computer running Windows Server 2012 as a host machine
Windows Server 2008 running in a virtual machine
Microsoft .NET Framework 2.0
LANguard Network Security Scanner
It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key. Complete the subscription and get an activation code; the user will receive an email that contains an activation code.
GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).
Lab Duration
Time: 10 Minutes
Overview of Scanning Network
GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.
As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.
Lab Tasks
Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine Windows Server 2012.
TASK 1: Scanning for Vulnerabilities
1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
2. Click GFI LanGuard 2012 in the Apps list.
FIGURE 5.2: Windows Server 2012 - Apps
3. The GFI LanGuard 2012 main window appears, showing the Audit tab contents.
To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
The options which provide quick access to scanning modes are: Quick scan, Full scan, Launch a custom scan, Set up a schedule scan.
4. Click the Launch a Scan option.
If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.
5. i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan
iii. In the Credentials option, select currently logged on user from the drop-down list
6. Click Scan.
For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.
7. Scanning will start; it will take some time to scan the network. See the following figure for the result.
Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.
Types of scans:
Scan a single computer: Select this option to scan a local host or one specific computer.
Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.
FIGURE 5.7: The GFI LanGuard Custom scan wizard
9. To check the Scan Result Overview, click the IP address localhost in the right panel.
10. It shows the Vulnerability Assessment indicators by category; click Vulnerability Assessment.
GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including:
Missing Microsoft updates
System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
System hardware information, including connected modems and USB devices
11. Click Software Audit in the right panel, and then click System Status, which shows all the system patching statuses.
Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.
A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
Scan targets
Logon credentials
FIGURE 5.11: TCP/UDP Ports result
14. Click System Information in the right side panel; it shows all the details of the system information.
15. Click Password Policy.
The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.
FIGURE 5.12: Information of Password Policy
16. Click Groups: it shows all the groups present in the system.
A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.
A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.
FIGURE 5.13: Information of Groups
17. Click the Dashboard tab: it shows all the scanned network information.
It is recommended to use scheduled scans:
To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
To automatically trigger auto-remediation options (e.g., Auto download and deploy missing updates)
FIGURE 5.14: Scanned report of the network
Lab Analysis
Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
Tool/Utility: GFI LanGuard 2012
Information Collected/Objectives Achieved:
Vulnerability Level
Vulnerable Assessment
System Patching Status
Scan Results Details for Open TCP Ports
Scan Results Details for Password Policy
Dashboard - Entire Network: Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?
Exploring and Auditing a Network Using Nmap
Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.
ICON KEY
Lab Scenario
In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
Lab Objectives
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime. In this lab, you need to:
Scan TCP and UDP ports
Analyze host details and their topology
Determine the types of packet filters
You can also download the latest version of Nmap from the link http://nmap.org. If you decide to download the latest version, the screenshots in the lab might differ.
Zenmap works on Windows, including Windows 7 and Server 2003/2008.
A computer running Windows Server 2012 as a host machine
Windows Server 2008
A web browser with Internet access
Administrative privileges to run the Nmap tool
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
What operating systems (and OS versions) they run
The type of packet filters/firewalls
Lab Tasks
TASK 1: Intense Scan
Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
2. Click the Nmap - Zenmap GUI app in the Start menu.
Zenmap file installs the following files: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), Ndiff
3. The Zenmap window appears.
In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
FIGURE 6.3: The Zenmap main window
4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
5. In this lab, the IP address is 10.0.0.4; it may differ in your lab environment.
6. In the Profile: text field, select from the drop-down list the profile you want to scan with. In this lab, select Intense Scan.
While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.
FIGURE 6.4: The Zenmap main window with Target and Profile entered
The six port states recognized by Nmap: Open, Closed, Filtered, Unfiltered, Open|Filtered, Closed|Unfiltered.
8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.
Command: nmap -T4 -A -v 10.0.0.4
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
N m ap accepts m ultiple host specifications onthe com m andline, and theydon't needto be ofthe sam etype.
NSE: Loaded 9 3 s c r i p t s f o r s c a n n in g . MSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g Scan a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in e S can a t 1 5 : 3 5 , 0 . 1 7 s e la p s e d h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a C o m p le te d P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 0 .5 0 s e la p s e d I n i t i a t i n g SYN S t e a l t h S can a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] D is c o v e r e d o pe n p o r t 135! t c p on D is c o v e r e d o pe n p o r t 1 3 9 / t c p on D is c o v e r e d o pe n p o r t 4451 t c p on I n c r e a s in g se n d d e la y f o r 1 6 . 0 . 0 . 4 f r o 0 t o o u t o f 179 d ro p p e d p ro b e s s in c e l a s t in c r e a s e . D is c o v e r e d o pe n p o r t 4 9 1 5 2 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o p e n p o r t 4 9 1 5 4 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 3 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 6 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 5 / t c p o n 1 0 . 0 . 0 . 4 D is c o v e r e d o pe n p o r t 5 3 5 7 / t c p on 1 0 . 6 . 0 . 4 Filter Hosts
(1 t o t a l t 1 5 :3 5 1 5 :3 5 ,
1 6 .0 .0 .4 1 0 .0 .0 .4 1 6 .0 .0 .4 d ee t o 72
FIG U R E6 .5 :TheZ enm apm ainw indoww iththeN m apO utputtabforIntenseS can 9. After the scan is c o m p le t e , Nmap shows die scanned results.
The options available to control target selection: -iL <inputfilename>, -iR <num hosts>, --exclude <host1>[,<host2>[,...]], --excludefile <exclude_file>.

The following options control host discovery: -sL (List Scan), -sn (No port scan), -Pn (No ping), -PS <port list> (TCP SYN Ping), -PA <port list> (TCP ACK Ping), -PU <port list> (UDP Ping), -PY <port list> (SCTP INIT Ping), -PE; -PP; -PM (ICMP Ping Types), -PO <protocol list> (IP Protocol Ping), -PR (ARP Ping), --traceroute (Trace path to host), -n (No DNS resolution), -R (DNS resolution for all targets), --system-dns (Use system DNS resolver), --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries).

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

10. Click the Ports / Hosts tab of Zenmap to view the results, including the Version of each detected service.

Ports / Hosts tab for 10.0.0.4 (Intense scan):
Port   Protocol  State  Service      Version
135    tcp       open   msrpc        Microsoft Windows RPC
139    tcp       open   netbios-ssn
445    tcp       open   netbios-ssn
5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSD...)
49152  tcp       open   msrpc        Microsoft Windows RPC
49153  tcp       open   msrpc        Microsoft Windows RPC
49154  tcp       open   msrpc        Microsoft Windows RPC
49155  tcp       open   msrpc        Microsoft Windows RPC
49156  tcp       open   msrpc        Microsoft Windows RPC
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.

By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

Host Details tab for 10.0.0.4 (Intense scan):
Host Status: State: up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Up time: 22151; Last boot: Fri Aug 24 09:27:40 2012
Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10
Operating System: Name: Microsoft Windows 7 or Windows Server 2008 SP1

FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan
Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

FIGURE 6.10: The Zenmap main window with Scans tab for Intense Scan

15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).

FIGURE 6.11: The Zenmap main window with Services option for Intense Scan
In Nmap, option --port-ratio <ratio><decimal number between 0 and 1> means: scan all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1.

msrpc service, Ports / Hosts view (Intense scan):
Hostname  Port   Protocol  State  Version
10.0.0.4  49156  tcp       open   Microsoft Windows RPC
10.0.0.4  49155  tcp       open   Microsoft Windows RPC
10.0.0.4  49154  tcp       open   Microsoft Windows RPC
10.0.0.4  49153  tcp       open   Microsoft Windows RPC
10.0.0.4  49152  tcp       open   Microsoft Windows RPC
10.0.0.4  135    tcp       open   Microsoft Windows RPC

FIGURE 6.12: The Zenmap main window with msrpc Service for Intense Scan

18. Click the netbios-ssn service to list its hosts and ports (10.0.0.4, 445/tcp and 139/tcp, open).

FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan
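Zenmap's Nmap Output tab shows the verbose "Discovered open port" and "Increasing send delay" lines as text; a defender keeping a network inventory will want them as data. The following Python is an added example, not code from the CEH manual or from Nmap; the sample output and the baseline of expected ports are constructed for the demonstration, modelled on the 10.0.0.4 results shown in Task 1.

```python
"""Parse Nmap's verbose ("-v") text output into a per-host inventory.

Added example (not part of the CEH lab manual, not Nmap's own code).
It turns the Nmap Output tab lines into the data a defender keeps:
which ports were discovered open on which host, whether Nmap had to
back off (a hint of rate limiting or filtering), and which open ports
are not on the host's expected list.
"""
import re
from collections import defaultdict

# Lines of the form "Discovered open port 139/tcp on 10.0.0.4".
DISCOVERED = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<host>[\d.]+)$"
)
# Lines of the form "Increasing send delay for 10.0.0.4 from 0 to 5 due to ...".
SEND_DELAY = re.compile(
    r"^Increasing send delay for (?P<host>[\d.]+) from (?P<old>\d+) to (?P<new>\d+)"
)


def parse_nmap_output(text):
    """Return {host: {"open": {(port, proto), ...}, "max_send_delay": int}}."""
    hosts = defaultdict(lambda: {"open": set(), "max_send_delay": 0})
    for line in text.splitlines():
        line = line.strip()
        m = DISCOVERED.match(line)
        if m:
            hosts[m["host"]]["open"].add((int(m["port"]), m["proto"]))
            continue
        m = SEND_DELAY.match(line)
        if m:
            # Nmap backs off when probes are dropped; a non-zero delay is
            # a sign that rate limiting or a filter sits in the path.
            entry = hosts[m["host"]]
            entry["max_send_delay"] = max(entry["max_send_delay"], int(m["new"]))
    return dict(hosts)


def unexpected_ports(inventory, baseline):
    """Ports discovered open that the baseline does not list for that host."""
    return {
        host: sorted(p for p in data["open"] if p not in baseline.get(host, set()))
        for host, data in inventory.items()
        if data["open"] - baseline.get(host, set())
    }


# Constructed sample (not a real capture), modelled on the Intense scan
# output shown in the lab for 10.0.0.4.
SAMPLE_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 15:35
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4
Completed SYN Stealth Scan at 15:35, 4.21s elapsed (1000 total ports)
"""

# Constructed baseline: what this server is expected to expose.
BASELINE = {"10.0.0.4": {(135, "tcp"), (139, "tcp"), (445, "tcp")}}

if __name__ == "__main__":
    inventory = parse_nmap_output(SAMPLE_OUTPUT)
    print(inventory)
    print(unexpected_ports(inventory, BASELINE))
```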
TASK 2
Xmas Scan

19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only with OS TCP/IP stacks developed according to RFC 793. The current version of Microsoft Windows is not supported.
20. Now, to perform a Xmas Scan, you need to create a new profile. Click Profile > New Profile or Command Ctrl+P.

Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.
21. On the Profile tab, enter Xmas Scan in the Profile name text field.
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scan: drop-down list.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes.

You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

24. Enter the IP address in the Target: field, select the Xmas scan option from the Profile: field, and click Scan.
In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

FIGURE 6.18: The Zenmap main window with Target and Profile entered

25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

Nmap Output tab (Xmas scan, nmap -sX -T4 -A -v 10.0.0.4):
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:29
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
Initiating XMAS Scan at 16:29
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
Initiating Service scan at 16:30
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed

FIGURE 6.19: The Zenmap main window with the Nmap Output tab

26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
TASK 3
Null Scan

27. Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a Null scan, attackers send a TCP frame to a remote host with NO Flags.

The option Null Scan (-sN) does not set any bits (TCP flag header is 0).

28. To perform a Null scan for a target IP address, create a new profile. Click Profile > New Profile or Command Ctrl+P.
The option -sZ (SCTP COOKIE ECHO scan) is an advanced SCTP COOKIE ECHO scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.

FIGURE 6.21: The Zenmap main window with the New Profile or Command option

29. Enter Null Scan in the Profile name text field.

The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab

30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.

The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab

31. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list.
32. Click Save Changes.
In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.
The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

FIGURE 6.25: The Zenmap main window with Target and Profile entered

34. Nmap scans the target IP address provided and displays results in the Nmap Output tab.
The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

Nmap Output tab (Null scan, nmap -sN -T4 -A -v 10.0.0.4):
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:47
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:47
Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
Initiating NULL Scan at 16:47
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
Initiating Service scan at 16:47
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.000068s latency).

FIGURE 6.26: The Zenmap main window with the Nmap Output tab

35. Click the Host Details tab to see the Host Status, Addresses, Open Ports, and other details of the host.

Host Details tab for 10.0.0.4 (Null scan):
Host Status: State: up; Open ports: 0; Filtered ports: 0; Closed ports: 1000
Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10

FIGURE 6.27: The Zenmap main window with the Host Details tab
TASK 4
ACK Flag Scan

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered and an RST response means the port is not filtered.
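Tasks 2, 3 and 4 each describe a probe by its TCP flag set and by the response an RFC 793 stack gives; the same rules let a defender recognise these probes in packet logs. The following Python is an added example, not code from the CEH manual or from Nmap; the flag sets follow the lab's sidebars (-sX sets FIN, PSH and URG; -sN sets none; -sA sends a bare ACK), and the packet records and addresses in it are constructed.

```python
"""Classify TCP probes by flag set and detect inverse-flag scans.

Added example (not part of the CEH lab manual, not Nmap's own code).
It encodes the probe types the lab walks through (Xmas, Null, ACK) and
the RFC 793 response rule quoted beside the Xmas scan, then runs a
detector over constructed packet records of the kind a firewall or
network sensor would log.
"""
from collections import defaultdict

# TCP control bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

XMAS = FIN | PSH | URG   # -sX per the lab's sidebar: FIN, PSH and URG set


def classify_probe(flags):
    """Return the scan type a single probe's flag byte corresponds to.

    Only the combinations the lab discusses are named; everything else
    is 'normal' so ordinary connection traffic is not reported.
    """
    if flags == 0:
        return "null"      # -sN: no flags at all
    if flags == XMAS:
        return "xmas"      # -sX
    if flags == FIN:
        return "fin"       # -sF
    if flags == ACK:
        # -sA: bare ACK. Pure ACKs also occur inside real connections,
        # so this only becomes interesting when aggregated over many
        # ports below.
        return "ack"
    return "normal"


def expected_response(scan_type, port_open):
    """Response an RFC 793-compliant stack gives to a probe of this type.

    The lab's rule: a packet carrying none of SYN, RST or ACK gets an RST
    back if the port is closed and nothing at all if it is open. A bare
    ACK probe is answered with RST whether the port is open or closed,
    so silence there means 'filtered' rather than 'open'.
    """
    if scan_type in ("null", "xmas", "fin"):
        return "none" if port_open else "RST"
    if scan_type == "ack":
        return "RST"
    raise ValueError("not an inverse-flag probe: %s" % scan_type)


def detect_flag_scans(records, min_ports=5):
    """Aggregate anomalous probes per source and return likely scanners.

    records: iterable of (src_ip, dst_ip, dst_port, flags).
    Returns {src_ip: {scan_type: distinct_target_port_count}} for every
    source that touched at least min_ports distinct (host, port) pairs
    with one anomalous flag set.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind == "normal":
            continue
        seen[src][kind].add((dst, dport))
    alerts = {}
    for src, kinds in seen.items():
        hits = {k: len(v) for k, v in kinds.items() if len(v) >= min_ports}
        if hits:
            alerts[src] = hits
    return alerts


# Constructed sample records (not real traffic): one host sweeps ten
# ports with Xmas probes, another sends Null probes to six ports, and a
# third is an ordinary connection that must not be reported.
SAMPLE_RECORDS = (
    [("10.0.0.9", "10.0.0.4", p, XMAS) for p in range(130, 140)]
    + [("10.0.0.7", "10.0.0.4", p, 0) for p in (135, 139, 445, 5357, 49152, 49153)]
    + [("10.0.0.2", "10.0.0.4", 445, SYN), ("10.0.0.2", "10.0.0.4", 445, ACK | PSH)]
)

if __name__ == "__main__":
    for src, hits in detect_flag_scans(SAMPLE_RECORDS).items():
        print(src, hits)
```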
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile > New Profile or Command Ctrl+P.
The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

FIGURE 6.28: The Zenmap main window with the New Profile or Command option

38. On the Profile tab, input ACK Flag Scan in the Profile name text field.

The options --min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.

FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the Non-TCP scans: drop-down list, and select None for all the other fields but leave the Targets: field empty.
The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab

40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.
The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab

41. In the Zenmap main window, input the IP address of the target and select ACK Flag Scan from the Profile: drop-down list.
The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered

42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.
The options --scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes): This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

Nmap Output tab (ACK Flag scan, nmap -sA -PO 10.0.0.4):
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03
Nmap scan report for 10.0.0.4

FIGURE 6.33: The Zenmap main window with the Nmap Output tab

43. To view more details regarding the hosts, click the Host Details tab.
The options --min-rate <number>; --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

Host Details tab for 10.0.0.4 (ACK Flag scan):
Host Status: Scanned ports: 1000; Up time: Not available; Last boot: Not available
Addresses: IPv4: 10.0.0.4

FIGURE 6.34: The Zenmap main window with the Host Details tab
Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Nmap
Information Collected/Objectives Achieved:
  Types of Scan used: Intense scan, Xmas scan, Null scan, ACK Flag scan
  Intense Scan Nmap Output:
    ARP Ping Scan - 1 host
    Parallel DNS resolution of 1 host
    SYN Stealth Scan
    Discovered open ports on 10.0.0.4: 135/tcp, 139/tcp, 445/tcp, ...
Questions

1. Analyze and evaluate the results by scanning a target network using:
   a. Stealth Scan (Half-open Scan)
   b. nmap -P
2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs
Lab Scenario

You have already noticed in the previous lab how you can gather information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an alert is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IPID). As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port. The target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed, and you should be prepared to block any such attacks on the network. In this lab you will learn to scan a network using NetScan Tools Pro. You also need to discover the network, gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.

Lab Objectives

The objective of this lab is to assist you to troubleshoot, diagnose, monitor, and discover devices on the network.

In this lab, you need to:
Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
Detect local ports
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
Lab Environment
To perform the lab, you need: NetScan Tools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Lab Duration
Time: 10 Minutes
Overview of Network Scanning
Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities. NetScan Tools Pro performs the following network scanning functions:
TASK 1
Monitoring network device availability
Identifying IP addresses, hostnames, and domain names, and port scanning
Lab Tasks
Install NetScan Tools Pro on your Windows Server 2012. Follow the wizard-driven installation steps and install NetScan Tools Pro.
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.
FIGURE 7.1: Windows Server 2012 - Desktop view
2. Click the NetScan Tools Pro app to open the NetScan Tools Pro window
FIGURE 7.2 Windows Server 2012 - Apps
3. If you are using the Demo version of NetScan Tools Pro, then click
[New Results Database dialog: a new Results Database will be automatically prefixed with "NstProData-" and will end with ".db"; no spaces or periods are allowed when entering a new database name. Analyst information (name, title, organization, telephone, mobile number, email address) is optional and can be displayed in reports. Buttons: Create Training Mode Database, Use Last Results Database, Continue, Exit Program]
USB Version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory
FIGURE 7.3: Setting a new database name for NetScan Tools Pro
6. The NetScan Tools Pro main window will appear as shown in the following figure
[NetScanTools Pro Demo Version, Build 8-17-12 based on version 11.19: main window with Automated Tools, Manual Tools (all), Favorite Tools, Active Discovery Tools and Passive Discovery Tools groups in the left panel]
IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006:69 (ipv6.google.com) or ::1 (internal loopback address)
FIGURE 7.4: Main window of NetScan Tools Pro
7. Select Manual Tools (all) on the left panel and click ARP Ping. A window will appear with a few items of information about the ARP Ping tool.
8. Click OK
ARP Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN
FIGURE 7.5: Selecting the manual tools option
9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp
Send Broadcast ARP, and then Unicast ARP: this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box
[ARP Ping results for Target IPv4 Address 10.0.0.1: a series of replies, the first of type Broadcast and the rest Unicast, each with a cycle time of a few milliseconds, together with the responding MAC address]
ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.
Use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4 connected devices cannot hide from ARP packets and must respond with their IP and MAC address. Uncheck the Resolve box for faster scan completion time.
Don't forget to right-click in the results for a menu with more options.
Demo limitations: None.
FIGURE 7.7: Selecting ARP Scan (MAC Scan) option
11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes
12. Click Do Arp Scan
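Both the ARP Scan sweep described above and the ARP Ping search for multiple devices sharing one IP address leave a recognisable trace on the wire. The following Python example, added here and not code from the lab or from NetScan Tools Pro, detects both from a list of ARP records; the records, MAC addresses, window size and threshold are constructed for the illustration.

```python
"""ARP sweep and duplicate-IP detection over ARP records.

Added example; not code from the lab manual or from NetScan Tools Pro. The
ARP records are constructed to mimic an ARP Scan of 10.0.0.0/24 from one
host plus ordinary traffic, so the script runs offline.
"""
from collections import defaultdict

ARP_REQUEST = 1
ARP_REPLY = 2

SCANNER_MAC = "00:0c:29:aa:bb:cc"   # constructed: the host running the sweep

# Constructed ARP records: (time_s, opcode, sender_mac, sender_ip, target_ip)
ARP_LOG = [
    (0.002 * i, ARP_REQUEST, SCANNER_MAC, "10.0.0.7", "10.0.0.%d" % i)
    for i in range(1, 255)
]
ARP_LOG += [
    (0.004, ARP_REPLY, "00:11:22:33:44:01", "10.0.0.1", "10.0.0.7"),
    (0.006, ARP_REPLY, "00:11:22:33:44:02", "10.0.0.2", "10.0.0.7"),
    # a second MAC also answers for 10.0.0.2: the duplicate ARP Ping looks for
    (0.007, ARP_REPLY, "00:11:22:33:44:ff", "10.0.0.2", "10.0.0.7"),
    # ordinary traffic: the gateway asks for one host, once
    (9.000, ARP_REQUEST, "00:11:22:33:44:01", "10.0.0.1", "10.0.0.7"),
    (9.001, ARP_REPLY, SCANNER_MAC, "10.0.0.7", "10.0.0.1"),
]


def find_arp_sweeps(records, window_s=5.0, threshold=20):
    """Return {sender_mac: distinct targets} for MACs that asked 'who has' for
    more than `threshold` distinct target IPs inside one `window_s` bucket
    (fixed, tumbling windows keyed on the request time)."""
    buckets = defaultdict(set)
    for t, op, mac, _, target in records:
        if op == ARP_REQUEST:
            buckets[(mac, int(t // window_s))].add(target)
    sweeps = {}
    for (mac, _), targets in buckets.items():
        if len(targets) > threshold:
            sweeps[mac] = max(sweeps.get(mac, 0), len(targets))
    return sweeps


def find_duplicate_ips(records):
    """Return {ip: [macs]} for IPs claimed by more than one MAC in ARP replies.
    That is either a misconfiguration or ARP spoofing, and it is the condition
    ARP Ping's 'multiple devices sharing the same IP address' search reports."""
    claims = defaultdict(set)
    for _, op, mac, sender_ip, _ in records:
        if op == ARP_REPLY:
            claims[sender_ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    print("ARP sweeps:", find_arp_sweeps(ARP_LOG))
    print("Duplicate IPs:", find_duplicate_ips(ARP_LOG))
```

On a real switch port mirror the same two functions can be fed from a packet capture; ARP requests are broadcast, so every host on the segment sees a sweep, which is why an ARP scan is the easiest form of host discovery to notice from inside the LAN.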
The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.
[ARP Scan (MAC Scan) results for the Starting IPv4 Address 10.0.0.1 to Ending IPv4 Address 10.0.0.7: IPv4 address, MAC address, I/F manufacturer and hostname for each responding device]
DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.
FIGURE 7.9: Selecting DHCP Server Discovery Tool option
14. Select all the Discover Options checkboxes and click Discover DHCP Servers
NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations
[DHCP Server Discovery results on interface "Hyper-V Virtual Ethernet Adapter #2", with entries for 10.0.0.7 and 10.0.0.1]
Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.
Demo limitations: Packet Delay (time between sending each ping) is limited to a lower limit of 50 milliseconds. Packet Delay can be as low as zero (0) ms in the full version. In other words, the full version will be a bit faster.
FIGURE 7.11: Selecting Ping Scanner option
16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes
17. Click Start
Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network connected device.
[Ping Scanner results for Start IP 10.0.0.1 to End IP 10.0.0.50: responding hosts 10.0.0.1, 10.0.0.2, 10.0.0.5 and 10.0.0.7, with hostnames including WIN-D39MR5HL9E4; additional scan tests such as Do Subnet Mask Scan and Enable Post-Scan are available]
Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query
Types of scanning supported: Full Connect TCP Scan (see notes below), UDP port unreachable scan, combined TCP full connect and UDP scan, and TCP SYN only scan. Don't miss this special feature in this tool: after a target has been scanned, an analysis window will open in your default web browser. Don't forget to right-click in the results for a menu with more options.
Use this tool to scan a target for TCP or UDP ports that are listening (open with a service listening).
Notes: settings that strongly affect scan speed: Connection Timeout. Use 200 or less on a fast network connection with nearby computers, 3000 (3 seconds) or more on a slow connection. Wait After Connect is how long each port test waits before deciding that the port is not active; set it lower on faster connections. Try 0, then try a higher value. Notice the difference.
Demo limitations: None.
FIGURE 7.13: Selecting Port Scanner option
19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports only radio button
20. Click Scan Range of Ports
[Port Scanner results for target 10.0.0.1: Port 80, Port Description http, Protocol TCP, Result Port Active]
FIGURE 7.14: Result of Port Scanner
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Tool/Utility: NetScan Tools Pro
Information Collected/Objectives Achieved: ARP Scan Results: IPv4 Address, MAC Address, I/F Manufacturer, Hostname, Entry Type, Local Address
Questions
1. Does NetScan Tools Pro support proxy servers or firewalls?
Internet Connection Required: No
iLabs
Lab Scenario
Web exercise
Workbook review
An attacker can gather information from ARP Scan, DHCP Servers, etc. using NetScan Tools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration. In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.
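The scenario above describes what a compromised or rogue DHCP server hands out: an offer carrying a fraudulent default gateway or DNS server. The following Python example, added here and not code from the lab manual or from any tool it describes, parses a DHCP OFFER and flags exactly those symptoms. The OFFER packets are constructed by the example itself, and the trusted server 10.0.0.1 and the rogue server 10.0.0.66 are assumptions.

```python
"""Parse a DHCP OFFER and flag the symptoms of a rogue or compromised server.

Added example; not code from the lab manual or from NetScan Tools Pro. The
OFFER packets are constructed by build_dhcp_offer(), and the trusted server,
gateway and DNS values (10.0.0.1) and the rogue 10.0.0.66 are assumptions.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options
DHCPOFFER = 2
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_dhcp_offer(yiaddr, server_id, router, dns, xid=0x3903F326):
    """Constructed minimal BOOTP/DHCP OFFER (op=BOOTREPLY) for the example."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                  # op=2 reply, htype=1 Ethernet, hlen=6, hops
        xid, 0, 0,                   # transaction id, secs, flags
        b"\0" * 4,                   # ciaddr
        _ip(yiaddr),                 # yiaddr: address offered to the client
        _ip(server_id),              # siaddr
        b"\0" * 4,                   # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
        + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
        + bytes([OPT_ROUTER, 4]) + _ip(router)
        + bytes([OPT_DNS, 4]) + _ip(dns)
        + bytes([OPT_END])
    )
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Return op, xid, yiaddr and a {code: raw_value} map of the options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                # pad byte, no length field
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
            "options": options}


def _opt_ip(options, code):
    raw = options.get(code)
    return str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None


def check_offer(packet, trusted_servers, expected_router, expected_dns):
    """List how an OFFER deviates from what the real DHCP server hands out;
    an empty list means the offer looks legitimate."""
    options = parse_dhcp(packet)["options"]
    if options.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []                    # only OFFERs are judged here
    findings = []
    server = _opt_ip(options, OPT_SERVER_ID)
    if server not in trusted_servers:
        findings.append("offer from untrusted server %s" % server)
    router = _opt_ip(options, OPT_ROUTER)
    if router != expected_router:
        findings.append("unexpected default gateway %s" % router)
    dns = _opt_ip(options, OPT_DNS)
    if dns != expected_dns:
        findings.append("unexpected DNS server %s" % dns)
    return findings


# Assumed network: the legitimate DHCP server, gateway and DNS are 10.0.0.1.
TRUSTED_SERVERS = {"10.0.0.1"}
GOOD_OFFER = build_dhcp_offer("10.0.0.50", "10.0.0.1", "10.0.0.1", "10.0.0.1")
ROGUE_OFFER = build_dhcp_offer("10.0.0.50", "10.0.0.66", "10.0.0.66", "10.0.0.66")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt, TRUSTED_SERVERS, "10.0.0.1", "10.0.0.1"))
```

Run against OFFERs captured on a monitoring port, this is the check behind DHCP snooping on managed switches: only OFFERs from the trusted server port are allowed through, and a second answering server is the signal to investigate.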
Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network.
In this lab, you need to:
Draw a map showing the logical connectivity of your network and navigate around the map
Create a report that includes all your managed switches and hubs
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
Lab Environment
To perform the lab, you need: LANSurveyor located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Lab Duration
Time: 10 Minutes
Overview of LANSurveyor
SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.
TASK 1
Draw Network Diagram
Lab Tasks
Install LANSurveyor on your Windows Server 2012. Follow the wizard-driven installation steps and install LANSurveyor.
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files
[Windows Server 2012 Start screen with the LANsurveyor app tile]
LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)
Start Scanning Network
LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.
[Getting Started with LANsurveyor wizard: once saved, all custom maps can be used in SolarWinds network and application management software. For additional help on using LANsurveyor read the LANsurveyor Administrator Guide; the LANsurveyor Evaluation Guide provides an introduction to LANsurveyor features and instructions for installing, configuring, and using LANsurveyor; the SolarWinds Support Web site offers a comprehensive set of tools to help you manage and maintain your SolarWinds applications]
FIGURE 8.4: Getting Started with LANsurveyor wizard
5. The Create A Network Map window will appear; in order to draw a network diagram enter the IP address in Begin Address and End
[Network Parameters: Begin Address 10.0.0.1, End Address 10.0.0.254; Hops; SNMPv2c Devices with SNMPv2c Community String(s) public, private; SNMPv3 Options; ICMP (Ping); NetBIOS Clients; SIP Clients; Mapping Speed from Slower to Faster]
LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address
FIGURE 8.5: New Network Map window
6. The entered IP address mapping process will display as shown in the following figure
[Mapping Progress: Searching for IP nodes, Hop 0: 10.0.0.1-10.0.0.254; counters for SNMP Sends, SNMP Receipts, ICMP Ping Sends, ICMP Receipts, Subnets Mapped, Nodes Mapped, Routers Mapped and Switches Mapped; node WIN-D39MR5HL9E4 found]
LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, nonconsecutive VLANs
LANsurveyor displays the map of your network
LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.
[SolarWinds LANsurveyor - Map 1: the left panel lists Network Segments (1), IP Addresses (4), Domain Names (4), Node Names (4), IP Router, LANsurveyor Responder Nodes, SNMP Nodes, SNMP Switches/Hubs, SIP (VoIP) Nodes, Layer 2 Nodes, Active Directory DCs and Groups; the map shows the 10.0.0.0-10.0.0.255 segment with nodes including WIN-D39MR5HL9E4]
Lab Analysis
Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.
Tool/Utility: LANSurveyor
Information Collected/Objectives Achieved:
IP address: 10.0.0.1-10.0.0.254
IP Nodes Details: SNMP Send - 62, ICMP Ping Send - 31, ICMP Receipts - 4, Nodes Mapped - 4
Network segment Details: IP Address - 4, Domain Names - 4, Node Names - 4
ASK YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does LANSurveyor map every IP address to its corresponding switch or hub port?
2. Can nodes connected via wireless access points be detected and mapped?
Internet Connection Required: No
Lab Scenario
Web exercise
Workbook review
In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default name public and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection. As an expert Network Administrator and Penetration Tester you need to discover network topology and produce comprehensive network diagrams for discovered networks and block attacks by deploying firewalls on a network to filter unwanted traffic. You should be able to block outgoing SNMP traffic at border routers or firewalls. In this lab, you will learn to map a network using the tool Friendly Pinger.
Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network.
In this lab, you need to:
Discover a network using discovery techniques
Diagram the network topology
Detect new devices and modifications made in network topology
Perform inventory management for hardware and software assets
Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
To perform the lab, you need: Friendly Pinger located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Download link: http://www.kilievich.com/fpinger/download.htm
If you decide to download the latest version, then the screenshots shown in the lab might differ
A computer running Windows Server 2012
A web browser with Internet access
Administrative privileges to run the Friendly Pinger tool
Lab Duration
Time: 10 Minutes
Overview of Network Mapping
Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology. You can perform inventory management for hardware and software assets. Friendly Pinger performs the following to map the network:
Lab Tasks
TASK 1
Install Friendly Pinger
1. Install Friendly Pinger on your Windows Server 2012.
2. Follow the wizard-driven installation steps and install Friendly Pinger.
3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
FIGURE 9.1: Windows Server 2012 - Desktop view
4. Click the Friendly Pinger app to open the Friendly Pinger window
You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.
[Windows Server 2012 Start screen with the Friendly Pinger app tile]
Friendly Pinger will display the IP address of your computer and will offer an exemplary range of IP addresses for scanning
FIGURE 9.2: Windows Server 2012 - Apps
5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.
6. Click No
To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. In the process of determination of the intermediate addresses, they will be displayed as a list in this window and a route will be displayed as red arrows on the map
[Friendly Pinger window showing Workstation nodes]
7. Select File from the menu bar and select the Wizard option
Scanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network
[Friendly Pinger File menu: New, Open..., Reopen, Save, Save As, Close All, Wizard, Print, Exit]
[Wizard: Local IP address 10.0.0.7. The initial map will be created by querying the DNS server for information about the listed IP addresses. You can specify an exact range of scanning to speed up this operation. Timeout: 1000]
The device is displayed as an animated picture if it is pinged, and as a black and white picture if it is not pinged
Timeout allows you to increase searching, but you can miss some addresses.
FIGURE 9.5: FPinger initializing IP address range
9. Then the wizard will start scanning IP addresses in the network and list them.
10. Click Next
[Wizard: IP addresses found 10.0.0.2, 10.0.0.3, 10.0.0.5 and 10.0.0.7. The inquiry is completed. 4 devices found.]
Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears
11. Set the default options in the Wizard selection windows and click Next
Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.
[Wizard: Devices type: Workstation; Address: Use IP-address or Use DNS-name; Name: Remove DNS suffix]
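The ping mechanics in the note above (ICMP ECHO out, ECHO REPLY back) are what the ping sweep in NetScanner earlier and in Friendly Pinger here is built on. The following Python example, added here and not code from the lab or from either tool, builds the echo request, verifies the checksum of a reply and counts a host as live only when the reply matches the probe's identifier, sequence and payload. No packets are sent: the responder and the set of live hosts are constructed for the example.

```python
"""ICMP echo request/reply: build, checksum, and match replies to probes.

Added example; not code from the lab manual or from Friendly Pinger. No
packets are sent: a constructed responder stands in for the live hosts so
the script runs offline.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data):
    """RFC 1071 checksum: one's complement of the one's-complement sum of the
    16-bit words; the ICMP header and payload are covered together."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type, ident, seq, payload):
    """Assemble type / code / checksum / identifier / sequence + payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def build_echo_request(ident, seq, payload=b"fpinger-example"):
    return build_icmp(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_icmp(packet):
    """Validate the checksum and split the packet into its fields."""
    if len(packet) < 8:
        raise ValueError("ICMP packet too short")
    if inet_checksum(packet) != 0:      # a valid packet sums to zero
        raise ValueError("bad ICMP checksum")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def is_matching_reply(request, reply):
    """Accept a reply only if it is an ECHO REPLY whose identifier, sequence
    and payload echo our request; stray replies meant for another probe
    (or forged ones) must not count as a live host."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["code"] == 0
            and rep["id"] == req["id"] and rep["seq"] == req["seq"]
            and rep["payload"] == req["payload"])


def echo_reply_for(request):
    """What a live host does with an echo request: the same id, seq and
    payload back, type changed to ECHO REPLY, checksum recomputed."""
    req = parse_icmp(request)
    return build_icmp(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def ping_sweep(addresses, responder, ident=0x1234):
    """Probe each address once and return those that answered correctly.
    `responder(addr, packet)` returns the reply bytes or None on timeout."""
    live = []
    for seq, addr in enumerate(addresses, start=1):
        request = build_echo_request(ident, seq)
        reply = responder(addr, request)
        if reply is not None and is_matching_reply(request, reply):
            live.append(addr)
    return live


# Constructed responder: only two of the swept addresses answer.
LIVE_HOSTS = {"10.0.0.1", "10.0.0.5"}


def fake_network(addr, request):
    if addr not in LIVE_HOSTS:
        return None
    return echo_reply_for(request)


if __name__ == "__main__":
    print(ping_sweep(["10.0.0.%d" % i for i in range(1, 8)], fake_network))
```

The identifier/sequence match is what keeps a sweep honest: without it, any ICMP echo reply arriving during the probe window, including one from an unrelated host, would be counted as a response, and a firewall that simply drops ICMP echo (as the note about firewalls and proxies in this lab describes) shows up as "no reply" rather than as an error.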
FIGURE 9.7: FPinger selecting the Devices type
12. Then the client area will display the network map in the FPinger window
If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. Same with the proxy server.
FIGURE 9.8: FPinger client area with network architecture
13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar and click Scan
Note: You may download the latest release from http://www.kilievich.com/fpinger
FIGURE 9.9: FPinger scanning the computers in the network
14. The scanned details are displayed in the Scanning wizard.
(Screenshot: Scanning wizard reporting "Scanning complete"; the HTTP service was found on WIN-MSSELCK... and WIN-D39MR5HL9E4.)
FIGURE 9.10: FPinger scanned results
15. Click the Inventory tab on the menu bar to view the configuration details of the selected computer.
Note: Friendly Pinger audits the software and hardware components installed on the computers across the network.
Note: Friendly Pinger also tracks user access and files opened on your computer via the network.
FIGURE 9.11: FPinger Inventory tab
16. The General tab of the Inventory wizard shows the computer name and the installed operating system.
(Screenshot: Inventory, General tab for WIN-D39MR5HL9E4; user Administrator; Windows: Windows Server 2012 Release Candidate Datacenter.)
FIGURE 9.12: FPinger Inventory wizard, General tab
17. The Misc tab shows the network IP addresses, MAC addresses, file system, and size of the disks.
Note: Friendly Pinger searches for HTTP, FTP, e-mail and other network services.
(Screenshot: Inventory, Misc tab for WIN-D39MR5HL9E4; Network IP address 10.0.0.7, MAC address D4-BE-D9-C3-CE-2D; disk sizes 465.42 GB and 382.12 GB.)
Note: The "Create Setup" function allows you to create a lite freeware version with your maps and settings.
FIGURE 9.13: FPinger Inventory wizard, Misc tab
18. The Hardware tab shows the hardware component details of your networked computers.
(Screenshot: Inventory, Hardware tab for WIN-D39MR5HL9E4; Memory; Network adapters: Realtek PCIe GBE Family Controller; SCSI and RAID controllers: Microsoft Storage Spaces Controller.)
FIGURE 9.14: FPinger Inventory wizard, Hardware tab
(Screenshot: Inventory, Software tab for WIN-D39MR5HL9E4 listing installed applications by Name, Version, Developer and Homepage, including Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting and Microsoft Office 2010 components.)
The Software tab lists the applications installed on the selected computer with their exact versions; such a list is the raw material for the missing-patch checks described in the lab scenario.
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
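The ICMP echo exchange described in the ping note above, and the host sweep whose results this lab asks you to document, as an added Python example that is not part of the original lab or of Friendly Pinger. It builds an echo request, accepts a reply only if its checksum verifies and its identifier matches ours, and wraps both in a small sweep that needs raw-socket (administrator/root) privileges. The identifier 0x1234, the payload, and the reply_for helper that fabricates a reply for offline checking are assumptions made for the demonstration.

```python
import select
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"          # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a correctly
    checksummed message sums to 0 when passed back in whole."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"fpinger-lab") -> bytes:
    """ICMP echo request (type 8, code 0) with the checksum filled in."""
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_reply(packet: bytes, expect_ident: int):
    """Return (seq, payload) for a checksum-valid echo reply carrying our
    identifier; None for anything else (requests, other senders' replies,
    damaged packets)."""
    if len(packet) < 8:
        return None
    icmp_type, code, _, ident, seq = struct.unpack(HEADER_FMT, packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0 or ident != expect_ident:
        return None
    if icmp_checksum(packet) != 0:
        return None
    return seq, packet[8:]


def reply_for(request: bytes) -> bytes:
    """Constructed echo reply, as a live host would answer: same identifier,
    sequence and payload, type 0, checksum recomputed (offline checks only)."""
    _, code, _, ident, seq = struct.unpack(HEADER_FMT, request[:8])
    payload = request[8:]
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, code, csum, ident, seq) + payload


def ping_sweep(targets, timeout=1.0, ident=0x1234):
    """Send one echo request per IP address and return {ip: seq} for hosts
    that answered within the timeout. Raw sockets need administrator rights."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.getprotobyname("icmp"))
    alive = {}
    try:
        for seq, host in enumerate(targets, start=1):
            sock.sendto(build_echo_request(ident, seq), (host, 0))
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            ready, _, _ = select.select([sock], [], [], remaining)
            if not ready:
                break
            data, (src, _) = sock.recvfrom(2048)
            ihl = (data[0] & 0x0F) * 4      # a raw IPv4 receive includes the IP header
            parsed = parse_echo_reply(data[ihl:], ident)
            if parsed:
                alive[src] = parsed[0]
    finally:
        sock.close()
    return alive


if __name__ == "__main__":
    # Addresses from the FPinger wizard figure; run as administrator on the lab network.
    print(ping_sweep(["10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.7"]))
```

Pass IP addresses rather than names to ping_sweep: the note above explains that a name is resolved through DNS first, so a wrong or stale record would direct the probe at a different host than the one you meant to inventory. Hosts that do not answer are not necessarily down; as the firewall note says, ICMP may simply be blocked on the path.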
Tool/Utility: Friendly Pinger
Details: Result of scanning 10.0.0.7
Please talk to your instructor if you have questions related to this lab.
Questions
1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.
Internet Connection Required: No
Platform Supported: iLabs
Lab
Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications, ping information, track user access via the network, view graphical traceroutes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall. If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. Also, it is very important that you use some methodologies to detect such rogue devices on the network. As an expert ethical hacker and penetration tester, you must understand how
Lab Objectives
This lab will give you experience in scanning the network for vulnerabilities and show you how to use Nessus. It will teach you how to:
Use the Nessus tool
Scan the network for vulnerabilities
Lab Environment
Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
To carry out the lab, you need: Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Lab Duration
Time: 20 Minutes
Overview of Nessus Tool
Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.
(Screenshot: Open File - Security Warning for the Nessus-5.0.2-x86_64 installer in C:\Users\Administrator\Desktop: "While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust." Click Run.)
4. The InstallShield Wizard opens with the message "The InstallShield(R) Wizard will install Tenable Nessus (x64) on your computer. To continue, click Next." Click Next.
Note: The Nessus security checks database can be updated with the command nessus-update-plugins.
FIGURE 10.2: The Nessus installation window
5. Before you begin installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.
Note: Nessus has the ability to test SSL-wrapped services such as https, smtps, imaps and more.
Note: Nessus gives you the choice of performing regular non-destructive security audits on a routine basis.
FIGURE 10.4: The Nessus InstallShield Wizard
8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.
Note: Nessus probes a range of addresses on a network to determine which hosts are alive.
FIGURE 10.5: The Nessus InstallShield Wizard for Setup Type
9. The Nessus wizard prompts you to confirm the installation. Click Install.
(Screenshot: "The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.")
When the wizard reports "The InstallShield Wizard has successfully installed Tenable Nessus (x64)", click Finish to exit the wizard.
TABLE 10.1: Nessus Major Directories
Purpose of the Nessus sub-directories: configuration files; stylesheet templates; Nessus plugins; user knowledgebase saved on disk.
11. After installation, Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.
(Screenshot: Welcome to Nessus! "Please connect via SSL by clicking here. You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.")
Note: The Nessus Server Manager used in Nessus 4 has been deprecated.
FIGURE 10.9: Internet Explorer Security Alert
14. Click the Continue to this website (not recommended) link to continue. Accept the untrusted certificate only on this isolated lab network; on a production scanner, install a certificate your browsers trust so that the warning never has to be clicked through.
(Screenshot: Internet Explorer: "We recommend that you close this webpage and do not continue to this website. Click here to close this webpage. Continue to this website (not recommended). More information")
FIGURE 10.10: Internet Explorer website security certificate warning
15. Click OK in the Security Alert pop-up, if it appears.
Note: Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers.
(Screenshot: Security Alert: "You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web." with the option "In the future, do not show this warning"; OK / More Info.)
FIGURE 10.11: Internet Explorer Security Alert
16. The Thank you for installing Nessus screen appears. Click the Get Started > button.
(Screenshot: Welcome to Nessus, listing high-speed vulnerability discovery to determine which hosts are running which services, compliance checks to verify that every host on your network adheres to your security policy, scan scheduling to run scans automatically at the frequency you choose, and more; Get started > button.)
FIGURE 10.11: Nessus Getting Started
17. In Initial Account Setup, enter the credentials given at the time of registration and click Next >.
Note: Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the root (or administrator) user on the remote host; protect that account's password as you would a root credential.
FIGURE 10.12: Nessus Initial Account Setup
18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.
Note: If you are using Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.
FIGURE 10.13: Nessus obtaining an Activation Code
20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.
(Screenshot: Nessus for Home / HomeFeed subscription agreement; the HomeFeed subscription is available for personal use and is not for use by any commercial organization; Agree button.)
Note: If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.
(Screenshot: Register a HomeFeed: to stay up to date with the latest Nessus plugins, enter a valid e-mail address to which an activation code will be sent; your e-mail address will not be shared with any 3rd party. Register button.)
FIGURE 10.15: Nessus registering HomeFeed
22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.
Note: After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.
FIGURE 10.16: Nessus registration completed
23. Now log in to your e-mail for the activation code provided at the time of registration, as shown in the following figure.
Plugin Feed Registration
(Screenshot text: "As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code. To use Nessus at your workplace, purchase a commercial ProfessionalFeed. To use Nessus in a non-commercial home environment, you can get a HomeFeed for free. Tenable SecurityCenter users: enter 'SecurityCenter' in the field below. To perform offline plugin updates, enter 'offline' in the field below.")
Note: Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.
FIGURE 10.19: Nessus registering the Activation Code
26. After successful registration, click Next: Download plugins > to download the Nessus plugins.
Note: Nessus server configuration is managed via the GUI. The nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.
(Screenshot: Registering... "Successfully registered the scanner with Tenable. Successfully created the user." Next: Download plugins > button.)
FIGURE 10.20: Nessus downloading plugins
27. Nessus starts fetching the plugins and installs them; downloading the plugins and initializing takes some time.
(Screenshot: "Nessus is fetching the newest plugin set. Please wait...")
FIGURE 10.21: Nessus fetching the newest plugin set
28. The Nessus Log In page appears. Enter the Username and Password given at the time of registration and click Log In.
Note: For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.
FIGURE 10.22: The Nessus Log In screen
29. The Nessus HomeFeed window appears. Click OK.
(Screenshot: Nessus HomeFeed notice; commercial organizations require a ProfessionalFeed subscription. OK.)
FIGURE 10.23: Nessus HomeFeed subscription
Note: To add a new policy, click Policies > Add Policy.
30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.
FIGURE 10.24: The Nessus main screen
31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.
FIGURE 10.25: The Nessus administrator view
32. To add a new policy, click Policies > Add Policy. Fill in the General policy sections, namely Basic, Scan, Network Congestion, Port
Note: WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.
Note: The most effective credentialed scans are those for which the supplied credentials have root privileges.
Note: If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.
(Screenshot: Add Policy, General settings.)
Note: If the policy is successfully added, the Nessus server displays a confirmation message.
36. In the Plugin field, select Database settings from the drop-down list.
37. Enter the Login details given at the time of registration.
38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.
39. Click Submit.
FIGURE 10.29: Adding Policies and setting Preferences
40. A message Policy NetworkScan_Policy was successfully added displays as shown as follows.
FIGURE 10.30: The NetworkScan Policy
Note: To scan, fill in the fields Name, Type, Policy, Scan Targets, and Targets File in the Add Scan window.
41. Now click Scans > Add to open the Add Scan window.
42. Fill in the fields Name, Type, Policy, and Scan Targets.
43. In Scan Targets, enter the IP address of your network; in this lab we are scanning 10.0.0.2.
44. Click Launch Scan at the bottom-right of the window.
Note: The IP addresses may differ in your lab environment.
Note: Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.
46. After the scan is complete, click the Reports tab.
Note: If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentication.
FIGURE 10.35: Report of a scanned target
49. Click the Download Report button in the left pane.
50. You can download available reports with a .nessus extension from the Download Format drop-down list (Chapter selection is not allowed for this format). Click Submit.
Note: To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.
FIGURE 10.36: Download Report with .nessus extension
51. Now click Log out.
52. In the Nessus Server Manager, click Stop Nessus Server.
FIGURE 10.37: Log out of Nessus
Lab Analysis
Document all the results and reports gathered during the lab.
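Documenting the hosts, open ports and findings from the downloaded .nessus report, as an added Python example that is not part of the original lab or of Nessus. The embedded report is a constructed sample in the .nessus v2 layout (NessusClientData_v2, Report, ReportHost with HostProperties tags, ReportItem attributes); its host, plugin IDs and finding names are illustrative placeholders, not results from the lab scan. The parser only relies on the standard library.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout; the host, plugin IDs and
# finding names below are illustrative placeholders, not real lab output.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="NetworkScan_Policy report">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="host-ip">10.0.0.2</tag>
        <tag name="operating-system">Microsoft Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900001" pluginName="Scan information (sample)"/>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="File sharing service detection (sample)"/>
      <ReportItem port="1521" svc_name="oracle_tnslsnr" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="Database listener information disclosure (sample)">
        <description>Constructed finding used to exercise the parser.</description>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900004" pluginName="Weak file sharing configuration (sample)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Map each reported host to its OS, its listening ports and its findings.

    Returns {ip: {"os": str, "ports": {(protocol, port): service},
                  "findings": [(severity, plugin_name, port), ...]}}.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for report_host in root.iter("ReportHost"):
        props = {tag.get("name"): (tag.text or "").strip()
                 for tag in report_host.iter("tag")}
        ip = props.get("host-ip") or report_host.get("name")
        entry = {"os": props.get("operating-system", "unknown"), "ports": {}, "findings": []}
        for item in report_host.findall("ReportItem"):
            port = int(item.get("port", "0"))
            protocol = item.get("protocol", "tcp")
            # port 0 carries host-level plugins (scan info, fingerprints), not a service
            if port:
                entry["ports"][(protocol, port)] = item.get("svc_name", "")
            entry["findings"].append(
                (int(item.get("severity", "0")), item.get("pluginName", ""), port))
        hosts[ip] = entry
    return hosts


def open_ports(hosts, ip):
    """Sorted (protocol, port) pairs seen on one host, for the lab's analysis table."""
    return sorted(hosts[ip]["ports"])


def severity_summary(hosts):
    """Count findings per severity name across all hosts."""
    counts = Counter()
    for entry in hosts.values():
        for severity, _, _ in entry["findings"]:
            counts[SEVERITY_NAMES.get(severity, str(severity))] += 1
    return dict(counts)


def findings_at_or_above(hosts, minimum):
    """(ip, severity, plugin_name, port) for findings at or above a severity, worst first."""
    rows = [(ip, sev, name, port)
            for ip, entry in hosts.items()
            for sev, name, port in entry["findings"] if sev >= minimum]
    return sorted(rows, key=lambda r: (-r[1], r[0], r[3]))


if __name__ == "__main__":
    report = parse_nessus(SAMPLE_NESSUS)
    for ip, entry in report.items():
        print(ip, entry["os"], open_ports(report, ip))
    print(severity_summary(report))
    for row in findings_at_or_above(report, 2):
        print(row)
```

Run it against the file you downloaded in step 50 by replacing SAMPLE_NESSUS with the file's contents. Treat the exported .nessus file as sensitive: it names every host, open port and finding the scan produced, which is exactly the information the lab scenarios describe attackers collecting.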
Tool/Utility: Nessus
Questions
1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with SecurityCenter.
2. Determine how the Nessus license works in a VM (Virtual Machine) environment.
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network. Similarly, if the attacker finds a workstation with administrative privileges and faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network. As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing networks. So, as an administrator, you should make sure that services do not run as the root user, and should keep up with patches and updates for applications from vendors and with advisories from security sources such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.
Lab Objectives
This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:
Use the Global Network Inventory tool
Lab Environment
Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
To carry out the lab, you need:
Global Network Inventory tool, located at D:\CEH-Tools\CEHv8 Module ... Inventory
Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Global Network Inventory
Global Network Inventory is one of the de facto tools for security auditing and
Lab Tasks
TASK 1
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 11.1: Windows Server 2012 - Desktop view
2. Click the Global Network Inventory app to open the Global Network Inventory window.
Note: Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.
FIGURE 11.2: Windows Server 2012 - Apps
FIGURE 11.3: Global Network Inventory main window
5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.
Note: Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.
FIGURE 11.4: Windows 2008 Virtual Machine
6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window appears. Click Next (or, on the toolbar, select the Scan tab and click Launch audit wizard).
Note: View scan results, including historic results for all scans, individual machines, or a selected number of addresses.
FIGURE 11.5: Global Network Inventory new audit wizard
7. Select IP range scan and then click Next in the Audit Scan Mode wizard.
Note: Fully customizable layouts and color schemes on all views and reports.
The Audit Scan Mode wizard offers these modes:
Single computer: choose this mode if you want to audit a single computer.
IP range scan: choose this mode if you want to audit a group of computers within a single IP range.
Domain scan: choose this mode if you want to audit computers that are part of the same domain(s).
Host file scan: choose this mode to audit computers specified in the host file. The most common scenario is to audit a group of computers without auditing an IP range or a domain.
Export audit agent: choose this mode if you want to audit computers using a domain login script. An audit agent will be exported to a shared directory; it can later be used in the domain login script.
To continue, click Next.
FIGURE 11.6: Global Network Inventory Audit Scan Mode
Note: Export data to HTML, XML, Microsoft Excel, and text formats.
8. Set an IP range scan and then click Next in the IP Range Scan wizard.
Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.
9. In the Authentication Settings wizard, select Connect as and fill in the respective credentials of your Windows Server 2008 Virtual Machine, and click Next.
The program comes with dozens of customizable reports. New reports can be easily added through the user interface.

FIGURE 11.8: Global Network Inventory Authentication settings
10. Leave the settings as default and click Finish to complete the wizard.

Ability to generate reports on schedule after every scan, daily, weekly, or monthly.

Completing the New Audit Wizard: You are ready to start a new IP range scan.

To configure reports choose Reports | Configure reports from the main menu and select a report from a tree control on the left. Each report can be configured independently.

FIGURE 11.9: Global Network Inventory final Audit wizard
11. It displays the scanning progress in the Scan progress window.
Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column(s).

Scan progress dialog options: Open this dialog when scan starts; Close this dialog when scan completes; Don't display completed scans.

FIGURE 11.10: Global Network Inventory Scanning Progress
12. After completion, scanning results can be viewed as shown in the following figure.
Global Network Inventory lets you change grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.

FIGURE 11.11: Global Network Inventory result window
13. Now select the Windows Server 2008 machine from View results to view individual results.
Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing colors.

FIGURE 11.12: Global Network Inventory Individual machine results
14. The Scan Summary section gives you a brief summary of the machines that have been scanned.
To configure results history level choose Scan | Results history level from the main menu and set the desired history level.

FIGURE 11.13: Global Inventory Scan Summary tab
15. The Bios section gives details of BIOS settings.
FIGURE 11.14: Global Network Inventory Bios summary tab
16. The Memory tab summarizes the memory in your scanned machine.

E-mail address: Specifies the email address that people should use when sending email to you at this account. The email address must be in the format name@company, for example, someone@mycompany.com.
Message subject: Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.

FIGURE 11.16: Global Network Inventory NetBIOS tab
18. The User Groups tab shows user account details within the workgroup.
Name: Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.

FIGURE 11.17: Global Network Inventory User groups section
19. The Logged on tab shows detailed logged-on details of the machine.
Port: Specifies the port number you connect to on your outgoing email (SMTP) server. This port number is usually 25.

Outgoing mail (SMTP): Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.

FIGURE 11.19: Global Network Inventory Port connectors tab
21. The Service section gives the details of the services installed in the machine.
To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize settings as desired, and click the OK button.

FIGURE 11.20: Global Network Inventory Services Section
22. The Network Adapters section shows the Adapter IP and Adapter type.
A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password.
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: Global Network Inventory

Questions
1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?
2. How can you export the Global Network agent to a shared network directory?

Internet Connection Required
☐ No
☐ iLabs
Lab Scenario
In the previous lab, you gathered information like scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory. NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows which involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, an attacker can find a computer's IP address by using its NetBIOS name. As an expert penetration tester, you should follow
using Proxy Switcher.

Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:
Hide your IP address from the websites you visit
Proxy server switching for improved anonymous surfing
Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks.
You can also download the latest version of Proxy Switcher from this link: http://www.proxyswitcher.com/
If you decide to download the latest version, then screenshots shown in the lab might differ.
A computer running
Proxy Switcher

Lab Duration
Time: 15 Minutes

Overview of Proxy Switcher

Lab Tasks
1. Install Proxy Workbench in (Host Machine)
2. Proxy Switcher is located at
3. Follow
of the
4. This lab will work in the CEH
Windows Server
to Tools, and Options in the menu bar.
Often different internet connections require completely different proxy server settings and it's a real pain to change them manually.
6. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.

Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera and other programs.

FIGURE 12.2: Firefox Network Settings
7. Select the
radio button, and click OK.
Connection Settings dialog (Configure Proxies to Access the Internet): No proxy; Auto-detect proxy settings for this network; Use system proxy settings; Manual proxy configuration (HTTP Proxy and Port; exceptions, for example .mozilla.org, .net.nz, 192.168.1.0/24); Automatic proxy configuration URL.

Proxy Switcher supports the following command line options: -d: Activate direct connection.
8. Now to install Proxy Switcher Standard, follow the wizard-driven installation steps.
9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 12.4: Windows Server 2012 - Desktop view
10. Click the Proxy Switcher app to open the window, OR click Proxy Switcher from the Tray Icon list.
Proxy Switcher is free to use without limitations for personal and commercial use.

FIGURE 12.5: Windows Server 2012 - Apps

FIGURE 12.6: Select Proxy Switcher
11. The Proxy List Wizard will appear; click Next.
Proxy Switcher supports LAN, dialup, VPN and other RAS connections.

FIGURE 12.7: Proxy List wizard
12. Select the
radio button from Common Tasks, and click Finish.

Proxy switching from command line (can be used at logon to automatically set connection settings).

Common Tasks options: Find New Servers, Rescan Servers, Recheck Dead; Find 100 New Proxy Servers; Find New Proxy Servers Located in a Specific Country; Rescan Working and Anonymous Proxy Servers.

FIGURE 12.8: Select common tasks
13. A list of proxy servers will show in the left panel.
FIGURE 12.9: List of downloaded Proxy Servers
14. To stop
Actions

FIGURE 12.10: Click on Start button
15. Click Basic Anonymity in the right panel; it shows a list of downloaded proxy servers.
When running in Auto Switch mode Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

16. Select one from the right panel to switch to the selected proxy server, and click the
icon.
FIGURE 12.12: Selecting the proxy server
17. The selected proxy server
connection icon.
FIGURE 12.13: Successful connection of selected proxy

Starting from version 3.0 Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.

18. Go to a web browser (Firefox), and type the following URL http://www.proxyswitcher.com/check.php to check the selected proxy server connectivity; if it is successfully connected, then it shows the following figure.
Proxy Information: Proxy Server: DETECTED; Proxy IP: 95.110.159.67; Proxy Country: Unknown

FIGURE 12.14: Detected Proxy server
19. Open another tab in the web browser, and surf anonymously using this proxy server.
Lab Analysis
Document all the
and the connectivity you discovered during the lab.

Tool/Utility: Proxy Switcher
Information Collected/Objectives Achieved:
List of available Proxy servers
Selected Proxy Server IP Address: 95.110.159.54
Selected Proxy Country Name: ITALY
Resulted Proxy server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine which technologies are used for Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.
Internet Connection Required
☐ Yes ☐ No
Platform Supported
☐ Classroom ☐ iLabs
Lab 13

Lab Scenario
A proxy can be used to hide your actual IP and surf anonymously. Similarly, an attacker with malicious intent can pose as someone else using a proxy server and gather information like account details of an individual by performing social engineering. Once he or she gains relevant information, he or she can hack into that individual's bank account, which individuals sometimes use for online shopping. Attackers can also use multiple proxy servers for scanning and attacking, making it very difficult for
In this lab you use Proxy Workbench to understand how networks are scanned.
Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy Workbench. It will teach you how to:
Use the Proxy Workbench tool
Daisy chain the Windows Host Machine and Virtual Machines

Lab Environment
Y o u c a n a ls o d o w n l o a d t h e la t e s t v e r s io n o f th is lin k
P ro x y W o rk b e n c h
fro m
ZZ7 Tools d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks
h ttp ://p ro x y w o rk b e n c h .c o m
I f y o u d e c id e t o d o w n l o a d t h e la t e s t v e r s io n , t h e n s c r e e n s h o t s s h o w n i n t h e la b m i g h t d i f f e r A c o m p u te r r u n n in g
as a tta c k e r ( h o s t m a c h in e ) as
A n o t h e r c o m p u te r r u n n in g v ic tim ( v ir t u a l m a c h in e )
Proxy W orkbench
L a b
D u r a t io n
T im e : 2 0 M in u te s
Overview of Proxy Workbench
Proxy Workbench is a proxy server that displays its data in real time: you can watch the data flowing between the web browser and the web server as it passes through the proxy. It even analyzes FTP in passive and active modes.
Lab Tasks
Install Proxy Workbench on all platforms of the Windows operating system used in this lab (Windows Server 2012, Windows Server 2008 and Windows 7). This lab will work in the CEH lab environment on those platforms. You can also download the latest version from http://proxyworkbench.com.

Note: Security: Proxy servers provide a level of security within a network. They can help prevent security attacks, as the only way into the network from the Internet is via the proxy server.

4. Follow the wizard-driven installation steps and install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008 and Windows 7).
6. Open the Firefox browser on your Windows Server 2012 host machine, click Tools and go to Options.
7. In the Options wizard of Firefox, select the Advanced profile, go to the Network tab, and click Settings.

Note: The sockets panel shows the number of alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.
Note: The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this, due to the overhead of managing it.

8. In the Connection Settings wizard (Configure Proxies to Access the Internet), check Manual proxy configuration, enter 127.0.0.1 as the HTTP Proxy and 8080 as the port value, and click OK.
9. Check the option Use this proxy server for all protocols and click OK. The SSL Proxy, FTP Proxy and SOCKS Host then also point to 127.0.0.1 port 8080 (SOCKS v5).
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 13.4: Windows Server 2012 - Desktop view

12. Click the Proxy Workbench app to open the Proxy Workbench window.
Note: The events panel

FIGURE 13.5: Windows Server 2012 - Apps
13. The Proxy Workbench main window appears as shown in the following figure. The left pane lists the ports it listens on (POP3 Incoming e-mail (110), HTTP Proxy - Web (8080), HTTPS Proxy - Secure Web (443), FTP File Transfer Protocol (21), Pass Through - For Testing Apps (1000)); the connection list shows the To address of each socket (for example 173.194.36.24:80); and the real-time data pane shows the captured request headers in hex and text, such as the User-Agent, Proxy-Connection: keep-alive and Host: mail.google.com headers of a Firefox request. The status bar reports Events: 754.

Note: The last panel displays the current time as reported by your operating system.

FIGURE 13.6: Proxy Workbench main window
14. Go to Tools on the toolbar, and select Configure Ports.
The Tools menu also offers Save Data..., Failure Simulation..., Real Time Logging and Options.... The status bar of the main window reads Memory: 95 KByte, Sockets: 100, Events: 754.

Note: The 'Show the real time data window' option allows the user to specify whether the real-time data pane should be displayed or not.
15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane (Ports to listen on).
16. Check the protocol assigned to port 8080 and open its properties.

The Configure Proxy Workbench dialog lists the ports to listen on (25 SMTP Outgoing e-mail, 110 POP3 Incoming e-mail, 8080 HTTP Proxy - Web, 443 HTTPS Proxy - Secure Web, 21 FTP File Transfer Protocol, 1000 Pass Through - For Testing Apps) with Add, Delete and Close buttons, and a Protocol assigned to port drop-down (<Don't use>, Pass Through, HTTPS, POP3, FTP).

Note: People who benefit from Proxy Workbench: home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"; people who are curious about how their web browser, email client or FTP client communicates with the Internet; people who are concerned about malicious programs sending sensitive information out onto the Internet (the information that programs are sending can be readily identified); Internet software developers who are writing programs to existing protocols (software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol, and Proxy Workbench allows developers to instantly identify protocol problems); Internet software developers who are creating new protocols and developing the client and server software simultaneously (Proxy Workbench will help identify non-compliant protocol behaviour); and Internet security experts, who benefit from seeing the data flowing in real time, which helps them see who is doing what and when.
17. The HTTP Properties window appears. Now check Connect via another proxy, enter your virtual machine's IP address (10.0.0.7 in this lab) in Proxy Server, enter 8080 in Port, and then click OK. Leave On the web server, connect to port at 80.

Note: Many people understand sockets much better than they think. When you surf the web and go to a website called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" with port number 80.

FIGURE 13.9: Proxy Workbench HTTP properties for port 8080
18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.

Note: Real time logging allows you to record everything Proxy Workbench does to a text file. This allows the information to be readily imported into a spreadsheet or database so that the most advanced analysis can be performed on the data.
19. Repeat the configuration steps of Proxy Workbench from Step 11 to Step 15 in the Windows Server 2008 virtual machine.
20. In the HTTP Properties window on the Windows Server 2008 virtual machine, type the IP address of the Windows 7 virtual machine as the proxy server.
21. Open a Firefox browser on the Windows Server 2012 host machine and browse web pages.
22. Proxy Workbench on the host machine shows the traffic that is generated, as shown in the following figure.
23. Check the To column; it is forwarding the traffic to the Windows Server 2008 virtual machine.

Note: Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history and save it to HTML.
24. Now log in to the Windows Server 2008 virtual machine and check the To column; it is forwarding the traffic to the Windows 7 virtual machine.
(Figure: Proxy Workbench on the Windows Server 2008 virtual machine. The To column lists 10.0.0.7:8080 for every HTTP connection, that is, the next proxy in the chain rather than the web server.)
25. On the Windows 7 virtual machine, select On the web server, connect to port 80 in the HTTP Properties window, and click OK.
26. Now check the traffic on 10.0.0.7 (the Windows 7 virtual machine); the To column shows the traffic generated by the different websites browsed on the Windows Server 2012 host machine, with From entries from 10.0.0.3 and To entries such as 203.85.231.83:80 and 58.27.86.123:80, all marked as protocol HTTP.

Note: In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.

FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine
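The chain built in Steps 17 to 26 (browser -> proxy on the host -> proxy on the Windows Server 2008 virtual machine -> proxy on the Windows 7 virtual machine -> web server) can be reproduced in miniature to see exactly why the To column changes at each hop. The following Python script is an added example written for this page, not code from Proxy Workbench or EC-Council: a proxy with no upstream rewrites the browser's absolute-URI request line into the origin form and connects to the web server, while a proxy with an upstream hands the request on unchanged, which is what "Connect via another proxy" does. The EchoOrigin stand-in web server, the loopback addresses and the free ports chosen by the OS are constructed for the demonstration; nothing leaves 127.0.0.1.

```python
import socket
import threading

def listen_loopback():
    """Listening TCP socket on 127.0.0.1 with an OS-chosen free port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s

def recv_headers(sock):
    """Read until the end of the HTTP header block (enough for a GET)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def parse_proxy_request(head):
    """Split a proxy-style request line, 'GET http://host:port/path HTTP/1.1'."""
    line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, version = line.split(" ", 2)
    if not target.startswith("http://"):
        raise ValueError("not an absolute-URI proxy request: " + line)
    hostport, _, path = target[len("http://"):].partition("/")
    host, _, port = hostport.partition(":")
    return method, host, int(port or 80), "/" + path, version

class ForwardingProxy(threading.Thread):
    """upstream=None: connect to the origin named in the URI. upstream=(host, port):
    hand the request on unchanged, which is Proxy Workbench's 'Connect via another proxy'."""
    def __init__(self, upstream=None):
        super().__init__(daemon=True)
        self.upstream = upstream
        self.listener = listen_loopback()
        self.port = self.listener.getsockname()[1]
        self.connections = []          # (From, To) pairs, like Proxy Workbench's columns

    def run(self):
        while True:
            try:
                client, addr = self.listener.accept()
            except OSError:            # listener closed: stop serving
                return
            threading.Thread(target=self.handle, args=(client, addr), daemon=True).start()

    def handle(self, client, addr):
        with client:
            head = recv_headers(client)
            method, host, port, path, version = parse_proxy_request(head)
            _, _, rest = head.partition(b"\r\n")
            if self.upstream is not None:
                nxt, out = self.upstream, head     # chain: next hop sees the same absolute URI
            else:
                nxt = (host, port)                 # last hop: origin-form request to the web server
                out = f"{method} {path} {version}\r\n".encode("latin-1") + rest
            self.connections.append((f"{addr[0]}:{addr[1]}", f"{nxt[0]}:{nxt[1]}"))
            with socket.create_connection(nxt) as server:
                server.sendall(out)
                while True:                        # relay the reply until the server closes
                    chunk = server.recv(4096)
                    if not chunk:
                        break
                    client.sendall(chunk)

class EchoOrigin(threading.Thread):    # stand-in web server: answers with the request line it got
    def __init__(self):
        super().__init__(daemon=True)
        self.listener = listen_loopback()
        self.port = self.listener.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return
            with conn:
                body = b"origin saw: " + recv_headers(conn).split(b"\r\n", 1)[0]
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                             b"Connection: close\r\n\r\n" % len(body) + body)

def daisy_chain_demo():
    """Browser -> first proxy -> second proxy -> origin, the lab's chain in miniature."""
    origin, second = EchoOrigin(), ForwardingProxy()
    first = ForwardingProxy(upstream=("127.0.0.1", second.port))
    for t in (origin, second, first):
        t.start()
    with socket.create_connection(("127.0.0.1", first.port)) as browser:
        browser.sendall(f"GET http://127.0.0.1:{origin.port}/index.html HTTP/1.1\r\n"
                        f"Host: 127.0.0.1:{origin.port}\r\nConnection: close\r\n\r\n".encode())
        reply = b""
        while chunk := browser.recv(4096):   # read until the chain closes the connection
            reply += chunk
    for t in (origin, second, first):
        t.listener.close()
    return first, second, origin, reply
```

Calling daisy_chain_demo() and printing first.connections and second.connections reproduces the lab's observation: the first proxy's To column names the second proxy, only the last proxy's To column names the web server, and the web server sees the request line GET /index.html HTTP/1.1 with no trace of the hops. That is also the defender's caveat: a web server log records only the last proxy's address, so tracing a chained attacker back requires the logs of every hop.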
Lab Analysis
Document all the IP addresses and protocols you discovered during the lab.

Tool/Utility: Proxy Workbench
Information Collected/Objectives Achieved:
- Proxy server used: 10.0.0.7
- Port scanned: 8080
- Result: Traffic captured by the Windows 7 virtual machine (10.0.0.7)
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine connection failure, termination and refusal in Proxy Workbench.
2. Evaluate how real-time logging records everything in Proxy Workbench.

Internet Connection Required: Yes
Platform Supported: Classroom
Lab 14: HTTP Tunneling Using HTTPort

Lab Scenario
Attackers get into networks through IP spoofing, sending packets to the firewall with a forged source IP address in order to get past it or steal data. If attackers are able to do what you did in the previous lab, they can mount attacks such as password sniffing and session hijacking, which can prove disastrous for an organization's network. An attacker may also use a network probe to capture raw packet data and decode the addresses, protocol type, header length and source, and compare these details with modeled attack signatures to determine whether an attack is using a covert channel. In this lab you will learn HTTP tunneling.

Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment
In the lab, you need the HTTPort tool.
- HTTPort is located at D:\CEHTools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort (tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks)
- You can also download the latest version of HTTPort from http://www.targeted.org/
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- Install HTTHost on the virtual machine
- Install HTTPort on the host machine
- Follow the wizard-driven installation steps and install it
- Administrative privileges are required to run this tool
- This lab might not work if the remote server filters/blocks HTTP packets

Lab Duration
Time: 20 Minutes

Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. It allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, HTTPS proxies and transparent accelerators.

Note: HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.

Lab Tasks
1. Before running the tool you need to stop the IIS Admin Service and the World Wide Web Publishing Service on the virtual machine, since HTTHost needs to listen on port 80.
3. Go to Services, right-click each of those services and click Stop.

Note: HTTPort bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.
Note: HTTPort supports strong traffic encryption, which makes proxy logging of the tunnel contents useless, and supports NTLM and other authentication schemes.

4. Open the mapped network drive CEH-Tools (Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost).
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost wizard will open; select the Options tab.
7. On the Options tab, leave all the settings at their defaults except Personal password, which should be filled in with a password of your choice. In this lab, the personal password is "magic".
8. Check the Log Connections option and click Apply.

The HTTHost 1.8.5 Options tab shows: Network - Bind listening to: 0.0.0.0, Port: 80; Bind external to: 0.0.0.0; Allow access from: 0.0.0.0; Personal password; Pass through unrecognized requests to: Host name or IP: 127.0.0.1, Port: 81; Original IP header field: X-Original-IP; Timeouts.

9. Now leave HTTHost running, and do not turn off the virtual machine.
10. Switch to the host machine and install HTTPort from D:\CEHTools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort.

Note: HTTPort comes with the predefined mapping "External HTTP proxy of local port".

11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.
FIGURE 14.5: Windows Server 2012 - Apps
14. The HTTPort 3.SNFM window appears as shown in the figure that follows.

FIGURE 14.6: HTTPort Main Window
15. Select the Proxy tab and enter the host name or IP address of the targeted machine.
16. Here, as an example, enter the virtual machine's IP address, 10.0.0.4, as the host name or IP address, and enter 80 as the port.
17. You cannot set the Username and Password fields while Proxy requires authentication is unchecked.
18. In the System section, click Start and then Stop, and then enter the targeted host and port, which should be 80.
19. Here any password could be used, but it must match the personal password set in HTTHost in Step 7. As an example, enter the password as "magic".

Note: In a real-world environment, organizations sometimes use a password-protected proxy to let company employees access the Internet.

The HTTPort 3.SNFM Proxy tab shows: HTTP proxy to bypass (blank = direct or firewall): Host name or IP address 10.0.0.4, Port 80; Proxy requires authentication: Username, Password; and a Start button.
20. Select the Port mapping tab and click Add to create a New mapping.

The Port mapping tab (System | Proxy | Port mapping | About | Register) lists Static TCP/IP port mappings (tunnels): New mapping, Local port, Remote host (remote.host.name), Remote port, with Add and Remove buttons; below it, "Select a mapping to see statistics: No stats - select a mapping", the Built-in SOCKS4 server option, and LEDs: Proxy.

Note: HTTHost supports registration, but it is free and password-free: you will be issued a unique ID, which you can quote when you contact the support team and ask your questions.

21. Select the New mapping node, right-click New mapping, and click Edit.
22. Rename this mapping, then select the Local port node, right-click it, click Edit and enter the local port value.
23. Now right-click the Remote host node, click Edit and rename it as ftp.certifiedhacker.com.
24. Now right-click the Remote port node, click Edit and enter the port value 21.

The resulting static TCP/IP port mapping shows Local port, Remote host ftp.certifiedhacker.com and Remote port 21, with the Built-in SOCKS4 server (port 1080) option and the Proxy LED below it.

Note: In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box, because it only supports a non-password-protected proxy.

FIGURE 14.10: HTTPort Static TCP/IP port mapping

25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
HTTPort 3.SNFM r a :
S y s te m ^ o x y | Port m a p p in g | A bout | R e g iste r |
- HTTP proxy to b y p a s s (b la n k = dire c t o r firewall) H ost n a m e o r IP a d d r e s s : |1 0 .0 .0 .4 Proxy re q u ire s a u th e n tic a tio n U s e rn a m e : P assw ord: Port: [80
|10.0.0.4
? | ^ T his b u tto n h e lp s
[So
****
26. Now switch to the virtual machine and click the Application log tab.
27. Check the last line; if it reads Listener listening at 0.0.0.0:80, then HTTHost is running properly.
[Screenshot: HTTHost 1.8.5 Application log, ending with the line LISTENER: listening at 0.0.0.0:80]
28. Now switch to the host machine and turn on Windows Firewall with Advanced Security.
30. Select Outbound Rules in the Windows Firewall with Advanced Security window, and then click New Rule...

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list with the New Rule... action]
31. In the Rule Type section, select the Port option and click Next.

Tools demonstrated in this lab are available in Z:\ Mapped Network Drive in Virtual Machines

[Screenshot: New Outbound Rule Wizard, Rule Type page with Port selected]
32. Now select All remote ports in the Protocol and Ports section, and click Next.

[Screenshot: New Outbound Rule Wizard, Protocol and Ports page with TCP and All remote ports selected]

HTTPort doesn't really
33. In the Action section, select the Block the connection option and click Next.

You need to install htthost on a PC that is generally accessible on the Internet, typically your "home" PC. This means that if you started a Web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs:

[Screenshot: New Outbound Rule Wizard, Action page with Block the connection selected]
34. In the Profile section, select all three options under The rule will apply to: (Domain, Private, and Public), and then click Next.

NAT/firewall issues: You need to enable an incoming port. For HTThost it will typically be 80 (http) or 443 (https), but any port can be used - IF the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.

[Screenshot: New Outbound Rule Wizard, Profile page with Domain, Private and Public checked]
35. Type Port 21 Blocked in the Name field, and click Finish.

[Screenshot: New Outbound Rule Wizard, Name page with Port 21 Blocked entered]
36. The new rule Port 21 Blocked is created as shown in the following figure.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules list showing the new Port 21 Blocked rule]

FIGURE 14.19: Windows Firewall New rule
37. Right-click the newly created rule and select Properties.

HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

[Screenshot: Outbound Rules, context menu on Port 21 Blocked with Properties highlighted]
Enables you to bypass your HTTP proxy in case it blocks you from the Internet.

38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports, enter the Port number 21, and click Apply.
39. Leave the other settings at their defaults and then click OK.
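The outbound block rule that steps 28 to 39 build in the GUI, as an added PowerShell example that is not part of the lab manual: it creates the rule with the NetSecurity cmdlets and then reads it back to confirm every property the wizard set. It assumes an elevated PowerShell session on Windows Server 2012 or later; the function names New-OutboundBlockRule and Test-OutboundBlockRule are hypothetical, while the rule name "Port 21 Blocked" and remote TCP port 21 are the lab's values.

```powershell
# Added example, not from the lab manual. Assumes an elevated session with the
# NetSecurity module (Windows Server 2012 / Windows 8 and later).

function New-OutboundBlockRule {
    param(
        [string]$Name = 'Port 21 Blocked',   # rule name typed in step 35
        [int]$RemotePort = 21                # remote port set in step 38
    )
    # Create the rule only once so that re-running the lab does not add duplicates
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        $rule = New-NetFirewallRule -DisplayName $Name -Direction Outbound `
            -Protocol TCP -RemotePort $RemotePort -Action Block `
            -Profile Domain, Private, Public -Enabled True
    }
    return $rule
}

function Test-OutboundBlockRule {
    param(
        [string]$Name = 'Port 21 Blocked',
        [int]$RemotePort = 21
    )
    $rule  = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    $ports = $rule | Get-NetFirewallPortFilter
    # Every property the wizard set must be in place for the block to take effect
    $ok = ($rule.Enabled -eq 'True') -and ($rule.Direction -eq 'Outbound') -and
          ($rule.Action -eq 'Block') -and ($ports.Protocol -eq 'TCP') -and
          ("$($ports.RemotePort)" -eq "$RemotePort")
    [pscustomobject]@{
        Name       = $rule.DisplayName
        Enabled    = $rule.Enabled
        Direction  = $rule.Direction
        Action     = $rule.Action
        Protocol   = $ports.Protocol
        RemotePort = $ports.RemotePort
        Effective  = $ok
    }
}

New-OutboundBlockRule | Out-Null
Test-OutboundBlockRule | Format-List
```

If Effective is False, compare the listed properties against the values the wizard pages ask for to see which one was left at its default.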
[Screenshot: Port 21 Blocked Properties, Protocols and Ports tab with Remote Port set to Specific Ports: 21]

With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software
40. Type
41. Now open the command prompt and type ftp 127.0.0.1 and press Enter.

HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".
Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
  Proxy server used: 10.0.0.4
  Port scanned: 80
  Result: ftp 127.0.0.1 connected to 127.0.0.1

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine if software does not allow editing the address to connect to.

Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs
Lab Scenario

You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are captured using the HTTP protocol. For any companies to exist on the Internet, they require a web server. These web servers prove to be a high data value target for attackers. The attacker gains command line access and, with the connection established, uploads a precompiled version of the HTTP tunnel server (hts). The hts process runs on port 80 of the host WWW server; the attacker directs traffic from his or her system to the hts server, which captures the traffic in HTTP headers, redirects it, and forwards it to the WWW server port.

In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.

Lab Objectives
Lab Environment

To carry out the lab, you need:
- MegaPing is located in CD Tools
- You can also download the latest version of MegaPing from http://www.magnetosoft.com/
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Administrative privileges to run tools
- TCP/IP settings correctly configured and an accessible DNS server
- This lab will work in the CEH lab environment, on Windows Server 2012, Windows Server 2008, and Windows 7

PING stands for Packet Internet Groper.

Lab Duration

Time: 10 Minutes
Overview of Ping

The ping command sends ICMP echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as round-trip time, and records any lost packets.
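The request-response measurement described above, as an added PowerShell example that is not part of the lab: it sends a series of ICMP echo requests, measures each round-trip time, and reports minimum, average and maximum RTT together with the packet loss. It assumes the .NET System.Net.NetworkInformation.Ping class; the function name Measure-PingStats is hypothetical, and 10.0.0.1 is taken from this lab's address range.

```powershell
# Added example, not from the lab manual. Uses the .NET Ping class, which is
# present on Windows Server 2012 and later.

function Measure-PingStats {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [int]$Count = 4,          # number of echo requests to send
        [int]$TimeoutMs = 1000    # how long to wait for each echo reply
    )
    $pinger = New-Object System.Net.NetworkInformation.Ping
    $rtts = @()
    $lost = 0
    for ($i = 0; $i -lt $Count; $i++) {
        try {
            # One ICMP echo request; Send blocks until the echo reply or the timeout
            $reply = $pinger.Send($TargetHost, $TimeoutMs)
            if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
                $rtts += [int]$reply.RoundtripTime   # transmission-to-reception time
            } else {
                $lost++   # TimedOut, DestinationHostUnreachable, etc. count as loss
            }
        } catch {
            $lost++       # name resolution or socket failure counts as loss too
        }
        Start-Sleep -Milliseconds 200
    }
    $summary = [ordered]@{
        Target = $TargetHost; Sent = $Count; Received = $rtts.Count
        Lost = $lost; LossPercent = [math]::Round(100 * $lost / $Count, 1)
        MinRttMs = $null; AvgRttMs = $null; MaxRttMs = $null
    }
    # RTT statistics only make sense when at least one reply came back
    if ($rtts.Count -gt 0) {
        $m = $rtts | Measure-Object -Minimum -Maximum -Average
        $summary.MinRttMs = $m.Minimum
        $summary.AvgRttMs = [math]::Round($m.Average, 1)
        $summary.MaxRttMs = $m.Maximum
    }
    [pscustomobject]$summary
}

# Usage against an address from this lab's scan range
Measure-PingStats -TargetHost 10.0.0.1 -Count 4 | Format-List
```

A host that never replies shows Received 0 and LossPercent 100 with empty RTT fields, which is the "dead" status MegaPing reports in the IP scan that follows.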
Lab Tasks

TASK 1: IP Scanning

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 13.1: Windows Server 2012 - Desktop view
2. Click the MegaPing app to open the MegaPing window.

FIGURE 15.2: Windows Server 2012 - Apps
3. The MegaPing main window appears as shown in the following figure.

[Screenshot: MegaPing (Unregistered) main window with the tool list in the left pane]

Figure 15.3: MegaPing main windows
Security scanner provides the following information: NetBIOS names, Configuration info, open TCP and UDP ports, Transports, Shares, Users, Groups, Services, Drivers, Local Drives, Sessions, Remote Time of Date, Printers.

4. Select any one of the options from the left pane of the window.
5. Select IP scanner, and type in the IP range field; in this lab the IP range is from 10.0.0.1 to 10.0.0.254.
6. You can select the IP range depending on your network.
[Screenshot: MegaPing IP Scanner with the range 10.0.0.1 to 10.0.0.254 entered]

FIGURE 15.4: MegaPing IP Scanning

It will list all the IP addresses in that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.
Network utilities: DNS list host, DNS lookup name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.

[Screenshot: MegaPing IP Scanner results, Hosts Stats: Total 254, Active 4, Failed 250]

FIGURE 15.5: MegaPing IP Scanning Report

TASK 2: NetBIOS Scanning

8.
MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.

9.

[Screenshot: MegaPing NetBIOS Scanner]

FIGURE 15.6: MegaPing NetBIOS Scanning
The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.

Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example, by shutting down unnecessary ports, closing shares, etc.

[Screenshot: MegaPing NetBIOS Scanner results for 10.0.0.1 to 10.0.0.254 showing NetBIOS Name, Adapter Address and Domain for each host]

FIGURE 15.7: MegaPing NetBIOS Scanning Report
10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.

TASK 3: Traceroute

11. Then, right-click and select the Traceroute option.
Other features include a multithreaded design that allows processing any number of requests in any tool at the same time, real-time network connection status and protocol statistics, real-time process information and usage, real-time network information, including network connections and open network files, system tray support, and more.

[Screenshot: MegaPing NetBIOS Scanner context menu with Traceroute selected]

FIGURE 15.8: MegaPing Traceroute
12. It will open the Traceroute window, and will trace the selected IP address.

[Screenshot: MegaPing Traceroute window with destination 10.0.0.4 and the completed trace report]

FIGURE 15.9: MegaPing Traceroute Report
TASK 4: Port Scanning

13. Select Port Scanner from the left pane, add the target to the Destination Address List, and then click the Start button; it toggles to Stop.
15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.
[Screenshot: MegaPing Port Scanner results for www.certifiedhacker.com, Scan Type TCP and UDP, listing port, keyword, risk and description]

FIGURE 15.10: MegaPing Port Scanning Report
Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: MegaPing
Information Collected/Objectives Achieved:
  IP Scan Range: 10.0.0.1 - 10.0.0.254
  Traceroute

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How does MegaPing detect security vulnerabilities on the network?
2. Examine the report generation of MegaPing.

Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs
Lab Scenario

You have learned in the previous lab that the MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. It provides detailed information about all computers and network appliances. It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example, by shutting down unnecessary ports, closing shares, etc., to prevent intrusion into your network. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.

Lab Objectives

This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.

Lab Environment

To carry out the lab, you need:
- G-Zapper is located at D:\CEHTools\CEHv8 Module 03 Scanning Networks
- You can also download the latest version of G-Zapper from http://www.dummysoftware.com/
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Install G-Zapper in Windows Server 2012 by following wizard-driven installation steps
- Administrative privileges to run tools
- A computer running Windows Server 2012

Lab Duration

Time: 10 Minutes

Overview of G-Zapper

G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.

Lab Tasks

TASK 1

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 16.1: Windows Server 2012 - Desktop view

2. Click the G-Zapper app to open the G-Zapper window.
[Screenshot: Windows Server 2012 Start screen showing the G-Zapper tile]

G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, Windows 7.

FIGURE 16.2: Windows Server 2012 - Apps
3. The G-Zapper main window will appear as shown in the following screenshot.

[Screenshot: G-Zapper main window. How to Use It: To delete the Google cookie, click the Delete Cookie button. Your identity will be obscured from previous searches and G-Zapper will regularly clean future cookies. To restore the Google search cookie click the Restore Cookie button. Buttons: Delete Cookie, Restore Cookie, Test Google, Settings, Register]

FIGURE 16.3: G-Zapper main windows
4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.
A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.

[Screenshot: G-Zapper dialog: "The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com. The cookie was located at (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite"]

FIGURE 16.4: Deleting search cookies
5. To block the Google search cookie, click the Block Cookie button. A window will appear asking if you want to manually block the Google cookie. Click Yes.
The tiny tray icon runs in the background, takes up very little space and can notify you by sound & animate when the Google cookie is blocked.

[Screenshot: G-Zapper TRIAL VERSION window with a Yes/No prompt to block the Google cookie]

FIGURE 16.5: Block Google cookie
6. It will show a message that the Google cookie has been blocked. To verify, click OK.
(G-Zapper dialog: "The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to verify." G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. Buttons now read Delete Cookie, Restore Cookie, Test Google, Settings, Register.)
FIGURE 16.6: Block Google cookie (2)
7. To test that the Google cookie has been blocked, click the Test Google button.
8. Your default web browser will now open to Google's Preferences page. Click OK.
(Google Preferences page showing the Interface Language and Search Language settings.)
FIGURE 16.7: Cookies disabled message
9. To view the deleted cookie information, click the Settings button, and then click View Log in the cleaned cookies log.
(G-Zapper Settings dialog: Sounds: Play sound effect when a cookie is deleted (default.wav, Preview, Browse); Enable logging of cookies that have recently been cleaned; Save my Google ID in the cleaned cookies log; Clear Log; View Log; OK.)
FIGURE 16.8: Viewing the deleted logs
10. The deleted cookies information opens in Notepad.
(cookiescleaned - Notepad:
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM
(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM)
FIGURE 16.9: Deleted logs report
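What G-Zapper does in steps 4 and 10 amounts to a targeted deletion of rows from the browser's cookie store followed by a log entry. The script below is an added illustration, not code from G-Zapper or from the lab files: it builds a throwaway Firefox-style cookies.sqlite with a constructed, minimal moz_cookies table and made-up sample rows (the real Firefox schema has more columns), deletes every cookie scoped to google.com or one of its subdomains, and appends a line in the same "(Browser) path date" form as the cookiescleaned log in Figure 16.9. All function names and file paths are the example's own.

```python
import os
import sqlite3
import tempfile
from datetime import datetime

# Constructed, minimal version of Firefox's moz_cookies table (the real schema
# has more columns; only the ones needed here are kept).
SCHEMA = """
CREATE TABLE moz_cookies (
    id    INTEGER PRIMARY KEY,
    host  TEXT NOT NULL,
    name  TEXT NOT NULL,
    value TEXT NOT NULL,
    path  TEXT NOT NULL DEFAULT '/'
);
"""

# Constructed sample cookies: two Google tracking cookies and two unrelated ones.
# Firefox stores domain cookies with a leading dot in the host column.
SAMPLE_COOKIES = [
    (".google.com",     "PREF",    "ID=constructed-sample-id:TM=1346380933"),
    (".google.com",     "NID",     "62=constructed-sample-value"),
    ("www.example.com", "session", "abc123"),
    (".bing.com",       "SRCHUID", "V=2&GUID=constructed"),
]


def make_sample_db(path: str) -> None:
    """Create a cookies.sqlite lookalike at `path` holding SAMPLE_COOKIES."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO moz_cookies (host, name, value) VALUES (?, ?, ?)",
        SAMPLE_COOKIES,
    )
    con.commit()
    con.close()


def list_cookies(path: str, google_only: bool = False) -> list:
    """Return (host, name) pairs, optionally restricted to google.com cookies."""
    where = "WHERE host = 'google.com' OR host LIKE '%.google.com'" if google_only else ""
    con = sqlite3.connect(path)
    rows = con.execute(f"SELECT host, name FROM moz_cookies {where} ORDER BY id").fetchall()
    con.close()
    return rows


def zap_google_cookies(db_path: str, log_path: str, browser: str = "Firefox") -> int:
    """Delete every cookie scoped to google.com or a subdomain of it, append a
    log line in the '(Browser) path date' form of the cookiescleaned log, and
    return how many rows were removed. Close the browser first: Firefox holds
    a lock on cookies.sqlite while it is running."""
    con = sqlite3.connect(db_path)
    # LIKE '%.google.com' matches '.google.com' and 'www.google.com' but not
    # 'notgoogle.com', which a bare '%google.com' pattern would also catch.
    cur = con.execute(
        "DELETE FROM moz_cookies WHERE host = 'google.com' OR host LIKE '%.google.com'"
    )
    removed = cur.rowcount
    con.commit()
    con.close()
    stamp = datetime.now().strftime("%A, %B %d, %Y %I:%M:%S %p")
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"({browser}) {db_path} {stamp}\n")
    return removed


def run_demo() -> dict:
    """Build the sample store in a temporary directory, clean it, and report."""
    workdir = tempfile.mkdtemp(prefix="gzapper-demo-")
    db_path = os.path.join(workdir, "cookies.sqlite")
    log_path = os.path.join(workdir, "cookiescleaned.txt")
    make_sample_db(db_path)
    before = list_cookies(db_path, google_only=True)
    removed = zap_google_cookies(db_path, log_path)
    after = list_cookies(db_path, google_only=True)
    remaining = list_cookies(db_path)
    with open(log_path, encoding="utf-8") as fh:
        log_line = fh.read().strip()
    return {"before": before, "removed": removed, "after": after,
            "remaining": remaining, "log": log_line, "db_path": db_path}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Deleting the cookie only breaks the chain of searches up to that point; the next visit sets a fresh identifier, which is exactly what the Figure 16.4 message says. Note that on a real profile the deletion must be done with the browser closed, and that the script does not touch Chrome's Cookies file, whose schema differs.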
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: G-Zapper
Information Collected/Objectives Achieved: Action Performed: Detect the cookies; Delete the cookies; Block the cookies
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine how G-Zapper automatically cleans Google cookies.
2. Check to see if G-Zapper is blocking cookies on sites other than Google.
Internet Connection Required: Yes
Platform Supported: Classroom
Lab Scenario
In the previous lab you learned how you can detect, delete, and block cookies. Attackers exploit XSS vulnerabilities, which involve an attacker pushing malicious JavaScript code into a web page; when a user's browser loads the page with that malicious code in it, the browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript code (unless they are set with the HttpOnly flag), so the injected code can read a user's cookies and transmit those cookies to the attacker. As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields; encoding input and output; filtering metacharacters in the input; and using a web application firewall to block the execution of malicious script. Another method of vulnerability checking is to send crafted packets into a network using Colasoft Packet Builder. In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment
In this lab, you need:
- Colasoft Packet Builder located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
- A computer running Windows Server 2012 as host machine
- Windows 8 running on a virtual machine as target machine
- You can also download the latest version of Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- A web browser with Internet connection running in the host machine

Lab Duration
Time: 10 Minutes
Overview of Colasoft Packet Builder
Colasoft Packet Builder creates and enables custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that lets users edit specific protocol field values much more easily. Users are also able to edit decoding information in two editors, the Decode Editor and the Hex Editor, and to start from the provided templates (such as Ethernet Packet).
Lab Tasks
1. Install and launch Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 17.1: Windows Server 2012 - Desktop view
3. Click the Colasoft Packet Builder app to open the Colasoft Packet Builder window. (You can download Colasoft Packet Builder from http://www.colasoft.com.)
FIGURE 17.2: Windows Server 2012 - Apps
4. The Colasoft Packet Builder main window appears (menu: File, Import, Edit, Send, Help; panes: Packet List, Decode Editor, Hex Editor; status bar: Adapter, Packets, Selected, Total bytes).
FIGURE 17.3: Colasoft Packet Builder main screen
5. Before starting your task, check that the Adapter settings are set to default and then click OK.
(Select Adapter dialog: Adapter; Physical Address; Link Speed; Max Frame Size; IP Address: 10.0.0.1; Default Gateway; Adapter Status: Operational; OK / Cancel / Help.)
6. There are two ways to create a packet: Add and Insert. The difference between them is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added, but after the current packet if inserted. To add or create the packet, click Add in the menu section.
(Toolbar: File, Import, Export, Add, Insert, Edit, Send, Help; Decode Editor.)
7. When the Add Packet dialog box pops up, select the template and click OK.
Note: Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).
(Add Packet dialog: Select Template; Delta Time (Second); OK / Cancel / Help.)
FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box
8. You can view the added packets list on the right-hand side of your window (Packet List pane: Packets, Selected; Decode Editor).
FIGURE 17.7: Colasoft Packet Builder Packet List
9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.
(Decode Editor showing the template ARP packet, Num: 000001, Length: 64, Captured: 60 bytes:
Ethernet Type II [0/14]: Destination Address [0/6]: FF:FF:FF:FF:FF:FF; Source Address [6/6]: 00:00:00:00:00:00; Protocol [12/2]: 0x0806 (ARP)
ARP - Address Resolution Protocol [14/28]: Hardware Type: 1 (Ethernet); Protocol Type [16/2]: 0x0800; Hardware Address Length [18/1]: 6; Protocol Address Length [19/1]: 4; Opcode: 1 (ARP Request); Source Physical [22/6]: 00:00:00:00:00:00; Source IP [28/4]: 0.0.0.0; Destination Physical [32/6]: 00:00:00:00:00:00; Destination IP [38/4]: 0.0.0.0; Extra Data [42/18]: 18 bytes; FCS: 0xF577BDD9.)
10. To send the packets, click Send All from the menu bar.
11. The Send All Packets dialog window appears.
FIGURE 17.11: Colasoft Packet Builder Send All Packets
12. Click Start.
(Send All Packets dialog: Adapter: Select...; Burst Mode (no delay between packets); Loop Sending; Delay Between Loops: 1000 milliseconds; Total Packets; Start / Stop / Close / Help.)
FIGURE 17.12: Colasoft Packet Builder Send All Packets
13. To export the packets sent, from the File menu select File → Export → All Packets.
(File menu: Import..., Export → All Packets... / Selected Packets..., Exit; Save As dialog with file name Packets.cscpkt.)
FIGURE 17.15: Colasoft Packet Builder exporting packet
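The Decode Editor view in step 9 lists the fields and byte offsets of the template ARP packet. The script below is an added example, not code from Colasoft Packet Builder or the lab: it builds the same Ethernet II + ARP frame byte by byte with the Python standard library, decodes any such frame back into the (field, [offset/length], value) rows the editor shows, computes the CRC-32 that Ethernet uses for the FCS field, and adds the one check a defender wants when ARP poisoning is on the agenda: flagging an ARP reply whose sender MAC disagrees with a known IP-to-MAC mapping. Apart from the all-zero and broadcast addresses of the template, the addresses used (10.0.0.1 is the adapter address from step 5; the MACs and 10.0.0.20 are made up) are constructed for the demonstration.

```python
import struct
import zlib

# Values from the template frame shown in the Decode Editor.
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 0x0001
PTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_MIN_FRAME = 60            # minimum Ethernet frame length without the 4-byte FCS
BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"
NULL_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(opcode, src_mac=NULL_MAC, dst_mac=BROADCAST_MAC,
                    sender_mac=NULL_MAC, sender_ip="0.0.0.0",
                    target_mac=NULL_MAC, target_ip="0.0.0.0") -> bytes:
    """Return a 60-byte Ethernet II + ARP frame. With the defaults this is the
    Packet Builder ARP template: 14-byte Ethernet header, 28-byte ARP body,
    18 bytes of zero padding (the editor's "Extra Data")."""
    ethernet = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return (ethernet + arp).ljust(ETH_MIN_FRAME, b"\x00")


def decode_arp_frame(frame: bytes) -> list:
    """Decode an Ethernet/ARP frame into (field, '[offset/length]', value) rows
    in the order the Decode Editor lists them."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04X}")
    htype, ptype, hlen, plen, opcode = struct.unpack_from("!HHBBH", frame, 14)
    opname = {ARP_REQUEST: "ARP Request", ARP_REPLY: "ARP Reply"}.get(opcode, "Unknown")
    padding = len(frame) - 42
    return [
        ("Destination Address",     "[0/6]",  bytes_to_mac(frame[0:6])),
        ("Source Address",          "[6/6]",  bytes_to_mac(frame[6:12])),
        ("Protocol",                "[12/2]", f"0x{ethertype:04X} (ARP)"),
        ("Hardware Type",           "[14/2]", f"0x{htype:04X}" + (" (Ethernet)" if htype == HTYPE_ETHERNET else "")),
        ("Protocol Type",           "[16/2]", f"0x{ptype:04X}"),
        ("Hardware Address Length", "[18/1]", str(hlen)),
        ("Protocol Address Length", "[19/1]", str(plen)),
        ("Opcode",                  "[20/2]", f"{opcode} ({opname})"),
        ("Source Physical",         "[22/6]", bytes_to_mac(frame[22:28])),
        ("Source IP",               "[28/4]", bytes_to_ip(frame[28:32])),
        ("Destination Physical",    "[32/6]", bytes_to_mac(frame[32:38])),
        ("Destination IP",          "[38/4]", bytes_to_ip(frame[38:42])),
        ("Extra Data",              f"[42/{padding}]", f"{padding} bytes"),
    ]


def ethernet_fcs(frame: bytes) -> int:
    """CRC-32 over the frame, the algorithm Ethernet uses for the FCS field."""
    return zlib.crc32(frame) & 0xFFFFFFFF


def arp_reply_conflicts(frame: bytes, known: dict) -> bool:
    """Detection check: True if `frame` is an ARP reply that claims an IP in
    `known` (ip -> mac) with a different MAC, the signature of ARP poisoning."""
    opcode = struct.unpack_from("!H", frame, 20)[0]
    if opcode != ARP_REPLY:
        return False
    claimed_ip = bytes_to_ip(frame[28:32])
    claimed_mac = bytes_to_mac(frame[22:28]).lower()
    expected = known.get(claimed_ip)
    return expected is not None and expected.lower() != claimed_mac


if __name__ == "__main__":
    template = build_arp_frame(ARP_REQUEST)
    for field, span, value in decode_arp_frame(template):
        print(f"{field:<24}{span:<9}{value}")
    print(f"FCS: 0x{ethernet_fcs(template):08X}")
    # Constructed poisoning scenario: a reply claiming the gateway 10.0.0.1
    # from a MAC that is not the one the table knows for it.
    spoofed = build_arp_frame(ARP_REPLY, src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:AA:BB",
                              sender_mac="00:11:22:33:44:55", sender_ip="10.0.0.1",
                              target_mac="66:77:88:99:AA:BB", target_ip="10.0.0.20")
    print("conflict:", arp_reply_conflicts(spoofed, {"10.0.0.1": "AA:BB:CC:DD:EE:01"}))
```

The bytes returned by build_arp_frame are what Packet Builder hands to the adapter when you click Send All; the decoder is what the Hex Editor and Decode Editor do in reverse. The conflict check is deliberately stateless: a real monitor keeps the known table from DHCP leases or a switch's MAC table and raises an alert on the first mismatch rather than trusting the reply.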
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: Colasoft Packet Builder
Information Collected/Objectives Achieved:
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while you analyze your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on the software?
Internet Connection Required: No
Platform Supported: Classroom, iLabs
Lab Scenario
In the previous lab you used Colasoft Packet Builder. Attackers too scan the network and obtain specific information, and disrupt communication between hosts and clients by modifying system configurations or through the physical destruction of the network. As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventive measures to stop any additional unauthorized access. In this lab you will learn to use The Dude tool to scan the devices in a network; the tool will alert you when a monitored service on the network stops responding, which can be an early sign of an attack.
Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.
Lab Environment
To carry out the lab, you need:
- The Dude located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
- You can also download the latest version of The Dude from the link http://www.mikrotik.com/thedude.php
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- A computer running Windows Server 2012
- Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude
- Administrative privileges to run tools

Lab Duration
Time: 10 Minutes
Overview of The Dude
The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.
Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE: Windows Server 2012 - Desktop view
2. In the Start menu, to launch The Dude, click The Dude icon.
FIGURE 18.2: Windows Server 2012 - Start menu
3. The main window of The Dude will appear (title bar: admin@localhost - The Dude 4.0beta3).
FIGURE 18.3: Main window of The Dude
4. Click the Discover button on the toolbar of the main window.
FIGURE 18.4: Select discover button
5. The Device Discovery window appears.
(Device Discovery: Scan Networks: 10.0.0.0/24; Agent; Add Networks To Auto Scan; Black List; Device Name Preference: DNS, SNMP, NETBIOS, IP; Discovery Mode: fast (scan by ping) / reliable (scan each service); Recursive Hops; Discover / Cancel.)
FIGURE 18.6: Device discovery window
6. In the Device Discovery window, specify the network to scan (here 10.0.0.0/24), select default from the Agent drop-down list, select IP from the Device Name Preference list, and click Discover. The fast discovery mode (scan by ping) is quick but skips hosts that drop ICMP; the reliable mode (scan each service) finds those hosts too, at the cost of a longer scan.
7. Once the scan is complete, all the devices connected to the particular network will be displayed.
FIGURE 18.8: Overview of network connection
8. Select a device and place the mouse cursor on it to display the detailed information about that device.
FIGURE 18.9: Detailed information of the device
9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.
FIGURE 18.10: Selecting Local information
(The Dude log pane listing "Network Map Element changed" events for the Local map, with the Address Lists, Agents, Devices, Files, Functions, History Actions, Links, Logs, Network Maps, Networks, Notifications, Panels, Probes, Services and Tools entries in the left-hand tree.)
FIGURE 18.11: Scanned network complete information
11. As described previously, you may select all the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the disconnect button.
(The Dude main window after scanning: the network map shows each discovered host with its CPU, memory and disk usage.)
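Steps 4 through 7 boil down to a sweep of every address in the scan network, a liveness probe per address in the chosen discovery mode, and a naming pass that tries the sources in the Device Name Preference order. The script below is an added example and not code from The Dude or the lab: it implements that loop with the Python standard library against a constructed inventory that stands in for the 10.0.0.0/24 lab network (all hosts, names and service states in it are made up; one host answers on TCP/80 but drops ICMP, so the fast and reliable modes return different results). The probe and resolver functions are the example's own; against a real network you would replace them with a ping via subprocess, a TCP connect via socket.create_connection, and a reverse lookup via socket.gethostbyaddr.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Name sources in the order The Dude's default "Device Name Preference" lists them.
DEFAULT_NAME_PREFERENCE = ("DNS", "SNMP", "NETBIOS", "IP")

# Constructed lab inventory standing in for the real 10.0.0.0/24. Everything
# here is made up for the example: 10.0.0.20 answers on TCP/80 but drops ICMP.
LAB_HOSTS = {
    "10.0.0.1":  {"ping": True,  "services": {"snmp": True, "http": False},
                  "dns": "gateway.lab.local", "snmp": "Gateway-Router", "netbios": None},
    "10.0.0.5":  {"ping": True,  "services": {"snmp": False, "http": True},
                  "dns": None, "snmp": None, "netbios": "WIN-ADMIN01"},
    "10.0.0.20": {"ping": False, "services": {"snmp": False, "http": True},
                  "dns": None, "snmp": None, "netbios": None},
}


def ping_probe(ip: str) -> bool:
    """'fast (scan by ping)': the host counts as up only if it answers ICMP."""
    return LAB_HOSTS.get(ip, {}).get("ping", False)


def service_probe(ip: str) -> bool:
    """'reliable (scan each service)': up if ICMP or any probed service answers."""
    host = LAB_HOSTS.get(ip)
    return bool(host) and (host["ping"] or any(host["services"].values()))


def _inventory_resolver(key: str) -> Callable[[str], Optional[str]]:
    return lambda ip: LAB_HOSTS.get(ip, {}).get(key)


LAB_RESOLVERS = {
    "DNS": _inventory_resolver("dns"),          # stands in for a reverse DNS (PTR) lookup
    "SNMP": _inventory_resolver("snmp"),        # stands in for sysName over SNMP
    "NETBIOS": _inventory_resolver("netbios"),  # stands in for a NetBIOS name query
}


def discover(network: str, is_alive: Callable[[str], bool],
             resolvers: Dict[str, Callable[[str], Optional[str]]],
             preference=DEFAULT_NAME_PREFERENCE) -> List[dict]:
    """Sweep every host address in `network`, keep the ones `is_alive` reports,
    and name each from the first source in `preference` that answers. "IP"
    always answers with the address itself, so a preference of ("IP",) is the
    step-6 setting: addresses only, no name lookups."""
    devices = []
    for host in ipaddress.ip_network(network, strict=False).hosts():
        ip = str(host)
        if not is_alive(ip):
            continue
        name, source = ip, "IP"
        for src in preference:
            if src == "IP":
                break
            resolver = resolvers.get(src)
            answer = resolver(ip) if resolver else None
            if answer:
                name, source = answer, src
                break
        devices.append({"ip": ip, "name": name, "name_source": source})
    return devices


if __name__ == "__main__":
    for mode, probe in (("fast", ping_probe), ("reliable", service_probe)):
        print(f"{mode} mode:")
        for dev in discover("10.0.0.0/24", probe, LAB_RESOLVERS):
            print(f"  {dev['ip']:<12} {dev['name']} (via {dev['name_source']})")
```

The difference between the two modes is the point of the exercise: a ping sweep is what the fast mode does, and any host whose firewall drops ICMP (a common Windows default for inbound echo requests) is invisible to it, which is why a monitoring baseline should be built with the reliable mode or with explicit service probes.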
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: The Dude
Information Collected/Objectives Achieved: IP Address Range: 10.0.0.0/24; Device Name Preferences: DNS, SNMP, NETBIOS, IP; Output: list of connected systems and devices in the network
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.