CEH v8 Labs Module 03 Scanning Networks PDF

CEH Lab Manual
S c a n n i n g
N e t w o r k s M o d u le 03
M o d u le 0 3 - S c a n n in g N e tw o rk s
S c a n n in g a T a r g e t N e tw o rk
S c a n n in g a n e tw o rk re fe rs to a s e t o f p ro c e d u re s fo r id e n tify in g h o s ts , p o /ts , a n d s e rv ic e s ru n n in g in a n e tw o rk .
L a b S c e n a r io
I CON KEY
Valuable information s Test your knowledge Web exercise Workbook review
H Q
Vulnerability scanning determines the possibility of network security attacks. It evaluates the organizations systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list die direats and vulnerabilities found in an organizations network and perform port s c a n n in g , n e tw o rk s c a n n in g , and v u ln e ra b ility s c a n n in g ro identify IP/hostname, live hosts, and vulnerabilities.
L a b O b j e c t iv e s
The objective of diis lab is to help students in conducting network scanning, analyzing die network vulnerabilities, and maintaining a secure network. You need to perform a network scan to: Check live systems and open ports Perform banner grabbing and OS fingerprinting Identify network vulnerabilities Draw network diagrams of vulnerable hosts
ZZ7 T o o ls d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s
L a b E n v ir o n m e n t
111
die lab, you need: A computer running with W in d o w s S e r v e r 2 0 1 2 , W in d o w s W in d o w s 8 or W in d o w s 7 with Internet access A web browser Admiiiistrative privileges to run tools and perform scans
S e rv e r 2008.
L a b D u r a t io n
Time: 50 Minutes
O v e r v ie w o f S c a n n in g N e t w o r k s
Building on what we learned from our information gadiering and threat modeling, we can now begin to actively query our victims for vulnerabilities diat may lead to a compromise. We have narrowed down our attack surface considerably since we first began die penetration test with everydiing potentially in scope.
C E H Lab M anual Page S5
E th ic a l H ackin g and Counterm easures Copyright by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.
Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. 111 fact even a seemingly harmless misconfiguration can be the nuiiing point in a penetration test that gives up the keys to the kingdom. For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then die risk associated with the anonymous read option is minimal. On die other hand, if you are able to read the entire file system using die anonymous FTP account, or possibly even worse, someone lias mistakenly left die customer's trade secrets in die FTP directory that is readable to die anonymous user; this configuration is a critical issue. Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of diem. As we will see in diis module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. 1 1 1 diis module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.
Lab T asks TASK Overview 1
Pick an organization diat you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in scanning networks: Scanning System and Network Resources Using A d v a n c e d
IP S c a n n e r ID S e r v e
Banner Grabbing to Determine a Remote Target System Using
Fingerprint Open Ports for Running Applications Using the A m a p Tool Monitor TCP/IP Connections Using die C u r r P o r t s Scan a Network for Vulnerabilities Using G F I _/ Ensureyouhave L readyacopyof the additional readings handed out for this lab. Explore and Audit a Network Using N m ap Scanning a Network Using die
N e t S c a n T o o ls Pro LA N S u rv ey o r Tool
L an G u ard 2 0 1 2
Drawing Network Diagrams Using Mapping a Network Using the Scanning a Network Using die
F r ie n d ly P in g e r N essu s
Tool
Auditing Scanning by Using G lo b a l Anonymous Browsing Using P r o x y
N e tw o rk In v e n to ry S w it c h e r
C E H Lab M anual Page 86
E th ic a l H ackin g and Counterm easures Copyright by EC-Council AB Rights Reserved. Reproduction is Strictly Prohibited.
Daisy Chaining Using P r o x y
W o rk b e n c h
HTTP Tunneling Using H T T P o r t Basic Network Troubleshooting Using the

M e g a P in g
Detect, Delete and Block Google Cookies Using G -Z a p p e r Scanning the Network Using the
C o la s o f t P a c k e t B u ild e r Dude
Scanning Devices in a Network Using T h e

L a b A n a ly s is
Analyze and document die results related to die lab exercise. Give your opinion on your targets security posture and exposure duough public and free information.
P LEA S E T A LK TO YO U R IN S T R U C T O R IF YOU H A V E Q U ES T IO N S R E L A T E D TO TH IS LAB.
S c a n n in g S y s te m a n d N e tw o rk R e s o u r c e s U s in g A d v a n c e d IP S canner
I CON KEY
-A d v a n c e d IP S c a n n e r is a fr e e n e tir o r k s c a n n e r th a t g iv e s y o n v a rio u s ty p e s o f
/ = Valuable information Test your knowledge Web exercise Workbook review
in fo rm a tio n re g a rd in g lo c a l n e tir o r k c o m p u te rs .
C Q
this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
111
l J
T o o ls
The objective of this lab is to help students perform a local network scan and discover all the resources 011 die network. You need to: Perform a system and network scan Enumerate user accounts Execute remote penetration Gather information about local network computers
d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s
Q Y oucanalso dow nloadA dvancedIP Scanner from http:/1w w w .advanced-ipscanner.com .
111
die lab, you need: Advanced IP Scanner located at Z:\\C EH v8

M od ule 0 3 S c a n n in g N e tw o rk s\ S c a n n in g T o o ls A d v a n c e d IP S c a n n e r
You can also download the latest version of A d v a n c e d from the link http://www.advanced-ip-scanner.com
IP S c a n n e r
/ 7A dvancedIPScanner w orks onW indow sS erver 2003/ Server 2008andon W indow s 7(32bit, 64bit).
If you decide to download the in the lab might differ A computer running W in d o w s
8
la t e s t v e r s io n ,
then screenshots shown
as die attacker (host machine)

se rve r 2008
Another computer running W in d o w s machine) A web browser widi In te rn e t

access
as die victim (virtual
Double-click ip s c a n 2 0 .m s i and follow die wizard-driven installation steps to install Advanced IP Scanner
A d m in is tra tiv e
privileges to run diis tool
Time: 20 Minutes
O v e r v ie w o f N e t w o r k S c a n n in g
Network scanning is performed to c o lle c t in fo rm a tio n about liv e s y s t e m s , open ports, and n e tw o rk v u ln e ra b ilitie s. Gathered information is helpful in determining t h r e a t s and v u ln e r a b ilitie s 111 a network and to know whether there are any suspicious or u n a u th o rize d IP connections, which may enable data theft and cause damage to resources.
Lab T asks
S T A S K 1
1. Go to S ta r t by hovering die mouse cursor in die lower-left corner of die desktop
L a u n c h in g A d v a n c e d IP Scann er
FIG U R E1 .1 :W indow s8- D esktopview 2. Click A d v a n c e d (Windows 8).

IP S c a n n e r
from die S ta r t menu in die attacker machine
E th ic a l H ackin g and Counterm easures Copyright O by E C Coundl A ll Rights Reserved. Reproduction is Strictly Prohibited
S ta rt
Admin ^
WinRAR
Mozilla Firefox
Command
Prompt
it t
Fngago Packet b uilder
Nc m
2*
C om puter
m W ithA dvancedIP Scanner, youcanscan hundreds ofIP addresses sim ultaneously.
M icrosoft Clip O rganizer
Advanced IP Scanner
Sports
tS
C ontrol Panel
i i i l i l i
m
M icrosoft O ffice 2010 Upload...
finance
FIG U R E1 2. W indow s8- A pps 3. The A d v a n c e d

IP S c a n n e r
main window appears.
Y oucanw ake any m achinerem otelyw ith A dvancedIP Scanner, if theW ake-onLA Nfeature is supportedbyyour netw orkcard.
FIG U R E1 3 :T heA dvancedIPS cannerm ainw indow 4. Now launch die Windows Server 2008 virtual machine (v ic tim s
m a c h in e ).
L _/ Y ouhaveto guess a rangeof IP address of victimm achine.
iik
jf f lc k 10:09 F MJ
FIG U R E1 .4 :T hevictimm achineW indow sserver2 008

a R adm in2.xand3.x Integrationenableyouto connect (ifR adm inis installed) to rem ote com puters w ithjust one dick.
5. Now, switch back to die attacker machine (Windows 8) and enter an IP address range in die S e le c t ra n g e field. 6. Click die S c a n button to start die scan.
The status of scanis show nat the bottomleft sideofthew indow .
7.
A d v a n c e d IP S c a n n e r
displays the s c a n
scans all die IP addresses within die range and r e s u lt s after completion.
E th ic a l H ackin g and Counterm easures Copyright O by E C Counc11 A ll Rights Reserved. Reproduction is Strictly Prohibited
L ists of com puters savingandloadingenable youtoperformoperations w ithaspecificlist of com puters.Just savealist ofm achines youneedand A dvancedIPScanner loads it at startupautom atically.
A d v a n c e d IP Scanner
File Actions Settings View Heip
J
R esits
Scar'
Jl
r=k=3 r f t o
IP c d id 3? f i l :
Like us on 1 Facebook
1 0 .0 .0 .1 1 0 .0 .0 .1 0
| Favorites | Status 0
w
15
r
10.0.0.1 WIN-MSSELCK4K41 WINDOWS# WIN*LXQN3WR3R9M WIN-D39MR5H19E4 10.0.a1
Manufacturer Nlctgear, Inc. Dell Inc Microsoft Corporation M icrosoft Corporation Dell Inc
MAC address 00:09:5B:AE:24CC DO:67:ES:1A:16:36 00: 5:5D: A8:6E:C6
> * &
10 .0.a2
10.0.03 10.0.05 10.0.07
00:15:5D:A8:&E:03 D4:3E.-D9: C3:CE:2D
m G roup O perations: A nyfeatureofA dvanced IP Scanner can beused w ithanynum ber of selectedcom puters. For exam ple, youcanrem otely shut dow nacom plete com puter classw ithafew dicks.
5a iv*, 0 dJ0, S unknown
FIG U R E1 .6 :TheA dvancedIPS cannerm ainw indowafterscanning 8. You can see in die above figure diat Advanced IP Scanner lias detected die victim machines IP address and displays die status as alive
M T A S K 2
9. Right-click any of die detected IP addresses. It will list Wake-On-LAN. Shut down, and Abort Shut d o w n
Extract Victim s IP Address Info
5
F ie A ctions Settings View Helo Scan
A d v a n c e d IP Scanner
II
ip c
u u
*sS:
W i
Like us on Facebook
1 0 .0 .0 .1 1 0 .0 .0 .1 0
Resuts Status Favorites | Name
IHLMItHMM,
WINDOWS8
1 0 .0 .0 .1
t* p ore Copy
1 0 . 0 . 0 1 1
to ru fa c tu re r Netgear. In c M icrosoft Corporation M icrosoft Corporation Dell Inc
MAC address
00:09:5B:AE:24CC D0t67:E5j1A:1636 0:15 :U: A8:ofc:Ot> 00:15:SD:A8:6E:03 CW:BE:D9:C3:CE:2D
hi
WIN-LXQN3WR3 WIN D39MR5HL<
Add to Favorites' Rescan selected Sive selected... WdkeO nLAN Shut dcwn... Abort shut dcwn
W ake-on-L A N :Y ou canw akeanym achine rem otelyw ithA dvancedIP Scanner, ifW ake-on-LA N featureis supportedby your netw orkcard.
a
Radrnir 5 alive. 0 dead, 5 unknown
FIG U R E1 .7 :T heA dvancedIPS cannerm ainw indoww ithA liveH ost list 10. The list displays properties of the detected computer, such as IP address. N a m e , M A C , and N e t B I O S information. 11. You can forcefully Shutdown, Reboot, and Abort S h u t d o w n die selected victim machine/IP address
E th ic a l H ackin g and Counterm easures Copyright O by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
& File Actions Settings View Help
m si *
S h u td o w n o p tio n s
r
Scan
Use Vtindcms authentifcation
J!] . ]
Jser narre:
9essM ord:
Like us on Facebook
W infingerprint Input O ptions: IPR ange (N etm askand InvertedN etm ask supported) IPL istS m gle H ost N eighborhood
11 0.0.0.1-100.0.10 Results | Status a Favorites |
rn e o c t (sec): [60 Message: Name 1a0.0.1 WIN-MSSELCK4K41 W IND O W S WIN-LXQN3WR3R9M WIN-D39MR5HL9E4 jre r MAC address 00;C9;5B:AE:24;CC
D0:67:E5:1A:16:36
It ion It ion 00:15:3C:A0:6C:06 00:13:3D:A8:6E:03 D4:BE:D9:C3:CE:2D
$ a
Forced shjtdo/vn
f " Reooot
S alive, Odcad, 5 unknown
FIG U R E1 .8 :TheA dvancedIPS cannerC om puterpropertiesw indow 12. Now you have die machine.
IP address. Nam e,
and other
details
of die victim
13. You can also try Angry IP scanner located at
D:\CEH-Tools\CEHv8
Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner
It
also scans the network for machines and ports.

L a b A n a ly s is
Document all die IP addresses, open ports and dieir running applications, and protocols discovered during die lab. Tool/U tility Information Collected/Objectives Achieved Scan Information: Advanced IP Scanner IP address System name MAC address NetBIOS information Manufacturer System status
P L E A S E T A LK TO YO UR IN S T R U C T O R IF YOU H A V E Q U ES T IO N S R E L A T E D TO TH IS LAB.
Q u e s t io n s
1. Examine and evaluate the IP addresses and range of IP addresses.
Internet Connection Required Yes Platform Supported 0 Classroom 0 iLabs 0 No
Eth ica l H ackin g and Counterm easures Copyright by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
B a n n e r G ra b b in g t o D e te r m in e a R e m o t e T a r g e t S y s t e m u s i n g ID S e rv e
ID S S e rv e is u s e d to id e n tify th e m a k e , ///o d e /, a n d v e rs io n o f a n y w e b s ite 's s e rv e r s o fh v a re .
I CON
KEY
Valuable information
y*
Test your knowledge Web exercise
1 1 1 die previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer flow, SQL injection, and web application on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them and crack into die network and cause server damage. Therefore, it is extremely important for penetration testers to be familiar widi banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine die role of servers within a network. 111 diis lab, you will learn die banner grabbing technique to determine a remote target system using ID Serve.
Workbook review
The objective of diis lab is to help students learn to banner grabbing die website and discover applications running 011 diis website.
111
O T o o ls
diis lab you will learn to: Identify die domain IP address Identify die domain information
d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s
To perform die lab you need: ID Server is located at D :\ C E H -T o o ls \ C E H v 8

N e t w o r k s \ B a n n e r G ra b b in g T o o ls \ ID S e r v e M o d u le 0 3 S c a n n in g
You can also download the latest version of ID http: / / www.grc.com/id/idserve.htm If you decide to download the in the lab might differ
S e rv e
from the link
Double-click id s e r v e to run
ID S e r v e S e rv e
Administrative privileges to run die ID Run this tool on W in d o w s

tool
S erv er 2012
Time: 5 Minutes
O v e r v ie w o f ID S e r v e
ID Serve can connect to any s e r v e r po rt on any d o m a in or IP address, then pull and display die server's greeting message, if any, often identifying die server's make, model, and v e r s io n , whether it's for F T P , SMTP, POP, NEWS, or anything else.
Lab T asks TASK 1
1. Double-click id s e r v e located at D :\C E H -T o o ls\C E H v 8

N e tw o rk s\ B a n n e r G ra b b in g T o o ls\ID S e r v e
M o d u le 0 3 S c a n n in g
Id en tify w e b s it e s e r v e r in fo rm atio n
2. 1 1 1 die main window of ID S e v e r Q u e ry tab

0
S erv e
show in die following figure, select die

- r o
ID Serve
ID Serve
Background
In te rn e tServer Id e n tific a tio nU tility ,vl .0 2 Personal SecurityFreew arebySteveG ib so n

Copyright (c) 2003 by Gibson Research Corp
Server Query | Q&A/Help
ri
Enter
01
copy / paste an Internet server URL 0 * IP address here (example www rmcrosoft com)
r!
Server
Queiy The Server
When an Internet URL or IP has been provided above press this button to rwtiate a query of the speahed server
If anIPaddressis enteredinsteadof aU R L , IDServew ill attem pt to determ ine thedom ain nam e associatedw iththe IP
^ 4
Copy
The server identified <se* as
goto ID Serve web page
E*it
FIG U R E21: M ainw indowofIDS erv e 3. Enter die IP address 01URL address in E n t e r o r C o p y /p a ste
s e r v e r U R L o r IP a d d r e s s h e re : a n In te rn a l
ID Serve
ID Serve
Background
Entei or copy
In tern et Server IdentificationU tility, vl .0 2 Personal SecurityFreeware bySteve G ibson C o p y rig h t(c) 2 0 0 3b yG ib s o nR e s e a rc hC o r p .
Server Q uery I Q&A/tjelp
I paste an Internet serve* URL or IP adtfress here (example
www microsoft com)
^ [w w w certifiedhacker com [
IDServecanaccept the U R Lor IP as a com m and-lineparam eter
Query T h e S w v e i
W h e n an Internet URL 0* IP has been piovided above, piess this button to initiate a query 01 the s p e c fo d server
(%
Server query processing
The server identified itse l as
Copy
G oto ID S eive web page
Ejjit
FIG U R E22 E nteringdieU R Lforquery 4. Click Query The Server; it shows server query processed information
ID Serve
, m x
ID Serve
Background
In tern etServer IdentificationU tility, vl .0 2 Personal SecurityFreeware bySteve G ibson C o p y rig h t(c) 2 0 0 3b yG ib s o nR e s e a rc hC o fp
Server Query | Q&A/Help
< T | www.certifiedhacker.com|
Enter or copy / paste an Internet seivef URL or IP address here (example www mc10s0ft com)
Q IDServecanalso connect w ithnon-w eb servers toreceiveand report that server'sgreeting m essage. Thisgenerally reveals the server's m ake, m odel, version, andother potentiallyuseful inform ation.
r2 [
Query The Server
W h e n an Internet URL 0* IP has been piovided above, press this button to initiate a queiy of the speafied server
(3
Seiver query processing
In itia tin gserverq u e ry Lo o k in gu pIPaddressfo rd o m a in w w wcertified h ackerc o m T h eIPaddressfo rth ed o m a inis 2 0 2 .7 55 41 0 1 C o n n e c tin gtoth eservero nsta n d a rdHTTPp o rt: 8 0 C o n n ected ]R eq u estin gth eserver's d e fa u ltp ag e
The server identrfied itse l as
M ic r o s o f t - I I S / 6 . 0
Copy
Goto ID Serve web page
Exit
FIG U R E23: S erverprocessedinform ation
L a b A n a ly s is
Document all die IP addresses, dieir running applications, and die protocols you discovered during die lab.
Tool/U tility
Information Collected/Objectives Achieved IP address: 202.75.54.101 Server Connection: Standard HT1P port: 80 Response headers returned from server:
ID Serve
H TTP/1.1 200 Server: Microsoft-IIS/6.0 X-Powered-By: PHP/4.4.8 Transfer-Encoding: chunked Content-Type: text/html
PLEA SE T A LK TO YOUR IN S T R U C T O R IF YOU H AV E R E L A T E D TO TH IS LAB.
QUESTIONS
Q u e s t io n s
1. Examine what protocols ID Serve apprehends. 2. Check if ID Serve supports https (SSL) connections. Internet Connection Required Yes Platform Supported 0 Classroom 0 iLabs 0 No
Eth ica l H ackin g and Counterm easures Copyright by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.
F in g e rp r in tin g O p e n P o r ts U s in g t h e A m ap Tool
.- b n a p d e te rm in e s a p p lic a tio n s ru n n in g o n e a c h o p e n p o r t.
I CON KEY
2 ^
Valuable information Test vour knowledge
g
Q
Web exercise Workbook review
Computers communicate with each other by knowing die IP address in use and ports check which program to use when data is received. A complete data transfer always contains the IP address plus the port number required. 1 1 1 the previous lab we found out that die server connection is using a Standard HTTP port 80. If an attacker finds diis information, he or she will be able to use die open ports for attacking die machine. 1 1 1 this lab, you will learn to use the Amap tool to perform port scanning and know exacdy what a p p lic a t io n s are running on each port found open.
C 5 T o o ls d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s
The objective of diis lab is to help students learn to fingerprint open ports and discover applications 11 inning on diese open ports. hi diis lab, you will learn to: Identify die application protocols running on open ports 80 Detect application protocols
To perform die lab you need: Amap is located at

D :\ C E H -T o o ls \ C E H v 8 M o d u le 0 3 S c a n n in g N e t w o r k s \ B a n n e r G ra b b in g T o o lsV A M A P
You can also download the latest version of A M A P from the link http: / / www.thc.org dic-amap. If you decide to download the in the lab might differ
A computer running Web Services enabled for port Administrative privileges to run die A m a p tool Run this tool on W in d o w s
S e rv e r 2012
80
Time: 5 Minutes
O v e r v ie w o f F in g e r p r in t in g
Fingerprinting is used to discover die applications running on each open port found 0x 1 die network. Fin g erp rin tin g is achieved by sending trig g e r p a c k e t s and looking up die responses in a list of response strings.
at T A S K
Id en tify A p p lic a tio n P ro to c o ls R u n n in g on P o rt 8 0
Lab T asks
1. Open die command prompt and navigate to die Amap directory. 1 1 1 diis lab die Amap directory is located at D :\C E H -T o o ls\C E H v 8 M od ule 0 3 S c a n n in g
N e tw o rk s\ B a n n e r G ra b b in g T o o ls\A M A P
2. Type a m a p
33
w w w .c e r t if ie d h a c k e r .c o m 8 0 ,
and press E n te r.
Administrator: Command Prompt
[D :\ C E H ~ T o o ls \C E H u 8 M o d u le 03 S c a n n i n g N e t w o r k \ B a n n e r G r a b b i n g T o o l s \A M A P > a n a p uw [u . c e r t i f i o d h a c h e r . c o m 80 Anap 0 5 . 2 <w w w . t h e . o r g / t h c - a n a p ) s t a r t e d a t 2 0 1 2 - 0 8 - 2 8 1 2 : 2 0 : 4 2 - MAPPING modo Jn id en tifie d p o rts: 2 0 2 . ? 5 . 5 4 .1 0 1 : 8 0 / t c p < t o t a l 1>.
M ap 0 5 .2 f i n i s h e d a t 2012-08-28 1 2 :2 0 :5 3 D :\ C EH -T 0 0 1 s \C E H 08 M o d u le 03 S c a n n i n g N e t w o r k \ B a n n e r G r a b b i n g Tool s\AMAP>
Syntax: am ap [-A| B| -P|-W ] [-1buSR H U dqv] [[-m ] -o <file>] [-D<file>] [t/T sec] [-c cons] [-Cretries] [-pproto] [i <file>] [target port [port]...] FIG U R E3 .1 :A m apw ithhostnam ew w w .ce1tifiedl1ack e1.com w ithPort S O 3. You can see die specific a p p lic a tio n protocols running 011 die entered host name and die port 80. 4. Use die IP
a d d re ss
to check die applications running on a particular port.
5. 1 1 1 die command prompt, type die IP address of your local Windows Server 2008(virtual machine) a m a p 1 0 .0 .0 .4 75-81 (lo c a l W in d o w s S e r v e r 2 0 0 8 ) and press E n t e r (die IP address will be different in your network). For A m apoptions, type am ap-help. 6. Try scanning different websites using different ranges of switches like amap www.certifiedhacker.com 1-200
D :\ C E H -T o o ls \C E H u 8 Module 03 S c a n n i n g N e t w o r k \ B a n n e r G r a b b i n g Tools\AMAP>amap I f . 0 . 0 . 4 75-81 laroap v 5 . 2 <w w w . t h c . o r g / t h c - a n a p ) s t a r t e d a t 2 0 1 2 - 0 8 - 2 8 1 2 : 2 7 : 5 1 - MAPPING mode P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p n a t c h e s h t t p P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p n a t c h e s h t t p - a p a c h e - 2 W arn in g : C ould n o t c o n n e c t t o 1 0 . 0 . 0 . 4 : 7 6 / t c p , d i s a b l i n g
KN>
C om piles on all U N IX basedplatform s - even M acO SX ,C ygw inon W indow s, A R M -L inuxand Palm O S
p o r t <EUN p o r t <EUN p o r t <EUN p o r t <EUN p o r t <EUN
W a rn in g : C ould n o t c o n n e c t 
1 0 .0 .0 .4 :7 5 /tc p , d isab lin g 1 0 .0 .0 .4 :7 7 /tc p , d isab lin g
K H > W arning: K N > K N >
W arn in g : Could n o t c o n n e c t to
Could n o t c o n n e c t ( u n r e a c h a b l e ) to 1 0 . 0 . 0 . 4 : 7 8 / t c p , d i s a b l i n g 1 0 .0 .0 .4 :7 9 /tc p , d isab lin g
W a rn in g : C ould n o t c o n n e c t t o |KN> W arn in g : C ould n o t c o n n e c t t o P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p n a t c h e s h t t p - i i s P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p n a t c h e s webmin
1 0 . 0 . 0 . 4 : 8 1 / t c p , d i s a b l i n g p o r t <EUN
U n id e n tified p o rts : 1 0 .0 .0 .4 :7 5 /tc p 1 0 .0 .0 .4 :7 6 /tc p 1 0 .0 .0 .4 :7 7 /tc p 1 0 .0 .0 .4 :7 8 / kcp 1 0 .0 .0 .4 :7 9 / t c p 1 0 .0 .0 .4 :8 1 /tc p < to t a l 6>. Linap v 5 . 2 f i n i s h e d a t 2 0 1 2 - 0 8 - 2 8 1 2 : 2 7 : 5 4 b : \ C E H - T o o l s \ C E H v 8 Module 03 S c a n n i n g N e tw o r k N B a n n e r G r a b b i n g Tools\AMAP>
FIG U R E3 .2 :A m apw ithIPaddressandw ithrangeofsw itches7 3 -8 1

L a b A n a ly s is
Document all die IP addresses, open ports and dieir running applications, and die protocols you discovered during die lab. Tool/U tility Information Collected/Objectives Achieved Identified open port: 80 WebServers: 11ttp-apache2 http-iis webmin Amap Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp
P L E A S E T A LK TO YO UR IN S T R U C T O R IF YOU H A V E Q U ES T IO N S R E L A T E D TO TH IS LAB.
Q u e s t io n s
1. Execute the Amap command for a host name with a port number other than 80. 2. Analyze how die Amap utility gets die applications running on different machines. 3. Use various Amap options and analyze die results. Internet Connection Required
0 Y es
No
Platform Supported 0 Classroom iLabs
M o n ito r in g T C P /IP C o n n e c t i o n s U s in g t h e C u r r P o r ts T o o l
C u n P o r ts is n e tw o rk m o n ito rin g s o fh ia re th a t d is p la y s th e lis t o f a ll c u r re n tly o p e n e d T C P / IP a n d U D P p o r ts o n y o u r lo c a l c o m p u te r.
I CON K E Y
Valuable information Test your knowledge
111 the previous lab you learned how to check for open ports using the Amap tool. As an e t h ic a l h a c k e r and p e n e t r a t io n t e s t e r , you must be able to block such attacks by using appropriate firewalls or disable unnecessary services running 011 the computer. You already know that the Internet uses a software protocol named T C P / IP to format and transfer data. A11 attacker can monitor ongoing TCP connections and can have all the information in the IP and TCP headers and to the packet payloads with which he or she can hijack the connection. As the attacker has all die information 011 the network, he or she can create false packets in the TCP connection. As a
a d m in is tra to r., your daily task is to check the T C P / IP of each server you manage. You have to m o n ito r all TCP and UDP ports and list all the e s t a b lis h e d IP a d d r e s s e s of the server using the C u r r P o r t s tool. n etw o rk c o n n e c t io n s
w
m
C J T o o ls d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s
The objective of diis lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.
111
in this lab, you need to: Scan the system for currently opened Gather information 011 die List all the
IP a d d r e s s e s p o r ts T C P / IP
and
UDP
ports
and
p ro cesses
that are opened
that are currendy established connections
Close unwanted TCP connections and kill the process that opened the ports
C E H Lab M anual Page 103 E th ic a l H ackin g and Counterm easures Copyright by EC-Council AB Rights Reserved. Reproduction is Strictly Prohibited.
To perform the lab, you need: CurrPorts located at

D :\ C E H -T o o ls \ C E H v 8 M o d u le 0 3 S c a n n in g N e t w o r k s \ S c a n n in g T o o ls \ C u r r P o r t s
You can also download the latest version of http: / / www.nirsoft.11e t/utils/cports.html If you decide to download the in the lab might differ
C u rrP o rts
from the link
A computer running W in d o w s CuuPorts tool from http://w w w .nirsoft.net.

a Y oucandow nload
S erv er 2012
Double-click c p o r t s .e x e to run this tool Administrator privileges to run die

C u rrP o rts
tool
Time: 10 Minutes
O v e r v ie w M o n it o r in g T C P / IP
Monitoring TCP/IP ports checks if there are m u ltip le IP connections established Scanning TCP/IP ports gets information on all die opened T C P and U D P ports and also displays all established IP addresses on die server.
Lab T asks
The CurrPorts utility is a standalone executable and doesnt require any installation process or additional DLLs (Dynamic Link Library). Extract CurrPorts to die desired location and double click c p o r t s .e x e to launch.
TASK 1
1. Launch C u r r p o r t s . It a u t o m a t ic a lly d is p l a y s the process name, ports, IP and remote addresses, and their states.
C urrP orts
File Edit View Option* Help
D is c o v e r T C P /IP C o n n e c tio n
r 1 1 *
xSDv^!taer4*a-*
Process Na.. ( T enrome.ere f
f
Proces...
Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP
L ocal... 4119 4120 4121 4123 414S 3981 3982 4013 4163 4166 4168 1070 1070 1028 1028
Loc-
Local Address 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.0.0.1 127.0.0.1 10.0.0.7 100.0.7 100.0.7 100.0.7 aaao
Rem... 80 80 80 80 443 3982 3981 443 443 443 443
Rem... h ttp h ttp h ttp h ttp https
R e rc te Address 173.194.36.26 173.194.3626 173.194.3626 215720420 173.194 3626 12700.1 12700.1
Remote Host Nam bcm04501 -in f26.1 bcmOisOl -in-f26.1 bom04501in f26.1 a23-57-204-20.dep bom04501 -in-f26.1 WIN-D59MR5HL9F WIN-D39MR5HL9E bom01t01-in-f22.1 bom04!01 in f15.1 bcm04501 -in-f0.1 gra03s05in-f15.1e
2 m
2988 2988
<+1 rome.ere chrome.ere chrome.exe
2 m 2 m
1368 1368 1368 1368 1368 1368 1000 1800 564
CT chrome.exe ^ f i r t f c x ere
fir fc x x ( fir fc x (
fircfcx.cxc f1 rcfcxc.cc
https h ttp j h ttp j h ttp ;
173.1943622 173.194.36.15 173.194.360 74.125234.15 0.0.0.0 = 0.0.0.0 =
firef cx c<c \s , httpd.exe \th ttp d .e x e Q lsass.occ
0.0.0.0
3 l 5 5 a e 564 ____ _____ <1 1 1
T
NirSoft Freeware. ht1p;/AnrAv.rirsoft.net
>
7 9 ~ctal Ports. 2 1 Remote Connections. 1Selected
E th ic a l H ackin g and Counterm easures Copyright by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
FIG U R E4.1 :T lieC urrP ortsm ainw indoww ithallprocesses, ports, andIPaddresses / /C urrPorts utilityis a standaloneexecutable, w hichdoesn't requireany installationprocess or additional D L L s. 2. CiirrPorts lists all die
n am e s. p ro ce sse s a n d r e m o te IP a d d r e s s ,
and their IDs, protocols used, lo c a l local and remote ports, and r e m o te h o s t
>H T M L R e p o r t s
3. To view all die reports as an HTML page, click V ie w

A ll It e m s .
C urrP orts
File Edit I View | Options Help
M - x
X B
Show Grid Lines Address ).7 ).7 ).7 ).7 ).7

.0.1
Process K J a1^ I Show Tooltips Mark Odd/Even Rows chrome. C* chromel HTML Report All I'errs ^ chrome. HTML Report - Selected terns C* chrome. Choose Columns ^ chromc.
( firc fc x .c
g f-e fc x e
Rem.. http http http http 443 3962 3981 443 443 443 443 https https https https https
Remote Address 173.1943526 173.194.3526 173.194.3526 23.5720420 173.194.3526 127.0.0.1 127.0.0.1 173.1943622 173.19436.15 173.19436.0 741252*4.15
0.0.0.0
Remote Host Nam *
bcmQ4s0l-in f 2 6 . 1 bcm04s0l-in-f26.1 bcm04s01 i n f 2 6 . 1

a23-57-204-20.dep S
bom04501-in f 2 6 . 1
WIN-D39MR5HL9E WIN-D39MR5HL9E bem04s01-in-f22.1 bom04i01in*f15.1 bcm04s0l*in-f0.1< gruC3s05-1nM5.1e
A uto Size Columns

Rfr#{h
F5 1l i TCP TCP TCP TCP TCP TCP TCP 4163

---
(p firc fo x .e 1 (c (B fa e fc x u e J ftfM c o ta e fr e fc x e te \h t t o d . e x e V h ttp d .e x e Q ls a s s e te
7 1368 I368 1368 1800 1800 564 561
T V . V , 0 .7
10.0.0.7 10.0.0.7 100.0.7
.0.1
4 1 5 6
4158 1070 1070 1028 1028
o .a o .o
aaao
Q In thebottomleft of theC urrPorts w indow , the status of total ports and rem ote connections displays.
0 .0 .0 .0
NirSoft Freeware, http.//w w w .rirs o ft.n e t
79Tctl Ports, 21 Remote Connection!, 1 Selected
FIG U R E4.2T heC urrPortsw ithH TM LR eport- A llItem s 4. The HTML Report
E<e Ldr View History Bookmarks 1001 Hdp I TCP/UDP Ports List ^ j j f j__ ' * - Google P ^ T C P /U D P P o r ts L is t =
a u t o m a t ic a lly
opens using die default browser.
( J f t e /// C;/User1/ Ad mini st ralor/Desfctop/ cp0fts-xt>,repcriJit ml
countries of therem ote IP addresses, youhaveto dow nloadthelatest IPto C ountryfile. Y ouhaveto put the IpToC ountry.csv fileinthe sam efolder as cports.exe.
E3 To checkthe
C re a te d b v u sing C u rrP o rts
P m j .Nam
P ro titi ID 2988 2988 2988 2988 2988 2988 2988 2988 2988
P ro to co l
I.o ra l P o rt 4052 4059 4070 4071 4073 4083 4090 4103 4104
I A ra l P o rt X lB t
L o c a l A d d iv it
Remote P o rt 443 80 80 80 80 80 80 80 80
Rcm oU P o rt Name . https http http h ltp hup http hnp hup hnp 173 194 36 4 173.194.36.17 173.194.36.31 173.194.36.31 173.194.36.15 173.194.36.31 173.194.36.4 173.194.36.25 173 194 36 25 bo bo bo bo! boi bo! bo! bo bo > R tm v l A d d r t it
chxame rx c chiome.exc ch101nc.exe daom e.exe daom e.exe daom e.exe cfcrorae.exe chfomc.cxc chrome exe
TCP TCP TCP TCP TCP TCP TCP TCP TCP
10 0 0 7 10.0.0.7 10.0.0.7 10.0.0.7 1 00.0.7 10.0.0.7 100.0.7 100.0.7 10 0 0 7
FIG U R E4 .3 :HieW ebbrow serd isp lay in gC urrP ortsR eport- A llItem s 5. To save the generated CurrPorts report from die web browser, click
F ile >S a v e P a g e A s ...C t r l+ S .
TCP/UDP Ports List - Mozilla Firefox
3 5
C i f ' Google
m C urrPorts allow syou to saveall changes (added andrem ovedconnections) into alogfile. In order to start w ritingto thelogfile, checkthe ,LogC hanges' optionunder the F ile m enu
id *
1ry> Hitory
Bookmaikt Took Hrlp
fJcw l i b N*w Mnd<*1* Cpen Fie..
CW*T Ctrt*N CcrUO

f1 Dcsttop/q)D1ts-x64/rEpor: html
S*. Page As.. Ctr1*S Send LinkPag* Setup-. PrmtPi&Kw

E rrt.
!, r o t i f j j >111 ID chiom c.exe cfc10 me.exe chrome.exe chrome.exe chrome exe 2988 2988 2988 2988 2988 2988 2988 2988 2988
ti*
!'! o to co l
!.o ra l P o rt 4052 4059 4070 4071 4073 408; 4090 4103 4104
I o r a l P o rt Name
Local A d d rv u
Remote P o ri 443 80 80 80 80 80 80 80 80
K em otc P o rt Name https http hnp http http http http http http 173.194.36.4 173.194.36.17 173.194.36.31 173.194.36.31 173 194 36 15 173 194 36 31 173 194 36 4 173.194.36.25 173.194.36.25 boj bo: bo: boi boi bo! boi boj b03 K e u io l* A d d n i t
TCP TCP TCP TCP TCP TCP TCP TCP TCP
10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 100 0 7 100 0 7 100 0 7 10.0.0.7 10.0.0.7
2Z y"B ydefault, the logfile is savedas cports.loginthe sam e folder w here cports.exeis located. Y ou canchangethe default log filenam ebysettingthe L ogFilenam eentryinthe cports.cfgfile.
chrome exe ch*omc exe chiome.exe daom e.exe
FIG U R E4 .4 :T heW ebbrow sertoS av eC urrPortsR eport- A llItem s 6. To view only die selected report as HTML page, select reports and click
V ie w >H T M L R e p o r t s S e l e c t e d Ite m s .
C urrP orts
File X S Edit | View | Options (3 Help
1-1 x-
Show Grid L Show Tooltips Mark Odd/Even Rows HTML Report - All Items Address ).7 ).7 Rem... 80 80 80 80 445 3982 3981 443 443 443 443 https h ttp ; h ttp : https Rem... h ttp h ttp h ttp h ttp h ttp : Remote Address 175.19436.26 173.1943626 173.1943626 215720420 173.1943526 127.0.0.1 127JX011 173.1943622 173.194.36.15 173.194360 74125234.15 0.0.0.0 s 00.0.0 ___ AAA A 0.0.0.0 AAAA Hi1 Soft Freew are. http.,, w w w .r irsoft.net Remote Host Nam bom04s01-1nf26.1 bom04s01-1n-f26.1 bcm04s01-inf26.1f 323-57-204-20.dep bcm04s01-in-f26.1 WIN-D39MR5HL9E WIN-D39MR5HL9E bom04s01 -in-f22.1 bomOlsOl -in f1 5.1 bomOlsOI -in f0.1c gruC3s05 in -f 15.1c
Process Na P I
^ B e aw are! The logfile isupdatedonlyw henyou refreshtheports list m anually, orw henthe A utoR efreshoptionis turnedon.
C chrome.
C c h ro m e f
O'chrome
,fir e fc x e (gfircfcxe: fircfcx e< v L f ircfox.cxc fircfcx.cxc ^ firc fc x .c x c httpd.exe httpd.exe Q lsa sse xe Q b a s te x e -------a .--------
HTML Report Selected terns Choose Columns Auto Size Columns
0.7 P7 .0.1 .0.1 J>.7
Ctrl Plus F5
Refresh
1368 1368 1368 1000 1000 564 564 14nn TCP TCP TCP TCP TCP TCP TCP T rn 4163 4166 -4168 1070 1070 1028 1028 *
1000.7 1000.7 100.0.7 0.0.0.0
79 ~ctel Ports. 21 Remote Connections, 3 Selected
clickonthe W ebpageand savethe report.
a Y oucanalsoright-
FIG U R E4 .5 :C urrPortsw ithH T M LR eport- S electedItem s

7. Tlie selected
re p o rt
automatically opens using the
d e fa u lt b r o w s e r .
E th ic a l H ackin g and Counterm easures Copyright O by EC-Coundl A ll Rights Reserved. Reproduction is Strictly Prohibited
TCP/UDP Ports List - Mozilla Firefox

ffi'g |d : Vico Hatory Bookmaiks Toob Help | + [ j TCP/UDP Ports List
1 n J~x
In the filters dialog bos, youcanaddone or m ore filter strings (separatedbyspaces, sem icolon, or C R L F ).
W c/'/C /lhervAdmin 1strotor/Dr5fctop/'cport5r64/rcpoi 0T1l
(? Google |,f t I
T C P /V D P P o rts L is t
C reated b y m in g C iir r P o m
P rocess N am e
dbiome.cxc fire fo x exe h ttp d
P rocess
ID 2988 1368 1800
em o te o ca l Local K Local I> m u t R Port P rotocol Port Port A ddress Port N am e .N a m e

TCP TCP TCP 4148 4163 1070 10.0.0.7 10 0 0 7 443 443 https https
K vuiotc A ddress
173.194.36-26 173 194 36 15
R em o teH ost N am e
bom04sC 1 m. 26.1 e 100.net bom 04s01 tn - fl 5. Ie l0 0 .n e t
State
Established Established Listening
c:
C: C:
c x c
FIG U R E4 .6 :T heW ebbrow serd isp lay in gC uaPortsw ithH T M LR eport- S electedItem s / / The Syntaxfor Filter S tring: [include | exclude]: [local | rem ote | both | process]: [tcp | udp | tcpudp] : [IPR ange | Ports R ange]. 8. To save the generated CurrPorts report from the web browser, click
F ile >S a v e P a g e A s ...C t r l+ S
TCP/UDP Ports List M ozilla Firefox Edfe Vir* N**T*b Open Fie... S*. P a g e A ;. Sir'd linkPage :er.p. Pnnt Preview
P rm L .
r= > r*
Hutory Boolvfmki Took HWp Clfl*T |+ |
an*N
Ctrl0
Ctrl-S
1r/Desktop/cpots x6Crepwthtml
fi
fic it Offline T o ral Local Local Po rt Pori Nam e A ddress TCP TCP TCP 4148 4163 1 0 0 0 .7 100.0.7 Rem ote Kcm ole Po rt Nam e https https
N am e
chtoxne.exe fiiefox-cxc http de xe
ID
2988 1368
Port
443 443
R em ote A ddress
1 73 .19 43 6 26 173.19436 15
Rem ote Ilo t l .N io it
boxu04s01 -ui-126. Ie l0 0 .n e t bom04s01-1a-115.lel00.net
Established Established
C C
1 8 0 0
1 0 0
C om m and-line option: /stext < F 11enam e>m eans savethelist of all opened TCP/UDPports into a regular text file.
FIG U R E4 .7 :TheW ebb rcn v sertoSawQ irrPortsw ithH T M LR eport- S electedItem s 9. To view the
P r o p e r tie s . p r o p e r t ie s
of a port, select die port and click F ile
>
r 1 File J Edit I View Options Help C trM Ctri+T
C urrP orts
I - ]
'
P N ctlnfo Close Selected TCP Connections Kill Processes Of Selected Ports Save Selected Items Properties
Local Address 10.0.0.7
Rem... 80 80 80 80 443 3982 3031 443 443
Rem.. http http http http https
Remote Address 173.194.3626 13.194.3626 1^3.194.36.26 23.57.204.20 1Ti 194.36.26 127.aa1 127.0L0L1
Remote Host Nam 1 bom04301 - in-f26.1 bom04501 in-f26.1 bom04s01-in-f26.1 a23*57204-20.dep bom 04s01-in-f2M WIN-D39MR5Hl9f WIM-D30MRSH10F bom04e01-mf22.1 bom04s01-m-f15.1
CtiUS AltÊntei C tiU P 1
10.0.0.7 10.0.0.7 10J3J3.7
/stab <Filenam e> m eans savethelist of all opened TCP/UDP ports intoa tab-delim itedtext file.
b&i C om m and-line option:
Process Properties Log Changes Open Log File Clear Log File Advanced Options Exit \ j 1 ttjd .e x e \h tto d .e x e lsass.exe 1800 1800 564 $64 TCP TCP TCP TCP
10.00.7 127.0.0.1 127.0.0.1 10.0.0.7
httpc https
1 , 1 194.3622 173.194.3615
CtrU O
10.0.0.7
10.0.0.7
10.0.0.7 1070 1070 1028 1028
443
443
https
https
173.194.360
74.12523415
bom04s01 mf0.1c
gru03s05-inf15.1 e
oaao aao.o
0 D S )S ) ::
0D S J J J
Q lsass-exe
r. >
NirSoft Freeware, h ttp :'w w w .n irso ft.n e t
|7 9 Tctel Ports, 21 Remote Connections, 1 Selected
FIG U R E4 .8 :C unPoitstoviewproperties foraselectedport 10. The P r o p e r t ie s window appears and displays all the properties for the selected port. 11. Click O K to close die
Process Nam e: Process ID: Protocol: Local Port: Local Port Nam e: Local Address: Remote Port: Remote Port Nam e: Remote Address: Remote Host Nam e: State: Process Path: Product Nam e: File Description: File Version: Com pany: Process Created O n: User Nam e: Process Services: Process Attributes: Added O n: Module Filename: Remote IP Country: Window Title:
P r o p e r t ie s
window
*
Properties firefox.exe
1368
TCP 4166 10.0.0.7 443 |https________________ 1 1 7 3 .194.36.0 bom 04s01-in-f0.1e100.net Established C:\Program Files (x86)\M 0zilla Firefox\firefox.exe Firefox Firefox 1 4 .0 .1 Mozilla Corporation 8/2 5 /2 0 1 2 2:36:28 PM WIN-D39MR5HL9E4\Administrator
C om m and-line option: /shtm l <Filenam e>m eans savethelist of all opened TCP/UDP ports into an H TM Lfile(H orizontal).
8/2 5 /2 0 1 2 3:32:58 PM
O K FIG U R E4 .9 :TheC urrPortsPropertiesw indowfortheselectedport
12. To close a TCP connection you think is suspicious, select the process and click F ile >C lo s e S e l e c t e d T C P C o n n e c t io n s (or C trl+ T ).
S T A S K 2 C urrPorts
-_,r
C lo s e T C P C o n n e c tio n
IPNetlnfo Close Selected TCP Connections Kill Processes Ctrt+1 C trl-T
O fSelected Ports
CtH-S AH- Enter Ctrl P
Local Address 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7
Rem... 6
Rem... http http http http https
Remote Address 173.19436.26 173.19436.26 173.19436.26 23.5730430 173.19436.26 127.0.0.1 127.0.0.1
Remote Host Nam I bom04s01-inf26.1 bom04s01-inf26.1 bom04sC1 in-f26.1 023-57 204 2C.dep = bom04s01 in f26.1 WIN-D39MR5HL9e WIN-D39MR5HL9 bom04s01 -in-f22.1 bom04s01-in-f15.1 bom04s01 in-f0.1s gru03s05-in-f151e
Save Selected Items Properties Process Properties Log Changes Cpen Log File Clear Log File A d/snced Options Exit ^ httpd.exe httpd.exe is a s s ^ x e Q toS fcC N e
^ J III
80 80 80
10.0.0.7 127.00.1 127.00.1 10.0.0.7 10.0.0.7
4 4 3
3932 3931
CtH+G
10.0.0.7 103 1800 564 564 TCP TCP TCP TCP r 1070 1070 1028 1Q28 om o 0D.0.0
4 4 3 4 4 3 4 4 3 4 4 3
http: https https https
173.19436.22 173.19436.15 173.19436.0 74.125.234.15 0.0.0.0 r o .a a o r
I> IlirSort fre e w a re . r-tto :v/Yv*/n rso tt.n et
7? Tot! Porte, 21 Remote Connection! 1 Selected
J
>K ill
FIG U R E4 .1 0 : ,H ieC unPoitsC loseS electedT C PC onnectionsoptionw indow 13. To

k ill
the
p ro ce sse s
of a port, select die port and click F i le

C urrP orts
P r o c e s s e s o f S e l e c t e d P o r ts .
I ~ I * '
f i TASK 3
K ill P r o c e s s
File
j Edit
View
Options
Help
PNetlnfo
Close Selected TCP Connection* kin Processes Of Selected Ports 5ave Selected Items
P ro p e rties
a n !
C*rt*T Loral Address 10.0.07 Clri-S A t-E n te r CtrKP 10.0.0.7 10.0.0.7 10.0.0.7 Rem... 80 80 80 80 443 3962 3981 443 443 443 443 https https https https Rem.. http http http http https Remote Addrect 173.14436.26 173.194.3626 173.194.3626 215720420 173.1943636 127.0.0.1 127.0.0.1 173.1943632 173.19436.15 173.19436.0 74125334.15
0.0.0.0
Remote Host Nam * bom04t01*in-f26.1 bomC4t01-inf26.1 bomC4j01 -in-f26.1 a23-57-204-20.dep s bcmC4s01-in-f26.1 WIN-D39MR5HL9E WIN-D39MR5HL9E bomC4s01-in-f22.1 bom04s01inf15.1 bom04$0linf0.1e gru03s05-1n-M5.1e
Process Properties Log Changes Open Log File Clear Log file Advanced Options Exit V httod.exe V h ttp d .e x e lw s s .e r e k a tc *re II 1800 1800 564 561 TCP TCP TCP TCP
10.0.0.7 127.0.0.1 127.0.0.1 10.0.0.7 10.0.07 10.0.0.7
1070 1070 1028 1028

___
O . Q . Q . O o .a a o
/ )A A A
10.0.0.7
79 Tctel Ports, 21 Remote Connections, 1 Selected
MirSoft Freeware. http-Jta/ww.rirsoft.net
FIG U R E4 .1 1 :T heC urrP ortsK illP rocessesofS electedPortsO ptionW indow 14. To e x it from the CurrPorts utility, click F ile window c l o s e s .
>E x it .
The CurrPorts
C u rrP on s
File Edit View Options Help GH+I CtrK T .. Local Address 10.0.0.7 Ctifc-S A t-E a te r CtHP 10D.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.0.0.1 127.0.0.1 10.0.0.7 C tH -0 10.0.0.7 10.0.0.7 Ext \th ttp d .e x e \th ttp d .e x e Q lsa s& e xe H ls a is - a c 1800 1800 564 564 TCP TCP TCP TCP rrn 1070 1070 1028 1028 __ / a / \ a Rem.. 80 80 80 80 443 3082 3981 443 443 443 443 https https https https Rem http http http http httpt Remcte Address 173.194.36.26 173.194.3626 173.1943626 21 57.204.20 173.194.3626 127.0.0.1 127X10.1 173.19436.22 173.194.36.1S 173.194.36i) 74.125.234.15 0.0.0.0 = 0.0.0.0 = AAAA Nil Soft free were. Mtpy/vvwvv.r it soft.net
1-1 -
P N etlnfo Close Selected TCP Connections K il Processes O f Selected Ports
Remcte Host Nam bom04s01-in-f26.1 bom04s01-in-f26.1 bom04s01-inf26.1r a23-57-204-20.de
/sveihtm l <Filenam e> S avethelist of all opened TCP/UDP ports into H TM Lfile(V ertical).
hid C om m and-line option:
Save Selected Items Properties Procccc Properties lo g Changes Open Log File Clear Log File Advanced O ption!
bom04t01-in-f26.1| WIN-D3QMR5H19P WIN-039MR5HL9E bomC4101-in-f22.1 bemC4i01 in f15.1 bcmC4s01 in f0.1q gru03s05in-f15.1e
10.0.0.7 0.0.0.0 = 0.0.00
79 ctal Ports. 21 Remote Connections. 1 Selected
FIG U R E4 .1 2 :T heC urrPoitsE xit optionw indow

L a b A n a ly s is
Document all die IP addresses, open ports and their running applications, and protocols discovered during die lab. feU IIn com m andline, the syntaxof /close com m and:/close <L ocal A ddress> <Local Port> <R em oteA ddress> <R em ote Port* . Tool/U tility Information Collected/Objectives Achieved Profile Details: Network scan for open ports Scanned Report: Process Name Process ID Protocol Local Port Local Address Remote Port Remote Port Name Remote Address Remote Host Name
CurrPorts
P L E A S E T A L K TO YO UR IN S T R U C T O R IF YOU H A V E Q U ES T IO N S R E L A T E D TO TH IS LAB.
Q u e s t io n s
Q C urrPorts allow s you toeasilytranslate all m enus, dialogboxes, and strings to other languages.
1 . Analyze the results from CurrPorts by creating a filter string that displays
only packets with remote TCP poit 80 and UDP port 53 and running it. Analyze and evaluate die output results by creating a filter that displays only die opened ports in die Firefox browser.
.
Determine the use of each of die following options diat are available under die options menu of CurrPorts: a. Display Established b. Mark Ports Of Unidentified Applications c. Display Items Widiout Remote Address d. Display Items With Unknown State
Internet Connection Required Yes Platform Supported 0 Classroom 0 !Labs 0 No
Lab
S c a n n in g f o r N e tw o rk V u ln e r a b ilitie s U s in g t h e G F I L a n G u a rd 2 0 1 2
G F I L A N g w r d s c a n s n e tw o rk s a n d p o r ts to d e te c t, a s s e s s , a n d c o rre c t a n y s e c u rity v u ln e r a b ilitie s th a t a re fo u n d .
I CON K E Y
Valuable information Test your knowledge Web exercise
You have learned in die previous lab to monitor T C P IP and U D P ports 011 your local computer or network using C u rrP o rts. This tool will automatically mark widi a pink color suspicious TCP/UDP ports owned by u n id e n tifie d applications. To prevent attacks pertaining to TCP/IP; you can select one or more items, and dien close die selected connections. Your companys w e b s e r v e r is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by die ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. All evil attacker uses diis vulnerability and places a b a c k d o o r on th e s e rv e r. Using die backdoor, the attacker gets complete access to die server and is able to manipulate the information 011 the server. The attacker also uses the server to le a p fro g and attack odier servers 011 the ISP network from diis compromised one. As a s e c u r it y a d m in is tra to r and p e n e tra tio n t e s t e r for your company, you need to conduct penetration testing in order to determine die list of t h r e a t s and v u ln e r a b ilitie s to the network infrastructure you manage. 111 diis lab, you will be using G F I L a n G u a rd 2 0 1 2 to scan your network to look for vulnerabilities.
Workbook review
Z U T o o ls d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s
The objective of diis lab is to help students conduct vulnerability scanning, patch management, and network auditing.
111
diis lab, you need to: Perform a vulnerability scan
Audit the network Detect vulnerable ports Identify security vulnerabilities Q Y oucandow nload GFI L A N guard from http://w w w gfi.com . Correct security vulnerabilities with remedial action
To perform die lab, you need: GFI Languard located at D :\C EH -T o o ls\C E H v 8 You can also download the latest version of link http://www.gfi.com/la1111etsca11 If you decide to download the in the lab might differ
M o d u le 0 3 S c a n n in g N e tw o rk sW u ln e ra b ility S c a n n in g T o o ls\G F I L a n G u a rd G F I L a n g u a rd
from the
A computer running W in d o w s Q G FI L A N guard com patiblyw orks on M icrosoft W indow s Server 2008Standard/Enterprise, W indow s Server 2003 Standard/E nterprise, W indow s 7U ltim ate, M icrosoft S m all B usiness Server 2008Standard, S m all B usiness Server 2003 (S P 1), and S m all B usiness Server 2000(S P 2).
W in d o w s S e r v e r 2 0 0 8 running
2012 S e rv e r
as die host machine
in virtual machine
Microsoft NET F r a m e w o r k
Scann er
2 .0 LA N g u a rd N e tw o rk S e c u r it y
Administrator privileges to run die G F I
It requires die user to register on the G F I w e b s it e http: / / www.gfi.com/la1111etscan to get a lic e n s e k e y Complete die subscription and get an activation code; the user will receive an e m a il diat contains an a c tiv a tio n c o d e
Time: 10 Minutes
O v e r v ie w o f S c a n n in g N e t w o r k
C-J GFI L A N guard includesdefault Security scans or audits enable you to identify and assess possible r is k s within a configuration settings that network. Auditing operations imply any type of c h e c k in g performed during a allowyoutorun im m ediate scans soonafter the network security audit. These include o p e n port checks, missing Microsoft p a t c h e s installationis com plete. and v u ln e ra b ilitie s , service infomiation, and user or p r o c e s s information.
As an administrator, you often have to deal separately widi problems related to v u ln e ra b ility issues, p a tc h m a n a g e m e n t, and network au d itin g . It is your responsibility to address all die viilnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide r is k a n a ly s is , and maintain a secure and c o m p lia n t n e tw o rk state faster and more effectively.
Lab T asks
Follow die wizard-driven installation steps to install die GFI LANguard network scanner on die host machine windows 2012 server.
B TASK 1
1. Navigate to W in d o w s S e r v e r 2 0 1 2 and launch the S t a r t menu by hovering the mouse cursor in the lower-left corner of the desktop
S c a n n in g for V u ln e r a b ilitie s
Zenm ap fileinstalls the follow ingfiles: N m apC ore F iles N m apPath W inPcap 4 .1.1 N etw orkInterface Im port Zenm ap (G U I frontend) N eat (M odernN etcat) N diff
FIG U R E5 .1 :W indow sS erver2012- D esktopview 2. Click the window

G F I L an G u ard 2 0 1 2
app to open the
G FI L an G u ard 2 0 1 2
Windows Marager
Google
bm
r
Nnd
FT
SI
2)12
FIG U R E5.2W indow sS erver2012- A pps 3. The GFI LanGuard 2012 m ain A u d it tab contents. / / To executeascan successfully, G FI LA N guardm ust rem otely logonto target com puters w ithadm inistrator privileges.
w in d o w
appears and displays die N e tw o rk
GFI LanGuard 2012 I -| dashboard Seen Remedy ActMty Monitor Reports Configuration UtSties
W D13CIA3 this
W elcome to GFI LanG uard 2012

GFI LanGuard 2012 is ready to audit your network fc* rtireta&dites
Local Computer Vulnerability Level
options w hichprovide quickaccess to scanning m odes are: Q uickscan Full scan Launcha customscan Set up aschedule scan
e a The default scanning
us Nana9#*gentsor Launch a scan options 10 , the entile network.
JP 9 %
V ie w D a s h b o a rd Inve30gate netvuor*wjinerawiir, status and audi results
M <
{ 'M o w iim jIW - .
R e m o diate S e cu rity Iss u e s Deploy missing patches uninstaiwwuihortwd *!*rare. turn on onllvirus and m ore
c a f h 'e .
Cunent Vulnerability Level is: High
M anage A g e n ts Enable agents to automate netooric secant? audit and totfstribute scanning load across client machines
L a u n c h a S can Manually set-up andtnuser an aoerSess neVrxt seajrit/ audrt. LATES1 NLWS V# ?4-A*j-7017 -Patch MmuxirTimri -N n pi txkul a fy n le d ID I -XI }u n jp \feg 1! Ttft m u lar l w mr 1 ( 74 A q 701? Patch Mfwtgnnnnl Added DCport for APS81? IS. Mohr. Arrvhm !) 5 2 Pro nnd Standivd
tr.v in-
V*, 24-AJO-2012 -Patch M4uum< -Aiktod kuxkI 1 0 1APS812-1S. Mobm A uob* 10.1.4 Pro mtd Sta-0 - -M j ut
FIG U R E5 .3 :T heG FIL A N guardm amw indow

m C ustomscans are recom m ended: W henperform inga onetim e scanw ith particular scanning param eters/profiles W henperform ingascan for particular netw ork threats and/or system inform ation Toperformatarget com puter scanusinga specific scanprofile
4. Click die L a u n c h
> I I
Doshboerd Scan
a Scan
Remediate
option to perform a network scan.

GFI LanGuard 2012 AdMty Monitor Reports Configuration Ut*oes t Die1s thb version
W elcome to GFI LanG uard 2012

GFI LanGuard 2012 &ready to audit your network k* *AmafrMws
Local Computer Vulnerublllty Level use van a;# Agentsor Launch a scan options 10 auoa the entire network.
JP
V ie w D a s h b o a rd Investigate network!wjineraMit, status andauairesults
9
t - .& ^- iim jIM : Cunent Vulnerability Luvul is; High
R e m e diate S e cu rity Issu e s Deploy missing patches unirwtaurau*>0rf2e430**are. turn on antivirus ana m ore.
M anage A g e n ts Enable agents to automate neteror* secant* aud* and totfstnbute scanning load across client machines
L a u n c h a Scan Manually * < rtu p andtnwer anagerttest networktaint/ autirl LAI LSI NLWS <j ?4-Ajq-TOI? - fa it h M<au)nenl - N r . pnxkjrf !^ported POF-XLhan^r Mena 2 TOb
m e u la -
IW 3 1 -
V* 24A jq2012
Patch MnnnQcjncnr Added support forAPS812-16. Adobe Acrobat 9 5 2 Pro and Standard
24-Aju-2012 -Patch Md11r f u t ! 1t*t -Added support t o rAPS812-16. Adobe Acrobat 10.1.4 Pro and Stand c f f d - F=ad
^ If intrusiondetection softw are (ID S) is running duringscans, G FI LA N guard sets off a m ultitude of ID Sw arnings andintrusionalerts inthese applications.
FIG U R E5 .4 :T heG FIL A N guardm ainw indowindicatingtheL aunchaC ustomS canoption 5.

Launch a N ew sca n
window will appear from die drop-down list from die
i. ii. iii.
1 1 1 die Scan Target option, select lo c a lh o s t from die drop-down list 1 1 1 die Profile option, select F u ll 1 1 1 die Credentials option, select drop-down list
Scan
c u rre n tly lo g g ed on u s e r
6. Click S c a n .
C E H Lab M anual Page 115 E th ic a l H ackin g and Counterm easures Copyright O by E C Counc11 A ll Rights Reserved. Reproduction is Strictly Prohibited
GF! LanGuard 2012
r x
C o n f!g u ra U o n Jt Urn C J, Uiscuuttm1
> l- I
ta u a d ia tn e S a n
D a s h b o a rd
S ca n
Ranrdijle
P10*: jf-J S^n
A ctiv.tyM o n ito r
R e p o rts
Scara02t: b a te : Ot0en:fck/Trt(r ockcCon uso Scar Qaccre... Son n d ti Ovrrvlew
v M V
v * ?axrrard: IIZ * 1 1
SOM R ru lti Dcta ll<
m For largenetw ork environm ents, aM icrosoft SQ LServer/M SD E database backendis recom m endedinsteadof theM icrosoft A ccess database.
FIG U R E5 .5 :S electin ganoptionfornetw orkscanning

7.
Scanning will s ta rt; it will take some time to scan die network. See die following figure
m Q uickscans have relativelyshort scan durationtim es com paredto full scans, m ainlybecause quickscans perform vulnerabilitychecks of only asubset of the entire database. It is recom m endedto runa quickscanat least once a w eek.
8. After completing die scan, die s c a n
re s u lt
will show in die left panel
&
yI
D a s h b o a id
S ca n
R e m cd u te
GFI Lar> G uard2012 A ctw ty M o n ito r R e p o rts C o n fig u ra tio n
, I x L ttr fr tm
ta u K k a lm k in
ScanTarget ccaftoct
K a te :
V ... | FalSar jsandffc: V Eaaswofd:
H II
Scan R r a k i Details
C j-rr& tbcaed on iser

Scan R r u ik i ovrrvm n
4 Scan target: locatbot - y) 52 10 0 0 7 IWDI-039MR5II19C4] (WhkJ vws .
S ca n c o m p le te d !
Summ ary 8f *ear resufs 9eneraf0fl <Jut>51
T ypes of scans: Scana singlecom puter: Select this optionto scanalocal host or one specificcom puter. Scanarange of com puters: Select this optionto scananum ber of com puters defined throughanIPrange. Scanalist of com puters: Select this optionto im port alist of targets fromafileor to select targets fromanetw ork list. Scancom puters intest file: Select this optionto scantargets enum erated inaspecific text file. Scanadom ain or w orkgroup: Select this optionto scanall targets connectedto adom ain or w orkgroup.
V u ln e ra b ility le v e l: The average vulnerabilty le.ei lor ttus seanr s 1
Results statistics:
Audit operations processed; 1>703 aw*! operations processed
Missing scftwaie updates:

Other vulnerabilities:
20 <20 C tcaiHgr> 1313 Crecol'-.qh)

3
Potential vulnerabilities:
Scanner ActMty Wkxkm *^ W fa :ili !* W CanptJer VJUH> ra W J t !a i K t - n can Citar n 1 1 t41:ate 101 r r s q v
wunr is*lvatd or not found
i
----------12- 1
FIG U R E5 .7 :T heG FIL anG uardC ustomscanw izard 9. To check die Scan Result Overview, click IP right panel 10. It shows die V u ln e ra b ility A s s e s s m e n t click V u ln e ra b ility A s s e s s m e n t
ad d ress
of die machiiiein die
an d N e tw o rk & S o ftw a re A udit:
Eocafost
GFI LanGuard 2012 J |^ | Daihboard Sean R nrw U r AdMyMorilor Reports Configuration UtMws
W, Dis c u m tvs vtssaan
Q i3 3 iT ~ .it..
Cjend, bcaec
PceSe v j. . . | |FIS1
* * ?a.C rd:
o n u s e r
Userrvaae:
II
1Results Details
1 ___^
____
V a n t n r y t : lornlhost
| - 1000
,
V |WIW l)J9MIC>Mt9L4l (Window.

< 1>rrafcj1 ty W ^ n r r n t |
J] j
[ WUJ39MRSHL9f4| (Windows Server ?01? 164)
n N et-w ar* & Softwire Audit Vulnerability level:

T * corrvwar dues not have a Vuhe'aHty te.el VII. * :
Y/lttt dim
irean?
Po s s ib le reaso n s:
3 The credentials used 10 scan this confute 0 not 1: * 9 * cnty ecamer 10 retrieve an required tafomwtion 10 escmatra we Vjheraoity Level An account wth s M i r r a , :rvjeges or rne target computer B requrM * Certan securty srttnqs on the remote conpuler Dtoct r * access 0 ( Ite security scanner. Betam s a fa rt of most
t. Th can b not Inched yet 2.O sC ectbn of m issing paiches and vane abiEe* 8
s m U ta* ca1nir aerode used to performthe scan.
Scaruicr ActMty Window
flteetlKMQL
l l i r v ^ dl( k l h )
u. . M
' < V> I I c tfiiS ldriI ftwwl

I
FIG U R E5 .8 :S electin gV ulnerabilityA ssessm ent option
11. It shows all the V u ln e r a b ilit y

V
A ssessm en t
Reports
indicators by category
T ^ P
x
GFI LanGuard 2012 d >

Dashboard Scan Rernediate Activity Men!tor Configuration UUkbes
W,
GFI L A N guard scans target com puters to retrieve setupinform ationand identifyall security vulnerabilities including: M issingM icrosoft updates Systemsoftw are inform ation, including unauthori2ed applications, incorrect antivirus settings and outdatedsignatures Systemhardw are inform ation, including connectedm odem s and U S Bdevices
/ 7D uringa full scan,
Di 8cub 8 a vaon._
l a d i a Merc Scan
Bar Target; v | | .. . c/fomess [am r#y iC Q jjetf onuser
roS: H i scarJgynang:
3 $
Password: 5
V1
or
Scmi RrulU Ov*rvt*%

<0 $ u a U r t : l1 ) u lm l
Sc4nR*M1ft>0UNk V u ln e ra b ility A sse ssm e n t

stea ene of the folowno wjfcerabilry 01*99'** *
f S I S ItM J(m R-K M M U H U M ](W M tom .

Yuhefablty Assessment
A * *security wirerablofa (3)

J l MeCtomSearity Vuherabirtes (6) j , low Searity Viinerablitfes (4J PofanBd Vuherabltea (3)
4
t
*qn security Vumeratxaties (3) Xbu you toanalyze the security vjre tb i'.a
10
Meshc service Packs and U3cate =&u>s (1}
^ . .
# Msarvs Security Updates (3)
Jedium Security VulneraNKies )6 ( , toanajy7e thsrredun !earitytfjrerabises Low Security Vulnerabilities 1 4 ( ycu to a iy thelc 9eculty
- _* Hee*ak & Software Ault
1 5
Potential vulnerabilities )1( Xb>.s you to a-elvre tiie inform ationsecurity aJo Ufesing S vtca P acks and Updala RolHipc (1) U>3vcutoane(yK thcrm eiroiervm pK tsnV m evn
thread I (Idle) |Scan Pvead 7 (is' I 5 u n t1 : 3 O tfic] Bras
FIG U R E5 .9 :L ist ofV ulnerabilityA ssessm entcateg o ries 12. Click N e tw o rk

P a tc h in g
in die right panel, and then click S y s te m S t a t u s , which shows all die system patching statuses
& S o ftw a re A u d it
C r i L in O u a rd 2012
1 - r 1
Configuration JM M et <U) ' D iic in t llm vm*an
to >
Scar o e -
4 -
Dashboard
Sran
Re*Aate
Activity Monitor
Rrpoits
la u a d ia New Sean
Ho ft*.
- 11 ' ^ v | P315/.ord: Sari
O afattab: |0 rrentf> o g c or u er 1
Jse n re ;
SCM R M b Overview 9 Scan ta rve t iocalhost m
1Rem its Detais
- 3 1 8 I M A / [W 0 3 9 N R S W 4 ] ( I M l t K -
System Patching Status

Select one of tte Mtahg systemwtchro M U
Minting Service P acks nit llpduir Rciaup* )1( AI3v1 you to andyM f*r rrs K! server parW r>fj i w
Duetothelarge am ount ofinform ation retnevedfromscanned targets, full scans often tendto belengthy. It is recom m endedtorunafull scanat least onceevery2 w eeks.
** e h S e c v lt yV 1 * 1e r a M it t e t( 3 ) X rvfcdun Security VUrtrabilBe (6) X * J n a r a M t ) ( ) t S e r v ic e P n r i n m i1t3datr Roittn (1) f 1su1sSeu1UyUl>0at*(3) I \ f t o a r y .a ^ f t r a a r c r u O tI

X Sec ' >ty\\1hab4U (4)
S -4 (U!f(hilY to n T e il
)Mk Missing Security Updates (, J

Alotwt Mu U nWy.'t u! mistfio mcuICv update I
'0
- Jb j
m Missing Non-Security Updates )16(

Alan* you to analyie the rwn-security ipaaws rfamssen
S %
U A
Ports
rtor&Atrc
J%
*- f i Software a system mibnnaaon
1 2 J %!astaaed Non-SecurityUpdates )1(
staled Security Updates )2( Aq t> syou nay c tJic knitaifedsecurity!edatehfanala Aloyou to analyze thenstslicd nor-securty5 X g
Scanner A ctm ty Wmdow
Starting security scan of host \VIM.I)MMRSMl4[100.0 T \

!nr: I M k U PM
: ry Scan thread 1(idle) S a tllia i IM t ' . !
10
: t . 3
FIG U R E5 .1 0 :S ystempatchingstatusreport 13. Click P o rts, and under diis, click O p en

T C P P o rts
m Acustomscanis a netw orkaudit basedon param eters, w hichyou configure onthe flybefore launchingthe scanning process. V anous param eters canbe custom izedduringthis type of scan, including: T ypeof scanningprofile (L e., the typeof checks to execute/type ofdata toretrieve) Scantargets Logoncredentials
&
jbcahoK
> l- I
S ca n
Rancdijlr
GF! LanGuard 2 0 1 2 *!1 vty M o n ito r R e p o rts C o rrfig u ra
1- 1 C J, Uiscuu tin s1
V I ... I |MSw1 Uenvaae: S asG w ord:
Oc0en .dfe. |0xtrtK ocKcCon us
II ^9
1 ___ * = ____ 1 0
9 sr.Mi f .get torn lho\t

R : ; 10.0.0.7 |WIN-D39MR5H19C4| (W m d v n _ viAwjBM y **OMtwrnt
J l )*h Sacuity \jh*r<t14t* (!)

^ X ^ # MJum Sttuity VllnefdMIUe( } Law Seeunty VUnerabttiei (4} POCWlOai Viiic'attittet (3) MsangSecuity Updates (3)
ft) so iDf*crpno: Mytxrtrrt trerwfrr Protocol {^> sr-wr: http (kt/ er r t Tfonjfcr rvotocoOI 5 ( Cwucto- D CC wi1u l sOl)0 1 **CTt*0V HMKCR 5M1 S*rM S*VCT r n] ^ 44J Pfiapton: MooioftOS k tt * Omlav, VNntfcM *V a n Lrtnamn] B !027 piM otOor: !r#l1fo, 1( tM &*e v<e h no* t1 Urt(d :*>* & Croj^r: Ctandwone, Ditdflpy *rd others / SevC s ^ t-.H |Deunpecr: LSASS, If Iha m is not ratafc* ratfc ;< o w : Ctotafipy Network x, Oath a owers / Ser
f)
b e -* a e
f im it w : c a J O
m 3
# Moang Service Pocks 0d tp d str lo tto s CO B *ernoHc 8 1Software Audit *. ( ( System Patchrg Status
- 9 9 ^
::- 2 |CSObacn: M e Protect. MSrtQ, t te 1V . M>)eic - -- * c ro( IrsUltod D*mr* could ttt trojan: BLA trojan . Se 4
l2^l|tcroor:N fss1i5Jcar1ty5canr*rr/servct:1r*n0M ^ 1433 [CesccCcr: Microsoft SQL Server database r a a jr w :
s r t s c n Server /S > ic*: LTknown]
]333 I . S e e n H P P a r aW|
V Coen LC Ports (5)
I
II
A Hardware
.if Software
System [nfbmodon
a er ActKRy
YVlndvw
*' f..<t*ceve y v a n thread 1 (tdlr)
S o nr rad ) dp ( | 5 0 r *. vl ! ;<*)
error
FIG U R E5 .1 1 :TCP/U D PPortsresult 14. Click S y s t e m In fo rm atio n in die light side panel; it shows all die details of die system information 15. Click P a s s w o r d
E B > 1 4 -1 Dathboaid launch a Mewsean ScarTarget ocaKx: &ederate: Z~M~CTt, bcced on toe Scaf 0 0 ^.-. Scan R rta tf Overview
% Sf A open IX P Ports (5) r1ard*e
P o lic y
GH LanGuard 2012
r n n
Corriiguratioo Ualiwt W . 1)1*1 lew vnun
Scan
fn m ijlr
Act*y Monitor
Reports
P0. t: v |... I (SjIScan ?aaiwd: V
1 U1J
0
1 __
Scan le a k ! Detalie
*50 1frane
Systsn InferT M h arj

a 9ki\. W |l HW.\fxC. ! > > > 1
L_J The next jobafter a netw orksecurityscanis to identifyw hichareas and system srequireyour im m ediateattention. D o this byanalyzingand correctlyinterpretingthe inform ationcollectedand generatedduringanetw ork securityscan.
J *!*run poaaw d length: chars J **!unoaa'w ordsgeiodays J >Mgw rfl mtary: n o h ttay
J Vaxnuri EMSSiwrd age: 42days J ! f a s p f f r m force 0
Sr.c1ll> Audit Policy (OtO

Wf Re0**v ft Net&OS M ao*3) ) % Computet tj| 610Lpt (28) & Users (4)
!_ LoggedCnUsers (11)
^ Sesscre (2) % J<rvcc5 {148} U Processes (76)
Remote TOO (Tme Of Oay)
Scanner AcUvy Window
I I > - V 1n thn-rtd I (Klfc) ScantheflUC*) i f<* 41'' !
A) I '"
FIG U R E5.12Inform ationofP assw ordP ohcy 16. Click G ro u p s: it shows all die groups present in die system
m Ahighvulnerability level is the result of vulnerabilities or m issing patches w hose average severityis categorizedas high.
>
D a s h b o a rd
Sun
ftftnca&e
GFI LanGuard 2 0 1 2 A c tm rtyM o n ito r R e p o rts C o n fig u ra tio n
T oU 1 9 C U B 3U lttV W ttK JR
vl W CrM e re s t [cuTr*f eooed cn user *1
**Scan -igemane: Password:
cc':era 1Rf*lt Overview

% C0nUOPPwts(5)
Sc* RevuJU DeUik
r A Hentesrc
. 1 Soffaart
^ Symrm tnkmtn
*k SN r~ W
-4* Pdwo1 ) Pdiy - i Sxunty Ault Pokey (Off) # lUotetry f t NetflCCS Narres (3)
l* ig r o u p s( 2 a )I I W 4} Ascheduled scanis a netw orkaudit scheduledto run autom aticallyona specificdate/tim e and at a specific frequency. Scheduledscans canbe set toexecuteonce or periodically.
% Sssns (2)
Computer
?. -OXfC0 users (1 )
%5 1 4 )8 :* a )
Ht rocrase* (76)
ente too Of 0y)
( V 'te y jM^^ < - aO a CfctrtutedCCMUser* a Guests a K>pe V a a E5JUSRS a r.etY>=<Ccnfig.rstcn -a ausers a Prfty1r5rcc '\r~ a PM^lSers a RES Ehdpcut Servers a
& *n t Log Straefcrs Adrritstrators Psrfertrsnce Log Users **?Operators PCS Manageent s vers
* tt Control AucUat* Cws abx1 ft * P n t t a w i * J i.s0 u 1 to 1 ft 0 fcw aw #d c c m w ra X cm
Cprators
W w rt* - .
S*rf 1 l 1f 1 .nl 1 (tdl | )Scan tfve*0 ? frt*)
*r*d S * fe ) | & u |
FIG U R E5 .1 3 :Inform ationofG roups 17. Click die D a sh b o a rd tab: it shows all the scanned network information 1 n ^ GFI LanGuard 2012
I Dashboardl > 5 I q
Gmp
Sun
Km*(
Activity Monitor
Reports
Configuration * t Pale**
UUkbe;
/. OitcuMlna vwawn.-
!t
f#
C emctm
wv
\ 'i\
1 ViAirrnhlfces
V
aH
SdNiare
fei *J
it 6mel1n*ork
f j UKJ-ct: ttlh-03M a.5rt.4-
^' ucj1!)<w>:y10j<1iR<x1>
E n tire N e tw o rk -1 c o m p u te r
Security Seniors
It is recom m ended to use scheduled scans: Toperform periodical/regular netw orkvulnerability scans autom aticallyand usingthe sam e scanning profiles andparam eters To tngger scans autom aticallyafter office hours andto generate alerts andautodistributionof scan resultsviaem ail To autom aticallytrigger auto-rem ediation options, (e.g., A uto dow nloadanddeploy m issingupdates)
m
rS \
Most M rarane c awoJSfS V. S C 3 y ^ L 3 6 4
wnwarn iwuw 1 0c X T |H 1 tcrs Service Packs and U Oaxrputers VulncraWWies 1copotr9

,AiirraNity Trend Owe' tme
K-p-w! Lratra-onied Aco*c Ccopucrj Ault SMTUt 0 !
0 coneuteis Malware Protection ...
O _ I o
cj : _ j
com puters Agent Hemtn Issues 0C 0 n p u 1 8 C 8
w
Maraqe saerts *41 ?i .KTJlii...
C om pu ter V 1 4 > era b feyCBtnbulivi
: o fu t M By Gperatng System
Z j H a r s c a n . . .
Sc-= r a d rsfrar. !TfaraaLgi p .g yy
Sec :ppdy-.ai -
C ^ p m :-jr_
*aer*Stofcg|\>3tStafcg|
Computes SO 0ath .| Compjters By rfeUai... |
FIG U R E5 .1 4 : scannedreportofthenetvrork
L a b A n a ly s is
Dociunent all die results, direats, and vulnerabilities discovered during die scanning and auditing process.
Tool/U tility
Information Collected/Objectives Achieved Vulnerability Level Vulnerable Assessment System Patching Status Scan Results Details for Open TCP Ports Scan Results Details for Password Policy
GFI LanGuard 2012
Dashboard - Entire Network Vulnerability Level Security Sensors Most Vulnerable Computers Agent Status Vulnerability Trend Over Time Computer Vulnerability Distribution Computers by Operating System
P L E A S E T A L K TO YO U R IN S T R U C T O R IF YOU H A V E Q U ES T IO N S R E L A T E D TO TH IS LAB.
Q u e s t io n s
1. Analyze how GFI LANgtiard products provide protection against a worm. 2. Evaluate under what circumstances GFI LAXguard displays a dialog during patch deployment. 3. Can you change die message displayed when GFI LANguard is performing administrative tasks? If ves, how?
Internet Connection Required Yes Platform Supported 0 Classroom 0 iLabs 0 No
E x p lo rin g a n d A u d itin g a N e tw o r k U s in g N m a p
N /n a p (Z e n m a p is th e o ffic ia l A ',m a p G U I) is a f ir e , o p e n s o u rc e (lic e n s e ) u t ilit y f o r n e tw o rk e x p lo ra tio n a n d s e c u rity a u d itin g .
I C O N
K E Y
Valuable information Test vour knowledge

S
1 1 1 die previous lab you learned to use GFI LanGuard 2012 to scan a network to find out die vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. A11 administrator and an attacker can use die same tools to fix or exploit a system. If an attacker gets to know all die information about vulnerable computers, diey will immediately act to compromise diose systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch diose systems after you have determined all die vulnerabilities in a network, before the attacker audits die network to gain vulnerable information. Also, as an e t h ic a l h a c k e r and n e tw o rk a d m in is tra to r for your company, your job is to carry out daily security tasks, such as n e tw o rk in v e n to ry , service upgrade s c h e d u le s , and the m o n ito rin g of host or service uptime. So, you will be guided in diis lab to use Nmap to explore and audit a network.
Hie objective of diis lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host 01 service uptime and downtime. hi diis lab, you need to: Scan TCP and UDP ports Analyze host details and dieir topology Determine the types of packet filters
Record and save all scan reports

/j T o o ls d e m o n stra te d in th is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s
Compare saved results for suspicious ports

To perform die lab, you need: Nmap located at D :\C E H -T o o ls\C EH v 8

N e tw o rk s\ S c a n n in g T o o ls\N m ap M o d u le 0 3 S c a n n in g
You can also download the latest version of N m a p from the link http: / / nmap.org. / If you decide to download die la t e s t die lab might differ
v e r s io n ,
dien screenshots shown in
.Q Zenm apw orks on W indow s after including W indow s 7, and S erver 2003/2008.
A computer running W in d o w s
W in d o w s S e r v e r 2 0 0 8
S e rv e r 2012
as a host machine
running on a virtual machine as a guest
A web browser widi Internet access Administrative privileges to run die Nmap tool
Time: 20 Minutes
Network addresses are scanned to determine: What services

a p p lic a t io n n a m e s
and v e r s i o n s diose hosts offer
What operating systems (and OS versions) diey run The type of p a c k e t characteristics
T AS K 1 Lab T asks
f ilt e r s / f ir e w a lls
that are in use and dozens of odier
In te n s e S c a n
Follow the wizard-driven installation steps and install Nmap (Zenmap) scanner in die host machine (W in d o w S e r v e r 2 0 1 2 ). 1. Launch the S t a r t menu by hovering die mouse cursor in the lower-left corner of the desktop
FIG U R E6 .1 :W indow sS erver2012 D esktopview

C E H Lab M anual Page 123 E th ic a l H ackin g and Counterm easures Copyright O by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
2. Click the
S t 3 f t
N m a p -Z e n m a p G U I
app to open the
Zenm ap
window
A d m in is tra to r
l _
Zenm ap fileinstalls
the following f i l e s :
Server Manager
Windows PowrShell m Control Panel
Google
Hy^-V Manager
Nmap Zenmap
N m apC oreF iles N m apPath W inPcap4 .1.1 N etw orkInterface Im port Zenm ap (G U I frontend) N eat (M odernN etcat)
Ndiff
S fe
*
vp*v Virtual Machine..
o e
w
Command Prompt * Frtfo*
Me^sPing HTTPort iSW M U 1
CWto*
FIG U R E6.2W indow sS erv er2012- A pps 3. The

N m ap - Z e n m a p G U I
window appears.
!N m ap S yntax: nm ap [S canT ype(s)] [O ptions] {target specification}
Inport scan techniques, onlyone m ethodm aybeused at a tim e, except that U D P scan (sU ) andanyone of the SC TPscantypes (sY , -sZ ) m aybe com binedw ithany one ofthe TC P scantypes.
/
FIG U R E6 .3 :TheZ enm apm ainw indcw 4. Enter the virtual machine W in d o w s S e r v e r 2 0 0 8 IP a d d r e s s (10.0.0.4) t!1e j a r g e t: text field. You are performing a network inventory for r o J the virtual machine. 5. 1 1 1 tliis lab, die IP address would be your lab environment
6 .
1 0 .0 .0 .4 ;
it will be different from

ty p e o f
111 the
p ro file
P r o file :
text field, select, from the drop-down list, the you want to scan. 11 1 diis lab, select In t e n s e S c a n .
7. Click S c a n to start scantling the virtual machine.

Z e n m a p
Scan Target: I o o ls P ro file Help Profile: Intense scan 1 10.0.0.4| nm a p -T4 -A - v 10.0.0.4 Services icc> |
- r x
C om m and: H o s t!
Nm ap O utput
Ports
f Hosts | T o po lo gy | Host Details | Scans
W hileN m ap attem pts toproduce accurateresults, keepinm indthat all ofits insights are basedon packets returned bythe target m achines or the firew allsin front ofthem
OS < Host
FIG U R E6 .4 :T heZ enm apm ainw indoww ithT arget andP rofileentered !S "The sixport states recognized byN m ap: O pen C losed Filtered U nfiltered O pen| Filtered C losed|U nfiltered
8. Nmap scans the provided IP address with
In te n s e s c a n
and displays
X
the
s c a n r e s u lt
below the
N m a p O u tp u t
Zenm ap
tab.
^
Scan Target:
I o o ls
E rofile
H elp
10.0.0.4 nm a p -T4 -A - v 10.C0.4
Profile:
Intense scan
Scan:
C om m and:
N n ap O utp ut [p o rts / Hosts | T o p o lo g ) | H o st Details | Scans OS < Host 10.0.0.4 S t o r t i n g Nmap C .O l ( h t t p : / / n m s p . o r g ) at 2012 0 8 24 n m ap -T4 A v 10.00.4 ^ | | Details
N m ap accepts m ultiple host specifications onthe com m andline, and theydon't needto be ofthe sam etype.
NSE: Loaded 9 3 s c r i p t s f o r s c a n n in g . MSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g Scan a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in e S can a t 1 5 : 3 5 , 0 . 1 7 s e la p s e d h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a C o m p le te d P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 0 .5 0 s e la p s e d I n i t i a t i n g SYN S t e a l t h S can a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] D is c o v e r e d o pe n p o r t 135! t c p on D is c o v e r e d o pe n p o r t 1 3 9 / t c p on D is c o v e r e d o pe n p o r t 4451 t c p on I n c r e a s in g se n d d e la y f o r 1 6 . 0 . 0 . 4 f r o 0 t o o u t o f 179 d ro p p e d p ro b e s s in c e l a s t in c r e a s e . D is c o v e r e d o pe n p o r t 4 9 1 5 2 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o p e n p o r t 4 9 1 5 4 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 3 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 6 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 5 / t c p o n 1 0 . 0 . 0 . 4 D is c o v e r e d o pe n p o r t 5 3 5 7 / t c p on 1 0 . 6 . 0 . 4 Filter Hosts
(1 t o t a l t 1 5 :3 5 1 5 :3 5 ,
1 6 .0 .0 .4 1 0 .0 .0 .4 1 6 .0 .0 .4 d ee t o 72
FIG U R E6 .5 :TheZ enm apm ainw indoww iththeN m apO utputtabforIntenseS can 9. After the scan is c o m p le t e , Nmap shows die scanned results.
C E H Lab M anual Page 125 E th ic a l H ackin g and Counterm easures Copyright O by E C Counc11 A ll Rights Reserved. Reproduction is Strictly Prohibited
Zenm ap
Scan Target: C om m and: nm a p -T4 -A - v 10.C.0.4 I o o ls ro file Help
T= I
Scan! Cancel
The options available to control target selection: -iL<inputfilenam e> -1R<numhosts> -exclude <host1 >[,<host2>[,...]] -excludefile <exclude file>
a
N m ap O utp ut | Ports / Hosts | T o p o lo g ) OS < Host 10.0.0.4 n m ap T4 A v 10.0.0.4 1 3 9 /tc p open
JH ost Details | Scans
Details
445/tcp
open
5 3 5 7 /tc p open (SSOP/UPnP)
n e t b io s - s s n n c t b io s s sn h ttp M i c r o s o f t HTTPAPI h t t p d 2 .0
|_httpmthods: No Allow or Public hadr in OPTIONS

re s p o n s e ( s t a tu s code 5 03 ) | _ r r t t p - t i t l e : S e r v ic e U n a v a ila b le M i c r o s o f t W indow s RPC 4 9 1 5 2 / t c p o pe n m srp c M i c r o s o f t W indow s RPC 4 9 1 5 3 / t c p open m srp c M i c r o s o f t W indow s RPC 4 9 1 5 4 / t c p o pe n m srp c M i c r o s o f t W indow s RPC 4 9 1 5 5 / t c p open m srp c M i c r o s o f t W indow s RPC 4 9 1 5 6 / t c p open m srp c ______________ ;0 7 :1 0 ( M ic r o s o f t ) MAC Address: 0 ( 1 5 : 5D: D e v ic e t y p e : g e n e r a l p u rp o s e R u n n in g : M i c r o s o f t WindONS 7 | 2008 OS CPE: c p : / o : n ic r o s o f t : w in d o w s _ 7 c p e : / o : ic r o s o f t : w i n d o w s _ s e r v e r _ 2 0 0 8 : : s p l 0 d e t a i l s : M i c r o s o f t W indow s 7 o r W indow s S e r v e r 2 00 8 SP1 U p tim e g u e s s : 0 .2 5 6 d a y s ( s i n c e F r i Aug ?4 0 9 : 2 7 : 4 0 2 0 1 2 ) N ttw o rK D is t a n c e ; 1 hop TCP S c u u c tic e P r e d i c t i o n : D i f f i c u l t y - 2 6 3 (O o od l u c k ! ) I P I P S e q u e n ce G e n e r a tio n : I n c r e m e n t a l S e r v ic e I n f o : OS: W in d o w s; CPE: c p e : / o : n ic r o s c f t : w in d o w s
Q The follow ing options control host discovery: -sL(list S can) -sn(N oport scan) -Pn (N oping) P S<port list> (T C P SY NP ing) -PA<port list> (T C P A CKPing) -PU<port list> (U D P Ping) -PY<port list>(SC T P IN T TPing) -PE;-PP;-PM(IC M P PingT ypes) -PO<protocol list> (IP Protocol Ping) -PR(A R PPing) traceroute (T racepath tohost) -n(N oD N Sresolution) -R(D N Sresolutionfor all targets) -system -dns (U se systemD N S resolver) -dns-servers <server1 >[,<server2>[,. ..]] (Servers touse for reverse D N Squeries)
Filter Hosts
FIG U R E6 .6 :T heZ enm apm ainw indoww iththeN m apO utputtabforIntenseS can 10. Click the results.
P o r ts / H o s ts
tab to display more information on the scan

P o rt, P r o to c o l, S t a t e . S e r v ic e ,
11. Nmap also displays die the scan.

Scan Target: I o o ls P ro file H elp
and
V e r s io n
of
Z e n m a p
10.0.0.4 nm a p -T4 -A - v 10.0.0.4 Services OS
T T
Scan
Cancel
C om m and:
Nm gp Out p
Tu[ . ul ut j y
Hu^t Details
Sk m :.
< Host
10.0.0.4 13S 139 445 5337 Up tcp tcp tcp open open open open open open open open open rm tp c n etbios-ssn n etbios-ssn h ttp m srpc m srpc m srpc m srpc m srpc M ic ro s o ft HTTPAPI h ttp d 2.0 (SSD M ic ro s o ft W indow s RPC M ic ro s o ft W ind ow s RPC M ic ro s o ft W ind ow s RPC M ic ro s o ft W ind ow s RPC M ic ro s o ft W ind ow s RPC M in o a o ft W ind ow s RPC
49152 tcp 49153 tcp 49154 tcp 49155 tcp 49156 tcp
FIG U R E6 .7 :TheZ enm apm ainw indoww iththePorts/H oststabforIntenseS can
12. Click the T o p o lo g y tab to view Nmaps topology for the provided IP address in the In t e n s e s c a n Profile.
7^t B ydefault, N m ap perform s ahost discovery andthenaport scan against eachhost it determ inesto be online.
FIG U R E6 .8 :TheZ enm apm ainw indoww ithT opologytabfor IntenseS can 13. Click the H o s t D e t a ils tab to see die details of all hosts discovered during the intense scan profile.
Z e n m a p
Scan Target: lo o ls P rofile Help Scan Conccl 10.0.0.4 nm a p -T4 -A - v 10.0.0.4
r^ rr* 1
C om m and:
Hosts OS < Host
||
Services
I N m ap O utp ut I Porte / H o c tt | T o po lo g yf * Hn^t O.O.C.4
Scan?
7^ B ydefault, N m ap determ inesyour D N S servers (for rD N S resolution) fromyour resolv.conffile(U N IX ) or the R egistry(W in32).
10.0.0.4
H Host Status
State: O pen p o rtc Filtered ports: Closed ports: Scanned ports: U p tim e : Last b oo t: up Q 0 991 1000 22151 Fri A u g 24 09:27:40 2012
B Addresses
IPv4: IPv6: M AC: 10.0.0.4 N o t available 00:15:50:00:07:10
- Operating System
Nam e: Accuracy: M ic ro s o ft W ind ow s 7 o r W indow s Server 2008 SP1
Ports used
Filter Hosts
FIG U R E6 .9 :TheZ enm apm ainw indoww ithH ostD etailstabforIntenseS can
14. Click the

Scan Target: Tools
Scans
tab to scan details for provided IP addresses.

Zenm ap
1- 1 x
Cancel
Profile
Help Profile: Intense scan
10.0.0.4 nm a p T4 A -v 100.0.4
a N m ap offers options for specifyingw hichports are scannedandw hether the scanorder is random !2edor sequential.
C om m and:
Hosts OS
\\
Services
N m ap O u tp u t J P crts.' Hosts | T o po lo gy | H ost D e ta il;| S:an;
< Host
1 0 0 .0 4
Status
Comrard
Unsaved nmap -T4-A v 10.00.4
i f A pp e nd Scan
Remove Scan
Cancel Scan
a InN m ap, option-p <port ranges> m eans scan onlyspecifiedports.
FIG U R E6 .1 0 :TheZ enm apm ainw indoww ithS cantabforIntenseS can 15. Now, click the S e r v i c e s tab located in the right pane of the window. This tab displays the li s t of services. 16. Click the h ttp service to list all the HTTP Hostnames/lP Ports, and their s t a t e s (Open/Closed).
Z e n m a p
Scan Target: Tools Profile Help v] Profile: Intense scan v| Scan | Cancel 10.0.0.4 nm ap T4 -A -v 10.0.0.4
ad d re sse s.
Comman d:
Ports / Hosts Topology | H o c tD rtJ iik | S ^ jn t
Hosts Service
Services
N m ap O utput
< Hostname A Port < Protocol State Version
10.0.04
5357
tcp
open
M icroso ft HTTPAPI hctpd 2.0 (SSI
msrpc n etb io s5 5 n
Q InN m ap, option-F m eans fast (lim itedport) scan.
<L
FIG U R E6 .1 1 :TheZ enm apm ainw indoww ithS erv icesoptionforIntenseS can
C E H Lab M anual Page 128 E th ic a l H ackin g and Counterm easures Copyright O by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
17. Click the

Scan Target: I o o ls
m srp c
service to list all the Microsoft Windows RPC.

Z e n m a p 1 x
Scan]
P ro file
H elp Profile: Intense scan
10.0.0.4 nm a p -T4 -A - v 10.0.0.4 Services
InN m ap, O ption port-ratio cratioxdedmal num ber betw een0and 1 > m eans S cans all ports in nm ap-services filew itha ratiogreater thanthe one given. <ratio> m ust be betw een0.0and 1 .1
C om m and:
Nm ap O utput
Ports / Hosts
T o po lo gy | Host Details ^Scans
Service h ttp netbios-ssn
4 H o stnam e * Port < P rotocol * State Version 100.0.4 100.0.4 100.0.4 100 .04 1 0 0 .0 4 100.0.4 49156 49155 49154 49153 49152 135 Up tcp tcp tcp tcp tcp open open open open open open M icro so ft W in d o ro RPC M ic ro s o ft W indow s RPC M ic ro s o ft W indow s RPC M ic ro s o ft W indow s RPC M ic ro s o ft W indow s RPC M ic ro s o ft W indow s RPC
FIG U R E6.12T heZ enm apm ainw indow w ithm srpcS erv iceforIntenseS can 18. Click the
Scan Target: I c o ls
n e t b io s - s s n
service to list all NetBIOS hostnames.

Z e n m a p
T T T
Scan Cancel
E ro file
H e lp
10.0.0.4 nm a p -T4 -A - v 10.0.0.4 || Services |
C om m and: Hosts Service h ttp msrpc
InN m ap, O ption -r m eans don't random i2e ports.

hid
Nm ap O utput
Ports
f Hosts
T o po lo gy
Host D e oils
Scans
1 0 0 .0 J
100.0.4
445 139
tcp tcp
open open
FIG U R E6 .1 3 :TheZ enm apm ainw indoww ithnetbios-ssnS erv iceforIntenseS can
TASK 2
X m as Scan
19.
X m as scan
sends a T C P fra m e to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans only with OS TCP/IP developed
according to RFC 793. The current version of Microsoft Windows is not supported. 20. Now, to perform a Xmas Scan, you need to create a new profile. Click
P ro file >N e w P r o file o r C o m m a n d C trl+ P
y X m as scan(-sX ) sets the FIN , PSH , andU R G flags, lightingthe packet up likeaC hristm as tree.
m The option m axretries <num tries> specifies the m axim um num ber ofport scanprobe retransm issions.
21. On the
P r o file
tab, enter
Xm as Scan
in the
P r o file n a m e
text field.
P ro file E d ito r
nm ap -T4 -A -v 10.0.0.4 Help Description P ro file In fo rm a tio n Profile name D * n ip t 10n XmasScanj The description is a fu ll description 0 vhac the scan does, w h ich m ay be long.
Profile
Scan | Ping | Scripting | Target | Source[ O thct | Tim ing
m The option-hosttim eout <tim e>givesup on slowtarget hosts.
Caned
Save Cl
a1 yci
FIG U R E6 .1 5 :T heZ enm apP rofileE ditorw indoww iththeP rofiletab
E th ic a l H ackin g and Counterm easures Copyright by E C Counc11 A ll Rights Reserved. Reproduction is Strictly Prohibited
22. Click the S c a n tab, and select s c a n s : drop-down list. UDPscanis activated w iththe -sUoption. It can be com binedw ithaTC P scantype suchas SY Nscan (sS ) to checkboth protocols duringthe sam e run.
!m a p -T4 -A -v 10.0.0.4
X m a s T r e e s c a n (s X )
from the
1_T ' x
TCP
P ro file E d ito r
Profile
Scan | Ping | Scripting | Target) Source | O ther
Tim ing
Help
Enable all arf/anced/aggressive o ptio ns Enable OS detection (-0 ). version dete ction (-5V), script scanning (s and traceroute (traceroute).
S u n optk>m
Target? (optional): TCP scan: Non-TCP scans: T im in g tem plate: 10.00.4 None None ACK scan (-sA) FIN scan (s F ) M aim on scan (-sM ) Version detection (-sV) Idle Scan (Zom bie) (-si) FTP bounce atta ck ( b) Disable reverse DNS resc IPv6 support (6) N ull scan (-sN) TCP SYN scan (-5S) TCP co nn ect >can (T) . W ind ow scan ) sW ( | Xmas Tree scan (sX)
FI
C M
Q N m ap detects rate lim itingand slow s dow n accordinglyto avoid floodingthe netw orkw ith useless packets that the target m achinedrops.
Cancel
Save Changes
FIG U R E6 .1 6 :TheZ enm apP rofileE ditorw indoww iththeS cantab 23. Select N o n e in die N o n -T C P s c a n s : drop-down list and T 4 ) in the T im in g t e m p la t e : list and click S a v e C h a n g e s
P ro file F riito r
nm ap sX T4 A v 10.0.0.4
A g g r e s s iv e (
1 ^ |
Profile
Scar
Ping | Scripting [ Target
Source | O ther | Tim ing
Help
Enable all ad/anced/aggressive o ptio ns Enable OS detection (-0 ). version d ete ction (-5V), script scanning ( s Q and tra c e ro u te (traceroute).
Scan o p tio n * Target? (optional): TCP scan: Non-TCP scans: T im in g tem plate:
@
Q Y oucanspeedup your U D Pscans by scanningm orehosts in parallel, doingaquickscan of just the popular ports first, scanningfrombehind the firew all, andusing host-tim eout to skipslow hosts.
1D.0D.4 Xmas Tle e scan (-sX) None Aggressive (-T4) |v | [v] [v |
Enab le all a d va n ced / ag g ressve options (-A)
O O
O perating system detection (-0) Version detection (-sV) Idle Scan (Zom bie) ( - 51) FTP bounce atta ck ( b) Disable reverse DNS resolution (n) IPv6 support (-6)
Cancel
Save Changes
FIG U R E6 .1 7 :T heZ enm apP rofileE ditorw indoww iththeS cantab 24. Enter the IP address in die T a r g e t : field, select the from the P r o file : field and click S c a n .
X m as sca n
opdon
Zenm ap
Scan Target: Tools Profile Help |v | Profile- | Xmas Scan |v | |S can | Cancel |
10.0.0.4 nm ap -sX -T 4 - A -v 1 0 0 .0 /
C om m and:
Hosts
||
Services A
N m ap O u tp u t
P o rts /H o s ts | T o po lo gy
H ost Details
j Scans
V 1
InN m ap, option -sY (SCTPINITscan) is often referredto as half-open scanning, becauseyoudonf t openafull SC T P association. Y ousendan INITchunk, asifyouw ere goingto open areal associationandthenw ait for aresponse.
0 5 < H ost
| Details]
Filter Hosts
FIG U R E6 .1 8 :T heZ enm apm ainw indoww ithT arget andP rofileentered 25. Nmap scans the target IP address provided and displays results on the N m a p O u tp u t tab. Q! W hen scanning system s, com pliant w ith this R FCtext, anypacket not containingSY N ,R S T , or A CKbits resultsin a returnedR ST , if theport is closed, andnoresponse at all, iftheport is open.
Zenm ap
Scan T a rg e t Tools P ro file H elp v l Profile. Xmas Scan |Scani|
izc
10.0.0.4 nm ap -sX -T 4 -A -v 1 0 0 .0 / Services
C om m and: Hosts OS Host * 10.0.0.4
N n a p O u tp u t
Ports / Hosts | T o po lo gy
H ost Details | Scans
nm a p -sX -T4 -A -v 10.0.0.4
S t a r t i n g Nmap 6 .0 1
( h ttp ://n m a p .o r g
) a t 2 0 1 2 - 0 8 -2 4
a The option, -sA(T C P A CKscan) is usedtom ap out firew all rulesets, determ iningw hether they are stateful or not and w hichports are filtered.
N<F lo a d e d 93 s c r ip t s f o r s c a n n in g . NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g S can a t 1 6 :2 9 S c a n n in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in g Scan a t 1 6 : 2 9 , 0 .1 5 s e la p s e d ( 1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DMS r e s o l u t i o n o f 1 h o s t , a t 1 6 :2 9 c o m p le te d P a r a l l e l d n s r e s o l u t i o n o f l n o s t . a t 1 6 : 2 9 , 0 .0 0 s e la p s e d I n i t i a t i n g XMAS S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 6 . 4 [1 0 9 0 p o r t s ] I n c r e a s in g se nd d e la y f o r 1 0 . 0 . 0 . 4 f r o m 0 t o 5 due t o 34 o u t o f 84 d ro p p e d p ro & e s s in c e l a s t in c r e a s e . C o m p le te d XMAS S can a t 1 6 : 3 0 , 8 .3 6 s e la p s e d :1 0 0 0 t o t a l p o r ts )
Initiating Scrvice scon ot 16:30

I n i t i a t i n g OS d e t e c t i o n ( t r y # 1 ) a g a i r s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g MSE a t 1 6 :3 0 C o m p le te d NSE a t 1 6 : 3 0 , 0 .0 0 s e la p s e d Nnap s c o n r e p o r t f o r 1 0 . 0 . 0 . 4 H o s t i s u p ( 0 .e 0 0 2 0 s l a t e n c y ) .
FIG U R E6 .1 9 :T heZ enm apm ainw indow w iththeN m apO utputtab 26. Click the S e r v i c e s tab located at the right side of die pane. It all die services of that host.
d is p la y s
Zenm ap
Scan
Target:
0
| ' | Scan |
= 1
I o o ls
P ro file
H elp ^ P ro file Xmas Scan
10.0.0.4 nm ap -sX -T 4 -A -v 10.0.0.4
C om m and:
Hosts
Services
N m ap O u tp u t
Ports / Hosts | T o p o lo g y | H o st Details | Scans Details
nm a p -sX T4 -A -v 10.0.0.4
S t a r t i n g Nmap 6 .0 1
( h ttp ://n m a p .o rg
) a t 2 0 1 2 * 0 8 -2 4
: L oa de d 0 3 * c r i p t c f o r s c a n n in g . NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P l r g S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in g S can a t 1 6 : 2 9 , 8 .1 5 s e la p s e d ( 1 t o t a l h o s ts ) I n i t i a t i n g 3a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 6 :2 9 C o m p le te d P a r a l l e l DNS r e s o l u t i o n 0-f l n e s t , a t 1 6 : 2 9 , 0 .0 0 s e la p s e d I n i t i a t i n g XMAS S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] I n c r e a s in g se nd d e la y f o r 1 0 . 0 . 0 . 4 f r o m e t o 5 due t o 34 o u t o f 84 d -o p p e d p ro o e s s in c e l a s t in c r e a s e . C o m p le te d XMAS S can a t 1 6 : 3 0 . 8 .3 6 s e la p s e d (1 0 0 0 t o t a l p o r ts ) I n i t i a t i n g S e r v ic e s c a n a t 1 6 :3 0 I n i t i a t i n g OS d e t e c t i o n ( t r y # 1 ) a g a in s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g USE a t 1 6 :3 0 C o m p le te d NSE a t 1 6 : 3 0 , 0 .0 0 s e la p s e d
Nnap scan report for 10.0.0.4

H ost is u p ( 0 .0 0 0 2 0 s l a t e n c y ) . V
FIG U R E6 .2 0 :Z enm apM ainw indoww ithS erv icesT ab

S
T A S K
27.
Null S c a n
N u ll s c a n works only if the operating systems TCP/IP implementation is developed according to RFC 793.111 a 1 1 1 1 1 1 scan, attackers send a TCP frame to a remote host with NO Flags.
The optionN ull Scan (-sN ) does not set anybits (T C Pflagheaderis 0).
28. To perform a 1 1 1 1 1 1 scan for a target IP address, create a new profile. Click P r o file >N e w P ro file o r C o m m a n d C trl+ P
Z e n m a p
[ New Prof Je or Command 9 d it Selected Prof <e C trk P | nas Scan Q rl+E v Scan | Cancel |
Hosts
||
Scrvncct
Nmap Output P ortj / Hosts | T opology] Hot D e t a S c e n t
OS Host w 10.0.0.4
m The option, -sZ (SC T PCOOKIEECH O scan) isanadvanceSC T P COOKIEECHOscan. It takes advantageof the fact that SC T Pim plem entations shouldsilentlydroppackets containingCOO K IE ECHOchunks onopen ports but sendanA B O R T if the port is closed.
FIG U R E6 .2 1 :TheZ enm apm ainw indoww iththeN ewP rofileorC om m andoption
29. On die P r o file tab, input a profile name text field.

P ro file E d ito r
N u ll S c a n
in the
P r o file n a m e
L ^ I
a The option, -si <zom bie host>[:<probeport>] (idle scan) is anadvanced scan m ethodthat allow s for a trulyblindTC Pport scan of the target (m eaningno packets are sent tothe target fromyour real IP address). Instead, aunique side-channel attackexploits predictableIP fragm entationIDsequence generationonthe zom bie host togleaninform ation about the openports on thetarget.
nm ap -sX -T4 -A -v 10.0.0.4 Help Profile name P ro file In fo rm a tio n Profile name Description | N u ll Scanj~~| This is h o w the profile v/ill be id e n tf ied in the d ro p-d o w n co m b o box in th e scan tab.
Profile
Scan | Ping | Scripting | Target | Source | O ther | Tim ing^
FIG U R E622: TheZ enm apP rofileE ditorw iththeP rofiletab 30. Click die
m The option, -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. Scan S c a n (sN )
tab in the P r o file E d it o r window. Now select the option from the T C P s c a n : drop-down list.
P ro file E d ito r
N ull
n m a p -6X -T4 -A -v 10.0.0.4
P ro file] Scan | p!ng | S cnp tm g j larget | Source Scan o ptio ns Targets (optional): TCP scan: Non-TCP scans: T im in g tem plate: 1C.0.0.4
Jth e r
Tim ing
Help
P rof le name This is how the profile w ill be id entified n th e d ro p-d o w n co m b o box n th e scan tab.
Xmas Tree scan (-sX) None ACK seen ( sA)
|v
[Vj Enable all advanced/aggressu F N scan ( sF) O perating system detection ( M aim on t n (?M) Version dete ction (sV) N u ll scan (sN) TCP SYN scan(-sS) TCP conn ect scan (sT)
(71 Idle Scan (Zom bie) (si) O FTP bounce attack (-b)
(71 Disable reverse D N S resolutior W in cow scan ( sW)
The option, -r (D on't random izeports): B y default, N m ap random izes the scannedport order (except that certain com m onlyaccessibleports arem ovednear the beginning for efficiency reasons). T his random izationis norm ally desirable, but youcan specify-r for sequential (sortedfromlow est to highest) port scanning instead.
1 1 IPy 6 support (-6)
Xmas Tree !can (-sX)
Cancel
Save Changes
FIG U R E6 .2 3 :TheZ enm apP rofileE ditorw iththeS cantab 31. Select
N one A g g r e s s iv e (-T 4 )
from the N o n -T C P from the T im in g
scan s:
t e m p la t e :
drop-down field and select drop-down field.
32. Click S a v e
Changes
to save the newly created profile.
P ro file E d ito r
n m a p -sN -sX -74 -A -v 10.0.0.4
'-IT - '
|Scan[ Help Disable reverse DNS resolution
InN m ap, option version-all (T ryeverysingle probe) is analias for -version-intensity9 , ensuringthat everysingle probeis attem ptedagainst eachport.
Profile
Scan
P in g | Scripting | Target | S o ir e e [ C th ci | Timing
Scan o ptio ns Targets (opbonal): TCP scan: Non-TCP scans: T im ing tem plate: 10.0.04 N u l scan (sN) None Aggressive (-T4) V V V N e \er do reverse DNS. This can slash scanning times.
O perating system dete ction (-0 )
[ Z Version detection (-5V)

I Idle Scan (Z om b ie) (-si)
FTP bounce attack (-b)
I ! Disable reverse D N S resolution (-n)
IPv6 support (-6)
oncel
E r j Save Change*
The option,-topports <n> scans the <n> highest-ratioports foundin the nm ap-services file. <n> m ust be 1or greater.
m
FIG U R E6 .2 4 :TheZ enm apP rofileE ditorw iththeS cantab 33. 1 1 1 the main window of Zenmap, enter die t a r g e t IP a d d r e s s to scan, select the N u ll S c a n profile from the P r o file drop-down list, and then click S c a n .
Z e n m a p
Scfln
T a rg et
I o o ls
E ro file
Help
P ro f 1 :
| 10.0.0.4
N u ll Scan
C o m m a n d:
nm a p -sN sX T4 -A *v 10.00.4
Hosts
Services
N m ap O u tp jt
Ports / Hosts
T o po lo gy | H ost Detais ( Scans
Q The option-sR(R P C scan), m ethodw orksin conjunctionw iththe variousport scanm ethods ofN m ap. It takes all the TCP/UDPports found openandfloods themw ith SunR PCprogramN U LL com m ands inanattem pt to determ inew hether theyare R PCports, andif so, w hat programandversion num ber theyserveup.
O S < H o st
< P ort < P rcto ccl < State < Service < Version
*U
10.00.4
Filter Hosts
FIG U R E6 .2 5 :T heZ enm apm ainw indoww ithT arget andP rofileentered 34. Nmap scans the target IP address provided and displays results in O u tp u t tab.
N m ap
Z e n m a p
Scan Target Tools P rofile Help v Profile: N u ll Scan 10.0.0.4 nm a p -s N -T 4 -A -v 10.C.0.4
B Q
Scan!
u
Cancel
C o m m a n d:
Hosts OS < H ost IM 10.00.4
Services
N m ap O utp ut | P o rts / Hosts ] T o po lo gy [ H o st Details | Scans nm a p -sN T4 A - v 10.0.04
) at 2012 0 8 24
Details
S ta r t in g
Mmap 6 .0 1
( h t t p : / / n 1r a p . o r g
The option-versiontrace (T raceversion scan activity) causesN m ap to pnnt out extensive debugginginfo aboutw hat versionscanningis doing. It is a subset ofw hat you getw ith packet-trace,
N S t: Loaded 93 s c r i p t s f o r s c a n n in g . NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g Scan a t 1 6 :4 7 S c a n n in g 1 0 . 6 . 0 . 4 [1 p o r t ] C o n p le te d ARP P in g S can a t 1 6 : 4 7 , 0 . 1 4 s e la p s e c ( 1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t . 2 t 1 5 :4 7 C o n p le t e d P a r a l l e l DNS r e s o l u t i o n o-F 1 h o s t , a t 1 6 : 4 7 , 0 .2 8 s e la p s e d i n i t i a t i n g n u l l sca n a t 1 6 :4 7 S c a n n in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] I n c r e a s in g se n d d e la y f o r 1 0 . 0 . 0 . 4 -fro m 0 t o 5 d u e t o 68 o u t o f 169 d ro p p e d p ro b e s s in c e l a s t i n c r e a s e . C o n p le t e d NULL S can a t 1 6 : 4 7 , 7 .7 B s e la p s e d (1 0 0 0 t o t a l p o r ts ) I n i t i a t i n g S e r v ic e s c a n a t 1 6 :4 7 I n i t i a t i n g OS d e t e c t i o n ( t r y * l ) a g a in s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g NSE a t 1 6 :4 7 C o n p le te d NSE a t 1 6 : 4 7 , 0 .0 0 s e la D s e c Nmap s c a n r e p o r t f o r 1 0 . 0 . 0 . 4 H o s t i s up ( 0 . 0 0 0 0 6 8 s l a t e n c y ) . Filter Hosts
FIG U R E6 .2 6 :T heZ enm apm ainw indoww iththeX m apO utputtab 35. Click the
H o s t D e t a ils S ta tu s , A d d re ss e s . O pen P o rts,
tab to view the details of hosts, such as and C lo s e d P o r ts

Z e n m a p -[nrx
Cancel
H ost
'
Scan Ta rg et
Tools
r o fle
Help Profile: N u ll Scan
10.0.0.4 nm ap -s N -T 4 A -v 10.0.0.4
C o m m a n d:
Hosts OS Host * 10.0.0.4
Sen/ices
N m a p O utp ut | P o r ts / Hosts | T o p o lo g y
H ost Details | Scans
-1 0 .0 .0 .4 !
B Host Status
State: O pen ports: ports: Closed ports: up 0 0 1000
ie
Scanned ports: 1000 Up tirr e : Last b oo t: N o t available N o t available
S Addresses
IPv4:
IPv6:
10.0.0.4
N o t a vailable
M AC:
00:15:5D:00:07:10
C o m m e n ts
Filter Hosts
FIG U R E627: TheZ enm apm ainw indoww iththeH ostD etailstab
T A S K 4
A C K F la g S c a n
36. Attackers send an A C K probe packet with a random sequence number. No response means the port is filtered and an R S T response means die port is not filtered.
37. To perform an A C K F la g S c a n for a target IP address, create a new profile. Click P ro file >N e w P r o file o r C o m m a n d C trl+ P .
Z e n m a p
m The script: scriptupdatedboptionupdates the script database foundin scripts/script.db, w hichis usedbyN m apto determ ine the available default scripts and categories. It is necessaryto update the database onlyif youhaveaddedor rem ovedN SEscripts from thedefault scriptsdirectory orifyouhavechangedthe categories ofanyscript. T his optionisgenerally used byitself: nm ap script-updatedb.
!^T 0 E
C om m and:
fj?l Edit Selected Profile !!m o p v n* **v Services ]
Ctrl+E
H o s t* OS 4 Host
IM 10.0.0.4
N m ip O jtp u t
Porte / Hot
T o p o lo g y | H o d Details
JSc an t
4 P o t 4 P ro to co l 4 S t a tt 4 S e rv ice 4 Version
Filter Hosts
FIG U R E6 .2 8 :TheZ enm apm ainw indoww iththeN ewP rofileorC om m andoption 38. On the
P r o file
tab, input A C K
F la g S c a n
in the
P r o file n a m e
text field.
P ro file E d ito r
nm a p -sN -T4 -A -v 10.0.0.4 Help Description P ro file In fo rm a tio n Profile name Description |A C K PagScanj
r a n
Profile [scan | Ping | Scripting | Target | S o ire e [ C thei | Tim ing
The d e scrp tio n is a fu ll description o f wh at the scan does, w h ich m ay be long.
The options: m inparallelism<num probes>; -m ax-parallelism <num probes> (A djust probe parallelization) control the total num ber of probes that m aybe outstandingfor ahost group. Theyareusedfor port scanningandhost discovery. B ydefault, N m apcalculates aneverchangingideal parallelism basedon netw ork perform ance.
an cel
Save Changes
FIG U R E6 .2 9 :TheZ enm apP rofileE ditorW indoww iththeP rofiletab 39. To select the parameters for an ACK scan, click the S c a n tab in die P ro file E d it o r window, select A C K s c a n (s A ) from the N o n -T C P s c a n s : drop-down list, and select N o n e for all die other fields but leave the T a r g e t s : field empty.
Profile Editor
n m a p -sA -sW -T4 -A -v 10.0.0.4 H e lp
!- !
x
[ScanJ
The option: min-rtttimeout <time>, --max-rtttimeout <time>, initialrtt-timeout <t1me> (Adjust probe timeouts). Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.
Profile | Scan Scan o ptio ns
Ping
S cnpting
T3rg=t
Source
Other
Tim ing
E n a b lea lla d v a n c e d ,a g g r e s s iv e o p tio n s

Enable OS detection (-0 ), version detection (-5V), script scanning ( sC), and traceroute (ttaceroute).
Targets (optional): TCP scan: Non-TCP scans: T im in g tem plate:
10004 ACK scan (sA) None ACK s c a n ( sA) |v |
[34 Enable all advanced/aggressi\ FIN scan (-sF) O O perating system detection (- M a im o n scan (-sM ) Version detection (-5V) Idle Scan (Zom bie) (si) FTP bounce attack (b) N u ll scan (-sNl TCP SYN scan (-5S) TCP conn ect scan (-sT)
f l Disable reverse DNS resolutior Vbincov\ scan (-sW) 1 1 IPv6 su pp ort (-6) Xmas Tree scan (-5X)
ancel
Save Changes
FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab 4 0 . N o w c li c k t h e Ping t a b a n d c h e c k IPProto probes (PO) t o p r o b e t h e I P a d d r e s s , a n d t h e n c li c k Sa v e Changes.
Profile Editor
n m a p -sA -sNJ -T4 -A -v -PO 100.0.4 [Scan]
G The Option: -maxretries <numtries> (Specify the maximum number of port scan probe retransmissions). When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.
Profile
Scan
Ping
S cnp tin g| Target | Source
jOther
Tim ing
H e lp
IC M Pt im t a m pr # q u * :t
Send an ICMP tim e stam p probe to see targets are up.
Ping o ptio ns D on't p ing before scanning (Pn)
I I ICMP p ing (PE) Q ICMP tim e stam p request (-PP)
I I ICMP netmask request [-PM) Q 0 ACK ping (-PA) SYN p ing (-PS) UDP probes (-PU) jlPProto prcbs (-PO)i
( J SCTP INIT ping probes (-PY)
Cancel
Save Changes
FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab 4 1 . 111 t h e
Zenm ap m a i n w i n d o w , i n p u t d i e I P
a d d re ss
o f th e
ta rg e t
m a c h i n e ( in d i i s L a b : 10.0.0.3), s e l e c t A C K Flag Sca n f r o m d r o p - d o w n lis t, a n d t h e n c li c k Scan.
Profile:
C EH Lab Manual Page 138
Ethical Hacking and Countermeasures Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Zenmap
Scan Target: Tools Profile Help v Profile: ACK Flag Scan
10.0.0.4 nm a p -sA -PO 10.0.0.4 Services
Scans J
Scan
Cancel
C o m m a n d: H osts
N m ap O u tp u t
Ports / Hosts I T o p o lo g y ] H ost Details
3 The option: -hosttimeout <time> (Give up on slow target hosts). Some hosts simply take a long time to scan. This may be due to poody performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.
D e ta ils
Filter Hosts
FIGURE 6.32: The Zenmap main window with the Target and Profile entered 42. N m a p s c a n s d ie ta rg e t I P a d d re ss p ro v id e d a n d d is p la y s r e s u l t s o n
Nmap Output ta b .
Zenmap
Tools r o fle Help
Sc$n
Target:
10.0.0.4 nm a p -s A -P 0 1C.0.0.4
Profile:
ACK Flag Scan
Cancel
C o m m a n d:
Hosts
Sen/ices
N m ap O u tp u t
j P o r ts /H o s ts [
T o po lo gy
H ost Details
Scans
The option: scandelay <time>; --max-scandelay <time> (Adjust delay between probes) .This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.
OS *
< Host
10.0.0.4
nm a p -sA -PO 10D.0.4
Details
S t a r tin g Nmap s c a n
^map 6 .0 1 re p o rt
h ttp :/ / n m a p .o r g 1 0 .0 .0 .4
) at
2012-08-24
1 7 :0 3
India Standard Tine

fo r
Host is u9 (0.00000301 latency).
A ll 1000 scanned ports on 10.0.0.4 are unfiltered

WAC A d d r e s s : Nmap d o n e : 3 0 :1 5 :5 0 :0 0 :0 7 :1 0 a d d ress (1 host (M ic r o s o ft ) up) scannec in 7 .5 7 second s 1 IP
Filter Hosts
FIGURE 6.33: The Zenmap main window with the Nmap Output tab 4 3 . T o v i e w m o r e d e ta i ls r e g a r d i n g t h e h o s t s , c li c k d i e Host Details t a b
Zenmap
Scan Target: Tools P rofile H e lp [~v~| Profile: ACK Flag Scan Scan Cancel
10.0.0.4 nm a p -s A -P O !0.0.04
Q The option: minrate <number>; max-rate < number> (Directly control the scanning rate). Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.
C o m m a n d:
Hosts OS Host *
||
Services
N m ap O u tp u t ; 10.0.04
J Ports /
Hosts
J Topo lo gy
H o s tD e ta ls
Scans
10.0.0.4
5 H o st S tatus
State
O pen portc: Filtered ports: Closed ports: S ea m e d ports: U p t im e Last b o o t
B A d d re s s e s
IS
1000 N o t available N o t available
IPv4: IPv6: M AC:
1a0.0.4 N o t available 0Q15:50:00:07:10
Comments
Filter Hosts
FIGURE 6.34: The Zenmap main window with the Host Details tab
L a b A n a ly s is
D o c u m e n t all d i e I P a d d r e s s e s , o p e n a n d c lo s e d p o r t s , s e n d e e s , a n d p r o t o c o l s y o u d i s c o v e r e d d u r i n g d i e la b . T o o l/U tility I n f o r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d T y p es o f S can u sed : In te n s e scan X m as scan N u ll sc a n A C K F la g s c a n
I n te n s e S c a n N m a p O u tp u t N m ap A R P P in g S c a n - 1 h o s t P a ra lle l D N S r e s o lu ti o n o f 1 h o s t S Y N S te a lth S c a n D i s c o v e r e d o p e n p o r t o n 1 0 .0 .0 .4 o 1 3 5 / tc p , 1 3 9 / tc p , 4 4 5 / tc p , . ..
M A C A d d re ss O p e r a tin g S y s te m D e ta ils U p tim e G u e s s N e tw o r k D is ta n c e T C P S e q u e n c e P re d ic tio n I P I D S e q u e n c e G e n e ra tio n S e rv ic e I n f o
Ethical Hacking and Countermeasures Copyright by EC Coundl All Rights Reserved. Reproduction is Strictly Prohibited
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Q u e s t io n s
1. A n a ly z e a n d e v a lu a te t h e r e s u lts b y s c a n n i n g a ta r g e t n e t w o r k u s in g ; a. b. 2. S te a l th S c a n ( H a l f - o p e n S c a n ) nm ap -P
P e r f o r m I n v e r s e T C P F la g S c a n n in g a n d a n a ly z e h o s t s a n d s e r v ic e s f o r a t a r g e t m a c h i n e i n d i e n e tw o r k .
I n te r n e t C o n n e c tio n R e q u ire d Y es
0 No
P la tfo rm S u p p o rte d 0 C la s s ro o m 0 iL a b s
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Scanning a Network Using the NetScan Tools Pro

NetScanToolsPro is an integratedc o lle ctio n of internetinformationgatheringand netirork tro u b le s h o o tin gutilitiesforNehrork P/vfessionals.
ICON 2 3 Valuable information Test your knowledge Web exercise W orkbook review KEY
Y o u h a v e a lr e a d y n o t i c e d i n d i e p r e v i o u s la b h o w y o u c a n g a d i e r i n f o r m a t i o n s u c h as A R P p in g scan, M A C a d d re s s , o p e ra tin g s y s te m d e ta ils , I P ID sequence g e n e r a t io n , s e r v ic e in f o , e tc . d i r o u g h Intense Scan. Xmas Scan. Null Scan a n d
ACK Flag Scan
111 N m a p . A 1 1 a tt a c k e r c a n s im p ly s c a n a ta r g e t w i d i o u t s e n d i n g a
sin g le p a c k e t t o th e ta r g e t f r o m th e i r o w n I P a d d r e s s ; in s te a d , d i e y u s e a zombie
host t o p e r f o r m
th e
sc a n re m o te ly a n d i f a n
intrusion detection report is
g e n e r a t e d , i t w ill d is p la y d i e I P o f d i e z o m b i e h o s t a s a n a tta c k e r . A tta c k e r s c a n e a s ily k n o w h o w m a n y p a c k e t s h a v e b e e n s e n t s in c e d ie la s t p r o b e b y c h e c k i n g d i e I P p a c k e t fragment identification number ( I P I D ) . A s a n e x p e r t p e n e t r a t i o n te s te r , y o u s h o u l d b e a b le t o d e t e r m i n e w h e d i e r a T C P p o r t is o p e n t o s e n d a SYN ( s e s s io n e s t a b li s h m e n t ) p a c k e t t o t h e p o r t . T h e ta r g e t m a c h i n e w ill r e s p o n d w i d i a SYN ACK ( s e s s io n r e q u e s t a c k n o w le d g e m e n t) p a c k e t i f d ie p o r t is o p e n a n d RST (re s e t) i f d i e p o r t is c lo s e d a n d b e p r e p a r e d t o b l o c k a n y s u c h a tta c k s 0 1 1 t h e n e t w o r k 111 d iis l a b y o u w ill le a r n t o s c a n a n e t w o r k u s i n g NetScan Tools Pro. Y o u a ls o n e e d t o d i s c o v e r n e tw o r k , g a d i e r i n f o r m a t i o n a b o u t I n t e r n e t o r lo c a l L A N n e tw o rk d e v ic e s , I P a d d r e s s e s , d o m a i n s , d e v ic e p o r t s , a n d m a n y o t h e r n e t w o r k s p e c ific s .
T h e o b je c tiv e o f d iis la b is a s s is t t o tr o u b l e s h o o t , d ia g n o s e , m o n i t o r , a n d d i s c o v e r d e v ic e s 0 1 1 n e tw o r k .
1 1 1 d iis la b , y o u n e e d to :
D i s c o v e r s I P v 4 / I P v 6 a d d r e s s e s , h o s t n a m e s , d o m a i n n a m e s , e m a il a d d re sse s, a n d U R L s D e t e c t lo c a l p o r t s
S 7Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
T o p e r f o r m d i e la b , y o u n e e d : N e t S c a n T o o l s P r o l o c a t e d a t D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Scanning Tools\NetScanTools Pro

Y o u c a n a ls o d o w n l o a d t h e l a t e s t v e r s i o n o f N etScan Tools Pro f r o m t h e l i n k h t t p : / / w w w . 1 1 e t s c a n t o o l s . c o m / n s t p r o m a i 1 1 .h t m l I f y o u d e c id e t o d o w n l o a d d i e l a t e s t v e r s i o n , d i e n s c r e e n s h o t s s h o w n i n d i e la b m i g h t d if f e r A c o m p u t e r r u n n i n g Windows Server 2012 A d m in i s t r a ti v e p r iv ile g e s t o r u n d i e NetScan Tools Pro t o o l
T im e : 1 0 M i n u te s
N e t w o r k s c a n n i n g is d i e p r o c e s s o f e x a m i n in g d i e activity on a network, w h i c h c a n i n c l u d e m o n i t o r i n g data flow a s w e ll a s m o n i t o r i n g d i e functioning o f n e t w o r k d e v ic e s . N e t w o r k s c a n n i n g s e r v e s t o p r o m o t e b o d i d i e security a n d p e r f o r m a n c e o f a n e tw o r k . N e t w o r k s c a n n i n g m a y a ls o b e e m p l o y e d f r o m o u ts id e a n e t w o r k in o r d e r t o i d e n t if y p o te n t ia l network vulnerabilities. N e tS c a n T o o l P r o p e r f o r m s th e fo llo w in g to n e tw o r k sc a n n in g :
S TASK 1
Monitoring n e t w o r k d e v i c e s a v a il a b il it y Notifies I P a d d r e s s , h o s t n a m e s , d o m a i n n a m e s , a n d p o r t s c a n n i n g
Lab T asks
I n s ta ll N e t S c a n T o o l P r o i n y o u r W i n d o w S e r v e r 2 0 1 2 . F o ll o w d i e w i z a r d - d r i v e n in s ta l la t io n s te p s a n d in s ta ll NetScan Tool Pro. 1. L a u n c h t h e Sta rt m e n u b y h o v e r i n g d i e m o u s e c u r s o r i n t h e l o w e r - l e f t c o rn e r o f th e d e s k to p
Scanning the Network
^ Active Discovery and Diagnostic Tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses..
W in d o w s S e r \ * f 201 2
'1J#
*ta a ta ie rm X n ifa e m e CvcidilcOetoceitc

EMtuaian copy, luld M>:
FIGURE /.l: Windows Server 2012- Desktop view 2. C l i c k t h e N etScan Tool Pro a p p t o o p e n t h e N etScan Tool Pro w i n d o w
S ta rt
Server Manager Windows PowwShel Googfe Chrome H jperV kb-uoa NetScanT... Pro Demo
Administrator A
m
Control Pan*l
o Hjrpw-V Mdchir*.
f*
Q e
V
('nmittnd I't. n.". w rr
*I
20 2
x-x-ac
9
FIGURE 7.2 Windows Server 2012 - Apps
3.
I f y o u a r e u s i n g t h e D e m o v e r s i o n o f N e t S c a n T o o l s P r o , t h e n c li c k
Start the DEMO

L) Database Name be created in the Results Database Directory and it will have NstProDataprefixed and it will have the file extension .db3 4. T h e Open or C reate a N ew Result Database-NetScanTooIs Pro w i n d o w w ill a p p e a r s ; e n t e r a n e w d a t a b a s e n a m e i n D atabase Name
(enter new name here)

5. S e t a d e f a u l t d i r e c t o r y r e s u l t s f o r d a t a b a s e file l o c a t i o n , c li c k Continue Open or Create a New Results Database - NetScanTools Pro
N etScanToote P ro a u to m a b c a ly s a v e s resu lts n a d a ta b a s e . T h e d a ta b a s e s re q u re d . C r e a te a n e w R esu lts D a ta b a s e , o p en a p re viou s R e s d t s D a ta b a s e , or u s e this s o ftw a re r T r a n n g M ode with a tem po rary R esu lts D a tab a s e . T rain rtg M ode Qutdc S t a r t: P re s s C r e a te Training M ode D a ta b a s e then p re ss C o ntinue.
D a ta b a s e N am e (e n te r n e w n am e h e re ) Test|
A N E W R e s u lts D a ta b a s e w l b e a u to m a b c a ly p re fixed with ,NstProO ata-' a n d w i en d w ith ,. d b ? . N o sp ace s o r periods a r e allowed w h en e n te r n g a n e w d a ta b a s e nam e. R esu lts D a ta b a s e File Location R esu lts D a ta b a s e D irectory
S e le c t A n o th er R esu lts D a tab a s e
*C re a te Trainmg M ode D a ta b a s e
C : ^jJsers\Administrator d o c u m e n ts
P ro je ct N am e (o pb on al) S e t D e fau lt D irectory
A n a ly s t In form ation (o pb on al, c a n b e c isp laye d r\ rep o rts if desired) N am e Telep h on e Number
Title
Mobile Number
i' USB Version: start the software by locating nstpro.exe on your USB drive it is normally in the /nstpro directory p
O rganization
Email A d dress
U p d a te A n a lys t In form a bon
U s e L a s t R e s u lts D a ta b a s e
Continue
E x it Program
FIGURE 7.3: setting a new database name for XetScan Tools Pro 6. T h e N etScan Tools Pro m a i n w i n d o w w ill a p p e a r s a s s h o w i n d i e fo llo w in g fig u re
Ethical Hacking and Countermeasures Copyright O by EC Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
test NetScartTools* Pro Demo Version Build 8-17-12 based o n version 11.19
file Eflit Aes51b!11ty View IP6 Help
IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2 0 0 1 :4 8 6 0 :b 0 0 6 :6 9
( i p v 6 .g o o g l e .c o m ) o r ::1 (internal loopback address
Wefccrwto NrtScanTooh#f^5 [W o Vbtfen 1 1 TH fattwaiv n a drro ro< k>* re* t00i C u t

Th du ro M i a be ccne>ted to j W vtfden
H m x x d 'on hr A Jo i^ e d cr Vtao.a tads cr 1 |groined by fuidian on the kft panel
todi hav niror luiti
R03 iso- root carract : taoet. orwn icon :coa I8!en to net 11k traff c. ttu ; icon tooo * oca sy*em. end groy !con loots contact hid p51t> w * a w Autom ated too is M3nu3l lo ci: 13III fw o rn e tools *LCrre Dtt<ov<r/tools Pass ve 0 scow 1y ro ois
o t 0015
Fleet ' i t FI
wfyoj ' & ,to vie C <?a te rg h * local help !ncLdng Gerttirg Suited tfa m & xi
P 3 tt 1*vn toon tx tm u l >00is
proown into
FIGURE 7.4: Main window of NetScan Tools Pro 7. S e l e c t Manual Tools (all) o n t h e l e f t p a n e l a n d c li c k A R P Ping. A w i n d o w w ill a p p e a r s f e w i n f o r m a t i o n a b o u t d i e A R P P i n g T o o l . 8. C li c k OK
test
File fd it AccettibHity View IM
NetScanToois Pro Demo Version Build 8 17 12 based on version 11.19

MHp
-
Klrt'iianTooltS Pio ' J
Automata!! Tool Manual Tool( M l
About the ARP Ping Tool

use rhK tool to *. ' an IPv4 address on your subnet usino ARP packers. s<it on your LAN to find the 1a*>:*' tkne o ' a device to an ARP_REQl)EST jacket evai if 3ie d&r ce s hidden and
does not respc *d to egu a Pn g .
A R P Pina require*, target IPv4 address on your LAN.

D o n 't miss th is special fe a t u re in th is to o l: Identify duplicate IPv4 address b y singing a ssecfic IPv4 address. If more th a - Gne Cevice (tw o or rrore MAC addresses} responds, you areshow n the a d d ie a o f each o f the deuces. D o n 't fo r g e t to r!ght d k * in th e results for a menu with more options.
mac
7 Arp Ping is a useful tool capable of sending ARP packets to a target IP address and it can also search for multiple devices sharing the same IP address on your LAN
im
ARP Scan (MAC U a Cah F m n it d
D em o I im ita tio n s. None.
ij
Co*nto Monit.
c Tooll
A1 1 1 vc Dhiuveiy To Piss re Otttovety T o n s roots

p 3c t Level
root
brcemai toots Pro 0r3m Into | ( <x Help pres* FI
FIGURE 7.5: Selecting manual tools option 9. S e l e c t t h e Send Bro adcast A RP, then U nicast A R P r a d i o b u t t o n , e n t e r t h e I P a d d r e s s i n Target IPv4 Address, a n d c li c k Send Arp
test
File Fdit Accessibility View
NetScanTools Pro Demo Version Build 8 17 12 based on version 11.19

Help
,- ! s i
IPv6
Q Send Broadcast ARP, and then Unicast ARP this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box
A u tow ted Tools .lanual Tools lalf)
U9e ARP Padtets to Pnc an [Pv adjf c55 on y a r

subnet.
E Send B
O
ooCC35t ARP, then

arp
U ito st ARP
Dupi:a;-5 S c
O send B-oaCcae:
cnly
S e * th for Dipica te IP Addesoss
U
ARP Ping
T a rg e tIPv4A a dett
I ndex
ip
(f:0 0 . 0 0 O l^ F A d *
cc cc ce cc cc 0.002649 :. o : : t o 0.003318 0.002318 0.0:69*3 0.007615 0.002518 0.M198C 0.0:165$ 0.0:231.8 0.002649 0.0:2649 0.002318 0.002318 O.OS2649
A n To Automated |
R e p o r t ?
Q Add to Psvorftoc
Aaaress
mac
Address * < * - +
Response Tine (aaeci
Type Broadcast Unicast tin Ic a a t Onieaae ur.ic a a t Cr.le a s t Cr.Ic a a t Tinic a a t Onieaae Ur.ic a a t U n icast U n icast U n icast Unicast Vnicaat Unicast
y
AflP^can an |MA |MAC S<n)
ie n d A r c
S to p
N jr b n to Send
0 1 2 3 4 5
10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 1 0.0.0.1 10 .0 .0 .1 10.0.0.1 10.0.0.1 1 0.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1
Cache Forensic{
Cyde T ne (ms)
* * < * < >
cc cc cr cc cc cc cc cc cc cc
I0 0 EJ
Connwtwn Monitor |v | Fawortte Tooli Aa!re DHtovery Tool! Pj 11!x< Oiiovcry Tooli O t Tools P a level rools trte m ji looit f*coram Into
WnPcap Interface P
f 8 3 10 11 12 13 14 15
'
FPuiger 7.6: Result of ARP Ping 1 0. C li c k A R P Sca n (MAC Sca n ) i n t h e l e f t p a n e l . A w i n d o w w ill a p p e a r w i t h i n f o r m a t i o n a b o u t t h e A R P s c a n t o o l . C l i c k OK

test - NetScanTools Pro Demo Version Build 8-17-12 based on version 11.19
File Fdit Accessibility View IPv6 Help
!a lT ool! A R PP iy J
Automated Tool
About the ARP Scan Tool
ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.
Use U ib t o o l l o s e n d a n A R P R o q iM & t t o e v u ry IP v 4 ad d ress o n y o u r LAN. IPv4 connected d v u et c s n n o th n to f tv r ARP 3acfcC and mut ru p o n d with t h ! IP and MAC a d f i r * . Uncheck w e ResoKr? box for fssrti scan cor p i o n ome.
f>5
Don't Cornet to 1io : d ck n the 1e>ul:s for a menu with moio options.
y
ARPStan 1 mac sea
mo L im itation s. H one.
p
oadcast
ic o s t
lease
le a s t le a s e
Ca<n ForcnsKs
ic a s t le a s t le a s t
le a s t
ic a a t Attn* Uncovefy 10 relive l>K0vry l e a s t! east !

le a s t
H 3rt level Tool
icaat
FIGURE 7.7: Selecting ARP Scan (MAC Scan) option 1 1. E n t e r t h e r a n g e o f I P v 4 a d d r e s s i n Starting IPv4 Address a n d Ending
IPv4 Address t e x t b o x e s
1 2. C li c k Do Arp Scan
Ethical Hacking and Countermeasures Copyright O by EC Coundl All Rights Reserved. Reproduction is Strictly Prohibited
test
File Edil Accessibility View
NetScanTools* Pro Demo Version Build 8-17 12based0nvefs00 11.19

Help
IPv6
Manual Too 4 -ARP Scan (MAC Scan) $ in tonated Toots kUnuai Tools laif) U9e thE tool a fine al Staraic F v 4 Accrea
active IPv4 d r ie r s o youi n im -t.
| :0. 0
a d jK o c c
[ J j p 0 A 1 2 r a a l
& v 4 n gIPv4A < * jr c 5 5
ARP Ping
ip v l M . . . 1 0 .0 .0 .1
W 1 CAdtireflfl 0 (
EC .
I ]A d d t s ^ a v a K a t
I / r M 4 n u r* c f3 re r n e t;c a r, la c . B c a ta *
E n tr y Type dynam o d y n azd c
l>5c!
10. 0 .0
10.0.0 .2
&11 lac
vm-MSSCL.
1 0 .0 .0
ar The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.
can (M AC Scan) ASP Scan (MAC
wrtpeap Interfax i p
Cache forennct
I 10.0.0.7
Scon OSsy T n c {> )
(IZZ
Connection Monitor Favorite Tools Active OhcCvify Tool! Pasiive Ofitovtry Too 1 1 o m Tools P3<Mt LPV8 1 Tools exttmai toon rôoram Into 0 Resolve P s
FIGURE 7.8 Result of ARP Scan (MAC Scan)
1 3 . C li c k DHCP Se rve r D iscovery i n t h e l e f t p a n e l , a w i n d o w w ill a p p e a r w i t h i n f o r m a t i o n a b o u t D H C P S e r v e r D i s c o v e r y T o o l . C li c k OK

f*:
f4 e Ed* Accessibility
test - NetScanTods Pro Demo Version Build 8-17-12 based on version 11.19
View IPv6 Help
n '
RPScan IMAC Son ,
A u to m a te dlool M an u al 1 0 0 1 1!all
Cat he Forensic!
Alum! Hit* DHCP Sorv 1*f Discovery Tool

Use Uib 1004 to jitn n iy locate DHCP *ervur* < IP v l only) on your local network. It iho m th P addru and o r M C'qt ar bng handed out by DHCP wwao. Ih it too! a n aw find unknown or rooue' DHO3 swverj. Don't I otget to right dck n th* results for a menu with more options. Dano limitations. None. cry Type lo c a l
n a x le 1 0 .0 .0
Connection Monitc
naxic
10.0.0
LJ DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP serv.
O K PSfw r Oucorc
DNS -Tools Tools-core
a J
Pn u n r DutoveiyTc
P l r l level Tool External Too 11
FIGURE 7.9: Selecting DHCP Server Discovery Tool Option 14. S e l e c t a ll t h e D iscover Options c h e c k b o x a n d c li c k Discover DHCP
Servers
I
Q NetScanner, this is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations
test - NetScanTools* Pro Demo Version Build 8 -1 7-12 based o r version 11.19
T~Tn 1 '
Aurcmated To0 1 5 Fnri DHCPServers an fa r For Hdo. pe 8F:

Cache F orenwes
AddItoie IM A A. omvrd ** [
' * ] Ode or mtrrfacc bdow then crcos Discover

Discover ( X P Server* TM A d d re ss KIC A dd reas L . Jfc j% v 4 1 1 iD
.:n n cc t o n Monitor
QAddtoPnre5
I n t r f r D e s c r ip tio n Hyper-V V ir ta ! Eth ern et Adapter #2
Stop
DHCP S1 1 Dfccovtry
10.0.0.7
Wat Tim e (sec)
DfIS T Took ook -! Cote
a
a
DiscouB Opttans H05tn3r1e V Subnet M5*r V Donor ftairc
Rssordnc DHCP servers

EHCr Server IP
Server Hd3LnoM Offered I? 10.0.0.1 10.0.0.2
Offered Subnet Mask IP Address I SS.2SS.2SS.0 3 days, 0:0(
10.0.0.1
OWSTools Advanced
Fworit Tools A<tfc Dii coveiy Tools Paislv* Discovery Tools DNS Tooll =*> t r r t l TooH W * rnjl Tools P10 g r n into
d n s p Router P fa * KTP Servers
FIGURE 7.10: Result of DHCP Server Discovery 1 5 . C li c k Ping scan n er i n t h e l e f t p a n e l . A w i n d o w w ill a p p e a r w i t h i n f o r m a t i o n a b o u t P i n g S c a n n e r t o o l . C li c k OK

test
F8e EdK AtcesiibiRty Vltw
NetScanTools Pro Demo Version Build 8-17-12 based on version 11.19

Htp
IPv6
j.jA IC
WtKOIM AUtOIMtJ ToO h
M jn g jJ T00K (4 1 1 :
NtSunT00i13 P 10 S?
About the Ping Scanner (aka NetScanner) lool

use rim rooJ ro pmo . ranoe or lm of IPv4 addresses. rtvstool shows you cb romputes are active w tJiir! tr*ranoîi5t(tJ1* hav to rapond to omo). Uso it *vith * * u t o f F adflfss. To teeafl ee*ces n your subnrt mdudmg trios*blocking ping, you can um ARP Son tool. You can nport a text lest of IPv4 addresses to png Don't mres this speaal feature m this took use the Do SMB/NBNS scan qg: n B S resoonscs fiom unprotected W!ndo*s computers. Don't forget td nght didc m the results for a menu with more opaons.
Pn g
ErV1KJ
> 10
fir ,g m 0 Port Scanner is a tool designed to determine which ports on a target computer are active Le. being used by services or daemons.
Graphi cal
a
Port Scanner
P o am u o in Mod* * > <
Demo Im itations. Packet Delay (time between sending each ping) is limited to a lower tamt of SO iMlBeconds. packet Delay can be as low as zero (0) ms the f ill version. In other words, the full version w i be a bit faster.
.J
ravontf 001:
M int Ducoycnr to
Paijivt Discovery 10 DNS roou
P a a e ti m l tool} t<tcma! Tools rooram inro
FIGURE 7.11: selecting Ping scanner Option 16. S e l e c t t h e U se Default System DNS r a d i o b u t t o n , a n d e n t e r t h e r a n g e o f I P a d d r e s s i n Sta rt IP a n d End IP b o x e s 1 7 . C li c k Start
--e 6dK
test - NetScanTools * Pro Demo Version Build 8-17-12 based o r version 11.19 Accessibility View IPv6
Aurc mated To 015
Start iP 10.0.0.:
Q Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network connected device.
| 'Lke Defadt Systen D N5j
End JP 10.0.0.S0
Fa Hdp, press F1
O Use Specific D NS: - 1*1 1307.53.8.8 vl l *

AKANrtSeannw
T a r g e t IP Hostname
AddPo<nre5 Statao
0:0 t e a : s c p i v
Time (m |
10.0.0.1 ?
1 0.5.0.2 10.0.0.5 0 Resolve TPs
Port Scanner 1 0 .0 .0 .7
0
0 0
0
tnK-KSSELOUKU my:-UQM3MRiRM
WIN-D39HRSHL9E4
0:0 tchs toply

0:0 Echs ta p ly 0:0 Echs Reply
J?
MSttp.0/.25SWl
Addtbnal Scan Tests:
m Proucuou5 Mode S<onr ^

Fr 01 * Tools Arthit Oil cover? Tools Pais** Discovery Tools DNS Too 11 S* J I L c rtl Tool I M e m * Tools Pfogr!* info
1 103 I oca ARP Scat
D 3 S * E.fc8\S5car
Do Sulnel M ai: Sea!
EnaSfc Post-Scan
M O b lg of
rton-Resso'dn; P s
|
I
irw : vu:
Oeof IwpQUr t tn
FIGURE 7.12: Result of sail IP address 18. C li c k Port scan n er i n t h e l e f t p a n e l . A w i n d o w w ill a p p e a r w i t h i n f o r m a t i o n a b o u t d i e p o r t s c a n n e r t o o l . C li c k OK
test
NetScanTod $ Pro Demo Version Build 8-17-12 based on version 11.19

Help
- _ l n l
ri1h 3 > I^
Welcome ,u tw ateO Tooli M nuITouu lair
F ie
Edit
Acceuibilrty
View
IPv6
unnei/N etSiannei 9
About the Poit Scanner Iool

NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNERS PERMISSION TO SCAN.
noo
tnrunced
Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query
P nq Scanner
lypes of scanning supported ruli Connect TCP Scan (see notes below}. U0P port u'reachasle scan, combined tu> ful connect and uop scan, TCP SYN only scan and tcp son. Don't miss this special feature in this tool: After a target has bee scanned, an aalfss .vineow will open in >our Oeh J t web browser. Don't fo rg e t nght c*<k n we resjits for 3 menu with more options.
fcstenino).
use rtm ool to scan j taro** for ICP or ports that . iKrrnang (open wirh senna*
orrer
Port Scanner
Notes: settings that strongly affect scan speed: Come:San Timeout. use 200c* less on a fact networkcorrection yjdhneaiby co rp.te i. - 3 ) 3003 seconds) or more ona dau: cameao. Wot After Connect -J i s c-1 1 0 o5 each port test worts before deodng that ih ; port is not 5ce. settirxcAXbv settee* ccmccxns. Try0, (hen (ry lire. Notice the dfference.
Se tO n q s^ a x<MC o n n e c to rs
Domo KmlUtlons. Hone.
P= fcu0\j1 Mode
FIGURE 7.13: selecting Port scanner option 19. E n t e r t h e I P A d d r e s s i n t h e Target Hostnam e or IP Address f i e ld a n d s e l e c t t h e T C P Ports only r a d i o b u t t o n 2 0 . C li c k S ca n Range of Ports
test - NetScanTools Pro Demo Version Build 8-17-12 based on version 11.19
fte
1-1
Manual Fools - Port Scanner ^
Ed*
Accessibility
View
6\)
Help
Automated Tool?
Manual Toots (alij
I1 0 . 0 0 1
T3r0ut HKTSire 3r P A:dS3
Pore Range are! Sarvfcafc
Start WARNING: the- to d scan? r * rargrfr- ports. Scan C irp lrtr. Sea R.anoc of ! v s
St *
I 'T C P P o r t s I LDP P 3te O TCP4UJP Ports O t cpsyn
C n y
(
A npTO AutOHHted | I
B'd f a
OlCPaMM
Show Al S an r d Ports, Actlvi 0! Not P o rt 80 P o r t Dvac h te p P r o to c o l TCP R r u lt P o r t A c tiv e
^toônt
C o m n o n
Path
O a t ft .v d
| E d tc o n w Part{ Let
Poit Scanner
Proucuom Mode
MrPasp :-ir-âcr : 10.D.0. Comect T rcout ( 100D= !second]
f3 v o r1 t* T o o ls A < t* D ts c o re ryT o o ls Passr* D is c o v e ryto o ls DNS ro o is p*ttml loon txtem ji to o ls p ro g ra min ro
:
watAfte'Conncc (ICOO -1 s*aofl
:
FIGURE 7.14: Result of Port scanner
L a b A n a ly s is
D o c u m e n t a ll d i e I P a d d r e s s e s , o p e n a n d c lo s e d p o r t s , s e r v ic e s , a n d p r o t o c o l s y o u d is c o v e r e d d u r i n g d i e la b . T o o l/U tility I n f o r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d A R P S c a n R e s u lts : N e tS c a n T o o ls p ro IP v 4 A d d re ss M A C A d d re ss I / F M a n u fa c tu re r H o s tn a m e E n try T y p e L o c a l A d d re ss
In f o r m a tio n fo r D is c o v e r e d D H C P S e rv e rs: I P v 4 A d d r e s s : 1 0 .0 .0 .7 I n t e r f a c e D e s c r i p t i o n : H y p e r-V V irtu a l E th e r n e t A d a p te r # 2 D H C P S e r v e r I P : 1 0 .0 .0 .1 S e r v e r H o s t n a m e : 1 0 .0 .0 .1 O f f e r e d I P : 1 0 .0 .0 .7 O f f e r e d S u b n e t M a s k : 2 5 5 .2 5 5 .2 5 5 .0
Ethical Hacking and Countermeasures Copyright O by EC-Coundl All Rights Reserved. Reproduction is Strictly Prohibited
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Q u e s t io n s
1. D o e s N e t S c a i i T o o l s P r o s u p p o r t p r o x y s e r v e r s o r fire w a lls ?
In te rn e t C o n n e c tio n R e q u ire d
Y es Pla tfo rm Supported 0 C lassroom
No
0 iLabs
Drawing Network Diagrams Using LANSurveyor

l^42\s/nvejord is c o v e rsa nehvorkan dp rodu cesa c o m p r e h e n s iv enehvork d ia g ram thatin te g ra te s OSILayer2 andLajer 3 t o p o lo g ydata.
I CON K E Y 27
A i l a tt a c k e r c a n g a t h e r i n f o r m a t i o n f r o m A R P S c a n , D H C P S e r v e r s , e tc . u s i n g N e t S c a n T o o l s P r o , a s y o u h a v e l e a r n e d i n d i e p r e v i o u s la b . U s i n g d iis i n f o r m a t i o n a n a tt a c k e r c a n c o m p r o m i s e a D H C P s e r v e r 0 1 1 t h e n e tw o r k ; t h e y m i g h t d i s r u p t n e t w o r k s e r v ic e s , p r e v e n t i n g D H C P c lie n ts f r o m c o n n e c t i n g t o n e t w o r k r e s o u r c e s . B y g a in i n g c o n t r o l o f a D H C P s e r v e r , a tt a c k e r s c a n c o n f i g u r e D H C P c lie n ts w i t h f r a u d u l e n t T C P / I P c o n f i g u r a t i o n i n f o r m a t i o n , in c l u d in g a n in v a lid d e f a u l t g a te w a y o r D N S s e r v e r c o n f i g u r a t io n . 111 d ii s la b , y o u w ill l e a r n t o d r a w n e t w o r k d ia g r a m s u s i n g L A N S u r v e y o r . T o b e a n e x p e r t network administrator a n d
Web exercise
m Workbook review
penetration te s te r y o u n e e d t o d is c o v e r
n e t w o r k t o p o l o g y a n d p r o d u c e c o m p r e h e n s i v e n e t w o r k d ia g r a m s f o r d is c o v e r e d n e tw o r k s .
T h e o b je c t iv e o f d iis la b is t o h e l p s t u d e n t s d is c o v e r a n d d ia g r a m n e t w o r k to p o l o g y a n d m a p a d is c o v e r e d n e t w o r k
1 1 1 d iis la b , y o u n e e d to :
D ra w a m a p s h o w i n g d i e lo g ic a l c o n n e c t iv it y o f y o u r n e t w o r k a n d n a v ig a te a r o u n d d ie m a p
C r e a te a r e p o r t d i a t in c lu d e s a ll y o u r m a n a g e d s w itc h e s a n d h u b s
ZZy Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
T o p e r f o r m d i e la b , y o u n e e d : L A N S u r v e y o r l o c a t e d a t D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Network Discovery and Mapping Tools\LANsurveyor

Y o u c a n a ls o d o w n l o a d t h e l a t e s t v e r s i o n o f LAN Surveyor f r o m d i e l i n k h ttp : / / w w w .s o la r w i11d s . c o m / I f y o u d e c id e t o d o w n l o a d d i e la t e s t v e r s i o n , d i e n s c r e e n s h o t s s h o w n i n d i e la b m i g h t d if f e r A c o m p u t e r r u n n i n g Windows Server 2012 A w e b b ro w s e r w id i In te r n e t a ccess A d m in i s t r a ti v e p riv ile g e s t o m i l d i e LANSurveyor t o o l
O v e r v ie w o f L A N S u r v e y o r
S o la r W in d s L A N s u r v e y o r a u to m a tic a lly d is c o v e r s y o u r n e t w o r k a n d p r o d u c e s a c o m p r e h e n s i v e network diagram t h a t c a n b e e a sily e x p o r t e d t o M i c r o s o f t O f f i c e V is io . L A N s u r v e y o r a u to m a tic a lly d e te c ts new devices a n d c h a n g e s t o network
topology. I t s im p lifie s i n v e n t o r y m a n a g e m e n t f o r h a r d w a r e a n d s o f tw a r e a s s e ts ,
a d d r e s s e s r e p o r t i n g n e e d s f o r P C I c o m p l i a n c e a n d o t h e r r e g u l a to r y r e q u i r e m e n ts .
TASK
Draw Network Diagram
Lab T asks
I n s ta ll L A N S u r v e y o r o n y o u r Windows Server 2012 F o l l o w d i e w i z a r d - d r iv e n in s ta l la t io n s te p s a n d in s ta ll L A N S u r v y o r . 1. L a u n c h t h e S ta rt m e n u b y h o v e r i n g d i e m o u s e c u r s o r i n t h e l o w e r - l e f t c o rn e r o f th e d e s k to p
W indow s Server 2012

* I S M fcnar X ltl(Wmw CjnMditt (*akrtun lopy. lull) 40:
FIGURE 8.1: Windows Server 2012 - Desktop view 2. C li c k t h e LANSurvyor a p p t o o p e n t h e LANSurvyor w i n d o w
Ethical Hacking and Countermeasures Copyright by EC Coundl All Rights Reserved. Reproduction is Strictly Prohibited
LANsurveyor's Responder client Manage remote Windows, Linus, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files
S ta rt
S e rw M o ra le r
A d m in istra to r
Windows
PowetShd
G oo*
Chrwne
HpV
1 ,XU j .
IANmny...
91
Panal Q w
e
rwnt h p to m
w :a MegaPing l i NMScanL. Pto Demo
*s
FIGURE 8.2 Windows Server 2012 - Apps 3. R e v i e w t h e l i m i t a t i o n s o f t h e e v a l u a t i o n s o f t w a r e a n d t h e n c li c k
Continue w ith Evaluation t o c o n t i n u e t h e e v a l u a t i o n

S olarW in ds LA N surveyor TFile Edit Men aye Monitor Report Tods Window Help
s o la rw in d s
- *
^ LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)
FIGURE 8.3: LANSurveyor evaluation window 4. T h e Getting Started w ith LANsurveyor d i a l o g b o x is d is p la y e d . C li c k
S ta rt Scanning Network
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
r
so larw in d s7'
&]
Getting Started with LANsurveyor
a u
What you can do with LANsurveyor.

S can and map Layer 1. 2. 3 network topology Export maps to Microsoft Vtito V ie w exam ple mgp Continuously scan your network automatically
f i LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.
"2
Onca aavod, a I cuatom n ap a car be uotd m SelarV/nda not/.ok and opplcotor management software, learn more
V/atch a vdae nt'oto barn more
thwack LANsurveyor forum

thwack is 8 community site orovidiro SobrtVrds js e s with useful niomaton. toos and vauable reso jrces
Qnfcne Manual
For additional hep on using the LAIJsuveyor read the LANSurveyor Administrator Gude
Evaluation Guide Support
Tha LAMaurvayor Evaiuabon Guida prcvdaa an irtrd cton to LAMaurvayor faaturaa ard ratnicbcna fer nataltng. confgurnj, and jsmg LAHsurveyor.
TheSohrwinds Supoorl W eti offer* a senprehersve set of tool* tc help you nanaoea^d nartaai yor SohrWind* appleations
v b t tne <]1a w js a i .g a 2 s , r ic q y y r ty Q vyt9. o r Jp o a ic
I I Don't show agah
Start Scanrir.g Neta 0 * 1:
] [
FIGURE 8.4: Getting Started with LANSurveyor Wizard 5. T h e Create A Network Map w i n d o w w ill a p p e a r s ; i n o r d e r t o d r a w a n e t w o r k d i a g r a m e n t e r t h e I P a d d r e s s i n Begin Address a n d End
Address, a n d c li c k Sta rt Network Discovery
Create A New Network Map
N e t u io ikP a r a n e e tr
Eecin Acdres; 10.00.1 Enter Ke>t Address Here E rd Address 10.D.0.254
Hops
(Folowtrg cuter hopj requires SN M P rouier access!

Rotfers. Switches and her SN M P Device Dijcovery -M* 0 S N M P v l D * v k #j S M M P /I Community Strng(*)
= &=
[ ptfefc private
Q S H W P v 2 c Devices SN M Pv2 c Community Strngfs)
LANsurveyor's network
discovery discovers aU network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address
| pubiu. pmats
SNKPv3Devbe5 Other IP Service Dixovery
I SNMPv3 Options..
Ivi lANsuveya F e j pender;
1 jP
LAN survefor Responder Password:
0 IC M P (P r g )
0 N e l8 IC S Clwvs M S P Clients
Mapping Speed
I I A ctve Directory DCs
Slower
Faster
C o n f ig u r a t io nM a ^ a p e r o n * S a v e0 K c o v e t yC o n fg w a io n .
| Cored
I D isco ver Configuafon..
Start Notvo*k Dioco/cry
FIGURE 8.5: New Network Map window 6. T h e e n t e r e d I P a d d r e s s mapping process w ill d i s p l a y a s s h o w n i n t h e fo llo w in g fig u re
Mapping Progress
Searching for P nodes HopO: 10.0.0.1-10.0.0.254 SNMP Sends SNMP R ecess: ICMP Ping Sends: ICMP Receipts Subnets Mapped Nodes Mapped Routers Mapped Switches Mapped
03 LANsurveyor rs capable o f discovering and mappmg multiple VLANs on Layer 2. For example, to map a switch connecting multiple, nonconsecutive VLANs
Last Node Contacted:
WIN-D39MR5HL9E4
Cancel
FIGURE 8.6: Mapping progress window 7.
LAN surveyor d is p la y s d i e m a p o f y o u r n e t w o r k
S c la A V in d s LA N su rv eyo r - [M a p 1] Me
| ^
= -
Edit
h a> .
Manage
j
Monitor
1*
Report
s v
Tools
3 a
Avdow
0 a s
Help
r&
Q LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.
&
1 51 v
H s o la rw in d s
K H > e
E tf=d
id * || ;
ff
-4
hC as
f f c -
* ft
Network Segments (1} P Addresses (4) Domain Names (4) Node Names (4) fP Reuter LANsurveyor Responder Nodes SNMP Nodes SNMP SvntchesHubs SIP (V IPJ Nodes Layer i Nodes Active Directory DCs Groups
1 1
Wti '.'SilLC M W I
Wf.-WSC'tlXMK-O
veisor
W1N-DWlllRlLSt4 WIN D3JI H 5HJ* O vervie w f*~|
..0.0- (.0.0.255
M N LX Q N 3 W R JN S N
10006
V*4 UCONJWRSfWW
n o n '
1 0 0 9 1 1 2 -
FIGURE 8.7: Resulted network diagram
L a b A n a ly s is
D o c u m e n t all d ie I P a d d r e s s e s , d o m a i n n a m e s , n o d e n a m e s , I P r o u t e r s , a n d S N M P n o d e s y o u d i s c o v e r e d d u r i n g d i e la b . T o o l/U tility I n f o r m a tio n C o lle c te d /O b je c tiv e s A c liie v e d I P a d d r e s s : 1 0 .0 .0 .1 - 1 0 .0 .0 .2 5 4 I P N o d e s D e ta ils : L A N S u rv e y o r S N M P S en d - 62 I C M P P i n g S e n d 31 I C M P R e c e ip ts 4 N odes M apped 4
N e tw o r k s e g m e n t D e ta ils : IP A d d re ss - 4 D o m a in N a m e s - 4 N ode N am es - 4
Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S T H I S LAB.
RELATED TO
Q u e s t io n s
1. D o e s L A N S u i v e y o r m a p e v e r y I P a d d r e s s t o its c o r r e s p o n d i n g s w it c h o r h u b p o rt? 2. C a n e x a m i n e n o d e s c o n n e c t e d v ia w ir e le s s a c c e s s p o i n t s b e d e t e c t e d a n d m apped? I n te rn e t C o n n e c tio n R e q u ire d
Yes
0 No
Platfo rm Supported 0 C lassroom 0 iL a b s
Ethical Hacking and Countermeasures Copyright by EC-Council AB Rights Reserved. Reproduction is Strictly Prohibited.
Mapping a Network Using Friendly Pinger

Friendly Pingeris a user-frie n d lyapplicationfor netirork administration, m o n ito rin g , andinvento ry.
I CON K E Y 27
111 d i e p r e v i o u s la b , y o u f o u n d d i e S N A I P , I C M P P in g , N o d e s M a p p e d , e tc . d e ta ils u s i n g d i e t o o l L A N S u i v e y o r . I f a n a tt a c k e r is a b le t o g e t a h o l d o f th is in f o r m a t i o n , h e o r s h e c a n s h u t d o w n y o u r n e t w o r k u s i n g S N M P . T h e y c a n a ls o g e t a lis t o f in t e r f a c e s 0 1 1 a r o u t e r u s i n g d i e d e f a u l t n a m e p u b li c a n d d is a b le d i e m u s i n g d i e r e a d w r ite c o m m u n it y . S N M P M I B s in c l u d e i n f o r m a t i o n a b o u t t h e i d e n t i t y o f t h e a g e n t's h o s t a n d a tt a c k e r c a n ta k e a d v a n ta g e o f d iis i n f o r m a t i o n t o in itia te a n a tta c k . U s in g d i e I C M P r e c o n n a i s s a n c e te c h n i q u e a n a tt a c k e r c a n a ls o d e t e r m i n e d i e t o p o l o g y o f d i e t a r g e t n e t w o r k . A tta c k e r s c o u l d u s e e i t h e r d i e I C M P h o s t t o im m e d i a te l y d r o p a c o n n e c t i o n . A s a n e x p e r t Network Administrator a n d Penetration T e ste r y o u n e e d t o d i s c o v e r n e t w o r k t o p o l o g y a n d p r o d u c e c o m p r e h e n s i v e n e t w o r k d ia g r a m s f o r d is c o v e r e d n e t w o r k s a n d b lo c k a tt a c k s b y d e p lo y i n g fire w a lls 0 1 1 a n e t w o r k t o filte r u n - w a n t e d tra ffic . Y o u s h o u l d b e a b le t o b l o c k o u t g o i n g S N M P tr a f f ic a t b o r d e r r o u t e r s o r fire w a lls. 111 d iis la b , y o u w ill l e a n i t o m a p a n e t w o r k u s i n g d ie t o o l F r i e n d ly P in g e r . ,T i m e e x c e e d e d " 0 1 " D e s tin a tio n u n re a c h a b le " m e ssa g e s. B o d i o f d ie s e I C M P m e s sa g e s c a n c a u se a
Web exercise
m Workbook review
T h e o b je c t iv e o f d iis la b is t o h e l p s t u d e n t s d i s c o v e r a n d d ia g r a m n e t w o r k t o p o l o g y a n d m a p a d is c o v e re d n e tw o r k h i d iis la b , y o u n e e d to : D i s c o v e r a n e t w o r k u s i n g discovery te c h n i q u e s D i a g r a m t h e n e t w o r k to p o l o g y D e t e c t n e w d e v ic e s a n d m o d i f i c a ti o n s m a d e i n n e t w o r k t o p o l o g y P e r f o r m i n v e n t o r y m a n a g e m e n t f o r h a r d w a r e a n d s o f tw a r e a s s e ts
ZZ7 Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
T o p e r f o r m d i e la b , y o u n e e d : F r i e n d ly P i n g e r l o c a t e d a r D:\CEH-Tools\CEHv8 Module 0 3 Scanning
Networks\Network Discovery and Mapping Tools\FriendlyPinger

Y o u can also download die latest version o f Friendly Pinger from the
link http://www.kilierich.com/fpi11ge17download.htm
I f y o u d e c id e t o d o w n l o a d t h e la t e s t v e r s io n , d i e n s c r e e n s h o t s s h o w n i n d i e la b m i g h t d if f e r A c o m p u t e r r u n n i n g Windows Server 2 0 1 2 A w e b b ro w s e r w id i I n te rn e t a ccess A d m in i s t r a ti v e p riv ile g e s t o r u n d i e Friendly Pinger t o o l
O v e r v ie w o f N e t w o r k M a p p in g
N e t w o r k m a p p i n g is d i e s t u d y o f d i e p h y s ic a l connectivity o f n e tw o r k s . N e t w o r k m a p p i n g is o f t e n c a r r ie d o u t t o discover s e r v e r s a n d o p e r a t i n g s y s te m s r u i n i n g o n n e tw o r k s . T h i s te c l u ii q u e d e te c ts n e w d e v ic e s a n d m o d i f i c a ti o n s m a d e i n n e t w o r k t o p o lo g y . Y o u c a n p e r f o r m i n v e n t o r y m a n a g e m e n t f o r h a r d w a r e a n d s o f tw a r e a s s e ts . F rie n d ly P in g e r p e r f o r m s th e fo llo w in g to m a p th e n e tw o rk :
Monitoring n e t w o r k d e v i c e s a v a il a b il it y Notifies i f a n y s e r v e r w a k e s o r g o e s d o w n Ping o f a ll d e v i c e s i n p a r a l l e l a t o n c e
Audits hardw are a n d softw are c o m p o n e n t s i n s t a l l e d o n t h e c o m p u t e r s

o v e r th e n e tw o rk
Lab T asks
1. 2. task I n s ta ll F r i e n d ly P i n g e r
0x 1 y o u r Windows Server
2012
F o l l o w d i e w iz a r d - d r iv e n in s ta l la t io n s te p s a n d in s ta ll F r i e n d ly P in g e r . L a u n c h t h e Sta rt m e n u b y h o v e r i n g d ie m o u s e c u r s o r i n d i e lo w e r - le f t c o rn e r o f th e d e s k to p
1
3.
Draw Network Map
FIGURE 9.1: Windows Server 2012 - Desktop view 4. C li c k t h e Friendly Pinger a p p t o o p e n t h e Friendly Pinger w i n d o w
S ta r t
^ You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.
A d m in is tra to r
Sen*r M anager
Windows PowerSMI
GOOQte Chrome
W**r-V
Uninstall
r _ C om piler
m
Control Panol
* Hyp-V Mac f.inf .
&
9 M02111a Firefox
Patti A ra^zer Pro
Eaplewr
Command Prompt
2 .7
>
i l Fnendty PWêr fl* IG
K m
SeorchO.
Friendly Pinger will display IP-address of your computer and will offer an exemplary range of IPaddresses for scanning 5.
O rte f
FIGURE 9.2 Windows Server 2012 - Apps T h e Friendly Pinger w i n d o w a p p e a r s , a n d F r i e n d l y P i n g e r p r o m p t s y o u to w a tc h a n o n lin e d e m o n s tr a tio n . 6. C li c k No
& To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. In the process of determination of the intermediate addresses, they will be displayed as a list in this window and a route will be displayed as red arrows on the map
Friendly Pinger [Demo.map]

file Edit View Pinq Notification Scan FWatchcr Inventory Help *
1 & - y a fit V Denro
D em ons tra tio n m ap
S
W oik Statio n
Internet M.ui S hull cut Sm v ti
Workstation
(*mall)
^ 2 1 /2 4 /3 7
dick the client orco to add new device...
& OG 00:35
FIGURE 9.3: FPinger Main Window
7.
S e l e c t File f r o m t h e m e n u b a r a n d s e l e c t d i e Wizard o p t i o n
r
File | Edit View Ping Notification Scan
Friendly Pinger [Demo.map]
L-!j x
Scanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network
* C *%! ft
F/fatdier
Inventory
Help
WeA
Reopen
CtrUN Ct11+0
Gtfr Open... |
U
Uadate Save.. Sava At... Close
CtrhU
C tfU S
t b Close All
fcV Save A j Image... ^ Print... Lock... Create Setup... Options...
^
^ 0
Ctrl* B
5T In la n d
fr! S c iy c i
F9 Alt*)( Imen-pr H ail S h o itcu l Se n w r
X L Frit
Hob
-----
JJ
W n f k S t A lio n
M n d p n
a
r'r;m
W in k S ta tiu n I1 ,1 1|
C ie d t Od llin itia lllld L

C] Map occupies the most part of the window. Rightclick it. In the appeared contest menu select "Add and then Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture FIGURE 9.4: FPinger Staiting Wizard 8. T o c r e a t e i n i t i a l m a p p i n g o f t h e n e t w o r k , t y p e a r a n g e o f IP addresses i n s p e c i f i e d f i e ld a s s h o w n i n t h e f o l l o w i n g f i g u r e c li c k Next Wizard
---
Local IP address:
10.0.0.7
The initial map will be created by query from DNS-server the information about following IP-addresses:
1 0 .0 .0 .1 2 d
You can specify an exacter range of scanning to speed up this operation. For example: 10.129-135.1 5.1 10
| I Tim eout
1 0 0 0
The device is displayed as an animated picture, if it is pinged, and as a black and white picture if it is not pinged
? Help
Timeout allows to increase searching, but you can miss some addresses.
4*
gack
= M e x t
X Cancel
FIGURE 9.5: FPinger Intializing IP address range 9. T h e n t h e w i z a r d w ill s t a r t s c a n n i n g o f IP addresses 111 d i e n e t w o r k , a n d li s t t h e m . 1 0 . C li c k Next
Wizard
IP address
01 0 .0 .0 .2
0 0 10.0.0.3 10.0.0.5 10.0.0.7
Name W1N-MSSELCK4K41 W indows8 W1N-LXQN3WR3R9M W1N-D39MR5HL9E4
L) Press CTRL+I to get more information about the created map. You will see you name as the map author in the appeared dialog window
The inquiry is completed. 4 devices found.
R em o ve tick from devices, which you d on t want to add on the map
Help
4*
B ack
3 N ext
C ancel
FPinger 9.6: FPmger Scanning of Address completed
11. Set the default options in the Wizard selection windows and click Next
Wizard 0 Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.
Q e v i c e s ty p e:
W orkstation
Address
OUse IP-address
| Use DNS-name | Name Remove DNS suffix
Add* ion
OA dd devices to the new map

(> Add devices to the current map
Help
! Next
Cancel
FIGURE 9.7: FPinger selecting the Devices type 12. T h e n t h e c l i e n t a r e a w ill d is p la y s t h e N e t w o r k m a p i n t h e FPinger w in d o w
V
File Edit View/ Ping NotificaTion Scan
Friendly Pinger [Default.map]

FWatcher inventory Help
H >
If you want to ping inside the network, behind the firewall, there will be no problems If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. Same with the proxy server.
ft J* & g
FIGURE 9.8 FPmger Client area with Network architecture 13. T o s c a n th e s e le c te d c o m p u te r in th e n e tw o r k , s e le c t d ie c o m p u te r a n d s e l e c t t h e Sca n t a b f r o m t h e m e n u b a r a n d c li c k Scan
F rie n d ly P in g e r [D e fa u lt.m a p ]
file Edit View - y Ping a Notification *
e
Scan M
F W rtc h p
Inventory
Help
^ You may download the latest release: http: / / www. kilievich.com/ fpinger
Lb
Scan..
F61
5 0 *m
click the clicnt area to add c new devicc..
233:1
S i. 3/4/4
00:00:47
Q Select File | Options, and configure Friendly Pinger to your taste.
FIGURE 9.9: FPinger Scanning the computers in the Network 14. I t d is p la y s scanned details i n t h e Scanning w i z a r d
Scanning
Service & ] HTTP ] HTTP Compute W1N-MSSELCK... W1N-D39MR5H... Command f a h ttp://W IN -M S S ELC X 4M 1 http://W IN -D39M R5H L9E 4
Double-click tlie device to open it in Explorer.
S c a n n in g c o m p le te Progress
^J Bescan
? H e lp
y ok
X Cancel
FIGURE 9.10: FPinger Scanned results 1 5 . C l i c k t h e Inventory t a b f r o m m e n u b a r t o v i e w d i e c o n f i g u r a t i o n d e ta i ls o f th e s e le c te d c o m p u te r Audit software and hardware components installed on tlie computers over the network
V
Pk Edit V1w Ping Notification S<*n
F rie n d ly P in g e r fD e fa u lt.m a p l FWat<hcr Irvcnto
T ^ rr
1 C a :* B S J m
\ & \ ^ *
r y\Ndp________________
Ctil-F#
E l Inventory Option!.
Tracking user access and files opened on your computer via the network
FIGURE 9.11: FPinger Inventory tab 1 6. T h e General t a b o f t h e Inventory w i z a r d s h o w s d i e com puter name a n d i n s t a l l e d operating system
W
File E d it V ie w R eport O p tio n s H e lp
Inventory
la e:
W IN-D39MR5HL9E4 |g General[ Computer/User Misc| M'j
0 S ? 1 1 E
Hardware] Software{ _v) History| ^ K >
CQ Assignment of external commands (like telnet, tracert, net.exe) to devices
Host name User name
|W IN-D39MR5HL9E4 !Administrator
W indows Name Service pack |W indows Server 2012 Release Candriate Datacenter
C otecton tme Colecbon time 18/22 /2 0 12 11 :2 2:3 4 AM
FIGURE 9.12: FPinger Inventory wizard General tab 1 7 . T h e M isc t a b s h o w s t h e Netw ork IP addresses. MAC addresses. File
System , a n d Size o f t h e d is k s 5 Search of HTTP, FTP, e-mail and other network services
Inventory
File E dit V ie w R eport O p tio n s H e lp
x ' <^0
e ig ?
0 *a a
G*? fieneraj Misc hardware | Software | Network IP addresses MAC addresses 110.0.0.7 D4-BE-D9-C3-CE-2D
History |
J o ta l space Free space
465.42 Gb 382.12 Gb
Display $ettng$ display settings [ 1366x768,60 H z, T rue Color (32 bit)
Disk 3 C
Type Fixed Fixed
Free, Gb 15.73 96.10
Size, Gb 97.31 97.66
84
2
File System NTFS NTFS
Function "Create Setup" allows to create a lite freeware version with your maps and settings
S D
-
FIGURE 9.13: FPinger Inventory wizard Misc tab 18. T h e H ardw are t a b s h o w s t h e h a r d w a r e c o m p o n e n t d e ta i ls o f y o u r n e tw o rk e d c o m p u te rs
TT
File Edit View Report Options Help
0 ^ 1 3 1 0
H
w
1N-D39MFS5HL9E4||
General
Miscl
M i
H a rd w a re [^ ]
Software
History |
<
>1
4x Intel Pentium III Xeon 3093 B 4096 Mb - Q j B IO S - ) Monitors
< 2
Memory
Q | AT/AT COMPATIBLE D ELL

Genetic Pn P Monitor D isplays ad ap ters
6222004 02/09/12
- V
E O -
B j ) lnte<R) HD Graphics Family D isk drives

q
ST3500413AS (Serial: W2A91RH6)
N etw ork ad ap ters | j | @netrt630x64.inf,%rtl8168e.devicedesc%êaltekPQeGBE Family Controller S C S I and R A ID controllers @spaceport.inf,%spaceport_devicedesc%;Micro$oft Storage Spaces Controller
-^
I
FIGURE 9.14: FPinger Inventory wizard Hardware tab
1 9 . T h e So ftw are t a b s h o w s d i e i n s t a l l e d s o f t w a r e o n d i e c o m p u t e r s Inventory

File Edit View Report Options Help
-----------H 0 1 3 1 0
[ )Q 5 r
WIN-D39MR5HL9E4 G* general | M sc
Hfdware| S
Software |
History | QBr < A
>
Q Visualization of your computer network as a beautiful animated screen
Adobe Reader X (10.1.3) eMaiTrackerPro EPSON USB Display Friendfy Priger IntelfR) Processor Graphics Java(TM) 6 Update 17 Microsoft .NET Framework 4 Multi-Targeting Pack Microsoft Appfcation Error Reporting Microsoft Office Excel MUI (English) 2010 Microsoft Office OneNote MUI (English) 2010 Microsoft Office Outlook MUI (English) 2010 Microsoft Office PowerPoint MUI (English) 2010 Microsoft Office Proof (English) 2010 Microsoft Office Proof (French) 2010 Microsoft Office Proof (Spanish) 2010 O ff*** Prnnfirxi (Pnnli^hl ? flirt T e ta S Name Version Developer Homepage |
ft
Go
FIGURE 9.15: FPinger Inventory wizard Software tab
L a b A n a ly s is
D o c u m e n t all d i e I P a d d r e s s e s , o p e n a n d c lo s e d p o r t s , s e r v ic e s , a n d p r o t o c o l s y o u d is c o v e r e d d u r i n g d i e la b .
T o o l/U tility
I n f o r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d I P a d d r e s s : 1 0 .0 .0 .1 - 1 0 .0 .0 .2 0 F o u n d IP a d d re ss: 1 0 .0 .0 .2 1 0 .0 .0 .3 1 0 .0 .0 .5 1 0 .0 .0 .7
D e t a i l s R e s u l t o f 1 0 .0 .0 .7 : F rie n d lv P in g er
C o m p u te r n a m e O p e r a tin g s y s te m IP A d d re ss M A C a d d re ss F ile s y s t e m S iz e o f d i s k H a rd w a re in fo rm a tio n S o ftw a re in f o rm a tio n
Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S T H I S LAB.
RELATED TO
Q u e s t io n s
1. 2. D o e s F P i n g e r s u p p o r t p r o x y s e r v e r s fire w a lls? E x a m i n e th e p r o g r a m m i n g o f la n g u a g e u s e d i n F P in g e r .
I n te r n e t C o n n e c tio n R e q u ire d
Yes Pla tfo rm Supported 0 C lassroom
0 No
0 iL a b s
Lab
Scanning a Network Using the N essus Tool

N e s s / z sallowsyou tore m o te lyaudita nehvorkandd e te r/ n in eif it has b e e nb ro k e n into orm is u s e din s o m enay.It alsoprovidesth eability tolocally audita sp ecific m a c h in e for vulnerabilities.
I C O N K E Y
111 t h e p r e v i o u s l a b , y o u l e a r n e d t o u s e F r i e n d l y P i n g e r t o m o n i t o r n e t w o r k d e v i c e s , r e c e i v e s e r v e r n o t i f i c a t i o n , p i n g i n f o r m a t i o n , t r a c k u s e r a c c e s s v ia t h e n e t w o r k , v i e w g r a p h i c a l t r a c e r o u t e s , e tc . O n c e a t t a c k e r s h a v e t h e i n f o r m a t i o n re la te d to n e tw o r k d e v ic e s , th e y c a n u s e i t as a n e n tr y p o i n t to a n e tw o r k f o r a c o m p r e h e n s iv e a tta c k a n d p e r f o r m m a n y ty p e s o f a tta c k s ra n g in g f r o m D o S a tta c k s to u n a u th o r iz e d a d m in is tra tiv e access. I f a tta c k e rs a re a b le to get tr a c e r o u t e in f o r m a t io n , th e y m i g h t u s e a m e t h o d o lo g y s u c h as fire w a lk in g to d e t e r m i n e t h e s e r v i c e s t h a t a r e a l l o w e d t h r o u g h a f ir e w a ll. I f a n a tta c k e r g a in s p h y s ic a l a c c e s s to a s w itc h o r o t h e r n e tw o r k d e v ic e , h e o r s h e w ill b e a b l e t o s u c c e s s f u l l y i n s t a l l a r o g u e n e t w o r k d e v i c e ; t h e r e f o r e , a s a n a d m in is tra to r, y o u s h o u ld d is a b le u n u s e d p o r ts in th e c o n f ig u r a tio n o f th e d e v ic e . A l s o , i t is v e r y i m p o r t a n t t h a t y o u u s e s o m e m e t h o d o l o g i e s t o d e t e c t s u c h r o g u e d e v ic e s 0 1 1 th e n e tw o rk . A s a n e x p e r t ethical h ack er a n d penetration tester, y o u m u s t u n d e r s t a n d h o w
7 =
Valuable information Test your knowledge Web exercise
W orkbook review
vulnerabilities, com pliance specifications, a n d content policy violations a r e

s c a n n e d u s i n g t h e Nessus t o o l .
T h i s l a b w ill g iv e y o u e x p e r i e n c e 0 1 1 s c a n n i n g t h e n e t w o r k f o r v u l n e r a b i l i t i e s , a n d s h o w y o u h o w t o u s e N e s s u s . I t w ill t e a c h y o u h o w to : U s e th e N e s s u s to o l S c a n th e n e tw o r k f o r v u ln e r a b ilitie s
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
T o c a n y o u t d ie la b , y o u n e e d : N e s s u s , l o c a t e d a t D:\CEH-Tools\CEHv8 Module 03 Scanning
N etw orksW ulnerability Scanning Tools\Nessus

Y o u c a n a ls o d o w n l o a d t h e l a t e s t v e r s i o n o f N e s s u s f r o m t h e l i n k h t t p : / / w w w . t e n a b l e .c o m / p r o d u c t s / n e s s u s / n e s s u s - d o w n l o a d a g re e m e n t I f y o u d e c i d e t o d o w n l o a d t h e latest version, t h e n s c r e e n s h o t s s h o w n in th e la b m ig h t d if fe r A c o m p u t e r r u n n i n g W indow s Server 2012 A w e b b ro w s e r w ith I n te r n e t access A d m in is tr a tiv e p riv ile g e s to r u n th e N e s s u s to o l
Nessus is public Domain software related under the GPL.
O v e r v ie w o f N e s s u s T o o l
N e s s u s h e lp s s t u d e n t s t o le a r n , u n d e r s t a n d , a n d d e t e r m i n e vulnerabilities a n d
w eaknesses o f a s y s te m a n d network 111 o r d e r t o k n o w h o w a s y s te m c a n b e exploited. N e t w o r k v u ln e r a b ilitie s c a n b e network topology a n d OS vulnerabilities, o p e n p o r t s a n d r u n n i n g s e r v ic e s , application and service
c o n f i g u r a t i o n e r r o r s , a n d a p p li c a ti o n a n d service vulnerabilities.
Lab T asks 8 TAs K 1

Nessus Installation
1. T o i n s t a l l N e s s u s n a v i g a t e t o D:\CEH-Tools\CEHv8 Module 03
Scanning Netw orksW ulnerability Scanning Tools\Nessus

2. 3. D o u b l e - c l i c k t h e Nessus-5.0.1-x86_64.msi file . T h e Open File - Secu rity Warning w i n d o w a p p e a r s ; c li c k Run
O p e n File S e c u rit y W a r n in g
Do you want to run this fie ?

fJan e /lk g rt\A d m in irtrat0 r\D etH 0 D 'v N e cs1 K -5 0 -6
2 & C .r r K
Pud sht:
IcnaMc Network Security Int.
Type Windows Installer Package
From; G\Ura\Adminottatot\Doklop\No>uj*5.0.2-*66 64
Run CencH
"^7 Nessus is designed to

automate the testing and discovery of known security problems.
V Always esk cefcre opening the file
Wh Jr fi: from the Internet can be useful, this file type can potentially j ) harm >our computer. Only run scfbveic from p ubltihen yen bust. ^ What s the nsk?
FIGURE 10.1: Open File Security Warning
4.
T h e N essus - InstallShield Wizard a p p e a r s . D u r i n g t h e i n s t a l l a t i o n p r o c e s s , th e w iz a r d p r o m p ts y o u f o r s o m e b a s ic in f o r m a tio n . F o llo w d i e i n s t r u c t i o n s . C l i c k Next.
&
Tenable Nessus (x64) InstallShield Wizard

W elcome to th e InstallShield Wizard for Tenable N essus (x64)
The updated Nessus security checks database is can be retrieved with commands nessus-updatedplugins.
The InstalSh1eld(R) W izard w dl nstal Tenable Nessus (x64) on your computer. To continue, ddc Next.
W A RN IN G : Ths program is protected by copyright law and nternational treaties.
< Back
Next >
Cancel
FIGURE 10.2: The Nessus installation window 5. B e f o r e y o u b e g i n i n s t a l l a t i o n , y o u m u s t a g r e e t o t h e license agreem ent a s s h o w n i n t h e f o l l o w i n g f ig u r e . 6. S e l e c t t h e r a d i o b u t t o n t o a c c e p t t h e l i c e n s e a g r e e m e n t a n d c li c k Next.
!;
Q Nessus has the ability to test SSLized services such as http, smtps, imaps and more.
Tenable Nessus (x64) - InstallShield Wizard
License Agreement Please read the following kense agreement carefully.
Tenable Network Security, Inc. NESSUS software license Agreement

This is a legal agreement ("Agreement") between Tenable Network Security, Inc., a Delaware corporation having offices at 7063 Columbia Gateway Drive. Suite 100, Columbia, MD 21046 (Tenable"), and you, the party licensing Software (You). This Agreement covers Your permitted use of the Software BY CLICKING BELOW YOU !unir.ATF v m iB Ar.r.FPTAMr.F n p tw /.q ArtPFPMFUT auh 0 Print accept the terms in the kense agreement O I do not accept the terms n the kense agreement InstalShiekJ------------------------------------------< Back Next > Cancel
Nessus security scanner includes NASL (Nessus Attack Scripting Language).
FIGURE 10.3: Hie Nessus Install Shield Wizard 7. S e le c t a d e s t i n a t i o n f o l d e r a n d c li c k Next.

Destination Folder C lick Next to instal to this folder, or ckk Change to instal to a different folder.
Ibdl Nessus gives you the choice for performing regular nondestructive security audit on a routinely basis.
>
Instal Tenable Nessus (x64) to: C:\Program F*es\TenableNessus \
Change...
InstalShield < Back Next > Cancel
FIGURE 10.4: Tlie Nessus Install Shield Wizard 8. T h e w i z a r d p r o m p t s f o r Setup Type. W i d i d i e Complete o p t i o n , a ll p r o g r a m f e a t u r e s w ill b e i n s t a l l e d . C h e c k Complete a n d c li c k Next.

Setup Type Choose the setup type that best smts your needs.
Q Nessus probes a range of addresses on a network to determine which hosts are alive.
FIGURE 10.5: The Nessus Install Shield Wizard for Setup Type 9. T h e N e s s u s w i z a r d w ill p r o m p t y o u t o c o n f i r m t h e i n s t a l l a t i o n . C li c k
Install

Ready to Install the Program
Nessus probes network services on each host to obtain banners that contain software and OS version information
The wizard is ready to begn nstalation. C lick Instal to begn the nstalatoon. If you want to review or change any of your installation settings, dfck Back. Ckk Cancel to exit the wizard.
InstalShield < Back Instal Cancel
FIGURE 10.6: Nessus InstallShield Wizard 1 0 . O n c e i n s t a l l a t i o n is c o m p l e t e , c li c k Finish.

In stalS hield W izard Completed
Q Path of Nessus home directory for windows \programfiles\tanable\nessus
The InstalShield W izard has successfuly nstaled Tenable Nessus (x64). Ckk Finish to exit the wizard.
Cancel
FIGURE 10.7: Nessus Install Shield wizard
Nessus Major D irectories

T l i e m a j o r d i r e c t o r i e s o f N e s s u s a r e s h o w n i n t h e f o l l o w i n g ta b l e .
Nessus Home Directory 1Windows \Program Files\Tenable\Nessus

feUI During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required
Nessus Sub-Directories
Purpose
\conf \data \nessus\plugins \nassus\usrs\<username>\lcbs \no33us\logs
Configuration files Stylesheet templates Nessus plugins User knowledgebase saved on disk
-------------------------------- -1 >
, Nessus log files --------------------1
TABLE 10.1: Nessus Major Directories 11. A f te r in s ta lla tio n N e s s u s o p e n s in y o u r d e fa u lt b ro w s e r. 1 2 . T h e W elcom e to Nessus s c r e e n a p p e a r s , c li c k d i e here l i n k t o c o n n e c t v ia S S L
w e lc o m e to Nessus!
PI m m c o n n e c t v i a S S L b y c lic k in c J h r . You are hkely to get a security alert from your web browser saying that the SS L certificate is invalid. You may either choose to temporarily accept the risk, or can obtain a valid S S L certificate from a registrar. Please refer to the Nessus documentation for more information.
FIGURE 10.8: Nessus SSL certification 1 3 . C li c k OK i n t h e Secu rity Alert p o p - u p , i f i t a p p e a r s
Security Alert
The Nessus Server Manager used in Nessus 4 has been deprecated
J j You are about to view pages over a secure connection.

Any information you exchange with this site cannot be viewed by anyone else on the web. În the future, do not show this warning OK More Info
FIGURE 10.9: Internet Explorer Security Alert 14. C li c k t h e Continue to this w ebsite (not recommended) l i n k t o c o n tin u e
&
* ^
II
C crtfica te Error: M avigation... '
Snagit g j
There is a problem with this website's security certificate.

The security certificate presented by this w ebsite w as not issued b y a trusted certificate authority. The security certificate presented by this websrte w as issued fo r a different w eb site s address. Sccu n ty certificate problem s m a y indicate an ottem pt to fool y o u o r intercept a n y data you send to the server.
W c recommend that you close this webpage and do not continue to this website.
d Click here to close this webpage. 0 Continue to this website (not recommended). M ore information
FIGURE 10.10: Internet Explorer websites security certificate 1 5. o n OK i n t h e Secu rity Alert p o p - u p , i f i t a p p e a r s . Q! Due to die technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted to browsers
Security Alert
tr
1 C. i )
You are about to view pages over a secure connection Any information you exchange with this site cannot be viewed by anyone else on the web. H I In the future, do not show this warning
OK
More Info
FIGURE 10.11: Internet Explorer Security Alert 1 6 . T h e Thank you for installing Nessus s c r e e n a p p e a r s . C l i c k t h e Get
Started > b u t t o n .
R ff
W elcom e to N e s s u s
warning, a custom certificate to your organization must be used
T W ik you foi liintrtllli j
tin w uM 1
> > <h *H i
N m iii v* tflknv y!> u l< 1 portoim
1I *ah 3ped vukierntilNty diSEOvery. to detem\r* *tven hcets are rumlna wttich se1v1r.es 1 A1 j n lU 1a 1 mtrlili mj, la 1m U w t no Im l ) ia acurlly |W I w. >L-umplianca chocks, to verify and prove that v v , host on your network adheres to tho security pokey you 1 Scan sehwliJnm, to automatically rui *cant at the freijwncy you And morel
!!< stofted *
FIGURE 10.11: Nessus Getting Started 1 7 . 111 Initial Account Setup e n t e r t h e c r e d e n t i a l s g i v e n a t t h e t i m e o f r e g i s t r a t i o n a n d c li c k Next >
o ( * * < * . > .e c
Wefconeu Neaus
In itia l Account Setup

First, w e need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/deiete users, stop ongoing scans, and change the scanner configuration.
loo*n: admin Confirm P*Mword: < Prev | Next > |
Because f/* admin user can change the scanner configuration, the admin has (he ability to execute commands on the remote host. Therefore, It should be
i that the admin user has the same privileges as the *root ( or administrator) user on the remote ho:
FIGURE 10.12: Nessus Initial Account Setup 1 8 . 111 Plugin Feed Registration, y o u n e e d t o e n t e r d i e a c t i v a t i o n c o d e . T o o b t a i n a c t i v a t i o n c o d e , c li c k t h e
http://www.nessus.org/register/ lin k .
19. C li c k t h e Using Nessus at Home i c o n i n Obtain an Activation Code
>
el
If you are using Hie Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it wfll normally not do without a valid Activation Code and plugins
m i (A *CAftCM i n
<9>T E N A B L E Network Security*

I n Certift&ttH)!! Resource* Supicot
if'tMhk ProdiKls * Protfua Ovenfe Nk s u i AudHai
Obtain an Activation Code

Using Nesaus at Work?
A wuk1uV4cM * f u < ail
n lu 1 .
Using Nessus at Home?

A Ham( ml m>*Criprl Is Dm jn l t o th tm Mia ootj
'! Ml Plug**
.Sjirplr Report! NMUi FAQ Vkle D14CMFAQ Dtptovmam 1> :001u Mowus Evukoiion Training
in
FIGURE 10.13: Nessus Obtaining Activation Code 2 0 . 111 N essus for Home a c c e p t t h e a g r e e m e n t b y c l i c k i n g t h e Agree b u t t o n a s s h o w n in th e fo llo w in g fig u re .
Wckcme 1 0Mawt
Mom fc<Mama|tnat1 l
ow* m ss
t *vtl ProtoiaiOAilFaed iubbcflbaf* enjty You mat otu u 1 . The Netare rtoaaafocd do*1 *c* gn* you i o : w to of 1 K0 v >yov to perform < dedR 0 ( *S* Tw Nes*u llrtual
Product Ovenv*
Faaiuraa Nossue W*y Buwwct to New#* t Noasus ter Homa Nesius V 1lf A!(n
1 Nmhh Hom Fnd Mibscilpllon it aalatile lot ptnoia) mm a I ( o tf. * Is ink lot use by any commercial otqam/atn t !on 1 q t!
c **| or vw *Inm * iiw M n i tr.iinrvj

Trtontoa Ptoarjm tor 0< >1r(; ttio n f. a ro a jJ #! 1k* M m ii HowFbwJ Mtncri|40n lot lo 1 m | f c w cfe* ^7 to k u i *to turn 0 1M 4ml bwjln iho < Jc #nlMd prooaat SU8VCWII0M ACM I Ml NI
N W III PluflM S41v(Ju Rapotto N m a i fAQ M<I6 Dtotc** FAQ Deployment Options
* SuyôtW w m Ini 01 Openlr*j SyvtMn otw Mbwaowi) m oa> 1 to 1mvCcI vaeelto ncton| n n u n M o iy IVrjalAQor rtaouis fA<J lound cti arr, lenaUa K Ratoawonarf-aod S4xc>|ptn You agiaa 10 rv * *<> <* to to TtâUa to ach ayatoan on which You have inttaltod a Prjntr'Kl Scama T< pj Ojaniriton MiVAPthntandiuj 1 N pitîfcrtcn ow cotnwcM a* m S*Cm 2141.1 Vau ara * *atimj 01!>trifi10n You m* copy M M iwget * 4 MMMaM T t N t V t IMM Md Tm1U HonMF*d s<Mot*M rwgto to < 1 rt>to 1 *dto * eww 00tn teeing onV Upon eompteôti ot #* d m t* rigM to * a lt> Pkjn& ptmUtod by to* HomaFaad SubfeuipCanis Ptc/w*. ;wFwd SK.tvjlpi:1 (. *(fle a b*e n * ,ox !tent# *> toe Suts associated P Tmi Su&ttrfpaa You awv not u&a tw H>r *f sad Subscripted 91anted to You lot * ! inj p u > p 0M to aacuf Yu>01 any third party's, laatwoifcs or to any etoa tw clMo taning h * rorvpioductrxi nvor1r> *r1 T e a M a m tofanuci a fr* Sutrp#on undat this Suction 21c|al t coti apmant and DiMnbttoan tenable I C is t* Metsus Ftogm Deralopment 1 & JM am at lha Subbcitpttaoa 1 0wtto and dovobp 1
FIGURE 10.14: Nessus Subscription Agreement
21
S l f you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.
F ill i n t h e R egister a Hom eFeed s e c t i o n t o o b t a i n a n a c t i v a t i o n c o d e a n d c li c k Register.
ENTER SEARCH TEXT
* TEN A BLE Network Security

Partner* 1raining li fortification Resources Si port > paint |
GO!
!e n a b leP r o d u c t s
Product O v m v Iow No s m s Auditor OuniSes N84u Ptu^lns Documentation Sample Repoita N*5u 9 FAQ Motde Devices FAQ Deployment Options Nes3u3 Evaluation Training
Register a HomeFeed
T0 May up todato with 1 1 m * Nut.uit. pljgint you n w tl tt> ; etrnU iMlilte-11 to utilch an activation code wll be *ert Ye th a r td with any 3rd patty.
1 # h4v jfe d
> 1 1 U nil! not I
a m *
con^
Check lo receive updates from Tenable |
H pql^ter
FIGURE 10.15: Nessus Registering HomeFeed 2 2 . T h e Thank You for Registering w i n d o w a p p e a l s f o r Tenable Nessus
HomeFeed.
Ethical Hacking and Countermeasures Copyright C by EC Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
. V j .
*> Y.to ENTER SEARCH IE(
TENABLE Network Security1

Solutions
Products
Services
Partners
iraimna & certification
Resources
Support
Atout !enable
Store
> print | sltare Q
T en able P ro d u c ts
nessus
Thank You for Registering!

Thank jrou tor reghlMlag your I eonbit Nt-viun HomeFeed An emal conraMng w a activation 604 hA* just boon Mint to you l tie email K k tm you pravWed Please note *at tie !enable Nessus HomeFeed h uvislU iM t- for home um oor If you wantto use Nasaus at your place of business, you nuat ouicnase the Nessus Proleaaowageed Akemaiet. you nay purchase a subscriptionto the Nessus PofimoHM Sarnica and scan in tM cioudl Tha N a ttu i Ponawlci Service does no( require any software download.
For more mtetraabon on t w HomsFeed. Professional eed and Nessus Perimeter Sec.ice. please visit our Discussions Forum.
Tenable Charitable & !raining Organization Program

Tenable N c t in il Security offers Nessus l rotwon( *4 uMcnpcon t no cod to ct1*ftut4 oroartaation I
Product Overview Nessus Auditor Bundles Nessus Plugins Documentation
217After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.or gpluginscustomers.nessus .org
Sample Reports Nessus FAQ Mobile Devices FAQ Deployment Options S m u t Evaluation I raining
FIGURE 10.16: Nessus Registration Completed 2 3 . N o w lo g in to y o u r e m a il f o r th e a c tiv a tio n c o d e p r o v id e d a t th e tim e o f r e g is tr a tio n as s h o w n in th e fo llo w in g fig u re .
P
|
Y
<d
X
uflKfccjr
_ uSmqSma yaH00.C0n '
- S m > C u 1 Omu >

a h o o
! m a il
1b4e Homefeeo Activation CoO* NMtut K ig L iio i 10
MIMDttalt
aw . ounoooor*
thr* )Oulw rtanlairtj row N n w i m w 1 * w sully gcannng you usa rusius n professorial 09301 10u
Th* WU Hamafaad gubKiCton will >*er |M Netful a ftcftsslcruiFoaa suBcagimi
< % ) w * *tiel*le 4 1 lupntlw
ms r , 3onMme 0
ncu ir-n1 4 *aorta
\- is > 0u 11t1worepsK<trasc3rr>ri1(.f1if10t. C u sn g 1nt srcceSires Stlpw.
**:
PtaawconW t If! Nmmii n*tt wn ^9 Ne inttmal Aixeii i w Mnaui * *- ' M>t tl'MU inttiiiilnr camoi a t * 1 You an Andottna ic-jlsti 1 tjr m ilv a n at
i 1
w* ^ . ,Twwjuaiiu.'Ui'ntrHntantMuyMHiiimuum" ***
t ** ea *aM e in anamit* p.* y >p* tia uw. ana c*>* M t x caaa toittiaiaftBfl
I cnm ! S T O C M t
>* 1 MatpUJ-<n
FIGURE 10.17: Nessus Registration mail 2 4 . N o w e n t e r t h e a c t i v a t i o n c o d e r e c e i v e d t o y o u r e m a i l I D a n d c li c k Next.
F
P l u g in Feed R e g is t r a t io n
" - ,[ Wekcm* 10 Meuvt 9
As information about new vulnerabilities 1 8 discovered and released into the public domain, Tenabte's research staff designs programs ("plugins) that enable Nessus to detect their presence. The plugins contain vulnerability Information, the algorithm to test for the presence of the security Issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed*. You can do so by voting http 7/www.nessus.orQyreolster/ to obtain an Activation Code.
IbsdJ Once the plugins liave been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start
To use Nessus at your workplace, pufdiaae a commetG d Prgfcaatonalfccd To um NcMuti at In a non commercial homo environment, you can get HomeFeed (or free Tenable SecurltvCentor usore: Enter 'SoairltyCenter* In the field below To perform offline plugin updates, enter 'offline' In the field below
11
Activation Code Please enter your Activation Code:|9061-0266-9046-S6E4-l84| x|
Optional Proxy Settings < Prev Next >
FIGURE 10.18: Nessus Applying Activation Code 2 5 . T h e Registering w i n d o w a p p e a r s a s s h o w n i n d i e f o l l o w i n g s c r e e n s h o t .

C * fx Bs~** d *-ho* P 0 Cc**uttemH SC J w efc< * <to m ft * o 1
R e g is t e r in g . . . Registering the scanner with Tenable...
FIGURE 10.19: Nessus Registering Activation Code 2 6 . A f t e r s u c c e s s f u l r e g i s t r a t i o n c li c k , Next: Download plugins > t o d o w n lo a d N e s s u s p lu g in s .
m Nessus server configuration is managed via the GUI Tlie nessusdeonf file is deprecated In addition, prosy settings, subscription feed registration, and offline updates are managed via the GUI
P OC e*rt< *eo & C | [x a =f
W etconetoN e s s u s
* ft * o
R e g is t e r in g . . . Successfully registered the scanner with Tenable. Successfully created the user. | Next: Download plug!mi > |
FIGURE 10.20: Nessus Downloading Plugins 2 7 . N e s s u s w ill s t a r t f e t c h i n g t h e p l u g i n s a n d i t w ill i n s t a l l t h e m , i t w ill t a k e tim e to in s ta ll p lu g in s a n d in itia liz a tio n
N e s s u s is f e t c h in g t h e n e w e s t p lu g in s e t
P le a a e w a it...
FIGURE 10.21: Nessus fetching the newest plugin set 2 8 . H i e Nessus Log In p a g e a p p e a r s . E n t e r t h e Usernam e a n d Passw ord g i v e n a t t h e t i m e o f r e g i s t r a t i o n a n d c li c k Log In.
TASK
/ > .0
tc
Network Scan Vulnerabilities
nessus
I
T E N A L g
Q For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.
FIGURE 10.22: The Nessus Log In screen 2 9 . T h e Nessus Hom eFeed w i n d o w a p p e a r s . C li c k OK.
,1
/ /
n essu s
w l oaiiUtanter any oust fton* oroigMtaAofii M to a PTOtoMknalFMd Subecrtpfcxi h a<
inn r m m i v a u u r a h m k M to llm id TBtH il lr nanatamO M M to MMWuNMy i M W M u w may load 10(*iMoaAon J m i u h (eepenew.
190* -?0121)nM1 N M M s*.o r*/ nc
OK
FIGURE 10.23: Nessus HomeFeed subscription 3 0 . A f t e r y o u s u c c e s s f u l l y l o g i n , t h e Nessus Daemon w i n d o w a p p e a r s a s To add a new policy, dick Policies Âdd Policy.
s h o w n in th e fo llo w in g s c r e e n s h o t.
FIGURE 10.24: The Nessus main screen 3 1 . I f y o u h a v e a n Adm inistrator Role, y o u c a n s e e d i e U sers t a b , w h i c h li s t s a ll Users, t h e i r Roles, a n d t h e i r Last Logins.
New policies are configured using tlie Credentials tab.
FIGURE 10.25: The Nessus administrator view 3 2 . T o a d d a n e w p o li c y , c li c k Po licie s >Add Policy. F il l i n t h e General p o l i c y s e c t i o n s , n a m e l y , B asic, Sca n , Network Congestion, Port
Scanners, Port Sca n Options, a n d Performance.
^WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully
FIGURE 10.26: Adding Policies 3 3 . T o c o n f i g u r e d i e c r e d e n t i a l s o f n e w p o l i c y , c li c k d i e Credentials t a b s h o w n i n t h e l e f t p a n e o f Add Policy.
m The most effective credentials scans are those for which the supplied credentials have root privileges.
FIGURE 10.27: Adding Policies and setting Credentials 3 4 . T o s e l e c t t h e r e q u i r e d p l u g i n s , c li c k t h e Plugins t a b i n t h e l e f t p a n e o f
Add Policy.
P .
m If you are using Kerberos, you must configure a Nessus scanner to authenticate a KDC.
WO W B lc/O tr! c U rir ^ r u!j S u it#1 o!v.b O anottK dfenw ct, (a) 0 n eral V jG en lT O U K B lS * aj* y C h K * y m p -u xL 0 C a Seaiftycki Jurat UjcUS acu n tyC h K M 3w opn T rie*m att tc*
18 W 8 eo?1 A xaunt 0 +m **7 O .. O C U kttO 'ta -JU rK lnl I o iiiiiI ii > > u I I.< W
O A r lfc** ftM *2m* L *r>* >IknU. o 1 B aiH ir r>K M 1SuorPar20AO.W eilm iinftw aia O 16 T OCCHO P 1 W )0 1M elo n O1 4 M 0C *1 tarK T T PPra! S if* ! H cd Hattr R urolaD o S <J 1 2 0 M CtcdPowF .irV V a l 4, 1 . uaeV jInentollB|0f.F S |
f* 1C ikre T C Ppoll*22 1W O . 75* * * ffjw yU e ly B ia lK W 5 isAOioai*scrtr sc * < * * n c e pars T C P .E 2 2 1 >!1 W v * .v.eC T .17* MtiKtAwklinsj T C P .'1 7 8 14 * .* )tcfirttxnUxlum g
FIGURE 10.28: Adding Policies and selecting Plugins 3 5 . T o c o n f i g u r e p r e f e r e n c e s , c li c k t h e Preferen ces t a b i n t h e l e f t p a n e o f
Add Policy.
3 6 . I n t h e Plugin f ie ld , s e l e c t Database settings f r o m t h e d r o p - d o w n lis t. If the policy is successfully added, then the 3 7 . E n t e r t h e Login d e t a i l s g i v e n a t d i e t i m e o f r e g i s t r a t i o n . Nessus server displays the massage 3 8 . G i v e t h e D a t a b a s e S I D : 4587, D a t a b a s e p o r t t o u s e : 124, a n d s e l e c t
O r a c l e a u t l i ty p e : SY SD BA . 3 9 . C li c k Submit.
CD Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
FIGURE 10.29: Adding Policies and setting Preferences 4 0 . A m e s s a g e Po licy N etw o rk Scan _Po licy w as successfu lly added d is p la y s a s s h o w n a s f o l l o w s .
FIGURE 10.30: The NetworkScan Policy To scan the window, input the field name, type, policy, scan target, and target file. 4 1 . N o w , c li c k Sca n s >Add t o o p e n t h e Add Sca n w i n d o w . 4 2 . I n p u t t h e f i e ld Name, Type, Policy, a n d S ca n Target 4 3 . 111 S ca n Targets, e n t e r d i e I P a d d r e s s o f y o u r n e t w o r k ; h e r e i n t h i s l a b w e a r e s c a n n i n g 1 0 .0 .0 .2 . 4 4 . C li c k Launch S ca n a t d i e b o t t o m - r i g h t o f t h e w i n d o w .
Note: T h e I P a d d r e s s e s m a y d i f f e r i n y o u r l a b e n v i r o n m e n t
Ethical Hacking and Countermeasures Copyright O by EC Counc11
Nessus lias the ability to save configured scan policies, network targets, and reports as a .nessus file.
FIGURE 10.31: Add Scan 4 5 . T h e s c a n l a u n c h e s a n d starts scanning t h e n e t w o r k .
FIGURE 10.32: Scanning in progress
S ' Tools demonstrated in this lab are available in D:\CEH Tools\CEHv8 Module 03 Scanning Networks
4 6 . A f t e r t h e s c a n is c o m p l e t e , c li c k t h e Reports ta b .
FIGURE 10.33: Nessus Reports tab 4 7 . D o u b l e - c l i c k Local Network t o v i e w t h e d e t a i l e d s c a n r e p o r t .
fc
..-*
gMtyi
Bn B m tn
< Cvwii
'
So-Mity
Hm n t w1 1 1I K IN W I
* M m Me
Z
< * < HM HM tMM H9W xfn H lrrt> Iftte Infe [ l v >
MUl-a* * . * Qi
CuMUrm tlmbn rf
UTMMB1 W . i 1
MM
KTT* Im i T> M VIWMH N M < N ilr a W U IIM t W M l
Wt W M W lK M l
M .~ Tnl *m
NHHl^ll>H|i iW .I
UhmlUn C M * * WiMom w m m uv* no^jMren Un CM
McmcC o 1o -* it f i LMdicr^ntarnjlutPu < Funtut SID Ewneutan M m x M tC o t n m k U u iu im L i 1-cruttn hgr r J O aH K Qn-a U r . riCK) SnaUU-
1 0 1
U B MO.
FIGURE 10.34: Report of the scanned target
4 8 . D o u b l e - c l i c k a n y result t o d i s p l a y a m o r e d e t a i l e d s y n o p s i s , d e s c r i p t i o n , s e c u r ity le v e l, a n d s o lu tio n .
Q If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentications.
FIGURE 10.35: Report of a scanned target 4 9 . C l i c k t h e Download Report b u t t o n i n t h e l e f t p a n e . 5 0 . Y o u c a n d o w n l o a d a v a il a b le r e p o r t s w i t h a .nessus e x t e n s i o n f r o m t h e d r o p - d o w n lis t. Download R eport Download Format 1 Chapters
C hap ter Selectio n N ot A llow ed
G 3 To stop Nessus server, go to the Nessus Server Manager and click Stop Nessus Server button. Cancel FIGURE 10.36: Download Report with .nessus extension 5 1 . N o w , c li c k Log out. 5 2 . 111 t h e N e s s u s S e r v e r M a n a g e r , c li c k Stop Nessus Server. Subm it
B
>M
*6
a
FIGURE 10.37: Log out Nessus
69
L a b A n a ly s is
D o c u m e n t all d i e r e s u lts a n d r e p o r t s g a d i e r e d d u r i n g d i e la b .
T o o l/U tility
I n f o r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d S c a n T a rg e t M a c h in e : L o cal H o st
Perfo rm ed Scan P o lic y : N e t w o r k S c a n P o l i c y N e ssu s T arg et I P Address: 1 0 .0 .0 .2 R esult: L o c a l H o s t v u l n e r a b i l i t i e s
PL E A S E TALK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.
Q u e s t io n s
1. E v a lu a te th e O S p la tfo rm s th a t N e s s u s h a s b u ild s fo r. E v a lu a te w h e th e r N e s s u s w o r k s w ith th e s e c u r ity c e n te r. 2. D e te r m in e h o w th e N e s s u s lic e n s e w o r k s in a V M (V ir tu a l M a c h in e ) e n v iro n m e n t.
In te rn e t C o n n e c tio n R e q u ire d
0 \ es
Pla tfo rm Supported 0 C lassroom
No
iL a b s
Ethical Hacking and Countermeasures Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
I CON K E Y aValuable information Test your knowledge Web exercise
Auditing Scanning by using Global Network Inventory

Global]Seh) o r kInventoryis u s e dasanauditscannerin ~ e r od e p lo y m e n tand a g e n t f r e ee n v ir o n m e n ts . It s c a n sco n rp !ite rsb yIP r a n g e ,d o m a in ,c o n / p !ite r sorsin g le c o m p u t e r s ,d e fin e db yth e GlobalNetirork Inventory h o stfile.
W ith th e d e v e lo p m e n t o f n e tw o rk te c h n o lo g ie s and a p p lic a tio n s , n e tw o r k
01
m W orkbook review
a t t a c k s a r e g r e a t l y i n c r e a s i n g b o t h i n n u m b e r a n d s e v e r ity . A t t a c k e r s a lw a y s l o o k f o r service v u l n e r a b i l i t i e s a n d
application v u l n e r a b i l i t i e s o n a n e t w o r k
s e r v e r s . I f a n a t t a c k e r f i n d s a f la w o r l o o p h o l e i n a s e r v i c e r u n o v e r t h e I n t e r n e t , t h e a t t a c k e r w ill i m m e d i a t e l y u s e t h a t t o c o m p r o m i s e t h e e n t i r e s y s t e m a n d o th e r d a ta fo u n d , th u s he or she can c o m p ro m is e o th e r s y s te m s

0 11
th e
n e t w o r k . S im ila r ly , i f t h e
a tta c k e r fin d s
a w o rk s ta tio n w ith
adm inistrative
privileges w i t h f a u l t s i n t h a t w o r k s t a t i o n s a p p l i c a t i o n s , t h e y c a n e x e c u t e a n
a rb itr a r y c o d e 0 1 im p la n t v iru s e s to in te n s ify th e d a m a g e to th e n e tw o rk . A s a k e y te c h n iq u e in n e tw o r k s e c u r ity d o m a in , in t r u s i o n d e te c tio n s y s te m s (ID S e s ) p la y a v ita l r o le o f d e te c tin g v a r io u s k in d s o f a tta c k s a n d s e c u r e th e n e t w o r k s . S o , a s a n a d m i n i s t r a t o r y o u s h o u l d m a k e s u r e t h a t s e r v ic e s d o n o t r u n a s t h e root user, a n d s h o u l d b e c a u t i o u s o f p a t c h e s a n d u p d a t e s f o r a p p l i c a t i o n s f r o m v e n d o r s 0 1 s e c u r i t y o r g a n i z a t i o n s s u c h a s C ER T a n d CVE. S a f e g u a r d s c a n b e im p le m e n te d s o t h a t e m a il c lie n t s o f tw a re d o e s n o t a u to m a tic a lly o p e n o r e x e c u t e a t t a c h m e n t s . 1 1 1 t h i s l a b , y o u w ill l e a r n h o w n e t w o r k s a r e s c a n n e d u s i n g th e G lo b a l N e t w o r k I n v e n t o r y to o l.
T h i s l a b w ill s h o w y o u h o w n e t w o r k s c a n b e s c a n n e d a n d h o w t o u s e G l o b a l N e t w o r k I n v e n t o r y . I t w ill t e a c h v o u h o w to : U s e th e G lo b a l N e tw o r k I n v e n to r y to o l
ZZ Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks
T o c a n y o u t d ie la b , y o u n e e d : G l o b a l N e t w o r k I n v e n t o r y t o o l l o c a t e d a t D:\CEH-Tools\CEHv8 Module
03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner

Y o u c a n a ls o d o w n l o a d t h e l a t e s t v e r s i o n o f G l o b a l N e t w o r k I n v e n t o r y f r o m th is lin k h t t p : / /w w w .m a g n e to s o f t.c o m /p r o d u c ts /g lo b a l n e tw o rk in v e n to r y /g n i f e a tu re s .h tm / I f y o u d e c i d e t o d o w n l o a d t h e l a t e s t v e r s i o n , t h e n screenshots s h o w n in th e la b m ig h t d iffe r A c o m p u t e r r u n n i n g Windows Server 2012 a s a tt a c k e r ( h o s t m a c h i n e ) A n o t h e r c o m p u t e r r u n n i n g Window Server 2008 a s v ic t im (v irtu a l m a c h in e ) A w e b b ro w s e r w ith I n te r n e t acc e ss F o l l o w d i e w iz a r d - d r iv e n in s ta l la t io n s te p s t o in s ta ll Global Network
Inventory
A d m in i s t r a ti v e p r iv ile g e s t o r u n to o l s
O v e r v ie w o f G lo b a l N e t w o r k In v e n t o r y
G l o b a l N e t w o r k I n v e n t o r y is o n e o f d i e de facto to o l s f o r security auditing a n d
testing o f fire w a lls a n d n e tw o r k s , i t is a ls o u s e d t o e x p lo i t Idle Scanning.
Lab T asks
task
1
1. L a u n c h t h e S ta rt m e n u b y h o v e r i n g d i e m o u s e c u r s o r i n t h e l o w e r - l e f t c o rn e r o f d ie d e s k to p .
Scanning the network
FIGURE 11.1: Windows Server 2012 - Desktop view 2. C lic k d i e Global Network Inventory a p p t o o p e n d i e Global Network
Inventory w in d o w .
5 t 9 |
Administrator
Server Manager
Windows PcrwerShell
Google Chrome
Hn>er.V Manager
fL *J
m
Control Panel
*
Hypr-V Wtual Machine.
SQLServs
Scan computers by IP range, by domain, single computers, or computers, defined by the Global Network Inventory host file
F
Command Prompt Mozfla 1 1 * 1 0 *
Mww&plcm
B
S- Bui Search01.. Global Necort
PutBap
H
FIGURE 112: Windows Server 2012 - Apps
3.
T l i e Global Network Inventory M a i n w i n d o w a p p e a r s a s s h o w n i n d ie fo llo w in g fig u re .
4.
T h e Tip of Day w i n d o w a ls o a p p e a r s ; c lic k Close.
& S c a n only items that you need by customizing scan elements
FIGURE 11.3 Global Network Inventory Maui Window 5. T u r n 0 1 1 Windows Server 2008 v ir tu a l m a c h i n e f r o m H v p e r - V M a n a g e r .
Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices
FIGURE 11.4: Windows 2008 Virtual Machine 6. N o w s w it c h b a c k t o W i n d o w s S e r v e r 2 0 1 2 m a c h i n e , a n d a n e w A u d i t W i z a r d w i n d o w w ill a p p e a r . C lic k Next ( o r i n d i e t o o l b a r s e le c t Scan ta b a n d c lic k Launch audit wizard).
New Audit Wizard Welcome to the New Audit Wizard

T h s wizard will guide you through the process of creating a n ew inventory audit.
VIEWS SCAN RE S UL TS , /N CL UD/ NC HISTORIC RE S UL TS FOR ALL SCANS, INDIVIDUAL M ACHINES, O K SELECTED NUMBER O F ADDRESSES
To continue, click Next.
c Back
Next >
Cancel
FIGURE 11.5: Global Network Inventory new audit wizard 7. S e le c t IP range s c a n a n d t h e n c lic k Next i n d i e Audit Scan Mode w iz a r d .
New Audit Wizard

A u d it S c a n M o d e To start a new audfc scan you must choose the scenario that best fits how you w i be using this scan. Is (^
O Single address scan Choose this mode
Q Fully customizable layouts and color schemes on all views and reports
i you want to audit a single computer i you want to audit a group of computers wttwn a sr>gle IP range i you want to audit computers that are part of the same doma1(s)
() IP range scan Choose this mode O Domain scan Choose this mode 0
Host file scan Choose this mode to a u d t computers specified in the host file The most common scenario is to a u d t a group of computers without auditing an IP range or a domain
O Export audit agent Choose this mode you want to audit computers using a domain login script. An audit agent vwi be exported to a shared directory. It can later be used in the domain loain scnoi.
To continue, c ic k Next.
1 ______
< Back
Nd>
Cancel
FIGURE 11.6: Global Network Inventory Audit Scan Mode 8. Export data to HTML, XML, Microsoft Excel, and text formats S e t a il IP range s c a n a n d t h e n c lic k Next in d ie IP Range Scan w iz a r d .
Licenses are networkbased rather than userbased. In addition, extra licenses to cover additional addresses can be purchased at any time if required
9.
111 d i e Authentication Settings w iz a r d , s e le c t Connect as a n d fill t h e r e s p e c t e d c r e d e n tia ls o f y o u r Windows Server 2008 Virtual Machine, a n d c lic k Next.
New Audit Wizard

Authentication Settings
The program comes with dozens of customizable reports. New reports can be easily added through the user interface
Specify the authentication settings to use to connect to a remote computer
OConnect as cxrrertiy logged on user

( ) Connect as Domain \ User name Password a d ^ iriS '3 (-
...........'
To continue, dck Next
<Back
Nert >
Caned
FIGURE 11.8 Global Network Inventory Authentication settings 10. L iv e d i e s e ttin g s a s d e f a u l t a n d c lic k Finish t o c o m p l e t e d i e w iz a r d . New Audit Wizard
Completing th e N ew Audit Wizard
( 7Ability to generate reports on schedule after every scan, daily, weekly, or monthly
You are ready to start a new IP range scan You can set the following options for this scan:
@ Do not record unavailable nodes

@ Open scan progress dialog when scan starts Rescan nodes that have been su ccessfJy scanned Rescan, but no more than once a day
( T o configure reports choose Reports | Configure reports from the main menu and select a report from a tree control on a left. Each report can be configured independently
To complete this wizard, d ic k Finish.
<Back
finah
Cancel
FIGURE 11.9: Global Network Inventory final Audit wizard 11. I t d is p la y s d i e Scanning progress i n d i e Scan progress w in d o w .
iJ
0 1 2 3 4 5 6 7 8 9 10 2 Address 10.0.0.2 10.0.0.3 10.0.0.4 0.0.0.5 0.0 06 10.0.0.7 10.0.08 10.009 100010 100011 10.0.0.12 100013 10.0.014
Scan progress
Name
Percent
E ! %
E*
W1N-ULY858KHQIP AOMINPC WIN-039MR5HL9E4
! z ^ z z _ W 852
E !*
92*4 92* | |
Q Filtering is a quick way to find a subset of data within a dataset. A filtered gnd displays only the nodes that meet the criteria you specified for a column(s)
' '
E* E* E* E*
1 A Tmestamp 06/22/1215 38:3 08/22/1215:36:23 08/22/1215:36:25 08/22/1215:36:23 = 06/22/1215:36:23 06/22/1215:36:22 08/22/1215:36:23 08/22/1215:36 24 06/22/1215:36 24 08/22/1215:36:24 08/22/1215:36:24 08/22/1215:36:24 06/22/1215:36:24
rtn m
@ Open this dialog sdien scan starts @ Close this dialog when scan completes @ D o n l display completed scans
Elapsed time: 0 min 6 sec Scanned nodes: 0 /24
. S l0 p
_ C l
1 /
FIGURE 11.10: Global Network Inventory Scanning Progress 12. A f t e r c o m p l e t i o n , scanning results c a n b e v ie w e d a s s h o w n i n t h e f o llo w in g fig u re .
Pi'v fie
Globa' Network Inventory - Unregistered

Stan Tools Reports H elp
V ie w
]E
BlBW talri~EI] u *?
Niirt - MpIa addresses

$ WORKGROUP
NotBlOS |A S h anes Carrîe s>en Q PiocMMn ^ H o t f t x e t |A)* t a t S y t t e r n ] rcmnaon mrrr .: . Ne t w o r t

Scar M W i ^ (^p#rat:r.r
JW l i t e rg r tn ; Man beard Q
^ 5 1 \ Logged or Memory mu Memorydeuces : > H Detflcp
|Q
!rwit
:I 10.0JX7 (W IN-D39... m 1a0JX (W 1N -U LV 8...

HoalN... J Status d Doran WORKGROUP [COUNT-2) IP A dd : 0.0 0.4 (C0UNT-11
|T ir c it a m p
MAC A.. Verrfa ' 03 Mams FtoccJia ... * Coimtert
T n to ro :& 2 2 /2 0 1 2 3 36:49PM (COUNT-1)
0 Global Network Inventory lets you change grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column
C o ro j.. |v/N LLV05(| Succcii JIP A dde .1 0 .a 0 .7 |C O U N T 1 |
|C0-15 5DQ01 Micro:)*Ca V irccw ; Server |
1Trrcj a36. 30 3 2012 3 . &22> PM (C0UNT 1] CK>j..[v/N3SMn|Succ0M |D4 BED3 C'|Rrtek |lnts(Rl Co!e(fM' Serial; H2D2<
Tow ?Henr(t)
1
O isp la ye^ ro iJp ^ J^ ro u p s
R tJu ltJfT iito ry d e p t^ L iJtu a rio rta c h a M re ^ s
FIGURE 11.11: Global Network Inventory result window 13. N o w s e le c t Windows Server 2008 m a c h i n e f r o m v ie w r e s u lts t o v ie w in d iv id u a l re s u lts .
Global Network Inventory Uniegislered

Me view scan Tool( Report < Help
l - l W *
in
% u 1 1 0 |s^ P ig B|Q|^|a|D|B-B # ,
'- Loocad!s\s^ Port a rre d o R ^ j| Orvces Scan unrary 3 Computer yysten | Q System dots NetBIOS | ^ Z: -:* B ' tens Netr*of. adapter: |3 Startup Lbcre B8 K3 |J Desktoo Logged cr ^ Morer)
t* ss 3 8
N*rrc B ÂH addresses B- <* WORKGROUP
|^
Hot fxes Shores ''; bosd
3e;jr** certer L ^cvps ^
*rfcT1DC.07tV/1N-D^Tn
C J 4 fw-ULY3
Po ;c 3:cn> 0 :.: ,:tn3 ' .:ten
,ft
& * Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from main menu and changing colors
Type
HoitN
SMtu:
MAC A
* Vanda
C JS
Proceisci
wCornu w r
J Duiein * o ^ e n a j p COUNT-11 JIPA ddrew 10XL0.7 (COUNT =1 TncU aro: G/22/2012 3:36:38 PM (COUNT-1) C5T0J. jV/N 039MR Succe |D4BE D 9 C |R cakk ntsfR] Corc(TM' Send: H202!
R e d y
êsufc^jto^jegtôj^caôôc^cdfcj^
FIGURE 11.12 Global Network Inventory Individual machine results 14. T h e Scan Summary s e c t io n g iv e s y o u a b r i e f s u m m a r y o f d i e m a c h i n e s t h a t have been scan n ed
Global Network Inventory Unregistered

fie VHvr Scan Tools Reports Melo
1- ^ r
*5 ' n
]e t 1
a x
1^-sa
k Mcritofj |{jjjj ( j Q [# J NoifcKJS y w cto i Sêton dot |^ ^ : ^ : ;o re
aw ^ C X > k&tszi Q mo "Sntcn ^ :., ;!= !Q | j* J Networx oocpteo Startup |H Dcck!op LoggoCon^ *5 Hoi focce Sharoe MantcsrdJ Socuty ccrto U w group( U*ra
1 *a *
S f
a
Sn uperatmg
Logical dska
N am
- ! A 1addrestM
Dovcoi
-: Tp-M<tyrte-r
* êrvces
WORKGROUP
^ lj1 C M 7 ^ iN D ^..l
]^ jan rm y Scanl#||
! = |
:I lOiXOi^N-ULYC"
To configure results history level choose Scan | Results history level from the main menu and set the desired history level
Hcs4 H.. - Status

d t ' o m a r : \ v t R r . i i - O U l .JLrJ ^ -
MAC A... barrio-
O S K s rw
Prco3350r.. Corrmert
P 3 d * e : IC .0 .0 : CQUNT=1J _____________________________ Id Tn rg ra p B /2 2 ;2 P lZ 3 -3 6 ^ P M [ C D U H r = l l
| ;* Ccnpu |WM-039VIR|S1jrowt
rU-BF-D C :|R^rri
lrvel(R)Core(TM; Seiial H??
Total 4 em(s)
1
^c^ltîiitorydepthj
FIGURE 11.13: Global Inventory Scan Summary tab 15. T h e Bios s e c t i o n g iv e s d e ta ils o f B io s s e ttin g s .

fit view 5tan Tools Report( Help
1 ' ' x
1 ^
icwresufts
* 89 J5 N a rrc H * P A ll addresses B 5 W ORKG RO UP
5 El SJ1' E T ? |5| ! H i ] H
X ^ ^
_
&, t o
. rrq .7 : 3" > Startup |^ f,7. . Desktop Lccocd or Hct fixes Shares ^ Srcurti ca te r jscr j a n Mar :>c*od Q ) Mcrcry fc l 1555 >* Memory devices rent
k. Por. -annccfcrc Derive* 2 Q System dots MdBIOS P

S c ai aum anr
J. Pocessots
f c f1 M 0 T '(\ v i N 6 3 9 . 7
10. 0. 1>* V IN -IJI Y8...
J^
Opcra.i-1 0 Cvs.or
a Scan only items that you need by customizing scan elements
10 1 *1
U d /
R t u ttt h itto ry dpth: Latt t o n fo r ta c ft a f lc r t t;
Q 't p lt / d group: All gro u p t
FIGURE 11.14: Global Network Inventory Bios summary tab 16. T l i e Memory ta b s u m m a r i z e s d i e m e m o r y i n y o u r s c a n n e d m a c h i n e .
E-mail address Specifies the email address that people should use when sending email to you at this account. The email address must be in the format name(ftcompany for example, someone@mycom pany.com
Global Network Inventory - Unregistered

Fie
View Scan Tools Reports help

a x
H e
* I "J*
i B l B & l m l H F i - ii i
L j0> Mentors tf| |g j
Logical d ak s t M Oak n - !:> Network a d ^ c n !
vw w r u R <
\ M 0 coofirokn
** s a
N am * H %
Operating S,d- )ti fff
y - .
c t*n o c t
t 5
UMfcro
A ll *d d tess e*
Dve*t
[#]
N *BI0S
|I
Shw*1
% -
s t a r t u p |k >
IIwt or
MwitMV f l w f
1 0 *
| 'J.
b*r/1r*c
WORKGROUP
*w
p y
m I0.C .0.4 (W IN -U L Y 8 ...
d [D
Td a lP h ^ c d v e n w x / .M a
S a la b le H -yrea... -
Total vfc u a L. ~
A v a to e V rtja ... -
lo t a ...- -
ftvalable..-
V .C R t 5 F 0 U P [C r M J N '= ] J Hcsr Marre 3 9 ^ ^ MF 5 HL 9 E4 (C0U !\iT=1) J hres-aap f t 2 22/ C12 3:36 3B PM (COUNT| ) 3317
7 o b i 1 its u ;1
Results history depth: Last scan for each address
O iip la /e d group: A ll groups
FIGURE 11.15: Global Network Inventory Memory tab 1 7 . I n d i e N etBIO S s e c t io n , c o m p l e t e d e ta ils c a n b e v ie w e d .

F ie v ie w Son Tools Reports Help
;-!or
is ?
i B i a i a s p
5 ! !a
&
V*y* results
Mencry
Memory device( |; & Services Destdop logged on
Narre
-
Message subject Type the Subject of your message. Global Network Inventory cannot post a message that does not contain a subject
& Ia d d r e s s e s B-fiW O R K G R O U P 1 C . 0 . C . (W IN D 3 9 .
19 1 0 ^ f^ U L Y ::
Scan
3 JT T m a rv
S)
hitdtedyt*sre Cl nvmmgrt Qf
S*drt/M tr |."3 Startup
Port conrwctre
Cl
zJ Harr l l i n* 0 33* | , \ v F5H. = )E4 (COLNT= 3 ) Tir^HatF B/22;2C12 3:3ft 38 FM (COUN T3) *[V/K-039M Ro-LSE4<0>aJ> X 3 WORKGROUP < 0x00> Lmqj? Unque Group Woikstatcr Service Fie Server Service Domain Name
W KC SMR^LSE4<Ox20S
Toid3i.enld Rea fly Remits history depth ia<t scan ret earn naorett
t< pt/d g ro u p : All g ro u p s
FIGURE 11:16: Global Network Inventory NetBIOS tab 18. T h e User Groups ta b s h o w s u s e r a c c o u n t d e ta ils w i t h d i e w o r k g r o u p .
G'obel Network Inventory Unregistered

F ie V ie w Scan Tools Reports Help
I 1
Name Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages
[ E T |E p |g |B ) | IB; * a
H I as a * 3$
Narr *i* All address: - i f WORKGROUP
? S iiilL ia iJiw N S :
e m o r y M c n t c r y c f c v c c s 2 C o n ju t as r r f Q P r c c c 3 5 0 r a | ^ M a rb o a r d I^ J) M P r r tc o >N e t t e d ,o d a t f c o c c c I: k V e n t L o c ic o ld b k s ^ D s d r > c * m # >C IO jj] O p c r a lin q C y s lc r r Q n -n vro rm o n t c r 7 Q ij0 ^ D e v ic c : It # ] N e tC lD C ^ S h a r e s |J? Jxryw A -_ b e r a I, L o jj= d o r
J Ctoitup Deaktoo
H o s tN c n e / / * -D39-4R5H L9E4(C OU N T-51 z i ' rre s c a n p : E /2 2 '2 0 1 2 3:36:38 FM ( COUN5- ] z i G io jj ^ r w 'is rafcr: (C 0U N T =1) U5cr occcurt
/ / ! S 0 CEN R 5HL3E4'>Adrim$tratoi z i Gr^JD : C K ttK ited CUM Useis (COUN I - 1 1 W lS-O394R5HL3E4\Ad1rini?trdt01 _ J G r ^ o : Gue:; C O U N T -1 ) Jk Ul f l r<03 E M R 5 H L g 5 \ 4 ussl d C 1 0 * .IIS J U S fiS C O U N T !)
U ;e 1 accourt
U8#f accourt
% N T > F \lZcV^cpcrlScvor z i G ro w
VV# krcv n gtcup oooounl
Pfftavure*1 r g
U n i t (COUNT 1)
TU0I5 i cn|i| Rsad/ RcsuMts history depth: Lost scan foi each ooaes! Displayed group; All qioupa
FIGURE 11.17: Global Network Inventory User groups section 19. T h e Logged on t a b s h o w s d e ta ile d lo g g e d o n d e ta ils o f d ie m a c h i n e .
Globa! Network Inventory Unregistered

Me view 5<ar tools Reports Help
1 - 1
3-Is ? Hc1e/
Vw resuKs
-1a
^
&
L > j1 d j s v j
*2 m
N e ir c _
J
\
a id syiefi Scansuranaiy Port comedo* C r ^r . ^ Q}
Q BICS '* {3 0 S
Processors |.)
Main beard
Q
Nenoiy
Memory de/ces
Net .
Di:-. J .
Ooefatro System | Hotfixes Sfia'es 2'
l )totaled software | ( | ^ S e a it) eerier U stty. >
Environment _J Users | j>
Services | Logged or J
E % All addresses S f WORKGROUP
System slots
3.< n:u,__H L_2 s5 tlSB_J
& Port Specifies the port number you connect to on your outgoing email (SM TP) server. This port number is usually 25.
;1dbix7"(wiN-D3g... ; '160.04 (WIN-ULY8...
Ho a N o k WH-033NR5HL3E4 (COUNTS
1 NT SERV.CE > MsDisServerl 10 f H SERVCE'MSSQLFDLounchct *, N SRVC\MS$QLSERVER f N SERVCE'MSSQLSer/eiOLAPSeiviee * , N SERVCE'RcportScrva \A H D39MREHL9E4\A<irnriatral:or 38/22/12 09:01:20
R o d /
Results fcitory depth lost icon lor toch address
Oowove^rou^lUroups
FIGURE 11.18: Global Network Inventory Lowed on Section 2 0 . T h e Port connectors s e c t io n s h o w s p o r t s c o n n e c t e d i n d i e n e tw o r k .
ST
File
Globa' Network Inventory - Unregistered

Scan Toolt Report( Help
1S
vipwrûi:
wax
L. ; c j n c u r r r jr ,
NetBIOS
n l-bntcrj
Fiocessois
Sharps
^ Logcal disks
J i.
Lfte
D:
Outgoing mail (SMTP) Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages
N a m e
H-
a b #
*
1
may Q a
User*
Logged on Memory d evus Networx 0d3?1cr: S m : Desktop !r j
M < ji1 b0 f J
All SddtKteS f r * WORKGROUP
WOS
|S )
0p1fcrg S y r r
fcrvronm^nt | Startup
P o r tconnectors
F ll^ T fMM Di 9
0 ^10 .(WfWNULY8""
JO
hrr
Jh e * H a re :t * T .D 3 9 M R 5 H L J 3 E 4 ( C O U N T 2 5 ) 7 3 D H 7 7O D H 7 0 3 H t 7o 0 h 7 0 3 1 1 ,7 0 3 H alal 25 A tris
J 1 *ttaro : &'22/2D12 33638 PM (COUNT = 26)
Dorian. V/D^KOROU? (C0UNT=25I
S e r ia lP o r1 S 5 5 C A C o n p a t t le K e y t 0 1d P o r t M o u c cP o r i U S B U S B U C D U S B
D 6 9 . M a le F S / 2
F S / 2 & m > 5 1 b u s
* C C O H . b lM A c o # s t .b u t
Disj ayecl arouo; All aroups
Fes jts nistory deptn: Last scan foi ecdi cCtite><
FIGURE 11.19: Global Network Inventory Port connectors tab 2 1 . T h e Service s e c t io n g iv e d i e d e ta ils o f d ie s e r v ic e s in s ta l le d i n d i e m a c h i n e .
S To create a new custom report that includes more than one scan element, click choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize settings as desired, and click the OK button
Globa! Network Inventory Unregistered

Me view 5rar Tools Reports Help
= r
- $*] H e p H B ] e |
View re<ufts
-Eg D
n System slots
3
&
| Hotfixes ^ Secut) center Startup
|
* 1*9 2 m
N e ir c _
Usercroups Mainboard | ^
Jsers NetBOS | Memory Qf
Loaaedor Msrrcryde/ces Desktoo

S c r r is o |
Port cornedas
E % All addresses
S f W O RKGRO UP
"
M
i
0 . c t i u Svtte ig (
'
13
jjjj*
: u n i c i t
1 y 'a a 7 iw iN-D38 " ; '160.04 (WIN-ULY8...
N
z i Domr* VORC13RO UP |CDUMIl4/) _!J Hcs* sLan^ WIMÎR5HL9E4(COUNT!47| zi rr^ an p 3/22!20H 3 3&38FM [COUNT =147)
.
41loma1e Manual R u fM rg R u m rg R j 'i ' i r g : 'P?! 1 g -a n F ilei [vffc)\Comrmn Fite'iAdobi C vV.mdowt\system32\svehott eye k netsv C V.Klowt\^1srern32\fivch0ftexe k apphr
Ldcte A c x b 2t U pcare S e r/ c e
fcanon Host Helper Service
, p f teanon E>o=r1enee .
Automatic
Manual Manual Manual Manual
^ A p p fc a n o n Identtji A pflcanon Intonation . Apffcrariofi Layer 5 areway Service A pffcarion M anarjenenr
S tc ff e d
R im r g
C\*fcmdow1\svstem32\svc*r0ft.exe k Local C V.m<tem(t\sysiern32\svcf10fr.exe k netsv

C ,V,mdowt\S3i5tem32Ulg )= <
S iq ^ ie d
C \Mn<low?\system32Nsvchotr exe k n e tw
10taH47 toart:J
R o d /
Results fcitory depth lost icon lor to<h address
Oowove^rou^lUroups
FIGURE 11J20: Global Network Inventory Services Section 2 2 . T h e Network Adapters s e c t i o n s h o w s d i e Adapter IP a n d Adapter type.
Fie view Stan Tools Reports Help
I*
'/cwrcsuR;
1 t*g a e v
X
^ j| y H D c*c [# J Conputer >* Tort cm ed oo Scan ajrrrcrv ^ Q Q
Q 'l l & <

NetBIOS | ^ Prooeaaora System alots 80S |jgj] |^ SK3X3 4 U3cr<rouF3 fjj JL Memory j* B Uacn B?1 Startup Envtrontnonrt ^ Looocdon Mom boane Hotfixes ^ Memory devices |H I J, Desktop Sorvcoo Ccc^rfy eerier IrwUkd oftwuo
r l
& A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password
Narr<
^ E $
y ~ * WORKGROUP - m o M ( w n ' u l^ "."
B V^l All addr<#e
Cporatrj Syotom
h v0 0
1 -
|v
- Tinettarp:
1 r j 2 > 2 3 3 6 : 3 3 3 2 FM (COUNT-1 1
l2552EE.2g|1H.01 [vicreolt |E therrct QIC|N0
g W w iih w lE fo . |P4:BE:D9:C|100.D7
I otall ren^j
R e a ^
êsujt^jjto^jepthâsâô^seJ^ddrts^
FIGURE 11.21: Global Network Inventory Network Adapter tab
L a b A n a ly s is
D o c u m e n t all d i e I P a d d r e s s e s , o p e n p o r t s a n d r u n n i n g a p p lic a tio n s , a n d p r o t o c o l s y o u d i s c o v e r e d d u r i n g d ie la b .
T o o l/U tility
I n f o r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d I P S c a n R a n g e : 1 0 .0 .0 .1 1 0 .0 .0 .5 0 S c a n n e d I P A d d r e s s : 1 0 .0 .0 .7 ,1 0 .0 .0 .4 R e s u lt: S can su m m a ry B io s M e m o ry N e tB IO S U se rG ro u p L ogged O n P o rt c o n n e c to r S e rv ic e s N e tw o rk A d a p te r
G lo b a l N e tw o r k In v e n to ry
PL E A S E TALK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.
Q u e s t io n s
1. C a n G lo b a l N e tw o r k In v e n to r y a u d it re m o te c o m p u te rs a n d n e tw o rk a p p lia n c e s , a n d i f y e s , h o w ? 2. H o w c a n y o u e x p o r t th e G lo b a l N e tw o r k a g e n t to a s h a re d n e tw o rk d ir e c to r y ? In te r n e t C o n n e c tio n R e q u ire d
Yes P la tfo rm Supported 0 C lassro om
0 No
0 iL a b s
A nonym ous B row sing u sin g P roxy S w itc h e r

Proxy Switcher allowsyou to automatically execute actions; based on the detected netnork connection.
I C O N p=7 K E Y
L a b
S c e n a r io
scan s u m m a ry , N e tB IO S
V a lu a b le in f o r m a t io n
111 t h e p r e v i o u s l a b , y o u g a t h e r e d i n f o r m a t i o n l i k e
d e t a ils , s e r v ic e s r u n n i n g o n a c o m p u t e r , e tc . u s i n g G l o b a l N e t w o r k I n v e n t o r y .
Test your k n o w le d g e w
N e tB IO S
p r o v id e s
p ro g ra m s w ith
a u n if o r m
set o f c o m m a n d s
f o r r e q u e s t in g
d i e l o w e r - l e v e l s e r v ic e s d i a t d i e p r o g r a m s m u s t h a v e t o m a n a g e n a m e s , c o n d u c t
W e b e x e r c is e
s e s s io n s , a n d been
send in
d a ta g ra m s
b e tw e e n
nodes
on
a n e tw o r k . V u ln e r a b ility one o f th e
lia s
W o r k b o o k r e v ie w
id e n tifie d
M ic r o s o ft W in d o w s , w h ic h
in v o lv e s
N e tB IO S
o v e r T C P /IP s e r v ic e , t h e
( N e t B T ) s e r v ic e s , t h e N e t B I O S fin d a c o m p u t e r s I P
N a m e S e rv e r ( N B N S ) . W it h d iis a d d re s s by u s in g it s N e tB IO S
a tta c k e r c a n
n a m e , a n d v ic e v e r s a . T h e r e s p o n s e t o a N e t B T n a m e s e r v ic e q u e r y m a y c o n t a in ra n d o m d a ta fro m th e d e s tin a tio n c o m p u t e r s m e m o r y ; a n a tta c k e r c o u ld seek
to e x p lo it th is v u ln e r a b ilit y b y s e n d in g th e d e s tin a tio n c o m p u t e r a N e t B T n a m e s e r v ic e q u e r y a n d t h e n l o o k i n g a n y ra n d o m d a ta f r o m c a r e fu lly a t th e re s p o n s e to d e te r m in e w h e t h e r
t h a t c o m p u t e r 's m e m o r y is in c l u d e d . t y p ic a l s e c u r ity p r a c tic e s , t o P ro to c o l scanned
A s a n e x p e r t p e n e t r a t io n te s te r, y o u s h o u ld f o llo w
b lo c k s u c h In t e r n e t- b a s e d a tta c k s b lo c k th e p o r t 1 3 7 U s e r D a ta g r a m (U D P ) a t th e fir e w a ll. Y o u m u s t a ls o u n d e rs ta n d h o w n e tw o rk s a re
u s in g P r o x y S w it c h e r .
L a b
O b je c t iv e s
to use P ro x y
T h is la b w i l l s h o w y o u h o w n e t w o r k s c a n b e s c a n n e d a n d h o w S w it c h e r . I t w i l l te a c h y o u h o w to : th e w e b s ite s y o u v is it
H id e y o u r IP a d d re s s f r o m
P r o x y s e rv e r s w itc h in g f o r im p r o v e d a n o n y m o u s s u r fin g
L a b
E n v ir o n m e n t
T o c a n y o u t th e la b , y o u n e e d : P r o x y S w it c h e r is lo c a t e d a t D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Sw itch er P ro x y W o rk b e n c h fro m
2 " Tools d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks
Y o u c a n a ls o d o w n l o a d t h e la t e s t v e r s io n o f th is l i n k h t t p : / / w w w . p r o x y s w it c h e r . c o m /
I f y o u d e c id e t o d o w n l o a d t h e la t e s t v e r s io n , t h e n s c r e e n s h o t s s h o w n i n t h e la b m i g h t d i f f e r
c o m p u te r r u n n in g
W indows Server 2012
A w e b b ro w s e r w ith In te r n e t access F o l lo w W iz a r d - d r iv e n in s t a lla t io n s te p s t o in s t a ll A d m i n i s t r a t i v e p r iv ile g e s t o r u n t o o ls
Proxy Sw itch er
L a b
D u r a t io n
T im e : 1 5 M in u te s
O v e r v ie w
o f P r o x y S w it c h e r
P r o x y S w it c h e r a llo w s y o u t o a u t o m a t ic a lly e x e c u te a c tio n s , b a s e d o n th e d e te c te d n e t w o r k c o n n e c t io n . A s t h e n a m e in d ic a te s , P r o x y S w it c h e r c o m e s w i t h s o m e d e f a u l t a c t i o n s , f o r e x a m p l e , s e t t i n g p r o x y s e t t in g s f o r I n t e r n e t E x p l o r e r , F i r e f o x , a n d O p e ra .
L a b
C l A u to m a tic
T a s k s
In s t a ll P r o x y W o r k b e n c h i n
change o f proxy c o n fig u ra tio n s (or any o th e r a ctio n ) based on n e tw o rk in fo rm a tio n
1. 2.
W indows Server 2012
( H o s t M a c h in e )
P r o x y S w it c h e r is lo c a t e d a t
D:\CEH-Tools\CEHv8 Module 03 Scanning Netw orks\Proxy Tools\Proxy S w itch e r

th e w iz a r d - d r iv e n in s t a lla t io n s te p s a n d in s t a ll i t i n a ll p la t f o r m s
3.
F o llo w o f th e
W indow s operating system .

la b e n v ir o n m e n t - o n
4.
T h is la b w i l l w o r k i n th e C E H
W indow s S e rve r
2012, W indow s S e rve r 2008 a n d W indow s 7

5. O p e n th e F ir e fo x b r o w s e r in y o u r c lic k
W indows Server 2012, g o
to
Tools,
and
Options
in d ie m e n u b a r.
Google Moiillo Fitefox

colt | HtJp Qownloatfs moderns S< * UpS^K. CW-I c m * v *A
e Documents Calendar Mote
!1 cc 9 u
fi *
C3 Often different
internet connections require com pletely different proxy server settings and it's a real pain to change them m anually
Yo u
Search
Images
Web Developer Page Info
Sign n
Cler Recent Ustsr.
01 + Sh1 ft*IW
G o o g le
Gocgie Search I'm feeling Lucky
A .t> ng Piogam m ei
6 11
Business SolUion*
P ir a c y t Te
Google
Aboul Google
Google com
F IG U R E 121 : F ire fo x o p tio n s tab
6.
G o
to
d ie
Advanced
p r o file in
Network
ta b , a n d d ie n c lic k
d i e Options Settings. Options
w i z a r d o f F i r e f o x , a n d s e le c t
&
General Tabs Content General | MetworV Connection
%
Applications
p
Privacy
* k
Secuiity
S>nc
Advanced
j Update | Encryption j
3 k
P r o x y S w itc h e r fu lly
Configure how h re fo i connects to the Internet
S g tn g i.
c o m p a tib le w ith In te r n e t E x p lo r e r , F ir e fo x , O p e ra a n d o th e r p ro g ra m s
Cached W eb Content Your vreb content cache > scurrently using 8.7 M B of disk space I I Override a u to m ate cache m anagem ent
Clear Now
Limit cache to | 1024-9] MB of space

Offline Web Content and User Data You 1 application cache is c jiie n t l/ using 0 bytes 0 1 disk space M Tell me when a wefccite aclrt to store Hat* fo r offline uce The follov/ing tvebsites aie a lowed to store data for offline use
Clear Nov/
E x c e p tio n s ..
B a r eve..
OK
Cancel
Help
F IG U R E 1 2 2 F ire fo x N e tw o rk Settin g s
7.
S e le c t d i e
Use System proxy settings
r a d io b u t t o n , a n d c lic k
OK.
Connection Settings
Configure Poxies to Access the Internet O No prox^
' )Auto-detect proxy settings fo r this network () Use system proxy settings
M a n u a l p roxy co n fig u ra tio n :
f i proxy switcher supports following command line options: -d: Activate direct connection
HTTP 5rojjy:
127.0.0.1 @ U je this prcxy server fo r all protocols
SSLVoxy: FTP *ro xy. SOCKS H o s t
127.0.0.1 127.0.0.1 127.0.0.1 O SOCKS v4 SOCKS v5
P firt P o rt P o rt
No Pro>y f o r localhcst, 127.0.0.1
Example: .mozilla.org, .net.nz, 192.168.1.0/24 O Autom atic proxy configuration URL: Reload
OK
Cancel
Help
F IG U R E 12.3: F ire fo x C o n n e c tio n Settin g s
8.
N o w
t o I n s t a ll P r o x y S w it c h e r S ta n d a r d , f o l l o w
th e w iz a r d - d r iv e n
in s t a lla t io n s te p s . 9. T o la u n c h P r o x y S w it c h e r S ta n d a r d , g o t o
S ta rt
m e n u b y h o v e r in g d ie
m o u s e c u r s o r in d ie lo w e r - le ft c o r n e r o f th e d e s k to p .
TASK
Proxy Servers Downloading
F IG U R E 1 2 4 : W m d cK vs S e rv e r 2012 - D e s k to p v ie w
10. C lic k d ie w in d o w .
P roxy S w itc h e r S tandard
a p p t o o p e n d ie
Proxy S w itc h e r
O R C lic k
P roxy S w itc h e r
f r o m d i e T r a y I c o n lis t .
S ta rt
A d m in is tra to r ^
Server Manager
Windows RowerShetl
W
Google Chrome * Hyper-V Machine...
Hyper-V Marvager 91
Proxy S w itch er is free to use w ith o ut lim itations for personal and com m ercial use
Global Network Inventory S I
Fsb
Compute
Control Panel
v
Centof...
K
y .
9
M021I4
Command Prompt
v rr
PKKVSw* *
Frefox <0 Proxy Checker , *
p-
CM *up
F IG U R E 125 : W in d o w s S e rv e r 2012 - A p p s
at*
i f th e s e rv e r b e c o m e s
in a c c e s s ib le P r o x y S w itc h e r w ill tr y to fin d w o rk in g p ro x y s e rv e r a re d d is h b a c k g ro u n d w ill b e d is p la y e d t ill a w o rk in g p ro x y s e rv e r is fo u n d .
s S e rv e r. A /Q
Customize...
ja te
D a ta c e n te r 8400
\ t 1 l A r - r / 1 !
^ D p ^ u ild
F IG U R E 126 : S e le ct P ro x y S w itc h e r
11. T h e
P roxy L is t W izard
w ill a p p e a r as
s h o w n i n d ie f o llo w in g fig u r e ; c lic k
N ext
Proxy List Wizard
3 P roxy S w itc h e r ssu pp orts fo r LAN, dialup, VPN and o th e r RAS c o n n e ctio n s
W elcom e to th e Proxy S w itcher

Using this wizard you can quickly complete common proxy list managment tasks. To continue, dick Next
@ Show Wizard on Startup
<Back
Next >
Cancel
F IG U R E 12 7 : P ro x y L is t w iz a rd
1 2 . S e le c t d i e fro m
Find N ew Server, Rescan Server, R echeck Dead

a n d c lic k
r a d io b u t t o n
Com m on Task,
Finish.
Proxy List Wizard

Uang this wizard you can qcackly complete common proxy lot managment tasks Cick finish to continue.
& Proxy s w itc h in g from com m and line (can be used a t logon to a u to m a tic a lly s e t co n n e ctio n se tting s).
C o m m o n Tasks
() find New Servers. Rescan Servers. Recheck Dead O Find 100 New Proxy Servers O find New Proxy Severs Located in a Specific Country O Rescan Working and Anonymous Proxy Servers
0 Show Wizard on Startup
< Back
Finish
Caned
F IG U R E 12.8: S e le c t co m m o n tasks
13. A
lis t o f
dow nloaded proxy servers
w i l l s h o w i n d ie l e f t p a n e l.
Proxy Switcher Unregistered ( Direct Connection ]

File Edit A ction s V iew Help
I
Filer Proxy Servers
W h e n P r o x y S w itc h e r is r u n n in g in K u fh A U v e m o d e it trie s to m a in ta in w o rk in g p ro x y s e rv e r c o n n e c tio n b y s w itc h in g to d iffe r e n t p ro x y s e rv e r i f c u rre n t d ie s
Roxy Scanner M * New (683) B &high Aronymsus (0) SSL (0) : Bte(O) i Dead (2871) 2 Permanently (656?) 1 Book. Anonymity (301) - 5 Pnva!e (15) V t t Dangerous (597) f~ & My P0 */ Servere (0) : PnwcySwitchcr (0)
Serve* , ? 93.151.160.197:1080 93.151.10.195:108Q 93.150.9.381C80 knnel-113-68vprforge.com , f 93 126.111210:80 95.170.181 121 8080 < ? 95.159 368 C 95.159.31.31:80 95.159 3M 4 80 , f 94.59.250 71:8118
................
State Testino Teetirg Testing Lhtested Lhtested lht*ct*d Lhtested Lhtested Lhtested Lhtoetod _ _ Lt itcatgd___
ResDDnte 17082ns 17035n 15631ns
Countiy H RJSSIAN FEDERATION m a RJSSIAN FEDERATION RJSSIAN FEDERATION * ^ 5

C
UNITED STATES SYR;AM ARAD REPUBLIC b KAN AKAB KtPUBLIt SYRIAN ARAB REPUBLIC UNITED ARAB EMIRATES UNITED AR\B EMIRATES
m a RJSSIAN FEDERATION
Caned
S te fre
S ta te
Conpbte Conpfcte
Progress
MZ3
Core PrcxyNet wviw.aliveoroxy .com mw .cyberayndrome .net w!w nrtime.com<
28 kb
Fbud 1500
&
F IG U R E 1 2 9 : L is t o f d o w n lo a d e e d P r o s y S e rv e r
D L
14. T o
stop
Actions
d o w n lo a d in g d ie p r o x y s e rv e r c lic k Proxy Switcher U nregistered ( Direct Connection )
L = Jg ' x 1
filer Fox/ Servers
File
Edit
View
Help
Proxy Scanner N#w (?195)

W h e n a c tiv e p ro x y s e rv e r b e c o m e s in a c c e s s ib le P r o x y S w itc h e r w ill p ic k d iffe r e n t s e rv e r fro m P r o x y S w it c h e r c a te g o r y I f th e a c tiv e p ro x y s e rv e r is c u r r e n tly a l i v e th e b a c k g ro u n d w ill b e g re e n H
\y
Serve* 001 147 48 1* tw nt

Aicnymouo (0)
lml5+1S-11065.avwd
I SSL (0)
fc?Bte(0)
B ~ # Dead (1857)
= {2 ' Permanently 16844] Basic Anonymity (162) | ^ Private (1) j- & Dangerous \696) h & My Proxy Servers (0J - 5 }ProocySwtcher (0)
218152.121 184:8080 95.211.152.218:3128 95.110.159.54:3080 9156129 24 8)80 u>4 gpj 1133aneunc co p jf dsdcr/2'20Jcvonfcrc com: 91.144.44.86:3128 91.144.44.8$:&80 92.62.225.13080:
Slate (Aliv-$SL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (.*Jive-SSL) (Alive-SSL) (.Alive-SSL) (Alive-SSL)
Resronte 13810nt 106Nh* 12259ns 11185ns 13401ns 11&D2ns 11610m 15331ns 11271ns 11259ns 11977ns
Couriry J HONG KONG | ITALY : REPUBLIC OF KOREA NETHERLANDS !IT A LY UNITED ARAB EMIRATES : REPUBLICOF KOREA 5 SWEDEN SYRIAN ARAB REPUBLIC SYRIAN ARAB REPUBLIC CZECH REPUBLIC
Cancel DsajleJ Keep Ali/e Auto Swtcf
108 21.5969:18221 tested 09 (Deod) becousc ccrreoon bmed out 2 ' 3.86.4.103.80 tested as [Deod] because connection lifted 0U 123.30.188.46:2214 tested as [Dead] Decause ccnrecaon tuned out. 68 134253.197 5563tested as [Dead] because connection jmed out.
F IG U R E 1 21 0: C lic k o n S ta rt b u tto n
1 5 . C lic k
Basic Anonymity i n
d ie r i g h t p a n e l; i t s h o w s a lis t o f d o w n lo a d e d
p r o x y s e rv e rs .
Proxy Switcher Unregistered ( Direct Connection)

File Edit A ctions View Help
| _ ; o ^
z W hen running in A u t o S w i t c h m ode Proxy S w itc h e r w ill s w itc h a c tiv e proxy servers regularly. S w itc h in g period can be s e t w ith a s lid e r fro m 5 m inu te s to 1 0 seconds
& s
Ia a a
Server , f 91 14444 65 3128 <f 119252.170.34:80.. , f 114110*4.353128 f 41 164.142.154:3123 ,f 2149101 10? 3128 , f 2D3 66 4* 28C , f 203 254 223 54 8080 <f 200253146.5 8080 <f 199231 211 1078080 , f 1376315.61:3128 i f 136233.112.23128 < State (Alve-SSU (Aive-SSU (Alve-SSL) (Alve-SSU Alve Alvo (Alve-SSL) Alve (Alve-SSU (Alve-SSU (Alve-SSU 1 RespxKe 10160ns 59/2rre 10705ns 12035ns 11206ns 10635n 11037ns 10790ns 10974m 10892m 11115ns Countiy Sv RAfi ARAB REPUBI INDONESIA ^ INDONESIA )E SOUTH AFRICA m BRAZIL H iT A IV /A M REPUBLIC OF KOREA BRAZIL
g? Proxy Scanner j ~ # New (853) B & Anonymous (0) h & SSL(0) Bte(0) -& Dead (2872) Femanently (6925)
1513
\
'.. . " < <1 "
Pnvale (16) ;5 Danoerous (696) \ & My Proxy Sorvoro (0) - ProxySwltcher (0)
pg
gq b razil brazil
Caned
Cis^bled
Keep Alive
AUd Swtd
177 38.179.26 80 tested as [Alwe! 17738.179.26:80 tested as [(Aive-SSU] 119252.170.34:80 tested a< (Alive]
119252.170.34.80 tested as [(Alive-SSL)]
IS illi& S S itS iS k
33/32
F IG U R E 1211: S e le ctin g d o w n lo a d e d P ro x y se rve r fro m B a s ic A n o n y m ity
1 6 . S e le c t o n e
Proxy server IP address
f r o m r i g h t p a n e l t o s w i c h d i e s e le c t e d
p r o x y s e rv e r, a n d c lic k d ie
f lit a (3 File Edit ,Actions View Help
fTJ
ic o n .
1~ l~a ! *
P ro x y S w itc h e r U n r e g is te r e d ( D ir e c t C o n n e c tio n )
3 # n [a a. a a if j \
Server J * New )766(
2 \y
State (Alve-SSU (Alve-SSL (Alve-SSU Alh/e (Alve-SSU (Alve-SSL: (Alve-SSU (Alve-SSU (Alve-SSU (Alve-SSL) (Alve-SSU (AlveSSU (Alve-SSU
L is |
/ |
Proxy Srvera
|X j
Pxy Scanner 5
rtgh Anonymous )0( & SSL)0<
; B 1 te 0 1 )0 (
& } : Dead )2381(
^
f ,9 1 .1 4 4 4 4 .6 5 :3 1 2 3 ,.f 0 0 1 .1 4 7 .4 8 .1U .ctabcrct lx > s tS 4 1 5 9?, 1 & . a e m e f.9 5 f ,2 1 8 .1 5 2 .1 2 1 .1 8 4 :3 0 3 0

95.110159.545080
3 i.5 6 .2 S.2-i.8GS:)..
In a d d itio n to sta n d a rd
.......... Pemanently
)6925(
a d d / re m o v e / e d it fu n c tio n s p ro x y m a n a g e r c o n ta in s fu n c tio n s u s e fu l fo r a n o n y m o u s s u rfin g an d p ro x y a v a ila b ility te s tin g
Basic Anonymity )467'
h & Pn ate 116( j & Dangerous )696! r & Proxy Ser/ere )0( : ProxySvtitcher )0(
if 9 5 .2 1 1 1 5 2 .2 1 8 :3 1 2 3 f u 5 4 jp j1 1 3 5 a T T S jn oc o Jc r : ,f 9 1 .8 2 .6 5 .1 7 3 :8 0 8 0 <f 8 6 .1 1 1 1 A 4 .T 9 4 .3 1 2 3
$
,f 9 1 4 4 4 48 63 1 2 3
4 .89.130.23128
He>ponte 10159ms 131 5m 10154TBS 10436ns 13556ns n123me 10741ns 10233ns 10955ns 11251m 10931ns 15810ns 10154ns
Lointiy SYRIAN ARAB REPUBLIC [ J HONG KONG 1 | ITALY REPUBLIC OF IQOREA ;-S W E D E N 1 ITALY ------NETHERLANDS REPUBLIC OF KOREA HUNGARY ^ ^ IR A C S35 KENYA SYRAN ARAB REPUBLIC
Ctaeblcd
[[
Koep Alive
][ Auto Swtch |
2 1 8 .1 5 2 .1 2 1 .1 8 4 :8 0 3 0 h a * 5 4 -1 5 9 -l 1 0 -9 5s e n ie rie d ie a tia m b ait 8080te**d ( A lv e -S S L )] 0 3 1 .1 4 7 .4 8 .1K > . a tb .n e t/ig 3 to r.c o m :3 1 2 3te a ts d0 5[(A S v eS S L )]
218 152. 121.I84:8030tested as ((Alve-SSL:] tested as [Alive]
F IG U R E 1 2 1 2 S e le ctin g th e p ro x y se rve r
1 7 . T h e s e le c t e d
pro xy se rve r w
ill c o n n e c t, a n d i t w ill s h o w d ie f o llo w in g
c o n n e c t io n ic o n .
Proxy Switcher Unregistered ( Active Proxy: 95.110.159.54:8030 ITALY)

pF File ik Edit Actions View Help
I~ l f x
$5 Proxy Scanner
H * New !766) Ugh Anonymous (0) g t SSL(O) H 2 ? a te (0 B - R Dead (2381) Pm*n#ntly (G975) f y 003. Anonymity (4G7) Pnvate (16) | 0 Dangerous (6961 l & My Proxy Servere (0) :ProxySviitcha 25 ) 0(
Serve! ^ 9 1 .1 4 4 4 4 65:3123 001.147.48. ilS.etatic .re t.. , ? host54-159-110-95.server.. & 218.152.121.1(4:3080 , f dedserr2i23Jevonlme to n L 95 110159 54 8080
, ? 95 211 152 21( 3128
u54aDJl133arunfl,co.kr:l
, f 91 82 5 173:8080 g >I
86.111 144.194.3128 91 14444 86 3123
, ? 41.89.130^3128
State (Alve-SSU (Alve-SSU (Alve-SSU Alive (Alve-SSU (Alve-SSU (Alve-SSU (Alve-SSU (Alve-SSU (AlveSSU (Alve-SSU (Alve-SSU (Alve-SSU
Response 10159ms 13115n* 10154ns 10436ms 13556ms 11123 10740ms 10233ms 10955ms 1l251ra 10931ms 158101s 10154ns
Comtiy SYRAN ARAB REPUBLIC [ J HONG KONG | |IT A LY > : REPJBLIC OF KOREA SW ED EN I ITA tr UNI ILL) ARAD CMIRATCS NETHERLANDS REP JBLIC OF KOREA HUNGARY IRAG g g K E N rA SYRIAN ARAB REPUBLIC
Dsebicd
1 1 Keep Alive
|[" Auto Switch
2l8.152.121.1&4:8030tested as [fAlve-SSL! 218.152.121.184:8030tested as (Alive]

host54-159-110-95 9rverdedicati arnba 8080 tested as RAIve-SSL)] 031.147.48.116.atotc.nctvigator.con>:3123tested09 [(Mrvc SSL))
E a u c An on ym ity
ML
F IG U R E 1213: S u c c e s fiil c o n n e c tio n o f selected p ro x y
S ta rtin g from version 3.0 Proxy S w itc h e r in co rp o ra te s in te rn a l pro xy server. It is useful w hen you w a n t to use o th e r a p p lic a tio n s (besides In te rn e t E xplorer) th a t s u p p o rt HTTP p ro xy v ia Proxy S w itc h e r. By d e fa u lt it w a its fo r c o n n e c tio n s on localhost:3 128
18. G o to a
w e b b ro w se r
( F ir e fo x ) , a n d ty p e d ie f o llo w in g U R L
h t t p : / / w ^ v . p r o x y s w i t c h e r , c o m / c h e c L p h p t o c h e c k d i e s e le c t e d p r o x y s e r v e r c o m i e t i v i t y ; i f i t i s s u c c e s s f u l l y c o n n c t e d , t h e n i t s h o w 's d i e f o l l o w i n g fig u r e .
Detecting your location
3? ri!t "' ' History BookmorH Iool* Jjdp 0*r<ring your kxatkm..
M07illa Firefox
r 1 0 C x 1
4 . I UU-..J.UU,I
C * I
Go,I.
f i
f!
Your possible IP address is: Location:
2 0 2 .5 3 .1 1 .1 3 0 , 1 9 2 .1 6 8 .1 .1 U nknow n
Proxy Inform ation Proxy Server: Proxy IP: Proxy Country: DFTFCTFD 95.110.159.67 Unknown
F IG U R E 121 4: D e te c te d P ro x y se rve r
19. O p e n a n o th e r ta b i n d ie p ro x y .
w eb brow ser,
a n d s u r f a n o n y m o s ly u s in g d iis
proxy server
Cerca con G oogle - Mozilla Fiiefox
rlc Edit yie* Histoiy Bookmark: Tools Udp Ottecbngyour location..

^ *Tu
| pray ic . -C e r a con Google

C U tao Gccgie
< 9wvwv gcogk.it ?hbft&g5_nf=1&pq-proxy 5wt*cr&cp^ 0&g?_<l-22t51.1t>f-taq-pro>fy scrvcr&pt-p8b1Ricerca Immagini Maps Play YouTube Mews Gmail Document! Calendar
G o o g le
03 A fte r th e an o n ym o u s
proxy server
p ro x y se rve rs h ave b eco m e ava ila b le fo r sw itc h in g yo u c a n a ctiv a te a n y o n e to b e co m e in v is ib le fo r th e sites y o u v isit.
Ricerca
Proxy Wikipodia
Im m agin Maps Video
it.wkj ped a.org/tv k Pioxy
In informatica e telecomunicaôw un proxy 6 un programma che si mleipone tra un client ed un server farendo da trainee o neerfaccia tra 1 due host owero ... Alt/i usi del termrne Proxy Pioxy HTTP Note Voo correlate
11
N o o s e
Shopping
Ptu contanuti
Public Proxy Servers - Free Proxy Server List

ivwiv publicpfoxyserveis conV Tiacua questa pagina Public Proxy Server* is a free and *!dependent proxy checking system. Our service helps you to protect your Ktently and bypass surfing restrictions since 2002. Proxy Servers -Sored By Rating -Proxy Servers Sorted By Country -Useful Links
Proxy Server - Pest Secure, rree. Online Proxy

ItaHa Camtm localit.l
wvwproxyserver com 'Traduci questa pagma Tho boet fin Pioxy Sarvef out there* Slop soarching a proxy list for pioxies that are never fa1 or do noi even get onl1e Proxy Server com has you covered from ...
Proxoit Cuida alia naviaazione anonima
I proxy server
F IG U R E 1214: S u r f u sin g P ro x y se rve r
L a b
A n a ly s is
D o c u m e n t a ll d ie
IP addresses o f live (SSL) proxy servers
a n d th e c o n n e c tiv ity
y o u d i s c o v e r e d d u r i n g d i e la b .
T o o l/U tility
In f o r m a tio n
C o lle c t e d / O b je c t iv e s A c h ie v e d
S e r v e r : L i s t o f a v a ila b le P r o x y s e r v e r s S e le c te d P r o x y S e r v e r I P P r o x y S w it c h e r S e le c te d P r o x y C o u n t r y N a m e : I T A L Y R e s u lte d P r o x y s e r v e r I P A d d r e s s : 9 5 .1 1 0 .1 5 9 .6 7 A d d r e s s : 9 5 .1 1 0 .1 5 9 .5 4
P L E A S E
T A L K
T O
Y O U R
I N S T R U C T O R T O T H I S
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Q u e s t io n s
1. 2. E x a m in e w h i c h te c h n o lo g ie s a re u s e d f o r P r o x y S w it c h e r . E v a lu a t e w h y P r o x y S w it c h e r is n o t o p e n s o u r c e .
In t e r n e t C o n n e c tio n R e q u ir e d 0 Y es S u p p o rte d iL a b s N o
P la tfo r m 0
C la s s r o o m
Lab w
1 i 3
D aisy Chaining using Proxy W orkbench

Proxy Workbench is a uniquep/vxy server, idealfor developers, security experts, a n d twiners, which displays data in real time.
I C O N 2 3 V a lu a b le
in fo r m a tio n
K E Y
L a b
S c e n a r io
to
Y o u h a v e le a r n e d i n d ie p r e v io u s la b h o w S w it c h e r a n d b ro w s e som eone bank
h id e y o u r a c tu a l IP
and
u s in g a P r o x y in te n t lik e
a n o n y m o u s ly . S im ila r ly a n a tta c k e r w i t h e ls e u s in g a p ro x y s e rv e r by
m a lic io u s
Test your k n o w le d g e
can
pose
as
g a th e r in fo r m a t io n
account o r O nce
d e ta ils
o f an
in d iv id u a l
p e r fo r m in g he o r she
s o c ia l e n g in e e rin g .
can hack in to th a t use s o m e tim e s
a tta c k e r
g a in s
r e le v a n t fo r
in f o r m a t io n o n lin e
in d iv id u a ls
bank
account
s h o p p in g .
A tta c k e rs
m u lt ip le
p ro x y
s e rv e rs f o r s c a n n in g a n d
a tta c k in g , m a k in g i t v e r y d i f f i c u lt f o r
a d m in is tr a to r s t o tra c e d ie re a l s o u rc e o f a tta c k s . A s a n a d m i n i s t r a t o r y o u s h o u l d b e a b le t o p r e v e n t s u c h a t t a c k s b y d e p l o y i n g a n in t r u s io n d e te c tio n s y s te m w it h w h ic h y o u c a n c o lle c t n e t w o r k in f o r m a t io n a n a ly s is t o d e t e r m in e i f a n a tta c k o r in tr u s io n h a s o c c u rre d . Y o u fo r
c a n a ls o u s e
P roxy W o rk b e n c h
L a b
to u n d e rs ta n d h o w n e tw o r k s a re s c a n n e d .
O b je c t iv e s
T h is la b w i l l s h o w y o u h o w n e tw o r k s c a n b e s c a n n e d a n d h o w t o u s e P r o x y W o r k b e n c h . I t w ill te a c h y o u h o w to : U s e th e P r o x y W o r k b e n c h to o l D a i s y c h a i n t h e W i n d o w s H o s t M a c h i n e a n d V i r t u a l M a c h i n e s
L a b
T o c a r r y o u t th e la b , y o u n e e d : P r o x y W o r k b e n c h is lo c a t e d a t D:\CEH-Tools\CEHv 8 M odule 03 Scanning N etw orks\P roxy Tools\Proxy W orkbench
Y o u c a n a ls o d o w n l o a d t h e la t e s t v e r s io n o f th is lin k
P ro x y W o rk b e n c h
fro m
ZZ7 Tools d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks
h ttp ://p ro x y w o rk b e n c h .c o m
I f y o u d e c id e t o d o w n l o a d t h e la t e s t v e r s io n , t h e n s c r e e n s h o t s s h o w n i n t h e la b m i g h t d i f f e r A c o m p u te r r u n n in g
as a tta c k e r ( h o s t m a c h in e ) as
A n o t h e r c o m p u te r r u n n in g v ic tim ( v ir t u a l m a c h in e )
W indow Server 2008, and W indow s 7
A w e b b ro w s e r w ith In te rn e t access F o l l o w W iz a r d - d r iv e n in s t a lla t io n s te p s t o in s t a ll A d m i n i s t r a t i v e p r iv ile g e s t o r u n t o o ls
Proxy W orkbench
L a b
D u r a t io n
O v e r v ie w
o f P ro x y W o rk b e n c h
P r o x y W o r k b e n c h is a p r o x y s e r v e r t h a t d i s p l a y s i t s d a t a i n r e a l t i m e . T h e d a t a f l o w i n g b e t w e e n w e b b r o w s e r a n d w e b s e r v e r e v e n a n a ly z e s F T P i n p a s s iv e a n d a c tiv e m o d e s .
L a b
T a s k s
I n s t a ll P r o x y W o r k b e n c h o n a ll p la t f o r m s o f d ie W in d o w s o p e r a t in g s y s te m
C S ecu rity: Proxy servers provide a level o f s e c u rity w ith in a n e tw o rk . They can help preve nt s e c u rity a tta c k s as th e only w a y in to th e n e tw o rk fro m th e In te rn e t is via th e p ro xy serve r
W indow s Server 2012. W indow s Server 2008.

P r o x y W o r k b e n c h is lo c a t e d a t
and
W indow s 7)
D:\CEH-Tools\CEHv 8 M odule 03 S ca n n in g N e tw o rk s \P ro x y T o o ls \P ro x y W o rkb e n ch P roxy W o rkb e n ch

fro m
Y o u c a n a ls o d o w n l o a d t h e la t e s t v e r s io n o f th is l i n k h t t p : / / p r o x y w o r k b e n c h . c o m
4.
F o llo w o f
th e w iz a r d - d r iv e n in s t a lla t io n s te p s a n d in s t a ll i t i n a ll p la t f o r m s
W in d o w s o p e ra tin g sy s te m W in d o w s S e rve r
_
T h is la b w i l l w o r k i n th e C E F I la b e n v ir o n m e n t - o n
2012, W in d o w s S e rve r 2 0 0 8
6.
O p e n F ir e fo x b r o w s e r in y o u r a n d c lic k
and
W in d o w s 7
a n d g o to
W in d o w s S e rve r 2012,
T o o ls
o p tio n s
E th ic a l H ackin g and Counterm easures Copyright O by E C Council A ll Rights Reserved. Reproduction is Strictly Prohibited.
Google Moiillo Fitefox

colt | HtJp Qownloatfs moderns S<* UpS^K. CW-I c m * v *A
e Documents Calendar Mote
!1 cc 9 u
fi *
Yo u
Search
Images
Web Developer Page Info 5 1 1*) 6 9 Cler Recent U stsr. Cl 1+ Sh1 ft*IW
Sign n
G o o g le
Gocgie Search I'm feeling Lucky
AtfMt Mg Piogammei
11
Bumoeti SolUion*
Piracy t Te
Google
Aboul Google
Google com
F IG U R E 13.1: F ire fo x o p tio n s tab
7.
G o
t o A dvanced N e tw o rk t a b , a n d
p r o file in d ie n c lic k
d i e O ptions Settings. Options
w i z a r d o f F i r e f o x , a n d s e le c t d i e
&
General f t T h e s o c k e ts p a n e l sh o w s th e n u m b e r o f A liv e s o c k e t c o n n e c tio n s th a t P r o x y W o r k b e n c h is m a n a g in g . D u r in g p e rio d s o f n o a c tiv ity th is w ill d ro p b a c k to z e ro S e le c t Cached Web Content Connection Tabs Content
%
Applications
p
Privacy Security
S>nc
Advanced
General | MetworV Update | Encryption
Configure h o * h re fo i connects to the Internet
| S g t n g i.
Your w eb content cache 5currently using 8.7 M B of disk space I I Override a u to m ate cache m anagem ent
Clear Now
Limit cache to | 1024-9] MB of space Offline Web Content and User Data
You 1 application cache is c jiie n t l/ using 0 bytes of disk space M Tell me when a wefccite aclrt to store data fo r offline uce The follow ing websites are a lowed to store data for offline use
Clear Nov/
E x c e p tio n s ..
B a r eve..
OK
Cancel
Help
F IG U R E 13.2 F ire fo x N e tw o rk Settin g s
S T he s ta tu s bar show s th e d e ta ils o f Proxy W orkbench*s a c tiv ity . The firs t panel disp lays th e a m ou nt o f data Proxy W orkbench c u rre n tly has in m em ory. The a c tu a l am o un t of m em ory th a t Proxy W orkbench is consum ing is g e n e ra lly m uch m ore th a n th is due to overhead in m anaging it.
8.
9.
C heck Type
Manual proxy c o n fig u ra tio n 111
th e
C onnection S e ttin g s
w iz a r d . check
HTTP Proxy as 127.0.0.1
a n d e n t e r d ie p o r t v a lu e as
8080 a n d OK.
d ie o p t io n o f
Use th is proxy se rve r fo r a ll p rotocols,

Connection Settings
a n d c lic k
Configure Proxies to Access th e Internet O No prox^ O A uto-detect proxy settings for this network O ii** system proxy settings () Manual proxy configuration: HTTP Proxy: 127.0.0.1 @ Use this proxy server for all protocols SSL Proxy: TP Proxy: SOKS H ost 127.0.0.1 127.0.0.1 127.0.0.1 D SOCKS v4 No Proxy fo r (S) SOCKS ^5 Port Port PorJ: 8080 8080y | 8080v Port
localhost, 127.0.0.1 Example .mozilla.org, .net.nz, 192.168.1.0/24
O Automatic proxy configuration URL Rgload
OK
Cancel
Help
F IG U R E 13.3: F ire fo x C o n n e c tio n Settin g s
10. W h ile c o n fig u r in g , i f y o u e n c o u n te r a n y 1 1 . L a u n c h th e
p o rt e rro r please ignore it
S ta rt
m e n u b y h o v e r in g d ie m o u s e c u r s o r i n th e lo w e r - le f t
c o r n e r o f th e d e s k to p .
S c a n c o m p u te rs b y I P ra n g e , b y d o m a in , s in g le c o m p u te rs , o r c o m p u te rs , d e fin e d b y th e G lo b a l N e tw o r k In v e n to r y h o s t file 4 W indows Server 2012 WaoomW1P iW 2 taeneCjickttr 0H iK tT r baLMcncowtuid M O .
g. - ?
F IG U R E 13.4: W in d o w s S e rv e r 2012 - D e s k to p v ie w
1 2 . C lic k d ie
Proxy W orkbench
Proxy W orkbench
w in d o w
Server Manager
Windows PowerShell
Google Chrome
Hyper-V Manager
T h e e v e n ts p a n e l
Fa
m
Control Pand
HyperV Virtual Machine
SO I Server
d is p la y s th e to ta l n u m b e r o f e v e n ts th a t P ro x y W o r k b e n c h h a s in m e m o ry . B y c le a rin g th e d a ta ( F ile > C le a r A ll D a t a ) th is w ill d e c re a s e to z e ro i f th e re a re n o c o n n e c tio n s th a t a re A liv e
Detkc
Command Prompt
MO? 1 1 3 Firefox
Searct101_
H
dobai Network Inventory
O
Proxy Woricbenu.
Si
F IG U R E 13.5: W in d o w s S e rv e r 2012 - A p p s
13. T h e
Proxy W orkbench
m a in w in d o w a p p e a rs as s h o w n i n d ie f o llo w in g
fig u r e .
Proxy Workbench
File V ie w T o o ls H e lp
H I
& The la s t panel d isp lays th e c u rre n t tim e as re ported by your o p eratin g system
Monitorirg: WIND33MR5HL9E4 (10.0.0.7) SMTP Outgoing e-mal (25) ^

&
Details for All Activity

From
K N JH
To 173.194.36.24:80 (www g . 74.125.31.106:80 (p5 4ao 173.194 36 21:443 (m aig 173.194.36.21 M 2 (m a ig . 173.194.36 21:443 (maig..
173 K M TC. 71 A n (m d
1 Protocol HTTP HTTP HTTP HTTP HTTP

H T T P ____
| Started 18:23:39.3^ 18:23:59.0 18:24:50.6( 18:24:59.8' 18:25:08.9

1 fijR - 1 fir
JJ127 .0.0.1:51199 127.0.0.1:51201 J l l 127.0.0.1:51203 J d 127.0.0.1:51205 J d 127.0.0.1:51207

W 'l! ? 7 n n 1 ^
POP3 Incoming e-mail (110) HTTP Proxji Web (80B0) HTTPS Proxy SecureWeb (443) FTP File T!ansfer Protocol (21) Pass Through For Testing Apps (1000)
3eal time data for All Activity
000032 000048 000064 000080 000096 000112 000128 000144 000160 000176
< III
/I .1. . UserAgent : Mozilla/5.0 ( indows NT 6.2; V OU64; r v :14.0) G ecko/20100101 Fi refox/14.0.1..Pr oxy-Connection: koop-alivo. Host : mail. google. co m ....
2f 3a 69 4f 65 ?2 6f 6b 3a 6d
2e 4d 64 36 6b b5 66 73 79 65 65 20 6d Od Qa 31 20 6e 57 63
31 Od 7a 6 77 34 3b 6f 2f 6f 78 2d 43 70 2d 61 69 Od 0a
Si
0A 69 73 20 32 2f 6f 61 6c
SS 6c 20 72 30 31
73 6c 4e 76 31 34 60 6e 6c 69 2e 67 ,
Memory: 95 KByte Sockets: 1C O
Events: 754
u n ; 1iciu ic . u n ; 1 1
7angwrrx?n Luyymy. u n ; .
>
F IG U R E 13.6: P ro x v W o rk b e n c h m a in w in d o w
14. G o to
T ools
o n d i e t o o l b a r , a n d s e le c t
C onfigure Ports
Proxy Workbench
File Lô o ls J Help View I Save Data... 5 Monitoring: W All Activity ^ SMTF Configure Ports. Failure Simulation... Real Tim e 9099 Options...
U- 3
=tails for All Activity |10m | T0 I Protocol
m n ih m
| Started ^
J1 2 7 .0 .0 .15 1 1 9 9
tJ 127.0.0.1 51201
& The *Show th e real tim e data w in d o w ' a llo w s th e u ser to s p e c ify w h e th e r th e re al-tim e d ata pane should be displayed o r no t
POPd ^ ^
k # HTTP T T W ny TTWU(WW)
HTTPS Proxy Secure Web |443) FTP File T ransler Protocol (21) Pass Through For Testing Apps (1000)
3d 1 2 7 .0 .0 .1 5 1 2 0 3 J1 2 7 .0 .0 .15 1 2 0 5 ; jd 1 2 7 .0 .0 .1 5 1 2 0 7 l1?7nn15 R 1 9 1 1 >

Real time data for All Activity
1 7 3 .1 9 4 .3 6 .2 4 :8 0(w w * .g .. HTTP 7 4 .1 2 5 .3 1 .1 0 6 :8 0|p t4 a o HTTP 1 7 3 .1 9 43 6 .2 1 :4 4 3(naig. HTTP 1 7 3 .1 9 43 6 .2 1 :4 4 3(na*g HTTP 1 7 3 .1 9 43 62 1 :4 4 3(naig HTTP 1 7 n * c * n *H T T P
1 8 :2 3 :3 9 .3 } 1 8 :2 3 :5 9 .0 1 8 :2 4 :5 0 .6 ( 1 8 :2 4 :5 9 .8 ' 1 8 :2 5 :0 8 .9
m - w ip r
000032 000048 000064 000080 000096 000112 000128 000144 000160 000176
Memory: 95 KByte Sockets: 100 Events: 754
/ l.1 ..User-Agent : Mozilla/5.0 (W indows N T 6.2; U O U64; rv :14.0) G ecko/20100101 Fi refox/14.0.1. Pr oxy-Connection: keep-alive..Host : mail.google.co m ....
11c1u4c. uu
2f 3a 69 4f 65 72 6f 6b 3a 6d
3 1 2e 2 04 d be 6 4 5 73 6 b 36 b 6 56 6 ?8 7 9 b 56 5 2 06 d O d 0a
3 1O d 6f 7a 6f 7 7 3 43 b 6 2f 6 7 8 2 d4 3 7 02 d 6 16 9 O d 0a
0a 6 9 ?3 2 0 3 2 2f 6f 6 1 6c
5 5 6c 2 0 7 2 3 0 3 1 6e 6c 2 e
7 3 6c 4e 7 6 3 1 3 4 6e 6 9 6 7
I eiiim a ic UII
unuuic u i i
L ty1c u n
1_<.yymy. u n
ju i
F IG U R E 13.7: P ro x y W o rk b e n c h C o n F IG U R E P o rts o p tio n
1 5 . 111 d i e
C onfigure Proxy W orkbench
w i z a r d , s e le c t
8080 HTTP P roxy - Web
i i i d ie le f t p a n e o f 16. C h e c k
P orts to lis te n on.

f p r o t o c o l a s s ig n e d t o p o r t 8 0 8 0 , a n d c l i c k
HTTP 111 d i e l i g h t p a n e o C onfigure HTTP fo r p o rt 8080
C L l P e o p le w h o b e n e fit fro m P r o x y W o rk b e n c h
Configure Proxy Workbench

Proxy Ports Ports to listen on: Protocol assigned to port 8080 ; >>Don't use
Home users w ho have taken the first step in understanding the Internet and are starting to ask "B a t how does it work? People who are curious about how their web browser, email client or FTP client communicates w ith the Internet. People who are concerned about malicious programs sending sensitive information out in to the Internet. The inform ation that programs are sending can be readily identified. Internet software developers w ho are w riting programs to existing protocols. Software development fo r die Internet is often verv complex especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems. Internet software developers who are creating new protocols and developing the eluent and server software simultaneously. Proxy Workbench w ill help identify non-compliant protocol :- T 1 - > Internet Security experts w ill benefit fro m seeing the data flowing in real-time This wiH help them see w ho is doing what and when
Port [ Description 25 un SMTP Outgoing e-mail PHP3 - lnnnmino ft-maiI HTTP Proxy Web HTTPS Proxy Secure Web FTP File Transfer Protocol Pass Through Foe Testing Apps
:
Pass Through HTTPS POP3 FTP
18080
443
21 1000
&dd-
Qetete
| |
Configure H T TP tor poet 8080.|
W Sho^ this screen at startup

F IG U R E 13.8: P r o s y W o rk b e n c h C o n fig u rin g H T T P fo r P o r t 8080
Close
17. T h e
HTTP P roperties
e n te r y o u r
w in d o w a p p e a rs . N o w c h e c k
C onnect via an o th e r OK
proxy,
W indow s Server 2003 8080
v ir t u a l m a c h in e I P a d d re s s i n
Proxy Server,
a n d e n te r
in P o r t a n d d ie n c lic k
HTTP Properties
General
C (
On the web server, connect to port: Connect via another proxy |10.0.0.7| Iftfififi
Proxy server Port:

^
M a n y p e o p le
u n d e rs ta n d s o c k e ts m u c h b e tte r th e n th e y th in k . W h e n y o u s u r f th e w e b a n d g o to a w e b s ite c a lle d w w w a lta v is ta .c o m , y o u a re a c tu a lly d ire c tin g y o u r w e b b ro w s e r to o p e n a s o c k e t c o n n e c tio n to th e s e rv e r c a lle d " w w w .a lta v ia ta .c o m " w ith p o r t n u m b e r 80
OK
Cancel
F IG U R E 13.9: P r o s y W o rk b e n c h H T T P fo r P o r t 8080
18. C lic k
C lose i n d i e C onfigure Proxy W orkbench c o n fig u ra tio n s e ttin g s Configure Proxy Workbench
Proxy Ports 3orts to listen on: Port | Description 25
w iz a r d a fte r c o m p le tin g d ie
Protocol assigned to port 8080 <Don't use>____________ Pass Through HTTPS POP3 FTP
1 1 0
T h e re a l tim e lo g g in g a llo w s y o u to re c o rd e v e ry th in g P ro x y W o r k b e n c h d o e s to a te x t file . T h is a llo w s th e in fo r m a tio n to b e re a d ily im p o rte d in a sp re a d s h e e t o r d a ta b a se so th a t th e m o s t a d v a n c e d a n a ly s is c a n b e p e rfo rm e d o n th e d a ta
8080 443
2 1
1000
SMTP Outgoing e-mail POP3 Incoming e-mail HTTP Proxy - Web HTTPS Proxy-Secure Web FTP File Transfer Protocol Pass Through - For T esting Apps
Add
delete
Configure HTTP for port 8080
W Show this screen at startup

F IG U R E 13.10: P ro x v W o rk b e n c h C o n fig u re d p ro x y
Close
1 9 . R e p e a t d ie c o n f ig u r a t io n s te p s o f P r o x y W o r k b e n c h f r o m 1 5 i n W in d o w s S e r v e r 2 0 0 8 V i r t u a l M a c h in e s .
Step 1 1 to Step
2 0 . 111
ty p e d ie I P a d d re s s o f W in d o w s 7 V ir t u a l
M a c h in e . 21. O p e n a
F irefox
b ro w s e r in
a n d b ro w s e w e b pages.
2 2 . P r o x y W o r k b e n c h G e n e ra te s d ie t r a f f ic w i l l b e g e n e ra te d as s h o w n i n d ie
& Proxy W orkbench changes th is . Not o nly is it an aw esom e proxy server, but you can see all o f th e data flo w in g through it, v is u a lly d isp la y a socket co n n e ctio n h is to ry and save it to HTML
f o llo w in g fig u r e o f 2 3 . C h e c k d ie
W indow s Server 2008 10.0.0.3

( W in d o w s
To
C o l u m n ; i t is f o r w a r d i n g d i e t r a f f i c t o
S e rv e r 2 0 0 8 v ir t u a l M a c h in e ) .
Mcnfanj MN1r2CiU.;4 3 1 1 0 002 | | 4 A O T * !>

^ SHIP 0 .*!> > < *\1
^1 C Q C ) l^ff-0^rIH1(l
0 7
I.(flff:iilf f llW '/ t ilH IU II
y H TI R F W -S.o i W.6 (4 4 3 1 6 FIP Hori^ra *<X0:d|71) V p*m (1 1 0 *i !-f rnjA c * n o 3 0 1
* lira 'f J
vr. u - < 1 *1^
w M u o n 144a laccc
*0010041
1 0 5 .
0525& 4 3 052*100 05 261E 0526217 K.W263K
06.K2S.31T 06052?
A =
UK
laaaixzo 1 0 0 0 )#
1444 ]cto
M ta ia o n
u il . : . I 41 >1 . > 1 11 :
U .
1 J *J
1 0 0 1 1 )* * a
14441400 *0 0 )CM 14441cm 1404 HCW 1400 )IB 144a IK M 1400 )CM 144a m e 1444 ItOM 140a1:w 144 a 1t a t
teit*1 KKrT
0526 IK tiiir, :1 iw. (6 0526 7 3 4
n n :1 1 9 ,
* ? < 06052C92? CV9*. * 1 5 7 06274B 5 5 6 06 052* ** ? SfwAcwirw* 1 utre^rw r 9 rM 0 ( a < rM . 'V** * 1191 * ' K052CTO 27ug IV* 06052706
< V 1 3 r > M 4 c a 1 f a c ct W J
2 1 1 0 >*) **
. *
(*0127 1 0 4
0 $ 2 7
K re z'S ) acr.rte
H B700
IV J 3 J4 1
3 ( 9 5
; v W> .< * < * 1 1 9 9 06 052:7
1 1
.*1
10 0 0)acta
1444 laQHl 144a 14CM
2 1
lO O Q lK W
31 20 10 30
78 4d 39 66 74 47 tl Od 1 30 6 20 IJ Ic 0. 70 2 6 63 4 5 72 47 65 32 64 3a 43
14,0127 ;71 m< k 27 4 1 1 (6 052743( C60127M (6 0527 5 9 7 (6052702 05 7 3 0605275S7
0J2n01
0 5 ;
h < (aa
11
in
0627 0e 2? 5 ae 06052l 06052*173
P A t h t f < k a M c c
F V 9 h n < * c o < n a < t 1 1 2 0
.-*)-
s au szs
tS IS :4?
V *3 h M 4 1 x > d t 06052 3 5 C
1 T \
1 1 10 ) 1112 t t i r t F r i . 23 0 *>: w 0c 2* 1 .'0 10 >4 3 C]141 > 3 n :*dta-Caat
SotExterna0M&4 CSC[ 10 S . . : : i l 00 52 ::>* 4 a ir u . - u
0M4S 1 0 17 34 a n
20 u 64 30
:3 0 0 0 0 1 6 0 o: .ji-age > 0 00 1 7 4 t0 1 ?2
4 50 M 4c
Q o1 3 tl 04 d 61 7a 20 ?.( b I m Cm
61 6 7*
32 30 31 4; 41 0 38 20 >> 10 ?0
31 ro 0 4c (1 7 i 32 (3 3d (3
?2 W 2c
3d U 41 74
4 5MH
3 K 7 (1
2 0 (
Sf <4 30 I I
F IG U R E 13.11: P ro x y W o ik b e n c h G e n e ra te d T ra ffic in W in d o w s S e rv e r 2012 H o s t M a c h in e
2 4 . N o w lo g in in to
c o l u m n ; i t is f o r w a r d i n g d i e t r a f f i c t o M a c h in e ) .
W indow s Server 2008 V i r t u a l M a c h i n e , a n d c h e c k 10.0.0.7 ( W i n d o w s 7 V i r t u a l
d ie
To
F if eV ie wT o d *H r ip
M irilcrrfj hin i'iii/'l 3 |10 0 0 3| !'*!41.
$A M r/M |y
^
IT IF* F' t v W<*b(>]CH])
7 A n d n o w , P ro x y W o r k b e n c h in c lu d e s c o n n e c tio n fa ilu re s im u la tio n stra te g ie s. W h a t th is m e a n s is th a t y o u c a n sim u la te a p o o r n e tw o rk , a s lo w In te r n e t o r u n re s p o n s iv e se rv e r. T h is is m a k e s it th e d e fin itiv e T C P a p p lic a tio n te s te r
fm ^d)006ff)ft lrMfiin3 J10.00.610 jtJ':a:fc3 114 J'].0 0.6 9 0 1 5 & mo 0.6 to 10 0.0 7 J 6 ; 0 : snt J10 0 06 9 8 19 " W FrP-Fielienifei Ftolord 1 Nol Lit* h !0 a.6 9 8 20 PdssThiojî F01 Tastroô*nOOOl fJ jh J'I 0 0.&9B22 1100169824 110 00 69826 1100069828 1*100.6 9 8 3 0 110 0 0& 9H32
P O P 3 0 n iir 1 C 1 Qwpnmamm H1 Q O Q 2 I0 1 Q Q Q 7 H T 1 P 5R o vS e o jicW e b ( 4 4 3 1 | 2 1
,iM T P Outguny frl(25|
1 1000701C O 1a0.a?;8D80 lQ0D7-mm 1aoa7.83E0 00 07: 1Q007:83E O 1ao.a?;83a1 1aoa7!ffiEa 1a0.a7:83EO 1Q0a7:fflffl 1000.7:8303 1a0.Q7.83EO mon7rmgo
HTTP H IIP HUP HTTP HITP HTTP HUP HUP HTTP HTTP HTTP HTTP H1IP 1 76 4d 39 66 74 47 6t Od 65 70 61 20 69 20 4d 6c 69 72 72 20 47 Id 6S 64 32 30 JJ 30 20 0 9 43 61 70 2d 61
11 *!f . 1 i K su w 0 T ) tB 40 !00 F 061B33 750 06tt411 5 6 K 06.05 40109 Q 3 40 !0 < B U. 9 (h 4 10 7 0 F 06.(E 375 0 3 00.41.625 F (06 41437 0,0141 ms F 0606 *3 5 3 1 0 5 05 4 12 8 1 F 06.05 546 06.0541.281 F 05<E 40 578 (E05 40Bt3 F 06:0=4:655 0 6 05:41.828 F 06 05*3 906 (K O S4 15 9 3 F 06<e 41015 0605 4 14 0 6 F 0 6 05 4 17 1 8 F 06.0C4 1 *09 (KtR 4 1 TIB as 05 4 1^ 1 1 Fj 2J
fte d c M sF o iH rT PP ic e a y V / H 3 | B 0 B ]| p iro D So t 2 6 :1:064 Sx 010080 IUr 2 0 1 10 0G 2

09* 060112
*1
a
65 73 3a 32 30 31 S4 0d 04 20 16 30 39 20 G <3 61 fd 61 78 6 60 65 (c 69 6 20 S3 i l 74 ? 31 20 30 30 3a ic 61 73 74 .?rf 7 2 b'3 2c 20 32 63 2d 63 65
0 0 0 1 2 C 060144 0 6 0 1 6 0
060176 080192
<0 CUT hint. Nrd 1 1 t.wd. f t 1 . 23 0 c t 2009 2010 04 GMT. . Ccho-Cont roL max-oge-360 0. Connect io a k oe p - o livc
3 23 03 . 3 13 0
b0 61 74 Od
t ')
65 2d 4 3 6? 65 3d bl 6 0o Od 0o
Mar a y 3ES KBylei
T 1mnate 01( R cIlb c Qr
'h rbf
C m ^ ! CK -oggrg 01( 613AM 6:15 AM
Start |
Proxy Worfctxfyh
A iL d
F IG U R E 1 3 .12 P ro x y W o rk b e n c h G e n e ra te d T ra ffic in W in d o w s S e rv e r 2003 V irtu a l M a c h in e
2 5 . S e le c t O n d i e w e b s e r v e r , c o n n e c t t o a n d c lic k
p o rt 80
in
W indow s 7
v ir t u a l m a c h in e ,
OK
-TTTP Properties
General |
( On the *tcb server, connect to port: C " Connect vb atoihcr proxy
Pro<y :erver: 110.0.0.5 Port: [fiflffi
H I I t a llo w s y o u to 's e e ' h o w y o u r e m a il c lie n t c o m m u n ic a te s w ith th e e m a il s e rv e r, h o w w e b p ag es a re d e liv e re d to y o u r b ro w s e r a n d w h y y o u r F T P c lie n t is n o t c o n n e c tin g to its s e rv e r
OK
il
Cr>cd
F IG U R E 13.13: C o n fig u rin g H T T P p ro p e rtie s in W in d o w s 7
2 6 . N o w C h e c k d ie tr a f f ic i n
10.0.0.7
( W in d o w s 7 V ir t u a l M a c h in e )
TO
c o lu m n s h o w s t r a f f ic g e n e ra te d f i o m
d ie d if f e r e n t w e b s ite s b r o w s e d i n

" Unix
p i?
w a
'*wts c > w
Wd
iso
r*e
> : o 11 1 ; >
V W ur Toeli Help
7&
Q2 In the C onnectio n Tree, if a p ro to c o l o r a c lie n t/s e rv e r p a ir is se le cte d , th e D etails Pane d isp lays th e sum m ary in fo rm a tio n o f all o f th e s o c k e t c o n n e c tio n s th a t a re in progress fo r th e se le c te d ite m on th e C onnection Tree.
n*Vlet7naQa7}
ft A ll5 ctr*y
DcUI1 t a H T T P IW - W b 1 8 0 8 0 1 From *010.0 D32237 )0 1 0 0 0 32239 )8100032239 ;0100032240 )0 10 0 0 32241 ) 0 10 0 0 3 2242 50100032243 )0 1 0 0 0 3 224( )0 10 0 0 3 2245 )9100032246 )0 10 0 0 22 c )610 0 0 3229 ) 0 10 0 0 3 224) ',W10 0 0 3 2250 : . .*3 26E0 I1 :-.h< . 571SS22G.aK:0|adi * 78206120 6 *< 9878206126* 0 * 0* 1337320612!6c0|ic>*1t.. 2027921012140 (t * K 1 Pictocoi HUP HTTP HTTP HTTP 06:0634.627 0&634643 C6X634S66 C6:(634$G6 06:C&34.336 .0634 S3 06C636030 C 6 (& .X.2l 0 fe 354 06:0636483 06C03CW3 06.06 3U6U6 flf.r3570? t e a . 56 786 060U363W C fr X C 7 ? C6:0636124 C6:Cfc36.166 06:0636216 CC&36 C6C636366 06.C&36.606 U sE ^ rl 1 laslSUto 06.05:35.436 FVB ho? J'.ccrncc... 0 < 6 2 3 fVt'B hai d : c f r r l 06(636390 06(635624 060636624 c e c & x 21e (6(636186 060&355W C M & X T tS P*J3 l J i r r l . . . f * ?hasdaxrrecJ... FV>B bn d s O T iw l Km d : r r l FWB hat d n c r m l . ha* d if fr r w l I
m il B/*5 C25 1 BylesS 1577 0 1555 0 1556 1950 1131
^ SM TP Ouiflonfl e id |2 5 | K CC Irm^1*fflalf110l C lC lC l3to1 0005 10003to 2 0 3 .8 5 .2 3 1 .8 3 |m j.Br c > 00031# 6 87 12 0 91 7 6|abc g oc 100031a 5 02 70 62 0 7|edn> m )k| 100031a 5 8 .2 7 .8 6 .1 2 3ledge Bus 100031a 6 87 12 2 01 6 5|ab c cm 100031a 2 0 27 92 1 01 2 1 Ibi.ta* 10003b) 2 0 51 2 88 4 .1 2 6 100031a 5 02 78 61 0 5|f*\1 ur 100031a 5 827.06.21; I1 d 1 u . t> 100031a 1 5 71 6 62 5 52 1 6M d ic 100031a 1 5 71 6 62 5 53 1 |riv, 100031s 2 0 38 52 1 11 4 8lilt 100031a 2 0 31 0 68 55 1 |bkcmc 100031a 5 02 70 62 2 5|s etrrcd 100031a 1 5 7 .1 6 6 .2 2 6 .2 6Iwmc 100031a 1 9 99 36 21 2 6 100031a 2 0 3 .1 0 6 .8 5 .6 5 |1 p e .< M r 1000310 2 0 74614 83 2!view* 100031a 6 62 3 51 3 05 9Ix ffc c m 100Q3la 2 0 3 .1 0 6 .8 5 .1 7 7Ib.scae 100031a 02 62 0 71 2 6ledn vrtt 100031a 1 5 71 6 62 2 63 2|tvea 100031a 5 82 72 27 2|r.*\tum 100031a 1 9 07 02 0 61 2 6|icchk 100031a 1 5 71 6 62 2 6 .4 6ledlnr^ 100031a 6 62 3 51 4 22 4|rrel1 b)< 100031a 2 0 31 0 60 51 7 6Idi M rw 1000311 1 5 7 .1 6 6 .2 5 5 .1 3Im m m a 100031a 6 87 12 0 91 7 3 |4 b c fl0<
HTTP HTTP HTTP 57 iffi 2262(680|** 5621 4 3 1 1 lOtCImet71c . h i TP HTTP : 01106 9517&<>4 , -. 1 1 :1 |. . : HI TP HI IP ' ra 2 D 5 1 2 e w 0 a * u HUP J0n>206120WI1ht HTTP 17820612S8000<ht ftfC|v.w HUP h i IP HTTP
2110
447S 2710 1572 11 IA 2 3 1183 2i03 . , MS
) 0 10 0 0 32251 ) 0 1 OOO 322C

M 1000 32253 )0100032254 ) 0 10 0 0 32255 )01OOO322S )0 10 0 0 32257 )010.0.0.32258
828 > 18 1 -Sani2 a h b j

'ra20612t<)BCTht 3873206126t01icdn.. 397920G1;&C|1 fce i78206l260Hiceht 157.1652262660) lfc
H TTP HI T P HI T P H TT P H TTP H TT P
(6 (C!36 (66 (*(CJ&124 0606J6243 rv>V bm d iw riK l... ff .f fT V W * K d n (rr 1 . > COOUJCW 1 8 h o d im r M l. M hoi d iM r m i 06(636718 ^ I n l 1a r r l... 0606367*9 *8 060636611 FVrtJ he! diccrriKl.. 0&0K36&2? PV.9 hatiic e r r c c t..
06(6368(6
3 3 33
2125
0 0 0 0 0 0 112 0 0 0 0 0 0 0 0
358
2(21
1124
060637.436
t te d 2 r r * ... FVjB h s d.ccrrecl...
1120
1 5 3 3
0 0 0 0
p e al line dsis is HTTP P * / Web (9060) 000160 000192 000206
000176
Wi 30( 5et. 55 000224 26 bar 2011 00 20 000240 ?2 3 1 CUT Conn* 3S 000256 ct*oc .iv s * . Co 61 60 000272
ISL
Btwt-Uim h 2 0
61 72 64 69 4f i l 4e 32 32 74 ?4
60 6 P 20 id
75 3a 20 Od 4? 4? 22 O d 36 20 4d 3a 33 31 6 ? 6 ( 6 656a ?4
41 0a 56 0 61 20 3 2d
63 60 61 44 ?2 47 20 4c
20
61 20 4tJ 6) 65
63 33
6 5 ? 0 7 4 2 d 4 61 3 6 .
SO if 74 32
3a 2043 50 3d 22 ?5 S220 42 5? 53 65 320 53 (1 74 30 3131 20 30 30 ?4 0 1 1 0a4 ) ii 6e (e &c Cl ?3 65 CJ 0 43 t>0 67 30 32 20 *3 68
40 20 2c 3a 65 il 4
_ L* a
and
F IG U R E 13.14: P r o s y W o rk b e n c h G e n e ra te d T ra ffic in W in d o w s 7 V ir tu a l M a c h in e
L a b
A n a ly s is
D o c u m e n t a ll d ie
IP addresses, open p o rts
and
running a p p lica tio n s,
p r o t o c o l s y o u d i s c o v e r e d d u r i n g d i e la b .
T o o l/U tility
In fo r m a tio n
P r o x y s e r v e r U s e d : 1 0 .0 .0 .7 P o rt s c a n n e d : 8080 P ro x y W o rk b e n c h R e s u lt: T r a f f ic c a p tu re d b y w in d o w s 7 v ir t u a l m a c h in e ( 1 0 .0 .0 .7 )
P L E A S E
T A L K
T O
Y O U R
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Q u e s t io n s
1. 2. E x a m in e t h e C o n n e c t io n F a i lm e - T e r m i n a t io n a n d R e fu s a l. E v a lu a te h o w r e a l- tim e lo g g in g r e c o r d s e v e r y t h in g i n P r o x y W o r k b e n c h .
In t e r n e t C o n n e c tio n 0 Y es S u p p o rte d
R e q u ir e d N o
P la tfo r m 0
C la s s r o o m
iL a b s
HTTP T unneling U sing H TTPort

H T T P o / f is a program f r o m H T T H o s f that mates a transparent tunnel through a p m x j server orf/renall L a b S c e n a r io
a r e a lw a y s i n a h u n t f o r c lie n ts IP a t h a t c a n b e e a s ily c o m p r o m i s e d to dam age and
I CON
V a lu a b le
KEY
A tta c k e rs
in fo r m a tio n
th e y c a n e n te r th e s e a tta c k e r can get
n e tw o rk s w it h th ro u g h
s p o o fin g by
o r s te a l d a ta . T h e d ie IP a d d re s s . to d o in If th e
Test vour k n o w le d g e
p a c k e ts to
fir e w a ll
s p o o fin g
a t t a c k e r s a r e a b le p r e v io u s la b ,
c a p tu r e n e t w o r k t r a f f ic , as y o u h a v e le a r n e d can p e rfo rm T r o ja n to a tta c k s , be r e g is tr y fo r
th e y
a tta c k s , an
p a s s w o rd
h ija c k in g
a tta c k s , e tc ., w h ic h
can p ro v e
d is a s t r o u s
o r g a n iz a tio n s
n e tw o rk . A n
a tta c k e r m a y u s e a n e tw o r k p r o b e
t o c a p tu r e r a w p a c k e t d a ta a n d
th e n u s e th is r a w p a c k e t d a ta t o r e tr ie v e p a c k e t i n f o r m a t io n s u c h as s o u rc e a n d d e s tin a tio n IP a d d re s s , s o u rc e and d e s tin a tio n p o rts , fla g s , header le n g th ,
c h e c k s u m , T im e t o L iv e ( T I L ) , a n d p r o t o c o l ty p e . T h e r e f o r e , a s a n e t w o r k a d m i n i s t r a t o r y o u s h o u l d b e a b le t o i d e n t i f y a t t a c k s b y e x tr a c tin g in f o r m a t io n fro m c a p tu re d tr a ffic s u c h as s o u rc e a n d d e s tin a tio n I P a n d d e s tin a tio n p o r t s , e tc . a n d
a d d re s s e s , p r o t o c o l ty p e , h e a d e r le n g th , s o u rc e c o m p a r e th e s e d e ta ils w i t h
m o d e le d a t t a c k s ig n a tu r e s t o
d e te r m in e i f a n a tta c k
h a s o c c u r r e d . Y o u c a n a ls o c h e c k t h e a t t a c k lo g s f o r t h e l i s t o f a t t a c k s a n d ta k e e v a s iv e a c t io n s . A ls o , y o u s h o u ld b e f a m ilia r w i t h can id e n tify a d d itio n a l s e c u r ity th e H T T P r is k s th a t t u n n e lin g te c h n iq u e b y w h ic h y o u m ay n o t be r e a d ily v is ib le by
c o n d u c t in g s im p le n e t w o r k a n d v u ln e r a b ilit y s c a n n in g a n d d e t e r m in e th e e x t e n t to w h ic h a n e tw o r k ID S c a n i d e n t i f y m a lic io u s t r a f f i c w i t h i n a c o m m u n ic a t io n T u n n e lin g u s in g H T T P o r t .
c h a n n e l . 111 t h i s l a b y o u w i l l l e a r n H T T P
L a b
O b je c t iv e s
n e tw o rk s c a n b e s c a n n e d a n d h o w to use
T h is la b w i l l s h o w y o u h o w and
H T T P ort
H T T H o st
la b , v o u n e e d d ie H T T P o r t to o l.
L a b
1 1 1d i e
H T T P o r t i s lo c a t e d a t
D:\CEH-Tools\CEHv 8 M odule 03 S canning N e tw o rk s \T u n n e lin g T o o ls\H T T P o rt H T T P o rt

fro m d ie lin k
Y o u c a n a ls o d o w n l o a d t h e la t e s t v e r s io n o f h t t p : / / w w w .t a 1 g e t e d . o r g /
I f y o u d e c id e t o d o w n l o a d t h e la t e s t v e r s io n , t h e n s c r e e n s h o t s s h o w n i n th e la b m i g h t d i f f e r
" Tools d em o nstrate d in th is lab are ava ila b le in D:\CEHTools\CEHv 8 M odule 03 Scanning N e tw o rks
I n s t a ll H T T H o s t o n I n s t a ll H T T P o r t o il
W in d o w s S erver 2008 W in d o w s S e rve r 2 0 1 2
V ir t u a l M a c h in e H o s t M a c h in e
F o l lo w t h e w iz a r d - d r iv e n in s t a lla t io n s te p s a n d
in s ta ll it.
A d m in is tra tiv e p riv ile g e s
is r e q u i r e d t o r u n d i i s t o o l tu n n e lin g
T h is la b m ig h t n o t w o r k i f r e m o te s e r v e r f ilt e r s / b lo c k s H T T P p a c k e ts
L a b
D u r a t io n
O verview o f H TTPort
HTTPort
bypasses c re a te s a t r a n s p a r e n t t u n n e lin g t u n n e l d ir o u g h a p r o x y s e r v e r o r fir e w a ll. H T T P o r t a llo w s u s in g a ll s o r ts o f I n t e r n e t S o f t w a r e f r o m b e h i n d d ie p r o x y . I t
HTTP p ro xie s
and
HTTP, fire w a lls ,
and
tra n sp a re n t a ccelerators.
L a b
T a s k s
B e fo r e r u n n in g d ie t o o l y o u n e e d t o s to p
Stopping IIS S ervices

2.
IIS A dm in S ervice
and
World
W ide W eb Publishing se rvices

G o to
on
W indow s S erver 2008 v irtu a l m achine. S ervices IIS Adm in Service,

r ig h t
A d m in is tra tiv e P rivileges Stop

o p tio n .
c lic k a n d c lic k th e
01 HTTPort cre a te s a tra n sp a re n t tu nn el th ro ug h a proxy se rve r or fire w a ll. T his a llo w s you to use a ll so rts o f In te rn e t s o ftw a re fro m behind th e proxy.
IIS Admin Scrvict

Sioo th- service
5.estart thesevce
Docrpton: Enabltc 6 1 1 > to * d 1 n v j ! t ::s : * H5 X 'J tK C r*ouM1 0 n *or SK* one FTP : i v' n il * u * to am f g. S or ftp. :, the servce e c jx c . an, fa I tottait.
1 * r v io r *t h u m v t e t t a u p r d . 2 16 3
se1/ ee* *v9!tporv dfpeo; o *mI
K a-n- * '*,FurcBon Discovery Provide Host P-rcoco Decovery Resource PJ>lc3ten C ^ C rO v OPoicy Cent Key aid Cerbfeate Mens9trp-t ,h\jma1 :rtc'frc Devi: Access CfchyMr-v m u txchanoa s w a <|1 Hyoer-VGuet Shutdown Sev o e < ^Hyp*rVUtatoeat Stive* '^,hvsf'-v Tir* Syndvonuaton Save 'X V0iuneSh30WC00VRUMCDr .32 a d Au0!:p tPMC *C eyUg M odJet C feInteractive services Detection 4 Internet Cornecton Shwrng CCS) IP helper ,IPsec PoIcy Agent : JkctR.t1* v < trbuted Transaction Coordnsso Îrtt-tover Toog>Discovery1 tepee?iwicroajft KETFrans0 rk N GB<v3 0.50727_kfr ;*Microsoft .rcrFraroenorkNGei v: 0.50727_> '*, M0090* Fb e Channel ^stfo'Ti Res^Cstcn Se* ^ M C T 0 M*t 6 CSI ]ntigtor Service ^Vbon*! Software Shacton Copy P'ordfi Q,MoJU Manteimce Save
I CeKri3bcn | 5:afc_s hostcroca.. , Stated P-behes t... Started The serve... Started P-o-rde*X... E'aolas 9a P0 vd81 a .. . started fvovdes a .. . Started Va-iton th... 5hr ted Syrdvcnj . SUr'tid cocfdnjte _ 1urted S tJt________ P.-llv Res-re R3rt jn...
! * "
St* lid
Started . 5:cited AITmks 3te , Started -- 0 ... Started Proprf br% t .... Stated 8 t.. wb , W ragn ... Th*M00IU..
_J
Stana*.- J ~
>t:p jcrvce IL Acrrr StrVtt on L O C OCaiOutt* F IG U R E 14.1: S to p p in g I I S A d m in S e rv ic e in W in d o w s S e rv e r 2008
3.
G o to
A d m in is tra tiv e P rivileges
S ervices
W orld W ide Web

o p tio n .
Publishing Services, & It bypasses HTTPS and HTTP proxies, tra n sp a re n t a c c e le ra to rs , and fire w a lls . It has a b u ilt-in SOCKS4 server.
*te Action jjen Kels
r ig h t - c lic k a n d c lic k d ie
Stop
E f IB [ >rrf | E N^ltwl AbServwj C lomJ)

I S v (lo ca l) v; tid Wide Web PwbW-mg SrrvK n e servce Rf*tr; t t ' t e
.1
SfcvOU
1
S Mijs. Coov AudO
CwJOCor P1cr> *0M ... MWU0K*... TUtWtbM.. Mo'eOcS a... Ha'sOeid... he W a P l.. Ha-aoesr... Haaoe; u... Ab .-sero... Thssevfc... Thssevfc... ViW owsF.. .
I S !a w
Cso aion: (V d f Web a n w r< r r end : rr y .y f c : rr r lnforrr~-.cn 5e r a * Hjrage-
2 8 11 1
CfetYea Marâoerent S e < ce % Vrd ^ vxto/.9 Aucto ErekJrtit s J s e ^ Y < to/.S Cotor SySteri (M fld M Dectoymeot Sevces Serve ^ M m s Driver Fourdaoon -Lee cce Diver * xr1 . . Y d /.s & Repo Semoe i^ %Yrd ? e i: Cotecto % \V'tkr/.$ e it uw ^!Y rd o/.s Fe.\dl $*Yrd>/.e CngU i/ler CJtYrtto/.9 1 1 vd0/9 ModJes trwtalei I
'1 1 > / .9 1 0 3 0 8 / .9
Ste tec Stated Stated Stated Stated Stated Stated stated stated
aat
5 I ^ r Re*t
a it m
Adds, m od . ftovd a ... & a b n s... V J o B... M ints *S.. . KrHTTPl... ^***TMC... Pre* ^
C i vxto/. BioceM Activation Seivd ^ V'cto/n 5mote M V e*nt M try ^ %YYfew, uoflat* ^ * v r H n p webP'oxvAuto-oaeovJ ^ . v < -Autocar *c Perfcrwsrce Aflao* \'08>'taecr
30
U n d o ...
H n y r B fi bet)
06 0
Stated
JE 3 S JB
\ x a r d e ; A Sarri8: /
:c -T ;'g . ', o'c y 1 :c er: -vb1 ?n; ' r c t.: r: ; 0 0^ F IG U R E 1 4 2 : S to p p in g W o r ld W id e W e b S e rv ic e s in W in d o w s S e rv e r 2008
It supp orts stro n g tra ffic e n cryp tio n , w h ic h m akes proxy logging useless, and suppo rts NTLM and o th e r a u th e n tic a tio n schem es.
4.
CEH-Tools" Z:\CEHv 8 M odule 03 Scanning N etw orks\T unneling Tools\H TTH ost
O p e n M a p p e d N e tw o r k D r iv e O pen T lie
5.
H TTHost
fo ld e r a n d d o u b le c lic k
htthost.exe . O ptions
ta b .
6.
7.
H TTH ost
w i z a r d w i l l o p e n ; s e le c t d i e
O n d ie
O ptions
t a b , s e t a l l d i e s e t t in g s t o d e f a u l t e x c e p t
Personal
Passw ord fie ld ,
w h i c h s h o u l d b e f i l l e d i n w i t h a n y o t h e r p a s s w o r d . 111 d i i s
la b , d ie p e r s o n a l p a s s w o r d is
k m a g ic.'?
8.
C h e c k d ie
R evalidate DNS nam es
and
Log C onnections
o p t io n s a n d c lic k
A pply
HTTHost 1.8.5
N etw ork B ind lis te n in g to : P o rt: B ind e x t e r n a l to :
|0.0.0.0
Allow a c c e s s fr o m :
[80
10.0.0.0
P e r s o n a l p a s s w o rd :
10.0.0.0
[ P a s s th r o u g h u n r e c o g n iz e d r e q u e s t s to : P o rt: O rig in a l IP h e a d e r fie ld : | x O rig in a l IP
H o s t n a m e o r IP :
1127.0.0.1
|81
T im e o u ts :
& To s e t up H TTPort need to p o in t yo u r b ro w s e r to 127.0.0.1
M ax. local b u ffe r:
|0= 12
R e v a lid a te DNS n a m e s Log c o n n e c tio n s

Apply
S ta tis tic s ] A p p lic a tio n log | ^ 3 p tio n s jj" S e c u r'ty | S e n d a G ift)

F IG U R E 14.3: H T T H o s t O p tio n s tab
9.
N o w le a v e
HTTHost
in ta c t, a n d d o n t t u r n o f f
W indow s S erver 2008
V i r t u a l M a c h in e . 10. N o w s w itc h to fio m
W indow s Server 2012 H ost M achine,

a n d d o u b le - c lic k
a n d in s t a ll H T T P o r t
D:\CEH-Tools\CEHv 8 M odule 03 Scanning N etw orks\Tunneling h ttp o rt3 sn fm .e xe
Tools\H TTPort & H TTPort goes w ith th e predefined m apping "E x te rn a l HTTP p ro xy o f local po rt
1 1 . F o llo w d ie w iz a r d - d r iv e n 1 2 . L a u n c h th e
in s ta lla tio n steps.
S ta rt
m e n u b y h o v e r in g d ie m o u s e c u r s o r i n th e lo w e r - le f t
F IG U R E 14.4: W in d o w s S e rv e r 2012 - D e s k to p ^ ie w
1 3 . C lic k d ie
HTTPort 3.SNFM
HTTPort 3.SNFM
w in d o w .
5 t3 ft
Administrator
Server Manager
Windows PowerShell
Google Chrome
Hyper-V Manager
HTTPort 3.SNPM 1
T ools d e m on stra te d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 Scanning N e tw o rks
i.
Con>puter
m
Control Panel
Wyper-V Virtual Machine...
91
SOI Server incaknor Cent!.
*
-
V
Command Prompt M 021IU Firefox
n
Nctwodc
Proxy Workbea. -T
if
MegaPng
*8
14. T h e
HTTPort 3.SNFM
w in d o w a p p e a rs as s h o w n i n d ie fig u r e d ia t f o llo w s .
HTTPort 3.SNFM
' r
Port:
S y s te m j Proxy :j por^ m a p p in g | A bout | R e g iste r | HTTP proxy to b y p a s s (b la n k = dire c t o r firewall) H ost n a m e o r IP a d d r e s s :

F o r e a c h s o ftw a re to c re a te c u s to m , g iv e n a ll th e a d d re sse s fro m w h ic h it o p e ra te s . F o r a p p lic a tio n s th a t a re d y n a m ic a lly c h a n g in g th e p o rts th e re S o c k s 4 - p ro x y m o d e , in w h ic h th e s o ftw a re w ill c re a te a lo c a l s e rv e r S o c k s (1 2 7 .0 .0 .1 )
Proxy re q u ire s a u th e n tic a tio n U se rn a m e : P assw ord!
Misc. o p tio n s U ser-A gent: IE 6 .0 B ypass m o d e :
U se p e rs o n a l re m o te h o s t a t (b la n k = u s e public) H ost n a m e o r IP a d d r e s s : Port: P assw ord:
I------------------------------ P
?
\ 4
I-------------S tart
This b u tto n h elp s
F IG U R E 14.6: H T T P o r t M a in W in d o w
1 5 . S e le c t d i e m a c h in e .
Proxy
ta b a n d e n te r d ie
h ost nam e
or
IP address
o f ta rg e te d
1 6 . H e r e as a n e x a m p le : e n t e r
address,
a n d e n te r
W indow s Server 2008 Port num ber 80

and
v ir t u a l m a c h in e
IP
1 7 . Y o n c a n n o t s e t d ie 1 8 . 111 d i e
Usernam e
Password
f ie ld s .
U ser personal rem ote host a t
s e c tio n , c lic k
s ta rt and
d ie n
sto p
and
d ie n e n te r d ie ta r g e te d b e 80.
H ost m achine IP address
a n d p o r t , w h ic h s h o u ld
19 . H e r e a n y p a s s w o r d c o u ld b e u s e d . H e r e a s a n e x a m p le : E n t e r d ie p a s s w o r d as
*m agic r|a
S y s te m
In real w o rld environm ent, people som e tim e s use passw ord p ro te c te d pro xy to m ake com pany em ployees to ac c e s s th e In terne t.
HTTPort3.SNFM | 3
'
Proxy | p 0 rt m a p p in g | A bout | R e g iste r |
HTTP p roxy to b y p a s s (b la n k = direct o r firewall) H ost n a m e o r IP a d d re s s : | 1 0 .0 .0 .4 Proxy re q u ire s a u th e n tic a tio n U s e rn a m e : P assw ord: Port: |8 0
Misc. o p tio n s U se r-A g en t: | IE 6 .0 B y p ass m o d e : | R e m o te h o s t
U se p e rs o n a l re m o te h o s t a t (b la n k * u s e public) H ost n a m e o r IP a d d re s s : |1 0 .0 .0 .4 *ort: P a s sv rd :
I 8 0
|............1
S ta rt
? | <T his b u tto n h e lp s
F IG U R E 14.7: H T T P o r t P ro x v settin g s \ rin d o w
2 0 . S e le c t d ie
Port M apping
*
S y s te m | Proxy
ta b a n d c lic k
Add
t o c re a te
N ew M apping
HTTPort 3.SNFM 1 - 1
Port m a p p in g A bout | R e g iste r J Static T C P /IP p o rt m a p p in g s (tu n n e ls ) Q New m a p p in g Q Local po rt
1 1
1-0
Q H T T H o s t s u p p o rts th e r e g is tra tio n , b u t it is fre e a n d p a s s w o rd - fre e - y o u w ill b e is s u e d a u n iq u e ID , w h ic h y o u c a n c o n ta c t th e s u p p o rt te a m a n d a sk y o u r q u e s tio n s .
(3 R e m o te h o s t re m o te , h o s t, n a m e R e m o te port
1_0
S e le c t a m a p p in g to s e e sta tistic s : No s ta t s - s e le c t a m a p p in g n /a x n /a B /sec n /a K Built-in SOCKS4 se rv e r
W
LEDs:
O Proxy
R un SOCKS s e rv e r (p o rt 108 0 ) Full SOCKS4 s u p p o rt (BIND)
A vailable in "R e m o te H ost" m o d e : r
? | 4 This b u tto n h e lp s
F IG U R E 14.8: H T T P o r t cre a tin g a N e w M a p p in g
2 1 . S e le c t
N ew M apping Node,
a n d r ig h t- c lic k
N ew Mapping,
a n d c lic k
Edit
HTTPort 3.SNFM
S y s te m | Proxy
T33
Add R em o v e
m a p p in g | A bout | R e g iste r |
Static T C P /IP p o rt m a p p in g s (tu n n e ls ) New m a o Local p Edit 0 0 R e m o te h o s t re m o te , h o s t, n a m e (=J R e m o te po rt
Tools d em o nstrate d in th is lab are ava ila b le in D:\CEHTools\CEHv 8 M odule 03 Scanning N e tw o rks
L_o
S e le c t a m a p p in g to s e e sta tistic s : No s ta ts - s e le c t a m a p p in g n /a x n /a B /sec n /a K Built-in SOCKS4 s e rv e r
W
LEDs:
O Proxy
R un SOCKS s e rv e r (p o rt 1080) Full SOCKS4 s u p p o rt (BIND)
A vailable in " R e m o te H ost" m o d e : r
? |
T his b u tto n h e lp s
F IG U R E 14.9: H T T P o r t E d itin g to assign a m a p p in g
2 2 . R e n a m e th is t o c lic k
ftp c e rtifie d hacker, 21
a n d s e le c t
Local p o rt node;
th e n lig h t-
E dit
a n d e n te r P o r t v a lu e t o
2 3 . N o w r ig h t c lic k o n
R em ote h o st node ftp .c e rtifie d h a c k e r.c o m R em ote p o rt
to
E dit
a n d r e n a m e i t as
2 4 . N o w r ig h t c lic k o n
n o d e to
E dit
-
a n d e n te r d ie p o r t v a lu e t o 1 r x
21
1
r* 1 S y s te m | Proxy
HTTPort 3.SNFM
Port m a p p in g | A bout | R e g iste r |
r Static T C P /IP p o rt m a p p in g s (tu n n e ls ) 1 =1 .=. 5 -2 1
/s
Add R em o v e
0 Local p o rt 0 R e m o te h o s t
ftp .c e rtifie d h a c k e r.c o m R e m o te port I21 S e le c t a m a p p in g to s e e s ta tistic s : No s ta ts - inactive n /a x n /a B /sec
dulitin
S In th is kind o f environm en t, th e fe d e ra te d search w e b p a rt of M ic ro s o ft Search Server 2008 w ill n o t w o rk out-ofthe-box because w e o n ly suppo rt non-passw ord p ro te c te d proxy.
=
V LEDs:
n /a K
Proxy
server
SOCKS s e rv e r (p o rt 1 080)
W R un
I
A vailable in " R e m o te H ost" m o d e : Full SOCKS4 s u p p o rt (BIND)
? |
T his b u tto n h e lp s
F IG U R E 14.10: H IT P o r t S ta tic T C P / IP p o rt m a p p in g
2 5 . C lic k
S ta rt
o n d ie
Proxy
ta b o f H T T P o r t t o m i l d ie H T T P tu n n e lin g .
HTTPort 3.SNFM r a :
S y s te m ^ o x y | Port m a p p in g | A bout | R e g iste r |
- HTTP proxy to b y p a s s (b la n k = dire c t o r firewall) H ost n a m e o r IP a d d r e s s : |1 0 .0 .0 .4 Proxy re q u ire s a u th e n tic a tio n U s e rn a m e : P assw ord: Port: [80
Misc. o p tio n s U ser-A gent: IE 6 .0 B y p ass m o d e : [ R e m o te h o s t
U se p e rs o n a l re m o te h o s t a t (b la n k = u s e public) H ost n a m e o r IP a d d r e s s : Port: P assw ord:
|10.0.0.4
? | ^ T his b u tto n h e lp s
[So
****
( J3 H T T P is th e b a sis fo r W e b s u rfin g , so i f y o u c a n fr e e ly s u r f th e W e b fro m w h e re y o u axe, H T T P o r t w ill b rin g y o u th e re s t o f th e In te r n e t a p p lic a tio n s .
F IG U R E 14.11: H T T P o r t to start tu n n e lin g
2 6 . N o w s w it c h t o d ie
v ir t u a l m a c h in e a n d c lic k d ie
A p p lic a tio n s log
ta b .
2 7 . C h e c k d ie la s t lin e i f p r o p e r ly .
L is te n e r liste n in g a t 0.0.0.0:80,
a n d d i e n i t is m i m i n g
HTTHost 1 A 5
A p p lic a tio n lo g : M A IN : H T T H O S T 1 . 8 . 5 P ER S O N A L G IF T W A R E D E M O s t a r t i n g ^ M A IN : P r o je c t c o d e n a m e : 9 9 re d b a llo o n s M A IN : W r it t e n b y D m it r y D v o in ik o v M A IN : ( c ) 1 9 9 9 - 2 0 0 4 , D m it r y D v o in ik o v M A IN : 6 4 t o t a l a v a ila b le c o n n e c t io n ( s ) M A IN : n e tv /o r k s t a r t e d M A IN : R S A k e y s in it ia liz e d M A IN : lo a d in g s e c u r ity f i l t e r s . . . M A IN : lo a d e d f i l t e r " g r a n t . d l l " ( a llo w s a ll c o n n e c tio n s w ith in M A IN : lo a d e d f i l t e r " b l o c k . d l l " ( d e n ie s al I c o n n e c tio n s w ith ir M A IN : d o n e , t o t a l 2 f i l t e r ( s ) lo a d e d M A IN : u s in g t r a n s f e r e n c o d i n g : P r im e S c r a m b le r 6 4 / S e v e n T e g r a n t . d l l: f ilt e r s c o n e c tio n s b lo c k . d ll: f ilt e r s c o n e c tio n s !L IS T E N E R : lis t e n in g a t C.C.0.C:sT|
T o m a k e a d a ta tu n n e l
th ro u g h th e p a s s w o rd p ro te c te d p ro x y , s o w e c a n m a p e x te rn a l w e b s ite to lo c a l p o rt, a n d fe d e ra te th e s e a rc h re s u lt.
z]
S ta tis tic s
( Application log
O p t io n s
S e c u r ity | S e n d a G ift
F IG U R E 14.12 H T T H o s t A p p lic a tio n lo g se ctio n
2 8 . N o w s w it c h t o d ie
h o s t m a c h in e a n d t u r n
ON
d ie
W indow s F irew all

2 9 . G o t o W in d o w s F ir e w a ll w it h
A dvanced S e cu rity
3 0 . S e le c t
O utbound rules f r o m d i e l e f t p a n e o N ew Rule i n d i e r i g h t p a n e o f d i e w i n d o w .

View Help
f d ie w in d o w , a n d d ie n c lic k
Windows Firewall v/ith Advanced Security

Fie Action
-: -
W in d o w sF i r c w . 5 1 1 w ithA d v ! Q In b o u n dR u in
Outbound Rules |
Outbound Ruin Name Group BranchCache- Content Retr... BranchCache - Hosted Cech BranchCache - Hosted C ad i. BranchCache - PeerOtscove... Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Profile Al Al Al Al Al Al Al Deane! Domain Dcm51 Al Al Al Al Al Al Al Al Al Al Al Al Al Al tnatfed A No No No No Vet Yes rei Ves Yes Yes Yes Yes Ves Ves Yes Ves Yec Ves Ves Ves Ves Vet Yes Vet O utbound Rule* New Rule...
V Filter by Profile
^ Monitoring
B'anchCache Content Rt1 ival (HTTP.O... C o n n e c tio nS e c u r ityR u BranchC ache Horted Ca<t* Cbent IHTT... BranchCache Hosted Cache Seve1(HTTP. BranchC ache Peer Dncovery (WSDOut) C o e Networking DNS <U0P-0ut) Core Networking- D > 1 v> m -e Config... Core Networking Dynamic Host Config... CoreNetworkng Grcup Policy (ISA5S~ Core Networking - 5cup Poky (NP-Out) CoreNetworkeig - Group Policy CTCP-O-. Core Networking - Internet Group Mana...
Filter by State
7 F ilte rb yG r o u p
View O Refresh Export List... Q Help
T ools d em o nstrate d in th is lab are ava ila b le in D:\CEHTools\CEHv 8 M odule 03 Scanning N e tw o rks
Core Networking IPHT7PS (TCP-Out] Core Networking- IP v ffM C u l) Core Networkng Mulbcost listener Do-. Core Networking - Mulocast Listener Qu~ Core Network*!g -Mufceost listener Rep~ Core Networking Mutecjst Listener Rep... Core Networking - Neighbor Dncovery A... Core Networking Core Networking *fc1 (joo Ceccvery S... Core Networking Core Networkrig Packet loo Big (ICMP-. Core Networking Core Networking Par3meterProblem (1- Core Networking Core Networking - ficutet Advertnement... Care Networking Core Networking - P.cuur Soictaeon (1C.. Core Networking Core Networkng - Itird o iLOP-Outl Core Networking
" i
r" .......
v'
F IG U R E 14.13: W in d o w 's F ire w a ll w ith A d v a n c e d S e c u n ty w in d o w in W in d o w s S e rv e r 2008
3 1 . 111 d i e
N ew Outbound Rule W izard, N ext
s e le c t d i e
Port
o p t io n in d ie
Rule Type
s e c tio n a n d c lic k
New O utb o u n d Rule Wizard

p R u le T y p e Select the type cf firewall rule to create Steps. j Rule Type What :ype d rue wodd you like to create?
w Protocol and Ports Action Profle flame O Program Rde Bidt controls connections for a program. >Port | RJe W controls connexions for a TCP or UDP W . O Predefined: | BranrhCacne - Content Retrieval (Ueee HTTP) RUe t a controls connections for a Windows experience O Custom Cu3tomrJe v 1
S Tools d em o nstrate d in th is lab are ava ila b le in Z:\ Mapped N e tw o rk D rive in V irtu a l M achines
< Beck
Next >
11
Cancel
F IG U R E 14.14: W in d o w s F ire w a ll se lectin g a R u le T y p e
32. N o w
s e le c t
All re m o te ports
in
d ie
P rotocol and Ports
s e c tio n , a n d c lic k
N ext
New Outbound Rule Wizard P ro to co l and Porta
Specify the protocols and ports to which ths r ie apofes
Steps
+ Ru 'yp
D o e st * sr u l ea o p f / t oTCPo rUDP?
< !> TCP
4P r c t o c o la n dP o r t s
4
Acaor
OU D P
Does tnis nie aoply tc all remote ports or specific renote port*9
!? m o te p o d s
4P r o f i l e
4
Q H T T P o r t d o e s n 't r e a lly Name
c a re f o r th e p ro x y as s u c h , i t w o rk s p e r fe c tly w ith fire w a lls , tra n s p a re n t a c c e le ra to rs , N A T s a n d b a s ic a lly a n y th in g th a t le ts H T T P p r o to c o l th ro u g h .
O Specific re m o tep o rts :

Example 80.443.5000-5010
< E a c x
Ned >
Cancel
F IG U R E 14.15: W in d o w s F ire w a ll assig n in g P ro to c o ls an d P o rts
3 3 . 111 d i e
A c tio n
s e c t i o n , s e le c t
d ie
B lo ck th e c o n n e c tio n '
o p t io n a n d c lic k
N ext
New O utbound Rule Wizard
Action Q Youn eedtoinstall h tth o st onaPC, w hois g en erally accessib leonth eInternet typicallyyour "hom e" PC. This m e a n s th at if yon sta rte da W eb server o n th eh o m e PC, everyo n ee lsem u st b ea b leto co nnect toit. There aretw o sh o w sto p p ers for h tth ost o n h o m ePCs
Specify the acton to be taken when connect!:>n notches the condticno specified in the n ie .
Steps:
4
HUe Type
Protocol and Porta
What acbon ohodd b taken whon a connexion match08 tho opochod conoticno7
4 Action
OA lowttv co n n ectio n
Tho nclxJes cornoctiona that 0 piotectod wth IPaoc 09 wel cs t103c otc not.
4
4
Profile Name
OA lowItic cwviediui If M Is secuie

Ths ncbdes only conredions that have been authent1:ated by usng IPsec. Comecticns wil be secued using the settngs in IPsec pop5rtes and nJes r the Correction Security RuteTode.
' )
H o c k th e c o n n e c tio n
F IG U R E 14.16: Windows Firewall setting an Action 3 4 . 111 d i e
P rofile s e c t i o n , Domain, Public. P rivate
s e le c t
a ll
th re e
o p tio n s .
The
r u le
w ill
a p p ly
to :
a n d d ie n c lic k
N ext
*
Q N A T /firew all issues: You need to enable an inco m in g p ort. For H TThost it w ill ty p ic a lly be 8 0(h ttp ) or 44 3(https), but any po rt can be used - IF the HTTP p ro xy a t w o rk sup p orts it som e proxys are c o nfig ured to a llo w o n ly 80 and 443.
New O utb o u n d Rule Wizard
Profile
Specify the prof les for which this rule applies
Skin
* Ru*Typ#
When does # rule apply7
4 3r c t o c o la n cP o r t s
# *cbor
3rcfile
171 Daman Vpfces *I en a computer is connected to Is corporate doman.
0 Private
3ppies wt en a computer is connected to a pivate oetwak bcabcn. such as a home orworcpi ce
B Public
Vp* c3
0 a ccmputcr io cconcctcd to a pjblc nctwoiK kcooon
c Eacx
Next >
Cancel
F IG U R E 14.17: W in d o w s F ire w a ll P ro file setting s
ZZy Tools d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks
35. T y p e
P ort 21 B locked
i n d ie
Nam e
fie ld , a n d c lic k
Finish
New O utbound Rule Wizard N am e S 06dfy the rams and desorption of this lie.
None
|?or. 2 ' B b d c e J Desaiption (optional):
3 T h e d e fa u lt T C P p o r t fo r F T P c o n n e c tio n is p o r t 2 1. S o m e tim e s th e lo c a l In te r n e t S e rv ic e P r o v id e r b lo c k s th is p o r t a n d th is w ill re s u lt in F T P
< Back
Finish
Cancel
CW<EAfl*1MaW&al Page 231
E th ic a l H ackin g and Counterm easures Copyright C by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
F IG U R E 14.18: W in d o w s F ire w a ll assig n in g a n am e to P o e t
3 6 . T h e n e w m le
Port 21 B locked
is c r e a t e d a s s h o w n i n d i e f o l l o w i n g f i g u r e .
Windows Firewall with Advanced Security

Fie Action View Hdp
1-1 1 * :
Windows Firewall with Adv; C nfcound Rules Na C Outbound Rules [O^Port 2 1 Blocked Connection SecuntyRul BranchCache Content Rctrcvtl (HTTP-0.. BranchCache Content Retr.. t Monitoring ^ Branch(a 1he Hotted Cache Client (H it . Branch( at hr Hotted ( ach
^
Actions
Outbound Rules
A l :1 A l A l A l A l
Domain
New Rule...
V
V
Filter by Profit
Fliter by Stirte Filter by Group View
H T T P o r t d o e s n 't re a lly
c a re f o r th e p ro x y as su ch : i t w o rk s p e r fe c tly w ith fire w a lls , tra n s p a re n t a c c e le ra to rs , N A T s a n d b a s ic a lly a n y th in g th a t le ts th e H T T P p ro to c o l th ro u g h .
0 BianchCach* Hosted Cache $erv*1(HTTP... BranchCach HuiteJCach BranchCache Peer Cn<o.er/ //SD Cut) BranchCache Peer Discove.. Core Networking DNS(UDP-OutJ Core Networking C o ir Networking- Dynamic Hod Config.. Core Networking Core Networking -Dynamic Host Corvfig... Core Networking Core Networking -Group Pcfccy CLSASS-- Core Networking @PCore Netwoit'ing - Grcup PcEcy (fJP-Out) Core Networking - Group Poicy (TCP-O-. Core Networking Core Networking - internet Group Mana... Core Ndwwiing- lPHTTPS(TCP-OutJ Core Networking (Pw6-0ut) Core Networking Cote Networking Core Networking
Al
(Oj Refresh [a Export List...

Li Help
C o r eN e tw o r k in g
D o m a in
Domain
A l A l
Al
Po rt 2 1B lo ck e d
* Disable Rule
Core Networking Listener Do Core Networking Core Networking Muh < yt* listener O j. Core Networking Cote Networking -Mul!< aU Iktenet Rep. Core Networking Cor Networking Vuh cast .!s:nr Rep. Cor Networking Core Networking rfcignfccf Discovery A... Core Networking tmg Meaghbct Discoveiy 5 , Core Networking C or.1 NetmD1 C 016 Nstworking - Pe.ktlT v. Big K M P .. Core Networking - Parameter Protolem (I.. sement... Core Networking Router A<hert1 Core Networking -Router SoKckation (1C... CortNttwQiking Core Networking Core Networking Core Networking
A l A l A l A l
Al
4 c u t
Gfe Copy
X
( | U
Dlt Propeitie* Help
A l
Al
A l A l A l
F IG U R E 14.19: W in d o w s F ire w a ll N e w ru le
3 7 . R i g h t - c l i c k d i e n e w l y c r e a t e d r u l e a n d s e le c t
P roperties
*
File Action View Hdp
W indows Firewall w ith Advanced Security
!
I Actions
Name
O.P01t21 Blocked
g f Windows Firewall with Adv; f t inbound Rules O Outbound Rules
Group
Profie Disable Rale
Ervsl
Outbound Rules
New Rule... V V V Filter by Profile Filter by State Fliter by Group Vi*w jO! Refresh
C o n n e c tio nS e c u rityR u l X / M o n ito r in g
^BranchCache Content Retrieval (HTTP-O. Branc hCac he Cor BranchCache Hosted Cache Ciem(HTT.
BranchCache - Hos Cut Copy Delete Properties Hdp Dom*n Domn Domn Al Al Al Al Al Al Al Al Al Al Al Al Al Yet Ves Yes Yet Yes Yes Yes Yes Yes Yes Yes Yes Yb Yes YCS Yes
H T T P o r t th e n
in te rc e p ts th a t c o n n e c tio n a n d ru n s it th ro u g h a tu n n e l th ro u g h th e p ro x y .
BranchCache Hosted Cechc Saver(HTTP_ BranchCache Ho: BranchCache Peet Disccvay (WSD-Ckjt) BranchCache - Pee Core Networking Cote Networbng - Df5 (U0P-0ut) Core Networking D>rwm : Host Ccnfig. Lore Networking Core Networbng D>neo>c Most Config... Cote Networbng Group Policy (ISASS-... Core Networking Group Policy (NP-Out) Core Networbng Group PolKy(TCP-0. Core Networbng Internet Group kbiu.. Core Networbng IPHTTPS(TCP-0ut) Core Networbng -IPv6 (1 P$<XjtJ C oie Netwoibng -Mufticsst Listener Do... Core Networbng - Multicast Listener Qu...
Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking Core Networking
Export Litt... Help -
Port 21 Blocked
Disable Rule 4 c t
41 Copy X Delete Properties 0 Help
CoreNerwcrbng -MJbcsst Listener Rep... Core Networking Cote Netwoibng - Mulbcest Listener Rep... Core Networking Core Networbng - Neighbor Discovery A. Core Networking Core Networbng Neighbor Discovery S... Core Networking I^ C cie Netwoibng Packet Too Big (ICMP... Core Networking Cote Networbng Parameter Problem (1 Core Networking Core Networbng Reuter Atf^trtscment.- Core Networking Core Netwoibng * Rcotei Sol*tation (1C~ Core Networking
r ... n -.----- 11
the properties dialog box foi the tuner it ^leun
F IG U R E 14.20: W in d o w s F ire w a ll n e w ru le p ro p e rtie s
3 8 . S e le c t d i e
7 E n a b le s y o u to b yp a ss y o u r H T T P p ro x y in ca se it b lo c k s y o u fro m th e In te r n e t
P rotocols and P orts t a b . C h a n g e d i e R em ote Port S p e cific P orts a n d e n t e r d i e Port num ber a s 21 A pply
o p tio n to
3 9 . L e a v e d i e o t h e r s e t t in g s a s d i e i r d e f a u l t s a n d c l i c k
d ie n c lic k
OK.
Port 21 Blocked Properties

jerteral_________Pngams and Services
Protocolt and Fore FVwocob and po*s Prctocdtype: Prctocd runber | Scope | Advancec
*
Remote Conpjiefs
j Local Princpab
Loco port
All Potto
Exampb. 80. 443.5003-5010 Remote port
S p e c ifeP a ts [2 1
Example. 80. 443.5003-5010 I Custonizo.
htenet Gortnd Message Protocol (CMP)ting*: i W it h H T T P o r t , y o u c a n u se v a rio u s In te r n e t s o ftw a re fr o m b e h in d th e p ro x y , e .g ., e - m a il, in s ta n t m e sse n g e rs, P 2 P file sh a rin g , IC Q , N e w s , F T P , IR C e tc . T h e b a s ic id e a is th a t y o u se t u p y o u r In te r n e t s o ftw a re
F IG U R E 14.21: F ire w a ll P o r t 21 B lo c k e d P ro p e rtie s
40. T yp e
ftp ftp .c e rtifie d h a c k e r.c o m i n t h e c o m m a n d p r o m p t a n d p r e s s Enter. T h e c o n n e c t i o n i s b l o c k e d i n W indow s Server 2008 by fire w a ll
3 H T T P o r t d o e s n e ith e r fre e z e n o r h a n g . W h a t y o u a re e x p e rie n c in g is k n o w n as b lo c k in g o p e ra tio n s
F IG U R E 14.22: ftp c o n n e c tio n is b lo ck e d
4 1 . N o w o p e n d ie c o m m a n d p r o m p t m a c h in e a n d ty p e
0 11 d i e W indow s S erver 2012 h o s t
ftp 127.0.0.1
a n d p re s s
E nter
7 ^
H T T P o r t m a k e s it
p o s s ib le to o p e n a c lie n t sid e o f a T C P / IP c o n n e c tio n a n d p ro v id e it to a n y s o ftw a re . T h e k e y w o rd s h e re a re : "c lie n t " a n d "a n y s o ftw a re ".
F IG U R E 14.23: E x e c u tin g ftp co m m a n d
L a b
A n a ly s is
a d d re s s e s , o p e n p o r t s a n d r u n n in g a p p lic a tio n s , a n d p r o t o c o ls
D o c u m e n t a ll d i e I P
y o u d i s c o v e r e d d u r i n g d i e la b .
T o o l/U tility
In f o r m a tio n
P r o x y s e r v e r U s e d : 1 0 .0 .0 .4 H T T P o rt P o rt s c a n n e d : 80 R e s u lt: f t p 1 2 7 .0 .0 .1 c o n n e c t e d t o 1 2 7 .0 .0 .1
P L E A S E
T A L K
T O
Y O U R
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Q u e s t io n s
1. H o w d o y o u s e t u p a n H T T P o r t t o u s e a n e m a il c lie n t ( O u d o o k , M e s s e n g e r , e tc . ) ? 2. E x a m in e i f s o ft w a r e d o e s n o t a llo w e d it in g d ie a d d re s s t o c o n n e c t to .
In t e r n e t C o n n e c tio n 0 Y es S u p p o rte d
R e q u ir e d N o
P la tfo r m 0
C la s s r o o m
iL a b s
B asic N etw ork T roubleshooting Using M egaPing

MegaPing is an ultimate toolkit thatprovides complete essential utilitiesfor information system administrators a n d I T solutionproviders.
i con
/ / V a lu a b le in f o r m a t io n
k e y
L a b
S c e n a r io
t u n n e l i n g is a t e c h n i q u e w h e r e c a p tu re d u s in g th e H T T P
Y o u h a v e le a r n e d in th e p r e v io u s la b t h a t H T T P c o m m u n ic a tio n s w ith in n e tw o rk p r o t o c o ls a re
p r o t o c o l. F o r a n y c o m p a n ie s t o e x is t These w eb s e rv e rs p ro v e to be a
0 11 t h e I n t e r n e t , t h e y r e q u i r e a w e b s e r v e r .
h ig h d a ta v a lu e ta rg e t fo r a tta c k e rs . The a n d g a in s c o m m a n d l i n e e s ta b lis h e d , th e a tta c k e r th e lits
a tt a c k e r u s u a lly e x p lo it s d ie W W W access to th e s y s te m . O nce a
s e rv e r r u n n in g IIS has been
c o n n e c tio n
u p lo a d s a p r e c o m p ile d
v e r s io n o f th e
H T T P
t u n n e l s e r v e r ( lits ) . W i t h
s e r v e r s e t u p th e a tta c k e r th e n s ta rts a c lie n t tr a ffic lis te n s to th e SRC p o r t o f th e s y s te m
0 11 h is o r h e r s y s te m a n d d ir e c ts its
th e lit s s e rv e r. T h is tr a ffic . The lits lits p ro c e s s p ro c e s s
r u n n in g and
0 11 p o r t 8 0 o f t h e h o s t W W W
H T T P
r e d ir e c ts
c a p tu re s th e t r a f f ic in
h e a d e rs a n d fo rw a rd s it to
th e W W W
s e rv e r p o r t
8 0 , a f t e r w h i c h t h e a t t a c k e r t r ie s t o l o g i n t o t h e s y s t e m ; o n c e a c c e s s is g a in e d h e o r s h e s e ts u p a d d i t i o n a l t o o l s t o f u r t h e r e x p l o i t t h e n e t w o r k . M e g a P in g s e c u r ity s c a n n e r c h e c k s y o u r n e t w o r k f o r p o t e n t ia l v u ln e r a b ilit ie s t h a t m ig h t b e u s e d t o a tt a c k y o u r n e t w o r k , a n d s a v e s in f o r m a t io n i n s e c u r ity r e p o r t s .
1 1 1 th is
la b
you
w ill
le a r n
to
use
M e g a P in g
to
check
fo r
v u ln e r a b ilit ie s
and
t r o u b l e s h o o t is s u e s .
L a b
O b je c t iv e s
T h is la b g iv e s a n i n s ig h t i n t o p i n g in g t o a d e s t in a t io n a d d r e s s lis t . I t te a c h e s h o w to : P in g a d e s tin a tio n a d d re s s lis t T ra c e ro u te P e rfo rm N e tB IO S s c a n n in g
L a b
T o c a n y o u t d ie la b , y o u n e e d : M e g a P in g is lo c a t e d a t
C D Tools
D:\CEH-Tools\CEHv 8 M odule 03 S canning N e tw o rk s \S c a n n in g T ools\M egaP in g M egaping

fro m th e lin k
d em o nstrate d in th is lab are a va ila b le in D:\CEH Tools\CEHv 8 M odule 03 S canning N e tw o rks
Y o u c a n a ls o d o w n l o a d t h e la t e s t v e r s io n o f h ttp : / / w w w .m a g n e to s o ft.c o m /
I f y o u d e c id e t o d o w n l o a d t h e i n th e la b m ig h t d if f e r
la te s t ve rs io n ,
th e n s c re e n s h o ts s h o w n
A d m in is t r a t iv e p r iv ile g e s t o r u n t o o ls s e t t i n g s c o r r e c d y c o n f i g u r e d a n d a n a c c e s s ib l e D N S la b e n v ir o n m e n t , o n s e rv e r
TCP/IP
T h is la b w i l l w o r k i n th e C E H
W in d o w s S e rve r
P IN G
sta n d s fo r
2012, W in d o w s 2008,
and
W in d o w s 7
P a c k e t In te r n e t G ro p e r.
O v e r v ie w
o f P in g
T h e p in g c o m m a n d s e n d s p a c k e ts t o d ie
In te rn e t C ontrol M essage P rotocol (ICMP)

fo r an
e c h o re q u e s t d iis re q u e s t-
ta r g e t h o s t a n d w a its
ICMP response.
D u r in g
re s p o n s e p ro c e s s , p in g m e a s u re s d ie tim e f r o m d ie
tr a n s m is s io n t o r e c e p tio n , k n o w n as
round-trip tim e ,
T a s k s
L a u n c h th e
a n d r e c o r d s a n y lo s s p a c k e ts .
L a b TASK 1
1.
S ta rt
m e n u b y h o v e r in g d ie m o u s e c u r s o r o n th e lo w e r - le ft
IP Scanning
2.
C lic k d ie
M egaPing
MegaPing
w in d o w .
3.
TQ i^M e g aP ing ma!1^ n n d o w ^ ^ h o ^ M 1^ h ^ b l l o \ n n ^ 1 g u 1^ ^ ^

55
File View Tools Hdp
MegaPing (Unregistered)
'
Q Fngcr 1 S Network Time

gg Ping
C Q A ll S c a n n e rs c a n sca n in d iv id u a l c o m p u te rs , a n y ra n g e o f I P ad d re sse s, d o m a in s , a n d se le c te d ty p e o f c o m p u te rs in s id e d o m a in s ^
g g Traceroute
DNS Lookup Name
&DNSLidrtosfe
Who 1 1 Network R#toufc#t
< < >Process Info Systam Info IP Scanner $ NetBIOS Scanner '4 ? Share Scanner ^ Security Scanner -J? Port Scanner Jit Host Monitor
*S Lbt Ho>ts
F ig u r e 15.3: M e g a P in g m a in w in d o w s
4.
S e c u r ity s c a n n e r p ro v id e s th e fo llo w in g in fo rm a tio n : N e t B IO S n a m e s, C o n fig u ra tio n in fo , o p e n T C P a n d U D P p o rts , T ra n s p o rts , S h a re s , U s e rs , G r o u p s , S e rv ic e s , D r iv e r s , L o c a l D r iv e s , S e s s io n s , R e m o te T im e o f D a te , P r in te r s
S e le c t a n y o n e o f d ie S e le c t
o p tio n s
fro m
d ie le f t p a n e o f d ie w in d o w . fie ld ; i n
5.
IP s c a n n e r,
a n d ty p e in th e
t h is la b t h e I P r a n g e is f r o m
IP range i n d i e From a n d To 1 0 . 0 . 0 .1 t o 10.0.0.254. C l i c k S ta rt
6.
Y o u c a n s e le c t t h e
IP range
d e p e n d in g o n y o u r n e t w o r k .
fs r
File V*/ Took Help
^ 3^>
^<
_
^ e g
DNS List !U X .Hosts IWU
r a
P - 1 'S W W
* t DNS Lookup Name ^ Finger Network Time 8a 8 Ping iraccroutc ^ Whois Network Resources <> Process Info ^ System Info
t
I3 Scanner
Select I Scam I | 10
IP Sconncr SKtngj
10
254 | 1
SM
*iiaui.111
NetBIOS Scanner
Y* Share Scanner
j & Security Scanncr ^ Port Scanner

^ Host Monitor
F IG U R E 15.4: M e g a P in g I P S c a n n in g
I t w i l l lis t d o w n a ll th e ( T im e t o L iv e ) , a n d a liv e h o s ts .
IP a d d re sse s
u n d e r d ia t ra n g e w it h th e ir
TTL
S ta tu s
(d e a d o r a liv e ) , a n d d ie
s ta tis tic s
o f th e d e a d
Pie CD N e t w o r k u t ilit ie s : D N S lis t h o s t, D N S lo o k u p n a m e , N e tw o r k T im e S y n c h ro n i2 e r, P in g , T ra c e ro u te , W h o is , a n d F in g e r. View Tools Help
11 g
Q
a Finger
ft A < >
IP5innw
i , DN: List Hosts ,p, DNS Lookup Name Network Time Traceroute HVhols 1 5 Network Resources % rocess Info ^ System Info NetBIOS Scanner
y * Share Scanner
IP Scanner Setect. |R5rg
IP Scanner Satnge
i t Ping
10 . 0
0 . 1
10
254 I
Start
F S ca re Status: ZoTDCTCC 25^ accroco33 m 15 8 C C S 3 A tte s t .=1 10.0.0.1 Name 1a0.04 iao.o.6 1ao.o.7 Tme 0 1 0 0 TTL 54 Statj* Afivc
o l Show MAC
A d d r e s s e s
H o s t sS t a t s
To!d. 254 Active 4 Faicd: 250
Security Sconner
g g
^
128 A kvt 128 A ive 128 Afcve D e lDest.. D tDest Det._ Dest Dest._ Rcpon
l. Jj? Port Scanner
JSi Host Monitor
1a0.0.10 j q 10.0.0.100 1CL0.0.I0I 10.0.0.102 iclo .o.io j 1a0.0.105
j l 10.0.0.1m
F IG U R E 15.5: M e g a P in g I P S c a n n in g R e p o r t
T A S K
8.
NetBIOS Scanning
NetB IO S S c a n n e r f r o m t h e l e f t p a n e a n d t y p e i n t h e I P r a n g e i n t h e From a n d To f i e l d s . 111 t h i s l a b , t h e IP ra n g e is f r o m 10.0.0.1 t o 1 0.0.0 .2 54 C l i c k S ta rt

S e le c t th e
W
File
rP- A J* | DNS List Hosts
f/egaPing (Unregistered)
View Tools Hdp
T IP I
,5 , DNS Lookup Name M egaPing can scan yo u r e n tire n e tw o rk and provide in fo rm a tio n such as open shared resources, open ports, se rvice s/drivers a c tiv e on th e co m p u te r, key re g is try en trie s, users and groups, tru s te d dom ains, p rin te rs, and more.
9.
g Finger
N c G C S Ssonrcr
Network Time
Traceroute
t S P1n9 Whols
Network Resource < $ > Process Info System Info ^ IP Scanncr
i! \
Share Scanner ^ ^ Security Scanner Port Scanner Host Monitor
NetBIOS Scanner
F IG U R E 15.6: M e g a P in g N e t B IO S S c a n n in g
The
N etB IO S s c a n w a d a p te r a d d re sse s
i l l lis t a ll th e h o s ts w i t h t h e ir
N etB IO S nam es
and
Me
V tf A
Tori?
Help
JL JL 4S & * 88 8&
& Scan results can be saved in HTML or TXT reports, w h ic h can be used to secure your n e tw o rk fo r exam ple, by s h u ttin g dow n unnecessary ports, clo sin g shares, etc.
JJ, D N SL is tH o s ts j!LD N SL o o k u pN a m QF in g e r !3 1N e tw o rkT im e

t i p,n9
g*3 Traceroute ^ Whole - O Network Resources % Process Info J ^ System Info ^ IP Scanner
&
^
KBIT$ Scarrer
N et90$ Scanrer
M e nBIOS Scarrra
|Rerg5 NstEtOS Scanner aJatLS
] |1 0. 0 . 0 . 1 |
10
0 . 0 .254
Stop
Z o ro e e cQuemg NetBOS Names on

Name STctus WIN-ULY833KHQ.. A l* 3 00 15-5D 00-07 . . Microsoft WORKGROUP ADMIN PC 6 Alive M<T0?cfr
E x p a r d
1Names
Expand
$m ggnn1
4 jp Share Scanner Security Scanner
/ y Port Scanner
100.0.4 2 ) NetBIOS Names
Summary
W gf Adopter Address
A cmam
Sots Told. 131 Actvc 3
2 ( Host M unitur
iac.0.6
fr] NetBIOS Nome:
W B Adapter Addre
4^ Domain 100.0.7
0 0 1 5 5 0 0 0 0 7 ..
=a!od 123
WORKGROUP WIN-D39MRSHL.. A lv# 3 D4-BE-D9-C3-CE..

Report
j | ] NetBIOS Names X f Adapter Address
NetBIOS Scanner
F IG U R E 15.7: M e g a P in g N e t B IO S S c a n n in g R e p o r t
10. R ig h t- c lic k th e I P
a d d r e s s . 111 t h i s l a b , t h e s e l e c t e d I P i s 1 0 . 0 . 0 . 4 ; i t w i l l
b e d iffe r e n t in y o u r n e tw o r k . 5
TAs K 3 T ra ce ro u te
1 1 . T h e n , r i g h t - c l i c k a n d s e le c t t h e
T ra c e ro u te
o p tio n .
v
File View Tools Hdp ^ O th e r fe a tu re s in c lu d e g 3 DNS List Hosts Finger Network Time $
; j , DNS Lookup Name
NetBICS Scarre
m u ltith re a d e d d e s ig n th a t a llo w s to p ro c e s s a n y n u m b e r o f re q u e s ts in a n y to o l a t th e sam e tim e , realtim e n e tw o rk c o n n e c tio n s s ta tu s a n d p ro to c o ls s ta tis tic s , re a l- tim e p ro c e s s in fo r m a tio n a n d u sag e, re a l- tim e n e tw o rk in fo rm a tio n , in c lu d in g n e tw o r k c o n n e c tio n s , a n d o p e n n e tw o rk file s , syste m tr a y s u p p o rt, a n d m o re
M *3 0 S Scarner Soeci: Range NetElOS S eine r

Satus
NetBIOS Scanner S9<tngs Rom: v | 10 0 0 0 254 Start
t* Pin9 A Traceroute 4 $ Whois Network Resources ^ Process Info System Info
Carotored ? M addresses m M secs
^ IP Scanner J ^ NetBIOS Scanner Share Scanner Security Scanner
_______ B 0 B
* D NetBIOS f AdapeerA A Comain - j j 10.0.0.5 i - J | NetBIOS S ? Adopter A ^ Comain B A 10.0.0.7 NetBIGS
Names Nome Export To File Merge Hosts Open Share View Hotfix Detab Apply Hot Fixes Copy selected item Copy selected row Copy all result; Save As
3 0 ( jj
b ?Summary
Hoete Slate Total: 254 Active 3 Failed251
Dcpand
Port Scanner
g l Host Monitor
3 Adopter A
Traceroute
Tnccroutcs the selection
F IG U R E 15.8: M e g a P in g T ra c e ro u te
1 2 . I t w i l l o p e n th e s e le c t e d .
T ra c e ro u te
w in d o w , a n d w i l l tra c e d ie I P
a d d re s s
Fie Viea Tools Help
S. JL 4$ 1 5 1* 8 8
Jj, DNS List Ho>b J!L DNS Lookup Nam Tracerout*
& T ools d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks
| J Finger i l l Network Time
** D e s tr e b o n : 1 0 5 0 .4
Ztestrawn \Jdrcs5 Jst
aa T r a c e r o u teS e tth o t
Resolve I4ans
^ -O
Whois Network Resources Process Info System Info
IP Scanner NetBIOS Scanner Security Scanner
Select A l
Add Ddctc
*jp Share Scannei > y Port Scanner hoo 9 > 91 1 m A ' * 4 1 1 Time 0 Name Dstafc WIN-ULY8S8KHUIP [1_ Complete. 10.0.0.4 ADMIN PC [10.0.0.6] 10.0.0.6 <73/1210t44tf Complete. 08/23/12 IQ4SJ1 Repoit |
jtA Hot Monitor
F IG U R E 15.9: M e g a P in g T ra c e ro u te R e p o r t
TAs K 4
1 3 . S e le c t P o r t S c a n n e r f r o m
d ie l e f t p a n e a n d a d d th e
P ort Scanning
w w w .c e rtifie d h a c k e r.c o m 111 c l i c k t h e S ta rt b u t t o n .

14. A f t e r c lic k in g th e
D e s tin a tio n A d d re ss L is t
a n d th e n
S ta rt
b u t t o n i t to g g le s t o
S top
1 5 . I t w i l l lis t s t h e p o r t s a s s o c ia t e d w i t h w w w . c e r t i f i e d l 1 a c k e r . c o m w i t h d ie k e y w o r d , r is k , a n d p o r t n u m b e r .
File View Tools Help &
A A G J 8s 8s <5 J ' b -jj, DNS List Hosts ,5, DNS Lookup Name
^ Finger
&
G O
J!
^ AotScamcr jftjf F01 Sc*1r* PrttowlB Scan Type TCP an: UCP A/!h1S Pab
m m < V**tv30fl< n
M e g a P in g s e c u rity sc a n n e r c h e c k s y o u r n e tw o rk fo r p o te n tia l v u ln e ra b ilitie s th a t m ig h t u se to a tta c k y o u r n e tw o rk , a n d s a v e s in fo rm a tio n in s e c u rity re p o rts
54 Network Time f t Ping

g g Traceroute
^ Whois
Network Resources
-^ P ick m Info
1 1
S 1 0 0
Desindo^ A i^nt U a >
System Into
U IP Scnn< ' f f NetBIOS Sc *nnei
S * t* dA l w !* |
2o r*
Share Seanner 4P ScjntyScanner
Jjf
5 Monitor J f) , H0 =S 3 Ce2 fc
T > o e
Keyword
De a ctor
Scanning(51 %) 99 Sccon ds Remain g File Transfer [Control] TCP ftp TCP www-http World V.'1 de Web HTTP
UDP tcpmux TCP Port Servkc MultL. JOP compress.. Management Utility compten . CompreiMoo Proem
81
R*
,y 1 .* 2
.y ! .*5
j * '
UDP JOP JOP UOP
rje echo ditcntd
Remote Job Entr> Echo Discard
Eksatcd Elevated Ele.xed L < * m Law Low Low Law
F IG U R E 15.10 : M e g a P iiig P o r t S c a n n in g R e p o r t
L a b
A n a ly s is
D o c u m e n t a ll d ie I P a d d re s s e s , o p e n p o r t s a n d r u n n i n g a p p lic a t io n s , a n d p r o t o c o ls y o u d i s c o v e r e d d u r i n g d i e la b .
T o o l/U tility
In f o r m a tio n IP
C o lle c t e d / O b je c t iv e s A c h ie v e d 1 0 .0 .0 .1 1 0 .0 .0 . 2 5 4
S can R ange:
P e r fo r m e d A c tio n s : M e g a P in g R e s u lt: L is t o f A c tiv e H o s t N e tB io s N a m e A d a p te r N a m e P o r t S c a n n in g I P S c a n n in g N e tB IO S S c a n n in g
T ra c e ro u te
P L E A S E
T A L K
T O
Y O U R
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Q u e s t io n s
1. 2. H o w d o e s M e g a P in g d e te c t s e c u r it y v u ln e r a b ilit ie s o n d ie n e t w o r k ? E x a m in e t h e r e p o r t g e n e r a t io n o f M e g a P in g .
In t e r n e t C o n n e c tio n R e q u ir e d Y es S u p p o rte d 0 iL a b s 0 N o
P la tfo r m 0
C la s s r o o m
L ab
D e te c t, D elete a n d B lock G oogle C o o k ies U sing G -Z apper

G-Zapper is a utility to block Goog/e cookies, dean Google cookies, a n d help yon stay anonymous while searching online. I CON
V a lu a b le in f o r m a t io n
KEY
L a b
Y o u your
S c e n a r io
have le a r n e d fo r in d ie p r e v io u s la b d ia t M e g a P in g th a t m ig h t s e c u r ity be used It scanner checks to a tta c k your
n e tw o rk and
p o t e n t ia l v u ln e r a b ilit ie s in fo r m a t io n in
n e tw o rk ,
saves
s e c u r ity
re p o rts .
p r o v id e s
d e ta ile d
in fo r m a t io n
a b o u t a ll c o m p u t e r s
a n d n e tw o rk
a p p lia n c e s . I t
s c a n s y o u r e n tir e
m .
n e t w o r k a n d p r o v id e s in f o r m a t io n s e r v ic e s / d r iv e r s a c tiv e
s u c h as o p e n
s h a re d re s o u rc e s , o p e n p o rts ,
0 11 t h e c o m p u t e r , k e y r e g i s t r y e n t r i e s , u s e r s a n d g r o u p s ,
S can r e s u lts can be saved in H T M L o r T X T
tru s te d
d o m a in s , p r in t e r s , e tc .
re p o r ts , w h ic h c a n b e u s e d t o s e c u re y o u r n e tw o r k . A s an a d m in is tr a to r , p o rts , you can o r g a n iz e to s a fe ty b lo c k m e a s u re s a tta c k e rs by fro m s h u ttin g dow n th e
u n n e c e s s a ry
c lo s in g
s h a re s , e tc .
in tr u d in g
n e t w o r k . A s a n o th e r a s p e c t o f p r e v e n t io n y o u c a n u s e G - Z a p p e r , w h ic h b lo c k s G o o g le c o o k ie s , c le a n s G o o g le c o o k ie s , a n d h e lp s y o u s ta y a n o n y m o u s w h ile
s e a r c h in g o n lin e . T h is w a y y o u c a n p r o t e c t y o u r id e n t i t y a n d s e a rc h h is t o r y .
L a b
O b je c t iv e s
T h is la b e x p la in h o w G - Z a p p e r a u t o m a t ic a lly c o o k ie e a c h t im e y o u u s e y o u r w e b b r o w s e r .
d e te c ts
and
c le a n s
th e G o o g le
L a b
T o c a r r y o u t th e la b , y o u n e e d :
G - Z a p p e r is lo c a t e d a t
S Tools dem onstrate d in th is lab are available in D:\CEHTools\CEHv 8 M odule 03 Scanning N etw orks
D:\CEH-Tools\CEHv 8 M odule 03 S canning N e tw o rk s \A n o n ym ize rs\G -Z a p p e r GZ a p p e r

fro m th e lin k
Y o u c a n a ls o d o w n l o a d d i e la t e s t v e r s io n o f lit t p : / / w w w . d u m m y s o ftw a re .c o m / I f y o u d e c id e t o d o w n l o a d t h e i n th e la b m ig h t d i f f e r In s ta ll
la te s t v e rs io n ,
th e n s c re e n s h o ts s h o w n
G -Z apper
in W in d o w s S e r v e r 2 0 1 2 b y f o llo w in g w iz a r d d r iv e n
in s t a lla t io n s te p s A d m in is t r a t iv e p r iv ile g e s t o r u n t o o ls A c o m p u te r r u n n in g
W in d o w s S e rv e r 2012
L a b
D u r a t io n
O v e r v ie w
o f G - Z a p p e r
G - Z a p p e r h e lp s p r o t e c t y o u r i d e n t i t y a n d s e a r c h h is t o r y . G - Z a p p e r w i l l r e a d d i e
lo n g
Google co o k ie i n s t a l l e d o n y o u r searches h a v e
you to
y o u r P C , d is p la y d ie d a te i t w a s in s t a lle d , d e t e r m in e h o w been
tra cke d ,
and
d isp la y
y o u r G o o g le
s e a rc h e s . G s e a rc h
Z a p p e r a llo w s c o o k ie f r o m
a u to m a tic a lly
de le te
o r e n tir e ly
b lo c k
d ie
G o o g le
f u t u r e in s t a lla t io n .
L a b
S
T a s k s
L a u n c h th e
t ask
1.
S ta rt
m e n u b y h o v e r in g d ie m o u s e c u r s o r o n th e lo w e r - le f t
D e te ct & D elete Google Cookies
c o m e r o f t h e d e s k t o p . _____________________________________________________
! 3 Windows Serve! 2012

* ttcua Stfwr JOtJ ReleaseCmadtte Oatacert* ftabslanuwy. 1uMM>:
2.
C lic k d ie
G-Zapper a p p
t o o p e n d ie
GZ apper
w in d o w .
S ta rt
Administrator
Server Manager
Wruiows PowerShel
6 0 0 9 * Chrome
#
HyperV Virtual Mtww
Wjpw-V t/druê-
fLm Computer
V
Control Pwl
Ancrym.. Surfog Tutonal
G-Zapper
1 1
SOL S e n a
G - Z a p p e r xs
*J
w
Command Prompt
Q
M v ii l.retox
c o m p a tib le w ith W in d o w s 9 5 ,9 8 , M E , N T , 2 0 0 0 , X P , V is ta , W in d o w s 7.
'-x-olglan
$
NetSca'iT... Pro Demo
5 1
Standard
Maw
r*
1 1
F IG U R E 162 : W in d o w s S e rv e r 2012 - A p p s
3.
The
G -Zapper
m a in w i n d o w w i l l a p p e a r a s s h o w n i n th e f o l l o w i n g
s c re e n s h o t.
G-Zapper TRIAL VERSION

W h a t is G -Zapper G-Zapper - Protecting y o u Se arch Privacy Did you know Google stores a unique identifier in a cookie on your PC , vrfich alo w s them to track the keywords you search fo r G-Zapper w i autom atically d etect and clean this cookie in your w eb browser. Ju s t run G-Zapper, m rw nee the w ndow , and en!oy your enhanced search privacy
2 ' I A Google Tracking ID oasts on your PC.

Your G oogle ID (Chrome) 6b4b4d9fe5c60cc1 Google n sta le d the co okie on W ednesday. Septem ber 05.2012 01 54 46 AM Your searches h ave been tracked for 13 hours
L J G - Z a p p e r h e lp s p ro te c t y o u r id e n tity a n d s e a rc h h is to ry . G - Z a p p e r w ill re a d th e G o o g le c o o k ie in s ta lle d o n y o u r P C , d is p la y th e d a te it w a s in s ta lle d , d e te rm in e h o w lo n g y o u r s e a rch e s h a v e b e e n tra c k e d , a n d d is p la y y o u r G o o g le se a rch e s
>| No Google searches found n Internet Explorer or Frefox
How to U se It
To delete the G oogle cookie, d c k the D elete Cookie button Your identity w i be obscured from previous searches and G-Zapper w i re g Ja rly d e an future cookies. T 0 restore the Google search cookie d ick the Restore Cookie button
htto //www dummvsoftwar e. com
D elete Cookie
Resto re Cookie
T est Google
Settings
Register
F IG U R E 16.3: G - Z a p p e r m a in w in d o w s
4.
T o d e le t e t h e G o o g le s e a r c h c o o k ie s , c l i c k t h e
D e le te C o o kie
b u tto n ; a
w i n d o w w i l l a p p e a r t h a t g iv e s i n f o r m a t i o n a b o u t t h e d e le t e d c o o k ie lo c a t io n . C lic k
OK
W h at is G-Zapper
G-Zapper - TRIAL VERSION
]j l F
G-Zapper Pro tectn g your S e arch Privacy
#
C ] A n e w c o o k ie w ill b e g e n e ra te d u p o n y o u r n e x t v is it to G o o g le , b re a k in g th e c h a in th a t re la te s y o u r se a rch e s. Howt
Did you know Google stores a unique identifier n a cookie on y o u P C , v*ch alo w s them 10 track the keywords you search for G-Zapper w i autom atically defect and d e an this co okie in your w eb browser. _.lm tJun_G 7an nftj the, w ndnw * in i ftninu.unui ^ n h ao cad joauacu_______ _______
GZapper
The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com The cookie was located a t (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite
OK
T 0 block and delete the G oogle search cookie, click the B lo ck Cookie button (Gm ail and A dsense w i be u n avaJab le with the cookie blocked)
http //www. dumm vsoftware com
Delete Cookie
Block Cookie
T e st Google
Settings
Register
F IG U R E 1 6 .4 : D e le tin g s e a rc h c o o k ie s
5.
T o b lo c k th e G o o g le s e a rc h c o o k ie , c lic k d ie
B lo c k c o o k ie
b u tto n . A
w i n d o w w i l l a p p e a r a s k in g i f y o u w a n t t o m a n u a lly b lo c k th e G o o g le c o o k ie . C l i c k
Yes
GZapper TRIAL VERSION '- m
W h a t is G -Zapper G-Zapper - Pro tectn g y o u Se arch Privacy
T he tin y tra y icon runs in th e background, ta k e s up very little space and can n o tify you by sound & a nim ate w hen th e Google c o o k ie is blocked.
How
Did you know - G oogle stores a unique identifier in a cookie on your P C . w hich alo w s them to track the keywords you search for. G-Zapper will autom atically d etect and d e an this cookie in y o u w eb browser.
p____ .L M
iijn fi- Z a n rre t m rnnnre the, w nrinw and pjiinu .unu..ftnhanrari sftatnh nrtvara_________ _______
Manually Blocking the Google Cookie

Gmail and other Google services will be unavailable while th e cookie is manually blocked. If you use these services, we recom m end not blocking the cookie and instead allow G-Zapper to regularly clean th e cookie automatically. Are you sure you wish to manually block the Google cookie?
Yes
T 0 block and delete the Google search cookie, click the Blo ck Cookie bU ton (Gm ail and A dsense w l be unavaiaW e with the cookie blocked)
No
http //www dummvsoftware, com
Delete Cookie
Block Cookie
T est Google
Settings
Register
F IG U R E 1 6 .5 : B lo c k G o o g le c o o k ie
6.
I t w i l l s h o w a m e s s a g e d i a t th e G o o g le c o o k ie h a s b e e n b lo c k e d . T o v e r if y , c lic k
OK
E th ic a l H ackin g and Counterm easures Copyright O by EC-Coundl A ll Rights Reserved. Reproduction is Strictly Prohibited
GZapper -TRIAL VERSION

W h a t is G-Zapper G-Zappef - Protechng your Se arch Privacy Did you know G oogle stores a unique kfentifiet in a cookie on your P C . w hich alo w s them to track the keywords you search for G-Zapper will autom atically d etect and d e a n this cookie n y o u w eb browser. Ju s t run G-Zapper, mmmize the w rxlo w , and enjoy your enhanced search privacy
1 ^ 0
GZapper
The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to verify.
H ow t
OK
Your identity will be obscured from previous searches and G-Zapper w i regularly clean M u re cookies
T0 restore the Google search cookie c lc k the Restore Cookie button
& G-Zapper can also cle an your Google search h is to ry in In te rn e t E xplo re r and M ozilla Firefox. It's fa r to o easy fo r som eone using your PC to g e t a glim p se o f w h a t you've been searching for.
http //www dum m vsoltware com
Delete Cookie
R e s t o r eC o o k i e
Test Google
Settings
R e g i s t e r
F IG U R E 16.6: B lo c k G o o g le c o o k ie (2 )
7.
T o te s t th e G o o g le c o o k ie t h a t h a s b e e n b lo c k e d , c lic k th e b u tto n .
T e s t G oogle
8.
Y o iu d e fa u lt w e b b r o w s e r w ill n o w o p e n t o G o o g le s P re fe re n c e s p a g e . C lic k
OK.
AA
goog... P - 2 (5 [ 0 ?references
Sign in
You Search Images Maps Play YouTube News Gmal More
Google
Preferences
Goflflls Account 5tt303 Piefeiences Help I About Google Save Preferences
Save your preference* when finished and !*turn to iw r c h
Global Preferences (changoc apply to al Googio sorvtcos)
Your cookies seem fo be disabled.

Setting p referen ces will not w o rk until you enable co o kies in y ou r browser.
BaHiflafcfllttg
Interface Language Display Googio Tips and messages in: Engiisn If you do not find your native language in the pulldown above you can help Google create it through our Google in Your I anfliiage program
Search I anguag*
P iefei pages m itten in the*e language(*)
Afrikaans
b English
I~ Estonian
U Indonesian L I Setblan
A r a b i c
D Armenian
L .E s p e r a n t oU I t a l i a n
F I Japanese
S l o v a k
0 Slovenian
Belarusian U Bulgarian
C Ftipino L Finnish
Koiean U Latvian
G Spanish L I Swahi
F IG U R E 16.7: C o o k ie s d is a b le d m a ssag e
9.
T o v i e w th e d e le t e d c o o k ie i n f o r m a t io n , c lic k d ie c lic k
S e ttin g
b u tto n , a n d
V ie w Log
i n t h e c le a n e d c o o k ie s l o g .
G-Zapper - TRIAL VERSION

W h a t is G -Zapper
- m
G-Zapper Settings
Sounds f* R a y sound effect w hen a cookie is deleted d efault w av
Preview
Browse
G oogle Analytics T iack rtg Q Y o u c a n s im p ly ru n

W
Blo ck Google Analytics fiom tia ck n g w eb sites that I visit.
G - Z a p p e r, m in im iz e th e w in d o w , a n d e n jo y y o u r e n h a n c e d s e a rc h p r iv a c y D eaned Cookies Log

W
Enab le logging of cookies that h ave recently been cleaned. S a v e my G oogle ID in the d ean ed cookies log.
C lear Log
V ie w Log
OK
Delete Cookie
Resto re Cookie
T e st Google
Settings
R egister
F IG U R E 16.8: V ie w in g th e d e le te d lo g s
1 0 . T h e d e le t e d c o o k ie s i n f o r m a t i o n o p e n s i n N o t e p a d .
cookiescleaned - Notepad
File Edit Format View Help
[x
S ' T ools d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox \Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 A M (Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data \Default\Cookies Friday, August 31, 2012 11:04:20 A M (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox \Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 A M (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox \Profiles\5vcc40ns.default\cookies.sq lite Wednesday, September 05, 2012 02:52:38 P M |
F IG U R E 16.9: D e le te d lo g s R e p o r t
L a b
A n a ly s is
D o c u m e n t a ll t h e I P a d d re s s e s , o p e n p o r t s a n d r u n n i n g a p p lic a t io n s , a n d p r o t o c o ls y o u d i s c o v e r e d d u r i n g d i e la b .
T o o l/U tility
In fo r m a tio n
A c tio n P e rfo rm e d : G Z a p p e r D e t e c t d i e c o o k ie s D e le t e t h e c o o k ie s B l o c k t h e c o o k ie s
R e s u l t : D e le t e d c o o k ie s a re s t o r e d i n C :\U s e r s \A d m in is tr a to r \ A p p lic a tio n D a ta
P L E A S E
T A L K
T O
Y O U R
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Q u e s t io n s
1. E x a m i n e h o w G - Z a p p e r a u t o m a t i c a l l y c le a n s G o o g l e c o o k ie s .
2.
C h e c k t o s e e i f G - z a p p e i i s b l o c k i n g c o o k i e s o n s ite s o t h e r t h a n G o o g l e .
In t e r n e t C o n n e c tio n R e q u ir e d 0 Y es S u p p o rte d iL a b s N o
P la tfo r m 0
C la s s r o o m
Lab
S canning th e N etw ork Using th e C olasoft P ack e t Builder

The Colasoft Packet Builder is a useful toolfor creating custom netirork packets. I CON
V a lu a b le in fo r m a tio n
KEY
L a b
S c e n a r io
11 1 d i e p r e v i o u s l a b y o u h a v e l e a r n e d l i o w y o u c a n d e t e c t , d e le t e , a n d b l o c k c o o k ie s .
A tta c k e rs e x p lo it d ie XSS v u ln e r a b ilit y , w h ic h in v o lv e s an a tta c k e r p u s h in g
m a lic io u s J a v a S c r ip t c o d e i n t o
a w e b a p p lic a tio n . W h e n a n o d ie r u s e r v is its a p a g e
w i d i d i a t m a lic io u s c o d e i n it , d ie u s e r s b r o w s e r w i l l e x e c u te d ie c o d e . T h e b r o w s e r lia s
Q Q
110 w a y o f t e l l i n g t h e d i f f e r e n c e b e t w e e n l e g i t i m a t e a n d m a l i c i o u s c o d e . I n j e c t e d
c o d e is a n o d i e r m e c h a n i s m d i a t a n a t t a c k e r c a n u s e f o r s e s s io n h i j a c k i n g : b y d e f a u l t
c o o k ie s s t o r e d b y th e b r o w s e r c a n b e r e a d b y J a v a S c r ip t c o d e . T h e in je c t e d c o d e c a n r e a d a u s e r s c o o k ie s a n d t r a n s m i t d io s e c o o k ie s t o d i e a tt a c k e r . A s a n e x p e rt
e th ic a l h a c k e r
and
p e n e tra tio n te s te r
y o u s h o u l d b e a b le t o p r e v e n t fie ld s , a n d h id d e n
s u c h a tt a c k s b y v a l id a t in g a ll h e a d e r s , c o o k ie s , q u e r y s tr in g s , f o r m
f ie ld s , e n c o d in g i n p u t a n d o u t p u t a n d f i l t e r m e ta c h a r a c te r s i n t h e i n p u t a n d u s in g a w e b a p p lic a t io n f ir e w a ll t o b l o c k th e e x e c u t io n o f m a lic io u s s c r ip t . A n o d i e r m e t h o d o f v u ln e r a b ilit y c h e c k in g is t o P acket B u ild e r . 111 t h i s la b , you w ill be le a r n s c a n a n e t w o r k u s in g th e C o la s o ft about s n iffin g n e tw o rk p a c k e ts ,
p e r f o r m in g A R P p o is o n in g , s p o o f in g th e n e t w o r k , a n d D N S p o is o n in g .
^ T T o o ls
L a b
O b je c t iv e s
d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks
T h e o b je c t iv e o f d i is la b is t o r e in f o r c e c o n c e p t s o f n e t w o r k s e c u r it y p o li c y , p o li c y e n f o r c e m e n t , a n d p o l i c y a u d it s .
L a b
11 1 d i i s l a b , y o u n e e d :
C o la s o f t P a c k e t B u ild e r lo c a t e d a t
D:\CEH-Tools\CEHv 8 M odule 03 S canning N etw orks\C ustom P acket C reator\C olasoft P a cke t B uilder
c o m p u te r r u n n in g
as h o s t m a c h in e
W indow 8
r u n n i n g o n v ir t u a l m a c h in e as ta r g e t m a c h in e
Y o u c a n a ls o d o w n l o a d d i e l a t e s t v e r s i o n o f
A dvanced C olasoft P acket
B uilde r
php
fro m
d ie lin k
h t t p : / / w w w .c o la s o ft.c o m / d o w n lo a d /p r o d u c ts /d o w n lo a d _ p a c k e t_ b u ild e r .
I f y o u d e c id e t o d o w n l o a d d i e d ie la b m ig h t d if f e r .
la te s t version,
d ie n s c re e n s h o ts s h o w n in
A w e b b r o w s e r w i d i I n t e r n e t c o n n e c t io n n u u iin g i n h o s t m a c liin e
L a b
D u r a t io n
O v e r v ie w
o f C o la s o f t P a c k e t B u ild e r
c r e a t e s a n d e n a b le s c u s t o m n e t w o r k p a c k e t s . T h i s t o o l c a n
C olasoft P acket B uild e r
b e u s e d t o v e r i f y n e t w o r k p r o t e c t i o n a g a in s t a tt a c k s a n d in t r u d e r s . C o la s o f t P a c k e t B u i l d e r f e a t u r e s a d e c o d i n g e d i t o r a l l o w i n g u s e r s t o e d i t s p e c i f i c p r o t o c o l f i e l d v a lu e s m u c h e a s ie r . U s e r s a r e a l s o a b le t o e d i t d e c o d i n g i n f o n n a t i o n i n t w o e d i t o r s :
Decode E d ito r
and
Hex Editor. U s e r s c a n s e l e c t a n y o n e o f IP P acket, ARP P acket, o r TCP Packet.

L a b
S t a s k
d ie p r o v id e d te m p la te s :
E thernet Packet,
T a s k s
In s t a ll a n d la u n c h d ie L a u n c h th e
1
1. 2.
C olasoft P acket Builder.
S canning N e tw o rk
S ta rt
m e n u b y h o v e r in g d ie m o u s e c u r s o r o n th e lo w e r - le f t
3.
Q y <u c a n d o w n lo a d Yo C o la s o ft P a c k e t B u ild e r fro m h ttp : / / w w w . c o la s o ft. co m .
C l i c k t h e C o la s o ft P a c k e t B u ild e r 1.0 P a c k e r B u ild e r w i n d o w
a p p to o p e n th e
C o la s o ft
S ta rt
Administrator
Sew
Windows PowerSM
m
Googte Chrome
Cotaoft Pacto?! Bunder t.O
Es
compule r
*
Manager
*
v Mochn#.
control 1 'and
*J
V
Command Prompt
91
U3LWvr Irn-.aljt 0 Center.
9 MfrtjpaC* Studc
te r
se
V
.
M
3
Nnwp 7ftmap GUI
refax CMtoo
e u M a
F IG U R E 17.2 W in d o w s S e rv e r 2012 - A p p s
4.
T h e C o la s o f t P a c k e t B u ild e r m a in w i n d o w a p p e a rs .
Colasoft Packet Builder 1= 1 !
Fie # Import
Edt ^
Send
Help
1 S ? & Add Insert
1
Packet No.
No pxkec elected:
Checksum
4 $ Oecode Edro*
\ $Packet Lilt
[A s^J
Adapter Packets
5 5
Colasoft
0 Selected 0 1
Delta Time Sourer
O p e ra tin g syste m re q u ire m e n ts : W in d o w s S e rv e r 200 3 a n d 6 4 - b it E d itio n W in d o w s 2 0 0 8 a n d 6 4 - b it E d itio n W in d o w s 7 a n d 64-b it E d itio n
> 0 :0
HeEdfcor
fatal
0 byte* |
< L
F IG U R E 17.3: C o la s o ft P a c k e t B u ild e r m a in screen
5.
B e fo re
s ta r tin g
o f y o u r ta s k , c h e c k
th a t d ie
A d a p te r
s e t t in g s
a re
se t to
d e fa u lt a n d d ie n c lic k
OK.
Select Adapter *
A d ap ter:
Ph ysical Address Link Sp eed M ax Fram e Size IP Address D efau lt G atew ay A d ap ter Sta tu s
D 4 :BE:D 9 :C 3 :C E:2 D 0 100.0 l* )p s 1500 b ytes 10.0.0.7/255.255.255.0
1 0 .0 .0 .1
O perational
OK
C ancel
Help
F IG U R E 17.4: C o la s o ft P a c k e t B u ild e r A d a p te r settings
E th ic a l H ackin g and Counterm easures Copyright < 0by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
6.
T h e re a re tw o w a y s to c re a te a p a c k e t - A d d a n d In s e rt. T h e d iffe re n c e b e tw e e n th e s e is th e n e w ly a d d e d p a c k e t's p o s itio n in th e P a c k e t L is t . T h e n e w p a c k e t is lis te d as th e la s t p a c k e t in th e lis t i f ad d e d b u t a fte r th e c u rre n t p a c k e t i f in s e rte d .
T o add
0 1 c r e a t e d i e p a c k e t , c l i c k Add 111 d i e m e n u s e c t i o n .
File ff 1 Import [ ^
Edit
Send
Help
0
Export Add Insert
Decode Editor
F IG U R E 17.5: C o la s o ft P a c k e t B u ild e r cre a tin g d ie p ack et
7.
W h e n an a n d c lic k
A dd P a cke t OK.
d ia lo g b o x p o p s u p , y o u n e e d t o s e le c t d i e t e m p la t e
Q c o la s o f t P a c k e t B u ild e r s u p p o rts * .c s c p k t (C a p s a 5 .x a n d 6 .x P a c k e t F ile ) a n d * c p f (C a p s a 4.0 P a c k e t F ile ) fo rm a t. Y o u m a y a ls o im p o rt d a ta fro m .c a p (N e tw o r k A s s o c ia te s S n iffe r p a c k e t file s ), * .p k t (E th e r P e e k v 7 / T o k e n P e e k / A 1 ro P e e k v 9 / O m n iP e e k v 9 p a c k e t file s ), * .d m p (T C P D U M P ), a n d * ra w p k t (ra w p a c k e t file s ).
Add Packet
Select Template:
n n
ARP Packet 0.1
Delta Time:
Second
OK
Cancel
Help
F IG U R E 17.6: C o la s o ft P a c k e t B u ild e r A d d P a c k e t d ia lo g b o x
8.
Y ou
can
v ie w
d ie
added
p a c k e ts
lis t
0 11 y o u r r i g h t - h a n d s id e o f y o u r
w in d o w .
Packet List S
Packets
Selected
t a s k
_______ U sl______ Delta Tims . S o u r c e 1 0.100000 00:00:00:00:00:00
D e s tin a tio n _______,
Decode E ditor
F IG U R E 17.7: C o la s o ft P a c k e t B u ild e r P a c k e t L is t
9.
C o la s o f t P a c k e t B u ild e r a llo w s y o u t o e d it d ie t w o e d it o r s :
decoding
in f o r m a t io n i n d ie
Decode E ditor
and
H ex Editor.
Decode Editor Packet: B- Ethernet Type I I le s tin a tio n Address: J Source Address: j ! ^ P r o to c o l: - sj ARP - Address Resolution Protocol ! < # >Hardware type: ! #( Protocol Type: j.. Hardware Address Length: .. Protocol Address Length: !
\
Q B u s t M o d e O p tio n : I f y o u c h e c k th is o p tio n , C o la s o ft P a c k e t B u ild e r se n d s p a c k e ts o n e a fte r a n o th e r w ith o u t in te rm is s io n . I f y o u w a n t to s e n d p a c k e ts a t th e o rig in a l d e lta tim e , d o n o t c h e c k th is o p tio n .
| <#1ype: -^J>S0urce Physics:
j3 Source IP : D estination Physics: j D estination IP : - Extra Data: Number of Bytes: FCS: L # FCS: <l 1 1 1 j
Num:000001 Length:64 Captured: [0/14] FF: FF: FF: FF: FF: FF [0/6] 00:00:00:00:00:00 [6/6] (ARP) [12. 0x0806 [14/28] (Ethernet) 1 0x0800 [16/2] 6 [18/1] 4 [19/1] (ARP Reque. 1 00:00:00:00:00:00 [22/6] 0.0.0.0 [28/4] 00:00:00:00:00:00 [32/6] 0.0.0.0 [38/4] [42/18] 18 bytes [42/18] 0xF577BDD9 ...... ; ......,.... .... >J
F IG U R E 17.8: C o la s o ft P a c k e t B u ild e r D e c o d e E d ito r
^ Hex Editor 0000 FF FF FF 000E 00 01 08 001C 00 00 00 002A 00 00 00 0038 00 00 00
Total FF 00 00 00 00 FF 06 00 00 FF 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 06 00 00 00 ....
60 bytes
F IG U R E 17.9: C o la s o ft P a c k e t B u ild e r H e x E d ito r
1 0 . T o s e n d a ll p a c k e ts a t o n e t im e , c lic k 11. C h e c k d ie d ie n c lic k
Send All
f r o m d ie m e n u b a r. d ia lo g w in d o w , a n d
Burst Mode Start.
o p t io n i n d ie
Send All Packets
0 1 O p tio n , L o o p S e n d in g : T h is d e fin e s th e re p e a te d tim e s o f th e se n d in g e x e c u tio n , o n e tim e in d e fa u lt. P le a s e e n te r z e ro i f y o u w a n t to k e e p se n d in g p a c k e ts u n til y o u p a u se o r s to p it m a n u a lly .
^4
C o la s o f t C a p s a
Jown Checksum
Send Send All Packets
Packet Analyzer 1 Selected 1
Packet List No. 1 Delta Time Source 0.100000 00:00:00:00:00:00
Destination FF:FF:FF:FF:FF:FF
F IG U R E 17.10: C o la s o ft P a c k e t B u ild e r S e n d A ll b u tto n
3 S e le c t a p a c k e t fro m th e p a c k e t lis tin g to a c tiv a te S e n d A ll b u tto n
F IG U R E 17.11: C o h s o ft P a c k e t B u ild e r S e n d A H P a c k e ts
12.
C lic k
S ta rt
Send All Packets

O p tions A d a p te r: R e a lte k P C Ie G 8 E Fam rfy C o n tro ller
Select...
B u rs t M ode (n o d e la y b e tw e e n p a ck e ts)
Lo op S e n d n g :
D e la y B e tw e e n Lo o p s:
A 1 0 0 0 A 1000 -
loops (z e ro fo r in fin ite lo o p )
m illiseconds
Sen d in g In fo rm a tio n 0 T h e p ro g re s s b a r p re s e n ts a n o v e r v ie w o f th e s e n d in g p ro c e s s y o u are e n g a g e d in a t th e m o m e n t. P ro g re ss: P a c k e ts S e n t: 1
T o tal P a c k e ts :
S ta r t
S to p
C lo se
H elp
F IG U R E 1 7 .12 C o la s o ft P a c k e t B u ild e r S e n d A H P a c k e ts
13.
T o
e x p o rt
d ie
p a c k e ts
sent
fro m
d ie
F ile
m enu,
s e le c t
F ile Ê x p o rt Â ll Packets.
E th ic a l H ackin g and Counterm easures Copyright < 0by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
li File Edit Export Send 1*

^
Colas Help 0 1 a X glete ketNo. |_ jJ I Num: 00( ] 0/14[ FF: FF:1

00:00:( ,
Import... 10
All Packets...
Exit + ^T Packet:
Selected Packets...
El E thernet Type I I
^ D e s tin a tio n Address: Source Address:

F IG U R E 17.13: E x p o r t A ll P a c k e ts p o tio n
O p tio n , P a c k e ts S e n t
Save As
5avein!"! :o la e c -ft f lf c l Rcccnt plocca Nome Dtc modified No items match your search. Type
x I
T h is s h o w s th e n u m b e r o f p a c k e ts s e n t s u c c e s s fu lly . C o la s o ft P a c k e t B u ild e r d is p la y s th e p a c k e ts se n t u n s u c c e s s fu lly , to o , i f th e re is a p a c k e t n o t s e n t o u t.
Desktop
<
Libraries lA f f Computer
Network
r n _______ F 1Unm* Sv c typ

|
... Fjiekct e c p ld v j v | Sav Crcl
[> 1
|
(Colafloft Packot Rio (v6) (*.oocpkt)
F IG U R E 17.14: S e le c t a lo c a tio n to save th e ex p o rted file
U
Packets.cscpkt
F IG U R E 17.15: C o la s o ft P a c k e t B u ild e r e x p o rtin g p ack et
L a b
A n a ly s is
A n a l y z e a n d d o c u m e n t d i e r e s u l t s r e l a t e d t o t h e l a b e x e r c is e .
T o o l/U tility
In fo r m a tio n
A d a p t e r U s e d : R e a lte k P C I e F a m ily C o n t r o lle r C o la s o ft P a c k e t S e le c t e d P a c k e t N a m e : A R P P a c k e ts B u ild e r R e s u lt : C a p tu r e d p a c k e ts a re s a v e d i n p a c k e ts .c s c p k t
P L E A S E
T A L K
T O
Y O U R
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Q u e s t io n s
1. A n a ly z e how C o la s o ft P a c k e t B u ild e r a ffe c ts y o u r n e tw o rk tr a ffic w h ile
a n a ly z in g y o u r n e t w o r k . 2. 3. E v a lu a te w h a t ty p e s o f in s t a n t m e s s a g e s C a p s a m o n it o r s . D e te r m in e w h e t h e r d ie p a c k e t b u f f e r a ffe c ts p e r fo r m a n c e . I f y e s , th e n w h a t s te p s d o y o u ta k e t o a v o id o r r e d u c e it s e f f e c t o n s o ft w a r e ?
In t e r n e t C o n n e c tio n R e q u ir e d Y es S u p p o rte d 0 iL a b s 0 N o
P la tfo r m 0
C la s s r o o m
Lab
S canning D evices in a N etw ork Using T h e Dude

I CON
5 V a lu a b le
KEY
The D n d e automatically scans all devices within specified subnets, draws a n d lays out a w a p of y o ur networks, monitors services ofy ou r devices, a n d a/eftsyon in case
in fo r m a tio n
some service hasp roblems. L a b S c e n a r io

p r e v io u s la b you le a r n e d ho w p a c k e ts can be c a p tu re d u s in g C o la s o ft a
1 1 1 th e
P a c k e t B u ild e r . A tta c k e r s t o o
c a n s n i f f c a n c a p t u r e a n d a n a ly z e p a c k e t s f r o m n e tw o rk in fo r m a t io n . The a tta c k e r can
n e tw o rk
and
o b ta in
s p e c if ic
d is r u p t
c o m m u n ic a tio n
b e tw e e n h o s ts a n d c lie n ts b y m o d if y in g s y s te m
c o n fig u r a tio n s ,
o r t h r o u g h th e p h y s ic a l d e s t r u c t io n o f th e n e t w o r k . A s a n e x p e r t e th ic a l h a c k e r, y o u s h o u l d b e a b l e t o g a d i e r i n f o r m a t i o n 0 11 o rg a n iz a tio n s n e tw o rk to c h e c k fo r v u ln e ra b ilitie s and fix th e m b e fo re an a tta c k e r g e ts to c o m p ro m is e th e m a c h in e s using th o s e v u ln e ra b ilitie s . I f d e te c t any a tta c k th a t has been p e rfo rm e d
you
0 11 a n e t w o r k , im m e d ia t e ly
im p le m e n t p r e v e n t a tiv e m e a s u re s t o s to p a n y a d d itio n a l u n a u th o r iz e d a c c e s s .
1 1 1th is
l a b y o u w i l l le a r n t o u s e T h e D u d e t o o l t o s c a n t h e d e v ic e s i n a n e t w o r k
a n d th e t o o l w i l l a le r t y o u i f a n y a tt a c k h a s b e e n p e r f o r m e d
0 11 t h e n e t w o r k .
L a b
O b je c t iv e s
T h e o b j e c t i v e o f t h i s l a b i s t o d e m o n s t r a t e h o w t o s c a n a l l d e v ic e s w i t h i n s p e c i f i e d s u b n e t s , d r a w a n d l a y o u t a m a p o f y o u r n e t w o r k s , a n d m o n i t o r s e r v ic e s n e tw o rk .
0 11 d i e
V J Tools d em o nstrate d in th is lab are a va ila b le in D:\CEHTools\CEHv 8 M odule 03 S canning N e tw o rks

L a b
T o c a r r y o u t th e la b , y o u n e e d : T h e D u d e is lo c a t e d a t
D:\CEH-T 0 0 ls\C EH v 8 M odule 03 S canning N e tw o rk s \N e tw o rk D is c o v e ry and M apping T o o ls\T h e Dude The Dude
fro m th e
Y o u c a n a ls o d o w n l o a d t h e la t e s t v e r s io n o f h ttp : / / w w w .m ik r o tik .c o m / th e d u d e .p h p
I f y o u d e c id e t o d o w n l o a d t h e la t e s t v e r s io n , t h e n i n th e la b m ig h t d if f e r
s c re e n s h o ts
show n
c o m p u te r r u n n in g W in d o w s S e rv e r 2 0 1 2
D o u b le - c lic k d ie in s t a ll
The Dude
a n d f o l l o w w i z a r d - d r iv e n in s t a lla t io n s te p s t o
The Dude
A d m i n i s t r a t i v e p r iv ile g e s t o r u n t o o ls
L a b
D u r a t io n
O v e r v ie w
o f T h e
D u d e
T h e D u d e n e t w o r k m o n i t o r is a n e w a p p lic a t io n d i a t c a n d r a m a t ic a lly i m p r o v e d ie w a y y o u m a n a g e y o u r n e t w o r k e n v i r o n m e n t I t w i l l a u t o m a t i c a l l y s c a n a l l d e v ic e s w i t h i n s p e c i f i e d s u b n e t s , d r a w a n d l a y o u t a m a p o f y o u r n e t w o r k s , m o n i t o r s e r v ic e s o f y o u r d e v ic e s , a n d a l e r t y o u i n c a s e s o m e s e r v ic e l i a s p r o b l e m s .
L a b
1.
T a s k s
L a u n c h th e
S ta rt
m e n u b y h o v e r in g th e m o u s e c u r s o r o n th e lo w e r - le f t
i|
Windows Server 2012
Ser*? 2 0 1 2Ma1 eC an dW ateDitaceM* ____________________________________________________________________________Ev^mbonoopy BuildWX:
F IG U R E
18.1: Windows Server 2012 - Desktop view
t a s k
1 1 1 t h e S ta rt m e n u , t o l a u n c h T h e Dude, c l i c k T he Dude i c o n .
Launch The Dude

S ta rt Administrator
Server Maiwgcr
Com puter
O n m
*
SS?
f>
~ v
M m n ttr.
- 1
com m and Prompi
1n0u0f
T < x J1
lp
F IG U R E 182 : W in d o w s S e rv e r 2012 - S ta rt m e n u
3.
T h e m a in w in d o w o f
fS m m
() 5references Setting*
Contert* A3<*T3S USS A Admn#
The Dude
w ill a p p e a r.
- l l jjy i2 m c *
X
adm in@ localhost - The Dude 4.0beta3 9 Local Server CJ 71S E 1 O * Ssttnst j
Cikovot *70011
H do
m
V J
. .*. Lay* irk(
H 0
H D*wic 5
?5? Flea Functona M Htfay Action*

H Lntu Lc0*
7 7 Cecus 7 &em 7 Syslog

E Notic?
-A
- B Keftroric Maps B Lccd

t- ! U n i r t i
J
Cterl. w
Uj /U
[.Ca 1MUd
334 bw
S* *x215bc*.'UM2bc
F IG U R E 18.3: M a in w in d o w o f T h e D u d e
4.
C lic k th e
---- -------------
5reference*
D is c o v e r

*b
b u t t o n o n th e t o o lb a r o f d ie m a in w in d o w .
admin@localhost - The Dude 4.0beta3
rh tZ
.
3 . v E
1 x IIIIJH b _d
2
9 Local Seiver
a C a-ite !*
Q Addra# list* A vamro 0 * fl OmiaN f * . Ftea f= 1 F_nccon8 B Haay Action* n 1 ^* Legs ? ActJcn 7 D efcus 7 Event 7 Sjobg R Mb N otie? - Q Network M aos B Lccdl M
*
-1+ o
Sottrco
Dkov* * | Too
| ?lrk*
'
|!Corrected
Cfert. ix $59bus /tx 334bp*
:<* a215bc<'u642bc
F IG U R E 18.4: S e le c t d is c o v e r b u tto n
5.
The
D e vice D is c o v e ry
w in d o w a p p e a rs .
Device Discovery General Services Device Types Advanced

Enter subnet number you want to scan for devices
Discover Cancel
Scan Networks: 1 10.0.0.0/24 Agent: |Pg? P Add Networks To Auto Scan Black List: |1 Device Nam e Preference: |DNS. SNMP. NETBIOS. IP Discovery M ode: ( fast (scan by ping) C reliable (scan each service) Recursive Hops: /
2 I 4 I 6 I 8 I 10 I 14 I I I 20 50
!-
F Layout M ap /tfter Discovery Com plete
F IG U R E 18.6: D e v ic e d is c o v e ry w in d o w
6.
111 t h e D e v i c e D i s c o v e r y w i n d o w , s p e c i f y
d e fa u lt
and
fro m m
d ie d ie
A g e n t d ro p -d o w n
l i s t , s e le c t
S can N e tw o rk s r a n g e , s e l e c t DNS, SNMP, NETBIOS.

d r o p - d o w n lis t, a n d c lic k
IP f r o D iscover.
D e vice N am e P re fe re n ce
Device Discovery General Services Device Types Advanced

number you want to scan for
Scan Networks: (10.0.0.0/24 Agent: 5 S S H B I r Add Networks To Auto Scan Black List: [none Device Nam e Preference DNS. SNMP. NETBIOS. IP
Discovery M ode ( fast (scan by ping) C reliable (scan each service) 0 Recursive Hops: [1 ]] /r 1 1 1 -----------------------------------------2 4 6 8 10 14 20 SO
I - Layout M ap /tfter Discovery Com plete
F IG U R E 18.7: S e le ctin g d e vic e n am e p re fe re n ce
7.
O n c e t h e s c a n is c o m p l e t e , a ll t h e d e v ic e s c o n n e c t e d t o a p a r t i c u l a r n e t w o r k w i l l b e d is p la y e d .
adrmn@localhost
The Dude 4.0beta3
f t ^ t
^2 0 9 m :[ 1 0
1 1 dL o c d f a t S a n h f la !_ 1 1 s +-_ Ccrtemt____________ f~l *ricteo Lata A d n n s4 . QF u 1 d io n

B *< 2 Chats Oevteaa *- * Pie
C : _e [o * | S e c p y I |D h c o v e f |^ T o o ia tt 1 a s - |l k s
Q y
.t
WIN.D39MR5HLSE-:
AOMN
WW*IXY858KH04P (DU I 9 N tn c n t 63 % vM: 27% disk 75%
e t1 0 n *0 7 *40 H1 -* -00 7^ 6
L f Uofcoa L?rvn1
r M flM M tttL C X U U l
\
*
w in ? U 't '. ic . '. - t f s
I
N .
\
to b> 1 0 m
d n *^Map* Q Local r fcnwortc
asy*B
- ^
Q NotActfont
H PjTriS
Q adrrin 1 2 7 .0 ,0 .1
Q P t 638 5> Sennco Q Tcde
V I1 h K .K 0 H )1 m 3 ^ M
Qm - x 3 2 5 oc w I 95 bpj
Saver r 1 ( ( 4 (> > * 3 9 tc
F IG U R E
1 8 .8 : O v e r v i e w o f n e t w o r k c o n n e c t i o n
8.
Select a device and place d ie mouse cursor o n i t to display the detailed in fo rm a tio n about d ia t device.
C artvM 5 Ad<*3a Lota A Admr* R Afl*rta
jo ^ S t f t t K u j o D w o v w
~ * 1Z o o m .[ T O
C h a t *
Q0 8 V 1 0 0 8
^ Plea Q Functions Lnk* Lcoa ]J? Acton
t f t t e O T . JLYKSO-Ci P IP 100 0 9
W rd c v n a x n p u c r,
V irc 0*5 I t o i a i 6 & End
M A CC tt - 1 0
H a t o v V * *
C7 Detua
? Ewr L7Sbg Mb Mod* rielwork Maps B local n NHwwk
S jc rT !.*.v w . . Y 3 5 a m 3 ip C esacto- -fc*.=e ntes Famly G Wsdd 42 9eppng 7 M /M COUPATBU 6 0 0 1 WipxnsrFix)

Ipwue 0028 <J771
S*'42 m (7V U > i 1 Q r0 0 a 1C2 coj fn&nory vrtuai memoiy. cfck
2 N 9U lc4B0r
Q Parris
H* 1 2 7 . 0 0 . 1 P c N
Q> Samcas H Tocte
J?* I !_ a M L'
I? #
1 4 <
iwttdai e UU liriM M O ll-
) > n n : u U C M K JP
12:3 I ecu lam 0 a.'iaaeoip
u :a
12:40
12: X
1*:
.W * . n m ,
| mdiv 0 vnn-uiYKBocnP
1 3 :ta
W -ll r8!a.H0TP
C V t m 2 4 5 Upa/tx 197bpa
n .1 5 4 ttp a /fc 3 3 k b c
F IG U R E
1 8 .9 : D e t a i l e d i n f o r m a t i o n o f t h e d e v i c e
9.
N o w , c lic k the d o w n a rro w fo r die L o ca l d ro p -d o w n lis t to see in fo rm a tio n o n H is to ry A c tio n s , T o o ls, F iles. Logs, and so on.
E th ic a l H ackin g and Counterm easures Copyright by E C Counc11 A ll Rights Reserved. Reproduction is Strictly Prohibited
F IG U R E
1 8 .1 0 : S e le c tin g L o c a l i n f o r m a t i o n
10. Select o p tio n s fro m d ie d ro p -d o w n lis t to v ie w com plete in fo rm a tio n .

adm!r1@iocalha5t The Dude 4.0beta3 | | Preferences | f r Local Swar Heb
< _ X ,
S e t B n g j
C onot?
Q Add's** Lilt(
4 4 1! Q *stU
e I~ , M
O w l
r*1 LVvn.* *Fto* Q I undior M U K >Logs
IM a y/ t o w n s 7A = < 1 0 n
? Debug
7 E v rf
2u 3u au 5U cu
7U
? Stfog Mb Me**
9u 10 u u 12 u 1 3U 14 U 1 5U
6 U 16 U
fi U
7 u
20 u
1 9U
A d e n NttwOlk Map Benrfl dn11*d e n n tc h a n je d 1 3 0 2 4 CNer*ek Map B 13024S fJrtocik Map btmrU 1 la 1 r* c h a n g e d 1 3 0 ;4 9Netvak Map B lv w 'i:Jw j* 0 1302S0 fM o w k Map b f w m c h a n g e d ttitc ik Map B 1 3 0 ?5 ?H w 1 !( .1 1 j 0 130254 fM o cik Map H e m e m c h a n g e d (3 0 2K Merwak Map B 130258 fjnC*k Map b c w : changtd fm c ik Map Bemem changed 1 3 0 3 4 0tk 130302 NttWClk Map Be lt# ills' jeO 1 3 0 3 0 3lJere(k Map Berotm changed 13.03.06 r(.ck Map 0 c1*sr. da'jed 1 3 0 3 4 8liefMCik Map Beroen: changed . cha'Sed 13.03.14 ta t a k Map Bc1*T 1 3 0 31 6tieCMdk Map B fw t changed w n e rtc h a n o e d 13.03.20 Netwak Map B 1 3 0 3 2 2I jefMCik Map Berne'S changed w m n lc h rxl 130324 heCaak Map B 1 3 0 3 2 7Net*ck Map Beroen! changed
130245
Crr<tJ
0 *rt 9 17kbpa/|x 1 I2kbp
Snv a 3?4Ktv* H ?*ten
a d ^ n ^ io c a lh o s t - The Dude 4,Obela3 fafaenoee O toca sn
oI
G r t B f g j
Conterts
3 Address Usts AcJ-rriS Q Ao-nls
*
i
* L ^ v:c 100a! 1 0 0 0 . 1 2 1 0 0 0 2 5 5 A D V f , V / V 2 H 9 S T O S G W t t O U M R S H L WHCSCI S G 1 W IUJO0M I w !H 5 s r .c 1 u

W K M W S8 l l l
ih ti^ rS S B S S X S A l
_ ..L J U
Type, (*
M * f^ i
T]
g o w n s
U i Z . r 't nT,c>
j-=le incte iincte M-rle
Q Devicw 5! Fte Q Functor
M T C f c
Q Ktolciy Actons
1 Lrk
C7 Aden
r7 E v 4 Lfb S ^ o fl CJ M r * d .
CfO e b u o
W C t e w* tn c b
u-de vmo M* | *mcl*
w *C 0 w
Mao Local Local Local Local Local Local Local Local Local Local Local Local
Cflrr x 2 91 kbpa/ tx276bf>t
S f ln 0 9t 2 l6 -rp * * 2 4 ?
F IG U R E
1 8 .1 1 : S c a n n e d n e t w o r k c o m p le t e i n f o r m a t io n
E th ic a l H ackin g and Counterm easures Copyright C by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited
11. A s described previously, you m ay select all die o th e r o p tio n s fro m the d ro p -d o w n lis t to v ie w d ie respective in fo rm a tio n . 12. O nce scanning is com plete, c lic k the b u tto n to disconnect.
a d m in lo c a lh o s t - Th e D u d e 4.0beta3
Fwfcwnooa 9 Local Sorvor *to
jC tn a s d G'
RA d d r e s sU 8 I8
AdnlrM
Agert
C. O
S*crgc
O noowf
Too*
*.
L* ,*
[irk T
Chate
t<
W ik U L Y S S B K H Q IP tpu 2 2 % IM fT t S 0 % v.it 3 4 % disk 7 5 %
,1
W IN-D39NRSH1.91= 4
ADMIN
G e v c e s
QH is to r y A c tio n s HL in lc s =3 L e g *
r* = 1 nF _ ra c n 8
C fActon
Even!
_ WIN-2N95T0SGIEM
v
\
1000
(ZJ D c b u o
O
Q IS e tw o ifcM ip s
S/*log M to Nodoo
< |
B - l gcjj
j [>
r \ ^T ^ ^ ^ .1
WM-LXQ\3\VR3!WM
n Z
W k b w ' b 135 bps
5<?vrr r t
i.
1 2 c p 5 't * 3 15 *bps
FIGURE 1 8 .1 2 :Connectionof system sin network
L a b A n a ly s is
Analyze and docum ent die results related to die lab exercise. T o o l/U tility In fo r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d IP A d d re s s R a n g e : 10.0.0.0 10.0.0.24 D e v ic e N a m e P re fe re n ce s: D N S , S N M P , The D ude N E T B IO S , IP O u tp u t: L is t o f connected system, devices in N e tw o rk
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
In te r n e t C o n n e c tio n R e q u ire d Y es P la tfo r m S u p p o rte d 0 C la s s ro o m 0 iLabs 0 No

CEH v8 Labs Module 03 Scanning Networks PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEH v8 Labs Module 03 Scanning Networks PDF

Uploaded by

Copyright:

Available Formats

CEH Lab Manual

Valuable information s Test your knowledge Web exercise Workbook review

C E H Lab M anual Page S5

Banner Grabbing to Determine a Remote Target System Using

Auditing Scanning by Using G lo b a l Anonymous Browsing Using P r o x y

C E H Lab M anual Page 86

Daisy Chaining Using P r o x y

HTTP Tunneling Using H T T P o r t Basic Network Troubleshooting Using the

Scanning Devices in a Network Using T h e

P LEA S E T A LK TO YO U R IN S T R U C T O R IF YOU H A V E Q U ES T IO N S R E L A T E D TO TH IS LAB.

C E H Lab M anual Page 87

/ = Valuable information Test your knowledge Web exercise Workbook review

d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s

Q Y oucanalso dow nloadA dvancedIP Scanner from http:/1w w w .advanced-ipscanner.com .

die lab, you need: Advanced IP Scanner located at Z:\\C EH v8

C E H Lab M anual Page 88

then screenshots shown

as die attacker (host machine)

Another computer running W in d o w s machine) A web browser widi In te rn e t

as die victim (virtual

privileges to run diis tool

1. Go to S ta r t by hovering die mouse cursor in die lower-left corner of die desktop

FIG U R E1 .1 :W indow s8- D esktopview 2. Click A d v a n c e d (Windows 8).

from die S ta r t menu in die attacker machine

C E H Lab M anual Page 89

Fngago Packet b uilder

m W ithA dvancedIP Scanner, youcanscan hundreds ofIP addresses sim ultaneously.

M icrosoft Clip O rganizer

FIG U R E1 2. W indow s8- A pps 3. The A d v a n c e d

main window appears.

C E H Lab M anual Page 90

L _/ Y ouhaveto guess a rangeof IP address of victimm achine.

FIG U R E1 .4 :T hevictimm achineW indow sserver2 008

The status of scanis show nat the bottomleft sideofthew indow .

C E H Lab M anual Page 91

MAC address 00:09:5B:AE:24CC DO:67:ES:1A:16:36 00: 5:5D: A8:6E:C6

00:15:5D:A8:&E:03 D4:3E.-D9: C3:CE:2D

5a iv*, 0 dJ0, S unknown

Extract Victim s IP Address Info

to ru fa c tu re r Netgear. In c M icrosoft Corporation M icrosoft Corporation Dell Inc

WIN-LXQN3WR3 WIN D39MR5HL<

Radrnir 5 alive. 0 dead, 5 unknown

C E H Lab M anual Page 92

& File Actions Settings View Help

Use Vtindcms authentifcation

11 0.0.0.1-100.0.10 Results | Status a Favorites |

S alive, Odcad, 5 unknown

13. You can also try Angry IP scanner located at

Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner

also scans the network for machines and ports.

C E H Lab M anual Page 93

1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required Yes Platform Supported 0 Classroom 0 iLabs 0 No

C E H Lab M anual Page 94

Test your knowledge Web exercise

d e m o n stra te d in t h is la b a r e a v a ila b le in D:\CEHT o o ls\ C E H v 8 M o du le 0 3 S c a n n in g N e tw o rk s

To perform die lab you need: ID Server is located at D :\ C E H -T o o ls \ C E H v 8

C E H Lab M anual Page 95

from the link

then screenshots shown

Administrative privileges to run die ID Run this tool on W in d o w s

1. Double-click id s e r v e located at D :\C E H -T o o ls\C E H v 8

3 l 5 5 a e 564 _ <1 1 1