In our first article, Is Your Business’s Privacy at Risk?, we looked over the less technical methods for gathering information about a network you’re interested in. In this article, the second of the series, we will focus on the process of scanning computer networks to identify potential targets. As an ethical hacker you would be either scanning your own network, or scanning someone else’s network (your company’s or another company’s) following a contract between you two. You should never start this process on a network that is not your own before you have a signed contract indicating that you can proceed. Otherwise, there may be legal consequences against you. Don’t indicate the accounts or IPs that you will be using, as this would compromise the tests. The scanning process takes place after the initial information gathering. Without careful scanning you may miss easy targets. Some of the tools and commands listed here will help you, some of them won’t. But you should be familiar with all of them in order to get the most information about your target network. This way, you will know what a hacker could learn about your network. Knowing that, you can easily close unneeded or unused ports on vulnerable devices.
The process of scanning a network usually starts with checking for live systems. A ping sweep can be used for that purpose. However, it’s pretty noisy and most intrusion detection systems (IDSes) catch it. Furthermore, you should be able to identify and bypass firewalls on your way into the network. This process is called firewalking and you can use hping for it. Firewalls usually block hping’s requests and you see asterisks in the results. During all your scanning activities make sure you use a proxy. There are free proxies available that you can use, or you can set up one of your own. The idea of using a proxy while scanning is to cover your tracks so that the activities you perform can’t be traced back to you. This way, you will also check on the company’s procedures for chasing hackers. Anonymizers work in a similar way but they are commonly used by users to post to blogs, for example, to make sure that no one will track them back.
Once you’ve identified the live systems on your target network, you can check them for open ports. You can also perform so-called banner grabbing, which is the process of making an educated guess about the applications running on a server by looking at their specific response to a query. Nikto is a good tool for banner grabbing. With all this information in place you can easily scan for vulnerabilities. Actually, you can scan for vulnerabilities as a first step along with the scanning for live systems. There are automatic software solutions for doing that. However, it is most likely that any intrusion detection system or firewall in place will recognize your malicious intent and quickly block you. That’s why it is much more sophisticated to first gather all the information you can, being as silent as possible, and only after that to make targeted tests for vulnerabilities.
For example, you can use nmap to perform a quiet scan (meaning to wait a while before scanning the next IP in the range) of the network and identify any open ports. By looking at the open ports you can assume the role that the server is performing, such as a web server. Afterwards, by banner grabbing you can determine whether it is an Apache or an IIS server. Then you won’t test the mentioned server for all kinds of possible vulnerabilities, because the scanning may trigger an alert in the IDS. You will only test for known vulnerabilities with Apache or IIS. Furthermore, you can even get the uptime of the machine. How can such information help you? Well, if you know that an important service pack has been released two months ago, but the system hasn’t been rebooted for the last 3 months, then you can be sure that the patch has not been applied, meaning that you can exploit more known vulnerabilities.
While investigating your target network, make sure you put all the information in one place for quicker further reference. You should make notes on the live hosts you find, logging their OSes, and using PTR requests to find their names. Also note the locations of the firewalls in the network. At the end of this process you can even draw a network diagram, which is likely to be more meaningful than the network diagrams already in place in the organization.
Let’s take a closer look at the process of identifying live systems on the network. For that step you can try ping sweep, which will basically ping all the hosts in a network range (the range that you’ve identified by using public records or that has been given to you by the company if they contracted you to run the tests) and then give you the list of hosts that have replied.
To scan for open ports you will most often use the TCP negotiation process, because it gives you the opportunity to mask your traffic as legitimate communication. The TCP negotiation process is the so-called three-way handshake. Here it is described in steps:
1. The host trying to establish the communication sends a SYN packet to the destination. This is the SYN phase.
2. The destination sends an ACK packet to acknowledge, and along with the ACK packet it sends its own SYN packet. This is the SYN/ACK phase.
3. The initiating host sends an ACK packet to the destination’s SYN.
4. The hosts are now able to communicate both ways.
You can check for open ports by sending SYN packets to an IP (1st step of the TCP negotiation process) and making a note of which ports reply (2nd step). Afterwards, instead of going to the 3rd step, you can send the destination an RST packet, which means you’re not interested in communicating with it anymore. Why bother to do that when you already know the port is open? Remember to cover your tracks. Persistent open sessions may raise suspicion and lead to further investigation or even blocking of the IP you’re using. Malicious hackers would cover their tracks, and while impersonating them you should do that too.
If you don’t get a response, you can’t be sure that the port is closed on the destination server. It could be either closed or filtered. You can use ACK scanning for that. It sends an ACK packet directly (without any SYN packets before that).
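From the defender’s side, the handshake pattern above is exactly what a detection rule can key on: a full SYN, SYN/ACK, ACK exchange looks like a normal connection, while SYN, SYN/ACK, RST (or a SYN that never completes) across many ports on one host is a port scan. The following Python is an added example, not code from the original article; the packet summary lines and the `classify_exchanges`/`scanner_sources` names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed packet summaries (not a real capture): "src:sport > dst:dport FLAGS".
# 10.0.0.99 probes three ports half-open style; 10.0.0.5 makes one normal connection.
SAMPLE = """\
10.0.0.99:40001 > 10.0.0.7:22 S
10.0.0.7:22 > 10.0.0.99:40001 SA
10.0.0.99:40001 > 10.0.0.7:22 R
10.0.0.99:40002 > 10.0.0.7:80 S
10.0.0.7:80 > 10.0.0.99:40002 SA
10.0.0.99:40002 > 10.0.0.7:80 R
10.0.0.99:40003 > 10.0.0.7:443 S
10.0.0.5:51000 > 10.0.0.7:80 S
10.0.0.7:80 > 10.0.0.5:51000 SA
10.0.0.5:51000 > 10.0.0.7:80 A
"""
LINE = re.compile(r"(\S+):(\d+) > (\S+):(\d+) (\w+)")

def classify_exchanges(text):
    """Group packets per (client, server, port) and label how each exchange ended."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in LINE.findall(text):
        if flags == "SA":  # reply from the server: key the flow by its client side
            src, sport, dst, dport = dst, dport, src, sport
        flows[(src, int(sport), dst, int(dport))].append(flags)
    labels = {
        ("S", "SA", "A"): "connect",    # full handshake (what -sT does)
        ("S", "SA", "R"): "half_open",  # SYN, SYN/ACK, then RST (what -sS does)
        ("S",): "no_reply",             # closed or filtered port, no answer seen
    }
    return {(c, s, p): labels.get(tuple(seq), "other")
            for (c, _, s, p), seq in flows.items()}

def scanner_sources(text, min_ports=2):
    """Flag clients that touched at least min_ports distinct ports on one server."""
    probed = defaultdict(set)
    for (client, server, port), label in classify_exchanges(text).items():
        if label != "other":
            probed[(client, server)].add(port)
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_ports}
```

Run against the sample, `scanner_sources` flags only 10.0.0.99, whose half-open and unanswered probes span three ports, while 10.0.0.5’s single completed handshake is left alone.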
When we’re searching for open ports, we can also perform a so-called side channel attack. What it does is send a few SYN/ACK packets to the host we’re interested in. By looking at the responding RST packets (the destinations refuse the connection since they haven’t sent a SYN packet first and the TCP negotiation procedure is not being followed) we can understand whether a specific port is open or not. For side channel attacks intruders use a zombie to cover their tracks. The process is as follows:
1. The attacker sends a SYN/ACK packet to the zombie.
2. The zombie replies with an RST (it refuses the connection because it didn’t ask for it). However, in the RST packet there is a unique identifier called IPID which is what the attacker is interested in.
3. The attacker sends a normal SYN packet on a specific port to the target (the 1st step of the TCP negotiation process) by spoofing its IP address with that of the zombie.
4. (IF the port is open) The target responds to the zombie (because the packet has come from it) with a SYN/ACK packet.
5. (IF the port is open) The zombie responds to the target with an RST packet (because it didn’t send the SYN packet and it doesn’t expect a SYN/ACK). The IPID increases (usually by one, but the actual step is different on some systems).
6. (IF the port is filtered/closed) Nothing else happens and the IPID is not increased.
7. The attacker sends another SYN/ACK packet to the zombie.
8. The zombie responds with an RST packet. If the value has increased by only one, then the port we’re interested in is closed. If the value has increased by two, then the port is open.
By using this method we can search for open ports without being detected. There are several prerequisites for a device to be used as a zombie. It definitely can’t be a heavily used user’s computer. It should be a device that doesn’t communicate over the network too much. That’s for the IPID to be meaningful. The zombie’s system should also respond with predictable IPIDs, i.e. increasing by 1 or by 256. Usually, printers are good candidates for zombies. You may think of securing your own organization from that type of attack by investigating the traffic originating from a printer.
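To make the IPID arithmetic in steps 1 to 8 concrete, here is a small Python model of the exchange, plus the check a defender can run on IPID samples from a host to see whether it would make a usable zombie. This is an added example, not code from the original article; `Zombie`, `Target`, `idle_probe` and `ipid_predictable` are constructed names and no real packets are sent.

```python
# Constructed simulation of the IPID side channel described in the steps above.
class Zombie:
    """Idle host: every packet it emits consumes one IPID (step 1 or 256)."""
    def __init__(self, step=1, start=1000):
        self.ipid, self.step = start, step

    def send_rst(self):
        self.ipid += self.step
        return self.ipid

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port, claimed_src):
        # Open port: the SYN/ACK goes to the spoofed source (the zombie), which RSTs it.
        # Closed or filtered port: the zombie gets an RST or nothing and stays silent.
        if port in self.open_ports:
            claimed_src.send_rst()

def idle_probe(zombie, target, port, noise=0):
    """Steps 1-8; noise = unrelated packets the zombie sends meanwhile."""
    before = zombie.send_rst()            # steps 1-2: probe the zombie, read IPID
    target.receive_syn(port, zombie)      # steps 3-6: spoofed SYN as the zombie
    for _ in range(noise):                # a busy zombie breaks the inference
        zombie.send_rst()
    after = zombie.send_rst()             # steps 7-8: probe the zombie again
    return "open" if after - before == 2 * zombie.step else "closed/filtered"

def ipid_predictable(samples):
    """Return the constant IPID increment (1 or 256) if the host shows one, else None."""
    diffs = {b - a for a, b in zip(samples, samples[1:])}
    if len(diffs) == 1:
        step = diffs.pop()
        if step in (1, 256):
            return step
    return None

if __name__ == "__main__":
    z, t = Zombie(step=1), Target(open_ports={80})
    print(idle_probe(z, t, 80), idle_probe(z, t, 22))        # open closed/filtered
    print(idle_probe(z, t, 22, noise=1))                      # wrongly reads "open"
    print(ipid_predictable([40, 41, 42, 43]), ipid_predictable([40, 57, 58, 99]))
```

The `noise` parameter shows why a busy host is useless as a zombie: one unrelated packet between the two probes makes a closed port read as open. `ipid_predictable` is the check to run on your own devices, such as printers, to find hosts whose IPID counter is sequential.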
Another interesting technique we can try to use to get past firewalls is to search for “emergency” admin access. There are organizations that have such an access point in place, just in case everything with the network is down. It is usually a modem access and is much less secure. We can try to find such an access point by war dialling numbers preceding or following the public numbers of the company.
Now let’s spend some more time investigating nmap’s functionality. There are several ways for you to use nmap. You can download the application for Windows (zenmap); for Mac OS X, there is the browser version (inprotect); or you can scan your local machine with nmap-online.com. However, the most commonly used is the Linux command-line version. There are a whole bunch of things that nmap can do. Here we will focus on the main functions that nmap provides and we will list the command that goes with each function for quick further reference.
• nmap -sP [-vv] 10.0.0.0/24 – ping sweep [very verbose]
• nmap -Pn 10.10.10.49 – assumes that the host is online and starts discovering open ports
• nmap -sP -PP 10.0.0.14 – timestamp request (to see if the host is up)
• nmap -sT 10.0.0.0/24 – very accurate but noisy; it attempts to establish a full TCP session with open ports
• nmap -sU 10.0.0.0 – scans for open UDP ports
• nmap -sL 10.0.0.0/24 – scans for PTR records in order to find the subnet used by an organization
• nmap -sP -T1 (polite) / -T2 / -T3 (default) / -T4 / -T5 (insane) – waits an interval between the scans. T1 is the one that is most commonly used because it’s silent; however, it is also slower.
• nmap -sF 10.10.10.90 – FIN scan (FIN packets are similar to RST packets and they end communication)
• nmap -sN – null scan (sends NULL instead of a port number; it may work on firewalls that block specific ports)
• nmap -sX – Christmas tree scan (sends the FIN, PUSH and URGENT flags at once)
• nmap -sX -f 10.10.10.80 – fragments the packets (also works with hping3). IDSes will most likely not understand your intent because they won’t be able to inspect whole packets but only small parts of them.
• nmap -Pn -p- -sI 10.0.0.3 10.0.0.7 – performs a side channel attack (also known as idle scan), using 10.0.0.3 as the zombie against the target 10.0.0.7
Nmap is a free product so you can easily download and test it. Furthermore, you can read the documentation and find many more functions not mentioned in this brief description.
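As recommended earlier, the results of these scans should end up in one place. nmap’s grepable output (`-oG`) is easy to consolidate: every line starts with `Host:` and carries tab-separated `Status:` and `Ports:` fields, with each port written as `port/state/protocol/owner/service/rpcinfo/version/`. The parser below is an added example, not code from the original article or from the nmap project; the scan output it reads is a constructed sample, and the role heuristic in `likely_role` is just the “open ports suggest a role” rule of thumb from the article.

```python
import re

# Constructed nmap -oG output (not a real scan) in the format this example parses.
GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.14 (printer.example.lan)\tStatus: Up
Host: 10.0.0.14 (printer.example.lan)\tPorts: 80/open/tcp//http//, 9100/open/tcp//jetdirect//\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh//, 80/filtered/tcp//http//, 443/open/tcp//https//
Host: 10.0.0.49 (gw.example.lan)\tStatus: Down
"""
HOST = re.compile(r"^Host: (\S+) \(([^)]*)\)")
PORT = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")

def parse_grepable(text):
    """Merge every line about a host into one record: name, status and ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST.match(line)
        if not m:
            continue                      # comment lines and trailer
        ip, name = m.groups()
        rec = hosts.setdefault(ip, {"name": name or None, "status": None, "ports": {}})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                for port, state, proto, service in PORT.findall(value):
                    rec["ports"][(int(port), proto)] = (state, service)
    return hosts

def likely_role(rec):
    """Rough guess from open TCP ports; a hint for the notes, not a fact."""
    open_tcp = {p for (p, proto), (state, _) in rec["ports"].items()
                if proto == "tcp" and state == "open"}
    if 9100 in open_tcp:
        return "printer"
    if open_tcp & {80, 443}:
        return "web server"
    return "unknown"

if __name__ == "__main__":
    for ip, rec in parse_grepable(GREPABLE).items():
        print(ip, rec["name"], rec["status"], likely_role(rec), sorted(rec["ports"]))
```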
Have you finished scanning your target networks? Have you been able to find at least one new vulnerability to close? If yes, we’re glad we’ve helped. Stay tuned for our next CEH article!