Scanning - PowerPoint PPT Presentation

Slides: 16
Provided by: Honol5


Scanning & Enumeration
  • Lab 3
  • Once an attacker knows whom to attack and some of
    what is there (e.g. DNS servers, mail servers,
    etc.), the next step is to map the rest of the
    network and find its vulnerabilities.

Network Scanning and Enumeration
  • The process of collecting information about
    computers (assets) available on a network, either by
  • listening to network traffic (passive), or
  • probing the network by sending traffic and
    observing what traffic is returned as a result
    (active).
  • E.g. sweep an address range with ping to find live
    IP addresses
  • Once you know what is there, you can attack it
    appropriately
  • Scan for open ports to see what services are
    available, then apply the appropriate exploits
  • Enumerate user names and passwords, unused
    accounts, etc.

Port and Vulnerability Scanning
  • Once you know a device is present, what are its
  • Apply some programs to check all ports, looking
    for open ports
  • Some services running on certain ports have known
  • http//
  • http//
  • Or you can apply some programs that specifically
    look for vulnerabilities (combo of network, port
    and vulnerability scan)

Scanning Programs
  • Tools used to identify what computers are active
    on a network, and which ports and services are
    available on each computer.
  • Verify which IP addresses are active on a network
  • ping sweep
  • Determine what services are available from each
  • port scan
  • Note port scanning may be illegal in some
  • Examples
  • nmap (http//
  • unicornscan (http//
  • superscan (http//
  • nessus (http//
  • fping (http//, hping

Caveat tools have their own footprints - but not
  • While Nmap attempts to produce accurate results,
    keep in mind that all of its insights are based
    on packets returned by the target machines (or
    firewalls in front of them). Such hosts may be
    untrustworthy and send responses intended to
    confuse or mislead Nmap.
  • Much more common are non-RFC-compliant hosts
    that do not respond as they should to Nmap
    probes. FIN, NULL, and Xmas scans are
    particularly susceptible to this problem. Such
    issues are specific to certain scan types and so
    are discussed in the individual scan type
  • Truly advanced Nmap users need not limit
    themselves to the canned scan types offered. The
    --scanflags option allows you to design your own
    scan by specifying arbitrary TCP flags. Let your
    creative juices flow, while evading intrusion
    detection systems whose vendors simply paged
    through the Nmap man page adding specific rules!
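The custom-flag probes the caveat above talks about, as an added example that is not code from the original slides or from Nmap itself. It parses an --scanflags style value the way Nmap accepts it (a number or a run of flag names), builds a TCP header carrying exactly those flags with a correct checksum over the IPv4 pseudo-header, and classifies a reply by its flags. The checksum routine, the 192.0.2.x addresses (RFC 5737 TEST-NET), the simplified interpretation rule in `classify_response` and all function names are this example's own assumptions; putting a crafted segment on the wire needs a raw socket (CAP_NET_RAW or root).

```python
"""Craft TCP probe segments with arbitrary flag combinations and read the
replies, in the spirit of Nmap's --scanflags.

Added example, not code from the original slides or from Nmap. The flag names
are the ones --scanflags accepts; the header builder, checksum, assumed
192.0.2.x addresses and the function names are this example's own.
"""
import socket
import struct

# TCP flag bits (RFC 793; ECE/CWR from RFC 3168) as they sit in header byte 13.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}

# Nmap's canned probe types as flag masks.
CANNED_SCANS = {
    "SYN": TCP_FLAGS["SYN"],
    "NULL": 0,
    "FIN": TCP_FLAGS["FIN"],
    "XMAS": TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"],
}


def parse_scanflags(spec):
    """Parse an --scanflags value: a number ("9", "0x29") or a run of names ("URGPSHFIN")."""
    spec = spec.strip().upper()
    try:
        return int(spec, 0) & 0xFF
    except ValueError:
        pass
    mask, rest = 0, spec
    while rest:
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                mask |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag in {spec!r}")
    return mask


def flag_names(mask):
    """Render a flag mask as e.g. 'FIN|PSH|URG' ('NONE' for a NULL probe)."""
    names = [n for n, b in TCP_FLAGS.items() if mask & b]
    return "|".join(names) if names else "NONE"


def internet_checksum(data):
    """RFC 1071 one's-complement checksum; odd-length data is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    # IPv4 pseudo-header that the TCP checksum also covers.
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flags, seq=0, ack=0,
                      window=1024, payload=b""):
    """Return a 20-byte TCP header (+payload) carrying exactly `flags`, with a valid checksum."""
    data_offset = 5  # header length in 32-bit words: 20 bytes, no options
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      data_offset << 4, flags & 0xFF, window, 0, 0)
    cksum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", cksum) + hdr[18:] + payload


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """True if the checksum is valid for this src/dst pair (one's-complement sum of everything is zero)."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags_of(segment):
    """Flag byte of a TCP segment (byte 13)."""
    return segment[13]


def classify_response(probe_flags, reply_flags):
    """Port state from the reply's flags (None = nothing came back after retries).

    Simplification of Nmap's rules (this example's assumption): a probe with SYN set is
    read like a SYN scan (no reply -> filtered); any other combination is read like the
    NULL/FIN/Xmas family, where silence is ambiguous (open|filtered).
    """
    if reply_flags is None:
        return "filtered" if probe_flags & TCP_FLAGS["SYN"] else "open|filtered"
    if reply_flags & TCP_FLAGS["RST"]:
        return "closed"
    syn_ack = TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]
    if probe_flags & TCP_FLAGS["SYN"] and (reply_flags & syn_ack) == syn_ack:
        return "open"
    return "unexpected:" + flag_names(reply_flags)


def send_probe(src_ip, dst_ip, dst_port, flags, src_port=40000):
    """Put a crafted segment on the wire (raw socket; requires root). Not exercised offline."""
    seg = build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flags)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as raw:
        raw.sendto(seg, (dst_ip, 0))  # the kernel adds the IP header
    return seg


if __name__ == "__main__":
    xmas = parse_scanflags("URGPSHFIN")
    seg = build_tcp_segment("192.0.2.1", "192.0.2.2", 40000, 80, xmas)
    print(flag_names(xmas), hex(xmas), seg.hex())
    print(classify_response(xmas, None), classify_response(xmas, TCP_FLAGS["RST"] | TCP_FLAGS["ACK"]))
```

The point of crafting the header by hand is that the flag byte is entirely under the scanner's control: an IDS rule keyed on the exact Xmas (FIN|PSH|URG) or NULL patterns from the Nmap man page will not match FIN|URG or PSH|ACK, yet a closed port still answers all of them with RST. Note that `classify_response` can only say "closed" with confidence; for non-SYN probes, silence is never proof that a port is open.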

Different kinds of scans explained
  • http//

Internet Control Message Protocol (ICMP)
  • Lets hosts and routers exchange control messages
    and report errors (e.g. destination unreachable,
    time exceeded) so that problems on a network path
    can be detected.
  • The PING utility is based on ICMP echo requests
    (type 8) and echo replies (type 0).
  • PING is used to verify whether another network
    host is reachable.

UDP Scanning (UDP Protocol)
  • Send UDP packets to a target host to determine
    which UDP ports are open.
  • A sequence of packets is sent to a series of
    different UDP port numbers to test the
    availability of each port.
  • If the UDP port is NOT OPEN, the target replies
    with an ICMP Destination Unreachable (type 3,
    code 3, port unreachable) for the probe.
  • If the UDP port is OPEN, usually no reply is sent
    (only a few services answer an arbitrary probe).
    Because a probe dropped by a firewall also gets no
    reply, silence means open|filtered rather than
    open, so scanners retransmit and slow down when
    the target rate-limits its ICMP errors.
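The UDP probing logic above, as an added example that is not code from the original slides or from Nmap. It needs no raw socket: on Linux and the BSDs, the ICMP port unreachable that a closed port sends back is delivered to a connected UDP socket as ECONNREFUSED (ConnectionRefusedError in Python) on the next send or recv, which is how the scanner tells "closed" from "no answer". The loopback targets are constructed for the demo, and the function and class names are this example's own.

```python
"""UDP port probing with an ordinary, unprivileged UDP socket.

Added example, not code from the original slides or from Nmap. Relies on the
kernel delivering ICMP port-unreachable errors to a *connected* UDP socket as
ECONNREFUSED (Linux/BSD behaviour). The loopback targets are constructed for
the demo; the names are this example's own.
"""
import socket
import threading


def probe_udp_port(host, port, payload=b"\x00", timeout=1.0, retries=2):
    """Return 'open', 'closed' or 'open|filtered' for host:port.

    A reply means open. ICMP port unreachable means closed. Silence after the
    retries is ambiguous (open service ignoring the probe, or a firewall dropping
    it), so it is reported as open|filtered, as Nmap does.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connect() so ICMP errors are reported on this socket
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(4096)
                return "open"
            except ConnectionRefusedError:
                return "closed"  # ICMP type 3 code 3 came back for our probe
            except socket.timeout:
                continue  # retransmit: UDP probes are often lost or rate-limited
    return "open|filtered"


class LoopbackUdpTarget:
    """Constructed target on 127.0.0.1: echoes probes if `reply` is True, else stays silent."""

    def __init__(self, reply):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        if reply:
            threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(4096)
                self.sock.sendto(data, peer)
            except socket.timeout:
                continue
            except OSError:
                break

    def close(self):
        self._stop.set()
        self.sock.close()


def pick_closed_udp_port():
    """Bind and immediately release an ephemeral port, so nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_demo():
    """Probe an answering service, a silent one and a closed port on loopback."""
    echo, silent = LoopbackUdpTarget(reply=True), LoopbackUdpTarget(reply=False)
    try:
        return {
            "echo": probe_udp_port("127.0.0.1", echo.port),
            "silent": probe_udp_port("127.0.0.1", silent.port, timeout=0.3),
            "closed": probe_udp_port("127.0.0.1", pick_closed_udp_port()),
        }
    finally:
        echo.close()
        silent.close()


if __name__ == "__main__":
    for name, state in udp_demo().items():
        print(f"{name:7s} {state}")
```

Running the demo gives `open` for the echoing service, `closed` for the released port and `open|filtered` for the bound-but-silent socket, which is exactly the ambiguity the slide glosses over: from the scanner's side, an open service that ignores a probe looks the same as a filtered port. Real scanners narrow this down by sending protocol-specific payloads (a DNS query to 53, an SNMP request to 161) that an open service will actually answer.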

TCP Scanning (TCP Protocol)
  • Based on various features of TCP.
  • Some of the features used for scanning and
    enumeration include
  • Opening a TCP connection (3-way handshake)
  • Closing a TCP connection
  • TCP connection reset
  • TCP null scan

TCP 3-way handshake
  • Used to establish a TCP connection.
  • Packet sequence for 3-way handshake
  • SYN segment - requests a connection (e.g., with a
  • SYN-ACK - acknowledges the (client's) SYN
    information and provides the (server's)
    information for establishing the connection.
  • ACK - acknowledges the (server's) information
  • This process can be used to determine which TCP
    ports are open on a server.

Closing a TCP Connection
  • Uses a four-segment exchange (a FIN and an ACK in
    each direction) rather than a 3-way handshake
  • FIN - indicates that one host (e.g., Host B)
    has finished sending data and is ready to close
    the connection.
  • ACK
  • Host A acknowledges receipt of the FIN.
  • Connection is "half-closed" at this point.
  • Host B transmits no more data; Host A may still
    send.
  • FIN
  • Host A indicates it is now ready to close the
    connection.
  • ACK
  • Host B acknowledges A's FIN.
  • The connection is closed when Host A receives the
    final ACK from Host B.

TCP Connection Reset
  • Allows an application to disconnect from a
    connection in abnormal circumstances.
  • Either host initiates by sending a TCP segment
    with the RST bit set.
  • Receiving host immediately aborts the connection
    and informs the application program that a reset
    has occurred.

Some Types of TCP Port Scans
  • SYN scan (half-open scan)
  • Send a SYN packet
  • If port closed, target responds with RST/ACK
  • If port open, target responds with SYN/ACK
  • Sender answers with a RST to tear down the
    half-open connection, so no full connection is
    ever established
  • If nothing comes back after retries, the port is
    reported as filtered
  • Connect scan
  • Similar to SYN scan but completes the 3-way
    handshake through the OS connect() call, so it
    needs no raw sockets or privileges
  • Connection is established, so the service sees
    (and may log) it
  • NULL scan
  • Send a packet with all flags OFF
  • If destination port closed, RST packet sent
  • If destination port open, no response is sent;
    since a filtered port is also silent, the result
    is open|filtered
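The connect scan from the list above, as an added example that is not code from the original slides or from Nmap. Where a SYN scan needs raw sockets to send the SYN and the RST by hand, connect() lets the operating system run the whole three-way handshake, and the socket error that comes back maps directly onto the port state: handshake completed means open, RST (ConnectionRefusedError) means closed, no answer within the timeout means filtered. The loopback listener and the function names are this example's own.

```python
"""TCP connect scan using the operating system's TCP stack.

Added example, not code from the original slides or from Nmap. connect()
completes the three-way handshake, so it needs no raw sockets or privileges,
but the target service sees a full connection (and can log it), which is the
trade-off against the half-open SYN scan. The loopback listener and the
function names are this example's own.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def connect_scan_port(host, port, timeout=1.0):
    """Classify one TCP port: 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # SYN -> SYN/ACK -> ACK, all done by the kernel
            return "open"
        except ConnectionRefusedError:
            return "closed"  # the SYN was answered with RST/ACK
        except socket.timeout:
            return "filtered"  # the SYN was dropped silently (firewall, or host down)
        except OSError:
            return "filtered"  # e.g. ICMP host/network unreachable
    # Leaving the `with` block closes the socket: the OS sends a FIN, where a
    # SYN scanner would have sent a RST before the handshake completed.


def connect_scan(host, ports, timeout=1.0, workers=64):
    """Scan several ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: connect_scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def start_tcp_listener():
    """Constructed target: a listening TCP socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def pick_closed_tcp_port():
    """Bind and release an ephemeral port so nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan_demo():
    """Scan one open and one closed loopback port; returns (states, open_port, closed_port)."""
    srv, open_port = start_tcp_listener()
    closed_port = pick_closed_tcp_port()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return states, open_port, closed_port


if __name__ == "__main__":
    states, o, c = connect_scan_demo()
    for port, state in sorted(states.items()):
        print(f"127.0.0.1:{port}\t{state}")
```

The listener never calls accept(), yet the port still reports open: the kernel completes the handshake into the backlog on the server's behalf, which is also why a connect scan shows up in the target's connection logs while a SYN scan usually does not. Pointing `connect_scan_port` at an address that drops packets (with a short timeout) returns "filtered", the third state the slide's SYN-scan rules leave implicit.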

Enumeration
  • The process of extracting information from a
  • Resources or shares available on the network
  • Determine OS using fingerprinting/scanning
  • User names or groups assigned on the network
  • The last time a user logged on as well as his/her
  • http//
  • Tools
  • NBTscan (http//
  • NetScanTools Pro (http// )
  • Hyena (http//
  • Finger (http//
  • IKE-Scan (http//
    n/ )

Vulnerability Scanners
  • Programs designed to search for and map systems
    to look for weaknesses in an application,
    computer or network.
  • http//
  • http//
  • Tools
  • nessus (http// )
  • SAINT (http//
  • Microsoft Baseline Security Analyzer