SlideShare ist ein Scribd-Unternehmen logo

Ch 5: Port Scanning

Sam Bowne
Sam Bowne

Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610. Instructor: Sam Bowne Class website: https://samsclass.info/123/123_S17.shtml

Bildung
1 von 50
Downloaden Sie, um offline zu lesen
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last revised 10-4-17
KonBoot ● Get into any account without the password ● Works on Windows and Linux ● No longer free ● Link Ch 5r
From the Projects: UBCD ● Proj 13 ● Create new administrator user on a Windows computer ● Based on Win XP Pre-Boot Environment; causes BSOD on some modern systems
Linux-Based UBCD ● Proj X7 ● Promote normal user to administrator user on a Windows computer ● Works well on modern systems
Objectives ● Describe port scanning ● Describe different types of port scans ● Describe various port-scanning tools ● Explain what ping sweeps are used for ● Explain how shell scripting is used to automate security tasks 4
Introduction to Port Scanning ● Port Scanning ● Finds out which services are offered by a host ● Identifies vulnerabilities ● Open services can be used on attacks ● Identify a vulnerable port ● Launch an exploit ● Scan all ports when testing ● Not just well-known ports 5
6
6
6
6
11
Introduction to Port Scanning (continued) ● Port scanning programs report ● Open ports ● Closed ports ● Filtered ports ● Best-guess assessment of which OS is running 7
Is Port Scanning Legal? ● The legal status of port scanning is unclear ● If you have permission, it's legal ● If you cause damage of $5,000 or more, it may be illegal ● For more, see links Ch 5a and Ch 5b 8
Normal TCP Handshake Client SYN ! Server Client " SYN/ACK Server Client ACK ! Server After this, you are ready to send data 9
SYN Port Scan Client SYN ! Server Client " SYN/ACK Server Client RST ! Server The server is ready, but the client decided not to complete the handshake 10
Types of Port Scans ● SYN scan ● Stealthy scan, because session handshakes are never completed ● That keeps it out of some log files ● Three states ● Closed ● Open ● Filtered 11
Types of Port Scans ● Connect scan ● Completes the three-way handshake ● Not stealthy--appears in log files ● Three states ● Closed ● Open ● Filtered 12
Types of Port Scans ● NULL scan ● All the packet flags are turned off ● Two results: ● Closed ports reply with 
 RST ● Open or filtered ports give 
 no response 13
Types of Port Scans ● XMAS scan ● FIN, PSH and URG flags are set ● Works like a NULL scan – a closed port responds with an RST packet ● FIN scan ● Only FIN flag is set ● Closed port responds with an RST packet 14
Windows Machines ● NULL, XMAS and FIN scans don't work on Windows machines ● Win 2000 Pro and Win Server 2003 shows all ports closed ● Win XP Pro all ports open/filtered ● See the NMAP tutorial (link Ch 5c) 15
Types of Port Scans ● Ping scan ● Simplest method sends ICMP ECHO REQUEST to the destination(s) ● TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap) ● Any response shows the target is up 16
Types of Port Scans (continued) ● ACK scan ● Used to get information about a firewall ● Stateful firewalls track connection and block unsolicited ACK packets ● Stateless firewalls just block incoming SYN packets, so you get a RST response ● UDP scan ● Closed port responds with ICMP “Port Unreachable” message ● Rarely used--but much improved in latest Nmap version (2010) 17
Using Port-Scanning Tools ● Nmap ● Nessus and OpenVAS (the GPL-licensed fork of Nessus) ● A complete vulnerabilty scanner, more than a port scanner 23
Nmap ● Originally written for Phrack magazine ● One of the most popular tools ● GUI versions ● Xnmap and Ubuntu's NmapFE ● Open source tool ● Standard tool for security professionals 24
The Matrix Reloaded ● Trinity uses Nmap ● Video at link Ch 4e 25
26
Nessus ● First released in 1998 ● No longer free, free version is called OpenVAS(GreenBone) ● Uses a client/server technology ● Can conduct tests from different locations ● Can use different OSs for client and network 29
Nessus (continued) ● Finds services running on ports ● Finds vulnerabilities associated with identified services 32
31
30 OpenVAS (Greenbone)
31
32
Conducting Ping Sweeps ● Ping sweeps ● Identify which IP addresses belong to active hosts ● Ping a range of IP addresses ● Problems ● Computers that are shut down cannot respond ● Networks may be configured to block ICMP Echo Requests ● Firewalls may filter out ICMP traffic 34
FPing ● Ping multiple IP addresses simultaneously ● www.fping.com/download ● Command-line tool ● Input: multiple IP addresses ● To enter a range of addresses ● -g option ● Input file with addresses ● -f option ● See links Ch 5k, 5l 35
36
37
Hping ● Used to bypass filtering devices ● Allows users to fragment and manipulate IP packets ● www.hping.org/download ● Powerful tool ● All security testers must be familiar with tool ● Supports many parameters (command options) ● See links Ch 5m, Ch 5n 38
39
40
41
Broadcast Addresses ● If you PING a broadcast address, that can create a lot of traffic ● Normally the broadcast address ends in 255 ● But if your LAN is subnetted with a subnet mask like 255.255.255.192 ● There are other broadcast addresses ending in 63, 127, and 191 42
Smurf Attack ● Pinging a broadcast address on an old network resulted in a lot of ping responses ● So just put the victim's IP address in the "From" field ● The victim is attacked by a flood of pings, none of them directly from you ● Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks ● Windows XP and Ubuntu don't respond to broadcast PINGs ● See links Ch 5o, 5p 43
Broadcast Ping at CCSF
Crafting IP Packets ● Packet components ● Source IP address ● Destination IP address ● Flags ● Crafting packets helps you obtain more information about a service ● Tools ● Fping ● Hping 45
Understanding Shell Scripting ● Modify tools to better suit your needs ● Script ● Computer program that automates tasks ● Time-saving solution 46
Scripting Basics ● Similar to DOS batch programming ● Script or batch file ● Text file ● Contains multiple commands ● Repetitive commands are good candidate for scripting ● Practice is the key 47
48
Scapy ● Packet-crafting python utility ● Proj 9, 10, 17, X11, X12, X13
Python ● Write your own tools ● Using this book in CNIT 124
50

Empfohlen

Port Scanning
Port ScanningPort Scanning
Port Scanningamiable_indian
 
Port scanning
Port scanningPort scanning
Port scanningHemanth Pasumarthi
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 

Empfohlen

Port Scanning
Port ScanningPort Scanning
Port Scanningamiable_indian
 
Port scanning
Port scanningPort scanning
Port scanningHemanth Pasumarthi
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Network scanning
Network scanningNetwork scanning
Network scanningoceanofwebs
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksSam Bowne
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat IntelligenceDeepak Kumar (D3)
 
NMAP
NMAPNMAP
NMAPPrateekAryan1
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
Network scanning
Network scanningNetwork scanning
Network scanningMD SAQUIB KHAN
 
Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewSam Bowne
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksSam Bowne
 

Weitere ähnliche Inhalte

Was ist angesagt?

NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Network scanning
Network scanningNetwork scanning
Network scanningoceanofwebs
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksSam Bowne
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 

Was ist angesagt? (20)

NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer Attacks
 
System hacking
System hackingSystem hacking
System hacking
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Application Security
Application SecurityApplication Security
Application Security
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
NMAP
NMAPNMAP
NMAP
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Network scanning
Network scanningNetwork scanning
Network scanning
 

Andere mochten auch

Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewSam Bowne
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksSam Bowne
 
Ch 12: Cryptography
Ch 12: CryptographyCh 12: Cryptography
Ch 12: CryptographySam Bowne
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 
CNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewCNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewSam Bowne
 
Ch 3: Network and Computer Attacks
Ch 3: Network and Computer AttacksCh 3: Network and Computer Attacks
Ch 3: Network and Computer AttacksSam Bowne
 
Ch 6: Enumeration
Ch 6: EnumerationCh 6: Enumeration
Ch 6: EnumerationSam Bowne
 
Ch 13: Network Protection Systems
Ch 13: Network Protection SystemsCh 13: Network Protection Systems
Ch 13: Network Protection SystemsSam Bowne
 
Ch 7: Programming for Security Professionals
Ch 7: Programming for Security ProfessionalsCh 7: Programming for Security Professionals
Ch 7: Programming for Security ProfessionalsSam Bowne
 
CNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareCNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareSam Bowne
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)Sam Bowne
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)SSASIT
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsSam Bowne
 
CISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset SecurityCISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset SecuritySam Bowne
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne
 

Andere mochten auch (20)

Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts Review
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless Networks
 
Ch 12: Cryptography
Ch 12: CryptographyCh 12: Cryptography
Ch 12: Cryptography
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
Port Scanning Overview
Port Scanning OverviewPort Scanning Overview
Port Scanning Overview
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
CNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewCNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking Overview
 
Ch 3: Network and Computer Attacks
Ch 3: Network and Computer AttacksCh 3: Network and Computer Attacks
Ch 3: Network and Computer Attacks
 
Ch 6: Enumeration
Ch 6: EnumerationCh 6: Enumeration
Ch 6: Enumeration
 
Ch 13: Network Protection Systems
Ch 13: Network Protection SystemsCh 13: Network Protection Systems
Ch 13: Network Protection Systems
 
Ch 7: Programming for Security Professionals
Ch 7: Programming for Security ProfessionalsCh 7: Programming for Security Professionals
Ch 7: Programming for Security Professionals
 
CNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareCNIT 128 5: Mobile malware
CNIT 128 5: Mobile malware
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows Programs
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of Windows
 
CISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset SecurityCISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset Security
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
 

Ähnlich wie Ch 5: Port Scanning

Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBakry3
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Frameworkegypt
 
Socket Programming using Java
Socket Programming using JavaSocket Programming using Java
Socket Programming using JavaRahul Hada
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.pptVarunBehere1
 
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Paolo Saviano
 
CurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious CharactersCurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious Characterspieterh
 
Node finder presentation
Node finder presentationNode finder presentation
Node finder presentationVarun Varshney
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)Andrew Denner
 
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security GLC Networks
 
Bsdtw17: lightning talks/wip sessions
Bsdtw17: lightning talks/wip sessionsBsdtw17: lightning talks/wip sessions
Bsdtw17: lightning talks/wip sessionsScott Tsai
 
Building a Small DC
Building a Small DCBuilding a Small DC
Building a Small DCAPNIC
 
Building a Small Datacenter
Building a Small DatacenterBuilding a Small Datacenter
Building a Small Datacenterssuser4b98f0
 
How can OpenNebula fit your needs - OpenNebulaConf 2013
How can OpenNebula fit your needs - OpenNebulaConf 2013 How can OpenNebula fit your needs - OpenNebulaConf 2013
How can OpenNebula fit your needs - OpenNebulaConf 2013 Maxence Dunnewind
 
Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011Opersys inc.
 
Using Mikrotik Switch Features to Improve Your Network
Using Mikrotik Switch Features to Improve Your Network Using Mikrotik Switch Features to Improve Your Network
Using Mikrotik Switch Features to Improve Your Network GLC Networks
 
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...egypt
 

Ähnlich wie Ch 5: Port Scanning (20)

Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
 
Socket Programming using Java
Socket Programming using JavaSocket Programming using Java
Socket Programming using Java
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
 
CurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious CharactersCurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious Characters
 
Node finder presentation
Node finder presentationNode finder presentation
Node finder presentation
 
Twisted
TwistedTwisted
Twisted
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on Mikrotik
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)
 
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
 
Bsdtw17: lightning talks/wip sessions
Bsdtw17: lightning talks/wip sessionsBsdtw17: lightning talks/wip sessions
Bsdtw17: lightning talks/wip sessions
 
Building a Small DC
Building a Small DCBuilding a Small DC
Building a Small DC
 
Lisa14
Lisa14Lisa14
Lisa14
 
Building a Small Datacenter
Building a Small DatacenterBuilding a Small Datacenter
Building a Small Datacenter
 
Irc how to sept 2012
Irc how to sept 2012Irc how to sept 2012
Irc how to sept 2012
 
How can OpenNebula fit your needs - OpenNebulaConf 2013
How can OpenNebula fit your needs - OpenNebulaConf 2013 How can OpenNebula fit your needs - OpenNebulaConf 2013
How can OpenNebula fit your needs - OpenNebulaConf 2013
 
Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011
 
Using Mikrotik Switch Features to Improve Your Network
Using Mikrotik Switch Features to Improve Your Network Using Mikrotik Switch Features to Improve Your Network
Using Mikrotik Switch Features to Improve Your Network
 
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
 

Mehr von Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 

Mehr von Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Kürzlich hochgeladen

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfNirmal Dwivedi
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 

Kürzlich hochgeladen (20)

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 

Ch 5: Port Scanning

  • 1. Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last revised 10-4-17
  • 2. KonBoot ● Get into any account without the password ● Works on Windows and Linux ● No longer free ● Link Ch 5r
  • 3. From the Projects: UBCD ● Proj 13 ● Create new administrator user on a Windows computer ● Based on Win XP Pre-Boot Environment; causes BSOD on some modern systems
  • 4. Linux-Based UBCD ● Proj X7 ● Promote normal user to administrator user on a Windows computer ● Works well on modern systems
  • 5. Objectives ● Describe port scanning ● Describe different types of port scans ● Describe various port-scanning tools ● Explain what ping sweeps are used for ● Explain how shell scripting is used to automate security tasks 4
  • 6. Introduction to Port Scanning ● Port Scanning ● Finds out which services are offered by a host ● Identifies vulnerabilities ● Open services can be used on attacks ● Identify a vulnerable port ● Launch an exploit ● Scan all ports when testing ● Not just well-known ports 5
  • 7. 6
  • 8. 6
  • 9. 6
  • 10. 6
  • 11. 11
  • 12. Introduction to Port Scanning (continued) ● Port scanning programs report ● Open ports ● Closed ports ● Filtered ports ● Best-guess assessment of which OS is running 7
  • 13. Is Port Scanning Legal? ● The legal status of port scanning is unclear ● If you have permission, it's legal ● If you cause damage of $5,000 or more, it may be illegal ● For more, see links Ch 5a and Ch 5b 8
  • 14. Normal TCP Handshake Client SYN ! Server Client " SYN/ACK Server Client ACK ! Server After this, you are ready to send data 9
  • 15. SYN Port Scan Client SYN ! Server Client " SYN/ACK Server Client RST ! Server The server is ready, but the client decided not to complete the handshake 10
  • 16. Types of Port Scans ● SYN scan ● Stealthy scan, because session handshakes are never completed ● That keeps it out of some log files ● Three states ● Closed ● Open ● Filtered 11
  • 17. Types of Port Scans ● Connect scan ● Completes the three-way handshake ● Not stealthy--appears in log files ● Three states ● Closed ● Open ● Filtered 12
  • 18. Types of Port Scans ● NULL scan ● All the packet flags are turned off ● Two results: ● Closed ports reply with 
 RST ● Open or filtered ports give 
 no response 13
  • 19. Types of Port Scans ● XMAS scan ● FIN, PSH and URG flags are set ● Works like a NULL scan – a closed port responds with an RST packet ● FIN scan ● Only FIN flag is set ● Closed port responds with an RST packet 14
  • 20. Windows Machines ● NULL, XMAS and FIN scans don't work on Windows machines ● Win 2000 Pro and Win Server 2003 shows all ports closed ● Win XP Pro all ports open/filtered ● See the NMAP tutorial (link Ch 5c) 15
  • 21. Types of Port Scans ● Ping scan ● Simplest method sends ICMP ECHO REQUEST to the destination(s) ● TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap) ● Any response shows the target is up 16
  • 22. Types of Port Scans (continued) ● ACK scan ● Used to get information about a firewall ● Stateful firewalls track connection and block unsolicited ACK packets ● Stateless firewalls just block incoming SYN packets, so you get a RST response ● UDP scan ● Closed port responds with ICMP “Port Unreachable” message ● Rarely used--but much improved in latest Nmap version (2010) 17
  • 23. Using Port-Scanning Tools ● Nmap ● Nessus and OpenVAS (the GPL-licensed fork of Nessus) ● A complete vulnerabilty scanner, more than a port scanner 23
  • 24. Nmap ● Originally written for Phrack magazine ● One of the most popular tools ● GUI versions ● Xnmap and Ubuntu's NmapFE ● Open source tool ● Standard tool for security professionals 24
  • 25. The Matrix Reloaded ● Trinity uses Nmap ● Video at link Ch 4e 25
  • 26. 26
  • 27. Nessus ● First released in 1998 ● No longer free, free version is called OpenVAS(GreenBone) ● Uses a client/server technology ● Can conduct tests from different locations ● Can use different OSs for client and network 29
  • 28. Nessus (continued) ● Finds services running on ports ● Finds vulnerabilities associated with identified services 32
  • 29. 31
  • 31. 31
  • 32. 32
  • 33. Conducting Ping Sweeps ● Ping sweeps ● Identify which IP addresses belong to active hosts ● Ping a range of IP addresses ● Problems ● Computers that are shut down cannot respond ● Networks may be configured to block ICMP Echo Requests ● Firewalls may filter out ICMP traffic 34
  • 34. FPing ● Ping multiple IP addresses simultaneously ● www.fping.com/download ● Command-line tool ● Input: multiple IP addresses ● To enter a range of addresses ● -g option ● Input file with addresses ● -f option ● See links Ch 5k, 5l 35
  • 35. 36
  • 36. 37
  • 37. Hping ● Used to bypass filtering devices ● Allows users to fragment and manipulate IP packets ● www.hping.org/download ● Powerful tool ● All security testers must be familiar with tool ● Supports many parameters (command options) ● See links Ch 5m, Ch 5n 38
  • 38. 39
  • 39. 40
  • 40. 41
  • 41. Broadcast Addresses ● If you PING a broadcast address, that can create a lot of traffic ● Normally the broadcast address ends in 255 ● But if your LAN is subnetted with a subnet mask like 255.255.255.192 ● There are other broadcast addresses ending in 63, 127, and 191 42
  • 42. Smurf Attack ● Pinging a broadcast address on an old network resulted in a lot of ping responses ● So just put the victim's IP address in the "From" field ● The victim is attacked by a flood of pings, none of them directly from you ● Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks ● Windows XP and Ubuntu don't respond to broadcast PINGs ● See links Ch 5o, 5p 43
  • 44. Crafting IP Packets ● Packet components ● Source IP address ● Destination IP address ● Flags ● Crafting packets helps you obtain more information about a service ● Tools ● Fping ● Hping 45
  • 45. Understanding Shell Scripting ● Modify tools to better suit your needs ● Script ● Computer program that automates tasks ● Time-saving solution 46
  • 46. Scripting Basics ● Similar to DOS batch programming ● Script or batch file ● Text file ● Contains multiple commands ● Repetitive commands are good candidate for scripting ● Practice is the key 47
  • 47. 48
  • 48. Scapy ● Packet-crafting python utility ● Proj 9, 10, 17, X11, X12, X13
  • 49. Python ● Write your own tools ● Using this book in CNIT 124
  • 50. 50