CEH v8 Labs Module All-In-One


Ethical Hacking and Countermeasures Lab Manual

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

EC-Council

Copyright © 2013 by EC-Council. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Information has been obtained by EC-Council from sources believed to be reliable. EC-Council uses reasonable endeavors to ensure that the content is current and accurate; however, because of the possibility of human or mechanical error, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors or omissions or the accuracy of the results obtained from use of such information.

The courseware is a result of extensive research and contributions from subject matter experts from the field from all over the world. Due credits for all such contributions and references are given in the courseware in the research endnotes. We are committed towards protecting intellectual property. If you are a copyright owner (an exclusive licensee or their agent), and if you believe that any part of the courseware constitutes an infringement of copyright, or a breach of an agreed licence or contract, you may notify us at legal@eccouncil.org. In the event of a justified complaint, EC-Council will remove the material in question and make necessary rectifications.

The courseware may contain references to other information resources and security solutions, but such references should not be considered as an endorsement or recommendation by EC-Council. Readers are encouraged to report errors, omissions and inaccuracies at legal@eccouncil.org.

If you have any issues, please contact support@eccouncil.org.

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Table of Contents

Module Number   Module Name                              Page No.
01              Introduction to Ethical Hacking
02              Footprinting and Reconnaissance          01
03              Scanning Networks                        84
04              Enumeration                              266
05              System Hacking                           307
06              Trojans and Backdoors                    424
07              Viruses and Worms                        529
08              Sniffing                                 584
09              Social Engineering                       674
10              Denial of Service                        702
11              Session Hijacking                        715
12              Hacking Webservers                       730
13              Hacking Web Applications                 761
14              SQL Injection                            781
15              Hacking Wireless Networks                818
16              Hacking Mobile Platforms
17              Evading IDS, Firewalls, and Honeypots    846
18              Buffer Overflow                          901
19              Cryptography                             914
20              Penetration Testing



Labs DVD Contents

DVD   Contents
01    Lab Prerequisites, Module 02 - Module 04
02    Module 05 - Module 07
03    Module 08 - Module 11
04    Module 12 - Module 14
05    Module 15 - Module 17
06    Module 18 - Module 20, BackTrack


CEH Lab Manual

Footprinting and Reconnaissance Module 02

Module 02 - Footprinting and Reconnaissance

Footprinting a Target Network

Footprinting refers to uncovering and collecting as much information as possible regarding a target network.

Lab Scenario

Penetration testing is much more than just running exploits against vulnerable systems like we learned about in the previous module. In fact, a penetration test begins before penetration testers have even made contact with the victim's systems. Rather than blindly throwing out exploits and praying that one of them returns a shell, a penetration tester meticulously studies the environment for potential weaknesses and their mitigating factors. By the time a penetration tester runs an exploit, he or she is nearly certain that it will be successful. Since failed exploits can in some cases cause a crash or even damage to a victim system, or at the very least make the victim un-exploitable in the future, penetration testers won't get the best results, or deliver the most thorough report to their clients, if they blindly turn an automated exploit machine on the victim network with no preparation.

Lab Objectives

The objective of the lab is to extract information concerning the target organization that includes, but is not limited to:

■ IP address range associated with the target
■ Purpose of the organization and why it exists
■ How big is the organization? What class is its assigned IP block?
■ Does the organization freely provide information on the type of operating systems employed and network topology in use?
■ Type of firewall implemented, either hardware or software or a combination of both
■ Does the organization allow wireless devices to connect to wired networks?
■ Type of remote access used, either SSH or VPN
■ Is help sought on IT positions that give information on network services provided by the organization?
■ Identify the organization's users who can disclose their personal information that can be used for social engineering, and assume such possible usernames

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and Reconnaissance

CEH Lab Manual Page 2

Lab Environment

This lab requires:

■ Windows Server 2012 as host machine
■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration

Time: 50 Minutes

Overview of Footprinting

Before a penetration test even begins, penetration testers spend time with their clients working out the scope, rules, and goals of the test. The penetration testers may break in using any means necessary, from information found in the dumpster, to web application security holes, to posing as the cable guy. After pre-engagement activities, penetration testers begin gathering information about their targets. Often all the information learned from a client is the list of IP addresses and/or web domains that are in scope. Penetration testers then learn as much about the client and their systems as possible, from searching for employees on social networking sites to scanning the perimeter for live systems and open ports. Taking all the information gathered into account, penetration testers study the systems to find the best routes of attack. This is similar to what an attacker would do or what an invading army would do when trying to breach the perimeter.

Then penetration testers move into vulnerability analysis, the first phase where they are actively engaging the target. Some might say some port scanning does complete connections. However, as cybercrime rates rise, large companies, government organizations, and other popular sites are scanned quite frequently. During vulnerability analysis, a penetration tester begins actively probing the victim systems for vulnerabilities and additional information. Only once a penetration tester has a full view of the target does exploitation begin. This is where all of the information that has been meticulously gathered comes into play, allowing you to be nearly 100% sure that an exploit will succeed.

Once a system has been successfully compromised, the penetration test is over, right? Actually, that's not right at all. Post-exploitation is arguably the most important part of a penetration test. Once you have breached the perimeter there is a whole new set of information to gather. You may have access to additional systems that are not available from the perimeter. The penetration test would be useless to a client without reporting. You should take good notes during the other phases, because during reporting you have to tie everything you found together in a way everyone from the IT department who will be remediating the vulnerabilities to the business executives who will be approving the budget can understand.

TASK 1: Overview

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in footprinting:

■ Basic Network Troubleshooting Using the ping utility and nslookup Tool
■ People Search Using Anywho and Spokeo Online Tool
■ Analyzing Domain and IP Address Queries Using SmartWhois
■ Network Route Trace Using Path Analyzer Pro
■ Tracing Emails Using eMailTrackerPro Tool
■ Collecting Information About a Target's Website Using Firebug
■ Mirroring Website Using HTTrack Web Site Copier Tool
■ Extracting Company's Data Using Web Data Extractor
■ Identifying Vulnerabilities and Information Disclosures in Search Engines using Search Diggity

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Lab 1: Footprinting a Target Network Using the Ping Utility

Ping is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer.

Lab Scenario

As a professional penetration tester, you will need to check for the reachability of a computer in a network. Ping is one of the utilities that will allow you to gather important information like IP address, maximum packet frame size, etc. about the network computer to aid in a successful penetration test.

Lab Objectives

This lab provides insight into the ping command and shows how to gather information using the ping command. The lab teaches how to:

■ Use ping
■ Emulate the tracert (traceroute) command with ping
■ Find maximum frame size for the network
■ Identify ICMP type and code for echo request and echo reply packets

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Environment

To carry out this lab you need:

■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Lab Duration

Time: 10 Minutes

Overview of Ping

PING stands for Packet Internet Groper. Ping command syntax: ping [-q] [-v] [-R] [-c Count] [-i Wait] [-s PacketSize] Host.

The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any loss of packets.

Lab Tasks

1. Find the IP address for http://www.certifiedhacker.com
2. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop

FIGURE 1.1: Windows Server 2012 - Desktop view

TASK 1: Locate IP Address

3. Click the Command Prompt app to open the command prompt window

FIGURE 1.2: Windows Server 2012 - Apps

Note: For the command ping -c count, specify the number of echo requests to send.

4. Type ping www.certifiedhacker.com in the command prompt, and press Enter to find out its IP address
5. The displayed response should be similar to the one shown in the following screenshot

Note: In the ping command, "ping -i wait" means wait time, that is, the number of seconds to wait between each ping.

    C:\>ping www.certifiedhacker.com

    Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
    Request timed out.
    Reply from 202.75.54.101: bytes=32 time=267ms TTL=113
    Reply from 202.75.54.101: bytes=32 time=288ms TTL=113
    Reply from 202.75.54.101: bytes=32 time=525ms TTL=113

    Ping statistics for 202.75.54.101:
        Packets: Sent = 4, Received = 3, Lost = 1

FIGURE 1.3: The ping command to extract the IP address for www.certifiedhacker.com

6. You receive the IP address of www.certifiedhacker.com, which is 202.75.54.101
7. You also get information on Ping Statistics, such as packets sent, packets received, packets lost, and approximate round-trip time
8. Now, find out the maximum frame size on the network. In the command prompt, type ping www.certifiedhacker.com -f -l 1500

TASK 2: Finding Maximum Frame Size

Note: "Request timed out" is displayed because either the machine is down or it implements a packet filter/firewall.

Note: In the ping command, option -f means "don't fragment".

    C:\>ping www.certifiedhacker.com -f -l 1500

    Pinging www.certifiedhacker.com [202.75.54.101] with 1500 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.

    Ping statistics for 202.75.54.101:
        Packets: Sent = 4, Received = 0, Lost = 4

    C:\>ping www.certifiedhacker.com -f -l 1300

    Pinging www.certifiedhacker.com [202.75.54.101] with 1300 bytes of data:
    Reply from 202.75.54.101: bytes=1300 time=392ms TTL=114
    Reply from 202.75.54.101: bytes=1300 time=362ms TTL=114
    Reply from 202.75.54.101: bytes=1300 time=285ms TTL=114
    Reply from 202.75.54.101: bytes=1300 time=331ms TTL=114

    Ping statistics for 202.75.54.101:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 285ms, Maximum = 392ms, Average = 342ms

FIGURE 1.5: The ping command for www.certifiedhacker.com with -f -l 1300 options


11. You can see that the maximum packet size is less than 1500 bytes and more than 1300 bytes

Note: In the ping command, "ping -q" means quiet output: only summary lines at startup and completion.

12. Now, try different values until you find the maximum frame size. For instance, ping www.certifiedhacker.com -f -l 1473 replies with Packet needs to be fragmented but DF set, and ping www.certifiedhacker.com -f -l 1472 replies with a successful ping. It indicates that 1472 bytes is the maximum frame size on this machine's network.

Note: The maximum frame size will differ depending upon the network.

    C:\>ping www.certifiedhacker.com -f -l 1473

    Pinging www.certifiedhacker.com [202.75.54.101] with 1473 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.

    Ping statistics for 202.75.54.101:
        Packets: Sent = 4, Received = 0, Lost = 4

    C:\>ping www.certifiedhacker.com -f -l 1472

    Pinging www.certifiedhacker.com [202.75.54.101] with 1472 bytes of data:
    Reply from 202.75.54.101: bytes=1472 time=359ms TTL=114
    Reply from 202.75.54.101: bytes=1472 time=320ms TTL=114
    Reply from 202.75.54.101: bytes=1472 time=282ms TTL=114
    Reply from 202.75.54.101: bytes=1472 time=317ms TTL=114

    Ping statistics for 202.75.54.101:
        Packets: Sent = 4, Received = 4, Lost = 0

    C:\>ping www.certifiedhacker.com -i 3

    Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
    Reply from 183.82.14.17: TTL expired in transit.
    Reply from 183.82.14.17: TTL expired in transit.
    Reply from 183.82.14.17: TTL expired in transit.
    Reply from 183.82.14.17: TTL expired in transit.

    Ping statistics for 202.75.54.101:
        Packets: Sent = 4, Received = 4, Lost = 0

FIGURE 1.9: The ping command for www.certifiedhacker.com with -i 1 -n 1 options

19. In the command prompt, type ping www.certifiedhacker.com -i 2 -n 1. The only difference between the previous ping command and this one is -i 2. The displayed response should be similar to the one shown in the following figure

Note: In the ping command, -t means to ping the specified host until stopped.

    C:\>ping www.certifiedhacker.com -i 2 -n 1

    Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
    Request timed out.

    Ping statistics for 202.75.54.101:
        Packets: Sent = 1, Received = 0, Lost = 1

FIGURE 1.10: The ping command for www.certifiedhacker.com with -i 2 -n 1 options

20. In the command prompt, type ping www.certifiedhacker.com -i 3 -n 1. Use -n 1 in order to produce only one answer (instead of four on Windows or pinging forever on Linux). The displayed response should be similar to the one shown in the following figure

Note: In the ping command, the -v option means verbose output, which lists individual ICMP packets, as well as echo responses.

    C:\>ping www.certifiedhacker.com -i 3 -n 1

    Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
    Reply from 183.82.14.17: TTL expired in transit.

    Ping statistics for 202.75.54.101:
        Packets: Sent = 1, Received = 1, Lost = 0

FIGURE 1.11: The ping command for www.certifiedhacker.com with -i 3 -n 1 options

21. In the command prompt, type ping www.certifiedhacker.com -i 4 -n 1. Use -n 1 in order to produce only one answer (instead of four on Windows or pinging forever on Linux). The displayed response should be similar to the one shown in the following figure

    D:\>ping www.certifiedhacker.com -i 4 -n 1

    Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
    Reply from 121.240.252.1: TTL expired in transit.

    Ping statistics for 202.75.54.101:
        Packets: Sent = 1, Received = 1, Lost = 0
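The two techniques this lab drives by hand, finding the largest payload that still passes with DF set (steps 8 to 12) and mapping the path by raising the TTL one hop at a time (steps 19 to 21), are easier to reason about once the guessing is automated. The following Python script is an added example and is not part of the EC-Council manual: it classifies Windows-style ping output, binary-searches the largest unfragmented -l value, and emulates tracert from "TTL expired in transit" replies. Because it has to run offline, the network is a constructed simulation (simulate_path) seeded with the addresses the lab shows (202.75.54.101, 183.82.14.17, 121.240.252.1); the TTL-1 gateway 10.0.0.1, the 1500-byte path MTU and all round-trip times are assumptions.

```python
import re

# IPv4 + ICMP framing that "ping -l" sits on top of: the -l value is the echo
# payload, and 8 bytes of ICMP header plus 20 bytes of IPv4 header are added
# before the packet is compared against the link MTU (so 1472 + 28 = 1500).
ICMP_HEADER = 8
IPV4_HEADER = 20

ECHO_REPLY_RE = re.compile(r"Reply from (\d+\.\d+\.\d+\.\d+): bytes=(\d+)")
TTL_EXPIRED_RE = re.compile(r"Reply from (\d+\.\d+\.\d+\.\d+): TTL expired in transit")


def classify_ping_output(text):
    """Reduce one Windows ping run to (kind, address).

    kind is 'reply', 'fragment' (DF set and the packet was too large),
    'ttl_expired' (an intermediate router answered), or 'timeout'.
    """
    for line in text.splitlines():
        m = TTL_EXPIRED_RE.search(line)
        if m:
            return "ttl_expired", m.group(1)
        if "Packet needs to be fragmented but DF set" in line:
            return "fragment", None
        m = ECHO_REPLY_RE.search(line)
        if m:
            return "reply", m.group(1)
    return "timeout", None


def max_unfragmented_payload(probe, lo=0, hi=65500):
    """Binary-search the largest -l value whose DF-flagged echo still gets a reply.

    probe(size) must return True for a normal echo reply and False when the
    run reported 'Packet needs to be fragmented but DF set'.  About 16 probes
    replace the try-1473-then-1472 guessing of step 12.
    """
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


def walk_hops(run_ping, max_ttl=30):
    """Emulate tracert with 'ping -i TTL -n 1': raise the TTL until the target answers.

    Returns [(ttl, address_or_None), ...]; None marks a hop that stayed silent,
    which is what the 'Request timed out' of step 19 looks like.
    """
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, addr = classify_ping_output(run_ping(ttl=ttl))
        hops.append((ttl, addr))
        if kind == "reply":
            break
    return hops


def simulate_path(target, path_mtu, routers):
    """Constructed stand-in for the lab network; no real traffic is sent.

    routers lists the routers in hop order; None is a hop that sends no ICMP
    time-exceeded.  The returned function mimics Windows ping output.
    """
    def run_ping(size=32, ttl=128):
        if size + ICMP_HEADER + IPV4_HEADER > path_mtu:
            return "Packet needs to be fragmented but DF set."
        if ttl <= len(routers):
            hop = routers[ttl - 1]
            return "Request timed out." if hop is None else f"Reply from {hop}: TTL expired in transit."
        return f"Reply from {target}: bytes={size} time=300ms TTL=113"
    return run_ping


# Values from the lab: target 202.75.54.101, routers seen at TTL 3 and 4,
# nothing at TTL 2.  The TTL-1 gateway 10.0.0.1 is a constructed placeholder.
LAB_PATH = simulate_path("202.75.54.101", 1500,
                         ["10.0.0.1", None, "183.82.14.17", "121.240.252.1"])


def lab_max_payload(run_ping=LAB_PATH):
    """Largest -l that passes on the simulated lab path (1472 for a 1500-byte MTU)."""
    return max_unfragmented_payload(
        lambda n: classify_ping_output(run_ping(size=n))[0] == "reply")


if __name__ == "__main__":
    print("largest unfragmented -l:", lab_max_payload())
    for ttl, addr in walk_hops(LAB_PATH):
        print(f"TTL {ttl}: {addr or 'Request timed out'}")
```

On a real Windows host, simulate_path would be replaced by a wrapper around subprocess.run(["ping", "-n", "1", "-f", "-l", str(size), host]) whose stdout is fed to classify_ping_output. The 28-byte gap between 1472 and 1500 is the IPv4 and ICMP headers, which is why the number the lab calls the "maximum frame size" is the ICMP payload, not the link MTU; a PPPoE link with a 1492-byte MTU, for example, yields 1464.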

When no arguments are given, the command queries the default server. The - (minus sign) invokes subcommands which are specified on the command line and should precede nslookup commands. In non-interactive mode, i.e. when the first argument is the name or Internet address of the host being searched, parameters and the query are specified as command line arguments in the invocation of the program. The non-interactive mode searches the information for the specified host using the default name server.

With nslookup you will either receive a non-authoritative or an authoritative answer. You receive a non-authoritative answer because, by default, nslookup asks your nameserver to recurse in order to resolve your query, and because your nameserver is not an authority for the name you are asking it about. You can get an authoritative answer by querying the authoritative nameserver for the domain you are interested in.


Lab Tasks

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

TASK 1: Extract Information

FIGURE 2.1: Windows Server 2012 - Desktop view

2. Click the Command Prompt app to open the command prompt window

FIGURE 2.2: Windows Server 2012 - Apps

Note: The general command syntax is nslookup [-option] [name | -] [server].

3. In the command prompt, type nslookup, and press Enter
4. Now, type help and press Enter. The displayed response should be similar to the one shown in the following figure

Note: Typing "help" or "?" at the command prompt generates a list of available commands.

    C:\>nslookup
    Default Server:  ns1.beamnet.in
    Address:  202.53.8.8

    > help
    Commands:   (identifiers are shown in uppercase, [] means optional)
    NAME            - print info about the host/domain NAME using default server
    NAME1 NAME2     - as above, but use NAME2 as server
    help or ?       - print info on common commands
    set OPTION      - set an option
        all                 - print options, current server and host
        [no]debug           - print debugging information
        [no]d2              - print exhaustive debugging information
        [no]defname         - append domain name to each query
        [no]recurse         - ask for recursive answer to query
        [no]search          - use domain search list
        [no]vc              - always use a virtual circuit
        domain=NAME         - set default domain name to NAME
        srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
        root=NAME           - set root server to NAME
        retry=X             - set number of retries to X
        timeout=X           - set initial time-out interval to X seconds
        type=X              - set query type (ex. A,AAAA,A+AAAA,ANY,CNAME,MX,NS,PTR,SOA,SRV)
        querytype=X         - same as type
        class=X             - set query class (ex. IN (Internet), ANY)
        [no]msxfr           - use MS fast zone transfer
        ixfrver=X           - current version to use in IXFR transfer request
    server NAME     - set default server to NAME, using current default server
    lserver NAME    - set default server to NAME, using initial server
    root            - set current default server to the root
    ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
        -a          -  list canonical names and aliases
        -d          -  list all records
        -t TYPE     -  list records of the given RFC record type (ex. A,CNAME,MX,NS,PTR etc.)
    view FILE           - sort an 'ls' output file and view it with pg
    exit            - exit the program
    >

FIGURE 2.3: The nslookup command with help option

5. In the nslookup interactive mode, type set type=a and press Enter
6. Now, type www.certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure

Note: The DNS server address (202.53.8.8) will be different from the one shown in the screenshot

FIGURE 2.4: In nslookup command, set type=a option

TASK 2: Elicit Authoritative

7. You get an Authoritative or Non-authoritative answer. The answer varies, but in this lab, it is a Non-authoritative answer
8. In nslookup interactive mode, type set type=cname and press Enter
9. Now, type certifiedhacker.com and press Enter

Note: The DNS server address (8.8.8.8) will be different than the one in the screenshot

10. The displayed response should be similar to the one shown as follows:

TASK 3: Find CNAME

    C:\>nslookup
    Default Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    > set type=cname
    > certifiedhacker.com
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    certifiedhacker.com
            primary name server = ns0.noyearlyfees.com
            responsible mail addr = admin.noyearlyfees.com
            serial  = 35
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

FIGURE 2.5: In nslookup command, set type=cname option

11. In nslookup interactive mode, type server 64.147.99.90 (or any other IP address you receive in the previous step) and press Enter.
12. Now, type set type=a and press Enter.
13. Type www.certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure.

Note: In the nslookup command, the root option means to set the current default server to the root.

FIGURE 2.6: In nslookup command, set type=a option

14. If you receive a request timed out message, as shown in the previous figure, then your firewall is preventing you from sending DNS queries outside your LAN.


15. In nslookup interactive mode, type set type=mx and press Enter.
16. Now, type certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure.

Note: To make a query type of NS a default option for your nslookup commands, place one of the following statements in the user_id.NSLOOKUP.ENV data set: set querytype=ns or querytype=ns.

FIGURE 2.7: In nslookup command, set type=mx option
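The answers nslookup printed in steps 5 to 16 are easier to compare, and to keep in the Lab Analysis table, once they are parsed into records together with the authoritative/non-authoritative distinction the overview draws between a cached answer from your recursive resolver and an answer from the zone's authority. The following Python parser is an added example, not code from the EC-Council manual. Its three sample sessions are constructed in the Windows nslookup output format from the values this lab reports (server 202.53.8.8, A record 202.75.54.101, the SOA of certifiedhacker.com shown in Figure 2.5); the MX preference of 10 is an assumption.

```python
import re

# Constructed sample sessions in the Windows nslookup output format, seeded
# with the values the lab reports.  The MX preference (10) is an assumption.
SAMPLE_A = """\
Server:  ns1.beamnet.in
Address:  202.53.8.8

Non-authoritative answer:
Name:    www.certifiedhacker.com
Address:  202.75.54.101
"""

SAMPLE_MX = """\
Server:  ns1.beamnet.in
Address:  202.53.8.8

Non-authoritative answer:
certifiedhacker.com     MX preference = 10, mail exchanger = mail.certifiedhacker.com
"""

SAMPLE_SOA = """\
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

certifiedhacker.com
        primary name server = ns0.noyearlyfees.com
        responsible mail addr = admin.noyearlyfees.com
        serial  = 35
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")
NS_RE = re.compile(r"^(\S+)\s+nameserver = (\S+)$")
SOA_FIELD_RE = re.compile(
    r"^(primary name server|responsible mail addr|serial|refresh|retry|expire|default TTL)\s*=\s*(\S+)")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_nslookup(text):
    """Turn one nslookup answer into {'server', 'server_address', 'authoritative', 'records'}.

    'authoritative' is False exactly when nslookup printed the
    "Non-authoritative answer:" marker, i.e. the resolver answered from cache
    (or by recursing) rather than as the zone's authority.
    """
    result = {"server": None, "server_address": None, "authoritative": True, "records": []}
    owner = None   # owner name that following Address/SOA lines belong to
    soa = None     # SOA record being assembled from its indented fields
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((">", "Default Server:")):
            continue
        if line.startswith("Server:"):
            result["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Address:") and owner is None:
            # the Address line under Server: is the resolver, not an answer
            result["server_address"] = line.split(":", 1)[1].strip()
        elif line.startswith("Non-authoritative answer:"):
            result["authoritative"] = False
        elif line.startswith("Name:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith(("Address:", "Addresses:")):
            for addr in line.split(":", 1)[1].split():
                result["records"].append({"type": "A", "owner": owner, "address": addr})
        elif IP_RE.match(line) and owner:
            # continuation line of a multi-address "Addresses:" answer
            result["records"].append({"type": "A", "owner": owner, "address": line})
        elif (m := MX_RE.match(line)):
            result["records"].append({"type": "MX", "owner": m.group(1),
                                      "preference": int(m.group(2)), "exchange": m.group(3)})
        elif (m := CNAME_RE.match(line)):
            result["records"].append({"type": "CNAME", "owner": m.group(1), "target": m.group(2)})
        elif (m := NS_RE.match(line)):
            result["records"].append({"type": "NS", "owner": m.group(1), "nameserver": m.group(2)})
        elif (m := SOA_FIELD_RE.match(line)):
            if soa is None:
                soa = {"type": "SOA", "owner": owner}
                result["records"].append(soa)
            value = m.group(2)
            soa[m.group(1)] = int(value) if value.isdigit() else value
        elif " " not in line and "=" not in line:
            # a bare owner name on its own line (printed before an SOA block)
            owner = line
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_MX, SAMPLE_SOA):
        parsed = parse_nslookup(sample)
        tag = "authoritative" if parsed["authoritative"] else "non-authoritative"
        print(parsed["server"], parsed["server_address"], tag)
        for rec in parsed["records"]:
            print("   ", rec)
```

Parsing by record type rather than by the query type you asked for keeps one thing visible that the raw screen hides: the reply shown in Figure 2.5 for set type=cname is an SOA (primary name server, serial, refresh and so on), which is what a resolver returns in the authority section when the queried name has no CNAME record.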

Lab Analysis

Document all the IP addresses, DNS server names, and other DNS information.

Tool/Utility    Information Collected/Objectives Achieved
nslookup        DNS Server Name: 202.53.8.8
                Non-Authoritative Answer: 202.75.54.101
                CNAME (Canonical Name of an alias)
                ■ Alias: certifiedhacker.com
                ■ Canonical name: google-public-dns-a.google.com
                MX (Mail Exchanger): mail.certifiedhacker.com

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze and determine each of the following DNS resource records:
■ SOA
■ NS
■ A
■ PTR
■ CNAME
■ MX
■ SRV
2. Evaluate the difference between an authoritative and non-authoritative answer.
3. Determine when you will receive request time out in nslookup.

Internet Connection Required
☑ Yes □ No

Platform Supported
☑ Classroom □ iLabs


People Search Using the AnyWho Online Tool

AnyWho is an online white pages people search directory for quickly looking up individual phone numbers.

Lab Scenario

You have already learned that the first stage in penetration testing is to gather as much information as possible. In the previous lab, you were able to find information related to DNS records using the nslookup tool. If an attacker discovers a flaw in a DNS server, he or she will exploit the flaw to perform a cache poisoning attack, making the server cache the incorrect entries locally and serve them to other users that make the same request. As a penetration tester, you must always be cautious and take preventive measures against attacks targeted at a name server by securely configuring name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. To begin a penetration test it is also important to gather information about a user location to intrude into the user's organization successfully. In this particular lab, we will learn how to locate a client or user location using the AnyWho online tool.

Lab Objectives

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and Reconnaissance

The objective of this lab is to demonstrate the footprinting technique to collect confidential information on an organization, such as their key personnel and their contact details, using people search services. Students need to perform people search and phone number lookup using http://www.anywho.com.

Lab Environment

In the lab, you need:

■ A web browser with an Internet connection
■ Administrative privileges to run tools
■ This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Module 02 - Footprinting and Reconnaissance

Lab Duration

Time: 5 Minutes

Overview of AnyWho

AnyWho is a part of the AT&T family of brands, which mostly focuses on local searches for products and services. The site lists information from the White Pages (Find a Person/Reverse Lookup) and the Yellow Pages (Find a Business).

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop

AnyWho allows you to search for local businesses by name to quickly find their Yellow Pages listings with basic details and maps, plus any additional time- and money-saving features, such as coupons, video profiles or online reservations.

FIGURE 3.5: AnyWho People Search Results


Task 2: Viewing Person Information

6. Click the search results to see the address details and phone number of that person

The search results display address, phone number and directions for the location.

FIGURE 3.6: AnyWho - Detail Search Result of Rose A Christian

7. Similarly, perform a reverse search by giving a phone number or address in the Reverse Lookup field

The Reverse Phone Lookup service allows visitors to enter a phone number and immediately look up who it is registered to.

FIGURE 3.7: AnyWho Reverse Lookup Page


Reverse lookup will redirect you to the search result page with the detailed information of the person for the particular phone number or email address on yp.com.

FIGURE 3.8: AnyWho - Reverse Lookup Search Result

Lab Analysis

Analyze and document all the results discovered in the lab exercise.

Tool/Utility: AnyWho

Information Collected/Objectives Achieved:
■ WhitePages (Find people by name): Exact location of a person with address and phone number
■ Get Directions: Precise route to the address found for a person
■ Reverse Lookup (Find people by phone number): Exact location of a person with complete address


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Can you collect all the contact details of the key people of any organization?
2. Can you remove your residential listing? If yes, how?
3. If you have an unpublished listing, why does your information show up in AnyWho?
4. Can you find a person in AnyWho that you know has been at the same location for a year or less? If yes, how?
5. How can a listing be removed from AnyWho?

Internet Connection Required: ☑ Yes ☐ No

FIGURE 10.10: Web Data Extractor Extracted Phone details window

12. Similarly, check for the information under the Faxes, Merged list, Urls (638), and Inactive sites tabs
13. To save the session, go to File and click Save session


Web Data Extractor saves extracted links directly to a disk file, so there is no limit on the number of links extracted per session. It supports operation through a proxy server and works very fast, as it is able to load several pages simultaneously, and requires very few resources.

FIGURE 10.11: Web Data Extractor Extracted Phone details window

14. Specify the session name in the Save session dialog box and click OK

FIGURE 10.12: Web Data Extractor Extracted Phone details window

15. By default, the session will be saved at D:\Users\admin\Documents\WebExtractor\Data


Lab Analysis

Document all the Meta Tags, Emails, and Phone/Fax.

Tool/Utility: Web Data Extractor

Information Collected/Objectives Achieved:
■ Meta tags Information: URL, Title, Keywords, Description, Host, Domain, Page size, etc.
■ Email Information: Email Address, Name, URL, Title, Host, Keywords density, etc.
■ Phone Information: Phone numbers, Source, Tag, etc.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. What does Web Data Extractor do?
2. How would you resume an interrupted session in Web Data Extractor?
3. Can you collect all the contact details of an organization?

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


Identifying Vulnerabilities and Information Disclosures in Search Engines using Search Diggity

Search Diggity is the primary attack tool of the Google Hacking Diggity Project. It is an MS Windows GUI application that serves as a front-end to the latest versions of Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYardDiggity.

Lab Scenario

An easy way to find vulnerabilities in websites and applications is to Google them, which is a simple method adopted by attackers. Using a Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. As an expert ethical hacker, you should use the same method to identify all the vulnerabilities and patch them before an attacker identifies them to exploit vulnerabilities.

Lab Objectives

The objective of this lab is to demonstrate how to identify vulnerabilities and information disclosures in search engines using Search Diggity. Students will learn how to:
■ Extract Meta Tag, Email, Phone/Fax from the web pages

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Environment

To carry out the lab, you need:
■ Search Diggity is located at D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance\Google Hacking Tools\SearchDiggity
■ You can also download the latest version of Search Diggity from the link http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Lab Duration

Time: 10 Minutes

GoogleDiggity is the primary Google hacking tool, utilizing the Google JSON/ATOM Custom Search API to identify vulnerabilities and information disclosures via Google searching.

Overview of Search Diggity

Search Diggity has a predefined query database that runs against the website to scan the related queries.

Lab Tasks

1. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop

FIGURE 11.1: Windows Server 2012—Desktop view

Task 1: Launch Search Diggity

2. In the Start menu, to launch Search Diggity, click Search Diggity

FIGURE 11.2: Windows Server 2012—Start menu


3. The Search Diggity main window appears with Google Diggity as the default

Queries - Select the Google dorks (search queries) you wish to use in the scan by checking the appropriate boxes.

FIGURE 11.3: Search Diggity—Main window

4. Select Sites/Domains/IP Ranges and type the domain name in the domain field. Click Add

Download Button - Select (highlight) one or more results in the results pane, then click this button to download the search result files locally to your computer. By default, downloads go to D:\DiggityDownloads\.

FIGURE 11.5: Search Diggity—Domain added

6. Now, select a Query from the left pane that you wish to run against the website you have added to the list and click Scan

Task 2: Run Query against a website

Note: In this lab, we have selected the query SWF Finding Generic. Similarly, you can select other queries to run against the added website

When scanning is kicked off, the selected query is run against the complete website.

FIGURE 11.6: Search Diggity—Selecting query and Scanning


Results Pane - As the scan runs, results found will begin populating in this window pane.

7. The following screenshot shows the scanning process


Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

FIGURE 1.6: The Advanced IP Scanner main window after scanning

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive

Task 2: Extract Victim's IP Address Info

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down

Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items

7. The selected report automatically opens using the default browser.

You can also right-click on the Web page and save the report.


Module 03 - Scanning Networks

In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).

FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items

The Syntax for Filter String: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].
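The following is an added example, not code from this lab manual or from NirSoft's CurrPorts: it parses filter strings in the syntax given above and evaluates them against constructed connection rows modelled on the CurrPorts tables in these figures, which also lets you check the filter strings asked for in Questions 1 and 2 at the end of this lab. Two assumptions are made: the process form carries the image name in its last field, and rows must match at least one include filter (when any exist) and no exclude filter.

```python
"""CurrPorts-style filter evaluation: added example, not lab-manual or NirSoft code.
Grammar (from the lab note):
  [include|exclude]:[local|remote|both|process]:[tcp|udp|tcpudp]:[IP Range|Ports Range]
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Conn:
    """One row of a CurrPorts-like table; remote fields are None for listening sockets."""
    process: str
    protocol: str            # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: Optional[str]
    remote_port: Optional[int]


# Constructed sample rows, loosely modeled on the CurrPorts screenshots in this lab.
SAMPLE_CONNS = [
    Conn("chrome.exe", "TCP", "10.0.0.7", 4148, "173.194.36.26", 443),
    Conn("firefox.exe", "TCP", "10.0.0.7", 4163, "173.194.36.15", 443),
    Conn("firefox.exe", "TCP", "10.0.0.7", 4166, "173.194.36.0", 443),
    Conn("firefox.exe", "TCP", "10.0.0.7", 4170, "23.57.204.20", 80),
    Conn("httpd.exe", "TCP", "0.0.0.0", 1070, None, None),          # listening
    Conn("svchost.exe", "UDP", "10.0.0.7", 61234, "10.0.0.1", 53),  # constructed DNS lookup
    Conn("lsass.exe", "TCP", "127.0.0.1", 1028, "127.0.0.1", 3982),
]


@dataclass(frozen=True)
class Filter:
    action: str    # include | exclude
    target: str    # local | remote | both | process
    protocol: str  # tcp | udp | tcpudp
    value: str     # IP range, port range or (assumption) a process image name


def split_filter_strings(text: str) -> List[str]:
    """The filters dialog accepts several strings separated by spaces, ';' or CRLF."""
    return [tok for tok in re.split(r"[\s;]+", text) if tok]


def parse_filter(spec: str) -> Filter:
    """Parse one four-field filter string, rejecting anything outside the grammar."""
    parts = spec.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {spec!r}")
    action, target, proto = (p.strip().lower() for p in parts[:3])
    value = parts[3].strip()
    if (action not in ("include", "exclude") or target not in ("local", "remote", "both", "process")
            or proto not in ("tcp", "udp", "tcpudp") or not value):
        raise ValueError(f"malformed filter string: {spec!r}")
    return Filter(action, target, proto, value)


def _in_range(item, spec: str, conv) -> bool:
    """True if item lies within 'lo-hi' (or equals a single value); conv parses the bounds."""
    lo, _, hi = spec.partition("-")
    low = conv(lo)
    high = conv(hi) if hi else low
    return low <= item <= high


def _endpoint_matches(addr: Optional[str], port: Optional[int], spec: str) -> bool:
    """A dotted spec is treated as an IP range, anything else as a port range."""
    if addr is None or port is None:  # a listening socket has no remote endpoint
        return False
    if "." in spec:
        return _in_range(ipaddress.ip_address(addr), spec, ipaddress.ip_address)
    return _in_range(port, spec, int)


def matches(f: Filter, c: Conn) -> bool:
    if f.protocol != "tcpudp" and c.protocol.lower() != f.protocol:
        return False
    if f.target == "process":  # assumption: image name sits in the last field
        return c.process.lower() == f.value.lower()
    if f.target in ("local", "both") and _endpoint_matches(c.local_addr, c.local_port, f.value):
        return True
    return f.target in ("remote", "both") and _endpoint_matches(c.remote_addr, c.remote_port, f.value)


def apply_filters(filter_text: str, conns: List[Conn]) -> List[Conn]:
    """Keep rows that match at least one include filter (if any) and no exclude filter."""
    filters = [parse_filter(s) for s in split_filter_strings(filter_text)]
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    return [c for c in conns
            if (not includes or any(matches(f, c) for f in includes))
            and not any(matches(f, c) for f in excludes)]


if __name__ == "__main__":
    # Lab Question 1: remote TCP port 80 plus UDP port 53.
    for row in apply_filters("include:remote:tcp:80 include:remote:udp:53", SAMPLE_CONNS):
        print(row)
    # Lab Question 2: only the ports opened by Firefox.
    print(len(apply_filters("include:process:tcpudp:firefox.exe", SAMPLE_CONNS)), "firefox rows")
```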

8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S)

FIGURE 4.8: CurrPorts to view properties for a selected port

10. The Properties window appears and displays all the properties for the selected port.
11. Click OK to close the Properties window

Command-line option: /shtml saves the list of all opened TCP/UDP ports into an HTML file (Horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port


Task 2

12. To close a TCP connection you think is suspicious, select the process and click File > Close Selected TCP Connections (or Ctrl+T).

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window

13. To kill the processes of a port, select the port and click File > Kill Processes of Selected Ports.

Task 3

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports Option Window

14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.


Command-line option: /sverhtml saves the list of all opened TCP/UDP ports into an HTML file (Vertical).

FIGURE 4.12: The CurrPorts Exit option window

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

In the command line, the syntax of the /close command is: /close <Local Address> <Remote Address> <Remote Port>.

Tool/Utility: CurrPorts

Profile Details: Network scan for open ports

Scanned Report (Information Collected/Objectives Achieved):
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
   a. Display Established
   b. Mark Ports Of Unidentified Applications
   c. Display Items Without Remote Address
   d. Display Items With Unknown State

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs

Lab

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Scenario

You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool will automatically mark with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items, and then close the selected connections. Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one. As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing. In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

You can download GFI LANguard from http://www.gfi.com.

Lab Environment

To perform the lab, you need:

■ GFI LanGuard, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from http://www.gfi.com/lannetscan
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LanGuard Network Security Scanner
■ A license key, which requires the user to register on the GFI website at http://www.gfi.com/lannetscan
■ After completing the subscription, the user receives an email that contains the activation code

Note: GFI LanGuard runs on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

Lab D uration Time: 10 Minutes

Overview of Scanning a Network

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Note: GFI LanGuard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Lab Tasks

Follow the wizard-driven installation steps to install the GFI LanGuard network scanner on the Windows Server 2012 host machine.

TASK 1: Scanning for Vulnerabilities

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

Note: To execute a scan successfully, GFI LanGuard must remotely log on to target computers with administrator privileges. A scan run without those credentials reports far fewer findings; that is a blind spot in the audit, not a cleaner network.

Note (Zenmap sidebar, which belongs to the Nmap lab later in this module): the Zenmap installer installs the following components: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), and Ndiff.


[Figure: GFI LanGuard 2012 main window. Tabs: Dashboard, Scan, Remediate, Activity Monitor, Reports, Configuration, Utilities. The welcome page reads "GFI LanGuard 2012 is ready to audit your network" and shows the Local Computer Vulnerability Level.]

Note: The default scanning options, which provide quick access to scanning modes, are: Manage Agents or Launch a Scan (for the entire network), View Dashboard (investigate network vulnerability status and audit results), and Remediate Security Issues.

Note: A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.

[Figure residue: Activity Monitor and Configuration panes listing the scanned computer's Operators, Sessions (2), Services, Processes (76), Administrators and Users groups.]

FIGURE 5.13: Information of Groups

17. Click the Dashboard tab; it shows all the scanned network information.

[Figure: GFI LanGuard 2012 Dashboard tab for "Entire Network - 1 computer", with the Vulnerabilities, Patches and Software panes for the scanned host.]

[Figure residue: Zenmap result tabs Nmap Output | Ports / Hosts | Topology | Host Details | Scans]

FIGURE 6.4: The Zenmap main window with Target and Profile entered

Note: The six port states recognized by Nmap are:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered

8. Nmap scans the provided IP address with the Intense scan profile (Command: nmap -T4 -A -v 10.0.0.4) and displays the scan result below the Nmap Output tab. The -A switch turns on OS detection, version detection, script scanning and traceroute, so this profile is noisy and should only be pointed at hosts you are authorized to test:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 15:35
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:35
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 49154/tcp on 10.0.0.4
Discovered open port 49153/tcp on 10.0.0.4
Discovered open port 49156/tcp on 10.0.0.4
Discovered open port 49155/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4

Note: Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results:

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

Note: The options available to control target selection are:
■ -iL <inputfilename> (Input from list)
■ -iR <num hosts> (Choose random targets)
■ --exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)
■ --excludefile <exclude_file> (Exclude list from file)

Note: The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS (TCP SYN Ping)
■ -PA (TCP ACK Ping)
■ -PU (UDP Ping)
■ -PY (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)

10. Click the Ports/Hosts tab to display more information on the scan results.

11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan:

Port   Protocol  State  Service      Version
135    tcp       open   msrpc        Microsoft Windows RPC
139    tcp       open   netbios-ssn
445    tcp       open   netbios-ssn
5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152  tcp       open   msrpc        Microsoft Windows RPC
49153  tcp       open   msrpc        Microsoft Windows RPC
49154  tcp       open   msrpc        Microsoft Windows RPC
49155  tcp       open   msrpc        Microsoft Windows RPC
49156  tcp       open   msrpc        Microsoft Windows RPC

Note: --system-dns (Use system DNS resolver) and --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries) control how Nmap resolves names.

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan

12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan profile.

Note: By default, Nmap performs host discovery and then a port scan against each host it determines to be online.

FIGURE 6.8: The Zenmap main window with the Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the Intense scan profile.

Note: By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

Host Details for 10.0.0.4 (Intense scan, nmap -T4 -A -v 10.0.0.4):
Host Status: State: up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Uptime: 22151; Last boot: Fri Aug 24 09:27:40 2012
Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10
Operating System: Name: Microsoft Windows 7 or Windows Server 2008 SP1

FIGURE 6.9: The Zenmap main window with the Host Details tab for Intense Scan
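The Host Details and Ports/Hosts tabs above are Zenmap's rendering of Nmap's own XML output. As an added example (not part of the lab manual and not Nmap project code), the following Python script produces the same summary from the machine-readable form: run the same scan with -oX (nmap -T4 -A -v -oX scan.xml 10.0.0.4), parse the report, and then do what an audit actually needs, which is to compare the open ports against what the server is supposed to expose. Instead of reading a file it embeds a constructed XML sample that mirrors the 10.0.0.4 result shown above; the baseline {135, 139, 445} passed to unexpected_open is an assumption standing in for the auditor's own list.

```python
"""Summarise an Nmap XML report (nmap -oX) the way Zenmap's Host Details and
Ports/Hosts tabs do, then flag open ports outside an expected baseline.
Added example, not EC-Council or Nmap project code."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample input: a hand-written XML document mirroring the Intense
# scan of 10.0.0.4 shown in the lab (nine open TCP ports, 991 closed).  It is
# not captured nmap output, but it uses the real nmap.dtd element names.
_OPEN_PORTS = [
    (135, "msrpc", "Microsoft Windows RPC", None, None),
    (139, "netbios-ssn", None, None, None),
    (445, "netbios-ssn", None, None, None),
    (5357, "http", "Microsoft HTTPAPI httpd", "2.0", "SSDP/UPnP"),
] + [(p, "msrpc", "Microsoft Windows RPC", None, None) for p in range(49152, 49157)]


def _port_element(portid, name, product, version, extrainfo):
    """Render one <port> element for the constructed sample."""
    attrs = {"name": name, "product": product, "version": version, "extrainfo": extrainfo}
    svc = " ".join(f'{k}="{v}"' for k, v in attrs.items() if v)
    return (f'<port protocol="tcp" portid="{portid}">'
            f'<state state="open" reason="syn-ack" reason_ttl="128"/>'
            f'<service {svc} method="probed" conf="10"/></port>')


SAMPLE_XML = (
    '<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX - 10.0.0.4" version="6.01">'
    '<host><status state="up" reason="arp-response"/>'
    '<address addr="10.0.0.4" addrtype="ipv4"/>'
    '<address addr="00:15:5D:00:07:10" addrtype="mac" vendor="Microsoft"/>'
    '<ports><extraports state="closed" count="991">'
    '<extrareasons reason="resets" count="991"/></extraports>'
    + "".join(_port_element(*p) for p in _OPEN_PORTS)
    + '</ports><os><osmatch name="Microsoft Windows 7 or Windows Server 2008 SP1" accuracy="100"/></os>'
    '<uptime seconds="22151" lastboot="Fri Aug 24 09:27:40 2012"/>'
    '</host></nmaprun>'
)


def parse_nmap_xml(xml_text):
    """Return one summary dict per <host>.  Nmap lists only interesting ports
    individually and folds the rest into <extraports>, so the state counts
    include those in order to add up to the number of ports actually scanned."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.iter("address")}
        counts = Counter()
        for extra in host.iter("extraports"):
            counts[extra.get("state")] += int(extra.get("count"))
        rows = []
        for port in host.iter("port"):
            state = port.find("state").get("state")
            counts[state] += 1
            svc = port.find("service")
            svc = svc.attrib if svc is not None else {}
            version_parts = [svc.get("product"), svc.get("version")]
            if svc.get("extrainfo"):
                version_parts.append(f"({svc['extrainfo']})")
            rows.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state,
                "service": svc.get("name", ""),
                "version": " ".join(p for p in version_parts if p),
            })
        osmatch = host.find("os/osmatch")
        uptime = host.find("uptime")
        hosts.append({
            "ipv4": addrs.get("ipv4"),
            "mac": addrs.get("mac"),
            "status": host.find("status").get("state"),
            "ports": sorted(rows, key=lambda r: (r["proto"], r["port"])),
            "counts": dict(counts),
            "scanned": sum(counts.values()),
            "os": osmatch.get("name") if osmatch is not None else None,
            "last_boot": uptime.get("lastboot") if uptime is not None else None,
        })
    return hosts


def unexpected_open(host, baseline):
    """Open TCP ports that are not in the expected baseline for this host.
    The baseline is the auditor's own list; {135, 139, 445} in __main__ is an
    assumption standing in for whatever the change record says is allowed."""
    return [r["port"] for r in host["ports"]
            if r["proto"] == "tcp" and r["state"] == "open" and r["port"] not in baseline]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(f"{h['ipv4']} ({h['mac']}) state={h['status']} os={h['os']!r} last boot={h['last_boot']}")
        print(f"ports scanned={h['scanned']} counts={h['counts']}")
        for r in h["ports"]:
            print(f"{r['port']:>6}/{r['proto']}  {r['state']:<6} {r['service']:<12} {r['version']}")
        print("open but not in baseline:", unexpected_open(h, {135, 139, 445}))
```

Against the sample, the script reports nine open and 991 closed ports (1000 scanned, matching the Host Details tab) and lists 5357 and the five dynamic RPC ports 49152-49156 as outside the baseline. Those are the lines a reviewer reads first: the Ports/Hosts table shows what answered, the baseline comparison shows what should not have.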

14. Click the Scans tab to see the scan details for the provided IP addresses.

Note: Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential. In Nmap, option -p means scan only the specified ports.

[Figure residue: Scans tab listing an unsaved scan "nmap -T4 -A -v 10.0.0.4" (Intense scan), with Append Scan, Remove Scan and Cancel Scan buttons.]

FIGURE 6.10: The Zenmap main window with the Scans tab for Intense Scan

15. Now, click the Services button in the left pane of the window. This pane then lists the services found instead of the hosts.

16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (open/closed). For this target the http service is 10.0.0.4, port 5357/tcp, open, Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP); the other services listed are msrpc and netbios-ssn.

Note: In Nmap, option -F means fast (limited port) scan.

Note: Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

[Figure residue: Zenmap Profile Editor, Scan tab. Fields: Targets (optional): 10.0.0.4; TCP scan: drop-down offering ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW), Xmas Tree scan (-sX) and None; Non-TCP scans: None; Timing template. Check boxes: Enable all advanced/aggressive options (-A), which enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute); Operating system detection (-O); Version detection (-sV); Idle Scan (Zombie) (-sI); FTP bounce attack (-b); Disable reverse DNS resolution (-n); IPv6 support (-6). Buttons: Cancel, Save Changes.]

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes.

Note: You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

[Figure residue: Profile Editor for "nmap -sX -T4 -A -v 10.0.0.4", Scan tab: Targets (optional): 10.0.0.4; TCP scan: Xmas Tree scan (-sX); Non-TCP scans: None; Timing template: Aggressive (-T4); Enable all advanced/aggressive options (-A) checked.]

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

24. Enter the IP address in the Target: field, select the Xmas Scan option from the Profile: field, and click Scan. The Command: field now reads nmap -sX -T4 -A -v 10.0.0.4.

Note: In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

FIGURE 6.18: The Zenmap main window with Target and Profile entered

25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

Note: When scanning systems compliant with the RFC 793 text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open. Nmap therefore reports a port as closed when it sees a RST and as open|filtered when it sees nothing. Stacks that do not follow the RFC here (Microsoft Windows among them) answer every such probe with a RST, open or closed, so against this lab's Windows target an Xmas or Null scan marks every port closed. Compare the result against the Intense (SYN) scan from earlier in this lab before drawing any conclusion from it.

Note: The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

Nmap Output for the Xmas scan (Command: nmap -sX -T4 -A -v 10.0.0.4):

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 16:29
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:29
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
Initiating XMAS Scan at 16:29
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
Initiating Service scan at 16:30
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).

FIGURE 6.19: The Zenmap main window with the Nmap Output tab

26. Click the Services button in the left pane. It displays all the services of that host.

FIGURE 6.20: Zenmap main window with the Services view (the Nmap Output tab still shows the Xmas scan output of Figure 6.19)

TASK 3: Null Scan

27. A Null scan works only if the operating system's TCP/IP implementation follows RFC 793. In a Null scan, attackers send a TCP frame to a remote host with no flags set.

Note: The option Null Scan (-sN) does not set any bits (the TCP flag header is 0).

28. To perform a Null scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).

Note: The option -b (FTP bounce scan) allows a user to connect to one FTP server and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.

Note: The profile name is how the profile will be identified in the drop-down combo box on the Scan tab.

Note: The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

[Figure residue: Profile Editor, Scan tab, with the TCP scan: drop-down open, listing ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW) and Xmas Tree scan (-sX).]

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.

Note: In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

Note: Disable reverse DNS resolution (-n): never do reverse DNS. This can slash scanning times.

Note: The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file; <n> must be 1 or greater.

[Figure residue: Profile Editor for "nmap -sN -sX -T4 -A -v 10.0.0.4", Scan tab: Targets (optional): 10.0.0.4; TCP scan: Null scan (-sN); Non-TCP scans: None; Timing template: Aggressive (-T4).]

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan. Check the Command: field before you do: the profile shown in Figure 6.24 was saved with both -sN and -sX, and Nmap accepts only one TCP scan type per run, so the command should read nmap -sN -T4 -A -v 10.0.0.4.

Note: The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. In current Nmap releases -sR is simply an alias for -sV, which performs RPC grinding as part of version detection.

[Figure residue: Zenmap main window with the Null Scan profile selected and the Ports / Hosts tab showing the Port, Protocol and State columns.]
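The Xmas scan in step 25 and the Null scan in this task both rely on the RFC 793 rule quoted above, and both silently produce a false "all closed" result against a stack that does not follow it. As an added example (not part of the lab manual and not Nmap code), the following Python script models that classification for the -sX, -sN and -sF probes, runs it against a simulated RFC 793-compliant target, the same target behind a packet filter, and a simulated Windows-style target, and also reproduces the command line the Zenmap profile editor composes from the Scan-tab settings used in steps 23 and 31. The targets and the packet filter are simulations so that it runs offline; the response rules are taken from the RFC text and the Nmap reference guide, and the port numbers are arbitrary.

```python
"""Model of how Nmap assigns port states in the flag-based scans the lab runs
(-sX Xmas, -sN Null, and -sF FIN), and of the command line the Zenmap profile
editor composes for them.  Added example; not lab-manual or Nmap code.  The
target stacks and packet filter below are simulated so the script runs offline;
the response rules follow the RFC 793 text quoted in the lab and the Nmap
reference guide."""
from collections import Counter

# TCP flags each scan type sets in its probe.  None of them set SYN, RST or
# ACK, which is exactly why RFC 793 lets the reply reveal the port state.
SCAN_FLAGS = {
    "-sN": frozenset(),                        # Null scan: TCP flag header is 0
    "-sF": frozenset({"FIN"}),                 # FIN scan
    "-sX": frozenset({"FIN", "PSH", "URG"}),   # Xmas scan
}
# ICMP type 3 codes that Nmap treats as a filtering device answering.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify(reply):
    """State Nmap reports for one probe in a Null/FIN/Xmas scan.
    reply is None (silence), "RST", or ("ICMP", type, code)."""
    if reply is None:
        return "open|filtered"   # open port, or a filter that dropped the probe
    if reply == "RST":
        return "closed"
    if isinstance(reply, tuple) and reply[0] == "ICMP" and reply[1] == 3 \
            and reply[2] in FILTERED_ICMP_CODES:
        return "filtered"
    raise ValueError(f"unexpected reply {reply!r}")


def rfc793_stack(open_ports):
    """Simulated RFC 793-compliant target: a probe without SYN/RST/ACK gets a
    RST from a closed port and no reply at all from an open one."""
    def respond(port, flags):
        assert not flags & {"SYN", "RST", "ACK"}, "flag scans never set SYN/RST/ACK"
        return None if port in open_ports else "RST"
    return respond


def windows_stack(open_ports):
    """Simulated non-compliant target (Microsoft Windows, many Cisco devices,
    BSDI, IBM OS/400): every such probe is answered with RST, open or not."""
    def respond(port, flags):
        return "RST"
    return respond


def with_filter(stack, dropped=(), rejected=()):
    """Packet filter in front of a stack: silently drops probes to some ports
    and answers others with ICMP type 3 code 13 (administratively prohibited)."""
    def respond(port, flags):
        if port in dropped:
            return None
        if port in rejected:
            return ("ICMP", 3, 13)
        return stack(port, flags)
    return respond


def run_scan(scan, target, ports):
    """Probe each port with the scan's flag set and classify the reply."""
    flags = SCAN_FLAGS[scan]
    return {port: classify(target(port, flags)) for port in ports}


def summarize(results):
    """Per-state counts, as Zenmap's Host Details tab shows them."""
    return dict(Counter(results.values()))


def nmap_command(scan, host, timing="-T4", aggressive=True, verbose=True):
    """Command line the Zenmap profile editor composes for these Scan-tab settings."""
    parts = ["nmap", scan, timing]
    if aggressive:
        parts.append("-A")
    if verbose:
        parts.append("-v")
    return " ".join(parts + [host])


if __name__ == "__main__":
    PORTS = [22, 23, 80, 443, 8080]              # arbitrary sample ports
    compliant = with_filter(rfc793_stack({22, 80}), dropped={443}, rejected={8080})
    windows = windows_stack({22, 80})            # same two ports really open
    for scan in ("-sX", "-sN", "-sF"):
        print(nmap_command(scan, "10.0.0.4"))
        print("  RFC 793 target:", run_scan(scan, compliant, PORTS))
        print("  Windows target:", summarize(run_scan(scan, windows, PORTS)),
              "<- every port 'closed'; the scan says nothing about the two open ones")
```

Two things the model makes visible that the Zenmap screenshots do not: the three scans are interchangeable in what they can learn (they differ only in which flags they set, so the classification table is shared), and silence is ambiguous, which is why the state is open|filtered rather than open. The Windows case is the one to remember when reading this lab's results: a Null or Xmas scan that reports 1000 closed ports on a host the SYN scan showed nine open ports on has told you about the target's TCP stack, not about its services.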


:

FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScanTools Pro app to open the NetScanTools Pro window.

FIGURE 7.2: Windows Server 2012 - Apps

3. If you are using the Demo version of NetScanTools Pro, click Start the DEMO.

Note: The database is created in the Results Database Directory; its file name is prefixed with NstProData- and has the file extension .db3.

4. The Open or Create a New Results Database - NetScanTools Pro window appears; enter a new database name in Database Name (enter new name here).

5. Set a default directory for the results database file location, and click Continue.

Note (text of the dialog): NetScanTools Pro automatically saves results in a database. The database is required. Create a new Results Database, open a previous Results Database, or use this software in Training Mode with a temporary Results Database. Training Mode Quick Start: press Create Training Mode Database, then press Continue. A new Results Database will be automatically prefixed with "NstProData-" and will end with ".db3". No spaces or periods are allowed when entering a new database name. Project Name and Analyst Information (Name, Title, Telephone Number, Mobile Number, Organization, Email Address) are optional; the analyst information can be displayed in reports if desired.

Note: USB Version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.

FIGURE 7.3: Setting a new database name for NetScanTools Pro

6. The NetScanTools Pro main window appears as shown in the following figure.

Note: IP version 6 addresses have a different format from IPv4 addresses, and they can be much longer or far shorter. IPv6 addresses always contain two or more colon characters. Example: 2001:4860:b006::69 (ipv6.google.com) or ::1 (the internal loopback address). An IPv4-mapped address such as ::ffff:192.0.2.1 is also a valid IPv6 textual form and does contain periods, so do not rely on "no periods" when validating IPv6 input.

[Figure: "test - NetScanTools Pro Demo Version Build 8-17-12 based on version 11.19" main window, with File, Edit, Accessibility, View, IPv6 and Help menus and the welcome page; the remainder of the page is unrecoverable.]

H m x x d '•o n ■hr A J o i^ e d cr Vtao.a la d s cr 10311 groined by fm d ia n on the k ft panel R03 iso- root carract :‫ «־‬ta‫״‬oet. orwn icon :coa I 8!en to noucrktniffc. ttu ; icon tooo ‫ * ® •ו‬we• y o j oca sy*em. end groy !con 100b contact ihid party Fleet ' i t FI '«&, to vie‫ ״‬e