406 49 39MB
English Pages [969] Year 2017
E thical H acking and C ounterm easures Lab Manual
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
EC-Council Copyright © 2013 by EC-Cou 11cil. All rights reserved. Except as permitted under the Copyright Act o f 1976, no part o f tins publication may be reproduced or distributed 111 any form or by any means, or stored 111 a database or retrieval system, without the prior written permission o f the publisher, with the exception that the program listings may be entered, stored, and executed 111 a computer system, but they may not be reproduced for publication. Information has been obtained by EC-Council from sources believed to be reliable. EC-Council uses reasonable endeavors to ensure that the content is current and accurate, however, because o f the possibility o l human or mechanical error we do not guarantee the accuracy, adequacy, or completeness o l any information and are not responsible for any errors or omissions or the accuracy o f the results obtained from use o f such information. The courseware is a result o f extensive research and contributions from subject matter experts from the field from all over the world. Due credits for all such contributions and references are given in the courseware in the research endnotes. We are committed towards protecting intellectual property. It you are a copyright owner (an exclusive licensee or their agent), and if you believe that any part o f the courseware constitutes an infringement o f copyright, or a breach o f an agreed licence or contract, you may notify us at le g a l@ e c c o u n c il.o r g . 1 1 1 the event o f a justified complaint, EC-Council will remove the material 111 question and make necessary rectifications. The courseware may contain references to other information resources and security solutions, but such references should not be considered as an endorsement o f 01 ־recommendation by EC-Council. Readers are encouraged at le g a l@ e c c o u n c il.o r g .
to
report
errors,
omissions
and
inaccuracies
If you have any issues, please contact s u p p o r t@ e c c o u n c il.o r g .
Ethical Hacking and Countermeasures All Rights Reserved. Reproduc
to
EC-Council
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Table of Contents M odule N tim b er
M odule N a m e
P age N o .
01
Introduction to E th ical H a ck in g
—
02
F ootprin ting and R econ n aissan ce
01
03
Scan n in g N etw ork s
84
04
E n u m eration
266
05
System H a ck in g
307
06
Trojans and B ackdoors
424
07
V iruses and W orm s
529
08
Sniffing
584
09
Social E n g in eerin g
674
10
D en ia l o f Service
702
11
S ession H ijack in g
715
12
H a ck in g W ebservers
730
13
H a ck in g W eb A pplications
761
14
SQ L Injection
781
15
H a ck in g W ireless N etw ork s
818
16
H a ck in g M obile Platform s
—
17
E vad in g ID S, Firew alls, and H o n ey p o ts
846
18
Buffer O verflow
901
19
Cryptography
914
20
Penetration T e stin g
—
Ethical Hacking and Countermeasures Copyright © by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Labs DVD Contents DVD
Contents
01
L ab P rereq u isites, M odule 02 - M odule 04
02
M odule 05 - M odule 07
03
M odule 08 - M odule 11
04
M odule 12 - M odule 14
05
M odule 15 - M odule 17
06
M odule 18 - M odule 20, B ack T rack
Ethical Hacking and Countermeasures Copyright © by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual
Footprinting and Reconnaissance Module 02
Module 02 - Footprinting and Reconnaissance
Footprirvting a Target Network Footprinting refers to uncovering and collecting as much information aspossible regarding a target netn ork
Lab Scenario Valuable mfonnation_____ Test your knowledge sA Web exercise m
Workbook review
Penetration testing is much more than just running exploits against vulnerable systems like we learned about 111 the previous module. 111 fact, a penetration test begins before penetration testers have even made contact with the victim’s systems. Rather than blindly throwing out exploits and praying that one of them returns a shell, a penetration tester meticulously studies the environment for potential weaknesses and their mitigating factors. By the time a penetration tester runs an exploit, he or she is nearly certain that it will be successful. Since failed exploits can 111 some cases cause a crash or even damage to a victim system, or at the very least make the victim un-exploitable 111 the tumre, penetration testers won't get the best results, or deliver the most thorough report to then ־clients, if they blindly turn an automated exploit machine on the victim network with no preparation.
Lab Objectives The objective of the lab is to extract information concerning the target organization that includes, but is not limited to: ■ IP address range associated with the target ■ Purpose of organization and why does it exists ■ How big is the organization? What class is its assigned IP Block? ■ Does the organization freely provide information on the type of operating systems employed and network topology 111 use? ■ Type of firewall implemented, either hardware or software or combination of both ■ Does the organization allow wireless devices to connect to wired networks? ■ Type of remote access used, either SSH or \T N ■ Is help sought on IT positions that give information on network services provided by the organization?
C E H L ab M an u al Page 2
E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
■ IdentitV organization’s users who can disclose their personal information that can be used for social engineering and assume such possible usernames & Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and R econnaissance
Lab Environment Tins lab requires: ■
Windows Server 2012 as host machine
■ A web browser with an Internet connection ■ Administrative privileges to 11111 tools
Lab Duration Time: 50 ]Minutes
Overview of Footprinting Before a penetration test even begins, penetration testers spend time with their clients working out the scope, mles, and goals ot the test. The penetration testers may break 111 using any means necessary, from information found 111 the dumpster, to web application security holes, to posing as the cable guy. After pre-engagement activities, penetration testers begin gathering information about their targets. Often all the information learned from a client is the list of IP addresses and/or web domains that are 111 scope. Penetration testers then learn as much about the client and their systems as possible, from searching for employees on social networking sites to scanning die perimeter for live systems and open ports. Taking all the information gathered into account, penetration testers sftidv the systems to find the best routes of attack. Tins is similar to what an attacker would do or what an invading army would do when trying to breach the perimeter. Then penetration testers move into vulnerabilitv analysis, die first phase where they are actively engaging the target. Some might say some port scanning does complete connections. However, as cybercrime rates nse, large companies, government organizations, and other popular sites are scanned quite frequendy. During vulnerability analysis, a penetration tester begins actively probing the victim systems for vulnerabilities and additional information. Only once a penetration tester has a hill view of the target does exploitation begin. Tins is where all of the information that has been meticulously gathered comes into play, allowing you to be nearly 100% sure that an exploit will succeed. Once a system has been successfully compromised, the penetration test is over, right? Actually, that's not nght at all. Post exploitation is arguably the most important part of a penetration test. Once you have breached the perimeter there is whole new set of information to gather. You may have access to additional systems that are not available trom the perimeter. The penetration test would be useless to a client without reporting. You should take good notes during the other phases, because during reporting you have to tie evervdiing you found together 111 a way
C E H L ab M an u al Page 3
E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
everyone from the IT department who will be remediating the vulnerabilities to the business executives who will be approving die budget can understand. m TASK 1 Overview
Lab Tasks Pick an organization diat you feel is worthy of vour attention. Tins could be an educational institution, a com m ercial com pany. 01 perhaps a nonprofit charity.
Recommended labs to assist you 111 footprinting; ■ Basic Network Troubleshooting Using the ping utility and nslookup Tool ■
People Search Using Anywho and Spokeo Online Tool
■ Analyzing Domain and IP Address Queries Using SmartWhois ■ Network Route Trace Using Path Analyzer Pro ■ Tracing Emails Using eMailTrackerPro Tool ■
Collecting Information About a target’s Website Using Firebug
■ Mirroring Website Using HTTrack Web Site Copier Tool ■ Extracting Company’s Data Using Web Data Extractor ■ Identifying Vulnerabilities and Information Disclosures 111 Search Engines using Search Diggity
Lab Analysis Analyze and document the results related to die lab exercise. Give your opinion 011 your target’s security posture and exposure through public and free information.
P L EA S E TALK T O Y OU R I N S T R U C T O R IF YOU HAV E Q U E S T I O N S R E L A T E D T O T H I S L AB .
C E H L ab M an u al Page 4
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
Lab
1 Footprinting a Target Network Using the Ping Utility Ping is a computer network administrati0)1 utility used to test the reachability of a host on an Internetprotocol (IP) network and to measure the ronnd-trip timefor messages sentfrom the originating host to a destination computer. I CON KEY [£Z7 Valuable information Test your knowledge______ *
Web exercise
Lab Scenario As a professional penetration tester, you will need to check for the reachability of a computer 111 a network. Ping is one of the utilities that will allow you to gather important information like IP address, maximum P acket Fame size, etc. about the network computer to aid 111 successful penetration test.
Lab Objectives
Workbook review
Tins lab provides insight into the ping command and shows how to gather information using the ping command. The lab teaches how to: ■ Use ping ■ Emulate the tracert (traceroute) command with ping & Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and R econnaissance
■
Find maximum frame size for the network
■
Identity ICMP type and code for echo request and echo reply packets
Lab Environment To carry out this lab you need: ■ Administrative privileges to run tools ■
TCP/IP settings correctly configured and an accessible DNS server
■ Tins lab will work 111 the CEH lab environment - on W indows Server 2012. W indows 8 , W indows Server 2008. and W indows 7
C E H L ab M an u al Page 5
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
Lab Duration Tune: 10 Minutes
Overview of Ping & PIN G stands for Packet Internet Groper. Ping command Syntax: ping [-q] [-v] [-R] [-c Count] [-iWait] [-s PacketSize] Host.
The ping command sends Internet Control M essage Protocol (ICMP) echo request packets to the target host and waits tor an ICMP response. During tins requestresponse process, ping measures the time from transmission to reception, known as die round-trip time, and records any loss of packets.
Lab Tasks 1. Find the IP address lor http:/ Avww.certihedhacker.com 2. To launch Start menu, hover the mouse cursor in the lower-left corner of the desktop
FIGURE 1.1: Windows Server 2012 —Desktop view
Locate IP Address
3. Click Command Prompt app to open the command prompt window
FIGURE 1.2: Windows Server 2012—Apps
For die command, ping -c count, specify die number of echo requests to send.
C E H L ab M anual Page 6
Type ping w w w .certified hacker.com 111 the command prompt, and press Enter to find out its IP address b. The displayed response should be similar to the one shown 111 the following screenshot
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
Administrator: C:\Windows\system32\cmd.exe
m The piiig command, “ping —iwait,” means wait time, that is the number of seconds to wait between each ping.
!* ' ם י ־
'
C : \ ) p i n g u u u . c e r t i f i e d l 1a c k e r . c o m P i n g i n g w w w . c e r t i f i e d h a c k e r . c o m [ 2 0 2 . 7 5 . 5 4 . 1 0 1 1 w i t 11 3 2 b y t e s o f d a t a : Request tim ed o u t . R e p l y f r o m 2 0 2 . ? 5 . 5 4 . 1 0 1 : b y t e s =32 t i m e = 2 6 7 m s TTL=113 R e p l y f r o m 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s = 3 2 t i m e = 2 8 8 m s TTL=113 R e p l y f r o m 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s = 3 2 t i m e = 5 2 5 m s TTL=113 Ping s t a t i s t i c s f o r 2 0 2 .7 5 .5 4 .1 0 1 : P a c k e t s : S e n t = 4 , R e c e i v e d = 3 , L o s t = 1
FIGURE 1.3: The ping command to extract die IP address for www.certifiedhacker.com
6. You receive the IP address of www.certifledhacker.com that is 202.75.54.101
You also get information 011 Ping S ta tistic s, such as packets sent, packets received, packets lost, and Approximate round-trip tim e Now, find out the maximum frame size 011 the network. 111 the command prompt, type ping w w w .certified hacker.com - f - l 1500 Finding Maximum Frame Size
* ׳
Administrator: C:\Windows\system32\cmd.exe : \ < p i n g w w u . c e r t i f i e d l 1a c k e r . c o m - f
־1 1500
!Pinging w w w . c e r t if ie d h a c k e r .c o m [ 2 0 2 . 7 5 . 5 4 . 1 0 1 1 w it h 1500 b y t e s o f d a ta : Packet needs t o be f r a g m e n t e d b u t UP s e t . Packet needs t o be f r a g m e n t e d b u t DF s e t . Packet needs t o be f r a g m e n t e d b u t DF s e t . Packet needs t o be f r a g m e n t e d b u t DF s e t . Ping s t a t i s t i c s f o r 2 0 2 .7 5 .5 4 .1 0 1 : P a c k e ts: Sent = 4 , R eceived = 0 ,
m Request time out is displayed because either the machine is down or it implements a packet filter/firewall.
L o s t = 4 j p i n g w w w . c e r t i f i e d h a c k e r . c o m - f
m 111 the ping command, option —f means don’t fragment.
! - ! = ■
X
'
- 1 1300
P in g in g w w w .ce r tifie d h a c k e r .c o m [2 0 2 .7 5 .5 4 .1 0 1 1 R eply from 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s = 1 3 0 0 time=392ms R eply from 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y te s = 1 3 0 0 time=362ms R eply from 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y te s = 1 3 0 0 time=285ms R e p l y f r o m 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s = 1 3 0 0 t im e = 3 3 1 m s
w ith 1300 b y te s o f d a ta : TTL=114 TTL=114 TTL=114 TTL=114
Ping s t a t i s t i c s f o r 2 0 2 .7 5 .5 4 .1 0 1 : P a c k e t s : S e n t = 4 , R e c e i v e d = 4 , L o s t = 0 < 0X l o s s ) , A p p r o x i m a t e r o u n d t r i p t i m e s i n m i l l i —s e c o n d s : Minimum = 2 8 5 m s , Maximum = 3 9 2 m s , A v e r a g e = 342ms C :\>
FIGURE 1.5: The ping command for www.certifiedhacker.com with —f —11300 options
C E H L ab M anual Page 7
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
11. You can see that the maximum packet size is le s s than 1500 b ytes and more than 1300 b ytes In die ping command, “Ping —q,” means quiet output, only summary lines at startup and completion.
12. Now, try different values until you find the maximum frame size. For instance, ping w w w .certified hacker.com - f - l 1473 replies with P ack et n e e d s to be fragm ented but DF s e t and ping w w w .certified hacker.com - f - l 1472 replies with a su c c e ssfu l ping. It indicates that 1472 bytes is the maximum frame size on tins machine network Note: The maximum frame size will differ depending upon on the network Administrator: C:\Windows\system32\cmd.exe C :S )p in g w o w .c ert i f ie d h a c k e r .c o m - f
I ־־I ם
x 1
1 4 7 3 1־
Pinccinc» w w w . c e r t i f i e d h a c k e r . c o m [ 2 0 2 . 7 5 . 5 4 . 1 0 1 1 w i t l i 1 4 7 3 b y t e s o f d a t a : Packet needs t o be f r a g m e n t e d b u t DF s e t . Packet needs t o be f r a g m e n t e d b u t DF s e t . Packet needs t o be f r a g m e n t e d b u t DF s e t . Packet needs t o be f r a g m e n t e d b u t DF s e t . P ing s t a t i s t i c s f o r 2 0 2 .7 5 .5 4 .1 0 1 : P a ckets: Sent = 4 , R eceived = 0,
Lost = 4 'ping w w w .c e r t if ie d h a c k e r .c o m - f
1- 1= ' » '
- 1 1 4 72
[Pinging w w w .c e r t if ie d h a c k e r .c o m [ 2 0 2 . 7 5 . 5 4 . 1 0 1 ] R e p l y f ro m 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s = 1 4 7 2 t im e = 3 5 9 m s R e p l y f ro m 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s =147 2 t im e = 3 2 0 m s R e p l y f ro m 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s = 1 4 7 2 t im e = 2 8 2 m s R e p l y f ro m 2 0 2 . 7 5 . 5 4 . 1 0 1 : b y t e s = 1 4 7 2 t im e = 3 1 7 m s
w it h 1472 b y t e s o f d a ta : TTL=114 TTL=114 TTL=114 TTL=114
Ping s t a t i s t i c s f o r 2 0 2 .7 5 .5 4 .1 0 1 : P a c k e t s : S e n t = 4 , R e c e i v e d = 4 , L o s t = 0 p in g u u w .c e r t if ie d h a c k e r .c o m - i
3
Pinsrincf 1 7 u u . c e r t i f i e d h a c k e r . c o m [ 2 0 2 . 7 5 R e p l y f ro m 1 8 3 . 8 2 . 1 4 . 1 7 : TTL e x p i r e d i n R e p l y f ro m 1 8 3 . 8 2 . 1 4 . 1 7 : TTL e x p i r e d in R e p l y f ro m 1 8 3 . 8 2 . 1 4 . 1 7 : TTL e x p i r e d i n R e p l y f ro m 1 8 3 . 8 2 . 1 4 . 1 7 : TTL e x p i r e d i n ■Ping s t a t i s t i c s f o r 2 0 2 . 7 5 . 5 4 . 1 0 1 : P a c k e ts: Sent = 4 , R eceived = 4 ,
1
. 5 4 . 1 0 1 ] u i t h 32 b y t e s o f d a t a : tra n sit. tra n sit. tr a n sit. tr a n sit.
p
L o s t = 0 |
FIGURE 1.9: The ping command for ™ ׳!יcr rrifiedl1acker.com with —i 1 —n 1 options
19. 111 the command prompt, type ping w w w .certified hacker.com -i 2 -n 1. The only difference between the previous pmg command and tliis one is -i 2 . The displayed resp o n se should be similar to the one shown 111 the following figure
C E H L ab M anual Page 9
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
Administrator: C:\Windows\system32\cmd.exe C :\)p in g
m
111 the
ping command, -t means to ping the specified host until stopped.
w w w .c e r tifie d h a ck er .c o m
P in g in g w w w .ce r tifie d h a c k e r .co m R equest tim e d o u t .
—i 2 —n 1 [2 0 2 .7 5 .5 4 .1 0 1 ]
Ping s t a t i s t i c s f o r 2 0 2 .7 5 .5 4 .1 0 1 : P a ck ets: Sent = 1 , R eceived = 0 ,
Lost
w i t h 32 b y t e s
= 1
FIGURE 1.10: The ping command for www.certifiedl1acke1.co1n with -i 2 - 11 1 options
20. 111 the command prompt, type ping w w w .certified hacker.com -i 3 -n 1. Use -n 1 111 order to produce only one answer (instead of four on Windows or pinging forever on Linux). The displayed response should be similar to the one shown 111 the following figure
C :\)p in g w w w .ce rtifie d h a ck er .co n - i
s
In the ping command, the -v option means verbose output, which lists individual ICMP packets, as well as echo responses.
3 -n 1
P i n g i n g w w w .c e r t i f i e d h a c k e r .c o m [ 2 0 2 . 7 5 . 5 4 . 1 0 1 ] w i t h 32 b y t e s R e p l y f r o m 1 8 3 . 8 2 . 1 4 . 1 7 : TTL e x p i r e d i n t r a n s i t . Ping s t a t i s t i c s f o r 2 0 2 .7 5 .5 4 .1 0 1 : P a c k e ts: Sent = 1 , R eceived = 1 ,
Lost
of
da
= 0
FIGURE 1.11: Hie ping command for www.cerdfiedl1acker.com with — i 3 —n 1 options
21. 111 the command prompt, type ping w w w .certified hacker.com -i 4 -n 1 . Use -n 1 111 order to produce only one answer (instead of four on Windows or pinging forever on Linux). The displayed response should be similar to the one shown 111 the following figure G5J
Administrator: C:\Windows\system32\cmd.exe
D :\> p in g w w w .c e r tifie d h a c k e r .c o m
-i
4 -n
H » l
Lost
'
1
P in g in g w w w .c e r t i f i e d h a c k e r .c o m [ 2 0 2 . 7 5 . 5 4 . 1 0 1 ] w i t h 32 b y t e s R e p l y f r o m 1 2 1 . 2 4 0 . 2 5 2 . 1 : TTL e x p i r e d i n t r a n s i t . Ping s t a t i s t i c s f o r 2 0 2 . 7 5 . 5 4 . 1 0 1 : P a c k e ts: Sent = 1 , R eceived = 1 ,
>־
of
da
= 0 ). When 110 arguments are given, then the command queries to default server. The - (minus sign) invokes subcommands which are specified 011 command line and should precede nslookup commands. In non-interactive mode. i.e. when first argument is name 01 ־internet address of the host being searched, parameters and the query are specified as command line arguments 111 the invocation of the program. The noninteractive mode searches the information for specified host using default name server.
With nslookup you will eidier receive a non-audiontative or authoritative answer. You receive a non-authoritative answ er because, by default, nslookup asks your nameserver to recurse 111order to resolve your query and because your nameserver is not an authority for the name you are asking it about. You can get an authoritative answ er by querying the authoritative nameserver for die domain you are interested
C E H L ab M an u al Page 14
E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
Lab Tasks 1. Launch Start menu by hovering the mouse cursor 111 the lower-left corner of the desktop S TASK 1 Extract Information i j Windows Server 2012 fttndcMsSewe*2012ReleMQnxtditeOaiMtm• !valuationcopyfold IP P R P G S * 5 ; ן ל ל ן יט י
FIGURE 2.1: Windows Server 2012 —Desktop view
2. Click the Command Prompt app to open the command prompt window
FIGURE 2.2: Windows Server 2012—Apps ,__ The general command syntax is nslookup [-option] [name | -] [server].
C E H L ab M anual Page 15
3. 111 the command prompt, type nslookup, and press Enter 4. Now, type help and press Enter. The displayed response should be similar to die one shown 111 the following figure
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
ss
Administrator: C:\Windows\system32\cmd.exe - nslookup
S
C :\)n slo o k u p D efault S e rv er: n s l . b e a m n e t . in A ddress: 2 0 2 .5 3 .8 .8
.S' Typing "help" or "?" at the command prompt generates a list of available commands.
> h elp Comma nds : ( i d e n t i f i e r s a r e s how n i n u p p e r c a s e , LJ m ean s o p t i o n a l ) NAME - p r i n t i n f o a b o u t t h e h o s t / d o m a i n NAME u s i n g d e f a u l t s e r v e r NAME1 NAME2 - a s a b o v e , b u t u s e NAME2 a s s e r v e r help o r ? ־p r i n t i n f o on common commands s e t OPTION - s e t an o p t io n all - p r i n t o p tio n s * c u r r e n t s e r v e r and h o st [no]debug - p r i n t d ebugging in fo rm a tio n [nold2 ־p r i n t e x h a u s tiv e debugging in fo r m a tio n [ n o I d e f name - a p p e n d d o m a i n name t o e a c h q u e r y [no!recurse - ask f o r re c u r s iv e answer to query [no!search - u s e domain s e a r c h l i s t [n o Iv c - alw ays use a v i r t u a l c i r c u i t d o m a i n =NAME - s e t d e f a u l t d o m a i n name t o NAME s r c h l i s t = N 1 [ / N 2 / . . . / N 6 1 - s e t d o m a i n t o N1 a n d s e a r c h l i s t t o N 1 , N 2 , e t c . r o o t =NAME - s e t r o o t s e r v e r t o NAME retry=X - s e t num ber o f r e t r i e s t o X t im eo ut =X - s e t i n i t i a l tim e -o u t i n t e r v a l to X seconds - s e t q u e r y t y p e ( e x . A,AAAA,A*AAAA,ANY,CNAME,MX,NS,PTR, t y p e =X SOA,SRU) q u e r y t y p e =X - sa me a s t y p e c la ss ־X — s e t q u e r y c l a s s < e x . IN ( I n t e r n e t ) , ANY) - u s e MS f a s t z o n e t r a n s f e r [no]m sxf r - c u r r e n t v e r s i o n t o u s e i n IXFR t r a n s f e r r e q u e s t ixfrver=X s e r v e r NAME - s e t d e f a u l t s e r v e r t o NAME, u s i n g c u r r e n t d e f a u l t s e r v e r l s e r w e r NAME - s e t d e f a u l t s e r v e r t o NAME, u s i n g i n i t i a l s e r v e r root - s e t c u rre n t d e fa u lt s e rv e r to the root I s [ o p t ] DOMAIN [> F I L E ] - l i s t a d d r e s s e s i n DOMAIN ( o p t i o n a l : o u t p u t t o F I L E ) -a ־ l i s t c a n o n i c a l names a n d a l i a s e s -d — l i s t a l l records - t TYPE l i s t r e c o r d s o f t h e g i v e n RFC r e c o r d t y p e ( e x . A,CNAME,MX,NS, PTR e t c . > v i e w FILE - s o r t a n ' I s ' o u t p u t f i l e a n d v i e w i t w i t h pg - e x i t t h e program ex it >
FIGURE 2.3: The nslookup command with help option
5. 111 the nslookup interactive mode, type “se t type=a” and press Enter 6. Now, type www.certifiedhacker.com and press Enter. The displayed response should be similar to die one shown 111 die following figure Note: The DNS server Address (202.53.8.8) will be different from die one shown 111 die screenshot
FIGURE 2.4: hi nslookup command, set type=a option
U se Elicit Authoritative
7. You get Authoritative or Non-authoritative answer. The answer vanes, but 111diis lab, it is Non-authoritative answer 8. 111 nslookup interactive mode, type se t type=cname and press Enter 9. Now, type certifiedhacker.com and press Enter Note: The DNS server address (8 .8 .8 .8 ) will be different dian die one 111 screenshot
10. The displayed response should be similar to die one shown as follows:
> set type=cname C E H L ab M anual Page 16
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
> certifiedhacker.com Server: google-public-dns-a.google.com Address: 8.8.8.8 r Q
T A S K
Administrator: C:\Windows\system32\cmd.exe ־ns...
ם
x
3
Find Cname
נ: \> n s lo o k u p )e fa u lt S e rv e r: g o o g le -p u b lic -d n s -a .g o o g le .c o n Id d re s s : 8.8.8.8
> s e t ty p e = c n a m e > c e r t i t i e d h a c k e r .c o m J e ru e r: Id d re s s :
g o o g le - p u b lic ־d n s ־a . g o o g le .c o n 8.8.8.8
: e r t i f i e d h a c k e r .c o n p r im a r y nane s e r u e r = n s 0 .n o y e a r ly fe e s .c o m r e s p o n s ib le m a il a d d r = a d m in .n o y e a r ly fe e s .c o m s e r ia l = 35 r e f r e s h = 9 0 0 ( 1 5 m in s > re try = 6 0 0 ( 1 0 m in s ) e x p ir e = 8 64 00 (1 d a y ) d e f a u l t TTL = 3 6 0 0 (1 h o u r> III
FIGURE 2.5:111 iislookup command, set type=cname option
11. 111 nslookiip interactive mode, type server 64.147.99.90 (or any other IP address you receive in the previous step) and press Enter. 12. Now, type s e t type=a and press Enter. 13. Type w ww.certifiedhacker.com and press Enter. The displayed response should be similar to the one shown 111die following tigure. [SB Administrator: C:\Windows\system32\cmd.exe - ns. ״L ^ .
111 nslookiip command, root option means to set the current default server to the root.
FIGURE 2.6:111 nslookiip command, set type=a option
14. It you receive a request timed out message, as shown in the previous tigure, dien your firewall is preventing you trom sending DNS queries outside your LAN.
C E H L ab M anual Page 17
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
15. 111 nslookup interactive mode, type se t type=mx and press Enter. 16. Now, type certifiedhacker.com and press Enter. The displayed response should be similar to the one shown 111 die following figure. ׳-' To make queiytype of NS a default option for your nslookup commands, place one of the following statements in the user_id.NSLOOKUP.ENV data set: set querytype=ns or querytype=ns.
FIGURE 2.7: In nslookup command, set type=mx option
Lab Analysis Document all die IP addresses, DNS server names, and odier DNS information. T ool/U tility
Information Collected/Objectives Achieved DNS Server Name: 202.53.8.8 Non-Authoritative Answer: 202.75.54.101
nslookup
CNAME (Canonical N am e of an alias) ■ Alias: cert1fiedhacker.com ■ Canonical name: google-publ1c-d11s-a.google.com MX (Mail Exchanger): 111a11.cert1fiedl1acker.com
P L EA S E TALK T O Y OUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Questions 1. Analyze and determine each of the following DNS resource records: ■ SOA
C E H L ab M anual Page 18
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
■ NS ■ A ■ PTR ■ CNAME ■ MX ■ SRY 2. Evaluate the difference between an authoritative and non-audioritative answer. 3. Determine when you will receive request time out in nslookup. Internet Connection Required 0 Yes
□ No
Platform Supported 0 Classroom
C E H L ab M an u al Page 19
□ !Labs
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
People Search Using the AnyWho Online Tool A_nyWho is an online whitepagespeople search directoryfor quickly looking up individualphone numbers.
Lab Scenario Valuable mfonnation_____ Test your knowledge *d Web exercise m
Workbook review
You have already learned that the first stage in penetration testing is to gather as much information as possible. 111 the previous lab, you were able to find information related to DNS records using the nslookup tool. If an attacker discovers a flaw 111 a DNS server, he or she will exploit the flaw to perform a cache poisoning attack, making die server cache the incorrect entries locally and serve them to other users that make the same request. As a penetration tester, you must always be cautious and take preventive measures against attacks targeted at a name server by securely configuring name servers to reduce the attacker's ability to cormpt a zone hie with the amplification record. To begin a penetration test it is also important to gather information about a user location to intrude into the user’s organization successfully. 111 tins particular lab, we will learn how to locate a client or user location using die AnyWho online tool.
Lab Objectives
H Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and R econnaissance
C E H L ab M an u al Page 20
The objective of tins lab is to demonstrate the footprinting technique to collect confidential information on an organization, such as then: key personnel and then־ con tact details, usnig people search services. Students need to perform people search and phone number lookup usnig http: / /www.a11ywho.com.
Lab Environment 111 the lab, you need: ■ A web browser with an Internet comiection ■ Admnnstrative privileges to run tools ■ Tins lab will work 111 the CEH lab environment - on W indows Server 2012. W indows 8 , W indows Server 2008. and W indows 7 E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Comicil All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
Lab Duration Tune: 5 ]\luiutes
Overview of AnyWho AnyWho is a part ot the ATTi family ot brands, which mostly tocuses 011 local searches tor products and services. The site lists information from the White Pages (Find a Person/Reverse Lookup) and the Yellow P ages (Find a Business).
Lab Tasks 1. Launch Start menu by hovering the mouse cursor 011 the lower-left corner of the desktop
m AnyWho allow you to search for local businesses by name to quickly find their Yellow Pages listings with basic details and maps, plus any additional time and money-saving features, such as coupons, video profiles or online reservations.
■8 Windows Server 2012 Server 2012 Rele״Maps 4 Drivhg Dictions
M o re In fo rm a tio n fo r R ose C C hristian ייEmail 300 otner Phone lookup “ Get D ttila c BackQiound Information » G•! Pjtl'C RtCOIdS * ״Wew Property & A/ea Information ** view Social NetworkProfile
Rose E C hristian
M o re in fo rm a tio n to r R o • • E C hristian
•W •*% 9t t t
mmmm י״MM
FIGURE 3.5: AnyWho People Search Results
C E H L ab M anual Page 22
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
task
2
Viewing Person Information
6. Click die search results to see the address details and phone number of that person Rose A Christian Southfield PI, 0-f -SH ' 6
Add to Address Book | Print
!re, MD 21212
A re you R ose A Christian? » Remove Listing
Information provided solely by Intelius
Get Directions
□
Enter Address
ש
Southfield PI.
m The search results display address, phone number and directions for the location.
3 • ־re. MD 21212
>Reverse Directions
Cet Directions
Gulf of
O 'J J t t Z 'j r / j n d u i
-j ' j j l׳j ! >.׳/ r ־Cj
FIGURE 3.6: AnyWho - Detail Search Result of Rose A Christian
7. Sinulady, perform a reverse search by giving phone number or address 111 die R everse Lookup held IteUJ The Reverse Phone Lookup service allows visitors to enter in a phone number and immediately lookup who it is registered to.
C
0 ww/w.anyvrtx>.com• ׳everse-lookup
AnyWho f*a3ta0Arcc-f. Pitert m 35v■* >»«»׳
JL kVHIfE PACES
• Kfc«׳fcRStLOOKUP
A«bWJPC006 LOOKUP
R e v e rs e L o o k u p | F in d P e o p le By □
Phone Num ber
R e v e rs e L o o k u p
AnyWho's Reverse Phone LooKup sewce allows visitors to enter * »ימא*ן ג יnumber and immediately lookup who it is registered to. Perhaps you mssed an incoming phone call and want to know who x is bewe you call back. Type the phone number into the search box and well perform a white pages reverse lookup search פזfn i out exactly who it is registered to If we ha>־e a match far th* pnone number well show you the registrant's first and last name, and maimg address If you want to do reverse phone lookup for a business phone number then check out Rwrse Lookup at YP.com.
| sx»«r| e » 8185551212. (818)655-1212
HP Cetl phone numbers are not ewailable
Personal ״J6nnr.inc information available on AnyWho is n« pwaeo byAT&T and is provided solerf by an i^affiated third parly intelius. Inc Full Disclaimer
n
FIGURE 3.7: AnyWho Reverse Lookup Page
C E H L ab M anual Page 23
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
Reverse lookup will redirect you to die search result page widi die detailed information of die person for particular phone number or email address n> yp.com
^
-
\
C O anywhoyp.yellowpages.com/reversephonelookup?from=anywho_cobra &
\
Rose A Christian ־Southfield PI, - -
lore. MD 2 1 2 1 2
Are you Rose A Christian7 »» Remove Listing
Unpublished directory records are not displayed. If you want your residential listing removed, you have a couple of options: To have your listing unpublished, contact your local telephone company.
Get Directions
□
Enter Address
■ Southfield PI. •— *K>re, MD 2 1 2 1 2
• R e v e rs e D irectio n s
To have your listing removed from AnyWho without obtaining an unpublished telephone number, follow the instructions provided in AnyWho Listing Removal to submit your listing for removal.
C h in q u a p in Pa r k ־B elvedere
La k e Ev e s h a m
Go va n s to w n
W Northern Pkwy t N°'
Ro s e b a n k
M i d -G o v a n s
Dnwci W yndhu rst
W ooi
'// He
P jrk C a m e r o n V ill a g e
Chlnqu4p Pork K e n il w o r t h P ar k Ro l a n d Park W in s t q n -G q v a n s
FIGURE 3.8: AnyWho - Re\*e1se Lookup Search Result
Lab Analysis Analyze and document all the results discovered 111die lab exercise. T ool/U tility
Information Collected/Objectives Achieved WhitePages (Find people by name): Exact location of a person with address and phone number
AnyWho
Get Directions: Precise route to the address found lor a person Reverse Lookup (Find people by phone number): Exact location of a person with complete address
C E H L ab M anual Page 24
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
PL EA S E TALK T O YOUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Questions 1. Can vou collect all the contact details of the key people of any organization? 2. Can you remove your residential listing? It yes, how? 3. It you have an unpublished listing, why does your information show up in AnyWho? 4. Can you tind a person in AnyWho that you know has been at the same location for a year or less? If yes, how? 5. How can a listing be removed from AnyWho? Internet Connection Required 0 Yes
□ N
o/a> Onlne 300kina: Siterru http://certifiedhackef.c1 http://certifiedhacker.com/Online B:>o*ung/b־c Onlne Booking. Brows http://certifiedhackef.c1 http://certifiedhacker.com/Online Booking/c* Onine Booking: Check http://certifiedhackef.c1 http7/certifiedhackef rom/'Dnlinft Bsoking/ea Onine Booking Conta http7/eertifiedhaek« c! http://certifiedhacker.com/Online Bookrig/c:* Onine Booking: Conta http://certifiedhackef.c1 http://certifiedhacker.com/Online Booking/ca Onine Booking: Conta http://certifiedhackef.c1 http://certifiedhacker.com/Online Bookirtg/fac Onine Booking: FAQ http://certifiedhackef.c1 http://certifiedhacker.com/Online Booking/pal Onine 300king: Sitem< http://certif1edhackef.c1 http://certifiedhacker.com/Online Booking/se< Onine 300king: Searc http://certifiedhackef.c1 http^/cortifiodhackor.convOnline B»oking/sei Onine Booking: Searc ht׳p://certifiedhackef.ci http://certifiedhacker.com/Online Booking/se< Onine 300king: Searc http://certifiedhackef.c1 http://certifiedhacker.com/Online Booking/ten Online Booking: Typoc http://certifedhackef.c1 http://ccrtificdhackcr.com/Onlinc B:>oking/hol Onine Dooking: Hotel http://ccrtifiedh0cka.ci http: //certifiedhacker. com/ P-folio/contacl htn P-Foio http: //certiliedhackef. c! http://certifiedhacker.com/Real Estates/page: Professional Real Esta ht‘p://certifiedhackef.ci http://certifiedhacker.com/Real Estales/pags: Professional Red Esta http:///cerlifiedhackef.ci http://certifiedhacker.com/Real Estates/page: Professional Real Esta http: //certifiedhackef.ci http://certifiedhacker.com/Real Estdes/pag* Professional Real Esta http //certifedhackef.c! http://certifiedhacker.com/Real Estates/peg* Professional Real Esta http //certifiedhackef.ci http://certifiedhacker.Com/'Social Media/sarrp Unite - Together is Bet http //certifiedhackef.ci http://certifiedhacker.com/Under the treesTbc Undef lie Tfees http //certifiedhackef.ci http://cert1f1edhacker.com/Under the trees/bc Undef tie I fees http ://certifiedhackef.ci •?Air I Irvfef l^x» Tit a
httrv//(*••־rtifiArlhArk
httn/Zrprti^HhArkwr,
FIGURE 10.10: Web Data Extractor Extracted Phone details window
12. Similarly, check for the information under Faxes, Merged list, Urls (638), Inactive sites tabs 13. To save the session, go to File and click S ave se ssio n
C E H L ab M anual Page 75
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
Web Data Extractor 8.3
--------
F ile | View
Help
Edit session
Jobs 0 J /
5
Cur. speed Avg. speed
Open session
ctti-s
S«vc session
| s (29)
Faxes (27)
Merged list Urls (638
Inactive sites
Delete sesson URL procesced 74 Delete All sessions
Traffic received 626.09 Kb
Start session Stop session Stop Queu ng sites b it
Sfe Save extracted links directly to disk file, so there is no limit in number of link extraction per sessio n . It supports operation through proxy-server and works very fast, a s it is able of loading several pages simultaneously, and requires very few resources
FIGURE 10.11: Web Data Extractor Extracted Phone details window
14. Specify the session name in the S ave s e s s io n dialog box and click OK '1^ 1®' a ׳ Web Data Extractor 8.3 [File
View
H dp
m 0 New Ses$k>r
£dit
p 1 Qpen
Meta tegs (64)
« $ta»t
£ Sloe
1
Jobs [0 | /
Emails (6) Phones (29)
Cur. speed Avg speed
| Faxes (27)
0.0Dkbps 0 03kbps
1 1
Merged list Urls (638) Inactive sites
S*o piococcod 1 f 1. Time 4:12 min
URL pcocesied 74 Tralfic receded 626.09 Kb Save session
־ נ ^ו־
Please specify session name:
FIGURE 10.12: Web Data Extractor Extracted Phone details window
15. By default, the session will be saved at D:\Users\admin\Documents\W ebExtractor\Data
C E H L ab M anual Page 76
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
Lab Analysis Document all die Meta Tags, Emails, and Phone/Fax. T ool/U tility
Information Collected/Objectives Achieved M eta tags Inform ation: URL, Title, Keywords, Description, Host. Domain, Page size, etc.
Web D ata Extractor
E m ail Inform ation: Email Address, Name, URL. Title, Host, Keywords density״, etc. Phone Inform ation: Phone numbers, Source, Tag, etc.
P L EA S E TALK T O Y OU R I N S T R U C T O R IF YOU HAV E Q U E S T I O N S R E L A T E D T O T H I S L AB .
Questions 1. What does Web Data Extractor do? 2. How would you resume an interrupted session 111Web Data Extractor? 3. Can you collect all the contact details of an organization? Internet Connection Required □ Yes
0 No
Platform Supported 0 Classroom
C E H L ab M an u al Page 77
0 iLabs
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Comicil All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
Identifying Vulnerabilities and Information Disclosures in Search Engines using Search Diggity / Valuable mformation_____ Test your knowledge *4 Web exercise m
Search Diggity is theprimary attack tool of the Google Hacking Diggity Project It is an M S Windons GUI application that serves as afront-end to the latest versions of Diggity tools: GoogleDiggity, BingDiggity, Bing L/nkFromDomainDiggity, CodeSearchDiggity, Dl^PDiggity, FlashDiggity, Main areDiggity, Po/tScanDiggity, SHOD.4NDiggity, BingBina/yMalnareSearch, andNotlnMyBackYardDiggity.
Lab Scenario
Workbook review
An easy way to find vulnerabilities 111 websites and applications is to Google them, which is a simple method adopted bv attackers. Using a Google code search, hackers can identify crucial vulnerabilities 111 application code stnngs, providing the entry point they need to break through application security. As an expert eth ical hacker, you should use the same method to identity all the vulnerabilities and patch them before an attacker identities them to exploit vulnerabilities.
Lab Objectives The objective of tins lab is to demonstrate how to identity vulnerabilities and information disclosures 111 search engines using Search Diggity. Students will learn how to: H Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and R econnaissance
C E H L ab M an u al Page 78
■ Extract Meta Tag, Email, Phone/Fax from the web pages
Lab Environment To carry out the lab, you need: ■
Search Diggitvis located at D:\CEH-Tools\CEHv8 Module 02 Footprinting and R econ n aissan ce\G oogle Hacking Tools\SearchD iggity
E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
■ You can also download die latest version of Search Diggity from the link http: / / www.stachliu.com/resources / tools / google-hacking-diggitvproject/attack-tools ■ If you decide to download the latest version, then sc r e e n sh o ts shown 111 the lab might differ ■ Tins lab will work 111 the CEH lab environment - 011 W indows Server 2012, W indows 8, W indows Server 2008, and W indows 7
Lab Duration Time: 10 Minutes GoogleDiggity is the primary Google hacking tool, utilizing the Google JSON/ATOM Custom Search API to identify vulnerabilities and information disclosures via Google searching.
Overview of Search Diggity Search Diggity has a predefined query database diat nuis against the website to scan die related queries.
Lab Tasks 1.
To launch the Start menu, hover the mouse cursor 111 the lower-lelt corner of the desktop
FIGURE 11.1: Windows Server 2012—Desktop view
2. 111 the Start menu, to launch Search Diggity click the Search Diggity Launch Search Diggity
Start
Administrator
MMMger
tools a
* Control Panel
g
Myp«־V f/onaqef
%
m
Hyper V Vliiijol Machine..
Command
?״
F"
Google Chrome
Adobe Reader X
•
T
Mozilla
Internet Informal). Services..
©
^
1 V«(hOt
o
י
FIGURE 11.2: Windows Server 2012 —Start menu
C E H L ab M anual Page 79
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 02 - Footprinting and Reconnaissance
3. The Search Diggity main window appears with G oogle Diggity as the default
ss-. Queries —Select Google dorks (search queries) you wish to use in scan by checking appropriate boxes.
ה Aggress**
Cautious
Googte Custom sparer ־ID:
Queries
»*n>a
Croat•
r חFS06
t □ (.►O*
Catoqory
SuOcstoqory
Soarch String
Pago Tid•
I [ J G*>BR*b0rn I □ SharePwrt OO^gtty > U s io e > I ISLOONCW > f 1 OLPOwty Initial * Nonsw* saarctxs & t ] FtashDggty ln©ai
Google Status: Ready
Download P rog rss: Id « 0׳.*n F.j ce
FIGURE 11.3: Search Dimity—Main window
4. Select Sites/Dom ains/IP R anges and type the domain name 111 the domain lield. Click Add Ootonj CodeSearch S«rpl«
Mrto Brng
llnkfromDomnin
DLP
Flash
Mnlwor#
PortS«ar
Mot'nMyBnckynrri
Ackencwj
BingMnlwnr#
| יודcrosoft.com
I
Clients
SKorinn IjlT .T ll
___( Clca■
Hide
׳נn FSDB
t>QGH06
Category
Subcategory
Search Stnng
Page Ttie
> □ GHDBRebom
£ 0 Download_Button — Select (highlight) one or more results in the results pain, dien click this button to download die search result files locally to your computer. By default, downloads to D :\D ig g ity D o w n lo a d s \.
? p SharePDtit Diggty > 12 SLD3 > □ sldbnew > r DLPDigg.ty Intia! > Flash MorrS'AF Searches
Selected Result
t> F FiashDiggty Intial
Gooqk* Sldtuv: RttJy
Download Proqrvvs: Id • 1!! F5PB Subcategory
t ׳E: CHD6
Search String
Page Title
URL
> C GHDeReborr t( ׳v sfiarcPon: oqgkv > (! יa o a * ם ־SI06NEW > IT OtPDlQqltY Iftlldl
selected Result
> C Rash HanSMlF S«ardws - (T RashOigpty inrtial ^ C SVVF Flndng Gener !c • □ SWF Targeted 5eorches j *
Google S tatu s :
Dotviihjad P rogress: tzk! C? ־n Fo.d־r
FIGURE 11.5: Search Diggity —Domain added
6. Now, select a Query trom left pane you wish to run against the website that you have added 111 the list and click Scan SB.
T A S K
2
Run Query against a w eb site
Note: 111 this lab, we have selected the query SWF Finding Generic. Similarly, you can select other queries to run against the added website "5
Seaich Diogity oodons CodeScarfr
' ם י ־־
x
HdO Bing
LirkfrornDomam
DLP
,י״1■'
Flash
Malware
PortScan
HotiftMyflxIcyard
Settings 1 . Cat ical Oownloac]
Proxies 1
SingMalwnre
Shodan
< .Q 1 fc fll1 126.192.100.1 1
1
microsort.com [Kcmove]
lEOal dear
□F־D 6
Category
□ GHD6
Subcategory
search stnng
ps ge
Hide Title
URL
O GHDBRebom □ SharePoinl t>ggiy □ SLOB O SLDBNEW □ DIPDigjjty Tnrtiol
m
When scanning is kicked off, the selected query is run against the complete website.
Selected Result
□ Fiasf nodswf s«arch«s [
FiasfrDtggity Initial____ 117 SWF Prdng Gencric]
> n SWF Targeted Searches
booqle s ta tu s :
Download Progress: :de
holJt'
FIGURE 11.6: Seaich Diggity —Selecting query and Scanning
C E H L ab M anual Page 81
E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 02 - Footprinting and Reconnaissance
m
Results Pane - As scan runs, results found will begin populating in this window pane.
7. The following screenshot shows the scanning p r o ce ss ^
x -
Search Dignity
LinkFromDomain 5 nr 313
PortScan
ftotin M/Backyard
AcS׳arced
BingMalware
S ho da n
> 128.192.100.1 Cancel
rrecrosoft.com [Rer ove]
Proxies
Download
|_________
|
Ceai
□F5D 6 □ GHDB
Cntegory
Subcntegory
Search String
Hide
Page T*e
URL
*
□ GHOBRetoorr
F1a«fcD1gg1ty ]ml SWF Finding G< exfcswt ste :mu Finland rrcNrg
חstiaroPom: Digqty
FlastiDiggity ]ml SWF Finding G< ext:swf ste:m1< Start the Tour 1 http://v/v/7v.m1cr0xtt.com/napp01nt/flosh/Mapl'o1r1t
Mtp ://Vr/vw.rniCTOsoft.com/europe/home.swf
5106 ט
MastiPiqqity inn swf Finding G< oxt:swf s1tc:m1< cic* h«rc - mic •־׳ttp '.׳vwiV.microMft.com/loarninq/olcarrinq/DcmosI Z
□ SLD6ICW □ OiPOigglty Irttlai
S«totted Result
□ Tosh honSWF Searches
□HashoiggtYtotal
(✓ SWF Finding G»rwr
£*
15
®
Manufacturer
10.0.0.1
® &
m Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few dicks.
IP c
J► S c a r' J l
5*iv*, 0
d«J0,
Nlctgear, Inc.
10.0.a1
. .a2
M A C ad d ress 00:09:5B:AE:24CC
W IN -M SSE LC K 4 K 4 1
10 0
D ell Inc
D0:67:ES:1A:16:36
W INDO W S#
10.0.03
M ic r o s o ft C o rp o ra tio n
00: 5:5D: A8:6E:C6
1
W IN * L X Q N 3 W R 3 R 9 M
10.0.05
M ic r o s o ft C o rp o ra tio n
00:15:5D:A8:&E:03
W IN -D 39M R 5H 19E 4
10.0.07
Dell Inc
D 1:3׳E:D9:C3:CE:2D
S unknown
FIGURE 1.6: The Advanced IP Scanner main window after scanning
8. You can see in die above figure diat Advanced IP Scanner lias detected die victim machine’s IP address and displays die status as alive
M
T A S K
2
Extract Victim’s IP Address Info
9. Right-click any o f die detected IP addresses. It will list Wake-On-LAN. Shut down, and Abort Shut down
5־ F ie
Advanced IP Scanner A ctions
Scan
Settings
View
Helo
II
*
*sS :
10.0.011
n
ip c u u
Like us on
Wi F a ce b o o k
10 .0 .0 . 1- 10 .0 .0.10 Resuts
Favorites |
Status
N am e
10.0 .0.1
IHLMItHMM, W IN D O W S 8
h i
W IN -L X Q N 3 W R 3
— t* p ׳o re Copy
W IN ־D39MR5HL
־HTML R ep o rts ־S e le c te d Item s.
1- 1° ׳x -
CurrPorts File Edit | View | Option)
X S
(3
Help
Show Grid Lאחו
Process Na P I Show Tooltips
^ Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.
C
chrome.
C
c h ro m e f
Address ).7 ).7
AAAA
AAAA
HTML Report - All Items
F ■0.7
H T M L Report ■ Selected te rn s
O ' c h ro m e “
®,firefcxe (g fir c f c x e :
fircfcx e.7 1000.7 1000.7 100.0.7 0.0.0.0
Ctrl♦■Plus
Refresh
1368 1368 1368 1000 1000 564 564
TCP TCP TCP TCP TCP TCP TCP
4163 4166 416S 1070 1070 1028 1028
14nn
T rn
י«׳*־ו־
79 'ctel Ports. 21 Remote Connections, 3 Selected
a You can also rightclick on the Web page and
00.0.0
Remote Address Remote Host Nam 175.19436.26 bom04s01-1n־f26.1 173.1943626 bom04s01-1n־f26.1 173.1943626 bcm04s01-in־f26.1f 215720420 323-57-204-20.dep 173.1943526 bcm04s0l-in-f26.1 12700.1 WIN-D39MR5HL9E 12700.1 WIN-D39MR5HL9E 173.1943622 bom04s01 -in-f22.1 173.194,36.15 bomOlsOI -in־f15.1 173.194360 bomOlsOI -in־f0.1c gruC3s05 in-f 15.1c 74125234.15 0.0.0.0 s 0.0.0.0
Mark Odd/Even Rows
__
Rem... 80 80 80 80 443 3982 3981 443 443 443 443
Rem... http http http http http:
https http; http: https
H irS o ft F re e w a re . h ttp . ׳,׳,w w w . r ir s o ft.n e t
FIGURE 4.5: CurrPorts with HTML Report - Selected Items
7.
The selected rep ort automatically opens using the d e fa u lt b row ser.
save the report.
C E H L ab M an u al P ag e 106
E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
TCP/UDP Ports List - Mozilla Firefox
1 ־n J~x
I
ffi'g |d : V»־cv» Hatory Bookmaiks Toob Help [
In the filters dialog bos, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).
] TCP/UDP Ports List ^
| +
W c /'/C /l h e r v ׳Admin 1strotor/Dr 5fctop/'cport5 ־r 64/rcp o דיi«0T1l
(? ־GoogleP |,f t I
T C P / V D P Ports L is t
Created by ining CiirrPom
Process Name
Process Local Protocol ID Port
I>ocal Local Port Address .Name
Reuiotv Port
Remote Port Name
Kvuiotc Address
Remote Host Name
State
c:
dbiome.cxc 2988
TCP
4148
10.0.0.7
443
https
173.194.36-26 bom04sC 1 m. £26.1e 100.net Established
firefox exe
1368
TCP
4163
10 0 0 7
443
https
173 194 36 15 bom04s01 tn-fl 5. Iel00.net Established C:
hUpd cx c
1800
TCP
1070
Listening
C:
FIGURE 4.6: The Web browser displaying CuaPorts with HTML Report - Selected Items / / The Syntax for Filter String: [include | exclude]: [local | remote | both | process]: [tcp | udp | tcpudp] : [IP Range | Ports Range].
8. To save the generated CurrPorts report from the web browser, click File >־S a v e P a g e A s...C trl+ S TCP/׳UDP Ports List ־Mozilla Firefox
׳
r= > r* י
Edfe Vir* Hutory Boolvfmki Took HWp N**׳T*b
Clrl-T
|+ |
an*N Open Fie...
Ctrl»0
S*.« PageA;.
Ctrl-S
fi *
»r/Deslctop/cpo»ts x6A NirSoft Freeware, http:/wvrw.nircoft.net
|79 Tctel Ports, 21 Remote Connections, 1 Selected
FIGURE 4.8: CunPorts to view properties for a selected port
10. The P ro p e rtie s window appears and displays all the properties for the selected port. 11. Click OK to close die P ro p e rtie s window *
Properties Process N am e:
fire fo x .e x e
Process ID:
1368
Protocol:
TC P
Local Port:
4166
Local Port N am e: Local A ddress: R em ote Port:
Command-line option: / shtml means save the list of all opened TCP/UDP ports into an HTML file (Horizontal).
1 0.0 .0 .7 4 43
R em ote Port N am e:
|https_________________
R em ote A ddress:
1173.1 9 4 .3 6 .0
R em ote H ost N am e:
bo m 04s01-in -f0.1 e 1 0 0.n e t
State:
E s tab lis h e d
Process Path:
C:\Program Files (x 86 )\M 0 z illa F ire fo x \fire fo x .e x e
Product N am e:
Flrefox
File D escription:
Firefox
File Version:
14.0.1
Com pany:
M o z illa Corporation
Process C reated On:
8 /2 5 /2 0 1 2 2 :36 :2 8 PM
U s e r N am e:
W IN -D 3 9 M R 5 H L 9 E 4 \A d m in is tra to r
Process S e rv ice s : Process Attributes: Added On:
8 /2 5 /2 0 1 2 3:32 :5 8 PM
M o d u le F ile n a m e : R em ote IP Country: W in d o w Title:
OK FIGURE 4.9: Hie CunPorts Properties window for the selected port
C E H L ab M an u al P ag e 108
E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
S TASK
12. To close a TCP connection you think is suspicious, select the process and click File >־C lo s e S e le c te d T C P C o n n e c tio n s (or Ctrl+T). 2
-_,»r
CurrPorts
C lo se TCP Connection
IPNetlnfo
Clrf♦■ו
Close Selected TCP Connections
Ctrl-T
Local Address 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.00.1 127.00.1 10.0.0.7 10.0.0.7
Kill Processes Of Selected Ports SaveSelected Items
CtH-S
Properties
AH- Enter Ctrl—P
Process Properties Log Changes Cpen Log File Clear Log File Ad/snced Options
Ctrl+0
Exit ^ httpd.exe httpd.exe □isass^xe QtoSfcCNe ^
1£03 1800 564 564
J
10.0.0.7 0D.0.0
TCP
1070
TCP TCP TCP
1070 1028 1Q28
Rem... 60 80 80 80
443 3932 3931 443
443 443 443
Rem... http http http http https
http: https https https
Remote Address 173.19436.26 173.19436.26 173.19436.26 23.5730430 173.19436.26 127.0.0.1 127.0.0.1 173.19436.22 173.19436.15 173.19436.0 74.125.234.15 0.0.0.0
Remote Host Nam י׳I bom04s01-in־f26.1 bom04s01-in־f26.1 bom04sC1 in-f26.1 023-57 204 2C.dep = bom04s01 in־f26.1 WIN-D39MR5HL9e WIN-D39MR5HL9£ bom04s01 -in-f22.1 bom04s01-in-f15.1 bom04s01 ■in-f0.1s gru03s05-in-f151e
r o.aao r
om o
I>
״ ד
III
ד
HirSoft freeware. r-tto:׳v/Yv*/n rsott.net
7? Tot«! Porte, 21 Remote Connection! 1 Selected
FIGURE 4.10; ,Hie CunPoits Close Selected TCP Connections option window
13. To kill the p r o c e s s e s o f a port, select die port and click F ile >־Kill P r o c e s s e s o f S e le c te d Ports.
I ~ I* ' ם
CurrPorts File j Edit
fi
TASK
3
View Options Help
an♦!
P N e tln f o C lo s e Se lected T C P C o n n e c tio n !
Kill P ro ce s s
Clil^T
Loral Addrect 10.0.07 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.0.0.1 127.0.0.1 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 O.Q.Q.O
kin Processes Of Selected Ports Ctrt-S
Save Selected Items
A t -E n t e r
P r o p e r tie c
CtrKP
P r o c e s s P r o p e r t ie s
Log Changes Open Log File Clear Log file Advanced Options Exit
V htt3d.exe Vbttpd.exe □l«ss.ete □ katc *1*
ר
1800 1800 564 561
TCP TCP TCP TCP
1070 1070 1028 1028
Rem... 80 80 80 80 443 3962 3981 443 443 443 443
fam.. http http http http https
https https https https
Remote Addrect 173.14436.26 173.194.3626 173.194.3626 215720420 173.1943636 127.0.0.1 127.0.0.1 173.1943632 173.19436.15 173.19436.0 74125334.15 0.0.0.0
Remote Host Nam * bom04t01*in-f26.1 bomC4t01-in־f26.1 bomC4j01 -in-f26.1 a23-57-204-20.dep s bcmC4s01-in-f26.1 WIN-D39MR5HL9E WIN-D39MR5HL9E bomC4s01-in-f22.1 bom04s01־in־f15.1 bom04s0l־in־f0.1e gru03s05-1n-M5.1e
o.aao ___
/)A A A
II
79 Tctel Ports, 21 Remote Connections, 1 Selected
M irSoft F re e w a re . h ttp -J ta /w w .rirs o ft.n e t
FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports Option Window
14. To e x it from the CurrPorts utility, click File >־Exit. The CurrPorts window c lo s e s .
C E H L ab M an u al P ag e 109
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
1- 1° ׳- ’
CurrPons File
Edit
View Options
Help
PNetlnfo
QH+I
Close Selected TCP Connections
CtrKT
..
Kil Processes Of Selected Ports
h id Command-line option: / sveihtml Save the list of all opened TCP/UDP ports into HTML file (Vertical).
Save Selected Items
Ctrfc-S
Properties
At-Eater
Process Properties
CtH«־P
log Changes Open Log File Clear Log File Advanced Option!
CtH-0
Ext \thttpd.exe \thttpd.exe Qlsas&cxe H lsais-ae ■ ־־
1 1800 1800 564 564
TCP TCP TCP TCP rrn
1070 1070 1028 1028
itnt
__
Local Address 10.0.0.7 10D.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.0.0.1 127.0.0.1 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 0.0.0.0 = 0.0.00
Rem... 80 80 80 80 443 3987 3981 443 443 443 443
Rem״ http http http http https
https https https https
/ וa /\ a
Remcte Address 173.194.36.26 173.194.3626 173.194.3626 21572Q420 173.194.3626 127DD.1 127X10.1 173.194.36-22 173.194.36.1S 173.194.36i) 74.125.234.15 0.0.0.0 = 0.0.0.0 = AAAA
Remcte Host Nam bom04s01-in-f26.1 bom04s01-in-f26.1 bom04s01-in־f26.1r a23-57-204-20.deJ bom04t01-in-f26.1| WIN-D39MR5H19P WIN-039MR5HL9E bomC4101-in-f22.1 bomC4i01 in־f15.1 bcmC4s01 in f0.1q gru03sG5in-f15.1e
Nil Soft fre e w ere. Mtpy/vvwvv.r it soft.net
79 T ctal Ports. 21 Remote Connections. 1 P ie c e d
FIGURE 4.12: The CurrPoits Exit option window
Lab Analysis Document all die IP addresses, open ports and dieir running applications, and protocols discovered during die lab. feUI In command line, the syntax of / close command :/close < Local Address> < Remote Address > < Remote Port * נ.
T o o l/U tility
Profile D etails: Network scan for open ports S canned Report:
C urrP orts
C E H L ab M an u al P ag e 110
In fo rm atio n C o llected /O b jectiv es A chieved
■ ■ ■ ■ ■ ■ ■ ■ ■
Process Name Process ID Protocol Local Port Local Address Remote Port Remote Port Name Remote Address Remote H ost Name
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
PL E A S E TA LK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.
Q uestions Q CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.
1. Analyze the results from CurrPorts by creating a filter string that displays
only packets with remote TCP poit 80 and UDP port 53 and running it. Analyze and evaluate die output results by creating a filter that displays only die opened ports in die Firefox browser. כ.
Determine the use o f each o f die following options diat are available under die options menu o f CurrPorts: a.
Display Established
b. Mark Ports O f Unidentified Applications c.
Display Items Widiout Remote Address
d. Display Items With Unknown State In te rn e t C o n n ectio n R eq u ired □ Yes
0 No
P latform S u p p o rted 0 C lassroom
C E H L ab M an u al P ag e 111
0 !Labs
E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
Lab
Scanning for Network Vulnerabilities Using the GFI LanGuard 2012 GFI LA N gw rd scans networks andports to detect, assess, and correct any security vulnerabilities that arefound. I CON KEY Valuable information ✓
Test your knowledge Web exercise
Q
W orkbook review
Z U Tools dem on strated in this lab are a va ila b le in D:\CEHTools\CEHv8 M odule 03 S canning N etw orks
Lab S cenario You have learned in die previous lab to monitor TCP IP and UDP ports 011 your local computer or network using CurrPorts. This tool will automatically mark widi a pink color suspicious T C P/U D P ports owned by unidentified applications. To prevent attacks pertaining to TC P/IP; you can select one or more items, and dien close die selected connections. Your company’s w e b serve r is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by die ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses diis vulnerability and places a b ack d oor on th e server. Using die backdoor, the attacker gets complete access to die server and is able to manipulate the information 011 the server. The attacker also uses the server to leapfrog and attack odier servers 011 the ISP network from diis compromised one. As a se cu rity adm inistrator and penetration te s te r for your company, you need to conduct penetration testing in order to determine die list o f th re a ts and vulnerabilities to the network infrastructure you manage. 111 diis lab, you will be using GFI LanGuard 2 0 12 to scan your network to look for vulnerabilities.
Lab O bjectives The objective o f diis lab is to help students conduct vulnerability scanning, patch management, and network auditing. 111
diis lab, you need to: ■
C E H L ab M an u al P ag e 112
Perform a vulnerability scan
E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
■ Audit the network
Q You can download GFI LANguard from http: / /wwwgfi. com.
■
Detect vulnerable ports
■
Identify sennit} ־vulnerabilities
■
Correct security vulnerabilities with remedial action
Lab Environm ent To perform die lab, you need: ■
GFI Languard located at D:\CEH-Tools\CEHv8 M odule 03 Scanning N etw orksW ulnerability Scan ning Tools\GFI LanGuard
■ You can also download the latest version o f GFI L an gu ard from the link h ttp ://www.gfi.com/la 1111etsca 11 ■
I f you decide to download the la te s t v e rsio n , then screenshots shown in the lab might differ
■ A computer running W indow s 2 0 12 S erver as die host machine
Q GFI LANguard compatibly works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/ Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).
■
W indows S erver 2008 running in virtual machine
■
Microsoft ■NET Fram ew ork 2.0
■ Administrator privileges to run die GFI LANguard N etw ork S ecu rity S can n er
■
It requires die user to register on the GFI w e b site http: / / www.gii.com/la 1111etsca11 to get a lic e n se key
■
Complete die subscription and get an activation code; the user will receive an em ail diat contains an activation c o d e
Lab D uration Time: 10 Minutes
O verview o f Scanning N e tw o rk As an adminisuator, you often have to deal separately widi problems related to vulnerability issues, patch m an agem ent, and network auditing. It is your responsibility to address all die viilnerability management needs and act as a virtual consultant to give a complete picture o f a network setup, provide risk an alysis, and maintain a secure and com pliant n etw ork state faster and more effectively. C -J GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
C E H L ab M an u al P ag e 113
Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type o f ch eck in g performed during a network security audit. These include open port checks, missing Microsoft p a tch e s and vulnerabilities, service infomiation, and user or p ro c e s s information.
E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
Lab Tasks Follow die wizard-driven installation steps to install die GFI LANguard network scanner on die host machine windows 2012 server. 1. B
T AS K 1
Navigate to W in dow s S e rv e r 2 0 12 and launch the S ta rt m enu by hovering the mouse cursor in the lower-left corner o f the desktop
Scanning for V ulnerabilities
Zenmap file installs the following files: ■ Nmap Core Files ■ Nmap Path
FIGURE 5.1: Windows Server 2012 - Desktop view
2. Click the GFI LanG uard 2 0 12 app to open the GFI LanG uard 2 0 12 window
■ WinPcap 4.1.1 ■ Network Interface Import ■ Zenmap (GUI frontend) ■ Neat (Modern Netcat)
Windows
Google
Marager
bm
■ Ndiff
r
♦
*
£
SI
N nd
V
e
FT־
2 )G
0 FIGURE 5.2 Windows Server 2012 - Apps
3. The GFI LanGuard 2012 main w in d ow appears and displays die N etw ork Audit tab contents. / / To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
C E H L ab M an u al P ag e 114
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
GFI LanGuard 2012 I
- |
dashboard
Seen
R em edy
ActMty Monitor
Reports
Configuration
UtSties
W
D13CIA3 this ■ י
Welcome to GFI LanGuard 2012 GFI LanGuard 2012 is ready to audit your network iw rtireta& dites
L o ca l C o m p u te r V u ln e ra b ility L ev el
ea The default scanning
u s • ־N an a 9# *gents ־or Launch a scan ־options 10 , the entile network.
options which provide quick access to scanning modes are:
JP
V iew Dashboard Invest!gate netvuor* wjinprawiir, status and a u til results
Rem odiate Security Issues M
: < ׳Ccnfig.rstcn Cp־rators
♦a » a **?Operators
S«ss»ns (2)
% Servfcee (l•*©) H i ®rocrase* (76)
W w rt* ״
K>pe ׳V Adrritstrators
* ft ־״ft • ft
•? . -OXfC 0 ״users ( 1 )נ
A scheduled scan is a network audit scheduled to run automatically on a specific date/tim e and at a specific frequency. Scheduled scans can be set to execute once or periodically.
Actmrty M onitor
S*rf« 1l 1f 1 .nl 1 (tdl• | )׳Scan tfve*0 ? frt*)
RES Ehdpcut Servers PCS Manage»״ent Servers
Soan *read S * fe ) | 8 י0| • ׳
FIGURE 5.13: Information of Groups
17. Click die D ashboard tab: it shows all the scanned network information 1 ° n ^ ׳
GFI LanGuard 2012
> 45 ״I q Crap
I Dashbcurdl
it 6mel1n*ork
Sun
Remedy!*
!t
Activity Monitor
f#
V»'
Ce m ctm
•w «v
Reports
1
Configuration
to
*
UUkbe;
4t
זי/.־
V
ViAirrnhlfces
O u c u M ln a varam ..
fei *J
PeA*
v
(
SdNiare
Entire Network -1 com puter
f j UKJ»-c«t: ttlh-03»Ma.5rt.4£-» Security S«1tors w n w a rn i w u w •
^' ־ucj1!):y10«j
|
Nmap Output Ports f Hosts | Topology | Host Details | Scans
OS < Host
FIGURE 6.4: The Zenmap main window with Target and Profile entered ! S " The six port states recognized by Nmap: ■ Open
8. N m ap scans the provided IP address with In ten se scan and displays the scan resu lt below the Nmap Output tab.
■ Filtered ■ Unfiltered
^
Zenmap
■ Closed Scan
Target:
I o o ls
E rofile
X
ן
H elp
10.0.0.4
C om m and:
ז ם י
׳י
Profile:
Intense scan
Scan:
nm a p -T4 -A - v 10.C.0.4
■ Open | Filtered Nn ■ap Output [ports / Hosts | Topolog) | Host Details | Scans
■ Closed | Unfiltered OS < Host ׳׳
nmap-T4 •A -v 10.00.4 S to r tin g
Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
|
^
| Details
10.0.0.4 Nmap C . O l
(
h ttp ://n m s p .o r g
)
at
2012 0 8
NSE: Loaded 9 3 s c r i p t s f o r s c a n n in g . MSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g Scan a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in e S can a t 1 5 : 3 5 , 0 . 1 7 s e la p s e d h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a C o m p le te d P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 0 .5 0 s e la p s e d I n i t i a t i n g SYN S t e a l t h S can a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] D is c o v e r e d o pe n p o r t 135! ׳t c p on D is c o v e r e d o pe n p o r t 1 3 9 / t c p on D is c o v e r e d o pe n p o r t 4451 ׳t c p on I n c r e a s in g se n d d e la y f o r 1 6 . 0 . 0 . 4 f r o « 0 t o צ o u t o f 179 d ro p p e d p ro b e s s in c e l a s t in c r e a s e . D is c o v e r e d o pe n p o r t 4 9 1 5 2 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o p e n p o r t 4 9 1 5 4 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 3 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 6 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 5 / t c p o n 1 0 . 0 . 0 . 4 D is c o v e r e d o pe n p o r t 5 3 5 7 / t c p on 1 0 . 6 . 0 . 4
24
(1 t o t a l t 1 5 :3 5 1 5 :3 5 ,
1 6 .0 .0 .4 1 0 .0 .0 .4 1 6 .0 .0 .4 d ee t o 72
Filter Hosts
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
9. After the scan is com plete, N m ap shows die scanned results.
C E H L ab M an u al P ag e 125
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
T=I
Zenmap Scan
Iools
£rofile
Help Target:
a
Command:
Cancel
י
Details
nmap -T4 -A -v 10.C.0.4
The options available to control target selection: ■ -iL
Scan!
J
Nrr^p Output | Ports / Hosts | Topolog) Host Details | Scans OS
nmap •T4 •A ■v 10.0.0.4
< Host
׳׳
פ כ
n e tb io s -s s n 1 3 9 /tc p open 4 4 5 /tc p open n c tb io s ssn h ttp M ic ro s o ft HTTPAPI h ttp d 2.0 5 3 5 7 /tc p open (SSOP/UPnP) | _ h t t p ־m « th o d s : No A llo w o r P u b lic h « a d « r i n OPTIONS re s p o n s e ( s t a tu s code 5 03 )
10.0.0.4
■ -1R ■ -exclude [, [,...]]
| _ r r t t p - t it le : S ervice U na va ila b le M i c r o s o f t W indow s RPC 4 9 1 5 2 / t c p o pe n m srp c M i c r o s o f t W indow s RPC 4 9 1 5 3 / t c p open m srp c M i c r o s o f t W indow s RPC 4 9 1 5 4 / t c p o pe n m srp c M i c r o s o f t W indow s RPC 4 9 1 5 5 / t c p open m srp c M i c r o s o f t W indow s RPC 4 9 1 5 6 / t c p open m srp c ______________ ;0 7 :1 0 ( M ic r o s o f t ) MAC A d d r e s s : 0( 1 5 : 5D: D e v ic e t y p e : g e n e r a l p u rp o s e R u n n in g : M i c r o s o f t WindONS 7 | 2008 OS CPE: c p « : / o : ׳n ic r o s o f t : w in d o w s _ 7 c p e : / o : » ic r o s o f t : w i n d o w s _ s e r v e r _ 2 0 0 8 : : s p l (? לd e t a i l s : M i c r o s o f t W indow s 7 o r W indow s S e r v e r 2 00 8 SP1 U p tim e g u e s s : 0 .2 5 6 d a y s ( s i n c e F r i Aug ?4 0 9 : 2 7 : 4 0 2 0 1 2 )
■ -excludefile
ח
Nttwort Distance; 1 hop
TCP S eq u en ce P r e d i c t i o n : D i f f i c u l t y - 2 6 3 (O o od l u c k ! ) I P I P S e q u e n ce G e n e r a tio n : I n c r e m e n t a l S e r v ic e I n f o : OS: W in d o w s; CPE: c p e : / o : n ic r o s c f t : w in d o w s
Q The following options control host discovery: Filter Hosts
■ -sL (list Scan)
FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
■ -sn (No port scan) ■ -Pn (No ping) ■ ■PS (TCP SYN Ping) ■ -PA (TCP ACK Ping) ■ -PU (UDP Ping) ■ -PY (SCTP INTT Ping) ■ -PE;-PP;-PM (ICMP Ping Types) ■ -PO (IP Protocol Ping) ■ -PR (ARP Ping) ■ —traceroute (Trace path to host) ■ -n (No DNS resolution) ■ -R (DNS resolution for all targets)
10. Click the Ports/H osts tab to display more information on the scan results. 11. N m ap also displays die Port, Protocol, S tate. Service, and Version o f the scan.
T־T
Zenmap Scan Target:
Iools
Profile
10.0.0.4
Command:
״״
Scan
Cancel
nmap -T4 -A -v 10.0.0.4 Services
OS
Help
Nmgp Out p
u
(
Tu[.ul u1jy
Hu^t Details Sk m :.
< Host 10.0.0.4
Minoaoft Windows RPC
13S
tcp
open
rmtpc
139
tcp
open
netbios-ssn
445
tcp
open
netbios-ssn
5337
tcp
open
http
Microsoft HTTPAPI httpd 2.0 (SSD
49152 tcp
open
msrpc
Microsoft Windows RPC
49153 tcp
open
m srpc
Microsoft Windows RPC
49154 tcp
open
msrpc
Microsoft Windows RPC
49155 tcp
open
msrpc
Microsoft Windows RPC
49156 tcp
open
msrpc
Microsoft Windows RPC
■ -system-dns (Use system DNS resolver) ■ -dns-servers < server 1 > [, [,. ..]] (Servers to use for reverse DNS queries)
FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
C E H L ab M an u al P ag e 126
E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Coundl All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
12. Click the Topology tab to view N m ap’s topology for the provided IP address in the Intense scan Profile.
7 ^ t By default, Nmap performs a host discovery and then a port scan against each host it determines to be on line.
FIGURE 6.8: The Zenmap main window with Topology tab fot Intense Scan
13. Click the Host Details tab to see die details o f all hosts discovered during the intense scan profile. r^r°rx 1
Zenmap Scan
lools
Target:
Profile
10.0.0.4
Command: Hosts
7^ ׳By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
Scan
Conccl
nmap -T4 -A -v 10.0.0.4 ||
Services
OS < Host -־׳
Help
10.0.0.4
I
I Nm ap Output I Porte / H octt | Topologyf * Host Detail׳: Scan? 13.0.C .4
H Host Status S ta t e :
up
O p e n p o rtc
Q
Filtered poits:
0
Closed ports:
991
Scanned ports: 1000 Uptime:
22151
Last boot:
Fri Aug 24 09:27:40 2012
#
B Addresses
IPv4:
10.0.0.4
IPv6:
Not available
MAC: 00:15:50:00:07:10 - O perating System
Name:
Microsoft Windows 7 or Windows Seiver 2008 SP1
Accuracy: P o rts used
Filter Hosts
FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan
C E H L ab M an u al P ag e 127
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
14. Click the S cans tab to scan details for provided IP addresses. 1- 1° ׳x
Zenmap Scan
a
Nmap offers options for specifying winch ports are scanned and whether the scan order is random!2ed or sequential.
Tools
Profile
Help
10.0.0.4
Target:
Command: Hosts
Profile:
Cancel
nmap •T4 •A -v 100.0.4 |[
Services
|
Nmap Output J Ports.' Hosts | Topology | Host Detail;| S:an; Sta!us
OS < Host
Com׳r»ard
Unsaved nmap -14-A •v 10.00.4
100.04
if■ Append Scan
a
In Nmap, option -p means scan only specified ports.
Intense scan
»
Remove Scan
Cancel Scan
FIGURE 6.10: The Zenmap main window with Scan tab for Intense Scan
15. Now, click the Services tab located in the right pane o f the window. This tab displays the list o f services. 16. Click the http service to list all the H TTP H ostnam es/lP a d d resses. Ports, and their s ta te s (Open/Closed). י ־ז° ד * מ
Zenmap Scan
Tools
Target:
Help
10.0.0.4
Comman d: Hosts
Profile
v]
Profile:
Intense scan
v|
Scan |
ו
nmap •T4 -A -v 10.0.0.4 |
Services
Cancel
|
Nmap Output Ports / Hosts Topology HoctDrtaik | S^ant < Hostname A Port < Protocol « State « Version
Service
i
10.0.04
5357
tcp
open
Microsoft HTTPAPI hctpd 2.0 (SSI
msrpc n e t b i o s 5 5 ־n
Q In Nmap, option -F means fast (limited port) scan.
m Target? (optional):
10.00.4
TCP scam
None
Non-TCP scans:
None
Timing template:
FI
Enable OS detection (-0). version detection (-5V), script scanning (sCMand traceroute (־־traceroute).
ACK scan (-sA) ׳FIN scan ( sF) Mamon scan (-sM)
Q Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.
□ Version detection (-sV)
Null scan (-sN)
ח
Idle Scan (Zombie) (-si)
TCP SYN scan (-5S)
□
FTP bounce attack (-b)
TCP connect >can (»־T)
□
Disable reverse DNS resc
. Window scan (-sW)
ם
IPv6 support (■6)
| Xmas Tree scan (־sX)
Cancel
0Save Changes
FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab
23. Select None in die Non-TCP scan s: drop-down list and A ggressive (־ T4) in the Timing tem plate: list and click Save Changes 1י ^ ם | ־
Profile Friitor nmap •sX •T4 -A ■v 10.0.0.4 Help
Profile Scar Ping | Scripting [ Target Source | Other | Timing
Enable all ad/anced/aggressive options
Scan o p tio n *
Q You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using ־־ host-timeout to skip slow hosts.
Target? (optional):
1D.0D.4
TCP scan:
Xmas Tlee scan (־sX)
|v |
Non-TCP scans:
None
[v] ׳
Timing template:
Aggressive (-T4)
[v |
@
Enable OS detection (-0). version detection (-sV), script scanning (sQ and traceroute(--traceroute).
E n a b le a ll a d v a n c e d / a g g r e s s v e o p t i o n s ( - A )
□ Operating system detection (•O) O Version detection (-sV) □
Idle Scan (Zombie) (- 51)
□
FTP bounce attack (-b)
O Disable reverse DNS resolution (־n) ח
IPv6 support (-6)
Cancel
0 Save Changes
FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab
24. Enter the IP address in die T arget: field, select the Xmas scan opdon from the Profile: held and click Scan.
C E H L ab M an u al P ag e 131
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
Zenmap Scan
Tools
Target:
( Hosts 05
Help
10.0.0.4
Command:
In Nmap, option -sY (SCTPINIT scan) is often referred to as half-open scanning, because you donft open a full SCTP association. You send an INIT chunk, as if you were going to open a real association and then wait for a response.
Profile
|v |
Profile- | Xmas Scan
|v |
|Scan|
Cancel |
nmap -sX -T4 -A -v 100.0/ ||
Services
< Host
|
Nmap Output Potts/Hosts | Topology Host Details j Scans V
A
1
| Details]
Filter Hosts
FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. N m ap scans the target IP address provided and displays results on the Nmap Output tab. £Q! When scanning systems, compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST, if the port is closed, and no response at all, if the port is open.
Tools
Target
Command: Hosts
*
Profile
Help vl
10.0.0.4
OS « Host
Profile.
Services
|Scani|
N-nap Output Ports / Hosts | Topology Host Details | Scans nm a p -sX -T4 -A -v 10.0.0.4
10.0.0.4 S t a r t i n g Nmap 6 .0 1
a
Xmas Scan
nmap -sX -T4 -A -v 100.0/
N < F לlo a d e d
The option, -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
iz c
Zenmap Scan
93
( h ttp ://n m a o .o r g
s c r ip ts
fo r
) a t 2 0 1 2 - 0 8 -2 4
s c a n n in g .
NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g S can a t 1 6 :2 9 S c a n n in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in g Scan a t 1 6 : 2 9 , 0 .1 5 s e la p s e d ( 1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DMS r e s o l u t i o n o f 1 h o s t , a t 1 6 :2 9 c o m p le te d P a r a l l e l d n s r e s o l u t i o n o f l n o s t . a t 1 6 : 2 9 , 0 .0 0 s e la p s e d I n i t i a t i n g XMAS S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 6 . 4 [1 0 9 0 p o r t s ] I n c r e a s in g se nd d e la y f o r 1 0 . 0 . 0 . 4 f r o m 0 t o 5 due t o 34 o u t o f 84 d ro p p e d p ro & e s s in c e l a s t in c r e a s e . C o m p le te d XMAS S can a t 1 6 : 3 0 , 8 .3 6 s e la p s e d :1 0 0 0 t o t a l p o r ts ) I n i t i a t i n g S c r v i c e scon o t 1 6 :3 0 I n i t i a t i n g OS d e t e c t i o n ( t r y # 1 ) a g a i r s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g MSE a t 1 6 :3 0 C o m p le te d NSE a t 1 6 : 3 0 , 0 .0 0 s e la p s e d Nnap s c o n r e p o r t f o r 1 0 . 0 . 0 . 4 H o s t i s u p ( 0 .e 0 0 2 0 s l a t e n c y ) .
FIGURE 6.19: The Zenmap main windowwith the Nmap Output tab
26. Click the S ervices tab located at the right side o f die pane. It displays all die services o f that host.
C E H L ab M an u al P ag e 132
E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
Zenmap Scan
Iools
Target:
Profile
10.0.0.4
Command: Hosts
־
0
=
1
Help ^
Profile
Xmas Scan
| | 'יScan |
nmap -sX -T4 -A -v 10.0.0.4 |
Services
|
Nmap Output Ports / Hosts | Topology | Host Dttails | Scans nmap -sX T4 -A -v 10.0.0.4 S t a r t i n g Nmap 6 .0 1
( h ttp ://n m a p .o rg
Details ) a t 2 0 1 2 * 0 8 -2 4
: Loaded 03 s c r i p t s f o r s c a n n in g . NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P i r g S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in g S can a t 1 6 : 2 9 , 8 .1 5 s e la p s e d ( 1 t o t a l h o s ts ) I n i t i a t i n g 3a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 6 :2 9 C o m p le te d P a r a l l e l DNS r e s o l u t i o n 0-f 1 n e s t , a t 1 6 : 2 9 , 0 .0 0 s e la p s e d I n i t i a t i n g XMAS S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] I n c r e a s in g se nd d e la y f o r 1 0 . 0 . 0 . 4 f r o m e t o 5 due t o 34 o u t o f 84 d ־׳o p p e d p ro o e s s in c e l a s t in c r e a s e . C o m p le te d XHAS S can a t 1 6 : 3 0 . 8 .3 6 s e la p s e d (1 0 0 0 t o t a l p o r ts ) I n i t i o t i n g S e r v i c e sca n at 1 6 :3 0 I n i t i a t i n g OS d e t e c t i o n ( t r y # 1 ) a g a in s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g USE a t 1 6 :3 0 C o m p le te d NSE a t 1 6 : 3 0 , 0 .0 e s e la p s e d N nap
scan
H ost is
re p o rt
fo r
ח m
1 0 .0 .0 .4
u p ( 0 .0 0 0 2 0 s l a t e n c y ) .
V
FIGURE 6.20: Zenmap Main window with Services Tab
S
T A S K
3
Null Scan
27. Null scan works only if the operating system’s T C P /IP implementation is developed according to RFC 793.111 a 111111 scan, attackers send a TCP frame to a remote host with N O Flags. 28. To perform a 111111 scan for a target IP address, create a new profile. Click Profile >־New Profile or Command Ctrl+P
The option Null Scan (־sN) does not set any bits (TCP flag header is 0).
Zenmap [ New ProfJe or Command 9 £d it Selected Prof (FT P bounce scan) allows a user to connect to one F T P server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse o n m any levels, so m ost servers have ceased supporting it.
30. Click die Scan tab in the Profile Editor window. N ow select the Null Scan (־sN) option from the TCP scan : drop-down list. Profile Editor nmap -eX -T4 -A -v 10.0.0.4 H e lp
Profile] Scan | Ping | Scripting| larget | Source Jther Timing
Prof le name
Scan options Targets (optional):
1C.0.04
TCP scan:
Xmas Tree scan (-sX)
Non-TCP scans:
None
Timing template:
ACKscen ( sA)
|v
This is how the profile will be identified n the drop-down combo box n the scan tab.
[Vj Enable all advanced/aggressu FN scan (־sF) □ Operating system detection ( ־Maimon «can (•?M)
The option, -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.
C E H L ab M an u al P ag e 134
□ Version detection (■sV)
Null scan (•sN)
(71 Idle Scan (Zombie) (•si)
TCP SYN scan(-sS)
O FTP bounce attack (-b)
TCP connect scan (־sT)
(71 Disable reverse DNSresolutior Win cow scan (־sW) Xma; Tree !can (-sX) 1 1 IPy6 support (-6)
Cancel
Save Changes
FIGURE 6.23: The Zenmap Profile Editor with the Scan tab
31. Select None from the Non-TCP scan s: drop-down field and select A ggressive (-T4) from the Timing tem plate: drop-down field. 32. Click Save C hanges to save the newly created profile.
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
'-IT - '
Profile Editor nmap -sN -sX -74 -A -v 10.0.0.4
In Nmap, option — version-all (Try every single probe) is an alias for -version-intensity 9, ensuring that every single probe is attempted against each port.
P r o f ile
S can
|Scan[ Help
P i n g | S c r i p t in g | T a r g e t | S o i r e e [ C t h c i | T im in g
Disable reverse DNS resolution
Scan options Targets (opbonal):
N e \er do reverse DNS. This can slash scanning times.
1 0 .0 .0 .4
TCP scan:
Nul scan (•sN)
V
Non-TCP scans:
None
V
Timing template:
Aggressive (-T4)
V
C Operating system detection (-0)
[Z
Version detection (-5V)
I
I d le S c a n ( Z o m b ie ) ( -s i)
Q FTP bounce attack (-b) I
! D i s a b l e r e v e r s e D N S r e s o lu t io n ( - n )
□
IPv6 support (-6)
£oncel
m The option,-־topports scans the highest-ratio ports found in the nmap-services file. must be 1 or greater.
E rj Save Change*
FIGURE 6.24: The Zenmap Profile Editor with the Scan tab
33. 111 the main window o f Zenmap, enter die ta rg e t IP a d d re ss to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan. Zenmap Scfln
Iools
Erofile
Help
Target | 10.0.0.4 Command: Hosts
Q The option -sR (RPC scan), method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.
OS
Services
Null Scan
Nmap Outpjt Ports / Hosts Topology | Host Detais ( Scans < Port
< H ost
*U
Prof1•י:
nmap -sN •sX •T4 -A *v 10.00.4
< Prctoccl
< State
:
FIGURE /.l: Windows Server 2012- Desktop view
2. Click the N etScan Tool Pro app to open the N etScan Tool Pro window
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
Administrator A
Start Server Manager
Windows PowwShel
Google Chrome
H jp erV kWvwcr
NetScanT... Pro Demo
h
m
o
וי
f*
Control Pan*l
Mjrpw-V Mdchir*.
Q
V ( onviund I't. n.".־
e '» **“־׳1■»***■׳
w rr
*I
©
20 ז2
n
x-x-ac
9 FIGURE 7.2 Windows Server 2012 - Apps
3. I f you are using the D em o version o f NetScan Tools Pro, then click S tart th e DEMO £L) Database Name be created in the Results Database Directory and it will have NstProDataprefixed and it will have the file extension .db3
4. The Open or C reate a New R esult D atabase-N etScanTooIs Pro window will appears; enter a new database name in D atabase Name (enter new nam e here) 5. Set a default directory results for database file location, click Continue Open or Create a New Results Database - NetScanTools® Pro
*ו
NetScanToote Pro au to m a tica l saves results n a database. The database «s requred. Create a new Results Database, open a previous Resdts Database, or use this software r Tranng Mode with a temporary Results Database. ■״Trainrtg Mode Qutdc Start: Press Create Training Mode Database then press Continue. Database Name (enter new name here) Test|
Select Another Results Database
A NEW Results Database w l be automabcaly prefixed with MstProOata-' and w i end with ,.db?. No spaces or periods are allowed when enterng a new database name. Results Database File Location Results Database Directory
*״Create Trainmg Mode Database
C :^Msers\Administrator documents
Project Name (opbonal) Set Default Directory
Analyst Information (opbonal, can be cisplayed r\ reports if desired)
i—' USB Version: start the software by locating nstpro.exe on your USB drive ־it is normally in the /nstpro directory p
Name
Telephone Number
Fitie
Mobile Number
Organization
Email Address
Update Analyst Information
Use Last Results Database
Continue
Exit Program
FIGURE 7.3: setting a new database name for XetScan Tools Pro
6. The N etScan Tools Pro main window will appears as show in die following figure C E H L ab M an u al P ag e 144
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
_ - n |
test • NetScanTools* Pro Demo Version Build 8-17-12 based on version 11.19 file
— IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2 0 0 1 :4 8 6 0 :b 0 0 6 :6 9 ( i p v 6 . g o o g l e . com) o r : : 1 (in te rn a l lo o p b a c k a d d r e s s
Eflit
A«es51b!11ty
View
IP«6
V
-
Help
Wefccrwto NrtScanToobePiJ [ W o Vbtfen 11 TH1 «a n a d r r o r o < k > * •r e * T00“i Cut Th■ duro carrnot be cj>« vt»>0 to a U v * d c n
to d i hav• nir or luiti
H m x x d '•o n ■hr A J o i^ e d cr Vtao.a la d s cr 10311 groined by fm d ia n on the k ft panel R03 iso- root carract : «־ta״oet. orwn icon :coa I 8!en to noucrktniffc. ttu ; icon tooo * ® •וwe• y o j oca sy*em. end groy !con 100b contact ihid party Fleet ' i t FI '«&, to vie ״e