Anti-Hacker Tool Kit
Port Scanners
Chapter 6
Introduction
• The first step in the process of hacking
  – Discover the services
  – Version label
  – Operating System
• Send a few packets to the host
Pre-Study
• TCP Packet Header
TCP conversation
Connect (three-way handshake):
  Client -> Server: SYN
  Server -> Client: SYN/ACK
  Client -> Server: ACK
  Connection Established
Disconnect:
  Client -> Server: FIN
  Server -> Client: ACK/FIN
  Client -> Server: ACK
  Connection Closed
TCP Flag Definitions
Flag  Meaning
SYN   The beginning of a connection
ACK   Acknowledge receipt of a previous packet or transmission
FIN   Close a TCP connection
RST   Abort a TCP connection
Scanning for Hosts
• Is the host alive?
• Method
  – Ping
    nmap -sP 192.168.0.1
  – TCP Ping
    nmap -sT 192.168.0.1
Scanning for TCP Ports
• TCP connect
  nmap -sT 192.168.0.1
• RPC service
  nmap -sR 192.168.0.1
SYN Scan
Nmap sends to host port   Nmap receives from host port   Nmap assumes
SYN                       SYN/ACK                        Port is open; host is up
SYN                       RST                            Port is closed; host is up
SYN                       Nothing                        Port is blocked by firewall, or host is down
nmap -sS <target host>
ACK Scan
Nmap sends to host port   Nmap receives from host port   Nmap assumes
ACK                       RST                            Port is not firewall-protected; port may be open or closed; host is up
ACK                       Nothing or ICMP unreachable    Port is blocked by firewall if host is up
(Figure: the two cases, no firewall vs. protected by firewall)
nmap -sA <target host>
FIN Scan
Nmap sends to host port   Nmap receives from host port   Nmap assumes
FIN                       RST                            Port is closed; host is up
FIN                       Nothing                        Port is open if host is up and not firewall-protected
nmap -sF <target host>
Xmas Scan
• Abnormal TCP operation
• Sets the FIN, URG and PUSH flags
• With -sX
nmap -sX <target host>
Null scan
• Turn off all flags
• With -sN
nmap -sN <target host>
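As an added example (not from the book or these slides), the Python below decodes the TCP header from the Pre-Study slide and names the scan type (SYN, ACK, FIN, Xmas, Null) whose probe carries exactly the flag combination of an inbound segment, which is how a capture review or an IDS rule recognises these probes. The sample segments are constructed here; the field layout follows RFC 793.

```python
import struct

# TCP flag bits in the low byte of the 16-bit offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into ports, sequence numbers and flags."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urgp = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x3F,
            "window": window}

def classify_probe(flags: int) -> str:
    """Name the nmap scan type whose probe carries exactly this flag combination."""
    if flags == 0:
        return "null"          # -sN: every flag turned off
    if flags == FIN | URG | PSH:
        return "xmas"          # -sX: FIN, URG and PUSH set
    if flags == FIN:
        return "fin"           # -sF
    if flags == SYN:
        return "syn"           # -sS (a -sT connect() also starts with a bare SYN)
    if flags == ACK:
        return "ack"           # -sA: probes firewall rules, not open ports
    return "other"             # e.g. SYN/ACK or RST replies, data segments

def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample segment (checksum left zero), used only to exercise the parser."""
    return struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0, (5 << 12) | flags, 1024, 0, 0)

def summarize(segments) -> dict:
    """Count segments per scan type, as a capture feed would be tallied."""
    counts = {}
    for seg in segments:
        kind = classify_probe(parse_tcp_header(seg)["flags"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed probes, one per scan type on the slides, plus one normal SYN/ACK reply.
SAMPLE_SEGMENTS = [
    build_tcp(40000, 22, SYN),
    build_tcp(40001, 22, ACK),
    build_tcp(40002, 22, FIN),
    build_tcp(40003, 22, FIN | URG | PSH),
    build_tcp(40004, 22, 0),
    build_tcp(22, 40000, SYN | ACK),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_SEGMENTS))
```

A bare ACK or FIN also occurs inside a legitimate established connection, so only segments with no matching connection state should be fed to the classifier.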
Scanning for UDP Ports
Nmap sends to host port   Nmap receives from host port   Nmap assumes
Empty UDP packet          Nothing                        Port assumed open if host responds to ping; port may be closed if a firewall is blocking ICMP
Empty UDP packet          ICMP unreachable               Port is closed
nmap -sU <target host>
Scanning for Protocol
• IP header
nmap -sO <target host>
Hiding Your Scan
• Decoys (-D)
  nmap -D <spoof host> <target host>
• Fragmentation (-f)
  – With -sS, -sF, -sN or -sX
  nmap -sS -f <target host>
• FTP Bounce (-b)
  nmap -b anonymous@<ftp server> -p <target port> <target host>
• Disable Randomizing Ports (-r)
  nmap -r <target host>
Timing Your Scan
• Time-based algorithm
• Using the -T option
nmap -T <name> <target host>

Name        Probe Response Timeout   Time Spent on One Host   Time between Probes   Use Parallelized Probes
Paranoid    5 min                    Unlimited                5 min                 No
Sneaky      15 sec                   Unlimited                12 sec                No
Polite      6 sec                    Unlimited                0.4 sec               No
Normal      6 sec                    Unlimited                None                  No
Aggressive  1 sec                    5 min                    None                  Yes
Insane      0.3 sec                  75 sec                   None                  Yes
TCP Reverse Ident Scanning
• Who runs the process (-I)
nmap -I <target host>
OS Fingerprinting
• With the -O flag
  – Send specially crafted TCP and UDP headers
  – Analyze the result and compare the information
  – OS information
OS Detection on Linux
• nmap -O 192.168.0.1
Mapping Networks
• Scanning a Class C subnet
Mapping Networks
• Port scans in IP section
Scanning Tools on Windows
• Netscantools
• Superscan
• IPEYE
• WUPS
Netscantools
• Powerful tools
• Port scanner + finger + whois + traceroute, etc.
Super Scan
IPEYE
• TCP stealth scan
• SYN, FIN, Xmas tree, and null scan
WUPS
Scanning UDP ports for Windows
Banner Identification
• Get the information normally
  – Hostname
  – Program
  – Version
Using your “Telnet”
• Try this
  – FTP Service
  – Telnet Service
  – World Wide Web Service
Message Log
• The TCP connect() method with the normal timing option generates entries in the system log
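As an added example of reading that system log (not from the book or these slides), the Python below flags a source that contacts many different daemons within a short window, which is the footprint a connect() scan at normal timing leaves. The log lines are constructed in the tcp_wrappers "connect from" style; the threshold and window are assumptions to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines (tcp_wrappers / sshd wording); not real captured data.
SAMPLE_LOG = """\
Jun 12 10:01:03 gw in.ftpd[1240]: connect from 192.168.0.55
Jun 12 10:01:03 gw in.telnetd[1241]: connect from 192.168.0.55
Jun 12 10:01:04 gw sshd[1242]: Did not receive identification string from 192.168.0.55
Jun 12 10:01:04 gw in.fingerd[1243]: connect from 192.168.0.55
Jun 12 10:01:05 gw in.pop3d[1244]: connect from 192.168.0.55
Jun 12 10:05:30 gw sshd[1301]: Accepted password for alice from 192.168.0.20 port 51022 ssh2
Jun 12 10:09:10 gw in.ftpd[1310]: connect from 192.168.0.20
"""

# timestamp, host, daemon[pid]: ... from <source ip>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w.-]+)\[\d+\]: "
    r".*?from (?P<src>\d+\.\d+\.\d+\.\d+)")

def parse(lines, year=2022):
    """Yield (timestamp, daemon, source_ip) for each line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["daemon"], m["src"]

def find_connect_scans(lines, window_s=60, min_services=4):
    """Return {source_ip: [daemons]} for sources touching >= min_services
    distinct daemons within any window_s-second span (assumed thresholds)."""
    by_src = defaultdict(list)
    for ts, daemon, src in parse(lines):
        by_src[src].append((ts, daemon))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_services:
                alerts[src] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for src, daemons in find_connect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible connect() scan from {src}: {', '.join(daemons)}")
```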
Summary
• Protect your host
• Dishonesty
• Footprints in the sand show where one has been.
Reference
• Nmap: www.insecure.org/nmap/
• Tcpdump: www.tcpdump.org/
• SuperScan: www.foundstone.com/resources/proddesc/superscan.htm
• Netscantools: www.netscantools.com
• RFC 1700
• RFC 793
What is RPC Service?
• Remote Procedure Call
• Procedure call
  – One part of a program calls another part to perform a certain task
UDP_SCAN