Hands-On Ethical Hacking and Network Defense
Chapter 5: Port Scanning
Objectives
• Describe port scanning
• Describe different types of port scans
• Describe various port-scanning tools
• Explain what ping sweeps are used for
• Explain how shell scripting is used to automate security tasks
Introduction to Port Scanning
• Port scanning
  • Finds out which services a host offers
  • Points to the services that should be examined for vulnerabilities (the scan itself only reports open ports; the vulnerability checks come afterwards)
• Open services can be used in attacks
  • Identify a vulnerable service on an open port
  • Launch an exploit against it
• Scan all 65,535 ports when testing
  • Not just the well-known ports (0–1023)
Introduction to Port Scanning (continued)
• Port scanning programs report
  • Open ports
  • Closed ports
  • Filtered ports (no answer came back, usually because a firewall dropped the probe)
  • Best-guess assessment of which OS is running
![Page 6: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/6.jpg)
Hands-On Ethical Hacking and Network Defense 6
Types of Port Scans
• SYN scan
  • Stealthy “half-open” scan: sends a SYN, reads the reply (SYN/ACK means open, RST means closed) and never completes the handshake
• Connect scan
  • Completes the three-way handshake, so the service sees and can log a full connection
• NULL scan
  • All packet flags are turned off
• XMAS scan
  • FIN, PSH and URG flags are set
![Page 7: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/7.jpg)
Hands-On Ethical Hacking and Network Defense 7
Types of Port Scans (continued)
• ACK scan
  • Used to get past a firewall and map its rules: an RST reply means the port is unfiltered, no reply means filtered; it cannot tell open from closed
• FIN scan
  • Closed port responds with an RST packet; an open port sends nothing back
• UDP scan
  • Closed port responds with an ICMP “Port Unreachable” message; no reply means the port is open or filtered
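The two scan types above that need no raw sockets, the connect scan and the UDP scan, can be shown end to end with ordinary Python sockets. This is an added example, not code from the textbook or from any of the tools the chapter names; it opens its own listeners on 127.0.0.1 (a TCP listener, a silent UDP socket and a small UDP echo service, all constructed for the demo) so the verdicts are known in advance and it runs offline. The state labels (`open`, `closed`, `filtered`, `open|filtered`) follow the convention Nmap uses.

```python
"""Connect scan and UDP scan with ordinary sockets (no root needed).

Added example, not code from the textbook. It opens its own listeners on
127.0.0.1 so it can be run offline and the results are known in advance.
"""
import errno
import socket
import threading

HOST = "127.0.0.1"
TIMEOUT = 1.0


def tcp_connect_scan(host, ports, timeout=TIMEOUT):
    """Connect scan: the OS completes the full three-way handshake for every
    port that answers, which is reliable but noisy (the service logs the
    connection). connect_ex() returns 0 on success or an errno value."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))
            if err == 0:
                results[port] = "open"       # SYN/ACK received, handshake completed
            elif err == errno.ECONNREFUSED:
                results[port] = "closed"     # target answered with RST
            else:
                results[port] = "filtered"   # timeout/unreachable: something dropped the probe
    return results


def udp_scan(host, ports, payload=b"\x00", timeout=TIMEOUT):
    """UDP has no handshake, so the scanner reasons from the reply:
    ICMP type 3 code 3 (Port Unreachable) -> closed; the kernel surfaces it on
    a connected UDP socket as ECONNREFUSED. A datagram back -> open.
    Silence -> open|filtered (the service swallowed it, or a firewall dropped it)."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))   # connect() so ICMP errors are reported on this socket
            try:
                s.send(payload)
                s.recv(1024)
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "open|filtered"
    return results


def _free_port(kind):
    """Bind to port 0 so the OS picks a free port, then release it: the port
    is known to be closed when it is scanned a moment later."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def _udp_echo_server():
    """Constructed UDP service that echoes anything it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))

    def loop():
        while True:
            data, peer = srv.recvfrom(1024)
            srv.sendto(data, peer)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def demo():
    """Scan five known ports on loopback and return their states by label."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind((HOST, 0))
    tcp_srv.listen(5)                  # the kernel completes handshakes even without accept()
    udp_silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_silent.bind((HOST, 0))         # bound but never answers: indistinguishable from a drop
    udp_echo = _udp_echo_server()

    tcp_open, tcp_closed = tcp_srv.getsockname()[1], _free_port(socket.SOCK_STREAM)
    udp_open, udp_quiet = udp_echo.getsockname()[1], udp_silent.getsockname()[1]
    udp_closed = _free_port(socket.SOCK_DGRAM)

    tcp = tcp_connect_scan(HOST, [tcp_open, tcp_closed])
    udp = udp_scan(HOST, [udp_open, udp_quiet, udp_closed])
    tcp_srv.close()
    udp_silent.close()
    return {
        "tcp_open": tcp[tcp_open],
        "tcp_closed": tcp[tcp_closed],
        "udp_open": udp[udp_open],
        "udp_open_filtered": udp[udp_quiet],
        "udp_closed": udp[udp_closed],   # "closed" where the kernel delivers the ICMP error (Linux, BSDs)
    }


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:18s} {state}")
```

The UDP “closed” verdict depends on the kernel handing the ICMP Port Unreachable error to the connected socket, which Linux and the BSDs do. In an environment that suppresses ICMP the same port reads as `open|filtered`, which is exactly the ambiguity the slide describes: a UDP scanner can only prove a port closed, never prove it open, unless the service answers.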
![Page 8: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/8.jpg)
Hands-On Ethical Hacking and Network Defense 8
Using Port-Scanning Tools
• Nmap
• Unicornscan
• NetScanTools Pro 2004
• Nessus
![Page 9: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/9.jpg)
Hands-On Ethical Hacking and Network Defense 9
Nmap
• Originally published in Phrack magazine (issue 51, 1997)
• One of the most popular tools
• GUI version
  • Xnmap (the current front end is Zenmap)
• Open source tool
• Standard tool for security professionals
![Page 10: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/10.jpg)
Hands-On Ethical Hacking and Network Defense 10
![Page 11: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/11.jpg)
Hands-On Ethical Hacking and Network Defense 11
Unicornscan
• Developed in 2004
• Ideal for large networks
• Scans all 65,535 ports in three to seven seconds
• Handles port scanning using
  • TCP
  • ICMP
  • IP
• Optimizes UDP scanning
![Page 12: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/12.jpg)
Hands-On Ethical Hacking and Network Defense 12
NetScanTools Pro 2004
• Robust, easy-to-use commercial tool
• Supported OSs
  • *NIX
  • Windows
• Types of tests
  • Database vulnerabilities
  • E-mail account vulnerabilities
  • DHCP server discovery
  • IP packets and name servers
  • OS fingerprinting
![Page 13: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/13.jpg)
Hands-On Ethical Hacking and Network Defense 13
![Page 14: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/14.jpg)
Hands-On Ethical Hacking and Network Defense 14
![Page 15: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/15.jpg)
Hands-On Ethical Hacking and Network Defense 15
Nessus
• First released in 1998
• Open source tool when this text was written (closed source since version 3 in 2005; the OpenVAS project continued from the last open release)
• Uses a client/server technology
• Conducts testing from different locations
• Client and server can run on different OSs
![Page 16: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/16.jpg)
Hands-On Ethical Hacking and Network Defense 16
Nessus (continued)
• Server
  • Any *NIX platform
• Client
  • Can be UNIX or Windows
• Functions much like a database server
• Security checks are plug-ins that can be updated
  • Scripts
• Some plug-ins are considered dangerous because they can crash the service or host they test
![Page 17: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/17.jpg)
Hands-On Ethical Hacking and Network Defense 17
![Page 18: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/18.jpg)
Hands-On Ethical Hacking and Network Defense 18
Nessus (continued)
• Finds services running on ports
• Finds vulnerabilities associated with the identified services
![Page 19: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/19.jpg)
Hands-On Ethical Hacking and Network Defense 19
![Page 20: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/20.jpg)
Hands-On Ethical Hacking and Network Defense 20
Conducting Ping Sweeps
• Ping sweeps
  • Identify which IP addresses belong to active hosts
  • Ping a range of IP addresses
• Problems
  • Computers that are shut down cannot respond
  • Networks may be configured to block ICMP Echo Requests
  • Firewalls may filter out ICMP traffic, so a host that does not answer is not necessarily down
![Page 21: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/21.jpg)
Hands-On Ethical Hacking and Network Defense 21
FPing
• Pings multiple IP addresses simultaneously
• www.fping.com/download
• Command-line tool
• Input: multiple IP addresses
  • Entered at a shell as a start/end range or a CIDR block with the -g option
  • Read from an input file with the -f option
![Page 22: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/22.jpg)
Hands-On Ethical Hacking and Network Defense 22
![Page 23: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/23.jpg)
Hands-On Ethical Hacking and Network Defense 23
![Page 24: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/24.jpg)
Hands-On Ethical Hacking and Network Defense 24
Hping
• Used to bypass filtering devices
• Allows users to fragment and manipulate IP packets (choose the TCP flags, source port and TTL, or spoof the source address)
• www.hping.org/download
• Powerful tool
  • All security testers must be familiar with it
• Supports many parameters (command options)
![Page 25: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/25.jpg)
Hands-On Ethical Hacking and Network Defense 25
![Page 26: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/26.jpg)
Hands-On Ethical Hacking and Network Defense 26
![Page 27: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/27.jpg)
Hands-On Ethical Hacking and Network Defense 27
![Page 28: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/28.jpg)
Hands-On Ethical Hacking and Network Defense 28
Crafting IP Packets
• Packet components
  • Source IP address
  • Destination IP address
  • Flags
• Crafting packets helps you obtain more information about a service, and about the filtering in front of it, because you control every field the target and the firewall react to
• Tools
  • Fping
  • Hping
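What a packet-crafting tool actually does for the flag-based scans listed under Types of Port Scans (SYN, NULL, XMAS, ACK, FIN) is shown below in Python: an IPv4 header with chosen source and destination addresses, a TCP header with the scan's flag combination, the RFC 1071 checksum both headers need, and the inference rule each scan type applies to the reply. This is an added example, not code from the textbook, Hping or Nmap; the addresses and ports are made up. Building the bytes needs no privileges, so that part is what the example exercises; actually transmitting them requires a raw socket (`socket.SOCK_RAW` with `IPPROTO_RAW`) and root, which is what hping does for you on the command line.

```python
"""Crafting IPv4/TCP probes for the flag-based scan types.

Added example, not from the textbook. Builds the headers by hand with struct
and computes the Internet checksum, which is what a SYN, FIN, NULL, XMAS or
ACK scanner does before writing the bytes to a raw socket. Sending needs
root (socket.SOCK_RAW / IPPROTO_RAW); this file only builds and classifies.
"""
import socket
import struct

# TCP flag bits in the low flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination each scan type puts on its probe (matches the slides)
SCAN_FLAGS = {
    "syn": SYN,
    "connect": SYN,          # same first packet; the OS then finishes the handshake
    "null": 0,               # every flag turned off
    "xmas": FIN | PSH | URG,
    "ack": ACK,
    "fin": FIN,
}


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int,
                proto: int = socket.IPPROTO_TCP, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header without options. The source address is whatever
    we write here, which is how crafted packets carry a spoofed source."""
    ver_ihl = (4 << 4) | 5                   # IPv4, 5 words of header
    flags_frag = 0x4000                      # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def _tcp_pseudo(src: str, dst: str, length: int) -> bytes:
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, length))


def tcp_header(src: str, dst: str, sport: int, dport: int, flags: int,
               seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """20-byte TCP header. Its checksum also covers a pseudo-header with both
    IP addresses, so the addresses must be known before it can be computed."""
    hdr = struct.pack("!HHLLBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(_tcp_pseudo(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src: str, dst: str, tcp_bytes: bytes) -> bool:
    """Verify a segment the way a receiver does: pseudo-header + segment sums to zero."""
    return checksum(_tcp_pseudo(src, dst, len(tcp_bytes)) + tcp_bytes) == 0


def build_probe(scan: str, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Complete IPv4+TCP probe for one port, ready for a raw socket."""
    tcp = tcp_header(src, dst, sport, dport, SCAN_FLAGS[scan])
    return ipv4_header(src, dst, len(tcp)) + tcp


def classify(scan: str, reply_flags) -> str:
    """Infer the port state from the TCP flags of the reply; None means nothing
    came back before the timeout."""
    if scan in ("syn", "connect"):
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "closed" if reply_flags & RST else "filtered"
    if scan in ("fin", "null", "xmas"):
        # RFC 793: a closed port answers RST, an open port stays silent, so
        # silence is ambiguous between open and a dropped probe.
        return "closed" if reply_flags is not None and reply_flags & RST else "open|filtered"
    if scan == "ack":
        # Open and closed ports both answer RST; only filtering changes the outcome.
        return "unfiltered" if reply_flags is not None and reply_flags & RST else "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


if __name__ == "__main__":
    # Made-up addresses and ports for illustration only.
    probe = build_probe("xmas", "10.0.0.1", "10.0.0.2", 40000, 80)
    print(probe.hex())
    print("XMAS probe flags byte:", hex(probe[33]), "reply RST ->", classify("xmas", RST))
```

The `classify` table is the whole point of the stealth scans: the probe itself is the same twenty bytes of TCP with different flag bits, and the scanner's knowledge comes from how RFC 793 tells a closed port to react versus an open one, and from whether a firewall lets the reply out at all.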
![Page 29: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/29.jpg)
Hands-On Ethical Hacking and Network Defense 29
Understanding Shell Scripting
• Modify tools to better suit your needs
• Script
  • Computer program that automates tasks
  • Time-saving solution
![Page 30: Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cc35503460f9498b9a3/html5/thumbnails/30.jpg)
Hands-On Ethical Hacking and Network Defense 30
Scripting Basics
• Similar to DOS batch programming
• Script or batch file
  • Text file
  • Contains multiple commands
• Repetitive commands are good candidates for scripting
• Practice is the key
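The repetitive sequence this chapter keeps coming back to is: sweep a range, keep the hosts that answered, scan every port on those hosts, and pull the open services out of the output. The script below automates that chain in Python (an added example, not the textbook's shell script, and not part of fping or Nmap). The command lines it builds use real options: `fping -a -q -g` prints only alive hosts for a range or CIDR block (the -g option from the FPing slide), and `nmap -sS -p- -oG -` SYN-scans all 65,535 ports and writes grepable output to stdout. The fping and nmap outputs embedded in the file are constructed samples so the parsing can be exercised offline; `run()` is the live pipeline and needs both tools installed and root for the SYN scan.

```python
"""Sweep-then-scan automation: fping over a range, nmap over the live hosts,
parse nmap's grepable output into open services.

Added example, not the textbook's shell script. The sample outputs below are
constructed for the offline demo; run() executes the real tools.
"""
import ipaddress
import shutil
import subprocess


def sweep_command(cidr: str):
    # -a: print only alive hosts; -q: no per-probe chatter; -g: build the target
    # list from a CIDR block or "start end" range (the slide's -g option).
    return ["fping", "-a", "-q", "-g", cidr]


def parse_fping(output: str):
    """fping -a -q writes one alive address per line to stdout; drop anything else."""
    alive = []
    for line in output.splitlines():
        line = line.strip()
        try:
            alive.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue                  # blank line or stray error text
    return alive


def scan_command(hosts):
    # -sS SYN scan, -p- all 65,535 ports (not just the well-known ones),
    # -oG - grepable output on stdout so the next stage can parse it.
    return ["nmap", "-sS", "-p-", "-oG", "-"] + list(hosts)


def parse_nmap_grepable(output: str):
    """Parse nmap -oG. Per-host line:
    Host: 10.0.0.5 (name)<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: ...
    Each port entry is port/state/protocol/owner/service/rpc/version/.
    Returns {host: [(port, protocol, service), ...]} for open ports only."""
    services = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                  # comment lines and "Status: Up" lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                services.setdefault(host, []).append((int(port), proto, service))
    return services


def run(cidr: str):
    """Live pipeline: needs fping and nmap in PATH, and root for -sS."""
    for tool in ("fping", "nmap"):
        if shutil.which(tool) is None:
            raise SystemExit(f"{tool} not found in PATH")
    # fping exits non-zero when any target is unreachable, so no check=True here.
    sweep = subprocess.run(sweep_command(cidr), capture_output=True, text=True)
    alive = parse_fping(sweep.stdout)
    if not alive:
        return {}
    scan = subprocess.run(scan_command(alive), capture_output=True, text=True, check=True)
    return parse_nmap_grepable(scan.stdout)


# Constructed sample outputs (not real scan results) for the offline demo.
SAMPLE_FPING = "192.168.1.1\n192.168.1.10\n192.168.1.250\n"
SAMPLE_NMAP_G = (
    "# Nmap scan initiated as: nmap -sS -p- -oG - 192.168.1.1 192.168.1.10\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///"
    "\tIgnored State: closed (65533)\n"
    "Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http///, 135/filtered/tcp//msrpc///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)


if __name__ == "__main__":
    print("alive:", parse_fping(SAMPLE_FPING))
    for host, svcs in parse_nmap_grepable(SAMPLE_NMAP_G).items():
        for port, proto, service in svcs:
            print(f"{host}:{port}/{proto} {service}")
```

Keeping the command construction and the parsing in separate functions is what makes the script worth writing: the parsers can be tested against saved output without touching the network, and swapping fping for a different sweep tool changes one function rather than the whole pipeline.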
Summary
• Port scanning
  • Also referred to as service scanning
  • Process of scanning a range of IP addresses
  • Determines what services are running
• Port scan types
  • SYN
  • ACK
  • FIN
  • UDP
  • Others: Connect, NULL, XMAS
Summary (continued)
• Port scanning tools
  • Nmap
  • Nessus
  • Unicornscan
• Ping sweeps
  • Determine which computers are “alive”
• Shell scripting
  • Helps with automating tasks