Who's Knocking? A Brief Intro to Network Scanning
Greg Horie
Me…
… Husband & Father
… Outdoors enthusiast
… Tech hobbyist
… Ultimate frisbee player
… Board game geek
… Network Ops Lead
What is Network Scanning?
● A method for identifying active devices in a network
● Uses network protocols to signal devices and await a response
  ○ e.g. sending an ICMP echo request (i.e. ping)
● Typical uses:
  ○ Security assessments
  ○ Discovery / Identification
  ○ Monitoring
● Nefarious uses are also common
Network vs. Vulnerability Scanning
● Network Scanning
  ○ Discover available network services running on the targeted hosts
  ○ Determine the operating systems (OSs) in use by assessing network responses
  ○ Helpful for troubleshooting and hardening a system
● Vulnerability Scanning
  ○ Scan a system for weak spots
  ○ Preliminary step before attempting to compromise, crash or DoS a system
    ■ Attacks based on known vulnerabilities
● Today's focus will be network scanning
  ○ Goal - Understand how to protect your systems
Prep
Ubuntu 18.04
$ sudo apt update
$ sudo apt install -y wireshark netcat nmap
CentOS 7
$ sudo yum check-update
$ sudo yum install -y wireshark netcat nmap
Exercise - ping & capture
Setup:
$ sudo wireshark
# capture on your wireless interface - e.g. wlan0
# display filter: icmpv6 or icmp
Try:
$ ping -6 vicpimakers.ca
$ ping -4 vicpimakers.ca
ping & ICMP
● Is ping a network scanning tool?
● Why do we need it?
● What is ICMP (ICMPv6)?
  ○ ICMP - Internet Control Message Protocol
  ○ The "admin assistant" of the Internet Protocol
  ○ Carries both informational and error messages
  ○ ICMP = typical starting point for many network scans
Exercise - traceroute & capture
Setup:
$ nslookup vicpimakers.ca
# collect IPv4 and / or IPv6
$ sudo wireshark
# again, capture on your wireless interface - e.g. wlan0
# display filters:
ip.addr == <IP> or icmp     # for IPv4
ipv6.addr == <IP> or icmpv6 # for IPv6
Try:
$ traceroute -4 vicpimakers.ca -m 16
$ traceroute -6 vicpimakers.ca -m 16
traceroute
● Is traceroute a network scanning tool?
● Why do we need it?
● How does it work?
  ○ TTL!
Exercise - netcat & capture
Setup:
$ nslookup vicpimakers.ca
# collect IPv4 and / or IPv6
$ sudo wireshark
# again, capture on your wireless interface - e.g. wlan0
# display filters:
ip.addr == <IP>   # for IPv4
ipv6.addr == <IP> # for IPv6
Try:
$ nc -v -4 vicpimakers.ca 80
$ nc -v -6 vicpimakers.ca 80
netcat & TCP
● Is netcat a network scanning tool?
● Why do we need it?
  ○ Swiss army knife of network troubleshooting
● What did we illustrate in this exercise?
  ○ TCP 3-way handshake
    ■ Both session setup and teardown
Exercise - nmap host port scan
Setup:
$ nslookup vicpimakers.ca
# collect IPv4 and / or IPv6
$ sudo wireshark
# again, capture on your wireless interface - e.g. wlan0
# display filter:
ipv6.addr == <IP> # for IPv6
ip.addr == <IP>   # for IPv4
Try:
$ nmap -6 vicpimakers.ca
$ nmap -4 vicpimakers.ca
nmap
● Is nmap a network scanning tool?
● Why do we need it?
  ○ De facto standard for port scanning
  ○ Makes discovery easy
● What happened in this exercise?
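Seen from the target's side, the host port scan in this exercise is a burst of bare SYNs from one source to many ports on one host within a short time. The Python script below, added here and not part of the slides, applies exactly that detection rule to a constructed tshark-style packet summary; the line format, the 192.0.2.x addresses, the port list and the timestamps are all constructed for the example.

```python
"""SYN port-scan detector over a tshark-like packet summary (added example).
Line format (assumed, constructed): <epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>
"""
from collections import defaultdict

# Constructed sample: 192.0.2.55 probes 12 ports on 192.0.2.10 within 0.2 s (the
# pattern an nmap host port scan leaves in a capture); 192.0.2.20 just browses.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
SAMPLE_CAPTURE = "\n".join(
    f"1700000000.{i:02d} 192.0.2.55 192.0.2.10 {port} S"
    for i, port in enumerate(SCAN_PORTS)
) + """
1700000000.50 192.0.2.20 192.0.2.10 80 S
1700000000.51 192.0.2.10 192.0.2.20 80 SA
1700000001.20 192.0.2.20 192.0.2.10 443 S
"""

def parse_line(line):
    """Split one summary line into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags

def find_syn_scanners(capture, window=2.0, port_threshold=10):
    """Return {(src, dst): sorted ports} for each source that sent bare SYNs to
    more than port_threshold distinct ports on one host inside any window-second
    interval. SYN/ACK replies and other packets are ignored."""
    probes = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in capture.strip().splitlines():
        ts, src, dst, dport, flags = parse_line(line)
        if flags != "S":  # only a bare SYN is a new connection attempt
            continue
        probes[(src, dst)].append((ts, dport))
    scanners = {}
    for pair, events in probes.items():
        events.sort()
        lo = 0  # events[lo:hi + 1] always spans at most `window` seconds
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            ports = {dport for _, dport in events[lo:hi + 1]}
            if len(ports) > port_threshold:
                scanners[pair] = sorted({p for _, p in events})  # all ports probed
                break
    return scanners

if __name__ == "__main__":
    for (src, dst), ports in find_syn_scanners(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: SYNs to {len(ports)} distinct ports {ports}")
```

A real capture can be reduced to this format with tshark's field output; the thresholds are starting points to tune against normal traffic on your own network.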
Exercise - nmap subnet discovery
Setup:
$ ip -4 route # record local IPv4 subnet
$ ip -6 route # record local IPv6 subnet
$ sudo wireshark
# any suggestions ?
Try:
$ nmap -4 -sn <IPv4 subnet>
$ nmap -6 -sn <IPv6 subnet>
$ subnetcalc <IPv6 subnet>
nmap - Subnet discovery
● What happened in this exercise?
● Specific observations on v6 scanning?
Exercise - nmap OS and service detection
Setup:
$ default4=$(ip -4 route | grep ^default | awk '{print $3}')
$ default6=$(ip -6 route | grep ^default | awk '{print $3}')
$ echo $default4 $default6
$ sudo wireshark
# any suggestions ?
Try:
$ nmap -4 -A -T4 $default4
$ nmap -6 -A -T4 $default6
nmap - OS and service detection
● What happened in this exercise?
● OS detection with TCP/IP stack fingerprinting
  ○ Compares results with known OS fingerprints
  ○ ~2600 OSes in the nmap database
● Specific observations on v6 scanning?
Summary
● Network scanning can help you discover the hosts in your networks
● Useful for troubleshooting
● Can reveal security gaps
● Note - It's not illegal to port scan
  … but better to ask for permission :-)
Possible Future Discussions
● Vulnerability scanning / Pen-testing
  ○ e.g. Metasploit, OpenVAS, etc.
● Intrusion Detection
  ○ e.g. Snort, etc.
● Network monitoring
  ○ e.g. Prometheus, Elastic Stack, Nagios, Cactus, etc.
● Honey Pots
● IPv6 with containers - k8s w/ calico ?
● Other ideas welcome!
VicPiMakers and Others Slack
● Please let us know if you want an invite to this Slack group
Backup Slides
Zenmap
● nmap + GUI
● Standard scans without having to memorize all the CLI options
● Topology views
Exercise - netcat client / server
Setup:
Terminal 1:
$ nc -v -l 60001
Terminal 2:
$ nc -v localhost 60001
Try:
Terminal 1:
Hello !
Terminal 2:
Hello to you too !
Exercise - Scan netcat server
Setup:
Terminal 1:
$ nc -v -l 60001
Try:
$ nmap -4 <wlan0 v4 address>
Questions:
● How to fix this scan?