Monday, March 6, 2017

Overview of Network Scanning


http://wormholetravel.net/pentest.html
As we already discussed, footprinting is the first phase of hacking in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because here you will gather only the primary information about the target. You can use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using highly complex and aggressive reconnaissance techniques is called scanning.
The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as what operating system is used, what services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.
Types of Scanning
-           Port scanning - Open ports and services
-           Network scanning - IP addresses
-           Vulnerability scanning - Presence of known weaknesses
In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more ports are open, the more points of vulnerability there are; the fewer ports are open, the more secure the system is. This is only a general rule: in some cases the level of vulnerability may be high even though few ports are open.
Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, the operating systems and system architecture of those hosts, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems.

Objectives of Network Scanning
If you have a large amount of information about a target organization, there are greater chances of learning the weaknesses and loopholes of that particular organization and, consequently, of gaining unauthorized access to its network.
Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How scanning is performed and what information is sought during it depend entirely on the attacker's goals. There may be many objectives for performing scanning, but here we will discuss the most common ones encountered during the hacking phase:
-           Discovering live hosts, their IP addresses, and the open ports of the live hosts on the network.
-           Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
-           Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
-           Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
-           Detecting the associated network service of each port.

Checking for Live Systems - ICMP Scanning
ICMP Scanning
All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option. It can also be helpful to tweak the ping timeout value with the -T option.
ICMP Query
The UNIX tool ICMPquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask of a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses.
ICMPquery has both a timestamp and an address mask request option:
icmpquery <query> [-B] [-f fromhost] [-d delay] [-T time] target
where <query> is one of:
-           -t: ICMP timestamp request (default)
-           -m: ICMP address mask request
and the remaining arguments are:
-           -d: delay to sleep between packets, in microseconds
-           -T: number of seconds to wait for a host to respond (default 5)
-           target: a list of hostnames or addresses

Ping Scan Output Using Nmap
Source: http://nmap.org
Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending ICMP ECHO requests to all the hosts on the network; if a host is live, it sends back an ICMP ECHO reply. This scan is useful for locating active devices or determining whether ICMP is passing through a firewall.

TCP/IP Packet
To understand ping, you should be able to understand the TCP/IP packet. When a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet for completing a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address.
Source: http://nmap.org
Using Nmap Security Scanner you can perform ping sweep. Ping sweep determines the IP addresses of live hosts. This provides information about the live host IP addresses as well as their MAC address. It allows you to scan multiple hosts at a time and determine active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:

Three-Way Handshake
TCP is connection-oriented, which means a connection must be established before data is transferred between applications. This connection is established through the three-way handshake, which sets up the connection between the two endpoints.
The three-way handshake process goes as follows:
-           To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21).
-           The destination, on receiving the SYN packet sent by the source, responds by sending a SYN/ACK packet back to the source.
-           The ACK in this packet confirms to the source that its first SYN packet arrived.
-           Finally, the source sends an ACK packet for the SYN/ACK packet sent by the destination.
-           This establishes an "OPEN" connection allowing communication between the source and the destination, until either of them issues a "FIN" packet or an "RST" packet to close the connection.

TCP Communication Flags
Standard TCP communication is governed by the flags carried in the TCP packet header. These flags control the connection between hosts and give instructions to the system. The TCP communication flags are:
-           SYN (Synchronize): announces a new sequence number and the start of a connection
-           ACK (Acknowledgement): confirms receipt of a transmission and identifies the next expected sequence number
-           PSH (Push): asks the receiving system to deliver the buffered data to the application without waiting
-           URG (Urgent): instructs that the data contained in the packet be processed as soon as possible
-           FIN (Finish): announces that no more transmissions will be sent to the remote system
-           RST (Reset): resets a connection
SYN scanning mainly deals with three of these flags, namely SYN, ACK, and RST. You can use these three flags for gathering information from servers during the enumeration process.

Stealth Scan (Half-Open Scan)
A stealth scan sends a single frame to a TCP port without completing the TCP handshake or transferring additional packets. It is a scan type that sends a single frame with the expectation of a single response. The half-open scan partially opens a connection but stops halfway through. It is also known as a SYN scan because it only sends the SYN packet, which prevents the service from ever being notified of the incoming connection. TCP SYN scanning, or half-open scanning, is a stealthy method of port scanning.
The stealth scan also follows the three-way handshake methodology. The difference is that in the last stage, remote ports are identified by examining the packets entering the interface, and the connection is torn down before the final handshake step would complete it.
The process proceeds as follows:
-           To start, the client sends a single "SYN" packet to the destination server on the corresponding port.
-           The outcome of the stealth scan depends on the response the server sends.
-           If the server sends back a "SYN/ACK" response packet, then the port is assumed to be in an "OPEN" state.

IDLE Scan
The idle scan is a TCP port scanning method in which packets with a spoofed source address are sent to a computer to find out what services are available; it offers completely blind scanning of a remote host. This is accomplished by impersonating another computer. No packet is sent from your own IP address; instead another host, often called a "zombie," is used to scan the remote host and determine the open ports. This is done by inspecting the IP fragment identification numbers of the zombie host, and if the remote host checks the IP address of the scanning party, the IP address of the zombie machine will show up.
Understanding TCP/IP
Source: http://nmap.org
Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to understand it. You need to understand the following basic facts:
-           Most of the network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.
-           To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
-           A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
-           Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.
From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.

UDP Scanning
UDP Raw ICMP Port Unreachable Scanning
UDP port scanners use the UDP protocol instead of TCP, and UDP scanning can be more difficult than TCP scanning. You can send a packet, but from that alone you cannot determine whether the target is alive, dead, or filtered. However, there is one ICMP message that you can use to determine whether ports are open or closed. If you send a UDP packet to a port without an application bound to it, the IP stack returns an ICMP port unreachable packet. Any port that returns an ICMP error is closed, while the ports that did not answer are either open or filtered by the firewall.
This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.
UDP Packets
Source: http://nmap.org
When you send a packet to a closed UDP port, most hosts send an ICMP_PORT_UNREACH error. Thus, you can find out whether a port is NOT open. Neither the UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also retransmit packets that appear to be lost; otherwise the scanner would interpret lost traffic as open ports.
In addition, this scanning technique is slow because machines that apply RFC 1812 section 4.3.2.8 rate-limit ICMP error messages. The scanning host needs access to a raw ICMP socket to distinguish closed ports from unreachable ones.
UDP recvfrom() and write() Scanning
Non-root users cannot read port unreachable errors directly, but Linux informs them indirectly when such messages are received.
Example
For example, a second write() call to a closed port will usually fail. Many scanners, such as Netcat and Pluvial pscan.c, call recvfrom() on non-blocking UDP sockets; the call usually returns EAGAIN ("Try Again," errno 13) if the ICMP error has not been received, and ECONNREFUSED ("Connection refused," errno 111) if it has. This is the technique used for determining open ports when non-root users use -u (UDP). Root users can also use the -I (lamer UDP scan) option to force this.
Advantage:
The UDP scan is less formal regarding an open port, since there is no overhead of a TCP handshake. However, if ICMP responds to each unavailable port, the total number of frames can exceed that of a TCP scan. Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.
Disadvantage:
The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sV) or the operating system fingerprinting option (-O).
The UDP scan requires privileged access, so this scan option is only available on systems with the appropriate user permissions.
Most networks carry huge amounts of TCP traffic, so the efficiency of a UDP scan is easily lost. Still, a UDP scan will locate open UDP ports and provide the security manager with valuable information that can be used to identify intrusions, such as open UDP ports created by spyware applications, Trojan horses, and other malicious software.

Inverse TCP Flag Scanning
Attackers send TCP probe packets with various TCP flags (FIN, URG, PSH) enabled, or with no flags at all. When the port is open, the attacker gets no response from the host, whereas when the port is closed, he or she receives an RST/ACK from the target host.
SYN packets sent to sensitive ports of the targeted hosts are detected by security mechanisms such as firewalls and IDS. Programs such as Synlogger and Courtney are available to log half-open SYN scan attempts. At times, however, probe packets with other TCP flags enabled can pass through filters undetected, depending on the security mechanisms installed.
Probing a target in this way is known as an inverse technique because only the closed ports send a response back. According to RFC 793, an RST/ACK packet must be sent for connection reset when the port is closed on the host side. Attackers take advantage of this behavior by sending TCP probe packets to each port of the target host with various TCP flags set.
Common flag configurations used for probe packet include:
-           A FIN probe with the FIN TCP flag set
-           An XMAS probe with the FIN, URG, and PUSH TCP flags set
-           A NULL probe with no TCP flags set
-           A SYN/ACK probe
All the closed ports on the targeted host send an RST/ACK response. Because operating systems such as Windows completely ignore this part of the RFC 793 standard, you will not see an RST/ACK response when probing a closed port on such a host. This technique is effective against UNIX-based operating systems.
Advantages
-           Avoids many IDS and logging systems; highly stealthy
Disadvantages
-           Needs raw access to network sockets, thus requiring super-user privileges
-           Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts in particular)

ACK Flag Scanning
ACK flag scanning is a stealthy technique used for identifying open TCP ports. A TCP packet with the ACK flag set is sent to the remote host, and the header information of the RST packets sent back by the remote host is analyzed. This technique exploits behavior of BSD-derived TCP/IP stacks and gives good results with certain operating systems and platforms.
ACK scanning can be performed in two ways:
-           TTL field analysis
-           WINDOW field analysis
Using the TTL value, one can determine the number of systems the TCP packet traverses. You can send an ACK probe packet with a random sequence number: no response means the port is filtered (a stateful firewall is present), and an RST response means the port is not filtered.
nmap -sA -P0 10.10.0.25
Starting nmap 5.21 (http://nmap.org) at 2010-05-16 12:15 EST
All 52 9 scanned ports on 10.10.0.25 are: filtered

Port Scanning Countermeasures
As discussed previously, port scanning provides the attacker with a lot of useful information such as IP addresses, host names, open ports, etc. Open ports in particular give the attacker an easy way to break in. But there is nothing to worry about, as you can secure your system or network against port scanning by applying the following countermeasures:
-           The firewall should be capable of detecting the probes an attacker sends to scan the network, so it should carry out stateful inspection rather than rely on a static rule set alone. Some firewalls do a better job than others in detecting stealth scans. Many firewalls have specific options to detect SYN scans, while others completely ignore FIN scans.
-           Network intrusion detection systems should detect the OS detection methods used by tools such as Nmap. Snort (http://snort.org) is an intrusion detection and prevention technology that can be of great help, mainly because signatures are frequently available from public authors.
-           Only necessary ports should be kept open; the rest should be filtered, as the intruder will try to enter through any open port. This can be accomplished with a custom rule set. Filter inbound ICMP message types and all outbound ICMP type 3 unreachable messages at border routers and firewalls.
-           Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques.
-           Test your own IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.
-           If a commercial firewall is in use, then ensure that the firewall is patched with the latest updates, antispoofing rules have been correctly defined, and fastmode services are not used in Check Point Firewall-1 environments.
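The half-open pattern described under Stealth Scan and the FIN/NULL/XMAS probes under Inverse TCP Flag Scanning are exactly what a network IDS looks for. The following is an added example, not code from the original page: it replays constructed packet records through a small three-way-handshake state machine and flags sources that probe many ports without ever completing a handshake, or that send inverse-flag probes. The addresses, ports, record format and thresholds are all assumptions made for the example.

```python
"""Detect half-open (SYN) scans and inverse-flag (FIN/NULL/XMAS) probes.
Added example, not part of the original page. Input is a list of constructed
packet records (src_ip, src_port, dst_ip, dst_port, flags) in arrival order;
flag letters follow tcpdump: S=SYN A=ACK F=FIN P=PSH U=URG R=RST."""
from collections import defaultdict

# Flag combinations that no normal client sends outside an existing connection.
INVERSE_PROBE_KINDS = {"": "NULL", "F": "FIN", "FPU": "XMAS"}

# Constructed sample traffic toward server 10.0.0.3.
SAMPLE_PACKETS = [
    # 10.0.0.2: a real FTP session (full handshake, data, then FIN).
    ("10.0.0.2", 62000, "10.0.0.3", 21, "S"),
    ("10.0.0.3", 21, "10.0.0.2", 62000, "SA"),
    ("10.0.0.2", 62000, "10.0.0.3", 21, "A"),
    ("10.0.0.2", 62000, "10.0.0.3", 21, "PA"),
    ("10.0.0.2", 62000, "10.0.0.3", 21, "FA"),
    # 10.0.0.9: half-open scan of six ports. 22 and 80 are open (the SYN/ACK is
    # answered with RST, never ACK); 21, 25, 443 are closed (server RST/ACK).
    ("10.0.0.9", 40001, "10.0.0.3", 21, "S"),
    ("10.0.0.3", 21, "10.0.0.9", 40001, "RA"),
    ("10.0.0.9", 40002, "10.0.0.3", 22, "S"),
    ("10.0.0.3", 22, "10.0.0.9", 40002, "SA"),
    ("10.0.0.9", 40002, "10.0.0.3", 22, "R"),
    ("10.0.0.9", 40003, "10.0.0.3", 25, "S"),
    ("10.0.0.3", 25, "10.0.0.9", 40003, "RA"),
    ("10.0.0.9", 40004, "10.0.0.3", 80, "S"),
    ("10.0.0.3", 80, "10.0.0.9", 40004, "SA"),
    ("10.0.0.9", 40004, "10.0.0.3", 80, "R"),
    ("10.0.0.9", 40005, "10.0.0.3", 443, "S"),
    ("10.0.0.3", 443, "10.0.0.9", 40005, "RA"),
    ("10.0.0.9", 40006, "10.0.0.3", 8080, "S"),  # filtered: no reply at all
    # 10.0.0.7: FIN, NULL and XMAS probes to closed ports, each answered RST/ACK.
    ("10.0.0.7", 50001, "10.0.0.3", 23, "F"),
    ("10.0.0.3", 23, "10.0.0.7", 50001, "RA"),
    ("10.0.0.7", 50002, "10.0.0.3", 139, ""),
    ("10.0.0.3", 139, "10.0.0.7", 50002, "RA"),
    ("10.0.0.7", 50003, "10.0.0.3", 445, "FPU"),
    ("10.0.0.3", 445, "10.0.0.7", 50003, "RA"),
]


def track_connections(packets):
    """Replay packets through a minimal three-way-handshake state machine.
    Returns (conns, inverse): conns maps (client, cport, server, sport) to its
    final state; inverse maps a source IP to the FIN/NULL/XMAS probes it sent."""
    conns = {}
    inverse = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        fl = set(flags)
        as_client = (src, sport, dst, dport)  # key if src initiated the connection
        as_server = (dst, dport, src, sport)  # key if src is answering an initiator
        if fl == {"S"}:
            conns[as_client] = "SYN_SENT"
        elif fl == {"S", "A"} and conns.get(as_server) == "SYN_SENT":
            conns[as_server] = "SYNACK_RCVD"
        elif "R" in fl:
            if conns.get(as_client) == "SYNACK_RCVD":
                conns[as_client] = "HALF_OPEN"  # initiator tore down an open port
            elif conns.get(as_server) == "SYN_SENT":
                conns[as_server] = "REFUSED"  # closed port answered RST/ACK
        elif "A" in fl and conns.get(as_client) == "SYNACK_RCVD":
            conns[as_client] = "ESTABLISHED"  # genuine third handshake step
        if flags in INVERSE_PROBE_KINDS and as_client not in conns:
            inverse[src].append((dst, dport, INVERSE_PROBE_KINDS[flags]))
    return conns, inverse


def analyze(packets, port_threshold=5):
    """Flag sources that touch many ports without ever completing a handshake,
    plus any source sending inverse-flag probes (a single one is abnormal)."""
    conns, inverse = track_connections(packets)
    stats = defaultdict(lambda: {"completed": 0, "open": set(), "probed": set()})
    for (client, _cport, server, sport), state in conns.items():
        s = stats[client]
        if state == "ESTABLISHED":
            s["completed"] += 1
        else:  # SYN_SENT (unanswered), REFUSED or HALF_OPEN: a probe, not a session
            s["probed"].add(sport)
            if state == "HALF_OPEN":
                s["open"].add(sport)  # the scanner learned this port is open
    findings = {}
    for src in set(stats) | set(inverse):
        s = stats[src]
        verdicts = []
        if len(s["probed"]) >= port_threshold and s["completed"] == 0:
            verdicts.append("SYN scan")
        if inverse.get(src):
            verdicts.append("inverse-flag scan")
        if verdicts:
            findings[src] = {"verdicts": verdicts,
                             "ports_probed": sorted(s["probed"]),
                             "open_ports_seen": sorted(s["open"]),
                             "inverse_probes": list(inverse.get(src, []))}
    return findings
```

A legitimate client that completes even one handshake is never reported as a SYN scanner, while a source whose SYN/ACKs are always answered with RST is, which is the half-open signature the text describes.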

SYN/FIN Scanning Using IP Fragments
SYN/FIN scanning using IP fragments is a modification of the earlier scanning methods in which the probe packets are themselves fragmented. It came into existence to avoid the false positives other scans produce when a packet-filtering device sits in front of the target. Instead of sending a single probe packet, the TCP header is split across several IP fragments so that packet filters cannot see the whole header at once. The first fragment carries the source and destination ports (8 octets, 64 bits), and the next carries the flags; the remote host reassembles the fragments in its IP module, which matches them by the protocol, source, destination, and identification fields.
Fragmented Packets
The TCP header, after being split into small fragments, is transmitted over the network. At times, however, you may observe unpredictable results when the IP fragments are reassembled on the server side. Some hosts may not be capable of parsing and reassembling the fragmented packets, which may cause crashes, reboots, or even network device monitoring dumps.
Firewalls
Some firewalls have rule sets that force IP fragments to be queued and reassembled in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented because of its adverse effect on performance. Since several intrusion detection systems employ signature-based methods that flag scanning attempts based on the IP and/or TCP headers, fragmentation is often able to evade this type of packet filtering and detection. Fragmented probes may also cause network problems on the target network.

Banner Grabbing
Banner grabbing, or OS fingerprinting, is a method of determining the operating system running on a remote target system. Banner grabbing is important for hacking because it gives you a greater probability of success: most vulnerabilities are OS specific, so if you know the OS running on the target system, you can attack it by exploiting the vulnerabilities specific to that operating system.
Banner grabbing can be carried out in two ways: either by noting the banner presented while connecting to a service such as FTP, or by downloading the binary file /bin/ls to check the architecture for which it was built.
Banner grabbing is performed using fingerprinting techniques. A more advanced fingerprinting technique depends on stack querying, which sends packets to the network host and evaluates the replies. The first stack querying method was designed around TCP, evaluating the responses to connection requests. The next method, ISN (Initial Sequence Number) analysis, identifies differences in the random number generators found in TCP stacks. A newer method, ICMP response analysis, sends ICMP messages to the remote host and evaluates the replies. The most recent method, temporal response analysis, again uses TCP and looks at the retransmission timeout (RTO) behavior of the remote host. There are two types of banner grabbing techniques: active and passive.

Active Banner Grabbing
Active banner grabbing is based on the principle that an operating system's IP stack has a unique way of responding to specially crafted TCP packets. This arises because of different interpretations that vendors apply while implementing the TCP/IP stack on the particular OS. In active banner grabbing, a variety of malformed packets are sent to the remote host, and the responses are compared to a database.
For instance, in Nmap, OS fingerprinting or banner grabbing is done through eight tests, named T1, T2, T3, T4, T5, T6, T7, and PU (port unreachable). Each of these tests is described as follows, as documented at www.packetwatch.net:
T1: In this test, a TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.
T2: It involves sending a TCP packet with no flags enabled to an open TCP port. This type of packet is known as a NULL packet.
T3: It involves sending a TCP packet with the URG, PSH, SYN, and FIN flags enabled to an open TCP port.
T4: It involves sending a TCP packet with the ACK flag enabled to an open TCP port.
T5: It involves sending a TCP packet with the SYN flag enabled to a closed TCP port.

T6: It involves sending a TCP packet with the ACK flag enabled to a closed TCP port.
T7: It involves sending a TCP packet with the URG, PSH, and FIN flags enabled to a closed TCP port.
PU (Port Unreachable): It involves sending a UDP packet to a closed UDP port. The objective is to extract an "ICMP port unreachable" message from the target machine.
The last test that Nmap performs is named TSeq (TCP sequenceability test). This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (TCP ISN sampling), the IP identification numbers (IPID sampling), and the TCP timestamp values. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port.
The objective is to find patterns in the initial sequence of numbers that the TCP implementations choose while responding to a connection request. These can be categorized into many groups such as the traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or True "random" (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model where the ISN is incremented by a fixed amount for each time period.
Source: www.insecure.org, "Most operating systems increment a system-wide IPID value for each packet they send. Others, such as OpenBSD, use a random IPID and some systems (like Linux) use an IPID of 0 in many cases where the 'Don't Fragment' bit is not set. Windows does not put the IPID in network byte order, so it increments by 256 for each packet. Another number that can be sequenced for OS detection purposes is the TCP timestamp option values. Some systems do not support the feature; others increment the value at frequencies of 2HZ, 100HZ, or 1000HZ and still others return 0."

Passive Banner Grabbing
Source: http://honeynet.org
Like active banner grabbing, passive banner grabbing is also based on the differential implementation of the stack and the various ways an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study for telltale signs that can reveal an OS.
The four areas typically examined to determine the operating system are:
-           TTL - what the operating system sets as the Time To Live on the outbound packet
-           Window Size - what the operating system sets as the window size
-           DF - whether the operating system sets the Don't Fragment bit
-           TOS - whether the operating system sets the Type of Service
Passive fingerprinting is neither fully accurate nor limited to these four signatures. However, by looking at several signatures and combining the information, accuracy can be improved.
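As an added example, not part of the original page, the following script applies the four fields above to constructed SYN observations the way a passive sensor would for asset inventory: it rounds the observed TTL up to a standard initial TTL to obtain the hop distance, then scores each observation against a small signature table and reports "unknown" when no signature matches well enough. The signature values, weights, thresholds and observed packets are illustrative assumptions, not a real fingerprint database.

```python
"""Passive OS fingerprinting from TTL, TCP window size, DF bit and TOS.
Added example, not part of the original page. The signature table is a
constructed, illustrative approximation of commonly cited stack defaults,
not a real p0f database."""

# Initial TTL values stacks commonly start from; an observed TTL is rounded up
# to the next one of these, and the difference is the hop distance.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed signatures: (os, initial_ttl, window, df, tos). Real databases
# hold hundreds of entries and also use TCP options, MSS and window scaling.
SIGNATURES = [
    ("Linux (older 2.6)", 64, 5840, True, 0),
    ("Linux (newer)", 64, 29200, True, 0),
    ("FreeBSD", 64, 65535, True, 0),
    ("Windows XP era", 128, 65535, True, 0),
    ("Windows 7/8/10", 128, 8192, True, 0),
    ("Cisco IOS", 255, 4128, False, 0),
]

# Weights: window size and initial TTL discriminate more than DF/TOS do.
WEIGHTS = {"ttl": 2, "window": 2, "df": 1, "tos": 1}
MAX_SCORE = sum(WEIGHTS.values())
MIN_CONFIDENT = 4  # below this the guess is reported as unknown


def infer_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops): the smallest standard initial TTL that is
    >= the observed value, and how many routers decremented it on the way."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL out of range: %r" % observed_ttl)


def score(packet, signature):
    """Weighted count of header fields in the observed SYN matching one signature."""
    _os, sig_ttl, sig_win, sig_df, sig_tos = signature
    initial, _hops = infer_initial_ttl(packet["ttl"])
    checks = {"ttl": initial == sig_ttl, "window": packet["window"] == sig_win,
              "df": packet["df"] == sig_df, "tos": packet["tos"] == sig_tos}
    return sum(WEIGHTS[k] for k, ok in checks.items() if ok)


def fingerprint(packet):
    """Best-effort OS guess for one observed SYN (dict with keys ttl, window,
    df, tos), plus hop distance and a 0..1 confidence derived from the score."""
    initial, hops = infer_initial_ttl(packet["ttl"])
    ranked = sorted(((score(packet, sig), sig[0]) for sig in SIGNATURES),
                    reverse=True)
    best_score, best_os = ranked[0]
    return {"os": best_os if best_score >= MIN_CONFIDENT else "unknown",
            "initial_ttl": initial, "hops": hops,
            "confidence": round(best_score / MAX_SCORE, 2),
            "candidates": [os_name for s, os_name in ranked if s == best_score]}


# Constructed observations, as a sensor would see SYNs arriving from hosts
# several hops away (TTL already decremented by intermediate routers).
OBSERVED = [
    {"src": "192.0.2.10", "ttl": 52, "window": 29200, "df": True, "tos": 0},
    {"src": "192.0.2.20", "ttl": 119, "window": 8192, "df": True, "tos": 0},
    {"src": "192.0.2.30", "ttl": 246, "window": 4128, "df": False, "tos": 0},
    {"src": "192.0.2.40", "ttl": 60, "window": 1024, "df": False, "tos": 16},
]


def inventory(observed):
    """Run fingerprint() over captured packets: src -> guess."""
    return {p["src"]: fingerprint(p) for p in observed}


if __name__ == "__main__":
    for src, guess in inventory(OBSERVED).items():
        print(src, guess)
```

The fourth observation matches only on initial TTL, so it is reported as unknown with the tied candidates listed, which is the "combine several signatures" caveat from the text in practice.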

Why Attackers Use Proxy Servers
For an attacker, it is easier to attack a particular system than to conceal the source of the attack. So the main challenge for an attacker is to hide his or her identity so that no one can trace him or her. To conceal the identity, the attacker uses a proxy server. The main reason for using a proxy is to avoid leaving evidence of the attack. With the help of a proxy server, an attacker can mask his or her IP address and attack the computer system without fear of legal repercussions. When the attacker connects to the destination through a proxy, the proxy's source address is recorded in the server logs instead of the attacker's actual source address.
In addition to this, the reasons for which attackers use proxy servers include:
-           The attacker appears in a victim server's log files with the proxy's source address rather than his or her actual address
-           To remotely access intranets and other website resources that are normally off limits
-           To intercept all the requests sent by an attacker and transmit them to a third destination, so that victims will only be able to identify the proxy server address
-           To use multiple proxy servers for scanning and attacking, making it difficult for administrators to trace the real source of the attack

Why do I Need HTTP Tunneling?
HTTP tunneling allows you to use the Internet despite having firewall restrictions such as blocking specific firewall ports to restrict specific protocol communication. HTTP tunneling helps you to overcome this firewall restriction by sending specific protocol communication through HTTP protocol.
The attacker may use this technique for the following reasons:
-           It assures the attacker that no one will monitor him or her while browsing
-           It helps the attacker to bypass firewall restrictions
-           It ensures secure browsing
-           The attacker can hide his or her IP address from being trapped
-           It assures that it is highly impossible for others to identify him or her online
Suppose the organization has blocked all ports in your firewall and only allows port 80/443, and you want to use FTP to connect to some remote server on the Internet.

SSH Tunneling
SSH tunneling is another technique that an attacker can use to bypass firewall restrictions. It also helps you hide your IP address on the Internet; therefore, no one can trace or monitor you.
The need for SSH tunneling arises from the problems caused by public IP addresses, the means of accessing computers from anywhere in the world. Computers networked with a public IP address are universally accessible, so they can easily be attacked by anyone on the global Internet and victimized by attackers. SSH tunneling was developed to solve the problems faced by hosts with public IP addresses.
An SSH tunnel is a link that forwards traffic from an arbitrary port on one machine to a remote machine through an intermediate machine. An SSH tunnel is an encrypted tunnel, so all your data is encrypted because a secure shell is used to create the tunnel.
Creating a tunnel to a privately addressed machine involves three basic steps and requires three machines. The three requisite machines are:
-           Local machine
-           An intermediate machine with a public IP address
-           Target machine with a private address, to which the connection must be established
You can create a tunnel as follows:
-           Start an SSH connection from local machine to the intermediate machine with public IP address.
-           Instruct the SSH connection to listen on a local port and use the intermediate machine to send the traffic to a specific port on the target machine with a private address. This is called port forwarding.
-           On the local machine, select the application that you want to use for connection with the remote machine and configure it to use port forwarding on the local machine. Now, when you connect to the local port, it will redirect the traffic to the remote machine.
To secure communication between computers, SSH uses public and private encryption keys. The public keys used in SSH tunneling act as identifiers of the authorized computer. On initiating an SSH connection, each machine exchanges public keys, but only the computer holding the matching private key can gain access to the remote computer's applications and information and read communications encrypted with the public key.
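The relay half of the second step above, as an added example that is not from the original article: a plain TCP forwarder in Python that listens on a local port and hands each connection to the target, showing what the local end of a tunnel does minus the encryption and authentication ssh provides. The echo server is a constructed stand-in for the privately addressed target, and all ports are ephemeral so the example runs offline.

```python
"""Minimal TCP relay: the local listener of an SSH -L tunnel, minus ssh's encryption."""
import socket
import threading

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then close dst's write side so the peer sees EOF too."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def forward_local_port(local_port: int, target: tuple, max_conns: int = 1) -> int:
    """Listen on 127.0.0.1:local_port and relay each connection to target.
    Returns the bound port (pass local_port=0 to get an ephemeral one)."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen()
    def serve() -> None:
        for _ in range(max_conns):
            client, _ = listener.accept()
            remote = socket.create_connection(target)  # the hop ssh would encrypt
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()
        listener.close()
    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]

def start_echo_server() -> int:
    """Constructed stand-in for the privately addressed target: echoes one message."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen()
    def handle() -> None:
        conn, _ = srv.accept()
        conn.sendall(conn.recv(4096)); conn.close(); srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def demo(message: bytes = b"hello through the tunnel") -> bytes:
    """The application talks only to the local port; the relay reaches the target."""
    local_port = forward_local_port(0, ("127.0.0.1", start_echo_server()))
    with socket.create_connection(("127.0.0.1", local_port)) as app:
        app.sendall(message)
        app.shutdown(socket.SHUT_WR)  # done sending; now collect the echoed reply
        chunks = []
        while chunk := app.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)
```

With a real intermediate host the listener is provided by `ssh -L local_port:target:port user@intermediate` instead, and the hop to the target is carried inside the SSH session.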
  
Anonymizers
An anonymizer is an intermediate server placed between the end user and the website that accesses the website on your behalf, making your web surfing untraceable. An anonymizer strips all identifying information (such as your IP address) from your traffic while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services.
To visit a page anonymously, you can go to your preferred anonymizer site and enter the name of the target website in the anonymization field. Alternatively, you can set your browser home page to point to an anonymizer, so that every subsequent web access is anonymized. Apart from this, you can choose to provide passwords and other information anonymously to sites that request them, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by using the site name as the setting for the HTTP, FTP, Gopher, and other proxy options in their application's configuration menu, thereby cloaking their malicious activities.

Why Use an Anonymizer?
The reasons for using anonymizers include:
-           Ensures privacy: It protects your identity by making your web navigation activities untraceable. Your privacy is maintained unless and until you disclose your personal information on the web by filling out forms, etc.
-           Accesses government-restricted content: Many governments prevent their citizens from accessing certain websites or content in order to keep them from reaching inappropriate or sensitive information. These people can nevertheless reach such resources through an anonymizer located outside the country.
-           Protects you from online attacks: Anonymizers protect you from online pharming attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers.
-           Bypasses IDS and firewall rules: Bypassing firewalls is mostly done in organizations or schools by employees or students accessing websites they are not supposed to access. An anonymizer service gets around your organization's firewall by setting up a connection between your computer and the anonymizer service. As a result, the firewall sees only the connection from you to the anonymizer's web address. The anonymizer then connects to Twitter or whichever website you wanted to access over its own Internet connection and sends the content back to you. To your organization, it looks as if your system is connected to the anonymizer's web address, not to Twitter or other sites. Apart from protecting users' identities, anonymizers can also be used to attack a website, and no one can actually detect where the attack came from.

Types of Anonymizers
An anonymizer is a service through which one can hide one's identity when using certain Internet services. It basically works by encrypting the data leaving your computer, so that it cannot be understood by Internet service providers or anyone else who might try to read it. Anonymizers are basically of two types:
-           Networked anonymizers
-           Single-point anonymizers
Networked Anonymizers
This type of anonymizer first transfers your information through a network of Internet computers before sending it to the website. Since the information passes through several Internet computers, it becomes much harder for anyone trying to track your information to establish the connection between you and the anonymizer.
Example: If you want to visit a web page, you have to make a request. The request will first pass through Internet computers A, B, and C before going to the website. Then, after being opened, the page is transferred back through C, B, and A, and then to you.
Advantage: The complexity of the communication path makes traffic analysis difficult.
Disadvantage: Any multi-node network communication carries some degree of risk at each node of compromising confidentiality.

Single-point Anonymizers
Single-point anonymizers first transfer your information through a website before sending it to the target website, and then pass the information gathered from the target website back through that website to you, protecting your identity.
Advantage: Your IP address and related identifying information are protected by the arm's-length communication.
Disadvantage: It offers less resistance to sophisticated traffic analysis.

Scanning Pen Testing
Let's see step by step how a penetration test is conducted on the target network.
Step 1: Host Discovery
The first step of network penetration testing is to detect live hosts on the target network. You can attempt to detect live hosts, i.e., accessible hosts in the target network, using network scanning tools such as Angry IP Scanner, Nmap, Netscan, etc. It is difficult to detect live hosts behind a firewall.
Step 2: Port Scanning
Perform port scanning using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc. These tools will help you to probe a server or host on the target network for open ports. Open ports are the doorways for attackers to install malware on a system. Therefore, you should check for open ports and close them if not necessary.
Step 3: Banner Grabbing or OS Fingerprinting
Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, Netcat, etc. This determines the operating system running on the target host of a network and its version. Once you know the operating system and version running on the target system, find and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network.
Step 4: Scan for Vulnerabilities
Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus, GFI LANguard, SAINT, Core Impact Professional, Retina CS, MBSA, etc. These tools help you to find the vulnerabilities present in the target network. In this step, you will be able to determine the security weaknesses/loopholes of the target system or network.
Step 5: Draw Network Diagrams
Draw a network diagram of the target organization that helps you to understand the logical connection and path to the target host in the network. The network diagram can be drawn with the help of tools such as LAN surveyor, OpManager, LANState, FriendlyPinger, etc. The network diagrams provide valuable information about the network and its architecture.
Step 6: Prepare Proxies
Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy, ProxyFinder, etc. to keep your identity hidden.
Step 7: Document all Findings
The last but most important step in scanning penetration testing is preserving all outcomes of the tests conducted in the previous steps in a document. This document will assist you in finding potential vulnerabilities in your network. Once you determine the potential vulnerabilities, you can plan the countermeasures accordingly. Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance.
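Steps 1 to 3 against a single host, as an added example that is not the article's own code: a TCP connect probe that lists which ports complete a handshake and records any greeting banner a service volunteers, run here against a constructed local service instead of a real target. Run against your own hosts, the `open` map is exactly what an unsolicited connection learns, which is the list to compare against what step 2 says should be closed.

```python
"""Steps 1-3 on one host: connect probe, open-port list, banner grab.
Constructed example; the fake service stands in for a target daemon."""
import socket
import threading
from typing import Iterable, Optional

def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """First line the service volunteers on connect; '' if open but silent; None if closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open but waits for the client to speak first (e.g. HTTP)
            return data.split(b"\n")[0].decode("ascii", "replace").strip()
    except OSError:
        return None     # refused, filtered or unreachable

def scan_host(host: str, ports: Iterable[int], timeout: float = 1.0) -> dict:
    """Probe each port; the host counts as live if any port completes a handshake."""
    banners = {p: grab_banner(host, p, timeout) for p in ports}
    open_ports = {p: b for p, b in banners.items() if b is not None}
    return {"host": host, "live": bool(open_ports), "open": open_ports}

def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a daemon that greets on connect; returns its port."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen()
    def serve() -> None:
        conn, _ = srv.accept(); conn.sendall(banner); conn.close(); srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo() -> dict:
    """Scan one greeting service and one port nothing listens on."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_constructed\r\n")
    probe = socket.socket(); probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]; probe.close()   # released: connect is refused
    result = scan_host("127.0.0.1", [ssh_port, closed_port], timeout=0.5)
    result["closed_probe"] = closed_port not in result["open"]
    return result
```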
