
Lab 5
February 25, 2010

Scanning

Student Name: _________________________________________



In this lab, the student will use the following utility programs to perform various scanning tasks. The objective is to develop the scanning skills needed by ethical hackers and security auditors.
Fping is different from ping in many ways. With Fping, you can specify a file containing the list of hosts to ping. Another key difference is that instead of trying one host until it times out or replies, Fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit, it will be considered unreachable.
Hping is a packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks. It is implemented in the Nmap security scanner. The new version of hping, hping3, is scriptable using the TCL language. It is a good tool for crafting IP packets.
tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It works on most Unix-like operating systems, using the libpcap library to capture packets. There is also a tcpdump for Windows called WinDump, which uses the WinPcap library. In some Unix-like operating systems, a user must have superuser privileges to use tcpdump. However, the -Z option may be used to drop privileges to a specific unprivileged user after capturing has been set up. In other Unix-like operating systems, the packet capturing mechanism can be configured to allow non-privileged users to use it; if that is done, superuser privileges are not required.

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. It uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

Note: once these tools are installed, you can get help on using them by typing command -h (where command is the utility name like fping or nmap) or by typing man command (where command is the utility name like fping or nmap). Man allows accessing the command's manual. Arrow keys allow navigating through the manual, and pressing q allows returning back to the command-line.

Target scanning using Fping

  1. Start your Linux virtual machine

  2. If you don't have the Terminal on the desktop, add it to the desktop as follows:

    1. From the Menu bar click Applications / Accessories

    2. Right-click Terminal, and then select Add This Launcher to Desktop

  3. Double-click the Terminal to open a shell (i.e. a Command Prompt)

  4. To get help on how to use the fping utility, type the command fping -h followed by the ENTER key

  5. If you get a message saying that fping is not installed, install and run fping as follows:

Note: You need administrative privileges to install an application. When working with terminals, typing sudo before any command allows you to run that command as an administrator.

    1. Type sudo apt-get install fping followed by the ENTER key

    2. If asked for your password, type your password followed by the ENTER key

    3. You should see the result indicating that the fping program is installed

    4. When you get the prompt, type fping -h followed by the ENTER key again

  1. You should get the syntax for fping along with its options

  2. Use the scroll bar to read the information and answer the following questions:

Q1. Use the appropriate option to check the version of fping that you are using. Write down your answer.

Version: ____________________ Year that the version was developed / released: ________
Q2. Which of the following options allows testing the reachability of a list of IP addresses that are saved in the eiu.txt notepad file?


  1. -n

  2. -A

  3. -S

  4. -u

  5. -f

Q3. You want to use the fping utility to send ping messages to a target computer in an attempt to “overload” it with repetitive requests that could lead to some kind of denial of service. What fping option could do that? Answer: ______________


Q4. Type fping www.google.com followed by the ENTER key to check the reachability of the computer that hosts Google service. Is the target live (i.e. reachable)? Yes / No.
The target should be live because Google didn’t block pinging their web server.
Q5. Now, use fping with the -l option to send repetitive ping requests to www.google.com. You may stop the pinging (by pressing Ctrl+C) after seeing 10 replies or so. What percentage of the ping requests to www.google.com got lost, meaning they didn't get replied to? Answer: _______________. Which of the following might explain the result?

  1. The –l option of fping doesn’t work yet because the fping utility is still under development

  2. There may be a bug in the fping utility

  3. The network defense system at Google is configured to prevent pinging targets in a loop forever

  4. None of the above. Explain: ____________________________________________________




  1. Type fping 139.67.14.54 139.67.130.250 followed by the ENTER key. Based on the result, answer the following two questions.

Q6. Based on the result, which of the two computers is connected to the Internet? Write down its IP address: ____________________.


Q7. What are the possible reasons why you cannot reach the other target? (Choose all that apply)

  1. The IP address is not assigned to any computer

  2. A firewall is configured to block pinging that specific address

  3. You cannot type a list of IP addresses from the command prompt with fping. The IP addresses need to be saved in a file like addresses.txt, and you then use fping -f addresses.txt.

  4. None of the above




  1. Which of the following commands would allow you to ping all computers whose IP address begins with 139.67.14 and ends with any decimal number between 0 and 255? Read the fping help information. [Please, do not try the commands. Instead read the fping help to find out]

  1. Fping -range 139.67.14.0 139.67.14.255

  2. Fping -g 139.67.14.0/24

  3. None of the above


Network mapping and IP Packet crafting using Nmap

  1. Type nmap -h followed by the ENTER key. If you get a message saying that nmap is not installed, install and run the utility as follows:

Note: You need administrative privileges to install an application. When working with terminals, typing sudo before any command allows you to run that command as an administrator.

    1. Type sudo apt-get install nmap followed by the ENTER key

    2. If asked for your password, type your password followed by the ENTER key

    3. If/When asked to confirm by Y/N, say Y

    4. You should see the result indicating that the nmap program is installed

    5. When you get the prompt, type nmap -h followed by the ENTER key again

  1. You should get the syntax for nmap along with its options

  2. To send a SYN packet to the computer that hosts Google web service and scan that computer in order to know what UDP/TCP ports are open, type nmap -sS www.google.com followed by the ENTER key. Note: Depending on how much time has passed since you used the sudo command, you may need to type sudo before the command you just typed. If needed, type the right command to get the result.

  3. Now, type nmap -sS -v www.google.com followed by the ENTER key.

Q8. What does the -v option you added to the command allow in this case?

  1. It displays the version of nmap being used

  2. It activates verbosity, which means it makes the system show you the scanning activities as they happen.

  3. None of the above. Explain: ___________________________________________________

Answer the following questions based on the result.

Q9. How many IP addresses are assigned to the target computer? _____________

Q10. Based on the result, which of the following are among the services hosted by the target computer? (Choose all that apply)



  1. SMTP email service

  2. Web service

  3. FTP service

  4. Secure HTTP
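Added example, not part of the lab handout: the half-open SYN scan used in the steps above leaves a recognisable pattern in a tcpdump capture, bare SYNs from one source to many ports on one host, with a RST instead of a completed handshake whenever a SYN/ACK comes back. The script below runs over constructed tcpdump -n lines (not a real capture) and flags such sources so a defender can recognise the scan; the threshold and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n lines (not a real capture): 10.0.0.5 probes five
# ports half-open style; 10.0.0.9 completes an ordinary HTTP handshake.
SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.40001 > 74.125.95.105.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP 10.0.0.5.40001 > 74.125.95.105.25: Flags [S], seq 1, win 1024, length 0
12:00:01.000300 IP 10.0.0.5.40001 > 74.125.95.105.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000400 IP 74.125.95.105.80 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 64240, length 0
12:00:01.000500 IP 10.0.0.5.40001 > 74.125.95.105.80: Flags [R], seq 2, win 0, length 0
12:00:01.000600 IP 10.0.0.5.40001 > 74.125.95.105.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000700 IP 10.0.0.5.40001 > 74.125.95.105.3306: Flags [S], seq 1, win 1024, length 0
12:00:02.000000 IP 10.0.0.9.51000 > 74.125.95.105.80: Flags [S], seq 5, win 64240, length 0
12:00:02.000100 IP 74.125.95.105.80 > 10.0.0.9.51000: Flags [S.], seq 7, ack 6, win 64240, length 0
12:00:02.000200 IP 10.0.0.9.51000 > 74.125.95.105.80: Flags [.], ack 8, win 64240, length 0
"""

# tcpdump -n prints "IP src.sport > dst.dport: Flags [..]"; the greedy \S+
# backtracks so the last dotted field is taken as the port.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def syn_scan_sources(text, min_ports=5):
    """Return {(src, dst): sorted ports} for sources that sent a bare SYN
    (SYN set, ACK clear) to at least min_ports distinct ports on one host.
    A normal client opens one or a few ports; nmap -sS sweeps many."""
    syn_ports = defaultdict(set)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if "S" in flags and "." not in flags:   # "S" is SYN, "." is ACK
            syn_ports[(src, dst)].add(int(dport))
    return {pair: sorted(ports) for pair, ports in syn_ports.items()
            if len(ports) >= min_ports}
```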




  1. For this step, you may check the nmap help (copy in Appendix 1) to determine what option to use. Note that if you do not get a response from the target in a reasonable amount of time (a few seconds), you should stop the scanning by pressing Ctrl+C. Perform a UDP scan on the 74.125.95.105 target in order to determine what UDP ports are open on the target computer. You may need to use the -v option to interactively see what is going on. Based on your try, write down the correct command: _________________________________________________________

  2. Perform an ACK scan on the 74.125.95.105 target. You may need to use the -v option to interactively see what is going on. This scan should work, but the defense system protecting the target may have been strengthened by the time you try, which would lead to the scan not working. Answer the following questions based on the result you got.

Q11. What is the host name of the target? _______________________________

Q12. How many ports were scanned? _______________

Q13. How many of the ports are filtered? ____________

Q14. You may read the information about ACK scan in the book (p.91) to answer this question. What does the result tell about the defense system protecting the target?



  1. The filtering devices (if any) appear to be fooled because the scan packet went through

  2. In a normal communication, the ACK packet should be sent after a SYN and a SYN/ACK are exchanged between the two parties

  3. All of the above
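Added example, not from the lab: nmap's grepable output (-oG, listed in Appendix 1) makes the counts asked for in Q12 and Q13 easy to compute, and the interpretation in Q14 can be stated as a check. The script parses a constructed ACK-scan result (not a real scan; the hostname is a placeholder) and reports scanned, filtered and unfiltered ports. Unfiltered means a RST came back, i.e. the ACK probe reached the host.

```python
# Constructed nmap -oG output for an ACK scan like the one above; not a real
# result, and the hostname is a placeholder. An ACK scan never reports "open":
# a port is "unfiltered" if a RST came back and "filtered" if nothing did.
SAMPLE_OG = """\
# Nmap 4.76 scan initiated as: nmap -sA -v -oG ack.gnmap 74.125.95.105
Host: 74.125.95.105 (placeholder-host.invalid)\tStatus: Up
Host: 74.125.95.105 (placeholder-host.invalid)\tPorts: 80/unfiltered/tcp//http///, 443/unfiltered/tcp//https///\tIgnored State: filtered (998)
# Nmap done: 1 IP address (1 host up) scanned
"""

def summarize_ack_scan(gnmap):
    """Per host: hostname, ports scanned, ports filtered, unfiltered ports.
    Explicitly listed ports are parsed; 'Ignored State' carries the count of
    ports nmap folded into one state to keep the line short."""
    summary = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip, _, hostname = fields["Host"].partition(" ")
        states = {}                       # port -> state for listed ports
        for entry in fields["Ports"].split(", "):
            # format: port/state/protocol/owner/service/rpc info/version
            port, state, _proto, _owner, _service, *_ = entry.split("/")
            states[int(port)] = state
        ignored_state, ignored_n = "", 0
        if "Ignored State" in fields:     # e.g. "filtered (998)"
            ignored_state, count = fields["Ignored State"].split(" (")
            ignored_n = int(count.rstrip(")"))
        filtered = sum(s == "filtered" for s in states.values())
        if ignored_state == "filtered":
            filtered += ignored_n
        summary[ip] = {
            "hostname": hostname.strip("()"),
            "scanned": len(states) + ignored_n,
            "filtered": filtered,
            "unfiltered": sorted(p for p, s in states.items() if s == "unfiltered"),
        }
    return summary

def ack_probe_got_through(host_summary):
    """Q14 reading of the result: any 'unfiltered' port means the bare ACK
    was answered, so a filter in the path is not tracking connection state."""
    return bool(host_summary["unfiltered"])
```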

Q15. You want to perform a scan of www.eiu.edu, but you are interested in scanning the target for only the following ports: 21 and 80. Which of the following commands would you type?

  1. nmap -port 21 80 www.eiu.edu

  2. nmap -p 21 80 www.eiu.edu

  3. nmap -p 21,80 www.eiu.edu

  4. nmap -P 80 21 www.eiu.edu

Use the information in Appendix 1 to answer the following questions.



  1. You want to scan all open ports on the computer with IP address 74.125.95.105 in order to get information on hosted services along with the versions of the software used to provide the service. What nmap command would you type? Write down the command:

__________________________________________________________________________


  1. You want to use nmap to scan a target computer, but you do not want to go further than determining if the target is online. Which of the following options would you use?

  1. -sO

  2. -oN

  3. -sP

  4. None of the above

  1. You want to use nmap to scan a target computer in order to determine what IP protocols it supports. Which of the following options would you use?

  1. -sO

  2. -oN

  3. -sP

  4. None of the above




  1. Use nmap to scan the computer with the host name www.google.com to determine what protocols it supports. Based on the result, name two of the protocols it supports: ____________, _____________. How many open ports use protocols you can’t get information about because of filtering? Answer: ______________

  2. You want to perform a scan and get information about the operating system installed on the target computer. Which of the following options would you use?

  1. -OS

  2. -oS

  3. -O

  4. None of the above




  1. You want to use nmap to perform target scans. You want to spoof your computer’s IP address in an attempt to avoid being blocked by firewalls and other devices in the defense system that protects the target. What option should you use? Answer: ______________.


Appendix 1: nmap -h result

user@UbuntuVirtual:~$ nmap -h

Nmap 4.76 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude : Exclude hosts/networks
  --excludefile : Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO [protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers : Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags : Customize TCP scan flags
  -sI : Idle scan
  -sO: IP protocol scan
  -b : FTP bounce scan
  --traceroute: Trace hop path to each host
  --reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
  -p : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports : Scan most common ports
  --port-ratio : Scan ports more common than
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity : Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=: is a comma separated list of
           directories, script-files or script-categories
  --script-args=: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup : Parallel host scan group sizes
  --min-parallelism/max-parallelism
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout
      probe round trip time.
  --max-retries : Caps number of port scan probe retransmissions.
  --host-timeout
  --scan-delay/--max-scan-delay
  --min-rate : Send packets no slower than per second
  --max-rate : Send packets no faster than per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu : fragment packets (optionally w/given MTU)
  -D : Cloak a scan with decoys
  -S : Spoof source address
  -e : Use specified interface
  -g/--source-port : Use given port number
  --data-length : Append random data to sent packets
  --ip-options : Send packets with specified ip options
  --ttl : Set IP time-to-live field
  --spoof-mac : Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
  -oN/-oX/-oS/-oG : Output scan in normal, XML, s|
     and Grepable format, respectively, to the given filename.
  -oA : Output in the three major formats at once
  -v: Increase verbosity level (use twice or more for greater effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume : Resume an aborted scan
  --stylesheet : XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection, Script scanning and Traceroute
  --datadir : Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -PN -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES


