Chapter 6. Port Scanning

FOOTPRINTING IS A PROCESS that passively gathers information about a target from many diverse sources. The goal of footprinting is to learn about a target system prior to launching an attack. If footprinting is performed patiently and thoroughly, a very detailed picture of a victim can be achieved, but that still leaves this question: What's next? If all this information is gathered up, organized, and placed before the attacker, how can it be acted upon? This next step, port scanning, is an active process that gathers information in more detail than footprinting can.

After the target has been analyzed and all relevant information organized, port scanning can take place. The goal of port scanning is to identify open and closed ports as well as the services running on a given system. Port scanning forms a critical step in the hacking process because the hacker needs to identify what services are present and running on a target system prior to initiating an effective attack. Port scanning also helps to determine the course of action in future steps because once the nature of the running services is identified, the correct tools can be selected from the hacker's toolbox. For example, a hacker may have a tool to target a file transfer service such as the Washington University file transfer program (WUFTP). However, if the victim is running the Microsoft File Transfer Protocol (FTP) program, the exploit tool will be incompatible. Once a port scan has been thoroughly performed, the hacker can then move on to mapping the network and looking for vulnerabilities that can be exploited.

Determining the Network Range

The first step in port scanning is one of preparation, specifically gathering information about the range of Internet Protocol (IP) addresses in use by the target. When identifying the network range, your ultimate goal is to get a picture of the range of IP addresses in use together with the subnet mask that applies to it. With this information the port scanning process becomes much more accurate and effective, because only the IP addresses belonging to the intended target will be scanned. Not having the appropriate network range can result in an inaccurate or ineffective scan that may even inadvertently set off detective measures. When getting information about network ranges, two options can be used. With a manual registrar query, you go directly to the registration sites and query for information by hand. With an automatic registrar query, you use Web-based tools. No matter how the range is determined, it is essential that the range be positively identified before you go any further. Chapter 5 provides a more in-depth explanation of the tools that can be used: Manual Registrar Query (from the Internet Assigned Numbers Authority, or IANA), Root Zone Database, Whois, and Automatic Registrar Query.

Identifying Active Machines

Once a valid network range has been obtained, the next step is to identify active machines on the network. There are several ways that this task can be accomplished, including the following:

  • Wardialing

  • Wardriving

  • Pinging

  • Port scanning

Each of these methods offers different capabilities useful in detecting active systems and as such will need to be explored individually. To use each of these techniques the attacker must clearly understand areas for which they are useful as well as those areas in which they are weak.

Wardialing

An old but still useful technique is wardialing. Wardialing is a technique that has existed for more than 25 years as a footprinting tool, which explains why the process involves the use of modems. Wardialing is very simple: it uses a modem to dial up phone numbers to locate modems. Upon first look, the technique looks sorely out of place in a world of broadband and wireless connection technology, but modems are still widely used due to the low cost of the technology. An attacker who picked a town at random and dialed up a range of phone numbers in that town would likely turn up several computers with modems attached. Wardialing can still be effective even in a world of high-speed connection technologies.

Note

The name wardialing originated from the 1983 film WarGames. In the film, the protagonist programmed his computer to dial phone numbers in a town to locate a computer system with the game he was looking for. In the aftermath of the popularity of the movie, the name WarGames Dialer was given to programs designed to do the same thing. Over time, the name was shortened to wardialing.

Dialing a range of phone numbers and getting several modems to respond doesn't initially sound significant until what is connected to those modems is considered. While modems are not nearly as popular as they were several years ago, their presence is still felt, as modems can be found connected to devices such as private branch exchanges (PBXs), firewalls, routers, fax machines, and a handful of other systems, not including actual computers. When you include more sensitive devices such as routers and firewalls, someone dialing up a modem and attaching to a firewall or router remotely takes on new significance. A modem can and should be looked at as a viable backdoor into a network, one that should be factored in when planning defensive measures. While there is a long list of wardialing programs that have been created over the years, three well-known wardialing tools include:

  • ToneLoc—A wardialing program that looks for dial tones by randomly dialing numbers or dialing within a range. It can also look for a carrier frequency of a modem or fax. ToneLoc uses an input file that contains the area codes and number ranges you want it to dial.

  • THC-Scan—An older DOS-based program that can use a modem to dial ranges of numbers in search for a carrier frequency from a modem or fax.

  • PhoneSweep—One of the few commercial options available in the wardialing market.

Note

Always check local laws before using any security/hacking tools. As an example, some states have laws that make it illegal to place a call without the intent to communicate. In fact, several laws banning the use of automated dialing systems used by companies such as telemarketers were a direct result of wardialing activities.

Why is wardialing still successful? One of the biggest reasons is the relative lack of attention paid to modems by corporations. Modems tend to be thought of as old, low-tech devices unworthy of serious attention by defenders of a network or attackers. As such, it is not uncommon to find modems attached to networks that are still active, but forgotten and unmonitored. In some cases, modems have been discovered active and attached to a company network only after a phone bill was submitted to closer scrutiny, generating questions about what certain phone numbers are used for.

Wardriving

Wardriving is another valuable technique for uncovering access points into a network. Wardriving is the process of locating wireless access points and gaining information about the configuration of each. This "sniffing" can be performed with a notebook, a car, and software designed to record the access points detected. Additionally, a global positioning system (GPS) can be included to go to the next step of mapping the physical location of the access points. Don't get caught up in names, however; wardriving or variations can be performed with the same equipment while walking, biking, or even flying. If an attacker is able to locate even a single unsecured access point, the dangers can be enormous, as it can give that same attacker quick and easy access to the internal network of a company. An attacker connecting to an unsecured access point is more than likely bypassing protective measures such as the corporate firewall, for example.

While there are a multitude of tools used to perform wardriving, other tools, including the following, are useful in defending against these attacks:

  • Airsnort—Wireless cracking tool

  • Airsnare—An intrusion detection system to help you monitor your wireless networks. It can notify you as soon as an unapproved machine connects to your wireless network.

  • Kismet—Wireless network detector, sniffer, and intrusion detection system commonly found on Linux

  • Netstumbler—Wireless network detector; also available for Mac and for handhelds

So why is wardriving successful? One of the most common reasons is that employees install their own access points on the company network without company permission (known as rogue access points). An individual who installs an access point in such a way will more than likely have no knowledge of, or possibly not care about, good security practices and by extension leave the access point completely unsecured. Another reason is that sometimes when an access point has been installed, those performing the installation have actively decided not to configure any security features. Wardriving generally preys upon situations in which security is not considered or is poorly planned. Steps should be taken to ensure that neither happens.

Pinging

A technique that is useful for determining whether a system is present and active is a ping sweep of an IP address range. By default, a computer will respond to a ping request with a ping reply or echo. A ping is actually an Internet Control Message Protocol (ICMP) message. With the use of a ping, it is possible to identify active machines and measure the speed at which packets are moved from one host to another as well as obtain details such as the Time to Live (TTL).

Note

If you want to learn more about ping and how ICMP works, take a moment to review RFC 792. It can be found at http://www.faqs.org/rfcs/rfc792.html.

A key advantage of ICMP scanning is that it can be performed rapidly because it runs scanning and analysis processes in parallel. In other words, it means more than one system can be scanned simultaneously; thus it is possible to scan an entire network rapidly. There are several tools available that can perform ping scans, but three of the better known ones include Pinger, Friendly Pinger, and WS Ping Pro.

Of course, for every pro there is a con, and pinging in this manner is not without issue. First, it is not uncommon for network administrators to specifically block ping at the firewall or even turn off ping completely on host devices. Second, it is a safe bet that any intrusion detection system (IDS) or intrusion prevention system (IPS) that is in place will detect and alert network managers in the event a ping sweep occurs. Finally, ping sweeps have no capability to detect systems that are plugged into the network but powered down.

Note

Remember, just because a ping sweep doesn't return any results, it does not mean that no systems are available. Ping could be blocked and/or the systems pinged may be off.

Port Scanning

The next step to take after discovering active systems is to find out what is available on the systems; in this case, a technique known as port scanning is used. Port scanning is designed to probe each port on a system in an effort to determine which ports are open. It is effective for gaining information about a host because the probes sent toward a system have the ability to reveal more information than a ping sweep can. A successful port scan will return results that will give a clear picture of what is running on a system. This is because ports are bound to applications.

A discussion of port scanning can't proceed without a clear understanding of some of the fundamentals of ports. In all, there are 65,535 TCP and 65,535 UDP ports on any given system. Each of these port numbers identifies a specific process that is either sending or receiving information at any time. At first glance, it might seem that a security professional would have to memorize all 65,000 plus ports in order to be adequately prepared, but this is not the case. In reality, only a few ports should ever be committed to memory, and if a port scan returns any ports that are not immediately recognizable, those port numbers should be further scrutinized. Some common port numbers are shown in Table 6-1.

Table 6-1. Common port numbers.

PORT         SERVICE   PROTOCOL
20/21        FTP       TCP
22           SSH       TCP
23           Telnet    TCP
25           SMTP      TCP
53           DNS       TCP/UDP
80           HTTP      TCP
110          POP3      TCP
135          RPC       TCP
161/162      SNMP      UDP
1433/1434    MSSQL     TCP

Contained in the list of common port numbers in Table 6-1 is an important detail located in the last column. In this column, the protocol in use is listed as either TCP or UDP (the same protocols discussed earlier when reviewing the TCP/IP suite of protocols). In practice, applications that access the network can do so using either TCP or UDP, based on how the service is designed. An effective port scan will be designed to take into account both TCP and UDP as part of the scanning process; these protocols work in different ways. TCP acknowledges each connection attempt; UDP does not, so it tends to produce less reliable results.

Table 6-2. TCP flag types.

FLAG   PURPOSE
SYN    Synchronize sequence number
ACK    Acknowledgement of sequence number
FIN    Final data flag used during the four-step shutdown
RST    Reset bit used to close an abnormal connection
PSH    Push data bit used to signal that data in this packet should be pushed to the beginning of the queue
URG    Urgent data bit used to signify that there are urgent control characters in this packet that should have priority

A Closer Look at TCP Port Scanning Techniques

TCP is a protocol that was designed to enable reliable communication, fault tolerance, and reliable delivery. Each of these attributes allows for a better communication mechanism, but at the same time these features allow an attacker to craft TCP packets designed to gain information about running applications or services.

To better understand these attacks, a quick overview of flags is needed. Flags are bits that are set in the header of a packet, each describing a specific behavior as shown in Table 6-2. A penetration tester or attacker with a good knowledge of these flags can use this knowledge to craft packets and tune scans to get the best results every time.

TCP offers tremendous capability and flexibility due to flags that can be set as needed. However, UDP does not offer the same capabilities, largely because of the mechanics of the protocol itself. UDP can be thought of as a fire-and-forget or best-effort protocol and, as such, uses none of the flags and offers none of the feedback that is provided with TCP. UDP is harder to scan successfully; as data is transmitted, there are no mechanisms designed to deliver feedback to the sender. A failed delivery of a packet from a client to a server offers only an ICMP message as an indicator of events that have transpired.

One of the mechanisms that port scanning relies on is the use of a feature known as flags. Flags are used in the TCP protocol to describe the status of a packet and the communication that goes with it. For example, a packet flagged with the FIN flag signals the end or clearing of a connection. The ACK flag is a signal used to indicate that a connection has been acknowledged. An XMAS scan is a packet that has all its flags active at once, in effect "lit up" like a Christmas tree.

Some of the more popular scans designed for TCP port scanning include:

  • TCP connect scan—This type of scan is the most reliable but also the easiest to detect. This attack can be easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK while closed ports respond with a RST/ACK.

  • TCP SYN scan—This type of scan is commonly referred to as half open because a full TCP connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems, although most modern systems have adapted to detect it. Open ports reply with a SYN/ACK while closed ports respond with a RST/ACK.

  • TCP FIN scan—This scan attempts to detect a port by sending a request to close a nonexistent connection. This type of attack is enacted by sending a FIN packet to a target port; if the port responds with a RST, it signals a closed port. This technique is usually effective only on UNIX devices.

  • TCP NULL scan—This attack is designed to send packets with no flags set. The goal is to elicit a response from a system to see how it responds and then use the results to determine the ports that are open and closed.

  • TCP ACK scan—This scan attempts to determine access control list (ACL) rule sets or identify whether stateless inspection is being used. If an ICMP destination unreachable message is returned, the port is considered to be filtered.

  • TCP XMAS tree scan—This scan functions by sending packets to a target port with flags set in combinations that are illegal or illogical. The results are then monitored to see how a system responds. Closed ports should return an RST.

Port Scanning Countermeasures

Port scanning is a very effective tool for an ethical hacker or attacker, and proper countermeasures should be deployed. These countermeasures include the range of techniques utilized by an organization's IT security group to detect and prevent successful port scanning from occurring. As there are a number of techniques that can be used to thwart port scanning, it would be impossible to cover them all, but listed here are some countermeasures that prevent an attacker from acquiring information via a port scan:

  • Deny all—Designed to block all traffic to all ports unless such traffic has been explicitly approved

  • Proper design—A careful and well-planned network that includes security measures such as IDSs and firewalls

  • Firewall testing—Scanning a firewall is used to verify its capability to detect and block undesirable traffic.

  • Port scanning—Utilizes the same tools that an attacker will use to attack a system with the goal of gaining a better understanding of the methods involved

  • Security awareness training—An organization should strive to provide a level of security awareness within the organization. With proper security awareness in place, personnel will know how to look for certain behaviors and maintain security. Security awareness will also be used to verify security policies and practices are being followed and to determine whether adjustments need to be made.
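The scan types listed above differ only in which TCP flags the probe carries, which is exactly what a defender's detection logic can key on. The following is an added example (not code from the chapter) that classifies unsolicited inbound packets by flag combination and alerts on any source that sweeps many distinct ports in a short window; the packet records are constructed, not captured traffic.

```python
from collections import defaultdict

# TCP flag bits as laid out in the header's flags byte (the bit positions
# are the real ones; the packets further down are constructed for this example).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def classify_probe(flags: int) -> str:
    """Name the scan type a single unsolicited inbound packet resembles.
    A lone SYN is also how every legitimate connection starts, so SYN on
    its own is only suspicious in volume (see detect_sweeps)."""
    if flags == 0:
        return "NULL"
    if flags == SYN:
        return "SYN"
    if flags == FIN:
        return "FIN"
    # Nmap's -sX sets FIN/PSH/URG; the chapter describes the every-flag variant.
    if flags in (FIN | PSH | URG, ALL_FLAGS):
        return "XMAS"
    if flags == ACK:
        return "ACK"
    return "other"


def detect_sweeps(packets, port_threshold=10, window_s=5.0):
    """packets: iterable of (timestamp, src_ip, dst_port, flags) describing
    inbound packets that did not belong to an established connection.
    Returns {src_ip: (scan_types, distinct_port_count)} for every source
    that touched more than port_threshold distinct ports within window_s."""
    by_src = defaultdict(list)
    for ts, src, dport, flags in sorted(packets):
        by_src[src].append((ts, dport, classify_probe(flags)))
    alerts = {}
    for src, events in by_src.items():
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window_s]
            ports = {dport for _, dport, _ in in_window}
            if len(ports) > port_threshold:
                kinds = sorted({kind for _, _, kind in in_window})
                alerts[src] = (",".join(kinds), len(ports))
                break
    return alerts


# Constructed sample: a SYN sweep of ports 20-40, a NULL sweep of ports 1-15,
# and a normal client opening three connections over a minute.
SAMPLE_PACKETS = (
    [(0.1 * i, "10.0.0.5", 20 + i, SYN) for i in range(21)]
    + [(100 + 0.2 * i, "10.0.0.7", 1 + i, 0) for i in range(15)]
    + [(200.0, "10.0.0.9", 80, SYN), (230.0, "10.0.0.9", 443, SYN),
       (260.0, "10.0.0.9", 22, SYN)]
)


def run_example():
    return detect_sweeps(SAMPLE_PACKETS)


if __name__ == "__main__":
    for src, (kinds, n) in run_example().items():
        print(f"{src}: {kinds} probe of {n} distinct ports")
```

The threshold and window are tuning knobs; a slow "Paranoid" timing scan will only be caught by widening the window.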

Mapping Open Ports

With scanning completed and information obtained, the next step of mapping the network can be performed. An attack in this stage has moved into a more interactive and aggressive format. There are many tools available that can be used to map open ports and identify services on a network. Because not every tool can be covered, it is necessary to limit the discussion to those tools that are widely used and well known. No matter which tools are used, however, the activity here can be boiled down to determining whether a target is live and then port scanning the target.

Nmap

Nmap is one of the most widely used security tools and a firm understanding of Nmap is considered a requirement for security professionals. At its core, Nmap is a port scanner that has the ability to perform a number of different scan types. The scanner is freely available for several operating systems, including Windows, Linux, MacOS, and others. By design, the software runs as a command line application, but to make usage easier, a graphical user interface (GUI) is available through which the scan can be configured. The strength of Nmap is that it has numerous command line switches to tailor the scan to return the desired information. The most common command switches are listed in Table 6-3.

Table 6-3. Nmap options.

NMAP COMMAND    SCAN PERFORMED
-sT             TCP connect scan
-sS             SYN scan
-sF             FIN scan
-sX             XMAS tree scan
-sN             NULL scan
-sP             Ping scan
-sU             UDP scan
-sO             Protocol scan
-sA             ACK scan
-sW             Windows scan
-sR             RPC scan
-sL             List/DNS scan
-sI             Idle scan
-P0             Don't ping
-PT             TCP ping
-PS             SYN ping
-PI             ICMP ping
-PB             TCP and ICMP ping
-PP             ICMP timestamp
-PM             ICMP netmask
-oN             Normal output
-oX             XML output
-oG             Greppable output
-oA             All output
-T Paranoid     Serial scan; 300 sec between scans
-T Sneaky       Serial scan; 15 sec between scans
-T Polite       Serial scan; 0.4 sec between scans
-T Normal       Parallel scan
-T Aggressive   Parallel scan
-T Insane       Parallel scan

To perform an Nmap scan, at the Windows command prompt, type Nmap followed by the IP address and the switches needed for the desired scan. For example, to scan the host with the IP address 192.168.123.254 using a full TCP connect scan, enter the following at the command line:

Nmap -sT 192.168.123.254

The response will be similar to this:

Starting Nmap 4.62 (http://nmap.org) at 2010-03-21 10:37 Central Daylight Time
Interesting ports on 192.168.123.254:
Not shown: 1711 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
2601/tcp open zebra
2602/tcp open ripd
MAC Address: 00:16:01:D1:3D:5C (Linksys)
Nmap done: 1 IP address (1 host up) scanned in 113.750 seconds

These results provide information about the victim system, specifically the ports that are open and ready to accept connections. Additionally, since the scan was performed against a system on the local network, the output also displays the media access control (MAC) address of the system being scanned. The port information can be used to obtain further details, as will be explored later.

Nmap's results can display the status of the port in one of three states:

  • Open—The target device is accepting connections on the port.

  • Closed—A closed port is not listening or accepting connections.

  • Filtered—A firewall, filter, or other network device is monitoring the port and preventing full probing to determine its status.
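Nmap's normal (-oN) report is plain text, so a defender who scans their own hosts can parse it and compare the result against what should be listening. Added example, not part of Nmap or of the chapter: it parses a report constructed in the format shown above, folds the "Not shown" bulk count back into the three port states, and lists open ports that are not on an expected list (the ones the chapter says deserve further scrutiny).

```python
import re
from dataclasses import dataclass

# Constructed to match the plain-text ('normal') report format shown above.
SAMPLE_REPORT = """\
Starting Nmap 4.62 (http://nmap.org) at 2010-03-21 10:37 Central Daylight Time
Interesting ports on 192.168.123.254:
Not shown: 1711 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
2601/tcp open zebra
2602/tcp open ripd
MAC Address: 00:16:01:D1:3D:5C (Linksys)
Nmap done: 1 IP address (1 host up) scanned in 113.750 seconds
"""

STATES = ("open", "closed", "filtered", "unfiltered",
          "open|filtered", "closed|filtered")
HOST_LINE = re.compile(r"^Interesting ports on (\S+):")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports?")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str


def parse_report(text):
    """Return (host, [PortRecord...], {state: count of ports 'Not shown'})."""
    host, records, not_shown = None, [], {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown[m.group(2)] = int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m and m.group(3) in STATES:
            records.append(PortRecord(int(m.group(1)), m.group(2),
                                      m.group(3), m.group(4)))
    return host, records, not_shown


def state_counts(text):
    """Per-state totals, folding the bulk 'Not shown' count back in so the
    three states described above account for every probed port."""
    _, records, counts = parse_report(text)
    counts = dict(counts)
    for r in records:
        counts[r.state] = counts.get(r.state, 0) + 1
    return counts


def unexpected_open(text, expected_ports):
    """Open ports absent from the defender's expected list."""
    _, records, _ = parse_report(text)
    return sorted(r.port for r in records
                  if r.state == "open" and r.port not in expected_ports)


if __name__ == "__main__":
    print(state_counts(SAMPLE_REPORT))
    print("unexpected open ports:", unexpected_open(SAMPLE_REPORT, {21, 80}))
```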

Figure 6-1. Superscan.

Superscan

Superscan is a Windows-based port scanner developed by Foundstone. This port scanner is designed to scan TCP and UDP ports, perform ping scans, run Whois queries, and use tracert. Superscan is a GUI-based tool that has a preconfigured list of ports to scan or can be customized to scan a specific range. It's shown in Figure 6-1.

Scanrand

Scanrand is a scanning tool that is designed to scan a single host up to large-scale networks quickly and then return results about the network. Scanrand is unique among network scanners because although most scan a port at a time, Scanrand scans ports in parallel using what is known as stateless scanning. By using stateless scanning, Scanrand can perform scans much faster than other network scanners.

Note

Scanrand is available for both the Linux and UNIX platforms; there is no Windows equivalent.

Stateless scanning is an approach that splits scanning into two distinct processes. The two processes work together to complete the scan, with one process transmitting and the other listening for results. Specifically, the first process transmits connection requests at a high rate, and the second process is responsible for sorting out the results. The power of this program is a process known as inverse SYN cookies.

Scanrand builds a hashed sequence number that is placed in the outgoing packet that can be identified upon return. This value contains information that identifies source IP, source port, destination IP, and destination port. Scanrand is useful to a security professional when a large number of IP addresses need to be scanned quickly.
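The two paragraphs above describe how the listening process can recognise a reply without any record of what was sent: the sequence number is a keyed hash of the 4-tuple, and TCP replies acknowledge that number plus one. The following is an added illustration of that correlation step (a simplified reimplementation, not Scanrand's code); nothing is transmitted, the key and the "replies" are constructed, and the field names are this example's own.

```python
import hashlib
import hmac
import socket
import struct

# Constructed key for this example; a real sender would pick a fresh random
# key per scan so replies from an earlier run cannot be mistaken for new ones.
EXAMPLE_KEY = b"example-scan-key-not-secret"


def make_cookie(key, src_ip, src_port, dst_ip, dst_port):
    """32-bit sequence number derived from the 4-tuple. Because it is a
    keyed hash, the listener can recompute it from the reply alone and
    needs no table of outstanding probes."""
    msg = (socket.inet_aton(src_ip) + struct.pack("!H", src_port)
           + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def build_probe(key, src_ip, src_port, dst_ip, dst_port):
    """Fields of the SYN the sending process would emit (nothing is sent)."""
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port),
            "flags": "S",
            "seq": make_cookie(key, src_ip, src_port, dst_ip, dst_port)}


def classify_reply(key, reply):
    """The listening process sees a reply with the 4-tuple reversed. A
    reply to our SYN must acknowledge seq+1, so the ack is compared with
    cookie(our_ip, our_port, their_ip, their_port) + 1. Anything else is
    unsolicited: a spoofed reply, or a reply belonging to another scan run."""
    their_ip, their_port = reply["src"]
    our_ip, our_port = reply["dst"]
    expected_ack = (make_cookie(key, our_ip, our_port, their_ip, their_port)
                    + 1) & 0xFFFFFFFF
    if reply["ack"] != expected_ack:
        return "unsolicited"
    flags = reply["flags"]
    if "S" in flags and "A" in flags:
        return "open"       # SYN/ACK: port accepting connections
    if "R" in flags:
        return "closed"     # RST/ACK: nothing listening
    return "unknown"


def simulate_exchange(key, target_port, port_is_open):
    """Constructed round trip: craft the probe, fake the target's answer,
    and let the stateless listener classify it."""
    probe = build_probe(key, "10.0.0.2", 40000, "10.0.0.1", target_port)
    reply = {"src": probe["dst"], "dst": probe["src"],
             "flags": "SA" if port_is_open else "RA",
             "ack": (probe["seq"] + 1) & 0xFFFFFFFF}
    return classify_reply(key, reply)


if __name__ == "__main__":
    print("port 80:", simulate_exchange(EXAMPLE_KEY, 80, True))
    print("port 81:", simulate_exchange(EXAMPLE_KEY, 81, False))
```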

THC-Amap

THC-Amap (Another Mapper) is a scanner that offers a different approach to scanning. When using traditional scanning programs, problems arise when services that use encryption are scanned, because these services might not return a banner; a service using the Secure Sockets Layer (SSL), for example, expects a handshake first. Amap handles this by storing a collection of normal responses that can be provided to ports to elicit a response. The tool also excels at allowing the security professional to find services that have been redirected from standard ports.

Note

THC-Amap is similar to Nmap in that it can identify a service that is listening on a given port. Amap does not include the extensive identification abilities possessed by Nmap, but it can be used to confirm results of Nmap or to fill in any gaps.

OS Fingerprinting

Open ports that have been uncovered during the port scanning phase need to be further investigated because the mere existence of an open port does not mean a vulnerability exists; this must still be determined. The open ports that are discovered provide clues to what operating system is in use on the target. Determining the operating system that is in use on a specific target is the purpose of what is known as OS fingerprinting. Once an operating system is identified, it is possible to better focus the attacks that come later. To identify an OS, there are two different methods that can be utilized: active fingerprinting or passive fingerprinting.

OS fingerprinting relies on the unique characteristics that each OS possesses to function. Each operating system responds to communication attempts in different ways that, once analyzed, can allow for a well-educated guess to be made about the system in place. To seek out these unique characteristics, active and passive fingerprinting can probe a system to generate a response or listen to a system's communications for details about the OS.

Active OS Fingerprinting

The process of active OS fingerprinting is accomplished by sending specially crafted packets to the targeted system. In practice, several probes or triggers are sent from the scanning system to the target. When the responses are received from a targeted system, based on the responses an educated guess can be made as to the OS that is present. Though it may appear otherwise, OS identification is an accurate method of determining the system in place because the tools have become much more accurate than in the past.

Xprobe2

Xprobe2, a commonly used active fingerprinting tool, relies on a unique method to identify an operating system known as fuzzy signature matching. This method consists of performing a series of tests against a certain target and collecting the results. The results are then analyzed to produce a probability that a system is running a specific OS. Xprobe2 cannot say definitively which operating system is running, but instead uses the results to infer what system is running. As an example, running Xprobe2 against a targeted system yields the following results:

75% Windows 7
20% Windows XP
5% Windows 98

The results that Xprobe2 is presenting here are the probability that the system is running a given OS. Xprobe2 comes with several predefined profiles for different OSs, and the results are compared against these profiles to generate the results seen here. The results show that there are three OSs that match profiles to different degrees: The results for Windows 7 are at 75 percent and the others are quite low, so it can be assumed with some confidence that Windows 7 is in place. This score is intended to determine which operating system the target computer is running.

Nmap

Valuable in OS fingerprinting as well as port scanning, Nmap can provide reliable data on which operating system is present. Nmap is effective at identifying the OSs of networked devices and generally can provide results that are highly accurate. Several Nmap options that can be used to fine-tune the scan include:

  • -sV Application version detection

  • -O OS fingerprinting

  • -A Both of the previous options

An example of an Nmap scan with the -O option is shown here:

Nmap -O 192.168.123.254
Starting Nmap 4.62 (http://nmap.org) at 2010-03-21 12:09 Central Daylight Time
Interesting ports on 192.168.123.22:
Not shown: 1712 closed ports
PORT STATE SERVICE
80/tcp open http
2601/tcp open zebra
2602/tcp open ripd
MAC Address: 00:16:01:D1:3D:5C (Netgear)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18-2.4.32 (likely RedHat)
Uptime: 77.422 days (since Sun Jan 03 01:01:46 2010)
Network Distance: 1 hop

Nmap has identified this system as Linux along with version and uptime information. An attacker gaining this information can now target an attack to make it more effective because it would be possible to focus on only those exploits that are appropriate—for example, no Windows attacks. Nmap is capable of identifying commonly encountered network devices and is a tool that should not be overlooked.

Passive OS Fingerprinting

The alternative to active fingerprinting is passive fingerprinting, which approaches the process differently. Passive fingerprinting, by design, does not interact with the target system itself. It is a passive tool that monitors or captures network traffic. The traffic monitored is analyzed for patterns that would suggest which operating systems are in use. Passive OS fingerprinting tools simply sniff network traffic and then match that traffic to specific OS signatures. The database of known patterns can be updated from time to time as new operating systems are released and updated. As an example, a tool may have a fingerprint for Windows Vista but will need to be updated to include Windows 7.

A passive identification requires larger amounts of traffic, but offers a level of stealth, as it is much harder to detect these tools, since they do not perform any action that would reveal their presence. These tools are similar in that they examine specific types of information found in IP and TCP headers. While you do not need to understand the inner workings of TCP/IP to use these tools, you should have a basic understanding as to what areas of these headers these tools examine. These include:

  • TTL Value

  • Don't Fragment Bit (DF)

  • Type of Service (TOS)

  • Window Size
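Both the Xprobe2 fuzzy matching described earlier and the passive header-field matching listed above come down to scoring an observation against a table of OS profiles and reporting the shares as percentages. The following is an added example (not p0f's or Xprobe2's code) that scores the TTL, DF bit, TOS and window size of one observed SYN; the profile values are illustrative numbers constructed for the example, not real fingerprint entries, and the field names are this example's own.

```python
# Illustrative profiles constructed for this example: (label, initial TTL,
# DF bit, TOS, TCP window). They are NOT p0f's or Xprobe2's real entries.
SIGNATURES = [
    ("profile-A (Linux-like)", 64, True, 0, 5840),
    ("profile-B (Windows-like)", 128, True, 0, 65535),
    ("profile-C (BSD-like)", 64, True, 0, 65535),
]
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Every router decrements TTL, so the observed value is rounded up to
    the nearest value an OS is commonly known to start from."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return observed_ttl


def score(signature, syn):
    """Count matching header fields; the window size is weighted double
    because it separates stacks far better than TOS or DF do."""
    _, ttl, df, tos, window = signature
    points = 0
    points += 1 if guess_initial_ttl(syn["ttl"]) == ttl else 0
    points += 1 if syn["df"] == df else 0
    points += 1 if syn["tos"] == tos else 0
    points += 2 if syn["window"] == window else 0
    return points


def fingerprint(syn):
    """Return a ranked list of (label, percent), in the style of the Xprobe2
    output shown earlier, plus the hop distance implied by the TTL."""
    scores = [(sig[0], score(sig, syn)) for sig in SIGNATURES]
    total = sum(s for _, s in scores) or 1
    ranked = sorted(((label, round(100 * s / total)) for label, s in scores),
                    key=lambda item: -item[1])
    hops = guess_initial_ttl(syn["ttl"]) - syn["ttl"]
    return ranked, hops


if __name__ == "__main__":
    # Constructed SYN as a passive sniffer would record it, six hops away.
    observed = {"ttl": 58, "df": True, "tos": 0, "window": 5840}
    ranked, hops = fingerprint(observed)
    for label, pct in ranked:
        print(f"{pct}% {label}")
    print("estimated hops:", hops)
```

A single SYN gives one vote; a passive tool gains confidence by scoring many packets from the same host, which is why the text notes that passive identification needs more traffic.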

The p0f Tool

A tool for performing passive OS fingerprinting is a tool named p0f, which can identify an OS using passive techniques. That means p0f can identify the target without placing any additional traffic on the network that can lead to detection. The tool makes attempts to fingerprint the system based on the incoming connections that are attempted.

The following results have been generated using p0f:

C:>p0f -i2
p0f-passive os fingerprinting utility, version 3.0.4
(C) M. Zalewski <[email protected]>, W. Stearns <wstearns@pobox.com>
WIN32 port (C) M. Davis <[email protected]>, K. Kuehl <[email protected]>
p0f: listening (SYN) on 'DeviceNPF_{AA134627-43B7-4FE5-AF9B-18CD840ADW7E}', 112 sigs (12 generic), rule: 'all'.
192.168.123.254:1045-Linux RedHat

Once p0f is running, it will attempt to identify the system that is being connected to, based on the traffic that it observes. The previous example shows that p0f has identified the system in question as being a distribution of Linux known as RedHat.

Mapping the Network

The next step in the process is to generate a picture of the network that is being targeted. When the information has been collected and organized, a network diagram can be produced that will show vulnerable or potentially vulnerable devices on the target network. A number of network management tools can produce an accurate map of the network built from information that has been gathered previously in addition to new information. Some tools that can help in the process include SolarWinds Toolset, Cheops, Queso, and Harris Stat.

Note

The tools in this category were designed to help those who create networks manage them. However, as with most tools, the possibility for abuse exists. As is true in most cases, the tool isn't evil or bad; it's the intention of the user that actually determines whether honorable or less-than-honorable actions will be the result.

Even without these tools, you should be able to manually map your findings. This information can be recorded in a notebook or a simple spreadsheet. This spreadsheet should contain domain name information, IP addresses, domain name system (DNS) servers, open ports, OS version, publicly available IP address ranges, wireless access points, modem lines, and application banner details you may have discovered.

Cheops

Cheops is an open source network management tool that can assist in viewing the network layout and the devices therein. Cheops can assist an attacker in the same way it would assist a network admin—it performs tasks such as identifying hosts on a network and the services each offers. Even more useful is the ability to display the whole network in a graphic format showing the paths of data between systems on the target network.

Solarwinds

Solarwinds is another network management tool that can be used to render a diagram of a network and the services within. Solarwinds has the ability to detect, diagram, and reflect changes in the network architecture with a few button clicks. It is even possible for Solarwinds to generate network maps that can be viewed in products such as Microsoft's diagramming product Visio.
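What a mapping tool does with the collected data can be shown in a few dozen lines. The following added example (not Cheops or SolarWinds code) takes constructed traceroute-style paths from the scanning host to each discovered target, merges the shared hops into a single graph, attaches the spreadsheet details (OS, open ports) to each scanned host, and emits Graphviz DOT so the map can be rendered. The path format, addresses and findings are all constructed for this example; a hop that did not reply is written as `*` and is kept as a dashed edge rather than dropped, so the map records where the path is uncertain.

```python
"""Building a network map from path data, as a mapping tool does (added example)."""

# Constructed paths: "target: hop1 hop2 ... target"; '*' marks a hop that did not reply.
PATHS = """
192.168.123.10: 10.0.0.1 10.0.1.1 192.168.123.10
192.168.123.254: 10.0.0.1 10.0.1.1 192.168.123.254
172.16.5.7: 10.0.0.1 * 172.16.5.7
"""

# Constructed findings from the scanning phase (the 'spreadsheet' of the text).
INVENTORY = {
    "192.168.123.10": {"os": "Linux (guess)", "ports": [22, 80]},
    "192.168.123.254": {"os": "Linux RedHat", "ports": [21, 25, 110]},
    "172.16.5.7": {"os": "Windows", "ports": [80, 445]},
}

def parse_paths(text: str) -> dict:
    """Return {target: [hop, ...]} from the simple path format above."""
    paths = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        target, hops = line.split(":", 1)
        paths[target.strip()] = hops.split()
    return paths

def build_graph(paths: dict, origin: str = "scanner") -> dict:
    """Merge all paths into {(a, b): dashed}; a dashed edge skips an unresponsive hop."""
    edges = {}
    for hops in paths.values():
        prev, gap = origin, False
        for hop in hops:
            if hop == "*":
                gap = True          # keep going; the next responding hop closes the gap
                continue
            edges.setdefault((prev, hop), gap)
            prev, gap = hop, False
    return edges

def to_dot(edges: dict, inventory: dict) -> str:
    """Render the merged graph as Graphviz DOT; scanned hosts become labelled boxes."""
    nodes = {n for edge in edges for n in edge}
    lines = ["digraph netmap {", "  rankdir=LR;"]
    for n in sorted(nodes):
        info = inventory.get(n)
        if info:
            ports = ",".join(str(p) for p in info["ports"])
            lines.append(f'  "{n}" [shape=box, label="{n}\\n{info["os"]}\\nports: {ports}"];')
        else:
            lines.append(f'  "{n}" [shape=ellipse];')
    for (a, b), dashed in sorted(edges.items()):
        attrs = ' [style=dashed, label="unresponsive hop"]' if dashed else ""
        lines.append(f'  "{a}" -> "{b}"{attrs};')
    lines.append("}")
    return "\n".join(lines)

def network_map(text: str = PATHS, inventory: dict = INVENTORY) -> str:
    """Full pipeline: parse paths, merge into a graph, render as DOT."""
    return to_dot(build_graph(parse_paths(text)), inventory)

if __name__ == "__main__":
    print(network_map())    # render with: dot -Tpng -o netmap.png
```

Because shared hops are merged by address, the two hosts on 192.168.123.0/24 hang off the same 10.0.1.1 router node, which is exactly the "paths of data between systems" view the text describes for Cheops. From a defender's side the same script, run against your own traceroute output, shows which routers would be visible to an outsider and where ICMP filtering is hiding hops.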

Analyzing the Results

With a wealth of data on hand, the attacker now must undertake the process of analyzing that data to learn more about the target. Understanding the vulnerabilities of the victim and identifying potential points of entry require careful analysis and organization. At this point, the attacker starts to plan the attack. When analyzing data, for example, items such as an open wireless access point can lead a hacker to consider additional wardriving or wireless attack activities in an attempt to connect to the network. Another example is an unpatched Web server that would present the hacker an opportunity to run an attack against the server itself. Generally, these steps would be the following:

  • Analyze the services that have been revealed.

  • Explore vulnerabilities for each service or system.

  • Research and locate any potential exploits that can be used to attack the system.

Once each of these items has been completed, the attacker can use a search engine to gather information about potential attacks by searching on the OS and known exploits. Plenty of information is available for an attacker to learn how to position an attack. As one example, http://www.securityfocus.com was searched for vulnerabilities in Microsoft's Windows Web server, IIS version 5. The results are shown in Figure 6-2. Notice that there are more than three pages of results.


Figure 6-2. Microsoft IIS vulnerabilities.

It is at this point that the reasons for patiently and thoroughly collecting information about a target become clear. With the results of previous scans, maps, and other data gathered, a target can be more accurately pinpointed resulting in a more effective and potentially devastating attack.
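The first two analysis steps above (analyze the revealed services, explore the vulnerabilities of each) are the same steps a security professional scripts when deciding what to patch first. The following added example, which is not a tool from the chapter, matches each discovered service's product and version against an advisory table and ranks the hits by severity. Product names, version numbers and advisory identifiers are constructed placeholders for this example, not real software or real CVE numbers; a real run would feed the table from a vulnerability database.

```python
"""Cross-referencing scan findings with advisories to prioritize fixes (added example)."""
from dataclasses import dataclass

@dataclass
class Service:
    host: str
    port: int
    product: str
    version: str

@dataclass
class Advisory:
    id: str          # placeholder identifier, not a real CVE number
    product: str
    affected: str    # comma-separated version constraints, e.g. ">=2.0,<2.5"
    severity: int    # 1 (low) .. 10 (critical)
    fix: str

def parse_version(text: str) -> tuple:
    """'5.0.12' -> (5, 0, 12); non-numeric characters inside a component are dropped."""
    parts = []
    for component in text.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def compare(a: tuple, b: tuple) -> int:
    """-1, 0 or 1, treating missing trailing components as zero ((5, 1) == (5, 1, 0))."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

# Two-character operators are listed first so "<=" is not mistaken for "<".
_OPS = {"<=": lambda c: c <= 0, ">=": lambda c: c >= 0, "==": lambda c: c == 0,
        "<": lambda c: c < 0, ">": lambda c: c > 0}

def is_affected(version: str, spec: str) -> bool:
    """True when every constraint in spec holds for version; a bare version means equality."""
    v = parse_version(version)
    for constraint in spec.split(","):
        constraint = constraint.strip()
        op = next((o for o in _OPS if constraint.startswith(o)), None)
        bound = constraint[len(op):] if op else constraint
        if not _OPS[op or "=="](compare(v, parse_version(bound))):
            return False
    return True

def prioritize(services, advisories):
    """Return (service, advisory) pairs for every affected service, most severe first."""
    hits = [(s, a) for s in services for a in advisories
            if s.product.lower() == a.product.lower() and is_affected(s.version, a.affected)]
    hits.sort(key=lambda hit: (-hit[1].severity, hit[0].host, hit[0].port))
    return hits

def report(hits) -> list:
    """Human-readable remediation list, one line per hit."""
    return [f"{s.host}:{s.port} {s.product} {s.version} -> {a.id} (severity {a.severity}): {a.fix}"
            for s, a in hits]

# Constructed inventory, as gathered from port scanning and banner grabbing.
SERVICES = [
    Service("192.168.123.10", 21, "AcmeFTP", "2.4.1"),
    Service("192.168.123.10", 80, "AcmeHTTPd", "5.0"),
    Service("192.168.123.254", 22, "AcmeSSH", "7.9"),
    Service("172.16.5.7", 80, "AcmeHTTPd", "5.1.2"),
]
# Constructed advisory table; ids and products are placeholders.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "AcmeHTTPd", "<5.1", 9, "upgrade to 5.1 or later"),
    Advisory("ADV-EXAMPLE-002", "AcmeFTP", ">=2.0,<2.5", 7, "upgrade to 2.5 or later"),
    Advisory("ADV-EXAMPLE-003", "AcmeSSH", "<7.4", 8, "upgrade to 7.4 or later"),
]

if __name__ == "__main__":
    for line in report(prioritize(SERVICES, ADVISORIES)):
        print(line)
```

The version comparison is the part worth getting right: "5.1" and "5.1.0" must compare equal, and ranges such as ">=2.0,<2.5" must be evaluated as a conjunction, otherwise a patched host is flagged or a vulnerable one is missed. Ranking the hits by severity turns the raw scan data into the ordered remediation list the summary below asks the security professional to produce before an attacker does the same analysis.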

CHAPTER SUMMARY

This chapter introduced the concept of port scanning. Port scanning is a technique that is used to identify services present on a system or range of systems. The purpose of port scanning is to get a better idea of what is present and running on a target prior to carrying out an actual attack against a system. In order to learn more about the services that are available on a system, several techniques can be used, including wardriving, wardialing, and ping sweeps. Once services have been identified and confirmed, the next step is to learn about the operating system to better target the attack itself.

To get the best results from an attack, the operating system needs to be known. There are two ways to determine the OS: active and passive fingerprinting. Active fingerprinting identifies a system or range of systems by sending specially crafted packets designed to reveal unique characteristics about the target. The downside of this type of fingerprinting is that the process can be easily detected. Active fingerprinting tools include Nmap and Xprobe2. The alternative to active fingerprinting is passive fingerprinting, which is stealthier, but is not as accurate. One of the best passive fingerprinting tools is p0f.

The attacker will then move on to mapping the network to determine the nature and relationship of the hosts on the network. Network mapping reveals the nature and relationship of the network in a graphical format, allowing for a better view of the network. Network mapping is one of the last steps before choosing an attack.

Once applications have been mapped and operating systems identified, the attack moves to the final steps, which include mapping the network and analyzing the results. An attacker who has obtained information about services is very close to being able to launch an attack. As a security professional, your goal is to find these problems and fix them before the hacker can exploit these findings.

KEY CONCEPTS AND TERMS

  • Active fingerprinting

  • Banner

  • Internet Control Message Protocol (ICMP)

  • OS identification

  • Passive fingerprinting

  • Ping sweep

CHAPTER 6 ASSESSMENT

  1. _______ is a popular though easily detectable scanning technique.

    1. Full connect

    2. Half open scanning

    3. NULL scan

    4. Xmas tree scan

  2. Which of the following is the Nmap command line switch for a full connect port scan?

    1. -sS

    2. -sU

    3. -sT

    4. -O

  3. Which of the following is an example of a passive fingerprinting tool?

    1. Superscan

    2. Xprobe2

    3. Nmap

    4. p0f

  4. TCP and UDP both use flags.

    1. True

    2. False

  5. Which of the following statements is most correct?

    1. Active fingerprinting tools inject packets into the network.

    2. Passive fingerprinting tools inject traffic into the network.

    3. Nmap can be used for passive fingerprinting.

    4. Passive fingerprinting tools do not require network traffic to fingerprint an operating system.

  6. Which of the following is not a network mapping tool?

    1. Solarwinds

    2. Netstat

    3. Cheops

    4. Harris Stat

  7. _______ is the point at which an attacker starts to plan his or her attack.

    1. Active OS fingerprinting

    2. Passive OS fingerprinting

    3. Port scanning

    4. Analyzing the results

  8. An XMAS tree scan sets all of the following flags except _______.

    1. SYN

    2. URG

    3. PSH

    4. FIN

  9. Of the two protocols discussed, which is more difficult to scan for?

  10. You have been asked to perform a port scan for POP3. Which port will you scan for?

    1. 22

    2. 25

    3. 69

    4. 110

  11. Ping scanning does not identify open ports.

    1. True

    2. False

  12. The process of determining the underlying version of the system program being used is best described as _______.

    1. OS fingerprinting

    2. Port scanning

    3. Wardialing

    4. Wardriving

  13. Which of the following switches is used for an ACK scan?

    1. -sI

    2. -sS

    3. -sA

    4. -sT
