Port Scanning, Host Discovery, Service and OS Detection

Active Reconnaissance: DNS and Mail Server Enumeration

• In the enumeration process, the attacker creates active connections to the system and performs directed queries to gain more information about the target.
• DNS/mail server enumeration is the process of locating all DNS servers and their corresponding records for an organization.
• Can yield usernames, computer names, and IP addresses of potential target systems.
• Can reveal the size of the organization, which can translate to the potential size of the attack.

• Tools used:
• nslookup, host, dig, etc.

(2) Active Reconnaissance: Scanning

• In active reconnaissance, the scanning tool plays a major role.
• Scanning can be used to detect:
• Live hosts in a network and the network infrastructure
• Open ports
• The service running on a particular port
• The operating system of the target machine
• Vulnerabilities of the network/application/OS/target system
• Tools used:
• NMAP, ZenMap, Nessus, Nexpose, etc.

Introduction to Network Mapper (NMAP)

• NMAP is a free, open-source tool for vulnerability scanning and network discovery.
• Generic command to run NMAP from the command prompt:
nmap [scan types] [options] <host or network ...>

• The main features of NMAP are:
• Host Discovery: Which hosts are alive?
• Port Scanning: What services are available?
• Service and Version Detection: Which version is running?
• OS Detection: Which OS version is running?

NMAP: Host Discovery (Live System Discovery)
• To detect live hosts, NMAP sends queries to multiple hosts.
• If it gets a reply, the target/host is marked as live.
• This is known as a ping sweep operation.

• Various host scan techniques are supported by NMAP:
a) ICMP sweep
b) Broadcast ICMP
c) Non-Echo ICMP
d) TCP sweep
e) UDP sweep

(a) Host discovery using ICMP Sweep
• How it works?
• Send out an ICMP ECHO request (ICMP type 8).
• If an ICMP ECHO reply (ICMP type 0) is received → TARGET IS ALIVE
• No response is received → TARGET IS DOWN
• To perform an ICMP echo sweep, the -PE option is used.
• Properties:
• Easy to implement
• Rather slow
• Easy to block

[Figure: Scanner sends an ICMP ECHO request to Target and receives an ICMP ECHO reply → TARGET is alive. Scanner sends an ICMP ECHO request and gets no response → TARGET is down/filtered.]
Sep 20, 2025
(b) Host discovery using Broadcast ICMP
• How it works?
• Send out an ICMP ECHO request to the network and/or broadcast address.
• All the hosts in the network will simultaneously send back ICMP ECHO reply packets.
• Faster than the previous method.
• ping -b 192.168.1.255
• Limitations:
• Most routers block this.
• Windows ignores these requests.

[Figure: Scanner sends a broadcast ICMP ECHO request to the network.]
(c) Host discovery using Non-ECHO ICMP
• How it works?
• Instead of an ICMP ECHO request, the scanner sends out other types of ICMP messages.
• The target will respond to such messages.
• Approach 1: Send ICMP type 13 messages (TIMESTAMP) (-PP option)
• The scanner queries the target for its current time.
• Approach 2: Send ICMP type 17 messages (ADDRESS MASK REQUEST) (-PM option)
• The scanner queries the target for its subnet mask (this feature is used by diskless workstations during booting).

(d) Host discovery using TCP Sweep
• How it works?
• The scanner sends out a TCP SYN or TCP ACK packet to the target.
• It also detects open ports.
• The port number can be suitably selected to prevent blocking by a firewall.
• Typical port numbers used: 21, 22, 23, 25, 80
• TCP sweep can be performed using two options:
• -PS : for TCP SYN sweep
• -PA : for TCP ACK sweep
• TCP sweep is also used by the default port scanning options.
(e) Host discovery using UDP Sweep

• How it works?
• The scanner sends a UDP datagram to the target.
• If no ICMP PORT UNREACHABLE message is received → TARGET IS ALIVE
• If an ICMP PORT UNREACHABLE message is received → TARGET IS DOWN
• To perform a UDP sweep, the -PU option is used.
• If the UDP port is unreachable, the port will be reported as closed.
• Limitations:
• Routers can drop UDP packets as they cross the Internet.
• Many UDP services do not respond.
• Firewalls typically drop UDP packets (except DNS).
• Not very reliable

Port Scanning Using NMAP
• To determine what services are running or listening (in the LISTEN state).
• Each running TCP service is associated with a port number, which listens for incoming connections.
• Each running UDP service is associated with a port number.
• Various port scanning techniques in NMAP:
a) TCP Connect scan
b) TCP SYN scan
c) TCP Stealth scan
d) FTP Bounce scan

(a) TCP Connect scan
• How it works?
• Uses the basic TCP connection establishment mechanism.
• Completes the 3-way handshake.
• Easy to detect by inspecting the system log.

(b) TCP SYN scan
• How it works?
• Does not establish a complete connection (half-open scanning).
• SYN/ACK is received → The port is LISTENING
• Immediately terminate the connection by sending RST.
• RST/ACK is received → The port is NON-LISTENING
• The -sT scan uses both TCP SYN and TCP ACK packets.
• It also uses an ICMP ECHO sweep to check whether the host is up or not.

(c) TCP Stealth scan
• Basic idea:
• Carry out port scanning while avoiding detection.
• Try to hide among normal network traffic.
• Not to be logged (stealth).
• How it works?
• Flag probe packets (also known as Inverse Mapping)
• A response is sent back only by a closed port.
• The intruder determines what services do not exist, and can infer the ones that exist.
• Slow scan rate
• Difficult to detect, and needs a long history log.

• How it can be done?
• RFC 793 specifies how to handle unexpected packets:
• Closed ports → Reply with a RESET packet
• Open ports → Ignore any packet in question
• Various ways:
• Send a RST scan packet.
• Send a FIN probe with the FIN flag set.
• Send an XMAS probe with the FIN, URG, SYN, RST, PSH flags set.
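The behaviour described on the SYN scan slide and on the two stealth scan slides above (half-open scanning, and inverse mapping from the RFC 793 rules for unexpected segments) can be worked through without sending a single packet. The Python block below is an added example; it is not part of the slides and not nmap code. It models how a closed port, an open (LISTEN) port, and a firewalled port answer one probe segment under RFC 793 section 3.9, and how a scanner interprets that answer. The probe names, the port-state strings and the verdict strings are this example's own; the Xmas flag set used here (FIN, PSH, URG) is the one nmap sends for its -sX scan, and nmap selects the half-open scan with -sS.

```python
"""Simulated RFC 793 responses and scanner-side inference.

Added example (not from the slides, not nmap code): models one probe
segment arriving at a port with no existing connection, as RFC 793
section 3.9 specifies for the CLOSED and LISTEN states, plus a
'filtered' state for a firewall that silently drops the probe.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

Flags = FrozenSet[str]

# Probe types discussed in the slides (names are this example's own).
SYN_PROBE: Flags = frozenset({"SYN"})
ACK_PROBE: Flags = frozenset({"ACK"})
RST_PROBE: Flags = frozenset({"RST"})
FIN_PROBE: Flags = frozenset({"FIN"})
NULL_PROBE: Flags = frozenset()
XMAS_PROBE: Flags = frozenset({"FIN", "PSH", "URG"})  # nmap's Xmas flag set

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def target_response(probe: Flags, state: str) -> Optional[Flags]:
    """Flags of the segment the target sends back, or None for silence.

    CLOSED: everything except RST is answered with a RST (RST|ACK when
    the probe carried no ACK).  LISTEN (open): SYN -> SYN|ACK, bare ACK
    -> RST (no such connection), RST is discarded, and any other segment
    without SYN is dropped, which is what makes FIN/NULL/Xmas 'stealthy'.
    """
    if state == FILTERED:
        return None                       # dropped before the TCP stack sees it
    if "RST" in probe:
        return None                       # RFC 793: an incoming RST is never answered
    if state == CLOSED:
        return frozenset({"RST"}) if "ACK" in probe else frozenset({"RST", "ACK"})
    if "ACK" in probe:                    # state == OPEN from here on
        return frozenset({"RST"})
    if "SYN" in probe:
        return frozenset({"SYN", "ACK"})
    return None                           # FIN / NULL / Xmas: silently dropped


def scanner_verdict(probe: Flags, response: Optional[Flags]) -> str:
    """What a scanner can conclude from one probe/response pair."""
    if "SYN" in probe and "ACK" not in probe:           # half-open (SYN) scan
        if response is None:
            return "filtered"
        return "open" if {"SYN", "ACK"} <= response else "closed"
    if "ACK" in probe and "SYN" not in probe:           # ACK probe: firewall state only
        return "unfiltered" if response and "RST" in response else "filtered"
    # Inverse mapping (FIN / NULL / Xmas / RST): only a closed port ever answers.
    if response is not None and "RST" in response:
        return "closed"
    return "open|filtered"


def scan_table(probes: Dict[str, Flags]) -> List[Tuple[str, str, str]]:
    """Run every probe against every port state and collect the verdicts."""
    rows = []
    for name, probe in probes.items():
        for state in (OPEN, CLOSED, FILTERED):
            rows.append((name, state, scanner_verdict(probe, target_response(probe, state))))
    return rows


if __name__ == "__main__":
    probes = {"SYN": SYN_PROBE, "ACK": ACK_PROBE, "RST": RST_PROBE,
              "FIN": FIN_PROBE, "NULL": NULL_PROBE, "XMAS": XMAS_PROBE}
    for name, state, verdict in scan_table(probes):
        print(f"{name:<5} probe, port {state:<9} -> scanner reports {verdict}")
```

Running the table side by side shows why the slides call inverse mapping both stealthy and imprecise: a closed port answers every probe type with a RST, but an open port and a firewalled port are equally silent to FIN, NULL and Xmas probes, so the scanner can only report open|filtered for them, whereas a SYN probe separates all three states. A probe that carries RST is discarded by every state under RFC 793, so in this model it yields no information at all.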

(d) FTP Bounce scan

• How it works?
• Connect to an FTP server, establish a control connection, and ask the FTP server to initiate an active data transfer process.

Service Version and OS Detection
• Some operating systems respond with specific messages in response to certain requests.
• This helps in identifying the OS type.

Some Specific Examples
• ACK: sending FIN|PSH|URG to a closed port
• Most OS → ACK with the same sequence number.
• Windows → ACK with sequence number + 1

• Type of Service: Probing with an ICMP_PORT_UNREACHABLE message
• Most OS → Returns with TOS = 0.
• Linux → Returns with TOS = 0xC0.

• For detecting the OS and service version, the -O and -sV options are used.

Reconnaissance - Countermeasures
Some steps can be taken to prevent reconnaissance, such as:
• Do not release critical information publicly.
• Use footprinting techniques to discover and remove sensitive information.
• Use split DNS, and restrict zone transfers.
• Disable directory listing.
• Encrypt passwords and sensitive information.
• Keep your systems updated.
• Examine logs for suspicious packets.
• Identify connections not properly terminated.
• Analyze port usage.
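The last three countermeasures (examine logs, find connections that were never properly terminated, analyze port usage) are where the scan techniques from the earlier slides become visible to a defender. The Python block below is an added example and not part of the slides: it parses constructed firewall log lines, in a format modelled on the Linux netfilter iptables LOG output with an ISO timestamp in front, and flags three indicators the slides describe: TCP flag combinations no normal stack emits on a new segment (NULL, FIN-only, Xmas, SYN+FIN), ICMP type 13/17 host-discovery probes, and one source touching many distinct destination ports within a short window (a TCP sweep). The addresses, the threshold values and the function names are all this example's own choices.

```python
"""Port-scan indicators from firewall log lines.

Added example, not from the slides. The line format is modelled on
Linux netfilter (iptables LOG target) output with an ISO timestamp in
front; every sample line below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: 10.0.0.5 sweeps ten ports in ten seconds (TCP SYN
# sweep), 10.0.0.6 sends a FIN-only stealth probe, 10.0.0.7 sends an ICMP
# timestamp request (type 13), and 10.0.0.8 is ordinary HTTPS traffic.
SAMPLE_LOG = [
    f"2025-09-20T10:00:{i:02d} kernel: SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT={40000 + i} DPT={p} SYN URGP=0"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])
] + [
    "2025-09-20T10:00:12 kernel: SRC=10.0.0.6 DST=10.0.0.10 PROTO=TCP SPT=50001 DPT=22 FIN URGP=0",
    "2025-09-20T10:00:13 kernel: SRC=10.0.0.7 DST=10.0.0.10 PROTO=ICMP TYPE=13 CODE=0",
    "2025-09-20T10:00:14 kernel: SRC=10.0.0.8 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0",
    "2025-09-20T10:00:15 kernel: SRC=10.0.0.8 DST=10.0.0.10 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0",
]


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into a timestamp, KEY=VALUE fields and bare TCP flag tokens."""
    ts_str, _, rest = line.partition(" ")
    fields: Dict[str, str] = {}
    flags = set()
    for tok in rest.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "icmp_type": int(fields["TYPE"]) if "TYPE" in fields else None,
        "flags": frozenset(flags),
    }


def bad_flag_combo(flags: FrozenSet[str]) -> Optional[str]:
    """Name the flag combination if it is one no normal TCP stack sends."""
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN-only"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "Xmas"
    if {"SYN", "FIN"} <= flags:
        return "SYN+FIN"
    return None


def detect_scans(lines: List[str], window_s: int = 60, port_threshold: int = 10) -> List[Tuple[str, str]]:
    """Return (source, reason) findings: stealth-flag probes, ICMP type 13/17
    host-discovery probes, and sources touching many distinct ports in a window."""
    findings: List[Tuple[str, str]] = []
    by_src = defaultdict(list)
    for ev in (parse_line(l) for l in lines):
        if ev["proto"] == "TCP":
            combo = bad_flag_combo(ev["flags"])
            if combo:
                findings.append((ev["src"], f"{combo} probe to {ev['dst']}:{ev['dpt']}"))
        elif ev["proto"] == "ICMP" and ev["icmp_type"] in (13, 17):
            findings.append((ev["src"], f"ICMP type {ev['icmp_type']} host-discovery probe to {ev['dst']}"))
        if ev["dpt"] is not None:
            by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):           # sliding time window over this source's events
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                findings.append((src, f"{len(ports)} distinct ports within {window_s}s"))
                break
    return findings


if __name__ == "__main__":
    for src, reason in detect_scans(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

The stealth-flag and ICMP checks fire on a single line, so they are cheap to run on a stream; the sweep check needs per-source state over a time window, and the threshold and window are the knobs a defender tunes against normal traffic (the two HTTPS connections from 10.0.0.8 stay below it). Half-open SYN scans are not caught here, because a per-packet log cannot tell whether the handshake completed; that is the "connections not properly terminated" item on the slide and needs connection-tracking or server-side state to answer.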
