Computer Fundamentals Tutorial
A thief wanted to rob a bank. He had been watching the bank for a week,
taking notes about when the employees come, when they leave, when there is
big cash in the bank and when this cash is gone, and he decided to rob the
bank on day X.
What do you think is missing here?
The thief gathered his information from the outside, but he missed the
inside part. He didn’t note where the entrances and exits are, where the
guards are located, where the monitoring cameras are and how to disable
or evade them; he didn’t see where the cash is, what kind of vault they have,
how he will escape, what Plan B is…
Wow, this guy missed so many things, and this is what hackers try to avoid.
This is what we call “Scanning and Enumeration”.
In “Scanning and Enumeration” we are trying to gather more information –
but this time by delving partially into our target and grabbing the
information that will help us prepare our attack.
In the previous phase we were able to gather general information about
our target; this time we will scan the target’s systems to find out:
1- Live systems
2- Open ports
3- Services running
4- Operating systems used
5- Vulnerabilities
Any “Penetration Testing” scan starts with identifying the live systems and
drawing a network topology of your target; our mission here is to find hosts,
routers, firewalls…
Both requirements can be achieved using methods like “Tracerouting”
– which we already discussed in a previous article; another method is “Ping
Sweeping” – a technique where you send ICMP Echo Requests to multiple
hosts, trying to find which of these hosts are alive.
Some of the tools that can accomplish “Ping Sweeping” are Nmap, Hping3,
netenum, Fping…
At the end of the Nmap command output, you will see the result of the Ping
Sweep.
* If ICMP Echo Requests are blocked at the perimeter, then you are stuck,
because Ping Sweeping using ICMP won’t work.
Note – In this case, we will use a TCP Ping Sweep to scan our target’s
network. What happens is that we send an ACK to the targets, and the live
ones should respond with a RST.
For example with Nmap, the command will be:
nmap -sP -PT 207.x.x.0/24
Or
nmap -sP -PT80 207.x.x.0/24 (where 80 here is a port number that is
allowed through the firewall; it doesn’t mean that this port has to be
open on the scanned machines)
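Seen from the network owner’s side, a Ping Sweep stands out as one source touching many different hosts in a short time. The following is an added example (not code from the tutorial) that flags ICMP Echo Request sweeps and the TCP ACK variant over a constructed packet log; the record layout and thresholds are assumptions for the example.

```python
# Added example (not from the tutorial): flag a Ping Sweep in a packet log.
# A sweep shows up as one source sending ICMP Echo Requests, or bare TCP
# ACK probes (the TCP Ping used when ICMP is blocked), to many distinct
# hosts in a short time. The capture below is constructed for the example.
from collections import defaultdict

# (seconds, src, dst, proto, flags)
PACKETS = [
    (0.00, "10.0.0.5", "192.168.1.1", "icmp", "echo-request"),
    (0.01, "10.0.0.5", "192.168.1.2", "icmp", "echo-request"),
    (0.02, "10.0.0.5", "192.168.1.3", "icmp", "echo-request"),
    (0.03, "10.0.0.5", "192.168.1.4", "icmp", "echo-request"),
    (1.00, "10.0.0.9", "192.168.1.1", "tcp", "ACK"),      # TCP Ping probes
    (1.01, "10.0.0.9", "192.168.1.2", "tcp", "ACK"),
    (1.02, "10.0.0.9", "192.168.1.3", "tcp", "ACK"),
    (1.03, "10.0.0.9", "192.168.1.4", "tcp", "ACK"),
    (1.04, "192.168.1.2", "10.0.0.9", "tcp", "RST"),      # live host answers
    (5.00, "10.0.0.7", "192.168.1.1", "tcp", "SYN"),      # ordinary connection
    (5.10, "192.168.1.1", "10.0.0.7", "tcp", "SYN,ACK"),
    (5.20, "10.0.0.7", "192.168.1.1", "tcp", "ACK"),
]

def probe_kind(proto, flags):
    """Classify a packet as an ICMP or TCP-ACK probe, else None."""
    if proto == "icmp" and flags == "echo-request":
        return "icmp"
    if proto == "tcp" and flags == "ACK":   # ACK alone, no SYN/PSH/FIN
        return "tcp-ack"
    return None

def find_sweeps(packets, min_hosts=4, window=2.0):
    """Return {src: kind} for sources whose probes of one kind reached at
    least min_hosts distinct hosts inside any window of `window` seconds.
    A lone ACK inside an established connection never reaches that count."""
    per_src = defaultdict(list)                # (src, kind) -> [(ts, dst)]
    for ts, src, dst, proto, flags in packets:
        kind = probe_kind(proto, flags)
        if kind:
            per_src[(src, kind)].append((ts, dst))
    sweeps = {}
    for (src, kind), probes in per_src.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            hosts = {d for t, d in probes[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                sweeps[src] = kind
                break
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(PACKETS))   # {'10.0.0.5': 'icmp', '10.0.0.9': 'tcp-ack'}
```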
Now after we were able to see the live hosts on the target network, let’s see
which of these systems have open doors for our entry, and what services
might be running on these systems.
I will tell you the types of scans, and with each scan I will describe how it is
accomplished and what’s going on behind the scenes.
But before that, I would like to remind you about TCP connections.
We said before that all TCP connections are established using a 3-way
handshake: SYN, SYN/ACK and finally ACK. And we said that TCP is a
transport protocol responsible for transferring data from one system
to another; it divides the data into pieces and labels them with sequence
numbers so they can be put in the proper order upon delivery.
“My Computer” sends a packet with an Initial Sequence Number or ISN (let’s
call it A) and the SYN flag set to 1.
“My Target” will respond with a packet that has both the SYN and ACK flags
set to 1. The acknowledgment number is the sequence number it got from “My
Computer” plus 1, and it creates another ISN of its own for its responses
(let’s call it B).
“My Computer” will now complete the 3-Way handshake by sending an ACK,
using the ISN of “My Target” and adding 1 to it.
From now on, whenever “My Computer” sends any packet to “My Target”, it
will be based on ISN(A)+1, while whenever “My Target” sends any packet
to “My Computer”, it will be based on ISN(B)+1.
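The exchange described above, as an added example that is not part of the tutorial: the three segments built from the ISNs A and B, plus the check a receiving stack (or a sensor reconstructing sessions) makes that every acknowledgment equals the peer’s sequence number plus one. The segment layout is a modelling assumption, not a real packet format.

```python
# Added example (not from the tutorial): the 3-Way handshake with the ISNs
# A and B from the text, modelled as plain dictionaries, plus the check
# that each ACK equals the peer's sequence number + 1 (wrapping at 32 bits).
MOD = 2 ** 32          # sequence numbers are 32-bit and wrap around

def segment(src, dst, flags, seq, ack=None):
    return {"src": src, "dst": dst, "flags": flags, "seq": seq, "ack": ack}

def three_way_handshake(isn_a, isn_b):
    """Return the three segments "My Computer" (ISN A) and "My Target"
    (ISN B) exchange, exactly as the text describes them."""
    syn = segment("My Computer", "My Target", {"SYN"}, isn_a)
    syn_ack = segment("My Target", "My Computer", {"SYN", "ACK"},
                      isn_b, (isn_a + 1) % MOD)
    ack = segment("My Computer", "My Target", {"ACK"},
                  (isn_a + 1) % MOD, (isn_b + 1) % MOD)
    return [syn, syn_ack, ack]

def valid_handshake(segs):
    """True if the numbers chain correctly: the SYN/ACK must acknowledge
    A + 1, and the final ACK must carry seq A + 1 and acknowledge B + 1."""
    if len(segs) != 3:
        return False
    syn, syn_ack, ack = segs
    return (syn["flags"] == {"SYN"}
            and syn_ack["flags"] == {"SYN", "ACK"}
            and syn_ack["ack"] == (syn["seq"] + 1) % MOD
            and ack["flags"] == {"ACK"}
            and ack["seq"] == (syn["seq"] + 1) % MOD
            and ack["ack"] == (syn_ack["seq"] + 1) % MOD)

if __name__ == "__main__":
    for s in three_way_handshake(isn_a=1000, isn_b=5000):
        print(sorted(s["flags"]), "seq", s["seq"], "ack", s["ack"])
```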
“TCP Connect Scan” or “Plain Vanilla” attempts to complete the whole 3-Way
handshake with each target host.
The attacker sends a SYN to the target; if the target’s port is open and it
responds with a SYN/ACK, then the attacker sends the last ACK and tears
down the connection using a RST.
As we said previously, this scan can be detected easily, because it
generates a huge amount of connections targeting all of the ports on our
target, trying to detect which ports are open.
From “Wireshark”, we can see that the attacker is sending a SYN to different
random ports on our target (the yellow lines), and the target is responding
with a RST if the port is closed (the red lines), while it responds with a
SYN/ACK if the port is open (the green line).
In the “SYN Scan”, the attacker sends a SYN to the target; if the target’s
port is open and it responds with a SYN/ACK, then the attacker immediately
tears down the connection using a RST.
Note – One important thing you have to know here: the scans described next
are not going to work if your target is Windows based.
Remember, in the last article our homework was to read RFC 793. This RFC
indicates that when a port is closed, a RST is sent back, and no response
is sent when the port is open.
Unfortunately, Microsoft doesn’t follow this RFC :) and whenever a Windows
system receives any of these scans, the response is always RST. That’s why
these scans will not work against Windows based systems.
From “Wireshark”, we can see that the attacker is sending a FIN to different
random ports on our target (the white lines), and the target is responding
with a RST if the port is closed (the red lines), while it sends no response
if the port is open or filtered (by a firewall).
Note – if you would like to see that the open|filtered ports didn’t respond,
just add a filter to your Wireshark such as tcp.port==22 (as in our case
here). This will show only the SSH packets, and you will see no responses
from the port (which indicates either open or filtered).
From “Wireshark”, we can see that the attacker is sending a packet with the
FIN, PSH and URG flags all set to different random ports on our target (the
white lines), and the target is responding with a RST if the port is closed
(the red lines), while it sends no response if the port is open or filtered
(by a firewall).
From “Wireshark”, we can see that the attacker is sending a packet with no
flags set (can you see the two empty brackets []) to different random ports
on our target (the white lines), and the target is responding with a RST if
the port is closed (the red lines), while it sends no response if the port
is open or filtered (by a firewall).
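To tie the captures above together, here is an added example (not code from the tutorial) that takes probe/response pairs as an analyst would read them off Wireshark, names the scan from the probe’s flags, and infers the port state by the RFC 793 rules the text describes, including the Windows caveat where every non-SYN probe gets a RST. The record layout and the sample exchanges are constructed for the example.

```python
# Added example (not from the tutorial): read probe/response pairs as they
# appear in Wireshark, name the scan from the probe's flags and infer the
# port state by the RFC 793 rules the text describes. The windows switch
# models the caveat that a Windows stack answers every non-SYN probe with
# RST, so FIN/Xmas/Null results say nothing about the port there.
SCAN_BY_FLAGS = {
    frozenset({"SYN"}): "SYN",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "Xmas",   # FIN, PSH and URG all set
    frozenset(): "Null",                          # no flags at all: []
}

def scan_type(probe_flags):
    return SCAN_BY_FLAGS.get(frozenset(probe_flags), "unknown")

def port_state(probe_flags, response_flags, windows=False):
    """response_flags is None when the target sent nothing back."""
    kind = scan_type(probe_flags)
    got_rst = response_flags is not None and "RST" in response_flags
    if kind == "SYN":                      # Connect and SYN scans alike
        if response_flags and {"SYN", "ACK"} <= set(response_flags):
            return "open"
        return "closed" if got_rst else "filtered"
    if kind in ("FIN", "Xmas", "Null"):
        if windows:
            return "inconclusive"          # RST whether open or closed
        if response_flags is None:
            return "open|filtered"         # silence: open, or a firewall
        return "closed" if got_rst else "unknown"
    return "unknown"

def classify(records, windows=False):
    """records: (dport, probe_flags, response_flags) -> (dport, scan, state)."""
    return [(dport, scan_type(pf), port_state(pf, rf, windows))
            for dport, pf, rf in records]

# Constructed exchanges mirroring the captures the text walks through
SAMPLE = [
    (22, {"SYN"}, {"SYN", "ACK"}),            # SSH answers: open
    (23, {"SYN"}, {"RST", "ACK"}),            # closed port: RST
    (22, {"FIN"}, None),                      # FIN probe, no answer
    (23, {"FIN"}, {"RST", "ACK"}),
    (22, {"FIN", "PSH", "URG"}, None),
    (22, set(), None),
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```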