
Network Basics and Network Security

Unit 9
Network Discovery and IP Network Scanning

Network Discovery & IP Network Scanning
• TCP Header & Handshake
• Tools: Nmap and Zenmap
• Scan types in nmap
• Initial Network scanning using nmap
• Vulnerability Scanning with NSE
• Firewall and IDS evasion and spoofing
• Bulk Vulnerability scanning using nessus

TCP Header Format
TCP Header

Source Port: 16 bits
The source port number.

Destination Port: 16 bits
The destination port number.

Sequence Number: 32 bits
The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.

Acknowledgment Number: 32 bits
If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent.

Data Offset: 4 bits
The number of 32 bit words in the TCP Header. This indicates where the data begins. The TCP header (even one including options) is an integral number of 32 bits long.

Reserved: 6 bits
Reserved for future use. Must be zero.

Control Bits: 6 bits (from left to right):
URG: Urgent Pointer field significant
ACK: Acknowledgment field significant
PSH: Push Function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender

Window: 16 bits
The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.

Checksum: 16 bits
To detect corruption of packets

Urgent Pointer: 16 bits
Don’t wait and send the packet immediately

TCP 3 Way Handshake
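As an added example (not part of the original slides), the following Python decodes the header fields listed above from raw bytes and then checks that three segments form the SYN, SYN-ACK, ACK exchange with the ISN+1 acknowledgments described under Sequence Number. The ports, ISNs and segments are constructed sample input, not captured traffic.

```python
import struct

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header from raw bytes (network byte order)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4        # 4-bit count of 32-bit words, so x4 for bytes
    flags = {name for bit, name in enumerate(FLAG_NAMES) if off_flags & (1 << bit)}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "window": window,
            "checksum": checksum, "urgent_ptr": urg,
            "options": segment[20:data_offset], "payload": segment[data_offset:]}

def build_segment(sport, dport, seq, ack, flags, window=65535):
    """Constructed option-less header (data offset 5) used only to make sample input."""
    bits = sum(1 << FLAG_NAMES.index(f) for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)

def check_handshake(steps):
    """Validate that three parsed headers form SYN, SYN-ACK, ACK with the
    ISN+1 acknowledgments the sequence number description requires."""
    syn, synack, ack = steps
    wrap = lambda n: n & 0xFFFFFFFF                # sequence space is 32 bits
    if syn["flags"] != {"SYN"}:
        return False, "step 1 is not a bare SYN"
    if synack["flags"] != {"SYN", "ACK"}:
        return False, "step 2 is not SYN-ACK"
    if synack["ack"] != wrap(syn["seq"] + 1):
        return False, "SYN-ACK does not acknowledge client ISN+1"
    if ack["flags"] != {"ACK"}:
        return False, "step 3 is not a bare ACK"
    if ack["seq"] != wrap(syn["seq"] + 1) or ack["ack"] != wrap(synack["seq"] + 1):
        return False, "final ACK does not carry ISN+1 on both sides"
    return True, "valid three-way handshake"

# Constructed handshake between a client on port 40000 and a web server on port 80.
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_segment(40000, 80, CLIENT_ISN, 0, {"SYN"}),
    build_segment(80, 40000, SERVER_ISN, CLIENT_ISN + 1, {"SYN", "ACK"}),
    build_segment(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, {"ACK"}),
]

if __name__ == "__main__":
    print(check_handshake([parse_tcp_header(raw) for raw in HANDSHAKE]))
```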

Nmap and ZenMap

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.

Many system and network administrators also find it useful for tasks such as:
● network inventory,
● managing service upgrade schedules, and
● monitoring host or service uptime
SCAN TYPES:

SYN SCAN:
● It works by sending a single TCP SYN packet to each possible port.
● If it gets a SYN ACK packet back, then Nmap knows there is a service running there.
● The SYN scan does not complete the TCP handshake by sending an ACK back to the machine.

TCP CONNECT:
● Completes the TCP handshake.
● Puts more load on the machines being scanned and the network.
● If stealth or bandwidth is not an issue, a Connect scan is sometimes more accurate than the SYN scan.

PING SWEEP:
● If you don’t really care about what services are running and you just want to know which IP addresses are up, this is a lot faster than a full port scan.
● Some machines may be configured not to respond to a ping, but still have services running on them.
● A ping sweep is not as accurate as a full port scan.

UDP SCAN:
● This scan checks to see if there are any UDP ports listening.
● UDP does not respond with a positive acknowledgment like TCP.
● A host only responds to an incoming UDP packet when the port is closed.
● This scan can sometimes show false positives.

FIN SCAN:
● This is a stealthy scan, like the SYN scan.
● Sends a TCP FIN packet.
● Most but not all computers will send a RST packet back if they get this input, so the FIN scan can show false positives and negatives.
● May get under the radar of some IDS programs and other countermeasures.

NULL SCAN:
● Sets all the TCP header flags to off or NULL.
● Not a valid packet.
● Gets unreliable results; Windows systems are in this group.

XMAS SCAN:
● All TCP header flags are set to on.
● Windows machines will not respond to this.

RPC SCAN:
● Looks for machines answering to RPC (Remote Procedure Call) services.
● RPC allows remote commands to be run on the machine under certain conditions.

WINDOW SCAN:
● Relies on an anomaly in the responses to ACK packets in some operating systems to reveal ports that are supposed to be filtered.
● Some operating systems are known to be vulnerable to this kind of scan.

IDLE SCAN:
● Discovers open hosts through a zombie computer.
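Seen from the defending side, the probe types above leave recognisable traces. The following added example (not from the slides) runs simple detection logic over constructed connection-log lines: it flags NULL, FIN and XMAS probes by their flag combinations (both the all-flags-on form described above and the FIN+PSH+URG form) and a SYN scan by one source hitting many distinct ports on a host within a short window. The log format, addresses, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Flag combinations that a legitimate TCP stack never sends as the first packet.
# Keys are the flag letters sorted alphabetically (F S R P A U = FIN SYN RST PSH ACK URG).
PROBE_SIGNATURES = {
    "": "NULL scan probe (no flags set)",
    "F": "FIN scan probe (FIN only)",
    "FPU": "XMAS scan probe (FIN+PSH+URG)",
    "AFPRSU": "XMAS scan probe (all flags set)",
    "FS": "SYN+FIN probe (invalid flag combination)",
}

def parse_line(line: str) -> dict:
    """Constructed log format: 'HH:MM:SS src dst dport flags', flags as letters or '-' for none."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": datetime.strptime(ts, "%H:%M:%S"), "src": src, "dst": dst,
            "dport": int(dport), "flags": "" if flags == "-" else "".join(sorted(flags))}

def detect_scans(lines, port_threshold=10, window=timedelta(seconds=5)):
    """Return alert strings for malformed-flag probes and for SYN sweeps, i.e. one
    source sending bare SYNs to >= port_threshold distinct ports on a host within `window`."""
    alerts, syn_events = [], defaultdict(list)       # (src, dst) -> [(ts, dport), ...]
    for rec in map(parse_line, lines):
        signature = PROBE_SIGNATURES.get(rec["flags"])
        if signature:
            alerts.append(f'{rec["src"]} -> {rec["dst"]}:{rec["dport"]} {signature}')
        elif rec["flags"] == "S":
            syn_events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    for (src, dst), events in syn_events.items():
        events.sort()
        for i, (start, _) in enumerate(events):       # sliding window over the SYNs
            ports = {port for ts, port in events[i:] if ts - start <= window}
            if len(ports) >= port_threshold:
                alerts.append(f"{src} -> {dst} SYN scan: {len(ports)} distinct ports within "
                              f"{window.seconds}s")
                break
    return alerts

# Constructed sample: a normal client on 10.1.1.20 plus a scanner on 10.1.1.50 that sweeps
# ports 20-35 in four seconds and then sends a NULL and an XMAS probe at port 80.
SAMPLE_LOG = (
    ["10:00:00 10.1.1.20 10.1.1.1 443 S", "10:00:02 10.1.1.20 10.1.1.1 443 S"]
    + [f"10:00:{1 + i // 5:02d} 10.1.1.50 10.1.1.1 {20 + i} S" for i in range(16)]
    + ["10:00:05 10.1.1.50 10.1.1.1 80 -", "10:00:06 10.1.1.50 10.1.1.1 80 FPU"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```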

Nmap: Scan IP Address

nmap 10.0.0.1
Scan a single host IP

nmap 192.168.10.0/24
Scan a Class C subnet range

nmap 10.1.1.5-100
Scan the range of IPs between 10.1.1.5 up to 10.1.1.100

nmap -iL hosts.txt
Scan the IP addresses listed in text file “hosts.txt”

nmap 10.1.1.3 10.1.1.6 10.1.1.8
Scan the 3 specified IPs only

nmap www.somedomain.com
First resolve the IP of the domain and then scan its IP address

Nmap: Port Related

nmap -p80 10.1.1.1
Scan only port 80 for specified host

nmap -p20-23 10.1.1.1
Scan ports 20 up to 23 for specified host

nmap -p80,88,8000 10.1.1.1
Scan ports 80,88,8000 only

nmap -p- 10.1.1.1
Scan ALL ports for specified host

nmap -sS -sU -p U:53,T:22 10.1.1.1
Scan ports UDP 53 and TCP 22

nmap -p http,ssh 10.1.1.1
Scan http and ssh ports for specified host

Nmap: Scan Types

nmap -sS 10.1.1.1
TCP SYN Scan (best option)

nmap -sT 10.1.1.1
Full TCP connect scan

nmap -sU 10.1.1.1
Scan UDP ports

nmap -sP 10.1.1.0/24
Do a Ping scan only

nmap -Pn 10.1.1.1
Don’t ping the hosts, assume they are up.

-sS: This sends only a TCP SYN packet and waits for a TCP ACK. If it receives an ACK on the specific probed port, it means the port exists on the machine. This is fast and pretty accurate.

-sT: This creates a full TCP connection with the host (full TCP handshake). This is considered more accurate than the SYN scan but slower and noisier.

-sP: This is for fast checking which hosts reply to ICMP ping packets (useful if you are on the same subnet as the scanned range and want a fast result about how many live hosts are connected).
Nmap: Identify Version & OS

nmap -sV 10.1.1.1
Version detection scan of open ports (services)

nmap -O 10.1.1.1
Identify Operating System version

nmap -A 10.1.1.1
This combines OS detection, service version detection, script scanning and traceroute.
Nmap: Scan Timings

nmap -T0 10.1.1.1   Slowest scan (to avoid IDS)
nmap -T1 10.1.1.1   Sneaky (to avoid IDS)
nmap -T2 10.1.1.1   Polite (10 times slower than T3)
nmap -T3 10.1.1.1   Default scan timer (normal)
nmap -T4 10.1.1.1   Aggressive (fast and fairly accurate)
nmap -T5 10.1.1.1   Very Aggressive (might miss open ports)


Nmap: Output Types

Supports 3 main output formats:

nmap -oN [filename] [IP hosts]
Normal text format

nmap -oG [filename] [IP hosts]
Grepable file (useful to search inside file)

nmap -oX [filename] [IP hosts]
XML file

nmap -oA [filename] [IP hosts]
Output in all 3 formats supported
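As an added example that is not part of the slides, the Python below reads a document in the -oX layout, lists the services reported open, and compares them with an approved baseline, which is how a defender turns a scan of their own range into an inventory check. The XML content, addresses and the baseline are constructed, not output of a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed document in the layout nmap -oX writes (not a real scan result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.1.1.0/24" version="7.94">
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.1.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/>
        <service name="domain"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.1.1.2" addrtype="ipv4"/></host>
</nmaprun>"""

def open_ports(xml_text: str) -> list:
    """Return (host, protocol, port, service, product+version) for every port whose
    state is exactly 'open'; the ambiguous UDP 'open|filtered' verdict is left out."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue                                   # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            banner = " ".join(p for p in parts if p)
            found.append((addr, port.get("protocol"), int(port.get("portid")), name, banner))
    return found

# Constructed baseline of services that are approved to be exposed on this segment.
APPROVED = {("10.1.1.1", "tcp", 22)}

def drift(found, approved=APPROVED):
    """Open services absent from the approved baseline: the inventory changes to review."""
    return sorted({(host, proto, port) for host, proto, port, *_ in found} - set(approved))

if __name__ == "__main__":
    services = open_ports(SAMPLE_XML)
    print("open:", services)
    print("not in baseline:", drift(services))
```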
Nmap: NSE Scripts

There are hundreds of included scripts that you can use with nmap to scan for all sorts of vulnerabilities such as:
- brute force login to services
- check for well-known weaknesses on services etc.

nmap --script="name of script" 10.1.1.0/24
Run the specified script towards the targets.

nmap --script="name of script" --script-args="argument=arg" 10.1.1.0/24
Run the script with the specified arguments.

nmap --script-updatedb
Update script database

Example:
To detect the heartbleed vulnerability
nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

To find vulnerabilities and produce relevant CVE information
nmap --script vulscan,nmap-vulners -sV <target>

Locate nmap scripts:
locate *.nse

To get help on a script
nmap --script-help <nse script>

NSE SCRIPT CATEGORIES

auth
NSE scripts related to user authentication.

broadcast
A very interesting category of scripts that use broadcast petitions to gather network information.

brute
A category for scripts that help conduct brute-force password auditing.

default
Scripts executed when a script scan is executed (-sC).

discovery
Scripts related to host and service discovery.

dos
Scripts related to denial-of-service attacks.

exploit
Scripts used to exploit security vulnerabilities.

external
This category is for scripts depending on a third-party service.

fuzzer
NSE scripts focused on fuzzing.

intrusive
A category for scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive go here.

malware
A category for scripts related to malware detection.

safe
Scripts that are considered safe in all situations.

version
Scripts for advanced version detection.

vuln
Scripts related to detecting and exploiting security vulnerabilities.
Firewall/ IDS Evasion

-f (fragment packets); --mtu (using the specified MTU)
● The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets.
● Some programs have trouble handling these tiny packets.
● The Nmap Scripting Engine generally doesn't support fragmentation.

-D <decoy1>[,<decoy2>][,....][,...] (Cloak a scan with decoys)
● Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
● Their IDS might report 5–10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys.

-S <IP_Address> (Spoof source address)
● Spoofs the scan to make the targets think that someone else is scanning them.

--source-port <portnumber>; -g <portnumber> (Spoof source port number)
● One surprisingly common misconfiguration is to trust traffic based only on the source port number.

--data-string <string> (Append custom string to sent packets)
Ex:
--data-string "Scan conducted by Lucideus Security, extension 7192"

--data-length <number> (Append random data to sent packets)
● TCP packets are generally 40 bytes and ICMP echo requests are just 28.
● Some UDP ports and IP protocols get a custom payload by default.
● This option tells Nmap to append the given number of random bytes to most of the packets it sends, and not to use any protocol-specific payloads.
● Slows things down a little, but can make a scan slightly less conspicuous.

--ttl <value> (Set IP time-to-live field)
Sets the IPv4 time-to-live field in sent packets to the given value.

--randomize-hosts (Randomize target host order)
● Tells Nmap to shuffle each group of up to 16384 hosts before it scans them.
● This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options.

--proxies <Comma-separated list of proxy URLs> (Relay TCP connections through a chain of proxies)
● Asks Nmap to establish TCP connections with a final target through the supplied chain of one or more proxies.

--badsum (Send packets with bogus TCP/UDP checksums)
● Asks Nmap to use an invalid TCP, UDP or SCTP checksum for packets sent to target hosts.
● Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or IDS that didn't bother to verify the checksum.
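The last point is exactly what a sensor should get right: verify the checksum before reacting to a packet. As an added example (not from the slides), this Python recomputes the TCP checksum over the IPv4 pseudo-header and the segment, then shows a correctly summed SYN being accepted and a copy with a corrupted checksum being rejected. The addresses and the segment are constructed sample input.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Add 16-bit big-endian words with end-around carry (RFC 1071 arithmetic)."""
    if len(data) % 2:
        data += b"\x00"                              # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length)
    followed by the TCP header and data with the checksum field set to zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return 0xFFFF ^ ones_complement_sum(pseudo + zeroed)

def checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True when the checksum carried in header bytes 16-17 matches the recomputed one.
    A sensor that alerts on packets failing this check is reacting to traffic the
    target's own IP stack would silently discard."""
    carried = struct.unpack("!H", segment[16:18])[0]
    return carried == tcp_checksum(src_ip, dst_ip, segment)

def build_syn(sport: int, dport: int, seq: int, src_ip: str, dst_ip: str) -> bytes:
    """Constructed option-less SYN segment with a correct checksum, for sample input only."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]

SRC, DST = "10.1.1.50", "10.1.1.1"                     # constructed addresses
GOOD = build_syn(40000, 80, 1000, SRC, DST)
# The same segment with its checksum corrupted: what a bogus-checksum probe looks like on the wire.
BAD = GOOD[:16] + bytes([GOOD[16] ^ 0xFF, GOOD[17]]) + GOOD[18:]

if __name__ == "__main__":
    print("good segment valid:", checksum_valid(SRC, DST, GOOD))
    print("bad-checksum segment valid:", checksum_valid(SRC, DST, BAD))
```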
Nessus

Nessus works by:
1. Testing each port on a computer
2. Determining what service it is running
3. Testing this service to make sure there are no vulnerabilities in it that could be used by a hacker to carry out a malicious attack.

Nessus Scanner
/etc/init.d/nessusd start