CEH Module 03

Module Objectives
- Overview of Network Scanning
- Understanding different techniques to check for Live Systems
- Understanding different techniques to check for Open Ports
- Understanding various Scanning Techniques
- Understanding various IDS Evasion Techniques
- Understanding Banner Grabbing
- Overview of Vulnerability Scanning
- Drawing Network Diagrams
- Using Proxies and Anonymizers for Attack
- Understanding IP Spoofing and various Detection Techniques
- Overview of Scanning Pen Testing

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Overview of Network Scanning
- Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network.
- Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.
- Network scanning process: the attacker sends probes to the target network and records the responses.

TCP Communication Flags
Standard TCP communications are controlled by flags in the TCP packet header:
- SYN (Synchronize): initiates a connection between hosts
- ACK (Acknowledgement): acknowledges the receipt of a packet
- PSH (Push): sends all buffered data immediately
- URG (Urgent): data contained in the packet should be processed immediately
- FIN (Finish): there will be no more transmissions
- RST (Reset): resets a connection

TCP Session Establishment (Three-way Handshake)
The client sends SYN, the server answers with SYN/ACK, and the client completes the handshake with ACK.

TCP Session Termination
Each side closes its direction of the session with FIN, which the peer acknowledges with ACK.

Creating Custom Packets Using TCP Flags
Packet builder tools from Colasoft (http://www.colasoft.com) let you craft packets with arbitrary TCP flags set.

CEH Scanning Methodology
- Check for Live Systems
- Check for Open Ports
- Scanning Beyond IDS
- Banner Grabbing
- Scan for Vulnerability
- Draw Network Diagrams
- Prepare Proxies
- Scanning Pen Testing

Checking for Live Systems: ICMP Scanning
- Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
- This scan is useful for locating active devices or determining if ICMP is passing through a firewall.
- Ping scan output can be produced with Nmap (http://nmap.org).

Ping Sweep
- Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.
- Attackers calculate subnet masks using subnet mask calculators to identify the number of hosts present in the subnet.
- Attackers then use ping sweep to create an inventory of live systems in the subnet.

Ping Sweep Tools
Colasoft Ping Tool, Advanced IP Scanner, Visual Ping Tester - Standard, Ping Sweep, Ping Scanner Pro, Network Ping, OpUtils, Ping Monitor, Pinkie, PingInfoView.

Scanning in IPv6 Networks
- The search space provided by IPv6 in a single subnet is 64 bits of host address space, or 2^64 addresses.
- Scanning in an IPv6 network is more difficult and complex than in IPv4.
- Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from:" and other header lines in archived email or Usenet news messages.
- Scanning an IPv6 network does, however, expose a large number of hosts in a subnet if an attacker can compromise one host in that subnet and probe from it.

Hping2 / Hping3
- Command-line tool for the TCP/IP protocol.
- It can be used for security testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, etc.
- Examples in the module: ICMP scanning and ACK scanning on port 80.
Scanning Techniques

TCP Connect / Full Open Scan
- TCP Connect scan detects when a port is open by completing the three-way handshake.
- TCP Connect scan establishes a full connection and tears it down by sending a RST packet.
- It does not require super-user privileges.

Stealth Scan (Half-open Scan)
- Stealth scan involves resetting the TCP connection between client and server abruptly before completion of the three-way handshake signals, making the connection half open.
- Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves as usual network traffic.
- Stealth scan process: the client sends a single SYN packet to the server on the appropriate port. If the port is open, the server responds with a SYN/ACK packet. If the server responds with an RST packet, the remote port is in the "closed" state. The client sends an RST packet to close the initiation before a connection can ever be established.

Inverse TCP Flag Scanning
- Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set, or with no flag set. No response means the port is open; an RST reply means the port is closed.
- Note: Inverse TCP flag scanning is known as FIN, URG, PSH scanning based on the flag set in the probe packet. It is known as null scanning if there is no flag set.

Xmas Scan
- In Xmas scan, attackers send a TCP frame to a remote device with FIN, URG, and PUSH flags set.
- If the port is open there is no response; if the port is closed the target answers with RST.
- FIN scan works only with OSes with a standards-based TCP/IP implementation; it will not work against any current version of Microsoft Windows.

ACK Flag Probe Scanning
- Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW fields) of the received RST packets to find whether the port is open or closed.
- TTL-based ACK flag probe scanning: if the TTL value of the RST packet on a particular port is less than the boundary value of 64, then that port is open.
- WINDOW-based ACK flag probe scanning: if the WINDOW value of the RST packet on a particular port has a non-zero value, then that port is open.
- Checking the filtering system: ACK flag probe scanning can also be used to check the filtering system of the target. Attackers send an ACK probe packet with a random sequence number; no response means the port is filtered (a stateful firewall is present), and an RST response means the port is not filtered.

IDLE / IPID Header Scan
- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers. A port is considered "open" if an application is listening on the port; otherwise it is closed.
- One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed.
- A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored.
- Every IP packet on the Internet has a fragment identification number (IPID), which increases every time a host sends an IP packet. Since many OSes increment the IPID for each packet sent, probing an IPID gives an attacker the number of packets sent since the last probe.
- Step 1: Send a SYN+ACK packet to the zombie machine to probe its IPID number. A zombie not expecting a SYN+ACK packet will send an RST packet, disclosing its IPID (response: RST packet, IPID=31337).
- Step 2: Send a SYN packet to the target machine (port 80), spoofing the IP address of the "zombie". If the port is open, the target will send a SYN+ACK packet to the zombie, and in response the zombie sends RST to the target. If the port is closed, the target will send RST to the "zombie", but the zombie will not send anything back.
- Step 3: Probe the "zombie" IPID again (response: RST packet, IPID=31339). The IPID has incremented by 2 since Step 1, so port 80 must be open.

UDP Scanning
- There is no three-way TCP handshake for a UDP scan.
- The system does not respond with a message when the port is open.
- If a UDP packet is sent to a closed port, the system responds with an ICMP port unreachable message.
- Spyware, Trojan horses, and other malicious applications use UDP ports.

ICMP Echo Scanning and List Scan
- ICMP echo scanning is not really port scanning, since ICMP does not have a port abstraction. But it is sometimes useful to determine which hosts in a network are up by pinging them all, for example: nmap -P cert.org/24 152.148.0.0/16
- List scan simply generates and prints a list of IPs/names without actually pinging them. A reverse DNS resolution is carried out to identify the host names.

Scanning Tool: NetScan Tools Pro
- NetScan Tools Pro assists in troubleshooting, diagnosing, monitoring and discovering devices on the network.
- It lists IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or with manual tools.

Scanning Tools
SuperScan, PRTG Network Monitor, Net Tools, IP-Tools, MegaPing, Network Inventory Explorer, Global Network Inventory Scanner, SoftPerfect Network Scanner, Advanced Port Scanner, CurrPorts.

Scanning Tools for Mobile
Umit Network Scanner, Fing, IP Network Scanner.

Scanning Countermeasures
- Configure firewall and IDS rules to detect and block probes.
- Run port scanning tools against hosts on the network to determine whether the firewall properly detects the port scanning activity.
- Ensure that the mechanisms used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using particular source ports or source-routing methods.
- Ensure that the router, IDS, and firewall firmware are updated to their latest releases.
- Use a custom rule set to lock down the network and block unwanted ports at the firewall.
- Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers.
- Perform TCP and UDP scanning along with ICMP probes against your organization's IP address space to check the network configuration and its available ports.
- Ensure that the anti-scanning and anti-spoofing rules are configured.
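The probe signatures catalogued above (null, FIN/URG/PSH, Xmas, SYN and ACK probes, ICMP echo sweeps) are what the countermeasure "configure firewall and IDS rules to detect and block probes" has to recognise. The Python script below is an added example, not code from the module or from any tool it lists: it classifies constructed packet records by TCP flag pattern, reports null, Xmas and inverse-flag probes individually (no legitimate session starts that way), and reports SYN/ACK probes and ICMP echo requests only once one source has touched enough distinct ports or hosts. The record layout, the sample packets, and the thresholds are assumptions made for this example.

```python
"""Classify TCP probe flag patterns and flag scans in packet records.

Added example, not part of the original module. Each record is a constructed
tuple (timestamp, protocol, src, dst, dst_port, tcp_flags); tcp_flags uses
tcpdump-style letters S=SYN A=ACK F=FIN P=PSH U=URG R=RST, "" = no flags set.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[float, str, str, str, int, str]

# Constructed sample traffic: 10.0.0.8 sweeps four addresses with ICMP echo,
# SYN-probes five ports on 10.0.0.23, then sends an Xmas and a null probe;
# 10.0.0.50 is an ordinary client starting a connection to port 443.
SAMPLE_PACKETS: List[Record] = [
    (1.00, "icmp", "10.0.0.8", "10.0.0.1", 0, ""),
    (1.01, "icmp", "10.0.0.8", "10.0.0.2", 0, ""),
    (1.02, "icmp", "10.0.0.8", "10.0.0.3", 0, ""),
    (1.03, "icmp", "10.0.0.8", "10.0.0.4", 0, ""),
    (2.00, "tcp", "10.0.0.8", "10.0.0.23", 22, "S"),
    (2.01, "tcp", "10.0.0.8", "10.0.0.23", 80, "S"),
    (2.02, "tcp", "10.0.0.8", "10.0.0.23", 443, "S"),
    (2.03, "tcp", "10.0.0.8", "10.0.0.23", 445, "S"),
    (2.04, "tcp", "10.0.0.8", "10.0.0.23", 3389, "S"),
    (3.00, "tcp", "10.0.0.8", "10.0.0.23", 80, "FPU"),
    (3.01, "tcp", "10.0.0.8", "10.0.0.23", 25, ""),
    (5.00, "tcp", "10.0.0.50", "10.0.0.23", 443, "S"),
    (5.10, "tcp", "10.0.0.50", "10.0.0.23", 443, "A"),
]


def classify_tcp_probe(flags: str) -> str:
    """Map a TCP flag combination to the scan technique it matches."""
    f = set(flags)
    if not f:
        return "null-scan"          # no flags at all: NULL scan
    if f == {"F", "P", "U"}:
        return "xmas-scan"          # FIN+URG+PSH together: Xmas scan
    if f <= {"F", "P", "U"}:
        return "inverse-flag-scan"  # FIN, URG or PSH probe with no SYN
    if f == {"S"}:
        return "syn"                # half-open/connect scan, or a real connection start
    if f == {"A"}:
        return "ack-probe"          # ACK flag probe, or a mid-stream ACK
    return "other"


def detect_scans(packets: List[Record], sweep_threshold: int = 3,
                 port_threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Return (source, alert_kind, detail) alerts for the given records.

    Null, Xmas and inverse-flag packets never start a legitimate session, so
    each one is reported on its own. SYN and ACK packets are suspicious only
    in volume: one source touching port_threshold distinct ports on one host,
    or sending ICMP echo to sweep_threshold distinct hosts, is reported once.
    """
    icmp_targets: Dict[str, Set[str]] = defaultdict(set)
    probed_ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    alerts: List[Tuple[str, str, str]] = []
    for _ts, proto, src, dst, dport, flags in packets:
        if proto == "icmp":
            icmp_targets[src].add(dst)
            continue
        kind = classify_tcp_probe(flags)
        if kind in ("null-scan", "xmas-scan", "inverse-flag-scan"):
            alerts.append((src, kind, f"{dst}:{dport}"))
        elif kind in ("syn", "ack-probe"):
            probed_ports[(src, dst)].add(dport)
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_threshold:
            alerts.append((src, "ping-sweep", f"{len(hosts)} hosts"))
    for (src, dst), ports in probed_ports.items():
        if len(ports) >= port_threshold:
            alerts.append((src, "port-scan", f"{dst} {len(ports)} ports"))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_PACKETS):
        print(alert)
```

Running the script on the sample produces four alerts for 10.0.0.8 (Xmas probe, null probe, ping sweep of 4 hosts, port scan of 5 ports) and none for 10.0.0.50, whose SYN and ACK both go to the same port. A lone SYN or ACK is indistinguishable from normal traffic, which is why those two classes are thresholded rather than reported per packet.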
IDS Evasion Techniques
- Use fragmented IP packets.
- Spoof your IP address when launching attacks and sniff responses from the server.
- Use source routing (if possible).
- Connect to proxy servers or compromised trojaned machines to launch attacks.

SYN/FIN Scanning Using IP Fragments
- It is not a new scanning method but a modification of the earlier methods.
- The TCP header is split into several packets so that the packet filters are not able to detect what the packets intend to do.
- Nmap output shown on the slide:
  Scanning 192.168.168.5 [1000 ports]
  Discovered open port 445/tcp on 192.168.168.5

Banner Grabbing
- Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system.
- There are two types of banner grabbing: active and passive.
- Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on the system to further carry out additional attacks.

Active Banner Grabbing
- Specially crafted packets are sent to the remote OS and the responses are noted.
- The responses are then compared with a database to determine the OS.
- Responses from different OSes vary due to differences in TCP/IP stack implementation.

Passive Banner Grabbing
- Banner grabbing from error messages: error messages provide information such as the type of server, the type of OS, and the SSL tool used by the target remote system.
- Sniffing the network traffic: capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.
- Banner grabbing from page extensions: looking for an extension in the URL may assist in determining the application version. Example: .aspx => IIS server and Windows platform.

Banner Grabbing Tool: ID Serve
- ID Serve is used to identify the make, model, and version of any web site's server software.
- It is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
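The passive banner grabbing sources just listed (the Server header, error pages that echo the server software, and page extensions such as .aspx) can be turned around into a check on your own servers. The Python script below is an added example, not code from the module or from ID Serve; it parses constructed HTTP responses, lists every header or error-page fragment that discloses software or version, and reports what a URL's extension alone gives away. The sample responses, the list of disclosing headers, the placeholder version numbers, and the extension table beyond the slide's .aspx example are assumptions made for this example.

```python
"""Audit HTTP responses and URLs for the banner leaks passive grabbing relies on.

Added example, not code from the original module or from ID Serve/Netcraft.
The responses below are constructed; the Server value mirrors the banner on
the module's telnet slide, and "0.0.0" stands in for a real version number.
"""
import re
from typing import Dict, List, Optional, Tuple

LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 0.0.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>The resource cannot be found.</body></html>"
)
ERROR_PAGE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/0.0.0 (Example OS) Server at www.example.test</address>"
    "</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Not found.</body></html>"
)

# Headers that commonly carry product or version strings (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")
# Server software echoed into an error page body, e.g. "Apache/2.4.0 (Ubuntu)".
BODY_BANNER_RE = re.compile(r"(?:Apache|nginx|Microsoft-IIS)/[\d.]+(?: \([^)]*\))?")

# The first entry is the slide's own example; the rest are assumed hints.
EXTENSION_HINTS = {
    ".aspx": "IIS server and Windows platform",
    ".asp": "IIS server and Windows platform",
    ".php": "PHP application",
    ".jsp": "Java servlet container",
}


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP response into status line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: str) -> List[str]:
    """List every place the response reveals server software, version or OS."""
    _status, headers, body = parse_response(raw)
    findings: List[str] = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            what = "version" if VERSION_RE.search(value) else "product"
            findings.append(f"{name} header discloses {what}: {value}")
    match = BODY_BANNER_RE.search(body)
    if match:
        findings.append(f"error page body discloses {match.group(0)}")
    return findings


def extension_hint(url: str) -> Optional[str]:
    """What the page extension alone suggests about the platform, or None."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    for ext, hint in EXTENSION_HINTS.items():
        if path.endswith(ext):
            return hint
    return None


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("error page", ERROR_PAGE_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
    print(extension_hint("http://www.example.test/login.aspx?user=1"))
```

The hardened response yields no findings because it sends neither a Server header nor a body that names the software, which is the end state the "disabling or changing banner" countermeasures aim for. The error-page case shows why a product-only Server header is not enough on its own: the default error page still leaks the full version and OS string.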
Banner Grabbing Tool: Netcraft
- Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site.

Banner Grabbing Tools (Cont'd)
- Telnet: this utility connects to a remote host using the TCP/IP protocol. Send an HTTP request and press [Enter] twice; the response header reveals the server software, for example Microsoft-IIS/6.0.
- The same technique probes HTTP servers to determine the Server field in the HTTP response header.

Banner Grabbing Countermeasures: Disabling or Changing Banner
- Display false banners to misguide attackers.
- Use tools from Port80 Software (http://www.port80software.com) to disable or change banner information.
- Edit the web server's configuration file to change the banner information.

Banner Grabbing Countermeasures: Hiding File Extensions from Web Pages
- Hide file extensions to mask the web technology that an attacker can otherwise identify.
- Apache users can use configuration directives for this; IIS users use tools such as PageXchanger to manage the file extensions.
- It is even better if file extensions are not used at all.

Vulnerability Scanning
- Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited:
  - Network vulnerabilities
  - Open ports and running services
  - Application and services configuration errors
  - Application and services vulnerabilities

Vulnerability Scanning Tool: Nessus
- Nessus (http://www.tenable.com) is the vulnerability and configuration assessment product.
- Features: agentless auditing, compliance checks, content audits, customized reporting, high-speed vulnerability discovery, in-depth assessments, mobile device audits, patch management integration, scan policy design and execution.

Vulnerability Scanning Tool: GFI LanGuard (http://www.gfi.com)
- Selectively creates custom vulnerability checks.
- Identifies security vulnerabilities and takes remedial action.
- Creates different types of scans and vulnerability tests.
- Helps ensure third-party security applications offer optimum protection.
- Performs network device vulnerability checks.

Vulnerability Scanning Tools
Qualys, Retina CS, Core Impact Professional, MBSA, Shadow Security Scanner, Nsauditor Network Security Auditor, OpenVAS, Security Manager Plus, Nexpose, SAINT, Security Auditor's Research Assistant (SARA).

Vulnerability Scanning Tools for Mobile
Retina CS for Mobile, SecurityMetrics MobileScan, Nessus Vulnerability Scanner.

Drawing Network Diagrams
- Drawing the target's network diagram gives valuable information about the network and its architecture to an attacker.
- A network diagram shows the logical or physical path to a potential target.

Network Discovery Tool: Network Topology Mapper
- Network Topology Mapper (http://www.solarwinds.com) discovers a network and produces a comprehensive network diagram.

Network Discovery Tools: OpManager and NetworkView
- OpManager is network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, etc.
- NetworkView is a network discovery and management tool for Windows. It discovers TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and WMI.

Network Discovery Tools
The Dude, LANState, Friendly Pinger, Ipsonar, WhatsConnected, Switch Center Enterprise, InterMapper, NetMapper, NetBrain Enterprise Suite, Spiceworks Network Mapper.

Network Discovery Tools for Mobile
- Net Master: LAN Scan, Speed Test, Geotrace, Port Scan.
- Network "Swiss-Army-Knife": IPv4 Subnet Calculator, Domain to IP Lookup, Deep Whois Lookup, IANA Port Number Lookup, IANA TLD Lookup, My Device WiFi IP Addr.

Prepare Proxies
- A proxy server is an application that can serve as an intermediary for connecting with other computers.

Why Attackers Use Proxy Servers
- To hide the source IP address so that they can hack without any legal corollary.
- To mask the actual source of the attack by impersonating a fake source address of the proxy.
- To remotely access intranets and other website resources that are normally off limits.
- To intercept all the requests sent by a user and transmit them to a third destination, hence victims will only be able to identify the proxy server address.
- Attackers chain multiple proxy servers to avoid detection.

Proxy Chaining
- The proxy client at the user's system connects to a proxy server and passes the request to it.
- Each proxy server in the chain passes the request on to the next proxy server.
- At the end, the request is passed to the web server.

Proxy Tool: Proxy Switcher
- Proxy Switcher hides your IP address from the websites you visit.

Proxy Tool: Proxy Workbench
- Proxy Workbench is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram.

Proxy Tools: Tor and CyberGhost
- Tor (https://www.torproject.org) allows you to protect your privacy and defend yourself against network surveillance and traffic analysis.
- CyberGhost (http://www.cyberghostvpn.com) allows you to protect your online privacy, surf anonymously, and access blocked or censored content. It hides your IP and replaces it with one of your choice, allowing you to surf anonymously.

Proxy Tools
SocksChain, Burp Suite, Proxifier, Proxy Tool Windows App, Charles, Fiddler, Proxy It, Protoport Proxy Chain, ProxyCap, CCProxy.

Proxy Tools for Mobile
Proxy Browser for Android, ProxyDroid, NetShade.

Free Proxy Servers
- A search in Google lists thousands of free proxy servers.

Introduction to Anonymizers
- Censorship circumvention tool: Tails (https://tails.boum.org) is a live operating system that a user can start on any computer from a DVD, USB stick, or SD card. It aims at preserving privacy and anonymity and helps you to use the Internet anonymously and circumvent censorship, leave no trace on the computer, and use state-of-the-art cryptographic tools to encrypt files, emails and instant messaging.
- G-Zapper (http://www.dummysoftware.com): Google sets a cookie on the user's system with a unique identifier that enables it to track the user's web activities, such as search keywords and habits, search results, and websites visited. Information from Google cookies can be used as evidence in a court of law.

Anonymizers
Proxify, Psiphon, Anonymous Web Surfing Tool, Hide Your IP Address, Anonymizer Universal, Guardster, Spotflux, Ultrasurf, Head Proxy, Hope Proxy.

Anonymizers for Mobile
Orbot, Psiphon, OpenDoor.

Spoofing IP Address
- IP spoofing refers to changing source IP addresses so that the attack appears to be coming from someone else.
- When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address.
- IP spoofing using Hping2: hping2 www.certifiedhacker.com with a spoofed source address in place of the real address.
- Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.
IP Spoofing Detection Techniques: Direct TTL Probes
- Send a packet to the host of the suspect spoofed packet that triggers a reply, and compare the TTL with the suspect packet; if the TTL in the reply is not the same as the packet being checked, it is a spoofed packet.
- This technique is successful when the attacker is in a different subnet from the victim.
- Slide example: the attacker (spoofed address 10.0.0.5) sends a packet with spoofed source 10.0.0.5 and TTL 13; the reply from the real 10.0.0.5 carries a different TTL.
- Note: Normal traffic from one host can vary TTLs depending on traffic patterns.

IP Spoofing Detection Techniques: IP Identification Number
- Send a probe to the host of the suspect spoofed traffic that triggers a reply, and compare the IP ID with the suspect traffic.
- If the IP IDs are not near the value of the packet being checked, the suspect traffic is spoofed.
- This technique is successful even if the attacker is in the same subnet.

IP Spoofing Detection Techniques: TCP Flow Control Method
- Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets.
- Attackers cannot therefore be responsive to changes in the congestion window size.
- When received traffic continues after a window size is exhausted, most probably the packets are spoofed.

IP Spoofing Countermeasures
- Encrypt all network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS.
- Use multiple firewalls providing multi-layered depth of protection.
- Do not rely on IP-based authentication.
- Use random initial sequence numbers to prevent IP spoofing attacks based on sequence number spoofing.
- Ingress filtering: use routers and firewalls at your network perimeter to filter incoming packets that appear to come from an internal IP address.
- Egress filtering: filter all outgoing packets with an invalid local IP address as source address.

Scanning Pen Testing
- Pen testing a network for scanning vulnerabilities determines the network's security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt.
- The penetration testing report will help system administrators disable unnecessary services, customize banners, and calibrate firewall rules.
1. Check for live hosts using tools such as Nmap, Angry IP Scanner, SolarWinds Engineer's Toolset, Colasoft Ping Tool, etc.
2. Check for open ports using tools such as Nmap, NetScan Tools Pro, SuperScan, PRTG Network Monitor, Net Tools, etc.
3. Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, etc.
4. Scan for vulnerabilities using tools such as Nessus, GFI LanGuard, SAINT, Core Impact Professional, Retina CS Management, MBSA, etc.
5. Draw network diagrams of the vulnerable hosts using tools such as Network Topology Mapper, OpManager, NetworkView, The Dude, Friendly Pinger, etc.
6. Prepare proxies using tools such as Proxy Workbench, Proxifier, Proxy Switcher, SocksChain, Tor, etc.
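The three IP spoofing detection techniques described above (direct TTL probe, IP identification number comparison, and the TCP flow-control test) can be expressed as small checks over packet fields. The Python script below is an added example, not code from the module; it applies each test to constructed packets, including the 16-bit wrap-around of the IP ID counter and a tolerance for the TTL variation the slide notes. The packet values, the IP ID window, and the assumption that the host uses a single incrementing IP ID counter are assumptions made for this example.

```python
"""Apply the TTL, IP ID and TCP flow-control spoofing tests to packet fields.

Added example, not code from the original module. All packet values below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

IP_ID_MODULUS = 65536  # the IP identification field is 16 bits wide


@dataclass
class Packet:
    src: str    # source address the packet claims
    ttl: int    # IP time-to-live as seen on arrival
    ip_id: int  # IP identification field


# Constructed samples. SUSPECT claims to be 10.0.0.5; REPLY_FROM_REAL_HOST is
# the answer our own probe of 10.0.0.5 produced, so it carries the real host's
# TTL and current IP ID. GENUINE is traffic that really came from 10.0.0.5.
SUSPECT = Packet("10.0.0.5", ttl=13, ip_id=2258)
REPLY_FROM_REAL_HOST = Packet("10.0.0.5", ttl=64, ip_id=31337)
GENUINE = Packet("10.0.0.5", ttl=64, ip_id=31334)


def ttl_indicates_spoof(suspect: Packet, reply: Packet, tolerance: int = 0) -> bool:
    """Direct TTL probe: the reply's TTL should match the suspect's.

    Only meaningful when the spoofer sits in a different subnet from the real
    host, so the hop counts differ; tolerance > 0 allows for the TTL variation
    normal traffic from one host can show.
    """
    return abs(suspect.ttl - reply.ttl) > tolerance


def ip_id_indicates_spoof(suspect: Packet, reply: Packet, window: int = 100) -> bool:
    """IP identification test: the reply's IP ID should be near the suspect's.

    Distance is taken modulo 2^16 so a counter that just wrapped still counts
    as near. Assumes the host uses a single incrementing IP ID counter (an
    assumption; hosts that randomise the IP ID defeat this test).
    """
    forward = (reply.ip_id - suspect.ip_id) % IP_ID_MODULUS
    distance = min(forward, IP_ID_MODULUS - forward)
    return distance > window


def flow_control_indicates_spoof(advertised_window: int, segment_sizes: List[int]) -> bool:
    """TCP flow-control test: a real peer stops once our receive window is used up.

    A spoofer never sees our SYN-ACK or window advertisements, so its traffic
    keeps arriving after the advertised window is exhausted.
    """
    return sum(segment_sizes) > advertised_window


def assess(suspect: Packet, reply: Packet, advertised_window: int,
           segment_sizes: List[int]) -> Dict[str, bool]:
    """Run all three tests; True means that test points to spoofing."""
    return {
        "ttl": ttl_indicates_spoof(suspect, reply),
        "ip_id": ip_id_indicates_spoof(suspect, reply),
        "flow_control": flow_control_indicates_spoof(advertised_window, segment_sizes),
    }


if __name__ == "__main__":
    print("suspect:", assess(SUSPECT, REPLY_FROM_REAL_HOST, 4096, [1460, 1460, 1460]))
    print("genuine:", assess(GENUINE, REPLY_FROM_REAL_HOST, 4096, [1460, 1460]))
```

For the constructed suspect all three tests agree (TTL 13 against 64, IP ID far from the real host's counter, 4380 bytes sent into a 4096-byte window), while the genuine packet passes all three. In practice the TTL test alone is weak, as the slide's note says, so the IP ID and flow-control results are the ones to weight when the two hosts may share a subnet.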
7. Document all the findings.

Module Summary
- The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network.
- An attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts.
- Attackers use various scanning techniques to bypass firewall rules and logging mechanisms, and hide themselves as usual network traffic.
- Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system.
- Drawing the target's network diagram gives valuable information about the network and its architecture to an attacker.
- A proxy server is an application that can serve as an intermediary for connecting with other computers.
- A chain of proxies can be created to evade a traceback to the attacker.
