Lab02 - Network Scanning PDF

Title Lab02 - Network Scanning
Author Nishit Patel
Course IT security
Institution Algonquin College
Pages 6
File Size 226.2 KB
File Type PDF

CST8230

Lab #2

Network Scanning

Corrector

Q1.

What kind of information did the nmap scan results show you, specifically? Marks are based on a decent explanation of everything the Nmap -sP scan displays; just a screen capture or a copy of the Nmap result is not good enough. E.g.: version of Nmap; date/time of the scan request; whether the host is up; latency of the scan; ports found open or closed/filtered (state) and the service associated with open ports; MAC address of the scanned system; Nmap result.

Q2.

So what, exactly, does the -sn option do? Basically it means “skip the port scan phase”, i.e. do a host scan only. This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan.

Q3.

Was the result the same? If not, what’s different? Same info as Q1, plus the number of ports scanned and whether ports are open or closed. However, only the known and common service ports were scanned.

Q4.

Was the result the same as Q3? Explain why. And, no, timestamp differences don’t count. No, this time it scanned all 65535 ports, but the rest of the info is the same. Nmap normally only scans the known and common service ports unless a port range is specified.

Q5.

Are there differences in the results between the two above commands? Explain why. No, since the -sS (SYN Stealth) scan is the default mode for Nmap if no other scan options are specified. However, the scan may seem faster to return results.

Q6.

What kind of new information did the results show you? Device type, O/S running on the target system (if in the DB), O/S details (if any) and network distance in hops. Works with both -O and -A, with slightly different depth of results… depending on the O/S, one might work better than the other, so it is not a bad idea to use both to confirm findings.

Q7.

What do each of the -oN, -oX, -oG and -oS command options do? -oN outputs a human-readable log; -oX outputs an XML log; -oG outputs a grepable log; -oS outputs “script kiddie” output.
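Of the four formats, -oG is the one meant for scripting: one line per host, with tab-separated fields and a Ports field whose entries are port/state/protocol/owner/service/rpc info/version separated by slashes. The parser below is an added example, not part of the lab or its answer key; the -oG text it reads is a constructed sample (the host, port states and service names are made up for illustration), and parse_grepable / open_ports are names chosen here.

```python
import re

# Constructed sample of Nmap's grepable (-oG) output, modelled on the lab's target IP.
# It is not a real scan result; states and service names are illustrative only.
SAMPLE_OG = """# Nmap scan initiated (constructed sample) as: nmap -oG - 172.16.0.1
Host: 172.16.0.1 ()\tStatus: Up
Host: 172.16.0.1 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 46/closed/tcp/////\tIgnored State: closed (997)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
"""

# One Ports entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+(?:\|\w+)?)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: {"status": str, "ports": [(port, state, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '# Nmap ...' banner and footer lines
        fields = line.split("\t")         # -oG separates fields with tabs
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, {"status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    m = PORT_RE.match(entry)
                    if m:
                        port, state, proto, _owner, service, _rpc, version = m.groups()
                        host["ports"].append((int(port), state, proto, service, version))
    return hosts


def open_ports(hosts, ip):
    """Ports reported open or open|filtered on one host, sorted; handy for a diff against a baseline."""
    return sorted(p for p, state, *_ in hosts[ip]["ports"] if state.startswith("open"))
```

Because the Ports entry for a closed port keeps every slash with empty fields, the same regex handles closed, open and open|filtered entries; the "Ignored State" field is deliberately skipped.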

V 1.3.2

February 23, 2017

Page 1 of 6

Q8.

What exactly is an nmap -sT scan? Explain & contrast to -sS in some detail. -sT -> TCP Connect Scan: follows the TCP 3-way handshake process from start to end, but it will only get results if the port is listening. It is the default TCP scan type when a SYN scan is not an option (i.e. the user does not have raw packet / admin privileges). If it is down, it responds as not reachable. Entirely visible to the target, as it completes the 3-way handshake for each connection. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. -sS -> TCP SYN Scan: the SYN scan is the default and most popular scan option, also called half-open scanning because it never completes the TCP connection process, sending an RST as soon as the SYN-ACK is sent back. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. Tends to be the better choice.

Q9.

What is a SYN Stealth scan? Explain in some detail. Sends a SYN packet but doesn’t close the connection normally; in theory a stealthy way to detect if port is open or not while avoiding most detection. Specifically, a packet with the SYN flag set is sent to the target port. The target port should respond with a SYN-ACK packet (or RST if the port is closed). Normally the scanning machine would then send an ACK packet to the target to complete the standard TCP three-way handshake, but in this case it sends a RST packet instead to terminate the connection prematurely. In the past, some firewalls/IDS would not log this connection (called a “half-open” connection) since it didn't complete – but this is no longer the case and your scan is likely to be detected, logged and possibly acted upon. A SYN Stealth scan also helps to identify the O/S based on its reaction to a “half-open” connection.

Q10. Describe what a Bounce scan consists of. An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server. The Nmap -b option attempts to use that “feature/vulnerability”. It is considered one method to try and get Nmap past firewall(s).


Q11. What does the “Use Decoy(s)” option do, exactly? Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5–10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys. Decoys are used both in the initial ping scan (using ICMP, SYN, ACK, or whatever) and during the actual port scanning phase. Decoys are also used during remote OS detection (-O or -A). Decoys do not work with version detection or the TCP connect scan. It is worth noting that using too many decoys may slow your scan and potentially even make it less accurate. Also, some ISPs will filter out your spoofed packets, but many do not restrict spoofed IP packets at all.

Q12. Explain in some detail how Nmap interprets and achieves O/S fingerprinting. By using a series of different techniques to scan (using TCP, UDP and other scan types), probe and observe the reaction of the O/S (and of the software behind open ports) to said packets, comparing the overall results to a database of known characteristics and responses, and then making an approximate guess of the O/S type based on the results from the database. The really neat part is that, if you get a result that isn’t in the database, you can submit your scan and the information about the O/S you were scanning to the Nmap group and they’ll analyze and add the info to the DB – so it gets smarter over time!


Q13 – 20 require a packet capture, highlighted and interpreted, for full marks.

► Scan an open port on your target with a:

Q13. TCP Connect scan

13:15:38.844575 172.16.0.128.1041 > 172.16.0.1.80: S 2458495487:2458495487(0) win 16384 (DF)
13:15:38.844674 172.16.0.1.80 > 172.16.0.128.1041: S 2953482001:2953482001(0) ack 2458495488 win 17520 (DF)
13:15:38.845106 172.16.0.128.1041 > 172.16.0.1.80: . ack 1 win 17520 (DF)
13:15:38.846286 172.16.0.128.1041 > 172.16.0.1.80: R 2458495488:2458495488(0) win 0 (DF)

a. Source IP and source port (172.16.0.128.1041 in the first packet)
b. Destination IP and destination port (172.16.0.1.80 in the first packet)
c. SYN flag (the S in the first packet) – this packet is attempting to open a TCP connection
d. SYN and ACK flags (the S and ack in the second packet) sent in response to the initial SYN request
e. The ACK flag (the ack in the third packet) to complete the three-way handshake
f. The RST flag (the R in the fourth packet) is sent from the scanning machine to abort the connection

The process follows the standard TCP 3-way handshake process from start to end (SYN / SYN-ACK / ACK), then resets the connection (RST).

Q14. FIN stealth scan

13:17:53.536257 172.16.0.128.58601 > 172.16.0.1.46: F 0:0(0) win 2048
13:17:53.536325 172.16.0.1.46 > 172.16.0.128.58601: F 0:0(0) ack 1 win 0
13:17:53.536325 172.16.0.128.58601 > 172.16.0.1.46: R 0:0(0) ack 1 win 0

The FIN stealth scan acts like a TCP stealth scan, in that it starts the FIN process but ignores any responses or requests from the other host – i.e. no ACKs back to the system being scanned. Not all operating systems respond the same way to this scan – because the FIN scan “breaks” the rules of TCP/IP, each O/S is free to respond in its own way. So you may encounter more RST packets or a slightly different flag occurrence pattern.

Q15. TCP XMAS scan

13:16:00.415119 172.16.0.128.42688 > 172.16.0.1.80: FP 0:0(0) win 4096 urg 0
13:16:00.415187 172.16.0.1.80 > 172.16.0.128.42688: R 0:0(0) ack 1 win 0

The scan computer constructs a packet with FIN, PSH and URG flags set. These flags are not normally found together. The scanning computer is attempting to confuse a firewall. The target computer responds with a RST segment because it is confused. The packets above are from scanning a Windows machine – a Linux machine will respond differently to these “broken” or malicious packets.


Q16. TCP Null scan

13:16:07.895497 172.16.0.128.37302 > 172.16.0.1.80: . win 4096
13:16:07.895566 172.16.0.1.80 > 172.16.0.128.37302: R 0:0(0) ack 0 win 0

Similar to the XMAS scan, but this time the scanning computer doesn’t set any flags (this never happens with normal traffic). Again, the packets above are from scanning a Windows machine – a Linux machine will respond differently to these “broken” or malicious packets.

► Scan a closed TCP port on your target with a:

Q17. Connect scan

13:17:39.825664 172.16.0.128.1042 > 172.16.0.1.46: S 2488863818:2488863818(0) win 16384 (DF)
13:17:39.825735 172.16.0.1.46 > 172.16.0.128.1042: R 0:0(0) ack 2488863819 win 0

A TCP connect scan on a closed port causes the target computer to respond with a TCP segment with the RST flag set. This means the port is not open for business.

Q18. SYN stealth scan

13:15:49.598104 172.16.0.128.47298 > 172.16.0.1.80: S 1991778512:1991778512(0) win 4096
13:15:49.601197 172.16.0.1.80 > 172.16.0.128.47298: R 0:0(0) ack 1991778513 win 0

The scanning computer intends not to let the three-way handshake complete, sending a RST segment as soon as the target responds. However, as the port is closed, it is the target computer that responds with the RST flag set. This means the port is not open for business. N.B.: It’s actually very hard to differentiate between the packets from Q23 and Q24 due to the closed port. A closed port, when scanned, will respond the same way regardless of the scanning method used.

Q19. How would you differentiate between the scans from Q17 and Q18, from a packet PoV? In theory, the TCP Connect scan (Q17) should show all 3 of the initial connection-establishing handshake packets (i.e. SYN/SYN-ACK/ACK), and the TCP SYN Stealth scan would use the non-completion pattern (i.e. SYN/SYN-ACK/RST). The problem is, because it’s a closed port, neither scan gets to complete the connection, and they will likely look IDENTICAL as far as the flag sequences and responses go – the only minor difference is that the RST packet comes from the target and not the Nmap box, plus a few details (window, MSS, etc.) are different in the RST packet.


► UDP scans

Q20. Scan an open UDP port on your target

13:16:47.850179 172.16.0.128.50919 > 172.16.0.1.135: udp 0
13:16:53.850067 172.16.0.128.50920 > 172.16.0.1.135: udp 0

Notice that there is no response from the target computer. We assume the port is open. UDP scans for open ports can produce “False Positive” results.

Q21. Scan a closed UDP port on your target

13:17:09.263510 172.16.0.128.42943 > 172.16.0.1.136: udp 0
13:17:09.263579 192.168.0.1 > 192.168.0.128: icmp: 192.168.0.1 udp port 136 unreachable

A UDP scan on a closed port causes the target computer to respond with an ICMP destination port unreachable style message.
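The flag-sequence reasoning used in Q13 to Q21 (and in Q8/Q9) can be written down as a small classifier, which is how a defender would tag what kind of probe a capture shows rather than reading each exchange by hand. The code below is an added example, not part of the lab or its answer key. It parses legacy tcpdump text lines in the same format as the captures above and applies the answers' own rules: SYN / SYN-ACK / ACK then RST is a connect scan, SYN / SYN-ACK / RST is a SYN stealth scan, a lone SYN answered by RST is ambiguous (the point of Q19), FIN / XMAS / NULL probes are identified by their flag sets, and a UDP probe is closed only if an ICMP port unreachable comes back. The captures in LAB are the lab's own (Q13 with its a–f annotation letters removed, then Q14, Q15, Q16, Q18, Q20 and Q21); SYN_OPEN is constructed, because the lab has no capture of a SYN scan against an open port. The names ip_of, parse_line and classify are chosen here.

```python
import re

# Legacy tcpdump text format used in the lab captures:  "ts src.port > dst.port: rest"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def ip_of(endpoint):
    """'172.16.0.1.80' -> '172.16.0.1'; a bare IP (ICMP lines) passes through unchanged."""
    return ".".join(endpoint.split(".")[:4])


def parse_line(line):
    """Parse one line into src/dst/proto plus a sorted TCP flag string such as 'AS'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, rest = m.groups()
    pkt = {"src": ip_of(src), "dst": ip_of(dst)}
    if rest.startswith("udp"):
        pkt["proto"] = "udp"
    elif rest.startswith("icmp:"):
        pkt.update(proto="icmp", unreachable="unreachable" in rest)
    else:
        pkt["proto"] = "tcp"
        flags = set(rest.split()[0]) - {"."}   # flag field: S, F, R, P, FP ... or "." for none
        if " ack " in rest:                    # ACK is printed separately as "ack N"
            flags.add("A")
        if " urg " in rest:                    # URG is printed as "urg N"
            flags.add("U")
        pkt["flags"] = "".join(sorted(flags))
    return pkt


def classify(capture):
    """Infer scan type and port state from the flag sequence of one probe/reply exchange."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    scanner = pkts[0]["src"]
    sent = [p for p in pkts if p["src"] == scanner]
    replies = [p for p in pkts if p["src"] != scanner]   # from the target or a router (ICMP)
    result = {"scanner": scanner, "target": pkts[0]["dst"]}

    if sent[0]["proto"] == "udp":
        result["scan"] = "UDP"
        closed = any(r["proto"] == "icmp" and r["unreachable"] for r in replies)
        result["state"] = ("closed (ICMP port unreachable)" if closed
                           else "open|filtered (no reply; may be a false positive)")
        return result

    first = sent[0]["flags"]
    reply = replies[0]["flags"] if replies else None
    if first == "S":                                     # connect or SYN stealth
        if reply == "AS":
            result["state"] = "open (SYN-ACK received)"
            completed = any(p["flags"] == "A" for p in sent[1:])
            result["scan"] = ("TCP connect (full handshake, then RST)" if completed
                              else "SYN stealth (half-open: RST instead of ACK)")
        elif reply and "R" in reply:
            result["state"] = "closed (RST from target)"
            result["scan"] = "SYN or connect (identical on a closed port)"
        else:
            result["state"] = "filtered (no reply to SYN)"
            result["scan"] = "SYN or connect"
        return result

    names = {"F": "FIN", "FPU": "XMAS (FIN+PSH+URG)", "": "NULL (no flags)"}
    result["scan"] = names.get(first, f"unrecognised flag pattern {first!r}")
    if reply is None:
        result["state"] = "open|filtered (no reply)"
    elif "R" in reply:
        result["state"] = "closed (RST; Windows answers RST on any port)"
    else:
        result["state"] = f"OS-specific reply (flags {reply})"
    return result


# Captures from this lab (Q13 minus its a-f letters, Q14, Q15, Q16, Q18, Q20, Q21).
LAB = {
    "connect_open": """13:15:38.844575 172.16.0.128.1041 > 172.16.0.1.80: S 2458495487:2458495487(0) win 16384 (DF)
13:15:38.844674 172.16.0.1.80 > 172.16.0.128.1041: S 2953482001:2953482001(0) ack 2458495488 win 17520 (DF)
13:15:38.845106 172.16.0.128.1041 > 172.16.0.1.80: . ack 1 win 17520 (DF)
13:15:38.846286 172.16.0.128.1041 > 172.16.0.1.80: R 2458495488:2458495488(0) win 0 (DF)""",
    "fin": """13:17:53.536257 172.16.0.128.58601 > 172.16.0.1.46: F 0:0(0) win 2048
13:17:53.536325 172.16.0.1.46 > 172.16.0.128.58601: F 0:0(0) ack 1 win 0
13:17:53.536325 172.16.0.128.58601 > 172.16.0.1.46: R 0:0(0) ack 1 win 0""",
    "xmas": """13:16:00.415119 172.16.0.128.42688 > 172.16.0.1.80: FP 0:0(0) win 4096 urg 0
13:16:00.415187 172.16.0.1.80 > 172.16.0.128.42688: R 0:0(0) ack 1 win 0""",
    "null": """13:16:07.895497 172.16.0.128.37302 > 172.16.0.1.80: . win 4096
13:16:07.895566 172.16.0.1.80 > 172.16.0.128.37302: R 0:0(0) ack 0 win 0""",
    "syn_closed": """13:15:49.598104 172.16.0.128.47298 > 172.16.0.1.80: S 1991778512:1991778512(0) win 4096
13:15:49.601197 172.16.0.1.80 > 172.16.0.128.47298: R 0:0(0) ack 1991778513 win 0""",
    "udp_open": """13:16:47.850179 172.16.0.128.50919 > 172.16.0.1.135: udp 0
13:16:53.850067 172.16.0.128.50920 > 172.16.0.1.135: udp 0""",
    "udp_closed": """13:17:09.263510 172.16.0.128.42943 > 172.16.0.1.136: udp 0
13:17:09.263579 192.168.0.1 > 192.168.0.128: icmp: 192.168.0.1 udp port 136 unreachable""",
}
# Constructed, not from the lab: a SYN stealth scan against an open port (SYN / SYN-ACK / RST).
SYN_OPEN = """13:20:00.000000 172.16.0.128.40001 > 172.16.0.1.80: S 100:100(0) win 1024
13:20:00.000100 172.16.0.1.80 > 172.16.0.128.40001: S 200:200(0) ack 101 win 17520
13:20:00.000200 172.16.0.128.40001 > 172.16.0.1.80: R 101:101(0) win 0"""
```

Calling classify(LAB["connect_open"]) reports a TCP connect scan against an open port, classify(SYN_OPEN) a SYN stealth scan, and classify(LAB["syn_closed"]) only "SYN or connect", which is exactly the ambiguity Q19 describes. The Q14 FIN capture lands in the "OS-specific reply" branch because the target answered with FIN/ACK rather than RST, and the Q21 ICMP line is accepted even though it comes from a different address than the UDP target, since port-unreachable messages may be sent by an intermediate router.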
