Enumeration

Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services. It also refers to actively querying or connecting to a target system to acquire this information.
Hackers need to be methodical in their approach to hacking. The following steps are an example of those a hacker might perform in preparation for hacking a target system:
  1. Extract usernames using enumeration.
  2. Gather information about the host using null sessions.
  3. Perform Windows enumeration using the SuperScan tool.
  4. Acquire the user accounts using the tool GetAcct.
  5. Perform SNMP port scanning.
The object of enumeration is to identify a user account or system account for potential use in hacking the target system. It isn't necessary to find a system administrator account, because most account privileges can be escalated to allow the account more access than was previously granted.
Note: The process of privilege escalation is covered in the next chapter.
Many hacking tools are designed for scanning IP networks to locate NetBIOS name information. For each responding host, the tools list IP address, NetBIOS computer name, logged-in username, and MAC address information.
On a Windows 2000 domain, the built-in tool net view can be used for NetBIOS enumeration. To enumerate NetBIOS names using the net view command, enter the following at the command prompt:
    net view /domain
    nbtstat -A <IP address>

Scanning Anonymously

Preparing proxy servers is the last step in the CEH scanning methodology. A proxy server is a computer that acts as an intermediary between the hacker and the target computer.
Using a proxy server can allow a hacker to become anonymous on the network. The hacker first makes a connection to the proxy server and then requests a connection to the target computer via the existing connection to the proxy. Essentially, the proxy requests access to the target computer, not the hacker's computer. This lets a hacker surf the Web anonymously or otherwise hide their attack.
Anonymizers are services that attempt to make web surfing anonymous by utilizing a website that acts as a proxy server for the web client. The first anonymizer software tool was developed by Anonymizer.com; it was created in 1997 by Lance Cottrell. The anonymizer removes all the identifying information from a user's computer while the user surfs the Internet, thereby ensuring the privacy of the user.
To visit a website anonymously, the hacker enters the website address into the anonymizer software, and the anonymizer software makes the request to the selected site. All requests and web pages are relayed through the anonymizer site, making it difficult to track the actual requester of the web page. Use Anonymouse to web surf anonymously in Exercise 1.
Exercise 1: Use Anonymouse to Surf Websites Anonymously

  1. Open a web browser to the http://anonymouse.org website and select English at the top of the page.
  2. Type a website address in the Enter Website Address field and click the Surf Anonymously button.
    This works especially well if you know certain websites are blocked.

A popular method of bypassing a firewall or IDS is to tunnel a blocked protocol (such as SMTP) through an allowed protocol (such as HTTP). Almost all IDS and firewalls act as a proxy between a client's PC and the Internet and pass only the traffic defined as being allowed.
Most companies allow HTTP traffic because it's usually benign web access. However, a hacker using an HTTP tunneling tool can subvert the proxy by hiding potentially destructive protocols, such as IM or chat, within an innocent-looking protocol packet.
A hacker can spoof an IP address when scanning target systems to minimize the chance of detection. One drawback of spoofing an IP address is that a TCP session can't be successfully completed.
Source routing lets an attacker specify the route that a packet takes through the Internet. This can also minimize the chance of detection by bypassing IDS and firewalls that may block or detect the attack. Source routing uses a reply address in the IP header to return the packet to a spoofed address instead of the attacker's real address. 
To detect IP address spoofing, you can compare the time to live (TTL) values: the attacker's TTL will be different from the spoofed address's real TTL.

Banner Grabbing and OS Fingerprinting Techniques

Banner grabbing and operating system identification—which can also be defined as fingerprinting the TCP/IP stack—is the fourth step in the CEH scanning methodology. The process of fingerprinting allows the hacker to identify particularly vulnerable or high-value targets on the network. Hackers are looking for the easiest way to gain access to a system or network. Banner grabbing is the process of opening a connection and reading the banner or response sent by the application. Many email, FTP, and web servers will respond to a telnet connection with the name and version of the software. This aids a hacker in fingerprinting the OS and application software. For example, a Microsoft Exchange email server would only be installed on a Windows OS.
Active stack fingerprinting is the most common form of fingerprinting. It involves sending data to a system to see how the system responds. It's based on the fact that various operating system vendors implement the TCP stack differently, and responses will differ based on the operating system. The responses are then compared to a database to determine the operating system. Active stack fingerprinting is detectable because it repeatedly attempts to connect with the same target system.
Passive stack fingerprinting is stealthier and involves examining traffic on the network to determine the operating system. It uses sniffing techniques instead of scanning techniques. Passive stack fingerprinting usually goes undetected by an IDS or other security system but is less accurate than active fingerprinting.

War-Dialing Techniques

War dialing is the process of dialing modem numbers to find an open modem connection that provides remote access to a network for an attack to be launched against the target system. The term war dialing originates from the early days of the Internet, when most companies were connected to the Internet via dial-up modem connections. War dialing is included as a scanning method because it finds another network connection that may have weaker security than the main Internet connection. Many organizations set up remote-access modems that are now antiquated but have failed to remove those remote-access servers. This gives hackers an easy way into the network with much weaker security mechanisms. For example, many remote-access systems use the Password Authentication Protocol (PAP), which sends passwords in cleartext, rather than newer virtual private networking (VPN) technology that encrypts passwords.
War-dialing tools work on the premise that companies don't control the dial-in ports as strictly as the firewall, and machines with modems attached are present everywhere even if those modems are no longer in use. Many servers still have modems with phone lines connected as a backup in case the primary Internet connection fails. These available modem connections can be used by a war-dialing program to gain remote access to the system and internal network.

TCP Communication Flag Types

TCP scan types are built on the TCP three-way handshake. TCP connections require a three-way handshake before a connection can be made and data transferred between the sender and receiver. Figure 1 details the steps of the TCP three-way handshake.
Figure 1: TCP three-way handshake
To complete the three-way handshake and make a successful connection between two hosts, the sender must send a TCP packet with the synchronize (SYN) bit set. Then, the receiving system responds with a TCP packet with the synchronize (SYN) and acknowledge (ACK) bits set to indicate the host is ready to receive data. The source system sends a final packet with the ACK bit set to indicate the connection is complete and data is ready to be sent.
Because TCP is a connection-oriented protocol, a process for establishing a connection (three-way handshake), restarting a failed connection, and finishing a connection is part of the protocol. These protocol notifications are called flags. TCP contains ACK, RST, SYN, URG, PSH, and FIN flags. The following list identifies the function of the TCP flags:
  • SYN Synchronize. Initiates a connection between hosts.
  • ACK Acknowledge. Confirms an established connection between hosts.
  • PSH Push. System is forwarding buffered data.
  • URG Urgent. Data in packets must be processed quickly.
  • FIN Finish. No more transmissions.
  • RST Reset. Resets the connection.
A hacker can attempt to bypass detection by using flags instead of completing a normal TCP connection. The TCP scan types in Table 1 are used by some scanning tools to elicit a response from a system by setting one or more flags.
Table 1: TCP scan types
  Scan type                     Flags sent by hacker
  XMAS scan                     All flags set (ACK, RST, SYN, URG, PSH, FIN)
  FIN scan                      FIN
  NULL scan                     No flags set
  TCP connect/full-open scan    SYN, then ACK
  SYN scan/half-open scan       SYN, then RST

Exercise 1 shows how to use Angry IP Scanner to perform a port scan.
Exercise 1: Free IPTools Port Scan

To use a port scan tool to determine listening ports of active hosts:
  1. Download Angry IP Scanner from www.angryip.org/w/Download.
  2. Enter the IP address of the target system in the Host or IP Address field, or enter a range of IP addresses for your lab systems, and click Start to perform a conventional (full connect) scan of standard ports.

Scan Types

As a CEH, you need to be familiar with the following scan types and uses:
  • SYN A SYN or stealth scan is also called a half-open scan because it doesn't complete the TCP three-way handshake. (The TCP/IP three-way handshake will be covered in the next section.) A hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, then it's assumed the target would complete the connection and the port is listening. If an RST is received back from the target, then it's assumed the port isn't active or is closed. The advantage of the SYN stealth scan is that fewer IDS systems log this as an attack or connection attempt.
  • XMAS XMAS scans send a packet with the FIN, URG, and PSH flags set. If the port is open, there is no response; but if the port is closed, the target responds with a RST/ACK packet. XMAS scans work only on target systems that follow the RFC 793 implementation of TCP/IP and don't work against any version of Windows.
  • FIN A FIN scan is similar to an XMAS scan but sends a packet with just the FIN flag set. FIN scans receive the same response and have the same limitations as XMAS scans.
  • NULL A NULL scan is also similar to XMAS and FIN in its limitations and response, but it just sends a packet with no flags set.
  • IDLE An IDLE scan uses a spoofed IP address to send a SYN packet to a target. Depending on the response, the port can be determined to be open or closed. IDLE scans determine port scan response by monitoring IP header sequence numbers.
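The flag combinations from Table 1 and the scan types above can be turned into a simple detection rule. This is an added example, not code from the study guide: it classifies the flag set of each packet in a constructed log and reports sources whose probe-style packets spread across several ports, which is what separates a scan from an ordinary client.

```python
from collections import defaultdict
# TCP flag bit values from the RFC 793 header layout.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

def classify_probe(flags):
    """Map the flag set of one unsolicited TCP packet to a scan type.
    Returns None for combinations that look like ordinary session traffic
    (SYN/ACK, PSH/ACK, ...), which a flag-only rule cannot call a scan."""
    if flags == 0:
        return "NULL scan"
    if flags == ALL_FLAGS:
        return "XMAS scan (all flags)"     # the Table 1 variant
    if flags == FIN | PSH | URG:
        return "XMAS scan"                 # the FIN/URG/PSH variant
    if flags == FIN:
        return "FIN scan"
    if flags == SYN:
        return "SYN (half-open) or connect scan"
    if flags == ACK:
        return "ACK scan (firewall mapping)"
    return None

# Constructed packet log, not a real capture: (source IP, dest port, flags).
PACKETS = [
    ("10.0.0.5", 22, SYN), ("10.0.0.5", 80, SYN),
    ("10.0.0.5", 443, SYN), ("10.0.0.5", 8080, SYN),
    ("10.0.0.9", 21, FIN | PSH | URG), ("10.0.0.9", 23, FIN | PSH | URG),
    ("10.0.0.9", 25, FIN | PSH | URG), ("10.0.0.9", 135, 0),
    # a normal client: one handshake and some data to a single port
    ("192.168.1.20", 443, SYN), ("192.168.1.20", 443, ACK),
    ("192.168.1.20", 443, PSH | ACK),
]

def detect_scanners(packets, min_ports=3):
    """Return {source: {scan type: sorted ports}} for sources whose probe-style
    packets touched at least min_ports distinct ports. A lone SYN is just a
    connection attempt; the spread across ports separates a scan from a client."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            seen[src][kind].add(dport)
    report = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report
```

The single NULL-flag packet from 10.0.0.9 stays below the threshold and is not reported, while its three XMAS probes are.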

nmap Command Switches

Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It's supported by many operating systems, including Unix, Windows, and Linux.
The state of a port as determined by an nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming requests on that port. Filtered means a firewall or network filter is screening the port and preventing nmap from discovering whether it's open. Unfiltered means the port is determined to be closed, and no firewall or filter is interfering with the nmap requests.
Nmap supports several types of scans. Table 1 details some of the common scan methods.
Table 1: Nmap scan types
  TCP connect: The attacker makes a full TCP connection to the target system. The most reliable scan type but also the most detectable. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.
  XMAS tree scan: The attacker checks for TCP services by sending XMAS-tree packets, which are named as such because all the "lights" are on, meaning the FIN, URG, and PSH flags are set (the meaning of the flags will be discussed later in this chapter). Closed ports reply with a RST flag.
  SYN stealth scan: This is also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It's stealthy because a full TCP connection isn't opened. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.
  Null scan: This is an advanced scan that may be able to pass through firewalls undetected or modified. A Null scan has all flags off or not set. It only works on Unix systems. Closed ports will return a RST flag.
  Windows scan: This type of scan is similar to the ACK scan and can also detect open ports.
  ACK scan: This type of scan is used to map out firewall rules. The ACK scan only works on Unix. The port is considered filtered by firewall rules if an ICMP destination unreachable message is received as a result of the ACK scan.
The nmap command has numerous switches to perform different types of scans. The common command switches are listed in Table 2.
Table 2: Common nmap command switches
  Switch          Scan performed
  -sT             TCP connect scan
  -sS             SYN scan
  -sF             FIN scan
  -sX             XMAS tree scan
  -sN             Null scan
  -sP             Ping scan
  -sU             UDP scan
  -sO             Protocol scan
  -sA             ACK scan
  -sW             Windows scan
  -sR             RPC scan
  -sL             List/DNS scan
  -sI             Idle scan
  -P0             Don't ping
  -PT             TCP ping
  -PS             SYN ping
  -PI             ICMP ping
  -PB             TCP and ICMP ping
  -PP             ICMP timestamp
  -PM             ICMP netmask
  -oN             Normal output
  -oX             XML output
  -oG             Greppable output
  -oA             All output
  -T Paranoid     Serial scan; 300 sec between scans
  -T Sneaky       Serial scan; 15 sec between scans
  -T Polite       Serial scan; .4 sec between scans
  -T Normal       Parallel scan
  -T Aggressive   Parallel scan, 300 sec timeout, and 1.25 sec/probe
  -T Insane       Parallel scan, 75 sec timeout, and .3 sec/probe
To perform an nmap scan, at the Windows command prompt type nmap followed by the IP address and any command switches used to perform a specific type of scan. For example, to scan the host with the IP address 192.168.0.1 using a TCP connect scan type, enter this command:
    nmap 192.168.0.1 -sT
Make sure you're familiar with the different types of nmap scans, the syntax to run nmap, and how to analyze nmap results. The syntax and switches used by the nmap command will be tested on the CEH exam.
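Analyzing nmap results usually starts from the greppable output (-oG) listed in Table 2. The following is an added example, not code from the study guide or from the nmap project: it parses a constructed -oG fragment into per-host port states (open, filtered, closed as described above) and answers the questions a reviewer asks of a scan, such as which hosts expose a given port. The field layout assumed for each port entry is port/state/protocol/owner/service/rpcinfo/version/.

```python
import re

# Constructed sample in the nmap -oG (greppable) layout; not real scan output.
SAMPLE_OG = """\
# constructed sample, not real nmap output
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 192.168.0.7 ()\tStatus: Up
Host: 192.168.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (998)
"""

# "Host: <ip> (<hostname>)" followed by tab-separated "Key: value" fields.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")

def parse_grepable(text):
    """Return {ip: {"ports": [(port, state, proto, service), ...],
                    "ignored": state}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                       # '#' comment lines and anything else
            continue
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"ports": [], "ignored": None})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Ports":
                for spec in value.split(", "):
                    # port/state/proto/owner/service/rpc/version/
                    p = spec.split("/")
                    entry["ports"].append((int(p[0]), p[1], p[2], p[4]))
            elif key == "Ignored State":
                # the state nmap collapsed into a count, e.g. "closed (997)"
                entry["ignored"] = value.split(" ")[0]
    return hosts

def hosts_with_open(hosts, port, proto="tcp"):
    """IPs where port/proto was reported open, e.g. 445/tcp for SMB review."""
    return sorted(ip for ip, e in hosts.items()
                  if any(pt == port and st == "open" and pr == proto
                         for pt, st, pr, _svc in e["ports"]))

def state_counts(hosts):
    """Per-host tally of the open/filtered/closed states the guide describes."""
    return {ip: {s: sum(1 for _, st, _, _ in e["ports"] if st == s)
                 for s in ("open", "filtered", "closed")}
            for ip, e in hosts.items()}
```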