Scanning Networks - SMKN 4 Padalarang
CEH Lab Manual: Scanning Networks, Module 03

Module 03 - Scanning Networks

Scanning a Target Network

Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct network scanning, analyze the network's vulnerabilities, and maintain a secure network. You need to perform a network scan to:

■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

In the lab, you need:

■ A computer running Windows Server 2012, Windows Server 2008, Windows 8, or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
CEH Lab Manual Page 85 - Ethical Hacking and Countermeasures - Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial-of-service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or, possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.
Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in scanning networks:

■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScanTools Pro
■ Drawing Network Diagrams Using LANSurveyor
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude

Ensure you have ready a copy of the additional readings handed out for this lab.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.

Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:

■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers

Lab Environment

In the lab, you need:

■ Advanced IP Scanner, located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com

Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. The gathered information is helpful in determining threats and vulnerabilities in a network and in knowing whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks

TASK 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 1.1: Windows 8 Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).

With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

FIGURE 1.2: Windows 8 Apps

3. The Advanced IP Scanner main window appears.

You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).
You have to guess a range of IP addresses of the victim machine.

FIGURE 1.4: The victim machine, Windows Server 2008

Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.

5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.

6. Click the Scan button to start the scan. The status of the scan is shown at the bottom left side of the window.

7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.

Lists of computers can be saved and loaded, so you can perform operations with a specific list of computers. Just save a list of the machines you need and Advanced IP Scanner loads it at startup automatically.

Group operations: any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

FIGURE 1.6: The Advanced IP Scanner main window after scanning the range 10.0.0.1-10.0.0.10 (screenshot: results list with Status, Name, IP, Manufacturer, and MAC address columns; status bar reads 5 alive, 0 dead, 5 unknown)

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.

TASK 2: Extract Victim's IP Address Info

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort shut down.

Wake-on-LAN: you can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.7: The Advanced IP Scanner main window with the alive host list and the right-click menu (Explore, Copy, Add to 'Favorites', Rescan selected, Save selected, Wake-On-LAN, Shut down, Abort shut down, Radmin)

10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.

11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
FIGURE 1.8: The Advanced IP Scanner computer properties window (screenshot: the Shutdown options dialog with Use Windows authentication, User name, Password, Timeout (sec): 60, Message, Forced shutdown, and Reboot fields)

12. Now you have the IP address, Name, and other details of the victim machine.

13. You can also try Angry IP Scanner, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved: Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs
Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow, SQL injection, and web application vulnerabilities on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and cause server damage. Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives

The objective of this lab is to help students learn to banner grab a website and discover the applications running on it.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

In this lab you will learn to:

■ Identify the domain IP address
■ Identify the domain information

Lab Environment

To perform the lab you need:

■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks

TASK 1: Identify website server information

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve

2. In the main window of ID Serve shown in the following figure, select the Server Query tab.

If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.

FIGURE 2.1: Main window of ID Serve (screenshot: ID Serve Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; Background, Server Query, and Q&A/Help tabs; the field "Enter or copy/paste an Internet server URL or IP address here (example www.microsoft.com)"; the Query The Server button; and the "The server identified itself as" result box)

3. Enter the IP address or URL address in Enter or copy/paste an Internet server URL or IP address here:
ID Serve can accept the URL or IP as a command-line parameter.

FIGURE 2.2: Entering the URL www.certifiedhacker.com for query

4. Click Query The Server; it shows the server query processing information.

ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

FIGURE 2.3: Server processed information. The Server query processing box reads:

Initiating server query
Looking up IP address for domain www.certifiedhacker.com
The IP address for the domain is 202.75.54.101
Connecting to the server on standard HTTP port: 80
Connected
Requesting the server's default page
The server identified itself as Microsoft-IIS/6.0

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
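The query output above is the banner that ID Serve extracts from the HTTP response head. As an added example, not part of this lab manual and not ID Serve's own code, the Python script below parses a captured response head the same way, pulls out the headers that identify the server software (Server, X-Powered-By and similar) and splits them into product/version pairs, so that an administrator can compare what a server advertises against the patch inventory and decide which version strings to suppress. The response text is constructed from the headers listed in the lab analysis for www.certifiedhacker.com; the "OK" reason phrase and the list of identifying headers are assumptions of this example.

```python
"""Added example (not from the lab manual or ID Serve): read an HTTP
response head as a banner grabber does and report version disclosures."""
from __future__ import annotations

import re

# Constructed response head, built from the headers the lab analysis lists.
# The reason phrase "OK" and the body are assumed filler.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: PHP/4.4.8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>default page</body></html>"
)

# Headers that routinely reveal make, model and version of the server stack
# (assumed list for this example).
IDENTIFYING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def parse_response_head(raw: str) -> tuple[str, dict[str, str]]:
    """Split a response into its status line and a header dict.

    Header names are lower-cased; a repeated header is joined with ', ' as
    HTTP permits. Only the head (text before the blank line) is read, and
    bare "\\n" line endings are tolerated alongside "\\r\\n"."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status_line = lines[0].strip()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines instead of aborting the parse
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers


def software_banner(headers: dict[str, str]) -> dict[str, str]:
    """Keep only the headers that identify server software, in the order
    IDENTIFYING_HEADERS lists them."""
    return {h: headers[h] for h in IDENTIFYING_HEADERS if h in headers}


def split_product(banner: str) -> list[tuple[str, str | None]]:
    """Turn 'Microsoft-IIS/6.0' or 'Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1'
    into (product, version) pairs; parenthesised comments are dropped and
    a product without a version gets None."""
    cleaned = re.sub(r"\([^)]*\)", " ", banner)
    products: list[tuple[str, str | None]] = []
    for token in cleaned.split():
        product, _, version = token.partition("/")
        products.append((product, version or None))
    return products


def version_disclosures(headers: dict[str, str]) -> list[str]:
    """List every product that discloses a concrete version number, as
    'header: product version' strings ready for an inventory report."""
    findings = []
    for header, value in software_banner(headers).items():
        for product, version in split_product(value):
            if version:
                findings.append(f"{header}: {product} {version}")
    return findings


if __name__ == "__main__":
    status, hdrs = parse_response_head(SAMPLE_RESPONSE)
    print(status)
    for finding in version_disclosures(hdrs):
        print("version disclosed ->", finding)
```

The same parser works on the head of any HTTP reply captured from your own servers; an empty `version_disclosures` result means the server advertises no concrete version, which is the state a hardening baseline usually asks for.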
Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
■ HTTP/1.1 200
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: PHP/4.4.8
■ Transfer-Encoding: chunked
■ Content-Type: text/html

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine what protocols ID Serve apprehends.

2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs

Fingerprinting Open Ports Using the Amap Tool

Amap determines the applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and the port number tells the receiving host which program should handle the data. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine. In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.
Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

The objective of this lab is to help students learn to fingerprint open ports and discover the applications running on these open ports. In this lab, you will learn to:

■ Identify the application protocols running on open port 80
■ Detect application protocols

Lab Environment

To perform the lab you need:

■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running web services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.

Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

2. Type amap www.certifiedhacker.com 80, and press Enter.

FIGURE 3.1: Amap with host name www.certifiedhacker.com and port 80. The command prompt output reads:

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode

Unidentified ports: 202.75.54.101:80/tcp (total 1).

amap v5.2 finished at 2012-08-28 12:20:53
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

3. You can see the specific application protocols running on the entered host name and port 80.

4. Use the IP address to check the applications running on a particular port.

5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine): amap 10.0.0.4 75-81 and press Enter (the IP address will be different in your network).

For Amap options, type amap -help.

6. Try scanning different websites using different port ranges, for example amap www.certifiedhacker.com 1-200

Amap compiles on all UNIX-based platforms - even Mac OS X, Cygwin on Windows, ARM-Linux and PalmOS.

FIGURE 3.2: Amap with IP address and port range 75-81. The command prompt output reads:

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode

Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin

Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).

amap v5.2 finished at 2012-08-28 12:27:54
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Lab Analysis

Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
Web servers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
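The overview above describes the fingerprinting step as a lookup of each received response in a list of response strings, and the Amap output shows the result lines that lookup produces. As an added example, not amap's own code and not its signature file, the Python script below implements that lookup over constructed replies: each signature is a regular expression over the raw reply, every matching name is reported (amap likewise reports both http and http-iis for one port), and a port that answered nothing ends up in the unidentified list. Run over the banners of your own hosts, the same logic shows which services disclose product and version strings. The addresses, replies and signature patterns are all constructed for this example; the names mirror the identifiers in the lab output.

```python
"""Added example (not from the lab manual or amap): match captured service
replies against a list of response-string signatures, amap-style."""
from __future__ import annotations

import re

# (name, pattern over the raw reply). Names follow the lab output; the
# patterns are this example's own, not amap's signature definitions.
SIGNATURES: list[tuple[str, re.Pattern[bytes]]] = [
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("http-apache-2", re.compile(rb"^HTTP/1\.[01] \d{3}.*\r\nServer: Apache/2\.", re.S)),
    ("http-iis", re.compile(rb"^HTTP/1\.[01] \d{3}.*\r\nServer: Microsoft-IIS/", re.S)),
    ("webmin", re.compile(rb"Server: MiniServ/", re.S)),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("smtp", re.compile(rb"^220 .*(SMTP|ESMTP)", re.I)),
    ("ftp", re.compile(rb"^220 .*FTP", re.I)),
]

# Constructed replies, keyed by (host, port), as a scanner would capture them
# after sending an HTTP GET trigger or reading a greeting banner. Port 79 was
# open but answered nothing, so it must come out as unidentified.
CAPTURED: dict[tuple[str, int], bytes] = {
    ("10.0.0.4", 80): b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Type: text/html\r\n\r\n",
    ("10.0.0.4", 8080): b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.22 (Win32)\r\n\r\n",
    ("10.0.0.4", 22): b"SSH-2.0-OpenSSH_7.4\r\n",
    ("10.0.0.4", 79): b"",
}


def identify(reply: bytes) -> list[str]:
    """Return every signature name whose pattern matches the reply, in
    signature order; an empty reply matches nothing."""
    return [name for name, pattern in SIGNATURES if pattern.search(reply)]


def report(captured: dict[tuple[str, int], bytes]) -> tuple[list[str], list[str]]:
    """Build amap-style 'Protocol on host:port/tcp matches name' lines and a
    separate list of host:port/tcp entries that matched no signature."""
    lines: list[str] = []
    unidentified: list[str] = []
    for (host, port), reply in sorted(captured.items()):
        matches = identify(reply)
        if not matches:
            unidentified.append(f"{host}:{port}/tcp")
            continue
        for name in matches:
            lines.append(f"Protocol on {host}:{port}/tcp matches {name}")
    return lines, unidentified


if __name__ == "__main__":
    lines, unidentified = report(CAPTURED)
    print("\n".join(lines))
    print(f"Unidentified ports: {' '.join(unidentified)} (total {len(unidentified)}).")
```

Ordering the signatures from generic (http) to specific (http-iis) keeps the output readable; because every matching name is reported rather than only the first, a reply that fits two signatures is visible as such, exactly as the lab's port 80 matched http, http-apache-2, http-iis and webmin at once.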
Questions

1. Execute the Amap command for a host name with a port number other than 80.

2. Analyze how the Amap utility gets the applications running on different machines.

3. Use various Amap options and analyze the results.

Internet Connection Required: ☑ Yes  □ No
Platform Supported: ☑ Classroom  □ iLabs

Monitoring TCP/IP Connections Using the CurrPorts Tool

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.

Lab Scenario

In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or by disabling unnecessary services running on the computer. You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and can obtain all the information in the IP and TCP headers and in the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection. As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives

The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer. In this lab, you need to:

■ Scan the system for currently opened TCP/IP and UDP ports
■ Gather information on the ports and processes that are opened
■ List all the IP addresses that currently have established connections
■ Close unwanted TCP connections and kill the process that opened the ports

Lab Environment

To perform the lab, you need:

■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool

You can download the CurrPorts tool from http://www.nirsoft.net.

Lab Duration

Time: 10 Minutes

Overview of Monitoring TCP/IP

Monitoring TCP/IP ports checks whether there are multiple IP connections established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.

Lab Tasks

The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

TASK 1: Discover TCP/IP Connections

1. Launch CurrPorts.
It automatically displays the process name, process ID, protocol, local and remote ports, local and remote addresses, remote host names, and connection states.

FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses (screenshot of the lab machine 10.0.0.7: chrome.exe and firefox.exe connections to remote ports 80 and 443, httpd.exe listening on 1070, lsass.exe on 1028; status line "79 Total Ports, 21 Remote Connections, 1 Selected")

2. CurrPorts lists all the processes and their IDs, protocols used, local and remote IP addresses, local and remote ports, and remote host names.
3. To view all the items as an HTML report, click View > HTML Report - All Items.
FIGURE 4.2: CurrPorts with HTML Report - All Items selected in the View menu

In the bottom left of the CurrPorts window, the status line shows the total number of ports, the number of remote connections, and the number of selected items.

4. The HTML report automatically opens in the default browser as a "TCP/UDP Ports List" page with the columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, and State.

To check the countries of the remote IP addresses, you have to download the latest IP-to-Country file and put the IpToCountry.csv file in the same folder as cports.exe.
FIGURE 4.3: The web browser displaying the CurrPorts HTML Report - All Items (chrome.exe, PID 2988, TCP connections from 10.0.0.7 to remote ports 80 and 443 on 173.194.36.x hosts)

5. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).

CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu. By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.
FIGURE 4.4: The web browser's File menu used to save the CurrPorts Report - All Items

6. To view only the selected items as an HTML report, select the items and click View > HTML Report - Selected Items.

Be aware: the log file is updated only when you refresh the ports list manually (F5), or when the Auto Refresh option is turned on.

You can also right-click on the web page and save the report.
FIGURE 4.5: CurrPorts with HTML Report - Selected Items (status line "79 Total Ports, 21 Remote Connections, 3 Selected")

7. The report for the selected items automatically opens in the default browser.

In the Filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF). The syntax for a filter string is: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].

FIGURE 4.6: The web browser displaying the CurrPorts HTML Report - Selected Items. The three selected rows were:
■ chrome.exe, PID 2988, TCP, local 10.0.0.7:4148, remote 173.194.36.26:443 (https), bom04s01-in-f26.1e100.net, Established
■ firefox.exe, PID 1368, TCP, local 10.0.0.7:4163, remote 173.194.36.15:443 (https), bom04s01-in-f15.1e100.net, Established
■ httpd.exe, PID 1800, TCP, local port 1070, Listening

8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).

Command-line option: /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.
FIGURE 4.7: The web browser used to save the CurrPorts HTML Report - Selected Items

9. To view the properties of a port, select the port and click File > Properties (Alt+Enter).

Command-line option: /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: The CurrPorts File menu used to view properties for a selected port (menu items: IPNetInfo Ctrl+I, Close Selected TCP Connections Ctrl+T, Kill Processes Of Selected Ports, Save Selected Items Ctrl+S, Properties Alt+Enter, Process Properties Ctrl+P, Log Changes, Open Log File, Clear Log File, Advanced Options Ctrl+O, Exit)

10.
The Properties window appears and displays all the properties for the selected port.
11. Click OK to close the Properties window.

Properties shown for the selected port in the lab:
Process Name: firefox.exe
Process ID: 1368
Protocol: TCP
Local Port: 4166
Local Address: 10.0.0.7
Remote Port: 443
Remote Port Name: https
Remote Address: 173.194.36.0
Remote Host Name: bom04s01-in-f0.1e100.net
State: Established
Process Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Product Name: Firefox
File Description: Firefox
File Version: 14.0.1
Company: Mozilla Corporation
Process Created On: 8/25/2012 2:36:28 PM
User Name: WIN-D39MR5HL9E4\Administrator
Added On: 8/25/2012 3:32:58 PM

Command-line option: /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port

TASK 2: Close TCP Connection
12. To close a TCP connection you think is suspicious, select the item and click File > Close Selected TCP Connections (or Ctrl+T).
FIGURE 4.10: The CurrPorts Close Selected TCP Connections option

TASK 3: Kill Process
13. To kill the processes of a port, select the port and click File > Kill Processes Of Selected Ports.

FIGURE 4.11: The CurrPorts Kill Processes Of Selected Ports option

14.
To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.

Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (vertical).

FIGURE 4.12: The CurrPorts Exit option

Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

On the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.
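The filter syntax given with the Filters dialog and the /close syntax above are what a practitioner scripts against when the list is too long to read in the GUI, typically over a /stab export. The following Python script is an added example written for this edit; it is not part of the lab manual and not NirSoft's CurrPorts code. It assumes the export columns are in the order Process Name, Process ID, Protocol, Local Port, Local Address, Remote Port, Remote Address, State, that addresses are IPv4, that a process rule may carry an optional protocol field, and that several include rules are OR'd while any matching exclude rule drops a row (the page does not state how CurrPorts combines rules). The sample rows are constructed for the example, not a real capture.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows in the assumed /stab column order: Process Name,
# Process ID, Protocol, Local Port, Local Address, Remote Port, Remote
# Address, State. Empty remote fields denote a listening socket.
SAMPLE_STAB = (
    "chrome.exe\t2988\tTCP\t4059\t10.0.0.7\t80\t173.194.36.17\tEstablished\n"
    "firefox.exe\t1368\tTCP\t4163\t10.0.0.7\t443\t173.194.36.15\tEstablished\n"
    "firefox.exe\t1368\tUDP\t52011\t10.0.0.7\t53\t10.0.0.1\t\n"
    "httpd.exe\t1800\tTCP\t1070\t0.0.0.0\t\t\tListening\n"
    "nc.exe\t4321\tTCP\t5555\t10.0.0.7\t4444\t203.0.113.9\tEstablished\n"
)


@dataclass
class Conn:
    process: str
    pid: int
    proto: str            # "TCP" or "UDP"
    lport: int
    laddr: str
    rport: Optional[int]  # None for a listening socket
    raddr: str            # "" for a listening socket
    state: str


def parse_stab(text: str) -> List[Conn]:
    """Parse a tab-delimited export into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        conns.append(Conn(f[0], int(f[1]), f[2].upper(), int(f[3]), f[4],
                          int(f[5]) if f[5] else None, f[6], f[7]))
    return conns


def _match_spec(spec: str, port: Optional[int], addr: str) -> bool:
    """spec is a port, a port range 'lo-hi', an IPv4 address or an IPv4 range 'a-b'."""
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    if "." in lo:                      # IPv4 address or range (assumption: no IPv6)
        if not addr:
            return False
        a = ipaddress.IPv4Address(addr)
        return ipaddress.IPv4Address(lo) <= a <= ipaddress.IPv4Address(hi)
    if port is None:
        return False
    return int(lo) <= port <= int(hi)


def _rule_matches(rule: str, c: Conn) -> bool:
    """Evaluate one [include|exclude]:[scope]:[proto]:[range] rule against c."""
    parts = [p.strip().lower() for p in rule.split(":")]
    scope = parts[1]
    if scope == "process":
        # The lab shows 'include:process:firefox.exe' with no protocol field;
        # a protocol in third position is tolerated here (assumption).
        return c.process.lower() == parts[-1]
    proto, spec = parts[2], parts[3]
    if proto != "tcpudp" and c.proto.lower() != proto:
        return False
    if scope in ("local", "both") and _match_spec(spec, c.lport, c.laddr):
        return True
    return scope in ("remote", "both") and _match_spec(spec, c.rport, c.raddr)


def apply_filters(conns: List[Conn], filter_string: str) -> List[Conn]:
    """Apply a filter string (rules separated by spaces, semicolons or newlines).
    Include rules are OR'd, any matching exclude rule drops the row, and with no
    include rules every row starts included (combination semantics assumed)."""
    rules = filter_string.replace(";", " ").split()
    includes = [r for r in rules if r.lower().startswith("include:")]
    excludes = [r for r in rules if r.lower().startswith("exclude:")]
    kept = []
    for c in conns:
        if includes and not any(_rule_matches(r, c) for r in includes):
            continue
        if any(_rule_matches(r, c) for r in excludes):
            continue
        kept.append(c)
    return kept


def close_commands(conns: List[Conn]) -> List[str]:
    """Emit the cports.exe /close line from the Lab Analysis for every
    established TCP connection (listening sockets and UDP have nothing to close)."""
    return [f"cports.exe /close {c.laddr} {c.lport} {c.raddr} {c.rport}"
            for c in conns if c.proto == "TCP" and c.rport is not None]


if __name__ == "__main__":
    conns = parse_stab(SAMPLE_STAB)
    # Lab question 1: only remote TCP port 80 and UDP port 53
    for c in apply_filters(conns, "include:remote:tcp:80 include:remote:udp:53"):
        print(f"{c.process:12} {c.proto} {c.laddr}:{c.lport} -> {c.raddr}:{c.rport}")
    # Lab question 2: only the ports opened by Firefox
    print(len(apply_filters(conns, "include:process:firefox.exe")), "firefox rows")
    # A connection to remote port 4444 is worth a second look: build its /close line
    for cmd in close_commands(apply_filters(conns, "include:remote:tcp:4444")):
        print(cmd)
```

The two filter strings in the main block are the ones the lab questions ask for; close_commands() turns a matching row into the /close invocation from the Lab Analysis. Closing a connection does not stop the owning process from reopening it, so check the process (File > Process Properties) before deciding between Close Selected TCP Connections and Kill Processes Of Selected Ports.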
Tool/Utility: CurrPorts
Profile Details: Network scan for open ports
Information Collected/Objectives Achieved (scanned report fields):
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze the results from CurrPorts by creating a filter string that displays only connections with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output by creating a filter that displays only the ports opened by the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State

CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

Internet Connection Required: No
Platform Supported: Classroom, iLabs

Lab: Scanning for Network Vulnerabilities Using GFI LanGuard 2012

GFI LanGuard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Scenario
You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool automatically marks in pink suspicious TCP/UDP ports owned by unidentified applications. To cut off attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections.
Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An attacker exploits this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on it. The attacker also uses the server as a pivot to attack other servers on the ISP network from this compromised one.
As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives
The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing. In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network

You can download GFI LanGuard from http://www.gfi.com.
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

Lab Environment
To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LanGuard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains the activation code

GFI LanGuard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

Lab Duration
Time: 10 Minutes

Overview of Scanning a Network
As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

GFI LanGuard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.

Security scans or audits enable you to identify and assess possible risks within a network.
Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Lab Tasks
Follow the wizard-driven installation steps to install the GFI LanGuard network scanner on the Windows Server 2012 host machine.

TASK 1: Scanning for Vulnerabilities
1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Sidebar note carried over from the Nmap lab: the Zenmap installer installs Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), and Ndiff.

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

To execute a scan successfully, GFI LanGuard must remotely log on to target computers with administrator privileges.

The default scanning
options, which provide quick access to scanning modes, are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a scheduled scan

FIGURE 5.3: The GFI LanGuard main window (tabs: Dashboard, Scan, Remediate, Activity Monitor, Reports, Configuration, Utilities; actions: View Dashboard, Remediate Security Issues, Manage Agents, Launch a Scan; Local Computer Vulnerability Level shown as High)

Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile

4. Click the Launch a Scan option to perform a network scan.
If intrusion detection software (IDS) is running during scans, GFI LanGuard sets off a multitude of IDS warnings and intrusion alerts in those applications.

FIGURE 5.4: The GFI LanGuard main window indicating the Launch a Scan option

5. The Launch a New Scan window appears:
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select Currently logged on user from the drop-down list
6. Click Scan.

For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

FIGURE 5.5: Selecting the options for the network scan (Scan Target: localhost; Profile: Full Scan; Credentials: currently logged on user)

7. Scanning starts; it will take some time to scan the network.
See the following figure.

Quick scans have relatively short scan durations compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After the scan completes, the scan result is shown in the left panel.

FIGURE 5.7: The GFI LanGuard scan results view (scan target localhost, 10.0.0.7 [WIN-D39MR5HL9E4], Windows Server 2012 x64; the Results statistics list audit operations processed, missing software updates, other vulnerabilities and potential vulnerabilities, and the Scanner Activity Window reports the scan as completed)

9. To check the Scan Results Overview, click the IP address of the machine in the right panel.

Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.

10. The right panel shows Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment.

When a computer does not yet have a vulnerability level, the Results Details panel lists the possible reasons:
1. The scan is not finished yet.
2. Detection of missing patches and vulnerabilities is disabled in the scanning profile used to perform the scan.
3. The credentials used to scan this computer do not allow the security scanner to retrieve all the information required for estimating the Vulnerability Level. An account with administrative privileges on the target computer is required.
4. Certain security settings on the remote computer block the access of the security scanner.

FIGURE 5.8: Selecting the Vulnerability Assessment option
It shows all the V u ln era b ility A s s e s s m e n t indicators by category -־Tbl ־x ־ V GFI LanGuard L d > «־ 2012 / 7 During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including: ■ Missing Microsoft updates Dashboard Sun R&neddte Activity Men!tot Reports Configuration JUbties W, D18CUB8 •as v«a«on._ la a o d i a Merc Scan Bar Target; »roS»: | ׳ יj ... 5o r Scan lU n u tti Overvttm ^ Password: V1 [cu rfrS r twftfonutier f 3$ MScarJgynang: c/fomess Stan R evifttO eU N a $ u a U r « « t:lQ u lm l S IS - ■ System software information, including unauthori2ed applications, incorrect antivirus settings and outdated signatures Vulnerability Assessm ent ItM J ( m R - K M M U H U M ](W M to m . 5«tea ene of the 4U01Mrx) wjfcerabilry • «uhefeblty Astastrocnt »*ל3יי A * *־יsecurity wirerablof a (3) Jl M eCtomScanty Vuherabirtes (6) - A *qn security Vumerabtmes (3) X b u you to analyze the 1 ״0־secuirty v j r e t b i : a j , low Searity Viinerablitfes (4J 4 PofanBd Vuherabltea (3) t Meshc service Packs and Usdate =&u>s (1} # Msarvs Security Lfxlates (3) ^ _* Hec*alt&S0ftAareA1rft ■Jedium Security VulneraMKies (6) ilo«.sycutoanaJy 7e t h s r r « lu n 1ec1rityvurerai> i 5es . Lo w Security Vulnerabilities 14( yeu to a׳15iy » the lc« 9ecu Ity ^ ■ System hardware information, including connected modems and USB devices Potential vuln erab ilitie s ) 1 ( Xb>.s y«u to a-elvre tiie information security aJ ־־o . t tit-fung Stiivfca Packs and Updalo Rollups (1) U>»3ycutoane(yK th crm eiro iervm p K tsn Vm evn thread I (Idle) |Scan Pvead 7 ( d t ' I 5 u n t 1 « : 3 Otfic] B ras FIGURE 5.9: List of Vulnerability Assessment categories 12. 
Click N etw ork & S o ftw a re Audit in die right panel, and dien click System Patching S tatu s, which shows all die system patching statuses LinOuard 1- ״r ״1 <U) ' Rrpoiti to ■ > 1 C ri • 4 - Dmhboard Sran Re*»״Aate 2012 Activity Monitor Configuration JM airt lliir in it n v n w m ta u a d ts New Scan Scar ’ • o e ־- Ho ft*. * |« & - 1 1'־״ h -״ ״ ״ O a fa tta b: Sari ־1 1 R em its Detais Scan R esafe Overview - 9 Scan ta r v e t iocalhost - 3 1 8 5 4 S ystem P a tc h in g S tatus m I M A / [W » 0 3 9 N R S W « 4 ] ( I M l t K - Select one of tte M ta h g system w tc h ro M U M iia eb itv t o n T e i l A Due to the large amount of information retneved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks. Pais/.ord: J s e n re ; |0 rren#» o g c « or u er ־, C*' SecultY ViiieraMitte( (3) rv*4un security vUrcrabilBe• (6) X X taw Security V\J*»ablt11s (4) X c״or»«nal vunrrahltif# ()ג I t *toarq Service Pata wv4 itodate RaJl«M {I) f > W < 1Saq1 UyUD0«Ufctt) M in ting Servlet‘ P a c k* ■•nit Update RoSupa (1) AlsmyeutaaiYilyiethrrnaingap'verpttlMnfarmaw Mk m S % Ports U A *)- fi a Missing Security Updates ( ,J) Alowt Mu U nWy.'t U1« mlBtfiO Mcvltv updatat »1fo׳Tnalor \ ״ftoary- a ^ V flfc nuflt I Missing Non-Security Updates (16) Alan* you to analyie the rwn-security ipaatea rfam ssen J% rtor&Atrc staled Security Updates (2) JUave you טan4 >2s tJlc ilitaifed security U>Ca‘x h ftm ala■ Software system inlbnnaaon J% instated Non-Security Updates ( 1 ) Alo5 ״יyou to analyze the nstalicd nor-setuity Scanner A ctm ty VVaitkm X Starting security scan of hoar WII1-I139MMSMI 9t 4[1 c 0.0 /] lane: I M I t U PM g : 1 .v 'r y Scan thread 1 (idle) S c it r a a : I( d * : *\m ~ ־.! t » . 3 :rrgr* FIGURE 5.10: System patching status report 13. 
Click Ports, and under diis, click Open TCP Ports C E H L ab M an u al P ag e 118 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks m A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. & GFl LanGuard 2012 •> l«- I Scan jbcahoK R arm fcale v ־a«1 tn rprT-. lorn lho*r • * = _____ U i s c u u tins 1 1 so iDf*crpno ״: Mytxrtrrt Trerwftr Protocol {^ > ליודזs r -w r : h ttp ft) ^ 9 J l )*־h Sacuity ״<«ו\יrfiltr* (1) *. 1__ II - • viAwjBMy**owtwfnt B CJ, •ויי - •־R : ; 10.0.0.7 |WIN-039MR5IIL9t4| (W m dvn _ ■ Type of scanning profile (Le., the type of checks to execute/type of data to retrieve) Corrfigura SasGword: U envaae: |0xt«rtK ocKcC on us®־ 9 1- 1 ■■ Reports V I .. . I |M S w 1 Q c0 en ־.dfe. Vanous parameters can be customized during this type of scan, including: £*!1v t y M onitor (kt/0er re»t Tfonjfcr PttitoroO] 5( כגC w u c to - DCC w»i1u ״l « ׳sOl)0«־ £ 1f ) ►**CTt*0׳V NMKOS 5 M » 1 ׳S*fM » I SOTOt r « » ״n] ^ *4J P fia p to n : MooioftOS k t t * O m la v , VMntfcwt V a n fim it w : Lrtnamn] ^ X Mtdum Scanty Miner dMIUet (6} Law Seeunty VUnerabttiei (4} B £ s ^ ^ PoewtOii VOwaMitfeC (3) - 10J7 piMotooon: !r#t»1fo, 1( tM&*ervce h not t1»׳Urt(d :*•>*« caJO &• Croj^r: eiandwtjne, Oaufipy *rd others / Sev»c t-.H |Deunpecn: LSASS, If tha » m « is not ratafc* be-*ae catfc ;<■ trsjan: Ctotafipy Network x, Oath am3 etners / Ser : : - 2 |C«sobacn: Me Protect. MSrtQ, t " t e 1 v. M >)elc ־-» י- » a)c ro( r •-U wJ D*m«r* COuU ttt uojan: BLA trojan . S e 4׳ 9 # Moang Service Pocks ond tp4?te R0I 1O9 CO « £ 1241 | t « c r o o c : Ne35u5 Jcarity Scanner /S erver: 1r*no«nJ # 9 1433 (O sac & cn : Microsoft SQL Server database r a ־a j r w : srts c n Ser .er j S a -kx ; Ofcnown] M sangSecuity Updates (3) ^ *•ernoHc 81Software Audit ( ( System Patchr g Status ]־333 ■ Scan targets I . 
floe ״1׳>־P torts {Sj I w Coen LC» Ports • ) 5( A Hardware 1 ■ Logon credentials i f Software . System [nfbmodon 11 w ooer ActKRy Wtaiduw ־1pr..«t4scev * ׳y v a n thread 1 (td lr) Sea ״wrfad ) י/ Ip ( | 5 0 ׳*־■ ־.vl ! :<*>) error• FIGURE 5.11: T C P/U D P Ports result 14. Click S y ste m Information in die light side panel; it shows all die details of die system information 15. Click P assw ord Policy r ־ ־° n n GH LanGuard 2012 E B > 1 4 - 1 Dathboatd Scan Ravrwifcalr ActHity Monitor Reports Configuration UaUwt W. 1)1*1 lew •«« m u i i tauach a Mew scan ScarTargtc P0. «־t : a ih x : v | . . . I (׳SjIScan &ederate: 3 L&c ״iaBL Z~M~CTt, bcced on toe־ • ? aaiw d : V 1 U1J 1__ S a r Co'janu... Scan R e ta k t O vn vm n Scan I r a k i Deta lie % open IX P Ports (5) Sf A ־ta־d/.«e * ׳I 50fr»gne___ | L_/ The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan. Systsn Infotmabotj J *!־*׳run poaawd length: 0char- J Vaxnuri EMSSiwrd age: 42days J * * ״!־unoaa'wordsgeiodays J ! Peace « p f f r e iw force a 9ki\׳. W ,|l HW .\fxC.!■■>>•>1 >Mgw0rd mtary: n o h ttay J • S * .u l(. Audit Policy (Off) W f Re0**v f t Net&JOS Mamas (3) % Computet t j | 610Lpt (28) & Users (4) Logged Cn Users ( 11) ^ Sesscre (2) % J<rvce5 (148) ■U Processes (76) , Remote TOO (Tme O f Oay) Scanner Activity Window ■t- ״ ׳I 1 , V 1״n thrv*d I (k llr) S c a n th e flU C *) i f< * 41' ׳ ' ! ־ ’A ) I '" ׳ י י FIGURE 5.12 Information of Password Pohcy 16. Click Groups: it shows all die groups present in die system C E H L ab M an u al P ag e 119 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. 
Reproduction is Strictly Prohibited Module 03 - Scanning Networks ׳-T o - G FI L a n G u a r d 2 0 1 2 m A high vulnerability level is the result o f vulnerabilities or missing patches w hose average severity is categorized as high. * >־ D ashboard Sun ftftn c a & e vl W R eports Configuration !)19CUB3 Ultt VWttKJR— ר H **S c a n CrM e r e s t -igemane: Password: H [c u T € r*f eooed cn user ■c c ':era 1 R tfv n lti Overview r S c *• RevuJU D e U ik Control A u cU at* Cws abx 1 * ft ■ ft* P n t t a w i • ft0*Ji.s Ouvrctgrv • ftcmfcw aw# dccmwcm * ftO (V'tey jM >׳- t w i t s ' ! ■ ftCfctrtutedCCMUser* יft& *n t Log Straefcrs • ftGuests % C0 «nUOPPwts( 5) Menfciore A • . 1 Softo•'( • ^ Symrmtnknranon S h » » ( 6) « • 4• Pd«wo1 ) ׳Pd iy i» - Sxunty AudtPotcy (Off) # ־lUotetry f t NetflCCS Narres (3) * ft ייft % Computer l*i groups(2a)I I W 4} % Psrfertrsnce Log Users P r־fty1r 5rcc '\ r ~a users P M v lS e r s • ft זa גen»te t o o מיו חןO f 0 »y) - . E5JUSRS r^tv>: < ׳Ccnfig.rstcn Cp־rators ♦a » a **?Operators S«ss»ns (2) % Servfcee (l•*©) H i ®rocrase* (76) W w rt* ״ K>pe ׳V Adrritstrators * ft ־״ft • ft •? . -OXfC 0 ״users ( 1 )נ A scheduled scan is a network audit scheduled to run automatically on a specific date/tim e and at a specific frequency. Scheduled scans can be set to execute once or periodically. Actmrty M onitor S*rf« 1l 1f 1 .nl 1 (tdl• | )׳Scan tfve*0 ? frt*) RES Ehdpcut Servers PCS Manage»״ent Servers Soan *read S * fe ) | 8 י0| • ׳ FIGURE 5.13: Information of Groups 17. Click die D ashboard tab: it shows all the scanned network information 1 ° n ^ ׳ GFI LanGuard 2012 > 45 ״I q Crap I Dashbcurdl it 6mel1n*ork Sun Remedy!* !t Activity Monitor f# V»' Ce m ctm •w «v Reports 1 Configuration to * UUkbe; 4t זי/.־ V ViAirrnhlfces O u c u M ln a varam .. 
fei *J PeA* v ( SdNiare Entire Network -1 com puter f j UKJ»-c«t: ttlh-03»Ma.5rt.4£-» Security S«1tors w n w a rn i w u w • ^' ־ucj1!)<»w>:y10«j<1iR<x1> I t is recommended to use scheduled scans: m rS \ ___ H T«W 9M IM ^g 1 0 cc<rpute5־ ^ ■ T o perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters • T o tngger scans automatically after office hours and to generate alerts and autodistribution o f scan results via email Most M ra ra n e caw oJSfS V. SC 3y ^ ׳L Occrrputers Lra tra -on ie d Aco*c כ 364 Vulnerabilities 1 CO״p0t«r9 O _ Io 0 cancuters Malware Protection ... C co ־pu־c r j וcomputers A u l t Sure* : _ 0 « ! »י ״י ד ; • Agent Hemm Issues 0 C0npu18C8 ,A iirraN ity Trend Owe' tm e w Computer V14>erabfey CBtnbLiivi Maraqe saerts ■HLsr-.‘.K rxfl*n... S c-=radrsfrar.tfggnaMnp.ra Z star can... j ■ T o automatically trigger auto-remediation options, (e.g., Auto download and deploy missing updates) o זC S ^ lK I Service Packs and U- Sec :w dg-.as.״ C^pm:-jr_ 1*aer*Stofcg|\>3tStafcg| : o ־f u t M By G peratng Syftem o 1v,vo>5Se«׳ C om putes S ■O0€>ath. ■. | C onpjters By r te t» o rt.. I FIGURE 5.14: scanned report o f the network Lab A nalysis Dociunent all die results, dueats, and vulnerabilities discovered during die scanning and auditing process. C E H L ab M an u al P ag e 120 E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. 
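The notes above give the rule for the vulnerability level (the average severity of vulnerabilities and missing patches) and say that the job after the scan is to decide which systems need attention first. The following Python example, added here and not GFI code, applies that rule to a result like the one in Figures 5.9, 5.10 and 5.12 and orders hosts for remediation. The severity weights, the level thresholds and the password baseline are this example's own assumptions; the sample result is constructed from the category counts and password settings shown in the figures.

```python
"""Triage of a scan result of the kind GFI LanGuard produces.

Added example, not GFI's code. The severity weights, the level thresholds
and the hardening baseline are this example's own assumptions; SAMPLE
mirrors the category counts and password settings shown in the lab figures.
"""
from dataclasses import dataclass, field
from statistics import mean

# Assumed numeric weights for the scanner's severity buckets.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Assumed hardening baseline; substitute your organisation's policy.
PASSWORD_BASELINE = {"min_length": 8, "max_age_days": 90, "min_age_days": 1, "history": 5}


@dataclass
class ScanResult:
    host: str
    vulnerabilities: dict            # severity bucket -> count
    missing_security_updates: int
    missing_service_packs: int
    password_policy: dict = field(default_factory=dict)


def vulnerability_level(result):
    """Bucket the average severity of all findings as high, medium or low.

    Missing security updates and service packs count as 'high' (assumption
    matching the note that a high level comes from vulnerabilities or
    missing patches whose average severity is high).
    """
    weights = [SEVERITY_WEIGHT[sev] for sev, n in result.vulnerabilities.items() for _ in range(n)]
    weights += [SEVERITY_WEIGHT["high"]] * (result.missing_security_updates + result.missing_service_packs)
    if not weights:
        return "none"
    avg = mean(weights)
    if avg >= 2.5:
        return "high"
    return "medium" if avg >= 1.5 else "low"


def password_policy_findings(policy, baseline=PASSWORD_BASELINE):
    """List the password-policy settings that fall below the baseline."""
    findings = []
    if policy.get("min_length", 0) < baseline["min_length"]:
        findings.append("minimum password length %d is below %d"
                        % (policy.get("min_length", 0), baseline["min_length"]))
    max_age = policy.get("max_age_days", 0)
    if max_age == 0 or max_age > baseline["max_age_days"]:   # 0 means passwords never expire
        findings.append("maximum password age %s is beyond the %d-day baseline"
                        % ("unlimited" if max_age == 0 else "%d days" % max_age,
                           baseline["max_age_days"]))
    if policy.get("min_age_days", 0) < baseline["min_age_days"]:
        findings.append("minimum password age allows immediate reuse after a forced change")
    if policy.get("history", 0) < baseline["history"]:
        findings.append("password history %d remembers fewer than %d passwords"
                        % (policy.get("history", 0), baseline["history"]))
    return findings


def triage(results):
    """Order hosts for remediation: worst level first, then most open issues."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    rows = []
    for r in results:
        pw = password_policy_findings(r.password_policy)
        issues = (sum(r.vulnerabilities.values()) + r.missing_security_updates
                  + r.missing_service_packs + len(pw))
        rows.append({"host": r.host, "level": vulnerability_level(r),
                     "issues": issues, "password_findings": pw})
    return sorted(rows, key=lambda row: (order[row["level"]], -row["issues"]))


# Constructed sample: the counts from Figures 5.9/5.10 and the policy from Figure 5.12.
SAMPLE = ScanResult(
    host="10.0.0.7",
    vulnerabilities={"high": 3, "medium": 6, "low": 4},
    missing_security_updates=3,
    missing_service_packs=1,
    password_policy={"min_length": 0, "max_age_days": 42, "min_age_days": 0, "history": 0},
)

if __name__ == "__main__":
    for row in triage([SAMPLE]):
        print(row["host"], row["level"], row["issues"], sep="  ")
        for finding in row["password_findings"]:
            print("   -", finding)
```

With the sample input the host lands at "medium" (the four missing patches pull the average up, but the 13 vulnerabilities are mostly medium and low), and the password policy alone produces three findings: a zero minimum length, no minimum age and no history. A 42-day maximum age passes the assumed 90-day baseline.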
Tool/Utility: GFI LanGuard 2012
Information Collected/Objectives Achieved:
■ Vulnerability Level
■ Vulnerability Assessment
■ System Patching Status
■ Scan Results Details for Open TCP Ports
■ Scan Results Details for Password Policy
■ Dashboard - Entire Network: Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how GFI LanGuard products provide protection against a worm.
2. Evaluate under what circumstances GFI LanGuard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LanGuard is performing administrative tasks? If yes, how?

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs

Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details of open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools, one to fix and the other to exploit a system. If an attacker learns all this information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network for the same information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, in this lab you will be guided to use Nmap to explore and audit a network.

Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.

In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:
■ Nmap, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Note: You can also download the latest version of Nmap from http://nmap.org. If you decide to download the latest version, the screenshots shown in the lab might differ. Zenmap works on Windows, including Windows 7 and Server 2003/2008.

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use, and dozens of other characteristics

Lab Tasks

TASK 1: Intense Scan

Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 6.1: Windows Server 2012 - Desktop view

2. Click the Nmap-Zenmap GUI app to open the Zenmap window.

Note: The Zenmap installer installs the following components:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Ncat (Modern Netcat)
■ Ndiff
■ Zenmap (GUI frontend)

FIGURE 6.2: Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

Note: Nmap syntax: nmap [Scan Type(s)] [Options] {target specification}

FIGURE 6.3: The Zenmap main window

Note: In port scan techniques, only one method may be used at a time, except that a UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.

4. Enter the IP address of the Windows Server 2008 virtual machine (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.

5. In this lab the IP address is 10.0.0.4; it will be different in your lab environment.

6. In the Profile: field, select from the drop-down list the type of profile you want to scan with. In this lab, select Intense scan.

7. Click Scan to start scanning the virtual machine. The Command: field shows the command line Zenmap runs for this profile: nmap -T4 -A -v 10.0.0.4

Note: While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

FIGURE 6.4: The Zenmap main window with Target and Profile entered

Note: The six port states recognized by Nmap:
■ open
■ closed
■ filtered
■ unfiltered
■ open|filtered
■ closed|filtered

8. Nmap scans the provided IP address with the Intense scan profile and displays the scan result below the Nmap Output tab.

[Figure: Nmap Output for nmap -T4 -A -v 10.0.0.4: Starting Nmap 6.01 (http://nmap.org); NSE: Loaded 93 scripts for scanning; ARP Ping Scan of 10.0.0.4; Parallel DNS resolution; SYN Stealth Scan of 1000 ports discovering open ports 135/tcp, 139/tcp, 445/tcp, 5357/tcp and 49152-49156/tcp on 10.0.0.4; Nmap increases the send delay from 0 to 5 because of dropped probes]
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

Note: Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

9. After the scan is complete, Nmap shows the scan results:

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

Note: The options available to control target selection:
■ -iL <inputfilename> (input from list)
■ -iR <num hosts> (choose random targets)
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude_file>

Note: The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS <port list> (TCP SYN Ping)
■ -PA <port list> (TCP ACK Ping)
■ -PU <port list> (UDP Ping)
■ -PY <port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO <protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

10. Click the Ports/Hosts tab to display more information on the scan results.

11. Nmap also displays the Port, Protocol, State, Service, and Version for each result:

Port   Protocol  State  Service      Version
135    tcp       open   msrpc        Microsoft Windows RPC
139    tcp       open   netbios-ssn
445    tcp       open   netbios-ssn
5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152  tcp       open   msrpc        Microsoft Windows RPC
49153  tcp       open   msrpc        Microsoft Windows RPC
49154  tcp       open   msrpc        Microsoft Windows RPC
49155  tcp       open   msrpc        Microsoft Windows RPC
49156  tcp       open   msrpc        Microsoft Windows RPC

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan

12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan profile.
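The Ports/Hosts table in step 11 is what you save after each run and compare against the previous one, which is the lab objective "compare saved results for suspicious ports". The following Python example, added here and not Nmap's or Zenmap's code, parses Nmap's normal text output (the format shown in step 9) and reports which ports opened, closed or changed state between two runs; Nmap ships Ndiff for this job, and this is a small re-implementation of its port-level comparison. Both scan outputs below are constructed: BASELINE mirrors the ports the Intense scan of 10.0.0.4 reports, CURRENT is a hypothetical later run in which RDP has appeared and the HTTPAPI port is now filtered. The allowlist of expected ports is an assumption.

```python
"""Parse saved Nmap normal output and compare two runs for port changes.

Added example, not Nmap's or Zenmap's code (Nmap ships Ndiff for this job;
this is a small re-implementation of its port-level comparison). Both scan
outputs are constructed: BASELINE mirrors the ports the lab's Intense scan
of 10.0.0.4 reports, CURRENT is a hypothetical later run of the same host.
"""
import re

HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

BASELINE = """\
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
"""

# Hypothetical later run: RDP has appeared and the HTTPAPI port is now filtered.
CURRENT = """\
Nmap scan report for 10.0.0.4
Host is up (0.00031s latency).
Not shown: 990 closed ports
PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn
445/tcp   open     netbios-ssn
3389/tcp  open     ms-wbt-server Microsoft Terminal Service
5357/tcp  filtered http
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     msrpc         Microsoft Windows RPC
49155/tcp open     msrpc         Microsoft Windows RPC
49156/tcp open     msrpc         Microsoft Windows RPC
"""


def parse_nmap(text):
    """Return {host: {(port, proto): {"state", "service", "version"}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = hosts.setdefault(m.group("host"), {})
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            current[(int(m.group("port")), m.group("proto"))] = {
                "state": m.group("state"),
                "service": m.group("service"),
                "version": m.group("version") or "",
            }
    return hosts


def diff_ports(old_text, new_text):
    """Per host: ports newly open, ports no longer open, and every state change."""
    old, new = parse_nmap(old_text), parse_nmap(new_text)
    report = {}
    for host in sorted(set(old) | set(new)):
        o, n = old.get(host, {}), new.get(host, {})
        opened = sorted(k for k in n if n[k]["state"] == "open"
                        and o.get(k, {}).get("state") != "open")
        closed = sorted(k for k in o if o[k]["state"] == "open"
                        and n.get(k, {}).get("state") != "open")
        changed = {k: (o[k]["state"], n[k]["state"])
                   for k in o.keys() & n.keys() if o[k]["state"] != n[k]["state"]}
        report[host] = {"opened": opened, "closed": closed, "changed": changed}
    return report


def suspicious_ports(report, allowlist):
    """Newly open ports that are not on the per-host allowlist of expected services."""
    return {host: [p for p in r["opened"] if p not in allowlist.get(host, set())]
            for host, r in report.items() if r["opened"]}


if __name__ == "__main__":
    report = diff_ports(BASELINE, CURRENT)
    for host, r in report.items():
        print(host, "opened:", r["opened"], "closed:", r["closed"], "changed:", r["changed"])
    # Assumed allowlist: the file-sharing and RPC ports this host is expected to expose.
    expected = {"10.0.0.4": {(135, "tcp"), (139, "tcp"), (445, "tcp")}}
    print("suspicious:", suspicious_ports(report, expected))
```

To use it on real runs, save each Zenmap scan (Scan > Save Scan) or run nmap with -oN and feed the two files' contents to diff_ports. A port that moves from open to filtered is reported both as "closed" (no longer open) and as a state change, because from an inventory point of view the service is gone but from a firewall point of view a rule changed; both are worth a look.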
Note: By default, Nmap performs host discovery and then a port scan against each host it determines to be online.

FIGURE 6.8: The Zenmap main window with the Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the Intense scan profile.

Note: By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

[Figure: Host Details for 10.0.0.4. Host Status: State up; Open ports 9; Filtered ports 0; Closed ports 991; Scanned ports 1000; Last boot Fri Aug 24 09:27:40 2012. Addresses: IPv4 10.0.0.4; IPv6 not available; MAC 00:15:5D:00:07:10. Operating System: Microsoft Windows 7 or Windows Server 2008 SP1]
FIGURE 6.9: The Zenmap main window with the Host Details tab for Intense Scan

14. Click the Scans tab to see the scan details for the provided IP address: the status (Unsaved) and the command (nmap -T4 -A -v 10.0.0.4). From here a scan can be appended, removed or saved.

Note: Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

Note: In Nmap, option -p <port ranges> means scan only the specified ports.

FIGURE 6.10: The Zenmap main window with the Scans tab for Intense Scan

15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.

16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (open/closed). For 10.0.0.4 this is port 5357/tcp, open, Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).

Note: In Nmap, option -F means fast (limited port) scan.

FIGURE 6.11: The Zenmap main window with the Services option for Intense Scan

17. Click the msrpc service to list all the Microsoft Windows RPC endpoints: ports 135, 49152, 49153, 49154, 49155 and 49156/tcp on 10.0.0.4, all open.

Note: In Nmap, option --port-ratio <ratio> (a decimal number between 0 and 1) means scan all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.0.

FIGURE 6.12: The Zenmap main window with the msrpc service for Intense Scan

18. Click the netbios-ssn service to list all NetBIOS session hosts: ports 139 and 445/tcp on 10.0.0.4, both open.

Note: In Nmap, option -r means don't randomize ports.

FIGURE 6.13: The Zenmap main window with the netbios-ssn service for Intense Scan

TASK 2: Xmas Scan

19. Nmap's Xmas scan (-sX) sends a TCP segment to the remote device with the FIN, PSH, and URG flags set, "lighting the packet up like a Christmas tree". Like the FIN and Null scans, it only works against a TCP/IP stack implemented according to RFC 793: such a stack answers a probe to a closed port with a RST and a probe to an open port with silence. Current versions of Microsoft Windows do not follow the RFC here and reply with a RST whether or not the port is open, so an Xmas scan of a Windows host reports every port as closed.

Note: The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.

Note: The option --host-timeout <time> gives up on slow target hosts.

20. Now, to perform an Xmas scan, you need to create a new profile. Click Profile > New Profile or Command (Ctrl+P).

21. On the Profile tab, enter Xmas Scan in the Profile name text field.

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab

22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list. The other TCP scan types offered there are ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT) and Window scan (-sW).

Note: UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

Note: Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, leave "Enable all advanced/aggressive options (-A)" checked, and click Save Changes. The command line becomes nmap -sX -T4 -A -v 10.0.0.4.

Note: You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

24. Enter the IP address in the Target: field, select the Xmas Scan profile from the Profile: drop-down list and click Scan.

Note: In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

FIGURE 6.18: The Zenmap main window with Target and Profile entered

25. Nmap scans the target IP address provided and displays the results on the Nmap Output tab:

Starting Nmap 6.01 (http://nmap.org) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:29
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
Initiating XMAS Scan at 16:29
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
Initiating Service scan at 16:30
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).

Note: When scanning systems compliant with the RFC 793 text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

Note: The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

FIGURE 6.19: The Zenmap main window with the Nmap Output tab

26. Click the Services tab located at the right side of the pane. It displays all the services of that host.

FIGURE 6.20: Zenmap main window with Services tab

TASK 3: Null Scan

27. A Null scan (-sN) sends a TCP segment to the remote host with no flags set (the TCP flag header is 0). Like the Xmas scan, it works only if the target's TCP/IP implementation follows RFC 793.

28. To perform a Null scan for a target IP address, create a new profile. Click Profile > New Profile or Command (Ctrl+P).

Note: The option -sZ (SCTP COOKIE ECHO scan) is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.
FIGURE 6.21: The Zenmap main window with the New Profile or Command option.

29. On the Profile tab, enter the profile name Null Scan in the Profile name text field.

Note: The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab (Profile name: Null Scan; the Description field is a free-text description of what the scan does).

Note: The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

30. Click the Scan tab in the Profile Editor window. Now select the Null scan (-sN) option from the TCP scan: drop-down list.
FIGURE 6.23: The Zenmap Profile Editor with the Scan tab (TCP scan: list open, Null scan (-sN) being selected).

Note: The option -r (Don't randomize ports): by default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile. The command line for the profile is nmap -sN -T4 -A -v 10.0.0.4.

Note: In Nmap, the option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

Note: Disable reverse DNS resolution (-n): never do reverse DNS. This can slash scanning times.

Note: The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.
FIGURE 6.24: The Zenmap Profile Editor with the Scan tab (TCP scan: Null scan (-sN), Non-TCP scans: None, Timing template: Aggressive (-T4)).

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile: drop-down list, and then click Scan.

Note: The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

FIGURE 6.25: The Zenmap main window with Target (10.0.0.4) and Profile (Null Scan) entered.

34. Nmap scans the target IP address and displays the results on the Nmap Output tab:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:47
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:47
Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
Initiating NULL Scan at 16:47
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
Initiating Service scan at 16:47
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.000068s latency).

Note: The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

FIGURE 6.26: The Zenmap main window with the Nmap Output tab.

35. Click the Host Details tab to view the details of the host, such as Host Status, Addresses, Open Ports, and Closed Ports. For 10.0.0.4 it shows State: up, Open ports: 0, Filtered ports: 0, Closed ports: 1000, Scanned ports: 1000, Uptime and Last boot: Not available, IPv4: 10.0.0.4, IPv6: Not available, MAC: 00:15:5D:00:07:10. Every probe drew a RST, which is the Windows behaviour described in step 27, not evidence that the host has no listening services (the Intense scan in the earlier task found 135/tcp, 139/tcp and 445/tcp open on the same host).

FIGURE 6.27: The Zenmap main window with the Host Details tab.

TASK 4: ACK Flag Scan

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered, and a RST response means the port is not filtered. An ACK scan never reports a port as open: an unfiltered port returns RST whether or not a service is listening on it, so the scan only tells you which ports a stateful firewall or packet filter is screening.
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile > New Profile or Command (Ctrl+P).

Note: The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

FIGURE 6.28: The Zenmap main window with the New Profile or Command option.

38. On the Profile tab, enter ACK Flag Scan in the Profile name text field.

Note: The options --min-parallelism <numprobes> and --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.

FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab (Profile name: ACK Flag Scan).

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window and select ACK scan (-sA) from the TCP scan: drop-down list (it is a TCP scan type, as Figure 6.30 shows, not a Non-TCP scan). Select None for the Non-TCP scans: and Timing template: fields and leave the Targets: field empty.
Note: The options --min-rtt-timeout <time>, --max-rtt-timeout <time> and --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab (TCP scan: ACK scan (-sA), Non-TCP scans: None).

40. Now click the Ping tab, check IPProto probes (-PO) to probe the IP address, and then click Save Changes.

Note: The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): when Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.
FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab. Ping options: Don't ping before scanning (-Pn), ICMP ping (-PE), ICMP timestamp request (-PP), ICMP netmask request (-PM), ACK ping (-PA), SYN ping (-PS), UDP probes (-PU), IPProto probes (-PO) and SCTP INIT ping probes (-PY); IPProto probes (-PO) is checked. (-PP sends an ICMP timestamp probe to see if targets are up.)

41. In the Zenmap main window, enter the IP address of the target machine (10.0.0.4 in this lab; the printed step says 10.0.0.3, but every figure and command line in this task uses 10.0.0.4), select ACK Flag Scan from the Profile: drop-down list, and then click Scan. The Command: field reads nmap -sA -PO 10.0.0.4.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered.

Note: The option --host-timeout <time> (Give up on slow target hosts): some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

42. Nmap scans the target IP address and displays the results on the Nmap Output tab.

Note: The options --scan-delay <time> and --max-scan-delay <time> (Adjust delay between probes) cause Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.
The Nmap Output tab shows:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
Nmap scan report for 10.0.0.4
Host is up (0.0000030s latency).
All 1000 scanned ports on 10.0.0.4 are unfiltered
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

FIGURE 6.33: The Zenmap main window with the Nmap Output tab.

43. To view more details regarding the host, click the Host Details tab. "Unfiltered" means every ACK probe was answered with a RST, i.e. nothing between the scanner and 10.0.0.4 is filtering those ports; it says nothing about which ports are open, which is why the Host Details tab leaves the Open, Filtered and Closed port counts empty and only reports Scanned ports: 1000.

Note: The options --min-rate <number> and --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

FIGURE 6.34: The Zenmap main window with the Host Details tab (State: up, Scanned ports: 1000, IPv4: 10.0.0.4, MAC: 00:15:5D:00:07:10).

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
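The Xmas, Null and ACK scans in Tasks 2 to 4 all come down to one probe layout and one decision table: what flags Nmap puts in the TCP header, and how a reply (RST, silence, or an ICMP unreachable from a filter) is turned into the port state printed on the Nmap Output tab. The following example is added here to make that table concrete; it is not code from the CEH lab manual or from Nmap. It builds real TCP probe segments with a valid checksum, but instead of sending them it models two kinds of target stack, one that follows RFC 793 and one that behaves like the Windows host in this lab, so it runs offline without raw sockets or root. The addresses 10.0.0.9/10.0.0.4, the source port and the port numbers are assumptions.

```python
"""Inverse TCP flag scans (Xmas -sX, FIN -sF, Null -sN) and the ACK scan (-sA):
how the probe is built and how Nmap maps the reply to a port state.
Added example for this lab, not CEH or Nmap code.  No packets are sent; the
target stacks are modelled below so the logic runs offline."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag byte Nmap sets in the probe for each scan type.
SCAN_FLAGS = {
    "null": 0,                              # -sN: flag byte is 0
    "fin":  TCP_FIN,                        # -sF
    "xmas": TCP_FIN | TCP_PSH | TCP_URG,    # -sX: FIN, PSH and URG set
    "ack":  TCP_ACK,                        # -sA: maps filters, never finds open ports
}
# ICMP type 3 codes that Nmap reports as "filtered" for these scans.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

SRC_IP, DST_IP, SRC_PORT = "10.0.0.9", "10.0.0.4", 40000   # assumed addresses


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024) -> bytes:
    """20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    return segment[13]


def classify(scan: str, reply) -> str:
    """Port state Nmap prints for one probe.  reply is None (timed out), the
    TCP header of the answer (bytes), or ("icmp", type, code) from a filter."""
    if isinstance(reply, tuple) and reply[0] == "icmp":
        return "filtered" if reply[1] == 3 and reply[2] in FILTERED_ICMP_CODES else "unknown"
    if reply is None:
        return "filtered" if scan == "ack" else "open|filtered"   # silence is ambiguous
    if tcp_flags(reply) & TCP_RST:
        return "unfiltered" if scan == "ack" else "closed"
    return "unknown"


def _reply(probe: bytes, flags: int) -> bytes:
    """Answer from the target: ports swapped, ACK = probe seq + 1."""
    sport, dport, seq = struct.unpack("!HHI", probe[:8])
    return build_tcp_segment(DST_IP, SRC_IP, dport, sport, flags, 0, (seq + 1) & 0xFFFFFFFF)


def rfc793_stack(probe: bytes, port_open: bool):
    """Target that follows RFC 793 (Linux, most BSDs)."""
    f = tcp_flags(probe)
    if f & TCP_RST:
        return None                                  # a RST is never answered
    if not port_open or f & TCP_ACK:
        return _reply(probe, TCP_RST | TCP_ACK)      # closed port, or ACK with no connection
    if f & TCP_SYN:
        return _reply(probe, TCP_SYN | TCP_ACK)
    return None                                      # FIN/Null/Xmas on an open port: dropped


def windows_stack(probe: bytes, port_open: bool):
    """Windows (also many Cisco, BSDI and OS/400 stacks): RST to anything that is
    not a plain SYN, whatever the port state.  This is why the lab's Null scan
    shows 1000 closed ports on 10.0.0.4."""
    f = tcp_flags(probe)
    if f & TCP_RST:
        return None
    if f & TCP_SYN and not f & TCP_ACK and port_open:
        return _reply(probe, TCP_SYN | TCP_ACK)
    return _reply(probe, TCP_RST | TCP_ACK)


def scan_port(scan: str, stack, port_open: bool, dport: int = 445) -> str:
    probe = build_tcp_segment(SRC_IP, DST_IP, SRC_PORT, dport, SCAN_FLAGS[scan], seq=0x1234)
    return classify(scan, stack(probe, port_open))


if __name__ == "__main__":
    for scan in ("xmas", "null", "fin", "ack"):
        for name, stack in (("RFC 793 host", rfc793_stack), ("Windows host", windows_stack)):
            print(f"{scan:4} {name:13} open -> {scan_port(scan, stack, True):14} "
                  f"closed -> {scan_port(scan, stack, False)}")
```

Reading the table the script prints against the lab output: an RFC 793 host makes the Xmas/Null scans useful (silence on open ports, RST on closed), the Windows host turns them into "all 1000 ports closed" exactly as Figure 6.27 shows, and the ACK scan says "unfiltered" for every port on either host whether it is open or not, which is what "All 1000 scanned ports on 10.0.0.4 are unfiltered" in Figure 6.33 means. A filter that silently drops probes is the `None` case for the ACK scan and the ICMP case for any of them.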
Tool/Utility: Nmap
Information Collected/Objectives Achieved:
  Types of scan used: Intense scan, Xmas scan, Null scan, ACK Flag scan
  Intense Scan - Nmap Output:
    ■ ARP Ping Scan - 1 host
    ■ Parallel DNS resolution of 1 host
    ■ SYN Stealth Scan
    ■ Discovered open ports on 10.0.0.4: 135/tcp, 139/tcp, 445/tcp, ...
    ■ MAC Address
    ■ Operating System Details
    ■ Uptime Guess
    ■ Network Distance
    ■ TCP Sequence Prediction
    ■ IP ID Sequence Generation
    ■ Service Info

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze and evaluate the results by scanning a target network using:
   a. Stealth Scan (Half-open Scan)
   b. nmap -P
2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs

Scanning a Network Using the NetScan Tools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals.

Lab Scenario

You have already seen in the previous lab how you can gather information such as ARP ping scan results, MAC address, operating system details, IP ID sequence generation, and service info through the Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap.
An attacker can scan a target without sending a single packet to it from their own IP address: they use a zombie host to perform the scan, and if an intrusion detection report is generated it shows the IP of the zombie host as the attacker. The attacker learns how many packets the zombie has sent since the last probe by checking the IP packet fragment identification number (IP ID). As a penetration tester you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to it: the target machine responds with a SYN/ACK (session request acknowledgement) packet if the port is open and with a RST (reset) if the port is closed. You should also be prepared to block such attacks on the network.

In this lab you will learn to scan a network using NetScan Tools Pro: discover the network and gather information about Internet or local LAN devices, IP addresses, domains, device ports, and many other network specifics.

Lab Objectives

The objective of this lab is to troubleshoot, diagnose, monitor, and discover devices on a network. In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:
■ NetScan Tools Pro, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScan Tools Pro from http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScan Tools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities. NetScan Tools Pro performs the following network scanning functions:
■ Monitoring network device availability
■ Reporting IP addresses, hostnames and domain names, and port scanning

Lab Tasks

TASK 1: Scanning the Network

Install NetScan Tools Pro on your Windows Server 2012. Follow the wizard-driven installation steps.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Note: Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.

FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScanTools Pro app to open the NetScanTools Pro window.

FIGURE 7.2: Windows Server 2012 - Apps

3. If you are using the Demo version of NetScan Tools Pro, click Start the DEMO.

Note: The results database is created in the Results Database Directory; its file name is prefixed with NstProData- and has the extension .db3. No spaces or periods are allowed when entering a new database name.

4. The Open or Create a New Results Database - NetScanTools Pro window appears. NetScanTools Pro automatically saves results in a database, so one is required: create a new Results Database, open a previous Results Database, or use the software in Training Mode with a temporary Results Database (Training Mode Quick Start: press Create Training Mode Database, then Continue). Enter a new database name in Database Name (enter new name here); the figure uses Test.

5. Set a default directory for the database file location (Results Database Directory, C:\Users\Administrator\Documents in the figure) and click Continue.
Note: The same dialog offers Project Name (optional), Analyst Information (optional: Name, Telephone Number, Mobile Number, Organization, Email Address; it can be displayed in reports if desired), Use Last Results Database, and Exit Program. USB version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.

FIGURE 7.3: Setting a new database name for NetScan Tools Pro

6. The NetScan Tools Pro main window appears as shown in the following figure (title bar: test - NetScanTools Pro Demo Version Build 8-17-12 based on version 11.19). The left panel groups the tools as Automated Tools, Manual Tools (all), Favorite Tools, Active Discovery Tools, Passive Discovery Tools, DNS Tools, Packet Level Tools, External Tools and Program Info; the menu bar has File, Edit, Accessibility, View, IPv6 and Help, and F1 opens the local help including Getting Started.

Note: IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006::69 (ipv6.google.com) or ::1 (internal loopback address).

FIGURE 7.4: Main window of NetScan Tools Pro

7. Select Manual Tools (all) in the left panel and click ARP Ping. A window appears with information about the ARP Ping tool: ARP Ping sends ARP packets to a target IPv4 address and can also search for multiple devices sharing the same IP address on your LAN. Use this tool to "ping" an IPv4 address on your subnet using ARP packets; on your LAN it finds the response time of a device to an ARP_REQUEST packet even if the device is hidden and does not respond to regular Ping. ARP Ping requires a target IPv4 address on your LAN. Special feature: identify duplicate IPv4 addresses by "pinging" a specific IPv4 address; if more than one device (two or more MAC addresses) responds, you are shown the MAC address of each of the devices. Right click in the results for a menu with more options. Demo limitations: none.

8. Click OK.

FIGURE 7.5: Selecting the manual tools option

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp.

Note: Send Broadcast ARP, then Unicast ARP first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box. The other modes are Send Broadcast ARP only and Search for Duplicate IP Addresses; Number to Send and Cycle Time (ms) set how many probes go out and how far apart.

The result list has the columns Index, IP Address, MAC Address, Response Time (sec) and Type. For the target 10.0.0.1 the figure shows 15 replies, the first of Type Broadcast and the rest Unicast, with response times between roughly 0.002 and 0.008 seconds.

FIGURE 7.6: Result of ARP Ping
10. Click ARP Scan (MAC Scan) in the left panel. A window appears with information about the ARP Scan tool: use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4 connected devices cannot hide from an ARP scan and must respond with their IP and MAC address. Uncheck the Resolve IPs box for a faster scan completion time. Right click in the results for a menu with more options. Demo limitations: none. Click OK.

Note: ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.

FIGURE 7.7: Selecting the ARP Scan (MAC Scan) option

11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes.

12. Click Do Arp Scan.
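The ARP Ping and ARP Scan tools in steps 7 to 12 are thin front ends over one frame format. The example below is added here to show what they put on the wire and how the result list is derived; it is not NetScanTools' code. It builds Ethernet/ARP request frames in the tool's "Send Broadcast ARP, then Unicast ARP" mode, parses replies into the Index / IP / MAC / Response Time / Type rows, sweeps an address range the way the MAC Scan does, and flags an IPv4 address that two different MACs claim (the duplicate-IP feature the ARP Ping tool advertises). The replies are constructed in-line so it runs offline; a live run needs an AF_PACKET or raw socket and administrator rights. The 10.0.0.x addresses and MAC addresses are assumptions.

```python
"""ARP Ping and ARP Scan (MAC Scan) as the NetScanTools Pro tools do them.
Added example, not NetScanTools' code.  Replies are constructed so it runs
offline; a live run needs a raw/AF_PACKET socket."""
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(src_mac: str, src_ip: str, dst_ip: str, op=ARP_REQUEST, dst_mac: bytes = BROADCAST) -> bytes:
    """Ethernet II frame carrying one ARP packet.  dst_mac is the Ethernet
    destination: ff:ff:ff:ff:ff:ff for a broadcast request, the responder's
    MAC for a unicast follow-up, or the requester's MAC for a reply."""
    sha = mac_bytes(src_mac)
    eth = dst_mac + sha + struct.pack("!H", ETH_P_ARP)
    tha = dst_mac if op == ARP_REPLY else b"\0" * 6   # request leaves the target MAC empty
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, socket.inet_aton(src_ip),
                      tha, socket.inet_aton(dst_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def probe(src_mac, src_ip, target_ip, responder_mac=None) -> bytes:
    """'Send Broadcast ARP, then Unicast ARP': broadcast until some MAC has
    answered, then address later probes straight to that MAC."""
    dst = BROADCAST if responder_mac is None else mac_bytes(responder_mac)
    return build_arp(src_mac, src_ip, target_ip, dst_mac=dst)


def arp_ping(src_mac, src_ip, target_ip, exchange):
    """exchange: one (reply_frame_or_None, rtt_seconds) per probe, as the wire
    delivered them.  Returns rows like the tool's result list:
    (Index, IP Address, MAC Address, Response Time, 'Broadcast'|'Unicast')."""
    rows, responder = [], None
    for i, (reply, rtt) in enumerate(exchange, start=1):
        sent = probe(src_mac, src_ip, target_ip, responder)
        kind = "Broadcast" if sent[:6] == BROADCAST else "Unicast"
        p = parse_arp(reply) if reply else None
        if p and p["op"] == ARP_REPLY and p["sender_ip"] == target_ip:
            responder = p["sender_mac"]
            rows.append((i, p["sender_ip"], p["sender_mac"], round(rtt, 6), kind))
        else:
            rows.append((i, target_ip, "-", None, kind))   # no answer to this probe
    return rows


def ip_range(start_ip, end_ip):
    a, b = (struct.unpack("!I", socket.inet_aton(x))[0] for x in (start_ip, end_ip))
    return [socket.inet_ntoa(struct.pack("!I", n)) for n in range(a, b + 1)]


def arp_scan(src_mac, src_ip, start_ip, end_ip, replies):
    """MAC Scan: one broadcast request per address in the range; map every
    answering IP to the set of MACs that claimed it."""
    ips = ip_range(start_ip, end_ip)
    frames = [probe(src_mac, src_ip, ip) for ip in ips]
    wanted, table = set(ips), {}
    for frame in replies:
        p = parse_arp(frame)
        if p and p["op"] == ARP_REPLY and p["sender_ip"] in wanted:
            table.setdefault(p["sender_ip"], set()).add(p["sender_mac"])
    return frames, table


def duplicates(table):
    """IPs claimed by more than one MAC: a duplicate address or an impostor."""
    return {ip: macs for ip, macs in table.items() if len(macs) > 1}


# Constructed capture, not real traffic: 10.0.0.1 answers from the gateway MAC,
# a second box also claims 10.0.0.1, and 10.0.0.2 answers once.
ME_MAC, ME_IP = "00:15:5d:00:07:10", "10.0.0.7"
GW_MAC, ROGUE_MAC, HOST2_MAC = "00:15:5d:00:07:01", "02:42:ac:11:00:02", "00:15:5d:00:07:02"


def sample_replies():
    def reply(ip, mac):
        return build_arp(mac, ip, ME_IP, ARP_REPLY, mac_bytes(ME_MAC))
    return [reply("10.0.0.1", GW_MAC), reply("10.0.0.1", ROGUE_MAC), reply("10.0.0.2", HOST2_MAC)]


if __name__ == "__main__":
    gw = sample_replies()[0]
    for row in arp_ping(ME_MAC, ME_IP, "10.0.0.1", [(gw, 0.002649), (gw, 0.002318), (None, 0.0)]):
        print(row)
    frames, table = arp_scan(ME_MAC, ME_IP, "10.0.0.1", "10.0.0.10", sample_replies())
    print(len(frames), "requests sent;", table, "duplicates:", duplicates(table))
```

The first probe of `arp_ping` goes to ff:ff:ff:ff:ff:ff and every later one to the MAC that answered, which is the Broadcast/Unicast column in Figure 7.6. `arp_scan` is the MAC Scan: a device with an IPv4 address must answer a request for it, so the returned table is the list in Figure 7.8, and `duplicates` is the check the ARP Ping tool runs in its Search for Duplicate IP Addresses mode.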
Screenshot: ARP Scan (MAC Scan) with Starting IPv4 Address 10.0.0.1; result columns IPv4 Address, MAC Address, I/F Manufacturer, Hostname and Entry Type (local for your own interface, dynamic for the other hosts that answered, e.g. 10.0.0.1, 10.0.0.2 and 10.0.0.7).

The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.

FIGURE 7.8: Result of ARP Scan (MAC Scan)

13. Click DHCP Server Discovery in the left panel. A window will appear with information about the DHCP Server Discovery tool. Click OK.

DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.

About the DHCP Server Discovery Tool: Use this tool to identify the DHCP servers (IPv4 only) on your local network. It shows the IP address and lease being handed out by DHCP. This tool can also find unknown or "rogue" DHCP servers: discovery works by broadcasting a DHCPDISCOVER and listing every server that answers with an offer, so any server ID that is not one of your known DHCP servers deserves immediate investigation.
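What the DHCP Server Discovery tool reports (server IP, offered IP, subnet mask, router, DNS, lease) is all carried in the DHCPOFFER that each server sends back. The block below is an added example, not NetScanTools code: it builds the DHCPDISCOVER a client broadcasts, parses the offers that come back into exactly those fields, and separates offers from an approved server list (an assumption of the example; here only 10.0.0.1) from rogue ones that answered the same transaction. The offers are constructed inline with the values from this lab (10.0.0.1 offering 10.0.0.7 with mask 255.255.255.0 and a 3-day lease) plus an invented rogue at 10.0.0.99, so nothing is sent on the wire; in practice you would send `build_discover()` from UDP port 68 to 255.255.255.255:67 and feed every datagram received on port 68 to `classify_offers`.

```python
import os
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51
OPT_MSGTYPE, OPT_SERVER_ID, OPT_PARAMS, OPT_END = 53, 54, 55, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"        # the 236-byte BOOTP fixed header


def _options(pairs):
    return b"".join(bytes([code, len(val)]) + val for code, val in pairs) + bytes([OPT_END])


def build_discover(client_mac, xid=None):
    """DHCPDISCOVER as a client broadcasts it (UDP 68 -> 255.255.255.255:67)."""
    if xid is None:
        xid = int.from_bytes(os.urandom(4), "big")
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast reply
                         zero4, zero4, zero4, zero4,
                         client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    opts = [(OPT_MSGTYPE, bytes([DHCPDISCOVER])),
            (OPT_PARAMS, bytes([OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE]))]
    return header + DHCP_MAGIC + _options(opts)


def parse_dhcp(pkt):
    """Fixed header plus the options a discovery tool reports."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid, _, _, _ciaddr, yiaddr, _siaddr, _giaddr = struct.unpack("!BBBBIHH4s4s4s4s", pkt[:28])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                              # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    ip = socket.inet_ntoa
    dns = opts.get(OPT_DNS, b"")
    return {"op": op, "xid": xid,
            "type": opts[OPT_MSGTYPE][0] if OPT_MSGTYPE in opts else None,
            "offered_ip": ip(yiaddr),
            "server_id": ip(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
            "subnet_mask": ip(opts[OPT_SUBNET]) if OPT_SUBNET in opts else None,
            "router": ip(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None,
            "dns": [ip(dns[k:k + 4]) for k in range(0, len(dns) - len(dns) % 4, 4)],
            "lease_seconds": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None}


def classify_offers(raw_offers, approved_servers, xid):
    """Split the DHCPOFFERs answering our xid into (trusted, rogue) by server id."""
    trusted, rogue = [], []
    for raw in raw_offers:
        o = parse_dhcp(raw)
        if o["op"] != BOOTREPLY or o["type"] != DHCPOFFER or o["xid"] != xid:
            continue                                 # not an offer for this transaction
        (trusted if o["server_id"] in approved_servers else rogue).append(o)
    return trusted, rogue


def sample_offer(xid, server_ip, offered_ip, router, dns, mask="255.255.255.0", lease=259200):
    """Constructed DHCPOFFER (not a capture) so the parser can be exercised offline."""
    a = socket.inet_aton
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER, BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                         zero4, a(offered_ip), a(server_ip), zero4,
                         b"\x00" * 16, b"\x00" * 64, b"\x00" * 128)
    opts = [(OPT_MSGTYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, a(server_ip)),
            (OPT_SUBNET, a(mask)), (OPT_ROUTER, a(router)), (OPT_DNS, a(dns)),
            (OPT_LEASE, struct.pack("!I", lease))]
    return header + DHCP_MAGIC + _options(opts)
```

The transaction-id check matters: a listener that accepts any DHCPOFFER it sees would also count offers meant for other clients, while matching on `xid` keeps the result to the servers that actually answered your probe. The rogue offer in the test hands out itself as router and DNS, which is the "fraudulent TCP/IP configuration" attack described in the next lab's scenario.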
Don't forget to right-click the results for a menu with more options. Demo limitations: none.

FIGURE 7.9: Selecting DHCP Server Discovery Tool option

14. Select all the Discover Options check boxes and click Discover DHCP Servers.

NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.

Screenshot: DHCP Server Discovery run from the interface with IP address 10.0.0.7 (Interface Description: Hyper-V Virtual Ethernet Adapter #2), with the Discover Options Hostname, Subnet Mask, Domain Name, Router, DNS Servers and NTP Servers checked. Result: DHCP Server IP 10.0.0.1, Server Hostname 10.0.0.1, Offered IP 10.0.0.7, Offered Subnet Mask 255.255.255.0, lease time 3 days.

FIGURE 7.10: Result of DHCP Server Discovery

15. Click Ping Scanner in the left panel.
A window will appear with information about the Ping Scanner tool. Click OK.

Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.

About the Ping Scanner (aka NetScanner) Tool: Use this tool to ping a range or list of IPv4 addresses. It shows you which computers are active within the range (but they have to respond to ping). To see all devices in your subnet, including those blocking ping, use the ARP Scan tool instead. You can import a text list of IPv4 addresses to ping. Don't miss this special feature: use Do SMB/NBNS Scan to get NetBIOS responses from unprotected Windows computers. Don't forget to right-click the results for a menu with more options. Demo limitations: Packet Delay (the time between sending each ping) has a lower limit of 50 milliseconds; it can be as low as 0 ms in the full version, so the full version is a bit faster.

FIGURE 7.11: Selecting Ping Scanner option

16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes.

17. Click Start.
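A ping sweep like the one started in step 17 sends an ICMP Echo Request to every address and sorts the answers: an Echo Reply with your identifier means "up", while Destination Unreachable or Time Exceeded messages come from a router and quote your original probe, so they must be attributed to the host you probed rather than to the router that sent them. The following added example (not NetScanTools code, standard library only) builds the requests with the RFC 1071 checksum, verifies the checksum of what comes back, and performs that attribution. The replies are constructed inline (the addresses are those of this lab plus made-up unreachable hosts); sending real probes needs a raw ICMP socket and administrator rights, which the example does not attempt.

```python
import socket
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


def inet_checksum(data):
    """RFC 1071 ones-complement sum; it verifies to 0 over a message whose
    checksum field is already filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_message(msg_type, code, rest):
    """ICMP header (type, code, checksum) + 'rest' (4 type-specific bytes + body)."""
    raw = struct.pack("!BBH", msg_type, code, 0) + rest
    return struct.pack("!BBH", msg_type, code, inet_checksum(raw)) + rest


def build_echo_request(ident, seq, payload=b"NetScanner"):
    return icmp_message(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + payload)


def parse_icmp(pkt):
    """ICMP message (IP header already stripped) -> dict, or None if short or corrupted."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:
        return None
    msg_type, code, _csum, a, b = struct.unpack("!BBHHH", pkt[:8])
    msg = {"type": msg_type, "code": code, "payload": pkt[8:]}
    if msg_type in (ECHO_REQUEST, ECHO_REPLY):
        msg["ident"], msg["seq"] = a, b
    return msg


def classify_replies(ident, replies):
    """replies: (source_ip, icmp_bytes) pairs.  Returns {probed_ip: status}.
    Router errors quote the first bytes of our probe, so the status is attributed
    to the destination we probed, not to the router reporting the error."""
    status = {}
    for src, raw in replies:
        m = parse_icmp(raw)
        if m is None:
            continue
        if m["type"] == ECHO_REPLY and m.get("ident") == ident:
            status[src] = "up"
        elif m["type"] in (DEST_UNREACH, TIME_EXCEEDED):
            q = m["payload"]                          # quoted IP header + 8 bytes of our probe
            if len(q) < 28:
                continue
            ihl = (q[0] & 0x0F) * 4
            probed = socket.inet_ntoa(q[16:20])       # destination of the quoted datagram
            q_type, _, _, q_ident = struct.unpack("!BBHH", q[ihl:ihl + 6])
            if q_type == ECHO_REQUEST and q_ident == ident:
                what = "unreachable (code %d)" % m["code"] if m["type"] == DEST_UNREACH else "ttl expired"
                status[probed] = "%s via %s" % (what, src)
    return status


def sample_error(msg_type, code, probe_src, probe_dst, probe):
    """Constructed router error (Destination Unreachable / Time Exceeded) quoting a probe."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(probe), 0, 0, 64, 1, 0,
                         socket.inet_aton(probe_src), socket.inet_aton(probe_dst))
    return icmp_message(msg_type, code, b"\x00" * 4 + ip_hdr + probe[:8])
```

Checking the identifier in both the reply and the quoted probe is what keeps a sweep from being polluted by unrelated ICMP traffic (other tools' pings, or errors caused by someone else's packets) that happens to arrive during the scan.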
Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream Internet provider(s) that service a network-connected device.

Screenshot: Ping Scanner with Start IP 10.0.0.1 and End IP 10.0.0.50, Use Default System DNS selected. Results (Target IP, Hostname, Status): 10.0.0.2 WIN-MSSELCK4K41, 10.0.0.5 WIN-LXQN3WR3R9M and 10.0.0.7 WIN-D39MR5HL9E4 all reported Echo Reply, plus 10.0.0.1 (hostname not resolved). Additional Scan Tests available: Do ARP Scan, Do SMB/NBNS Scan, Do Subnet Mask Scan.

FIGURE 7.12: Result of scanned IP addresses

18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK.

Enhanced Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query.

About the Port Scanner Tool: NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER'S PERMISSION TO SCAN. Use this tool to scan a target for TCP or UDP ports that are listening. Types of scanning supported: Full Connect TCP Scan (see notes below),
UDP Port Unreachable Scan, combined TCP Full Connect and UDP scan, TCP SYN only scan, and TCP Other scan. Don't miss this special feature: after a target has been scanned, an analysis window opens in your default web browser. Don't forget to right-click the results for a menu with more options.

Notes: settings that strongly affect scan speed: Connect Timeout (use 200 ms or less on a fast network with nearby computers, and more on a slow or distant connection; a timeout that is too short reports open ports as not responding) and Wait After Connect (how long each port test waits after the connection is established for the service to send data before deciding that it will stay silent; try 0, then try a larger value, and notice the difference). Demo limitations: none.

FIGURE 7.13: Selecting Port Scanner option

19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports Only radio button.

20. Click Scan Range of Ports.

Screenshot: Port Scanner with Target Hostname or IP Address 10.0.0.1, scan type TCP Ports Only (alternatives: UDP Ports Only, TCP+UDP Ports, TCP SYN, TCP Other), the option Show All Scanned Ports, Active or Not, and the Scan Range of Ports / Scan Common Ports buttons.
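The two timings called out in the Port Scanner notes, Connect Timeout and Wait After Connect, are the whole story of a full-connect TCP scan: the first decides how long to wait for a SYN/ACK or RST, the second how long to wait for a banner once connected. The following added example (not NetScanTools code, Python standard library only) implements such a scan with both knobs and a thread pool, and distinguishes the three outcomes a connect scan can observe: open (connection accepted), closed (RST, i.e. connection refused) and filtered (no answer before the timeout). So that it runs offline, the target is a constructed local listener that greets with an invented SMTP-style banner; point `scan_range` at 10.0.0.1 instead to reproduce step 20.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, connect_timeout=0.2, wait_after_connect=0.2):
    """Full connect to one port.  Returns (port, state, banner) with state
    open / closed (RST received) / filtered (no answer before the timeout)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(connect_timeout)                 # 'Connect Timeout'
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return port, "closed", b""
    except OSError:                               # timeout, host unreachable, ...
        s.close()
        return port, "filtered", b""
    banner = b""
    try:
        s.settimeout(wait_after_connect)          # 'Wait After Connect'
        banner = s.recv(256)
    except OSError:
        pass                                      # open, but silent within the wait
    finally:
        s.close()
    return port, "open", banner


def scan_range(host, first, last, workers=32, **timing):
    """Scan first..last inclusive in parallel; returns {port: (state, banner)}."""
    ports = range(first, last + 1)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_tcp(host, p, **timing), ports))
    return {port: (state, banner) for port, state, banner in results}


def open_ports(results):
    return sorted(p for p, (state, _) in results.items() if state == "open")


def start_listener(banner=b"220 demo-smtp ESMTP ready\r\n"):
    """Constructed target: a local TCP service on an ephemeral port that greets
    each client with a banner.  Returns (server_socket, port); closing the socket
    stops the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                            # listener closed
            try:
                conn.sendall(banner)
            except OSError:
                pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_listener()
    found = scan_range("127.0.0.1", port - 5, port + 5)
    for p in open_ports(found):
        print("%d/tcp open  %r" % (p, found[p][1]))
    srv.close()
```

A full connect completes the TCP handshake, so every probe is visible to the target's service logs and connection-tracking firewalls; that is the trade-off against the SYN-only scan the tool also offers, which needs raw sockets but never completes the handshake.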
Screenshot: Port Scanner results for 10.0.0.1 (columns: Port, Port Description, Protocol, Result, Data Received), e.g. port 80 http TCP, Result: Port Active; Connect Timeout set to 1000 (1000 = 1 second).

FIGURE 7.14: Result of Port Scanner

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: NetScanTools Pro
Information Collected/Objectives Achieved:
  ARP Scan Results: IPv4 Address, MAC Address, I/F Manufacturer, Hostname, Entry Type, Local Address
  Information for Discovered DHCP Servers:
    IPv4 Address: 10.0.0.7
    Interface Description: Hyper-V Virtual Ethernet Adapter #2
    DHCP Server IP: 10.0.0.1
    Server Hostname: 10.0.0.1
    Offered IP: 10.0.0.7
    Offered Subnet Mask: 255.255.255.0

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does NetScanTools Pro support proxy servers or firewalls?

Internet Connection Required: Yes [ ]  No [x]
Platform Supported: Classroom [x]  iLabs [x]

Drawing Network Diagrams Using LANSurveyor

LANSurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

An attacker can gather information from ARP scans, DHCP server discovery, etc. using NetScanTools Pro, as you learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network and disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration. The legitimate server does not even have to be compromised: an attacker on the same segment can run a rogue DHCP server that answers clients' DHCPDISCOVER broadcasts before the real one does, which is why DHCP snooping on the switches (only trusted ports may send DHCP offers) is the standard countermeasure.

In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester, you need to discover network topology and produce comprehensive network diagrams for discovered networks.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network. In this lab, you need to:

■ Draw a map showing the logical connectivity of your network and navigate around the map
■ Create a report that includes all your managed switches and hubs
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:

■ LANSurveyor, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor
■ You can also download the latest version of LANSurveyor from http://www.solarwinds.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the LANSurveyor tool

Lab Duration

Time: 10 Minutes

Overview of LANSurveyor

SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.

Lab Tasks

TASK 1: Draw Network Diagram

Install LANSurveyor on your Windows Server 2012. Follow the wizard-driven installation steps and install LANSurveyor.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the LANSurveyor app to open the LANSurveyor window.
LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.

FIGURE 8.2: Windows Server 2012 - Apps

3. Review the limitations of the evaluation software and then click Continue with Evaluation.

LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)

FIGURE 8.3: LANSurveyor evaluation window

4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network.

LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember that switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.

Getting Started with LANsurveyor. What you can do with LANsurveyor: Scan and map Layer 1, 2, 3 network topology; Export maps to Microsoft Visio; Continuously scan your network automatically (once saved, a custom map can be used in SolarWinds network and application management software). Watch a video to learn more. thwack LANsurveyor forum: thwack is a community site providing SolarWinds users with useful information,
tools and valuable resources. Online Manual: for additional help on using LANsurveyor, read the LANsurveyor Administrator Guide. Evaluation Guide: the LANsurveyor Evaluation Guide provides an introduction to LANsurveyor features and instructions for installing, configuring, and using LANsurveyor. Support: the SolarWinds Support web site offers a comprehensive set of tools to help you manage and maintain your SolarWinds applications.

FIGURE 8.4: Getting Started with LANSurveyor Wizard

5. The Create A New Network Map window appears. To draw a network diagram, enter the IP address range in Begin Address and End Address, and click Start Network Discovery.

Screenshot: Create A New Network Map. Network Parameters: Begin Address 10.0.0.1, End Address 10.0.0.254; Hops (following router hops requires SNMP router access). Routers, Switches and Other SNMP Device Discovery: SNMPv1 Devices with SNMPv1 Community String(s) "public, private"; SNMPv2c Devices with SNMPv2c Community String(s) "public, private"; SNMPv3 Devices (SNMPv3 Options). Other IP Service Discovery: LANsurveyor Responders (with Responder Password), ICMP ping, NetBIOS, Active Directory DCs, SIP. Mapping Speed: Faster / Slower. Configuration Management: Save Discovery Configuration / Load Discovery Configuration. Note that the community strings pre-filled here are the factory defaults ("public" is conventionally read-only, "private" read-write); if your devices answer to them, an attacker's discovery tool obtains the same topology data, so change them or move to SNMPv3 with authentication.

LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.
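The SNMP part of the discovery configured in step 5 consists of sending an SNMPv1 GetRequest with each listed community string to every address and keeping the ones that answer; the first object asked for is typically sysName.0 (1.3.6.1.2.1.1.5.0), which is how a mapper learns node names such as WIN-D39MR5HL9E4. The block below is an added example, not SolarWinds code: it BER-encodes that GetRequest by hand with the Python standard library and decodes the GetResponse into the community, request id, error status and OID/value pairs. The response it parses is constructed in-process, so no agent is contacted; to probe a real device you would `sendto()` the request bytes over UDP to port 161 and pass the datagram you receive to `parse_response`. A request whose community is not accepted is simply never answered, so the absence of a response within a timeout is the "wrong community" signal.

```python
import struct

SEQ, INT, OCTSTR, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SNMP_V1 = 0
SYS_NAME = "1.3.6.1.2.1.1.5.0"


def _length(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def enc_int(value):
    return tlv(INT, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def enc_oid(dotted):
    """First two arcs share one byte (40*a + b); later arcs are base-128, high bit = more."""
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, i):
    """Return (tag, body, index_after) for the TLV starting at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n


def build_get_request(community, oid=SYS_NAME, request_id=1):
    """SNMPv1 GetRequest for one OID; send it as a UDP datagram to port 161."""
    varbinds = tlv(SEQ, tlv(SEQ, enc_oid(oid) + tlv(NULL, b"")))
    pdu = tlv(GET_REQUEST, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(SEQ, enc_int(SNMP_V1) + tlv(OCTSTR, community.encode()) + pdu)


def parse_response(msg):
    """Decode a GetResponse into community, request_id, error_status and {oid: value}."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQ:
        raise ValueError("not an SNMP message")
    _, _version, i = _read_tlv(body, 0)
    _, community, i = _read_tlv(body, i)
    pdu_tag, pdu, _ = _read_tlv(body, i)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, i = _read_tlv(pdu, 0)
    _, err, i = _read_tlv(pdu, i)
    _, _idx, i = _read_tlv(pdu, i)
    _, vbl, _ = _read_tlv(pdu, i)
    values, i = {}, 0
    while i < len(vbl):
        _, vb, i = _read_tlv(vbl, i)
        _, oid, j = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, j)
        if vtag == OCTSTR:
            val = val.decode("utf-8", "replace")
        elif vtag == INT:
            val = int.from_bytes(val, "big", signed=True)
        values[dec_oid(oid)] = val
    return {"community": community.decode("utf-8", "replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "values": values}


def sample_response(community, request_id, sysname):
    """Constructed agent reply (not a capture) so the parser can be exercised offline."""
    varbinds = tlv(SEQ, tlv(SEQ, enc_oid(SYS_NAME) + tlv(OCTSTR, sysname.encode())))
    pdu = tlv(GET_RESPONSE, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(SEQ, enc_int(SNMP_V1) + tlv(OCTSTR, community.encode()) + pdu)
```

Seeing the whole request in 40 bytes makes the security point concrete: the community string travels in clear text inside the message, so anyone who can sniff the discovery traffic learns it, and SNMPv1/v2c offer nothing better; SNMPv3 with authPriv is the fix, not a longer community string.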
FIGURE 8.5: New Network Map window

6. The mapping process for the entered IP address range is displayed as shown in the following figure.

Screenshot: Mapping Progress: Searching for IP nodes, Hop 0: 10.0.0.1 - 10.0.0.254; counters for SNMP Sends, SNMP Receipts, ICMP Ping Sends, ICMP Receipts, Subnets Mapped, Nodes Mapped, Routers Mapped and Switches Mapped; Last Node Contacted: WIN-D39MR5HL9E4.

LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2 (for example, a switch connecting multiple, non-consecutive VLANs).

FIGURE 8.6: Mapping progress window

7. LANsurveyor displays the map of your network.

LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.

Screenshot: SolarWinds LANsurveyor - [Map 1]. Map tree: Network Segments (1): 10.0.0.0 - 10.0.0.255; IP Addresses (4); Domain Names (4); Node Names (4), including WIN-MSSELCK4K41, WIN-LXQN3WR3R9M and WIN-D39MR5HL9E4; IP Routers; LANsurveyor Responder Nodes; SNMP Nodes; SNMP Switches/Hubs; SIP (VoIP) Nodes; Layer 2 Nodes; Active Directory DCs; Groups.

FIGURE 8.7: Resulting network diagram

Lab Analysis

Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.
Tool/Utility: LANSurveyor
Information Collected/Objectives Achieved:
  IP address range: 10.0.0.1 - 10.0.0.254
  IP Node Details:
    SNMP Sends - 62
    ICMP Ping Sends - 31
    ICMP Receipts - 4
    Nodes Mapped - 4
  Network Segment Details:
    IP Addresses - 4
    Domain Names - 4
    Node Names - 4

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does LANSurveyor map every IP address to its corresponding switch or hub port?
2. Can nodes connected via wireless access points be detected and mapped?

Internet Connection Required: Yes [ ]  No [x]
Platform Supported: Classroom [x]  iLabs [x]

Mapping a Network Using Friendly Pinger

Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

In the previous lab, you found the SNMP, ICMP ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker gets hold of this information, he or she can disrupt your network using SNMP: with the default read-only community name public they can list the interfaces of a router, and with a read-write community (private by default on many devices) they can set those interfaces administratively down. SNMP MIBs also include information about the identity of the agent's host (system name and description, contacts, routing and ARP tables), and an attacker can take advantage of this information to plan an attack. Using ICMP reconnaissance an attacker can also determine the topology of the target network, for example from the ICMP "Time exceeded" and "Destination unreachable" messages returned by intermediate routers.
Forged copies of these ICMP error messages are also an attack in their own right: a host that trusts a spoofed Destination Unreachable may abort an established TCP connection immediately (RFC 5927 describes these ICMP attacks against TCP and their mitigations). As an expert network administrator and penetration tester, you need to discover network topology, produce comprehensive network diagrams for the discovered networks, and block attacks by deploying firewalls on the network to filter unwanted traffic. You should block SNMP (UDP ports 161 and 162) at border routers or firewalls, inbound as well as outgoing, and replace default community strings. In this lab, you will learn to map a network using the tool Friendly Pinger.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network. In this lab, you need to:

■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made to the network topology
■ Perform inventory management for hardware and software assets

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To perform the lab, you need:

■ Friendly Pinger, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from http://www.kilievich.com/fpinger/download.htm
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool

Lab Duration

Time: 10 Minutes

Overview of Network Mapping

Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover the servers and operating systems running on networks.
This technique detects new devices and modifications made to the network topology, and lets you perform inventory management for hardware and software assets. Friendly Pinger performs the following to map the network:

■ Monitors the availability of network devices
■ Notifies you if any server comes up or goes down
■ Pings all devices in parallel at once
■ Audits the hardware and software components installed on the computers over the network

Lab Tasks

1. Install Friendly Pinger on your Windows Server 2012.
2. Follow the wizard-driven installation steps and install Friendly Pinger.

TASK 1: Draw Network Map

3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 9.1: Windows Server 2012 - Desktop view

4. Click the Friendly Pinger app to open the Friendly Pinger window.

You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.

Friendly Pinger will display the IP address of your computer and will offer an exemplary range of IP addresses for scanning.

FIGURE 9.2: Windows Server 2012 - Apps

5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.

6. Click No.

To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear.
In the process of determining the intermediate addresses, they are displayed as a list in this window and the route is drawn as red arrows on the map.

Screenshot: Friendly Pinger [Demo.map] main window with the demonstration map (Internet, Mail Server, Shortcut, Server, Workstation, Windows Station) and the hint "click the client area to add a new device".

FIGURE 9.3: FPinger Main Window

7. Select File from the menu bar and select the Wizard option.

Scanning allows you to learn a lot about your network. Thanks to its technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network.

The map occupies most of the window. Right-click it; in the context menu that appears, select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.

FIGURE 9.4: FPinger Starting Wizard

8.
To create the initial map of the network, type a range of IP addresses in the specified field as shown in the following figure, and click Next.

Screenshot: Wizard. Local IP address: 10.0.0.7. "The initial map will be created by querying the DNS server for information about the following IP addresses: 10.0.0.1-20. You can specify a more exact range to speed up this operation, for example 10.129-135.1-5.1-10. Timeout: 1000. A smaller timeout speeds up the search, but you can miss some addresses."

The device is displayed as an animated picture if it answers ping, and as a black-and-white picture if it does not.

FIGURE 9.5: FPinger Initializing IP address range

9. The wizard then scans the IP addresses in the network and lists them.

10. Click Next.

Screenshot: Wizard results (IP address, Name): 10.0.0.2 WIN-MSSELCK4K41; 10.0.0.3 Windows8; 10.0.0.5 WIN-LXQN3WR3R9M; 10.0.0.7 WIN-D39MR5HL9E4. "The inquiry is completed. 4 devices found. Remove the tick from devices which you don't want to add to the map."

Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.

FIGURE 9.6: FPinger Scanning of Addresses completed

11. Keep the default options in the Wizard selection windows and click Next.

Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name System) server.
Screenshot: Wizard. Devices type: Workstation. Address: Use IP-address / Use DNS-name (selected); Remove DNS suffix. Add devices to the new map / Add devices to the current map (selected).

FIGURE 9.7: FPinger selecting the Devices type

12. The client area then displays the network map in the FPinger window.

If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. The same applies to the proxy server.

FIGURE 9.8: FPinger Client area with Network architecture

13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar and click Scan.

You may download the latest release from http://www.kilievich.com/fpinger.

Select File | Options, and configure Friendly Pinger to your taste.

FIGURE 9.9: FPinger Scanning the computers in the Network

14. It displays the scanned details in the Scanning wizard.

Screenshot: Scanning (Service, Computer, Command): HTTP, WIN-MSSELCK4K41, http://WIN-MSSELCK4K41; HTTP, WIN-D39MR5HL9E4, http://WIN-D39MR5HL9E4.

Double-click the device to open it in Explorer.
Scanning complete.

FIGURE 9.10: FPinger Scanned results

Audit the software and hardware components installed on the computers over the network.

Track user access and files opened on your computer via the network.

15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer.

FIGURE 9.11: FPinger Inventory tab

16. The General tab of the Inventory window shows the computer name and installed operating system.

Screenshot: Inventory, WIN-D39MR5HL9E4, General tab. Computer/User: Host name WIN-D39MR5HL9E4; User name Administrator; Windows Name: Windows Server 2012 Release Candidate Datacenter; Service pack; Collection time 8/22/2012 11:22:34 AM.

Assignment of external commands (like telnet, tracert, net.exe) to devices.

FIGURE 9.12: FPinger Inventory wizard General tab

17. The Misc tab shows the network IP addresses, MAC addresses, file system, and size of the disks.

Search for HTTP, FTP, e-mail and other network services.
FIGURE 9.13: FPinger Inventory wizard Misc tab (Network IP addresses: 10.0.0.7; MAC addresses: D4-BE-D9-C3-CE-2D; Total space: 465.42 Gb; Free space: 382.12 Gb; Display settings: 1366x768, 60 Hz, True Color (32 bit); Disk C: Fixed, 15.73 Gb free of 97.31 Gb, NTFS; Disk D: Fixed, 96.10 Gb free of 97.66 Gb, NTFS)

Function "Create Setup" allows you to create a lite freeware version with your maps and settings.

18. The Hardware tab shows the hardware component details of your networked computers.

FIGURE 9.14: FPinger Inventory wizard Hardware tab (4x Intel Pentium III Xeon 3093; Memory: 4096 Mb; BIOS: AT/AT COMPATIBLE, DELL; Monitors: Generic PnP Monitor; Display adapters: Intel(R) HD Graphics Family; Disk drives: ST3500413AS; Network adapters: Realtek PCIe GBE Family Controller; SCSI and RAID controllers: Microsoft Storage Spaces Controller)

19. The Software tab shows the installed software on the computers.

FIGURE 9.15: FPinger Inventory wizard Software tab (columns: Name, Version, Developer, Homepage; installed software includes Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting, and Microsoft Office 2010 components)

Visualization of your computer network as a beautiful animated screen.

Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Friendly Pinger
Information Collected/Objectives Achieved:
  IP address range: 10.0.0.1 - 10.0.0.20
  Found IP addresses:
  ■ 10.0.0.2
  ■ 10.0.0.3
  ■ 10.0.0.5
  ■ 10.0.0.7
  Details (Result of 10.0.0.7):
  ■ Computer name
  ■ Operating system
  ■ IP Address
  ■ MAC address
  ■ File system
  ■ Size of disk
  ■ Hardware information
  ■ Software information

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs

Lab: Scanning a Network Using the Nessus Tool

Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.

Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications, ping information, track user access via the network, view graphical traceroutes, etc. Once attackers have information about the network devices, they can use it as an entry point into the network for a comprehensive attack and perform many types of attacks, ranging from DoS attacks to unauthorized administrative access. If attackers are able to obtain traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall. If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. It is also very important that you use some methodology to detect such rogue devices on the network.

As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.

Lab Objectives
This lab will give you experience in scanning the network for vulnerabilities and show you how to use Nessus.
It will teach you how to:
■ Use the Nessus tool
■ Scan the network for vulnerabilities

Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To carry out the lab, you need:
■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool

Lab Duration
Time: 20 Minutes

Overview of Nessus Tool
Nessus is public domain software released under the GPL.

Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.

Lab Tasks
TASK 1: Nessus Installation
1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus.
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears; click Run.
FIGURE 10.1: Open File - Security Warning

Nessus is designed to automate the testing and discovery of known security problems.

4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions. Click Next.

The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.

FIGURE 10.2: The Nessus installation window

5. Before you begin installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.

Nessus has the ability to test SSLized services such as http, smtps, imaps and more.
Nessus security scanner includes NASL (Nessus Attack Scripting Language).

FIGURE 10.3: The Nessus InstallShield Wizard

7. Select a destination folder and click Next.

Nessus gives you the choice of performing a regular nondestructive security audit on a routine basis.

FIGURE 10.4: The Nessus InstallShield Wizard

8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.

Nessus probes a range of addresses on a network to determine which hosts are alive.

FIGURE 10.5: The Nessus InstallShield Wizard for Setup Type

9. The Nessus wizard will prompt you to confirm the installation. Click Install.
Nessus probes network services on each host to obtain banners that contain software and OS version information.

FIGURE 10.6: Nessus InstallShield Wizard

10. Once installation is complete, click Finish.

Path of the Nessus home directory for Windows: \Program Files\Tenable\Nessus

FIGURE 10.7: Nessus InstallShield wizard

Nessus Major Directories
The major directories of Nessus are shown in the following table.

TABLE 10.1: Nessus Major Directories
Nessus Home Directory (Windows): \Program Files\Tenable\Nessus
Nessus Sub-Directories               Purpose
\conf                                Configuration files
\data                                Stylesheet templates
\nessus\plugins                      Nessus plugins
\nessus\users\<username>\kbs         User knowledgebase saved on disk
\nessus\logs                         Nessus log files

During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required.

11. After installation, Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.
FIGURE 10.8: Nessus SSL certification (welcome page text: You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or you can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.)

13. Click OK in the Security Alert pop-up, if it appears.

The Nessus Server Manager used in Nessus 4 has been deprecated.

FIGURE 10.9: Internet Explorer Security Alert

14. Click the Continue to this website (not recommended) link to continue.

FIGURE 10.10: Internet Explorer website's security certificate (the browser reports that the certificate was not issued by a trusted certificate authority and was issued for a different website's address, and that such problems may indicate an attempt to fool you or intercept data you send to the server)

15. Click OK in the Security Alert pop-up, if it appears.
Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers.

FIGURE 10.11: Internet Explorer Security Alert

16. The Thank you for installing Nessus screen appears. Click the Get Started > button.

...warning, a custom certificate for your organization must be used.

FIGURE 10.11: Nessus Getting Started

17. In Initial Account Setup, enter the credentials given at the time of registration and click Next >.

FIGURE 10.12: Nessus Initial Account Setup (setup page text: First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration. Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the root (or administrator) user on the remote host.)

18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.
19. Click the Using Nessus at Home icon in Obtain an Activation Code >.

If you are using the Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.

FIGURE 10.13: Nessus Obtaining Activation Code

20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.
FIGURE 10.14: Nessus Subscription Agreement

21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.

If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.
FIGURE 10.15: Nessus Registering HomeFeed

22. The Thank You for Registering window appears for Tenable Nessus HomeFeed. The page confirms that an email containing the activation code has been sent to the address you provided, and notes that the Tenable Nessus HomeFeed is available for home use only; to use Nessus at your place of business, you must purchase the Nessus ProfessionalFeed.

After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.
FIGURE 10.16: Nessus Registration Completed

23. Now log in to your email for the activation code provided at the time of registration, as shown in the following figure.

FIGURE 10.17: Nessus Registration mail

24. Now enter the activation code received at your email ID and click Next.

FIGURE 10.18: Nessus Applying Activation Code (Plugin Feed Registration page text: As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code. To use Nessus at your workplace, purchase a commercial ProfessionalFeed. To use Nessus in a non-commercial home environment, you can get a HomeFeed for free. Tenable SecurityCenter users: enter 'SecurityCenter' in the field below. To perform offline plugin updates, enter 'offline' in the field below.)

Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.

25. The Registering window appears as shown in the following screenshot.

FIGURE 10.19: Nessus Registering Activation Code

26. After successful registration, click Next: Download plugins > to download the Nessus plugins.

Nessus server configuration is managed via the GUI. The nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.

FIGURE 10.20: Nessus Downloading Plugins

27. Nessus will start fetching the plugins and install them; fetching the plugins and initializing takes some time.

FIGURE 10.21: Nessus fetching the newest plugin set

28. The Nessus Log In page appears. Enter the Username and Password given at the time of registration and click Log In.

TASK 2: Network Scan Vulnerabilities

For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.

FIGURE 10.22: The Nessus Log In screen

29. The Nessus HomeFeed window appears. Click OK.

FIGURE 10.23: Nessus HomeFeed subscription

30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.

To add a new policy, click Policies > Add Policy.

FIGURE 10.24: The Nessus main screen

31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.

New policies are configured using the Credentials tab.

FIGURE 10.25: The Nessus administrator view

32. To add a new policy, click Policies > Add Policy.
Fill in the General policy sections, namely, Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.

WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.

FIGURE 10.26: Adding Policies

33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.

The most effective credentialed scans are those for which the supplied credentials have root privileges.

FIGURE 10.27: Adding Policies and setting Credentials

34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.

If you are using Kerberos, you must configure a Nessus scanner to authenticate to a KDC.

FIGURE 10.28: Adding Policies and selecting Plugins

35. To configure preferences, click the Preferences tab in the left pane of Add Policy.
36. In the Plugin field, select Database settings from the drop-down list.
If the policy is successfully added, then the Nessus server displays the message.

37. Enter the Login details given at the time of registration.
38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.
39. Click Submit.

FIGURE 10.29: Adding Policies and setting Preferences

40. A message Policy "NetworkScan_Policy" was successfully added displays, as shown as follows.

FIGURE 10.30: The NetworkScan Policy

In the Add Scan window, fill in the Name, Type, Policy, Scan Targets, and Targets File fields.

41. Now, click Scans > Add to open the Add Scan window.
42. Input the fields Name, Type, Policy, and Scan Target.
43. In Scan Targets, enter the IP address of your network; here in this lab we are scanning 10.0.0.2.
44. Click Launch Scan at the bottom-right of the window.

Note: The IP addresses may differ in your lab environment.

Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.

FIGURE 10.31: Add Scan

45. The scan launches and starts scanning the network.

FIGURE 10.32: Scanning in progress

46. After the scan is complete, click the Reports tab.

FIGURE 10.33: Nessus Reports tab

47. Double-click Local Network to view the detailed scan report.
i■■— 1 •M M • •נ־י■׳ <•< ז*ו £ [ l«v> HM KTT* I n ■ T!•• M VIWMH Wt N « M < N ilr a W U II M tW M « l W M W lK M l HM m jm M .-~ > •rm *m H9W • x fn 1-01 H Into Iftte W i ll- ' WiMom M m x M tC o tn m k U u iu im w m m uv» fro^jMren G&a»1fcsKr< CwMot f o r r J . i « H « a ־r 1r m UB •MO. »y%ttn 1•hm lU n C M * * • McmcC A» : •an i t f i LMO10 ?nb> njlutPu <» Fun tu t SID Ewneutan riC n ilto U D ■ 0. 0. *=־ In*) FIG U R E 10.34: Report o f the scanned target C E H L ab M an u al P ag e 184 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks 48. Double-click any resu lt to display a more detailed synopsis, description, security level, and solution. Q If you are manually creating"nessusrc" files, there are several parameters that can be configured to specify SSH authentications. FIG U RE 10.35: R eport o f a scanned target 49. Click the Dow nload Report button in the left pane. 50. You can download available reports with a .n e s s u s extension from the drop-down list. X D o w n lo a d R ep o rt D o w n lo a d F o rm a t 1 C h a p te rs Chapter Selection Not Allowed G 3 To stop Nessus servei, go to the Nessus Server Manager and click Stop Nessus Server button. Cancel S u b m it FIG U R E 10.36: Download R eport w ith .nessus extension 51. Now, click Log out. 52. 111 the Nessus Server Manager, click S top N e ss u s Server. B■׳־׳ >M P ■ *6 a ■69■ FIG U R E 10.37: Log o ut Nessus Lab Analysis Document all die results and reports gadiered during die lab. C E H L ab M an u al P ag e 185 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. 
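The .nessus file downloaded in step 50 is plain XML in the NessusClientData_v2 layout, so the analysis can be produced from the file itself instead of being copied out of the GUI. The following Python script is an added example for this lab analysis, not part of the manual or of Nessus: it parses the report, lists the open ports, counts findings per host by severity, and lists the Medium-and-above findings with their solutions. The embedded sample report is constructed for the example; its plugin IDs (900001 and up), plugin names and texts are placeholders, not real scanner output.

```python
"""Summarise a Nessus v2 (.nessus) report: hosts, open ports and findings by severity."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Severity values as written in the ReportItem "severity" attribute of a .nessus file.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample report in the NessusClientData_v2 layout. Plugin IDs (900001 and up),
# names and texts are placeholders for this example, not real Nessus output.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Local Network">
<ReportHost name="10.0.0.2">
<HostProperties>
<tag name="host-ip">10.0.0.2</tag>
<tag name="operating-system">Microsoft Windows Server 2008</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900001" pluginName="Scan information (sample)"><synopsis>Details about this scan.</synopsis><solution>n/a</solution></ReportItem>
<ReportItem port="139" svc_name="netbios-ssn" protocol="tcp" severity="0" pluginID="900002" pluginName="NetBIOS session service detection (sample)"><synopsis>A NetBIOS session service is listening.</synopsis><solution>n/a</solution></ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="900003" pluginName="SMB signing not required (sample)"><synopsis>Signing is not required on the remote SMB server.</synopsis><solution>Enforce SMB message signing in the host configuration.</solution></ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900004" pluginName="Unpatched SMB service (sample)"><synopsis>The remote SMB service is missing a vendor security update.</synopsis><solution>Apply the vendor patch and reboot.</solution></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.7">
<HostProperties>
<tag name="host-ip">10.0.0.7</tag>
<tag name="operating-system">Microsoft Windows Server 2012</tag>
</HostProperties>
<ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="0" pluginID="900005" pluginName="Remote Desktop service detection (sample)"><synopsis>A Remote Desktop service is listening.</synopsis><solution>n/a</solution></ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return a list of hosts, each with its properties and the findings reported for it."""
    root = ET.fromstring(xml_text)   # for files from untrusted sources, parse with defusedxml instead
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"not a Nessus v2 report (root element is {root.tag!r})")
    hosts = []
    for rh in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "").strip() for t in rh.findall("./HostProperties/tag")}
        findings = []
        for item in rh.findall("ReportItem"):
            findings.append({
                "port": int(item.get("port", "0")),        # 0 = host-level finding (general/tcp)
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": int(item.get("pluginID", "0")),
                "plugin_name": item.get("pluginName", ""),
                "synopsis": (item.findtext("synopsis") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
        hosts.append({"ip": props.get("host-ip", rh.get("name")),
                      "os": props.get("operating-system", "unknown"),
                      "findings": findings})
    return hosts


def severity_summary(hosts):
    """Findings per host by severity name, e.g. {'10.0.0.2': {'Info': 2, 'Medium': 1, 'High': 1}}."""
    summary = {}
    for h in hosts:
        counts = Counter(f["severity"] for f in h["findings"])
        summary[h["ip"]] = {SEVERITY_NAMES.get(s, f"Severity{s}"): n for s, n in counts.items()}
    return summary


def open_ports(hosts):
    """Set of (ip, port, protocol) seen in the report; port 0 entries are not real listeners."""
    return {(h["ip"], f["port"], f["protocol"])
            for h in hosts for f in h["findings"] if f["port"] != 0}


def top_findings(hosts, min_severity=2):
    """(ip, plugin_id, severity, plugin_name, solution) at or above min_severity, worst first."""
    rows = [(h["ip"], f["plugin_id"], f["severity"], f["plugin_name"], f["solution"])
            for h in hosts for f in h["findings"] if f["severity"] >= min_severity]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    # Usage: python nessus_summary.py report.nessus   (falls back to the embedded sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    hosts = parse_nessus(text)
    for ip, counts in severity_summary(hosts).items():
        print(ip, counts)
    for ip, port, proto in sorted(open_ports(hosts)):
        print(f"{ip}:{port}/{proto}")
    for ip, pid, sev, name, fix in top_findings(hosts):
        print(f"{SEVERITY_NAMES[sev]:8} {ip} plugin {pid}: {name} -> {fix}")
```

Two points worth keeping in mind when you run this on a real download: the `severity` attribute, not the `risk_factor` text, is what Nessus sorts on, and ReportItem entries on port 0 (general/tcp or general/udp) are host-level observations, so they are excluded from the open-port list but still counted in the severity summary.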
Tool/Utility: Nessus
Information Collected/Objectives Achieved:
■ Scan Target Machine: Local Host
■ Performed Scan Policy: Network Scan Policy
■ Target IP Address: 10.0.0.2
■ Result: Local Host vulnerabilities

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with SecurityCenter.

2. Determine how the Nessus license works in a VM (Virtual Machine) environment.

Internet Connection Required: ☑ Yes □ No
Platform Supported: ☑ Classroom □ iLabs

Auditing Scanning by using Global Network Inventory

Global Network Inventory is used as an audit scanner in zero-deployment and agent-free environments. It scans computers by IP range, by domain, as single computers, or as computers defined by the Global Network Inventory host file.

Lab Scenario

With the development of network technologies and applications, network attacks are increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or its servers. If an attacker finds a flaw in a service exposed to the Internet, the attacker will immediately use it to compromise that system and the data on it, and from there can pivot to other systems on the network. Similarly, if the attacker finds a workstation whose applications have flaws and whose user holds administrative privileges, they can execute arbitrary code or implant malware to intensify the damage to the network.

Intrusion detection systems (IDSes) are a key technique in the network security domain and play a vital role in detecting many kinds of attacks and securing networks. As an administrator you should make sure that services do not run as the root user, should apply patches and updates for applications promptly, and should follow advisories from vendors and security organizations such as CERT and vulnerability catalogues such as CVE. Safeguards can also be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.

Lab Objectives

This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:
■ Use the Global Network Inventory tool

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

To carry out the lab, you need:
■ The Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
■ You can also download the latest version of Global Network Inventory from http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Global Network Inventory
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Global Network Inventory

Global Network Inventory is an agentless audit and inventory scanner: it connects to Windows hosts with the credentials you supply and collects hardware, BIOS, memory, NetBIOS, user-group, logged-on-user, service and network-adapter details without deploying anything on the targets.

Lab Tasks

TASK 1: Scanning the network

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 11.1: Windows Server 2012 - Desktop view

2. Click the Global Network Inventory app to open the Global Network Inventory window.

Note: Global Network Inventory scans computers by IP range, by domain, as single computers, or as computers defined by its host file.

FIGURE 11.2: Windows Server 2012 - Apps

3. The Global Network Inventory main window appears as shown in the following figure.

4. The Tip of the Day window also appears; click Close.

Note: Scan only the items that you need by customizing the scan elements.

FIGURE 11.3: Global Network Inventory Main Window

5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.

Note: The tool offers IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.

FIGURE 11.4: Windows 2008 Virtual Machine

6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window appears (or, in the toolbar, select the Scan tab and click Launch audit wizard). The wizard guides you through creating a new inventory audit. Click Next.

FIGURE 11.5: Global Network Inventory new audit wizard

7. In the Audit Scan Mode page, select IP range scan and click Next. The other modes are Single address scan (audit one computer), Domain scan (audit computers that are members of the same domain or domains), Host file scan (audit the computers listed in the host file), and Export audit agent (export an agent to a shared directory for use from a domain login script).

Note: Layouts and color schemes are fully customizable on all views and reports.

FIGURE 11.6: Global Network Inventory Audit Scan Mode

8. In the IP Range Scan page, set the IP range to audit (this lab uses 10.0.0.1 to 10.0.0.50) and click Next.

Note: Scan data can be exported to HTML, XML, Microsoft Excel, and text formats. Licenses are network-based rather than user-based; extra licenses to cover additional addresses can be purchased at any time if required.

9. In the Authentication Settings page, select Connect as, fill in the respective credentials (domain or workgroup, user name, and password) of your Windows Server 2008 virtual machine, and click Next. The alternative, Connect as currently logged on user, reuses the account that is running the tool.

Note: The program comes with dozens of customizable reports. New reports can be added through the user interface.

FIGURE 11.8: Global Network Inventory Authentication settings

10. Leave the remaining settings at their defaults (Do not record unavailable nodes, Open scan progress dialog when scan starts, Rescan nodes that have been successfully scanned, Rescan but no more than once a day) and click Finish to complete the wizard.

Note: Reports can be generated on a schedule: after every scan, daily, weekly, or monthly. To configure reports, choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.

FIGURE 11.9: Global Network Inventory final Audit wizard

11. The Scan progress window displays the scanning progress: each address in the range with its timestamp, percentage complete and resolved host name (here, for example, ADMINPC, WIN-D39MR5HL9E4 and WIN-ULY858KHQIP), together with the elapsed time and the count of scanned nodes.

Note: Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for one or more columns.

FIGURE 11.10: Global Network Inventory Scanning Progress

12. After completion, the scanning results can be viewed as shown in the following figure. The responding hosts are grouped under their workgroup (WORKGROUP) with host name, status, MAC address, vendor, OS, processor and comment columns.

Note: Global Network Inventory lets you change the grid layout simply by dragging column headers with the mouse. Dropping a header onto the Grouping pane groups the data according to the values stored within the "grouped" column.

FIGURE 11.11: Global Network Inventory result window

13. Now select the Windows Server 2008 machine in the results view to view its individual results.

Note: The Global Network Inventory grid color scheme is completely customizable. You can change the colors by selecting Tools | Grid colors from the main menu.

FIGURE 11.12: Global Network Inventory Individual machine results

14. The Scan summary section gives you a brief summary of the machines that have been scanned.

Note: To configure the results history level, choose Scan | Results history level from the main menu and set the desired history level.

FIGURE 11.13: Global Inventory Scan Summary tab

15. The BIOS section gives details of the BIOS settings.

FIGURE 11.14: Global Network Inventory Bios summary tab

16. The Memory tab summarizes the memory in the scanned machine (total and available physical memory, total and available virtual memory).

FIGURE 11.15: Global Network Inventory Memory tab

17. In the NetBIOS section, the complete NetBIOS name table can be viewed. For the Windows Server 2008 host it lists WIN-D39MR5HL9E4 <00> (Unique, Workstation Service), WIN-D39MR5HL9E4 <20> (Unique, File Server Service), and WORKGROUP <00> (Group, Domain Name).

FIGURE 11.16: Global Network Inventory NetBIOS tab

18. The User groups tab shows the user account details within the workgroup, for example the Administrators, Users and Guests groups and the accounts that are members of each.

FIGURE 11.17: Global Network Inventory User groups section

19. The Logged on tab shows which accounts are logged on to the machine and when, including service accounts such as NT SERVICE\MSSQLSERVER and NT SERVICE\ReportServer as well as the interactive WIN-D39MR5HL9E4\Administrator logon.

FIGURE 11.18: Global Network Inventory Logged on section

20. The Port connectors section shows the physical port connectors of the machine (for example the serial port, the PS/2 keyboard and mouse ports, and the USB ports), not network ports.

FIGURE 11.19: Global Network Inventory Port connectors tab

21. The Services section gives details of the services installed on the machine: their start mode (Automatic or Manual), their state (Running or Stopped), and the path of the executable (for example C:\Windows\system32\svchost.exe -k netsvcs).

Note: To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize the settings as desired, and click OK.

FIGURE 11.20: Global Network Inventory Services Section

22. The Network adapters section shows each adapter's IP address, MAC address, subnet mask, default gateway and adapter type.

Note: Global Network Inventory can also email results; its settings include the sender Name, the E-mail address (in the form someone@mycompany.com), the Message subject (a message without a subject cannot be posted), the Outgoing mail (SMTP) server and its Port. A security account password can be created so that no other user can log on to Global Network Inventory; by default it uses a blank password, so set one before the tool holds scan credentials and inventory data.

FIGURE 11.21: Global Network Inventory Network Adapter tab

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: Global Network Inventory
Information Collected/Objectives Achieved:
■ IP Scan Range: 10.0.0.1 to 10.0.0.50
■ Scanned IP Addresses: 10.0.0.7, 10.0.0.4
■ Result: Scan summary, BIOS, Memory, NetBIOS, User groups, Logged on, Port connectors, Services, Network adapters

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?

2. How can you export the Global Network Inventory agent to a shared network directory?
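The NetBIOS tab in step 17 above shows exactly what a host's NetBIOS name service returns to a node-status query, and the scenario of the next lab is about the same service (NBNS on UDP port 137) and why it is blocked at the firewall. The following Python script is an added example that covers both passages; it is not part of the manual, of Global Network Inventory, or of Windows. It builds the wildcard NBSTAT query defined in RFC 1001/1002, parses the reply (the name table with suffixes, the unique/group flag, and the MAC address that leads the statistics block), and can send the query to a live host. The embedded reply is constructed to mirror the lab's screenshot (WIN-D39MR5HL9E4 <00> and <20>, WORKGROUP <00>); its MAC address is a placeholder.

```python
"""Wildcard NetBIOS node-status (NBSTAT) query on UDP/137: build the request, parse the reply."""
import random
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021                       # resource record type of a node status request/response
IN_CLASS = 0x0001
WILDCARD_NAME = b"*" + b"\x00" * 15   # the "*" name, NUL-padded to 16 bytes

# Meaning of the 16th (suffix) byte of a NetBIOS name, keyed by (suffix, is_group).
NAME_TYPES = {
    (0x00, False): "Workstation Service", (0x00, True): "Domain Name",
    (0x03, False): "Messenger Service", (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers", (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections", (0x20, False): "File Server Service",
}


def encode_netbios_name(raw16):
    """First-level encoding (RFC 1001 s.14.1): each byte becomes two letters A-P; length byte first, NUL last."""
    letters = bytearray()
    for b in raw16:
        letters += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(letters) + b"\x00"


def build_nbstat_query(txid):
    """12-byte NBNS header plus one question: wildcard name, type NBSTAT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: plain unicast query
    return header + encode_netbios_name(WILDCARD_NAME) + struct.pack(">HH", NBSTAT, IN_CLASS)


def parse_nbstat_response(data, expected_txid=None):
    """Return {'txid', 'names': [{'name', 'suffix', 'group', 'type'}, ...], 'mac'} from a node-status reply."""
    if len(data) < 12:
        raise ValueError("packet shorter than the NBNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError(f"NBNS error, rcode={flags & 0x000F}")
    if ancount < 1:
        raise ValueError("response carries no answer record")
    off = 12
    while True:                       # skip the answer's encoded name (labels, or a compression pointer)
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            off += 1
            break
        off += length
    rr_type, _rr_class, _ttl, rdlength = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rr_type != NBSTAT:
        raise ValueError(f"unexpected record type 0x{rr_type:04x}")
    rdata = data[off:off + rdlength]
    names, pos = [], 1
    for _ in range(rdata[0]):         # NODE_NAME entries: 15-byte name, suffix byte, 2-byte NAME_FLAGS
        raw = rdata[pos:pos + 16]
        name_flags = struct.unpack(">H", rdata[pos + 16:pos + 18])[0]
        suffix, group = raw[15], bool(name_flags & 0x8000)   # bit 15 of NAME_FLAGS marks a group name
        names.append({"name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "group": group,
                      "type": NAME_TYPES.get((suffix, group), f"Unknown <{suffix:02X}>")})
        pos += 18
    mac = rdata[pos:pos + 6]          # STATISTICS begins with the adapter unit ID (MAC address)
    return {"txid": txid, "names": names,
            "mac": ":".join(f"{b:02X}" for b in mac) if len(mac) == 6 else None}


def query_node_status(host, timeout=2.0):
    """Send the wildcard query to host:137 and parse the reply (live use only; not exercised by the tests)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(txid), (host, NBNS_PORT))
        data, _ = s.recvfrom(2048)
    return parse_nbstat_response(data, expected_txid=txid)


def build_sample_response(txid):
    """Constructed reply mirroring the lab's NetBIOS tab (two unique names, one group name); MAC is a placeholder."""
    entries = [(b"WIN-D39MR5HL9E4", 0x00, 0x0400), (b"WIN-D39MR5HL9E4", 0x20, 0x0400),
               (b"WORKGROUP", 0x00, 0x8400)]         # 0x0400 = active unique B-node; 0x8400 = group + active
    rdata = bytes([len(entries)])
    for name, suffix, name_flags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", name_flags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40    # STATISTICS: unit ID, then zeroed counters
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative answer, one RR
    answer = encode_netbios_name(WILDCARD_NAME) + struct.pack(">HHIH", NBSTAT, IN_CLASS, 0, len(rdata))
    return header + answer + rdata
```

Calling `query_node_status("10.0.0.7")` from the attacker machine returns the same name table and MAC address that the NetBIOS tab displays; this is the packet `nbtstat -A` and `nmblookup -A` send. From outside a perimeter that filters UDP/137, as the next lab's scenario recommends, the call simply raises `socket.timeout`, which is the behaviour you want to confirm.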
In tern e t C o n n ectio n R eq u ired □ Yes 0 No P latfo rm S u p p o rted 0 C lassroom C E H L ab M an u al P ag e 199 0 iLabs E thical H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks Anonymous Browsing using Proxy Switcher Proxy Switcher allowsyou to automatically execute actions; based on the detected netnork connection. ICON KEY p =7 Valuable information Test your knowledge w Web exercise Q Workbook review Lab Scenario 111 the previous lab, you gathered inform ation like scan summary, NetBIOS details, services running on a computer, etc. using Global Netw ork Inventory. N etBIOS provides programs with a uniform set o f commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. Vulnerability lias been identified in Microsoft Windows, which involves one o f the NetBIOS over T C P /IP (NetBT) services, the NetBIOS N am e Server (NBNS). W ith this service, the attacker can find a com puter’s IP address by using its N etBIOS name, and vice versa. The response to a N etBT name service query may contain random data from the destination com puter’s memory; an attacker could seek to exploit this vulnerability by sending the destination com puter a N etBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included. As an expert penetration tester, you should follow typical security practices, to block such Internet-based attacks block the port 137 User Datagram Protocol (UDP) at the firewall. You m ust also understand how networks are scanned using Proxy Switcher. Lab Objectives This lab will show you how networks can be scanned and how to use Proxy Switcher. 
It will teach you how to: C E H L ab M an u al P ag e 200 ■ Hide your IP address from the websites you visit ■ Proxy server switching for improved anonymous surfing E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Module 03 - Scanning Networks Lab Environment To cany out the lab, you need: ■ Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Sw itcher 2 " Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks ■ You can also download the latest version o f Proxy W orkbench from this link http:/ / www.proxyswitcher.com/ ■ I f you decide to download the latest version, then screenshots shown in the lab might differ ■ A computer running W indows Server 2012 ■ A web browser with Internet access ■ Follow’ Wizard-driven installation steps to install Proxy Sw itcher ■ Administrative privileges to run tools Lab Duration Time: 15 Minutes Overview of Proxy Switcher Proxy Switcher allows you to automatically execute actions, based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting proxy settings for Internet Explorer, Firefox, and Opera. Lab Tasks Cl Autom atic ch a n g e of proxy configurations (or any other action) b ased on network information 1. Install Proxy Workbench in W indows Server 2 012 (Host Machine) 2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 S can nin g N etw orks\P roxy T ools\Proxy S w itch er 3. Follow’ the wizard-driven installation steps and install it in all platforms o f the W indow s op eratin g sy stem . 4. This lab will work in the C EH lab environm ent - on W indow s S erver 2 0 1 2 , W indow s S erver 20 0 8 , and W indow s 7 5. C E H L ab M an u al P ag e 201 Open the Firefox browser in your W indows Server 2012, go to Tools, and click Options in die menu bar. 
FIGURE 12.1: Firefox options tab

Note: Different Internet connections require completely different proxy server settings, and it is a real pain to change them manually.

6. Go to the Advanced panel of the Firefox Options dialog, select the Network tab, and click Settings.

Note: Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera and other programs.

FIGURE 12.2: Firefox Network Settings

7. Select the Use system proxy settings radio button, and click OK.
Note: Proxy Switcher supports command-line options, for example -d to activate a direct connection.

FIGURE 12.3: Firefox Connection Settings

8. Now install Proxy Switcher Standard by following the wizard-driven installation steps.
9. To launch Proxy Switcher Standard, open the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

TASK 1: Proxy Servers Downloading

FIGURE 12.4: Windows Server 2012 - Desktop view

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window, or click Proxy Switcher in the tray icon list.

Note: Proxy Switcher is free to use without limitations for personal and commercial use.
FIGURE 12.5: Windows Server 2012 - Apps

Note: If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background is displayed until a working proxy server is found.

FIGURE 12.6: Select Proxy Switcher

11. The Proxy List Wizard appears as shown in the following figure; click Next.

Note: Proxy Switcher supports LAN, dial-up, VPN and other RAS connections.

FIGURE 12.7: Proxy List wizard

12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button under Common Tasks, and click Finish.

Note: Proxy switching from the command line can be used at logon to automatically set connection settings.

FIGURE 12.8: Select common tasks

13. The downloaded proxy servers are listed in the right panel (columns Server, State, Response, Country), grouped by the categories in the left panel: New, High Anonymous, SSL, Elite, Dead, Permanently dead, Basic Anonymity, Private, Dangerous, My Proxy Servers, and ProxySwitcher.
Note: When Proxy Switcher is running in Keep-Alive mode it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.

FIGURE 12.9: List of downloaded proxy servers

14. To stop downloading proxy servers, click the toolbar button shown in the following figure.

Note: When the active proxy server becomes inaccessible, Proxy Switcher picks a different server from the ProxySwitcher category. If the active proxy server is currently alive, the background is green. Servers whose connections time out are recorded in the log pane as tested [Dead].

FIGURE 12.10: Click on Start button

15. Click Basic Anonymity in the left panel; the right panel shows the downloaded proxy servers in that category.
Note: When running in Auto Switch mode Proxy Switcher switches the active proxy server regularly. The switching period can be set with a slider from 5 minutes down to 10 seconds.

FIGURE 12.11: Selecting a downloaded proxy server from Basic Anonymity

16. Select one proxy server IP address in the right panel to switch to that proxy server, and click the toolbar icon shown in the following figure.

Note: In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.

FIGURE 12.12: Selecting the proxy server

17. The selected proxy server connects, and the window title changes to show the active proxy, as in the following figure.

FIGURE 12.13: Successful connection to the selected proxy (title bar: "Active Proxy: 95.110.159.54:8080 - ITALY")

Note: Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want other applications (besides Internet Explorer) that support an HTTP proxy to go through Proxy Switcher. By default it waits for connections on localhost:3128.

18. Go to a web browser (Firefox) and open http://www.proxyswitcher.com/check.php to check the selected proxy server's connectivity; if the connection is successful, the page reports a detected proxy as in the following figure.

FIGURE 12.14: Detected proxy server (the check page reports "Your possible IP address is: 202.53.11.130, 192.168.1.1", "Proxy Server: DETECTED", "Proxy IP: 95.110.159.67", "Proxy Country: Unknown")

Compare the check page's output with the server you selected. The address the proxy listens on (95.110.159.54) and the address it egresses from (95.110.159.67) need not be the same, and the "possible IP address" list includes a private address, 192.168.1.1, which must have arrived in a request header (X-Forwarded-For or similar), since a private address cannot be the source of a connection across the Internet. A proxy that forwards such headers reports your own addressing to every site you visit, whatever anonymity category it was listed under.

19. Open another tab in the web browser, and surf anonymously using this proxy.

Note: After the anonymous proxy servers have become available for switching, you can activate any one of them to become invisible to the sites you visit.
FIGURE 12.15: Surfing using the proxy server

Lab Analysis

Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab.

Tool/Utility: Proxy Switcher
Information Collected/Objectives Achieved:
■ Server: list of available proxy servers
■ Selected Proxy Server IP Address: 95.110.159.54
■ Selected Proxy Country Name: ITALY
■ Resulting Proxy Server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine which technologies are used by Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.

Internet Connection Required: Yes. Platform Supported: Classroom.

Module 03 - Scanning Networks

Lab 13: Daisy Chaining using Proxy Workbench

Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays its data in real time.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

In the previous lab you learned how to hide your actual IP address using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else through a proxy server and gather information such as an individual's account or bank details by performing social engineering. Once the attacker has the relevant information, he or she can break into that individual's bank account for online shopping. Attackers sometimes chain multiple proxy servers for scanning and attacking, which makes it very difficult for administrators to trace the real source of an attack, since each hop's logs show only the previous hop. As an administrator you should be able to detect such attacks by deploying an intrusion detection system with which you can collect network information for analysis and determine whether an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Workbench. It will teach you how to:
■ Use the Proxy Workbench tool
■ Daisy chain the Windows host machine and the virtual machines

Lab Environment

To carry out the lab, you need:
■ Proxy Workbench, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
■ You can also download the latest version of Proxy Workbench from http://proxyworkbench.com
■ Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
■ If you download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the attacker (host machine)
■ Computers running Windows Server 2008 and Windows 7 as the victims (virtual machines)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Workbench
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Proxy Workbench

Proxy Workbench is a proxy server that displays its data in real time: the data flowing between web browser and web server, and it even analyzes FTP in passive and active modes.

Note: Security: proxy servers provide a level of security within a network. They can help prevent attacks when the only way into the network from the Internet is via the proxy server.

Lab Tasks

1. Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, and Windows 7).
2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench.
3. You can also download the latest version of Proxy Workbench from http://proxyworkbench.com.
4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
5. This lab works in the CEH lab environment on Windows Server 2012, Windows Server 2008, and Windows 7.
6. Open the Firefox browser on Windows Server 2012, go to Tools, and click Options.
FIGURE 13.1: Firefox options tab

7. Go to the Advanced panel of the Firefox Options dialog, select the Network tab, and click Settings.

Note: The sockets panel in Proxy Workbench shows the number of alive socket connections that Proxy Workbench is managing. During periods of no activity this drops back to zero.

FIGURE 13.2: Firefox Network Settings

Note: The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory; the actual amount of memory Proxy Workbench consumes is generally much more than this because of the overhead of managing it.

8. Check Manual proxy configuration in the Connection Settings dialog.
9. Type 127.0.0.1 as the HTTP Proxy, enter 8080 as the port, check Use this proxy server for all protocols, and click OK.

FIGURE 13.3: Firefox Connection Settings

10. If you encounter a port error while configuring, please ignore it.
11. Open the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 13.4: Windows Server 2012 - Desktop view

12. Click the Proxy Workbench app to open the Proxy Workbench window.

Note: The events panel displays the total number of events that Proxy Workbench has in memory. Clearing the data (File > Clear All Data) decreases this to zero if there are no connections that are alive.

FIGURE 13.5: Windows Server 2012 - Apps

13. The Proxy Workbench main window appears as shown in the following figure. It monitors the local host (WIN-D33MR5HL9E4, 10.0.0.7), lists the ports it listens on (SMTP 25, POP3 110, HTTP Proxy 8080, HTTPS Proxy 443, FTP 21, Pass Through 1000), shows each proxied connection with From, To, Protocol and Started columns, and displays the real-time data pane with a hex dump of the request, including headers such as User-Agent, Proxy-Connection: keep-alive and Host: mail.google.com.

Note: The last panel displays the current time as reported by your operating system.

FIGURE 13.6: Proxy Workbench main window

14. Go to Tools on the menu bar, and select Configure Ports.

Note: The "Show the real time data window" option lets the user specify whether the real-time data pane is displayed.
FIGURE 13.7: Proxy Workbench Configure Ports option

15. In the Configure Proxy Workbench dialog, select 8080 HTTP Proxy - Web in the left pane, Ports to listen on.
16. Check HTTP in the right pane, Protocol assigned to port 8080, and click Configure HTTP for port 8080.

Note: People who benefit from Proxy Workbench:
■ Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"
■ People who are curious about how their web browser, email client or FTP client communicates with the Internet.
■ People who are concerned about malicious programs sending sensitive information out to the Internet; the information that programs are sending can be readily identified.
■ Internet software developers who are writing programs to existing protocols. Software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems.
■ Internet software developers who are creating new protocols and developing the client and server software simultaneously. Proxy Workbench will help identify non-compliant protocol …
■ Internet security experts will benefit from seeing the data flowing in real time. This will help them see who is doing what and when.

FIGURE 13.8: Proxy Workbench, configuring HTTP for port 8080

17. The HTTP Properties window appears.
Check Connect via another proxy, enter the IP address of your Windows Server 2008 virtual machine as the Proxy server, enter 8080 as the Port, and click OK.

Note: Many people understand sockets better than they think. When you surf the web and go to a website called www.altavista.com, you are directing your web browser to open a socket connection to the server called "www.altavista.com" on port number 80.

FIGURE 13.9: Proxy Workbench HTTP properties for port 8080

18. Click Close in the Configure Proxy Workbench dialog after completing the configuration settings.

Note: Real-time logging allows you to record everything Proxy Workbench does to a text file. This lets the information be imported into a spreadsheet or database so that more advanced analysis can be performed on the data.

FIGURE 13.10: Proxy Workbench configured proxy

19. Repeat the Proxy Workbench configuration steps (Step 11 to Step 18) on the Windows Server 2008 virtual machine.
20. On Windows Server 2008, enter the IP address of the Windows 7 virtual machine as the proxy to connect through.
21. Open a Firefox browser on Windows Server 2008 and browse web pages.

Note: Proxy Workbench changes this. Not only is it a proxy server, but you can see all of the data flowing through it, visually display a socket connection history, and save it to HTML.

22. Proxy Workbench shows the generated traffic, as in the following figure.
23. Check the To column; the traffic is being forwarded to 10.0.0.3 (the Windows Server 2008 virtual machine).
43 ?< bI «m Cm 31 4c ?2 32 (3 3d <3 .* ״ I3S 1Wi 06052»»l PAthtf<ka»Mcc 06052*173 FV»9hn<*co<ra<t sauszs t£3524:45 06052• 3 י3 ro 11 W 3d U 41 74 »ה9►«•*»« *■*׳״1120 0נ 7i 2c 3» K k(1 2ת Sf <4 2300 I«I( 450 לMtC61$ י7* «} MH FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine 24. Now log in in to W indows Server 2008 Virtual Machine, and check die To column; it is forwarding die traffic to 10.0.0.7 (Windows 7 Virtual Machine). Fife View Tod* Hrip M irilcrrfj y1cbncni<2(’.3|10Q0 3| 9 r**»h':1H TIP P n» y'־Veb(0C8]) T rd 1 1 or, 05 4n !00 K F K 1)• (h 41 070 F CB OG ■41 625 F HUP 06.(E *3 375 (£ 0 6 41437 (COS 41 015 F HTTP 0506 *3 531 (C 05 41 281 F HTTP HTTP 06.05 4Q 546 0E<E 4a 578 06.05 41.281 05 05 40 B43 F F 06 05:41.828 (KOS415Q3 F F F 1 0 0 0 7 0 1 CO HTTP POP3 •IruM fiinjoniilplC I 4J10.QO.6SWO 1 a o .a ? ;» 8 0 lQ 0 D ;- m m HUP HUP £ J ' ] . 0 0.69615 £ J 6 ; 0 : ־snt 1aoa7.83E0 HTTP ו0 0 0 7 : ש נט £ J 1 0 0 0 6 9819 100 07:83 EO 100.07:8360 1aoa7!m E 0 jU ': a : f c 3 1 i4 HITP5 Ro«v - Seojic Web(4431 "W FTP ■ Fie 1 lend® FVolard |211 • Nol L ila £ J 1 a a 0.6 9620 PdssThioj^i F01 Tastro^oo*nOOOl f« j h J ' I Q 0.&9B22 £ 7 A nd now, Proxy W orkbench includes connection failure simulation strategies. W hat this means is that you can simulate a poor network, a slow Internet or unresponsive server. This is makes it the definitive TC P application tester £ | - : . 0 : . 6 5824 1a0.a7:83EO HTTP 0 6 0 = 4 :6 5 5 £ 1 1 0 .0 0 69626 ו0 0 0 7 :ש ש HTTP 06 0 5 *3 906 £1100069828 1000.7:8303 HTTP 06<e 41015 £ 1 * 1 0 0 .6 9830 1ClO.a7.83EO HTTP 06.0C 41 *09 06 05 41 406 06 05 41 718 £ 1 1 0 0 0 &9H32 m o n 7 rm g o HUP ( K f f i 41 TIB O, ( h 41 ׳׳HI *1 cM s tei Hr TP Ptcay •V/H3 |B0B]| : ״064 010080 ־ ־ ־09* 060112 00012C 060144 060160 060176 080192 Mar a y 3ES KBylei S x p iro D ot Hnx 2011S 0 a G226 <0 CUT T.m t Hrd f t 1. 23 0 c t 2009 2 0 • 10 04 GMT. . C»ch0-C011t ro L m a x-o g e -3 6 0 0 . 
C on n e ct io a k o e p - o l iv c 76 4d 39 66 74 47 70 69 72 61 72 20 20 47 <d 69 6564 20 32 30 4d Od 6t 6 c 30 20 Od 0 9 43 61 65 70 2d 61 T»!mnale 01( RcIlbc Qr 'h rb »f־ Proxy Worfctxfyh F Fj d 2J 1 ffe d J Start | | 1 ■.,* 1 •.f ״I 06 1*41 15 6 £ J *)O O G « fflO Q■H wpnm am m 1QOQ2I0 1QQQ7 &10.00.6!0100.0? S te M 05 flfl 0^7 3ג 06.05 40109 ( E tft * 6 9 נ נ ^ ,iMTP•IJ1*yt«nyvm«1l(2&| 65 32 64 30 G« 6d te 6c 73 30 Od 20 39 <3 61 in 69 3c 31 0« 1e 20 61 78 15 6ל S3 3a 4r b'3 32 63 2d 63 65 i l 20 74 30 61 2c 30 b0 61 74 Od 30 73 2? 3.י 65 6? 69 0o a ?פ 20 31 לrf?. 4 20 32 31 30 2d ■(3 65 3d bl 6• Od 0o C m ^ ! ׳CK - o g g r g 01( 613A M 6:15AT1׳ AiLd FIGURE 13.12 Proxy Workbench Generated Traffic in Windows Serve! 2003 Virtual Machine C E H L ab M an u al P ag e 218 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks 25. Select O n die web server, connect to port 80 in W indows 7 virtual machine, and click OK -TTTP P r o p e r tie s G e n e ra l | (• O n th e * tcb s e rv e r, c o n n e c t to port: C " Connect v b 0 T0*her p ro x y Pro<y :errer 110.0.0.5 Port: [fiflffi HI I t allows you to 'see' h ow your email client communicates w ith the email server, how web pages are delivered to your browser and why your FTP client is n ot connecting to its server OK C«r>cd il FIGURE 13.13: Configuring HTTP properties in Windows 7 26. N ow Check die traffic in 10.0.0.7 (Windows 7 Virtual Machine) “TO” column shows traffic generated fiom die different websites browsed in W indows Server 2008 " Unix p i? « w a» '*w ts c « > » w >• <§>o Wd is o 11 1► ;>■ הו7 צ&ו r*e Toeli Help £< & •ג&ל ! ־ nfl. 
(Figure 13.14, first part: Proxy Workbench connection tree on the Windows 7 virtual machine, with SMTP - Outgoing e-mail (25) and HTTP Proxy - Web (8080) nodes; the From column shows 10.0.0.3 and the To column shows external web server addresses such as 203.85.231.83, 68.71.209.176 and 157.166.255.216 on port 80; the remaining screenshot text is not recoverable from the scan)

In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.
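One way to turn the connection records the Details Pane shows into the inventory the Lab Analysis asks for (IP addresses, ports and protocols seen), as an added PowerShell example that is not part of the lab manual or of Proxy Workbench itself. The log lines and their column layout are constructed for this example (Proxy Workbench's own text-log format may differ, so adjust the header line to your export); the lab addresses 10.0.0.3, 10.0.0.5 and 10.0.0.7 come from the lab, and the external addresses are sample values. It separates hops between lab machines (the proxy chain 10.0.0.3 -> 10.0.0.7) from connections that actually left the lab network:

```powershell
# Added example (not from the CEH lab manual or Proxy Workbench): summarize
# connection records of the kind Proxy Workbench lists in its Details Pane.
# The CSV layout below is an assumption; the real-time text log of Proxy
# Workbench may use different columns. Addresses outside 10.0.0.0/24 are
# sample values constructed for the example.

$ConstructedLog = @'
Time,From,To,Protocol,BytesSent,BytesReceived
06:05:40.109,10.0.0.3:49610,10.0.0.7:8080,HTTP,1577,2110
06:05:41.015,10.0.0.3:49612,10.0.0.7:8080,HTTP,1555,1950
06:05:41.281,10.0.0.7:49815,203.85.231.83:80,HTTP,1556,4176
06:05:41.406,10.0.0.7:49816,68.71.209.176:80,HTTP,1131,2710
06:05:41.718,10.0.0.7:49817,58.27.86.123:80,HTTP,1572,0
06:05:41.828,10.0.0.3:49614,10.0.0.7:8080,HTTP,2125,3333
06:05:42.100,10.0.0.7:49818,157.166.255.216:80,HTTP,1120,1533
06:05:42.655,10.0.0.7:49819,68.71.209.176:80,HTTP,1183,2103
'@

# Lab machines from the manual: Server 2008 VM, Server 2012 host, Windows 7 VM.
$LabHosts = @('10.0.0.3', '10.0.0.5', '10.0.0.7')

function Get-ConnectionRecord {
    param([string]$LogText)
    $LogText | ConvertFrom-Csv | ForEach-Object {
        $fromIp, $fromPort = $_.From -split ':'
        $toIp,   $toPort   = $_.To   -split ':'
        [pscustomobject]@{
            Time     = $_.Time
            FromIp   = $fromIp
            ToIp     = $toIp
            ToPort   = [int]$toPort
            Protocol = $_.Protocol
            Bytes    = [int]$_.BytesSent + [int]$_.BytesReceived
            # A hop is traffic between two lab machines (proxy chaining);
            # anything else is a connection that left the lab network.
            Hop      = ($LabHosts -contains $fromIp) -and ($LabHosts -contains $toIp)
        }
    }
}

function Get-DestinationInventory {
    param([object[]]$Records)
    # Group external connections by destination, port and protocol so the
    # result can be pasted into the Lab Analysis table.
    $Records | Where-Object { -not $_.Hop } |
        Group-Object ToIp, ToPort, Protocol |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Destination = $first.ToIp
                Port        = $first.ToPort
                Protocol    = $first.Protocol
                Connections = $_.Count
                TotalBytes  = ($_.Group | Measure-Object Bytes -Sum).Sum
            }
        } | Sort-Object TotalBytes -Descending
}

$records = Get-ConnectionRecord -LogText $ConstructedLog

"Proxy hops seen inside the lab (From, To, Port):"
$records | Where-Object Hop | Group-Object FromIp, ToIp, ToPort |
    ForEach-Object { "  {0} ({1} connections)" -f $_.Name, $_.Count }

"`nExternal destinations reached through the chain:"
Get-DestinationInventory -Records $records | Format-Table -AutoSize
```

Run it in any PowerShell 3.0 or later session; for a real capture, replace the here-string with `Get-Content` of the exported log and fix the header to match. The hop/external split is the useful part: a destination that only ever appears as the next proxy in the chain is not an "open port" to record, whereas the external list is exactly what the lab asks you to document.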
(Figure 13.14, second part: HTTP Proxy - Web (8080) Details Pane on the Windows 7 virtual machine listing HTTP connections with their timestamps, byte counts and connection status, and a hex dump of an HTTP response; the screenshot text is not recoverable from the scan)

FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility        Information Collected/Objectives Achieved
Proxy Workbench     Proxy server used: 10.0.0.7
                    Port scanned: 8080
                    Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine the Connection Failure - Termination and Refusal.

2. Evaluate how real-time logging records everything in Proxy Workbench.

Internet Connection Required: [x] Yes [ ] No
Platform Supported: [x] Classroom [ ] iLabs

HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that makes a transparent tunnel through a proxy server or firewall.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

Attackers are always on the hunt for clients that can be easily compromised, and they can enter these networks with IP spoofing to damage or steal data. The attacker can get packets through a firewall by spoofing the IP address.
If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.

Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions. Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP tunneling using HTTPort.

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In the lab, you need the HTTPort tool.

■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
■ You can also download the latest version of HTTPort from the link http://www.targeted.org/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install HTTHost on the Windows Server 2008 Virtual Machine
■ Install HTTPort on the Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it.
■ Administrative privileges are required to run this tool
■ This lab might not work if the remote server filters/blocks HTTP tunneling packets

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 20 Minutes

Overview of HTTPort

HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP and HTTPS proxies, firewalls, and transparent accelerators.

Lab Tasks

Stopping IIS Services

1. Before running the tool you need to stop the IIS Admin Service and World Wide Web Publishing Service on the Windows Server 2008 virtual machine.

2. Go to Administrative Privileges > Services > IIS Admin Service, right-click and click the Stop option.

HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.

(Figure 14.1, first part: Services console on Windows Server 2008 with IIS Admin Service selected, offering "Stop the service" and "Restart the service"; the remaining screenshot text is not recoverable from the scan)
FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008

3. Go to Administrative Privileges > Services > World Wide Web Publishing Service, right-click and click the Stop option.

It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008 (Services console with World Wide Web Publishing Service selected; the screenshot text is not recoverable from the scan)

It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.

4. Open the mapped network drive "CEH-Tools": Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost

5. Open the HTTHost folder and double-click htthost.exe.

6. The HTTHost wizard will open; select the Options tab.

7. On the Options tab, set all the settings to default except the Personal Password field, which should be filled in with any other password. In this lab, the personal password is "magic".

8. Check the Revalidate DNS names and Log Connections options and click Apply.

To set up HTTPort you need to point your browser to 127.0.0.1.

FIGURE 14.3: HTTHost Options tab (HTTHost 1.8.5, Options tab. Network: Bind listening to 0.0.0.0, Port 80; Bind external to 0.0.0.0; Allow access from 0.0.0.0; Personal password. Pass through unrecognized requests to: Host name or IP 127.0.0.1, Port 81; Original IP header field X-Original-IP; Max. local buffer; Timeouts; Revalidate DNS names; Log connections; Apply. Tabs: Statistics, Application log, Options, Security, Send a Gift)

9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 virtual machine.

10. Now switch to the Windows Server 2012 host machine, install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort, and double-click httport3snfm.exe.

HTTPort goes with the predefined mapping "External HTTP proxy" of local port ...

11. Follow the wizard-driven installation steps.

12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.

FIGURE 14.5: Windows Server 2012 - Apps (Start screen showing Server Manager, Computer, Administrator, Windows PowerShell, Google Chrome, Hyper-V Manager, HTTPort 3.SNFM, Control Panel, Hyper-V Virtual Machine Connection, Mozilla Firefox, Command Prompt, Proxy Workbench and MegaPing)

14. The HTTPort 3.SNFM window appears as shown in the figure that follows.

For each application, create a custom mapping for all the addresses from which it operates. For applications that dynamically change ports there is a SOCKS4 proxy mode, in which the software creates a local SOCKS server (127.0.0.1).

FIGURE 14.6: HTTPort Main Window (tabs: System, Proxy, Port mapping, About, Register. Proxy tab: HTTP proxy to bypass (blank = direct or firewall): Host name or IP address, Port; Proxy requires authentication: Username, Password; Misc. options: User-Agent IE 6.0, Bypass mode; Use personal remote host at (blank = use public): Host name or IP address, Port, Password; Start; "This button helps")

15. Select the Proxy tab and enter the host name or IP address of the targeted machine.

16. Here as an example: enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.

17. You cannot set the Username and Password fields.

18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted host machine IP address and port, which should be 80.

19. Here any password could be used. Here as an example: enter the password as "magic".

In a real-world environment, people sometimes use a password-protected proxy to make company employees access the Internet through it.
r|a HTTPort3.SNFM | 3 S y s te m ' ־ x P ro x y | p 0 rt m a p p in g | A b o u t | R e g is te r | H T T P p ro x y to b y p a s s ( b la n k = d irect o r fire w a ll) H o st n a m e o r IP a d d re s s : Port: | 1 0 . 0 . 0 .4 |8 0 P ro x y re q u ire s a u th e n tic a tio n U s e rn a m e : P a ssw ord: M isc. o p tio n s U s e r -A g e n t: B ypass m o d e : | IE 6 .0 | R e m o te h o s t U s e p e rs o n a l r e m o te h o s t a t ( b la n k * u s e p u b lic) H o st n a m e o r IP a d d re s s : * o r t: P a s s v » rd : | 1 0 . 0 .0 .4 I80 |............ 1 ? | <— T h is b u tto n h e lp s S ta rt FIGURE 14.7: HTTPort Proxv settings \rindow 20. Select die Port Mapping tab and click Add to create N ew Mapping *ב HTTPort 3.SNFM 1 - 1 ° S y s te m | P ro x y Po rt m a p p in g A b o u t | R e g is te r J S tatic T C P /IP p o rt m a p p in g s (tu n n e ls ) Q New m a p p in g Q Local p o rt 1 םייי ם1 1-0 (3 R e m o te ho s t Q H T T H ost supports the registration, b ut it is free and password-free - you will be issued a unique ID , which you can contact the support team and ask your questions. — □ r e m o te , h o s t, n a m e R e m o te port 1_0 S e le c t a m a p p in g to s e e statistics: No s ta ts - s e le c t a m a p p in g n /a x n / a B /s e c n /a K LEDs: □□□ם O Proxy B u ilt-in S O C K S 4 s e rv e r W R u n SO CK S s e rv e r (p o r t 1 0 8 0 ) A v a ila b le in " R e m o te H o st" m o d e : r Full S O C K S 4 s u p p o rt (B IN D ) ? | 4— T h is b u tto n h elp s FIGURE 14.8: HTTPort creating a New Mapping 21. Select N ew Mapping Node, and right-click N ew Mapping, and click Edit C E H L ab M an u al P ag e 226 E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. 
Reproduction is Strictly Prohibited Module 03 - Scanning Networks HTTPort 3.SNFM S y s te m | P ro x y T3 3 Po rt m a p p in g | A b o u t | R e g is te r | S tatic T C P /IP p o rt m a p p in g s (tu n n e ls ) ש New m a o Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks Add □ Local p 0 R e m o te ho s t r e m o te , h o s t, n a m e 0 Edit Rem ove ■ (=J R e m o te p o rt L_o S e le c t a m a p p in g to s e e statistics: LEDs: □ □□□ No s ta ts - s e le c t a m a p p in g n /a x n / a B /s e c n /a K O Proxy B u ilt-in S O C K S 4 s e rv e r W R u n SO CK S s e rv e r (p o r t 1 0 8 0 ) A v a ila b le in " R e m o te H o st" m o d e : r Full S O C K S 4 s u p p o rt (B IN D ) ? | 4 — T h is b u tto n h elp s FIGURE 14.9: HTTPort Editing to assign a mapping 22. Rename this to ftp certified hacker, and select Local port node; then lightclick Edit and enter Port value to 21 23. N ow right click on R em ote h ost node to Edit and rename it as ftp.certifiedhacker.com 24. Now right click on R em ote port node to Edit and enter die port value to 21 HTTPort 3.SNFM I r * 1 S y s te m | P ro x y r - r x • Po rt m a p p in g | A b o u t | R e g is te r | S tatic T C P /IP p o rt m a p p in g s (tu n n e ls ) 1=1 •.•=•׳. 0 ־Local p o rt /s 5 -2 1 = E5 R e m o te port I— 2 1 S In this kind of Add Rem ove R e m o te ho s t ftp .c e rtifie d h a c k e r.c o m 0 environm ent, the federated search w ebpart of M icrosoft Search Server 2 0 0 8 will not work out-ofthe-box b e c a u se w e only support non-password protected proxy. 1 ° V S e le c t a m a p p in g to s e e statistics: No s ta ts ־in active n /a x n / a B /s e c d u lit ־in n /a K LEDs: □ □ □ם O Proxy se rve r 1 R u n S O C K S s e rv e r (p o r t 1 0 8 0 ) W A v a ila b le in " R e m o te H o st" m o d e : I” | Full S O C K S 4 s u p p o rt (B IN D ) ? | T h is b u tto n h elp s FIGURE 14.10: H IT P ort Static T C P /IP port mapping 25. 
Click Start on die Proxy tab o f HTTPort to run die HTTP tunneling. C E H L ab M an u al P ag e 227 E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks HTTPort 3.SNFM ־r a : S y s te m ^ o x y | P o rt m a p p in g | A b o u t | R e g is te r | - H T T P p ro x y to b yp a s s ( b la n k = d ire c t o r fire w a ll) H o s t n a m e o r IP a d d re s s : P ort: |1 0 .0 .0 .4 [8 0 P ro x y re q u ire s a u th e n tic a tio n U s e rn a m e : P a ssw ord: M isc. o p tio n s B y pass m o d e : U s e r-A g e n t: IE 6 .0 נ ד [ R e m o te h o s t U s e p e rs o n a l r e m o t e h o s t a t ( b la n k = u s e p u b lic) (J3 H T T P is the basis for W eb surfing, so if you can freely surf the W eb from where you axe, H T TPort will bring you tlie rest o f the Internet applications. H o s t n a m e o r IP a d d re s s : Port: Passw ord: |1 0 .0 .0 .4 [So *״ * * *ן ? | ^— T h is b u tto n h e lp s FIGURE 14.11: HTTPort to start tunneling 26. N ow switch to die W indows Server 2 0 0 8 virtual machine and click die Applications log tab. 27. Check die last line if L isten er listening at 0.0.0.0:80, and then it is running properly. HTTHost 1.8.5 Application log: Q T o make a data tunnel through the password protected proxy, so we can m ap external website to local port, and federate tlie search result. MAIN: HTTHOST 1.8 .5 PERSONAL G IFT WARE DEMO s ta rtin g ^ MAIN: Project codename: 99 red balloons MAIN: Written by Dmitry Dvoinikov MAIN: (c) 19 99-20 04 , Dmitry Dvoinikov MAIN: 64 total available connection(s) MAIN: netv/ork started MAIN: RSA keys initialized MAIN: loading security filters... 
MAIN: loaded filter "grant.dll" (allows all connections within MAIN: loaded filter "block.dll" (denies al I connections withir MAIN: done, total 2 filter(s) loaded MAIN: using transfer encoding: PrimeScrambler64/SevenTe grant.dll: filters conections block.dll: filters conections !LISTENER: listening at C .C .0 .C :s T | z] Statistics ( A p p lic a t io n lo g Options Security | Send a Gift FIGURE 14.12 HTTHost Application log section 28. Now7switch to die W indows Server 2 0 1 2 host machine and turn ON die W indows Firewall 29. Go to Windows Firewall with A dvanced Security C E H L ab M an u al P ag e 228 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־Counc11 All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks 30. Select Outbound rules from die left pane o f die window, and dien click N ew Rule in die right pane o f die window. Windows Firewall v/ith Advanced Security F ie A ction V iew W in d o w s F 1rew,5ll w ith Adv! Q ■ Inb ou nd R u in O u tb o u n d Rules | C o n n e c tio n Security Ru ^ •ן ■ -:° ־ - ־ H elp M o n ito rin g £ זTools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks O u tb o u n d R u i n N am e G roup Profile © B ׳a n c h C a ( h e C 0n t« n :R at 1i«val (H TT P-0... B ra n ch C a c h e - Con ten t Retc... A l Inab ied A No © B r s n c h C e c h e H o rfe d Ca<t!e Cbent IHTT... B ran ch Cach e - Hosted C e c h - Al No © B r a n c h C e ih e K n W J C • c h • S*rvw(HTTP. B ran ch Cach e - H o tted C a d i . Al No © B r a n c h C ache Peer D n co v ery (W S D O u t) B r a n c h ( a r h r - PeerOtseove... Al No © C o « ׳N e tw orkin g • D N S < U0P-0ut) C ore N e tw orkin g Al Yes © C o r e N e tw o rk in g - D>1v > m -e H o * C o n fig ... C ore N e tw orkin g Al Yes © C o r e Ne tw orkin g ־D y n a m ic H o s t Config... C ore N e tw orkin g Al Yes © C o r e N e t w o r k n g ־G rcu p P olicy (ISA5S~ ־ C ore N etw orking Deane■! 
Ves Dom ain Yes © C o r e N etw orking - 5 ׳c u p P o k y (N P -O ut) C ore N etw orking © C o r e N e tw o r k w ig - Group P olicy CTCP-0-. C ore N etw orking Deane•! Yes © C o r e N etw ork ing - Internet G ro u p M an a... C ore N etw orking Al Yes © C o r e N etw orln ng - IPHTTPS CTCP-Out] C ore N etw orking Al Yes © C o r e N etw ork ing - IPv6 ( I P v 6 0 ־u t) C ore N etw orking Al Ves © C o r e N etw orV w g ־M ulb eost lis te n e r D o-. C ore N etw orking Al Ves © C o r e N etw orking - M u locast Listener Q u ~ Core N etw orking Al Yes © C o r e N etw ork *!g - M ulticast I!sten er R ep~ C ore N etw orking Al Ves © C o r e N etw orking • M u tec jst Listener Rep... C ore N etw orking Al res © C o r e N etw ork ing - N eigh b or D nc every A... C ore N etw orking Al Ves Core N etw orking Al Yes © C o r e N etw orking N eigh b or D isc o v er y S .- © C o r e N r t w o f k n g ־P acket 1 c o Big (ICMP-. C ore N etw orking Al Vo Core N etw orking Al Ves © C o r e N etw orking Param eter P rob lem ( I - © C o r e N etw ork ing - P.cutei A d v ertn em en t... C are N etw orking Al Vet © C o r e N etw orking - P.cuur S o i c t a e o n (1C.. Core N etw orking Al Yes © C ore N etw ork * ^ *! ־r e d o (UO P-O ut ( C ore N etw orking Al Vet Outbound Rule* N ew Rule... V ■ Filter by Profile V Filter by State 7 Filter by G ro up View O Refresh Export List... Q Help v ' "■i T ז- r " ........... FIGURE 14.13: W 1ndcra*s Firewall with Advanced Secunty window in Window's Server 2008 31. 111 die N ew Outbound Rule Wizard, select die Port option in die Rule Type section and click Next N e w O u t b o u n d R u le W iz a rd ■ p R u le T y p e Select the type cf firewall rule to create Steps. * Rule Type 4 Protocol and Ports « Action S Tools dem onstrated in this lab are available in Z:\ Mapped Network Drive in Virtual M achines « Profle « flame What :ype of rue wodd you like to create? O Program Rde Bidt controls connections for a program. 
FIGURE 14.14: Windows Firewall selecting a Rule Type
32. Now select All remote ports in the Protocol and Ports section, and click Next.
Note: HTTPort doesn't really care about the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs, and basically anything that lets the HTTP protocol through.
FIGURE 14.15: Windows Firewall assigning Protocols and Ports
33. In the Action section, select the Block the connection option and click Next.
Note: You need to install HTTHost on a PC that is generally accessible from the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for HTTHost on home PCs:
FIGURE 14.16: Windows Firewall setting an Action
34. In the Profile section, select all three options so that the rule applies to Domain, Private, and Public, and then click Next.
Note: NAT/firewall issues: you need to enable an incoming port. For HTTHost it will typically be 80 (http) or 443 (https), but any port can be used, IF the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.
FIGURE 14.17: Windows Firewall Profile settings
35. Type Port 21 Blocked in the Name field, and click Finish.
Note: The default TCP port for an FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP
FIGURE 14.18: Windows Firewall assigning a name to Port
36. The new rule Port 21 Blocked is created as shown in the following figure.
FIGURE 14.19: Windows Firewall New rule
37. Right-click the newly created rule and select Properties.
Note: HTTPort then intercepts that connection and runs it through a tunnel through the proxy.
FIGURE 14.20: Windows Firewall new rule properties
Note: HTTPort enables you to bypass your HTTP proxy in case it blocks you from the Internet.
38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the port number 21.
39. Leave the other settings at their defaults, click Apply, and then click OK.
Note: With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, etc. The basic idea is that you set up your Internet software
FIGURE 14.21: Firewall Port 21 Blocked Properties
40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked by the firewall rule.
Note: HTTPort does neither freeze nor hang. What you are experiencing is known as "blocking operations".
FIGURE 14.22: ftp connection is blocked
41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1, and press Enter.
Note: HTTPort makes it possible to open the client side of a TCP/IP connection and provide it to any software. The keywords here are "client" and "any software".
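The outbound rule built in steps 29 to 39, the connection check of steps 40 and 41, and the HTTHost inbound port from the sidebar note, as an added PowerShell example. This is not code from the lab manual or from HTTPort/HTTHost; it assumes Windows Server 2012 or later with the NetSecurity module and an elevated prompt, the host names are taken from the lab text, and the HTTHost port 80 is the sidebar's typical value.

```powershell
# Added example, not code from the CEH manual or from HTTPort/HTTHost: the
# "Port 21 Blocked" outbound rule of steps 29-39 created with the NetSecurity
# cmdlets (Windows Server 2012 / Windows 8 and later) instead of the wizard.
# Run from an elevated PowerShell. The host names and the HTTHost port are
# assumptions taken from the lab text.

$RuleName = 'Port 21 Blocked'

# Step 32 selected "All remote ports"; the equivalent -RemotePort Any would
# block every outbound TCP connection, which is why step 38 narrows it to 21.
# Create the rule with the specific port from the start.
$rule = New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Lab: block outbound FTP control connections' `
    -Direction Outbound -Protocol TCP -RemotePort 21 `
    -Action Block -Profile Domain, Private, Public -Enabled True

# Check what the rule really filters (the Protocols and Ports tab of step 38).
$filter = $rule | Get-NetFirewallPortFilter
'{0}: {1} remote port {2}, action {3}' -f $rule.DisplayName, $filter.Protocol, $filter.RemotePort, $rule.Action

# TCP connect test with a timeout; Test-NetConnection only arrived with
# Windows 8.1 / Server 2012 R2, so plain .NET sockets are used here.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)      # throws when the connection is refused or blocked
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 40: direct FTP is now blocked by the outbound rule.
# Step 41: the HTTPort listener on 127.0.0.1:21 is loopback traffic, which the
# Windows Firewall does not filter, so the tunnelled session still works.
Test-TcpPort -HostName 'ftp.certifiedhacker.com' -Port 21   # False with the rule active
Test-TcpPort -HostName '127.0.0.1' -Port 21                  # True while HTTPort is running

# HTTHost side (sidebar note): the machine running htthost needs an inbound
# allow rule for the port the proxy will be talking to, typically 80 or 443.
New-NetFirewallRule -DisplayName 'HTTHost listener' -Direction Inbound `
    -Protocol TCP -LocalPort 80 -Action Allow -Profile Domain, Private, Public | Out-Null

# Remove the lab rules when finished:
# Remove-NetFirewallRule -DisplayName $RuleName, 'HTTHost listener'
```

The port-filter check matters because a rule whose remote port is Any looks identical to the intended one in the rule list: the wizard of step 32 produces exactly that, and between steps 35 and 38 the lab machine has no outbound TCP at all. Confirm the filter before moving on, and keep the rule name unique so Remove-NetFirewallRule removes only the lab rule.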
FIGURE 14.23: Executing ftp command
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
  Proxy server used: 10.0.0.4
  Port scanned: 80
  Result: ftp 127.0.0.1 connected to 127.0.0.1
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine what to do if the software does not allow editing the address to connect to.
Internet Connection Required: Yes
Platform Supported: Classroom
Lab: Basic Network Troubleshooting Using MegaPing
MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.
Lab Scenario
You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are encapsulated in the HTTP protocol. For any company to exist on the Internet, it requires a web server. These web servers prove to be a high-value target for attackers. The attacker usually exploits the WWW server running IIS and gains command line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the hts server set up, the attacker then starts a client on his or her system and directs its traffic to the SRC port of the system running the hts server. This hts process listens on port 80 of the WWW host and redirects traffic.
The hts process wraps the traffic in HTTP headers and forwards it to the WWW server's port 80, after which the attacker tries to log in to the system; once access is gained, he or she sets up additional tools to further exploit the network.
The MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves the information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.
Lab Objectives
This lab gives an insight into pinging a destination address list. It teaches how to:
■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning
Lab Environment
To carry out the lab, you need:
■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from http://www.magnetosoft.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows Server 2008, and Windows 7
Note: PING stands for Packet Internet Groper.
Lab Duration
Time: 10 Minutes
Overview of Ping
The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP echo response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets.
Lab Tasks
TASK 1: IP Scanning
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 13.1: Windows Server 2012 - Desktop view
2. Click the MegaPing app to open the MegaPing window.
FIGURE 15.2: Windows Server 2012 - Apps
3. The MegaPing main window appears as shown in the following figure.
FIGURE 15.3: MegaPing main window
Note: All scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.
4. Select any one of the options from the left pane of the window.
Note: The Security Scanner provides the following information: NetBIOS names, configuration info, open TCP and UDP ports, transports, shares, users, groups, services, drivers, local drives, sessions, remote time of day, and printers.
5. Select IP Scanner, and type the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
6. You can select the IP range depending on your network.
FIGURE 15.4: MegaPing IP Scanning
7. It lists all the IP addresses in that range with their TTL (Time to Live), Status (dead or alive), and the statistics of dead and alive hosts.
Note: Network utilities: DNS List Hosts, DNS Lookup Name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.
FIGURE 15.5: MegaPing IP Scanning Report (in the lab network: 254 addresses scanned, 4 active hosts, 250 failed)
TASK 2: NetBIOS Scanning
8. Select the NetBIOS Scanner from the left pane and type the IP range in the From and To fields.
In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
Note: MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.
FIGURE 15.6: MegaPing NetBIOS Scanning
9. The NetBIOS scan lists all the hosts with their NetBIOS names and adapter addresses.
Note: Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example by shutting down unnecessary ports, closing shares, etc.
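What a NetBIOS scanner such as the one in steps 8 and 9 actually sends and parses, as an added PowerShell example. This is not MegaPing's code or part of the lab manual; it assumes the lab's 10.0.0.0/24 range, a 1.5 second timeout, and targets that answer NetBIOS Node Status requests on UDP 137 (Windows hosts with NetBIOS over TCP/IP enabled).

```powershell
# Added example, not code from the CEH manual or from MegaPing: the request
# behind a NetBIOS scan. MegaPing lists each host's NetBIOS names and adapter
# address; they come from a NetBIOS Node Status request (what nbtstat -A sends)
# to UDP port 137. The address range and the timeout are assumptions.

function Get-NetBiosNames {
    param([string]$IPAddress, [int]$TimeoutMs = 1500)

    # Node Status request (RFC 1002): 12-byte header with QDCOUNT=1, then the
    # wildcard name "*" in first-level encoding (each nibble + 'A', padded to
    # 16 bytes), QTYPE NBSTAT (0x21) and QCLASS IN (0x01); 50 bytes in total.
    $txid  = Get-Random -Minimum 1 -Maximum 65535
    $query = New-Object byte[] 50
    $query[0] = [byte]($txid -shr 8); $query[1] = [byte]($txid -band 0xFF)
    $query[5]  = 1                        # QDCOUNT
    $query[12] = 0x20                     # label length: 32 encoded characters
    $encoded = [System.Text.Encoding]::ASCII.GetBytes('CK' + ('A' * 30))
    [Array]::Copy($encoded, 0, $query, 13, 32)
    $query[45] = 0x00                     # end of name
    $query[47] = 0x21                     # QTYPE  = NBSTAT
    $query[49] = 0x01                     # QCLASS = IN

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($IPAddress, 137)
        [void]$udp.Send($query, $query.Length)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $resp = $udp.Receive([ref]$remote)
    } catch {
        return $null                      # timeout or ICMP unreachable: no NetBIOS service
    } finally {
        $udp.Close()
    }

    # Answer: header (12) + encoded name (34) + type, class, TTL, RDLENGTH (10)
    # = 56 bytes, then NUM_NAMES, then 18 bytes per name (15-character name,
    # 1 suffix byte, 2 flag bytes), then the 6-byte unit ID (the adapter's MAC).
    if ($resp.Length -lt 57) { return $null }
    $count = [int]$resp[56]
    $names = for ($i = 0; $i -lt $count; $i++) {
        $off = 57 + 18 * $i
        if ($off + 18 -gt $resp.Length) { break }
        $flags = ([int]$resp[$off + 16] -shl 8) -bor $resp[$off + 17]
        [pscustomobject]@{
            Name   = [System.Text.Encoding]::ASCII.GetString($resp, $off, 15).TrimEnd()
            Suffix = '<{0:X2}>' -f $resp[$off + 15]   # <00> workstation, <20> file server, <1C> domain controllers
            Type   = if ($flags -band 0x8000) { 'GROUP' } else { 'UNIQUE' }
        }
    }
    $macOff = 57 + 18 * $count
    $mac = if ($macOff + 6 -le $resp.Length) {
        ($resp[$macOff..($macOff + 5)] | ForEach-Object { '{0:X2}' -f $_ }) -join '-'
    } else { $null }

    [pscustomobject]@{ IPAddress = $IPAddress; Names = @($names); AdapterAddress = $mac }
}

# Walk the lab range of step 8 (10.0.0.1 to 10.0.0.254) and print one line per
# host that answered, in the style of MegaPing's NetBIOS report.
foreach ($i in 1..254) {
    $r = Get-NetBiosNames -IPAddress "10.0.0.$i"
    if ($r) {
        $list = ($r.Names | ForEach-Object { $_.Name + $_.Suffix }) -join ' '
        '{0,-15} {1,-17} {2}' -f $r.IPAddress, $r.AdapterAddress, $list
    }
}
```

The suffix byte is the useful part of the answer for a pentester: <20> marks a host offering file sharing, <1C> a domain controller group name, and a GROUP entry gives the workgroup or domain name. The adapter address returned in the unit ID is the same value MegaPing prints, and it is obtainable from outside the local subnet, unlike an ARP lookup.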
FIGURE 15.7: MegaPing NetBIOS Scanning Report
10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.
TASK 3: Traceroute
11. Then right-click and select the Traceroute option.
Note: Other features include a multithreaded design that allows processing any number of requests in any tool at the same time, real-time network connection status and protocol statistics, real-time process information and usage, real-time network information including network connections and open network files, system tray support, and more.
FIGURE 15.8: MegaPing Traceroute
12. The Traceroute window opens and traces the route to the selected IP address.
FIGURE 15.9: MegaPing Traceroute Report
TASK 4: Port Scanning
13. Select Port Scanner from the left pane, add www.certifiedhacker.com to the Destination Address List, and then click the Start button.
14. After you click Start, the button toggles to Stop.
15. It lists the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.
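The three probes MegaPing runs in Tasks 1, 3 and 4 (the ICMP sweep described in Overview of Ping, traceroute, and the TCP port scan with keyword and risk columns), as an added PowerShell example. This is not the manual's or MegaPing's code; it assumes Windows Server 2012 / PowerShell 3 or later, the lab's address range and target host, a short port list, and reuses the risk wording the lab's report showed for those services.

```powershell
# Added example; it is not the manual's or MegaPing's code. The three probes
# MegaPing runs in Tasks 1, 3 and 4 (ICMP sweep, traceroute, TCP port scan)
# written against .NET classes available on Windows Server 2012 / PowerShell 3.
# Address range, target host, port list and timeouts are assumptions; the
# keyword/risk labels copy the wording of the lab's report for those services.

# Task 1: echo-request sweep. The reply TTL is what MegaPing's TTL column shows
# (64 and 128 in the lab run are typical of Linux-like and Windows stacks).
function Invoke-PingSweep {
    param([string]$Prefix = '10.0.0', [int]$First = 1, [int]$Last = 254, [int]$TimeoutMs = 500)
    $ping = New-Object System.Net.NetworkInformation.Ping
    $results = foreach ($i in $First..$Last) {
        $ip = "$Prefix.$i"
        $reply = $ping.Send($ip, $TimeoutMs)
        [pscustomobject]@{
            Address = $ip
            Status  = $reply.Status
            Alive   = ($reply.Status -eq 'Success')
            TTL     = if ($reply.Status -eq 'Success' -and $reply.Options) { $reply.Options.Ttl } else { $null }
            RttMs   = $reply.RoundtripTime
        }
    }
    $active = @($results | Where-Object { $_.Alive }).Count
    Write-Host ('Total: {0}  Active: {1}  Failed: {2}' -f @($results).Count, $active, (@($results).Count - $active))
    $results | Where-Object { $_.Alive }
}

# Task 3: traceroute. Echo requests are sent with TTL 1, 2, 3, ...; each router
# that discards the packet answers TtlExpired from its own address, until the
# destination itself answers Success.
function Invoke-TraceRoute {
    param([string]$Destination, [int]$MaxHops = 30, [int]$TimeoutMs = 1000)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $payload = [System.Text.Encoding]::ASCII.GetBytes('CEH lab traceroute')
    for ($ttl = 1; $ttl -le $MaxHops; $ttl++) {
        $opts  = New-Object System.Net.NetworkInformation.PingOptions -ArgumentList $ttl, $false
        $reply = $ping.Send($Destination, $TimeoutMs, $payload, $opts)
        $hop   = if ($reply.Address) { $reply.Address.ToString() } else { '*' }
        '{0,3}  {1,-15}  {2}' -f $ttl, $hop, $reply.Status
        if ($reply.Status -eq 'Success') { break }
    }
}

# Task 4: TCP connect scan. MegaPing annotates each port with an IANA keyword
# and a risk label; this table holds the TCP entries seen in the lab's report
# (UDP services such as compressnet need a different probe and are left out).
$ServiceTable = @{
    5  = @('rje',      'Low')
    7  = @('echo',     'Low')
    9  = @('discard',  'Low')
    21 = @('ftp',      'Elevated')
    80 = @('www-http', 'Elevated')
}
function Invoke-PortScan {
    param([string]$Target, [int[]]$Ports = @(5, 7, 9, 21, 80), [int]$TimeoutMs = 2000)
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($Target, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the port is closed
                $open = $true
            }
        } catch { $open = $false } finally { $client.Close() }
        $info = $ServiceTable[$port]
        [pscustomobject]@{
            Target  = $Target
            Port    = $port
            Open    = $open
            Keyword = if ($info) { $info[0] } else { 'unknown' }
            Risk    = if ($info) { $info[1] } else { 'unknown' }
        }
    }
}

Invoke-PingSweep -Prefix '10.0.0' | Format-Table -AutoSize
Invoke-TraceRoute -Destination '10.0.0.4'
Invoke-PortScan -Target 'www.certifiedhacker.com' | Where-Object { $_.Open } | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind when comparing this with MegaPing's output: a host that filters ICMP shows up as Failed in the sweep yet can still have open TCP ports, so the port scan should not be limited to the sweep's active list; and a connect scan completes the TCP handshake, so every probe is logged by the target as a full connection, unlike a SYN scan.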
FIGURE 15.10: MegaPing Port Scanning Report (in the lab run, TCP 21 ftp and TCP 80 www-http were reported with risk Elevated; UDP echo, discard, rje and compressnet with risk Low)
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: MegaPing
Information Collected/Objectives Achieved:
  IP Scan Range: 10.0.0.1 - 10.0.0.254
  Performed Actions: IP Scanning, NetBIOS Scanning, Traceroute, Port Scanning
  Result: list of active hosts, NetBIOS names, adapter addresses
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How does MegaPing detect security vulnerabilities on the network?
2.
Examine the report generation of MegaPing.
Internet Connection Required: No
Platform Supported: Classroom, iLabs
Lab: Detect, Delete and Block Google Cookies Using G-Zapper
G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.
Lab Scenario
You have learned in the previous lab that the MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves the information in security reports. It provides detailed information about all computers and network appliances. It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network. As an administrator, you can organize safety measures by shutting down unnecessary ports, closing shares, etc., to block attackers from intruding into the network. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.
Lab Objectives
This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.
Lab Environment
To carry out the lab, you need:
■ G-Zapper, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from http://www.dummysoftware.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012
Lab Duration
Time: 10 Minutes
Overview of G-Zapper
G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.
Lab Tasks
TASK 1: Detect & Delete Google Cookies
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 16.1: Windows Server 2012 - Desktop view
2. Click the G-Zapper app to open the G-Zapper window.
Note: G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, and Windows 7.
FIGURE 16.2: Windows Server 2012 - Apps
3. The G-Zapper main window appears as shown in the following screenshot. It reports that a Google tracking ID exists on the PC, shows the Google ID found in Chrome, the date and time Google installed the cookie, how long your searches have been tracked (13 hours in the lab run), and whether any Google searches were found in Internet Explorer or Firefox.
FIGURE 16.3: G-Zapper main window
4. To delete the Google search cookies, click the Delete Cookie button; a window appears that gives information about the deleted cookie location. Click OK.
Reproduction is Strictly Prohibited Module 03 - Scanning Networks י ■ ]jlF x G-Zapper - TRIAL VERSION י What is G-Zapper G-Zapper ־Protectng your Search Privacy ■# Did you know ■Google stores a unique identifier n a cookie on you PC, v*»ch alows them 10 track the keywords you search for G-Zapper w i automatically defect and dean this cookie in your web browser. - J 1 1 s L ( 1 j n - f i- 7 a n n f t t th e , w n d n w * i n i f t n in u .u n u i ^ n h a o c a d n c i Y ^ u _________ _________ G־Zapper C] A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches. © The Google search cookie was removed and w ill be re-created with a new ID upon visiting www.google.com The cookie was located a t (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Howt OK T0 block and delete the Google search cookie, click the Block Cookie button (Gmail and Adsense w i be unavaJable with the cookie blocked) http //www. dummvsoftware com Delete Cookie Block Cookie T e s t G oogle Register S ettings FIGURE 16.4: Deleting search cookies 5. To block the Google search cookie, click die B lock c o o k ie button. A window will appear asking if you want to manually block the Google cookie. Click Y es ' - m G־Zapper - TRIAL VERSION What is G-Zapper G-Zapper - Protectng you Search Privacy סThe tiny tray icon runs in th e background, ta k es up very little s p a c e and can notify you by sound & anim ate w hen th e G oogle co o k ie is blocked. p__ Did you know - Google stores a unique identifier in a cookie on your PC. which alows them to track the keywords you search for. G-Zapper will automatically detect and dean this cookie in you web browser. .LMiijnfi-Zanrret mrnnnre the, wnrinw and pjiinu .unu..ftnhanrari sftatnh nrtwra______ _____ Manually Blocking the Google Cookie Gm ail and other Google services w ill be unavailable while the cookie is manually blocked. 
If you use these services, we recom mend not blocking the cookie and instead allow G-Zapper to regularly clean the cookie automatically. Are you sure you wish to m anually block the Google cookie? How No Yes T0 block and delete the Google search cookie, click the Block Cookie bUton (Gmail and Adsense w l be unavaiaWe with the cookie blocked) http //www dummvsoftware, com Delete Cookie Block Cookie T e st G oogle S ettings R egister FIGURE 16.5: Block Google cookie 6. It will show a message diat the Google cookie has been blocked. To verify, click OK C E H L ab M an u al P ag e 246 E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks G־Zapper - TRIAL VERSION What is G-Zapper G-Zappef - Protecbng your Search Privacy 1 ^ 0 Did you know ■Google stores a unique identtfier in a cookie on your PC. which alows them to track the keywords you search for GZapper will automatically detect and dean this cookie n you web browser. Just run GZapper, mmmize the wrxlow. and enjoy your enhanced search privacy G־Zapper The Google cookie has been blocked. You may now search anonym ously on google.com . Click the Test Google button to verify. How t OK Your identity will be obscured from previous searches and G-Zapper w i regularly clean future cookies T0 restore the Google search cookie clck the Restore Cookie button & ־G-Zapper can a lso clea n your G oogle search history in Internet Explorer and Mozilla Firefox. It's far too e a sy for so m eo n e using your PC to g e t a glim pse of w hat you've been searching for. http //www dummvsoftware com Restore Cookie Delete Cookie T e st G oogle Settings Regtster FIGURE 16.6: Block Google cookie (2) 7. To test the Google cookie that has been blocked, click the T e s t G oogle button. 8. Yoiu default web browser will now open to Google’s Preferences page. Click OK. AAgoog... 
P - 2 (5 [ 0 ?references יו ♦You Search Images Maps Play YouTube News Gmal More ־ Google Preferences Sign in 1 Goflflls Account 5£tt303 Piefeiences Help I About Google S a v e y o u r p r e f e r v n c v » w h e n f in i s h e d a n d ! * t u r n t o i w r c h S a v e P re fe re n c e s Global Preferences (changoc apply to al Googio sorvtcos) Y o u r c o o k ie s s e e m t o b e d is a b le d . Setting preferences will not work until you enable cookies in your browser. Interface Language Display Googio Tips and messages in: Engiisn tt you do not find your native language in the pulldown above you can help Google create it through our Google in Your I anfliiage program Search I anguage Piefei pages mitten in these language(*) □ Afrikaans b£ English U Indonesian LI Serbian □ Arabic L. Esperanto U Italian □ Slovak D Armenian I~ Estonian FI Japanese 0 Slovenian □ Belarusian C Flipino □ Koiean G Spanish U Bulgarian L Finnish U Latvian LI Swahi FIGURE 16.7: Cookies disabled massage 9. To view the deleted cookie information, click die S ettin g button, and click V iew Log in the cleaned cookies log . C E H L ab M an u al P ag e 247 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ־C oundl All Rights Reserved. Reproduction is Strictly Prohibited Module 03 - Scanning Networks G־Zapper - TRIAL VERSION ׳- m What is G-Zapper G־Zapper Settings Sounds f* Ray sound effect when a cookie is deleted default wav Preview Browse Clear Log View Log Google Analytics Trackng W Block Google Analytics fiom tiackng web sites that I visit. Q You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy Deaned Cookies Log W Enable logging of cookies that have recently been cleaned. I” Save my Google ID in the deaned cookies log. OK Delete Cookie Restore Cookie Test Google Register Settings FIGURE 16.8: Viewing the deleted logs 10. The deleted cookies information opens in Notepad. 
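What steps 3 and 4 above do (read the Google cookie out of the browser's cookie store, show when it was installed and how long it has been tracking searches, then delete it while leaving other sites' cookies alone) can be reproduced against a Firefox-style cookies.sqlite. The Python below is an added example, not part of the lab or of G-Zapper: it assumes a reduced moz_cookies schema (the real table has more columns), uses an in-memory database with constructed rows, and takes the installation time from the values the screenshot in step 3 reports.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Reduced stand-in for the moz_cookies table inside Firefox's cookies.sqlite.
# The real table has more columns; this subset is an assumption for the
# example. creationTime holds microseconds since the Unix epoch.
SCHEMA = """
CREATE TABLE moz_cookies (
    id           INTEGER PRIMARY KEY,
    name         TEXT    NOT NULL,
    value        TEXT    NOT NULL,
    host         TEXT    NOT NULL,
    path         TEXT    NOT NULL,
    expiry       INTEGER NOT NULL,
    creationTime INTEGER NOT NULL
)
"""

# Constructed sample rows. The Google cookie's creation time is the one the
# lab screenshot reports (September 05, 2012 01:54:46 AM); the cookie names,
# values and the unrelated example.com cookie are made up for the example.
GOOGLE_INSTALLED = datetime(2012, 9, 5, 1, 54, 46, tzinfo=timezone.utc)
# "Now" is 13 hours later, matching the screenshot's "tracked for 13 hours".
SAMPLE_NOW = GOOGLE_INSTALLED + timedelta(hours=13)
SAMPLE_ROWS = [
    ("tracker", "6b4b4d9fe5c60cc1", ".google.com", "/", 2_000_000_000, GOOGLE_INSTALLED),
    ("session", "abc123", "www.example.com", "/", 2_000_000_000, GOOGLE_INSTALLED),
]

# Matches the bare domain and its subdomains only; a parameterised LIKE keeps
# the pattern out of the SQL text, and "evilgoogle.com" does not match.
GOOGLE_HOST_FILTER = ("host = ? OR host LIKE ?", (".google.com", "%.google.com"))


def to_micros(dt: datetime) -> int:
    """Convert an aware datetime to Firefox's microsecond epoch format."""
    return int(dt.timestamp() * 1_000_000)


def open_sample_store() -> sqlite3.Connection:
    """Create the in-memory cookie store and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, creationTime)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(n, v, h, p, e, to_micros(c)) for n, v, h, p, e, c in SAMPLE_ROWS],
    )
    conn.commit()
    return conn


def google_cookie_report(conn: sqlite3.Connection, now: datetime) -> list[dict]:
    """List google.com cookies with their install time and age in whole hours."""
    where, params = GOOGLE_HOST_FILTER
    rows = conn.execute(
        f"SELECT name, host, creationTime FROM moz_cookies WHERE {where}"
        " ORDER BY creationTime",
        params,
    ).fetchall()
    report = []
    for name, host, created_us in rows:
        created = datetime.fromtimestamp(created_us / 1_000_000, tz=timezone.utc)
        tracked_hours = int((now - created) // timedelta(hours=1))
        report.append({"name": name, "host": host, "installed": created,
                       "tracked_hours": tracked_hours})
    return report


def delete_google_cookies(conn: sqlite3.Connection) -> int:
    """Remove the google.com cookies (what the Delete Cookie button does) and
    return how many rows went; cookies for other hosts are untouched."""
    where, params = GOOGLE_HOST_FILTER
    cur = conn.execute(f"DELETE FROM moz_cookies WHERE {where}", params)
    conn.commit()
    return cur.rowcount


def remaining_cookie_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM moz_cookies").fetchone()[0]


if __name__ == "__main__":
    store = open_sample_store()
    for entry in google_cookie_report(store, SAMPLE_NOW):
        print(f"{entry['host']} cookie '{entry['name']}' installed "
              f"{entry['installed']:%A, %B %d, %Y %I:%M:%S %p}, "
              f"tracked for {entry['tracked_hours']} hours")
    print(f"deleted {delete_google_cookies(store)} cookie(s); "
          f"{remaining_cookie_count(store)} left")
```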
FIGURE 16.9: Deleted logs (the cookiescleaned log in Notepad lists, per entry, the browser, the cookie store path and the time of cleaning, for example "(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM" and "(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM")

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: G-Zapper
Information Collected/Objectives Achieved:
Action Performed:
■ Detect the cookies
■ Delete the cookies
■ Block the cookies
Result: Deleted cookies are stored in C:\Users\Administrator\Application Data

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine how G-Zapper automatically cleans Google cookies.
2. Check to see if G-Zapper is blocking cookies on sites other than Google.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs

Lab
Scanning the Network Using the Colasoft Packet Builder
The Colasoft Packet Builder is a useful tool for creating custom network packets.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
In the previous lab you learned how you can detect, delete, and block cookies. Attackers exploit the XSS vulnerability, which involves an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript code. The injected code can read a user's cookies and transmit those cookies to the attacker.
As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields; encoding input and output and filtering meta characters in the input; and using a web application firewall to block the execution of malicious script.
Another method of vulnerability checking is to scan a network using the Colasoft Packet Builder. In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment
In this lab, you need:
■ Colasoft Packet Builder, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as the host machine
■ Windows 8 running on a virtual machine as the target machine
■ You can also download the latest version of Advanced Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ.
■ A web browser with an Internet connection running on the host machine

Lab Duration
Time: 10 Minutes

Overview of Colasoft Packet Builder
Colasoft Packet Builder creates and enables custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that lets users edit specific protocol field values much more easily. Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.

Lab Tasks
TASK 1: Scanning Network
1. Install and launch the Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 17.1: Windows Server 2012 - Desktop view
You can download Colasoft Packet Builder from http://www.colasoft.com.
3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.
FIGURE 17.2: Windows Server 2012 - Apps
4. The Colasoft Packet Builder main window appears.
FIGURE 17.3: Colasoft Packet Builder main screen
Operating system requirements: Windows Server 2003 and 64-bit Edition, Windows 2008 and 64-bit Edition, Windows 7 and 64-bit Edition.
5. Before starting your task, check that the Adapter settings are set to default and then click OK.
FIGURE 17.4: Colasoft Packet Builder Adapter settings (the Select Adapter dialog shows Physical Address D4:BE:D9:C3:CE:2D, Link Speed 100.0 Mbps, Max Frame Size 1500 bytes, IP Address 10.0.0.7/255.255.255.0, Default Gateway 10.0.0.1, Adapter Status Operational)
6. To add or create the packet, click Add in the menu section. There are two ways to create a packet, Add and Insert. The difference between them is the newly added packet's position in the Packet List: the new packet is listed as the last packet in the list if added, but directly after the current packet if inserted.
FIGURE 17.5: Colasoft Packet Builder creating the packet
7. When the Add Packet dialog box pops up, select the template and click OK.
Colasoft Packet Builder supports the *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCP DUMP), and *.rawpkt (raw packet files).
FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box (Select Template: ARP Packet; Delta Time: 0.1 second)
8. You can view the added packets list on the right-hand side of your window.
TASK 2
FIGURE 17.7: Colasoft Packet Builder Packet List (one packet selected: Delta Time 0.100000, Source 00:00:00:00:00:00)
9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.
Burst Mode option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.
FIGURE 17.8: Colasoft Packet Builder Decode Editor (Packet Num: 000001, Length: 64; Ethernet Type II [0/14]: Destination Address FF:FF:FF:FF:FF:FF, Source Address 00:00:00:00:00:00, Protocol Type 0x0806; ARP - Address Resolution Protocol [14/28]: Hardware Type 1 (Ethernet), Protocol Type 0x0800, Hardware Address Length 6, Protocol Address Length 4, Type 1 (ARP Request), Source Physical 00:00:00:00:00:00, Source IP 0.0.0.0, Destination Physical 00:00:00:00:00:00, Destination IP 0.0.0.0; Extra Data [42/18]: 18 bytes; FCS: 0xF577BDD9)
FIGURE 17.9: Colasoft Packet Builder Hex Editor (the same 60-byte frame as raw hex, offsets 0000 to 0038)
10. To send all packets at one time, click Send All from the menu bar.
11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.
Loop Sending option: This defines the number of times the sending is repeated, one time by default. Enter zero if you want to keep sending packets until you pause or stop it manually.
FIGURE 17.10: Colasoft Packet Builder Send All button
Select a packet from the packet listing to activate the Send All button.
FIGURE 17.11: Colasoft Packet Builder Send All Packets
12. Click Start.
The progress bar presents an overview of the sending process you are engaged in at the moment.
FIGURE 17.12: Colasoft Packet Builder Send All Packets (Adapter: Realtek PCIe GBE Family Controller; Burst Mode (no delay between packets); Loop Sending with Delay Between Loops in milliseconds, zero loops for an infinite loop; Sending Information: Total Packets 1, Packets Sent 1)
13. To export the packets sent, from the File menu select File → Export → All Packets.
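The ARP template shown in the Decode Editor and Hex Editor in steps 9 to 11 (broadcast destination, all-zero source MAC, opcode 1, zero sender and target addresses, 18 bytes of padding) is reassembled below and decoded the way a passive monitor on the receiving side would see it. This Python is an added example, not code from the lab or from Colasoft; the frame bytes are rebuilt from the [offset/length] pairs the Decode Editor lists, and the anomaly checks are this example's own (a request whose Ethernet source or ARP sender MAC is all zeros does not come from a normally configured host, so a monitor can flag it).

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed copy of the 60-byte ARP template from the lab's Hex Editor
# screenshot, rebuilt from the [offset/length] pairs the Decode Editor lists.
# The 4-byte FCS the decoder shows is appended by the NIC and is left out.
TEMPLATE_FRAME = (
    bytes.fromhex("ffffffffffff")    # [0/6]   destination MAC: broadcast
    + bytes.fromhex("000000000000")  # [6/6]   source MAC: still unset
    + bytes.fromhex("0806")          # [12/2]  EtherType: ARP
    + bytes.fromhex("0001")          # [14/2]  hardware type: Ethernet
    + bytes.fromhex("0800")          # [16/2]  protocol type: IPv4
    + bytes.fromhex("06")            # [18/1]  hardware address length
    + bytes.fromhex("04")            # [19/1]  protocol address length
    + bytes.fromhex("0001")          # [20/2]  opcode: 1 = request
    + bytes(6) + bytes(4)            # [22/6] [28/4] sender MAC / sender IP
    + bytes(6) + bytes(4)            # [32/6] [38/4] target MAC / target IP
    + bytes(18)                      # [42/18] padding to the 60-byte minimum
)


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    hw_type: int
    proto_type: int
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode an Ethernet II frame carrying an Ethernet/IPv4 ARP message."""
    if len(frame) < 42:
        raise ValueError("frame shorter than Ethernet header + ARP body")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack(
        "!HHBBH", frame[14:22])
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(dst), mac_str(src), hw_type, proto_type, opcode,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def arp_anomalies(arp: ArpFrame) -> list[str]:
    """Checks a monitor could apply to each ARP frame; an empty list is clean."""
    findings = []
    if arp.opcode not in (1, 2):
        findings.append(f"unexpected opcode {arp.opcode}")
    if ZERO_MAC in (arp.src_mac, arp.sender_mac):
        findings.append("all-zero source/sender MAC")
    if arp.src_mac != arp.sender_mac:
        findings.append("Ethernet source MAC differs from ARP sender MAC")
    if arp.opcode == 2 and arp.dst_mac == BROADCAST_MAC:
        findings.append("broadcast ARP reply")
    return findings


if __name__ == "__main__":
    decoded = parse_arp_frame(TEMPLATE_FRAME)
    print(decoded)
    print("findings:", arp_anomalies(decoded) or "none")
```

The unedited template trips only the all-zero MAC check; once the adapter's own MAC and IP from step 5 are filled in, the same request decodes clean.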
FIGURE 17.13: Export All Packets option
Packets Sent option: This shows the number of packets sent successfully. Colasoft Packet Builder also displays the packets sent unsuccessfully, if there is a packet that was not sent out.
FIGURE 17.14: Select a location to save the exported file (Save As dialog, file type Colasoft Packet File (v6) (*.cscpkt))
FIGURE 17.15: Colasoft Packet Builder exporting packet (Packets.cscpkt)

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: Colasoft Packet Builder
Information Collected/Objectives Achieved:
Adapter Used: Realtek PCIe Family Controller
Selected Packet Name: ARP Packets
Result: Captured packets are saved in packets.cscpkt

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs

Lab
Scanning Devices in a Network Using The Dude
The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
In the previous lab you learned how packets can be captured using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from a network and obtain specific network information. The attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network.
As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access.
In this lab you will learn to use The Dude tool to scan the devices in a network, and the tool will alert you if any attack has been performed on the network.

Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment
To carry out the lab, you need:
■ The Dude, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of The Dude
The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 18.1: Windows Server 2012 - Desktop view
TASK 1: Launch The Dude
2. In the Start menu, to launch The Dude, click The Dude icon.
FIGURE 18.2: Windows Server 2012 - Start menu
3. The main window of The Dude will appear.
FIGURE 18.3: Main window of The Dude
4. Click the Discover button on the toolbar of the main window.
FIGURE 18.4: Select discover button
5. The Device Discovery window appears.
FIGURE 18.6: Device discovery (the General tab asks for the subnet to scan, here Scan Networks 10.0.0.0/24, with Agent, Add Networks To Auto Scan, Black List, Device Name Preference (DNS, SNMP, NETBIOS, IP), Discovery Mode (fast: scan by ping; reliable: scan each service), Recursive Hops, and Layout Map After Discovery Complete)
6. In the Device Discovery window, specify the Scan Networks range, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, and IP from the Device Name Preference drop-down list, and click Discover.
FIGURE 18.7: Selecting device name preference
7. Once the scan is complete, all the devices connected to the particular network will be displayed.
FIGURE 18.8: Overview of network connection
8. Select a device and place the mouse cursor on it to display the detailed information about that device.
FIGURE 18.9: Detailed information of the device
9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.
FIGURE 18.10: Selecting Local information
10. Select options from the drop-down list to view complete information.
FIGURE 18.11: Scanned network complete information
11. As described previously, you may select all the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the button to disconnect.
FIGURE 18.12: Connection of systems in network

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: The Dude
Information Collected/Objectives Achieved:
IP Address Range: 10.0.0.0 - 10.0.0.24
Device Name Preferences: DNS, SNMP, NETBIOS, IP
Output: List of connected systems and devices in the network

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs