CEH Lab Manual
Scanning Networks Module 03
Module 03 - Scanning Networks
Scanning a Target Network
Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.
Lab Scenario
Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP/hostname, live hosts, and vulnerabilities.

Lab Objectives
The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network. You need to perform a network scan to:
■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment
To perform the lab, you need:
■ A computer running with Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans

Lab Duration
Time: 50 Minutes

Overview of Scanning Networks
Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
CEH Lab Manual Page 85
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom. For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.

Lab Tasks
TASK 1: Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScanTools Pro
■ Drawing Network Diagrams Using LANSurveyor Tool
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude

Ensure you have ready a copy of the additional readings handed out for this lab.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Scanning System and Network Resources Using Advanced IP Scanner
Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.
Lab Scenario
In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
Lab Objectives
The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
■ Perform a system and network scan
■ Enumerate users
■ Execute remote penetration
■ Gather information about local network computers

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment
To perform the lab, you need:
■ Advanced IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool

Lab Duration
Time: 20 Minutes

Overview of Network Scanning
Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. Gathered information is helpful in determining threats and vulnerabilities in a network and to know whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks
TASK 1: Launching Advanced IP Scanner
1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop (Windows 8).
FIGURE 1.1: Windows 8 - Desktop view
2. Click Advanced IP Scanner from the Start menu in the attacker machine.
With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.
FIGURE 1.2: Windows 8 - Apps
3. The Advanced IP Scanner main window appears.
You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.
FIGURE 1.3: The Advanced IP Scanner main window
4. Now launch the Windows Server 2008 virtual machine (victim's machine).
You have to guess a range of IP addresses of the victim machine.
FIGURE 1.4: The victim machine Windows Server 2008
Radmin 2.x and 3.x Integration enables you to connect (if Radmin is installed) to remote computers with just one click.
5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
6. Click the Scan button to start the scan.
The status of the scan is shown at the bottom left side of the window.
7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
Lists of computers saving and loading enable you to perform operations with a specific list of computers. Just save a list of machines you need and Advanced IP Scanner loads it at startup automatically.
Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.
FIGURE 1.6: The Advanced IP Scanner main window after scanning (the range 10.0.0.1-10.0.0.10 with Status, Name, IP, Manufacturer and MAC address columns; the status bar reads 5 alive, 0 dead, 5 unknown)
8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.
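The range scan of steps 5 to 8 (expand the Select range value, probe each address, look up the MAC prefix, count alive/dead/unknown), modelled in Python as an added example; this is not the lab's or Advanced IP Scanner's own code. The probe is injected, and the OUI table, the saved list and the host answers are constructed sample data so the code runs offline.

```python
"""Added example (not part of the CEH lab manual or of Advanced IP Scanner):
a minimal model of a LAN range scan such as 10.0.0.1-10.0.0.10. The probe is
injected so the code runs offline; OUI table, saved list and answers are constructed."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample OUI table (first three octets of a MAC -> manufacturer).
OUI_TABLE: Dict[str, str] = {
    "00:09:5B": "Netgear, Inc.",
    "D0:67:E5": "Dell Inc",
    "D4:BE:D9": "Dell Inc",
    "00:15:5D": "Microsoft Corporation",   # Hyper-V virtual NIC prefix
}

def expand_range(spec: str) -> List[str]:
    """Expand 'a.b.c.d-e.f.g.h' (as typed in the Select range field) into addresses."""
    if "-" not in spec:
        return [str(ipaddress.IPv4Address(spec.strip()))]
    first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
    if last < first:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]

def manufacturer(mac: str) -> str:
    """Manufacturer column: look the MAC prefix up in the OUI table."""
    return OUI_TABLE.get(mac.upper()[:8], "unknown")

# A probe returns (name, mac) for a responding host, or None when nothing answers.
Probe = Callable[[str], Optional[Tuple[str, str]]]

def scan(spec: str, probe: Probe, saved_list: List[str]) -> List[dict]:
    """One record per address, using the tool's three states: alive (answered),
    dead (in the saved computer list but silent), unknown (silent, never seen)."""
    records = []
    for ip in expand_range(spec):
        answer = probe(ip)
        if answer:
            name, mac = answer
            records.append({"ip": ip, "status": "alive", "name": name,
                            "mac": mac.upper(), "manufacturer": manufacturer(mac)})
        else:
            status = "dead" if ip in saved_list else "unknown"
            records.append({"ip": ip, "status": status, "name": "",
                            "mac": "", "manufacturer": ""})
    return records

def summary(records: List[dict]) -> str:
    """The status-bar line, e.g. '5 alive, 0 dead, 5 unknown'."""
    counts = {s: sum(1 for r in records if r["status"] == s)
              for s in ("alive", "dead", "unknown")}
    return f"{counts['alive']} alive, {counts['dead']} dead, {counts['unknown']} unknown"

# Constructed answers in the style of Figure 1.6: five hosts respond in the range.
FAKE_LAN = {
    "10.0.0.1": ("", "00:09:5B:AE:24:CC"),
    "10.0.0.2": ("WIN-MSSELCK4K41", "D0:67:E5:1A:16:36"),
    "10.0.0.3": ("WINDOWS8", "00:15:5D:A8:6E:C6"),
    "10.0.0.5": ("WIN-LXQN3WR3R9M", "00:15:5D:A8:6E:03"),
    "10.0.0.7": ("WIN-D39MR5HL9E4", "D4:BE:D9:C3:CE:2D"),
}

def fake_probe(ip: str) -> Optional[Tuple[str, str]]:
    return FAKE_LAN.get(ip)

if __name__ == "__main__":
    results = scan("10.0.0.1-10.0.0.10", fake_probe, saved_list=["10.0.0.9"])
    for r in results:
        print(r)
    print(summary(results))
```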
TASK 2: Extract Victim's IP Address Info
9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.
Wake-on-LAN: You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.
FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list (the right-click menu offers Explore, Copy, Add to 'Favorites', Rescan selected, Save selected..., Wake-On-LAN, Shut down..., Abort shut down and Radmin)
10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood
FIGURE 1.8: The Advanced IP Scanner Computer properties window (Shutdown options: Use Windows authentication, User name, Password, Timeout (sec): 60, Message, Forced shutdown, Reboot)
12. Now you have the IP address, Name, and other details of the victim machine.
13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved: Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Banner Grabbing to Determine a Remote Target System Using ID Serve
ID Serve is used to identify the make, model, and version of any website's server software.
Lab Scenario
In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow, SQL injection, and web application vulnerabilities on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them and crack into the network and cause server damage. Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives
The objective of this lab is to help students learn to banner grab the website and discover applications running on this website. In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Environment
To perform the lab you need:
■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012
Lab Duration
Time: 5 Minutes

Overview of ID Serve
ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks
TASK 1: Identify website server information
1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
2. In the main window of ID Serve shown in the following figure, select the Server Query tab.
FIGURE 2.1: Main window of ID Serve (Internet Server Identification Utility, v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; the Server Query tab has the field "Enter or copy/paste an Internet server URL or IP address here", the "Query The Server" button and the "The server identified itself as" box)
If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.
3. Enter the IP address or URL address in Enter or Copy/paste an Internet server URL or IP address here:
ID Serve can accept the URL or IP as a command-line parameter.
FIGURE 2.2: Entering the URL for query (www.certifiedhacker.com typed into the URL field)
4. Click Query The Server; it shows server query processed information.
ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.
The Server query processing box in the figure reads:
Initiating server query
Looking up IP address for domain www.certifiedhacker.com
The IP address for the domain is 202.75.54.101
Connecting to the server on standard HTTP port: 80
Connected! Requesting the server's default page
The server identified itself as: Microsoft-IIS/6.0
FIGURE 2.3: Server processed information
Lab Analysis
Document all the IP addresses, their running applications, and the protocols you discovered during the lab.

Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
■ HTTP/1.1 200
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: PHP/4.4.8
■ Transfer-Encoding: chunked
■ Content-Type: text/html
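What ID Serve does in Figure 2.3 (connect to port 80, request the default page, read the Server header), written out in Python as an added example; this is not the lab's or ID Serve's own code. The header list and the "banner-check" User-Agent are assumptions, and the response bytes are constructed to mirror the headers in the table above, so the parsing runs offline; only query_server needs a network.

```python
"""Added example (not part of the lab manual or of ID Serve): an HTTP banner grab.
query_server() does the live query; parse_banner() and identify() are exercised
offline on a constructed response that mirrors the lab's recorded headers."""
import socket
from typing import Dict, Tuple

# Headers that identify server software; what an administrator checks on their
# own servers to see what a banner grab would reveal. Assumed list, not ID Serve's.
IDENTIFYING = ("server", "x-powered-by", "x-aspnet-version", "via")

def build_request(host: str, path: str = "/") -> bytes:
    """HEAD is enough to fetch the headers; ID Serve requests the default page."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: banner-check\r\nConnection: close\r\n\r\n").encode()

def parse_banner(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (status line, lower-cased header dict) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", errors="replace")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def identify(headers: Dict[str, str]) -> str:
    """Mimic ID Serve's 'The server identified itself as' line."""
    parts = [headers[h] for h in IDENTIFYING if h in headers]
    return " / ".join(parts) if parts else "(no identifying headers)"

def query_server(host: str, port: int = 80, timeout: float = 5.0) -> Tuple[str, Dict[str, str]]:
    """Live query (needs network); not used by the offline demonstration below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break          # server closed before the header block ended
            buf += data
    return parse_banner(buf)

# Constructed response echoing the headers recorded in the lab's table.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Microsoft-IIS/6.0\r\n"
                   b"X-Powered-By: PHP/4.4.8\r\n"
                   b"Transfer-Encoding: chunked\r\n"
                   b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    status, hdrs = parse_banner(SAMPLE_RESPONSE)
    print(status)
    print("The server identified itself as:", identify(hdrs))
```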
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Fingerprinting Open Ports Using the Amap Tool
Amap determines applications running on each open port.
Lab Scenario
Computers communicate with each other by knowing the IP address in use, and ports determine which program receives the data. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using a Standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine. In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

Lab Objectives
The objective of this lab is to help students learn to fingerprint open ports and discover applications running on these open ports. In this lab, you will learn to:
■ Identify the application protocols running on open port 80
■ Detect application protocols

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Environment
To perform the lab you need:
■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Web Services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012
Lab Duration
Time: 5 Minutes

Overview of Fingerprinting
Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.

Lab Tasks
TASK 1: Identify Application Protocols Running on Port 80
1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
2. Type amap www.certifiedhacker.com 80, and press Enter.
The command prompt shows:
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode
Unidentified ports: 202.75.54.101:80/tcp (total 1).
amap v5.2 finished at 2012-08-28 12:20:53
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]
FIGURE 3.1: Amap with hostname www.certifiedhacker.com with Port 80
3. You can see the specific application protocols running on the entered host name and the port 80.
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine): amap 10.0.0.4 75-81 (local Windows Server 2008) and press Enter (the IP address will be different in your network).
For Amap options, type amap -help.
6. Try scanning different websites using different ranges of switches like amap www.certifiedhacker.com 1-200
The command prompt shows:
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin
Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
amap v5.2 finished at 2012-08-28 12:27:54
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.
FIGURE 3.2: Amap with IP address and with range of switches 73-81

Lab Analysis
Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
Web servers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp
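The trigger/response matching described in the Overview of Fingerprinting (send a trigger, compare the reply against a list of response strings, report every match, disable unreachable ports), modelled in Python as an added example; this is not the lab's or Amap's own code. The signature table, the HTTP trigger and the fake service on port 80 are constructed and simplified relative to Amap's real definitions, so map_ports runs offline; connect_and_match is the live variant.

```python
"""Added example (not part of the lab manual or of Amap): application fingerprinting
by trigger and response matching over a port range such as 75-81. Signatures,
trigger and fake responses are constructed."""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed signatures in the spirit of Amap's response definitions:
# (application name, regex over the first response bytes). Listed most-specific first.
SIGNATURES = [
    ("http-iis",      re.compile(rb"^HTTP/1\.[01] \d{3}.*\r\nServer: Microsoft-IIS", re.S)),
    ("http-apache-2", re.compile(rb"^HTTP/1\.[01] \d{3}.*\r\nServer: Apache/2", re.S)),
    ("http",          re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("ssh",           re.compile(rb"^SSH-\d\.\d-")),
    ("smtp",          re.compile(rb"^220[ -].*SMTP", re.S)),
    ("ftp",           re.compile(rb"^220[ -]")),
]
HTTP_TRIGGER = b"GET / HTTP/1.0\r\n\r\n"   # constructed trigger packet

def parse_ports(spec: str) -> List[int]:
    """'75-81' -> [75..81]; '80' -> [80]; '21,80' -> [21, 80], as on the Amap command line."""
    ports: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    if any(p < 1 or p > 65535 for p in ports):
        raise ValueError("port out of range")
    return ports

def match_response(data: bytes) -> List[str]:
    """Every application whose signature matches. Amap likewise reports all matches:
    the lab output lists http, http-apache-2, http-iis and webmin for one port."""
    return [name for name, rx in SIGNATURES if rx.search(data)]

# A prober returns the service's first response bytes, or None when unreachable.
Prober = Callable[[str, int], Optional[bytes]]

def map_ports(host: str, spec: str, prober: Prober) -> Dict[int, List[str]]:
    """{port: [matches]} for reachable ports; unreachable ports are disabled with a
    warning as in Figure 3.2, and reachable ports with no match get an empty list."""
    results: Dict[int, List[str]] = {}
    for port in parse_ports(spec):
        data = prober(host, port)
        if data is None:
            print(f"Warning: Could not connect (unreachable) to {host}:{port}/tcp, disabling port")
            continue
        results[port] = match_response(data)
    return results

def connect_and_match(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Live prober (needs network): send the trigger and read the first response bytes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HTTP_TRIGGER)
            return s.recv(1024)
    except OSError:
        return None

# Constructed responses for 10.0.0.4 as in the lab: only port 80 answers.
FAKE_SERVICES = {
    80: b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\nContent-Type: text/html\r\n\r\n",
}

def fake_prober(host: str, port: int) -> Optional[bytes]:
    return FAKE_SERVICES.get(port)

if __name__ == "__main__":
    print(map_ports("10.0.0.4", "75-81", fake_prober))
```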
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility gets the applications running on different machines.
3. Use various Amap options and analyze the results.

Internet Connection Required
☑ Yes  □ No
Platform Supported
☑ Classroom  □ iLabs
Monitoring TCP/IP Connections Using the CurrPorts Tool
CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.
Lab Scenario
In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or disable unnecessary services running on the computer. You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and can have all the information in the IP and TCP headers and access to the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection. As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives
The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer. In this lab, you need to:
■ Scan the system for currently opened TCP/IP ports and UDP ports
■ Gather information on the processes that are opened
■ List all the IP addresses that are currently established connections
■ Close unwanted TCP connections and kill the process that opened the ports
Lab Environment
To perform the lab, you need:
■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrative privileges to run the CurrPorts tool
You can also download the CurrPorts tool from http://www.nirsoft.net.
Lab Duration

Time: 10 Minutes

Overview of Monitoring TCP/IP

Monitoring TCP/IP ports checks whether multiple IP connections are established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all the IP addresses with which the server has established connections.

Lab Tasks

The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

TASK 1: Discover TCP/IP Connections

1. Launch CurrPorts. It automatically displays the process name, ports, local and remote IP addresses, and their states.
[Figure 4.1 screenshot: CurrPorts main window listing Process Name, Process ID, Protocol, Local Port, Local Address, Remote Port, Remote Port Name, Remote Address and Remote Host Name for chrome.exe, firefox.exe, httpd.exe and lsass.exe; status bar reads "79 Total Ports, 21 Remote Connections, 1 Selected"]

FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses

2. CurrPorts lists all the processes and their IDs, protocols used, local and remote ports, local and remote IP addresses, and remote host names.
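The columns CurrPorts fills in (process, PID, protocol, local and remote endpoints, state) are the same data Windows exposes through `netstat -ano` and `tasklist`, and joining the two by PID is what an administrator does when the check has to be scripted and logged rather than read off a GUI. The following Python script is an added example written for this page; it is not part of the lab and not NirSoft's CurrPorts code. It parses constructed sample output of both commands, attaches the owning image name to every socket, and applies two triage rules: a PID with no image name (the condition CurrPorts marks as an unidentified application) and a listener bound to all interfaces that is not on an assumed baseline. The baseline set and both command outputs are made up for the example.

```python
# Added example for this page (not CurrPorts' code). Joins constructed `netstat -ano`
# and `tasklist /fo csv /nh` output the way the CurrPorts main window does, then
# flags entries an administrator would want to look at. Runs offline: both outputs
# below are made-up samples, not captured from a real host.
import re
from collections import namedtuple

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       564
  TCP    0.0.0.0:1070           0.0.0.0:0              LISTENING       1800
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1800
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.7:4148          173.194.36.26:443      ESTABLISHED     2988
  TCP    10.0.0.7:4163          173.194.36.15:443      ESTABLISHED     1368
  TCP    127.0.0.1:3981         127.0.0.1:3982         ESTABLISHED     1368
  UDP    0.0.0.0:53             *:*                                    4120
  UDP    10.0.0.7:137           *:*                                    4
"""

TASKLIST_SAMPLE = '''
"System","4","Services","0","24 K"
"lsass.exe","564","Services","0","9,876 K"
"firefox.exe","1368","Console","1","212,000 K"
"httpd.exe","1800","Services","0","18,000 K"
"chrome.exe","2988","Console","1","150,000 K"
'''

# Assumed baseline: listeners the administrator expects on this host.
EXPECTED_LISTENERS = {("TCP", 1028), ("TCP", 1070)}

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid process")

# One netstat row: proto, local addr:port, foreign addr:port, optional state (UDP has none), PID.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# One tasklist CSV row: image name, PID (remaining columns are not needed here).
_TASKLIST_RE = re.compile(r'^"([^"]+)","(\d+)"')


def parse_netstat(text):
    """Return one Conn per socket line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append(Conn(proto, laddr, int(lport), raddr,
                          int(rport) if rport.isdigit() else None,
                          state or "", int(pid), None))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = (_TASKLIST_RE.match(line) for line in text.splitlines())
    return {int(m.group(2)): m.group(1) for m in rows if m}


def correlate(netstat_text, tasklist_text):
    """Attach the owning image name to every socket (CurrPorts' Process Name column).
    PIDs absent from the task list keep process=None."""
    names = parse_tasklist(tasklist_text)
    return [c._replace(process=names.get(c.pid)) for c in parse_netstat(netstat_text)]


def suspicious(conns):
    """Triage rules. Returns (conn, reason) pairs:
    1. no image name for the PID: the owner is hidden, already gone, or the two
       snapshots were taken at different moments (CurrPorts colours these pink);
    2. a TCP listener or UDP endpoint bound to all interfaces that is not in the baseline."""
    findings = []
    for c in conns:
        wildcard = c.local_addr in ("0.0.0.0", "::")
        if c.process is None:
            findings.append((c, "owning process not found in tasklist"))
        elif wildcard and (c.proto == "UDP" or c.state == "LISTENING") \
                and (c.proto, c.local_port) not in EXPECTED_LISTENERS:
            findings.append((c, "unexpected listener on all interfaces"))
    return findings


def report_rows(conns):
    """Rows in CurrPorts' column order, ready for a tab-delimited export like /stab."""
    return [(c.process or "<unknown>", c.pid, c.proto, c.local_port, c.local_addr,
             c.remote_port, c.remote_addr, c.state) for c in conns]


if __name__ == "__main__":
    found = correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for row in report_rows(found):
        print("\t".join("" if v is None else str(v) for v in row))
    for c, why in suspicious(found):
        print(f"!! {c.proto} {c.local_addr}:{c.local_port} pid={c.pid}: {why}")
```

On a real host, feed the script the output of `netstat -ano` and `tasklist /fo csv /nh` taken back to back; a socket whose PID is missing from the task list is worth re-checking immediately, because the process may simply have exited between the two commands.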
3. To view all the reports as an HTML page, click View > HTML Reports - All Items.

[Figure 4.2 screenshot: CurrPorts View menu open, showing Show Grid Lines, Show Tooltips, Mark Odd/Even Rows, HTML Report - All Items, HTML Report - Selected Items, Choose Columns, Auto Size Columns, Refresh (F5)]

In the bottom left of the CurrPorts window, the status of total ports and remote connections displays.

FIGURE 4.2: The CurrPorts window with HTML Report - All Items

4. The HTML Report automatically opens using the default browser.
[Figure 4.3 screenshot: Firefox showing the CurrPorts report "TCP/UDP Ports List, created by using CurrPorts", opened from a report.html file on the Administrator's Desktop; columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name]

To check the countries of the remote IP addresses, you have to download the latest IP-to-Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.

FIGURE 4.3: The Web browser displaying CurrPorts Report - All Items

5. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).

CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu.

By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.

[Figure 4.4 screenshot: Firefox File menu open over the TCP/UDP Ports List report, with Save Page As... (Ctrl+S) highlighted]

FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items

6. To view only the selected report as an HTML page, select the ports and click View > HTML Reports - Selected Items.

Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

You can also right-click on the Web page and save the report.

[Figure 4.5 screenshot: CurrPorts View menu with HTML Report - Selected Items highlighted; status bar reads "79 Total Ports, 21 Remote Connections, 3 Selected"]

FIGURE 4.5: CurrPorts with HTML Report - Selected Items

7. The selected report automatically opens using the default browser.
[Figure 4.6 screenshot: Firefox showing the selected-items report "TCP/UDP Ports List, created by using CurrPorts" with three rows: chrome.exe, 2988, TCP, 4148, 10.0.0.7, 443, https, 173.194.36.26, bom04s01-in-f26.1e100.net, Established; firefox.exe, 1368, TCP, 4163, 10.0.0.7, 443, https, 173.194.36.15, bom04s01-in-f15.1e100.net, Established; httpd.exe, 1800, TCP, 1070, Listening]

In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).

FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items

The syntax for a filter string: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IPRange | Ports Range].
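The filter grammar is compact but has several moving parts (include versus exclude, which side of the connection is tested, the protocol, and a value that may be a port, a port range, an address or an address range), so here is an added Python implementation of it, written for this page rather than taken from CurrPorts. It evaluates filter strings over a constructed list of connections modelled on the rows in Figure 4.1. Three points are assumptions not stated on the page: the process scope is written `include:process:<image name>`; an item is shown if it matches at least one include filter (when any exist) and no exclude filter; and ranges written `a-b` are inclusive. The two filters asked for in question 1 of this lab (`include:remote:tcp:80 include:remote:udp:53` and `include:process:firefox.exe`) are among the inputs the example runs.

```python
# Added example for this page, not CurrPorts' own code: an evaluator for filter
# strings of the form documented in the lab,
#   [include|exclude]:[local|remote|both|process]:[tcp|udp|tcpudp]:[IPRange|PortsRange]
# Assumptions (not on the page): process filters read include:process:<image name>;
# a connection is shown when it matches some include filter (if any) and no exclude
# filter; ranges "a-b" are inclusive. SAMPLE is constructed, modelled on Figure 4.1.
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Conn:
    process: str
    proto: str                    # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: Optional[str]    # None for a listening socket
    remote_port: Optional[int]


@dataclass(frozen=True)
class Filter:
    action: str                   # "include" or "exclude"
    scope: str                    # local / remote / both / process
    protos: FrozenSet[str]
    value: str                    # port, port range, IP, IP range, or image name


_PROTOS = {"tcp": frozenset({"TCP"}), "udp": frozenset({"UDP"}),
           "tcpudp": frozenset({"TCP", "UDP"})}

SAMPLE = [  # constructed, modelled on the CurrPorts window in Figure 4.1
    Conn("chrome.exe", "TCP", "10.0.0.7", 4119, "173.194.36.26", 80),
    Conn("chrome.exe", "TCP", "10.0.0.7", 4148, "173.194.36.26", 443),
    Conn("firefox.exe", "TCP", "10.0.0.7", 4163, "173.194.36.15", 443),
    Conn("firefox.exe", "TCP", "127.0.0.1", 3981, "127.0.0.1", 3982),
    Conn("httpd.exe", "TCP", "0.0.0.0", 1070, None, None),
    Conn("svchost.exe", "UDP", "10.0.0.7", 61234, "8.8.8.8", 53),
    Conn("lsass.exe", "TCP", "0.0.0.0", 1028, None, None),
]


def parse_filters(text: str) -> List[Filter]:
    """Split on spaces, semicolons or CRLF (as the filter dialog allows) and parse each."""
    filters = []
    for tok in re.split(r"[\s;]+", text.strip()):
        if not tok:
            continue
        parts = tok.split(":")
        if len(parts) < 3 or parts[0].lower() not in ("include", "exclude"):
            raise ValueError(f"bad filter {tok!r}")
        action, scope = parts[0].lower(), parts[1].lower()
        if scope == "process":
            if len(parts) != 3:
                raise ValueError(f"process filter needs exactly an image name: {tok!r}")
            filters.append(Filter(action, scope, _PROTOS["tcpudp"], parts[2].lower()))
        elif scope in ("local", "remote", "both") and len(parts) == 4 \
                and parts[2].lower() in _PROTOS:
            filters.append(Filter(action, scope, _PROTOS[parts[2].lower()], parts[3]))
        else:
            raise ValueError(f"bad filter {tok!r}")
    return filters


def _in_range(value: str, spec: str) -> bool:
    """True if value (a port or an IP, as text) lies in spec ('x' or 'x-y', inclusive).
    A port never matches an IP spec and vice versa."""
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    if value.isdigit() and lo.isdigit() and hi.isdigit():
        return int(lo) <= int(value) <= int(hi)
    try:
        return ipaddress.ip_address(lo) <= ipaddress.ip_address(value) <= ipaddress.ip_address(hi)
    except (ValueError, TypeError):   # not an address, or IPv4 compared with IPv6
        return False


def _side_matches(conn: Conn, side: str, spec: str) -> bool:
    addr = conn.local_addr if side == "local" else conn.remote_addr
    port = conn.local_port if side == "local" else conn.remote_port
    if addr is None or port is None:
        return False
    return _in_range(str(port), spec) or _in_range(addr, spec)


def matches(conn: Conn, f: Filter) -> bool:
    if f.scope == "process":
        return conn.process.lower() == f.value
    if conn.proto not in f.protos:
        return False
    if f.scope == "both":
        return _side_matches(conn, "local", f.value) or _side_matches(conn, "remote", f.value)
    return _side_matches(conn, f.scope, f.value)


def apply_filters(conns: List[Conn], text: str) -> List[Conn]:
    """Connections that survive the filter set; an empty string shows everything."""
    filters = parse_filters(text)
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    return [c for c in conns
            if (not includes or any(matches(c, f) for f in includes))
            and not any(matches(c, f) for f in excludes)]


if __name__ == "__main__":
    for c in apply_filters(SAMPLE, "include:remote:tcp:80 include:remote:udp:53"):
        print(c)
```

Because a listener has no remote endpoint, `remote` filters never match it; to keep listeners visible alongside a remote-port filter, add an include filter on the local side as well.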
8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).

[Figure 4.7 screenshot: Firefox File menu open over the selected-items TCP/UDP Ports List report, with Save Page As... (Ctrl+S) highlighted]

Command-line option: /stext saves the list of all opened TCP/UDP ports into a regular text file.

FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items

9. To view the properties of a port, select the port and click File > Properties.
[Figure 4.8 screenshot: CurrPorts File menu open, showing IPNetInfo (Ctrl+I), Close Selected TCP Connections (Ctrl+T), Kill Processes Of Selected Ports, Save Selected Items (Ctrl+S), Properties (Alt+Enter), Process Properties (Ctrl+P), Log Changes, Open Log File, Clear Log File, Advanced Options (Ctrl+O), Exit]

Command-line option: /stab saves the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: CurrPorts to view properties for a selected port

10. The Properties window appears and displays all the properties for the selected port.

11. Click OK to close the Properties window.

Command-line option: /shtml saves the list of all opened TCP/UDP ports into an HTML file (Horizontal).

[Figure 4.9 screenshot: the Properties window for the selected port. Process Name: firefox.exe; Process ID: 1368; Protocol: TCP; Local Port: 4166; Local Address: 10.0.0.7; Remote Port: 443; Remote Port Name: https; Remote Address: 173.194.36.0; Remote Host Name: bom04s01-in-f0.1e100.net; State: Established; Process Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe; Product Name: Firefox; File Description: Firefox; File Version: 14.0.1; Company: Mozilla Corporation; Process Created On: 8/25/2012 2:36:28 PM; User Name: WIN-D39MR5HL9E4\; Added On: 8/25/2012 3:32:58 PM; the Local Port Name, Process Services, Process Attributes, Module Filename, Remote IP Country and Window Title fields are empty]

FIGURE 4.9: The CurrPorts Properties window for the selected port
12. To close a TCP connection you think is suspicious, select the process and click File > Close Selected TCP Connections (or Ctrl+T). Closing the connection only tears down that socket on the local machine; the owning process keeps running and can reconnect, so treat this as a stop-gap until you have identified the process and removed or disabled it. Do not apply this option (or the kill option in the next task) to core system processes such as lsass.exe, which also appears in the list.

TASK 2: Close TCP Connection

[Figure 4.10 screenshot: CurrPorts File menu with Close Selected TCP Connections (Ctrl+T) highlighted]

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window

13. To kill the processes of a port, select the port and click File > Kill Processes of Selected Ports.
TASK 3: Kill Process

[Figure 4.11 screenshot: CurrPorts File menu with Kill Processes Of Selected Ports highlighted]

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports option window

14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.
[Figure 4.12 screenshot: CurrPorts File menu with Exit highlighted]

Command-line option: /sverhtml saves the list of all opened TCP/UDP ports into an HTML file (Vertical).

FIGURE 4.12: The CurrPorts Exit option window

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Command-line option: /close closes a TCP connection from the command line, without opening the CurrPorts window.
Tool/Utility: CurrPorts
Information Collected/Objectives Achieved:
Profile Details: Network scan for open ports
Scanned Report:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
   a. Display Established
   b. Mark Ports Of Unidentified Applications
   c. Display Items Without Remote Address
   d. Display Items With Unknown State

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab 5: Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LanGuard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Scenario

You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool automatically marks with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections. Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one. As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing. In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

You can download GFI LANguard from http://www.gfi.com.

Lab Environment

To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrative privileges to run the GFI LANguard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains an activation code

GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

Lab Duration

Time: 10 Minutes

Overview of Scanning Networks

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
Lab Tasks

Follow the wizard-driven installation steps to install the GFI LanGuard network scanner on the host machine, Windows Server 2012.

TASK 1: Scanning for Vulnerabilities

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

The Zenmap installer installs the following files: ■ Nmap Core Files ■ Nmap Path ■ WinPcap 4.1.1 ■ Network Interface Import ■ Zenmap (GUI frontend) ■ Ncat (Modern Netcat) ■ Ndiff

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 Windows app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
[Figure 5.3 screenshot: GFI LanGuard 2012 main window with the tabs Dashboard, Scan, Remediate, Activity Monitor, Reports, Configuration and Utilities; "Welcome to GFI LanGuard 2012 - GFI LanGuard 2012 is ready to audit your network for vulnerabilities"; Local Computer Vulnerability Level: High; options View Dashboard, Remediate Security Issues, Manage Agents and Launch a Scan; a Latest News panel listing patch-management entries dated 24-Aug-2012]

The default scanning options, which provide quick access to scanning modes, are: ■ Quick scan ■ Full scan ■ Launch a custom scan ■ Set up a scheduled scan

FIGURE 5.3: The GFI LANguard main window

Custom scans are recommended: ■ When performing a one-time scan with particular scanning parameters/profiles ■ When performing a scan for particular network threats and/or system information ■ To perform a target computer scan using a specific scan profile

4. Click the Launch a Scan option to perform a network scan.

[Figure 5.4 screenshot: the same main window with the Launch a Scan option indicated]

If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.

FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option

5. The Launch a New Scan window will appear:
   i. In the Scan Target option, select localhost from the drop-down list
   ii. In the Profile option, select Full Scan from the drop-down list
   iii. In the Credentials option, select currently logged on user from the drop-down list

6. Click Scan.

[Figure 5.5 screenshot: Launch a New Scan pane with Scan Target: localhost, Profile: Full Scan, Credentials: currently logged on user, a Password field and the Scan button; Scan Results Overview and Scan Results Details panes below]

For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

FIGURE 5.5: Selecting an option for network scanning

7. Scanning will start; it will take some time to scan the network. See the following figure.

Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After completing the scan, the scan result will show in the left pane.
&
yI
I
Dashboaid
Scan
Remcdute
, ־I□ ־x
GFI Lar>Guard2012 Actwty Monitor Reports Configuration
Lttrfrtm
ta u K k a lm k in
Kate:
ScanTarget ccaftoct
V
H
... | FalSar jsandffc:
Cj-rr&tbcaed on iser
Eaaswofd:
II
V
Scan R r u ik i ovrrvm n
Scan R r a k i Details
4 Scan target: locatbo»t - y) 52 10 0 0 7 IWDI-039MR5II19C4] (WhkJvws .
m
Types of scans: Scana singlecomputer: Select this optionto scanalocal host or one specificcomputer. Scanarange of computers: Select this optionto scananumber of computers defined throughanIPrange. Scanalist of computers: Select this optionto import alist of targets fromafileor to select targets fromanetwork list. Scancomputers intest file: Select this optionto scantargets enumerated inaspecific text file. Scanadomain or workgroup: Select this optionto scanall targets connectedto adomain or workgroup.
*
S ca n c o m p le te d ! Summary 8f *ear resufs 9eneraf0fl <Jut>51
V u ln e ra b ility le v e l: The average vulnerabilty le.ei lor ttus sea־nr s 1
Results statistics: Audit operations processed;
1>703 aw*! operations processed
Missing scftwaie updates: Other vulnerabilities:
20 <20 C ׳tcai׳Hgr> 1313 Crecol'-.qh)
Potential vulnerabilities:
3
•
Scanner ActMty Wkxkm *ו^יז W fa :ili« !* W
CanptJer VJUH> ra W J t« !a
Citar n » 11 ״t41:ate 101 r r s q v
i K t - n •can
wunr is*lvatd or not found
i ----------12- 1
FIGURE5.7:TheGFILanGuardCustomscanwizard 9. To check die Scan Result Overview, click IP right 10. It shows die V u ln e ra b ility A s s e s s m e n t click V u ln e ra b ility A s s e s s m e n t
ad d ress
of die machiiiein die
an d N e tw o rk & S o ftw a re A udit:
[Screenshot: GFI LanGuard 2012 Scan tab, Scan Results Details for scan target localhost, with the Vulnerability Assessment node selected. The Vulnerability level panel reports that the computer does not have a vulnerability level yet and lists the possible reasons: 1. the scan is not finished yet; 2. detection of missing patches and vulnerabilities is disabled in the scanning profile used to perform the scan; 3. the credentials used to scan this computer do not allow the security scanner to retrieve all required information to estimate the Vulnerability Level (an account with administrative privileges on the target computer is required); 4. certain security settings on the remote computer block the access of the security scanner.]
FIGURE 5.8: Selecting Vulnerability Assessment option
11. It shows all the Vulnerability Assessment indicators by category.
During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities, including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings, and outdated signatures
■ System hardware information, including connected modems and USB devices
[Screenshot: Scan Results Details with the Vulnerability Assessment node expanded into its categories: High Security Vulnerabilities (3), Medium Security Vulnerabilities (6), Low Security Vulnerabilities (4), Potential Vulnerabilities (3), Missing Service Packs and Update Rollups (1) and Missing Security Updates (3). Each category lets you analyze the findings of that severity.]
FIGURE 5.9: List of Vulnerability Assessment categories
12. Click Network & Software Audit in the right pane, and then click System Patching Status, which shows all the system patching statuses.
[Screenshot: GFI LanGuard 2012 Scan tab with the Network & Software Audit node expanded and System Patching Status selected for scan target localhost.]
Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.
[Screenshot: the System Patching Status report listing Missing Service Packs and Update Rollups (1), Missing Security Updates (3), Missing Non-Security Updates (16), Installed Security Updates (2) and Installed Non-Security Updates (1); the Scanner Activity Window shows the security scan of the host starting.]
FIGURE 5.10: System patching status report
13. Click Ports, and under this, click Open TCP Ports.
A custom scan is a network audit based on parameters which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials
[Screenshot: Scan Results Details for 10.0.0.7 [WIN-D39MR5HL9E4] (Windows Server 2012 x64) with the Open TCP Ports (5) node selected. Each open port is listed with a description of the service bound to it, for example Hypertext Transfer Protocol (http) and Microsoft SQL Server (1433).]
FIGURE 5.11: TCP/UDP Ports result
14. Click System Information in the right side; it shows all the details of the system information.
15. Click Password Policy.
[Screenshot: GFI LanGuard 2012 Scan tab with the System Information node expanded for the scanned host.]
The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.
[Screenshot: the Password Policy details: minimum password length, minimum password age, password history (no history), maximum password age: 42 days. The System Information node also lists Security Audit Policy (Off), Registry, NetBIOS Names (3), Computer, Groups (28), Users (4), Logged On Users (11), Sessions (2) and Remote TOD (Time Of Day).]
FIGURE 5.12: Information of Policy
16. Click Groups: it shows all the groups present in the system.
A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.
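The two notes above (triage the scan output to find the systems that need immediate attention, and a host's level is the average severity of its findings) can be applied with a few lines of code once the findings are exported. The following is an added example written for this lab; it is not GFI LanGuard code, and LanGuard's actual scoring formula is not on the page, so the severity weights, the band cut-offs and the sample findings are all assumptions constructed for illustration.

```python
"""Rank scanned hosts by vulnerability level (added example, not GFI LanGuard code).

Model of the rule stated in the lab: a host's vulnerability level is the average
severity of its vulnerabilities and missing patches, and an average in the High
band yields a High vulnerability level.  Weights, cut-offs and sample findings
are assumptions constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

# Assumed numeric weights for the severity categories LanGuard reports.
SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # "missing_patch" or "vulnerability"
    severity: str    # "High", "Medium" or "Low"
    title: str


def vulnerability_level(findings):
    """Return the level band for one host's findings (None when there are none,
    mirroring the 'does not have a vulnerability level yet' state in Figure 5.8)."""
    if not findings:
        return None
    avg = mean(SEVERITY_WEIGHT[f.severity] for f in findings)
    # Assumed band cut-offs: >= 2.5 High, >= 1.5 Medium, otherwise Low.
    if avg >= 2.5:
        return "High"
    if avg >= 1.5:
        return "Medium"
    return "Low"


def prioritise(findings):
    """Group findings per host and return rows ordered most urgent first.

    Each row is (host, level, finding_count, dominant_kind).  Hosts are ordered
    by level band (High first), then by number of findings, then by address.
    """
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, []).append(f)
    rows = []
    for host, fs in per_host.items():
        level = vulnerability_level(fs)
        dominant = Counter(f.kind for f in fs).most_common(1)[0][0]
        rows.append((host, level, len(fs), dominant))
    rank = {"High": 0, "Medium": 1, "Low": 2}
    rows.sort(key=lambda r: (rank[r[1]], -r[2], r[0]))
    return rows


# Constructed sample findings (hosts and titles are made up for the example).
SAMPLE = [
    Finding("10.0.0.4", "missing_patch", "High", "Critical security update missing"),
    Finding("10.0.0.4", "vulnerability", "High", "Anonymous share enumeration allowed"),
    Finding("10.0.0.4", "missing_patch", "Medium", "Service pack rollup missing"),
    Finding("10.0.0.7", "vulnerability", "Medium", "Outdated antivirus signatures"),
    Finding("10.0.0.7", "vulnerability", "Low", "Unauthorized application installed"),
    Finding("10.0.0.9", "missing_patch", "Low", "Non-security update missing"),
    Finding("10.0.0.12", "vulnerability", "High", "Weak password policy"),
    Finding("10.0.0.12", "vulnerability", "Low", "USB device connected"),
]

if __name__ == "__main__":
    for host, level, count, kind in prioritise(SAMPLE):
        print(f"{host:<10} {level:<7} findings={count} mostly={kind}")
```

The first row printed is the host to patch first; the "mostly" column tells you whether the quickest fix is patch deployment or configuration work.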
[Screenshot: Scan Results Details with Groups (28) selected, listing groups such as Administrators, Guests, Users, IIS_IUSRS, Performance Log Users and RDS Endpoint Servers.]
A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.
FIGURE 5.13: Information of Groups
17. Click the Dashboard tab: it shows all the scanned network information.
[Screenshot: GFI LanGuard 2012 Dashboard for Entire Network - 1 computer, with the Vulnerability Level gauge and the Security Sensors panel.]
It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto-download and deploy missing updates)
[Screenshot: the remaining Dashboard panels: Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution and Computers By Operating System.]
FIGURE 5.14: Scanned report of the network
Lab Analysis
Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
Tool/Utility: GFI LanGuard 2012
Information Collected/Objectives Achieved:
■ Vulnerability Level
■ Vulnerability Assessment
■ System Patching Status
■ Scan Results Details for Open TCP Ports
■ Scan Results Details for Policy
■ Dashboard - Entire Network: Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?
Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs
Exploring and Auditing a Network Using Nmap
Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.
Lab Scenario
In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerability information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
Lab Objectives
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime. In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Environment
To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool
Zenmap works on Windows versions including Windows 7, and Server 2003/2008.
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use, and dozens of other characteristics
TASK 1: Intense Scan
Lab Tasks
Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 6.1: Windows Server 2012 - Desktop view
2. Click the Nmap - Zenmap GUI app in the Start window to open it.
Zenmap installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff
[Screenshot: Windows Server 2012 Start window (Apps view) listing Administrator, Server Manager, Windows PowerShell, Hyper-V Manager, Control Panel, Command Prompt, Nmap - Zenmap GUI and other installed applications.]
FIGURE 6.2: Windows Server 2012 - Apps
3. The Nmap - Zenmap GUI window appears.
Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}
In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
FIGURE 6.3: The Zenmap main window
4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
5. In this lab, the IP address would be 10.0.0.4; it will be different from your lab environment.
6. In the Profile: field, select, from the drop-down list, the type of profile you want to scan with. In this lab, select Intense Scan.
7. Click Scan to start scanning the virtual machine.
While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.
[Screenshot: Zenmap main window with Target: 10.0.0.4, Profile: Intense scan and Command: nmap -T4 -A -v 10.0.0.4, before the scan is started.]
FIGURE 6.4: The Zenmap main window with Target and Profile entered
The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered
8. Nmap scans the provided IP address with the Intense scan profile and displays the scan result below the Nmap Output tab.
Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
[Screenshot: Nmap Output tab for nmap -T4 -A -v 10.0.0.4. The visible output reads:]
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 15:35
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:35
    Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
    Initiating SYN Stealth Scan at 15:35
    Scanning 10.0.0.4 [1000 ports]
    Discovered open port 135/tcp on 10.0.0.4
    Discovered open port 139/tcp on 10.0.0.4
    Discovered open port 445/tcp on 10.0.0.4
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
    Discovered open port 49152/tcp on 10.0.0.4
    Discovered open port 49154/tcp on 10.0.0.4
    Discovered open port 49153/tcp on 10.0.0.4
    Discovered open port 49156/tcp on 10.0.0.4
    Discovered open port 49155/tcp on 10.0.0.4
    Discovered open port 5357/tcp on 10.0.0.4
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
9. After the scan is complete, Nmap shows the scanned results.
The options available to control target selection:
■ -iL <inputfilename> (Input from list of hosts/networks)
■ -iR <num hosts> (Choose random targets)
■ --exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)
■ --excludefile <exclude_file> (Exclude list from file)
The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS<port list> (TCP SYN Ping)
■ -PA<port list> (TCP ACK Ping)
■ -PU<port list> (UDP Ping)
■ -PY<port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO<protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
[Screenshot: Nmap Output tab after the intense scan has completed. The visible part of the report reads:]
    135/tcp   open  msrpc        Microsoft Windows RPC
    139/tcp   open  netbios-ssn
    445/tcp   open  netbios-ssn
    5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 503)
    |_http-title: Service Unavailable
    49152/tcp open  msrpc        Microsoft Windows RPC
    49153/tcp open  msrpc        Microsoft Windows RPC
    49154/tcp open  msrpc        Microsoft Windows RPC
    49155/tcp open  msrpc        Microsoft Windows RPC
    49156/tcp open  msrpc        Microsoft Windows RPC
    MAC Address: 00:15:5D:00:07:10 (Microsoft)
    Device type: general purpose
    Running: Microsoft Windows 7|2008
    OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
    OS details: Microsoft Windows 7 or Windows Server 2008 SP1
    Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=263 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
10. Click the Ports/Hosts tab to display more information on the scan results.
11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.
[Screenshot: Ports/Hosts tab for host 10.0.0.4, showing:]
    Port   Protocol  State  Service      Version
    135    tcp       open   msrpc        Microsoft Windows RPC
    139    tcp       open   netbios-ssn
    445    tcp       open   netbios-ssn
    5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    49152  tcp       open   msrpc        Microsoft Windows RPC
    49153  tcp       open   msrpc        Microsoft Windows RPC
    49154  tcp       open   msrpc        Microsoft Windows RPC
    49155  tcp       open   msrpc        Microsoft Windows RPC
    49156  tcp       open   msrpc        Microsoft Windows RPC
FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
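Two of the lab objectives are to record and save all scan reports and to compare saved results for suspicious ports. The added example below (written for this lab; it is not Nmap or Zenmap code and not the lab's own procedure) parses Nmap's normal output into the same Port/Protocol/State/Service/Version columns the Ports/Hosts tab shows, then compares two saved reports and lists ports that became open or stopped being open. BASELINE reproduces the port table of the intense scan above; LATER is a constructed follow-up scan in which one port has been newly opened and one has closed, to show what a change report looks like.

```python
"""Parse saved Nmap normal-output reports and compare them for port changes.

Added example, not Nmap/Zenmap code.  BASELINE mirrors the lab's intense scan
of 10.0.0.4; LATER is a constructed later scan with one new and one vanished
open port.
"""
import re
from typing import Dict, List, Tuple

PortKey = Tuple[int, str]                      # (port number, protocol)
PortInfo = Tuple[str, str, str]                # (state, service, version)

# Port-table lines, e.g. "5357/tcp  open  http  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")


def parse_report(text: str) -> Dict[str, Dict[PortKey, PortInfo]]:
    """Return {host: {(port, proto): (state, service, version)}}.

    NSE script lines ("|_http-title: ...") and other chatter are skipped
    because they do not match PORT_LINE.  Version is "" when Nmap printed none.
    """
    hosts: Dict[str, Dict[PortKey, PortInfo]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group("host")
            hosts[current] = {}
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            key = (int(m.group("port")), m.group("proto"))
            hosts[current][key] = (m.group("state"), m.group("service"),
                                   m.group("version") or "")
    return hosts


def diff_open_ports(old, new) -> Dict[str, Tuple[List[PortKey], List[PortKey]]]:
    """Return {host: (newly_open, no_longer_open)} between two parsed reports.

    Only the 'open' state is compared: a new listener appearing on a host is
    the "suspicious port" a defender wants flagged between scheduled scans.
    """
    result = {}
    for host in sorted(set(old) | set(new)):
        was = {k for k, v in old.get(host, {}).items() if v[0] == "open"}
        now = {k for k, v in new.get(host, {}).items() if v[0] == "open"}
        result[host] = (sorted(now - was), sorted(was - now))
    return result


# Constructed sample reports (port table copied from the lab's intense scan).
BASELINE = """\
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
"""

LATER = """\
Nmap scan report for 10.0.0.4
Host is up (0.00031s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49156/tcp open  msrpc         Microsoft Windows RPC
"""

if __name__ == "__main__":
    changes = diff_open_ports(parse_report(BASELINE), parse_report(LATER))
    for host, (opened, closed) in changes.items():
        print(host, "newly open:", opened, "no longer open:", closed)
```

Zenmap's Scans tab keeps unsaved results only for the session, so save each run (normal or XML output) with a date in the file name; the diff then answers "what changed since the last inventory" without re-reading two full reports.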
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan profile.
By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.
FIGURE 6.8: The Zenmap main window with the Topology tab for Intense Scan
13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
[Screenshot: Host Details tab for 10.0.0.4, showing:]
    Host Status: State: up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Uptime: 22151; Last boot: Fri Aug 24 09:27:40 2012
    Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10
    Operating System: Name: Microsoft Windows 7 or Windows Server 2008 SP1; Accuracy; Ports used
FIGURE 6.9: The Zenmap main window with the Host Details tab for Intense Scan
14. Click the Scans tab to see the scan details for the provided IP addresses.
In Nmap, option -p <port ranges> means scan only specified ports.
Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.
[Screenshot: Scans tab listing one entry, Status: Unsaved, Command: nmap -T4 -A -v 10.0.0.4, with the Append Scan, Remove Scan and Cancel Scan buttons.]
FIGURE 6.10: The Zenmap main window with the Scans tab for Intense Scan
15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (Open/Closed).
[Screenshot: Services pane with http selected; the Ports/Hosts tab shows Hostname 10.0.0.4, Port 5357, Protocol tcp, State open, Version Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).]
In Nmap, option -F means fast (limited port) scan.
FIGURE 6.11: The Zenmap main window with the Services option for Intense Scan
17. Click the msrpc service to list all the Microsoft Windows RPC ports.
In Nmap, option --port-ratio <ratio> (a decimal number between 0 and 1) means scan all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.0.
[Screenshot: Services pane with msrpc selected; the Ports/Hosts tab lists for 10.0.0.4 the ports 49156, 49155, 49154, 49153, 49152 and 135 (tcp, open, Microsoft Windows RPC).]
FIGURE 6.12: The Zenmap main window with the msrpc Service for Intense Scan
18. Click the netbios-ssn service to list all NetBIOS hostnames.
In Nmap, option -r means don't randomize ports.
[Screenshot: Services pane with netbios-ssn selected; the Ports/Hosts tab lists for 10.0.0.4 the ports 445 and 139 (tcp, open).]
FIGURE 6.13: The Zenmap main window with the netbios-ssn Service for Intense Scan
TASK 2: Xmas Scan
19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only with an OS TCP/IP stack developed according to RFC 793. The current version of Microsoft Windows is not supported.
20. Now, to perform a Xmas Scan, you need to create a new profile. Click Profile > New Profile or Command (Ctrl+P).
Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
The option --max-retries specifies the maximum number of port scan probe retransmissions.
21. On the Profile tab, enter Xmas Scan in the Profile name text field.
The option --host-timeout gives up on slow target hosts.
[Screenshot: Zenmap Profile Editor (command nmap -T4 -A -v 10.0.0.4) on the Profile tab, with Profile name: Xmas Scan; the Description help text explains that the description is a full description of what the scan does, which may be long.]
FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
[Screenshot: Profile Editor, Scan tab. Targets (optional): 10.0.0.4. The TCP scan: drop-down lists None, ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW) and Xmas Tree scan (-sX). Check boxes: Enable all advanced/aggressive options (-A), Operating system detection (-O), Version detection (-sV), Idle Scan (Zombie) (-sI), FTP bounce attack (-b), Disable reverse DNS resolution (-n), IPv6 (-6). The -A help text reads: Enable OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute).]
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.
FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab
23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list and click Save Changes.
You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
[Screenshot: Profile Editor with the command now reading nmap -sX -T4 -A -v 10.0.0.4: TCP scan: Xmas Tree scan (-sX), Non-TCP scans: None, Timing template: Aggressive (-T4), Enable all advanced/aggressive options (-A) checked.]
FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab
24. Enter the IP address in the Target: field, select the Xmas scan option from the Profile: field and click Scan.
In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.
[Screenshot: Zenmap main window with Target: 10.0.0.4, Profile: Xmas Scan and Command: nmap -sX -T4 -A -v 10.0.0.4.]
FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.
When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.
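The RFC 793 rule just quoted, together with the note in step 19 that current Windows versions are not supported, is the whole inference behind the Xmas (and FIN/NULL) scan. The added example below (written for this lab; not Nmap code, and no packets are sent, all "replies" are constructed Python values) encodes that inference and runs it against two simulated stacks: one that follows RFC 793 and one that, like Windows, resets every such probe. It shows why the first yields open|filtered versus closed, and why against the second every port comes back closed, so the scan tells an analyst nothing about the real listeners.

```python
"""Port-state inference from Xmas/FIN/NULL probe replies (added example, not Nmap code).

RFC 793 stacks: closed port -> RST, open port -> silence.  A stack that resets
every probe lacking SYN/ACK (the lab's note on Windows) makes every port look
closed.  Replies here are constructed values; nothing touches a network.
"""
from enum import Enum


class Reply(Enum):
    NONE = "no response"              # probe and its retransmissions unanswered
    RST = "TCP RST"                   # target reset the probe
    ICMP_UNREACH = "ICMP unreachable" # e.g. type 3 code 1, 2, 3, 9, 10 or 13


def infer_state(reply):
    """Map one probe reply to Nmap's port-state vocabulary.

    Silence is ambiguous: an open port ignores the probe under RFC 793, but a
    firewall silently dropping it looks identical, hence 'open|filtered'.
    """
    if reply is Reply.RST:
        return "closed"
    if reply is Reply.ICMP_UNREACH:
        return "filtered"
    return "open|filtered"


def rfc793_stack(open_ports):
    """Reply function for a stack that follows RFC 793 section 3.9."""
    def reply(port):
        return Reply.NONE if port in open_ports else Reply.RST
    return reply


def non_compliant_stack(open_ports):
    """Reply function for a stack that resets every such probe regardless of
    the port's real state (the behaviour the lab attributes to Windows).
    open_ports is accepted but deliberately ignored."""
    def reply(port):
        return Reply.RST
    return reply


def filtered_stack(reply_fn, blocked_ports):
    """Wrap a stack with a packet filter that drops probes to blocked ports
    (silently) and answers with ICMP unreachable for port 25 in this example."""
    def reply(port):
        if port in blocked_ports:
            return Reply.ICMP_UNREACH if port == 25 else Reply.NONE
        return reply_fn(port)
    return reply


def scan(reply_fn, ports):
    """Run the inference for each probed port and return {port: state}."""
    return {p: infer_state(reply_fn(p)) for p in ports}


# Constructed sample: the listeners found by the intense scan plus two closed ports.
OPEN = {135, 139, 445, 5357}
PORTS = [22, 25, 135, 139, 445, 5357]

if __name__ == "__main__":
    print("RFC 793 stack:  ", scan(rfc793_stack(OPEN), PORTS))
    print("Windows-like:   ", scan(non_compliant_stack(OPEN), PORTS))
    print("Behind a filter:", scan(filtered_stack(rfc793_stack(OPEN), {22, 25}), PORTS))
```

From the defender's side the useful reading is the reverse: a burst of TCP segments carrying FIN+PSH+URG with no preceding SYN is not legitimate traffic, so it is an easy signature for an IDS, and on RFC-compliant hosts the RST replies it provokes are themselves a detectable symptom.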
The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
[Screenshot: Nmap Output tab for nmap -sX -T4 -A -v 10.0.0.4 (Profile: Xmas Scan). The visible tail of the output reads:]
    Initiating Service scan at 16:30
    Initiating OS detection (try #1) against 10.0.0.4
    NSE: Script scanning 10.0.0.4.
    Initiating NSE at 16:30
    Completed NSE at 16:30, 0.00s elapsed
    Nmap scan report for 10.0.0.4
    Host is up (0.00020s latency).
FIGURE 6.19: The Zenmap main window with the Nmap Output tab
26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
FIGURE 6.20: Zenmap main window with Services tab (Command: nmap -sX -T4 -A -v 10.0.0.4; Nmap Output tab transcribed from the screenshot):

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:29
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
Initiating XMAS Scan at 16:29
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
Initiating Service scan at 16:30
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).
TASK 3: Null Scan

The option Null Scan (-sN) does not set any bits (the TCP flag header is 0).

27. A Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a null scan, attackers send a TCP frame to a remote host with NO flags set.

28. To perform a null scan for a target IP address, create a new profile. Click Profile > New Profile or Command (Ctrl+P).

The option -sZ (SCTP COOKIE ECHO scan) is an advanced SCTP COOKIE ECHO scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.

FIGURE 6.21: The Zenmap main window with the New Profile or Command option (Profile menu: New Profile or Command Ctrl+P; Edit Selected Profile Ctrl+E)
29. On the Profile tab, input a profile name Null Scan in the Profile name text field.

The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab (Profile name: Null Scan; the tooltip reads "This is how the profile will be identified in the drop-down combo box in the scan tab.")

The option -b (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.
The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab (TCP scan: drop-down open, listing ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW), Xmas Tree scan (-sX))

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.
In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab (Command: nmap -sN -sX -T4 -A -v 10.0.0.4; TCP scan: Null scan (-sN); Non-TCP scans: None; Timing template: Aggressive (-T4); the Disable reverse DNS resolution (-n) tooltip reads "Never do reverse DNS. This can slash scanning times.")

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.
The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

FIGURE 6.25: The Zenmap main window with Target and Profile entered (Target: 10.0.0.4; Profile: Null Scan; Command: nmap -sN -sX -T4 -A -v 10.0.0.4)

34. Nmap scans the target IP address provided and displays results in the Nmap Output tab.
The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

FIGURE 6.26: The Zenmap main window with the Nmap Output tab (Target: 10.0.0.4; Profile: Null Scan; Command: nmap -sN -T4 -A -v 10.0.0.4; Nmap Output tab transcribed from the screenshot):

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:47
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:47
Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
Initiating NULL Scan at 16:47
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
Initiating Service scan at 16:47
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.000068s latency).

35. Click the Host Details tab to view the details of hosts, such as Host Status, Addresses, Open Ports, and Closed Ports.
FIGURE 6.27: The Zenmap main window with the Host Details tab (Command: nmap -sN -T4 -A -v 10.0.0.4; Host Status: State up; Open ports: 0; Filtered ports: 0; Closed ports: 1000; Scanned ports: 1000; Uptime: Not available; Last boot: Not available; Addresses: IPv4 10.0.0.4, IPv6 Not available, MAC 00:15:5D:00:07:10)

TASK 4: ACK Flag Scan

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered and an RST response means the port is not filtered.
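To make the reply rules that Tasks 2 to 4 rely on concrete, here is an added Python example (not part of the lab manual or of Nmap) that models how an RFC 793 stack and a Windows stack answer Xmas, Null and ACK probes, what Nmap reports for each reply, and how a defender can count such probes per source in firewall logs; the hosts, ports and log lines are constructed assumptions.

```python
"""Added example (not part of the CEH lab manual or of Nmap): a model of the
TCP reply rules behind Tasks 2-4 (Xmas, Null, ACK), the port state a scanner
infers from each reply, and a detector that spots such probes in firewall
logs. Every host, port and log line below is constructed for illustration."""
import re
from collections import Counter

# Flag sets of the probes the lab configures in Zenmap (plus SYN for contrast).
PROBES = {
    "xmas": {"FIN", "PSH", "URG"},   # -sX: FIN, PSH and URG lit up like a tree
    "null": set(),                   # -sN: no flags at all
    "ack": {"ACK"},                  # -sA: bare ACK with a random sequence number
    "syn": {"SYN"},                  # -sS: ordinary half-open probe
}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def rfc793_reply(flags, port_state):
    """Reply of an RFC 793 compliant stack to a probe carrying `flags`.

    port_state is "open", "closed" or "filtered" (a firewall drops the probe).
    Returns the reply's flags as a frozenset, or None when nothing is sent.
    """
    if port_state == "filtered":
        return None
    if "ACK" in flags:
        # An ACK matching no connection is answered with RST whether the port
        # is open or closed, which is why an ACK scan only reports "unfiltered".
        return frozenset({"RST"})
    if "SYN" in flags:
        return frozenset({"SYN", "ACK"}) if port_state == "open" else frozenset({"RST"})
    # No SYN, RST or ACK bit (Xmas, Null, FIN): RST if closed, silence if open.
    return frozenset({"RST"}) if port_state == "closed" else None


def windows_reply(flags, port_state):
    """Non-compliant behaviour of Windows stacks, matching the lab's Null scan
    of 10.0.0.4 (all 1000 ports reported closed): every Xmas or Null probe to
    a reachable port is answered with RST regardless of the port's state."""
    if port_state != "filtered" and not (flags & {"SYN", "ACK"}):
        return frozenset({"RST"})
    return rfc793_reply(flags, port_state)


def scanner_inference(scan_type, reply):
    """Port state Nmap reports for `scan_type` given the reply it observed."""
    if scan_type == "ack":
        return "unfiltered" if reply == {"RST"} else "filtered"
    if scan_type == "syn":
        if reply == {"SYN", "ACK"}:
            return "open"
        return "closed" if reply == {"RST"} else "filtered"
    # Xmas and Null: silence is ambiguous, so Nmap prints "open|filtered".
    return "closed" if reply == {"RST"} else "open|filtered"


def simulate(scan_type, port_state, stack=rfc793_reply):
    """End to end: what the scanner concludes about a port whose real state
    is `port_state`, for the given stack behaviour."""
    return scanner_inference(scan_type, stack(PROBES[scan_type], port_state))


# --- detection side ---------------------------------------------------------
# Constructed netfilter-style log lines (trailing flag words as iptables logs
# them); a production parser would also read the WINDOW/RES/URGP fields.
LOG_LINES = [
    "Aug 24 16:29:41 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.4 PROTO=TCP SPT=40001 DPT=135 FIN PSH URG",
    "Aug 24 16:29:41 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.4 PROTO=TCP SPT=40002 DPT=139 FIN PSH URG",
    "Aug 24 16:47:02 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.4 PROTO=TCP SPT=40003 DPT=445",
    "Aug 24 17:03:10 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.4 PROTO=TCP SPT=40004 DPT=80 ACK",
    "Aug 24 17:03:11 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.4 PROTO=TCP SPT=51000 DPT=443 SYN",
]
_LINE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)(.*)$")


def classify_probe(flags):
    """Name the probe type whose flag set equals `flags`, else "other"."""
    for name, probe in PROBES.items():
        if flags == probe:
            return name
    return "other"


def flag_scan_probes(lines):
    """Count Xmas, Null and bare-ACK probes per source address.

    Returns {src_ip: Counter({probe_type: n})}; ordinary SYNs are ignored, so
    a legitimate client that only opens connections never shows up."""
    hits = {}
    for line in lines:
        m = _LINE.search(line)
        if not m:
            continue
        src, tail = m.group(1), m.group(3)
        kind = classify_probe(set(tail.split()) & TCP_FLAGS)
        if kind in ("xmas", "null", "ack"):
            hits.setdefault(src, Counter())[kind] += 1
    return hits


if __name__ == "__main__":
    for scan in ("xmas", "null", "ack"):
        for state in ("open", "closed", "filtered"):
            print(f"{scan:4} probe, port {state:8} -> RFC 793: {simulate(scan, state):14}"
                  f" Windows: {simulate(scan, state, windows_reply)}")
    print(flag_scan_probes(LOG_LINES))
```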
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile > New Profile or Command (Ctrl+P).

The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.
FIGURE 6.28: The Zenmap main window with the New Profile or Command option

38. On the Profile tab, input ACK Flag Scan in the Profile name text field.
The options --min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.

FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab (Profile name: ACK Flag Scan; the Description tooltip reads "The description is a full description of what the scan does, which may be long.")

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the Non-TCP scans: drop-down list, and select None for all the other fields but leave the Targets: field empty.
The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab (TCP scan: ACK scan (-sA); Non-TCP scans: None; Timing template: drop-down open; the Enable all advanced/aggressive options tooltip reads "Enable OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).")

40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.
The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab (Ping options: IPProto probes (-PO) checked; the ICMP timestamp request (-PP) tooltip reads "Send an ICMP timestamp probe to see if targets are up.")

41. In the Zenmap main window, input the IP address of the target machine (in this lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.
The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered (Target: 10.0.0.4; Profile: ACK Flag Scan; Command: nmap -sA -PO 10.0.0.4)

42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.
The options --scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes): This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

FIGURE 6.33: The Zenmap main window with the Nmap Output tab (Command: nmap -sA -PO 10.0.0.4; Nmap Output tab transcribed from the screenshot):

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
Nmap scan report for 10.0.0.4
Host is up (0.0000030s latency).
All 1000 scanned ports on 10.0.0.4 are unfiltered
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

43. To view more details regarding the hosts, click the Host Details tab.
The options --min-rate <number>; --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

FIGURE 6.34: The Zenmap main window with the Host Details tab (Command: nmap -sA -PO 10.0.0.4; Host Status: State up; Scanned ports: 1000; Uptime: Not available; Last boot: Not available; Addresses: IPv4 10.0.0.4, IPv6 Not available, MAC 00:15:5D:00:07:10)
Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Nmap

Information Collected/Objectives Achieved:

Types of Scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan

Intense Scan - Nmap Output:
■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
■ Discovered open port on 10.0.0.4: 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze and evaluate the results by scanning a target network using:
   a. Stealth Scan (Half-open Scan)
   b. nmap -P

2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required
□ Yes
☑ No

Platform Supported
☑ Classroom
☑ iLabs
Scanning a Network Using the NetScan Tools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals.

Lab Scenario

You have already noticed in the previous lab how you can gather information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IPID). As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port: the target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed. You should also be prepared to block any such attacks on the network. In this lab you will learn to scan a network using NetScan Tools Pro. You also need to discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.

Lab Objectives

The objective of this lab is to assist you to troubleshoot, diagnose, monitor, and discover devices on the network. In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:
■ NetScan Tools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScan Tools Pro from the link http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScan Tools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities. NetScan Tools Pro performs the following for network scanning:
■ Monitoring network devices' availability
■ Notifies IP address, hostnames, domain names, and port scanning

TASK 1: Scanning the Network

Lab Tasks

Install NetScan Tools Pro on your Windows Server 2012. Follow the wizard-driven installation steps and install NetScan Tools Pro.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.

FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScan Tools Pro app to open the NetScan Tools Pro window.
FIGURE 7.2: Windows Server 2012 - Apps (Start screen showing the NetScanTools Pro Demo tile)

3. If you are using the Demo version of NetScan Tools Pro, then click Start the DEMO.

The Database Name will be created in the Results Database Directory; it will have NstProData- prefixed and it will have the file extension .db3.

4. The Open or Create a New Results Database - NetScanTools Pro window will appear; enter a new database name in Database Name (enter new name here).

5. Set a default directory for the results database file location, and click Continue.
USB Version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.

FIGURE 7.3: Setting a new database name for NetScan Tools Pro (Open or Create a New Results Database dialog: NetScanTools Pro automatically saves results in a database; create a new Results Database, open a previous Results Database, or use the software in Training Mode with a temporary Results Database; a NEW Results Database will be automatically prefixed with 'NstProData-' and will end with '.db3', and no spaces or periods are allowed when entering a new database name)

6. The NetScan Tools Pro main window will appear as shown in the following figure.
IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006:69 (ipv6.google.com) or ::1 (internal loopback address).

FIGURE 7.4: Main window of NetScan Tools Pro (title: test - NetScanTools Pro Demo Version Build 8-17-12 based on version 11.19; left panel: Automated Tools, Manual Tools (all), Favorite Tools, Active Discovery Tools, Passive Discovery Tools, DNS Tools, Packet Level Tools, External Tools, Program Info)

7. Select Manual Tools (all) on the left panel and click ARP Ping.

8. A window will appear with some information about the ARP Ping Tool. Click OK.
ARP Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN.

FIGURE 7.5: Selecting manual tools option (the About the ARP Ping Tool dialog reads: Use this tool to 'ping' an IPv4 address on your subnet using ARP packets. ARP Ping requires a target IPv4 address on your LAN. It shows the response time of a device to an ARP_REQUEST packet even if the device is hidden and does not respond to regular Ping. Don't miss this special feature in this tool: identify duplicate IPv4 addresses by 'pinging' a specific IPv4 address; if more than one device (two or more MAC addresses) responds, you are shown the address of each of the devices. Don't forget to right click in the results for a menu with more options. Demo Limitations: None.)

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp.
Send Broadcast ARP, and then Unicast ARP: this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box.

FIGURE 7.6: Result of ARP Ping (ARP Ping panel: Send Broadcast ARP, then Unicast ARP selected; Target IPv4 Address: 10.0.0.1; results grid with columns Index, IP Address, MAC Address, Response Time (secs) and Type, listing 16 replies from 10.0.0.1 with the MAC address masked in the screenshot, the first of type Broadcast and the rest Unicast, with response times between about 0.002 s and 0.008 s)

10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with information about the ARP scan tool. Click OK.
Fdit
Accessibility
View
IPv6
Help
!alTool! •ARPPi׳׳y J Automated Tool
שARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.
About the ARP Scan Tool •
y
•
Use U ib t o o l l o s e n d a n A R P R o q iM & t t o e v u ry IP v 4 ad d ress o n y o u r LAN. IPv4 connected d «v u et c s n n o th n to f tv r ־ARP 3acfc«C» and mu»t ru p o n d with t h • ! IP and MAC a d f i r • * • . Uncheck w e ResoKr? box for fssrti scan co׳r p i« o n ome.
•
Don't Cornet to 1io : d ck n the 1e>ul:s for a menu with moio options.
f>5
mo L im itation s. H one.
p•־ oadcast
ic o s t
lease
ARPStan 1mac sea
le a s t le a s e ic a s t
Ca
le a s t le a s t le a s t
ic a a t e a s t!
Attn* Uncovefy 10׳
east !
relive l>K0v»ry l«
le a s t
icaat
H 3«rt level Tool
FIGURE 7.7: Selecting ARP Scan (MAC Scan) option 1 1. E n t e r t h e r a n g e o f I P v 4 a d d r e s s i n Starting IPv4 Address a n d Ending
IPv4 Address t e x t b o x e s 1 2. C li c k Do Arp Scan
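What the ARP Ping and ARP Scan tools do on the wire is small enough to show in full. The Python example below is added here and is not part of the lab manual or of NetScanTools Pro: it builds the Ethernet/ARP request frame (broadcast first, then unicast to the MAC that answered, as in the Send Broadcast ARP, then Unicast ARP mode), expands a start/end range into the addresses an ARP Scan probes, and decodes replies, flagging any IP claimed by more than one MAC, which is the duplicate-address condition the ARP Ping tool reports. The MAC addresses and the replies are constructed sample data; transmitting frames would need a raw link-layer socket (AF_PACKET on Linux, Npcap/WinPcap on Windows) and administrative rights.

```python
"""Ethernet/ARP frames as an ARP Ping and an ARP Scan use them.

Added example, not NetScanTools Pro code. Transmitting needs a raw link-layer
socket (AF_PACKET on Linux, Npcap/WinPcap on Windows), so this module only
builds the frames and decodes replies; the replies fed in below are constructed
bytes, not captured traffic.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def _frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,           # Ethernet / IPv4
                      mac_to_bytes(sha), ip_to_bytes(spa),
                      mac_to_bytes(tha), ip_to_bytes(tpa))
    return eth + arp


def build_arp_request(src_mac, src_ip, target_ip, dst_mac=BROADCAST_MAC):
    """ARP request for target_ip. Broadcast for the first probe; pass the MAC
    learned from the reply as dst_mac to get the unicast follow-up probes of
    the 'Send Broadcast ARP, then Unicast ARP' mode."""
    return _frame(dst_mac, src_mac, ARP_REQUEST, src_mac, src_ip,
                  "00:00:00:00:00:00", target_ip)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Reply as a live host sends it (used here only to construct sample input)."""
    return _frame(dst_mac, src_mac, ARP_REPLY, src_mac, src_ip, dst_mac, dst_ip)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa)


def ip_range(start_ip, end_ip):
    """Every address from start_ip to end_ip inclusive (the ARP Scan sweep list)."""
    lo = int.from_bytes(ip_to_bytes(start_ip), "big")
    hi = int.from_bytes(ip_to_bytes(end_ip), "big")
    return [bytes_to_ip(n.to_bytes(4, "big")) for n in range(lo, hi + 1)]


def collect_replies(frames):
    """Map each replying IP to the set of MACs that claimed it. Non-ARP frames
    and requests are ignored, so this can be fed a raw capture."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            seen[parsed[2]].add(parsed[1])
    return dict(seen)


def duplicates(seen):
    """IPs answered by more than one MAC: the duplicate-address condition the
    ARP Ping tool flags (or a second host spoofing the address)."""
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


# Constructed sample: 10.0.0.1 answered by two different MACs, 10.0.0.2 by one.
SAMPLE_REPLIES = [
    build_arp_reply("a0:21:b7:11:22:33", "10.0.0.1", "00:15:5d:00:00:07", "10.0.0.7"),
    build_arp_reply("de:ad:be:ef:00:01", "10.0.0.1", "00:15:5d:00:00:07", "10.0.0.7"),
    build_arp_reply("00:0c:29:aa:bb:cc", "10.0.0.2", "00:15:5d:00:00:07", "10.0.0.7"),
    b"\x00" * 60,                                    # unrelated frame, must be ignored
]

if __name__ == "__main__":
    for ip in ip_range("10.0.0.1", "10.0.0.3"):
        print(len(build_arp_request("00:15:5d:00:00:07", "10.0.0.7", ip)), "byte request for", ip)
    print("duplicates:", duplicates(collect_replies(SAMPLE_REPLIES)))
```

Because ARP never leaves the broadcast domain, a range passed to ip_range that spans beyond your own subnet produces probes nobody can answer; the ARP Scan tool's results for such addresses are simply empty, which is the opposite of how a ping sweep behaves across a router.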
The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.

[Screenshot: ARP Scan (MAC Scan) results for the range 10.0.0.1 to 10.0.0.254 with Resolve IPs checked. The results grid lists IPv4 Address, MAC Address, I/F Manufacturer, Hostname and Entry Type (dynamic); discovered hosts include 10.0.0.1 and 10.0.0.2 (hostname WIN-MSSELCK4K41). WinPcap interface IP: 10.0.0.7.]

FIGURE 7.8: Result of ARP Scan (MAC Scan)

13. Click DHCP Server Discovery in the left panel. A window will appear with information about the DHCP Server Discovery tool. Click OK.

DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers. Use this tool to quickly locate DHCP servers.

FIGURE 7.9: Selecting DHCP Server Discovery Tool option

14. Select all the Discover Options checkboxes and click Discover DHCP Servers.
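The DHCP Server Discovery tool works by broadcasting a DHCPDISCOVER and reporting every DHCPOFFER that comes back, which is also how a rogue DHCP server on the segment is found. The Python example below is added here and is not part of the lab manual or of NetScanTools Pro: it builds the DISCOVER datagram with a parameter request list covering the Discover Options (subnet mask, router, DNS, host name) and decodes an OFFER into the fields the tool lists. The OFFER it decodes is constructed to mirror the lab's result (server 10.0.0.1 offering 10.0.0.7 with mask 255.255.255.0 and a 3-day lease); the client MAC and the second DNS address 8.8.8.8 are assumptions for the sample. Actually transmitting needs a UDP socket bound to port 68 with SO_BROADCAST, which normally requires administrative rights.

```python
"""DHCP server discovery at packet level: the DHCPDISCOVER a discovery tool
broadcasts and the DHCPOFFER fields it reports (server, offered IP, mask,
router, DNS, lease). Added example, not NetScanTools Pro code. The OFFER below
is constructed to mirror the lab result, not captured. Actually sending needs
a UDP socket bound to port 68 with SO_BROADCAST, normally administrator rights.
"""
import os
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_HOSTNAME = 1, 3, 6, 12
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_LIST, OPT_END = 51, 53, 54, 55, 255
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131)


def ip_s(b):
    return ".".join(str(x) for x in b)


def ip_b(s):
    return bytes(int(o) for o in s.split("."))


def build_discover(client_mac, xid):
    """DHCPDISCOVER with the broadcast flag set (so an OFFER is broadcast back)
    and a parameter request list matching the tool's Discover Options."""
    hdr = struct.pack(HDR_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr yiaddr siaddr giaddr
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DISCOVER])
            + bytes([OPT_PARAM_LIST, 4, OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_HOSTNAME])
            + bytes([OPT_END]))
    return hdr + opts


def parse_options(data):
    """TLV walk over the options field -> {code: raw bytes}; stops at END."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:               # PAD has no length byte
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(pkt, expected_xid):
    """Fields a DHCP discovery tool reports, or None if this datagram is not a
    DHCPOFFER for our transaction. A rogue server's reply still passes: the
    xid check only drops stale or unrelated traffic, not unexpected servers."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    op, _, _, _, xid = struct.unpack("!BBBBI", pkt[:8])
    if op != BOOTREPLY or xid != expected_xid:
        return None
    opts = parse_options(pkt[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([OFFER]):
        return None
    dns = opts.get(OPT_DNS, b"")
    return {
        "server_ip": ip_s(opts.get(OPT_SERVER_ID, b"\0" * 4)),
        "offered_ip": ip_s(pkt[16:20]),                       # yiaddr
        "subnet_mask": ip_s(opts[OPT_SUBNET]) if OPT_SUBNET in opts else None,
        "router": ip_s(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None,
        "dns": [ip_s(dns[i:i + 4]) for i in range(0, len(dns) - 3, 4)],
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }


def build_sample_offer(xid, server="10.0.0.1", offered="10.0.0.7"):
    """Constructed OFFER: server 10.0.0.1 offering 10.0.0.7/24, 3-day lease."""
    hdr = struct.pack(HDR_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ip_b(offered), ip_b(server), b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, OFFER])
            + bytes([OPT_SERVER_ID, 4]) + ip_b(server)
            + bytes([OPT_LEASE, 4]) + struct.pack("!I", 3 * 86400)
            + bytes([OPT_SUBNET, 4]) + ip_b("255.255.255.0")
            + bytes([OPT_ROUTER, 4]) + ip_b(server)
            + bytes([OPT_DNS, 8]) + ip_b(server) + ip_b("8.8.8.8")
            + bytes([OPT_END]))
    return hdr + opts


def new_xid():
    return int.from_bytes(os.urandom(4), "big")


if __name__ == "__main__":
    xid = new_xid()
    print(len(build_discover(bytes.fromhex("00155d000007"), xid)), "byte DISCOVER")
    print(parse_offer(build_sample_offer(xid), xid))
```

When a live run returns more than one OFFER for the same xid, compare the server_ip fields: a second, unexpected server handing out a different router or DNS address is exactly the rogue-DHCP condition described in the next lab's scenario.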
NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.

[Screenshot: DHCP Server Discovery results. Interface: 10.0.0.7, Hyper-V Virtual Ethernet Adapter #2. Discover Options checked: Hostname, Subnet Mask, Domain Name, DNS, Router, NTP Servers. Responding DHCP server: DHCP Server IP 10.0.0.1, Server Hostname 10.0.0.1, Offered Subnet Mask 255.255.255.0, lease 3 days.]

FIGURE 7.10: Result of DHCP Server Discovery

15. Click Ping Scanner in the left panel. A window will appear with information about the Ping Scanner tool. Click OK.

Port Scanner is a tool designed to determine which ports on a target computer are active, i.e., being used by services or daemons.

About the Ping Scanner (aka NetScanner) tool: Use this tool to ping a range or list of IPv4 addresses. This tool shows you which computers are active within the range or list (they have to respond to ping). To locate devices in your subnet, including those blocking ping, you can use the ARP Scan tool. You can import a text list of IPv4 addresses to ping. Don't miss this special feature in this tool: use the Do SMB/NBNS Scan to get NetBIOS responses from unprotected Windows computers. Don't forget to right click in the results for a menu with more options. Demo Limitations: Packet Delay (time between sending each ping) is limited to a lower limit of 50 milliseconds. Packet Delay can be as low as zero (0) ms in the full version. In other words, the full version will be a bit faster.

FIGURE 7.11: Selecting Ping Scanner option

16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes.

17. Click Start.
Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network connected device.

[Screenshot: Ping Scanner (NetScanner) results for Start IP 10.0.0.1 to End IP 10.0.0.50 with Use Default System DNS selected and Resolve IPs checked. Responding targets: 10.0.0.1; 10.0.0.2 (WIN-MSSELCK4K41); 10.0.0.5 (WIN-LXQN3WR3R9M); 10.0.0.7 (WIN-D39MR5HL9E4), each with a 0 ms response time and status 0:0 Echo Reply. Additional Scan Tests available: Do Local ARP Scan, Do SMB/NBNS Scan, Do Subnet Mask Scan, Enable Post-Scan.]

FIGURE 7.12: Result of scanning the IP address range

18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK.

About the Port Scanner Tool: NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER'S PERMISSION TO SCAN. Use this tool to scan a target for TCP or UDP ports that are listening (open with a service listening). Types of scanning offered: Full Connect TCP Scan (see notes below), UDP port unreachable scan, combined TCP full connect and UDP scan, and TCP SYN only scan. Don't miss this special feature in this tool: after a target has been scanned, an analysis window will open in your default web browser. Don't forget to right click in the results for a menu with more options. Notes: settings that strongly affect scan speed: Connection Timeout (use 200 ms or less on a fast network connection with nearby computers, 2000-3000 ms (2-3 seconds) or more on a slow connection); Wait After Connect (how long each port test waits after connecting before deciding that the port is not active); Settings > Max Concurrent Connections (try 0, then try a higher value, and notice the difference). Demo Limitations: None.

Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query.

FIGURE 7.13: Selecting Port Scanner option

19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports only radio button.

20. Click Scan Range of Ports.
[Screenshot: Port Scanner results for Target Hostname or IP Address 10.0.0.1 with TCP Ports only selected (other modes: UDP Ports, TCP+UDP Ports, TCP SYN). Options: Show All Scanned Ports, Active or Not; Common Ports list; Scan Range of Ports. Results grid columns: Port, Port Description, Protocol, Results, Data Received, Port Active; port 80 (http, TCP) is reported active. Connect Timeout and Wait After Connect are entered in milliseconds (1000 = 1 second).]

FIGURE 7.14: Result of Port Scanner
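The Full Connect TCP scan used in steps 19 and 20 completes a three-way handshake on every port, so its speed and accuracy are governed by the three settings the tool's notes call out: Connection Timeout, Wait After Connect and Max Concurrent Connections. The Python example below is added here and is not part of the lab manual or of NetScanTools Pro; it implements that scan with those three knobs, distinguishes closed (RST) from filtered (timeout), captures a banner where a service greets first, and includes a constructed loopback listener so it can be exercised without any other host. The banner text and the port numbers are assumptions for the sample. As the tool's own notice says, never scan a computer you do not own or have the owner's permission to scan.

```python
"""TCP connect port scanner with the three settings the Port Scanner notes
say dominate scan speed: connection timeout, wait-after-connect and maximum
concurrent connections. Added example, not NetScanTools Pro code; only scan
hosts you own or are authorised to test. The listener below is a constructed
local target so the scanner can be exercised without any other host.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, connect_timeout=0.2, wait_after_connect=0.1):
    """Return (port, state, banner) with state 'open', 'closed' or 'filtered'.
    A RST (connection refused) means closed; a timeout means filtered, and a
    firewall silently dropping SYNs is indistinguishable from a slow host,
    which is why connect_timeout decides both speed and accuracy."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(connect_timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return port, "closed", b""
        except OSError:                      # timeout, unreachable, reset
            return port, "filtered", b""
        s.settimeout(wait_after_connect)     # give SSH/SMTP/FTP-style banners a moment
        try:
            banner = s.recv(256)
        except OSError:
            banner = b""
        return port, "open", banner
    finally:
        s.close()


def scan_range(host, start_port, end_port, max_concurrent=64, **probe_kwargs):
    """Scan [start_port, end_port] with at most max_concurrent in flight;
    returns {port: (state, banner)}."""
    ports = range(start_port, end_port + 1)
    with ThreadPoolExecutor(max_workers=max_concurrent) as pool:
        results = list(pool.map(lambda p: probe_tcp(host, p, **probe_kwargs), ports))
    return {port: (state, banner) for port, state, banner in results}


def open_ports(results):
    return sorted(p for p, (state, _) in results.items() if state == "open")


def start_banner_listener(banner=b"220 lab-ftp ready\r\n"):
    """Constructed target: a loopback TCP service that greets and hangs up.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """A loopback port nothing listens on (bound then released), for a 'closed' probe."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    target_port = start_banner_listener()
    res = scan_range("127.0.0.1", target_port - 2, target_port + 2,
                     connect_timeout=1.0, wait_after_connect=0.5)
    for p, (state, banner) in sorted(res.items()):
        print(p, state, banner)
```

On a LAN the tool's suggested 200 ms timeout is plenty; across a slow link raise it to 2-3 seconds or open ports behind a dropping firewall will be misreported as filtered, while a too-high max_concurrent value can exhaust the target's backlog and make genuinely open ports time out.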
Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: NetScanTools Pro

Information Collected/Objectives Achieved:

ARP Scan Results:
■ IPv4 Address
■ MAC Address
■ I/F Manufacturer
■ Hostname
■ Entry Type
■ Local Address

Information for Discovered DHCP Servers:
■ IPv4 Address: 10.0.0.7
■ Interface Description: Hyper-V Virtual Ethernet Adapter #2
■ DHCP Server IP: 10.0.0.1
■ Server Hostname: 10.0.0.1
■ Offered IP: 10.0.0.7
■ Offered Subnet Mask: 255.255.255.0
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does NetScanTools Pro support proxy servers or firewalls?

Internet Connection Required
□ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Drawing Network Diagrams Using LANSurveyor

LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.

Lab Scenario

An attacker can gather information from ARP Scan, DHCP Servers, etc. using NetScanTools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration. In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network. In this lab, you need to:
■ Draw a map showing the logical connectivity of your network and navigate around the map
■ Create a report that includes all your managed switches and hubs
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:
■ LANSurveyor located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor
■ You can also download the latest version of LANSurveyor from the link http://www.solarwinds.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the LANSurveyor tool

Lab Duration

Time: 10 Minutes

Overview of LANSurveyor

SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.
TASK 1: Draw Network Diagram

Lab Tasks

Install LANSurveyor on your Windows Server 2012. Follow the wizard-driven installation steps and install LANSurveyor.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the LANSurveyor app to open the LANSurveyor window.
LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.

[Screenshot: Windows Server 2012 Apps screen showing LANsurveyor alongside the other installed tools.]

FIGURE 8.2: Windows Server 2012 - Apps

3. Review the limitations of the evaluation software and then click Continue with Evaluation to continue the evaluation.

LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)

FIGURE 8.3: LANSurveyor evaluation window

4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network.
[Screenshot: Getting Started with LANsurveyor dialog. What you can do with LANsurveyor: scan and map Layer 1, 2, 3 network topology; export maps to Microsoft Visio; continuously scan your network automatically. Once saved, all custom maps can be used in SolarWinds network and application management software. Links: thwack LANsurveyor forum, Online Manual (LANsurveyor Guide), Evaluation Guide, SolarWinds Support website. Options: Don't show again; Start Scanning Network.]

LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to note that switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.

FIGURE 8.4: Getting Started with LANSurveyor Wizard

5. The Create A Network Map window will appear; in order to draw a network diagram, enter the IP addresses in Begin Address and End Address, and click Start Network Discovery.
[Screenshot: Create A New Network Map window. Network Parameters: Begin Address 10.0.0.1, End Address 10.0.0.254, Hops (following router hops requires SNMP router access). Routers, Switches and other SNMP Device Discovery: SNMPv1 Devices and SNMPv2c Devices with community strings public, private; SNMPv3 Devices (SNMPv3 Options). Other IP Service Discovery: LANsurveyor Responders, ICMP (Ping), NetBIOS Clients, SIP Clients, Active Directory DCs. Mapping Speed slider (Slower to Faster). Configuration Management: Save Discovery Configuration, Load Discovery Configuration. Buttons: Start Network Discovery, Cancel.]

LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.

FIGURE 8.5: New Network Map window

6. The mapping process for the entered IP address range will display as shown in the following fig­ure.
[Screenshot: Mapping Progress window. Searching for IP nodes, Hop 0: 10.0.0.1-10.0.0.254. Counters: SNMP Sends, SNMP Receipts, ICMP Ping Sends, ICMP Receipts, Subnets Mapped, Nodes Mapped, Routers Mapped, Switches Mapped. Last Node Mapped: WIN-D39MR5HL9E4.]

LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, nonconsecutive VLANs

FIGURE 8.6: Mapping progress window

7. LANsurveyor displays the map of your network.
LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.

[Screenshot: SolarWinds LANsurveyor - Map 1. The Overview pane lists Network Segments (1), IP Addresses (4), Domain Names (4), Node Names (4), IP Routers, LANsurveyor Responder Nodes, SNMP Nodes, SNMP Switches/Hubs, SIP (VoIP) Nodes, Active Directory DCs and Groups. The map shows the segment 10.0.0.0 - 10.0.0.255 with nodes including WIN-D39MR5HL9E4 and WIN-LXQN3WR3R9M.]

FIGURE 8.7: Resulting network diagram
Lab Analysis

Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.

Tool/Utility: LANSurveyor

Information Collected/Objectives Achieved:

IP address range: 10.0.0.1 - 10.0.0.254

IP Nodes Details:
■ SNMP Sends - 62
■ ICMP Ping Sends - 31
■ ICMP Receipts - 4
■ Nodes Mapped - 4

Network Segment Details:
■ IP Addresses - 4
■ Domain Names - 4
■ Node Names - 4
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does LANSurveyor map every IP address to its corresponding switch or hub port?

2. Can nodes connected via wireless access points be detected and mapped?

Internet Connection Required
□ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Mapping a Network Using Friendly Pinger

Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.

Lab Scenario

In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default community name "public" and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection. As an expert network and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks, and block attacks by deploying firewalls on a network to filter unwanted traffic. You should be able to block outgoing SNMP traffic at border routers or firewalls. In this lab, you will learn to map a network using the tool Friendly Pinger.
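The scenario's point about the default community name "public" is easiest to appreciate by looking at what such a query is on the wire: a single unauthenticated UDP datagram whose only credential is that string, sent in clear text. The Python example below is added here and is not part of the lab manual, of Friendly Pinger or of LANsurveyor; it BER-encodes an SNMPv1 GetRequest for a router's sysName.0 and ifNumber.0 (the OIDs are the standard MIB-2 ones) and decodes the GetResponse. The response it decodes is constructed, not captured; the host name "edge-rtr" and interface count are assumptions for the sample. Only snmp_get() needs a reachable agent, and it should be pointed only at devices you are authorised to query.

```python
"""SNMPv1 GetRequest/GetResponse encoded by hand (BER): what a query with the
default community "public" for a router's sysName and interface count looks
like on the wire, and how the answer is read. Added example, not Friendly Pinger
or LANsurveyor code. The response decoded below is constructed, not captured;
snmp_get() is the only function that needs a reachable agent."""
import os
import socket
SYSNAME, IFNUMBER = "1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form: 0x80|count, then length bytes
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def ber_int(v):
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):  # minimal two's-complement width
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ber_oid(oid):
    ids = [int(x) for x in oid.strip(".").split(".")]
    out = bytearray([40 * ids[0] + ids[1]])              # first two arcs share one byte
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        while sub >> 7:                                   # base-128, high bit marks continuation
            sub >>= 7
            chunk.append(0x80 | (sub & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def _message(pdu_tag, community, request_id, varbinds):
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1

def get_request(community, oids, request_id):
    """SNMPv1 GetRequest; each varbind carries a NULL value placeholder."""
    return _message(GET_REQUEST, community, request_id,
                    b"".join(tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids))

def read_tlv(data, i=0):
    """Return (tag, body, index just past this element)."""
    tag, length, i = data[i], data[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(data[i:i + n], "big"), i + n
    return tag, data[i:i + length], i + length

def decode_oid(body):
    ids, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(v)
            v = 0
    return ".".join(map(str, ids))

def decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):                   # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return body.decode(errors="replace")
    return decode_oid(body) if tag == 0x06 else body      # OID, else raw (NULL, IpAddress, ...)

def parse_response(msg):
    """Return (community, request_id, error_status, {oid: value})."""
    _, body, _ = read_tlv(msg)
    _, _, i = read_tlv(body)                              # version
    _, community, i = read_tlv(body, i)
    pdu_tag, pdu, _ = read_tlv(body, i)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, i = read_tlv(pdu)
    _, err, i = read_tlv(pdu, i)
    _, vbl, _ = read_tlv(pdu, read_tlv(pdu, i)[2])        # skip error-index
    values, j = {}, 0
    while j < len(vbl):
        _, vb, j = read_tlv(vbl, j)
        _, oid, k = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, k)
        values[decode_oid(oid)] = decode_value(vtag, val)
    return (community.decode(), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), values)

def build_sample_response(community, request_id):
    """Constructed GetResponse as a router might answer: sysName and ifNumber."""
    varbinds = (tlv(0x30, ber_oid(SYSNAME) + tlv(0x04, b"edge-rtr"))
                + tlv(0x30, ber_oid(IFNUMBER) + ber_int(4)))
    return _message(GET_RESPONSE, community, request_id, varbinds)

def snmp_get(host, community, oids, timeout=2.0):
    """Send the request to UDP/161 and decode the reply (needs a reachable agent)."""
    rid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(get_request(community, oids, rid), (host, 161))
        data, _ = s.recvfrom(4096)
    _, got_rid, err, values = parse_response(data)
    if got_rid != rid:
        raise ValueError("request-id mismatch")
    return err, values
```

Swapping GET_REQUEST for the SetRequest tag (0xA3) and the read-write community is all that separates this read from the interface shutdown the scenario describes, which is why SNMPv1/v2c with default strings should be blocked at the border and replaced by SNMPv3 with authentication.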
Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network. In this lab, you need to:
■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made in network topology
■ Perform inventory management for hardware and software assets
Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To perform the lab, you need:
■ Friendly Pinger located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from the link http://www.kilievich.com/fpinger.htm
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool

Lab Duration

Time: 10 Minutes

Overview of Network Mapping

Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology. You can perform inventory management for hardware and software assets. Friendly Pinger performs the following to map the network:
■ Monitors network devices' availability
■ Notifies if any server wakes or goes down
■ Pings all devices in parallel at once
■ Audits hardware and software components installed on the computers over the network
Lab Tasks

TASK 1: Draw Network Map

1. Install Friendly Pinger on your Windows Server 2012.

2. Follow the wizard-driven installation steps and install Friendly Pinger.

3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 9.1: Windows Server 2012 - Desktop view

4. Click the Friendly Pinger app to open the Friendly Pinger window.
You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.

[Screenshot: Windows Server 2012 Apps screen showing Friendly Pinger alongside the other installed tools.]

Friendly Pinger will display the IP address of your computer and will offer an exemplary range of IP addresses for scanning.

FIGURE 9.2: Windows Server 2012 - Apps

5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.

6. Click No.
[Screenshot: Friendly Pinger main window with Demo.map open. Menu bar: File, Edit, View, Ping, Notification, Scan, FWatcher, Inventory, Help. The demonstration map shows Internet, Mail, Shortcut, Server and Workstation devices; click the client area to add a new device.]

To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. In the process of determining the intermediate addresses, they will be displayed as a list in this window and the route will be displayed as red arrows on the map.

FIGURE 9.3: FPinger Main Window
S e l e c t File f r o m t h e m e n u b a r a n d s e l e c t d i e Wizard o p t i o n
7.
r םScanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network
The map occupies most of the window. Right-click it. In the context menu that appears, select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.
FIGURE 9.4: FPinger Starting Wizard
8. To create an initial mapping of the network, type a range of IP addresses in the specified field as shown in the following figure and click Next.
[Figure: Wizard dialog. Local IP address: 10.0.0.7. "The initial map will be created by querying the DNS server for information about the following IP addresses: 10.0.0.1-20. You can specify a more exact range of scanning to speed up this operation. For example: 10.129-135.1-5.1-10." Timeout: 1000. "Timeout allows you to increase searching, but you can miss some addresses."]
The device is displayed as an animated picture if it is pinged, and as a black-and-white picture if it is not pinged.
FIGURE 9.5: FPinger Initializing IP address range
9. Then the wizard will start scanning the IP addresses in the network and list them.
10. Click Next.
[Figure: Wizard results. "The inquiry is completed. 4 devices found. Remove the tick from devices which you don't want to add to the map."]
IP address    Name
10.0.0.2      WIN-MSSELCK4K41
10.0.0.3      Windows8
10.0.0.5      WIN-LXQN3WR3R9M
10.0.0.7      WIN-D39MR5HL9E4
Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.
FIGURE 9.6: FPinger Scanning of Addresses completed
11. Set the default options in the Wizard selection windows and click Next.
Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.
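As an added example (not part of the lab manual or Friendly Pinger's own code), the following Python expands an address range written in the wizard's notation and builds and validates the ICMP ECHO / ECHO REPLY exchange described in the note above, matching each reply back to the host that was pinged. The per-octet "a-b" range grammar, the identifier 0x1234 and the replies in the demo are assumptions; no packets are sent.

```python
# Added example, not from the lab manual or Friendly Pinger: expands a
# wizard-style address range and builds/validates the ICMP Echo exchange.
# Assumptions: range grammar is "per octet, a-b" (10.129-135.1-5.1-10 covers
# 10.129-135 x .1-5 x .1-10); identifier 0x1234 and the replies are constructed.
import struct
from itertools import product
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def _octet_range(token: str) -> range:
    """'7' -> 7..7, '129-135' -> 129..135; rejects anything outside 0..255."""
    lo, sep, hi = token.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if sep else lo_i
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet range: {token!r}")
    return range(lo_i, hi_i + 1)


def expand_range(spec: str) -> list:
    """Expand '10.0.0.1-20' or '10.129-135.1-5.1-10' into dotted-quad strings."""
    tokens = spec.split(".")
    if len(tokens) != 4:
        raise ValueError(f"expected four dotted octets: {spec!r}")
    return [".".join(map(str, c)) for c in product(*map(_octet_range, tokens))]


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    return _icmp(ICMP_ECHO_REQUEST, ident, seq, payload)


def echo_reply_for(request: bytes) -> bytes:
    """What the target's stack sends back: same id, seq and payload, type 0."""
    _t, _c, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    return _icmp(ICMP_ECHO_REPLY, ident, seq, request[8:])


def parse_echo_reply(packet: bytes) -> Optional[tuple]:
    """(identifier, sequence, payload) for a well-formed Echo Reply, else None."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0:
        return None
    if internet_checksum(packet) != 0:  # a valid packet checksums to zero
        return None
    return ident, seq, packet[8:]


class PingSweep:
    """Tracks which address each Echo Request went to, so a reply can be
    matched back: ICMP has no ports, only the identifier/sequence pair."""

    def __init__(self, spec: str, ident: int = 0x1234):
        self.ident = ident
        self.pending = {}    # sequence -> address we pinged
        self.responsive = set()
        self.requests = []   # (address, request bytes) in send order
        for seq, addr in enumerate(expand_range(spec), start=1):
            self.pending[seq] = addr
            self.requests.append((addr, build_echo_request(ident, seq, b"fpinger")))

    def handle_reply(self, packet: bytes, src_addr: str) -> Optional[str]:
        """Mark src_addr responsive only if the reply matches a request we sent."""
        parsed = parse_echo_reply(packet)
        if parsed is None:
            return None
        ident, seq, _payload = parsed
        if ident != self.ident or self.pending.get(seq) != src_addr:
            return None  # stale, spoofed or mis-addressed reply: ignore it
        self.responsive.add(src_addr)
        return src_addr


def demo_sweep() -> list:
    """Constructed scenario mirroring the lab: of 10.0.0.1-20 only four answer."""
    sweep = PingSweep("10.0.0.1-20")
    alive = {"10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.7"}
    for addr, req in sweep.requests:
        if addr in alive:
            sweep.handle_reply(echo_reply_for(req), addr)
    return sorted(sweep.responsive, key=lambda a: int(a.rsplit(".", 1)[1]))
```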
[Figure: Wizard dialog. Devices type: Workstation. Address: Use IP-address / Use DNS-name. Remove DNS suffix. Add devices to the new map / Add devices to the current map.]
FIGURE 9.7: FPinger selecting the Devices type
12. Then the client area will display the Network map in the FPinger window.
If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets through. Your network administrator should do it for you. The same applies to the proxy server.
FIGURE 9.8: FPinger Client area with Network architecture
13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar, and click Scan.
You may download the latest release: http://www.kilievich.com/fpinger
Select File | Options, and configure Friendly Pinger to your taste.
FIGURE 9.9: FPinger Scanning the computers in the Network
14. It displays the scanned details in the Scanning wizard.
[Figure: Scanning results. "Scanning complete."]
Service   Computer         Command
HTTP      WIN-MSSELCK...   http://WIN-MSSELCK4K41
HTTP      WIN-D39MR5H...   http://WIN-D39MR5HL9E4
Double-click the device to open it in Explorer.
FIGURE 9.10: FPinger Scanned results
15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer.
Audit software and hardware components installed on the computers over the network.
Track access and files opened on your computer via the network.
FIGURE 9.11: FPinger Inventory tab
16. The General tab of the Inventory wizard shows the computer name and installed operating system.
[Figure: Inventory window, General tab for WIN-D39MR5HL9E4. Host name: WIN-D39MR5HL9E4. Windows name: Windows Server 2012 Release Candidate Datacenter. Collection time: 8/22/2012 11:22:34 AM.]
Assignment of external commands (like telnet, tracert, net.exe) to devices.
FIGURE 9.12: FPinger Inventory wizard General tab
17. The Misc tab shows the Network IP addresses, MAC addresses, File System, and Size of the disks.
Search for HTTP, FTP, e-mail and other network services.
[Figure: Inventory window, Misc tab. Network IP addresses: 10.0.0.7. MAC addresses: D4-BE-D9-C3-CE-2D. Total space: 465.42 Gb. Free space: 382.12 Gb. Display settings: 1366x768, 60 Hz, True Color (32 bit).]
Disk   Type    Free, Gb   Size, Gb   File System
C      Fixed   15.73      97.31      NTFS
D      Fixed   96.10      97.66      NTFS
The "Create Setup" function allows you to create a lite freeware version with your maps and settings.
FIGURE 9.13: FPinger Inventory wizard Misc tab
18. The Hardware tab shows the hardware component details of your networked computers.
[Figure: Inventory window, Hardware tab for WIN-D39MR5HL9E4. Processor: 4x Intel Pentium III Xeon 3093. Memory: 4096 Mb. BIOS: AT/AT COMPATIBLE DELL, 02/09/12. Monitors: Generic PnP Monitor. Display adapters: Intel. Disk drives: ST3500413AS (Serial: W2A91RH6). Network adapters: Realtek PCIe GBE Family Controller. SCSI and RAID controllers: Microsoft Storage Spaces Controller.]
FIGURE 9.14: FPinger Inventory wizard Hardware tab
19. The Software tab shows the installed software on the computers.
[Figure: Inventory window, Software tab for WIN-D39MR5HL9E4, listing installed software with Name, Version, Developer and Homepage columns (Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting, Microsoft Office 2010 components, ...).]
Visualization of your computer network as a beautiful animated screen.
FIGURE 9.15: FPinger Inventory wizard Software tab
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Tool/Utility       Information Collected/Objectives Achieved
Friendly Pinger    IP address range: 10.0.0.1 - 10.0.0.20
                   Found IP addresses:
                   ■ 10.0.0.2
                   ■ 10.0.0.3
                   ■ 10.0.0.5
                   ■ 10.0.0.7
                   Details result of 10.0.0.7:
                   ■ Computer name
                   ■ Operating system
                   ■ IP address
                   ■ MAC address
                   ■ File system
                   ■ Size of disk
                   ■ Hardware information
                   ■ Software information
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.
Internet Connection Required
□ Yes   ☑ No
Platform Supported
☑ Classroom   ☑ iLabs
Lab
Scanning a Network Using the Nessus Tool
Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.
Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications, ping information, track user access via the network, view graphical traceroutes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall. If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. Also, it is very important that you use some methodologies to detect such rogue devices on the network. As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.
Lab Objectives
This lab will give you experience in scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to:
■ Use the Nessus tool
■ Scan the network for vulnerabilities
Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
To carry out the lab, you need:
■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool
Lab Duration
Time: 20 Minutes
Overview of Nessus Tool
Nessus is public domain software released under the GPL.
Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.
Lab Tasks
TASK 1: Nessus Installation
1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears; click Run.
[Figure: Open File - Security Warning dialog. Name: Nessus-5.0.1-x86_64.msi. Publisher: Tenable Network Security Inc. Type: Windows Installer Package. "While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust."]
Nessus is designed to automate the testing and discovery of known security problems.
FIGURE 10.1: Open File - Security Warning
4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions. Click Next.
[Figure: Tenable Nessus (x64) - InstallShield Wizard welcome page. "The InstallShield(R) Wizard will install Tenable Nessus (x64) on your computer. To continue, click Next."]
The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.
FIGURE 10.2: The Nessus installation window
5. Before you begin installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.
Nessus has the ability to test SSLized services such as https, smtps, imaps and more.
[Figure: Tenable Nessus (x64) - InstallShield Wizard, License Agreement page showing the Tenable Network Security, Inc. NESSUS software license agreement, with "I accept the terms in the license agreement" selected.]
The Nessus security scanner includes NASL (Nessus Attack Scripting Language).
FIGURE 10.3: The Nessus Install Shield Wizard
7. Select a destination folder and click Next.
[Figure: Destination Folder page. "Click Next to install to this folder, or click Change to install to a different folder." Install Tenable Nessus (x64) to: C:\Program Files\Tenable\Nessus\]
Nessus gives you the choice of performing regular nondestructive security audits on a routine basis.
FIGURE 10.4: The Nessus Install Shield Wizard
8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.
[Figure: Setup Type page. "Choose the setup type that best suits your needs."]
Nessus probes a range of addresses on a network to determine which hosts are alive.
FIGURE 10.5: The Nessus Install Shield Wizard for Setup Type
9. The Nessus wizard will prompt you to confirm the installation. Click Install.
[Figure: Ready to Install the Program page. "Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard."]
Nessus probes network services on each host to obtain banners that contain software and OS version information.
FIGURE 10.6: Nessus InstallShield Wizard
10. Once installation is complete, click Finish.
[Figure: InstallShield Wizard Completed page. "The InstallShield Wizard has successfully installed Tenable Nessus (x64). Click Finish to exit the wizard."]
Path of the Nessus home directory for Windows: \Program Files\Tenable\Nessus
FIGURE 10.7: Nessus Install Shield wizard
Nessus Major Directories
The major directories of Nessus are shown in the following table.
Nessus Home Directory                    Nessus Sub-Directories       Purpose
Windows: \Program Files\Tenable\Nessus   \conf                        Configuration files
                                         \data                        Stylesheet templates
                                         \nessus\plugins              Nessus plugins
                                         \nessus\users\<name>\kbs     Knowledge base saved on disk
                                         \nessus\logs                 Nessus log files
During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required.
TABLE 10.1: Nessus Major Directories
11. After installation, Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.
[Figure: "Welcome to Nessus! Please connect via SSL by clicking here."]
You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or you can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.
FIGURE 10.8: Nessus SSL certification
13. Click OK in the Security Alert pop-up, if it appears.
[Figure: Internet Explorer Security Alert. "You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web."]
The Nessus Server Manager used in Nessus 4 has been deprecated.
FIGURE 10.9: Internet Explorer Security Alert
14. Click the Continue to this website (not recommended) link to continue.
[Figure: Internet Explorer certificate error page. "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website." Options: Click here to close this webpage / Continue to this website (not recommended).]
FIGURE 10.10: Internet Explorer website's security certificate
15. Click OK in the Security Alert pop-up, if it appears.
Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers.
FIGURE 10.11: Internet Explorer Security Alert
16. The Thank you for installing Nessus screen appears. Click the Get Started > button.
[Figure: Welcome to Nessus, "Thank you for installing" page, with a Get Started > button.]
warning, a custom certificate to your organization must be used
FIGURE 10.11: Nessus Getting Started
17. In Initial Setup, enter the credentials given at the time of registration and click Next >.
[Figure: Initial Setup page. "First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration." Fields: Login, Password, Confirm Password. "Because the admin user can change the scanner configuration, the admin user has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the 'root' (or administrator) user on the remote host."]
FIGURE 10.12: Nessus Initial Setup
18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.
19. Click the Using Nessus at Home icon in Obtain an Activation Code.
[Figure: Tenable Network Security website, Obtain an Activation Code page, with "Using Nessus at Work?" and "Using Nessus at Home?" options.]
If you are using the Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.
FIGURE 10.13: Nessus Obtaining Activation Code
20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.
[Figure: Tenable website, Nessus for Home page showing the HomeFeed subscription agreement.]
FIGURE 10.14: Nessus Subscription Agreement
If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.
21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.
[Figure: Tenable website, Register a HomeFeed form. "To stay up to date with the latest Nessus plugins you need to enter a valid email address to which an activation code will be sent. Your email address will not be shared with any 3rd party." Checkbox: Check to receive updates from Tenable. Register button.]
FIGURE 10.15: Nessus Registering HomeFeed
22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.
[Figure: Tenable website, "Thank You for Registering!" page. "Thank you for registering your Tenable Nessus HomeFeed. An email containing your activation code has just been sent to you at the email address you provided." "Please note that the Tenable Nessus HomeFeed is available for home use only. If you want to use Nessus at your place of business, you must purchase the Nessus ProfessionalFeed."]
After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.
FIGURE 10.16: Nessus Registration Completed
23. Now log in to your email for the activation code provided at the time of registration, as shown in the following figure.
[Figure: Registration email in the webmail client, subject "Tenable HomeFeed Activation Code - Nessus Registration".]
FIGURE 10.17: Nessus Registration mail
24. Now enter the activation code received at your email ID and click Next.
Plugin Feed Registration
As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code. Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.
• To use Nessus at your workplace, purchase a commercial ProfessionalFeed
• To use Nessus in a non-commercial home environment, you can get a HomeFeed for free
• Tenable SecurityCenter users: Enter 'SecurityCenter' in the field below
• To perform offline plugin updates, enter 'offline' in the field below
Activation Code: Please enter your Activation Code: [code from the registration email]
FIGURE 10.18: Nessus Applying Activation Code
25. The Registering window appears as shown in the following screenshot.
FIGURE 10.19: Nessus Registering Activation Code
26. After successful registration, click Next: plugins > to download Nessus plugins.
Nessus server configuration is managed via the GUI. The nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.
Registering... Successfully registered the scanner with Tenable. Successfully created the user. [Next: plugins >]
FIGURE 10.20: Nessus Downloading Plugins
27. Nessus will start fetching the plugins and install them; it will take time to install the plugins and initialize.
Nessus is fetching the newest plugin set. Please wait...
FIGURE 10.21: Nessus fetching the newest plugin set
28. The Nessus Login page appears. Enter the username and password given at the time of registration and click Login.
TASK 2: Network Scan Vulnerabilities
For the item SSH user name, enter the name of the user that is dedicated to Nessus on each of the scan target systems.
FIGURE 10.22: The Nessus Login screen
29. The Nessus HomeFeed window appears. Click OK.
FIGURE 10.23: Nessus HomeFeed subscription
30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.
To add a new policy, click Policies > Add Policy.
FIGURE 10.24: The Nessus main screen
31. If you have an Administrator Role, you can see the Users tab, which lists all users, their Roles, and their Last Logins.
New policies are configured using the Credentials tab.
FIGURE 10.25: The Nessus Users view
32. To add a new policy, click Policies > Add Policy. Fill in the General policy sections, namely, Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.
WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.
FIGURE 10.26: Adding Policies
33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.
The most effective credentialed scans are those for which the supplied credentials have root privileges.
FIGURE 10.27: Adding Policies and setting Credentials
34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.
If you are using Kerberos, you must configure a Nessus scanner to authenticate to a KDC.
FIGURE 10.28: Adding Policies and selecting Plugins
35. To configure preferences, click the Preferences tab in the left pane of Add Policy.
36. In the Plugin field, select Database settings from the drop-down list.
37. Enter the details given at the time of registration.
38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.
39. Click Submit.
If the policy is successfully added, then the Nessus server displays the message.
FIGURE 10.29: Adding Policies and setting Preferences
40. A message Policy "NetworkScan_Policy" was successfully added displays as shown as follows.
FIGURE 10.30: The NetworkScan Policy
To scan, in the Add Scan window input the fields Name, Type, Policy, Scan Targets, and Targets File.
41. Now, click Scans > Add to open the Add Scan window.
42. Input the fields Name, Type, Policy, and Scan Targets.
43. In Scan Targets, enter the IP address of your network; here in this lab we are scanning 10.0.0.2.
44. Click Launch Scan at the bottom-right of the window.
Note: The IP addresses may differ in your lab environment.
Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.
FIGURE 10.31: Add Scan
45. The scan launches and starts scanning the network.
FIGURE 10.32: Scanning in progress
46. After the scan is complete, click the Reports tab.
FIGURE 10.33: Nessus Reports tab
47. Double-click Local Network to view the detailed scan report.
FIGURE 10.34: Report of the scanned target
48. Double-click any result to display a more detailed synopsis, description, security level, and solution.
If you are manually creating nessusrc files, there are several parameters that can be configured to specify SSH authentication.
FIGURE 10.35: Report of a scanned target
49. Click the Report button in the left pane.
50. You can download available reports with a .nessus extension from the drop-down list.
To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.
FIGURE 10.36: Report with .nessus extension
51. Now, click Log out.
52. In the Nessus Server Manager, click Stop Nessus Server.
FIGURE 10.37: Log out Nessus
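As an added example (not from the lab manual or from Tenable), the following Python parses a .nessus v2 report like the one downloaded in step 50 and summarises the findings per host by severity, listing the synopsis and solution for everything at Medium or above; the embedded report, its host details, plugin IDs and texts are constructed placeholders, not findings from the lab.

```python
"""Parse a Nessus v2 (.nessus) report and summarise findings per host."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity levels as stored in the ReportItem "severity" attribute
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout; plugin IDs, names and texts
# are illustrative placeholders, not real Nessus plugins or lab findings.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Local Network">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="host-ip">10.0.0.2</tag>
        <tag name="operating-system">Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Example SMB Weakness"
                  pluginFamily="Windows">
        <synopsis>The remote SMB service is affected by a weakness.</synopsis>
        <description>Placeholder description.</description>
        <solution>Apply the vendor patch.</solution>
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Example Web Server Issue"
                  pluginFamily="Web Servers">
        <synopsis>The web server discloses version information.</synopsis>
        <description>Placeholder description.</description>
        <solution>Disable the banner.</solution>
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Example OS Identification"
                  pluginFamily="General">
        <synopsis>It is possible to identify the remote OS.</synopsis>
        <description>Placeholder description.</description>
        <solution>n/a</solution>
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return a list of findings, one dict per ReportItem, across all hosts."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a Nessus v2 report: root element is %r" % root.tag)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties carries per-host tags (IP, OS, ...); the name
        # attribute is the target as it was entered in Scan Targets.
        props = {tag.get("name"): (tag.text or "")
                 for tag in host.findall("HostProperties/tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": props.get("operating-system", ""),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "synopsis": (item.findtext("synopsis") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def severity_counts(findings):
    """Count findings per severity name, e.g. {'High': 1, 'Medium': 1, 'Info': 1}."""
    return dict(Counter(SEVERITY_NAMES[f["severity"]] for f in findings))


def actionable(findings, min_severity=2):
    """Findings at or above min_severity, highest severity first, with remediation."""
    chosen = [f for f in findings if f["severity"] >= min_severity]
    return sorted(chosen, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print("Severity summary:", severity_counts(found))
    for f in actionable(found):
        print("%s:%d/%s [%s] %s" % (f["host"], f["port"], f["protocol"],
                                   SEVERITY_NAMES[f["severity"]], f["plugin_name"]))
        print("    synopsis:", f["synopsis"])
        print("    solution:", f["solution"])
```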
Lab Analysis
Document all the results and reports gathered during the lab.
Tool/Utility: Nessus
Information Collected/Objectives Achieved:
Scan Target Machine: Local Host
Performed Scan Policy: Network Scan Policy
Target IP Address: 10.0.0.2
Result: Local Host vulnerabilities
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with the security center.
2. Determine how the Nessus license works in a VM (Virtual Machine) environment.
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Auditing Scanning by using Global Network Inventory
Global Network Inventory is used as an audit scanner in zero deployment and agent-free environments. It scans computers by IP range, domain, computers or single computers, defined by the Global Network Inventory host file.
Lab Scenario
With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use that to compromise the entire system and other data found, and thus he or she can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges with faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network. As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing the networks. So, as an administrator you should make sure that services do not run as root, and should be cautious of patches and updates for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.
Lab Objectives
This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:
■ Use the Global Network Inventory tool
Lab Environment
To carry out the lab, you need:
■ Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
■ You can also download the latest version of Global Network Inventory from this link: http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Global Network Inventory
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Global Network Inventory
Global Network Inventory is one of the de facto tools for security auditing and testing of firewalls and networks. It is also used to exploit Idle Scanning.
Lab Tasks
TASK 1: Scanning the network
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 11.1: Windows Server 2012 - Desktop view
2. Click the Global Network Inventory app to open the Global Network Inventory window.
Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.
FIGURE 11.2: Windows Server 2012 - Apps
3. The Global Network Inventory Main window appears as shown in the following figure.
4. The Tip of Day window also appears; click Close.
Scan only items that you need by customizing scan elements.
FIGURE 11.3: Global Network Inventory Main Window
5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.
Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.
FIGURE 11.4: Windows 2008 Virtual Machine
6. Now switch back to the Windows Server 2012 machine, and a new Audit Wizard window will appear. Click Next (or in the toolbar select the Scan tab and click Launch audit wizard).
New Audit Wizard: Welcome to the New Audit Wizard. This wizard will guide you through the process of creating a new inventory audit. To continue, click Next.
Views scan results, including historic results for all scans, individual machines, or a selected number of addresses.
FIGURE 11.5: Global Network Inventory new audit wizard
7. Select IP range scan and then click Next in the Audit Scan Mode wizard.
New Audit Wizard, Audit Scan Mode: To start a new audit scan you must choose the scenario that best fits how you will be using this scan. Single address scan: audit a single computer. IP range scan: audit a group of computers within a single IP range. Domain scan: audit computers that are part of the same domain(s). Host file scan: audit computers specified in the host file (the most common scenario is to audit a group of computers without auditing an IP range or a domain). Export audit agent: audit computers using a domain script; an audit agent will be exported to a shared directory and can later be used in the domain login script. To continue, click Next.
Fully customizable layouts and color schemes on all views and reports.
FIGURE 11.6: Global Network Inventory Audit Scan Mode
8. Set the IP range scan and then click Next in the IP Range Scan wizard.
9. In the Authentication Settings wizard, select Connect as and fill in the respective credentials of your Windows Server 2008 Virtual Machine, and click Next.
Export data to HTML, XML, Microsoft Excel, and text formats.
Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.
New Audit Wizard, Authentication Settings: Specify the authentication settings to use to connect to a remote computer. Connect as currently logged on user / Connect as: Domain\user name. To continue, click Next.
The program comes with dozens of customizable reports. New reports can be easily added through the interface.
FIGURE 11.8: Global Network Inventory Authentication settings
10. Leave the settings as default and click Finish to complete the wizard.
New Audit Wizard, Completing the New Audit Wizard: You are ready to start a new IP range scan. You can set the following options for this scan: Do not record unavailable nodes; Open scan progress dialog when scan starts; Rescan nodes that have been successfully scanned; Rescan, but no more than once a day. To complete this wizard, click Finish.
Ability to generate reports on schedule after every scan, daily, weekly, or monthly.
To configure reports choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.
FIGURE 11.9: Global Network Inventory final Audit wizard
11. It displays the Scanning progress in the Scan progress window.
Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column(s).
Scan progress window: addresses 10.0.0.2 through 10.0.0.14 listed with Name, Percent and Timestamp columns; Elapsed time: 0 min 6 sec; Scanned nodes: 0/24.
FIGURE 11.10: Global Network Inventory Scanning Progress
12. After completion, scanning results can be viewed as shown in the following figure.
Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.
FIGURE 11.11: Global Network Inventory result window
13. Now select the Windows Server 2008 machine from the view results to view individual results.
The Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing colors.
FIGURE 11.12: Global Network Inventory Individual machine results
14. The Scan Summary section gives you a brief summary of the machines that have been scanned.
To configure the results history level choose Scan | Results history level from the main menu and set the desired history level.
FIGURE 11.13: Global Inventory Scan Summary tab
15. The Bios section gives details of Bios settings.
FIGURE 11.14: Global Network Inventory Bios summary tab
16. The Memory tab summarizes the memory in your scanned machine.
E-mail address: Specifies the email address that people should use when sending email to you. The email address must be in the format name@company, for example, someone@mycompany.com.
FIGURE 11.15: Global Network Inventory Memory tab
17. In the NetBIOS section, complete details can be viewed.
Message subject: Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.
FIGURE 11.16: Global Network Inventory NetBIOS tab
18. The Groups tab shows user account details within the workgroup.
Name: Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.
FIGURE 11.17: Global Network Inventory groups section
19. The Logged on tab shows detailed logged-on details of the machine.
Port: Specifies the port number you connect to on your outgoing email (SMTP) server. This port number is usually 25.
FIGURE 11.18: Global Network Inventory Logged on Section
20. The Port connectors section shows ports connected in the network.
Outgoing mail (SMTP): Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.
FIGURE 11.19: Global Network Inventory Port connectors tab 2 1 . T h e Service s e c t io n g iv e d i e d e ta ils o f d ie s e r v ic e s in s ta l le d i n d i e m a c h i n e .
C EH Lab Manual Page 197
Ethical Hacking and Countermeasures Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
M o d u le 0 3 - S c a n n in g N e tw o rk s
S To create a new custom report that includes more than one scan element, click choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize settings as desired, and click the OK button
FIGURE 11.20: Global Network Inventory Services section

22. The Network Adapters section shows the Adapter IP, the MAC address and the Adapter type (for example, Ethernet) of each scanned host.
A security password is created to make sure that no one else can log on to Global Network Inventory; by default, Global Network Inventory uses a blank password.

FIGURE 11.21: Global Network Inventory Network Adapter tab

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: Global Network Inventory
Information Collected/Objectives Achieved:
IP Scan Range: 10.0.0.1 - 10.0.0.50
Scanned IP Address: 10.0.0.7, 10.0.0.4
Result:
■ Scan summary
■ BIOS
■ Memory
■ NetBIOS
■ User groups
■ Logged on
■ Port connectors
■ Services
■ Network adapters

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?
2. How can you export the Global Network Inventory agent to a shared network directory?

Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Anonymous Browsing using Proxy Switcher
Proxy Switcher allows you to automatically execute actions based on the detected network connection.

Lab Scenario
In the previous lab, you gathered information such as the scan summary, NetBIOS details and the services running on a computer using Global Network Inventory.

NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in the NetBIOS over TCP/IP (NetBT) services on Microsoft Windows; it involves one of the NetBT services, the NetBIOS Name Server (NBNS). With this service, an attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.

As an expert penetration tester, you should follow typical security practices: to block such Internet-based attacks, block port 137 User Datagram Protocol (UDP) at the firewall. You must also understand how attackers hide the source of their scans behind proxy servers, which is what this lab demonstrates using Proxy Switcher.
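The name service query the scenario describes, as an added worked example (this is not code from the lab manual, from EC-Council or from Global Network Inventory): it builds a NetBT node status request, the packet that nbtstat -A sends to UDP/137, parses the answer, and reports any bytes the host returned beyond the statistics block that RFC 1002 defines, which is where a practitioner would look for the leaked memory the scenario mentions. The host name LABHOST, the workgroup, the MAC address and the whole sample reply are constructed; query_node_status is only for live use against a host you are authorised to test.

```python
"""NetBT name service (UDP/137) node status query.

Added example; not code from the lab manual, EC-Council or any tool it
describes. The sample response is constructed by hand (RFC 1002 layout).
"""
import socket
import struct

NBSTAT = 0x0021      # QTYPE: node status request
IN_CLASS = 0x0001
NODE_STATS_LEN = 46  # 6-byte unit ID (MAC) + 40 bytes of counters, per RFC 1002


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15-byte name + suffix byte, two letters per byte
    ('A' + high nibble, 'A' + low nibble). The wildcard "*" is NUL-padded."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """Header (ID, flags=0, QDCOUNT=1) followed by one NBSTAT question for "*"."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name("*") + b"\x00"
    return header + question + struct.pack(">HH", NBSTAT, IN_CLASS)


def parse_node_status_response(data: bytes) -> dict:
    """Return the registered names, the unit ID (MAC) and how many bytes the
    host sent beyond the 46-byte statistics block the RFC defines."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name service response with an answer")
    off = 12
    off += 1 + data[off] + 1                      # length byte, encoded name, terminator
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    rdata = data[off:off + rdlen]
    names, pos = [], 1
    for _ in range(rdata[0]):                     # NUM_NAMES, then 18-byte entries
        entry = rdata[pos:pos + 18]
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": entry[15],                   # 0x00 workstation, 0x20 file server, ...
            "group": bool(nflags & 0x8000),        # group name vs unique name
        })
        pos += 18
    mac = ":".join(f"{b:02X}" for b in rdata[pos:pos + 6])
    return {
        "txid": txid,
        "names": names,
        "mac": mac,
        # Anything past the documented statistics is data the host should not
        # have sent; inspect it when hunting for the disclosure described above.
        "unexpected_tail": max(0, len(rdata) - pos - NODE_STATS_LEN),
    }


def query_node_status(host: str, timeout: float = 2.0) -> dict:
    """Live query (not exercised offline): send to UDP/137 and parse the reply."""
    req = build_node_status_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


def constructed_response(txid: int = 0x1234, extra: bytes = b"") -> bytes:
    """Hand-built answer: constructed host LABHOST and its workgroup, a constructed
    MAC, zeroed counters, plus `extra` bytes to simulate an over-long reply."""
    rdata = bytes([2])
    rdata += b"LABHOST".ljust(15) + b"\x00" + struct.pack(">H", 0x0400)    # unique name
    rdata += b"WORKGROUP".ljust(15) + b"\x00" + struct.pack(">H", 0x8400)  # group name
    rdata += bytes.fromhex("001122334455") + bytes(40) + extra
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)             # response, AA
    answer = bytes([32]) + encode_netbios_name("*") + b"\x00"
    answer += struct.pack(">HHIH", NBSTAT, IN_CLASS, 0, len(rdata))
    return header + answer + rdata


if __name__ == "__main__":
    print(parse_node_status_response(constructed_response(extra=b"\xde\xad")))
```

Running the live query against a Windows host on the lab network returns the same structure as the constructed reply; a non-zero unexpected_tail means the host padded its answer with bytes the protocol does not account for and those bytes deserve a hex dump. The firewall rule the scenario recommends (drop UDP/137 inbound from the Internet) is exactly what stops this packet from arriving.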
Lab Objectives
This lab will show you how networks can be scanned through a proxy and how to use Proxy Switcher. It will teach you how to:
■ Hide your IP address from the websites you visit
■ Switch between proxy servers for improved anonymous surfing
Lab Environment
To carry out the lab, you need:
■ Proxy Switcher, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
■ You can also download the latest version of Proxy Switcher from this link: http://www.proxyswitcher.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Switcher
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration
Time: 15 Minutes

Overview of Proxy Switcher
Proxy Switcher allows you to automatically execute actions based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting the proxy settings for Internet Explorer, Firefox, and Opera.
Lab Tasks
Automatic change of proxy configurations (or any other action) based on network information.

1. Install Proxy Switcher in Windows Server 2012 (Host Machine).
2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher.
3. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
4. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008 and Windows 7.
5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.
Often different Internet connections require completely different proxy server settings, and it is a real pain to change them manually.

FIGURE 12.1: Firefox Options tab

6. Go to the Advanced tab in the Options dialog of Firefox, select the Network tab, and then click Settings.
Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera and other programs.

FIGURE 12.2: Firefox Network Settings

7. Select the Use system proxy settings radio button, and click OK. Firefox then follows the system (Internet Options) proxy configuration, which is what Proxy Switcher rewrites each time you switch servers.
Proxy Switcher supports command line options, for example -d: activate direct connection.

FIGURE 12.3: Firefox Connection Settings (the manual proxy fields point at 127.0.0.1, where Proxy Switcher's internal proxy listens)

8. Now, to install Proxy Switcher Standard, follow the wizard-driven installation steps.
9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

TASK 1: Proxy Server Switching

FIGURE 12.4: Windows Server 2012 - Desktop view

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window, OR click Proxy Switcher from the Tray Icon list.
Proxy Switcher is free to use without limitations for personal and commercial use.

FIGURE 12.5: Windows Server 2012 - Apps

If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background will be displayed until a working proxy server is found.

FIGURE 12.6: Select Proxy Switcher
11. The Proxy List Wizard will appear as shown in the following figure; click Next.

Proxy Switcher supports LAN, dialup, VPN and other RAS connections.

FIGURE 12.7: Proxy List Wizard (Welcome to the Proxy Switcher: using this wizard you can quickly complete common proxy list management tasks; Show Wizard on Startup)

12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button from Common Tasks, and click Finish.

Proxy switching from the command line can be used at logon to automatically set connection settings.

FIGURE 12.8: Select common tasks (Common Tasks: Find New Servers, Rescan Servers, Recheck Dead; Find 100 New Proxy Servers; Find New Proxy Servers Located in a Specific Country; Rescan Working and Anonymous Proxy Servers)

13. A list of downloaded proxy servers will appear in the Proxy Switcher window.
When Proxy Switcher is running in Keep Alive mode, it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.

FIGURE 12.9: List of downloaded proxy servers (the Proxy Scanner tree groups servers into New, High Anonymous, SSL, Elite, Dead, Permanently dead, Basic Anonymity, Private, Dangerous, My Proxy Servers and ProxySwitcher; each server is listed with its state, response time and country, and the download progress from the public proxy-list sites is shown at the bottom)

14. To stop downloading proxy servers, click Cancel in the toolbar.

When the active proxy server becomes inaccessible, Proxy Switcher will pick a different server from the ProxySwitcher category. If the active proxy server is currently alive, the background will be green.

FIGURE 12.10: Proxy scanner status (servers that time out are logged as "tested as [Dead] because connection timed out")

15. Click Basic Anonymity in the Proxy Scanner tree; it shows the list of downloaded proxy servers in that category. Basic Anonymity servers hide the client address but still identify themselves as proxies in the request headers they forward; High Anonymous (elite) servers do neither, which is why the two categories are kept apart.
When running in Auto Switch mode, Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

FIGURE 12.11: Selecting a downloaded proxy server from Basic Anonymity

16. Select one proxy server IP address, and click the switch icon in the toolbar to switch to the selected proxy server.

In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.

FIGURE 12.12: Selecting the proxy server

17. The selected proxy server will connect, and the window title changes from "(Direct Connection)" to "(Active Proxy: address - country)", as shown in the following figure.
FIGURE 12.13: Successful connection of the selected proxy (the window title reads Active Proxy: 95.110.159.54:8080 - ITALY)

Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support an HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.

18. Go to a web browser (Firefox), and type the following URL: http://www.proxyswitcher.com/check.php to check the connectivity of the selected proxy server. If it is successfully connected, the page reports the result shown in the following figure: Your possible IP address is: 202.53.11.130, 192.168.1.1 (Location: Unknown); Proxy Server: DETECTED; Proxy IP: 95.110.159.67; Proxy Country: Unknown.

Read this result critically before relying on the proxy. The check page still lists two possible client addresses, one of them a private (RFC 1918) address, which indicates that the proxy forwarded identifying request headers; that is the behaviour of the Basic Anonymity category, not of a High Anonymous server. Note also that the proxy IP the site sees (95.110.159.67) is not the address you selected (95.110.159.54): the proxy's outbound traffic leaves through a different interface or a further upstream proxy, so the exit address, not the configured one, is what the destination logs.

FIGURE 12.14: Detected proxy server

19. Open another tab in the web browser, and surf anonymously using this proxy.
After the anonymous proxy servers have become available for switching, you can activate any one of them to become invisible to the sites you visit.

FIGURE 12.15: Surfing using the proxy server (Google answers from its Italian site, google.it, because the exit address it sees is in Italy)
Lab Analysis
Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab.

Tool/Utility: Proxy Switcher
Information Collected/Objectives Achieved:
Server: list of available proxy servers
Selected Proxy Server IP Address: 95.110.159.54
Selected Proxy Country Name: ITALY
Resulting Proxy Server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine which technologies are used for Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.

Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs
Lab 13

Daisy Chaining using Proxy Workbench
Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.

Lab Scenario
You have learned in the previous lab how to hide your actual IP using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else by using a proxy server and gather relevant information about an individual, like bank details; once he or she gains an individual's bank or online shopping information, he or she can hack into those accounts or use the information for social engineering. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks. As an administrator you should be able to prevent such attacks by deploying an intrusion detection system with which you can collect network information for analysis to determine if an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives
This lab will show you how networks can be scanned through chained proxies and how to use Proxy Workbench. It will teach you how to:
■ Use the Proxy Workbench tool
■ Daisy chain the Windows host machine and virtual machines
Lab Environment
To carry out the lab, you need:
■ Proxy Workbench, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
■ You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008, and Windows 7, as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Workbench
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration
Time: 20 Minutes
Overview of Proxy Workbench
Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between the web browser and the web server, and it even analyzes FTP in passive and active modes.
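The daisy chaining that this lab's objectives refer to, as an added worked example of the protocol exchange (this is not code from the lab manual or from Proxy Workbench, which is a GUI tool): with HTTP proxies, a chain is built by connecting to the first proxy and issuing a CONNECT for the second proxy, then, inside that tunnel, a CONNECT for the third, and so on until the last CONNECT names the real target. The proxy host names, the scripted 200/403 replies and the ScriptedProxy class are constructed so the negotiation can be run offline; open_chained_tunnel is the live version and is not exercised here.

```python
"""Daisy-chaining HTTP proxies with nested CONNECT tunnels.

Added example; not code from the lab manual or from Proxy Workbench. The
first proxy is reached directly; every further hop (and finally the target)
is requested with a CONNECT sent through the tunnel built so far. The
scripted proxy below is a constructed stand-in so the negotiation can run
offline; open_chained_tunnel() is the live version.
"""
import socket


class ConnectError(Exception):
    pass


def connect_requests(chain, target):
    """One CONNECT per hop after the first proxy, ending with the target."""
    hops = list(chain[1:]) + [target]
    reqs = [f"CONNECT {h}:{p} HTTP/1.1\r\nHost: {h}:{p}\r\n\r\n".encode() for h, p in hops]
    return hops, reqs


def read_header_block(recv) -> bytes:
    """Read until the end of the HTTP header block; recv(n) returns b'' on EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = recv(4096)
        if not chunk:
            raise ConnectError("connection closed before a full CONNECT reply")
        buf += chunk
        if len(buf) > 65536:
            raise ConnectError("oversized CONNECT reply")
    return buf


def connect_status(reply: bytes) -> int:
    """Status code from the first line of a CONNECT reply; 200 means tunnel open."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ConnectError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def negotiate(chain, target, send, recv):
    """Walk the chain hop by hop over send()/recv(); returns the hops tunnelled.
    Each proxy only ever sees its two neighbours: the previous hop as its client
    and the next hop as the CONNECT destination."""
    hops, reqs = connect_requests(chain, target)
    for hop, req in zip(hops, reqs):
        send(req)
        status = connect_status(read_header_block(recv))
        if status != 200:
            raise ConnectError(f"hop {hop[0]}:{hop[1]} refused the tunnel: {status}")
    return hops


def open_chained_tunnel(chain, target, timeout=10.0) -> socket.socket:
    """Live use: returns a socket whose bytes reach `target` via every proxy in `chain`."""
    sock = socket.create_connection(chain[0], timeout=timeout)
    try:
        negotiate(chain, target, sock.sendall, sock.recv)
    except Exception:
        sock.close()
        raise
    return sock


class ScriptedProxy:
    """Constructed first-hop proxy: answers each CONNECT with the next scripted reply."""

    def __init__(self, replies):
        self.replies, self.requests, self._buf = list(replies), [], b""

    def send(self, data: bytes) -> None:
        self.requests.append(data)
        self._buf += self.replies.pop(0) if self.replies else b""

    def recv(self, n: int) -> bytes:
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk


if __name__ == "__main__":
    fake = ScriptedProxy([b"HTTP/1.1 200 Connection established\r\n\r\n"] * 2)
    print(negotiate([("proxy-a.example", 3128), ("proxy-b.example", 8080)],
                    ("target.example", 443), fake.send, fake.recv))
```

Two consequences follow from the exchange. The target only ever logs the last proxy's exit address, which is the point of the scenario above, and a defender who sits at any single hop sees only the adjacent hops, which is why an IDS on the victim network cannot recover the origin from this traffic alone. Unless the client speaks TLS end to end inside the innermost tunnel, every proxy in the chain can read and modify the traffic; the lab's own check page visit would be fully visible to each operator.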
Lab Tasks
Security: Proxy servers provide a level of security within a network. They can help prevent security attacks, as the only way into the network from the Internet is via the proxy server.
1. Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, Windows 7).
2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
3. You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
5. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008, and Windows 7.
6. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options.
FIGURE 13.1: Firefox options tab
7. Go to the Advanced > Network tab in the Options wizard of Firefox, select the profile, and then click Settings.
The sockets panel shows the number of Alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.
FIGURE 13.2: Firefox Network Settings
The status bar shows the details of Proxy Workbench's activity. The first displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this due to overhead in managing it.
8. Check the option of Manual proxy configuration in the Connection Settings wizard.
9. Type HTTP Proxy as 127.0.0.1 and enter the port value as 8080, check Use this proxy server for all protocols, and click OK.
FIGURE 13.3: Firefox Connection Settings
10. While configuring, if you encounter any port error, please ignore it.
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.
FIGURE 13.4: Windows Server 2012 - Desktop view
12. Click the Proxy Workbench app to open the Proxy Workbench window.
The events panel displays the total number of events that Proxy Workbench has in memory. By clearing the data (File > Clear All Data) this will decrease to zero if there are no connections that are Alive.
FIGURE 13.5: Windows Server 2012 - Apps
13. The Proxy Workbench main window appears as shown in the following figure.
The last displays the current time as reported by your operating system.
(Main window panels: Details for All Activity with From, To, Protocol and Started columns; Real time data for All Activity; status bar showing Memory: 95 KByte, Sockets, Events: 754.)
FIGURE 13.6: Proxy Workbench main window
14. Go to Tools on the toolbar, and select Configure Ports.
The 'Show the real time data window' option allows the user to specify whether the real-time data pane should be displayed or not.
FIGURE 13.7: Proxy Workbench Configure Ports option
15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane of Ports to listen on.
16. Check HTTP in the right pane of Protocol assigned to port 8080, and click Configure HTTP for port 8080.
People who benefit from Proxy Workbench: Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?" People who are curious about how their web browser, email client or FTP client communicates with the Internet. People who are concerned about malicious programs sending sensitive information out into the Internet; the information that programs are sending can be readily identified. Internet software developers who are writing programs to existing protocols; software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol, and Proxy Workbench allows developers to instantly identify protocol problems. Internet software developers who are creating new protocols and developing the client and server software simultaneously; Proxy Workbench will help identify non-compliant protocol ... Internet security experts will benefit from seeing the data flowing in real time; this will help them see who is doing what and when.
FIGURE 13.8: Proxy Workbench Configuring HTTP for Port 8080
17. The HTTP Properties window appears. Now check Connect via another proxy, enter your Windows Server 2003 virtual machine IP address in Proxy Server, enter 8080 in Port, and then click OK.
Many people understand sockets much better than they think. When you surf the web and go to a web site called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" with port number 80.
FIGURE 13.9: Proxy Workbench HTTP for Port 8080
18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.
The real time logging allows you to record everything Proxy Workbench does to a text file. This allows the information to be readily imported into a spreadsheet or database so that the most advanced analysis can be performed on the data.
FIGURE 13.10: Proxy Workbench Configured proxy
19. Repeat the configuration steps of Proxy Workbench from Step 11 to Step 15 in the Windows Server 2008 Virtual Machine.
20. In Windows Server 2008, type the IP address of the Windows 7 Virtual Machine.
21. Open a Firefox browser in Windows Server 2008 and browse web pages.
22. Proxy Workbench generates the traffic, which will be displayed as shown in the following figure of Windows Server 2008.
Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history and save it to HTML.
23. Check the To column; it is forwarding the traffic to 10.0.0.3 (Windows Server 2008 virtual Machine).
FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine
24. Now log in to the Windows Server 2008 Virtual Machine, and check the To column; it is forwarding the traffic to 10.0.0.7 (Windows 7 Virtual Machine).
And now, Proxy Workbench includes connection failure simulation strategies. What this means is that you can simulate a poor network, a slow Internet or an unresponsive server. This makes it the definitive TCP application tester.
FIGURE 13.12: Proxy Workbench Generated Traffic in Windows Server 2003 Virtual Machine
25. Select On the web server, connect to port 80 in the Windows 7 virtual machine, and click OK.
It allows you to 'see' how your email client communicates with the email server, how web pages are delivered to your browser and why your FTP client is not connecting to its server.
FIGURE 13.13: Configuring HTTP properties in Windows 7
26. Now check the traffic in 10.0.0.7 (Windows 7 Virtual Machine); the "To" column shows traffic generated from the different websites browsed in Windows Server 2008.
In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.
FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine
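The daisy chain built in steps 15 to 25 makes each proxy either hand the browser's request to the next proxy ("Connect via another proxy") or deliver it to the origin server itself ("On the web server, connect to port"). The following Python example, added here and not taken from the lab manual or from Proxy Workbench, shows the request rewriting that distinguishes the two modes, including dropping the hop-by-hop Proxy-Connection header visible in the real-time pane of Figure 13.6; the sample request, the chain order (taken from steps 23 to 25) and all function names are constructed for the example.

```python
# Added example (not CEH lab manual or Proxy Workbench code): how one proxy in a
# daisy chain rewrites a browser request for its next hop.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]
Upstream = Optional[Tuple[str, int]]  # (host, port) of the next proxy, or None


@dataclass
class ProxyRequest:
    method: str
    host: str          # origin host taken from the absolute-form request target
    port: int          # origin port (80 when the URL carries none)
    path: str          # origin-form path, e.g. "/mail/?ui=1"
    version: str       # e.g. "HTTP/1.1"
    headers: List[Header]


# Headers addressed to the proxy only; they must not travel on to the origin server.
PROXY_ONLY = {"proxy-connection", "proxy-authorization"}


def parse_proxy_request(raw: bytes) -> ProxyRequest:
    """Parse the head of a request as a browser sends it to its configured proxy."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("expected absolute-form http:// target, got %r" % target)
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers.append((name.strip(), value.strip()))
    return ProxyRequest(method, url.hostname, url.port or 80, path, version, headers)


def next_hop(req: ProxyRequest, upstream: Upstream) -> Tuple[str, int, bytes]:
    """Return (host, port, bytes to send) for this proxy's next connection.

    upstream=(host, port) models "Connect via another proxy": the request stays in
    absolute form so the next proxy can locate the origin, and proxy-only headers
    are passed along. upstream=None models "On the web server, connect to port":
    the request becomes origin-form and proxy-only headers are removed.
    """
    if upstream is not None:
        authority = req.host if req.port == 80 else "%s:%d" % (req.host, req.port)
        target = "http://%s%s" % (authority, req.path)
        headers = req.headers
        host, port = upstream
    else:
        target = req.path
        headers = [h for h in req.headers if h[0].lower() not in PROXY_ONLY]
        host, port = req.host, req.port
    wire = "%s %s %s\r\n" % (req.method, target, req.version)
    wire += "".join("%s: %s\r\n" % h for h in headers) + "\r\n"
    return host, port, wire.encode("iso-8859-1")


def walk_chain(raw: bytes, hops: List[Tuple[str, Upstream]]) -> List[Tuple[str, str, int, str]]:
    """Follow one request through every proxy in the chain.

    hops is [(proxy name, upstream or None), ...] in traffic order. Returns one
    (proxy name, next host, next port, request line) row per hop, the same
    From/To view that Proxy Workbench's Details pane shows in the lab.
    """
    rows = []
    for name, upstream in hops:
        req = parse_proxy_request(raw)
        host, port, wire = next_hop(req, upstream)
        rows.append((name, host, port, wire.split(b"\r\n", 1)[0].decode()))
        raw = wire  # what this proxy sent is what the next hop receives
    return rows


# Constructed request, shaped like the real-time data pane in Figure 13.6.
SAMPLE_REQUEST = (
    b"GET http://mail.google.com/mail/ HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
)

# The lab's chain as read from steps 23 to 25: host -> 10.0.0.3 -> 10.0.0.7 -> web server.
LAB_CHAIN = [
    ("Windows Server 2012 host", ("10.0.0.3", 8080)),
    ("Windows Server 2008 VM", ("10.0.0.7", 8080)),
    ("Windows 7 VM", None),
]

if __name__ == "__main__":
    for name, host, port, line in walk_chain(SAMPLE_REQUEST, LAB_CHAIN):
        print("%-26s -> %s:%-5d %s" % (name, host, port, line))
```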
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility | Information Collected/Objectives Achieved
Proxy Workbench | Proxy server Used: 10.0.0.7; Port scanned: 8080; Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine the Connection Failure - Termination and Refusal.
2. Evaluate how real-time logging records everything in Proxy Workbench.
Internet Connection Required: [x] Yes [ ] No
Platform Supported: [x] Classroom [ ] iLabs
HTTP Tunneling Using HTTPort
HTTPort is a program from HTTHost that makes a transparent tunnel through a proxy server or firewall.
Lab Scenario
Attackers are always on a hunt for clients that can be easily compromised, and they can enter these networks by spoofing the IP address of packets to get through the firewall. If the attackers are able to do IP spoofing, they can perform password attacks, Trojan attacks, registry hijacking attacks, etc., which can prove to be disastrous for the organization's network. An attacker may use a network probe to capture network traffic, as you have learned in the previous lab, and damage or steal data. The attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type. Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions. Also, you should be familiar with the HTTP tunneling technique, by which you may identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP Tunneling using HTTPort.
Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.
Lab Environment
In the lab, you need the HTTPort tool.
■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
■ You can also download the latest version of HTTPort from the link http://www.targeted.org/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install HTTHost on the Windows Server 2008 Virtual Machine
■ Install HTTPort on the Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it.
■ Administrative privileges are required to run this tool
■ This lab might not work if the remote server filters/blocks HTTP tunneling packets
Lab Duration
Time: 20 Minutes
Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies and HTTP firewalls, and transparent accelerators.
Lab Tasks
Stopping IIS Services
1. Before running the tool you need to stop the IIS Admin Service and World Wide Web Publishing services on the Windows Server 2008 virtual machine.
2. Go to Administrative Privileges on the Windows Server 2008 virtual machine, click Services, right click IIS Admin Service, and click the Stop option.
HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.
FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008
3. Go to Administrative Privileges > Services, right-click World Wide Web Publishing Services, and click the Stop option.
It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.
FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008
Note: HTTPort supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.
C E H Lab M anual Page 223
4. Open the mapped network drive "CEH-Tools" and go to Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost.
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost wizard will open; select the Options tab.
7. On the Options tab, leave all the settings at their defaults except the Personal password field, which should be filled in with any password of your choice. In this lab, the personal password is "magic".
E th ic a l H ackin g and Counterm easures Copyright O by E C ־Counc11 A ll Rights Reserved. Reproduction is Strictly Prohibited
M o d u le 0 3 - S c a n n in g N e tw o rk s
8. Check the Revalidate DNS names and Log connections options and click Apply.

Note: To set up HTTPort you need to point your browser to 127.0.0.1.

FIGURE 14.3: HTTHost Options tab (Network: Bind listening to 0.0.0.0, Port 80; Bind external to 0.0.0.0; Allow access from 0.0.0.0; Personal password; Pass through unrecognized requests to host 127.0.0.1, port 81; Original IP header field X-Original-IP; Max. local buffer; Timeouts; Revalidate DNS names; Log connections; Apply)
9. Now leave HTTHost intact, and do not turn off the Windows Server 2008 virtual machine.
10. Now switch to the Windows Server 2012 host machine and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort by double-clicking httport3snfm.exe.
11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.

Note: HTTPort goes with the predefined mapping "External HTTP proxy" of local port
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

FIGURE 14.5: Windows Server 2012 - Apps (HTTPort 3.SNFM tile alongside Server Manager, Windows PowerShell, Hyper-V Manager, Command Prompt, Google Chrome, Mozilla Firefox and MegaPing)
14. The HTTPort 3.SNFM window appears as shown in the figure that follows.

Note: For each application you create a custom mapping, given all the addresses from which it operates. For applications that dynamically change ports there is SOCKS4 proxy mode, in which the software creates a local SOCKS server (127.0.0.1).

FIGURE 14.6: HTTPort main window (tabs: System, Proxy, Port mapping, About, Register. Proxy tab fields: HTTP proxy to bypass (blank = direct or firewall) - Host name or IP address, Port; Proxy requires authentication - Username, Password; Misc. options - User-Agent IE 6.0, Bypass mode; Use personal remote host at (blank = use public) - Host name or IP address, Port, Password; Start button)
15. Select the Proxy tab and enter the host name or IP address of the targeted machine.
16. Here as an example: enter the Windows Server 2008 virtual machine's IP address, and enter port number 80.
17. You cannot set the host name and IP fields under Proxy requires authentication.
18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted Windows Server 2008 virtual machine's IP address and port, which should be 80.
19. Here any password could be used. As an example, enter the password "magic".

Note: In a real-world environment, companies sometimes use a password-protected proxy to let employees access the Internet.

FIGURE 14.7: HTTPort Proxy settings window (HTTP proxy to bypass: 10.0.0.4, port 80; Use personal remote host at: 10.0.0.4, port 80, password set)
20. Select the Port mapping tab and click Add to create a New mapping.

Note: HTTPort supports registration, but it is free and password-free; you will be issued a unique ID with which you can contact the support team and ask your questions.

FIGURE 14.8: HTTPort creating a New mapping (Static TCP/IP port mappings (tunnels): New mapping - Local port, Remote host remote.host.name, Remote port; Built-in SOCKS4 server: Run SOCKS server (port 1080); Available in "Remote Host" mode: Full SOCKS4 support (BIND))
21. Select the New mapping node, right-click New mapping, and click Edit.
FIGURE 14.9: HTTPort editing to assign a mapping (right-click menu on New mapping: Edit)
22. Rename this mapping to ftp certified hacker.
23. Now right-click the Local port node, click Edit, and enter the port value 21.
24. Now right-click the Remote host node, select Edit, and rename it ftp.certifiedhacker.com; then right-click the Remote port node, select Edit, and enter the port value 21.

Note: In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box because it only supports a non-password-protected proxy.

FIGURE 14.10: HTTPort static TCP/IP port mapping (Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21)
25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
FIGURE 14.11: HTTPort ready to start tunneling (Proxy tab with 10.0.0.4, port 80 in both the proxy and the personal remote host fields)

Note: HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.
26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.
27. Check the last line; if it reads Listener listening at 0.0.0.0:80, then HTTHost is running properly.

Note: This makes a data tunnel through the password-protected proxy, so we can map an external website to a local port and federate the search result.

HTTHost 1.8.5 Application log:
    MAIN: HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
    MAIN: Project code name: 99 red balloons
    MAIN: Written by Dmitry Dvoinikov
    MAIN: (c) 1999-2004, Dmitry Dvoinikov
    MAIN: 64 total available connection(s)
    MAIN: network started
    MAIN: RSA keys initialized
    MAIN: loading security filters...
    MAIN: loaded filter "grant.dll" (allows all connections within
    MAIN: loaded filter "block.dll" (denies all connections within
    MAIN: done, total 2 filter(s) loaded
    MAIN: using transfer encoding: PrimeScrambler64/SevenTe
    grant.dll: filters connections
    block.dll: filters connections
    LISTENER: listening at 0.0.0.0:80

FIGURE 14.12: HTTHost Application log section
28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound Rules in the left pane of the window, and then click New Rule in the right pane of the window.
FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008 (Outbound Rules selected; Actions pane: New Rule..., Filter by Profile, Filter by State, Filter by Group, View, Refresh, Export List..., Help)
31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.

Note: Tools demonstrated in this lab are available in the Z:\ mapped network drive in the virtual machines.

FIGURE 14.14: Windows Firewall, selecting a Rule Type (Program, Port, Predefined, Custom; Port is selected)
32. Now select All remote ports in the Protocol and Ports section, and click Next.

Note: HTTPort does not really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

FIGURE 14.15: Windows Firewall, assigning Protocols and Ports (TCP; All remote ports selected; Specific remote ports example: 80, 443, 5000-5010)
33. In the Action section, select the Block the connection option and click Next.

Note: You need to install htthost on a PC which is generally accessible on the Internet, typically your "home" PC. This means that if you started a Web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs.

FIGURE 14.16: Windows Firewall, setting an Action (Allow the connection; Allow the connection if it is secure; Block the connection is selected)
34. In the Profile section, select all three options (Domain, Private, Public) and then click Next. The rule will apply to all three profiles.

Note: NAT/firewall issues: you need to enable an incoming port. For HTTHost it will typically be 80 (http) or 443 (https), but any port can be used, IF the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.

FIGURE 14.17: Windows Firewall Profile settings (Domain: applies when a computer is connected to its corporate domain; Private: applies when a computer is connected to a private network location, such as a home or workplace; Public: applies when a computer is connected to a public network location)
35. Type Port 21 Blocked in the Name field, and click Finish.

Note: The default TCP port for an FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP

FIGURE 14.18: Windows Firewall, assigning a name to the rule (Name: Port 21 Blocked; Description (optional))
36. The new rule Port 21 Blocked is created as shown in the following figure.

FIGURE 14.19: Windows Firewall new rule (Port 21 Blocked listed at the top of Outbound Rules, Profile All, Enabled Yes)
37. Right-click the newly created rule and select Properties.

Note: HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

FIGURE 14.20: Windows Firewall new rule properties (right-click menu on Port 21 Blocked: Disable Rule, Cut, Copy, Delete, Properties, Help)
38. Select the Protocols and Ports tab. Change the Remote port option to Specific Ports and enter the port number 21.
39. Leave the other settings at their defaults, click Apply, and then click OK.

Note: This enables you to bypass your HTTP proxy in case it blocks you from the Internet.
FIGURE 14.21: Firewall Port 21 Blocked Properties (Protocols and Ports tab: Local port All Ports; Remote port Specific Ports 21; Internet Control Message Protocol (ICMP) settings: Customize...)

Note: With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software
40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked by the firewall rule you just created.

Note: HTTPort does neither freeze nor hang. What you are experiencing is known as "blocking operations".

FIGURE 14.22: ftp connection is blocked
41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1, and press Enter. HTTPort accepts the connection on local port 21 and carries it through the HTTP tunnel to ftp.certifiedhacker.com, port 21, so the FTP session succeeds even though outbound port 21 is blocked.

Note: HTTPort makes it possible to open the client side of a TCP/IP connection and provide it to any software. The key words here are "client" and "any software".

FIGURE 14.23: Executing the ftp command
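The port mapping of steps 20 through 25 and the blocked-then-tunneled FTP session of steps 40 and 41 can be reproduced on a single machine with standard-library code. What follows is an added example written for this lab; it is not part of the CEH lab manual and is not code from HTTPort or HTTHost. It uses the standard HTTP CONNECT method in place of HTTPort's own request encoding (an assumption), ephemeral ports in place of 21 and 80, and a constructed FTP banner in place of ftp.certifiedhacker.com. The point it shows is the one behind the lab: the host makes exactly one outbound connection, to the tunnel host on its HTTP port, so an outbound rule that blocks remote port 21 never sees the FTP session riding inside it.

```python
# Added example (not from the CEH lab manual, HTTPort or HTTHost): a minimal
# HTTP tunnel reproducing this lab's roles on one machine. "ftp 127.0.0.1" hits
# a local port (HTTPort role), which sends an HTTP CONNECT to the tunnel host
# (HTTHost role, standing in for port 80), which splices to a constructed FTP
# server standing in for ftp.certifiedhacker.com:21. Assumptions: CONNECT
# replaces HTTPort's own encoding; all ports are ephemeral.
import socket
import threading
from contextlib import suppress

BLOCKED_REMOTE_PORTS = {21}      # models the outbound rule "Port 21 Blocked"


def outbound_allowed(remote_port):
    """Stands in for the host's Windows Firewall outbound rule (steps 29-39)."""
    return remote_port not in BLOCKED_REMOTE_PORTS


def read_http_head(sock):
    # Read through the blank line that ends an HTTP head; keep leftover bytes,
    # because the peer may already have sent tunnelled data behind it.
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest


def pump(src, dst):
    # Copy one direction until EOF, then half-close so the far side sees EOF.
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def relay(a, b):
    # Bidirectional splice; returns once both directions have hit EOF.
    t = threading.Thread(target=pump, args=(a, b), daemon=True)
    t.start()
    pump(b, a)
    t.join()
    a.close()
    b.close()


def tunnel_host(listener):
    """HTTHost role: accept 'CONNECT host:port HTTP/1.1', splice to the target."""
    conn, _ = listener.accept()
    head, rest = read_http_head(conn)
    parts = head.split("\r\n")[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
        conn.close()
        return
    host, port = parts[1].rsplit(":", 1)
    upstream = socket.create_connection((host, int(port)))
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if rest:
        upstream.sendall(rest)   # client bytes that rode in with the request
    relay(conn, upstream)


def httport_forwarder(listener, tunnel_addr, remote_host, remote_port):
    """HTTPort role: local port mapping -> CONNECT through the tunnel host."""
    conn, _ = listener.accept()
    if not outbound_allowed(tunnel_addr[1]):   # the only outbound connection
        conn.close()
        return
    up = socket.create_connection(tunnel_addr)
    up.sendall(f"CONNECT {remote_host}:{remote_port} HTTP/1.1\r\n"
               f"Host: {remote_host}\r\n\r\n".encode())
    head, rest = read_http_head(up)
    if not head.startswith("HTTP/1.1 200"):
        up.close()
        conn.close()
        return
    if rest:
        conn.sendall(rest)       # target bytes that rode in with the 200
    relay(conn, up)


def fake_ftp_server(listener):
    """Constructed stand-in for ftp.certifiedhacker.com, port 21."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 constructed FTP service ready\r\n")
        if conn.recv(64).startswith(b"QUIT"):
            conn.sendall(b"221 Goodbye.\r\n")


def listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))     # ephemeral port, stands in for 21 or 80
    s.listen(1)
    return s


def run_demo():
    """Returns (banner, QUIT reply) as seen by the client through the tunnel."""
    ftp_l, tun_l, loc_l = listen(), listen(), listen()
    ftp_port, tun_port, loc_port = (s.getsockname()[1] for s in (ftp_l, tun_l, loc_l))
    jobs = ((fake_ftp_server, (ftp_l,)), (tunnel_host, (tun_l,)),
            (httport_forwarder, (loc_l, ("127.0.0.1", tun_port), "127.0.0.1", ftp_port)))
    for fn, args in jobs:
        threading.Thread(target=fn, args=args, daemon=True).start()
    with socket.create_connection(("127.0.0.1", loc_port)) as c:  # step 41
        banner = c.recv(1024).decode().strip()
        c.sendall(b"QUIT\r\n")
        reply = c.recv(1024).decode().strip()
    return banner, reply
```

Calling run_demo() returns the FTP banner and the QUIT reply exactly as the ftp client in step 41 would see them, while outbound_allowed(21) is False for the direct attempt of step 40 and True for the tunnel host's port. From the network side the only evidence is what the port 80 session carries (here a CONNECT request; with HTTPort, GET/POST exchanges with opaque bodies), not its destination port, which is why the notes above stress that HTTPort works through anything that passes HTTP.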
Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
■ Proxy server used: 10.0.0.4
■ Port scanned: 80
■ Result: ftp 127.0.0.1 connected to 127.0.0.1

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions

1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine what to do if the software does not allow editing the address it connects to.
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Basic Network Troubleshooting Using MegaPing

MegaPing is an ultimate toolkit that provides complete essential utilities for information systems and IT solution providers.

Lab Scenario

You have learned in the previous lab that HTTP tunneling is a technique where communications in network protocols are encapsulated using the HTTP protocol. For any company to exist on the Internet, they require a web server. These web servers prove to be a high-value target for attackers. The attacker usually exploits the WWW access on port 80 of the host WWW server running IIS and gains command line access within the system. Once access has been established, the attacker then uploads a precompiled version of the HTTP tunnel server (lits). With the lits server set up, the attacker then starts a client on his or her system and directs its traffic to the port on which lits is running; the lits process listens for and captures that traffic. The lits process captures the traffic in HTTP headers and redirects it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network. The MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves the information in security reports.

In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.
Lab Objectives

This lab gives an insight into pinging a destination address list. It teaches how to:
■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning
Lab Environment

To carry out the lab, you need:
■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from the link http://www.magnetosoft.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows Server 2008, and Windows 7

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Note: PING stands for Packet Internet Groper.

Lab Duration

Time: 10 Minutes
Overview of Ping
The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP echo reply. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets.
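To make the request/reply exchange above concrete, here is an added example (it is not code from the lab manual or from MegaPing) that builds an ICMP echo request byte by byte, verifies and parses a reply, and measures the round-trip time the way ping does. The sample reply bytes and the "ping-lab" payload are constructed for the example; send_echo() needs a raw socket (Administrator or CAP_NET_RAW) and is only called when the script is run directly.

```python
"""Build and parse ICMP echo packets, the request/reply pair the ping command uses.

Added example for this lab; it is not code from the CEH lab manual or from
MegaPing. The echo request carries an identifier, a sequence number and a
payload; the reply must echo them back so the sender can match it and compute
the round-trip time. SAMPLE_REPLY is constructed by hand so the parsing path
runs offline; send_echo() needs a raw socket and is only called from __main__.
"""
import os
import socket
import struct
import time
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header is type(1) code(1) checksum(2) identifier(2) sequence(2), then the payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP message (IP header already removed) after verifying its checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if internet_checksum(packet) != 0:  # a valid message, checksum included, sums to zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def strip_ip_header(datagram: bytes) -> bytes:
    """A raw ICMP socket returns the IPv4 header too; IHL (low nibble of byte 0) is its length in 32-bit words."""
    return datagram[(datagram[0] & 0x0F) * 4:]


# Constructed sample: the reply a host sends to build_echo_request(0x1234, 1, b"hello").
# Type 0, code 0, checksum 0xA9F8, id 0x1234, seq 1, payload "hello".
SAMPLE_REPLY = bytes.fromhex("0000a9f81234000168656c6c6f")


def send_echo(host: str, timeout: float = 1.0, ident: Optional[int] = None) -> Optional[float]:
    """One ping: round-trip time in milliseconds, or None if no reply arrived (counted as packet loss)."""
    ident = (os.getpid() & 0xFFFF) if ident is None else ident
    payload = struct.pack("!d", time.time()) + b"ping-lab"
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.settimeout(timeout)
        sent = time.perf_counter()
        sock.sendto(build_echo_request(ident, 1, payload), (host, 0))
        try:
            while True:  # a raw socket also sees other ICMP traffic, so match type and id
                data, _ = sock.recvfrom(65535)
                try:
                    reply = parse_icmp(strip_ip_header(data))
                except ValueError:
                    continue
                if reply["type"] == ICMP_ECHO_REPLY and reply["id"] == ident:
                    return (time.perf_counter() - sent) * 1000.0
        except socket.timeout:
            return None


if __name__ == "__main__":
    for target in ("10.0.0.1", "10.0.0.4"):  # the lab's scan range; adjust for your network
        rtt = send_echo(target)
        print(target, "alive, %.1f ms" % rtt if rtt is not None else "no reply (lost)")
```

The TTL that the IP Scanner reports comes from the IP header of the reply (byte 8 of the datagram before strip_ip_header() removes it), and the "dead" verdict is simply a request for which no matching reply arrived before the timeout; a host that drops ICMP at its firewall therefore shows as dead even though it is up.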
Lab Tasks
TASK 1: IP Scanning
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 15.1: Windows Server 2012 - Desktop view
2. Click the MegaPing app to open the MegaPing window.
FIGURE 15.2: Windows Server 2012 - Apps
3. The MegaPing main window appears as shown in the following figure.
All Scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.
[Screenshot: MegaPing main window with File, View, Tools and Help menus and the left-pane tools DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner and Host Monitor]
FIGURE 15.3: MegaPing main window
Security scanner provides the following information: NetBIOS names, Configuration info, open TCP and UDP ports, Transports, Shares, Users, Groups, Services, Drivers, Local Drives, Sessions, Remote Time of Day, Printers.
4. Select any one of the options from the left pane of the window.
5. Select IP scanner from the left pane and type in the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
6. You can select the IP range depending on your network.
[Screenshot: IP Scanner selected in the left pane, IP Scanner Settings with From 10.0.0.1 and To 10.0.0.254, and the Start button]
FIGURE 15.4: MegaPing IP Scanning
7. It will list all the IP addresses under that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.
Network utilities: DNS list host, DNS lookup name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.
[Screenshot: IP Scanner results for 10.0.0.1 to 10.0.0.254 with Name, TTL, Status and Time columns; 10.0.0.1, 10.0.0.4, 10.0.0.6 and 10.0.0.7 are listed as Alive and the remaining addresses as failed; Hosts Stats: Total 254, Failed 250; a Show MAC Addresses checkbox and a Report button]
FIGURE 15.5: MegaPing IP Scanning Report
TASK 2: NetBIOS Scanning
8. Select the NetBIOS Scanner from the left pane and type in the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.
[Screenshot: NetBIOS Scanner selected in the left pane of the MegaPing window]
FIGURE 15.6: MegaPing NetBIOS Scanning
9. The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.
Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example by shutting down unnecessary ports, closing shares, etc.
[Screenshot: NetBIOS Scanner results for 10.0.0.1 to 10.0.0.254 with Name and Status columns; each alive host expands into its NetBIOS Names, Adapter Address (MAC, here prefixed 00-15-5D-00-07) and Domain (WORKGROUP); Expand Names and Report buttons]
FIGURE 15.7: MegaPing NetBIOS Scanning Report
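The names and adapter addresses in the report above come from one UDP packet per host: a NetBIOS node status query to port 137. The following added example (not code from the lab manual or from MegaPing) builds that RFC 1002 request, parses the reply into the name table and the unit ID (the MAC address), and summarises it into computer name, workgroup and adapter address as the scanner's columns do. SAMPLE_RESPONSE is a hand-constructed reply with a made-up host name, workgroup and MAC; query_host() does real network I/O and only runs from __main__.

```python
"""NetBIOS node status (NBSTAT) query: the request a NetBIOS scanner sends to
UDP port 137 to learn a host's NetBIOS names and adapter address.

Added example for this lab; it is not code from the CEH lab manual or from
MegaPing. SAMPLE_RESPONSE is a constructed reply (made-up host, workgroup and
MAC) so the parser runs offline; query_host() sends real traffic.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

NBSTAT_TYPE = 0x0021
CLASS_IN = 0x0001
NAME_FLAG_GROUP = 0x8000   # G bit: group (workgroup/domain) name rather than a unique name
NAME_FLAG_ACTIVE = 0x0400  # ACT bit: name is currently registered


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 s.14.1): 16 bytes (15-char name + suffix) become 32
    letters by splitting each byte into nibbles and adding 'A', wrapped as one DNS-style label."""
    if name == "*":                        # wildcard for a node status query is NUL-padded
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytearray()
    for b in raw:
        letters.append(0x41 + (b >> 4))
        letters.append(0x41 + (b & 0x0F))
    return bytes([len(letters)]) + bytes(letters) + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """Header: id, flags 0 (query), QDCOUNT 1; question: encoded "*", type NBSTAT, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*") + struct.pack("!HH", NBSTAT_TYPE, CLASS_IN)


def parse_node_status_response(data: bytes) -> Dict[str, object]:
    """Return the transaction id, the name table and the unit ID (MAC) from a node status reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12
    while data[off]:                      # skip the answer's (uncompressed) name labels
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    if rtype != NBSTAT_TYPE:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    rdata = data[off + 10:off + 10 + rdlen]
    names: List[Dict[str, object]] = []
    pos = 1
    for _ in range(rdata[0]):             # NUM_NAMES entries of 18 bytes each
        entry = rdata[pos:pos + 18]
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append({
            "name": entry[:15].decode("ascii", "replace").rstrip(),
            "suffix": entry[15],
            "group": bool(nflags & NAME_FLAG_GROUP),
            "active": bool(nflags & NAME_FLAG_ACTIVE),
        })
        pos += 18
    unit_id = rdata[pos:pos + 6]          # first field of STATISTICS; the rest is ignored here
    return {"txid": txid, "names": names, "mac": "-".join("%02X" % b for b in unit_id)}


def summarize(parsed: Dict[str, object]) -> Tuple[Optional[str], Optional[str], str]:
    """(computer name, workgroup/domain, MAC): the unique <00> name is the host,
    the group <00> name is the workgroup or domain."""
    host = next((n["name"] for n in parsed["names"] if n["suffix"] == 0x00 and not n["group"]), None)
    domain = next((n["name"] for n in parsed["names"] if n["suffix"] == 0x00 and n["group"]), None)
    return host, domain, parsed["mac"]


def _name_entry(name: str, suffix: int, flags: int) -> bytes:
    return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack("!H", flags)


# Constructed sample reply (made-up host, workgroup and MAC), shaped as a Windows host answers.
_SAMPLE_RDATA = (bytes([3])
                 + _name_entry("WIN-SRV2012", 0x00, NAME_FLAG_ACTIVE)                  # workstation service
                 + _name_entry("WORKGROUP", 0x00, NAME_FLAG_GROUP | NAME_FLAG_ACTIVE)  # workgroup
                 + _name_entry("WIN-SRV2012", 0x20, NAME_FLAG_ACTIVE)                  # file server service
                 + bytes.fromhex("00155d000701") + b"\x00" * 40)                       # unit ID + statistics
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
                   + encode_netbios_name("*")
                   + struct.pack("!HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(_SAMPLE_RDATA))
                   + _SAMPLE_RDATA)


def query_host(ip: str, timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Send one NBSTAT query to ip:137 and parse the answer; None if the host is silent or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_request(0x1234), (ip, 137))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_node_status_response(data)


if __name__ == "__main__":
    for target in ("10.0.0.4", "10.0.0.6", "10.0.0.7"):   # lab hosts; adjust for your network
        result = query_host(target)
        print(target, summarize(result) if result else "no NetBIOS answer")
```

A host that does not answer is not necessarily down: Windows Firewall blocks UDP/137 on public-profile networks, and NetBIOS over TCP/IP can be disabled on the adapter, so a silent host should be cross-checked with the IP scan before it is written off.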
10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.
TASK 3: Traceroute
11. Then, right-click and select the Traceroute option.
Other features include a multithreaded design that allows any number of requests to be processed in any tool at the same time, real-time network connection status and protocol information and usage, open network files, system information (including real-time network statistics, real-time process information and network connections), tray support, and more.
[Screenshot: right-click context menu on a NetBIOS scan result offering Export To File, Merge Hosts, View Hotfix Details, Apply Hot Fixes, Copy selected item, Copy selected row, Copy all results, Save As and Traceroute (traceroutes the selection)]
FIGURE 15.8: MegaPing Traceroute
12. It will open the Traceroute window and trace the IP address selected.
[Screenshot: Traceroute window with 10.0.0.4 in the Destination Address List, a Resolve Names option, and a report showing the traces to 10.0.0.4 and 10.0.0.6 as Complete]
FIGURE 15.9: MegaPing Traceroute Report
TASK 4: Port Scanning
13. Select Port Scanner from the left pane, add www.certifiedhacker.com in the Destination Address List and then click the Start button.
14. After clicking the Start button it toggles to Stop.
15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.
[Screenshot: Port Scanner results for www.certifiedhacker.com while scanning, listing per port the protocol (TCP/UDP), port number, service keyword (for example ftp, www-http, echo, discard, Remote Job Entry) and a risk rating of Low or Elevated]
FIGURE 15.10: MegaPing Port Scanning Report
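Each row in the port scan report above is the outcome of one connection attempt. The following added example (not code from the lab manual or from MegaPing) performs that check with a full TCP connect() per port, grabs the banner a service sends first, and labels each port with a keyword and risk from a small table; the table and the "220 lab-ftp ready" banner are made up for illustration and are not MegaPing's database. demo_local_scan() starts a throwaway listener on 127.0.0.1 so the scanner can be exercised without touching anyone else's host; scanning a remote target needs the owner's authorisation.

```python
"""TCP connect() port scan with banner grabbing: the probe a port scanner runs
against each port before reporting it as open, closed or filtered.

Added example for this lab; it is not code from the CEH lab manual or from
MegaPing. A full handshake per port needs no raw sockets, so it runs as a
normal user. KNOWN_PORTS is an illustrative keyword/risk table (assumed).
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Optional, Tuple

# Illustrative service keywords and risk ratings keyed by port (assumed, not MegaPing's table).
KNOWN_PORTS: Dict[int, Tuple[str, str]] = {
    21: ("ftp", "Elevated"), 22: ("ssh", "Low"), 23: ("telnet", "Elevated"),
    25: ("smtp", "Low"), 80: ("www-http", "Low"), 135: ("msrpc", "Elevated"),
    139: ("netbios-ssn", "Elevated"), 443: ("https", "Low"),
    445: ("microsoft-ds", "Elevated"), 3389: ("ms-wbt-server", "Elevated"),
}


def probe_port(host: str, port: int, timeout: float = 1.0) -> Tuple[int, str, Optional[bytes]]:
    """Return (port, state, banner): a RST means closed, silence means filtered, a handshake means open."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return port, "closed", None
    except OSError:                  # timeout, unreachable host, etc.
        sock.close()
        return port, "filtered", None
    banner = None
    try:
        sock.settimeout(0.5)         # FTP, SMTP and SSH servers announce themselves first
        banner = sock.recv(128) or None
    except OSError:
        pass
    finally:
        sock.close()
    return port, "open", banner


def scan(host: str, ports: Iterable[int], workers: int = 64, timeout: float = 1.0) -> List[dict]:
    """Probe the ports concurrently and return one report row per port, open ports first."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    rows = []
    for port, state, banner in results:
        keyword, risk = KNOWN_PORTS.get(port, ("unknown", "Low"))
        rows.append({"port": port, "state": state, "keyword": keyword, "risk": risk,
                     "banner": banner.decode("ascii", "replace").strip() if banner else ""})
    rows.sort(key=lambda r: (r["state"] != "open", r["port"]))
    return rows


def _free_port() -> int:
    """Ask the OS for an unused TCP port (used only by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_local_scan() -> Tuple[int, List[dict]]:
    """Listen on one ephemeral port with a constructed FTP-style banner, then scan it and a closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    closed_port = _free_port()

    def serve_once() -> None:
        conn, _ = srv.accept()
        conn.sendall(b"220 lab-ftp ready\r\n")   # constructed banner
        conn.close()

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    rows = scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    worker.join(2)
    srv.close()
    return open_port, rows


if __name__ == "__main__":
    listener, report = demo_local_scan()
    for row in report:
        print("%5d  %-8s  %-14s  %-8s  %s" % (row["port"], row["state"], row["keyword"], row["risk"], row["banner"]))
    # Against the lab target this would be: scan("www.certifiedhacker.com", range(1, 1025))
```

A connect() scan completes the handshake, so every open port is logged by the target application and by any IDS on the path; that is the trade-off for not needing raw sockets, and it is why the scan of a public host is visible to its operator.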
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: MegaPing
Information Collected/Objectives Achieved:
IP Scan Range: 10.0.0.1 - 10.0.0.254
Performed Actions:
■ IP Scanning
■ NetBIOS Scanning
■ Traceroute
■ Port Scanning
Result:
■ List of Active Hosts
■ NetBIOS Name
■ Adapter Name
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How does MegaPing detect security vulnerabilities on the network?
2. Examine the report generation of MegaPing.
Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Lab
Detect, Delete and Block Google Cookies Using G-Zapper
G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Lab Scenario
You have learned in the previous lab that MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network and saves information in security reports. It scans your entire network and provides information about all computers and network appliances. It provides detailed information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network. As an administrator, you can organize safety measures to block attackers from intruding into the network by shutting down unnecessary ports, closing shares, etc. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.
Lab Objectives
This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.
Lab Environment
To carry out the lab, you need:
■ G-Zapper is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from the link http://www.dummysoftware.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Duration
Time: 10 Minutes
Overview of G-Zapper
G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.
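The detection and cleaning just described operate on the browser's cookie store, which for Firefox is the cookies.sqlite database the later dialogs mention. The following added example (not G-Zapper's own code) finds cookies set by Google hosts in such a store, derives the installation date and "tracked for" duration from the cookie's creation time, deletes the cookies and produces a log line in the format of the cleaned-cookies log. It creates a reduced moz_cookies table in memory with made-up cookies so it runs offline; the real Firefox table has more columns, and the list of hosts treated as tracking cookies is an assumption.

```python
"""Detect, date and delete Google tracking cookies in a Firefox cookie store,
writing the kind of "cleaned cookies" log line the lab later inspects.

Added example for this lab; it is not G-Zapper's own code. Firefox keeps
cookies in cookies.sqlite in a table named moz_cookies; build_sample_store()
creates that table with only the columns used here and fills it with made-up
cookies. GOOGLE_HOSTS is an assumed list.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GOOGLE_HOSTS = (".google.com", "www.google.com")   # assumed set of tracking-cookie hosts
SAMPLE_NOW = datetime(2012, 9, 5, 14, 54, 46, tzinfo=timezone.utc)   # "current time" for the demo


def find_google_cookies(conn: sqlite3.Connection) -> List[Tuple[str, str, str, datetime]]:
    """Return (host, name, value, created) for every cookie set by a Google host, oldest first.
    Firefox stores creationTime as microseconds since the Unix epoch."""
    marks = ",".join("?" * len(GOOGLE_HOSTS))
    rows = conn.execute(
        "SELECT host, name, value, creationTime FROM moz_cookies WHERE host IN (%s) ORDER BY creationTime" % marks,
        GOOGLE_HOSTS).fetchall()
    return [(h, n, v, datetime.fromtimestamp(c / 1_000_000, tz=timezone.utc)) for h, n, v, c in rows]


def tracked_for(cookies: List[Tuple[str, str, str, datetime]], now: Optional[datetime] = None) -> timedelta:
    """How long searches have been tracked: the age of the oldest Google cookie still present."""
    if not cookies:
        return timedelta(0)
    now = now or datetime.now(timezone.utc)
    return now - min(c[3] for c in cookies)


def clean_store(conn: sqlite3.Connection, store_path: str, now: Optional[datetime] = None) -> Tuple[int, str]:
    """Delete the Google cookies; return (rows deleted, log line in the cleaned-cookies log format).
    The browser sets a fresh cookie with a new ID on the next visit, which breaks the link to old searches."""
    now = now or datetime.now(timezone.utc)
    marks = ",".join("?" * len(GOOGLE_HOSTS))
    cur = conn.execute("DELETE FROM moz_cookies WHERE host IN (%s)" % marks, GOOGLE_HOSTS)
    conn.commit()
    log_line = "(Firefox) %s %s" % (store_path, now.strftime("%A, %B %d, %Y %I:%M:%S %p"))
    return cur.rowcount, log_line


def build_sample_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create a reduced moz_cookies table with constructed cookies: two Google tracking cookies
    (PREF created 13 hours before SAMPLE_NOW, NID created 2 hours before) and one unrelated cookie."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, "
                 "path TEXT, expiry INTEGER, creationTime INTEGER)")
    pref_created = int((SAMPLE_NOW - timedelta(hours=13)).timestamp()) * 1_000_000
    nid_created = int((SAMPLE_NOW - timedelta(hours=2)).timestamp()) * 1_000_000
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, creationTime) VALUES (?,?,?,?,?,?)", [
            ("PREF", "ID=1f2e3d4c5b6a7980:TM=1346809200", ".google.com", "/", 1409881200, pref_created),
            ("NID", "63=constructed-value", ".google.com", "/", 1362603600, nid_created),
            ("session", "abc123", "example.org", "/", 1346895600, nid_created),
        ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_store()
    found = find_google_cookies(db)
    print("Google tracking cookies:", [(h, n) for h, n, _, _ in found])
    print("Cookie installed on:", found[0][3].strftime("%A, %B %d, %Y %I:%M:%S %p"))
    print("Searches tracked for: %d hours" % (tracked_for(found, SAMPLE_NOW).total_seconds() // 3600))
    deleted, entry = clean_store(db, "cookies.sqlite", SAMPLE_NOW)
    print("Deleted %d cookies; log entry: %s" % (deleted, entry))
```

Firefox holds cookies.sqlite open and locked while it runs, so a cleaner like this must either operate while the browser is closed or work on the file through the browser's own interfaces; deleting the cookie also signs you out of Google services until a new one is issued, which is the same side effect the Block Cookie dialog in this lab warns about.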
Lab Tasks
TASK 1: Detect & Delete Google Cookies
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 16.1: Windows Server 2012 - Desktop view
2. Click the G-Zapper app to open the G-Zapper window.
G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, Windows 7.
[Screenshot: Windows Server 2012 Start screen with the G-Zapper tile among the installed apps]
FIGURE 16.2: Windows Server 2012 - Apps
3. The G-Zapper main window will appear as shown in the following screenshot.
[Screenshot: G-Zapper main window ("G-Zapper - Protecting your Search Privacy"). Text: "Did you know: Google stores a unique identifier in a cookie on your PC, which allows them to track the keywords you search for. G-Zapper will automatically detect and clean this cookie in your web browser. Just run G-Zapper, minimize the window, and enjoy your enhanced search privacy." The window reports that a Google Tracking ID exists on the PC (Your Google ID (Chrome) 6b4b4d9fe5c60cc1), that Google installed the cookie on Wednesday, September 05, 2012 01:54:46 AM, that searches have been tracked for 13 hours, and that no Google searches were found in Internet Explorer or Firefox. How to use it: to delete the Google cookie, click the Delete Cookie button; your identity will be obscured from previous searches and G-Zapper will regularly clean future cookies. To restore the Google search cookie, click the Restore Cookie button. Buttons: Delete Cookie, Restore Cookie, Test Google, Settings.]
FIGURE 16.3: G-Zapper main window
4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.
A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.
[Screenshot: G-Zapper message "The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com. The cookie was located at (Firefox) C:\s\\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite", with an OK button. The main window now explains: to block and delete the Google search cookie, click the Block Cookie button (Gmail and AdSense will be unavailable with the cookie blocked). Buttons: Delete Cookie, Block Cookie, Test Google, Settings.]
FIGURE 16.4: Deleting search cookies
5. To block the Google search cookie, click the Block Cookie button. A window will appear asking if you want to manually block the Google cookie. Click Yes.
The tiny tray icon runs in the background, takes up very little space and can notify you by sound and animate when the Google cookie is blocked.
[Screenshot: "Manually Blocking the Google Cookie" prompt: Gmail and other Google services will be unavailable while the cookie is manually blocked. If you use these services, we recommend not blocking the cookie and instead allowing G-Zapper to regularly clean the cookie automatically. Are you sure you wish to manually block the Google cookie? Yes / No]
FIGURE 16.5: Block Google cookie
6. It will show a message that the Google cookie has been blocked. To verify, click OK.
[Screenshot: G-Zapper message "The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to ..." with an OK button; the main window states that your identity will be obscured from previous searches and G-Zapper will regularly clean future cookies, and that the Restore Cookie button restores the Google search cookie]
G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.
FIGURE 16.6: Block Google cookie (2)
7. To test the Google cookie that has been blocked, click the Test Google button.
8. Your default web browser will now open to Google's Preferences page. Click OK.
[Screenshot: Google Preferences page (Global Preferences, Interface Language, Search Language) with the message "Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser."]
FIGURE 16.7: Cookies disabled message
9. To view the deleted cookie information, click the Settings button, and then click View Log in the Cleaned Cookies Log section.
You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.
[Screenshot: G-Zapper Settings dialog. Sounds: Play sound effect when a cookie is deleted (default.wav), Preview, Browse. Google Analytics Tracking: Block Google Analytics from tracking web sites that I visit. Cleaned Cookies Log: Enable logging of cookies that have recently been cleaned; Save my Google ID in the cleaned cookies log; Clear Log, View Log. Buttons: OK, Delete Cookie, Restore Cookie, Test Google, Register, Settings.]
FIGURE 16.8: Viewing the deleted logs
10. The deleted cookies information opens in Notepad.
[Screenshot: cookiescleaned - Notepad, one line per cleaned cookie store giving the browser, the store path and the time it was cleaned, for example "(Firefox) C:\s\\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM", with further Firefox and Chrome entries up to Wednesday, September 05, 2012 02:52:38 PM]
FIGURE 16.9: Deleted logs Report
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: G-Zapper
Information Collected/Objectives Achieved:
Action Performed:
■ Detect the cookies
■ Delete the cookies
■ Block the cookies
Result: Deleted cookies are stored in C:\Users\Administrator\Application Data
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine how G-Zapper automatically cleans Google cookies.
2. Check to see if G-Zapper is blocking cookies on sites other than Google.
Internet Connection Required
☑ Yes  □ No
Platform Supported
☑ Classroom  □ iLabs
Lab
Scanning the Network Using the Colasoft Packet Builder
The Colasoft Packet Builder is a useful tool for creating custom network packets.
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Lab Scenario
In the previous lab you have learned how you can detect, delete, and block cookies. Attackers exploit the XSS vulnerability, which involves an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default (that is, unless a cookie is set with the HttpOnly attribute) cookies stored by the browser can be read by JavaScript code. The injected code can read a user's cookies and transmit those cookies to the attacker. As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields, encoding input and output, filtering metacharacters in the input, and using a web application firewall to block the execution of malicious script. Another method of vulnerability checking is to scan a network using the Colasoft Packet Builder. In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment
In this lab, you need:
■ Colasoft Packet Builder located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ You can also download the latest version of Advanced Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then screenshots shown in the lab might differ.
■ A web browser with Internet connection running in the host machine
Lab Duration
Time: 10 Minutes
Overview of Colasoft Packet Builder
Colasoft Packet Builder enables you to create custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that allows users to edit specific protocol field values much more easily. Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.
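To show what the ARP template and the Decode Editor described above contain, here is an added example (not code from the lab manual or from Colasoft) that assembles an Ethernet II frame carrying an ARP request or reply field by field and decodes it back into the per-field view the Decode Editor presents. The addresses come from the lab's Select Adapter dialog (10.0.0.7, D4:BE:D9:C3:CE:2D, gateway 10.0.0.1); the target MAC in the reply example is made up. send_frame() injects a frame through a Linux AF_PACKET socket (needs CAP_NET_RAW) and is only referenced from __main__; Colasoft sends through its Windows adapter driver instead.

```python
"""Build and decode an Ethernet II frame carrying an ARP request or reply, the
packet the Packet Builder's ARP template produces, as its Decode Editor shows it.

Added example for this lab; it is not code from the CEH lab manual or from
Colasoft. Addresses are from the lab's adapter dialog; the reply target MAC is
made up. send_frame() is Linux-only and is not called when importing this file.
"""
import socket
import struct
from typing import Dict

ETH_P_ARP = 0x0806
BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"
ARP_REQUEST, ARP_REPLY = 1, 2
MIN_FRAME = 60   # minimum Ethernet frame length before the FCS


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02X" % b for b in raw)


def build_arp(op: int, dst_mac: str, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet header (dst, src, type 0x0806) + ARP body: htype 1 (Ethernet), ptype 0x0800 (IPv4),
    hlen 6, plen 4, opcode, then sender and target hardware/protocol addresses."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_to_bytes(target_mac) + socket.inet_aton(target_ip))
    frame = eth + arp
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))   # pad short frames as the NIC would


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Who-has target_ip? Sent to the broadcast MAC with the target MAC left all zeros."""
    return build_arp(ARP_REQUEST, BROADCAST_MAC, sender_mac, sender_ip, "00:00:00:00:00:00", target_ip)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """sender_ip is-at sender_mac, unicast to the target. With a false sender pair this is the
    poisoned reply an ARP-spoofing test injects, which is what a packet builder lets you try."""
    return build_arp(ARP_REPLY, target_mac, sender_mac, sender_ip, target_mac, target_ip)


def decode_frame(frame: bytes) -> Dict[str, str]:
    """Field-by-field view of the frame, like the Decode Editor pane."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    fields = {"eth.dst": bytes_to_mac(dst), "eth.src": bytes_to_mac(src), "eth.type": "0x%04X" % ethertype}
    if ethertype != ETH_P_ARP:
        return fields
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    p = 22
    fields.update({
        "arp.htype": str(htype), "arp.ptype": "0x%04X" % ptype,
        "arp.opcode": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, str(op)),
        "arp.sender_mac": bytes_to_mac(frame[p:p + hlen]),
        "arp.sender_ip": socket.inet_ntoa(frame[p + hlen:p + hlen + plen]),
        "arp.target_mac": bytes_to_mac(frame[p + hlen + plen:p + 2 * hlen + plen]),
        "arp.target_ip": socket.inet_ntoa(frame[p + 2 * hlen + plen:p + 2 * hlen + 2 * plen]),
    })
    return fields


def send_frame(interface: str, frame: bytes) -> int:
    """Put the raw frame on the wire (Linux only, needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((interface, 0))
        return s.send(frame)


if __name__ == "__main__":
    request = build_arp_request("D4:BE:D9:C3:CE:2D", "10.0.0.7", "10.0.0.1")
    for name, value in decode_frame(request).items():
        print("%-16s %s" % (name, value))
    print(request.hex())
    # send_frame("eth0", request)   # uncomment on Linux with CAP_NET_RAW
```

ARP has no authentication, so a host accepts a reply it never asked for; sending build_arp_reply() with the gateway's IP and your own MAC to a victim is the ARP poisoning the lab scenario mentions, and detecting it is a matter of watching for IP-to-MAC bindings that change or for replies with no matching request (Dynamic ARP Inspection on the switch does exactly that).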
Lab Tasks
TASK 1: Scanning Network
1. Install and launch the Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 17.1: Windows Server 2012 - Desktop view
3. y “Q Y o
C l i c k t h e C o la s o ft P a c k e t B u ild e r 1.0 P a c k e r B u ild e r w i n d o w
a p p to o p e n th e
C o la s o ft
fro m h ttp : / / w w w . c o la s o ft. co m .
CEH Lab Manual Page 251
FIGURE 17.2: Windows Server 2012 - Apps
4. The Colasoft Packet Builder main window appears.
Operating system requirements: Windows Server 2003 and 64-bit Edition, Windows 2008 and 64-bit Edition, Windows 7 and 64-bit Edition.
FIGURE 17.3: Colasoft Packet Builder main screen
5. Before starting your task, check that the Adapter settings are set to default and then click OK.
The Select Adapter dialog shows the adapter's Physical Address (D4:BE:D9:C3:CE:2D), Link Speed (100.0 Mbps), Max Frame Size (1500 bytes), IP Address (10.0.0.7/255.255.255.0), Default Gateway (10.0.0.1), and Adapter Status (Operational).
FIGURE 17.4: Colasoft Packet Builder Adapter settings
6. To add or create the packet, click Add in the menu section. There are two ways to create a packet - Add and Insert. The difference between these is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added, but after the current packet if inserted.
FIGURE 17.5: Colasoft Packet Builder creating the packet
7. When an Add Packet dialog box pops up, you need to select the template and click OK. (In this lab the template is ARP Packet, with a Delta Time of 0.1 second.)
Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).
FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box
8. You can view the added packets list on the right-hand side of your window.
FIGURE 17.7: Colasoft Packet Builder Packet List
9. Colasoft Packet Builder allows you to edit decoding information in the two editors: Decode Editor and Hex Editor.
Burst Mode Option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.
Decode Editor view of the ARP template (Num 000001, Length 64): Ethernet Type II - Destination Address FF:FF:FF:FF:FF:FF, Source Address 00:00:00:00:00:00, Protocol 0x0806 (ARP); ARP - Address Resolution Protocol - Hardware Type 1 (Ethernet), Protocol Type 0x0800, Hardware Address Length 6, Protocol Address Length 4, Type 1 (ARP Request), Source Physical 00:00:00:00:00:00, Source IP 0.0.0.0, Destination Physical 00:00:00:00:00:00, Destination IP 0.0.0.0; Extra Data 18 bytes; FCS 0xF577BDD9.
FIGURE 17.8: Colasoft Packet Builder Decode Editor
Hex Editor view of the same packet (Total 60 bytes): the first row reads 0000 FF FF FF FF FF FF 00 00 00 00 00 00 08 06, the second 000E 00 01 08 00 06 04 00 01 00 00 00 00 00 00, and the remaining rows are zeros.
FIGURE 17.9: Colasoft Packet Builder Hex Editor
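As an added example (not Colasoft's code and not part of the lab), the following Python builds the 60-byte Ethernet II/ARP frame that the ARP template produces, decodes it at the field offsets the Decode Editor shows, and lays it out in the Hex Editor's 14-byte rows. The second frame uses the lab host's address 10.0.0.7, its adapter MAC, and the gateway 10.0.0.1 from the adapter settings as constructed inputs.

```python
# Added example, not Colasoft's code: build and decode the Ethernet II / ARP
# frame that the "ARP Packet" template produces (60 bytes including 18 bytes
# of zero padding, FCS excluded). Offsets match the Decode Editor above.
import struct

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "ARP Request", 2: "ARP Reply"}
MIN_FRAME_LEN = 60        # minimum Ethernet frame length without the 4-byte FCS
ARP_FRAME_LEN = 14 + 28   # Ethernet header + ARP body for Ethernet/IPv4


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip,
                    target_mac, target_ip):
    """Return a 60-byte frame: Ethernet II header, ARP body, zero padding."""
    eth_header = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp_body += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp_body += mac_bytes(target_mac) + ip_bytes(target_ip)
    frame = eth_header + arp_body
    return frame + b"\x00" * max(0, MIN_FRAME_LEN - len(frame))


def decode_arp_frame(frame: bytes) -> dict:
    """Decode the fields the Decode Editor shows; reject non-ARP or short frames."""
    if len(frame) < ARP_FRAME_LEN:
        raise ValueError(f"frame too short for ARP: {len(frame)} bytes")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04X}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "destination": mac_str(dst),
        "source": mac_str(src),
        "opcode": ARP_OPCODES.get(opcode, f"unknown ({opcode})"),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
        "extra_bytes": len(frame) - ARP_FRAME_LEN,  # padding; 18 in the template
    }


def hex_dump(frame: bytes, width: int = 14) -> list:
    """Rows in the Hex Editor layout: 4-digit offset, then `width` bytes."""
    return [f"{off:04X} " + " ".join(f"{b:02X}" for b in frame[off:off + width])
            for off in range(0, len(frame), width)]


if __name__ == "__main__":
    # Constructed inputs: the all-zero template, then a request from the lab
    # host (10.0.0.7, MAC from the adapter dialog) for the gateway 10.0.0.1.
    template = build_arp_frame("FF:FF:FF:FF:FF:FF", "00:00:00:00:00:00", 1,
                               "00:00:00:00:00:00", "0.0.0.0",
                               "00:00:00:00:00:00", "0.0.0.0")
    request = build_arp_frame("FF:FF:FF:FF:FF:FF", "D4:BE:D9:C3:CE:2D", 1,
                              "D4:BE:D9:C3:CE:2D", "10.0.0.7",
                              "00:00:00:00:00:00", "10.0.0.1")
    for frame in (template, request):
        print(decode_arp_frame(frame))
        print("\n".join(hex_dump(frame)))
```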
10. To send all packets at one time, click Send All from the menu bar.
11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.
Option, Loop Sending: This defines the repeated times of the sending execution, one time by default. Please enter zero if you want to keep sending packets until you pause or stop it manually.
FIGURE 17.10: Colasoft Packet Builder Send All button
Select a packet from the packet listing to activate the Send All button.
FIGURE 17.11: Colasoft Packet Builder Send All Packets
12. Click Start.
The Send All Packets dialog shows the Options (Adapter: Realtek PCIe GBE Family Controller; Burst Mode (no delay between packets); Loop Sending: 1 loops (zero for infinite loop); Delay Between Loops: 1000 milliseconds) and the Sending Information (Total Packets: 1; Packets Sent: 1; Progress).
Sending Information: The progress bar presents an overview of the sending process you are engaged in at the moment.
FIGURE 17.12: Colasoft Packet Builder Send All Packets
13. To export the packets sent from the File menu, select File -> Export -> All Packets.
FIGURE 17.13: Export All Packets option
Option, Packets Sent: This shows the number of packets sent successfully. Colasoft Packet Builder displays the packets sent unsuccessfully, too, if there is a packet not sent out.
In the Save As dialog, the file is saved as Packets.cscpkt with the type Colasoft Packet File (v6) (*.cscpkt).
FIGURE 17.14: Select a location to save the exported file
FIGURE 17.15: Colasoft Packet Builder exporting packet
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility | Information Collected/Objectives Achieved
Colasoft Packet Builder | Adapter Used: Realtek PCIe Family Controller; Selected Packet Name: ARP Packets; Result: Captured packets are saved in packets.cscpkt
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Lab
Scanning Devices in a Network Using The Dude
ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review
The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

Lab Scenario
In the previous lab you learned how packets can be captured using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from a network and obtain network communication specific information. The attacker can disrupt a communication between hosts and clients by modifying system configurations, or through the physical destruction of the network. As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access.
In this lab you will learn to use The Dude tool to scan the devices in a network, and the tool will alert you if any attack has been performed on the network.

Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment
To carry out the lab, you need:
■ The Dude is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of The Dude
The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 18.1: Windows Server 2012 - Desktop view
TASK 1: Launch The Dude
2. In the Start menu, to launch The Dude, click The Dude icon.
FIGURE 18.2: Windows Server 2012 - Start menu
3. The main window of The Dude will appear.
FIGURE 18.3: Main window of The Dude
4. Click the Discover button on the toolbar of the main window.
FIGURE 18.4: Select discover button
5. The Device Discovery window appears.
The General tab of the Device Discovery window asks you to enter the subnet number you want to scan for devices. Its options are Scan Networks (10.0.0.0/24 here), Agent, Add Networks To Auto Scan, Black List, Device Name Preference (DNS, SNMP, NETBIOS, IP), Discovery Mode (fast - scan by ping, or reliable - scan each service), Recursive Hops, and Layout Map After Discovery Complete.
FIGURE 18.6: Device discovery window
6. In the Device Discovery window, specify the IP range in Scan Networks, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, IP from the Device Name Preference drop-down list, and click Discover.
FIGURE 18.7: Selecting device name preference
7. Once the scan is complete, all the devices connected to a particular network will be displayed.
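As an added example (not MikroTik's code and not part of the lab), the Python below models the Device Discovery options just described: it walks the 10.0.0.0/24 range, applies the fast (ping) or reliable (each service) mode, honours a black list, and names each device by the DNS, SNMP, NETBIOS, IP preference order. The probe and name lookups are injected callables backed by a constructed inventory, so it runs offline; the one host that drops ICMP shows why fast mode can miss devices that reliable mode finds.

```python
# Added example, not part of the lab and not MikroTik's code: a small model of
# the Device Discovery options shown above. Probing is injected as a callable,
# and the inventory below is constructed so that the script runs offline.
import ipaddress
from typing import Callable, Dict, Iterable, Sequence

DEFAULT_NAME_PREFERENCE = ("DNS", "SNMP", "NETBIOS", "IP")
DEFAULT_SERVICES = ("dns", "snmp", "netbios", "http")

# Constructed inventory standing in for live probe results: whether the host
# answers ping, which services answer, and which naming sources know it.
CONSTRUCTED_HOSTS = {
    "10.0.0.1": {"ping": True, "services": {"dns", "snmp"},
                 "names": {"SNMP": "gateway"}},
    "10.0.0.7": {"ping": True, "services": {"netbios"},
                 "names": {"NETBIOS": "WIN-SRV2012"}},
    # Drops ICMP but serves HTTP: invisible to fast mode, found by reliable mode.
    "10.0.0.12": {"ping": False, "services": {"http"},
                  "names": {"DNS": "web.example.test"}},
}


def constructed_probe(ip: str, check: str) -> bool:
    """Stand-in for a ping or service check; a real probe would hit the network."""
    host = CONSTRUCTED_HOSTS.get(ip)
    if host is None:
        return False
    return host["ping"] if check == "ping" else check in host["services"]


def constructed_names(ip: str) -> Dict[str, str]:
    """Stand-in for the DNS / SNMP / NetBIOS name lookups."""
    return CONSTRUCTED_HOSTS.get(ip, {}).get("names", {})


def pick_device_name(ip: str, names: Dict[str, str],
                     preference: Sequence[str] = DEFAULT_NAME_PREFERENCE) -> str:
    """First source in the preference order that knows the device; 'IP' ends the search."""
    for source in preference:
        if source == "IP":
            return ip
        if names.get(source):
            return names[source]
    return ip


def discover(network: str, probe: Callable[[str, str], bool],
             names_for: Callable[[str], Dict[str, str]], mode: str = "fast",
             black_list: Iterable[str] = (), services: Sequence[str] = DEFAULT_SERVICES,
             preference: Sequence[str] = DEFAULT_NAME_PREFERENCE) -> Dict[str, str]:
    """Return {ip: device name} for the hosts found in `network`.

    mode="fast" treats a ping answer as proof of life; mode="reliable" tries
    each service, so hosts that drop ICMP are still found at the cost of time.
    """
    if mode not in ("fast", "reliable"):
        raise ValueError(f"unknown discovery mode: {mode}")
    excluded = [ipaddress.ip_network(net) for net in black_list]
    found: Dict[str, str] = {}
    for addr in ipaddress.ip_network(network).hosts():
        if any(addr in net for net in excluded):
            continue
        ip = str(addr)
        if mode == "fast":
            alive = probe(ip, "ping")
        else:
            alive = any(probe(ip, svc) for svc in services)
        if alive:
            found[ip] = pick_device_name(ip, names_for(ip), preference)
    return found


if __name__ == "__main__":
    for mode in ("fast", "reliable"):
        print(mode, discover("10.0.0.0/24", constructed_probe, constructed_names, mode))
```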
FIGURE 18.8: Overview of network connection
8. Select a device and place the mouse cursor on it to display the detailed information about that device.
FIGURE 18.9: Detailed information of the device
9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.
FIGURE 18.10: Selecting Local information
10. Select options from the drop-down list to view complete information.
FIGURE 18.11: Scanned network complete information
11. As described previously, you may select all the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the button to disconnect.
FIGURE 18.12: Connection of systems in network

Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility | Information Collected/Objectives Achieved
The Dude | IP Address Range: 10.0.0.0 - 10.0.0.24; Device Name Preferences: DNS, SNMP, NETBIOS, IP; Output: List of connected systems and devices in the network
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs