Lets talk about the most common TCP Scan types. There are full scan, half open scan, stealth scan, Xmas scan, and ack scan.
full scan: this completes 3 way TCP. it is the most effective & gives more accurate results. However, it is not safe and easily traced and detected.
half open scan: it is the second most effective scanning method, only uses first part of the handshake to get syn-ack but does not send 3rd part (ack) back to the remote host. The idea here is if the remote replies back to you after you have sent syn request, this means the port - we sent the syn to - must be open.
stealth scan: the idea here is to scan ports randomly(not in sequential order) & reduce the speed of scanning. If you scan all port from 1 to 65536 in sequence, your more visible to be detected, and usually scanning happens so fast, which is unusual since regular program does not connect to port that fast, so this can make it easier to be detected. Therefore you have to scan ports randomly & reduce the speed of scanning. To avoid IDS, you should not use full connection scan with stealth scan, you can use half-open scan(syn). syn is considered a stealth scan. In fact, syn scan is called syn-stealth scan, or you can use Xmas scan with stealth scan which helps you to evade detection, things like that! you get my point i guess.
Xmas scan: uses fin, urg, and push flags which are used to bypass some firewalls. Xmas scan works with UNIX system, it does not work with Windows system.
ack scan: this helps you evading IDS not to get you detected. You send only an ack packet to your target, your target won't know how to deal with it since there was no handshake. Thus, ack scan causes open ports in your target machine to return a reset packet(rst), rst packet gives you a hint that the port or service is not filtered between point A and point B, which usually firewal resides in between! Since the port replied you with rst packet this means there is no firewall between A(your machine) & B(port or service on the target machine) and rst packet also gives you an insight that the target port is open . If there is a firewall, your ack packet would not reach to the target port & because of that you won't get any rst packet. In addition, rst packet helps you indentify what system is running on the remote host.
These are the most common method of scans, there are hundreds of scanning methods! nmap allows you to set your own custom scan type e.g. instead of sending ack flags only, you can send ack flag and rst flag together and see what you get back from target ...
OK! we have talked about how TCP scanning works in general. Now, i will be talking about UDP & ICMP Scanning ... UDP and ICMP connections most of the times are blocked at the firewall level & even at the host level in some cases. We are going to scan on hosts & ports that respond via UDP. When you scan your target via UDP, there are many problem will occur during that process e.g. you can scan over the ports via UDP, assume you scanned port 1, and port 1 is closed, then host will send ICMP unreachable back to you, which gives an insight that port is closed because you didn't get any UDP response back from target! Making sense,right? Unfortunately, we will never get a response back from target to ensure you that port is open!
Thats how UDP call works, send the packet & forget it. Lets say we come across port 21, and 21 is open, then port 21 on target machine will not reply back to you because UDP does not give you the guarantee the delivery packets during communication process, it just send the packet and forget, unlike TCP which guarantees the delivery of packets with no loss or corruption. Since we didn't get reply back, then we can assume the port 21 is open *OR* maybe port 21 is closed and ICMP reply got lost somewhere so we didn't get it! A general rule, when you don't get a reply you assume port is open.
Some high professionals security person purposely configure ports to not to respond a UDP scanning. ICMP scanning is as same as UDP. ICMP scanning is noisy & can be picked by IDS very easily because ICMP sends random several pings to the network instead of a single host(ICMP scanning does a 'ping scanning' - sends ICMP packets - to the whole network instead of a single host). After you finish ICMP scanning, based on the replies you get back from the live hosts, then you can determine that your target network is listening for ICMP traffic and you might to do some exploit based on that. Unfortunately, there aren't alot of ICMP exploits going around, so you are just going to use ICMP for network enumeration, you just do it to see what hosts are up, host A is up , host B is up & host C is up, they are replying for my ICMP. Thus, this let us know these 3 hosts are running on the targeted network and potentially can be a target for us. IDS's are always listening for network scans & alot of network scanners provide a support for ICMP scanning, but do not have a way to make it stealthy! Therefore, ICMP can turn on the IDS alert which tells the security person there is somebody scans your whole network.
nmap is a great tool that is very popular, it is usually used to scan networks, hosts, ports, and does alot of other stuff. It is very intrusive tool and considered a hacking tool. Using nmap against systems you dont own or dont have permission to scan can be considered illegal. Lets see examples of some scanning method!
Example of ICMP Scanning(-sP) - this is called ping scan
nmap -v -sP xx.xxx.xxx.xx > filename
nmap: represents the program we are running which nmap.
-v: for increased verbosity, which means bring me extra details of the targeted system. (Optional - as far as i know)
-sP: the flag that determines the scanning method.
x's: target IP address.
> filename: output the results to the newly specified filename. In other words, save results in a file (Optional)
This above command shows you the systems that are up and running, so this shows what available to us on the targeted network. As a result, you will get simple info that shows you there are number of IP addresses that responded to ping request - Note: there could be alot more machines out there that are not responding to ICMP scanning.
Lets see an example of UDP scan, UDP scan not so speed.
nmap -v -sU xx.xxx.xxx.xx
Results of UDP scan(-sU) give more info than ping scan(-sP). Keep in mind there could be hundreds of other ports are listening on the system which simply don't respond to UDP connection.
Useful sources relates to scanning methods via nmap:
http://www.nmap-tutorial.com/pdf/nmap-tutorial.pdf
http://www.petri.co.il/port-scanning-with-nmap.htm
ALRIGHT, now you have a good basic understanding about scanning! Next, i will be talking about fingerprinting! So keep learning
Now lets get deeper! By now we have determined what nodes are running up on the network. So we are ready to gather large info on those live systems we discovered in the previous steps. Ok! now you need to discover what services (application) are running on your target's host. Every (or at least many) port has a service running on it. For example, web server usually are running on port 80. What we have to do is scan ports, see what kind of services(applications) are running on them, try to grab the versions of the services, this will help you to determine the OS as well. This is called 'Port & Service Enumeration(fingerprinting)'. We have to do this step to understand what potential vulnerabilities your target has & how to exploit them.
Assume after we have scanned our target system, we found our target runs "IIS 5.0 Server" on "port 80". Based on the scanning result, you can say the targer server is running IIS 5.0(IIS is set of Internet-based services, IIS is the second most popular web server - IIS is a Microsoft product), it is known IIS 5.0. has too many vulnerabilities & IIS 5.0 runs on Windows 2000, which Windows 2000 by itself has hundreds of vulns.
In other words, lets scan ports and services, and do OS fingerprinting, lets identify services on those live host in our target network. Once we know what services are running and what OS are running then we can start exploiting these services! - 'ping/port/service' scans are frequently run together using the same tool.
NOTE: identifying ports & services is the most critical part in hacking ... PERIOD
OS fingerprinting is used for determining OS type and version, then we exploit vulns. that resides into the OS. When you fingerprint a target, your targets' OS can be known from the TCP/IP stack, so fingerprinting happens on TCP/IP stack. Why? Because each OS has a unique implementation of TCP/IP, so TCP/IP stack is implemented differently from OS to OS, so an exact same query sent to one machine the respond of the result will be different than the other machine. Therefore, based on the response this can help the scanner determines the OS of the target, because every OS has its own unqiue response when you do OS fingerprinting request.
When you do a default install of OS, certain services will be installed by default, services that are needed for that OS to work properly, e.g. ports
137,138,139,and 445 which all combined together to produce Win 2000 OS or above. Another example, a combination of 139 and 445 can determine a certain version of windows such as Win XP or Win 2003, there are lots of ways to determine OS. Another example, if you see a service MS SQL is running on a certain port, you can determine the target OS is not in *nix family, it is in a Win family cause the target is running a Microsoft sql product. Thus, we can say port enumeration or service enumeration can help you in determining OS.
There tons of popular scanners out there:
SuperScan - Works good on Win OS.
Nmap - Works on *nix & Windows, *nix version is much more stable than Win version.
Most scanners offer full, half, stealth, and UDP scans.
You are goning to spend most of your time scanning your target machine to know whats available there, so you can exploit the vulns & penetrate the system. Therefore, you have to do some exploration on scanning methods & decide which method of scanning you feel more comfortable with...
Lets see an example of enumeration style scanning. Just keep in mind, this can be considered hacking! Make sure you do to your system, not somebody's else.
This is kind of a stealth scan:
nmap -v -sS -A -sV xx.xxx.xx.xx > filename
This above request gives you very specific details about your target. sV is for version information identification. Check out the manual to know what these flags do - type "man nmap" to see the manual...
Alright, after we have fingerprinted services & OS, now its the time to check for various vulns against application(services) & OS running on the target system. This is called vulnerability assessment. To do vulnerability assessment, you can use the tools available, such as nessus. Nessus is free vulnerability assessment, huge database, its the best assessment tool.
Lets scan vulns on the target system. Lets say target system is win 2000 SP1 IIS 5.0, nessus goes back to its database and check the vulns for win2000 & IIS 5.0. If there is vulns not discovered, vulnerability assessment tool actually can't catch it. However, if nessus couldn't find matching vulns for the target system, it will let you if the system can have some security issues or not. Such tools are considered as Automated Vulnerability Assessment Tools. You have to know about the target system OS so you can do vuln assessment on it. There are vuln assessment OS specific, e.g. MBSA tool(only scans Win OS).
NOTE: you can do vulnerability assessment manually, this depends on you and your skills. By doing it manually, you can discover vuln. that nobody knows about it, and you can use it for your own use. It is a powerful and very discrete.
After we determined what systems & what services contain vulnerability, then we can exploit it(means take a chance of this vulnerability to achieve what you want).
common vulnerabilities out there are:
OS vulnerabilities
Webserver vulnerabilities
Database vulnerabilities
TCP stack vulnerabilities
Application vulnerabilities
Malwares, viruses, trojans, can be used to exploit vulnerabilities.
There are several automated vulnerability scanners, such as Nessus, Nikto. Security websites is a good resource for vulnerabilities as well, e.g.
bugtraq, CVE(Common Vulnerabilities and Exposures) sites, etc. Another good source to find vulnerabilities is hacker web sites.
Lets talk about the tools:
*Nessus - this is a great vulnerability assessment tool. However, in alot of cases it will perform exploits to see if the OS or service is actually vulnerable or not.
*Metasploit Framework - this is not vuln assessment tool. It is an exploitation tool, it contains hundrands of exploits helps you to exploit the system by using a nice selection of tools.
I will explain shortly about the common vulns...
OS Vulns: OS exploits are used to gain access to the system. OS exploits can used for DoS attacks too. watch the video tutorial. Most OS holes exist from default configuration, services and applications.
Webserver Vulnerabilities: webservers are the most trageted section. All people contact the webserver, thus you never know the hacker than a normal user. Webservers examples, Apache, IIS, and Tomcat. After you exploit the vulnerability in your target webserver, you can gain many different things, such as root access(the gist), website defacement, DoS(put the server down), theft or alteration data on server, or further penetration into the network.
Webserver is a great place to start when you want to do a penetration test!
Database Vulnerabilities: those software vendors who create databases applications such as SQL, Oracle, etc - they dont have security in mind, they care more into effeciency and how to make it easy for the users to handle with the database. They care about making their customers happy without giving that much attention in security issues!
TCP Stack Vulnerabilities: this is not a common used method to hack systems. Google it!
part 3
full scan: this completes 3 way TCP. it is the most effective & gives more accurate results. However, it is not safe and easily traced and detected.
half open scan: it is the second most effective scanning method, only uses first part of the handshake to get syn-ack but does not send 3rd part (ack) back to the remote host. The idea here is if the remote replies back to you after you have sent syn request, this means the port - we sent the syn to - must be open.
stealth scan: the idea here is to scan ports randomly(not in sequential order) & reduce the speed of scanning. If you scan all port from 1 to 65536 in sequence, your more visible to be detected, and usually scanning happens so fast, which is unusual since regular program does not connect to port that fast, so this can make it easier to be detected. Therefore you have to scan ports randomly & reduce the speed of scanning. To avoid IDS, you should not use full connection scan with stealth scan, you can use half-open scan(syn). syn is considered a stealth scan. In fact, syn scan is called syn-stealth scan, or you can use Xmas scan with stealth scan which helps you to evade detection, things like that! you get my point i guess.
Xmas scan: uses fin, urg, and push flags which are used to bypass some firewalls. Xmas scan works with UNIX system, it does not work with Windows system.
ack scan: this helps you evading IDS not to get you detected. You send only an ack packet to your target, your target won't know how to deal with it since there was no handshake. Thus, ack scan causes open ports in your target machine to return a reset packet(rst), rst packet gives you a hint that the port or service is not filtered between point A and point B, which usually firewal resides in between! Since the port replied you with rst packet this means there is no firewall between A(your machine) & B(port or service on the target machine) and rst packet also gives you an insight that the target port is open . If there is a firewall, your ack packet would not reach to the target port & because of that you won't get any rst packet. In addition, rst packet helps you indentify what system is running on the remote host.
These are the most common method of scans, there are hundreds of scanning methods! nmap allows you to set your own custom scan type e.g. instead of sending ack flags only, you can send ack flag and rst flag together and see what you get back from target ...
OK! we have talked about how TCP scanning works in general. Now, i will be talking about UDP & ICMP Scanning ... UDP and ICMP connections most of the times are blocked at the firewall level & even at the host level in some cases. We are going to scan on hosts & ports that respond via UDP. When you scan your target via UDP, there are many problem will occur during that process e.g. you can scan over the ports via UDP, assume you scanned port 1, and port 1 is closed, then host will send ICMP unreachable back to you, which gives an insight that port is closed because you didn't get any UDP response back from target! Making sense,right? Unfortunately, we will never get a response back from target to ensure you that port is open!
Thats how UDP call works, send the packet & forget it. Lets say we come across port 21, and 21 is open, then port 21 on target machine will not reply back to you because UDP does not give you the guarantee the delivery packets during communication process, it just send the packet and forget, unlike TCP which guarantees the delivery of packets with no loss or corruption. Since we didn't get reply back, then we can assume the port 21 is open *OR* maybe port 21 is closed and ICMP reply got lost somewhere so we didn't get it! A general rule, when you don't get a reply you assume port is open.
Some high professionals security person purposely configure ports to not to respond a UDP scanning. ICMP scanning is as same as UDP. ICMP scanning is noisy & can be picked by IDS very easily because ICMP sends random several pings to the network instead of a single host(ICMP scanning does a 'ping scanning' - sends ICMP packets - to the whole network instead of a single host). After you finish ICMP scanning, based on the replies you get back from the live hosts, then you can determine that your target network is listening for ICMP traffic and you might to do some exploit based on that. Unfortunately, there aren't alot of ICMP exploits going around, so you are just going to use ICMP for network enumeration, you just do it to see what hosts are up, host A is up , host B is up & host C is up, they are replying for my ICMP. Thus, this let us know these 3 hosts are running on the targeted network and potentially can be a target for us. IDS's are always listening for network scans & alot of network scanners provide a support for ICMP scanning, but do not have a way to make it stealthy! Therefore, ICMP can turn on the IDS alert which tells the security person there is somebody scans your whole network.
nmap is a great tool that is very popular, it is usually used to scan networks, hosts, ports, and does alot of other stuff. It is very intrusive tool and considered a hacking tool. Using nmap against systems you dont own or dont have permission to scan can be considered illegal. Lets see examples of some scanning method!
Example of ICMP Scanning(-sP) - this is called ping scan
nmap -v -sP xx.xxx.xxx.xx > filename
nmap: represents the program we are running which nmap.
-v: for increased verbosity, which means bring me extra details of the targeted system. (Optional - as far as i know)
-sP: the flag that determines the scanning method.
x's: target IP address.
> filename: output the results to the newly specified filename. In other words, save results in a file (Optional)
This above command shows you the systems that are up and running, so this shows what available to us on the targeted network. As a result, you will get simple info that shows you there are number of IP addresses that responded to ping request - Note: there could be alot more machines out there that are not responding to ICMP scanning.
Lets see an example of UDP scan, UDP scan not so speed.
nmap -v -sU xx.xxx.xxx.xx
Results of UDP scan(-sU) give more info than ping scan(-sP). Keep in mind there could be hundreds of other ports are listening on the system which simply don't respond to UDP connection.
Useful sources relates to scanning methods via nmap:
http://www.nmap-tutorial.com/pdf/nmap-tutorial.pdf
http://www.petri.co.il/port-scanning-with-nmap.htm
ALRIGHT, now you have a good basic understanding about scanning! Next, i will be talking about fingerprinting! So keep learning
Now lets get deeper! By now we have determined what nodes are running up on the network. So we are ready to gather large info on those live systems we discovered in the previous steps. Ok! now you need to discover what services (application) are running on your target's host. Every (or at least many) port has a service running on it. For example, web server usually are running on port 80. What we have to do is scan ports, see what kind of services(applications) are running on them, try to grab the versions of the services, this will help you to determine the OS as well. This is called 'Port & Service Enumeration(fingerprinting)'. We have to do this step to understand what potential vulnerabilities your target has & how to exploit them.
Assume after we have scanned our target system, we found our target runs "IIS 5.0 Server" on "port 80". Based on the scanning result, you can say the targer server is running IIS 5.0(IIS is set of Internet-based services, IIS is the second most popular web server - IIS is a Microsoft product), it is known IIS 5.0. has too many vulnerabilities & IIS 5.0 runs on Windows 2000, which Windows 2000 by itself has hundreds of vulns.
In other words, lets scan ports and services, and do OS fingerprinting, lets identify services on those live host in our target network. Once we know what services are running and what OS are running then we can start exploiting these services! - 'ping/port/service' scans are frequently run together using the same tool.
NOTE: identifying ports & services is the most critical part in hacking ... PERIOD
OS fingerprinting is used for determining OS type and version, then we exploit vulns. that resides into the OS. When you fingerprint a target, your targets' OS can be known from the TCP/IP stack, so fingerprinting happens on TCP/IP stack. Why? Because each OS has a unique implementation of TCP/IP, so TCP/IP stack is implemented differently from OS to OS, so an exact same query sent to one machine the respond of the result will be different than the other machine. Therefore, based on the response this can help the scanner determines the OS of the target, because every OS has its own unqiue response when you do OS fingerprinting request.
When you do a default install of OS, certain services will be installed by default, services that are needed for that OS to work properly, e.g. ports
137,138,139,and 445 which all combined together to produce Win 2000 OS or above. Another example, a combination of 139 and 445 can determine a certain version of windows such as Win XP or Win 2003, there are lots of ways to determine OS. Another example, if you see a service MS SQL is running on a certain port, you can determine the target OS is not in *nix family, it is in a Win family cause the target is running a Microsoft sql product. Thus, we can say port enumeration or service enumeration can help you in determining OS.
There tons of popular scanners out there:
SuperScan - Works good on Win OS.
Nmap - Works on *nix & Windows, *nix version is much more stable than Win version.
Most scanners offer full, half, stealth, and UDP scans.
You are goning to spend most of your time scanning your target machine to know whats available there, so you can exploit the vulns & penetrate the system. Therefore, you have to do some exploration on scanning methods & decide which method of scanning you feel more comfortable with...
Lets see an example of enumeration style scanning. Just keep in mind, this can be considered hacking! Make sure you do to your system, not somebody's else.
This is kind of a stealth scan:
nmap -v -sS -A -sV xx.xxx.xx.xx > filename
This above request gives you very specific details about your target. sV is for version information identification. Check out the manual to know what these flags do - type "man nmap" to see the manual...
Alright, after we have fingerprinted services & OS, now its the time to check for various vulns against application(services) & OS running on the target system. This is called vulnerability assessment. To do vulnerability assessment, you can use the tools available, such as nessus. Nessus is free vulnerability assessment, huge database, its the best assessment tool.
Lets scan vulns on the target system. Lets say target system is win 2000 SP1 IIS 5.0, nessus goes back to its database and check the vulns for win2000 & IIS 5.0. If there is vulns not discovered, vulnerability assessment tool actually can't catch it. However, if nessus couldn't find matching vulns for the target system, it will let you if the system can have some security issues or not. Such tools are considered as Automated Vulnerability Assessment Tools. You have to know about the target system OS so you can do vuln assessment on it. There are vuln assessment OS specific, e.g. MBSA tool(only scans Win OS).
NOTE: you can do vulnerability assessment manually, this depends on you and your skills. By doing it manually, you can discover vuln. that nobody knows about it, and you can use it for your own use. It is a powerful and very discrete.
After we determined what systems & what services contain vulnerability, then we can exploit it(means take a chance of this vulnerability to achieve what you want).
common vulnerabilities out there are:
OS vulnerabilities
Webserver vulnerabilities
Database vulnerabilities
TCP stack vulnerabilities
Application vulnerabilities
Malwares, viruses, trojans, can be used to exploit vulnerabilities.
There are several automated vulnerability scanners, such as Nessus, Nikto. Security websites is a good resource for vulnerabilities as well, e.g.
bugtraq, CVE(Common Vulnerabilities and Exposures) sites, etc. Another good source to find vulnerabilities is hacker web sites.
Lets talk about the tools:
*Nessus - this is a great vulnerability assessment tool. However, in alot of cases it will perform exploits to see if the OS or service is actually vulnerable or not.
*Metasploit Framework - this is not vuln assessment tool. It is an exploitation tool, it contains hundrands of exploits helps you to exploit the system by using a nice selection of tools.
I will explain shortly about the common vulns...
OS Vulns: OS exploits are used to gain access to the system. OS exploits can used for DoS attacks too. watch the video tutorial. Most OS holes exist from default configuration, services and applications.
Webserver Vulnerabilities: webservers are the most trageted section. All people contact the webserver, thus you never know the hacker than a normal user. Webservers examples, Apache, IIS, and Tomcat. After you exploit the vulnerability in your target webserver, you can gain many different things, such as root access(the gist), website defacement, DoS(put the server down), theft or alteration data on server, or further penetration into the network.
Webserver is a great place to start when you want to do a penetration test!
Database Vulnerabilities: those software vendors who create databases applications such as SQL, Oracle, etc - they dont have security in mind, they care more into effeciency and how to make it easy for the users to handle with the database. They care about making their customers happy without giving that much attention in security issues!
TCP Stack Vulnerabilities: this is not a common used method to hack systems. Google it!
part 3
Labels:
part 2 how to hack websites
0 comments:
Post a Comment