SRINIVAS UNIVERSITY

INSTITUTE OF ENGINEERING AND

TECHNOLOGY
MUKKA, MANGALURU

DEPARTMENT OF CYBER SECURITY AND CYBER FORENSIC

ENGINEERING

NOTES
ON
ETHICAL HACKING AND NETWORK DEFENSE
SUBJECT CODE: 19SCSF73

COMPILED BY:
Mrs. SWATHI R, Assistant Professor

2023-2024
 MODULE 2
FOOTPRINTING AND RECONNAISSANCE

Footprinting - Gathering Information Using Open Sources

Definition:
 Footprinting is the initial phase of ethical hacking that involves collecting information about a
target system, network, or organization to identify vulnerabilities.
 Gathering information using open sources is a passive approach, involving publicly available
information.

Passive Footprinting:

- Passive footprinting refers to collecting information without direct interaction with the target
systems.

- It relies on publicly available sources, minimizing the risk of detection.

- Information collected is not invasive and doesn't trigger security alerts.

Active Footprinting:

- Active footprinting involves probing and interacting with target systems to gather information.

- This approach carries a higher risk of detection as it involves direct interaction.

- Active footprinting is best conducted with proper authorization to avoid legal implications.

Key Techniques:

1. WHOIS

- WHOIS databases store information about domain registrations.

- Queries reveal details such as domain ownership, registration date, expiration date, and contact
information.

- Useful for identifying domain-related information.

2. Search Engines:

- Search engines like Google are powerful tools for passive footprinting.
 - Advanced search operators (e.g., site:, intitle:, filetype:) can be used to focus searches on specific
domains or document types.

- Helps uncover exposed documents, subdomains, and web presence.

3. Social Media:

- Social media platforms can provide a wealth of information.

- Attackers can gather information about employees, job titles, relationships, and even potential
locations.

- Useful for building a detailed profile of the organization's personnel.

4. Network Scanning:

- Network scanning involves probing target networks to identify active hosts, open ports, and
services.

- Nmap is a popular tool for network scanning.

- Reveals the network's topology and services that might be potential attack vectors.

5. DNS Enumeration:

- DNS enumeration involves discovering DNS records associated with a domain.

- Helps identify subdomains, mail servers, and network infrastructure.

- Tools like Dig or NSlookup are commonly used.

6. Email Harvesting:

- Attackers collect email addresses from public sources or websites.

- Harvested email addresses can be used for targeted phishing attacks.

- Scraper tools automate this process.

7. Web Scraping:

- Web scraping involves extracting information from websites.

- Useful for gathering contact details, employee names, and other publicly available information.

- Respect website terms of use and legal limitations.

8. Job Postings and Recruitment:

- Job postings reveal details about required skills and technologies.

- Provides insights into the organization's technology stack and potential vulnerabilities.

9. Publicly Available Documents:

- Reports, whitepapers, and presentations published by the organization can contain valuable
technical information.

- Analyzing these documents can aid in understanding the target's technologies and infrastructure.

Ethical Considerations:

- Footprinting should only be conducted with proper authorization.

- Unauthorized and malicious use is illegal and unethical.

- Ethical hackers and penetration testers follow guidelines and legal requirements.

DNS enumeration and zone transfers:

Introduction to DNS

Domain Name System (DNS) enables you to use hierarchical, friendly names to easily locate
computers and other resources on an IP network. This naming system allows for growth on the
Internet and the creation of names that are unique throughout the Internet and private TCP/IP-based
intranets.

Domain Namespace

The naming system on which DNS is based is a hierarchical and logical tree structure called the domain
namespace. Organizations can also create private networks that are not visible on the Internet, using their
own domain namespaces.

Figure shows part of the Internet domain namespace, from the root domain and top-level Internet DNS domains, to
the fictional DNS domain named reskit.com that contains a host (computer) named Mfgserver.
Each node in the DNS tree represents a DNS name. Some examples of DNS names are DNS domains, computers, and
services. A DNS domain is a branch under the node. For example , reskit.com is a DNS domain. DNS domains can
contain both hosts (computers or services) and other domains (referred to as subdomains). Each organization is
assigned authority for a portion of the domain namespace and is responsible for administering, subdividing, and
naming the DNS domains and computers within that portion of the namespace. Subdividing is an important concept
in DNS. Creating subdivisions of the domain namespace and private TCP/IP network DNS domains supports new
growth on the Internet and the ability to continually expand name and administrative groupings. Subdivisions are
generally based on departmental or geographic divisions. For example, the reskit.com DNS domain might include
sites in North America and Europe. A DNS administrator of the DNS domain reskit.com can subdivide the domain to
create two subdomains that reflect these groupings: noam.reskit.com. and eu.reskit.com.

Fig: Subdomains

Domain Name

Computers and DNS domains are named based on their position in the domain tree. For example, because reskit is a
subdomain of the .com domain, the domain name for reskit is reskit.com. Every node in the DNS domain tree can be
identified by a fully qualified domain name (FQDN).

DNS servers

Computers that run DNS server programs containing DNS database information about the DNS
domain tree structure. DNS servers also attempt to resolve client queries. When queried, DNS servers
can provide the requested information, provide a pointer to another server that can help resolve the
query, or respond that it does not have the information or that the information does not exist.
DNS resolvers

Programs that use DNS queries to query for information from servers. Resolvers can communicate
with either remote DNS servers or the DNS server program running on the local computer. Resolvers
are usually built into utility programs or are accessible through library functions. A resolver can run
on any computer, including a DNS server.

Resource records

Sets of information in the DNS database that can be used to process client queries. Each DNS server
contains the resource records it needs to answer queries for the portion of the DNS namespace for
which it is authoritative. (A DNS server is authoritative for a contiguous portion of the DNS
namespace if it contains information about that portion of the namespace.)

Zones

Contiguous portions of the DNS namespace for which the server is authoritative. A server can be
authoritative for one or more zones. Zone files that contain resource records for the zones for which the
server is authoritative. In most DNS implementations, zones are implemented as text files.

DNS Enumeration:

DNS enumeration is the process of gathering information about a target domain's DNS infrastructure.
It involves querying DNS servers to obtain various details about domain names, IP addresses, mail
servers, and other DNS records associated with the target domain. This reconnaissance activity helps
security professionals, penetration testers, and attackers understand the target's network topology and
potential vulnerabilities.

Common Techniques for DNS Enumeration:

1. DNS Query Types:

- A Records: Query for IPv4 addresses associated with domain names.

- AAAA Records: Query for IPv6 addresses.

- MX Records: Obtain mail server information for the domain.

- NS Records: Retrieve authoritative name server details.

- TXT Records: Obtain textual information, often used for SPF records and other domain
verification purposes.

2. Subdomain Enumeration:
 - Brute-Force: Generate a list of possible subdomains and query DNS servers for their existence.

- Dictionary Attack: Use common words or keywords to generate potential subdomains for
enumeration.

3. Reverse DNS Lookup:

- Query DNS servers for hostnames associated with given IP addresses.

4. Google Dorking:

- Use Google search operators to find DNS-related information indexed by search engines.

Zone Transfers:

A zone transfer is the process of replicating DNS records from a primary DNS server to secondary
DNS servers. It's a crucial mechanism for ensuring DNS redundancy and availability. However,
improperly configured DNS servers can lead to unauthorized zone transfers, exposing sensitive
information.

Steps for Zone Transfers:

1. Identify Authoritative Name Servers:

- Determine the primary authoritative name server for the target domain.
2. Query for SOA Record:

- Use DNS queries to obtain the Start of Authority (SOA) record from the primary DNS server.

- SOA record contains information about the primary server and the authoritative secondary
servers.

3. Request Zone Transfer:

- Use the secondary name servers identified in the SOA record to initiate a zone transfer request.

- Zone transfers are often requested using the `AXFR (Asynchronous Transfer Full Range)` query
type.

AXFR is a mechanism for replicating DNS data across DNS servers.

If, for example, the yale.edu administrator has two DNS servers, a.ns.yale.edu and b.ns.yale.edu, he
can edit the yale.edu data on a.ns.yale.edu, and rely on AXFR to pull the same data to b.ns.yale.edu.

4. Analyze Results:

- The zone transfer result provides a comprehensive list of DNS records for the target domain.

- This includes A, AAAA, MX, NS, and other records associated with the domain.

Countermeasures and Security Best Practices:

- Access Control:

- Limit zone transfers to authorized secondary DNS servers.

- Configure DNS servers to deny zone transfers to unauthorized sources.

- Minimize Exposure:

- Avoid exposing unnecessary DNS records publicly.

- Use wildcard DNS entries judiciously to prevent revealing internal hostnames.

- Subdomain Management:

- Regularly scan and assess subdomains, removing unused or unnecessary ones.

- DNS Firewall:
 - Implement a DNS firewall to detect and block suspicious or unauthorized DNS queries.

- Regular Audits:

- Conduct periodic security audits to identify and rectify DNS-related vulnerabilities.

DNS enumeration and zone transfers can provide valuable insights into a target's infrastructure, but
they can also be exploited for malicious purposes. Implementing proper security measures and
following best practices helps protect your DNS infrastructure and the overall security of your
network.

Extracting Metadata from Websites and Documents:

Metadata refers to the descriptive information embedded within digital content, such as websites and
documents. Extracting metadata can provide valuable insights into the content's origin, authorship,
creation date, and more. This information is useful for various purposes, including research, digital
forensics, and content management. Here's a comprehensive overview of extracting metadata from
both websites and documents:

Metadata from Websites:

1. HTML Metadata:

- Title Tag: The `<title>` tag in the HTML source code provides the title of the webpage.

- Meta Tags:`<meta>` tags can include metadata like author, description, keywords, and charset.

2. HTTP Headers:

- Response Headers: HTTP headers from the server response can reveal server software, content
type, and more.

- Link Headers: Used for defining relationships between resources, e.g., `<link>` headers for style
sheets.

3. Robots.txt and Sitemap.xml:

- Robots.txt: Provides directives for web crawlers, often revealing directories disallowed from
indexing.
 - Sitemap.xml: Lists URLs for pages on the site, aiding in understanding site structure.

4. JavaScript and DOM:

- Document Object Model (DOM): JavaScript can manipulate and access elements in the DOM,
revealing dynamic content and metadata.

5. Browser Extensions and Developer Tools:

- Browser Extensions: Some extensions can extract metadata from web pages.

- Developer Tools: Inspect network requests, view source code, and analyze the Document Object
Model.

Metadata from Documents (PDFs, Office Files, etc.):

1. PDF Files:

- Author, Title, and Subject: PDF metadata often includes authorship, title, and subject information.

- Creation and Modification Dates: Shows when the PDF was created and last modified.

- Embedded Fonts and Images: Can reveal information about the document's creation software.

2. Office Documents (Word, Excel, PowerPoint):

- Document Properties: These properties include author, title, subject, and keywords.

- Revision History: Some files maintain a revision history within the document.

- Embedded Metadata: Files can contain hidden metadata like tracked changes, comments, and
hidden text.

3. Image Files (JPEG, PNG, etc.):

- EXIF Metadata: Image files often contain EXIF data with details like camera model, aperture,
and GPS coordinates.

4. Audio and Video Files:

- ID3 Tags (Audio): Audio files (e.g., MP3) can contain ID3 tags with artist, album, and other
details.
 - Metadata (Video): Video files may have metadata including resolution, codec, and creation date.

Tools for Extracting Metadata:

1. Web Scraping Libraries:

- Python libraries like Beautiful Soup and Scrapy help extract HTML-based metadata from
websites.

2. Browser Extensions:

- Extensions like "META SEO inspector" for Chrome can extract and display metadata from web
pages.

3. Command-Line Tools:

- Tools like `curl` and `wget` can retrieve HTTP headers and HTML source code for analysis.

4. Document Editors and Properties:

- Software like Adobe Acrobat, Microsoft Office, and image editors allow viewing and editing
metadata.

5. Metadata Extraction Tools:

- Tools like `exiftool` for images and `pdfinfo` for PDFs can extract metadata from documents.

Privacy and Security Considerations:

- Sensitive Information: Extracted metadata might contain sensitive information that wasn't intended
for public consumption. Be cautious while sharing or publishing metadata.

- Redaction: Always sanitize documents of sensitive metadata before sharing publicly.

- Legal and Ethical Considerations: Ensure compliance with privacy laws and ethical guidelines
when extracting metadata from documents or websites.

- Consent: Respect website terms of use and obtain necessary permissions before scraping websites
for metadata.

Extracting metadata can provide a deeper understanding of digital content, but it's important to do so
responsibly and ethically, while considering privacy and security concerns.
Network scanning techniques, IP addressing, and subnetting:

Network Scanning Techniques:

Network scanning is the process of discovering active hosts, services, and devices within a network.
It is a fundamental step in network reconnaissance and security assessment. Various techniques are
employed to achieve this, each offering unique insights into the network's architecture and potential
vulnerabilities.

1. Ping Sweeps:

- ICMP Echo Request (Ping): Sends ICMP echo requests to multiple IP addresses to identify
active hosts.

- Ping Sweeps: Scanning a range of IP addresses for responsive hosts.

2. Port Scanning:

-TCP Connect Scanning: Attempts a full TCP handshake to identify open ports.

- TCP SYN Scanning (Half-Open): Sends SYN packets and analyzes responses to identify open
ports.

- UDP Scanning: Identifies open UDP ports by sending UDP packets and observing responses.

- Stealth Scanning:

Techniques like FIN, Xmas, and NULL scans attempt to avoid detection by sending unusual packets.
Stealth scanning is a technique used by network administrators, security professionals, and attackers
to scan computer networks or hosts for open ports and vulnerabilities while attempting to avoid
detection by intrusion detection systems (IDS) and firewalls. The FIN, Xmas, and NULL scans are
three specific types of stealth scans:

1. FIN Scan:

- In a FIN scan, the attacker sends a TCP packet with the FIN (Finish) flag set to 1 and all other
flags set to 0.

- The purpose of this scan is to determine if a port is open or closed. If the target system's TCP/IP
stack responds with an RST (Reset) packet, it indicates that the port is closed. If it doesn't respond at
all, it suggests the port is open.

- The idea behind a FIN scan is that legitimate connections often send FIN packets to gracefully
close a connection, so the scan may go unnoticed by some IDS systems.
2. Xmas Scan:

- An Xmas scan is similar to a FIN scan but with additional flags set in the TCP packet. It sets the
FIN, URG (Urgent), and PSH (Push) flags to 1 while setting all other flags to 0.

- Like the FIN scan, the Xmas scan is used to probe for open ports. If the target system responds
with an RST packet, it indicates a closed port; no response suggests an open port.

- This scan is named "Xmas" because the combination of flags resembles the pattern of lights on a
Christmas tree.

3. NULL Scan:

- In a NULL scan, the attacker sends a TCP packet with all flags set to 0 (i.e., no flags are set).

- Similar to the FIN and Xmas scans, the goal is to determine whether a port is open or closed
based on the response. A closed port typically responds with an RST packet, while an open port may
not respond at all.

- NULL scans are stealthy because they don't contain any flags that indicate a particular type of
TCP connection.

These stealth scanning techniques can be used by both ethical security professionals to assess
network security and by malicious actors seeking to exploit vulnerabilities. However, it's important to
note that network administrators and security systems are becoming increasingly sophisticated at
detecting and blocking such scans. Therefore, using these techniques for ethical and authorized
security testing is recommended to avoid legal and ethical issues.

3. Banner Grabbing:

Banner grabbing is a network reconnaissance technique used by security professionals and attackers
to gather information about a target system or service by capturing the banner or identifying
information that a service or application typically reveals when a connection is established. This
technique is primarily used to determine the software, version, and sometimes additional details
about a running service on a remote system.

Here's how banner grabbing typically works:

1. Establish a Connection: The first step is to establish a connection to the target system's service.
This could be done using various networking tools, such as Telnet or netcat, or by writing custom
scripts.

2. Retrieve Banner: Once a connection is established, the service often responds with a banner or
greeting message. This banner contains information about the service, including its name, version,
and sometimes additional details. For example, when connecting to an FTP server, the banner might
reveal something like "220 FTP Server ready."

3. Analyze Banner: The attacker or security professional analyzes the retrieved banner to gain
insights into the target system's software and configuration. This information can be valuable for
identifying potential vulnerabilities or misconfigurations that could be exploited.

4. Decision Making: Based on the banner information, the attacker or security analyst can make
decisions about potential attack vectors, such as searching for known vulnerabilities associated with
the identified service and version.

Banner grabbing is often used as part of the reconnaissance phase of a penetration test or security
assessment to gather information about a target system's attack surface. It can also be used by
attackers to identify vulnerable systems or services that may be targeted for exploitation.

While banner grabbing itself is not inherently malicious, it's essential to conduct such activities
within the bounds of legal and ethical guidelines. Unauthorized or aggressive banner grabbing
attempts may be considered invasive and potentially illegal, depending on jurisdiction and intent.
Therefore, it's crucial to obtain proper authorization before performing banner grabbing as part of a
security assessment. Collects banners or service identification strings from network services to
determine the software and version running.

4. Network Sweep:

- Scans multiple networks by sending probes to each network's broadcast address to discover live
hosts.

5. Vulnerability Scanning:

- Identifies known vulnerabilities by comparing target services and versions with vulnerability
databases.

6. OS Fingerprinting:

- Determines the operating system of a remote host by analyzing its responses to certain packets.

7. Service Discovery:

- Utilizes protocols like SNMP and SSDP to discover active network services.

8. DNS Enumeration:

- Gathers information about DNS servers, subdomains, and associated IP addresses.

Understanding IP Addressing and Subnetting:

IP addressing and subnetting are fundamental concepts in networking that enable the organization
and segmentation of IP networks.

IP Addressing:

- IPv4 Address Format: Consists of four octets (8 bits each) separated by periods, e.g., 192.168.1.1.

- Classes of IP Addresses: IPv4 addresses were initially divided into classes (A, B, C, D, E) based on
the address range and network size.

- Private IP Addresses: Reserved address ranges for private networks (e.g., 10.0.0.0/8,
192.168.0.0/16).

- Public IP Addresses: Addresses assigned for use on the public internet.

Subnetting:

- Subnet Mask: A 32-bit value that segments an IP address into network and host portions.

- Subnetting Benefits: Efficient utilization of IP addresses, improved network performance, and

enhanced security.

- CIDR Notation: Compact representation of an IP address and subnet mask (e.g., 192.168.1.0/24).

- Subnetting Components: Network ID, Subnet ID, and Host ID.

Subnetting Techniques:

Subnetting is the process of dividing a large IP network into smaller, more manageable subnetworks
or subnets. It's a fundamental networking concept used to efficiently allocate IP addresses and
optimize network performance. There are several techniques and methods for subnetting, and I'll
explain some of the most commonly used ones:

1. **Classful Subnetting:**

- In classful addressing, IP addresses were divided into three main classes: Class A, Class B, and
Class C. Each class had a default subnet mask.

- Classful subnetting involves using these default subnet masks to create subnets. For example, a
Class B network with the default subnet mask of 255.255.0.0 can be subnetted into smaller networks.

2. **Classless Inter-Domain Routing (CIDR):**

- CIDR allows for flexible subnetting by specifying the subnet mask using a notation like "/24,"
where the number indicates the number of network bits in the mask. For example, "/24" represents a
subnet mask of 255.255.255.0.

- CIDR eliminates the strict class boundaries of classful addressing and provides greater flexibility
in allocating IP addresses.
3. **Variable-Length Subnet Masking (VLSM):**

- VLSM is an advanced subnetting technique that allows you to use different subnet masks within
the same major network. This means you can have subnets of varying sizes.

- VLSM is particularly useful when you need to allocate IP addresses efficiently in a network with
various requirements for different subnets.

4. **Binary Subnetting:**

- Binary subnetting involves converting IP addresses and subnet masks into binary form to perform
subnetting calculations.

- By converting IPs and masks to binary, you can quickly determine network and host portions,
making it easier to create subnets.

5. **Subnetting Cheat Sheets and Tables:**

- Many network professionals use subnetting cheat sheets or tables that list common subnet masks
and their corresponding binary representations. These resources can expedite subnetting calculations.

6. **Subnetting Apps and Calculators:**

- There are numerous online tools, mobile apps, and software calculators available that can assist
with subnetting. These tools often provide automatic calculations and validation to ensure correct
subnet configurations.

7. **Practice and Familiarity:**

- The most effective technique for mastering subnetting is practice. Regularly working through
subnetting exercises and problems helps build proficiency and confidence in subnetting.

To subnet effectively, it's essential to understand binary numbering, IP addressing, and the
relationship between IP addresses and subnet masks. Additionally, practicing subnetting problems is
crucial to becoming proficient in this skill, especially if you're pursuing a career in networking or
network administration.

1. Fixed-Length Subnet Masking (FLSM):

- Divides an IP address range into equal-sized subnets.

- Offers simplicity but may lead to inefficient use of IP addresses.

2. Variable-Length Subnet Masking (VLSM):

- Allows subnets of different sizes within the same IP address range.

- Offers more efficient IP address allocation.

3. Supernetting (CIDR):

- Aggregates multiple IP address ranges into a single routing entry using CIDR notation.

- Enhances routing efficiency and reduces routing table size.

Subnetting Steps:

1. Determine the required number of subnets and hosts per subnet.

2. Choose an appropriate subnet mask based on requirements.

3. Calculate subnet addresses, broadcast addresses, and valid host ranges.

4. Assign addresses to network devices and allocate subnets as needed.

IP Address Allocation:

- Static IP Addressing: Manually assign IP addresses to devices.

- Dynamic Host Configuration Protocol (DHCP): Automates IP address assignment and

configuration.

IPv6 Addressing:

- IPv6 Address Format: Uses 128 bits, represented in eight groups of four hexadecimal digits
separated by colons.

- Address Types: Includes unicast, multicast, and any cast addresses.

- IPv6 Advantages: Larger address space, simplified header format, and improved security features.

Understanding IP addressing and subnetting is essential for network administrators, as it forms the
foundation for designing and managing efficient and secure networks. Proper subnetting allows
efficient allocation of IP addresses and helps in optimizing network resources.

Port scanning methods and tools:

Port scanning is a critical phase of network reconnaissance that involves probing a target system's
ports to discover which services are active and potentially vulnerable. Different scanning techniques
and tools provide varying levels of insight into a target's network topology and security posture.
1. TCP Connect Scanning:

- Description: Initiates a full three-way TCP handshake with the target port to determine whether
it's open, closed, or filtered.

- Purpose: Accurate and reliable, but generates logs on the target system.

2. TCP SYN (Half-Open) Scanning:

- Description: Sends SYN packets to target ports and analyzes the responses. If a SYN-ACK is
received, the port is considered open.

- Purpose: Faster than TCP connect scanning, and less likely to generate logs on the target system.

3. TCP ACK Scanning:

Description: Sends ACK packets with specific flag combinations and analyzes the responses. Can
determine whether a firewall is present.

Purpose: Detects filtering and access control lists (ACLs), but doesn't reveal open ports.

4. TCP Window Scanning:

Description: Exploits the TCP window field to determine open ports. Closed ports respond with a
specific flag configuration.

Purpose: Detects open, closed, or filtered ports; less common due to modern TCP implementations.

5. UDP Scanning:

Description: Sends UDP packets to target ports and analyzes the responses. If an ICMP Port
Unreachable message is received, the port is likely closed.

Purpose: Identifies open UDP ports, which are often overlooked; may result in false positives due
to unreliable nature of UDP.

6. Idle (Zombie) Scanning:

Description: Utilizes an intermediary host with an idle connection to the target. The intermediary's
IP address is used to initiate scans.

Purpose: Conceals the true source of the scan, useful for evading detection.

7. FIN, Xmas, and NULL Scans:

 Description: Sends packets with certain flags set to scan target ports. Responses (or lack thereof)
indicate open or closed status.

Purpose: Stealthy scans that aim to avoid detection by bypassing stateful firewalls.

Port Scanning Tools:

1. Nmap

Nmap stands for "Network Mapper", it is the most popular network discovery and port scanner in the
history.

It's a free and open source application used by system administrators, devops and network engineers
for security auditing on local and remote networks.

Available for Linux, Windows and Mac OS, it can be run from the classic command line terminal, or
by using a GUI interface.

Nmap features

Active Port scanning: allows you to scan and discover open ports on specific networks/hosts.

Host discovery: lets you identify potential hosts that are responding to network requests.

OS detection: used to discover operating system name and version, along with network details where
the host is running.

Application version detection: nmap can also be used to determine what kind of apps are running and
along with the version number.

Installing Nmap

Let's see how Nmap can be installed on the most popular Linux distros, as well as for MacOS users:

CentOS/RHEL based distros:

yum install nmap

Ubuntu/Debian users:

apt-get install nmap

For MacOS:

fink install nmap

or

sudo port install nmap

Windows users should read these instructions.

¶Nmap scan examples

Detecting connected devices on the network

For this we will use -sP parameters, this will send ICMP and ARP packets to all possible addresses
inside the 192.168.2.0/24 range.

Once finished will show you a resume revealing the devices found in that range.

This simple command will send various packets (ARP, ICMP, etc.) to every address within the
192.168.1.0/24 range, and will report any devices that respond. The results will look similar to those
in the example below:

[[email protected]:~]nmap -sP 192.168.2.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:44 EDT

Nmap scan report for 192.168.2.43

Host is up (0.0075s latency).

Nmap scan report for 192.168.2.50

Host is up (0.0081s latency).

Nmap scan report for 192.168.2.51

Host is up (0.0078s latency).

Nmap scan report for 192.168.2.53

Host is up (0.0075s latency).

Nmap scan report for 192.168.2.76

Host is up (0.0082s latency).

Nmap scan report for 192.168.2.91

Host is up (0.0078s latency).

Nmap scan report for 192.168.2.92

Host is up (0.0075s latency).

Nmap done: 256 IP addresses (22 hosts up) scanned in 30.42 seconds

[[email protected]:~]

¶Scanning specific ports

Once you have a defined host to scan, you can go against a specific port range (between 1 and
65535), for example:

[[email protected]:~] nmap -p 1-512 192.168.2.92

Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:52 EDT

Nmap scan report for 191.239.213.197

Host is up (0.079s latency).

Not shown: 510 filtered ports

PORT STATE SERVICE

21/tcp open ftp

80/tcp open http

443/tcp open https

As you see here, we have ports 21, 80 and 443 open to the public.

This is just a tiny example of how nmap can be used to discover network services and scan remote
ports, start reading our own Nmap Cheat Sheet guide to learn more advanced Nmap techniques.

Nmap
 Nmap stands for "Network Mapper", it is the most popular network discoveryand port
scanner in the history.

It's a free and open source application used by system administrators, devopsand network
engineers for security auditing on local and remote networks.

Available for Linux, Windows and Mac OS, it can be run from the classiccommand
line terminal, or by using a GUI interface.

Nmap features

 Active Port scanning: allows you to scan and discover open ports onspecific
networks/hosts.
 Host discovery: lets you identify potential hosts that are responding tonetwork
requests.
 OS detection: used to discover operating system name and version,along
with network details where the host is running.
 Application version detection: nmap can also be used to determine whatkind of
apps are running and along with the version number.

Installing Nmap

Let's see how Nmap can be installed on the most popular Linux distros, aswell as for
MacOS users:

CentOS/RHEL based distros:

yum install nmap

Ubuntu/Debian users:

apt-get install nmap

For MacOS:

fink install nmap

or

sudo port install nmap

Nmap scan examples

Detecting connected devices on the network

 For this we will use -sP parameters, this will send ICMP and ARP packets toall possible
addresses inside the 192.168.2.0/24 range.

Once finished will show you a resume revealing the devices found in thatrange.

This simple command will send various packets (ARP, ICMP, etc.) to everyaddress within
the 192.168.1.0/24 range, and will report any devices that respond. The results will look
similar to those in the example below:

[[email protected]:~]nmap -sP 192.168.2.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:44 EDT

Nmap scan report for 192.168.2.43

Host is up (0.0075s latency).

Nmap scan report for 192.168.2.50
Host is up (0.0081s latency).

Nmap scan report for 192.168.2.51

Host is up (0.0078s latency).

Nmap scan report for 192.168.2.53

Host is up (0.0075s latency).

Nmap scan report for 192.168.2.76

Host is up (0.0082s latency).

Nmap scan report for 192.168.2.91

Host is up (0.0078s latency).

Scanning specific ports

Once you have a defined host to scan, you can go against a specific portrange (between
1 and 65535), for example:

[[email protected]:~] nmap -p 1-512 192.168.2.92

Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:52 EDT
Nmap scan report for 191.239.213.197

Host is up (0.079s latency).

Not shown: 510 filtered ports
PORT STATE SERVICE

21/tcp open ftp

As you see here, we have ports 21, 80 and 443 open to the public.

This is just a tiny example of how nmap can be used to discover networkservices and
scan remote ports, start reading our own Nmap Cheat Sheet guide to learn more
advanced Nmap techniques.
2. Unicornscan
Unicornscan is the second most popular free port scanner after Nmap. It's widely known
because of its asynchronous TCP and UDP scanning capabilities, along with non-common
network discovery patterns that providealternative ways to explore details about remote
operating systems and services.

Unicornscan features

 Asynchronous stateless TCP scanning.

 Asynchronous UDP scanning.
 IP port scanner and service detection.
 Remote operating system detection.
 Enable multiple modules from command-line

nstalling Unicornscan

The best suggestion to run Unicornscan is to grab it from the free tools included at Kali
Linux distribution, although you can also install it on the mostpopular Linux distros:

For Ubuntu/Debian users:

sudo apt-get install postgresql libdnet-dev libpq-dev libpcap-dev bison

flex

Download the source code:

wget

tar jxvf unicornscan-0.4.7-2.tar.bz2

cd unicornscan-0.4.7/

For Fedora users:

yum install unicornscan

Unicornscan scan examples

Let's see what Unicornscan has to offer, for this we will type:

unicornscan --help, and we will get the full list of available options
Unicornscan uses a really simple syntax. Let's try our first basic TCP SYNscan:

[[email protected] ~]# unicornscan 192.168.2.101

TCP open http[ 21] from 192.168.2.101 ttl 110

TCP open http[ 80] from 192.168.2.101 ttl 110

Scan multiple hosts:

[[email protected] ~]# unicornscan 192.168.2.102 192.168.2.103

TCP open http[ 21] from 192.168.2.101 ttl 110
TCP open http[
TCP open https[ 80] from
443] from192.168.2.101
192.168.2.101 ttl
ttl 110
110
[[email protected] ~]#

Now we will scan the entire /24 range, but try to detect which one has telnetopen (port
23):

[[email protected] ~]# unicornscan 192.168.2.0/24:23

TCP open telnet[ 23] from 192.168.2.154 ttl 110

TCP open telnet[ 23] from 192.168.2.193 ttl 110

And if you want to send a fake the scan source IP address you just need toadd the -s
argument, as you see below:
 [[email protected] ~]# unicornscan -s 1.1.1.1
www.securitytrails.com/24:80
TCP open http[ 80] from 151.139.243.1 ttl 55
TCP open http[
TCP open http[ 80] from 151.139.243.2 ttl 55
TCP open http[ 80] from 151.139.243.3 ttl 55
TCP open http[
TCP open http[ 80] from 151.139.243.4 ttl 55
TCP open http[
80] from 151.139.243.5 ttl 55
TCP open http[
TCP open

[[email protected] ~]#

In this case, we scanned the full /24 range that belongs

to www.securitytrails.com IP range, and a service detection against 80 port.

Need more unicorn examples? The old beloved man page is always there tohelp you:

man unicornscan

3. Angry IP Scan
Angry IP scanner is our third recommended port scan tool for network discovery. It's
popular for its fast scanning speed thanks to its multi-threadapproach separating each
scan.

It's also free and multiplatform, available for Windows, Mac or Linux operatingsystems.

Angry IP scanner main features include:

 Download and run, no installation needed.

 Scan for open ports on any remote network.
 Webserver & NetBIOS information detection.
 Export scan results into TXT, XML or CSV files.
 Easy plugin integration with Java language.

Installing Angry IP scanner

Angry IP scanner can be installed on Windows, Linux, and MacOS, all therequired
packages can be downloaded from the official website.

Ubuntu/Debian:
 wget

d64.deb

CentOS/RHEL/Fedora:

wget https://github.com/angryip/ipscan/releases/download/3.5.2/ipscan-
3.5.2-1.x86\_64.rpm

Angry IP scanner scan examples

Open up a terminal and type ipscan.

From there you will be launching a GUI that will help you to scan hosts from afriendly
human interface.

As you see you will be able to specify an IP to scan, or even scan a random IPfrom the
selector at the upper-right corner.

Hit start and let the fun begin. Once completed you will get the full stats including total scan
time, average time per host, the number of hosts scanned,and how many are alive.

Netcat

Netcat is one of the oldest network tools in the "Unixverse", it's been there since 1995,
and the last official version is from 2004. Although it has many forks and variants that
work pretty well on modern operating systems,
like ncat from the Nmap suite, or this alternative Netcat version from MikeFrysinger.

While their creators always claimed that Netcat was just a read and write UDP
/ TCP tool, it can be used for a very wide range of objectives, like open remoteconnections,
tunneling and proxying, run remote commands, as well as port scanning.

Netcat features:

 Built-in port-scanning capabilities.

 TCP and UDP port scan support.
 Verbose port scanning.
 Read command line arguments from standard input.
 Forks available for Windows, Linux, and MacOS.

Installing Netcat

Installing netcat on Ubuntu/Debian:

sudo apt-get install netcat

Installing netcat on CentOS/RHEL/Fedora:

yum install nc

Netcat scan examples

Establish a connection to a remote port if open:

[[email protected] ~]# nc -vn 192.168.2.101 22

Ncat: Connected to 192.168.2.101:22.

As you see, netcat was able to reach 22 port and establish the connectionsuccessfully.

UDP port connections are also allowed with netcat, as you can see in the nextexample:

[[email protected] ~]# ncat -v -u 1.1.1.1 53

Ncat: Version 7.60 ( https://nmap.org/ncat )

tcat also has the ability to open a remote backdoor on the target system for5000ms, see
below:

[[email protected] ~]# ncat -l 54321 -e /bin/bash -v -w 5000ms

Ncat: Version 7.60 ( https://nmap.org/ncat )

Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert
to use a permanent one.

Ncat: SHA-1 fingerprint: 18E1 2645 4F8C 9E87 EAD3 DBC5 0901 B9B9 393D 0E77

This will open the backdoor on port 54321 on the local system, then we willhave to open
a connection to gain system access:

[[email protected] ~]# ncat 127.0.0.1 54321 -v

Ncat: Version 7.60 ( https://nmap.org/ncat )

Ncat: Connected to 127.0.0.1:54321.

ls

anaconda-ks.cfg
el\_dlurls.txt
file

pwd

/root
whoami
root
This technique is widely used by penetration testers, and by maliciouscrackers.

Take a look at ncat --help option if you want to learn more examples abouthow to use
netcat.

4. Zenmap
 Zenmap is not a new port scanner, but the official NMAP Front End interface (GUI). For
those who are not familiar with command line terminals, Nmap creators launched this GUI
release that will allow you to scan remote hosts ina fancy and friendly way.

Zenmap features include:

 Save scan results in a database.

 Search the results database.
 Compare current scan results with previous scans.
 Save port scan profiles for frequently used port discovery options.

Installing Zenmap
Ubuntu/Debian users:

sudo apt-get install zenmap

CentOS/RHEL/Fedora users:

yum install nmap-frontend

Zenmap scan examples

As we told before, Zenmap is just the front end human-friendly interface of

Nmap, the classic network mapper that is present on almost every Linux
distribution.

When conducting port scanning, ethical considerations are crucial. Always ensure you have
proper authorization and are in compliance with applicable laws and regulations.
Unauthorized port scanning can be seen as a hostile action and may have legal consequences.

Identifying live hosts and services on a network is a fundamental step in network

reconnaissance and security assessment. It involves discovering active devices (hosts) and the
services they're running. This information is crucial for network mapping, vulnerability
assessment, and penetration testing.

Here are some notes on how to identify live hosts and services:

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 1

1. Ping Sweeps and ICMP Scanning:

 ICMP (Internet Control Message Protocol) is commonly used to check if a host is

alive. Tools like `ping` or `fping` send ICMP echo requests and wait for echo replies.
 ICMP scans can help identify active hosts, but they might be blocked by firewalls or
routers.

2. TCP SYN Scanning (Half-Open Scanning):

 Tools like Nmap use TCP SYN packets to identify open ports on a target system.
 If a target responds with a SYN-ACK, the port is open; if it responds with a RST, the
port is closed.

3. TCP Connect Scanning:

 This involves connecting to the target's ports using full TCP connections.
 If a connection is successfully established, the port is open; otherwise, it's closed.

4. UDP Scanning:

 Unlike TCP, UDP doesn't have a handshake mechanism, making its scanning more
challenging.
 Nmap and other tools can perform UDP scans by sending packets to various UDP
ports and analyzing responses.

5. ACK and Window Scanning:

 These techniques can help identify whether a port is filtered by a firewall.

 If a system responds with a RST packet, the port is unfiltered (open or closed); if it
doesn't respond, the port might be filtered.

6. Banner Grabbing:

 After identifying open ports, you can perform banner grabbing to retrieve service-
specific information.
 This involves connecting to a service and capturing the initial banner message that
services often send upon connection.

7. Network Discovery Tools:

 Commercial and open-source tools like Nmap, Masscan, and Angry IP Scanner offer
various scanning techniques and features.
 These tools can help automate and streamline the process of identifying live hosts and

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 2

 services.

8. Passive Discovery:

 Some tools and techniques can discover hosts and services without directly interacting
with the target network.
 Passive discovery involves monitoring network traffic, DNS records, and other
publicly available information.

9. Network Topology Mapping:

 Once live hosts and services are identified, mapping the network topology helps
understand how devices are interconnected.
 This information is vital for vulnerability assessment and security planning.

10. Considerations:

 Respect legal and ethical boundaries. Always have proper authorization before
scanning a network.
 Use scanning techniques carefully to avoid disrupting network services.
 Some hosts might be configured to respond differently to scanning techniques, so
results can vary.

Remember that the goal of identifying live hosts and services is to gain an accurate picture of
the network's layout and potential vulnerabilities. It's often a starting point for more in-depth
security assessments and penetration testing.

Vulnerability Assessment Process:

1. Vulnerability Assessment Tools and Introduction to Nessus:

Vulnerability Assessment: A systematic process of identifying security vulnerabilities in

systems, applications, and networks to assess potential risks.

Nessus: A popular vulnerability scanning tool that automates the process of identifying and
assessing vulnerabilities.

2. Preparing for the Assessment:

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 3

Scope Definition: Clearly define the scope of the assessment, including target systems, IP
ranges, and network segments.

Authorization: Obtain proper authorization from the organization's management or relevant

stakeholders before conducting any scanning.

3. Configuring and Running Nessus Scans:

Scanning Targets: Configure Nessus to scan specific IP ranges, hosts, or web applications.

Scan Types:

- Network Scan: Identifies vulnerabilities in the network infrastructure.

- Web Application Scan: Focuses on vulnerabilities in web applications.

- Credential-Based Scan: Uses provided credentials to perform deeper analysis.

- Compliance Scan: Checks for compliance with specific standards (e.g., PCI DSS, HIPAA).

Scan Parameters:

Set scan parameters like scan type, scan intensity (normal, aggressive), and timing options.

4. Analyzing Scan Results:

- Vulnerability Identification: Nessus identifies vulnerabilities, misconfigurations, and

potential security issues based on plugins and signatures.

- Severity Assessment: Evaluate the severity of each vulnerability based on factors like CVSS
scores, potential impact, and exploitability.

- Plugin Information: Nessus provides detailed information about each vulnerability,

including a description, affected software, and remediation steps.

5. Prioritizing Vulnerabilities:

- CVSS Scoring:

- Common Vulnerability Scoring System (CVSS): Provides a standardized way to assess the
severity of vulnerabilities.

- CVSS Components: Base, Temporal, and Environmental metrics contribute to the overall
score.

Risk Assessment:

- Impact: Consider the potential impact on confidentiality, integrity, and availability.

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 4

 - Exploitability: Evaluate how likely the vulnerability is to be exploited.

- Affected Assets: Assess the criticality of affected systems or data.

- Prioritization Matrix: Create a matrix to map vulnerabilities based on severity and business
impact, helping prioritize remediation efforts.

6. Generating Vulnerability Assessment Reports:

Report Content:

Executive Summary: High-level overview for non-technical stakeholders.

Technical Details: Detailed information about identified vulnerabilities.

Risk Ratings: CVSS scores, risk assessments, and potential business impact.

Recommended Actions: Detailed steps for remediation or mitigation.

Customization: Tailor reports to the audience's needs, providing both technical and non-
technical perspectives.

Visual Representation: Include charts, graphs, and tables to visualize vulnerability

distribution, severity, and trends.

-Trend Analysis: Compare results over time to identify improvements and ongoing
vulnerabilities.

7. Remediation and Follow-Up:

Patch Management: Develop a plan to apply patches and updates to address vulnerabilities.

Mitigation Strategies: Implement temporary measures or compensating controls if immediate

patching is not feasible.

Verification: After applying fixes, rescan systems to verify the successful resolution of
vulnerabilities.

8. Continuous Improvement:

Regular Assessments: Conduct vulnerability assessments at regular intervals to stay current

with emerging threats.

Feedback Loop: Use assessment results to improve security policies, procedures, and incident
response plans.

Education and Training: Train staff on security best practices to reduce the introduction of
new vulnerabilities.

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 5

Threat Intelligence: Stay informed about emerging vulnerabilities and threats through reliable
sources.

Conclusion:

Vulnerability assessment is a critical process for identifying and addressing security

weaknesses. Tools like Nessus streamline the assessment process, allowing organizations to
systematically analyze vulnerabilities, prioritize remediation efforts, and generate
comprehensive reports. The process helps organizations reduce risk, maintain compliance,
and enhance overall security posture in the ever-evolving threat landscape.

ETHICAL HACKING AND NETWORK DEFENSE (19SCF73) Page 6