Lecture 6(3)

The document discusses ethical hacking techniques, focusing on OS discovery methods like banner grabbing and tools such as Nmap and Unicornscan. It also covers various IDS and firewall evasion techniques, including packet fragmentation, source routing, and the use of proxy servers and anonymizers to maintain anonymity during attacks. The content is aimed at educating students in the field of information security on how attackers exploit vulnerabilities in network systems.


University of Babylon
College of Information Technology
Department of Information Security

Ethical Hacking
Lecture 6: Scanning Networks III

Asst. Lect. Rasha Hussein


OS Discovery / Banner Grabbing

Banner grabbing, or OS fingerprinting, is the method used to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive. Identifying the OS used on the target host allows an attacker to work out which vulnerabilities the system is likely to have and which exploits might work against it, in order to carry out further attacks.

Active Banner Grabbing

• Specially crafted packets are sent to the remote OS and the responses are noted.
• The responses are then compared with a database to determine the OS.
• Responses from different OSes vary due to differences in the TCP/IP stack implementation.

Passive Banner Grabbing

• Banner grabbing from error messages: Error messages provide information such as the type of server, type of OS, and SSL tool used by the target remote system.
• Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.
• Banner grabbing from page extensions: Looking for an extension in the URL may assist in determining the application's version. Example: .aspx => IIS server and Windows platform
OS Discovery using Nmap and Unicornscan

• In Nmap, the -O option is used to perform OS discovery, providing OS details of the target machine:

  nmap -O <target IP>

• In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result.
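The TTL method mentioned for Unicornscan is the same passive heuristic a defender can run over their own captured traffic. The following is an added example written for this lecture, not code from Nmap, Unicornscan or the slides: it maps an observed TTL to the nearest common initial TTL (64, 128 or 255), estimates the hop count, and then cross-checks the guess against a constructed asset inventory so that hosts answering "like the wrong OS" stand out. The initial-TTL table and the `src=... ttl=...` capture format are assumptions for the example.

```python
"""Passive OS inference from observed IP TTL values, plus an inventory cross-check.

Added example for this lecture; not taken from Nmap, Unicornscan or the slides.
The initial-TTL table is the usual heuristic and an assumption: hosts can
change their default TTL, so treat every result as a guess to be confirmed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Typical default initial TTLs by OS family (heuristic, not authoritative).
INITIAL_TTLS: Dict[int, str] = {
    64: "Linux/Unix-like",
    128: "Windows",
    255: "network device / Solaris",
}


@dataclass
class TtlGuess:
    src: str
    observed_ttl: int
    initial_ttl: int
    hops: int
    os_family: str


def guess_initial_ttl(observed: int) -> int:
    """Return the smallest common initial TTL that is >= the observed TTL.

    A packet arriving with TTL 54 most likely started at 64 and crossed
    10 routers; one arriving with 118 most likely started at 128.
    """
    if not 0 < observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    return min(t for t in INITIAL_TTLS if observed <= t)


def analyze_line(line: str) -> TtlGuess:
    """Parse one 'key=value' capture summary line, e.g. 'src=192.0.2.10 ttl=54'."""
    fields = dict(token.split("=", 1) for token in line.split())
    ttl = int(fields["ttl"])
    initial = guess_initial_ttl(ttl)
    return TtlGuess(fields["src"], ttl, initial, initial - ttl, INITIAL_TTLS[initial])


def analyze_capture(lines: Iterable[str]) -> List[TtlGuess]:
    return [analyze_line(line) for line in lines if line.strip()]


def inventory_mismatches(guesses: Iterable[TtlGuess], inventory: Dict[str, str]) -> List[str]:
    """Defender's use: hosts whose TTL-based guess disagrees with the asset inventory.

    A mismatch may mean a stale inventory entry, a rebuilt host, or a rogue
    device answering on a known address; each one deserves a look.
    """
    return [g.src for g in guesses if g.src in inventory and inventory[g.src] != g.os_family]


# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = """
src=192.0.2.10 ttl=54
src=192.0.2.20 ttl=118
src=192.0.2.30 ttl=245
"""

# Constructed asset inventory: 192.0.2.20 is recorded as Linux but answers like Windows.
SAMPLE_INVENTORY = {
    "192.0.2.10": "Linux/Unix-like",
    "192.0.2.20": "Linux/Unix-like",
}

if __name__ == "__main__":
    guesses = analyze_capture(SAMPLE_CAPTURE.splitlines())
    for g in guesses:
        print(f"{g.src}: ttl={g.observed_ttl} -> initial {g.initial_ttl}, "
              f"~{g.hops} hops, {g.os_family}")
    print("inventory mismatches:", inventory_mismatches(guesses, SAMPLE_INVENTORY))
```

The guess is only as good as the assumption that the host kept its default TTL, which is exactly why the slide's passive methods are presented as hints to be combined rather than as proof; a defender who tunes default TTLs on sensitive hosts also blunts this kind of fingerprinting.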
IDS and Firewall Evasion Techniques

• Though firewalls and IDSs can prevent malicious traffic (packets) from entering a network, attackers can still manage to deliver the intended packets to the target by evading the IDS or firewall through the following techniques:
1. Packet Fragmentation
2. Source Routing
3. Source Port Manipulation
4. IP Address Decoy
5. IP Address Spoofing
6. Creating Custom Packets
7. Randomizing Host Order
8. Sending Bad Checksums
9. Proxy Servers
10. Anonymizers
Packet Fragmentation

• Packet Fragmentation: The attacker sends fragmented probe packets to the intended target, which reassembles the fragments after receiving all of them.
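Because the target reassembles the fragments, a filter that inspects fragments one at a time can miss what the reassembled packet contains. The check below is an added example for this lecture, not code from the slides or from any firewall product: it applies the two classic RFC 1858 rules, rejecting a first fragment too small to carry the TCP ports and flags and rejecting a fragment at offset 1 that could overwrite those flags on reassembly. The `Fragment` record, the 16-byte threshold and the sample stream are assumptions constructed for the example.

```python
"""Flag IPv4 fragments that a filtering device should treat as suspicious.

Added example for this lecture; not code from the slides or any firewall product.
The thresholds follow the RFC 1858 'tiny fragment' and 'overlapping fragment'
checks and are assumptions you should tune to your own filter's needs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The first fragment must carry enough of the TCP header for a filter to see
# the ports and flags; RFC 1858 suggests at least 16 bytes for TCP.
MIN_FIRST_FRAGMENT_PAYLOAD = 16


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int          # IP identification, shared by all fragments of one datagram
    offset: int         # fragment offset in 8-byte units (the IP header field)
    more_fragments: bool
    payload_len: int    # bytes following the IP header in this fragment


def classify(frag: Fragment) -> Optional[str]:
    """Return a reason string if the fragment matches a known evasion pattern."""
    # Tiny first fragment: the transport header is split so the filter cannot
    # read the TCP flags from the first piece.
    if frag.offset == 0 and frag.more_fragments and frag.payload_len < MIN_FIRST_FRAGMENT_PAYLOAD:
        return "tiny-first-fragment"
    # A fragment at offset 1 (8 bytes) can overwrite the flags of an already
    # accepted first fragment during reassembly on the target.
    if frag.offset == 1:
        return "overlapping-fragment"
    return None


def scan_fragments(frags: List[Fragment]) -> List[Tuple[str, str, int, str]]:
    """Run classify() over a fragment stream and collect alerts."""
    alerts = []
    for frag in frags:
        reason = classify(frag)
        if reason is not None:
            alerts.append((frag.src, frag.dst, frag.ident, reason))
    return alerts


# Constructed sample stream (not a real capture).
SAMPLE_FRAGMENTS = [
    # A normal 1500-byte-MTU split: 1480 payload bytes, then the remainder.
    Fragment("192.0.2.10", "198.51.100.5", 1001, 0, True, 1480),
    Fragment("192.0.2.10", "198.51.100.5", 1001, 185, False, 520),
    # Probe split into 8-byte pieces: the first piece is too small to show the flags.
    Fragment("203.0.113.7", "198.51.100.5", 2002, 0, True, 8),
    Fragment("203.0.113.7", "198.51.100.5", 2002, 1, True, 8),
    Fragment("203.0.113.7", "198.51.100.5", 2002, 2, False, 4),
]

if __name__ == "__main__":
    for alert in scan_fragments(SAMPLE_FRAGMENTS):
        print("ALERT", alert)
```

The ordinary MTU split passes both rules, while the 8-byte probe trips both. A production IDS goes further and reassembles the datagram before inspection; these stateless rules are the minimum a packet filter needs so that fragmentation alone cannot hide the TCP flags from it.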
Source Routing

• Source Routing: The attacker specifies the routing path for the malformed packet to reach the intended target.

Source Port Manipulation

• Source Port Manipulation: The attacker replaces the actual source port with a common source port that the IDS/firewall is likely to allow, in order to evade it.
IP Address Decoy

• IP Address Decoy: The attacker generates or manually specifies the IP addresses of decoys so that the IDS/firewall cannot determine the actual IP address.
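Decoys stop a defender from attributing the scan to one address, but they do not hide the scan itself: the decoy packets are sent alongside the real ones, so the firewall log shows several sources probing the same ports of the same host in the same few seconds. The correlation below is an added example for this lecture, not code from the slides; the `DROP src=... dst=... dport=...` log format, the 60-second window and the thresholds are assumptions constructed for it.

```python
"""Correlate firewall drop logs to spot a decoy scan (added example).

Not code from the slides; the log format below is constructed for the example.
A decoy scan shows up as several source addresses probing the same destination
ports in the same short window, because the decoy packets are sent alongside
the real ones. The window and thresholds are assumptions to tune per network.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>[A-Z]+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Tuple[int, str, str, int]]:
    """Return (epoch_seconds, src, dst, dport), or None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    if match is None:
        return None
    ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), match["src"], match["dst"], int(match["dport"])


def find_decoy_groups(lines: Iterable[str], window_s: int = 60,
                      min_sources: int = 3, min_ports: int = 2) -> List[Dict]:
    """Group sources by (destination, time window, exact port set); report crowded groups."""
    # (dst, window) -> src -> set of destination ports probed
    buckets: Dict[Tuple[str, int], Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch, src, dst, dport = rec
        buckets[(dst, epoch // window_s)][src].add(dport)

    groups = []
    for (dst, window), per_src in buckets.items():
        by_ports: Dict[frozenset, List[str]] = defaultdict(list)
        for src, ports in per_src.items():
            if len(ports) >= min_ports:
                by_ports[frozenset(ports)].append(src)
        for ports, sources in by_ports.items():
            if len(sources) >= min_sources:
                groups.append({"dst": dst, "window": window,
                               "ports": sorted(ports), "sources": sorted(sources)})
    return groups


# Constructed sample log (not real traffic): four sources probe 22/80/443 on one
# host within 15 seconds; a fifth unrelated source only touches port 80.
SAMPLE_LOG = """
2024-05-01T10:00:01Z DROP src=198.51.100.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:01Z DROP src=203.0.113.9 dst=10.0.0.5 dport=22
2024-05-01T10:00:01Z DROP src=192.0.2.44 dst=10.0.0.5 dport=22
2024-05-01T10:00:02Z DROP src=198.51.100.22 dst=10.0.0.5 dport=22
2024-05-01T10:00:05Z DROP src=198.51.100.7 dst=10.0.0.5 dport=80
2024-05-01T10:00:05Z DROP src=203.0.113.9 dst=10.0.0.5 dport=80
2024-05-01T10:00:05Z DROP src=192.0.2.44 dst=10.0.0.5 dport=80
2024-05-01T10:00:06Z DROP src=198.51.100.22 dst=10.0.0.5 dport=80
2024-05-01T10:00:09Z DROP src=198.51.100.7 dst=10.0.0.5 dport=443
2024-05-01T10:00:09Z DROP src=203.0.113.9 dst=10.0.0.5 dport=443
2024-05-01T10:00:10Z DROP src=192.0.2.44 dst=10.0.0.5 dport=443
2024-05-01T10:00:10Z DROP src=198.51.100.22 dst=10.0.0.5 dport=443
2024-05-01T10:00:15Z DROP src=192.0.2.99 dst=10.0.0.5 dport=80
"""

if __name__ == "__main__":
    for group in find_decoy_groups(SAMPLE_LOG.splitlines()):
        print(f"{group['dst']} ports {group['ports']} probed by {len(group['sources'])} "
              f"sources in one window: {group['sources']}")
```

The output names the port set and all four candidate sources as one event rather than four separate scanners, which is the right unit for an alert. Picking the real source out of the group is a separate step (for example, by checking which of them later completes a handshake), and the alert is useful even when that step fails.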
IP Address Spoofing

• IP Address Spoofing: The attacker changes the source IP address so that the attack appears to be coming from someone else.
• IP spoofing using Hping3: hping3 www.certifiedhacker.com -a 7.7.7.7

Creating Custom Packets

• Creating Custom Packets: The attacker sends custom packets to scan the intended target beyond the firewalls.
Randomizing Host Order and Sending Bad Checksums

• Randomizing Host Order: The attacker scans the hosts in the target network in a random order to reach the intended target that lies beyond the firewall.
• Sending Bad Checksums: The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target.
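A packet with a bad TCP checksum is silently dropped by the target's TCP stack, so an IDS that inspects it without verifying the checksum analyses traffic the target never processed, and can be fed decoy content that way. The code below is an added example for this lecture, not from the slides: it verifies IPv4 and TCP checksums the way an inspecting device should, and a small builder produces constructed test packets (documentation addresses), one correct and one with a deliberately wrong TCP checksum, so the check can be seen to separate them.

```python
"""Verify IPv4 and TCP checksums the way an inspecting device should (added example).

Not code from the slides. A target host silently drops a segment whose TCP
checksum is wrong, so an IDS that inspects such packets without checking the
checksum is analysing traffic the target never processed. The builder below
exists only to produce constructed test packets; addresses are documentation ranges.
"""
import socket
import struct
from typing import Tuple

IP_PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes = b"", corrupt_tcp_checksum: bool = False) -> bytes:
    """Build a minimal IPv4/TCP SYN packet; optionally give it a bogus TCP checksum."""
    flags_syn = 0x02
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags_syn, 65535, 0, 0)
    tcp_len = len(tcp_hdr) + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IP_PROTO_TCP, tcp_len)
    tcp_sum = checksum(pseudo + tcp_hdr + payload)
    if corrupt_tcp_checksum:
        tcp_sum ^= 0x1234  # flip bits so the stored checksum no longer matches
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_sum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64,
                         IP_PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def verify_checksums(packet: bytes) -> Tuple[bool, bool]:
    """Return (ip_header_ok, tcp_ok).

    With a correct checksum in place, the one's complement sum over the covered
    bytes (pseudo-header plus segment for TCP) comes out as 0xFFFF.
    """
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, packet[9], len(segment))
    tcp_ok = ones_complement_sum(pseudo + segment) == 0xFFFF
    return ip_ok, tcp_ok


def should_inspect(packet: bytes) -> bool:
    """Policy helper: only feed packets the target will accept to signature matching."""
    ip_ok, tcp_ok = verify_checksums(packet)
    return ip_ok and tcp_ok


# Constructed packets, one valid and one with a bad TCP checksum.
GOOD_PACKET = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, b"hello")
BAD_PACKET = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, b"hello",
                            corrupt_tcp_checksum=True)

if __name__ == "__main__":
    print("good packet:", verify_checksums(GOOD_PACKET))
    print("bad packet: ", verify_checksums(BAD_PACKET))
```

Most IDS engines expose a checksum-validation setting; the point of `should_inspect` is that whatever a sensor does with a bad-checksum packet, it should not let that packet's content affect its model of what the target received.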
Proxy Servers

• Proxy Servers: The attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
• A proxy server is an application that can serve as an intermediary for connecting with other computers.
• Why do attackers use proxy servers?
1. To hide the source IP address so that they can hack without any legal consequences.
2. To mask the actual source of the attack by presenting a fake source address, that of the proxy.
3. To remotely access intranets and other website resources that are normally off limits.
4. To intercept all the requests sent by a user and transmit them to a third destination, so that victims will only be able to identify the proxy server's address.
5. Attackers chain multiple proxy servers to avoid detection.
• Note: A search in Google will list thousands of free proxy servers.
Proxy Chaining

• Proxy chaining helps an attacker increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater the attacker's anonymity.
• The proxy chaining process is described below:
1. The user requests a resource from the destination.
2. A proxy client in the user's system connects to a proxy server and passes the request to the proxy server.
3. The proxy server strips the user's identification information and passes the request to the next proxy server.
4. This process is repeated by all the proxy servers in the chain.
5. Finally, the unencrypted request is passed to the web server.
Anonymizers

• Anonymizers: The attacker uses anonymizers, which allow them to bypass Internet censors and evade certain IDS and firewall rules.
• An anonymizer removes all the identifying information from the user's computer while the user surfs the Internet.
• Anonymizers make activity on the Internet untraceable.
• Anonymizers allow you to bypass Internet censors.
• Why use an anonymizer?
  • Privacy and anonymity
  • Protection from online attacks
  • Access to restricted content
  • Bypassing IDS and firewall rules
Types of Anonymizers

• An anonymizer is a service through which one can hide one's identity when using certain Internet services. It encrypts the data from your computer to the Internet service provider. Anonymizers are of two basic types: networked anonymizers and single-point anonymizers.

1- Networked Anonymizers
• A networked anonymizer first transfers your information through a network of Internet-connected computers before passing it on to the website. Because the information passes through several Internet computers, it becomes cumbersome for anyone trying to track your information to establish the connection between you and the anonymizer.
• Example: If you want to visit any web page, you have to make a request. The request will first pass through Internet computers A, B, and C before going to the website.
• Advantage: The complexity of the communication path makes traffic analysis difficult.
• Disadvantage: Any multi-node network communication incurs some degree of risk of compromising confidentiality at each node.

2- Single-Point Anonymizers
• Single-point anonymizers first transfer your information through a website before sending it to the target website, and then pass the information gathered from the target website back to you via the website to protect your identity.
• Advantage: Arm's-length communication hides the IP address and related identifying information.
• Disadvantage: It offers less resistance to sophisticated traffic analysis.
Thank You
