Tuesday, March 8, 2016

The first phase of hacking: Network Scanning


Scanning and enumeration are the first phases of hacking and involve the hacker locating target systems or networks. Enumeration is the follow-on step once scanning is complete and is used to identify computer names, usernames, and shares.
Scanning

During scanning, the hacker continues to gather information regarding the network and its
individual host systems. Data such as IP addresses, operating system, services, and installed
applications can help the hacker decide which type of exploit to use in hacking a system.
Scanning is the process of locating systems that are alive and responding on the network. Ethical
hackers use it to identify target systems’ IP addresses.

Scanning Type            Purpose
Port scanning            Determines open ports and services
Network scanning         Identifies live hosts and their IP addresses
Vulnerability scanning   Identifies the presence of known weaknesses

Port scanning is the process of identifying open and available TCP/IP ports on a system. Port-scanning tools enable a hacker to learn about the services available on a given system. For example, a port-scanning tool that identifies port 80 as open indicates a web server is running on that system.

Network scanning is a procedure for identifying active hosts on a network, either to attack them or as a network security assessment. Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.

Vulnerability scanning is the process of proactively identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then, the vulnerability scanner identifies weaknesses or vulnerabilities in the operating system.

Port-Scan Countermeasures
Countermeasures are processes or tool sets used by security administrators to detect and possibly thwart port scanning of hosts on their network. The following countermeasures should be implemented to prevent a hacker from acquiring information during a port scan:

  • Proper security architecture, such as implementation of IDS and firewalls, should be followed.
  • Ethical hackers use their tool set to test the scanning countermeasures that have been implemented. Once a firewall is in place, a port-scanning tool should be run against hosts on the network to determine whether the firewall correctly detects and stops the port-scanning activity.
  • The firewall should be able to detect the probes sent by port-scanning tools. The firewall should carry out stateful inspection, which means it examines the data of the packet and not just the TCP header to determine whether the traffic is allowed to pass through the firewall.
  • A network IDS should be used to identify the OS-detection method used by some common hacker tools, such as Nmap.
  • Only needed ports should be kept open. The rest should be filtered or blocked.
  • The staff of the organization using the systems should be given appropriate training on security awareness. They should also know the various security policies they’re required to follow.
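One of the countermeasures above is a network IDS that recognises scan probes. As an added example (not from the original post), the following Python script implements the simplest such detection over constructed iptables-style firewall DROP records: a source that touches many distinct destination ports within a short window is flagged as a port scan, while a source that slowly retries the same port is not. The log format, addresses, window length and port threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the page): one source probing many
# ports within a few seconds, another source retrying SSH slowly over half an hour.
SAMPLE_LOG = """\
2016-03-08T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2016-03-08T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2016-03-08T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2016-03-08T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2016-03-08T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2016-03-08T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2016-03-08T10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143
2016-03-08T10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2016-03-08T10:00:05 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2016-03-08T10:00:05 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2016-03-08T10:00:06 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080
2016-03-08T10:00:07 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
2016-03-08T10:05:00 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
2016-03-08T10:30:00 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
"""

# Assumed record layout: ISO timestamp, action, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Turn DROP lines into (timestamp, source, destination port) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a DROP record in the expected layout
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    return events


def find_port_scans(events, window_seconds=60, min_ports=10):
    """Return {source: max distinct ports seen in any window} for sources over the threshold."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        evs.sort()
        in_window = Counter()  # port -> number of hits inside the sliding window
        start = 0
        best = 0
        for ts, dpt in evs:
            in_window[dpt] += 1
            # Evict events that fell out of the window before counting distinct ports.
            while evs[start][0] < ts - window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in find_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60s")
```

The window and threshold are the two knobs a real IDS exposes; lowering the threshold catches slower scans at the cost of flagging legitimate clients that legitimately touch several services.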

Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It runs on many operating systems, including Unix, Windows, and Linux.

The state of a port as determined by an Nmap scan can be open, filtered, or unfiltered:

  • Open means that the target machine accepts incoming requests on that port.
  • Filtered means a firewall or network filter is screening the port and preventing Nmap from discovering whether it’s open.
  • Unfiltered means the port is determined to be closed, and no firewall or filter is interfering with the Nmap requests.
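As an added example (not from the original post), this Python snippet shows how a single TCP connect probe yields the distinction described above and in the earlier port-scanning paragraph: a completed handshake means the port is open, a reset means the host is reachable but nothing is listening, and silence until the timeout means a filter is dropping the probe. Note that Nmap itself reports "closed" as a state of its own and reserves "unfiltered" for ports it can reach but cannot classify (the result of an ACK scan). The demo binds a throwaway listener on 127.0.0.1 so that it runs offline; the host, ports and timeout are assumptions of the example.

```python
import socket


def probe_tcp_port(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered' using a full connect."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"  # SYN/ACK came back and the handshake completed
    except socket.timeout:
        return "filtered"  # no SYN/ACK and no RST: something silently drops the probe
    except ConnectionRefusedError:
        return "closed"  # RST received: host is up, nothing listens here
    except OSError:
        return "filtered"  # host/network unreachable: cannot tell, treat as filtered
    finally:
        s.close()


def demo_local_states():
    """Show 'open' next to 'closed' on a port we control on the loopback interface."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port (assumption: loopback works)
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe_tcp_port("127.0.0.1", port)
    finally:
        listener.close()
    # The same port with the listener gone answers with RST, i.e. 'closed'.
    after_close = probe_tcp_port("127.0.0.1", port)
    return {"open": while_listening, "closed": after_close}


if __name__ == "__main__":
    print(demo_local_states())
```

A connect probe is the noisiest scan type because it completes the handshake; the application behind an open port usually logs the connection, which is exactly why a defender's service logs are a useful second source for scan detection.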

A proxy server is a computer that acts as an intermediary between the hacker and the target computer. Using a proxy server can allow a hacker to become anonymous on the network. The hacker first makes a connection to the proxy server and then requests a connection to the target computer via the existing connection to the proxy. Essentially, the proxy requests access to the target computer, not the hacker’s computer. This lets a hacker surf the web anonymously or otherwise hide their attack.

HTTP Tunneling Techniques
A popular method of bypassing a firewall or IDS is to tunnel a blocked protocol (such as SMTP) through an allowed protocol (such as HTTP). Almost all IDS and firewalls act as a proxy between a client’s PC and the Internet and pass only the traffic defined as being allowed.
Most companies allow HTTP traffic because it’s usually benign web access. However, a hacker using an HTTP tunneling tool can subvert the proxy by hiding potentially destructive protocols, such as IM or chat, within innocent-looking packets of the allowed protocol.

HTTPort, Tunneld, and BackStealth are all tools that tunnel traffic through HTTP. They allow the bypassing of an HTTP proxy that blocks certain protocols’ access to the Internet. These tools allow the following potentially dangerous protocols to be used from behind an HTTP proxy:

  • E-mail
  • IRC
  • ICQ
  • News
  • AIM
  • FTP
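On the defending side, the HTTP proxy’s own access log is the place to look for such tunnels. As an added example (not a tool from the post), this Python script audits constructed Squid-style access log lines and flags CONNECT requests to ports other than 443, and tunnels that stay up for an hour or more, both typical of a non-web protocol such as IRC or mail being carried over the proxy. The log lines, hosts, the allowed-port set and the duration threshold are constructed assumptions.

```python
import re

# Constructed Squid-style access log (not from the page): a normal GET, a normal
# HTTPS CONNECT, and two long-lived CONNECT tunnels to IRC and SMTP ports.
SAMPLE_ACCESS_LOG = """\
1457431201.101    320 10.0.0.5 TCP_MISS/200 5123 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1457431202.555   1800 10.0.0.5 TCP_TUNNEL/200 9870 CONNECT login.example.com:443 - HIER_DIRECT/203.0.113.9 -
1457431210.002 7200000 10.0.0.9 TCP_TUNNEL/200 31337 CONNECT 198.51.100.23:6667 - HIER_DIRECT/198.51.100.23 -
1457431215.777 3600000 10.0.0.9 TCP_TUNNEL/200 123456 CONNECT relay.example.net:25 - HIER_DIRECT/198.51.100.24 -
"""

# Squid native format: unix time, elapsed ms, client, result/status, bytes, method, URL, ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

ALLOWED_CONNECT_PORTS = {443}  # assumption: only HTTPS may be tunnelled
LONG_TUNNEL_MS = 60 * 60 * 1000  # assumption: an hour-long tunnel deserves a look


def audit_connect_tunnels(text, allowed_ports=ALLOWED_CONNECT_PORTS, long_ms=LONG_TUNNEL_MS):
    """Return one finding per CONNECT request that violates the tunnelling policy."""
    findings = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue  # plain GET/POST traffic is not a tunnel
        _host, _, port_text = m["url"].rpartition(":")
        port = int(port_text) if port_text.isdigit() else None
        reasons = []
        if port not in allowed_ports:
            reasons.append(f"CONNECT to non-standard port {port}")
        if int(m["elapsed_ms"]) >= long_ms:
            reasons.append("long-lived tunnel")
        if reasons:
            findings.append({"client": m["client"], "target": m["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_connect_tunnels(SAMPLE_ACCESS_LOG):
        print(f"{f['client']} -> {f['target']}: {', '.join(f['reasons'])}")
```

Restricting CONNECT to port 443 at the proxy is the usual hardening step; the audit is still worth running because tunnelling tools can also wrap their traffic in ordinary-looking GET and POST requests, which this check does not cover.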

IP Spoofing Techniques

A hacker can spoof an IP address when scanning target systems to minimize the chance of detection. One drawback of spoofing an IP address is that a TCP session can’t be successfully completed.
Source routing lets an attacker specify the route that a packet takes through the Internet. This can also minimize the chance of detection by bypassing IDS and firewalls that may block or detect the attack. Source routing uses a reply address in the IP header to return the packet to a spoofed address instead of the attacker’s real address.
To detect IP address spoofing, you can compare the time to live (TTL) values: the attacker’s TTL will be different from the spoofed address’s real TTL.
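The TTL check in the last paragraph can be automated. As an added example (not from the original post), this Python function infers the hop distance of each packet from its observed TTL, assuming the common initial TTL values 32, 64, 128 and 255, and compares it with the hop distance previously learned for the claimed source address; a large mismatch is marked suspicious. The baseline table and packet records are constructed. The heuristic cannot catch a spoofer who sits at the same distance as the address being spoofed, and a small tolerance is needed because routes change.

```python
# Initial TTLs used by common operating systems; the smallest one at or above the
# observed value is taken as the sender's starting TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(ttl):
    """Estimate how many routers a packet crossed from its observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


# Constructed baseline: hop distance to each source, learned earlier from traffic
# of completed TCP connections (a spoofer cannot complete those, as noted above).
KNOWN_HOPS = {"192.0.2.10": 12, "198.51.100.4": 5}

# Constructed captured packets: (claimed source address, TTL seen on the wire).
SAMPLE_PACKETS = [
    ("192.0.2.10", 52),    # 64 - 52 = 12 hops: matches the baseline
    ("192.0.2.10", 116),   # 128 - 116 = 12 hops: different OS class, same distance
    ("198.51.100.4", 59),  # 64 - 59 = 5 hops: matches
    ("198.51.100.4", 44),  # 64 - 44 = 20 hops: far from the 5 hops we know
    ("203.0.113.77", 240), # no baseline for this address
]


def detect_ttl_anomalies(packets, known_hops, tolerance=2):
    """Label each packet consistent, suspicious or unknown against the hop baseline."""
    verdicts = []
    for src, ttl in packets:
        hops = infer_hops(ttl)
        expected = known_hops.get(src)
        if expected is None:
            verdict = "unknown"       # nothing to compare against yet
        elif abs(hops - expected) > tolerance:
            verdict = "suspicious"    # claimed source is not where this packet came from
        else:
            verdict = "consistent"
        verdicts.append((src, ttl, hops, verdict))
    return verdicts


if __name__ == "__main__":
    for src, ttl, hops, verdict in detect_ttl_anomalies(SAMPLE_PACKETS, KNOWN_HOPS):
        print(f"{src:15} ttl={ttl:3} hops={hops:2} {verdict}")
```

Because the comparison is on hop count rather than raw TTL, a host that changes operating system (initial TTL 64 versus 128) is not flagged, while a packet that claims a nearby address but arrives from far away is.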

Five Phases of Hacking

These are the phases a hacker must follow to carry out a successful attack. The more closely all the phases are followed, the stealthier the attack will be.

Phases of hacking:
1. Reconnaissance: This is the primary phase, in which the hacker tries to collect as much information as possible about the target. It includes identifying the target and finding out the target’s IP address range, network, domain name registration records, mail server records, DNS records, etc.
2. Scanning: This forms the base of hacking; this is where planning for the attack actually begins. After reconnaissance, the attacker scans the target for running services, open ports, firewall detection, vulnerabilities, operating system detection, etc.
3. Gaining access: After scanning, the hacker designs a blueprint of the target’s network with the help of the material collected during phases 1 and 2. The attacker then executes the attack based on the vulnerabilities identified during scanning. After a successful attack, he gains access to the target network.
4. Maintaining access: After gaining access, the attacker escalates privileges to root/admin and uploads a piece of code (usually called a backdoor) on the target network so that he always maintains the gained access and can connect to the target at any time.
5. Covering tracks: After gaining and maintaining access, the hacker exploits the weakness and hacks the network or misuses the access. Then comes the important phase: covering the tracks. To avoid being traced and caught, the hacker clears all traces by clearing all kinds of logs and deleting the uploaded backdoor and any related material that may later reveal his presence.