Basic hacking techniques - Part II

***** Scanning *****
=== Author: Fantomas311 ===

If the Foot Printing is collecting all the information related to the target organization, the Scan is a step that determines whether the other is "usable" with ping scans, port scans and tools. automatic detection

If the zone transfer technique gives us an IP address, the scan will help us determine which port it is and whether it is a real IP or not. There are some servers that display both IPs of private networks (eg 10.10.10.0). Such an IP address cannot be routed (see http://www.ietf.org/rfc/rfc1918.txt for more details).

The most basic insights to becoming a Hacker - Part 1

++ Scanning Ping Network: In addition to the traditional ping scan by opening the DOS window and tyoe Ping command as we all know, there are some other ping scan types such as:
+ Fping: used in Unix (http://ftp.tamu.edu/pub/Unix/src) fping is a utility that sends mass ping requests in parallel so fping scans more IP addresses compared to ping
+ Nmap (http://insecure.org/nmap): Perhaps there is no need to say much about this utility, there are quite a few full instructions on how to use and function of nmap on the network. Nmap provides ping scanning with -sP option
+ Pinger: used for Windows, the free product of Rhino9 (http://207.98.195.250/software/) is one of the fastest utilities available.
+ Ping Sweep: Solarwinds products, run quite fast, but this tool can saturate a network with a slow link (This is not good in Vietnam, so do not introduce details)
+ WS Ping Proback (http://www.ipswich.com) and netscan tools (http://www.nwpsw.com) enough to scan a small, handy network and simple interface, but rather slow versus pinger and ping sweep. Beginners should use this type!

Basically, ping is the process of sending and receiving ICMP (Internet Control Messaging Protocol) packets. What if ICMP is blocked by the network administrator of the target site? A typical case is when the type of command that pings a domain without receiving any reply, then ICMP at the edge router is blocked or has an established fire wall. In this case we have two options:

+ Ignore the ping scan that performs port scan (port Scan): Will be covered later in this article.

+ Perform TCP ping:

- Use Nmap with -PT option. This option sends TCP SYN packets to the destination network and waits for a response, the "live" host systems respond with a TCP SYN / ACK packet. This method is quite effective to determine if the server is alive even if the domain has blocked ICMP. You should repeat this type of scan several times on common ports like SMTP (25), POP (110), IMAD (143), or ports may be unique for certain areas

- HPing (http://www.kyuzz.org/antirez/) is another TCP ping utility with additional TCP capabilities over Nmap. Hping allows users to control specific TCP packet options that can allow it to go through certain access control devices. By assigning a destination port with the -P option, you can break down some access control devices similar to the trace route techniques mentioned in Part I that can use Hping to perform ICMP scans and possibly assign [fragment] piece of packets with potential to ignore some access control devices .Hping will be mentioned in more detail later.

In summary, this step allows to correctly determine whether the systems are alive via ICMP or through selective scanning port. In doing so, we have significantly reduced the process of targeting, saving time for testing and narrowing the focus of activities.

++ ICMP query: You can collect all kinds of valuable information about a system by simply sending an ICMP packet to it, the tools can be downloaded at http://securityfocus.com

++ Scanning port (port scan): At this point, we have identified live systems using scans of ICMP or TCP pings and collected some ICMP information. Now we are ready to scan each system port. Port scanning is the process of connecting TCP and UDP ports on the destination system to determine which services are running or are in LISTENNING status. We must identify the ports that are waiting if we want to determine the type of operating system and the applications we are using. Listenning services can allow an unauthorized user to gain access to misconfigured systems. Here, we consider that the systems we identified in the previous step are alive (alive), the goal of port scanning is:

+ Identify running TCP and UDP services on the target system
+ Identify the type of operating system of the target system
+ Identify specific applications or versions of a specific service

** Types of scanning: before introducing major port scanning tools, we must consider the available port scanning techniques:

* TCP connection scan: this type of scan connects to the destination port and completes a full three-way handshake (SYN, SYN / ACK, ACK) the target system can easily detect it. TCP three-way handshake process includes:

= Send SYN packet to server
= Receive a SYN / ACK packet from the server
= Send the ACK packet to the server

* TCP SYN scan: this technique is to perform a full TCP connection, ie: sending a SYN packet to the destination port, we can deduce it is in listenning state. If an RST / ACK is received, it usually indicates that the port is not waiting: a RST / ACK will be sent by the system to perform port scanning so that a full pot route is never set. is more sneaky than a full TCP connection.

* Scanning TCP FIN: This technique sends a FIN packet to the destination port. Based on RFC 793 (http://www.ietf.org/rfc/rfc0793.txt) the target system will return an RTS to all closed ports. This technique usually works only on TCP / IP stacks. original Unix.

Here's how I hack 40 websites in 7 minutes

* TCP Xmas Tree scan: This technique sends a FIN packet, URG and PUSH to the destination port based on RFC 793, the destination system sends a RST of all closed ports.

* Scan TCP Null: same as TCP Xmas Tree

* UDP scan: This technique sends a UDP packet to the destination port. If the destination port responds with an "ICMP port unreachable" message, the port is closed. On the contrary, if we don't receive the above message, we can infer the open gate! The accuracy of this technique depends very much on factors related to the use of network and system resources. When performing UDP port scans, the results may vary. Some IP implementations will return all RTSs of all scanned ports whether they are waiting or not

* Identifying running TCP and UDP services: The utility of a best port scanning tool is an important component of the imprinting process. Although there are many port scanners available for both Unix and NT, I will mention some common and fast port scanners:

- Strobe: strobe is one of the fast and reliable TCP scanners available, written by Julian Arrange (ftp.win.or.jp/pup/network/misc/strobe-105.ta.gz) Some counts Strobe's main features include the ability to optimize network, system resources and scan destination systems effectively. In addition to efficiency, strobe's version 1.04 will later hold the combined banners of each port they connect to. This can help identify the operating system and the running service. The banner hold feature will be more talked about in Part III
However, Strobe also has some disadvantages: it does not provide UDP scanning capabilities and the target system can be easily detected

- Up_Scan: If Strobe provides TCP scanning, Up_Scan is one of the most reliable UDP scanners (http://wwdsilx.wwdsi.com) Disadvantages: easily detected

- Netcat: this utility can do a lot of work, just like nmap, it is an indispensable tool in hacking as well as security. To scan TCP and UDP, use the -v and -vv, -z, -wz, -u options

- PortPro and PortScan: In WinNT, portPro and PortScan are the two fastest port scanning utilities. PortPro by StOrM (http://securityfocus.com) and portScan are Rhad's products. PortScan provides a port domain to scan while the portpro simply increments its ports, but both do not provide IP address domains .Portpro is one of the fastest port scanning tools available, however Its options are limited!

- In addition, the strongest port scanning tool is still nmap (introduced in the previous section).

** Automatic detection tools:

+ Cheops (http://www.marko.net/cheops/) provides ping scanning, trace route, port scanning capabilities and OS detection feature
+ Tkined is part of the Scotty suite available at http://wwwhome.cs.wtwente.nl/~choenw/Scotty/ is a network editor written in TCL that integrates various network management tools, allowing You detect IP networks.

Part II - Next will be Part III - Enumeration

See Part I: Basic Hacking Techniques - Part I

See section 3: Basic hacking techniques - Attendance - Part III