Ethical Hacking: Scanning Networks

Pluralsight is not an official partner or accredited training center of EC-Council. You know how to recon your target; now it's time to learn how to dig around what you've found for important, relevant data in preparation for your attack.
Course info
Rating: (260)
Level: Beginner
Updated: Oct 2, 2018
Duration: 3h 50m
Table of contents
Overview of Scanning
Understanding the 3-way Handshake
Checking for "Live" Systems and Their Open Ports
Types of Scanning
Banner Grabbing and OS Fingerprinting
Vulnerability Scanning and Drawing Out the Network
Preparing Proxies and Other Anonymizing Techniques
Description

After reconnaissance, we need to scan for the basics, which is a bit like knocking on all the doors to see who is home and what they look like. Then, when you find a machine that's "live", we need to get to know it really well, asking some rather personal questions such as "what OS are you running?", "what applications are you running?" and "which ports are listening on the network?". We'll go over everything you'll need to know for the exam regarding scanning, and play with some pretty fun tools along the way. This course is part of the Ethical Hacking Series: http://blog.pluralsight.com/learning-path-ethical-hacking

About the author

Dale Meredith received his Certified Ethical Hacker and Certified EC-Council Instructor certifications back in 2006, and has been a Microsoft Certified Trainer since 1998 (yes, we had computers back then). Dale takes great pride in helping students comprehend and simplify complex IT concepts.

Section Introduction Transcripts

Types of Scanning
Listen, the one thing that an attacker or a pen tester doesn't want to do is be visible when he's doing his scanning. In this module, we're going to go through and take a look at the types of scanning that we can accomplish. Some of them are a little sneaky, while others are pretty blatant. Again, if you remember from our previous module, we talked about looking for live systems, and, you know, here comes the Star Trek geek in me. What we're doing here is we're, again, scanning for signs of life, but we want to do it, and thank Spock for that quote, I appreciate that, "Live long and prosper," we want to be able to do this again so that we're not recognized as doing what we're doing. So we'll go through in this module and we'll take a look at a, oh, yes, I get to use my word again, a plethora of different ways that we can scan. One of the ways that we'll look at is called a full scan. It's extremely noisy. It's very blatant and very easily detectable. But we'll also go through and take a look at half-open scans and also take a look at a Xmas tree scan, as well as a FIN scan. Now some of these should be looking familiar to you because we talked about the 3-way handshake, and now you'll understand where this comes into play. We'll also go through and take a look at what they refer to as a Null scan, null meaning nothing, and we'll take a look at doing UDP scans. We'll also go through and take a look at different ways that we can avoid being detected by intrusion detection systems. And, of course, we probably want to know what some of the countermeasures are. As a security expert, this is great that you know these scans are being done, but what are the countermeasures for them? So, get your tricorders and let's get scanning!
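
The scan types the module lists (full connect, half-open SYN, FIN, Xmas, Null) differ only in which TCP flags the probe carries and in how an RFC 793 stack answers them. The following is an added example, not course material and not a Pluralsight or EC-Council tool: it builds each probe's raw TCP header and runs it against a simulated target that applies the RFC 793 rules (closed port answers RST, open port answers SYN/ACK to a SYN and silently drops anything without SYN), optionally with the behaviour of Windows and many Cisco devices, which send RST to FIN/Xmas/Null probes even on open ports. The simulated host `rfc793_target`, the port numbers and all function names are assumptions of the example, chosen so the open/closed/filtered verdicts and the built-in ambiguity of FIN/Xmas/Null scans can be seen without a live host.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The probe each scan type sends.  "full" and "syn" both open with SYN;
# they differ in what the scanner does after the SYN/ACK comes back.
SCAN_FLAGS = {
    "full": SYN,               # connect(): completes the 3-way handshake
    "syn":  SYN,               # half-open: RST instead of the final ACK
    "fin":  FIN,
    "xmas": FIN | PSH | URG,   # "lit up like a Christmas tree"
    "null": 0,                 # no flags at all
}

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Raw 20-byte TCP header, no options.  Checksum is left at 0 here; a
    raw-socket sender (or the kernel) fills it in on the wire."""
    data_offset = 5 << 4                      # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)

def parse_flags(header):
    return struct.unpack("!HHIIBBHHH", header)[5]

def rfc793_target(open_ports, filtered_ports=(), rst_to_non_syn=False):
    """Simulated host (an assumption of this example, not a real stack).
    Returns a function mapping a probe header to the reply flags, or None
    when nothing comes back.  rst_to_non_syn=True mimics stacks such as
    Windows and many Cisco devices that answer FIN/Xmas/Null probes with
    RST even on open ports, which makes those scans useless against them."""
    def respond(header):
        dst_port = struct.unpack("!HH", header[:4])[1]
        flags = parse_flags(header)
        if dst_port in filtered_ports:
            return None                       # firewall drops the probe silently
        if dst_port not in open_ports:
            return RST | ACK                  # closed port: RST, whatever the flags
        if flags & SYN:
            return SYN | ACK                  # open port: step two of the handshake
        if flags & (ACK | RST):
            return None                       # our handshake ACK or teardown RST
        return RST | ACK if rst_to_non_syn else None   # FIN/Xmas/Null: RFC 793 says drop
    return respond

def interpret(scan, reply):
    """Turn the reply into the port state a scanner would report."""
    if scan in ("full", "syn"):
        if reply is not None and reply & SYN and reply & ACK:
            return "open"
        if reply is not None and reply & RST:
            return "closed"
        return "filtered"                     # SYN swallowed: something in the path
    # FIN / Xmas / Null: only a RST is conclusive; silence is ambiguous
    if reply is not None and reply & RST:
        return "closed"
    return "open|filtered"

def scan_port(scan, port, target, src_port=40000):
    """Probe `port` on the simulated target with the given scan type.
    Returns (state, handshake_completed); the second value is what
    decides whether the application on that port ever logs us."""
    probe = build_tcp_header(src_port, port, SCAN_FLAGS[scan])
    state = interpret(scan, target(probe))
    handshake_completed = False
    if state == "open" and scan == "full":
        target(build_tcp_header(src_port, port, ACK, seq=1, ack=1))  # step three
        handshake_completed = True           # accept() returns: visible to the app
    elif state == "open" and scan == "syn":
        target(build_tcp_header(src_port, port, RST, seq=1))         # tear down early
    return state, handshake_completed

if __name__ == "__main__":
    host = rfc793_target(open_ports={22, 80}, filtered_ports={443})
    for scan in SCAN_FLAGS:
        print(scan, {p: scan_port(scan, p, host) for p in (22, 23, 443)})
```

Two things worth noticing when you run it: a SYN scan on a filtered port reports "filtered" because a SYN to an open or closed port always gets some answer, whereas a FIN/Xmas/Null scan can only ever say "open|filtered", since a compliant stack is silent in both cases; and against a host modelled with `rst_to_non_syn=True` every port looks closed to those stealthier scans, which is why a SYN scan is still the default choice.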

Banner Grabbing and OS Fingerprinting
So we've gone through and we've found our live targets. We've scanned them to see which ports were open. Our next step is to go and try to identify the systems, and how we're going to do that, and when I say identify, I'm talking about very, very specifically finding out what operating systems and what applications are possibly running on that machine. We're going to do that with banner grabbing and OS fingerprinting. You know, and I guess maybe the best way to sum up what this module is about was best phrased by the famous scholar Joey Tribbiani, who said, "How you doin'?" That's exactly what we're doing here. We're trying to get to know the system, the target. We're trying to identify it. So we'll go through and we'll take a look at OS fingerprinting, which is the process of going through and identifying the operating system by the way that it responds to certain types of packets we're going to send to it. Now there's something else we can do; it's called banner grabbing. This is a very direct way of identifying the system, and it's something you can't stop as an IT professional. It's just the way that operating systems are designed to work: they respond a specific way to different requests. And then eventually we'll go through and take a look at our countermeasures. Again, there are some things that you can't stop, but remember, my purpose as an ethical hacker is to slow the attacker down. I can't stop them. You're going to give yourself a heart attack thinking you can stop them, but you can't.
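
Banner grabbing, as the module describes it, is nothing more than connecting to a port and reading what the service says about itself. The following is an added example, not course material: it runs a throwaway listener on 127.0.0.1 that sends a constructed banner, grabs it with a plain socket, and parses the greeting formats most often seen (the SSH version string, the HTTP `Server:` header, and the SMTP/FTP `220` line) into service, product and version. The banners, hostnames and version strings are made up for the demo, and the last-word fallback for `220` lines is a heuristic of this example, not anything a standard defines.

```python
import re
import socket
import threading

# Constructed banners in the formats the real services use (demo data).
SAMPLE_BANNERS = {
    "ssh":  b"SSH-2.0-OpenSSH_7.4\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
    "ftp":  b"220 (vsFTPd 3.0.3)\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
            b"Content-Length: 0\r\n\r\n",
}

def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect and read the service's first bytes.  SSH, SMTP and FTP
    greet on their own; HTTP only answers after a request, so pass one
    as `probe`."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024)

def identify(banner):
    """Heuristic parse of a banner into service, product and version.
    version is None when the banner does not disclose it."""
    text = banner.decode("latin-1", "replace")
    first = text.strip().splitlines()[0].strip() if text.strip() else ""
    result = {"service": "unknown", "product": None, "version": None}
    if first.startswith("SSH-"):                       # SSH-2.0-OpenSSH_7.4 [comment]
        result["service"] = "ssh"
        m = re.match(r"SSH-\d\.\d+-([^\s_]+)(?:_(\S+))?", first)
        if m:
            result["product"], result["version"] = m.group(1), m.group(2)
    elif first.startswith("HTTP/"):                    # status line + headers
        result["service"] = "http"
        m = re.search(r"^Server:\s*(.+?)\s*$", text, re.MULTILINE | re.IGNORECASE)
        if m:                                          # "Apache/2.4.41 (Ubuntu)"
            product, _, rest = m.group(1).partition("/")
            result["product"] = product.strip()
            result["version"] = rest.split()[0] if rest.strip() else None
    elif first.startswith("220"):                      # SMTP / FTP greeting
        result["service"] = "smtp" if re.search(r"\bE?SMTP\b", first) else "ftp"
        body = first[3:].strip().strip("()")
        m = re.search(r"([A-Za-z][A-Za-z0-9.-]*?)[ /]v?(\d+(?:\.\d+)+[\w-]*)", body)
        if m:                                          # "vsFTPd 3.0.3"
            result["product"], result["version"] = m.group(1), m.group(2)
        elif body.split():
            result["product"] = body.split()[-1]       # heuristic: "... ESMTP Postfix"
    return result

def start_listener(banner, wait_for_request=False):
    """One-shot listener on 127.0.0.1 that plays the target service.
    Returns the port it bound; the socket is closed after one client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)                        # HTTP: read the request first
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        port = start_listener(banner, wait_for_request=(name == "http"))
        probe = b"HEAD / HTTP/1.0\r\n\r\n" if name == "http" else b""
        print(name, identify(grab_banner("127.0.0.1", port, probe)))
```

The parser trusts whatever the banner says, which is exactly the limit of the countermeasure the module hints at: an administrator can trim or change the banner so the version field comes back empty, but cannot stop the connection or the read, and the stack behaviour that OS fingerprinting reads is untouched by a changed banner.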

Preparing Proxies and Other Anonymizing Techniques
Okay, so we've gone through and before we actually start attacking systems or launching our attack at a company, we need to first go through and do a couple of things. One of them is preparing our proxies and there are also other ways that we can use different anonymizing techniques to kind of hide who we are and where we're coming from. I think a great quote representing this technique was done by a famous Parowan who grew up to be a Jedi. Obi-Wan once said, "these are not the droids you're looking for, " and that's what we want to do here is we want to create this environment where it's almost like a magician in this direction. Look over here while I attack you from here. So first we'll go through and take a look at placing the blame on someone else and that's what we do. In this world where we have hundreds of thousands of devices hooked up, why not utilize them to go through and create proxies? So we'll look at what is a proxy and when I say them, I'm not talking about them personally, but more to the point they're systems. We'll also take a look at why we use a proxy and then of course, how do you use a proxy? Then we'll take a look at a technique that's being utilized today that's really scary; it should have you very concerned. It's called HTTP Tunneling. So when you see it, trust me, you'll go, wait a minute; my users can do what? And of course we'll also take a look at some other types of anonymizers that are out there. So let's go take a look at those droids.