Module Objectives


After identifying the target system and performing the initial reconnaissance as discussed in the Footprinting and Reconnaissance module, attackers begin to search for an entry point into the target system. It should be noted that the scanning itself is not the actual intrusion, but an extended form of reconnaissance in which the attacker learns more about his/her target, including information about operating systems, services, and any configuration lapses. The information gleaned from this reconnaissance helps the attacker select strategies for the attack on the target system or network.
This module starts with an overview of network scanning and provides an insight into various techniques that can be used to check for live systems and open ports. It goes on to discuss various scanning techniques and ends with an overview of penetration testing (also called pen-testing) steps that an ethical hacker should follow to perform the security assessment of the target.
At the end of this module, you will be able to:
■    Describe the network scanning concepts
■    Use various scanning tools
■    Perform scanning to check for live systems and open ports
■    Perform scanning by using various scanning techniques
■   Scan beyond intrusion detection system (IDS) and firewall
■    Perform banner grabbing
■    Draw network diagrams using network discovery tools
■    Perform scanning penetration testing

Network Scanning Concepts
As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase in order to gather more detailed information about the target.

Overview of Network Scanning


Scanning is the process of gathering additional detailed information about the target by using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. It is one of the most important phases of intelligence gathering for an attacker, as it enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information including the specific IP addresses that can be accessed over the network, the target's operating system and system architecture, and the services running on each computer. The purpose of scanning is to discover exploitable communication channels, probe as many listeners as possible, and keep track of the ones that are responsive or useful to an attacker's particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more about the target system to find out if there are any configuration lapses in it. The attacker then uses the information obtained during the scan to develop an attack strategy.

Types of Scanning


■ Port Scanning - Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports on the target system to determine if the services are running or are in a listening state. The listening state provides information about the operating system and the application currently in use. Sometimes, active services that are listening may allow unauthorized user access to misconfigured systems or to software with vulnerabilities.

■    Network Scanning - Lists IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.

■ Vulnerability Scanning - Shows the presence of known weaknesses. Vulnerability scanning is a method used to check whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains the logic for reading the exploit list, transferring the request to the Web server, and analyzing the responses to assess the safety of the server. These tools generally target vulnerabilities that can be fixed easily through secure host configuration, up-to-date security patches, and a clean set of Web documents.
The access points that a thief who wants to break into a house looks for are the doors and windows. These are usually the house's points of vulnerability, as they are easily accessible. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. A general rule for computer systems is that the more open ports a system has, the more vulnerable it is. However, there are cases in which a system has fewer open ports than another machine, but the open ports present a much higher level of vulnerability.
Objectives of Network Scanning
The more information at hand about a target organization, the greater the chances of discovering the network's security loopholes and, consequently, of gaining unauthorized access to it.
Below are some objectives for scanning a network:

■    Discover the network's live hosts, IP addresses, and the open ports of the live hosts. Using the open ports, the attacker determines the best means of entry into the system.
■    Discover the operating system and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the operating system's vulnerabilities.
■    Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities in those services that could be exploited to gain access to the target system.
■    Identify specific applications or versions of a particular service.
■    Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the target system or network through various exploits.

TCP Communication Flags


The TCP header contains various flags that control the transmission of data across a TCP connection. Six TCP control flags manage the connection between hosts and give instructions to the system. Four of these flags (namely SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. The other two flags (namely PSH and URG) provide instructions to the system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this section is 6 bits. When a flag value is set to "1," that flag is turned on.
The following are the TCP communication flags:
■ Synchronize alias "SYN": It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (3-way handshake) between two hosts.
■ Acknowledgement alias "ACK": It confirms the receipt of transmission and identifies next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1," implying that the receiver should pay attention to it.
■ Push alias "PSH": When its flag is set to "1," it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the time of start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
■ Urgent alias "URG": It instructs the system to process the data contained in packets as soon as possible. When the system sets the flag to "1," the remote system gives priority to the urgent data and processes it first, stopping all the other data processing.

■    Finish alias "FIN": Its flag is set to "1" to announce that the sender will not send any more transmissions to the remote system, and it terminates the connection established by the SYN flag.
■ Reset alias "RST": When there is an error in the current connection, its flag is set to "1" and it aborts the connection in response to the error. Attackers make use of this to scan hosts in search of open ports.
SYN scanning mainly deals with three of the flags: SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
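As an added example (not code from the module), the following Python script decodes the six control flags from the flag byte of a raw 20-byte TCP header, which is the same information a packet-capture or IDS tool inspects when it classifies probes, and labels the flag combination with the scan names used in this module. The header bytes are constructed with a small builder (checksum left at zero) so the script runs offline; the port and sequence numbers are assumptions for the example.

```python
import struct

# TCP flag bits in the flag byte (13th byte of the header), low bit first:
# FIN, SYN, RST, PSH, ACK, URG.  The two high bits (ECE, CWR) are ignored here.
TCP_FLAGS = (
    (0x01, "FIN"),
    (0x02, "SYN"),
    (0x04, "RST"),
    (0x08, "PSH"),
    (0x10, "ACK"),
    (0x20, "URG"),
)


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header of a raw segment.

    Returns a dict with ports, sequence/ack numbers, data offset and the set
    of control flags that are set.  Raises ValueError on short input.
    """
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    # !HHIIBBHHH: src port, dst port, seq, ack, data offset/reserved,
    # flags, window, checksum, urgent pointer (network byte order)
    sport, dport, seq, ack, offset_res, flags, window, _chksum, urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (offset_res >> 4) * 4, "window": window, "urg_ptr": urg,
        "flags": {name for bit, name in TCP_FLAGS if flags & bit},
    }


def classify_segment(flags):
    """Label a segment by its flag combination, the way a scan detector would.

    A bare SYN opens a handshake (or is a half-open probe), SYN+ACK is the
    listener's reply, FIN+PSH+URG is an 'Xmas' probe, no flags at all is a
    'NULL' probe, and RST marks an abort or a closed-port reply.
    """
    f = frozenset(flags)
    if f == frozenset():
        return "NULL probe"
    if f == {"FIN", "PSH", "URG"}:
        return "Xmas probe"
    if f == {"SYN"}:
        return "SYN (handshake start / half-open probe)"
    if f == {"SYN", "ACK"}:
        return "SYN/ACK (listener reply)"
    if "RST" in f:
        return "RST (abort / closed port)"
    if f == {"ACK"}:
        return "ACK (established or ACK probe)"
    if f == {"FIN"}:
        return "FIN (close / FIN probe)"
    return "other: " + "+".join(sorted(f))


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header for testing (checksum left at 0)."""
    flag_byte = 0
    for bit, name in TCP_FLAGS:
        if name in flags:
            flag_byte |= bit
    # data offset 5 (20 bytes, no options) in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                       flag_byte, window, 0, 0)


if __name__ == "__main__":
    # Constructed probes: a handshake SYN, an Xmas probe and a NULL probe
    for flags in ({"SYN"}, {"FIN", "PSH", "URG"}, set(), {"RST", "ACK"}):
        hdr = build_tcp_header(40000, 80, flags, seq=1000)
        parsed = parse_tcp_header(hdr)
        print(f"{parsed['sport']} -> {parsed['dport']} "
              f"flags={sorted(parsed['flags'])}: {classify_segment(parsed['flags'])}")
```

The same decoder can be pointed at TCP headers taken from a pcap (after stripping the link and IP layers); the classification is deliberately strict, so a segment with an unexpected mix of flags falls through to the "other" label rather than being silently accepted as normal traffic.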

TCP/IP Communication


TCP is connection-oriented: a connection is established before any data is transferred between applications. This connection is set up through the process of the three-way handshake.
TCP Session initiates using a three-way handshake mechanism:
■    To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the destination (10.0.0.3:21).
■    On receiving the SYN packet, the destination responds by sending a SYN/ACK packet back to the source.
■   The ACK packet confirms the arrival of the first SYN packet to the source.
■    To conclude, the source sends an ACK packet for the ACK/SYN packet transmitted by the destination.
■ This triggers an "OPEN" connection, allowing communication between the source and the destination; this continues until one of them issues a "FIN" or "RST" packet to close the connection.
The TCP protocol maintains stateful connections for all connection-oriented protocols throughout the Internet, and works like an ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end, until a person picks up the receiver and says, "Hello."
The system terminates the established TCP Session as follows:
After completing all the data transfers through the established TCP connection, the sender sends a connection termination request to the receiver by sending a FIN or RST packet. Upon receiving the connection termination request, the receiver acknowledges the termination request by sending an ACK packet to the sender and finally sends its own FIN packet; then the system terminates the established connection.

Creating Custom Packet Using TCP Flags


Packet Crafting Tools
Packet crafting tools are used to generate and analyze network traffic. These tools craft and send packet streams by using different protocols at different transfer rates.
■ Colasoft Packet Builder
Source: http://www.colasoft.com
Colasoft Packet Builder is a tool that allows an attacker to create custom network packets and helps security professionals to assess the network. The attacker can select a TCP packet from the provided templates and change the parameters in the decoder editor, hexadecimal editor, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder supports saving packets to packet files and sending packets to the network.
There are three views in the Packet Builder: Packet List, Decode Editor, and Hex Editor.
o The Packet List displays all constructed packets. When you select one or more packets in the Packet List, the first highlighted packet displays in both Decode Editor and Hex Editor for editing.
o In the Hex Editor, the data of the packet are represented as hexadecimal values and ASCII characters; nonprintable characters are represented by a dot in the ASCII section. You can edit either the hexadecimal values or the ASCII characters.
o The Decode Editor allows the attacker to edit packets without remembering value lengths, byte orders, and offsets. You can select a field and change its value in the edit box.



To create a new packet, use the Add or Insert Packet command in the Edit menu or on the toolbar.
The attacker can send a constructed packet to the wire directly and control how Colasoft Packet Builder sends the packets, specifying, for example, the interval between packets, the number of loops, and the delay between loops.
This packet builder audits networks and checks network protection against attacks and intruders. Attackers may use this packet builder to create fragmented packets to bypass network firewalls and IDS systems. They can also create packets and flood the victim with a very large number of packets, which could result in denial-of-service attacks.
Some of the packet crafting tools include:
■    NetScanTools Pro (https://www.netscantools.com)
■    Ostinato (http://ostinato.org)
■    WAN Killer (http://www.solarwinds.com)
■    Packeth (http://packeth.sourceforge.net)
■    LANforge FIRE (http://www.candelatech.com)
■    Bit-Twist (http://bittwist.sourceforge.net)
■    WireEdit (https://wireedit.com)


Scanning in IPv6 Networks


IPv6 increases the size of the IP address space from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques are computationally less feasible because of the larger search space (64 bits of host address space, or 2^64 addresses) provided by IPv6 in a subnet. Scanning in an IPv6 network is more difficult and complex when compared to IPv4. Additionally, a number of scanning tools do not support ping sweeps on IPv6 networks. Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from" and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. Scanning an IPv6 network, however, offers a large number of hosts in a subnet; if an attacker can compromise one subnet host, he can probe the "all hosts" link-local multicast address, or exploit the fact that host numbers are sequential or follow some regular scheme. Otherwise, an attacker needs to probe 2^64 addresses to verify whether a particular open service is running on a host in that subnet. At a conservative rate of one probe per second, such a scan would take about 5 billion years to complete.



Scanning Tools


Scanning tools scan and identify live hosts, open ports, and running services on a target network, along with location information, NetBIOS information, and details of all open TCP and UDP ports. The information obtained from these tools assists an ethical hacker in creating a profile of the target organization and in scanning the network for open ports on the connected devices.


■ Nmap
Source: https://nmap.org
Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Either a network administrator or an attacker can use this tool for their specific needs. Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions. Nmap includes a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Some of the features of Nmap are:
o It scans vast networks of literally hundreds of thousands of machines.
o It supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. Nmap includes many port scanning mechanisms (TCP and UDP), OS detection, version detection, ping sweeps, and so on.


■ Hping2 / Hping3

Source: http://www.hping.org
Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol suite that sends ICMP echo requests and supports the TCP, UDP, ICMP, and raw-IP protocols. It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, and other functions. Hping2/Hping3 has a Traceroute mode and the ability to send files between covert channels. It can send custom TCP/IP packets and display target replies, as a ping program does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and uses them to transfer encapsulated files under the supported protocols. It supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services.
An attacker studies the behavior of an idle host to gain information about the target, such as the services that the host offers, the ports supporting the services, and the operating system of the target. This type of scan is a predecessor to either heavier probing or outright attacks.
The following are some of the features of Hping2/Hping3:
o It determines whether the host is up even when the host blocks ICMP packets.
o It aids advanced port scanning and tests network performance using different protocols, packet sizes, TOS, and fragmentation.
o Manual path MTU discovery
o Firewalk-like usage allows discovery of open ports behind firewalls.
o Remote OS fingerprinting and TCP/IP stack auditing




ICMP Scanning

A ping sweep, or Internet Control Message Protocol (ICMP) scanning, is the process of sending an ICMP request (ping) to all hosts on the network to determine which ones are up.
Operating systems, routers, switches, and other IP-based devices use this protocol, through the ping command's Echo request and Echo reply, as a connectivity tester between different hosts.
ACK Scanning on Port 80
You can use this scan technique to probe for the existence of a firewall and its rule sets. Simple packet filtering allows you to establish a connection (packets with the ACK bit set), whereas a sophisticated stateful firewall does not allow you to establish a connection.



Hping Commands

Below are various Hping commands:
■    ICMP ping
Ex. hping3 -1 10.0.0.25
Hping performs an ICMP ping scan when the argument -1 is specified on the command line. You may use either the --icmp or the -1 argument. By issuing the above command, Hping sends an ICMP echo request to 10.0.0.25 and receives an ICMP reply, the same as with a ping utility.
■    ACK scan on port 80
Ex. hping3 -A 10.0.0.25 -p 80
Hping can be configured to perform an ACK scan by specifying the argument -A in the command line. Here, you are setting ACK flag in the probe packets and performing the scan. You perform this scan when a host does not respond to a ping request. By issuing this command, Hping checks if a host is alive on a network. If it finds a live host and an open port, it returns an RST response.
■    UDP scan on port 80
Ex. hping3 -2 10.0.0.25 -p 80
Hping uses TCP as its default protocol. Using the argument -2 in the command line specifies that Hping operates in UDP mode. You may use either the --udp or the -2 argument.
By issuing the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). The host returns an ICMP port unreachable message if the port is closed, and does not respond if the port is open.

■   Collecting Initial Sequence Number
Ex. hping3 192.168.1.103 -Q -p 139 -s
By using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host (192.168.1.103).
■    Firewalls and Time Stamps
Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Many firewalls drop TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument in the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).
■   SYN scan on port 50-60
Ex. hping3 -8 50-60 -S 10.0.0.25 -V
By using the argument -8 (or --scan) in the command, you are operating Hping in scan mode in order to scan a range of ports on the target host. Adding the argument -S allows you to perform a SYN scan.
Therefore, the above command performs a SYN scan on ports 50-60 on the target host.
■    FIN, PUSH and URG scan on port 80
Ex. hping3 -F -P -U 10.0.0.25 -p 80
By adding the arguments -F, -P, and -U in the command, you are setting FIN, PUSH, and URG packets in the probe packets. By issuing this command, you are performing FIN, PUSH, and URG scans on port 80 on the target host (10.0.0.25). If port 80 is open on the target, you will not receive a response. If the port is closed, Hping will return an RST response.
■    Scan entire subnet for live hosts
Ex. hping3 -1 10.0.1.x --rand-dest -I eth0
By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends ICMP echo requests in random order (--rand-dest) to all the hosts from 10.0.1.0 to 10.0.1.255 that are reachable through the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you have not set a port, so Hping sends packets to port 0 on all IP addresses by default.
■    Intercept all traffic containing HTTP signature
Ex. hping3 -9 HTTP -I eth0
The argument -9 sets Hping to listen mode. So, by issuing the command -9 HTTP, Hping starts listening on port 0 (of all the devices connected in the network to interface eth0), intercepts all the packets containing the HTTP signature, and dumps the data from the end of the signature to the end of the packet.
For example, on issuing the command hping2 -9 http, if Hping reads a packet that contains the data 234-09sdflkjs45-HTTPhello_world, it will display the result as hello_world.


■ NetScanTools Pro
Source: http://www.netscantools.com
NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. You can easily gather information about the local LAN, as well as Internet users, IP addresses, ports, and so on using this tool. You can find vulnerabilities and exposed ports in your system. NetScanTools Pro combines many network tools and utilities categorized by their functions, such as active, passive, DNS, and local computer.
o Active Discovery and Diagnostic Tools: Used for testing and locating devices connected to your network.
o Passive Discovery Tools: Monitor the activities of the devices connected to your network and gather information from third parties.
o DNS Tools: Help to detect DNS problems.
o Local Computer and General Information Tools: Provide details about your local computer's network.
Benefits:
o The information gathering process is made simpler and faster by automating the use of many network tools.
o Produces clear result reports in your web browser.

Scanning Tools

Some of the scanning tools are listed below:
■   SuperScan (https://www.mcafee.com)
■    PRTG Network Monitor (https://www.paessler.com)
■   Omni Peek (https://www.savvius.com)
■    MiTeC Network Scanner (http://www.mitec.cz)
■    NEWT Professional (http://www.komodolabs.com)
■    MegaPing (http://www.magnetosoft.com)
■   Slitheris Network Discovery (http://www.komodolabs.com)
■   TamoSofts CommView (http://www.tamos.com)
■    IP Scanner (https://community.spiceworks.com)
■    IP-Tools (https://www.ks-soft.net)
■    Network Scanner (http://www.10-strike.com)
■   Global Network Inventory (http://www.magnetosoft.com)
■   SoftPerfect Network Scanner (https://www.softperfect.com)
■   Advanced Port Scanner (https://www.advanced-port-scanner.com)
■   CurrPorts (http://www.nirsoft.net)
■    Masscan (https://github.com)
■    DRACNMAP (https://github.com)
■    NEET (https://github.com)


Scanning Tools for Mobile


■ IP Scanner
Source: http://10base-t.com
IP Scanner for iOS scans your local area network to determine the identity of all its active machines and Internet devices.
Features:
o In-built Ping, Portscan, and WOL tools.
o Traverse to native VNC, web browser, or any custom service directly from the scan results.
o Customizable display options for assigning names and icons to discovered devices.
o Ability to create your custom device categories with your images.
o Ability to export, email, and print scan results.
■ Fing
Source: https://www.fing.io
Fing is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location.
Features:
o Discovers all devices connected to a Wi-Fi network
o Displays MAC Address and device manufacturer



o Full search by IP, MAC, Name, Vendor, and Notes
o Wake On LAN: Allows you to switch on your devices from mobile or tablet
o Ping and traceroute: Assesses network performance
o Automatic DNS lookup and reverse lookup
o Tracks when a device has gone online or offline
o Launch Apps for specific ports, such as Browser, SSH, FTP
o Displays NetBIOS names and properties
o Supports identification by IP address for bridged networks
o Sort by IP, MAC, Name, Vendor, State, and Last Change
Some of the scanning tools for mobile devices include:
■    Hackode (https://play.google.com)
■    zANTI (https://www.zimperium.com)
■    cSploit (http://www.csploit.org)
■    FaceNiff (http://www.effecthacking.com)
■    PortDroid Network Analysis (https://play.google.com)
■    Pamn IP Scanner (https://play.google.com)



Scanning Techniques


Scanning is the process of gathering information about systems that are "alive" and responding on the network. Port scanning techniques help an attacker to identify the open ports on a targeted server or host. Administrators often use port scanning techniques to verify security policies of their networks, whereas attackers use them to identify running services on a host with the intent of compromising the network.
The first step in scanning networks is to check for live systems. This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools. Once attackers detect live systems in the target network, they try to find open ports on the discovered live systems. The next step in the network scanning process therefore involves checking the open ports on live systems. Sometimes users unknowingly leave unnecessary ports open on their systems. Attackers take advantage of such open ports to launch attacks. This section describes the tools and techniques used by an attacker to do so.




Scanning techniques are further split into three categories, as shown below, according to the protocol used for communication at the transport layer of the network.
Scanning ICMP Network Services:
■    ICMP Scanning
■    Ping Sweep
■    ICMP Echo Scanning
Scanning TCP Network Services:
■    Open TCP Scanning Methods
o TCP Connect / Full Open Scan
■    Stealth TCP Scanning Methods
o Half-open Scan
o Inverse TCP Flag Scanning
•    Xmas Scan
•    FIN Scan
•    NULL Scan
o ACK Flag Probe Scanning
■    Third Party and Spoofed TCP Scanning Methods
o IDLE/IP ID Header Scanning
Scanning UDP Network Services:
■    UDP Scanning




ICMP Scanning - Checking for Live Systems


Attackers use ICMP scanning to send ICMP packets to the destination system to gather all necessary information about it. ICMP scanning is not the same as port scanning, because ICMP does not have a port abstraction. However, it is useful to determine which hosts in a network are running by pinging them all (Nmap uses the -P option to ICMP scan in parallel, which can happen quickly). The user can also increase the number of pings in parallel using the -L option. It can also be helpful to tweak the ping timeout value using the -T option. A ping scan involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining whether ICMP is passing through a firewall.
ICMP Query
The UNIX tool ICMP query (icmpquery) or ICMPush requests the system time (to learn the system time zone) by sending an ICMP type 13 message (TIMESTAMP). The netmask of a particular system can also be determined using ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, a user can determine all the subnets in use. Then, the user can target only one particular subnet and avoid hitting the broadcast addresses.
ICMP query has both a timestamp and address mask request option:


-t: ICMP timestamp request (default)
-m: ICMP address mask request
-d: delay to sleep between packets, in microseconds
-T: specifies the number of seconds to wait for a host to respond. The default is 5.
A target is a list of hostnames or addresses.



Ping Sweep- Checking for Live Systems

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique that is employed to determine which range of IP addresses map to live hosts (computers). Although a single ping will tell the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply.
Ping sweeps are among the oldest and slowest methods used to scan a network. The ping utility, distributed with almost all platforms, acts as a roll call for systems: a system that is active on the network answers the ping query that another system sends out.
To understand pings better, one should be able to understand the TCP/IP packet. When a system pings, it sends a single packet across the network to a specific IP address. This packet contains 64 bytes (56 data bytes and 8 bytes of protocol header information). The sender then waits or listens for a return packet from the target system. If the connections are good and the target computer is "alive," a good return packet is expected. However, this will not be the case if there is a disruption in the communication. Ping also reports the amount of time it takes for a packet to make the complete trip, called the "round-trip time." Ping also helps in resolving hostnames. In this case, if the packet bounces back when sent to the IP address but not when sent to the name, then the system is unable to resolve the name to the specific IP address.
Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts that are present in the subnet. Attackers subsequently use ping sweep to create an inventory of live systems in the subnet.
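The ping sweep described here and the probe types listed under Hping Commands earlier in the module (bare SYNs across a range of ports, FIN/PSH/URG "Xmas" probes, flagless "NULL" probes) all leave a recognizable trace on a gateway that logs dropped or unsolicited packets. As an added example that is not part of the module or of any of the tools it lists, the following Python script parses log lines in the format written by the Linux iptables LOG target and raises a finding when one source sends ICMP echo requests to many hosts or bare SYNs to many ports on one host, or sends a probe with an abnormal flag set. The log lines are constructed for the example; the thresholds and the absence of a time window are simplifications a real detector would tighten.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG format (not captured traffic).
# 10.0.0.5 pings eight hosts (ICMP TYPE=8 = echo request) and then sends bare
# SYNs to eight ports on 10.0.1.20; 10.0.0.9 sends one Xmas and one NULL
# probe; 10.0.0.7 opens a single ordinary HTTPS connection.
_PREFIX = "Jun 12 10:00:00 gw kernel: IN=eth0 OUT="
SAMPLE_LOG = "\n".join(
    [f"{_PREFIX} SRC=10.0.0.5 DST=10.0.1.{i} LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ={i}"
     for i in range(1, 9)]
    + [f"{_PREFIX} SRC=10.0.0.5 DST=10.0.1.20 LEN=44 PROTO=TCP SPT={40000 + n} DPT={p} "
       f"WINDOW=512 RES=0x00 SYN URGP=0"
       for n, p in enumerate([21, 22, 25, 53, 80, 110, 139, 443])]
    + [f"{_PREFIX} SRC=10.0.0.9 DST=10.0.1.20 LEN=40 PROTO=TCP SPT=55000 DPT=80 "
       f"WINDOW=1024 RES=0x00 FIN PSH URG URGP=0",
       f"{_PREFIX} SRC=10.0.0.9 DST=10.0.1.20 LEN=40 PROTO=TCP SPT=55001 DPT=80 "
       f"WINDOW=1024 RES=0x00 URGP=0",
       f"{_PREFIX} SRC=10.0.0.7 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=51000 DPT=443 "
       f"WINDOW=64240 RES=0x00 SYN URGP=0"]
)

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Turn one iptables LOG line into a record; None if it is not one."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    # iptables prints the TCP flags that are set as bare words ("SYN", "FIN PSH URG")
    flags = {tok for tok in line.split() if tok in FLAG_NAMES}
    return {
        "src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "icmp_type": int(fields["TYPE"]) if "TYPE" in fields else None,
        "flags": flags,
    }


def detect_scans(log_text, host_threshold=5, port_threshold=5):
    """Return (source, description) findings for sweeps and unusual probes."""
    echo_targets = defaultdict(set)   # src -> hosts that received echo requests
    syn_ports = defaultdict(set)      # (src, dst) -> ports probed with a bare SYN
    odd_probes = []                   # (src, dst, dport, label)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "ICMP" and rec["icmp_type"] == 8:
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "TCP":
            f = rec["flags"]
            if f == {"SYN"}:
                syn_ports[(rec["src"], rec["dst"])].add(rec["dport"])
            elif f == {"FIN", "PSH", "URG"}:
                odd_probes.append((rec["src"], rec["dst"], rec["dport"], "Xmas probe"))
            elif not f:
                odd_probes.append((rec["src"], rec["dst"], rec["dport"], "NULL probe"))
    findings = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= host_threshold:
            findings.append((src, f"ping sweep: ICMP echo to {len(hosts)} hosts"))
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= port_threshold:
            findings.append((src, f"SYN port scan of {dst}: {len(ports)} ports"))
    for src, dst, dport, label in odd_probes:
        findings.append((src, f"{label} against {dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for src, what in detect_scans(SAMPLE_LOG):
        print(f"{src}: {what}")
```

A single SYN from 10.0.0.7 produces no finding, which is the point of counting distinct ports per (source, destination) pair rather than raw packets: ordinary clients touch one or two ports, a port scan touches many. On a real gateway the same parser would read the kernel log (or a syslog feed) and the thresholds would be applied per sliding time window.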

Ping Sweep Tools

Ping sweep tools ping an entire range of network IP addresses to identify the live systems. Given below are ping sweep tools that enable one to determine live hosts on the target network by sending multiple ICMP ECHO requests to various hosts on the network at a time.
■   Angry IP Scanner
Source: http://www.angryip.org
Angry IP Scanner is an IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It pings each IP address to check whether it is alive, then optionally resolves its hostname, determines the MAC address, scans ports, and so on. The amount of data gathered about each host can be extended with plugins. Angry IP Scanner has additional features, such as NetBIOS information (computer name, workgroup name, and currently logged-in Windows user), favorite IP address ranges, web server detection, and customizable openers. The tool allows the user to save the scanning results to CSV, TXT, XML, or IP-Port list files. To increase scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address.
Listed below are a few more ping sweep tools that enable an attacker to determine live hosts on the target network:
■   SolarWinds Engineer's Toolset (http://www.solarwinds.com) 
■    NetScanTools Pro (https://www.netscantools.com)
■ Colasoft Ping Tool (http://www.colasoft.com) 
■ Visual Ping Tester (http://www.pingtester.net) 
■ OpUtils (https://www.manageengine.com)
■    Advanced IP Scanner (http://www.advanced-ip-scanner.com)
■    PingInfoView (http://www.nirsoft.net)
■    Ping Monitor (http://www.niliand.com)
■    Pinkie (http://www.ipuptime.net)
■    MegaPing (http://www.magnetosoft.com)


ICMP Echo Scanning


ICMP echo scanning pings all the machines in the target network to discover live machines. Attackers send ICMP probes to the broadcast or network address, which relays them to all the host addresses in the subnet. The live systems will send an ICMP echo reply message to the source of the ICMP echo probe.
UNIX/Linux and BSD-based machines are susceptible to ICMP echo scanning; the TCP/IP stack implementations in these operating systems respond to ICMP echo requests sent to the broadcast addresses. This technique does not work on Windows-based networks, as their TCP/IP stack implementation does not reply to ICMP probes directed at the broadcast address.
ICMP echo scanning is not the same as port scanning because it does not have a port abstraction. ICMP echo scanning is used to determine the particular hosts that are active in a network by pinging all of them. Active hosts are displayed in Zenmap as "Host is up (0.0000s latency)," as shown in the screenshot above.



TCP Connect / Full Open Scan 


Source: http://insecure.org
TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the operating system's TCP connect() system call tries to open a connection to every interesting port on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable.
TCP Connect scan completes a three-way handshake with the target machine. In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with a SYN+ACK packet. In turn, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once the handshake is completed, the scanner sends a RST packet to end the connection.
Making a separate connect() call for every targeted port in a linear fashion would take a long time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel. Using non-blocking I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.
The drawback of this type of scan is that it is easily detectable and filterable. The logs in the target system will disclose the connection. This type of scanning does not require superuser privileges.


Stealth Scan (Half-open Scan)

The Stealth scan involves resetting the TCP connection between client and server abruptly before the three-way handshake completes, hence making the connection half open. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This type of scan sends a single frame with the expectation of a single response. The half-open scan partially opens a connection but stops halfway through. The stealth scan is also called a "SYN scan," because it only sends the SYN packet. This prevents the service from being notified of the incoming connection. TCP SYN or half-open scanning is a stealth method of port scanning.
The stealth scan also implements the three-way handshake methodology. In the last stage, it examines the packets entering the interface and terminates the connection before triggering a new initialization to identify remote ports. The stealth scan process is shown below.
■   The client sends a single SYN packet to the server on the appropriate port.
■   If the port is open, the server responds with a SYN/ACK packet.
■   If the server responds with an RST packet, then the remote port is in the "closed" state.
■   The client sends an RST packet to close the initiation before a connection can ever be established.
Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves in normal network traffic.


Inverse TCP Flag Scanning

Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set, or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.
Security mechanisms such as firewalls and IDS detect the SYN packets sent to the sensitive ports of the targeted hosts. Programs such as Synlogger and Courtney are available to log half-open SYN flag scan attempts. At times, the probe packets enabled with TCP flags can pass through filters undetected, depending on the security mechanisms installed.
The inverted technique probes a target with flags other than the half-open SYN flag, relying on the fact that only the closed ports send a response back. According to RFC 793, an RST/ACK packet is sent for a connection reset when the host closes a port. Attackers take advantage of this feature to send TCP probe packets to each port of the target host with various TCP flags set.
Common flag configurations used for a probe packet include:
■   A FIN probe with the FIN TCP flag set
■   An XMAS probe with the FIN, URG, and PUSH TCP flags set
■   A NULL probe with no TCP flags set
■   A SYN/ACK probe
All closed ports on the targeted host will send an RST/ACK response. Since operating systems such as Windows completely ignore the RFC 793 standard, you cannot see the RST/ACK response when connected to a closed port on the target host. However, this technique is effective when used with UNIX-based operating systems.

Advantages
■   Avoids many IDS and logging systems; highly stealthy
Disadvantages
■   Needs raw access to network sockets, thus requiring super-user privileges
■   Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts, in particular).
Note: Inverse TCP flag scanning is known as FIN, URG, or PSH scanning based on the flag set in the probe packet. If no flag is set, it is known as null scanning.


Xmas Scan


Xmas scan is a port scan technique that sends a TCP frame with the FIN, URG, and PUSH flags set to a remote device. If the target has the port open, you will receive no response from the remote system. If the target has the port closed, the remote system replies with an RST. You can use this port scanning technique to scan large networks and find which host is up and what services it is offering. The name describes a probe with all TCP flags set, "lit up like a Christmas tree." When all flags are set, some systems hang; so the flags most often set are the nonsense pattern URG-PSH-FIN. Attackers use the TCP XMAS scan to determine if ports are closed on the target machine via the RST packet. This scan only works when systems are compliant with an RFC 793-based TCP/IP implementation. It will not work against any current version of Microsoft Windows.

BSD Networking Code

This method relies on BSD networking code. Thus, you can use this only for UNIX hosts; it does not support Windows NT. If the user scans any Microsoft system, it will show that all the ports on the host are open.
Transmitting Packets
You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, it means that the port is open. If the target system sends RST flag, then it implies that the port is closed.
Advantages
■   It avoids the IDS and the TCP three-way handshake.
Disadvantages
■   It works on the UNIX platform only.
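The inverse TCP flag and Xmas probes above are easy to pick out of traffic precisely because legitimate sessions never start with those flag combinations. As an added example (not from the original text), the following detection logic classifies the TCP flag byte of each record and alerts on a source that probes many distinct ports with the same inverse-scan pattern; the log lines and thresholds are constructed for illustration.

```python
"""Detect inverse TCP flag probes (FIN, NULL, XMAS, SYN/ACK) in a packet log.
Added example; the records and threshold are constructed, not captured."""
from collections import defaultdict

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CORE_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # ignore ECE/CWR bits

# The probe patterns listed in the text, keyed by their flag combination.
PROBE_TYPES = {
    0: "NULL",
    FIN: "FIN",
    FIN | PSH | URG: "XMAS",
    SYN | ACK: "SYN/ACK",
}


def classify_probe(flags):
    """Return the inverse-scan probe name for a flag byte, or None for
    ordinary traffic (SYN, ACK, PSH/ACK, RST ...)."""
    return PROBE_TYPES.get(flags & CORE_FLAGS)


def detect_inverse_scans(records, port_threshold=5):
    """records: iterable of (src_ip, dst_ip, dst_port, flags).

    Returns {src_ip: {probe_type: sorted distinct dst ports}} for every
    source that sent one probe type to at least port_threshold distinct
    ports. A genuine server's SYN/ACK replies go to one client port per
    connection, so the threshold keeps them out of the alert list."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, _dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind is not None:
            seen[src][kind].add(dport)
    alerts = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= port_threshold}
        if hits:
            alerts[src] = hits
    return alerts


# Constructed sample log: 10.0.0.9 opens a normal connection to port 443
# (SYN, SYN/ACK reply, ACK, data); 10.0.0.5 runs an XMAS sweep over six
# ports and sends NULL probes to two of them.
SAMPLE_LOG = [
    ("10.0.0.9", "10.0.0.20", 443, SYN),
    ("10.0.0.20", "10.0.0.9", 51000, SYN | ACK),
    ("10.0.0.9", "10.0.0.20", 443, ACK),
    ("10.0.0.9", "10.0.0.20", 443, PSH | ACK),
]
SAMPLE_LOG += [("10.0.0.5", "10.0.0.20", p, FIN | PSH | URG)
               for p in (21, 22, 23, 25, 80, 443)]
SAMPLE_LOG += [("10.0.0.5", "10.0.0.20", p, 0) for p in (22, 80)]

if __name__ == "__main__":
    for src, hits in detect_inverse_scans(SAMPLE_LOG).items():
        for kind, ports in hits.items():
            print(f"{src}: {kind} probes to {len(ports)} ports {ports}")
```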


ACK Flag Probe Scanning

Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW fields) of the received RST packets to find out if the port is open or closed. ACK flag probe scanning exploits the vulnerabilities within the BSD-derived TCP/IP stack. Thus, this scanning is effective only on those operating systems and platforms whose TCP/IP stacks derive from BSD.

■ TTL-based ACK flag probe scanning
In this scanning technique, you will first need to send ACK probe packets (thousands in number) to different TCP ports, and then analyze the TTL field value of the RST packets received.
If the TTL value of RST packet on a particular port is less than the boundary value of 64, then that port is open. Here is an example displaying a log of the first four RST packets received:

■ WINDOW based ACK flag probe scanning
In this scanning technique, you will first need to send ACK probe packets (thousands in number) to different TCP ports, and then analyze the Window field value of the received RST packets. The user can use this scanning technique when all the ports return the same TTL value.
If the WINDOW value of the RST packet on a particular port is non-zero, then that port is open. Here is an example displaying a log of the first four RST packets received:

The above figure shows that the TTL value returned for each packet is the same, so you cannot perform TTL based ACK flag probe scanning to find the open ports. Therefore, when you observe the window value, the third packet has a non-zero window value, which means that the port is open.
Advantages:
■   This type of scan can evade IDS in most cases.
Disadvantages:
■   This scan is very slow and can exploit only older operating systems with vulnerable BSD-derived TCP/IP stacks.


Checking the Filtering Systems of Target Networks


The ACK flag probe scanning technique also assists in checking the filtering systems of target networks. The attacker sends an ACK probe packet to check the filtering mechanism (Firewalls) of packets employed by the target network.
Sending an ACK probe packet with a random sequence number and getting No Response from the target means that the port is filtered (stateful firewall is present); an RST response from the target means that the port is not filtered (No Firewall is Present).
nmap -sA -P0 10.10.0.25
Starting nmap 6.49BETA4 (https://nmap.org) at 2017-07-21 08:02 EDT
Nmap scan report for 10.10.0.25
Host is up (0.00076s latency).
All 1000 scanned ports on 10.10.0.25 are unfiltered.
Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds.
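The interpretation rules for ACK probe replies given above (TTL below 64 means open; fall back to the WINDOW field when every TTL is identical; no reply means filtered, an RST means unfiltered) are small enough to write down as code. The following is an added example, not part of the original text, that serves both the TTL/WINDOW analysis and the filtering check; the RST logs are constructed, since the figures referenced above are not reproduced here.

```python
"""Classify ports from RST replies to ACK probes using the TTL and WINDOW
heuristics, and classify filtering from the presence of a reply.
Added example; all packet values are constructed."""

TTL_BOUNDARY = 64  # an RST whose TTL is below this boundary marks an open port


def classify_by_ttl(replies):
    """replies: list of (port, ttl, window) for received RST packets.

    Returns {port: 'open'|'closed'}, or None when every TTL is identical,
    in which case the TTL method carries no information."""
    ttls = {ttl for _, ttl, _ in replies}
    if len(ttls) < 2:
        return None
    return {port: ("open" if ttl < TTL_BOUNDARY else "closed")
            for port, ttl, _ in replies}


def classify_by_window(replies):
    """A non-zero WINDOW field in the RST marks an open port."""
    return {port: ("open" if window != 0 else "closed")
            for port, _, window in replies}


def classify_ack_probe_replies(replies):
    """Apply the TTL heuristic first and fall back to the WINDOW heuristic
    when all TTLs are equal, as the text prescribes.
    Returns (method_used, {port: state})."""
    result = classify_by_ttl(replies)
    if result is not None:
        return "ttl", result
    return "window", classify_by_window(replies)


def classify_filtering(probe_results):
    """probe_results: {port: 'RST' | None}. No reply to an ACK probe means a
    stateful firewall dropped it (filtered); an RST means unfiltered."""
    return {port: ("unfiltered" if reply == "RST" else "filtered")
            for port, reply in probe_results.items()}


# Constructed logs of the first four RST packets received.
# TTL_SAMPLE: port 22 answers with a lower TTL than the rest -> open.
TTL_SAMPLE = [(20, 70, 0), (21, 70, 0), (22, 40, 0), (23, 70, 0)]
# WINDOW_SAMPLE: every TTL is 80, so only the non-zero window on port 22
# (the third packet) reveals the open port.
WINDOW_SAMPLE = [(20, 80, 0), (21, 80, 0), (22, 80, 512), (23, 80, 0)]
# FILTER_SAMPLE: port 25 never answered the ACK probe.
FILTER_SAMPLE = {22: "RST", 25: None, 80: "RST"}

if __name__ == "__main__":
    for sample in (TTL_SAMPLE, WINDOW_SAMPLE):
        method, states = classify_ack_probe_replies(sample)
        print(f"method={method}: {states}")
    print(classify_filtering(FILTER_SAMPLE))
```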

IDLE/IPID Header Scan

The IDLE/IPID Header scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available. It offers complete blind scanning of a remote host. Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port. One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN | ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed. A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored. Every IP packet on the Internet has a "fragment identification" number (IPID). The OS increases the IPID for each packet sent, thus probing an IPID gives an attacker the number of packets sent since the last probe.

FIGURE 3.3: IDLE/IPID Header scan using Nmap
The attacker performs this scan by impersonating another computer through spoofing. The attacker does not send a packet from his/her own IP address; instead, he/she uses another host, often called a "zombie," to scan the remote host and identify any open ports. In this attack, the attacker observes the sequence numbers of the zombie host, and if the remote host checks the IP of the scanning party, the IP of the zombie machine will be displayed.
IDLE Scan
Every IP packet on the Internet has a fragment identification (IPID) number that uniquely identifies fragments of an original IP datagram. As many operating systems simply increase this number for each packet they send, probing for the IPID can tell an attacker how many packets the host sent since the last probe.

■ Step 1
The first step in performing an idle scan is to find an appropriate zombie. The zombie that assigns IPID packets incrementally on a global basis is an appropriate or idle zombie to perform the idle scan. The lower the time interval for request/response between the attacker-zombie and the zombie-target, the faster the scan.
Choose a "Zombie" and Probe for Its Current IP Identification (IPID) Number
In the first step, you send a SYN+ACK packet to the zombie machine to probe its IPID number. A SYN+ACK packet is used because it elicits a reply carrying the IPID without establishing a TCP connection (3-way handshake).

Since every IP packet has a "fragment identification" number, which increases by one for every packet transmission, this time the zombie will use its next available IPID, i.e., 31338 (X + 1).
Idle Scan: 

Step 2.2 (Closed Port)
Assume that the port on the target is closed. Subsequently, on receiving the SYN packet from the attacker (you), the target will respond with a RST, and the zombie will remain idle without taking any further action.
■ Step 3
Now, follow step 1 again to probe the IPID number.


Send a SYN+ACK packet to the zombie, and it will respond with an RST packet containing the IPID. Assuming that the port on the target was open, the zombie has already sent an RST packet to the target, so its IPID number has increased by 1. This time the zombie responds with an RST packet to the attacker using its next IPID, i.e., 31339 (X + 2). Consequently, the IPID has increased by 2, which implies that the port on the target machine was open. Thus, using an idle scan, an attacker can find out the open ports and services on the target machines by spoofing his/her IP address with a zombie's IP address.
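The whole idle scan rests on the IPID arithmetic of steps 1 to 3, and on the zombie handing out IPIDs that increase by exactly one per packet. The following added example (not from the original text) captures that inference without sending any packets: a 16-bit-safe IPID delta, the suitability check a defender would run to find hosts on their own network with globally incremental IPIDs, and the open/closed decision from the two probe replies. The IPID values are constructed around the text's X = 31337.

```python
"""IPID arithmetic of the idle scan and a zombie-suitability check.
Added example; IPID values are constructed, no packets are sent."""

IPID_MODULUS = 0x10000  # the IP identification field is 16 bits wide


def ipid_delta(before, after):
    """Number of packets the zombie sent between two observed IPIDs,
    taking the 16-bit wraparound into account."""
    return (after - before) % IPID_MODULUS


def zombie_is_suitable(observed_ipids):
    """A usable zombie must assign IPIDs incrementally on a global basis:
    each reply to our probes, with the host otherwise idle, carries an IPID
    exactly one higher than the previous reply. Defenders can run the same
    test against their own hosts to find those exposed as zombies."""
    if len(observed_ipids) < 2:
        return False
    return all(ipid_delta(a, b) == 1
               for a, b in zip(observed_ipids, observed_ipids[1:]))


def infer_port_state(ipid_step1, ipid_step3):
    """Step 1 and step 3 each elicit one RST from the zombie. If the target
    port is open, the target's SYN/ACK makes the zombie send one extra RST
    (step 2), so the IPID advances by 2; if the port is closed the target's
    RST is ignored by the zombie and the IPID advances by 1. A dropped SYN
    (stateful filtering) also yields 1, so that case is indistinguishable
    from closed. Any other delta means the zombie was not idle."""
    delta = ipid_delta(ipid_step1, ipid_step3)
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"


if __name__ == "__main__":
    # Constructed walk-through with the text's values: X = 31337.
    print(zombie_is_suitable([31337, 31338, 31339]))   # idle, incremental
    print(infer_port_state(31337, 31339))               # open (X + 2)
    print(infer_port_state(31337, 31338))               # closed (X + 1)
```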

UDP Scanning


UDP Raw ICMP Port Unreachable Scanning
UDP port scanners use the UDP protocol instead of TCP. There is no three-way handshake for a UDP scan. UDP can be more challenging to use than TCP scanning because you can send a packet, but you cannot determine whether the host is alive, dead, or filtered. However, you can use one ICMP message that indicates whether a port is open or closed. If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. Any port that returns an ICMP error can be marked closed, leaving the ports that did not answer as either open or filtered by the firewall.
This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.
UDP Packets
Source: https://nmap.org
When you send a packet to a closed UDP port, most hosts send an ICMP_PORT_UNREACH error. Thus, you can determine whether a port is NOT open; however, neither UDP packets nor ICMP errors are guaranteed to arrive. Thus, UDP scanners of this sort must implement retransmission of packets that appear lost. UDP scanners interpret lost traffic as open ports.
In addition, this scanning technique is slow because it must compensate for machines that apply RFC 1812 section 4.3.2.8 and limit the ICMP error message rate. Access to a raw ICMP socket is required to distinguish closed from unreachable ports.
UDP recvfrom() and write() Scanning

Although non-root users cannot read unreachable port errors directly, Linux informs you indirectly when it receives them.
■ Example:
For example, a second write() call to a closed port will usually fail. Various scanners, such as Netcat and Pluvial pscan.c, do recvfrom() on non-blocking UDP sockets, and usually get EAGAIN ("Try Again," errno 13) if the ICMP error has not been received, and ECONNREFUSED ("Connection refused," errno 111) if it has. This is the technique used for determining open ports when non-root users use -u (UDP). Root users can also use the -l (lamer UDP scan) option to force this process.
Advantage:
The UDP scan is lighter regarding an open port because there is no overhead of a TCP handshake. However, if ICMP is responding to each unavailable port, the number of total frames can exceed those from a TCP scan. Microsoft-based operating systems do not usually implement any ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.
Disadvantage:
The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sV) or the operating system fingerprinting option (-O).
The UDP scan requires privileged access; hence, this scan option is only available on systems with the appropriate user permissions.
Most networks have huge amounts of TCP traffic; as a result, the efficiency of the UDP scan is lost. The UDP scan will locate these open ports and provide the security manager with valuable information for identifying successful attacker invasions on open UDP ports caused by spyware applications, Trojan horses, and other malicious software.




List Scanning


In a list scan, the discovery of the active network host is indirect. A list scan simply generates and prints a list of IPs/Names without actually pinging or scanning the hosts. As a result, the list scan shows all IP addresses as "not scanned" (0 hosts up). By default, a reverse DNS resolution is still carried out on each host by Nmap for learning their names.
Advantages:
■   A list scan can perform a good sanity check.
■   The list scan detects incorrectly defined IP addresses on the command line or in an option file. Detected errors should be repaired before running any "active" scan.
SSDP Scanning
SSDP (Simple Service Discovery Protocol) is a network protocol that generally communicates with machines when querying them with routable IPv4 or IPv6 multicast addresses. The SSDP service controls communication for the Universal Plug and Play (UPnP) feature. It generally works when the machine is not firewalled; however, it can sometimes work through a firewall. The SSDP service will respond to the query sent over IPv4 or IPv6 broadcast addresses. This response includes information about the Universal Plug and Play (UPnP) feature associated with it. The attacker uses SSDP scanning to detect UPnP vulnerabilities that may allow him/her to launch buffer overflow or DoS attacks.
The attacker may use the UPnP SSDP M-SEARCH information discovery tool to check whether the machine is vulnerable to the UPnP exploits. The UPnP SSDP M-SEARCH information discovery tool gleans information from UPnP-enabled systems as shown in the above slide.



■ Hackers use tools such as Nmap and perform OS-detection methods to sniff the details of a remote operating system. Thus, it is important to employ intrusion detection systems in such cases. Snort (http://www.snort.org) is an intrusion detection and prevention technology that can be very useful, mainly because signatures are frequently available from the public authors.
■ Keep as few ports open as necessary and filter the rest, as the intruder will try to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.
■    Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of a company's main firewall.
■   Attackers try to perform source routing and send packets to targets (which may not be reachable via the Internet) by making use of an intermediate host that can interact with the target. Ensure that your firewall and router can block such source-routing techniques.
■ Ensure that the mechanism used for routing and filtering at the routers and firewalls respectively cannot be bypassed using a particular source port or source-routing methods.
■    Test your IP address space using TCP and UDP port scans as well as ICMP Probes to determine network configuration and accessible ports.
■   Ensure that the anti-scanning and anti-spoofing rules are configured.
■   If a commercial firewall is in use, then ensure that:
o It is patched with the latest updates
o It has correctly defined antispoofing rules
o Its Fastmode services are unusable in Check Point Firewall-1 environments


Scanning Beyond IDS and Firewall


An Intrusion Detection System (IDS) and a firewall are security mechanisms intended to prevent an attacker from accessing a network. But even IDSs and firewalls have some security limitations. Attackers try to launch attacks with the aim of exploiting these limitations. This section highlights various IDS/firewall evasion techniques such as packet fragmentation, source routing, IP address spoofing, etc.


IDS/Firewall Evasion Techniques


Though firewalls and IDSs prevent malicious traffic (packets) from entering a server, attackers manage to send intended packets to the destination server by implementing techniques such as:
■    Packet Fragmentation: Here, the attacker sends fragmented probe packets to the intended server which re-assembles it after receiving all the fragments.
■   Source Routing: The attacker specifies the routing path for the malformed packet to reach the intended server.
■    IP Address Decoy: Generating or manually specifying IP addresses of the decoys so that the IDS/Firewall cannot determine the actual IP address.
■    IP Address Spoofing: The attacker changes source IP addresses so that the attack appears to be coming in as someone else.
■    Proxy Server: This is a process in which the attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.


Packet Fragmentation

Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, IDSs and firewalls behind the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU consumption as well as network resources, the configuration of most of the IDSs makes it skip fragmented packets during port scans.
Therefore, attackers use packet fragmentation tools such as Nmap and fragroute to split the probe packet into smaller packets that circumvent the port-scanning detection employed by intrusion detection systems. Once these fragments reach the destined host, they are reassembled into a single packet.


SYN/FIN Scanning Using IP Fragments

SYN/FIN Scanning using IP fragments is not a new scanning method but a modification of the previous techniques. This process of scanning was created to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet let the remote host reassemble the packet upon receipt via an Internet protocol module that detects the fragmented data packets using field equivalent values of the source, destination, protocol, and identification.
In this scan, the system splits the TCP header into several fragments and transmits them over the network. However, IP reassembly on the server-side may result in unpredictable and abnormal results, such as fragmentation of IP header data. Some hosts may fail to parse and reassemble the fragmented packets, thus leading to crashes, reboots, or even network device monitoring dumps.


Some firewalls might have rule sets that block IP fragmentation queues in the Kernel (e.g., CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented because of adverse effects on performance. Since many IDSs use signature-based methods to indicate scanning attempts on IP and/or TCP headers, the use of fragmentation will often evade this type of packet filtering and detection, resulting in a high probability of causing problems on the target network. Attackers use SYN/FIN scanning method with IP fragmentation to evade this type of filtering and detection.


Source Routing

An IP datagram contains various fields, including the IP options field, which stores source routing information and includes a list of IP addresses through which the packet travels to its destination. As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination.
When attackers send malformed packets to a target, these packets hop through various routers and gateways to reach the destination. In some cases, routers in the path might include configured firewalls and IDSs that block such packets. To avoid this, attackers enforce a loose or strict source routing mechanism, in which they manipulate the IP address path in the IP options field so that the packet takes the attacker-defined path (without firewall-/IDS-configured routers) to reach the destination, thereby evading firewalls and IDSs.


IP Address Decoy

IP address decoy technique refers to generating or manually specifying IP addresses of the decoys in order to evade IDS/firewall. It appears to the target that the decoys, as well as the host(s), are scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP address was actually scanning the network and which IP addresses were decoys.
The Nmap scanning tool comes with a built-in scan function called decoy scan, which cloaks a scan with decoys. This technique uses multiple IP addresses to perform a scan, thus making it difficult for the target security mechanisms like IDS, firewall, etc. to identify the original source from the registered logs. The target IDS might report scanning from 5 - 10 IP addresses; however, it cannot differentiate between the actual scanning IP address and the innocent decoy IPs.
You can perform two types of decoy scans using Nmap:

■   nmap -D RND:10 [target]
By using this command, Nmap automatically generates a random number of decoys for the scan and randomly positions the real IP address between the decoy IPs.
Ex. Consider 192.168.100.50 is the target IP address to be scanned. Thus, the Nmap decoy scan command will be:
# nmap -D RND:10 192.168.100.50

■   nmap -D decoy1,decoy2,decoy3,...,ME,... [target]
Using this command, you can manually specify the IP addresses of the decoys to scan the victim's network. Here, you have to separate each decoy IP with a comma (,), and you can optionally use the ME keyword to position your real IP in the decoy list. If you place ME in the 4th position of the command, your real IP will be positioned at the 4th position accordingly. This is optional; if you do not mention ME in your scan command, Nmap will automatically place your real IP in a random position.
Ex. Consider 192.168.100.1 is the real source IP and 192.168.100.50 is the target IP address to be scanned. Then the Nmap decoy command will be: 3.4.2.1,192.168.111.15,192.168.100.50
These decoys can be generated in both initial ping scans like ICMP, SYN, ACK, etc., and during the actual port scanning phase.
IP address decoy is a useful technique for hiding your IP address. However, it cannot be successful if the target employs any of the active mechanisms like router path tracing, response-dropping, etc. Also, using many decoys can slow down the scanning process and affect the accuracy of the scan.


IP Address Spoofing

Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and decide whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such IDSs/firewalls.
IP address spoofing is a hijacking technique in which an attacker obtains a computer's IP address, alters the packet headers, and sends request packets to a target machine, pretending to be a legitimate host. The packets appear to be sent from the legitimate machine but are actually sent from the attacker's machine, while his/her machine's IP address is concealed. When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address. Attackers mostly use IP address spoofing to perform DoS attacks.
When the attacker sends a connection request to the target host, the target host replies and sends it to the spoofed IP address. When spoofing a nonexistent address, the target replies to a nonexistent system, and then hangs until the session times out, thus consuming the target's resources.
IP spoofing using Hping3:
hping3 www.certifiedhacker.com -a 7.7.7.7
You can use Hping3 to perform IP spoofing. The above command sends arbitrary TCP/IP packets to the network host with the source address set to 7.7.7.7.
Note: You will not be able to complete the three-way handshake and open a successful TCP connection with a spoofed IP address.


IP Spoofing Detection Techniques

■ Direct TTL Probes
In this technique, you initially send a packet (ping request) to the legitimate host and wait for a reply. Check whether the TTL value in the reply matches that of the packet you are checking. Both will have the same TTL if they are using the same protocol. Although the initial TTL values vary according to the protocol used, a few initial TTL values are commonly used: for TCP/UDP, the values are 64 and 128; for ICMP, 128 and 255.
If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. Deduct the TTL value in the reply from the initial TTL value to determine the hop count. It is a spoofed packet if the reply TTL does not match the TTL of the packet you are checking. It will be very easy to launch an attack if the attacker knows the hop count between the source and the host. In this case, the test result is a false negative. This technique is successful when the attacker is in a different subnet from that of the victim.
Note: Normal traffic from one host can have differing TTLs depending on traffic patterns.



■ IP Identification Number

Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. The IPID increases incrementally each time a system sends a packet. Every IP packet on the network has a "fragment identification" number, which is increased by one for every packet transmission. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response packet must be close to, but slightly higher than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet.
This method is effective even when both the attacker and the target are on the same subnet.


■ TCP Flow Control Method

The TCP can optimize the flow control on both the sender and the receiver's end with its algorithm. The algorithm accomplishes the flow control using the sliding window principle. The user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. The sender should stop sending data whenever the window size is set to zero.
In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker who is unaware of the ACK packet containing window size information might continue to send data to the victim. If the victim receives data packets beyond the window size, they are spoofed packets. For effective flow control method and early detection of spoofing, the initial window size must be very small.
Most spoofing attacks occur during the handshake, as it is challenging to build multiple spoofed replies with the correct sequence number. Therefore, apply the flow control spoofed packet detection at the handshake. In a TCP handshake, the host sending the initial SYN packet waits for the SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, set the window size in the SYN-ACK to zero. If the sender sends an ACK with any data, it means that the sender is the spoofed one. This is because when the SYN-ACK window is set to zero, the sender must respond to it only with the ACK packet, without additional data.
Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets. Attackers cannot be responsive to changes in the congestion window size. When received traffic continues after a window size is exhausted, the packets are most probably spoofed.
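The three detection techniques above (direct TTL probe, IPID continuity, TCP flow control) each reduce to a comparison between the suspect packet and what the genuine owner of the source address does. The following added example (not from the original text) implements those comparisons over constructed packet records, including the hop-count fallback when the probe reply uses a different protocol and the 16-bit IPID wraparound; the initial TTL values are the ones the text lists, and the IPID tolerance of 50 is an assumed threshold.

```python
"""IP spoofing indicators: direct TTL probe, IPID continuity, and TCP flow
control checks. Added example; packet records and thresholds are constructed."""

# Commonly used initial TTLs named in the text (TCP/UDP: 64, 128; ICMP: 128, 255).
INITIAL_TTLS = (64, 128, 255)


def hop_count(ttl):
    """Recover the hop count from an observed TTL by assuming the nearest
    initial TTL at or above it (initial TTL minus observed TTL)."""
    for start in INITIAL_TTLS:
        if ttl <= start:
            return start - ttl
    raise ValueError(f"TTL {ttl} above any known initial value")


def direct_ttl_probe_check(suspect_ttl, reply_ttl):
    """Compare the TTL of the suspect packet with the TTL of the reply to a
    probe sent to its claimed source. Equal TTLs pass; otherwise compare hop
    counts, which tolerates a reply from a different protocol. Returns True
    when the packet looks spoofed. An attacker who knows the real hop count
    can forge a matching TTL, so a False here is not proof of legitimacy."""
    if suspect_ttl == reply_ttl:
        return False
    return hop_count(suspect_ttl) != hop_count(reply_ttl)


def ipid_check(suspect_ipid, reply_ipid, max_gap=50):
    """The reply IPID from the true owner of the address should be close to,
    but slightly higher than, the suspect packet's IPID (16-bit wraparound
    handled). max_gap is an assumed tolerance. Returns True when spoofed."""
    gap = (reply_ipid - suspect_ipid) % 0x10000
    return not (1 <= gap <= max_gap)


def flow_control_check(advertised_window, payload_bytes):
    """After a SYN-ACK advertising a zero window, a genuine client sends a
    bare ACK. A sender that pushes data anyway never saw the SYN-ACK, which
    is what happens to a spoofed source. Returns True when spoofed."""
    return advertised_window == 0 and payload_bytes > 0


def spoofing_indicators(suspect, reply):
    """suspect: dict with ttl, ipid, advertised_window, payload_bytes for the
    packet under examination; reply: dict with ttl, ipid from the probe reply.
    Returns the names of the checks that flagged the packet."""
    failed = []
    if direct_ttl_probe_check(suspect["ttl"], reply["ttl"]):
        failed.append("ttl")
    if ipid_check(suspect["ipid"], reply["ipid"]):
        failed.append("ipid")
    if flow_control_check(suspect["advertised_window"], suspect["payload_bytes"]):
        failed.append("flow_control")
    return failed


# Constructed records. The probe reply is an ICMP echo reply (initial TTL 255)
# that arrived 12 hops away (TTL 243).
PROBE_REPLY = {"ttl": 243, "ipid": 5003}
# Legitimate: TCP segment at 12 hops (128 - 116), IPID just below the reply's,
# and a bare ACK after the zero-window SYN-ACK.
LEGIT_PACKET = {"ttl": 116, "ipid": 5000, "advertised_window": 0, "payload_bytes": 0}
# Spoofed: 8 hops instead of 12, IPID unrelated to the real host's counter,
# and data pushed despite the zero window.
SPOOFED_PACKET = {"ttl": 120, "ipid": 41000, "advertised_window": 0, "payload_bytes": 100}

if __name__ == "__main__":
    print("legit  :", spoofing_indicators(LEGIT_PACKET, PROBE_REPLY))
    print("spoofed:", spoofing_indicators(SPOOFED_PACKET, PROBE_REPLY))
```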