
KALI LINUX NETWORK SCANNING COOKBOOK
Description
Book Description
Kali Linux Network Scanning Cookbook is intended for information security professionals and casual security enthusiasts alike. It will provide the foundational principles for the novice reader but will also introduce scripting techniques and in-depth analysis for the more advanced audience. Whether you are brand new to Kali Linux or a seasoned veteran, this book will aid in both understanding and ultimately mastering many of the most powerful and useful scanning techniques in the industry. It is assumed that the reader has some basic security testing experience.
What you will learn
Develop a network testing environment that can be used to test scanning tools and techniques
Understand the underlying principles of network scanning technologies by building custom scripts and tools
Perform comprehensive scans to identify services listening on TCP and UDP sockets
Examine remote services to identify the service type, vendor, and version
Evaluate denial of service threats and develop an understanding of how common denial of service attacks are performed
Identify distinct vulnerabilities in both web applications and remote services and understand the techniques that are used to exploit them

Person
Justin Hutchens currently works as an intrusion detection specialist, network vulnerability analyst and malware forensic investigator for a large enterprise network with over 55,000 networked systems. He has filled numerous different roles in the Information Technology field, including network design, system development, database administration and network security. He has previously written articles on forensic analysis and ethical hacking and has been published in both eForensics Magazine and Hakin9 Magazine. He currently holds a Bachelor's degree in Information Technology and multiple professional information security certifications, including OSCP (Offensive Security Certified Professional), CISSP (Certified Information Systems Security Professional), CNDA (Certified Network Defense Architect), CEH (Certified Ethical Hacker), ECSA (EC-Council Certified Security Analyst) and CHFI (Computer Hacking Forensic Investigator).
Content
Introduction
Discovery Scanning
TCP Scanning
Service / OS Identification
Network Reconnaissance
Service Vulnerability Mapping
Web-Application Vulnerability Mapping
Automating Industry Tools
Chapter 2. Discovery Scanning
Discovery scanning is the process of identifying live hosts on a network. In the context of penetration testing, this is usually performed to identify potential targets for attack. The objective here is not to exhaust resources in gathering information about targets, but instead, to merely find out where the targets are logically located. The final product of our discovery should be a list of IP addresses that we can then use for further analysis. In this chapter, we will discuss how to discover hosts on a network by using protocols operating at layer 2, layer 3, and layer 4 of the OSI model. This chapter will include each of the following recipes:
- Using Scapy to perform layer 2 discovery
- Using ARPing to perform layer 2 discovery
- Using Nmap to perform layer 2 discovery
- Using NetDiscover to perform layer 2 discovery
- Using Metasploit to perform layer 2 discovery
- Using ICMP ping to perform layer 3 discovery
- Using Scapy to perform layer 3 discovery
- Using Nmap to perform layer 3 discovery
- Using fping to perform layer 3 discovery
- Using hping3 to perform layer 3 discovery
- Using Scapy to perform layer 4 discovery
- Using Nmap to perform layer 4 discovery
- Using hping3 to perform layer 4 discovery
Prior to addressing each of these scanning techniques specifically, we should first address a few underlying principles. The Open Systems Interconnection (OSI) model is an International Organization for Standardization (ISO) standard that defines how networked systems communicate. This model is divided into seven layers that define how application content can be sent by one system and/or received by another. The upper layers of the OSI model tend to be more visible to the end user, whereas the lower layers operate transparently to most casual users. These layers consist of the following:
OSI model | Layer description | Protocols
Layer 7 - Application | This layer involves the application software that is sending and receiving data | HTTP, FTP, and Telnet
Layer 6 - Presentation | This layer defines how data is formatted or organized | ASCII, JPEG, PDF, PNG, and DOCX
Layer 5 - Session | This layer involves application session control, management, synchronization, and termination | NetBIOS, PPTP, RPC, and SOCKS
Layer 4 - Transport | This layer involves end-to-end communication services | TCP and UDP
Layer 3 - Network | This layer involves logical system addressing | IPv4, IPv6, ICMP, and IPSec
Layer 2 - Data link | This layer involves physical system addressing | ARP
Layer 1 - Physical | This layer involves the data stream that is passed over the wire |
The lower layers of the OSI model are largely used to ensure that network traffic successfully arrives at its intended destination. Many of the commonly used protocols at these lower layers necessitate a response from the destination system and, as such, can be leveraged by potential attackers to identify live systems. Techniques discussed in the remainder of this section will leverage layer 2, 3, and 4 protocols to discover live network systems. Prior to addressing each of the specific recipes, we will briefly discuss the protocols used and how they can be leveraged for discovery.
The pros and cons of layer 2 discovery with ARP are as follows:
- Pros:
- Very fast
- Highly reliable
- Cons:
- Cannot discover remote systems (non-routable protocol)
Layer 2 discovery scanning is performed by making use of Address Resolution Protocol (ARP) traffic. ARP is a layer 2 protocol that primarily serves the function of translating logical layer 3 IP addresses to physical layer 2 MAC addresses. When a system needs to locate the physical address that corresponds to a destination IP address, it will broadcast an ARP request packet on the local network segment. This ARP request simply asks the entire network, "Who has this IP address?" The system with the specified IP address will then directly respond to the inquiring system with an ARP reply that contains its layer 2 MAC address. The inquiring system will update its ARP cache, which is a temporary record of IP address and MAC address associations, and will then initiate its communications with the host. The ARP protocol can be useful in discovering live hosts on a network, because it does not employ any form of identification or authorization prior to responding to requests.
As a result of this, it is possible and even trivial for an intruder to connect to a local network and enumerate live hosts. This can be performed by sending a series of ARP requests for a comprehensive list of IP addresses and then recording the queried IP addresses for which responses were received. ARP discovery has both advantages and disadvantages. It is useful in discovery scanning because it is the fastest and most reliable discovery protocol. Unfortunately, it is also a non-routable protocol and can only be used to discover hosts on the local subnet.
The pros and cons of layer 3 discovery with ICMP are as follows:
- Pros:
- Can discover remote systems (routable protocol)
- Still relatively fast
- Cons:
- Slower than ARP discovery
- Often filtered by firewalls
Layer 3 discovery is probably the most commonly known and used discovery technique among network administrators and technicians. The famous ping command-line utility, which is found natively on both Windows and *nix systems, uses layer 3 discovery. This form of discovery makes use of Internet Control Message Protocol (ICMP). While ICMP has several functions, one that is particularly useful for identifying live systems is the pair of echo request and echo reply messages. An ICMP echo request is the technical equivalent of one system asking another system, "Are you there?" An ICMP echo reply is how the receiving system answers, "Yes I am." To determine whether a host exists at a particular IP address, a system can send an ICMP echo request to that address. If there is a host with that IP address and everything works as desired, the host will return an ICMP echo reply. This protocol can be leveraged for host discovery by repeating this exchange for each address in a comprehensive list of IP addresses.
The output would consist of a list of only the IP addresses for which a reply was received. Layer 3 discovery is effective because it uses a routable protocol to identify live hosts. However, there are also certain disadvantages associated with its use. ICMP discovery is not as fast as ARP discovery. Also, ICMP discovery is not as reliable as ARP discovery, as some hosts are intentionally configured to not respond to ICMP traffic, and firewalls are frequently configured to drop ICMP traffic. Nonetheless, it is still a fast and commonly used approach to discover potential targets on a remote address range.
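The echo request/reply loop described above, as an added example that is not code from the book (the book's layer 3 recipes use ping, Scapy, Nmap, fping and hping3). It builds ICMP echo requests with a correct RFC 1071 checksum, validates replies (type, code, identifier and checksum) before trusting them, and only credits a reply to the address it was actually sent to. `icmp_sweep` uses a raw socket when run as root and otherwise falls back to Linux's unprivileged datagram ICMP socket, where the kernel rewrites the identifier field, so that check is skipped there; the target addresses on the command line and the `192.0.2.x` sample addresses are assumptions, and the reply samples are constructed here for offline use.

```python
import os
import select
import socket
import struct
import time

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_HDR = "!BBHHH"   # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def _build_echo(typ: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack(ICMP_HDR, typ, 0, 0, ident, seq)
    return struct.pack(ICMP_HDR, typ, 0, icmp_checksum(header + payload), ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"discovery") -> bytes:
    return _build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)


def constructed_echo_reply(ident: int, seq: int, payload: bytes = b"discovery") -> bytes:
    """What a live host sends back (type 0, same id/seq/payload); built only for offline samples."""
    return _build_echo(ICMP_ECHO_REPLY, ident, seq, payload)


def wrap_ipv4(icmp: bytes, src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed sample: minimal IPv4 header in front of an ICMP message, as a raw socket delivers it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, socket.IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + icmp


def parse_echo_reply(packet: bytes, ident):
    """Return the sequence number if `packet` is a valid echo reply for us, else None.
    Accepts a raw IPv4 datagram (header stripped here) or a bare ICMP message.
    ident=None skips the identifier check (needed with SOCK_DGRAM ICMP on Linux)."""
    if len(packet) >= 20 and packet[0] >> 4 == 4:
        packet = packet[(packet[0] & 0x0F) * 4:]
    if len(packet) < 8 or icmp_checksum(packet) != 0:   # a valid message checksums to zero
        return None
    typ, code, _csum, pid, seq = struct.unpack(ICMP_HDR, packet[:8])
    if typ != ICMP_ECHO_REPLY or code != 0 or (ident is not None and pid != ident):
        return None
    return seq


def icmp_sweep(targets, timeout: float = 1.0) -> set:
    """Send one echo request per target; return the addresses that replied within `timeout`.
    Silence means either no host or a filter that drops ICMP: the two are indistinguishable here."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        ident = os.getpid() & 0xFFFF
    except PermissionError:   # Linux unprivileged ICMP (net.ipv4.ping_group_range)
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
        ident = None
    seq_to_ip = {}
    for seq, ip in enumerate(targets, 1):
        s.sendto(build_echo_request(ident or 0, seq), (ip, 0))
        seq_to_ip[seq] = ip
    alive, deadline = set(), time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not select.select([s], [], [], max(0.0, deadline - time.monotonic()))[0]:
            break
        data, (src, _) = s.recvfrom(65535)
        seq = parse_echo_reply(data, ident)
        if seq_to_ip.get(seq) == src:   # credit a reply only to the host we asked
            alive.add(src)
    s.close()
    return alive


if __name__ == "__main__":   # assumed invocation: python3 icmp_sweep.py 192.0.2.1 192.0.2.2 ...
    import sys
    print(sorted(icmp_sweep(sys.argv[1:])))
```

Sending all requests first and then collecting replies until the deadline is what makes this faster than running `ping` once per address; the cost is that a host which is slow to answer, or whose reply is rate-limited by an intermediate device, drops out of the result exactly as if it were filtered.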
Layer 4 discovery is highly effective because systems that sit on publicly routable IP space are usually there to host network services that are reachable over Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). In poorly secured environments, a reply can often be solicited from a remote server by sending almost any UDP or TCP request to its IP address. Where stateful filtering is employed, it may only be possible to solicit a response by sending a SYN to a port on which a live service is actually listening. Even in highly secure environments with advanced filtering, discovery is still possible in most cases if the right request is supplied. However, with 65,536 possible ports for each of TCP and UDP, a fully comprehensive discovery process can be very time-consuming. The best approach to layer 4 discovery with both TCP and UDP techniques is to find the right balance between thoroughness and expediency.
The pros and cons of layer 4 discovery with TCP are as follows:
- Pros:
- Can discover remote systems (routable protocol)
- More reliable than ICMP (filters are less common or selectively implemented)
- Cons:
- Stateful firewall filters can produce unreliable results
- Thorough discovery can be time-consuming
Layer 4 discovery with TCP consists of sending TCP packets to potential destination addresses with various TCP flag bits activated. Different flag configurations can trigger various responses that can be used to...
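A layer 4 TCP discovery pass as described in the two paragraphs above, written as an added example rather than code from the book (the book's layer 4 recipes use Scapy, Nmap and hping3 to craft packets with chosen flag bits). This version deliberately uses the operating system's own TCP stack through `connect()`, so it needs no root and no raw sockets, at the price of completing the full handshake on open ports, which the service will log; it classifies each probe by what came back (SYN/ACK, RST, or nothing) and treats both an open and a closed port as proof of a live host, since only a running IP stack sends RST. The short default port list, the `127.0.0.1` local listener used to try it offline, and the command-line target list are assumptions.

```python
import errno
import socket

# Short list on purpose: the "thoroughness versus expediency" trade-off from the text.
DEFAULT_PORTS = (22, 80, 443, 445, 3389)


def probe_tcp(ip: str, port: int, timeout: float = 1.0) -> str:
    """Classify one probe by what the remote stack did with our SYN.

    'open'         SYN/ACK came back: live host with a listening service
    'closed'       RST came back: no service there, but still a live host
    'no-response'  nothing within `timeout`: a filter dropped the probe, or no host exists
    'unreachable'  our side has no route or received an ICMP unreachable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "no-response"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "no-response"
    finally:
        s.close()


def discover_tcp(targets, ports=DEFAULT_PORTS, timeout: float = 1.0) -> dict:
    """Return {ip: {port: state}} for every host that proved it is alive.

    A host counts as alive at the first 'open' or 'closed' result and is not probed
    further: this is discovery, not a port scan. A host that never answers on any
    probed port is absent from the result, which is exactly the stateful-filter
    blind spot the text warns about.
    """
    live = {}
    for ip in targets:
        results = {}
        for port in ports:
            state = probe_tcp(ip, port, timeout)
            results[port] = state
            if state in ("open", "closed"):
                live[ip] = results
                break
    return live


def start_local_listener():
    """Constructed local target for trying the code offline; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """A port nobody is listening on (bind, read back, release) to see the RST/'closed' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":   # assumed invocation: python3 tcp_discover.py 192.0.2.1 192.0.2.2 ...
    import sys
    for ip, states in discover_tcp(sys.argv[1:]).items():
        print(ip, states)
```

Against a stateful firewall that silently drops SYNs to non-listening ports, the 'closed' outcome disappears and a host is only found if one of the probed ports is actually serving; that is why the port list, not the flag bits, is the lever that decides how much of a filtered network this technique can see.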
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.