Objective: Conduct a network scan to analyze vulnerabilities.
- Check live systems and open ports
- Identify services running in live systems
- Perform banner grabbing/OS fingerprinting
- Identify network vulnerabilities
- Draw network diagrams of vulnerable hosts
Machines Used:
- Windows 10
- Parrot OS
Applications/Tools Overview:
- Host Discovery
  - Nmap
  - Angry IP Scanner
- Port and Service Discovery
  - MegaPing
  - NetScanTools Pro
  - Nmap
  - Hping3
- Operating System Discovery
  - Wireshark
  - Nmap Script Engine (NSE)
  - Unicorn Scan
- Beyond IDS and Firewall
  - Evasion Techniques (Nmap)
  - Colasoft
  - Hping3
  - Nmap
- Drawing Network Diagrams
  - Network Topology Mapper
- Other Scanning Tools
  - Metasploit
Category: Host Discovery
Name: Nmap
Objective: Use Nmap to discover a list of live hosts in the target network
Function: Use Nmap to scan the active hosts in the target network using various host discovery techniques such as ARP ping scan, UDP ping scan, ICMP ECHO ping scan, ICMP ECHO ping sweep, etc.
Commands and Options:
Basic Usage
- nmap <options> <Target IP>
Target IP can be a range of hosts
- nmap 10.10.10.1-100
The -sn option disables port scanning (which may set off IDS alerts) and performs host discovery only.
- nmap -sn 10.10.10.16
The -sL (list scan) flag only lists the targets without probing them, and -Pn (no ping) disables host discovery altogether.
- nmap -Pn -sL 10.10.10.16
Results: The options you select, the services running on the hosts, and any firewalls in place can all affect the result. Conduct multiple scans to verify your results.
Name: Angry IP Scanner
Objective: Perform Host Discovery Using Angry IP Scanner
Function: Angry IP Scanner is an open-source, cross-platform GUI network scanning tool that resolves host names and running services. It presents this information in an Excel-like format.
Commands and Options: Set a single IP address or a range of addresses. Use the preferences menu to select the type of scan, what ports to scan, and other miscellaneous options.
Results: The list presented gives you the host name, the associated IP address, and the ports that are open on that host.
Category: Port and Service Discovery
Name: MegaPing
Objective: Perform Port and Service Discovery using MegaPing.
Function: It is a network scanning tool aimed at system administrators to detect hosts and open ports on the network. It will provide information about shared resources, users and groups, trusted domains and gives you a dropdown list of integrated utilities.
Commands and Options: Select your IP address range (a range or a single host) and choose the utility you want to use from the left-hand menu.
Results: MegaPing lists the connection type, which ports are open, and a description of each service. This can be saved and printed out as a report.
Name: NetScanTools Pro
Objective: Perform Port and Service Discovery using NetScanTools Pro
Function: Another GUI based network host/port/service discovery tool.
Commands and Options: A graphical drop-down menu lets you select the type of scan you want to run, and the scan is displayed in the middle of the screen. When finished, it gives you a summary report in a clean, readable format.
Results: The report itself allows you to go into each host and perform various attacks to test the network. The Active Directory tools seem interesting; however, they were not included in the lab.
Name: Nmap
Objective: Explore Various Network Scanning Techniques using Nmap
Function: Not only can nmap act as a host discovery tool, it can also deep scan the network for open ports and services: it performs TCP and UDP scans and OS detection, and can get as specific as an Xmas scan. Its built-in scripting engine extends this further.
Commands and Options:
Basic Usage
- nmap <options> <Target IP>
<options>
- -sT (TCP connect/full-open scan: completes the TCP three-way handshake)
- -v (verbose: prints scan progress to the screen)
- -sS (stealth scan/TCP half-open scan: the TCP connection between client and server is reset abruptly before the three-way handshake completes, leaving the connection half-open. This technique can be used to bypass firewall rules and logging mechanisms and to hide in normal network traffic.)
- -sX (Xmas scan: sends a TCP frame to the target with the FIN, URG, and PUSH flags set. If the port is open you receive no response; if the port is closed the target replies with an RST.)
- -sM (TCP Maimon scan: a FIN/ACK probe is sent to the target; no response means the port is open|filtered, while an RST reply means the port is closed.)
- -sA (ACK flag probe scan: sends an ACK probe packet with a random sequence number; no response implies the port is filtered (a stateful firewall is present), and an RST response means the port is unfiltered.)
- -sU (UDP scan: uses UDP only, so there is no TCP three-way handshake)
- -sV (detects service versions)
- -A (aggressive: turns on -O, -sV, -sC, and --traceroute)
Results: This lab goes fairly in depth with good scanning techniques using nmap. Some detail is given as to why you would choose one scan over another, but it could have gone deeper. As a basic overview of the ways to scan a network, it teaches some of the best options to use with the nmap scanner.
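As an added example that is not part of the lab or the CEH material, the Python below shows the defender's side of the scan types listed above: it recognises the TCP flag combinations each option sends in a constructed connection log (assumed format src,dst,dport,flags with tcpdump-style flag letters) and raises an alert only where the pattern is actually anomalous.

```python
from collections import defaultdict

# Constructed sample records (not a real capture): src,dst,dport,flags
# flags use tcpdump letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST
SAMPLE_LOG = """\
10.10.10.50,10.10.10.16,22,S
10.10.10.50,10.10.10.16,80,S
10.10.10.50,10.10.10.16,443,S
10.10.10.50,10.10.10.16,445,S
10.10.10.50,10.10.10.16,3389,S
10.10.10.50,10.10.10.16,8080,S
10.10.10.77,10.10.10.16,139,FPU
10.10.10.20,10.10.10.16,443,S
10.10.10.20,10.10.10.16,443,A
10.10.10.20,10.10.10.16,443,FA
"""

# Flag sets sent by the nmap scan types described above
PROBE_SIGNATURES = {
    frozenset("FPU"): "xmas",    # -sX: FIN, URG and PSH set
    frozenset("FA"):  "maimon",  # -sM: FIN/ACK probe
    frozenset("A"):   "ack",     # -sA: ACK probe
    frozenset("S"):   "syn",     # -sS/-sT: first packet of the handshake
}
# FIN+PSH+URG never appears in a legitimate flow, so one packet is enough to alert;
# SYN, ACK and FIN/ACK are normal segments and only stand out as a sweep.
ALWAYS_SUSPICIOUS = {"xmas"}

def classify_probe(flags):
    """Map a tcpdump-style flag string to the scan type it matches, or None."""
    return PROBE_SIGNATURES.get(frozenset(flags))

def detect_scans(log_text, sweep_threshold=5):
    """Return (src, scan_type, distinct_targets) for each suspected scan."""
    targets = defaultdict(set)
    for line in log_text.strip().splitlines():
        src, dst, dport, flags = line.split(",")
        kind = classify_probe(flags)
        if kind is not None:
            targets[(src, kind)].add((dst, int(dport)))
    alerts = []
    for (src, kind), ports in sorted(targets.items()):
        if kind in ALWAYS_SUSPICIOUS or len(ports) >= sweep_threshold:
            alerts.append((src, kind, len(ports)))
    return alerts

if __name__ == "__main__":
    for src, kind, n in detect_scans(SAMPLE_LOG):
        print(f"{src}: probable {kind} scan ({n} distinct targets)")
```

The single SYN, ACK and FIN/ACK from 10.10.10.20 are one ordinary connection and produce no alert; only the six-port SYN sweep and the lone Xmas probe do.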
Name: Hping3
Objective: Explore Various Network Scanning Techniques using Hping3
Function: A network scanning and packet crafting tool that sends custom TCP/IP packets and displays the replies. Used to:
- Test firewall rules
- Advanced port scanning
- Test network performance using different protocols, packet size, TOS, and fragmentation.
- Path MTU discovery
- Transfer files even through highly restrictive firewall rules
- Remote OS fingerprinting
- TCP/IP stack auditing
Commands and Options:
Basic Usage
- hping3 <mode> <host> <options>
Results: hping3 is a deep and thorough tool that really deserves an entire lab of its own. It enumerates the network by gathering specific data fields returned by the host for the protocols in use, and presents this data in a readable format with port information, service info, TTL, id, lengths, returned flags and window sizes. All of this information can be used to find vulnerabilities on the host being scanned.
Category: Operating System Discovery
Name: Wireshark
Objective: Identify the Target System OS with TTL and TCP Window Size with Wireshark
Function: Wireshark is a network protocol analyzer that allows capturing and monitoring live network traffic. It allows you to analyze the information and save the traffic in .pcap files. Of note is that the traffic capture is raw data.
Commands and Options:
- Interface Selection
- Deep Packet analysis
- OSI breakdown, with the data of each individual layer shown separately
- Source and Destination IP addresses
- MAC addresses
- Provides specific filtering capabilities based on IP address, port number, protocol, TCP/IP streams, HTTP streams, TTL.
Results: In this scenario the information gathered can be used to verify that the TTL matches that of an Ubuntu Linux system. Note that this information can be spoofed by an attacker, but it is still worth noting down in an investigation.
Name: Nmap Script Engine (NSE)
Objective: Perform OS discovery using Nmap Script Engine (NSE)
Function: Using NSE, you may obtain information such as the OS, computer name, domain name, forest name, NetBIOS computer name, NetBIOS domain name, workgroup, and system time of a target system.
Commands and Options:
Usage
nmap --script <script name> <IP address>
This can be done with a single script
- nmap --script smb-os-discovery.nse 10.10.10.10
Or with a wildcard that runs every script for the chosen protocol
- nmap --script "smb-*" 10.10.10.10
Results: If you suspect a host is running a protocol that is vulnerable, you can use the nmap scripting engine to enumerate more information about it. Nmap has a deep library of scripts to choose from; the default script set (-sC) can also be used.
Name: Unicorn Scan
Objective: Perform OS Discovery using Unicorn Scan
Function: Using this tool you are going to determine the operating system of the target based on the TTL of the host response.
Commands and Options:
Basic Usage
- unicornscan <Host Options> <IP Address> <Mode> <Module> <Domain:Ports>
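As an added example that is not part of the lab material, the Python below does what the Wireshark and Unicorn Scan labs above do by hand: it rounds an observed TTL up to the nearest well-known default initial TTL to guess the OS family and hop count, then checks the TCP window size against that guess. The window-size table is an illustrative assumption (windows vary by version and tuning), and a mismatch between the two is reported as a possible spoof rather than hidden.

```python
# Default initial TTLs of common IP stacks (well-known values)
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Solaris/network devices"}
# Initial TCP window sizes commonly seen from those stacks. Illustrative table,
# assumed for this example only; treat it as a hint, not a fingerprint.
WINDOW_HINTS = {5840: "Linux/Unix", 29200: "Linux/Unix", 64240: "Linux/Unix",
                8192: "Windows"}

def infer_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest default. Every router hop
    decrements TTL by one, so the difference is the hop count."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} is not a valid IPv4 TTL")

def guess_os(observed_ttl, window_size=None):
    """Combine TTL and (optionally) window size into an OS guess. Both
    values can be set by the sender, so a disagreement is flagged."""
    initial, hops = infer_initial_ttl(observed_ttl)
    family = INITIAL_TTLS[initial]
    hint = WINDOW_HINTS.get(window_size)
    return {"family": family, "hops": hops, "window_family": hint,
            "consistent": hint is None or hint == family}

# Constructed capture summary (not real traffic): responder IP, IP TTL, TCP window
SAMPLE_REPLIES = [("10.10.10.16", 64, 64240),   # Linux box on the local segment
                  ("10.10.10.10", 126, 8192),   # Windows host two hops away
                  ("10.10.10.9", 64, 8192)]     # TTL and window disagree

def report(replies):
    """OS guess per responder, keyed by IP address."""
    return {ip: guess_os(ttl, win) for ip, ttl, win in replies}

if __name__ == "__main__":
    for ip, g in report(SAMPLE_REPLIES).items():
        flag = "" if g["consistent"] else "  <- TTL/window mismatch, possible spoof"
        print(f"{ip}: {g['family']} ({g['hops']} hops){flag}")
```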
Category: Beyond IDS and Firewall
Name: Evasion Techniques with nmap
Objective: Scan beyond IDS/Firewall using various evasion techniques.
Function: Use nmap to send crafted packets that avoid being filtered or alerting a system, using fragmented packets, source port manipulation, MTU settings and decoys. These options are built into nmap itself.
Commands and Options:
Basic Usage
- nmap <options> <Target IP>
- -f (fragment packets), --mtu <MTU> (set the fragment size)
- -D <Decoy IP>,<Decoy IP2>,<…> (decoy scan; decoys are comma-separated)
- -g <port number> (source port manipulation)
Results: Running a standard nmap scan may not present you with any results if a firewall or IDS is blocking your probes. By using nmap's built-in functionality to craft your packets and hide your IP address, you might just be able to sneak past the defenses.
Name: Colasoft
Objective: Create Custom Packets using Colasoft Packet Builder to Scan beyond IDS/Firewalls
Function: Colasoft lets you create custom packets that can be used to test network security. It provides templates to choose from and allows you to modify and save the crafted design.
Commands and Options: Example Usage
Open Colasoft
- Click on the Adapter icon
- Select the adapter to use
- To add or create a packet, click the Add icon
- In the Add Packet dialog box, select the ARP Packet template, set Delta Time as 0.1 seconds, and click OK.
- Inspect the Packet list to view and edit the packet.
- Click send.
- In the Send Selected Packets window, select the Burst Mode.
- Click start.
- Watch the scan progress
- To export the packet, click Export -> Selected Packets…
- Save the file for future reference.
Results: In this example you can use this packet crafter to flood the ARP table and poison it. This can allow you to view all of the traffic flow on that switch. It can also be used in a MitM attack by spoofing a grabbed MAC address or by telling one of the hosts to connect to it by offering a response.
Name: Hping3
Objective: Create Custom UDP and TCP Packets using Hping3 to Scan beyond IDS/Firewalls.
Function: Hping3 is a scriptable program that uses the TCL language, whereby packets can be received and sent via a binary or string representation describing the packets.
Commands and Options:
Basic Usage
- hping3 <mode> <host> <options>
<mode>
- -S specifies a TCP SYN request to the target machine
<options>
- --udp specifies sending UDP packets to the target host
- --rand-source enables random source mode
- --data specifies the packet body size
- -p specifies the port to send the traffic to
- -c is the count of packets sent
- --flood performs the TCP flooding
Results: While monitoring this kind of attack with Wireshark, it is easy to see that a crafted packet can fool anyone monitoring the traffic.
Name: Nmap
Objective: Create Custom Packets using Nmap to Scan beyond IDS/Firewalls
Function: Nmap can also be used to scan inside a network.
Commands and Options:
Basic Usage
- nmap <options> <Target IP>
<options>
- --data [hex string] Sends binary data (0s and 1s) as the payload of the sent packets to scan beyond firewalls.
- --data-string [string] Sends a regular string as the payload of the sent packets to the target machine for scanning beyond the firewall.
- --data-length [len] Appends the given number of random data bytes to most of the packets sent, without any protocol-specific payloads.
- --randomize-hosts Scans the hosts in the target network in random order to reach the intended target that is beyond the firewall.
- --badsum Sends packets with bad or bogus TCP/UDP checksums to the intended target to avoid certain firewall rulesets.
Results: Much like the previous nmap technique, you can use the built-in functions to actually craft packets with the --data-length and --data-string options.
Category: Drawing Network Diagrams
Name: Network Topology Mapper
Objective: Draw Network Diagrams using Network Topology Mapper
Function: This tool produces a network diagram that can be used for mapping a network on layers 1-3 and for inventory management. It actually uses Orion, which was famously exploited, causing a massive government cybersecurity data breach. It would be interesting to see the level of access this requires to run, and what changes have been made since the attack.
Commands and Options: Example Usage
Open SolarWinds Topology Mapper
- The Network Topology Scan window appears. In the SNMP Credentials section, select the private credential under the Stored Credentials section and public credential under the Discovery Credentials section, and then click Next.
- Leave the WMI Credentials and VMWare Credentials section to default and click Next.
- The Network Selection section appears. Click the IP Ranges tab in the right-pane, enter the IP address range (10.10.10.3 – 10.10.10.254) in the Start Address and End Address fields, and click Next.
- The Discovery Settings section appears. Enter a name under the Scan name field (here, “Network Topology”) and click Next.
- The Scheduling section appears. Ensure that Once is selected in the Frequency drop-down menu; under the Execute immediately radio button Yes, run this discovery now is selected; then, click Next.
- The Summary section appears; click Discover.
- The New Network Scan window appears; the Network Topology Mapper starts scanning the network for live hosts.
- The display now shows the entire network.
- From this view you can inspect and organize the topology to your deepest desires.
- You can also do cool things like remote into a host with RDP (attack vector? Yes)
Results: A really neat tool that gives you an easy method of viewing your topology in a very large network; however, without proper security measures in place, it can be used by an attacker to do all the same.
Category: Other Scanning Tools
Name: Metasploit
Objective: Scan a Target Network using Metasploit
Function: The Metasploit framework is a versatile tool where you can add modules and carry out an entire cyber kill chain attack, from recon to establishing a C2. This task has you start a PostgreSQL server that stores nmap output so you can craft your attack based on information gathered in the recon phase, and then automates the process by importing the scan into the msf database.
Commands and Options:
Example Attack
- Start postgresql
  - service postgresql start
- Start msf
  - msfconsole
- Verify connection to the server
  - db_status
- Scan the network with nmap
  - nmap -Pn -sS -A -oX Test 10.10.10.0/24
- Import the scan to your database
  - db_import Test
- View information gathered from the scan
  - hosts
  - services
  - db_services
- Look for open services/ports in the hosts that were found in the host discovery
  - use auxiliary/scanner/portscan/syn
  - set INTERFACE
  - set PORTS
  - set RHOSTS
  - set THREADS
  - run
  - use auxiliary/scanner/portscan/tcp
  - hosts -R
  - run
  - use auxiliary/scanner/smb/smb_version
  - set RHOSTS 10.10.10.5-20
  - set THREADS 11
  - run
  - use auxiliary/scanner/ftp/ftp_version
  - set RHOSTS
  - run
  - hosts
  - use auxiliary/scanner/portscan/syn
- Export the information to a .csv
  - hosts -o /root/Desktop/Metasploit_Scan_Results.csv
Results: The results give you more than enough information to research an entire network, from checking for out-of-date versions to finding open and valuable services that are running.
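As an added example (not code from the lab or from Metasploit), the Python below reproduces the core of the db_import / hosts / services / hosts -o workflow above without msfconsole: it parses the XML that nmap -oX writes, keeps only live hosts and open ports, and flattens the result to CSV. The XML sample is constructed and trimmed to the elements nmap actually emits for this purpose.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed nmap -oX output, trimmed to the elements used here (not a real scan)
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Test 10.10.10.0/24">
<host><status state="up"/><address addr="10.10.10.10" addrtype="ipv4"/><hostnames><hostname name="dc01.lab.local" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds" product="Windows Server 2016 microsoft-ds"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
</ports><os><osmatch name="Microsoft Windows Server 2016" accuracy="95"/></os></host>
<host><status state="up"/><address addr="10.10.10.16" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.2p1"/></port></ports></host>
<host><status state="down"/><address addr="10.10.10.99" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return one record per live host: address, hostname, OS match and open services."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that never answered host discovery carry no port data
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        services = []
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not services to investigate
            svc = getattr(port.find("service"), "attrib", {})
            info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            services.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                             "name": svc.get("name", ""), "info": info})
        hosts.append({"addr": host.find("address[@addrtype='ipv4']").get("addr"),
                      "hostname": hostname.get("name") if hostname is not None else "",
                      "os": osmatch.get("name") if osmatch is not None else "",
                      "services": services})
    return hosts

def services_csv(hosts):
    """Flatten to one row per open service, like the 'services' table in msfconsole."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["host", "hostname", "os", "port", "proto", "name", "info"])
    for h in hosts:
        for s in h["services"]:
            writer.writerow([h["addr"], h["hostname"], h["os"],
                             s["port"], s["proto"], s["name"], s["info"]])
    return out.getvalue()
```

Write the returned string to a file to get the same kind of export as hosts -o; the filtered port 80 and the down host 10.10.10.99 are dropped, as they would be in the msf tables.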
Personal Reflection:
Similar to the previous modules, this series of labs ranges from great tools to repetitive exercises that do not further the understanding of the general concepts that are presented. The format of host discovery to evasion is a nice way to move through the scanning concepts; however, the explanations given are brief and the amount of information is overwhelming. As an overview of high-level concepts, this works as a good introduction to scanning. Nmap is a great tool and I am happy for its inclusion, but I wish it was all kept together rather than bouncing around between other tools. The Metasploit lab could have been greatly expanded on, and I do not think that the lab presented you with nearly enough information to have any idea exactly what you are doing. The hping3 lab was a nice lab that went into good detail on what you are doing and how to use the tool. The other labs were too short or did not seem very relevant. Packet shaping is a cool concept, but I do not think the Colasoft lab explored it well. The topology mapper is a neat tool, but I don't really get its inclusion because it's not like, as an attacker, you are going to install this on a host.
Works Cited (MLA):
EC-Council. Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volumes 1 through 4). International Council of E-Commerce Consultants (EC Council), 2020. [VitalSource Bookshelf].