CEH Lab Manual

Scanning Networks
Module 03

Module 03 - Scanning Networks

Scanning a Target Network
Scanning a network refers to a set of procedures for identifying hosts, ports, and
services running in a network.

Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review

Lab Scenario

Vulnerability scanning determines the possibility of network security attacks. It
evaluates the organization’s systems and network for vulnerabilities such as missing
patches, unnecessary services, weak authentication, and weak encryption.
Vulnerability scanning is a critical component of any penetration testing assignment.
You need to conduct penetration testing and list the threats and vulnerabilities
found in an organization’s network and perform port scanning, network scanning,
and vulnerability scanning to identify IP/hostname, live hosts, and vulnerabilities.

Lab Objectives

The objective of this lab is to help students in conducting network scanning,
analyzing the network vulnerabilities, and maintaining a secure network.
You need to perform a network scan to:
■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts

Lab Environment

Tools demonstrated in this lab are available in
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

In the lab, you need:
■ A computer running with Windows Server 2012, Windows Server 2008,
  Windows 8 or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling,
we can now begin to actively query our victims for vulnerabilities that may lead to a
compromise. We have narrowed down our attack surface considerably since we first
began the penetration test with everything potentially in scope.

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Note that not all vulnerabilities will result in a system compromise. When searching
for known vulnerabilities you will find more issues that disclose sensitive
information or cause a denial of service condition than vulnerabilities that lead to
remote code execution. These may still turn out to be very interesting on a
penetration test. In fact even a seemingly harmless misconfiguration can be the
turning point in a penetration test that gives up the keys to the kingdom.
For example, consider FTP anonymous read access. This is a fairly normal setting.
Though FTP is an insecure protocol and we should generally steer our clients
towards using more secure options like SFTP, using FTP with anonymous read
access does not by itself lead to a compromise. If you encounter an FTP server that
allows anonymous read access, but read access is restricted to an FTP directory that
does not contain any files that would be interesting to an attacker, then the risk
associated with the anonymous read option is minimal. On the other hand, if you
are able to read the entire file system using the anonymous FTP account, or possibly
even worse, someone has mistakenly left the customer's trade secrets in the FTP
directory that is readable to the anonymous user; this configuration is a critical issue.
Vulnerability scanners do have their uses in a penetration test, and it is certainly
useful to know your way around a few of them. As we will see in this module, using
a vulnerability scanner can help a penetration tester quickly gain a good deal of
potentially interesting information about an environment.
In this module we will look at several forms of vulnerability assessment. We will
study some commonly used scanning tools.

Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an
educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScan Tools Pro
■ Drawing Network Diagrams Using LANSurveyor
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude

Note: Ensure you have ready a copy of the additional readings handed out for this lab.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on
your target’s security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of
information regarding local network computers.

Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an
organization to disable it, it becomes very important to perform vulnerability
scanning to find the flaws and vulnerabilities in a network and patch them before an
attacker intrudes into the network. The goal of running a vulnerability scanner is to
identify devices on your network that are open to known vulnerabilities.

Lab Objectives

The objective of this lab is to help students perform a local network scan and
discover all the resources on the network.
You need to:
■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers

Tools demonstrated in this lab are available in
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Environment

In the lab, you need:
■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning
  Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner
  from the link http://www.advanced-ip-scanner.com

■ If you decide to download the latest version, then screenshots shown
  in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual
  machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps
  to install Advanced IP Scanner
■ Administrative privileges to run this tool

Note: Advanced IP Scanner works on Windows Server 2003/Server 2008 and on
Windows 7 (32 bit, 64 bit).

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network scanning is performed to collect information about live systems, open
ports, and network vulnerabilities. Gathered information is helpful in determining
threats and vulnerabilities in a network and to know whether there are any
suspicious or unauthorized IP connections, which may enable data theft and cause
damage to resources.

Lab Tasks

TASK 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the
desktop.

FIGURE 1.1: Windows 8 - Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine
(Windows 8).

Note: With Advanced IP Scanner, you can scan hundreds of IP addresses
simultaneously.

FIGURE 1.2: Windows 8 - Apps

3. The Advanced IP Scanner main window appears.

Note: You can wake any machine remotely with Advanced IP Scanner, if the
Wake-on-LAN feature is supported by your network card.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim’s machine).

Note: You have to guess a range of IP address of victim machine.

FIGURE 1.4: The victim machine Windows Server 2008

Note: Radmin 2.x and 3.x Integration enable you to connect (if Radmin is
installed) to remote computers with just one click.

5. Now, switch back to the attacker machine (Windows 8) and enter an IP
address range in the Select range field.
6. Click the Scan button to start the scan.

Note: The status of scan is shown at the bottom left side of the window.

7. Advanced IP Scanner scans all the IP addresses within the range and
displays the scan results after completion.

Note: Lists of computers saving and loading enable you to perform operations
with a specific list of computers. Just save a list of machines you need and
Advanced IP Scanner loads it at startup automatically.

Note: Group Operations: Any feature of Advanced IP Scanner can be used with any
number of selected computers. For example, you can remotely shut down a complete
computer class with a few clicks.

FIGURE 1.6: The Advanced IP Scanner main window after scanning

8. You can see in the above figure that Advanced IP Scanner has detected
the victim machine’s IP address and displays the status as alive.

TASK 2: Extract Victim’s IP Address Info

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut
down, and Abort Shut down.

Note: Wake-on-LAN: You can wake any machine remotely with Advanced IP
Scanner, if Wake-on-LAN feature is supported by your network card.

FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list

10. The list displays properties of the detected computer, such as IP
address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the
selected victim machine/IP address.
Note: Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask
supported), IP List, Single Host, Neighborhood.

FIGURE 1.8: The Advanced IP Scanner Computer properties window

12. Now you have the IP address, Name, and other details of the victim
machine.
13. You can also try Angry IP scanner located at D:\CEH-Tools\CEHv8
Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It
also scans the network for machines and ports.

Lab Analysis

Document all the IP addresses, open ports and their running applications, and
protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved:
Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Questions

1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs

Banner Grabbing to Determine a Remote Target System using ID Serve

ID Serve is used to identify the make, model, and version of any website's server
software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be
used by an attacker to detect vulnerabilities such as buffer overflow, integer flow,
SQL injection, and web application on a network. If these vulnerabilities are not
fixed immediately, attackers can easily exploit them and crack into the network and
cause server damage.
Therefore, it is extremely important for penetration testers to be familiar with
banner grabbing techniques to monitor servers to ensure compliance and
appropriate security updates. Using this technique you can also locate rogue servers
or determine the role of servers within a network. In this lab, you will learn the
banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives

The objective of this lab is to help students learn to perform banner grabbing on the
website and discover applications running on this website.
In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information

Tools demonstrated in this lab are available in
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Environment

To perform the lab you need:
■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
  Networks\Banner Grabbing Tools\ID Serve

■ You can also download the latest version of ID Serve from the link
  http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown
  in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull
and display the server's greeting message, if any, often identifying the server's make,
model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks

TASK 1: Identify website server information

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Banner Grabbing Tools\ID Serve
2. In the main window of ID Serve shown in the following figure, select the
Server Query tab.

Note: If an IP address is entered instead of a URL, ID Serve will attempt to
determine the domain name associated with the IP.

FIGURE 2.1: Main window of ID Serve

3. Enter the IP address or URL address in Enter or Copy/paste an Internet
server URL or IP address here:

Note: ID Serve can accept the URL or IP as a command-line parameter.

FIGURE 2.2: Entering the URL for query

4. Click Query The Server; it shows server query processed information.

Note: ID Serve can also connect with non-web servers to receive and report that
server's greeting message. This generally reveals the server's make, model,
version, and other potentially useful information.

Server query processing:
  Initiating server query
  Looking up IP address for domain www.certifiedhacker.com
  The IP address for the domain is 202.75.54.101
  Connecting to the server on standard HTTP port: 80
  [Connected] Requesting the server's default page
The server identified itself as:
  Microsoft-IIS/6.0

FIGURE 2.3: Server processed information

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you
discovered during the lab.

Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
■ HTTP/1.1 200
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: PHP/4.4.8
■ Transfer-Encoding: chunked
■ Content-Type: text/html
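
The headers recorded above are exactly what a banner grab returns, so a server owner can audit them the same way to see which ones disclose product and version. The following is an added example, not part of the lab manual or of ID Serve; the list of headers checked and all function names are assumptions of this example.

```python
"""Audit an HTTP response head for software/version disclosure (added example)."""
import re

# Constructed sample: the status line and headers recorded in the lab analysis above.
BEFORE = (
    "HTTP/1.1 200\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: PHP/4.4.8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed sample: the same response after the banner headers were suppressed.
AFTER = (
    "HTTP/1.1 200\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Headers that commonly carry software banners (assumed list, not exhaustive).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Matches product/version tokens such as "Microsoft-IIS/6.0" or "PHP/4.4.8".
PRODUCT_TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.]*)")


def parse_head(raw):
    """Return (status_line, {lowercased header name: [values]})."""
    text = raw.replace("\r\n", "\n")      # tolerate bare-LF responses
    head = text.split("\n\n", 1)[0]       # drop any body
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # skip malformed header lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def disclosed_software(raw):
    """List (header, product, version) for every banner the response exposes.

    version is None when the header names a product without a version.
    """
    _, headers = parse_head(raw)
    findings = []
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            tokens = PRODUCT_TOKEN.findall(value)
            if tokens:
                findings.extend((name, product, version) for product, version in tokens)
            elif value:
                findings.append((name, value, None))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, disclosed_software(raw))
```

An empty result for the second sample is the state to aim for on servers you operate: the response still works, but it no longer tells a banner grabber which product and version to look up.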

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Questions

1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs

Fingerprinting Open Ports Using the Amap Tool

Amap determines applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and
ports determine which program to use when data is received. A complete data transfer
always contains the IP address plus the port number required. In the previous lab
we found out that the server connection is using a Standard HTTP port 80. If an
attacker finds this information, he or she will be able to use the open ports for
attacking the machine.
In this lab, you will learn to use the Amap tool to perform port scanning and know
exactly what applications are running on each port found open.

Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and
discover applications running on these open ports.
In this lab, you will learn to:
■ Identify the application protocols running on open ports 80
■ Detect application protocols

Tools demonstrated in this lab are available in
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Environment

To perform the lab you need:
■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
  Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of AMAP from the link
  http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown
  in the lab might differ

■ A computer running Web Services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found
on the network. Fingerprinting is achieved by sending trigger packets and looking
up the responses in a list of response strings.
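
The lookup half of that process, as an added example that is not part of the lab manual: captured responses are matched against a list of response patterns, and a single response can legitimately match several entries, which is why one port may be reported under more than one protocol name. The signature list, sample responses and function names are constructed for illustration and are not Amap's own definitions.

```python
"""Match captured service responses against a response-string list (added example)."""
import re

# Constructed signature list: (label, pattern). Illustrative only; these are
# NOT the response definitions shipped with Amap.
SIGNATURES = [
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("http-iis", re.compile(rb"^Server: Microsoft-IIS", re.M | re.I)),
    ("http-apache-2", re.compile(rb"^Server: Apache/2", re.M | re.I)),
    ("ftp", re.compile(rb"^220[ -].*ftp", re.I)),
    ("smtp", re.compile(rb"^220[ -].*smtp", re.I)),
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
]

# Constructed observations: (host, port) -> bytes received, or None when the
# connection attempt failed. Host and extra ports are sample values.
OBSERVED = {
    ("10.0.0.4", 80): b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n",
    ("10.0.0.4", 25): b"220 ftp.example.test ESMTP ready\r\n",
    ("10.0.0.4", 81): None,
    ("10.0.0.4", 7000): b"\x00\x01\x02",
}


def identify(response):
    """Return every signature label whose pattern matches the response."""
    return [label for label, pattern in SIGNATURES if pattern.search(response)]


def map_ports(observations):
    """Split observations into {endpoint: labels} and a list of unidentified endpoints."""
    matched, unidentified = {}, []
    for (host, port), response in sorted(observations.items()):
        endpoint = f"{host}:{port}/tcp"
        labels = identify(response) if response else []
        if labels:
            matched[endpoint] = labels
        else:
            unidentified.append(endpoint)
    return matched, unidentified


def multi_match(matched):
    """Endpoints with more than one label: results to confirm by hand."""
    return sorted(ep for ep, labels in matched.items() if len(labels) > 1)


if __name__ == "__main__":
    matched, unidentified = map_ports(OBSERVED)
    for endpoint, labels in matched.items():
        print(endpoint, "matches", ", ".join(labels))
    print("Unidentified ports:", " ".join(unidentified))
    print("Needs manual confirmation:", multi_match(matched))
```

The greeting on port 25 in the sample matches both the ftp and smtp patterns because the host name contains "ftp"; a match is a hint about the service, not proof of it.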

Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab
the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Banner Grabbing Tools\AMAP
2. Type amap www.certifiedhacker.com 80, and press Enter.

    D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode
    Unidentified ports: 202.75.54.101:80/tcp (total 1).
    amap v5.2 finished at 2012-08-28 12:20:53

Note: Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>]
[-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

FIGURE 3.1: Amap with host name www.certifiedhacker.com with Port 80

3. You can see the specific application protocols running on the entered host
name and the port 80.
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type the IP address of your local Windows Server
2008 (virtual machine) amap 10.0.0.4 75-81 (local Windows Server 2008)
and press Enter (the IP address will be different in your network).

Note: For Amap options, type amap -help.

6. Try scanning different websites using different ranges of switches like amap
www.certifiedhacker.com 1-200

    D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
    Protocol on 10.0.0.4:80/tcp matches http
    Protocol on 10.0.0.4:80/tcp matches http-apache-2
    Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
    Protocol on 10.0.0.4:80/tcp matches http-iis
    Protocol on 10.0.0.4:80/tcp matches webmin
    Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
    amap v5.2 finished at 2012-08-28 12:27:54

Note: Compiles on all UNIX based platforms - even MacOS X, Cygwin on
Windows, ARM-Linux and PalmOS.

FIGURE 3.2: Amap with IP address and with range of switches 73-81

Lab Analysis

Document all the IP addresses, open ports and their running applications, and the
protocols you discovered during the lab.
Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
WebServers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Questions

1. Execute the Amap command for a host name with a port number other
than 80.
2. Analyze how the Amap utility gets the applications running on different
machines.
3. Use various Amap options and analyze the results.

Internet Connection Required: ☑ Yes  □ No
Platform Supported: ☑ Classroom  □ iLabs

M o n ito r in g T C P /IP C o n n e c t i o n s
U s in g t h e C u r r P o r ts T o o l
C u n P o r ts is n e tw o rk m o n ito rin g s o fh ia re th a t d is p la y s th e lis t o f a ll c u r re n tly
o p e n e d T C P / IP

I CON K E Y
Valuable
information
Test your
knowledge

w

Web exercise

m

Workbook review

a n d U D P p o r ts o n y o u r lo c a l c o m p u te r.

Lab Scenario

In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or by disabling unnecessary services running on the computer.

You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and can obtain all the information in the IP and TCP headers and in the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection.

As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Objectives

The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.

In this lab, you need to:
■ Scan the system for currently opened TCP/IP and UDP ports
■ Gather information on the ports and processes that are opened
■ List all the IP addresses that are currently established connections
■ Close unwanted TCP connections and kill the process that opened the ports

Lab Environment

To perform the lab, you need:
■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool

Lab Duration

Time: 10 Minutes

Overview of Monitoring TCP/IP

Monitoring TCP/IP ports checks if there are multiple IP connections established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.

Lab Tasks

The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Library). Extract CurrPorts to the desired location and double-click cports.exe to launch.
TASK 1: Discover TCP/IP Connection

1. Launch CurrPorts. It automatically displays the process name, ports, IP and remote addresses, and their states.

FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses
2. CurrPorts lists all the processes and their IDs, protocols used, local and remote IP address, local and remote ports, and remote host names.

3. To view all the reports as an HTML page, click View -> HTML Reports - All Items.

Note: In the bottom left of the CurrPorts window, the status of total ports and remote connections displays.

FIGURE 4.2: The CurrPorts with HTML Report - All Items
4. The HTML Report automatically opens using the default browser.

Note: To check the countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the "IpToCountry.csv" file in the same folder as cports.exe.

FIGURE 4.3: The Web browser displaying CurrPorts Report - All Items
5. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).

Note: CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the "Log Changes" option under the File menu.

Note: By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.

FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items
6. To view only the selected report as an HTML page, select reports and click View -> HTML Reports - Selected Items.

Note: Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

Note: You can also right-click on the Web page and save the report.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items
7. The selected report automatically opens using the default browser.

Note: In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).

Note: The syntax for a filter string: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].

FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items
8. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).

Note: Command-line option: /stext <Filename> means save the list of all opened TCP/UDP ports into a regular text file.

FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items
9. To view the properties of a port, select the port and click File -> Properties.

Note: Command-line option: /stab <Filename> means save the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: CurrPorts to view properties for a selected port
10. The Properties window appears and displays all the properties for the selected port.

11. Click OK to close the Properties window.

Note: Command-line option: /shtml <Filename> means save the list of all opened TCP/UDP ports into an HTML file (Horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port (fields shown: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State, Process Path, Product Name, File Description, File Version, Company, Process Created On, User Name, Process Services, Process Attributes, Added On, Module Filename, Remote IP Country, Window Title)

TASK 2: Close TCP Connection

12. To close a TCP connection you think is suspicious, select the process and click File -> Close Selected TCP Connections (or Ctrl+T).

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window
TASK 3: Kill Process

13. To kill the processes of a port, select the port and click File -> Kill Processes of Selected Ports.

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports Option Window
14. To exit from the CurrPorts utility, click File -> Exit. The CurrPorts window closes.

Note: Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (Vertical).

FIGURE 4.12: The CurrPorts Exit option window
Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Note: In command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.

Tool/Utility: CurrPorts

Information Collected/Objectives Achieved:

Profile Details: Network scan for open ports

Scanned Report:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
3. Determine the use of each of the following options that are available under the options menu of CurrPorts:
   a. Display Established
   b. Mark Ports Of Unidentified Applications
   c. Display Items Without Remote Address
   d. Display Items With Unknown State

Note: CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

Internet Connection Required: ☐ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs
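The filter-string syntax quoted in the lab notes ([include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range]) can be explored offline with the added example below, which is not CurrPorts code and not part of the original lab. The `Conn` rows are constructed, and two points are assumptions: the process form takes the process name as its last field, and a row is shown when it matches any include rule and no exclude rule.

```python
"""Evaluate CurrPorts-style filter strings against connection rows (added example)."""
import ipaddress
import re
from dataclasses import dataclass

PROTOCOLS = {"tcp": {"tcp"}, "udp": {"udp"}, "tcpudp": {"tcp", "udp"}}
SIDES = ("local", "remote", "both", "process")


@dataclass(frozen=True)
class Conn:
    process: str
    protocol: str      # "tcp" or "udp"
    local_addr: str
    local_port: int
    remote_addr: str   # "" for a listening socket with no peer
    remote_port: int   # 0 for a listening socket with no peer


@dataclass(frozen=True)
class Rule:
    include: bool
    side: str
    protocols: frozenset
    value: str         # port, port range, IPv4 address, IPv4 range, or process name


def parse_filters(text):
    """Split on spaces, semicolons or CRLF and parse each action:side:proto:value."""
    rules = []
    for token in filter(None, re.split(r"[;\s]+", text)):
        parts = token.split(":")
        if len(parts) < 3 or parts[0].lower() not in ("include", "exclude"):
            raise ValueError(f"bad filter: {token!r}")
        include, side = parts[0].lower() == "include", parts[1].lower()
        if side not in SIDES:
            raise ValueError(f"bad side in {token!r}")
        if side == "process":
            # Assumption: the process form carries the process name as its last field.
            rules.append(Rule(include, side, frozenset(PROTOCOLS["tcpudp"]), parts[-1]))
            continue
        if len(parts) != 4 or parts[2].lower() not in PROTOCOLS:
            raise ValueError(f"bad protocol in {token!r}")
        rules.append(Rule(include, side, frozenset(PROTOCOLS[parts[2].lower()]), parts[3]))
    return rules


def _endpoint_matches(value, addr, port):
    """True if addr or port falls inside value ('80', '53-139', '10.0.0.1-10.0.0.9')."""
    low, _, high = value.partition("-")
    high = high or low
    if "." in low:                      # IPv4 address or address range
        if not addr:                    # listening socket: no peer address to compare
            return False
        ip = ipaddress.ip_address(addr)
        lo_ip, hi_ip = ipaddress.ip_address(low), ipaddress.ip_address(high)
        return ip.version == lo_ip.version and lo_ip <= ip <= hi_ip
    return int(low) <= port <= int(high)


def rule_matches(rule, conn):
    if rule.side == "process":
        return conn.process.lower() == rule.value.lower()
    if conn.protocol not in rule.protocols:
        return False
    local = _endpoint_matches(rule.value, conn.local_addr, conn.local_port)
    remote = _endpoint_matches(rule.value, conn.remote_addr, conn.remote_port)
    return {"local": local, "remote": remote, "both": local or remote}[rule.side]


def apply_filters(text, conns):
    """Assumed semantics: keep rows matching any include rule and no exclude rule."""
    rules = parse_filters(text)
    includes = [r for r in rules if r.include]
    excludes = [r for r in rules if not r.include]
    return [c for c in conns
            if (not includes or any(rule_matches(r, c) for r in includes))
            and not any(rule_matches(r, c) for r in excludes)]


# Constructed sample rows (not a real capture), shaped like the CurrPorts columns.
SAMPLE = [
    Conn("chrome.exe", "tcp", "10.0.0.7", 4119, "173.194.36.26", 80),
    Conn("chrome.exe", "tcp", "10.0.0.7", 4148, "173.194.36.26", 443),
    Conn("firefox.exe", "tcp", "10.0.0.7", 4163, "173.194.36.15", 443),
    Conn("firefox.exe", "tcp", "127.0.0.1", 3981, "127.0.0.1", 3982),
    Conn("httpd.exe", "tcp", "0.0.0.0", 1070, "", 0),
    Conn("lsass.exe", "tcp", "0.0.0.0", 1028, "", 0),
    Conn("svchost.exe", "udp", "10.0.0.7", 53012, "10.0.0.1", 53),
    Conn("updater.exe", "tcp", "10.0.0.7", 4200, "203.0.113.9", 53),
]

if __name__ == "__main__":
    for label, flt in [
        ("remote TCP 80 or UDP 53", "include:remote:tcp:80 include:remote:udp:53"),
        ("Firefox only", "include:process:firefox.exe"),
        ("hide 173.194.36.x peers", "exclude:remote:tcpudp:173.194.36.0-173.194.36.255"),
    ]:
        print(f"{label}: {flt}")
        for c in apply_filters(flt, SAMPLE):
            print(f"  {c.process:12} {c.protocol} {c.local_addr}:{c.local_port}"
                  f" -> {c.remote_addr or '-'}:{c.remote_port}")
```

The constructed `updater.exe` row reaches remote port 53 over TCP, so the `udp:53` rule does not select it: the protocol field is part of the match.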

Lab

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario

You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool will automatically mark with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items, and then close the selected connections.

Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.

In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

Note: You can download GFI LANguard from http://www.gfi.com.
Lab Environment

To perform the lab, you need:
■ GFI Languard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI Languard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 2012 Server as the host machine
■ Windows Server 2008 running in virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains an activation code

Note: GFI LANguard compatibly works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).
Lab Duration

Time: 10 Minutes

Overview of Scanning Network

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Note: GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.

Lab Tasks

Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine Windows 2012 Server.

TASK 1: Scanning for Vulnerabilities

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Note: Zenmap file installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

Note: To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
Note: The default scanning options which provide quick access to scanning modes are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a schedule scan

FIGURE 5.3: The GFI LANguard main window

Note: Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile
4. Click the Launch a Scan option to perform a network scan.

Note: If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.

FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option
5.

Launch a N ew sca n

i.
ii.
iii.

window will appear

1 1 die Scan Target option, select lo c a lh o s t from die drop-down list
1
1 1 die Profile option, select F u ll
1
1 1 die Credentials option, select
1
drop-down list

Scan

from die drop-down list

c u rre n tly lo g g ed on u s e r

from die

6. Click S c a n .
CEH Lab Manual Page 115
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks

FIGURE 5.5: Selecting an option for network scanning

Note: For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

7. Scanning will start; it will take some time to scan the network. See the following figure

Note: Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After completing the scan, the scan result will show in the left panel

Note: Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.

FIGURE 5.7: The GFI LanGuard Custom scan wizard

9. To check the Scan Result Overview, click IP address of the machine in the right panel
10. It shows the Vulnerability Assessment and Network & Software Audit: click Vulnerability Assessment

FIGURE 5.8: Selecting Vulnerability Assessment option

11. It shows all the Vulnerability Assessment indicators by category

Note: During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
■ System hardware information, including connected modems and USB devices

FIGURE 5.9: List of Vulnerability Assessment categories

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses

Note: Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.

FIGURE 5.10: System patching status report

13. Click Ports, and under this, click Open TCP Ports

Note: A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials

FIGURE 5.11: TCP/UDP Ports result

14. Click System Information in the right side panel; it shows all the details of the system information
15. Click Password Policy

Note: The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.

FIGURE 5.12: Information of Password Policy

16. Click Groups: it shows all the groups present in the system

Note: A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.

Note: A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.

FIGURE 5.13: Information of Groups

17. Click the Dashboard tab: it shows all the scanned network information

Note: It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., Auto download and deploy missing updates)

FIGURE 5.14: Scanned report of the network

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.

Tool/Utility: GFI LanGuard 2012

Information Collected/Objectives Achieved:
Vulnerability Level
Vulnerable Assessment
System Patching Status
Scan Results Details for Open TCP Ports
Scan Results Details for Password Policy
Dashboard - Entire Network
■ Vulnerability Level
■ Security Sensors
■ Most Vulnerable Computers
■ Agent Status
■ Vulnerability Trend Over Time
■ Computer Vulnerability Distribution
■ Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required
□ Yes
☑ No

Platform Supported
☑ Classroom
☑ iLabs

Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.

Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information.

Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.

In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports

Lab Environment

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Note: Zenmap works on Windows after including Windows 7, and Server 2003/2008.

Lab Duration

Time: 20 Minutes
Overview of Network Scanning

Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use and dozens of other characteristics

Lab Tasks

TASK 1: Intense Scan

Follow the wizard-driven installation steps and install Nmap (Zenmap) scanner in the host machine (Windows Server 2012).

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

FIGURE 6.1: Windows Server 2012 - Desktop view

2. Click the Nmap - Zenmap GUI app to open the Zenmap window

Note: Zenmap file installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 6.2: Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

Note: Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}

Note: In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.

FIGURE 6.3: The Zenmap main window
4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
5. In this lab, the IP address would be 10.0.0.4; it will be different from your lab environment
6. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.
7. Click Scan to start scanning the virtual machine.

Note: While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

FIGURE 6.4: The Zenmap main window with Target and Profile entered (Target: 10.0.0.4; Profile: Intense scan; Command: nmap -T4 -A -v 10.0.0.4)

Note: The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered
8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.

Note: Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:35
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 49154/tcp on 10.0.0.4
Discovered open port 49153/tcp on 10.0.0.4
Discovered open port 49156/tcp on 10.0.0.4
Discovered open port 49155/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results.

Note: The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude_file>

Note: The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS <port list> (TCP SYN Ping)
■ -PA <port list> (TCP ACK Ping)
■ -PU <port list> (UDP Ping)
■ -PY <port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO <protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

10. Click the Ports/Hosts tab to display more information on the scan results.
11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan

12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.

Note: By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.

Note: By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan

14. Click the

Scans

tab to scan details for provided IP addresses.
1- 1 ° ‫ ׳‬x

Zenm ap
Scan

Tools

C om m and:

Profile:

Services

|

Cancel

N m ap O u tp u t J P crts.' Hosts | T o po lo gy | H ost D e ta il;| S:an;

Status

< Host

Com‫׳‬r»ard

Unsaved nmap -T4-A •v 10.00.4

1 0 0 .0 4

i f ■ A pp e nd Scan

a InN ap, option-p
m
<port ranges> m scan
eans
onlyspecifiedports.

Intense scan

nm a p •T4 •A -v 100.0.4



Hosts
OS

Help

10.0.0.4

Target:

a N ap offers options
m
for specifyingw ports
hich
are scannedandw
hether
the scanorder is
random2edor sequential.
!

Profile

»

Remove Scan

Cancel Scan

FIG R 6 0 TheZ apm w w S tabforIntenseS
U E .1 :
enm ain indow ith can
can
15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).

[Screenshot: Zenmap Services tab with the http service selected for 10.0.0.4, command nmap -T4 -A -v 10.0.0.4]
FIGURE 6.11: The Zenmap main window with Services option for Intense Scan

Note: In Nmap, option -F means fast (limited port) scan.
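The per-service listing that steps 15 and 16 read off the Services tab can be rebuilt from Nmap's XML output (-oX). The Python below is an added example, not part of the lab manual: the sample XML is constructed, and `services_view` and `unexpected_open` are hypothetical helper names. It goes one step beyond the tab by comparing open ports with an expected baseline.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the XML format Nmap writes with -oX. Only the address
# 10.0.0.4 and its http row on 5357/tcp come from the lab screenshots; the
# other hosts, ports and versions are invented for this example.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -T4 -A -v 10.0.0.4 10.0.0.7 10.0.0.9">
  <host>
    <status state="up"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:04" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/>
        <service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="5357"><state state="open"/>
        <service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="ExampleHTTPd" version="1.0"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/>
        <service name="http"/></port>
      <port protocol="tcp" portid="9999"><state state="open"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def _address(host):
    """Return the host's IP address, ignoring the MAC entry Nmap also records."""
    for addr in host.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            return addr.get("addr")
    return "unknown"


def services_view(xml_text):
    """Group every scanned port by service name, like the Services tab."""
    root = ET.fromstring(xml_text.strip())
    view = defaultdict(list)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer have no port table
        address = _address(host)
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            # A port with no <service> element was not identified by Nmap.
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            version = ""
            if svc is not None:
                parts = (svc.get("product"), svc.get("version"))
                version = " ".join(p for p in parts if p)
            view[name].append({
                "host": address,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "version": version,
            })
    for rows in view.values():
        rows.sort(key=lambda r: (r["host"], r["port"]))
    return dict(view)


def unexpected_open(view, allowed):
    """List open (host, port, service) entries missing from the baseline set."""
    found = []
    for name, rows in view.items():
        for r in rows:
            if r["state"] == "open" and (r["host"], r["port"]) not in allowed:
                found.append((r["host"], r["port"], name))
    return sorted(found)


if __name__ == "__main__":
    view = services_view(SAMPLE_XML)
    for row in view["http"]:  # same columns as the Services tab
        print(row["host"], row["port"], row["protocol"], row["state"], row["version"])
    # Constructed baseline of (address, port) pairs expected to be open.
    baseline = {("10.0.0.4", 135), ("10.0.0.4", 139),
                ("10.0.0.4", 5357), ("10.0.0.7", 80)}
    print(unexpected_open(view, baseline))
```
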
Ceh v8 labs module 03 scanning networks

  • 1. CEH Lab Manual S c a n n i n g N e t w o r k s M o d u le 03
  • 2. Module 03 - Scanning Networks

    Scanning a Target Network

    Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

    Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review.

    Lab Scenario

    Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization’s systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list the threats and vulnerabilities found in an organization’s network and perform port scanning, network scanning, and vulnerability scanning to identify IP/hostname, live hosts, and vulnerabilities.

    Lab Objectives

    The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network. You need to perform a network scan to:
    ■ Check live systems and open ports
    ■ Perform banner grabbing and OS fingerprinting
    ■ Identify network vulnerabilities
    ■ Draw network diagrams of vulnerable hosts

    Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

    Lab Environment

    In the lab, you need:
    ■ A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
    ■ A web browser
    ■ Administrative privileges to run tools and perform scans

    Lab Duration

    Time: 50 Minutes

    Overview of Scanning Networks

    Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.

    CEH Lab Manual Page 85. Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

    For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

    Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment.

    In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.

    Lab Tasks

    TASK 1: Overview

    Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

    Note: Ensure you have ready a copy of the additional readings handed out for this lab.

    Recommended labs to assist you in scanning networks:
    ■ Scanning System and Network Resources Using Advanced IP Scanner
    ■ Banner Grabbing to Determine a Remote Target System Using ID Serve
    ■ Fingerprint Open Ports for Running Applications Using the Amap Tool
    ■ Monitor TCP/IP Connections Using the CurrPorts Tool
    ■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
    ■ Explore and Audit a Network Using Nmap
    ■ Scanning a Network Using the NetScan Tools Pro
    ■ Drawing Network Diagrams Using LANSurveyor
    ■ Mapping a Network Using the Friendly Pinger
    ■ Scanning a Network Using the Nessus Tool
    ■ Auditing Scanning by Using Global Network Inventory
    ■ Anonymous Browsing Using Proxy Switcher
  • 4. Recommended labs (continued):
    ■ Daisy Chaining Using Proxy Workbench
    ■ HTTP Tunneling Using HTTPort
    ■ Basic Network Troubleshooting Using the MegaPing
    ■ Detect, Delete and Block Google Cookies Using G-Zapper
    ■ Scanning the Network Using the Colasoft Packet Builder
    ■ Scanning Devices in a Network Using The Dude

    Lab Analysis

    Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure through public and free information.

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  • 5. Scanning System and Network Resources Using Advanced IP Scanner

    Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.

    Lab Scenario

    In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

    Lab Objectives

    The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
    ■ Perform a system and network scan
    ■ Enumerate user accounts
    ■ Execute remote penetration
    ■ Gather information about local network computers

    Lab Environment

    In the lab, you need:
    ■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
    ■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
  • 6. Note: Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).

    ■ If you decide to download the latest version, then screenshots shown in the lab might differ
    ■ A computer running Windows 8 as the attacker (host machine)
    ■ Another computer running Windows Server 2008 as the victim (virtual machine)
    ■ A web browser with Internet access
    ■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
    ■ Administrative privileges to run this tool

    Lab Duration

    Time: 20 Minutes

    Overview of Network Scanning

    Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. Gathered information is helpful in determining threats and vulnerabilities in a network and to know whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

    Lab Tasks

    TASK 1: Launching Advanced IP Scanner

    1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.

    FIGURE 1.1: Windows 8 - Desktop view

    2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).
  • 7. Note: With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

    FIGURE 1.2: Windows 8 - Apps

    3. The Advanced IP Scanner main window appears.

    Note: You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

    FIGURE 1.3: The Advanced IP Scanner main window

    4. Now launch the Windows Server 2008 virtual machine (victim’s machine).
  • 8. Note: You have to guess a range of IP address of victim machine.

    FIGURE 1.4: The victim machine Windows Server 2008

    Note: Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.

    5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.

    6. Click the Scan button to start the scan.

    Note: The status of the scan is shown at the bottom left side of the window.

    7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
  • 9. Note: Lists of computers saving and loading enable you to perform operations with a specific list of computers. Just save a list of machines you need and Advanced IP Scanner loads it at startup automatically.

    Note: Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

    FIGURE 1.6: The Advanced IP Scanner main window after scanning

    8. You can see in the above figure that Advanced IP Scanner has detected the victim machine’s IP address and displays the status as alive.

    TASK 2: Extract Victim’s IP Address Info

    9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.

    FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list

    10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.

    11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
  • 10. Note: Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood.

    FIGURE 1.8: The Advanced IP Scanner Computer properties window

    12. Now you have the IP address, Name, and other details of the victim machine.

    13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

    Lab Analysis

    Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

    Tool/Utility: Advanced IP Scanner
    Information Collected/Objectives Achieved: Scan Information:
    ■ IP address
    ■ System name
    ■ MAC address
    ■ NetBIOS information
    ■ Manufacturer
    ■ System status
  • 11. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Examine and evaluate the IP addresses and range of IP addresses.

    Internet Connection Required: □ Yes ☑ No
    Platform Supported: ☑ Classroom ☑ iLabs
  • 12. Banner Grabbing to Determine a Remote Target System Using ID Serve

    ID Serve is used to identify the make, model, and version of any website's server software.

    Lab Scenario

    In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer flow, SQL injection, and web application on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them and crack into the network and cause server damage.

    Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

    Lab Objectives

    The objective of this lab is to help students learn to perform banner grabbing on a website and discover the applications running on this website. In this lab you will learn to:
    ■ Identify the domain IP address
    ■ Identify the domain information

    Lab Environment

    To perform the lab you need:
    ■ ID Serve, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
  • 13. ■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
    ■ If you decide to download the latest version, then screenshots shown in the lab might differ
    ■ Double-click idserve to run ID Serve
    ■ Administrative privileges to run the ID Serve tool
    ■ Run this tool on Windows Server 2012

    Lab Duration

    Time: 5 Minutes

    Overview of ID Serve

    ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

    Lab Tasks

    TASK 1: Identify website server information

    1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve

    2. In the main window of ID Serve shown in the following figure, select the Server Query tab.

    Note: If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.

    FIGURE 2.1: Main window of ID Serve

    3. Enter the IP address or URL address in "Enter or copy/paste an Internet server URL or IP address here:"
  • 14. Note: ID Serve can accept the URL or IP as a command-line parameter.

    FIGURE 2.2: Entering the URL for query

    4. Click Query The Server; it shows server query processed information.

    Note: ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

    FIGURE 2.3: Server processed information

    Lab Analysis

    Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
  • 15. Tool/Utility: ID Serve
    Information Collected/Objectives Achieved:
    IP address: 202.75.54.101
    Server Connection: Standard HTTP port: 80
    Response headers returned from server:
    ■ HTTP/1.1 200
    ■ Server: Microsoft-IIS/6.0
    ■ X-Powered-By: PHP/4.4.8
    ■ Transfer-Encoding: chunked
    ■ Content-Type: text/html

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Examine what protocols ID Serve apprehends.
    2. Check if ID Serve supports https (SSL) connections.

    Internet Connection Required: □ Yes ☑ No
    Platform Supported: ☑ Classroom ☑ iLabs
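The response headers recorded in the ID Serve lab are what a banner-grabbing tool reads, so a defender can audit their own servers' responses for the same disclosure. The following is an added example, not part of the lab manual: the function names are hypothetical, and the sample responses are constructed (the first from the headers listed in the lab's results, with an assumed "OK" reason phrase).

```python
import re

# Response headers that carry make/version in the lab's ID Serve result.
DISCLOSING_HEADERS = ("server", "x-powered-by")

# A product/version token such as "Microsoft-IIS/6.0" or "PHP/4.4.8".
PRODUCT_RE = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.]*)")

# Constructed sample built from the headers listed in the lab's results.
LAB_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: PHP/4.4.8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: product named, version withheld.
PRODUCT_ONLY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: identifying headers removed.
QUIET_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_response_head(raw):
    """Return (status_line, {lowercased header name: [values]}) for a raw response."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head = text.split("\n\n", 1)[0]          # drop the body, if any
    lines = head.split("\n")
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:                           # not a header line; ignore it
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def audit_banner(raw):
    """List what the response reveals about server make and version."""
    _, headers = parse_response_head(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            products = PRODUCT_RE.findall(value)
            if products:
                for product, version in products:
                    findings.append({"header": name, "product": product,
                                     "version": version,
                                     "severity": "version-disclosed"})
            elif value:
                findings.append({"header": name, "product": value,
                                 "version": None,
                                 "severity": "product-disclosed"})
    return findings


def summarize(raw):
    """One line per finding, suitable for a hardening checklist."""
    findings = audit_banner(raw)
    if not findings:
        return ["no make/version disclosed in response headers"]
    return ["%s: %s %s (%s)" % (f["header"], f["product"],
                                f["version"] or "(no version)", f["severity"])
            for f in findings]


if __name__ == "__main__":
    for label, sample in (("lab result", LAB_RESPONSE),
                          ("product only", PRODUCT_ONLY_RESPONSE),
                          ("quiet", QUIET_RESPONSE)):
        print(label)
        for line in summarize(sample):
            print("  " + line)
```

Any header reported as version-disclosed is a candidate for removal or genericizing in the web server's configuration, since the exact version tells a scanner which known vulnerabilities to look up.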
  • 16. Fingerprinting Open Ports Using the Amap Tool

    Amap determines applications running on each open port.

    Lab Scenario

    Computers communicate with each other by knowing the IP address in use, and ports determine which program should handle the data when it is received. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using a Standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine.

    In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

    Lab Objectives

    The objective of this lab is to help students learn to fingerprint open ports and discover applications running on these open ports. In this lab, you will learn to:
    ■ Identify the application protocols running on open ports 80
    ■ Detect application protocols

    Lab Environment

    To perform the lab you need:
    ■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
    ■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap
    ■ If you decide to download the latest version, then screenshots shown in the lab might differ
  • 17. ■ A computer running Web Services enabled for port 80
    ■ Administrative privileges to run the Amap tool
    ■ Run this tool on Windows Server 2012

    Lab Duration

    Time: 5 Minutes

    Overview of Fingerprinting

    Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.

    Lab Tasks

    TASK 1: Identify Application Protocols Running on Port 80

    1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

    2. Type amap www.certifiedhacker.com 80, and press Enter.

        D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
        amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode

        Unidentified ports: 202.75.54.101:80/tcp (total 1).

        amap v5.2 finished at 2012-08-28 12:20:53

    Note: Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

    FIGURE 3.1: Amap with host name www.certifiedhacker.com with Port 80

    3. You can see the specific application protocols running on the entered host name and the port 80.

    4. Use the IP address to check the applications running on a particular port.

    5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine), amap 10.0.0.4 75-81 (local Windows Server 2008), and press Enter (the IP address will be different in your network).

    Note: For Amap options, type amap -help.

    6. Try scanning different websites using different ranges of switches like amap www.certifiedhacker.com 1-200
  • 18. Terminal output for step 5:

        D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
        amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode

        Protocol on 10.0.0.4:80/tcp matches http
        Protocol on 10.0.0.4:80/tcp matches http-apache-2
        Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
        Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
        Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
        Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
        Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
        Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
        Protocol on 10.0.0.4:80/tcp matches http-iis
        Protocol on 10.0.0.4:80/tcp matches webmin

        Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).

        amap v5.2 finished at 2012-08-28 12:27:54

    Note: Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.

    FIGURE 3.2: Amap with IP address and with range of switches 73-81

    Lab Analysis

    Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

    Tool/Utility: Amap
    Information Collected/Objectives Achieved:
    Identified open port: 80
    WebServers:
    ■ http-apache-2
    ■ http-iis
    ■ webmin
    Unidentified ports:
    ■ 10.0.0.4:75/tcp
    ■ 10.0.0.4:76/tcp
    ■ 10.0.0.4:77/tcp
    ■ 10.0.0.4:78/tcp
    ■ 10.0.0.4:79/tcp
    ■ 10.0.0.4:81/tcp
  • 19. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Execute the Amap command for a host name with a port number other than 80.
    2. Analyze how the Amap utility gets the applications running on different machines.
    3. Use various Amap options and analyze the results.

    Internet Connection Required: ☑ Yes □ No
    Platform Supported: ☑ Classroom □ iLabs
  • 20. Monitoring TCP/IP Connections Using the CurrPorts Tool

    CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.

    Lab Scenario

    In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or disable unnecessary services running on the computer.

    You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and can access all the information in the IP and TCP headers and the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection.

    As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

    Lab Objectives

    The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer. In this lab, you need to:
    ■ Scan the system for currently opened TCP/IP and UDP ports
    ■ Gather information on the ports and processes that are opened
    ■ List all the IP addresses that currently have established connections
    ■ Close unwanted TCP connections and kill the process that opened the ports
  • 21. M o d u le 0 3 - S c a n n in g N e tw o rk s L a b E n v ir o n m e n t To perform the lab, you need: ■ CurrPorts located at D : C E H -T o o ls C E H v 8 M o d u le 0 3 S c a n n in g N e t w o r k s S c a n n in g T o o ls C u r r P o r t s ■ You can also download the latest version of http: / / www.nirsoft.11e t/utils/cports.html ■ If you decide to download the in the lab might differ ■ A computer running W in d o w s a Y candow ou nload CuuPorts tool from http://w w w .nirsoft.net. C u rrP o rts la t e s t v e r s io n , from the link then screenshots shown S erv er 2012 ■ Double-click c p o r t s .e x e to run this tool ■ Administrator privileges to run die C u rrP o rts tool L a b D u r a t io n Time: 10 Minutes O v e r v ie w M o n it o r in g T C P / IP Monitoring TCP/IP ports checks if there are m u ltip le IP connections established Scanning TCP/IP ports gets information on all die opened T C P and U D P ports and also displays all established IP addresses on die server. Lab T asks The CurrPorts utility is a standalone executable and doesn’t require any installation process or additional DLLs (Dynamic Link Library). Extract CurrPorts to die desired location and double click c p o r t s .e x e to launch. TASK 1 1. Launch C u r r p o r t s . It a u t o m a t ic a lly d is p l a y s the process name, ports, IP and remote addresses, and their states. D is c o v e r T C P /IP C o n n e c tio n r‫י * 1 ״ 1 ־‬ C urrP orts File Edit View Option* Help xSD®v^!taer4*a-* Process Na.. Proces... Protocol L ocal... Local Address Rem... Rem... 
FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses

2. CurrPorts lists all the processes and their IDs, protocols used, local and remote IP address, local and remote ports, and remote host names.

Note: The CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.

3. To view all the reports as an HTML page, click View -> HTML Reports - All Items.

Note: In the bottom left of the CurrPorts window, the status of total ports and remote connections displays.

FIGURE 4.2: The CurrPorts with HTML Report - All Items

4. The HTML Report automatically opens using the default browser.

Note: To check the countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.

FIGURE 4.3: The Web browser displaying CurrPorts Report - All Items

5. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).
Note: CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu.

Note: By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.

FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items

6. To view only the selected report as an HTML page, select reports and click View -> HTML Reports - Selected Items.

Note: Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

Note: You can also right-click on the Web page and save the report.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items

7. The selected report automatically opens using the default browser.
Note: In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).

FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items

Note: The syntax for a filter string is: [include | exclude] : [local | remote | both | process] : [tcp | udp | tcpudp] : [IP Range | Ports Range].

8. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).

Note: Command-line option: /stext <Filename> means save the list of all opened TCP/UDP ports into a regular text file.

FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items

9. To view the properties of a port, select the port and click File -> Properties.
Note: Command-line option: /stab <Filename> means save the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: CurrPorts to view properties for a selected port

10. The Properties window appears and displays all the properties for the selected port.

11. Click OK to close the Properties window.

Note: Command-line option: /shtml <Filename> means save the list of all opened TCP/UDP ports into an HTML file (Horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port
TASK 2: Close TCP Connection

12. To close a TCP connection you think is suspicious, select the process and click File -> Close Selected TCP Connections (or Ctrl+T).

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window

TASK 3: Kill Process

13. To kill the processes of a port, select the port and click File -> Kill Processes of Selected Ports.

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports option window

14. To exit from the CurrPorts utility, click File -> Exit. The CurrPorts window closes.
Note: Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (Vertical).

FIGURE 4.12: The CurrPorts Exit option window

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Note: On the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.

Tool/Utility: CurrPorts

Information Collected/Objectives Achieved:
Profile Details: Network scan for open ports
Scanned Report:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

Note: CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
3. Determine the use of each of the following options that are available under the options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
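The filter-string syntax quoted in the lab notes ([include | exclude] : [local | remote | both | process] : [tcp | udp | tcpudp] : [IP Range | Ports Range]) can be exercised offline on a connection listing. The Python below is an added example, not CurrPorts or NirSoft code; it parses such strings and applies them to constructed rows shaped like the columns in the lab screenshots. Assumptions: the three-field form include:process:<name>, the rule that a row is shown when it matches any include string and no exclude string, and IPv4-only addresses.

```python
import ipaddress
import re
from dataclasses import dataclass

PROTOS = {"tcp": {"TCP"}, "udp": {"UDP"}, "tcpudp": {"TCP", "UDP"}}


@dataclass(frozen=True)
class Conn:
    process: str
    protocol: str      # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: str   # "" when the row has no remote endpoint
    remote_port: int   # 0 when the row has no remote endpoint


@dataclass(frozen=True)
class Rule:
    include: bool      # True for include, False for exclude
    side: str          # local | remote | both | process
    protos: frozenset  # protocols the rule applies to; empty for process rules
    target: object     # ("port" | "ip", low, high) or a lower-cased process name


# Constructed rows (not captured data), shaped like the lab's screenshot columns.
SAMPLE = [
    Conn("chrome.exe", "TCP", "10.0.0.7", 4119, "173.194.36.26", 80),
    Conn("firefox.exe", "TCP", "10.0.0.7", 4163, "173.194.36.15", 443),
    Conn("firefox.exe", "TCP", "127.0.0.1", 3981, "127.0.0.1", 3982),
    Conn("httpd.exe", "TCP", "0.0.0.0", 1070, "", 0),
    Conn("svchost.exe", "UDP", "10.0.0.7", 52311, "10.0.0.1", 53),
]


def as_ipv4(addr):
    """Return an IPv4Address, or None for empty or non-IPv4 text."""
    try:
        return ipaddress.IPv4Address(addr)
    except ValueError:
        return None


def parse_range(value):
    """Parse 'a' or 'a-b' as a port range or an IPv4 address range."""
    low, _, high = value.partition("-")
    high = high or low
    if "." in low:
        kind, lo, hi = "ip", ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    else:
        kind, lo, hi = "port", int(low), int(high)
    if lo > hi:
        raise ValueError(f"range is reversed: {value!r}")
    return kind, lo, hi


def parse_filters(text):
    """Split on spaces, semicolons or CRLF (as the lab note says) and parse each string."""
    rules = []
    for token in filter(None, re.split(r"[ ;\r\n]+", text.strip())):
        parts = token.split(":", 3)
        action = parts[0].lower()
        side = parts[1].lower() if len(parts) > 1 else ""
        if action not in ("include", "exclude"):
            raise ValueError(f"bad action in filter string: {token!r}")
        if side == "process" and len(parts) == 3:  # assumed three-field form
            rules.append(Rule(action == "include", side, frozenset(), parts[2].lower()))
        elif side in ("local", "remote", "both") and len(parts) == 4 \
                and parts[2].lower() in PROTOS:
            rules.append(Rule(action == "include", side,
                              frozenset(PROTOS[parts[2].lower()]), parse_range(parts[3])))
        else:
            raise ValueError(f"bad filter string: {token!r}")
    return rules


def rule_matches(rule, conn):
    """True when one filter string selects this row."""
    if rule.side == "process":
        return conn.process.lower() == rule.target
    if conn.protocol.upper() not in rule.protos:
        return False
    kind, lo, hi = rule.target
    ends = []
    if rule.side in ("local", "both"):
        ends.append((conn.local_addr, conn.local_port))
    if rule.side in ("remote", "both"):
        ends.append((conn.remote_addr, conn.remote_port))
    for addr, port in ends:
        ip = as_ipv4(addr)
        if kind == "port" and lo <= port <= hi:
            return True
        if kind == "ip" and ip is not None and lo <= ip <= hi:
            return True
    return False


def apply_filters(text, conns):
    """Assumed semantics: keep rows matching any include (if present) and no exclude."""
    rules = parse_filters(text)
    includes = [r for r in rules if r.include]
    excludes = [r for r in rules if not r.include]
    kept = []
    for conn in conns:
        if includes and not any(rule_matches(r, conn) for r in includes):
            continue
        if any(rule_matches(r, conn) for r in excludes):
            continue
        kept.append(conn)
    return kept


if __name__ == "__main__":
    for flt in ("include:remote:tcp:80 include:remote:udp:53",
                "include:process:firefox.exe"):
        print(flt)
        for row in apply_filters(flt, SAMPLE):
            print("   ", row)
```
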
Lab

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Scenario

You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool will automatically mark with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items, and then close the selected connections.

Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.

In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

Note: You can download GFI LANguard from http://www.gfi.com.

Lab Environment

To perform the lab, you need:
■ GFI Languard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI Languard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains an activation code

Note: GFI LANguard is compatible with Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

Lab Duration

Time: 10 Minutes

Overview of Scanning Network

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Note: GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
Lab Tasks

Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine Windows 2012 Server.

TASK 1: Scanning for Vulnerabilities

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Note: Zenmap file installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

Note: To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
Note: The default scanning options which provide quick access to scanning modes are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a schedule scan

FIGURE 5.3: The GFI LANguard main window

Note: Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile

4. Click the Launch a Scan option to perform a network scan.

Note: If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.

FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option

5. The Launch a New scan window will appear.
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select currently logged on user from the drop-down list

6. Click Scan.
Note: For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

FIGURE 5.5: Selecting an option for network scanning

7. Scanning will start; it will take some time to scan the network. See the following figure.

Note: Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After completing the scan, the scan result will show in the left panel.
Note: Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.

FIGURE 5.7: The GFI LanGuard Custom scan wizard

9. To check the Scan Result Overview, click the IP address of the machine in the right panel.

10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment.

FIGURE 5.8: Selecting Vulnerability Assessment option
  • 35. Module 03 - Scanning Networks
    11. It shows all the Vulnerability Assessment indicators by category.
    Note: During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities, including:
    ■ Missing Microsoft updates
    ■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
    ■ System hardware information, including connected modems and USB devices
    FIGURE 5.9: List of Vulnerability Assessment categories
    12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.
    Note: Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.
    FIGURE 5.10: System patching status report
    13. Click Ports, and under this, click Open TCP Ports.
  • 36. Module 03 - Scanning Networks
    Note: A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
    ■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
    ■ Scan targets
    ■ Logon credentials
    FIGURE 5.11: TCP/UDP Ports result
    14. Click System Information in the right side panel; it shows all the details of the system information.
    15. Click Password Policy.
    Note: The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.
    FIGURE 5.12: Information of Password Policy
    16. Click Groups: it shows all the groups present in the system.
  • 37. Module 03 - Scanning Networks
    Note: A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.
    Note: A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.
    FIGURE 5.13: Information of Groups
    17. Click the Dashboard tab: it shows all the scanned network information.
    Note: It is recommended to use scheduled scans:
    ■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
    ■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
    ■ To automatically trigger auto-remediation options (e.g., Auto download and deploy missing updates)
    FIGURE 5.14: Scanned report of the network
    Lab Analysis
    Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
  • 38. Module 03 - Scanning Networks
    Tool/Utility: GFI LanGuard 2012
    Information Collected/Objectives Achieved:
    ■ Vulnerability Level
    ■ Vulnerability Assessment
    ■ System Patching Status
    ■ Scan Results Details for Open TCP Ports
    ■ Scan Results Details for Password Policy
    Dashboard - Entire Network:
    ■ Vulnerability Level
    ■ Security Sensors
    ■ Most Vulnerable Computers
    ■ Agent Status
    ■ Vulnerability Trend Over Time
    ■ Computer Vulnerability Distribution
    ■ Computers by Operating System
    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
    Questions
    1. Analyze how GFI LANguard products provide protection against a worm.
    2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
    3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?
    Internet Connection Required: ☐ Yes ☑ No
    Platform Supported: ☑ Classroom ☑ iLabs
  • 39. Module 03 - Scanning Networks
    Exploring and Auditing a Network Using Nmap
    Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.
    Lab Scenario
    In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.
    Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
    Lab Objectives
    The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.
    In this lab, you need to:
    ■ Scan TCP and UDP ports
    ■ Analyze host details and their topology
    ■ Determine the types of packet filters
  • 40. Module 03 - Scanning Networks
    ■ Record and save all scan reports
    ■ Compare saved results for suspicious ports
    Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
    Lab Environment
    To perform the lab, you need:
    ■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
    ■ You can also download the latest version of Nmap from the link http://nmap.org/
    ■ If you decide to download the latest version, then screenshots shown in the lab might differ
    ■ A computer running Windows Server 2012 as a host machine
    ■ Windows Server 2008 running on a virtual machine as a guest
    ■ A web browser with Internet access
    ■ Administrative privileges to run the Nmap tool
    Note: Zenmap works on Windows after including Windows 7, and Server 2003/2008.
    Lab Duration
    Time: 20 Minutes
    Overview of Network Scanning
    Network addresses are scanned to determine:
    ■ What services (application names and versions) those hosts offer
    ■ What operating systems (and OS versions) they run
    ■ The type of packet filters/firewalls that are in use and dozens of other characteristics
    Lab Tasks
    TASK 1: Intense Scan
    Follow the wizard-driven installation steps and install Nmap (Zenmap) scanner in the host machine (Windows Server 2012).
    1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
    FIGURE 6.1: Windows Server 2012 - Desktop view
  • 41. Module 03 - Scanning Networks
    2. Click the Nmap - Zenmap GUI app to open the Zenmap window.
    Note: Zenmap file installs the following files:
    ■ Nmap Core Files
    ■ Nmap Path
    ■ WinPcap 4.1.1
    ■ Network Interface Import
    ■ Zenmap (GUI frontend)
    ■ Ncat (Modern Netcat)
    ■ Ndiff
    FIGURE 6.2: Windows Server 2012 - Apps
    3. The Nmap - Zenmap GUI window appears.
    Note: Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}
    Note: In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
    FIGURE 6.3: The Zenmap main window
    4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
    5. In this lab, the IP address would be 10.0.0.4; it will be different from your lab environment.
    6. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.
  • 42. Module 03 - Scanning Networks
    7. Click Scan to start scanning the virtual machine.
    Note: While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.
    FIGURE 6.4: The Zenmap main window with Target and Profile entered
    Note: The six port states recognized by Nmap:
    ■ Open
    ■ Closed
    ■ Filtered
    ■ Unfiltered
    ■ Open|Filtered
    ■ Closed|Unfiltered
    8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.
    Note: Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
    [Screenshot: Nmap Output tab for the command nmap -T4 -A -v 10.0.0.4, showing the ARP Ping Scan, Parallel DNS resolution, and SYN Stealth Scan of 1000 ports, with open TCP ports 135, 139, 445, 5357, and 49152 through 49156 discovered on 10.0.0.4]
    FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
    9. After the scan is complete, Nmap shows the scanned results.
  • 43. Module 03 - Scanning Networks
    Note: The options available to control target selection:
    ■ -iL <inputfilename>
    ■ -iR <num hosts>
    ■ --exclude <host1>[,<host2>[,...]]
    ■ --excludefile <exclude_file>
    Note: The following options control host discovery:
    ■ -sL (List Scan)
    ■ -sn (No port scan)
    ■ -Pn (No ping)
    ■ -PS <port list> (TCP SYN Ping)
    ■ -PA <port list> (TCP ACK Ping)
    ■ -PU <port list> (UDP Ping)
    ■ -PY <port list> (SCTP INIT Ping)
    ■ -PE; -PP; -PM (ICMP Ping Types)
    ■ -PO <protocol list> (IP Protocol Ping)
    ■ -PR (ARP Ping)
    ■ --traceroute (Trace path to host)
    ■ -n (No DNS resolution)
    ■ -R (DNS resolution for all targets)
    ■ --system-dns (Use system DNS resolver)
    ■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
    [Screenshot: Nmap Output tab for nmap -T4 -A -v 10.0.0.4, listing the open ports with service and version detection, followed by the OS detection results (Microsoft Windows 7 or Windows Server 2008 SP1), uptime guess, network distance of 1 hop, TCP sequence prediction, and service info]
    FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
    10. Click the Ports/Hosts tab to display more information on the scan results.
    11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.
    Port    Protocol  State  Service       Version
    135     tcp       open   msrpc         Microsoft Windows RPC
    139     tcp       open   netbios-ssn
    445     tcp       open   netbios-ssn
    5357    tcp       open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    49152   tcp       open   msrpc         Microsoft Windows RPC
    49153   tcp       open   msrpc         Microsoft Windows RPC
    49154   tcp       open   msrpc         Microsoft Windows RPC
    49155   tcp       open   msrpc         Microsoft Windows RPC
    49156   tcp       open   msrpc         Microsoft Windows RPC
    FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
  • 44. Module 03 - Scanning Networks
    12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.
    Note: By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.
    FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan
    13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.
    Note: By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
    [Screenshot: Host Details tab for 10.0.0.4, showing state up, 1000 scanned ports, 991 closed ports, 0 filtered ports, last boot Fri Aug 24 09:27:40 2012, and operating system Microsoft Windows 7 or Windows Server 2008 SP1]
    FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan
  • 45. Module 03 - Scanning Networks
    14. Click the Scans tab to see the scan details for the provided IP addresses.
    Note: Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.
    Note: In Nmap, option -p <port ranges> means scan only specified ports.
    FIGURE 6.10: The Zenmap main window with Scan tab for Intense Scan
    15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
    16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).
    Note: In Nmap, option -F means fast (limited port) scan.
    FIGURE 6.11: The Zenmap main window with Services option for Intense Scan
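The lab objectives for this exercise include recording scan reports and comparing saved results for suspicious ports. The following Python script is an added example, not part of the lab manual: it diffs the open ports in two Nmap XML reports, assuming the scans were saved as XML (a saved Zenmap scan or nmap -oX). Both embedded reports are constructed samples; the first is based on open ports shown for 10.0.0.4 in this lab, the second is invented.

```python
"""Diff two saved Nmap XML reports and list changes in open ports per host."""
import xml.etree.ElementTree as ET

# Constructed sample reports, trimmed to the elements this script reads.
# BASELINE mirrors four of the open ports the lab's Intense Scan shows for
# 10.0.0.4; LATER is an invented follow-up scan. The MAC is a placeholder.
BASELINE = """<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX baseline.xml 10.0.0.4">
 <host><status state="up"/>
  <address addr="10.0.0.4" addrtype="ipv4"/>
  <address addr="00:00:5E:00:53:01" addrtype="mac"/>
  <ports>
   <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
   <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn"/></port>
   <port protocol="tcp" portid="5357"><state state="open"/><service name="http"/></port>
  </ports>
 </host>
</nmaprun>"""

LATER = """<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX later.xml 10.0.0.4">
 <host><status state="up"/>
  <address addr="10.0.0.4" addrtype="ipv4"/>
  <address addr="00:00:5E:00:53:01" addrtype="mac"/>
  <ports>
   <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
   <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
   <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
  </ports>
 </host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {ip: {(protocol, port): service}} for ports in state 'open'."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        # A host carries several <address> elements (IP and MAC); prefer IPv4.
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            # Only 'open' counts; filtered/closed entries are not listeners.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr.get("addr")] = ports
    return result


def diff_scans(old_xml, new_xml):
    """Return sorted change records: (ip, protocol, port, change, detail)."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        for key in sorted(set(before) | set(after)):
            proto, port = key
            if key not in before:
                changes.append((ip, proto, port, "opened", after[key]))
            elif key not in after:
                changes.append((ip, proto, port, "closed", before[key]))
            elif before[key] != after[key]:
                detail = f"{before[key]} -> {after[key]}"
                changes.append((ip, proto, port, "service-changed", detail))
    return changes


if __name__ == "__main__":
    for ip, proto, port, change, detail in diff_scans(BASELINE, LATER):
        print(f"{ip} {port}/{proto} {change}: {detail}")
```

For real reports, pass the contents of the two saved XML files to diff_scans; a port reported as opened that is not in the inventory is the one to investigate first.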