Module 03 - Scanning Networks

Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).

■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool

Lab Duration
Time: 20 Minutes

Overview of Network Scanning
Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. Gathered information is helpful in determining threats and vulnerabilities in a network and to know whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks

TASK 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 1.1: Windows 8 - Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).

CEH Lab Manual Page 89
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

FIGURE 1.2: Windows 8 - Apps

3. The Advanced IP Scanner main window appears.

You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).

You have to guess a range of IP address of victim machine.

FIGURE 1.4: The victim machine Windows Server 2008

Radmin 2.x and 3.x Integration enable you to connect (if Radmin is installed) to remote computers with just one click.

5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.

6. Click the Scan button to start the scan.

The status of scan is shown at the bottom left side of the window.

7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.

Lists of computers saving and loading enable you to perform operations with a specific list of computers. Just save a list of machines you need and Advanced IP Scanner loads it at startup automatically.

Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

FIGURE 1.6: The Advanced IP Scanner main window after scanning

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.

TASK 2: Extract Victim's IP Address Info

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.

Wake-on-LAN: You can wake any machine remotely with Advanced IP Scanner, if Wake-on-LAN feature is supported by your network card.

FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list

10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.

11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.

Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood

FIGURE 1.8: The Advanced IP Scanner Computer properties window

12. Now you have the IP address, Name, and other details of the victim machine.

13. You can also try Angry IP scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved:
Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status

■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012

Lab Duration
Time: 5 Minutes

Overview of ID Serve
ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks

TASK 1: Identify website server information

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve

2. In the main window of ID Serve shown in the following figure, select the Server Query tab.

If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.

FIGURE 2.1: Main window of ID Serve

3. Enter the IP address or URL address in Enter or Copy/paste an Internet server URL or IP address here:

■ A computer running Web Services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration
Time: 5 Minutes

Overview of Fingerprinting
Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.
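
The response lookup described above, as an added example (not part of the lab manual and not Amap's own code or signature list). It works offline on constructed responses, and its signature table, port numbers and function names are assumptions made for illustration. It shows why one port can receive several labels, some contradictory, and which response headers a server owner would remove to leave only the generic match.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Signature(NamedTuple):
    name: str              # label reported when the pattern matches
    pattern: "re.Pattern"  # regex applied to the raw response bytes


# Constructed response-string list (illustrative only).
SIGNATURES: List[Signature] = [
    Signature("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    Signature("http-apache-2",
              re.compile(rb"^HTTP/1\.[01] \d{3} .*\r\nServer: Apache/2", re.S)),
    # Deliberately loose: any ASP.NET hint counts as IIS, so a reverse
    # proxy in front of an ASP.NET backend also receives this label.
    Signature("http-iis",
              re.compile(rb"\r\n(?:Server: Microsoft-IIS|X-Powered-By: ASP\.NET)",
                         re.I)),
    Signature("smtp", re.compile(rb"^220[ -].*SMTP", re.I)),
    Signature("ssh", re.compile(rb"^SSH-\d\.\d+-")),
]

# Headers that typically disclose product or version information.
DISCLOSING = re.compile(
    rb"^(Server|X-Powered-By|X-AspNet-Version):[ \t]*(.+?)\r?$", re.I | re.M)


def identify(response: bytes) -> List[str]:
    """Return every signature name whose pattern matches the response."""
    return [s.name for s in SIGNATURES if s.pattern.search(response)]


def summarize(responses: Dict[int, Optional[bytes]]) -> Dict[str, object]:
    """Split ports into identified (with all labels) and unidentified.

    A port with no response (None) or with a response that matches no
    signature is listed as unidentified.
    """
    identified: Dict[int, List[str]] = {}
    unidentified: List[int] = []
    for port in sorted(responses):
        data = responses[port]
        names = identify(data) if data else []
        if names:
            identified[port] = names
        else:
            unidentified.append(port)
    return {"identified": identified, "unidentified": unidentified}


def disclosed_headers(response: bytes) -> List[Tuple[str, str]]:
    """List the headers a defender would strip or genericize."""
    return [(m.group(1).decode(), m.group(2).decode())
            for m in DISCLOSING.finditer(response)]


# Constructed sample: responses per port, None = no connection possible.
SAMPLE_RESPONSES: Dict[int, Optional[bytes]] = {
    75: None,
    80: (b"HTTP/1.1 200 OK\r\n"
         b"Server: Apache/2.2.21 (Win32)\r\n"
         b"X-Powered-By: ASP.NET\r\n"
         b"Content-Type: text/html\r\n\r\n"),
    81: None,
    2525: b"\x00\x01\x02\x03",  # answers, but with nothing recognizable
}

# The same service after the disclosing headers are removed.
HARDENED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSES))
    print(disclosed_headers(SAMPLE_RESPONSES[80]))
    print(identify(HARDENED_RESPONSE))
```
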

Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

2. Type amap www.certifiedhacker.com 80, and press Enter.

    D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode

    Unidentified ports: 202.75.54.101:80/tcp (total 1).

    amap v5.2 finished at 2012-08-28 12:20:53

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

FIGURE 3.1: Amap with host name www.certifiedhacker.com with Port 80

3. You can see the specific application protocols running on the entered host name and the port 80.

4. Use the IP address to check the applications running on a particular port.

5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine) amap 10.0.0.4 75-81 (local Windows Server 2008) and press Enter (the IP address will be different in your network).

For Amap options, type amap -help.

6. Try scanning different websites using different ranges of switches like amap www.certifiedhacker.com 1-200

    D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode

    Protocol on 10.0.0.4:80/tcp matches http
    Protocol on 10.0.0.4:80/tcp matches http-apache-2
    Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
    Protocol on 10.0.0.4:80/tcp matches http-iis
    Protocol on 10.0.0.4:80/tcp matches webmin

    Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).

    amap v5.2 finished at 2012-08-28 12:27:54

Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.

FIGURE 3.2: Amap with IP address and with range of switches 73-81

Lab Analysis
Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
WebServers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp

FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses

2. CurrPorts lists all the processes and their IDs, protocols used, local and remote IP address, local and remote ports, and remote host names.

CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.

3. To view all the reports as an HTML page, click View -> HTML Reports - All Items.

In the bottom left of the CurrPorts window, the status of total ports and remote connections displays.

FIGURE 4.2: The CurrPorts with HTML Report - All Items

4. The HTML Report automatically opens using the default browser.

To check the countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.

FIGURE 4.3: The Web browser displaying CurrPorts Report - All Items

5. To save the generated CurrPorts report from the web browser, click File -> Save Page As... Ctrl+S.

CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu.

By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.

FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items

6. To view only the selected report as HTML page, select reports and click View -> HTML Reports - Selected Items.

Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

You can also right-click on the Web page and save the report.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items

7. The selected report automatically opens using the default browser.

In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).

FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items

The Syntax for Filter String: [include | exclude]: [local | remote | both | process]: [tcp | udp | tcpudp] : [IP Range | Ports Range].

8. To save the generated CurrPorts report from the web browser, click File -> Save Page As... Ctrl+S

Command-line option: /stext <Filename> means save the list of all opened TCP/UDP ports into a regular text file.

FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items

9. To view the properties of a port, select the port and click File -> Properties.

Command-line option: /stab <Filename> means save the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: CurrPorts to view properties for a selected port

10. The Properties window appears and displays all the properties for the selected port.

11. Click OK to close the Properties window.

Command-line option: /shtml <Filename> means save the list of all opened TCP/UDP ports into an HTML file (Horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port

TASK 2: Close TCP Connection

12. To close a TCP connection you think is suspicious, select the process and click File -> Close Selected TCP Connections (or Ctrl+T).

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window

TASK 3: Kill Process

13. To kill the processes of a port, select the port and click File -> Kill Processes of Selected Ports.

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports Option Window

14. To exit from the CurrPorts utility, click File -> Exit. The CurrPorts window closes.

Command-line option: /sverhtml <Filename> Save the list of all opened TCP/UDP ports into HTML file (Vertical).

FIGURE 4.12: The CurrPorts Exit option window

Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

In command line, the syntax of /close command: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.

Tool/Utility: CurrPorts
Information Collected/Objectives Achieved:
Profile Details: Network scan for open ports
Scanned Report:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name

Lab Tasks
Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine Windows 2012 server.

TASK 1: Scanning for Vulnerabilities

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Zenmap file installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
32. M o d u le 0 3 - S c a n n in g N e tw o rk s
The default scanning options which provide quick access to scanning modes are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a schedule scan
FIGURE 5.3: The GFI LANguard main window
Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile
4. Click the Launch a Scan option to perform a network scan.
If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.
FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option
5. The Launch a New scan window will appear.
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select currently logged on user from the drop-down list
6. Click Scan.
For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.
FIGURE 5.5: Selecting an option for network scanning
7. Scanning will start; it will take some time to scan the network. See the following figure.
Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.
8. After completing the scan, the scan result will show in the left panel.
Types of scans:
Scan a single computer: Select this option to scan a local host or one specific computer.
Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.
FIGURE 5.7: The GFI LanGuard Custom scan wizard
9. To check the Scan Result Overview, click the IP address of the machine in the right panel.
10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment.
FIGURE 5.8: Selecting Vulnerability Assessment option
11. It shows all the Vulnerability Assessment indicators by category.
During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
■ System hardware information, including connected modems and USB devices
FIGURE 5.9: List of Vulnerability Assessment categories
12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.
Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.
FIGURE 5.10: System patching status report
13. Click Ports, and under this, click Open TCP Ports.
A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials
FIGURE 5.11: TCP/UDP Ports result
14. Click System Information in the right side panel; it shows all the details of the system information.
15. Click Password Policy.
The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.
FIGURE 5.12: Information of Password Policy
16. Click Groups: it shows all the groups present in the system.
A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.
A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.
FIGURE 5.13: Information of Groups
17. Click the Dashboard tab: it shows all the scanned network information.
It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., Auto download and deploy missing updates)
FIGURE 5.14: Scanned report of the network
Lab Analysis
Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
■ Record and save all scan reports
■ Compare saved results for suspicious ports
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Environment
To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool
Zenmap works on Windows after including Windows 7, and Server 2003/2008.
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use and dozens of other characteristics
Lab Tasks
TASK 1: Intense Scan
Follow the wizard-driven installation steps and install Nmap (Zenmap) scanner in the host machine (Windows Server 2012).
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 6.1: Windows Server 2012 - Desktop view
7. Click Scan to start scanning the virtual machine.
While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.
FIGURE 6.4: The Zenmap main window with Target and Profile entered (Target: 10.0.0.4; Profile: Intense scan; Command: nmap -T4 -A -v 10.0.0.4)
The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open | Filtered
■ Closed | Unfiltered
8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.
Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan, showing the following output:
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:35
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 49154/tcp on 10.0.0.4
Discovered open port 49153/tcp on 10.0.0.4
Discovered open port 49156/tcp on 10.0.0.4
Discovered open port 49155/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4
9. After the scan is complete, Nmap shows the scanned results.
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.
By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.
FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan
13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan
14. Click the Scans tab to view scan details for the provided IP addresses.
In Nmap, option -p <port ranges> means scan only specified ports.
Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.
FIGURE 6.10: The Zenmap main window with Scan tab for Intense Scan
15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).
In Nmap, option -F means fast (limited port) scan.
FIGURE 6.11: The Zenmap main window with Services option for Intense Scan
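The lab objective of comparing saved results for suspicious ports can be automated once each scan has been saved as XML with Nmap's -oX option (the Ndiff tool that Zenmap installs serves the same purpose). The script below is an added example, not part of the lab manual: the two embedded reports are constructed samples, and the function names are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports in the layout Nmap writes with -oX (not lab output).
BASELINE_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.4" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
  <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="5357"><state state="open"/><service name="http"/></port>
 </ports></host>
</nmaprun>"""

LATEST_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.4" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
  <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
 </ports></host>
</nmaprun>"""


def load_report(xml_text):
    """Map each host that was up to {(protocol, port): (state, service)}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address")  # first address element (IPv4 in the samples)
        if status is None or addr is None or status.get("state") != "up":
            continue  # a host that was down says nothing about its ports
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = (
                state.get("state") if state is not None else "unknown",
                service.get("name", "") if service is not None else "",
            )
        hosts[addr.get("addr")] = ports
    return hosts


def is_open(state):
    """Of the six Nmap states, open and open|filtered may have a listener."""
    return state in ("open", "open|filtered")


def compare(baseline_xml, latest_xml):
    """Return (addr, proto, port, change, was, now, service) tuples, sorted."""
    old, new = load_report(baseline_xml), load_report(latest_xml)
    findings = []
    for addr in sorted(set(old) | set(new)):
        if addr not in new:
            # Do not report every baseline port as closed if the host was down.
            findings.append((addr, "", 0, "host-not-up", "", "", ""))
            continue
        before, after = old.get(addr, {}), new[addr]
        for key in sorted(set(before) | set(after)):
            # "absent" means the port is not listed individually in that report.
            was, was_svc = before.get(key, ("absent", ""))
            now, svc = after.get(key, ("absent", was_svc))
            if is_open(now) and not is_open(was):
                change = "newly-open"
            elif is_open(was) and not is_open(now):
                change = "no-longer-open"
            else:
                continue
            findings.append((addr, key[0], key[1], change, was, now, svc))
    return findings


if __name__ == "__main__":
    for addr, proto, port, change, was, now, svc in compare(BASELINE_XML, LATEST_XML):
        print(f"{addr} {port}/{proto} {svc or '?'}: {change} ({was} -> {now})")
```

Ports flagged newly-open are the ones to check against the list of services the host is expected to run.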