2 Scanning

2.1 Introduction
2.2 Detect Live Hosts and Ports
2.3 Service and OS Detection
2.4 Firewall/IDS Evasion

Professional Penetration Testing 4.0 - eLearnSecurity © 2016


The objective of the scanning phase is straightforward. Now that we have basic information on our target, we need more detailed data on the devices in the target network. This will help us understand how the network is composed and, thus, how to effectively mount our future attacks.


Similarly to the information gathering stage, methodical and well thought-out scanning will result in a better assessment. Be sure that you are prepared to track the large amount of data you are about to discover on your target, and that you store it in a usable format for future use.


Ports, Protocols, and Services (PPS) help us identify the types of applications running on a system and, subsequently, any potential weaknesses. This is because security researchers have not only discovered vulnerabilities in specific applications but have also created exploits that allow adversaries to take advantage of those weaknesses.


In order to effectively utilize PPS information, one must know where to find information about the services and applications usually found on a specific port. The same applies to potential malware that may already be present on the target systems.

While there are many references available on the Internet, having a locally stored copy ready for easy reference is always beneficial.


The following is a good reference for PPS: the IANA Service Name and Transport Protocol Port Number Registry.

Of course, you can always use search engines to find this information, but check the posting dates, as many of the available resources are dated.


IMPORTANT

A word of caution on identified PPS information: a smart and skilled network administrator may deploy anti-enumeration techniques. In addition, administrators may deploy a service (on purpose or inadvertently) on a port that is commonly associated with malware. A port number is therefore only a hint about what is listening; the service detection techniques covered later in this module confirm it.

In order to ensure that one covers all the bases, it is usually best to run multiple scans, using different techniques.
The most complete option for identifying PPS is to scan all the ports of the remote system. Be aware, however, that scanning all 65535 ports takes a very long time. Moreover, this type of scan will almost certainly expose your presence on the network; it is therefore often better to create jobs for specific, smaller port ranges.


By default, most of the tools that we are going to use scan only a small set of ports, i.e. those of the most common applications and services such as telnet, FTP, SSH, HTTP, etc.

Be sure to experiment with all of the tools in order to see how they scan ports and protocols.


In order to understand how to acquire information from networked assets, it is important to have a basic understanding of how Transmission Control Protocol/Internet Protocol (TCP/IP) establishes communications between two entities.

All TCP connections begin with a simple exchange of messages called the three-way handshake, or three-message handshake.


The header fields involved in the handshake are:
• Sequence number
• Acknowledgement number
• SYN and ACK flags

The relevant part of the TCP header (RFC 793) is laid out as follows:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


The steps in the handshake are used to synchronize the sequence and acknowledgement numbers between the server and the client.

    Client                      Server
      |  ------ SYN ------>       |
      |  <---- SYN+ACK -----      |
      |  ------ ACK ------>       |
      v Time                      v Time
During the first step, the client sends a TCP packet to the server. This packet has the SYN flag set and a random initial sequence number (329 in the example below).

In the second step, the server replies with a packet that has both the SYN and ACK flags set and contains its own random initial sequence number (498).

The acknowledgement number in the SYN/ACK is always the client's sequence number plus one (329 + 1 = 330): the SYN consumes one sequence number, and the server acknowledges it.

Finally, the client completes the synchronization by sending an ACK packet. Note that the client does exactly what the server did: it acknowledges the server's sequence number plus one (498 + 1 = 499).

    Client                                      Server
      |  SYN      Seq: 329  Ack: 0     ------>    |
      |  <------  SYN/ACK  Seq: 498  Ack: 330     |
      |  ACK      Seq: 330  Ack: 499   ------>    |
      v Time                                      v Time
This handshake is the first piece of the machinery that makes TCP a reliable, connection-oriented protocol. Knowing how hosts communicate via TCP and UDP helps testers analyze packet traces and identify the responses in discovery scans.

Before inspecting the tools and techniques that allow us to scan remote hosts, in the next video we will study a very important packet analyzer: Wireshark.
You can find more information at the following links:
• IP Layer Network Administration with Linux.
• TCP/IP Tutorial and Technical Overview.
• Packet Analysis Reference Guide v3.0.

It is also a good idea to read the RFC of each communication protocol in order to understand how it was designed to function. If you know how a protocol is designed to function, you are far more likely to be able to exploit it.
In order to completely understand how port scanning and host detection work, it is useful to inspect protocols at a low level.

Command-line packet builder/analyzer tools like Hping or Nping help us here. They allow us to craft arbitrary packets, so they can be used to detect hosts, run port scans, evade firewalls/IDS and so on.


Let’s take a look at some options that hping offers in order to
both craft packets and set specific TCP flags.



In order to send a very simple TCP SYN packet to a given IP address, we can use the following command:

hping3 -S [IP_address] -p 80

Using this, we repeatedly send SYN packets (-S) to [IP_address] on port 80 (-p). Notice that if no port is specified, hping sends to port 0.


This is the result of the previous command [screenshot]. Hping will continue to send packets, one per second by default, until we manually stop it (Ctrl-C).


Let's inspect what is occurring on the network.

1. Our host (192.168.0.21) sends a packet with the SYN flag set to the address 192.168.0.1.
2. The target responds with a SYN-ACK (this means that the port is open).
3. Our host closes the connection by sending a RST. Note that this RST is not sent by hping: the operating system's TCP stack has no socket matching the SYN/ACK it just received, so it resets the half-open connection.


We suggest you use Wireshark to better understand what
occurs when you run these commands.



Since hping will keep sending packets until we manually stop it, we can alternatively instruct the tool to send a fixed number of packets. To do this, let's add the option -c to our previous command:

hping3 -S 192.168.0.1 -p 80 -c 4

In this case, the -c 4 option tells hping to send 4 packets and then stop.


The following snapshot shows the results of the previous command: exactly 4 packets are transmitted before hping exits.


Please remember, if we do not specify a port, hping will send to port 0. Let us see the differences between the following two commands:

hping3 -S 192.168.0.14 -c 3

hping3 -S 192.168.0.14 -p 445 -c 3

Notice that port 445 on the target address is open.

When we send packets to port 0, hping reports the reply flags as RA (RST and ACK): no service is listening on port 0, so the target refuses the connection. With the second command, however, we receive the flags SA (SYN and ACK), meaning that the port is open. hping prints TCP flags as single letters (S, A, R, F, P, U), so learning to read these short combinations is the quickest way to interpret its output.
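The following is an added example, not part of the course material or of hping: it decodes raw TCP header bytes into the fields and flags discussed above, renders the flags the way hping prints them (SA, RA), and checks the seq/ack arithmetic of the handshake from the slides. The packets are constructed in the script itself (the port numbers 40000 and 80 and the letter ordering of the flag string are assumptions); no network access is needed.

```python
import struct

# TCP flag bits in header order (RFC 793): URG ACK PSH RST SYN FIN.
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
# Single-letter abbreviations as hping shows them ("flags=SA", "flags=RA").
# The letter ordering used here is this example's own convention, not necessarily hping's.
FLAG_LETTERS = (("R", "RST"), ("S", "SYN"), ("A", "ACK"), ("F", "FIN"), ("P", "PSH"), ("U", "URG"))


def build_segment(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header with no options (checksum left at zero)."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    # data offset = 5 words (20 bytes), stored in the high nibble of the byte after the ack number
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, bits, window, 0, 0)


def parse_tcp_header(segment):
    """Decode the fixed part of a TCP header from raw segment bytes."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_res, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset %d" % header_len)
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS.items() if flags & bit],
        "window": window, "header_len": header_len, "payload": segment[header_len:],
    }


def hping_flags(flags):
    """Render a list of flag names the way hping shows them, e.g. ['ACK', 'SYN'] -> 'SA'."""
    return "".join(letter for letter, name in FLAG_LETTERS if name in flags)


def check_handshake(syn, synack, ack):
    """Validate the seq/ack arithmetic of a three-way handshake. Returns a list of problems (empty if valid)."""
    s, sa, a = (parse_tcp_header(p) for p in (syn, synack, ack))
    problems = []
    if s["flags"] != ["SYN"]:
        problems.append("first segment must carry SYN only")
    if sorted(sa["flags"]) != ["ACK", "SYN"]:
        problems.append("second segment must carry SYN and ACK")
    if "ACK" not in a["flags"] or "SYN" in a["flags"]:
        problems.append("third segment must be a plain ACK")
    # The SYN consumes one sequence number, so the server acknowledges client_seq + 1 ...
    expected = (s["seq"] + 1) & 0xFFFFFFFF
    if sa["ack"] != expected:
        problems.append("SYN/ACK acks %d, expected client seq + 1 = %d" % (sa["ack"], expected))
    # ... and the client does the same with the server's SYN.
    expected = (sa["seq"] + 1) & 0xFFFFFFFF
    if a["ack"] != expected:
        problems.append("ACK acks %d, expected server seq + 1 = %d" % (a["ack"], expected))
    if a["seq"] != (s["seq"] + 1) & 0xFFFFFFFF:
        problems.append("client's ACK should carry seq %d" % ((s["seq"] + 1) & 0xFFFFFFFF))
    return problems


# The exchange from the slides (constructed bytes; the ports are assumptions): client 40000 -> server 80
CLIENT_PORT, SERVER_PORT = 40000, 80
SYN = build_segment(CLIENT_PORT, SERVER_PORT, seq=329, ack=0, flags=["SYN"])
SYNACK = build_segment(SERVER_PORT, CLIENT_PORT, seq=498, ack=330, flags=["SYN", "ACK"])
ACK = build_segment(CLIENT_PORT, SERVER_PORT, seq=330, ack=499, flags=["ACK"])
# What a closed port (or port 0) sends back instead of a SYN/ACK
RSTACK = build_segment(SERVER_PORT, CLIENT_PORT, seq=0, ack=330, flags=["RST", "ACK"])

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("SYN/ACK", SYNACK), ("ACK", ACK), ("RST/ACK", RSTACK)):
        h = parse_tcp_header(pkt)
        print("%-8s flags=%-3s seq=%d ack=%d" % (name, hping_flags(h["flags"]), h["seq"], h["ack"]))
    print("handshake problems:", check_handshake(SYN, SYNACK, ACK))
```

Feed parse_tcp_header the TCP portion of a frame exported from Wireshark (File > Export Packet Bytes) to see the same flags and numbers Wireshark shows; check_handshake is what lets you spot a forged or replayed SYN/ACK, whose acknowledgement number will not match the client's sequence number plus one.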


Now that we know some of the basic hping commands, let's observe in the next video how to leverage the most important features of this tool.

We strongly suggest that you try these commands yourself and inspect the network traffic they generate in order to understand the details.
In the previous section we saw some techniques and tools that enabled us to discover live hosts in the target network.

What we are going to do now is apply those skills and acquire additional, detailed information on these hosts. We will see how to detect open ports, how to identify services and operating systems, and much more.


It is important to know that, with the advent of protocol filtering in both firewalls and routers, this process has become quite a bit more difficult than it used to be. Software and hardware firewalls can limit the types of protocols and messages permitted to and from hosts.


In order to do a thorough job of identifying live hosts, open ports, services and so on, there are many techniques and tools that we can leverage.

We must keep in mind that the level of noise produced varies with the type of discovery launched against the target; it is therefore essential that we know how loud each of the scanning and enumeration techniques we decide to use is.


For example, running a straight ping sweep of a network is surely going to announce that we are there and that we have started identifying their systems.

On the other hand, a slow TCP connect scan in random order may appear to administrators as normal connection requests to hosts.


It is very important to gauge the type of assessment (refer back to the scope document) and perform discovery accordingly. If you are on a limited schedule and must complete the pen-test, a quiet scan, unfortunately, is not the right choice for that context: it takes far longer to complete than a traditional, fast scan.

The best advice here is not to fall into a situation where you have to rush. Penetration testing takes time if you want to do it correctly.
As a side note, how does one convince the client not to rush a penetration test? The answer is simple: tell a story that educates the client on the risk associated with rushing pen-testers and the possible ramifications of a pen-tester missing a security hole that correct reconnaissance and adequate time would easily have discovered.


Our goal is to transform an unknown network into a useful map: from a cloud of unidentified hosts [figure] to a diagram of known hosts, ports, services and operating systems [figure].


Let's see some tools and techniques we can use to perform a complete scanning phase of a target's live systems.

One of the best tools we can use for host discovery, port scanning, service detection and more is Nmap. In the next slides we will see what options and features it offers in order to reach the desired result.


Nmap (Network Mapper) is a network enumeration and auditing tool. Continuing from where we left off in the information gathering phase, we will now take a technical deep dive into Nmap and discuss how it can be used to identify live hosts, open ports and so on.


IMPORTANT

A very important thing to know when using Nmap is that scans should be run with root or administrator privileges.

This is required because most scan types (SYN scan, idle scan, the FIN/NULL/Xmas scans, OS detection, and so on) send raw packets, which requires privileged access to the network stack. Without those privileges Nmap silently falls back to the TCP connect scan (-sT), which uses ordinary sockets.
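To make the "raw packets" point concrete, here is an added example (not Nmap's or hping's own code) that builds a complete IPv4 + TCP SYN packet by hand, including the IPv4 header checksum and the TCP checksum over the pseudo-header, and shows the raw-socket call that needs root. The addresses are the ones from the hping exercise; the source port, sequence number and IP ID are assumptions. Building and verifying the packet runs unprivileged; only send_raw needs privileges, and it is left commented out.

```python
import socket
import struct


def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers (src, dst, zero, protocol, TCP length)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_syn(src_ip, dst_ip, src_port, dst_port, seq):
    """20-byte TCP header with only SYN set and a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = internet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # the checksum lives at bytes 16-17


def build_ipv4(src_ip, dst_ip, payload, ip_id=0x1234, ttl=64):
    """IPv4 header (no options) in front of a TCP payload, with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]  # checksum at bytes 10-11
    return hdr + payload


def ipv4_checksum_ok(packet):
    # Summing a header that already contains its checksum yields 0 when the checksum is correct.
    return internet_checksum(packet[:20]) == 0


def tcp_checksum_ok(src_ip, dst_ip, segment):
    return internet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def send_raw(packet, dst_ip):
    """Hand the finished packet to the kernel untouched. This call is why Nmap and hping need root:
    SOCK_RAW with IP_HDRINCL requires CAP_NET_RAW on Linux (administrator rights on Windows)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    try:
        sock.sendto(packet, (dst_ip, 0))
    finally:
        sock.close()


# Addresses from the hping example; source port, sequence number and IP ID are assumptions.
SRC_IP, DST_IP = "192.168.0.21", "192.168.0.1"
SYN_PACKET = build_ipv4(SRC_IP, DST_IP, build_tcp_syn(SRC_IP, DST_IP, 40000, 80, seq=329))

if __name__ == "__main__":
    print(SYN_PACKET.hex())
    print("ip checksum ok:", ipv4_checksum_ok(SYN_PACKET),
          "tcp checksum ok:", tcp_checksum_ok(SRC_IP, DST_IP, SYN_PACKET[20:]))
    # send_raw(SYN_PACKET, DST_IP)  # run as root; the kernel will answer the returning SYN/ACK with a RST
```

Note that the TCP checksum covers the pseudo-header, so a packet whose source address is spoofed (as in the idle scan later in this module) must have its checksum computed with the spoofed address, otherwise the target silently discards it.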


In the next slide, we will summarize the parameters and options that we can use to run host discovery scans. Notice that we have already used these in the information gathering phase.

Moreover, let us quickly recap the basic command line format for Nmap:

nmap <scan type> <options> <target>


The following is a recap of the host discovery techniques that
Nmap offers.
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery
-PE/PP/PM: ICMP echo, timestamp, netmask request discovery
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host



In the next slides, we will inspect scanning techniques that
allow us to obtain additional information about open, closed
and filtered ports on target machines.
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan


SYN scans are the most popular type of scans as they can
both be performed quickly and, are not as obtrusive as other
types of scans.
A SYN scan is also one of the more accurate scans for
determining if a discovered port is in an open, closed, or in
filtered state.



Since the SYN scan does not open a full TCP connection, it is often referred to as half-open scanning. This is how it works:
• Nmap sends a SYN packet, as if it were going to open a connection, and then awaits the response to determine the port state.
• If a SYN/ACK is received, Nmap knows the port is open. If a RST (reset) is received, Nmap reports the port as closed (nothing is listening).
• After the SYN/ACK arrives, our machine's TCP stack, which knows nothing about the raw SYN Nmap sent, tears the half-open connection down with a RST packet.

If no response is received after several retransmissions, Nmap reports the port as filtered.

A port is also marked as filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is returned as a response.

Let us see some examples to understand this better.


The first test we want to run is a SYN scan against the target
10.50.97.5 on port 135. The command will be:
nmap -sS -p 135 10.50.97.5

Nmap tells us that port 135 is open. This means that the
target probably sent a SYN-ACK in response to our SYN.
While inspecting the traffic with Wireshark, we can see that we start the communication with the SYN flag set (packet #6); the remote host responds with a SYN-ACK (#7) and then our host closes the connection by sending a RST (#8).

Remember that -sS does not open a full TCP connection: the connection is reset before the handshake completes, so the target application never receives it (accept() only returns a connection once the handshake is done); only a firewall, an IDS or kernel-level logging will record the probe.


IMPORTANT
In the previous slide, we saw how to set a specific port
however, you should also be aware that Nmap offers many
options in order to specify the ports we wish to scan:
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>



IMPORTANT

We will use some of the previous options during the study of this module.

Moreover, if no ports are specified in the command, the Nmap default range will be used. This consists of the 1000 most common ports for each scanned protocol (as ranked in the nmap-services file).


Let us now see what happens if we try to scan a port that we
know to be closed. We will use the same host used before,
but we will change the port to 53:
nmap -sS -p 53 10.50.97.5

As you can see above, Nmap tells us that the port is closed.
Once again let us inspect the traffic with Wireshark to see the
details.
As we can see from the screenshot above, this time we sent the packet with the SYN flag set and the remote machine responds with a RST-ACK.

This means that the port is closed: the host is reachable, but no process is listening on that port, so its TCP stack refuses the connection.


The TCP connect scan is the default type of TCP scan when a SYN scan is not an option, i.e. when the user does not have the privileges required to send raw packets.

This scan type was also used when scanning IPv6 networks, as older Nmap releases could not craft raw IPv6 packets; current releases support SYN scans over IPv6 as well.

With the TCP connect scan, Nmap relies on the underlying operating system to establish a TCP connection to the target host (through the connect() system call), and therefore it does not utilize raw packets as most other scans do.

Since Nmap is relying on the OS to perform the connection, it has less control over the probes and gets less information from the responses than with raw packets, so the scan is slower and less efficient. It is also noisier: the handshake is completed, so the target application receives the connection and will usually log it.


Let's see what happens when we try this scan against an open port. We will use the same target we previously used.

nmap -sT -p 135 10.50.97.5

The output is very similar to the previous SYN scan, but if we inspect the communication with Wireshark we will see some differences.

As we can see in the screenshot, once the target machine responds with the SYN-ACK, our host completes the handshake by sending an ACK and then closes the connection by sending a RST-ACK.

Establishing a full TCP connection for every port is, consequently, less efficient than the previous SYN scan.


Although most services function over the TCP protocol, there are also a number of services that run and communicate over UDP (e.g. DNS, SNMP, DHCP, ...).

Nmap is able to use the UDP scan to discover these services as well as identify/enumerate the services commonly used to exploit systems.

In many instances, auditors overlook the existence of UDP services. To make matters worse, network administrators often leave them accessible.

It is important to know that, given the design of the protocol, UDP scans are much slower and more difficult to conduct. This does not mean they are less important! They should always be a part of our security tests.


Let us inspect what happens when we run a UDP scan against both an open and a closed port. The first command we will run is the following:

nmap -sU -p 137 10.50.97.5

As we can see, Nmap tells us that the port is open.

If we inspect the traffic with Wireshark, we can see that we start by sending a UDP datagram to the remote host on port 137 (#8). Since the port is open, the host responds to our request (#9): this response is what lets Nmap mark the port as open rather than open|filtered. Right after, an ICMP Destination Unreachable packet appears. Since UDP is connectionless there is no connection to close; that message is simply a host reporting that a datagram reached a port with no listener (typically our own host rejecting the reply, because Nmap sends its probes from a raw socket with no bound port).


Let's now explore what happens when we try to scan a closed port. We will use the same scan as before but change the target port to 123.

nmap -sU -p 123 10.50.97.5

In this case, Nmap tells us that the port is closed.

In contrast to the previous communication, this time the target host immediately responds with an ICMP Destination Unreachable (port unreachable, type 3 code 3), meaning that the port is closed. Other ICMP unreachable codes cause Nmap to mark the port as filtered, and no response at all is reported as open|filtered. This last case is what makes UDP scanning slow: Nmap has to retransmit and wait for every silent port, and many systems rate-limit the ICMP errors they send (Linux defaults to one per second), which slows a scan of closed ports down to roughly one port per second.


The Idle scan is a stealth technique that requires the presence of a zombie in the target network. A zombie is a host that is not sending or receiving any packets; hence the name idle scan.

In order to understand this technique, you need to know that the IP header carries an Identification field (the IP ID, used for fragment reassembly) and that many operating systems increase its value by 1 for each packet they send.
IMPORTANT

Let's shed some light on the concept of fragmentation.

As you already know, data must be encapsulated in order to be sent over the physical network link. In conjunction with this, the data has to be small enough to fit the frame size of the technology being used.

If the message is too large, it must be split into smaller messages. In essence, this is the process of fragmentation.

IMPORTANT

When a device sends the fragments of a message, the host on the other side must be able to identify these fragments in order to reassemble them.

This is achieved through the IP Identification field (the fragmentation ID): all the fragments of one original datagram carry the same Identification value, and each fragment's Fragment Offset field tells the receiver where it belongs. This way the receiver can group the fragments and reassemble them into the original message.
Now that you know what fragmentation is, you should be aware that by probing the fragmentation IDs on the zombie, we can infer whether a port is open or closed on our target. This will become clear in a moment; however, before mounting an idle scan, there are two prerequisites that must be met:
1. Find a zombie that assigns IP IDs both incrementally and globally (one counter shared by all destinations, not one counter per peer)
2. Find an idle zombie, meaning that there should be no other traffic on the zombie that would disturb the IP ID
So, the question is: how do we find a good candidate zombie?

We can use Nmap to perform OS fingerprinting on potential candidate zombies. If we run this scan with verbose mode enabled, Nmap will tell us whether the IP ID sequence generation is incremental (the one we need). The command is as follows:

nmap -O -v [IP_ADDRESS]

The following snapshots show the results of the command [screenshot]. As we can see, Nmap tells us that the IP ID Sequence Generation is Incremental; thus, this is a good zombie. (The ipidseq NSE script, nmap --script ipidseq, performs the same check without a full OS fingerprint.)
Before seeing the attack in detail, let's take a look at the steps required to mount it:
1. Probe the zombie's IP ID and record its value.
2. Forge a SYN packet with the source address of the zombie and send it to the port of our target host. Depending on how the target reacts, it may or may not cause the zombie's IP ID to be incremented.
3. Probe the zombie's IP ID again; depending on the new value, we can infer whether the target port is open or closed.


Let's now take a look at all the tasks that we (the attackers) have to perform once we discover a zombie:
1. Probe the zombie's IP ID by sending a SYN/ACK to it.
2. Since the communication is not expected, the zombie sends back a RST carrying its current IP ID.
3. Forge a SYN packet (IP spoofing) with the zombie's source IP address and send it to the target we wish to scan. Once again, depending on the port status (open or closed), results may vary.

Let's see what happens if the port on our target is open:
4. The target sends a SYN/ACK back to the zombie.
5. The zombie does not expect it; therefore it sends a RST back to the target, incrementing its IP ID.
6. The attacker probes the zombie's IP ID again.
7. The zombie sends back a RST. The attacker sees that the IP ID has incremented by 2 (from the initial probe).


The following summarizes the idle scan steps:

Attacker                         Zombie                          Target
   | --- SYN/ACK ------------------> |                               |
   | <-- RST (IP ID = 100) --------- |                               |
   | --- SYN, src IP = Zombie -------------------------------------> |
   |                                 | <-- SYN/ACK ----------------- |
   |                                 | --- RST (IP ID = 101) ------> |
   | --- SYN/ACK ------------------> |                               |
   | <-- RST (IP ID = 102) --------- |                               |

OPEN port: the IP ID increments by 2


Let's see what happens if the port on the target is closed:
4. The target sends a RST back to the zombie, and the zombie simply ignores it, leaving its IP ID intact.
5. The attacker probes the zombie's IP ID again.
6. The zombie sends back a RST and the attacker sees that the IP ID has incremented by only 1.

Note that a filtered port gives the same result: if a firewall drops the spoofed SYN, the zombie receives nothing and its IP ID also increments by only 1. The idle scan therefore cannot tell closed and filtered ports apart, and Nmap reports them as closed|filtered.


The following summarizes the idle scan steps:

Attacker                         Zombie                          Target
   | --- SYN/ACK ------------------> |                               |
   | <-- RST (IP ID = 100) --------- |                               |
   | --- SYN, src IP = Zombie -------------------------------------> |
   |                                 | <-- RST --------------------- |  (ignored)
   | --- SYN/ACK ------------------> |                               |
   | <-- RST (IP ID = 101) --------- |                               |

CLOSED port: the IP ID increments by 1
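The following is an added example, not part of the course and not Nmap's implementation: a small simulation of the three parties above (attacker, zombie, target) in which the zombie's stack keeps a global incremental IP ID and answers an unsolicited SYN/ACK with a RST, exactly as the diagrams describe. It runs the probe/spoof/probe sequence for an open, a closed and a filtered port, includes the "is the zombie really idle?" check, and shows what happens when the zombie is busy. Addresses come from the slides; the attacker address, the ports and the starting IP ID are assumptions. No packets are sent.

```python
class Zombie:
    """Idle host whose IP stack uses a single global counter for the IP ID field."""

    def __init__(self, ip, ip_id=100, noise=0):
        self.ip, self.ip_id = ip, ip_id
        self.noise = noise   # packets the zombie sends to other hosts between our probes (0 = truly idle)

    def receive(self, pkt):
        self.ip_id = (self.ip_id + self.noise) & 0xFFFF   # unrelated traffic also consumes IP IDs
        if pkt["flags"] == "SA":
            # RFC 793: a SYN/ACK that matches no connection is answered with a RST.
            reply = {"src": self.ip, "dst": pkt["src"], "flags": "R", "ip_id": self.ip_id}
            self.ip_id = (self.ip_id + 1) & 0xFFFF   # every packet sent consumes one IP ID
            return reply
        return None   # an unexpected RST is silently dropped: no packet sent, no increment


class Target:
    """Scanned host: open ports answer SYN with SYN/ACK, closed ones with RST, filtered ones not at all."""

    def __init__(self, ip, open_ports=(), filtered_ports=()):
        self.ip, self.open_ports, self.filtered_ports = ip, set(open_ports), set(filtered_ports)

    def receive(self, pkt):
        if pkt["flags"] != "S" or pkt["dport"] in self.filtered_ports:
            return None
        flags = "SA" if pkt["dport"] in self.open_ports else "R"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags}


class Network:
    """Delivers a packet and follows the chain of replies; only replies addressed to the attacker come back."""

    def __init__(self, attacker_ip, hosts):
        self.attacker_ip = attacker_ip
        self.hosts = {h.ip: h for h in hosts}

    def send(self, pkt):
        while pkt is not None:
            if pkt["dst"] == self.attacker_ip:
                return pkt
            host = self.hosts.get(pkt["dst"])
            pkt = host.receive(pkt) if host else None
        return None


def probe_ip_id(net, zombie_ip, zombie_port):
    """Steps 1 and 3: an unsolicited SYN/ACK makes the zombie reveal its current IP ID in a RST."""
    reply = net.send({"src": net.attacker_ip, "dst": zombie_ip, "dport": zombie_port, "flags": "SA"})
    return reply["ip_id"]


def zombie_is_usable(net, zombie_ip, zombie_port, probes=5):
    """Same idea as Nmap's ipidseq check: consecutive probes must differ by exactly 1."""
    ids = [probe_ip_id(net, zombie_ip, zombie_port) for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(net, zombie_ip, zombie_port, target_ip, port):
    before = probe_ip_id(net, zombie_ip, zombie_port)
    # Step 2: spoofed SYN; whatever the target answers goes to the zombie, never to us.
    net.send({"src": zombie_ip, "dst": target_ip, "dport": port, "flags": "S"})
    after = probe_ip_id(net, zombie_ip, zombie_port)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"   # the zombie talked to someone else in between: not idle, result unreliable


# Constructed lab: zombie and target addresses from the slides, everything else assumed.
ATTACKER, ZOMBIE, TARGET = "10.50.97.100", "10.50.97.10", "10.50.96.110"


def build_lab(noise=0):
    return Network(ATTACKER, [Zombie(ZOMBIE, ip_id=100, noise=noise),
                              Target(TARGET, open_ports={135, 445}, filtered_ports={23})])


if __name__ == "__main__":
    lab = build_lab()
    print("zombie usable:", zombie_is_usable(lab, ZOMBIE, 135))
    for p in (135, 80, 23):
        print("port %d: %s" % (p, idle_scan_port(lab, ZOMBIE, 135, TARGET, p)))
    print("busy zombie, port 80:", idle_scan_port(build_lab(noise=3), ZOMBIE, 135, TARGET, 80))
```

The "unknown" branch is the important one in practice: any traffic the zombie exchanges with third parties between the two probes shifts the IP ID and makes a closed port look open (or worse). Nmap defends against this by probing several times and retrying ports whose results are inconsistent, which is why idle scans are slow.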


Now that we know how this technique works, let us see how to run it by using Nmap with the -sI option. We need to use an open port on the zombie, which in our case is port 135:

nmap -Pn -sI 10.50.97.10:135 10.50.96.110 -v

• 10.50.97.10:135 is the zombie IP and port
• 10.50.96.110 is the target we wish to scan
• -Pn skips host discovery, so that no ping probes are sent to the target from our own IP
• -v sets the Nmap verbosity


Notice that, in the previous command, we did not specify a port to scan; therefore Nmap will use the default ports. If we want to scan a single port, a set of ports or all the ports, we can use the port specification options. For example, if we want to scan only port 23 we will use the following command:

nmap -Pn -sI -p23 10.50.97.10:135 10.50.96.110 -v

If we want to scan all the ports (from 1 to 65535) we will use the following:

nmap -Pn -sI -p- 10.50.97.10:135 10.50.96.110 -v

We are able to scan the target host without sending a single packet to it from our original IP address. The following is the result of our command [screenshot]:

nmap -Pn -sI 10.50.97.10:135 10.50.96.110 -v


Indeed, if we inspect the traffic with Wireshark, we will not see any communication between the target host and our original IP address. This is a very stealthy method: from the target's point of view the scan came from the zombie, and that is the address that will appear in its logs.

Note
You can see a detailed list of every packet sent and received by Nmap by using the --packet-trace option.
If you want to dig deeper in the details about how to both use
Nmap to perform idle scans and, how this technology is
implemented, then you should study the Nmap
documentation at the following link:
http://nmap.org/book/idlescan.html.



These scans are a little tricky. They exploit a loophole in the TCP RFC (RFC 793, page 65) in order to differentiate between open and closed ports.

We must keep in mind that a TCP packet can be tagged with six different flags: Synchronize (SYN), Finish (FIN), Acknowledgement (ACK), Push (PSH), Reset (RST), and Urgent (URG).


Basically, the TCP RFC states that if a destination port is closed, an incoming segment not containing a Reset (RST) causes a Reset (RST) to be sent in response.

The RFC goes on to state that segments sent to open ports without the SYN, RST, or ACK bits set should be dropped ("drop the segment, and return", in the RFC's words), i.e. no response is sent at all.


As a result, if a system compliant with the TCP RFC receives a packet that does not contain any of the bits it acts on (SYN, RST, ACK), it will return:
• a RST if the port is closed
• no response if the port is open.

Moreover, as long as none of those three bits is included (SYN, RST, ACK), any combination of the other bits (FIN, PSH, URG) is acceptable.


Nmap implements different scans to take advantage of this loophole:
• Null scan (-sN): does not set any bits (the TCP flags field is 0)
• FIN scan (-sF): sets only the TCP FIN bit
• Xmas scan (-sX): sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree


At one time we could have considered these types of scans as a means to bypass firewall and packet filtering rules; however, with the proliferation of stateful firewalls and of IDS sensors tuned to look for exactly this behavior, the stealth of these techniques has largely been eliminated.


Keep in mind that many major operating systems (e.g. Microsoft Windows, Cisco IOS, IBM OS/400, and some Unix-based systems) send a Reset in response to these probes regardless of whether the port is actually open, so every port appears closed.

In addition, you should be aware that these scans cannot distinguish an open port from a filtered one, since both produce no response. Nmap will therefore return open|filtered and you will have to test further (for example with a SYN scan or version detection) to determine the actual state.


This type of scan differs from the scans seen thus far in that it is not used to determine open ports. Instead, it is used to map out the rulesets of firewalls: to determine whether a firewall is stateful and which ports are filtered.


In this particular scan, the ACK bit is the only one set. When
scanning unfiltered systems, both open and closed ports will
return a RST packet and Nmap will mark them as unfiltered.
Ports that do not respond will then be labeled as filtered.
Let us inspect how this works by analyzing the traffic with
Wireshark.
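To make the flag logic and the resulting Nmap port states concrete, here is an added example (not part of the course material) that classifies constructed TCP probe records by their flag combination, predicts the RFC 793 response of an unfiltered host, maps that to the Nmap label (including open|filtered), and, from the defender's side, flags sources sending inverse-flag probes; all hosts, ports and packets are constructed.

```python
"""Classify TCP probes by flag combination (Null, FIN, Xmas, ACK, SYN) and
predict the response of an unfiltered host, as the slides describe.
Added example, not part of the course; packet records are constructed."""

from dataclasses import dataclass

# TCP flag bits as laid out in the flags field of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    dport: int
    flags: int


def probe_kind(flags: int) -> str:
    """Name the scan type a flag combination corresponds to."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == ACK:
        return "ack"
    if flags & SYN and not flags & ACK:
        return "syn"
    if flags & (SYN | RST | ACK) == 0:
        return "inverse"   # any other FIN/PSH/URG mix, same loophole
    return "other"


def expected_response(kind: str, port_open: bool) -> str:
    """RFC 793 behaviour of an unfiltered, compliant stack. (The slides note
    that Windows, Cisco IOS, OS/400 and some Unix stacks send RST regardless
    of port state, so inverse scans are unreliable against them.)"""
    if kind == "ack":
        return "RST"            # RST for open and closed ports alike
    if kind in ("null", "fin", "xmas", "inverse"):
        return "none" if port_open else "RST"
    if kind == "syn":
        return "SYN/ACK" if port_open else "RST"
    return "unknown"


def nmap_state(kind: str, response: str) -> str:
    """How Nmap labels the port from the observed response."""
    if kind == "ack":
        return "unfiltered" if response == "RST" else "filtered"
    if kind in ("null", "fin", "xmas", "inverse"):
        if response == "RST":
            return "closed"
        if response == "none":
            return "open|filtered"  # silence: cannot tell open from filtered
        return "filtered"           # e.g. an ICMP unreachable came back
    if kind == "syn":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    return "unknown"


def detect_inverse_scans(probes, threshold=3):
    """Defender view: count Null/FIN/Xmas probes per source address and
    return the sources at or above the threshold (what an IDS rule does)."""
    counts = {}
    for p in probes:
        if probe_kind(p.flags) in ("null", "fin", "xmas", "inverse"):
            counts[p.src] = counts.get(p.src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample: one source sending inverse probes, one normal client.
SAMPLE = [
    Probe("10.0.0.5", "10.0.0.20", 22, 0),
    Probe("10.0.0.5", "10.0.0.20", 80, FIN),
    Probe("10.0.0.5", "10.0.0.20", 443, FIN | PSH | URG),
    Probe("10.0.0.7", "10.0.0.20", 80, SYN),
    Probe("10.0.0.7", "10.0.0.20", 80, ACK),
]

if __name__ == "__main__":
    for p in SAMPLE:
        k = probe_kind(p.flags)
        print(p.src, p.dport, k, nmap_state(k, expected_response(k, True)))
    print("inverse-scan sources:", detect_inverse_scans(SAMPLE))
```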



In the following test, we run the scan while the firewall on the
target machine is up and running.
nmap -sA 192.168.0.14 -p445

As we can see, Nmap marks port 445 as filtered.



If we inspect the traffic with Wireshark, we can see that the
target host does not reply to our packet.



Let us now disable the firewall and scan the host once again.
nmap -sA 192.168.0.14 -p445

As expected, Nmap now reports the port as unfiltered.



If we inspect the communications, we can see that now the
target host replies with a RST packet; thus Nmap is able to
detect that no firewall is in place.



This scan cannot really be considered a port scanning
technique (even though the values to probe are still specified
in the command as if they were ports), as it actually just
enumerates the IP protocols that a target system supports.
It is similar to a UDP scan; however, instead of walking
through the port number field of a UDP packet, it walks
through the eight-bit IP protocol field.



Rather than watching for ICMP port unreachable messages,
protocol scans are on the lookout for ICMP protocol
unreachable messages.
If Nmap receives any response in any protocol from the target
host, Nmap marks that protocol as open.



The scan techniques used thus far will return a great deal of
information and, as you already know, you should always
keep track of these discoveries.
Nmap offers a few options to output the results in different
types and formats, making it much easier to use for
documentation purposes. This will allow us to either inspect
our output at a later time or import it into tools such as
Dradis, Nessus, Faraday, Metasploit and so on.



The following is a snippet of the possible output options:
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt
kIddi3,and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater
effect)
-d: Increase debugging level (use -dd or more for greater
effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)



The most used output options are as follows:
• Normal output: -oN
• The normal output will be stored into a file
• XML output: -oX
• Creates an XML output that can be easily parsed by various tools.
• Grepable output: -oG
• Although deprecated (replaced by XML), it is still popular. This output lists
each host on one line and can be easily used to search and parse with Unix
tools such as grep, awk, cut, etc.
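As an added example, not from the course or the Nmap project, the following Python parses grepable (-oG) output into structured host and port records, the kind of parsing the slides mention doing with grep, awk and cut; the .gnmap text is constructed, with placeholder addresses, in the documented one-host-per-line format.

```python
"""Parser for Nmap grepable (-oG) output. Added example, not course or Nmap
code. Format assumed: one host per line, tab-separated fields, ports listed as
port/state/protocol/owner/service/rpcinfo/version/ separated by ', '."""

import re
from dataclasses import dataclass, field


@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    status: str = ""
    ports: list = field(default_factory=list)


HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text: str) -> dict:
    """Return {ip: Host}, merging the 'Status' and 'Ports' lines of each host."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue   # '# Nmap ...' comment lines carry no host data
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip, name))
        for field_text in line.split("\t")[1:]:
            key, _, value = field_text.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 7:
                        continue   # malformed entry: skip rather than crash
                    host.ports.append(
                        Port(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def open_ports(hosts: dict, service=None):
    """Structured 'grep open': (ip, port, service) for every open port,
    optionally limited to one service name."""
    out = []
    for h in hosts.values():
        for p in h.ports:
            if p.state == "open" and (service is None or p.service == service):
                out.append((h.ip, p.number, p.service))
    return out


# Constructed sample output; addresses and hostnames are placeholders.
SAMPLE_GNMAP = (
    "# Nmap 7.01 scan initiated as: nmap -sS -sV -oG out.gnmap 192.168.0.0/28\n"
    "Host: 192.168.0.14 ()\tStatus: Up\n"
    "Host: 192.168.0.14 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.7p1 Debian 5/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "Host: 192.168.0.25 (fileserver)\tStatus: Up\n"
    "Host: 192.168.0.25 (fileserver)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///\tIgnored State: closed (998)\n"
    "# Nmap done -- 16 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

if __name__ == "__main__":
    for ip, port, svc in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}:{port} {svc}")
```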



Even though the Nmap command line is the preferred
interface, the suite also includes an advanced GUI called
Zenmap.
It is very easy to use and it offers the same features as the
command line version. We will not cover the GUI version
during the course; however, if you prefer it, you are welcome
to use it instead.



Now that we have a good overview of the Nmap scan
techniques, let us see a video that goes deeper into details of
this tool and its functionality.



The next Nmap feature that we want to introduce is NSE:
the Nmap Scripting Engine.
The Nmap Scripting Engine (NSE) is one of Nmap's most
powerful and flexible features. It allows users to write (and
share) simple scripts to automate a wide variety of
networking tasks.
Let us see a video about NSE.



We have already given a brief introduction to hping, so we will
begin by reviewing the tool. Although hping can be used to
perform various port scanning techniques, in the coming
slides we are going to focus on how to use it to perform an
idle scan.
Because it has both a flexible configuration and useful output,
it will be extremely helpful in understanding all the details of
how an idle scan works.
As you probably remember, the first step when running an
idle scan is finding a good zombie host.
In order to estimate the host (zombie) traffic with hping, we
use the following command:
hping3 -S -r -p [port] [IP_Address]

The -r option allows us to see the relative ID field; therefore,
if the IP ID increases by one, it can be considered a viable
candidate. We can never be 100% sure because:
• We have to validate if it is a global or local increase
• Some hosts increase the IP ID on a per-host basis



Before running the command in the previous slide, we need
to find an open port on the host. To do this we can either use
Nmap or the following hping command.
In this case the target host has two open ports: 21 and 135.



Now that we know there is at least one open port, we can
detect if the host is a good zombie by running the following
command:
hping3 -S -r -p 135 10.50.97.10

Let’s look at the command options:
• -r tells the tool to display ID increments instead of the
actual ID.
• -p sets the destination port, which in our case is 135


Let’s execute the command and see what happens.

[Screenshot: hping3 output; the Relative ID column shows +1
on every reply, likely a good candidate]

The ID increments by 1, meaning that the host does not send
or receive other communications, thus making it a possible
zombie candidate.
Once we find a good zombie, we can use hping to craft
packets that will be sent to the target host we want to scan.
Note that these packets must have the source IP address of
our zombie.
Moreover, while we send out these packets, we will also have
to monitor if the zombie ID increments.
The following slides will show the two commands to run.



This first command tells hping to craft a packet with the
following configuration:
hping3 -a [ZombieIP] -S -p [TargetPort] [TargetIPaddress]

• The source IP address is specified after the option -a
(spoof the zombie source address)
• The packet will have the SYN flag enabled (-S)
• The destination port of the packet is specified with -p
• The target to scan is at the end of the command
To monitor the zombie ID, we need to keep running the
command we used to check whether it is a good zombie:
hping3 -S -r -p 135 10.50.97.10

If in the output the ID increment is +2, we can deduce that
the [TargetPort] on [TargetIPaddress] is open.
Let’s run the two commands and see what happens. The
target IP address will be 10.50.96.110 while the port we want
to check is 23.
As we can see in the first terminal (top left), as soon as we
start sending crafted packets to our target, the ID increments
by 2, meaning that port 23 on 10.50.96.110 is open.
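The two rules the slides rely on (+1 per probe while the zombie is idle, +2 per probe while the target port answers the zombie) can be written as a small analysis of the relative IP IDs that hping3 -r prints. This is an added example, not part of the course; the ID sequences are constructed, and it handles the 16-bit wraparound of the ID field.

```python
"""Interpret IP ID values observed from a zombie host, following the idle
scan logic in the slides. Added example, not course material; every ID
sequence below is constructed."""


def relative_ids(ids):
    """Increments between consecutive raw 16-bit IP IDs, with wraparound,
    i.e. what hping3 -r prints after the first packet."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def zombie_candidate(ids, min_probes=5):
    """True when every increment is exactly 1: the host is quiet and uses a
    single incrementing counter. A per-host counter looks identical from one
    vantage point, which is why the slides say we can never be 100% sure."""
    deltas = relative_ids(ids)
    return len(deltas) >= min_probes - 1 and all(d == 1 for d in deltas)


def infer_port_state(ids_during_probe):
    """Classify the zombie's counter while spoofed SYNs are in flight:
    +1 per probe: the zombie sent nothing extra (target port closed, or the
    probe was filtered); +2 per probe: the zombie also answered the target's
    SYN/ACK with a RST (target port open); anything else: the zombie is busy
    and the result is unreliable."""
    deltas = relative_ids(ids_during_probe)
    if not deltas:
        return "insufficient"
    if all(d == 1 for d in deltas):
        return "closed|filtered"
    if all(d == 2 for d in deltas):
        return "open"
    return "noisy"


# Constructed samples: a quiet zombie whose counter wraps at 65535, the same
# zombie while the target's port is open, and a busy host unusable as zombie.
QUIET = [65533, 65534, 65535, 0, 1, 2]
DURING_OPEN = [100, 102, 104, 106, 108]
BUSY = [200, 201, 207, 208, 215]

if __name__ == "__main__":
    print("quiet host is a candidate:", zombie_candidate(QUIET))     # True
    print("state while probing:", infer_port_state(DURING_OPEN))     # open
    print("busy host is a candidate:", zombie_candidate(BUSY))       # False
```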

Let us now see a video that explains the steps used in order
to run this scanning technique.
Although Nmap is the most popular tool for both network
discovery and security auditing, there are many other tools
freely available online that are very similar:
• Angry IP Scanner (Linux, Windows, Mac OS X)
• Masscan (Linux, Mac OS X, Windows)
• SuperScan (Windows)
We will not study these tools during this course; however, we
do encourage you to try them in Hera Lab in order to see
both how they work and what features they offer.
During the previous phases of the assessment, we should
have gathered a list not only of live hosts (in the target
network) but also of the open and closed ports
for each host.
The next step is to identify which services are running on
these ports. This is a very important step simply because it
allows us to narrow down our attack surface. It gives us the
last bit of information necessary to begin researching
potential exploits on the target systems.
There are different techniques that tools like Nmap use to
identify a service running on a specific port. The easiest way
to do this is a process known as banner grabbing.
The term banner refers to the message that the service,
running on the target host, sends back when another host
tries to establish a connection to it. Many banners contain
information such as the current version of the service
(commonly default settings).



To “grab” the banner, we can use tools like telnet, netcat or
ncat. These tools can be used to read and write data across
networks. In other words, they allow us to establish a
connection between two hosts, exchange files, attach and
execute applications and much more.
For now, let us see an example of how banner grabbing
works. We will attempt to establish a connection to port 22
on the host 192.168.0.25.



You should already have familiarized yourself with the fact
that SSH usually runs on port 22; however, for our example,
we do not know the exact version of SSH running on the
target host, which forces us to use the technique.
As a side note, many techniques have a downside. The
downside of the banner grabbing technique is that if the
network administrator edits the default banner, we will get a
fake response. Do not worry, we will see more accurate
techniques in the coming slides.
Let us now run one of the following commands:
ncat
ncat 192.168.0.25 22

netcat
nc 192.168.0.25 22

telnet
telnet 192.168.0.25 22

The string SSH-2.0-OpenSSH_6.7p1 Debian-5 is the banner.
As you can see, by simply establishing the connection with
the remote service, we are able to gather very useful
information and detect the exact version of the service.
This method works for many services; however, you should be
aware that each service and protocol works differently.
For example, if we try the banner grabbing technique on an
HTTP server, we will not receive an answer until we send the
server some data. You will see this in the Web App Pentesting
section.
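As an added example (not part of the course), here is a parser for the SSH identification string grabbed above, following RFC 4253 section 4.2 (SSH-protoversion-softwareversion SP comments CR LF); it treats the banner as untrusted input, since, as noted, an administrator can edit it and the version it claims is only a hint. The sample bytes are constructed.

```python
"""Parse the SSH server identification string (the banner the slides grab
with ncat/nc/telnet). Added example, not course code; it validates the line
the way a cautious client should, because the banner is attacker/admin
controlled text. Sample bytes are constructed."""

import re
from typing import Optional

BANNER_RE = re.compile(r"^SSH-(\d\.\d+)-([^\s]+)(?: (.*))?$")
MAX_LINE = 255   # RFC 4253: identification string at most 255 chars incl. CRLF


def parse_ssh_banner(raw: bytes) -> Optional[dict]:
    """Return {'protoversion', 'software', 'comments'} for the first line that
    is an SSH identification string, or None. Servers may send other lines
    first (RFC 4253 allows it), so those are skipped; an over-long or
    non-ASCII line is rejected instead of being trusted."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if len(line) + 2 > MAX_LINE:
            return None
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            continue
        if not text.isprintable():
            continue
        m = BANNER_RE.match(text)
        if m:
            return {"protoversion": m.group(1), "software": m.group(2),
                    "comments": m.group(3) or ""}
    return None


def software_version(banner: dict):
    """Split 'OpenSSH_6.7p1' into ('OpenSSH', '6.7p1'). Returns None when the
    software field carries no version, e.g. a generic banner an admin set,
    which is exactly the case where banner grabbing tells us nothing."""
    name, sep, ver = banner["software"].partition("_")
    if not sep or not ver[:1].isdigit():
        return None
    return name, ver


# Constructed samples as a client would read them right after connecting.
SAMPLE = b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"
SAMPLE_WITH_PREAMBLE = b"Authorized access only\r\nSSH-2.0-dropbear\r\n"

if __name__ == "__main__":
    b = parse_ssh_banner(SAMPLE)
    print(b, software_version(b))
```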
Now that you know how banner grabbing works, you can see
that we cannot rely on this information alone. We must
leverage increasingly more accurate techniques to detect the
exact version of the services running on the remote host.
To do this we can use tools such as Nmap and its service
detection features. This operates differently from the banner
grabbing technique seen above. Nmap probes the remote services,
parses the responses, and then attempts to verify if there is a
match within its signature database to the parsed data.
By querying the services and analyzing the responses, Nmap
is able to determine the service protocol, the application name,
the version number, the hostname, and much more.
Let us see now how the Nmap service detection feature
works. The command to run is very simple:

nmap -sV [options] [TargetIP]



Let us try to run the previous command on our target host
(10.6.12.148) and see what the output looks like:



As you can see in the previous output, Nmap is able to
identify different services running on the remote machine.
Also notice that, since we did not specify any other option,
Nmap first checks whether the host is alive, runs a port scan
and then executes service detection on the ports found.
Moreover, the service detection scan works similarly to the
other scan techniques; therefore, we can use port options,
output options, timing options and so on.



For example, if we want to instruct Nmap to run on a specific
port, we can use the -p option; if we also want to increase
the output verbosity we can add -v. Also notice that service
detection has some specific options too:

SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: 0 (light) 9 (all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity



Once we identify the services running on the remote host, we
can move on and start the OS detection phase.
There are two types of OS fingerprinting: active and passive.
• Passive OS fingerprinting: identifies the remote operating
system with packets that are received, without sending any
packets. For example: analyzing traffic that we have already
captured.
• Active OS fingerprinting: sends packets and waits for a
response (or lack of one). Active OS fingerprinting sometimes
sends unexpected packets, because different implementations
respond differently to such errors.


TCP/IP fingerprinting, also known as either TCP stack
fingerprinting or OS fingerprinting, is the process of
determining the identity of the target operating system.
TCP fingerprinting works by sending TCP packets to one or
more ports on the target and then analyzing how the host
TCP stack responds.



Many of the specifications for TCP/IP are left open to
interpretation. Each vendor implements the TCP/IP stack a bit
differently, creating a unique identifier / fingerprint.
Nmap compares the results it obtains to its internal database
of OS fingerprints and, if there is a match, prints out the
detected OS.
A detailed list of the techniques used by Nmap, and an
article that briefly explains these fingerprinting
methodologies, are among the references at the end of this
module (Nmap: OS Detection, Fingerprinting Methodologies).
Let’s now see how the OS fingerprint works with Nmap. The
command to enable OS detection is -O. Like many other
Nmap features, -O can be combined with other options,
providing the pen tester a more complete scan result.
In our case we will run the scan against a single target. Our
command will be as follows:
nmap -O -n 10.6.12.146



From the results below, we can see that Nmap identified the
OS as Linux 3.7 - 3.18. As you can imagine, this information
will be very useful later on during our exploitation phase.



It is important to know that, at times, Nmap does not return
a result that is 100% accurate (for example if a firewall blocks
the communications and alters the results in the process). In
these cases, Nmap will return a list of all the possible OSes:
nmap -O -n 10.6.12.148


If we do not obtain a match from the -O flag, we can still rely
on Nmap scripts. Most of the time, services and OS features
reveal important information that can assist us in “guessing”
the OS on the remote machine.
In order to retrieve all the necessary information, let’s try to
run Nmap with the -A option. This option enables OS
detection, version detection, script scanning and traceroute.
Please know that this is a very noisy scan and will likely trip a
multitude of alerts.
As we can see, thanks to the smb-os-discovery script, we
obtain the correct version of the OS running on the remote
host: Windows 7 Professional SP1.
nmap -A -n 10.6.12.148


As you have seen, tools like Nmap are able to both identify
and fingerprint the target machine operating system.
This is a very important step as it will allow us to create and
focus our attacks during the next phases.



OS Fingerprinting and Port Scanning
Create a VPN Tunnel using your Hera Lab from our Members
Area. Perform port scanning, service detection, OS
fingerprinting and much more.
Many of the techniques studied thus far could be detected
and blocked by either firewalls or IDSs on the target
network.
This causes two main issues:
• Becoming exposed
• Obtaining incorrect results



During the host discovery and scan phase, a number of
Firewall/IDS evasion techniques must be applied if stealth is a
requirement.
Tools like Nmap offer options that can be used for this
purpose; however, it is important to know that subverting IDS
and firewall systems takes both skill and experience.
In the coming slides we will see some of these techniques:
• Fragmentation
• Decoys
• Timing
• Source ports


The concept of fragmentation is quite simple: it is the process
of splitting a single packet into smaller ones. This can disable
the ability of some firewall and IDS systems to either apply
their packet filtering rules or to process all the fragments. In
other words, they may inspect the single fragment but not
the whole packet.



A word of caution in this regard: modern IDSs are able to
rebuild fragmented packets, often rendering this technique
ineffective.
In order to run the fragmentation technique with Nmap we
have to use the -f option. The command will then be similar
to the following:
nmap -sS -f [TargetIP]

-sS executes a SYN scan and -f tells it to fragment packets.



Note that the fragmentation option does not work with every
type of scan. For example, it does not work with these:
• -sT (TCP connect() scan)
• -sV (Version Detection)
Notice that instead of using -f, we can use --mtu to specify
a custom fragment size (MTU). It is important to know that
this value must be a multiple of eight.



To be sure that we are using fragmentation, we can use
packet analyzer tools (Wireshark…) to inspect the traffic:
[Screenshot: Wireshark capture without fragmentation]

[Screenshot: Wireshark capture with fragmentation]


Although the traffic is different, the results that we will obtain
are the same:



The aim of using decoys is to add noise to the IDS by sending
scans from spoofed IP addresses. As a result, a list of forged
IPs (decoys) will appear on the IDS, along with the real
attacker IP. This confuses the analysts watching the system,
making it harder to identify the actual attacker.


In order to work, a decoy attack requires the following:
1. All decoys are up and running (otherwise it’s easy to
determine the real attacker’s IP),
2. The real IP address should appear in a random position
among the decoys to the IDS (otherwise it is easy to infer the
real attacker’s IP),
3. ISPs traversed by spoofed traffic let the traffic go through.


Using this technique, your IP will appear in the IDS alert list;
however, it will be among all the decoy IP addresses. Because
of this, it will be more difficult to determine the actual system
that initiated the real scan.
We can execute this scan with Nmap using the option -D (no
spaces before or after the commas):
nmap -sS -D [DecoyIP#1],[DecoyIP#2],[DecoyIP#3],ME [target]

nmap -sS -D 192.168.1.1,ME,192.168.1.23 [target]


In the example on the previous slide, the ME keyword is used
to define the position of our real IP address among the
decoys. If you do not specify ME, Nmap will put your IP in a
random position.
You cannot use the decoy attack with -sT and -sV scans
(these use a full connect scan).


The following snapshot shows the traffic when we run the
command (our IP is 172.16.5.50):
nmap -sS -D 172.16.5.1,172.16.5.105,172.16.5.110,172.16.5.115,ME 10.50.97.1



In contrast to fragmentation, the timing attack does not
modify the way the packet is forged. The only purpose here is
to slow down the scan in order to blend in with other traffic in
the logs of the Firewall/IDS.
You can define the interval between two scan probes, thus
decreasing the chances of being noticed.


These options are not listed in the Firewall/IDS evasion and
spoofing section of the help manual; instead, they are listed
in the timing and performance section.
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>
--max-retries <tries>: Caps number of port scan probe retransmissions.
...



To perform a timing scan with Nmap we can use the -T
option in this way:
nmap -sS -T<0-5> [target]

The following table explains the differences between the
timing options:
Option  Template    Time between probes
-T0     Paranoid    5 min
-T1     Sneaky      15 sec
-T2     Polite      0.4 sec
-T3     Normal      default
-T4     Aggressive  10 millisec
-T5     Insane      5 millisec


The following screenshot shows what happens when we set
the -T1 option. As you can see below, the packets are sent
every 15 seconds:
nmap -sS 10.50.97.5 -T1



As is common with Nmap, timing flags can be used together
with other Nmap options. Let’s tweak the previous command
a bit and now run:
nmap -sS 10.50.97.5 -T2 -p 22,23,135,443,444,445 --max-retries 1

where:
• -T2 tells Nmap to send the probes every 0.4 sec
• --max-retries 1 tells Nmap to resend the probe only
one time (if the host does not respond)
• -p can be used to scan only specific ports
The following screenshot shows the traffic sent. As you can
see, the probes are sent every 0.4 seconds. Moreover, if the
host does not respond, Nmap tries the probe once more.

[Screenshot: Wireshark capture; callouts mark the 0.4 s timing
and the probe repeated once when the host does not respond]


This method is also very simple. It can be used to abuse
poorly configured firewalls that allow traffic coming from
certain ports.
For example, a firewall may allow only the traffic coming from
specific ports, such as 53 (DNS replies) or 20 (active FTP). We
can then simply change our source port in order to bypass
this restriction.



Once again, Nmap allows us to fix the source port during
scans like -sS and -sU. To use this feature, we can simply
leverage one of the following two options:
• --source-port [portnumber]
• -g [portnumber]
With the following command we run a TCP SYN scan and all
the communications will be sent from port 53:
nmap -sS --source-port 53 [target]


Let’s try to run the command and verify the network traffic.
As you can see in the following screenshot, the entire scan
runs from port 80 of our machine.
nmap -g 80 -sS 10.50.97.0/24


As stated before, this can be useful for bypassing both
misconfigured firewalls and IDS systems that allow
communications from specific ports. In the next example, we
see that, when running the scan with the source port set to
53, we are able to detect an open port on the remote host.



These are just a few of the techniques that an attacker can
use to evade Firewall/IDS detection.
If you wish to go deeper into the details of Firewall/IDS
evasion, or if you want to learn more about Nmap options,
please refer to the online Nmap manual (see the references
at the end of this module).
To conclude this module, let us see a video that will explain
more advanced features that Nmap and Hping offer.


• IP Layer
• Network Admin with Linux
• Port number
• Packet Analysis
• TCP/IP Tutorial
• Reference Guide
• Hping
• Nping
• Nmap
• Nmap: Scanning techniques
• Fragmentation ID
• Nmap Idlescan
• TCP RFC
• Zenmap
• AngryIPScanner
• Masscan
• SuperScan
• Telnet
• Netcat
• Ncat
• Nmap: Service Detection
• Nmap: OS Detection
• Fingerprinting Methodologies
• OS Detection Techniques
• Nmap: Bypass Firewall and IDS

• Wireshark Introduction
• Hping Basics
• Nmap Basics
• Nmap NSE
• Idle Scan with Hping and Nmap
• Advanced Port Scanning with Nmap and Hping

Scanning
Use scanning techniques and tools to
detect machines, ports and services
in the lab environment.
