Cyber Security 6

Scanning
========

Objective: to find the alive hosts on the same network, the open ports on those hosts, the services running on those ports, and the vulnerabilities in those services.

Types of scanning:
1. Network scanning - which hosts are alive
2. Port scanning - which ports are open on those hosts
3. Vulnerability scanning - which vulnerabilities the exposed services have

Ports - Logical ports are the entry and exit points for services.
There are 65536 logical ports (0-65535).

Logical ports are divided into 3 categories:

1. Well-known ports (0 - 1023)       --> Used universally for well-known services and protocols
2. Registered ports (1024 - 49151)   --> Used by 3rd-party tools and applications
3. Dynamic ports (49152 - 65535)     --> Used as temporary client-side ports, e.g. for browser connections
Well-known port numbers : https://www.webopedia.com/reference/portnumbers/

Understanding the port status of our own machine:
-----------------------------------------------------------------------
Win/Linux : netstat (with no options we only see active connections: ESTABLISHED, CLOSE_WAIT, TIME_WAIT)

Windows:
To see all the connections                  : netstat -a
To see IP addresses instead of hostnames    : netstat -an
To see the process IDs as well              : netstat -ano

To terminate a process : taskkill /F /PID <no>

Graphical method : CurrPorts

Linux:
To see all the connections                  : netstat -a
To see IP addresses instead of hostnames    : netstat -an
To see the TCP connections only             : netstat -ant
To see the UDP connections as well          : netstat -antu
To see the process IDs as well              : netstat -pantu

Port statuses:

1. ESTABLISHED - Communication is established.
2. LISTENING - Our machine has the port open and is waiting for a connection.
3. TIME_WAIT - A session was established once and was later closed from OUR end.
4. CLOSE_WAIT - A session was established once but was later closed from the TARGET end.
5. SYN_SENT - A connection was initiated from our end (SYN sent) but the target has not yet accepted it.

TCP - Transmission Control Protocol - connection-oriented (acknowledgments are sent), error-checking, sequencing of data

UDP - User Datagram Protocol

Scanning Contd.
===============

NMAP

Transmission Control Protocol (TCP) - connection-oriented protocol with error-checking and sequencing; the extra overhead makes it slower for data transfer.

User Datagram Protocol (UDP) - connection-less, lightweight and faster protocol for transferring data.

TCP Flags:
1. SYN - Synchronize (used to initiate communication)
2. ACK - Acknowledgement (confirms to the sender that the previous segment was received)
3. URG - Urgent (to prioritize a packet)
4. PSH - Push (to push data out of the buffer without waiting)
5. FIN - Finish (to terminate a communication after it was established)
6. RST - Reset (to reject a connection attempt or abort a connection; a closed port answers a SYN with RST)


SYN Scan (Half-open, Stealth Scan)
1. Known as a half-open scan because the three-way handshake is never completed.
2. No connection is established.
3. Logs are not created on the target application.
4. NMAP and SuperScan4 use the SYN scan by default.
5. In the end a RST flag is sent.

TCP Scan (Full, Connect Scan)
1. Known as a connect scan because the final ACK completes the three-way handshake.
2. A connection is established.
3. A log entry is created on the target and the attacker's IP is present in it.
4. AngryIP and SuperScan3 use the TCP connect scan.
5. In the end an ACK flag is sent.
NMAP

By default nmap scans 1000 ports.

Syntax : nmap <scan_type> <options> <ip address / range of IP addresses / domain name>

Scan Types:
-sn : Ping scan (for network scanning)
-sT : TCP connect scan (for TCP ports)
-sS : SYN scan (for TCP ports)
-sU : UDP scan (for UDP ports)
-sA : ACK scan
-sF : FIN scan
-sX : XMAS scan
-sN : Null scan
-sV : Version scan (for service version details)

Options:
-O          : OS detection, gives the OS info of the target
-oN <file>  : Output file, stores the output in a file (normal format)
-F          : Fast scan, only 100 ports are scanned
-f          : Fragmentation
-p          : Ports to scan
-D          : Decoy (used to hide your IP among decoys when scanning)
-T          : Timing option
-v          : Verbose (detailed output of what is happening in the background)

Ctrl + C : To stop any ongoing scan.

-p- : To scan all 65535 ports (1-65535) at once.

Different port statuses in nmap
1. open - the port is open, a connection can be established to that listening port and the mentioned service runs on it
2. closed - the port is reachable but no service is listening on it
3. filtered - a firewall or packet filter is blocking nmap's probes, so nmap cannot tell whether a service is running behind it
4. unfiltered - the port is reachable (not blocked by a firewall) but nmap can't conclude whether it is open or closed (seen with the ACK scan)

-sn : To get the alive hosts in the same network
There are two ways to specify the whole network:
nmap -sn 192.168.1.0-255
nmap -sn 192.168.1.0/24
-sT : TCP connect scan : gives the list of all the open TCP ports
-sS : SYN scan : gives the list of all the open TCP ports
-sU : UDP scan : gives the list of all the open UDP ports
-sV : Version scan : gives the version details of the services running

ACK scan : The attacker sends a packet with only the ACK flag set to the target and waits for the response to check for a firewall.

FIN scan : Sends a packet with only the FIN flag set and checks the response.

Null scan : Sends a TCP packet with no flags set at all and checks the response to detect a firewall.

XMAS scan : Sends a packet with the FIN, PSH and URG flags all set (lit up like a Christmas tree).

Diagram from the notes: three-way handshake SYN -> SYN-ACK -> ACK, followed by the probe flag combinations FIN, FIN+PSH, FIN+PSH+URG.


These scan types (FIN, Null, XMAS) only work against targets that follow RFC 793 such as Linux; they won't work against Windows targets.
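The difference between the half-open SYN scan and the full connect scan, and the flag-based FIN/Null/XMAS probes, can be seen directly in captured flags. This is an added example (not from the course notes) that classifies a constructed packet list from a sensor's point of view: `SCANNER`, `TARGET` and the packets are made up for the demonstration.

```python
# TCP flag bits as laid out in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def probe_type(flags):
    """Name the probe style whose flag set a single inbound packet matches."""
    return {0: "NULL", FIN: "FIN", SYN: "SYN", ACK: "ACK",
            FIN | PSH | URG: "XMAS"}.get(flags, "other")

# Constructed sample traffic: (src, dst, scanned_port, flags), in arrival order.
# The scanned port keys both directions of a flow so replies can be matched.
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"
PACKETS = [
    # Half-open probe of 22: SYN, SYN-ACK back, then RST (no final ACK).
    (SCANNER, TARGET, 22, SYN), (TARGET, SCANNER, 22, SYN | ACK),
    (SCANNER, TARGET, 22, RST),
    # Full connect to 80: handshake completes, then a normal teardown.
    (SCANNER, TARGET, 80, SYN), (TARGET, SCANNER, 80, SYN | ACK),
    (SCANNER, TARGET, 80, ACK), (SCANNER, TARGET, 80, FIN | ACK),
    # Flag-manipulation probes: NULL and XMAS.
    (SCANNER, TARGET, 443, 0), (SCANNER, TARGET, 8080, FIN | PSH | URG),
]

def first_probe_types(packets):
    """Map each flow (client, server, port) to the probe type of its first
    packet, ignoring packets that are replies to a flow already seen."""
    seen = {}
    for src, dst, port, flags in packets:
        if (dst, src, port) in seen:      # reply to a known flow
            continue
        seen.setdefault((src, dst, port), probe_type(flags))
    return seen

def classify_handshakes(packets):
    """For every flow opened with a bare SYN: 'half-open' when the server sent
    SYN-ACK but the client never sent the completing ACK (the SYN scan pattern
    that leaves no application log), 'connect' when it did, else 'no-reply'."""
    state = {}
    for src, dst, port, flags in packets:
        key, reverse = (src, dst, port), (dst, src, port)
        if flags == SYN:
            state[key] = {"synack": False, "ack": False}
        elif flags == SYN | ACK and reverse in state:
            state[reverse]["synack"] = True
        elif flags & ACK and not flags & SYN and key in state:
            state[key]["ack"] = True
    return {k: ("connect" if v["ack"] else "half-open") if v["synack"] else "no-reply"
            for k, v in state.items()}
```

A network sensor sees the half-open flow even though the target's application never logged it, which is why SYN scans are "stealthy" only against host logs.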

NMAP by default scans the 1000 most common ports.

Use the -p option to specify our own ports to scan.

-T0 to -T5 : the lower the number, the slower the packets are sent; the higher, the faster.
By default nmap uses -T3.

Bypassing methods: special nmap options to get past a firewall, depending on its rule set.
-----------------------------
i.  Misconfiguration on the packet size
-f : the fragmentation option makes nmap split its probes into tiny IP fragments.
If we want to set a specific fragment size we use the --mtu option; the size must be a multiple of 8.
MTU = Maximum Transmission Unit
Ex : nmap --mtu 24 <ip/domain>

Or we can append random data to the probes with --data-length <no>
Ex:
nmap --data-length 25 <target>

ii. Misconfiguration on the source IP of the packet
Using the decoy option, the scan is sent alongside packets with spoofed source IPs so the firewall cannot tell where the scan is really coming from.
Ex: nmap -D IP1,IP2,IP3 <target>

OR

We can use the -S option to set the source address.
Ex : nmap -sS -S <spoofed IP> -e eth0 <target>

Note: whatever decoys we use should be online when we use this method.

iii. By spoofing the source port - if the firewall allows all traffic through a specific port such as 53 (DNS), which is usually allowed, this configuration lets packets in when they are sent from that port.
nmap --source-port <port_num> <target>

iv. By spoofing the MAC address - when the firewall allows traffic based on the MAC address, the --spoof-mac option can be used.
Ex:
--spoof-mac Dell (or Apple, ...)   --> uses a MAC from that vendor's range
--spoof-mac 0                      --> uses a random MAC
--spoof-mac 00:11:22:33:44:55      --> uses the MAC we specify

Alternative tool for changing the MAC address of our own interface: macchanger


NMAP IP range and port range options:
---------------------------------------

1. -iL : input list : we can list the IPs to scan in a text file and nmap scans the IPs mentioned in it
2. --exclude : to exclude a range of IPs from a bigger range
3. --exclude-ports : to exclude a few ports from the port range being scanned

nmap -sn -iL <path_for_the_file>
nmap -sn -iL /root/Desktop/ip

nmap -sn <complete_range> --exclude <range_to_exclude>
nmap -sn 192.168.1.0-255 --exclude 192.168.1.100-200

nmap -sS <target_ip> --exclude-ports <ports_to_exclude>
nmap -sS 192.168.1.7 --exclude-ports 21,22,53,80,1000-5000
Subnet mask (the notation used on Windows) vs. CIDR - Classless Inter-Domain Routing (the notation used on Linux):

Class     Layout     Subnet mask      CIDR
Class A : N.H.H.H    255.0.0.0        /8
Class B : N.N.H.H    255.255.0.0      /16
Class C : N.N.N.H    255.255.255.0    /24
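The range, --exclude, -p/--exclude-ports and CIDR forms above all describe sets of addresses or ports. This added example (not part of the notes or of nmap itself) expands nmap-style target and port specs the way the commands above do, applies an exclude list, and converts between CIDR prefixes and subnet masks; the helper names are my own.

```python
import ipaddress

def _octet_ranges(spec):
    """Expand a dotted spec with per-octet ranges, e.g. 192.168.1.0-255 or 10.0.1-2.5."""
    octets = []
    for part in spec.split("."):
        lo, _, hi = part.partition("-")
        octets.append(range(int(lo), int(hi or lo) + 1))
    a, b, c, d = octets
    return {f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d}

def expand_targets(spec):
    """Expand one nmap-style IPv4 target spec (CIDR or octet ranges) to a set of addresses.
    Like nmap, a /24 includes the .0 and .255 addresses."""
    if "/" in spec:
        return {str(h) for h in ipaddress.ip_network(spec, strict=False)}
    return _octet_ranges(spec)

def scan_set(targets, exclude=None):
    """Addresses nmap would actually probe for: nmap <targets> --exclude <exclude>"""
    hosts = expand_targets(targets)
    return hosts - expand_targets(exclude) if exclude else hosts

def expand_ports(spec):
    """Expand a -p / --exclude-ports list such as 21,22,53,80,1000-5000 ('-' means all)."""
    ports = set()
    for item in ("1-65535" if spec == "-" else spec).split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def cidr_to_mask(prefix):
    """/24 -> 255.255.255.0"""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)

def mask_to_cidr(mask):
    """255.0.0.0 -> 8"""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen

if __name__ == "__main__":
    kept = scan_set("192.168.1.0-255", "192.168.1.100-200")
    left = expand_ports("-") - expand_ports("21,22,53,80,1000-5000")
    print(len(kept), "hosts and", len(left), "ports remain; /24 =", cidr_to_mask(24))
```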