Timeliness, Bandwidth and Other Factors Essential When Performing Scans or Enumeration - Term Paper Example

Summary
The paper "Timeliness, Bandwidth and Other Factors Essential When Performing Scans or Enumeration" concerns the factors that need to be considered in order to choose a type of scanning or enumeration properly, so that the vulnerabilities that might expose corporate data to unauthorized access are found rather than missed.

Extract of sample "Timeliness, Bandwidth and Other Factors Essential When Performing Scans or Enumeration"

Scanning and Enumeration

According to Hsu and Marinucci (2013), technological advancement has brought with it much higher cybersecurity threats. As companies and governments have been forced to adopt new technology, the risk of unauthorized access to information has risen with it. Governments and organizations routinely store, transmit and share private and confidential information across large networks, and many of those networks carry vulnerabilities that put the data at risk of being accessed. This has driven the emergence of white hat hackers, also referred to as ethical hackers (Patil and Bhakkad, 2014). Firms and governments hire such individuals to detect vulnerabilities in their information systems before malicious hackers can use them to gain access (Simpson, Backman, and Corley, 2010). The white hat hacker employs the same techniques as a malicious hacker in order to test the security of a system, and ethical hackers also provide further services such as recovering data that has become inaccessible. Before one qualifies as an ethical hacker, however, one is normally expected to hold a certification, which attests that the hacker understands the ethical responsibilities that come with access to information systems (Allsopp, 2017). The certification covers system hacking, various forms of attack on a system (planting Trojan horses and other malware, SQL injection), scanning, and enumeration. All of these techniques form part of penetration testing, the process of accessing an organization's information system in order to identify existing and potential vulnerabilities (Allsopp, 2017).
After the tests, the results are forwarded to the firm's information technology personnel, who use the findings to draw up recommendations and plans for strengthening the system and reducing the likelihood of future attacks. Scanning and enumeration are among the penetration testing techniques an ethical hacker employs when assessing a system. Throughout the process, however, one must adhere to a set of rules and regulations. The client must first approve, in writing, every step the ethical hacker intends to take. These approvals are recorded in the "Rules of Engagement" document (Faircloth, 2011), which names all parties involved in the penetration test, including the IT personnel and the testers with their contact details, and the number of hours to be spent testing the system over the engagement. The document should likewise list all IP addresses that are to be tested and those that are out of scope, and describe any limitation of liability arising from the testing process (Faircloth, 2011). In this way all parties share a common understanding of how the penetration test will be conducted. An ethical hacker is usually given a set of targets to test. It is nonetheless important to consider the other hosts that operate within the same trusted subnet and of which the client may not be fully aware, provided they fall within the agreed scope. Once one has worked out which targets appear to carry vulnerabilities and which do not, it becomes far more straightforward for the ethical hacker to select the most appropriate penetration techniques. A poorly designed scanning and enumeration plan, by contrast, reduces the efficiency of the test.
It might even cause a denial of service on the target when a method is used that does not suit that particular system.

Scanning

During this phase the ethical hacker gathers all information about the target's goals and the services/ports it offers (Kimberly, 2007). This information tells the tester what kind of information system the organization uses. The data collected by scanning includes installed applications, ports and services, operating systems, and the IP addresses that allow users of the system to share information; together it lets the ethical hacker choose the best tools for the rest of the engagement. Overall, the primary aim of scanning is to determine which parts of the organizational network are alive and responsive (Henry, 2012). The underlying protocols and techniques include the Transmission Control Protocol (TCP) and the Internet Control Message Protocol (ICMP). The information about targets gathered during this reconnaissance stage is usually extensive, so the ethical hacker should first determine which systems on the network appear to be live and responsive. A scan may miss unresponsive systems; using ICMP probes (and, where ICMP is filtered, TCP probes to common ports) one still has a chance of detecting them.

Types of Scanning

Port Scanning. Through port scanning an ethical hacker identifies which TCP/IP ports are open, which in turn reveals the services running on the system (Baloch, 2014). Each service listens on its own port number. The SYN scan is the most commonly used port scan: the tester sends a SYN segment, and an open port answers with SYN/ACK while a closed port answers with RST (Duffy, 2015); a port that answers nothing at all is usually being filtered by a firewall.
In port scanning the tester sends packets to a range of ports and waits for the responses, which are then analysed to determine the security posture of each port. Another family of port scans relies on unusual TCP flag combinations such as URG, PSH and FIN (the NULL, FIN and Xmas scans); different systems respond differently to such probes, and the responses themselves reveal information about the target.

Network Scanning. The hacker must identify every host that uses services on the network. Once network scanning has identified the hosts, he/she can choose to attack them or simply carry out security assessments of the network (Kimberly, 2007). It likewise provides the hacker with each host's IP address.

Vulnerability Scanning. This is how the hacker identifies the vulnerabilities present in a system. The scan reports the applications installed on the system and the operating system version numbers (Graves, 2010), from which the hacker determines the weaknesses present and plans an attack aimed at the services the system exposes.

CEH Scanning Methodology

Every Certified Ethical Hacker must be fully aware of the scanning methodology, which lays out the steps required to scan a system so that no vulnerability slips through the scanning process and so that the tester ends up with all the information needed to attack the targets.

Checking for Live Systems. The first step is to identify the live and available systems on the network: hosts that respond when the tester sends packets to them. The primary means of checking for live target IPs is the ping sweep, also referred to as an ICMP sweep (Kimberly, 2007).
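The probes just described look different from the defender's side. The following Python detector is an added example and not part of the original paper: it reads firewall log lines in the style of the Linux iptables LOG target, names the uncommon-flag probes (NULL, FIN and Xmas), and raises a windowed alert when one source sends SYNs to many distinct ports (port scan) or ICMP echo requests to many distinct hosts (ping sweep). The log lines, addresses and thresholds are constructed for the example; the slow scanner at the end sends the same ten ports spread over 150 seconds and stays under the 60-second window, which is the timing trade-off discussed under the factors at the end of the paper.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Flag tokens exactly as the iptables LOG target prints them.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Extract timestamp, endpoints, protocol, destination port, ICMP type and TCP flags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    dpt = re.search(r"DPT=(\d+)", rest)
    itype = re.search(r"TYPE=(\d+)", rest)
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dport": int(dpt.group(1)) if dpt else None,
        "icmp_type": int(itype.group(1)) if itype else None,
        "flags": frozenset(tok for tok in rest.split() if tok in FLAG_TOKENS),
    }


def classify_probe(flags):
    """Name the uncommon-flag probes (nmap -sN/-sF/-sX); ordinary traffic carries SYN, ACK or RST."""
    if flags & {"SYN", "ACK", "RST"}:
        return None
    if not flags:
        return "NULL scan"
    if flags == {"FIN"}:
        return "FIN scan"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan"
    return None


def detect(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=8):
    """Return (source, kind, detail) alerts for flag probes, port scans and ping sweeps."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    syn_hist, echo_hist = defaultdict(list), defaultdict(list)
    alerts, raised = [], set()
    secs = int(window.total_seconds())

    def distinct_in_window(hist, ts, value):
        # Keep only events newer than ts - window and return the distinct values left.
        hist.append((ts, value))
        while ts - hist[0][0] > window:
            hist.pop(0)
        return {v for _, v in hist}

    for r in records:
        if r["proto"] == "TCP":
            probe = classify_probe(r["flags"])
            if probe:
                alerts.append((r["src"], probe, f"{r['dst']}:{r['dport']}"))
            elif r["flags"] == {"SYN"} and r["dport"] is not None:
                ports = distinct_in_window(syn_hist[r["src"]], r["ts"], r["dport"])
                if len(ports) >= port_threshold and (r["src"], "port scan") not in raised:
                    raised.add((r["src"], "port scan"))
                    alerts.append((r["src"], "port scan", f"{len(ports)} distinct ports in {secs}s"))
        elif r["proto"] == "ICMP" and r["icmp_type"] == 8:
            hosts = distinct_in_window(echo_hist[r["src"]], r["ts"], r["dst"])
            if len(hosts) >= host_threshold and (r["src"], "ping sweep") not in raised:
                raised.add((r["src"], "ping sweep"))
                alerts.append((r["src"], "ping sweep", f"{len(hosts)} hosts probed in {secs}s"))
    return alerts


# --- constructed sample log (not a real capture) ---------------------------
def _entry(sec, src, dst, proto, dport=None, flags="SYN", icmp_type=8):
    ts = (datetime(2024, 3, 1, 10, 0, 0) + timedelta(seconds=sec)).isoformat()
    line = f"{ts} kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 PROTO={proto}"
    if proto == "TCP":
        return f"{line} SPT=40000 DPT={dport} {flags}"
    return f"{line} TYPE={icmp_type} CODE=0"


PORTS = [21, 22, 23, 25, 80, 110, 139, 143, 443, 445]
SAMPLE_LOG = (
    [_entry(i, "10.0.0.5", "10.0.0.20", "TCP", p) for i, p in enumerate(PORTS)]            # fast SYN scan
    + [_entry(12, "10.0.0.5", "10.0.0.20", "TCP", 80, flags="FIN PSH URG")]                # Xmas probe
    + [_entry(20 + i, "10.0.0.9", f"10.0.0.{i + 1}", "ICMP") for i in range(8)]            # ping sweep
    + [_entry(100 + 15 * i, "10.0.0.11", "10.0.0.20", "TCP", p) for i, p in enumerate(PORTS)]  # slow scan
    + [_entry(30, "10.0.0.7", "10.0.0.20", "TCP", 443)]                                    # benign connect
)

if __name__ == "__main__":
    for src, kind, detail in detect(SAMPLE_LOG):
        print(f"{src:<12} {kind:<10} {detail}")
```

With the default 60-second window the fast scanner, the Xmas probe and the ping sweep are reported and the slow scanner from 10.0.0.11 is not; widening the window to 300 seconds catches it too, at the price of more state per source. Real detectors also whitelist vulnerability scanners and monitoring hosts, which otherwise trip the same thresholds.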
A ping reply indicates that the destination is responsive. Several tools perform ping sweeps, among them Nmap and the fping command; the figures below show some of the ping sweep commands.

Figure: Nmap ping sweep (source: https://www.binarytides.com/ping-sweep-network-nmap/)

In the figure, the -sP option tells Nmap to determine only which hosts are up (Dieterle, 2016); current Nmap versions call the same host-discovery mode -sn. The image shows 254 IP addresses scanned, of which only four are up. The figure below shows a ping sweep using the fping command, which sends ICMP echo requests to a large number of hosts and treats any host that does not reply as unavailable.

Figure: fping ping sweep (source: https://www.slashroot.in/what-ping-sweep-and-how-do-ping-sweep)

Checking for Open Ports and Service Identification. This second step of the CEH scanning methodology tells the hacker which ports are open and, through them, points to the possible vulnerabilities of a particular system. The most common port scanning tool is Nmap, which reports the ports active on a given host. The figure below shows the results of an Nmap scan using the -sS option, the SYN scan (Dieterle, 2016). This scan type is chosen for its compatibility with many operating systems, its relative stealth (the TCP handshake is never completed) and its speed. The third step is service identification, in which the hacker identifies the services the hosts offer via their respective port numbers; the tools used for port scanning can also produce the results for this step (nmap -sV, for example).

Figure: Nmap port scan results (source: https://nmap.org/book/man-port-scanning-techniques.html)

OS Fingerprinting

The hacker needs to be aware of operating system fingerprinting.
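The scan results in the figures are usually processed from Nmap's XML output (-oX) rather than read off the screen. The following Python parser is an added example, not code from the paper or from the Nmap project: it pulls out the live hosts (step one), the open ports with their identified services (steps two and three), the OS match that nmap -O reports, and the command line that was run, and renders the engagement notes a client may later ask for. The XML is a constructed sample shaped like real nmap output; addresses, versions and OS matches are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -oX` output; addresses, versions and OS matches are invented.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.0.0/29" version="7.94">
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
        <service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Windows Server 2019 microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os>
  </host>
</nmaprun>
"""

# What nmap's "reason" attribute means in terms of the SYN-scan exchange described in the text.
REASONS = {"syn-ack": "SYN/ACK received (open)", "reset": "RST received (closed)",
           "no-response": "no reply (filtered by a firewall or dropped)"}


def parse_nmap_xml(xml_text):
    """Turn an nmap XML report into a dict: the command line used plus one entry per host."""
    root = ET.fromstring(xml_text)
    report = {"command": root.get("args"), "hosts": []}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"addr": addr.get("addr") if addr is not None else None,
                 "state": status.get("state"), "reason": status.get("reason"),
                 "ports": [], "os": None}
        for port in host.findall("ports/port"):
            st, svc = port.find("state"), port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": st.get("state"), "reason": st.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": " ".join(filter(None, (svc.get("product"), svc.get("version"))))
                           if svc is not None else "",
            })
        match = host.find("os/osmatch")
        if match is not None:
            entry["os"] = (match.get("name"), int(match.get("accuracy")))
        report["hosts"].append(entry)
    return report


def live_hosts(report):
    """Step one of the methodology: which addresses answered."""
    return [h["addr"] for h in report["hosts"] if h["state"] == "up"]


def open_ports(report):
    """Steps two and three: open ports and identified services per live host."""
    return {h["addr"]: [p for p in h["ports"] if p["state"] == "open"]
            for h in report["hosts"] if h["state"] == "up"}


def to_notes(report):
    """Render the engagement notes the client may ask for: flags used, then per-host findings."""
    lines = [f"command: {report['command']}"]
    for h in report["hosts"]:
        if h["state"] != "up":
            lines.append(f"{h['addr']}: down ({h['reason']})")
            continue
        os_txt = f"{h['os'][0]} ({h['os'][1]}% match)" if h["os"] else "unknown OS"
        lines.append(f"{h['addr']}: up, {os_txt}")
        for p in h["ports"]:
            svc = f" {p['service']} {p['product']}".rstrip() if p["service"] else ""
            lines.append(f"  {p['port']}/{p['proto']} {p['state']}{svc}  "
                         f"[{REASONS.get(p['reason'], p['reason'])}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_notes(parse_nmap_xml(SAMPLE_XML)))
```

The "reason" column is worth keeping in the notes: "syn-ack" and "reset" are the SYN/ACK and RST responses the text describes, while "no-response" on a port that should be open usually means a firewall is in the path, not that the service is absent.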
Knowing the target's operating system helps in designing and implementing better security measures for the system, and the technique is a vital penetration testing skill. The hacker looks for the most natural route into the system and therefore concentrates on specific exploitable vulnerabilities. Every operating system has its own set of weaknesses; an attacker who knows which operating system is present knows which flaws to try, and has a much easier time extracting data from the system. OS fingerprinting techniques fall into two sub-groups.

Active OS Fingerprinting. This is simpler than the passive method and gives the hacker an easier route to the required information (Henry, 2012). The tester sends crafted packets to the targets and analyses the responses; the primary tool for active fingerprinting is Nmap (the -O option).

Passive OS Fingerprinting. This technique sends no packets to the target; instead it sniffs existing traffic and infers the operating system from the characteristics of the packets (Kimberly, 2007), so the hacker's activity is far less likely to be noticed by firewalls. Tools for this technique include Satori and NetworkMiner; p0f is another widely used passive fingerprinter.

Vulnerability Scanning

This is the fifth step of the CEH scanning methodology. It probes potential points of exploitation with the aim of finding holes in the system's security (Kimberly, 2007), detecting and classifying the system's weaknesses. The scan is usually run from the hacker's own endpoint. There are two types of vulnerability scan, unauthenticated and authenticated (Graves, 2010). An unauthenticated scan approaches the system as an intruder would, without any trusted access to it.
An authenticated scan accesses the system as a trusted user and finds the vulnerabilities that a trusted user could exploit.

Drawing Network Diagrams of Vulnerable Hosts. The hacker then uses the discovered network nodes to draw a network diagram of the paths leading to the victim's computer and marks every loophole that can be used to reach the victim's system. If the victim switches the computer off or disconnects it from the network, however, the hacker's access to the system is interrupted.

Proxy Preparation and Attack. The hacker should set up a proxy server to act as an intermediary between his/her own computer and the victim's, which keeps the hacker's identity hidden while the victim's system is being accessed. The hacker should also use anonymizers, which strip the information that identifies a particular computer user, so that privacy and confidentiality are maintained. According to Kimberly (2007), the hacker must understand anonymizing techniques such as HTTP tunneling, in which a protocol blocked by the firewall is wrapped inside an allowed one, in this case HTTP, so that otherwise blocked traffic passes through the proxy. The hacker should likewise understand IP spoofing in order to reduce the chance of detection (Kimberly, 2007). Finally, after studying the vulnerabilities carefully, the hacker is in a position to attack the system.

Enumeration

Enumeration takes place after the hacker has finished scanning the system. It lets the hacker compile all services, shares, network resources, machine names and usernames into a single report (Henry, 2012), and thereby learn which services he/she can reach from his/her own position.
Enumeration gives the hacker confidence that a particular system is running and can be attacked quickly (Dieterle, 2016). During the enumeration phase the hacker must keep proper notes. The client may later ask about the switches or flags used when running a particular tool and about its results, so the notes should contain the output and the relevant logs from the entire scanning process.

Performing Null Sessions

Null sessions have existed since the Windows NT era and were still enabled by default in Windows 2000. Through a null session the hacker can pull a great deal of useful data out of a system, to be used in an attack, after creating a NetBIOS connection (Graves, 2010); during a penetration test this is something the hacker will usually attempt. An operating system ordinarily assigns an identity to each user: when one accesses a system remotely, one is given a session in which a username and password are supplied, and this is what grants access to the system's resources. A null session is therefore one in which a user connects to the system without supplying any username or password. It is made available only through the IPC$ share, and the protocol used is almost always SMB (Graves, 2010). Through it the hacker can carry out extensive enumeration of the system, obtaining its services, permissions, usernames and policies, among other information about the network.

NetBIOS Enumeration and Null Sessions

When a hacker connects to a remote system without supplying a username and password, a NetBIOS null session is created.
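From the target's side, a null session leaves a trace in the Windows Security log. The following Python detector is an added example and not from the paper: it looks for event 4624 network logons (logon type 3) by the anonymous SID S-1-5-7 from a remote address and pairs each with event 5140 accesses to the IPC$ share by ANONYMOUS LOGON within a short window. The events are constructed for the example; the field names follow the Windows Security log, the values are invented.

```python
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"     # NT AUTHORITY\ANONYMOUS LOGON
NETWORK_LOGON = 3             # 4624 LogonType used by SMB/NetBIOS connections
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}


def is_anonymous_network_logon(ev):
    """Event 4624 with the anonymous SID and a network logon type from a remote address."""
    return (ev["EventID"] == 4624
            and ev.get("LogonType") == NETWORK_LOGON
            and ev.get("TargetUserSid") == ANONYMOUS_SID
            and ev.get("IpAddress") not in LOCAL_SOURCES)


def is_anonymous_ipc_access(ev):
    """Event 5140 (share accessed) for IPC$ by ANONYMOUS LOGON: the share a null session rides on."""
    return (ev["EventID"] == 5140
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("SubjectUserName") == "ANONYMOUS LOGON")


def find_null_sessions(events, window=timedelta(seconds=30)):
    """Pair each anonymous network logon with IPC$ access from the same address inside the window."""
    logons = sorted((e for e in events if is_anonymous_network_logon(e)),
                    key=lambda e: e["TimeCreated"])
    shares = [e for e in events if is_anonymous_ipc_access(e)]
    findings = []
    for lg in logons:
        follow_ups = [s for s in shares
                      if s.get("IpAddress") == lg["IpAddress"]
                      and timedelta(0) <= s["TimeCreated"] - lg["TimeCreated"] <= window]
        findings.append({
            "source": lg["IpAddress"],
            "target": lg["Computer"],
            "time": lg["TimeCreated"],
            "ipc_access": len(follow_ups),
            "confidence": "high" if follow_ups else "medium",
        })
    return findings


# Constructed events (field names follow the Windows Security log; values are invented).
T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": T0, "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": ANONYMOUS_SID,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"EventID": 5140, "TimeCreated": T0 + timedelta(seconds=1), "Computer": "FS01",
     "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TimeCreated": T0 + timedelta(seconds=5), "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "alice", "TargetUserSid": "S-1-5-21-1111-2222-3333-1104",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.7"},          # normal user
    {"EventID": 4624, "TimeCreated": T0 + timedelta(seconds=9), "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": ANONYMOUS_SID,
     "AuthenticationPackageName": "NTLM", "IpAddress": "-"},                      # local, ignored
    {"EventID": 4624, "TimeCreated": T0 + timedelta(minutes=5), "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": ANONYMOUS_SID,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.9"},               # no IPC$ follow-up
]

if __name__ == "__main__":
    for f in find_null_sessions(SAMPLE_EVENTS):
        print(f"{f['time']:%H:%M:%S} {f['source']} -> {f['target']} "
              f"ipc_access={f['ipc_access']} confidence={f['confidence']}")
```

Anonymous network logons also occur legitimately (domain controllers and NTLM negotiation produce them), which is why the 4624 event on its own is only medium confidence here; the IPC$ access in event 5140, which requires the File Share audit subcategory to be enabled, is what lifts a finding to high.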
This occurs on operating systems and devices that use Server Message Block (SMB), also known as the Common Internet File System (CIFS) (Graves, 2010). Once the null session is established, the hacker can retrieve the relevant information from the victim's system. Weaknesses in SMB make it easy to set up the null session (Kimberly, 2007), which forms a connection between the hacker's and the victim's systems. For NetBIOS and null session attacks to be possible, one or more of the following ports must be open: 135, 137, 138, 139 and 445 (Kimberly, 2007). To check whether a host accepts a null session connection, the hacker types a command of the form

C:\> net use \\IP_Address\IPC$ "" /u:""

for example

C:\> net use \\192.21.7.1\IPC$ "" /u:"" (Kimberly, 2007)

The empty password ("") and the empty user (/u:"") indicate that one wishes to connect without a username or password (Kimberly, 2007). For further information one then types

C:\> net view \\IP_Address

which lists the devices, computers and shares, among other information, that the hacker can see. Modern Windows versions restrict anonymous enumeration by default (the RestrictAnonymous settings), so these commands normally fail against a patched and correctly configured host.

SNMP Enumeration

The Simple Network Management Protocol (SNMP) is one of the most productive means a hacker can employ during enumeration. Almost every piece of network infrastructure runs an SNMP agent that manages the device (Kimberly, 2007). A management station sends SNMP requests to the agent, which returns a response; a hacker who can talk to the agent obtains comprehensive data about the system or device. In SNMP versions 1 and 2c there are two passwords, called community strings, and these are all that is needed to read and reconfigure the agent from a management station, giving the hacker all information about the system's or device's configuration. The first is the read community string (Kimberly, 2007).
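In SNMP versions 1 and 2c the community string is the only credential, and it travels unencrypted in every datagram. The following Python code is an added example, not from the paper: it encodes an SNMPv1 GetRequest for sysDescr.0 by hand (the BER layout of the message is the standard one; the request-id and community values are chosen for the example), then parses the same bytes the way a sniffer would to recover the version and community string and to flag the shipped defaults "public" and "private". No network access is needed.

```python
# SNMPv1/v2c GetRequest encoder and community-string extractor (BER by hand; no network needed).

SYS_DESCR = "1.3.6.1.2.1.1.1.0"             # sysDescr.0, the first object every enumerator asks for
DEFAULT_COMMUNITIES = {"public", "private"}  # shipped defaults on a great deal of equipment


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value):
    # Minimal two's-complement encoding; INTEGER tag 0x02.
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _ber_oid(dotted):
    # First two arcs fold into one byte; larger arcs use base-128 with continuation bits.
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR, request_id=1, version=0):
    """SNMP message: version (0 = v1, 1 = v2c), community, GetRequest-PDU [0] with one varbind."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_community(packet):
    """What a sniffer sees: the version and the community string, both unencrypted."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, comm, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    return int.from_bytes(ver, "big", signed=True), comm.decode("latin-1")


def audit_packet(packet):
    """Findings a defender would raise for one captured SNMP datagram."""
    version, community = parse_community(packet)
    findings = []
    if version in (0, 1):
        findings.append(f"SNMPv{'1' if version == 0 else '2c'}: community string sent in cleartext")
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string {community!r}")
    return findings


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())
    print(parse_community(pkt), audit_packet(pkt))
```

The hex dump makes the point of the section visible: the bytes 70 75 62 6c 69 63 ("public") sit in the clear right after the version field, so anyone on the path can read the read community string, and the read/write string is exposed the same way whenever it is used. Sending the datagram to UDP port 161 of a real agent is the only step omitted.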
The second is the read/write community string (Kimberly, 2007), with which the hacker can alter the entire system or device configuration. Because SNMPv1 and v2c send the community strings in cleartext and provide no authentication beyond them, IT personnel who wish to prevent this kind of access should remove the SNMP agent or disable all SNMP-related services on systems that do not need them (Gregg, 2015), and on the rest change the default community strings or move to SNMPv3, which authenticates and encrypts; in this way unauthorized access to the system is prevented.

Factors to Consider During Scanning and Enumeration

Before choosing a type of scan or enumeration, several factors must be considered. When scanning and enumeration are carried out on a system whose IT administrators do not know about the activity, one must maintain a stealthy approach: if the traffic passes through links that the administrators monitor, the whole testing exercise may be rendered null and void, because they may shut the system down and so cut off access. Timing is therefore essential when performing scans or enumeration. Running the scan quickly raises the chance of detection, since firewalls and intrusion detection systems key on bursts of probes to many ports or hosts; running it slowly (Nmap's -T0 to -T2 timing templates, for instance) lowers that chance, at the cost of an engagement that may take days rather than minutes, which must be budgeted for in the Rules of Engagement. Bandwidth is the next factor. Scanning a large number of targets over an ordinary business broadband link can saturate the link, and the system administrators will notice the change in bandwidth use and may obstruct the test; the scan rate should be capped accordingly. Finally, the content of the packets matters. If the scanning or enumeration program sends unusual flag combinations (the NULL, FIN and Xmas scans) to the victims, firewalls and intrusion detection systems may pick them up and block such packets, and an unexpected response from the target's TCP/IP stack may produce misleading results. The hacker must therefore keep in mind the type of packets being sent to the targets.

References

Allsopp, W. (2017). Advanced penetration testing: Hacking the world's most secure networks. Somerset: John Wiley & Sons.
Baloch, R. (2014). Ethical hacking and penetration testing guide. CRC Press.
Bayuk, J. L. (2010). CyberForensics: Understanding information security investigations. New York: Humana.
Contos, B. T. (2007). Physical and logical security convergence powered by enterprise security management. Burlington, MA: Syngress.
Dieterle, D. W. (2016). Basic security testing with Kali Linux 2: Test your computer system security by using the same tactics that an attacker would use.
Duffy, C. (2015). Learning penetration testing with Python: Utilize Python scripting to execute effective and efficient penetration tests.
Faircloth, J. (2011). Penetration tester's open source toolkit. Burlington: Elsevier Science.
Gadhiya, S., & Bhavsar, K. (2013). Techniques for malware analysis. International Journal of Advanced Research in Computer Science and Software Engineering, 3(4).
Graves, K. (2010). CEH: Certified Ethical Hacker study guide. Indianapolis, IN: Wiley.
Gregg, M. (2015). The network security test lab: A step-by-step guide.
Henry, K. M. (2012). Penetration testing: Protecting networks and systems. Ely, Cambridgeshire, UK: IT Governance Publishing.
Hsu, D. F., & Marinucci, D. (2013). Advances in cyber security: Technology, operations, and experiences.
Kimberly, G. (2007). CEH: Official Certified Ethical Hacker review guide.
Ligh, M., Adair, S., Hartstein, B., & Richard, M. (2010). Malware analyst's cookbook and DVD.
Park, J. J., Loia, V., Yi, G., & Sung, Y. (2017). Advances in computer science and ubiquitous computing: CSA-CUTE 17. Singapore: Springer.
Patil, D. B., & Bhakkad, D. D. (2014). Redefining management practices and marketing in modern age.
Penning, N., Hoffman, M., Nikolai, J., & Wang, Y. (2014, May). Mobile malware security challenges and cloud-based detection. In 2014 International Conference on Collaboration Technologies and Systems (CTS) (pp. 181-188). IEEE.
Shiraishi, Y., Kamizono, M., Hirotomo, M., & Mohri, M. (2017). Multi-environment analysis system for evaluating the impact of malicious web sites changing their behavior. IEICE Transactions on Information and Systems, 100(10), 2449-2457.
Sikorski, M., & Honig, A. (2012). Practical malware analysis: A hands-on guide to dissecting malicious software. San Francisco: No Starch Press.
Simpson, M. T., Backman, K., & Corley, J. (2010). Hands-on ethical hacking and network defense. Cengage Learning.
Vasilomanolakis, E., Karuppayah, S., Mühlhäuser, M., & Fischer, M. (2014, September). Hostage: A mobile honeypot for collaborative defense. In Proceedings of the 7th International Conference on Security of Information and Networks (p. 330). ACM.
