Network Mapping

Network Mapping Identify Live Hosts Determine running Services

TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery

Identify Perimeter Network (Router / Firewalls) Tracerouting Scan Default Firewall/Router

Ports Perform FIN/ACK Scan Map Router / Firewall

Rule-Base

Passive OS Guessing Active OS Guessing

TCP/IP Stack Fingerprinting HTTP Packet Analysis ICMP Packet Analysis Telnet Handshake Analysis

Host Enumeration Systems Enumeration

Heorot.net

Identify Live Hosts

Project Scope will restrict scan spectrum

Tools:pingnmaphpingtraceroutetpctraceroute

Heorot.net

Identify Live Hosts

ping Demonstration

Identify Live Hosts

nmap Demonstration

Identify Live Hosts

hping Demonstration

Identify Live Hosts

traceroute Demonstration

Identify Live Hosts

tcptraceroute Demonstration

Hands-On Exercise Identify Live Hosts

Tools:pingnmaphpingtraceroutetpctraceroute

Man pages# man ping# man nmap# man traceroute# man tcptraceroute

Difference between:TCPUDP

What is an “ICMP echo request”?#man icmp

Heorot.net

Determine Running Services

TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery

Heorot.net

Determine Running Services

TCP Port Scanning

Tools:nmapnetcathping

Heorot.net

Determine Running Services

nmap Demonstration

Determine Running Services

netcat Demonstration

Determine Running Services

hping Demonstration

Determine Running Services

UDP Port Scanning

Tools:nmapnetcathping

Heorot.net

Determine Running Services

nmap Demonstration

Determine Running Services

netcat Demonstration

Determine Running Services

hping Demonstration

Determine Running Services

Banner Grabbing

Tools:nmapamapnetcattelnet

Heorot.net

Determine Running Services

nmap Demonstration

Determine Running Services

amap Demonstration

Determine Running Services

netcat Demonstration

Determine Running Services

telnet Demonstration

Determine Running Services

ARP Discovery

Tools:arpingarp + protocol analyzer

Heorot.net

Hands-On Exercise Determining Running Services

Tools:nmapnetcathpingamapnetcattelnet

TCP Services5 “open” services

UDP Services1 “closed” service

(or is it???)

BannersHow many banners can you

grab?Version InformationApplication Name

TCP 3-way Handshake

Heorot.net

Operating System Guessing

Operating System Query

Tools:httprintnetcatnmap

Heorot.net

Operating System Guessing

httprint Demonstration

Operating System Guessing

netcat Demonstration

Operating System Guessing

ICMP Packet Analysis

Tools:xprobe

Heorot.net

Operating System Guessing

xprobe Demonstration

Operating System Guessing

Telnet Handshake Analysis

Tools:nmaptelnetfp

Heorot.net

Operating System Guessing

nmap Demonstration

Host Enumeration

What did you miss?Unknown application?

Unusual OS?

Time to read up:RFC (Request for Comments)White PapersManuals

Heorot.net

Hands-On Exercise Operating System Guessing / Host Enumeration

Tools:xprobenmap

RFCsWhat they areWho produces themRFC 793, 768, 792

○ Bonus: 854, 4251○ Super-Geek Bonus: 3766

White PapersLinuxSlackware

DocumentationSlackware

Heorot.net

Module 4 – Conclusion

Phase II Controls Assessment Scheduling

○ Information Gathering○ Network Mapping

Identify Live HostsDetermine running ServicesIdentify Perimeter Network (Router / Firewalls)Passive OS GuessingActive OS GuessingHost Enumeration

Heorot.net