LPTv4 Module 18 External Penetration Testing_NoRestriction
ECSA/LPT
EC-Council Module XVIII
External Penetration Testing
Penetration Testing Roadmap

Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont'd)

Cont'd
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Bluetooth and Handheld Device Penetration Testing
Telecommunication and Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
External Intrusion Test and Analysis

An external intrusion test and analysis identifies the security weaknesses and strengths of the client's systems and networks as they appear from outside the client's security perimeter, usually from the Internet.

The goal of an external intrusion test and analysis is to demonstrate the existence of known vulnerabilities that could be exploited by an external attacker.
How is it Done?

• Gather externally accessible configuration information
• Scan the client's external network gateways to identify services and topology
• Scan the client's Internet servers for ports and services vulnerable to attack
• Attempt intrusion of vulnerable internal systems
Client Benefits

External penetration testing allows the client to anticipate external attacks that might cause security breaches and to proactively reduce risks to its information, systems, and networks.

This proactive approach will improve the security of the client's networked resources.

External penetration testing can provide solutions for improving e-business and e-commerce operations, with increased confidence in the client's ability to protect valuable data, resources, and reputation.
External Penetration Testing
Steps – Conduct External Penetration Testing

1. Inventory the company's external infrastructure
2. Create a topological map of the network
3. Identify the IP addresses of the targets
4. Locate the traffic route that goes to the web servers
5. Locate the TCP traffic path to the destination
6. Locate the UDP traffic path to the destination
7. Identify the physical location of the target servers
8. Examine the use of IPv6 at the remote location
9. Look up the domain registry for IP information
10. Find IP block information about the target
11. Locate the ISP servicing the client
12. List open ports
13. List closed ports
14. List suspicious ports that are half open/closed
15. Port scan every port (65,536) on the target's network
16. Use a SYN scan on the target and see the response
17. Use a connect scan on the target and see the response
18. Use an XMAS scan on the target and see the response
19. Use a FIN scan on the target and see the response
20. Use a NULL scan on the target and see the response
21. Firewalk on the router's gateway and guess the access-list
22. Examine TCP sequence number prediction
23. Examine the use of standard and non-standard protocols
24. Examine IPID sequence number prediction
25. Examine the system uptime of the target
26. Examine the operating system used for different targets
27. Examine the patches applied to the operating system
28. Locate the DNS record of the domain and attempt DNS hijacking
29. Download applications from the company's website and reverse engineer the binary code
30. List the programming languages and application software used to create the various programs on the target server
31. Look for error and custom web pages
32. Guess different sub-domain names and analyze the different responses
33. Examine the session variables
34. Examine cookies generated by the server
35. Examine the access controls used in the web applications
36. Brute force URL injections and session tokens
37. Check for directory consistency and page naming syntax of the web pages
38. Look for sensitive information in web page source code
39. Attempt URL encodings on the web pages
40. Try buffer overflow attempts at input fields
41. Try Cross Site Scripting (XSS) techniques
42. Record and replay the traffic to the target web server and note the response
43. Try various SQL injection techniques
44. Examine hidden fields
45. Examine e-commerce and payment gateways handled by the web server
46. Examine welcome messages, error messages, and debug messages
47. Probe the service by SMTP mail bouncing
48. Grab the banner of HTTP servers
49. Grab the banner of SMTP servers
50. Grab the banner of POP3 servers
51. Grab the banner of FTP servers
52. Identify the web extensions used at the server
53. Try to use an HTTPS tunnel to encapsulate traffic
54. OS fingerprint the target servers
55. Check for ICMP responses (type 3, destination unreachable; code 3 is port unreachable)
56. Check for ICMP responses (type 8, echo request)
57. Check for ICMP responses (type 13, timestamp request)
58. Check for ICMP responses (type 15, information request)
59. Check for ICMP responses (type 17, subnet address mask request)
60. Check for ICMP responses from the broadcast address
61. Port scan DNS servers (TCP/UDP 53)
62. Port scan TFTP servers (UDP 69)
63. Test for NTP ports (UDP 123)
64. Test for SNMP ports (UDP 161)
65. Test for Telnet ports (port 23)
66. Test for LDAP ports (port 389)
67. Test for NetBIOS/SMB ports (ports 135-139, 445)
68. Test for SQL Server ports (ports 1433, 1434)
69. Test for Citrix ICA ports (port 1494)
70. Test for Oracle ports (port 1521)
71. Test for NFS ports (port 2049)
72. Test for Compaq/HP Insight Manager ports (ports 2301, 2381)
73. Test for Remote Desktop ports (port 3389)
74. Test for Sybase ports (port 5000)
75. Test for SIP ports (port 5060)
76. Test for VNC ports (ports 5900/5800)
77. Test for X11 ports (port 6000)
78. Test for JetDirect ports (port 9100)
79. Port scan FTP data (port 20)
80. Port scan web servers (port 80)
81. Port scan SSL servers (port 443)
82. Port scan Kerberos/Active Directory (TCP/UDP 88)
83. Port scan SSH servers (port 22)
Step 1: Inventory Company's External Infrastructure

Locate all the external resources of the target's networks.

Look for the following:
• Server locations in cities
• Partners
• Links
• Vendors

Create an inventory list with a map.
Step 2: Create Topological Map of the Network

Draw a topological diagram of the external IT infrastructure.

The drawing must contain the following:
• Servers
• Connection to ISP
• Infrastructure used
• How they are networked to other systems:
  • Customers
  • Partners
Step 3: Identify the IP Address

Identify the IP addresses of the target network:
• Mail servers
• Web servers
• DNS servers
• Proxy servers, etc.

Tools:
• NeoTrace
• IP Address 2 Country
• IP Prober
Step 4: Locate the Traffic Route that Goes to the Web Servers

The network's topological map (or matrix) can be manually verified by logging into each device on the network and using built-in operating system commands such as tracert (Windows) or traceroute (Unix).

These commands show the path a probe takes as it traverses the network (hopping from device to device) to its ultimate destination. Each hop is revealed by the ICMP Time Exceeded message a router returns when the probe's TTL expires. Windows tracert sends ICMP echo requests; Unix traceroute sends UDP probes by default (ICMP with -I, TCP with -T), which matters when a firewall filters one probe type but not another.

C:\>tracert xweb.xsecurity.com
Tracing route to xweb.xsecurity.com [10.2.34.5]
over a maximum of 30 hops:

  1    69 ms    27 ms    14 ms  xboy.xsecurity.com [10.2.34.5]
  2    28 ms   <10 ms    14 ms  10.2.34.4
  3    41 ms    27 ms    14 ms  xweb.xsecurity.com [10.2.34.5]

Trace complete.
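The map of Step 2 is normally assembled from many such traces. The following is an added example, not part of the EC-Council module: it parses Windows tracert output and merges several traces into a set of hop-to-hop edges. The two traces embedded in it are constructed sample input modelled on the slide's xsecurity.com output (hostnames and addresses are invented, not measurements); "scanner" is a hypothetical label for the testing host.

```python
import re

# Constructed sample traces from one testing host to two targets.
TRACE_WEB = """
Tracing route to xweb.xsecurity.com [10.2.34.5]
over a maximum of 30 hops:

  1    69 ms    27 ms    14 ms  xboy.xsecurity.com [10.2.34.1]
  2    28 ms   <10 ms    14 ms  10.2.34.4
  3    41 ms    27 ms    14 ms  xweb.xsecurity.com [10.2.34.5]

Trace complete.
"""

TRACE_MAIL = """
Tracing route to xmail.xsecurity.com [10.2.34.9]
over a maximum of 30 hops:

  1    20 ms    19 ms    21 ms  xboy.xsecurity.com [10.2.34.1]
  2     *        *        *     Request timed out.
  3    33 ms    31 ms    30 ms  xmail.xsecurity.com [10.2.34.9]

Trace complete.
"""

# A tracert hop line: hop number, three RTT columns ("<10 ms" or "*"), responder.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})"
    r"(?P<who>.+?)\s*$"
)
# Responder is either "hostname [a.b.c.d]" or a bare address.
ADDR_RE = re.compile(
    r"(?P<host>[\w.-]+)\s+\[(?P<ip>\d+(?:\.\d+){3})\]|(?P<bare>\d+(?:\.\d+){3})"
)


def parse_tracert(text):
    """Return [(hop, ip_or_None, hostname_or_None, [rtt_ms, ...]), ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [int(tok.lstrip("<")) for tok in m.group("rtts").split()
                if tok not in ("ms", "*")]
        a = ADDR_RE.search(m.group("who"))
        if a is None:                      # "Request timed out."
            ip, host = None, None
        elif a.group("ip"):
            ip, host = a.group("ip"), a.group("host")
        else:
            ip, host = a.group("bare"), None
        hops.append((int(m.group("hop")), ip, host, rtts))
    return hops


def build_topology(traces, origin="scanner"):
    """Merge traces into directed edges (previous hop, next hop).
    A silent hop keeps a placeholder so the hop distance on the map stays right."""
    edges = set()
    for text in traces:
        prev = origin
        for hop, ip, host, rtts in parse_tracert(text):
            node = ip if ip else "unknown-hop-%d" % hop
            edges.add((prev, node))
            prev = node
    return edges


if __name__ == "__main__":
    for src, dst in sorted(build_topology([TRACE_WEB, TRACE_MAIL])):
        print("%-16s -> %s" % (src, dst))
```

Hop 2 of the second trace answers nothing, which is exactly the kind of device (a filtering router or firewall) that Step 21 goes on to probe.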
Step 5/6: Locate TCP/UDP Traffic Path to the Destination

TCP/UDP trace tools:
• IGI
• pathChirp
• Pathload
• Pathrate
• tulip
• Tcptrace
• Netperf
• Scriptroute
Step 7: Identify the Physical Location of the Target Servers

Use NeoTrace tools to identify the physical location of the target servers.
Step 8: Examine the Use of IPv6 at the Remote Location

Verify whether the target servers are using the IPv6 protocol.

Tools:
• 46Bouncer
Step 9: Look up Domain Registry for IP Information

• Locate DNS servers
• Look for primary and secondary servers
• Attempt DNS zone transfers

Online resources:
All-Nettools.Com: Network tools include Whois, Traceroute, ping.
Completewhois: Whois engine providing information on domain ownership and IP address.
DNS Report: Comprehensive report of NS records at nameservers, SOA record, MX, Mail, and www records.
DNS Utilities Online: Detailed domain and network information including specific queries of domain records.
DNSstuff: Whois and DNS lookup. Trace route, Ping. Spam database lookup.
Global whois utility: Global domain ownership information.
Whois search - America: IP and domain lookup in the American Registry for Internet Numbers (ARIN).
Whois search - Asia Pacific: IP and domain lookup in the Asia Pacific Network Information Center (APNIC).
Whois search - Europe: IP and domain lookup in RIPE (Europe, Middle East and North Africa).
Whois search - Latin America: Latin American and Caribbean Internet Addresses Registry (LACNIC).
WHOIS search for .il domain names: Israel Internet Society (.il) domain name registry.
Step 10: Find IP Block Information about the Target

Locate the IP block owned by the company.

Tools:
• Sam Spade
• ARIN database
Step 11: Locate the ISP Servicing the Client

Look for the following:
• Name of the ISP
• Pricing plans
• Services provided
• Which other companies are assigned IP addresses from the same block
• Call the ISP and ask which default equipment (hardware) is delivered if you sign up for a plan similar to the one used by the target company
Step 12: List Open Ports

Look for the following open ports:
7 Echo
13 Daytime
17 Quote of the Day (QOTD)
20 and 21 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
23 Telnet
25 SMTP
43 Whois
53 Domain Name System (DNS)
66 SQL*Net (Oracle)
70 Gopher
79 Finger
80 HTTP
88 Kerberos
101 Host Name Server
109 Post Office Protocol 2 (POP2)
110 Post Office Protocol 3 (POP3)
113 IDENT
115 Simple File Transfer Protocol (the old SFTP, not SSH file transfer)
137, 138, and 139 NetBIOS
143 Internet Message Access Protocol (IMAP)
161 and 162 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
443 Hypertext Transfer Protocol over SSL/TLS (HTTPS)

Tools:
• SuperScan
• NetScanTools Pro
• Nmap

[Figure: open ports on a web server: 21, 23, 53, 80 and 443]
Step 13: List Closed Ports

Once a port is closed, any request made to a machine via the closed port will result in a "this port is closed" acknowledgment from the machine: a TCP RST for a TCP probe, or an ICMP port unreachable (type 3, code 3) for a UDP probe. This is what distinguishes a closed port from a filtered one, which answers with nothing at all.
Port Scanning Tools

Cerberus Internet Scanner (formerly NTInfoScan or NTIS) www.cerberus-infosec.co.uk
CyberCop Scanner www.nai.com
Firewalk www.packetfactory.net
HackerShield www.bindview.com
Hostscan www.savant-software.com
Internet Scanner www.iss.net
IpEye/WUPS www.ntsecurity.nu
Nessus www.nessus.org
Netcat www.atstake.com
Netcop www.cotse.com
NetScan Tools www.nwpsw.com
Nmap www.insecure.org
NmapNT www.eeye.com
SAINT/SATAN www.wwdsi.com
SARA www.www-arc.com
Scanport www.dataset.fr
Strobe www.freebsd.org
SuperScan/Fscan www.foundstone.com
Twwwscan www.search.iland.co.kr
Whisker www.wiretrip.net
Winscan www.prosolve.com
Step 14: List Suspicious Ports that are Half Open/Closed

Look out for stealth ports: a stealth port will not generate any kind of acknowledgement from the target machine (Nmap reports such ports as "filtered").

This lack of acknowledgement will typically cause the requesting machine to wait until its own internal time-out mechanism gives up waiting for a reply.

The advantage of a stealth port over a closed port, from the defender's point of view, is that the intruder's probing efforts are slowed. For the tester, a filtered port is still information: a packet filter sits in front of the host, and the set of filtered ports outlines its rules.
Step 15: Port Scan Every Port (65,536) on the Target's Network

Scan for all ports, including Trojan ports.

This scan is tedious and can take a long time.

Carry out the complete scan in stages, scanning 50 ports per hour.
Step 16: Use SYN Scan on the Target and See the Response

The SYN scan, also called the "half open" scan, determines a port's state without making a full connection to the host: the scanner sends a SYN, an open port answers SYN/ACK (which the scanner tears down with a RST instead of completing the handshake), a closed port answers RST, and no answer means the port is filtered.

Many systems do not log the attempt, and discard it as a communications error.

You must first learn the three-way handshake to understand the SYN scan.
Step 17: Use Connect Scan on the Target and See the Response

Use Nmap options (-sT) to conduct a "connect" scan and examine the response returned by the server. A connect scan completes the full three-way handshake through the operating system's connect() call, so it needs no raw-socket privileges, but the connection is visible to the target application and its logs.
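As an added example (not code from the module), the connect scan of Step 17 written against the plain socket API, classifying each port into the three states Steps 12 to 14 list: a completed handshake is open, an immediate RST (connection refused) is closed, and silence until the timeout is filtered. The demo builds its own target by binding a throwaway listener on loopback, so the open and closed ports it scans are constructed rather than real infrastructure.

```python
import socket
import threading

# How a connect scan tells the three states apart:
#   handshake completes            -> "open"
#   RST comes back (ECONNREFUSED)  -> "closed"
#   nothing before the timeout     -> "filtered" (the slide's "stealth" port)


def connect_scan(host, ports, timeout=1.0):
    """Full-connect (nmap -sT style) scan of `ports` on `host`; returns {port: state}."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"        # three-way handshake completed
        except ConnectionRefusedError:
            results[port] = "closed"      # target answered RST
        except socket.timeout:
            results[port] = "filtered"    # no SYN/ACK and no RST: something dropped it
        except OSError as e:
            results[port] = "error: %s" % e.strerror   # e.g. no route to host
        finally:
            s.close()
    return results


def start_listener(host="127.0.0.1"):
    """Constructed target: a throwaway TCP listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass   # listener was shut down

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def pick_closed_port(host="127.0.0.1"):
    """Find a port nothing listens on; it is released again before the scan."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns (results, open_port, closed_port)."""
    srv, open_port = start_listener()
    closed_port = pick_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    res, o, c = demo()
    for port, state in sorted(res.items()):
        print("%5d/tcp %s" % (port, state))
```

The "filtered" branch never fires on loopback; against a real target it is the branch that takes longest, which is why a full 65,536-port connect scan through a firewall (Step 15) is so slow compared with a SYN scan that can fire probes without waiting on each socket.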
Step 18: Use XMAS Scan on the Target and See the Response

Computer A                                               Computer B

Xmas scan directed at open port:
192.5.5.92:4031 -----------FIN/URG/PSH-----------> 192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23

Xmas scan directed at closed port:
192.5.5.92:4031 -----------FIN/URG/PSH-----------> 192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK------------- 192.5.5.110:23

Note:
• The XMAS scan only works when the target's TCP/IP implementation follows RFC 793: a segment carrying neither SYN, RST nor ACK is dropped silently by a listening port and answered with RST by a closed one.
• The XMAS scan will not work against any current version of Microsoft Windows.
• XMAS scans directed at any Microsoft system will show all ports on the host as being closed, because Windows answers every such segment with RST.
Step 19: Use FIN Scan on the Target and See the Response

Computer A                                               Computer B

FIN scan directed at open port:
192.5.5.92:4031 ---------------FIN---------------> 192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23

FIN scan directed at closed port:
192.5.5.92:4031 ---------------FIN---------------> 192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK------------- 192.5.5.110:23

Note:
• The FIN scan only works when the target's TCP/IP implementation follows RFC 793.
• The FIN scan will not work against any current version of Microsoft Windows.
• FIN scans directed at any Microsoft system will show all ports on the host as being closed.
Step 20: Use NULL Scan on the Target and See the Response

Computer A                                               Computer B

NULL scan directed at open port:
192.5.5.92:4031 -----------NO FLAGS SET----------> 192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23

NULL scan directed at closed port:
192.5.5.92:4031 -----------NO FLAGS SET----------> 192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK------------- 192.5.5.110:23

Note:
• The NULL scan only works when the target's TCP/IP implementation follows RFC 793.
• The NULL scan will not work against any current version of Microsoft Windows.
• NULL scans directed at any Microsoft system will show all ports on the host as being closed.
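The SYN, XMAS, FIN and NULL probes of Steps 16 and 18 to 20 differ only in the TCP flags byte, and the Firewalk technique of Step 21 differs from an ordinary probe only in the IP TTL. The following added example (not part of the module, and not how Nmap or Firewalk are implemented internally) builds those raw IPv4+TCP probes by hand, including the pseudo-header checksum a stack will reject a segment without. Addresses and ports are the slide's 192.5.5.92:4031 -> 192.5.5.110:23; sending requires CAP_NET_RAW and is left in a function the demo does not call.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets for the probes in steps 16 and 18-20.
PROBES = {
    "syn": SYN,
    "xmas": FIN | PSH | URG,
    "fin": FIN,
    "null": 0,
}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header (no options) with the given flags and a valid checksum."""
    data_offset = 5 << 4                       # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload_len, ttl, ident=0x1234):
    """20-byte IPv4 header; `ttl` is the knob Firewalk turns (hops-to-gateway + 1)."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0, ttl,
                      socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_probe(kind, src_ip, dst_ip, sport, dport, ttl=64):
    """Whole IPv4+TCP datagram for one of the PROBES."""
    tcp = build_tcp(src_ip, dst_ip, sport, dport, PROBES[kind])
    return build_ipv4(src_ip, dst_ip, len(tcp), ttl) + tcp


def tcp_flags(packet):
    """Flags byte of a packet with a 20-byte IP header."""
    return packet[20 + 13]


def verify_tcp_checksum(packet):
    """Summing pseudo-header + segment with the checksum field in place yields 0."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, socket.IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def send_probe(packet, dst_ip):
    """Put the datagram on the wire. Needs root/CAP_NET_RAW; IPPROTO_RAW implies
    IP_HDRINCL on Linux, so the kernel sends our header as-is. Not used by the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.sendto(packet, (dst_ip, 0))
    s.close()


if __name__ == "__main__":
    for kind in PROBES:
        p = build_probe(kind, "192.5.5.92", "192.5.5.110", 4031, 23)
        print("%-5s flags=0x%02x len=%d tcp-checksum-ok=%s" % (kind, tcp_flags(p), len(p), verify_tcp_checksum(p)))
```

Reading the answers is the other half: RST back means closed for the XMAS/FIN/NULL probes, silence means open or filtered (an RFC 793 stack) or, against Windows, tells you nothing. For the Firewalk use, set ttl to one more than the gateway's hop count from Step 4 and vary dport: an ICMP Time Exceeded from the hop behind the gateway means the access list let that port through, silence means it was dropped.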
Use Fragmentation Scanning and Examine the Response

Instead of just sending the probe packet, you break it into a couple of small IP fragments.

You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing.

The Nmap -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets (8 bytes of TCP data per fragment; --mtu sets a larger multiple of 8). A stateful firewall or IDS that reassembles fragments before inspecting them is not fooled by this.
Step 21: Firewalk on the Router's Gateway and Guess the Access-List

Firewalk is an active reconnaissance network security tool that attempts to determine which layer 4 protocols and ports a given IP forwarding device will pass.

Firewalk works by sending out TCP or UDP packets with a TTL one greater than the hop count to the targeted gateway.

If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message.

If the gateway host does not allow the traffic, it is likely to drop the packets on the floor and we will see no response. Repeating this per destination port reconstructs the gateway's access list without ever completing a connection to a host behind it.
Step 22: Examine TCP Sequence Number Prediction

Use tools like nmap and predict the sequence numbers generated by the targeted server. This information can be used for session hijacking techniques.

C:\> nmapnt -O -p 130-140 10.0.0.1
Starting nmapNT V. 2.53 by [email protected]
eEye Digital Security ( http://www.eEye.com )
based on nmap by [email protected] ( www.insecure.org/nmap/ )
Interesting ports on baseman.xsecurity.com (10.0.0.1):
(The 9 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        unknown
139/tcp    open        unknown
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=14168 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release
Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
Step 23: Examine the Use of Standard and Non-Standard Protocols

The use of new protocols has an important impact on intrusion detection tools.

The IDSes must support each protocol to identify signs of misuse or anomalous behaviour.

The appearance of new protocols affects NIDS (network-based IDS) tools.

Almost no NIDS products can decode IPv6.

Attackers can enable IPv6 tunneling within IPv4, blinding detection technologies.
Step 24: Examine IPID Sequence Number Prediction

Sequential IP ID numbers expose the number of packets sent by a host over a given period, because many stacks draw the ID of every outgoing datagram from one global counter.

This can be used to estimate web site traffic, determine when people log on, etc.

Large sites use load balancing equipment so that a single address maps to a small farm of servers.

By noting the IP ID values you can determine how many machines are behind the load balancer and which one you are connected with.

Hping2 IPID Example

For example, the "id" fields in the hping2 execution reveal that beta.search.microsoft.com is handled by two machines behind a load balancer (207.46.197.115): one stream of ids (57645, 57650, 57741, ...) comes back with SYN/ACK, a second (18574, 18587, 18588, ...) comes back with RST/ACK.

# hping2 -c 10 -i 1 -p 80 -S beta.search.microsoft.com.
HPING beta.search.microsoft.com. (eth0 207.46.197.115): S set, 40 headers + 0 data bytes
46 bytes from 207.46.197.115: flags=SA seq=0 ttl=56 id=57645 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=1 ttl=56 id=57650 win=16616 rtt=21.4 ms
46 bytes from 207.46.197.115: flags=RA seq=2 ttl=56 id=18574 win=0 rtt=21.3 ms
46 bytes from 207.46.197.115: flags=RA seq=3 ttl=56 id=18587 win=0 rtt=21.1 ms
46 bytes from 207.46.197.115: flags=RA seq=4 ttl=56 id=18588 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=5 ttl=56 id=57741 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=RA seq=6 ttl=56 id=18589 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=7 ttl=56 id=57742 win=16616 rtt=21.7 ms
46 bytes from 207.46.197.115: flags=SA seq=8 ttl=56 id=57743 win=16616 rtt=21.6 ms
46 bytes from 207.46.197.115: flags=SA seq=9 ttl=56 id=57744 win=16616 rtt=21.3 ms

--- beta.search.microsoft.com. hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 21.1/21.3/21.7 ms
Step 25: Examine the System Uptime of Target Server

Look for the following information:
• When was the last time the server rebooted?
• When was the last time the server crashed?
• When was the last time the server was under a DDoS attack?
• What is the uptime of the server?

Tools:
• Netcraft
• Uptime
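The slide does not say how the tools get the uptime. One method Netcraft and Nmap both use is the TCP timestamp option (RFC 7323): the TSval a host puts in its segments is a counter that started at boot, so two observations give its tick rate and the last value divided by that rate gives seconds since boot. The following is an added example of that calculation (not code from the module or from either tool), with the observations constructed for the demo and the set of "well-known" tick rates an assumption. Caveat: Linux kernels since 4.10 add a random per-connection offset to TSval, so against those the answer is meaningless; it still works against many older systems and appliances.

```python
# Constructed observations: (local capture time in seconds, TSval seen in the target's
# segment). Ten seconds apart the counter moved by 1000, i.e. a 100 Hz clock.
OBSERVATIONS = [
    (1_700_000_000.0, 300_000_000),
    (1_700_000_010.0, 300_001_000),
]

# Tick rates commonly used by kernels; the raw estimate is snapped to the nearest.
COMMON_HZ = (100, 250, 1000)


def parse_tsval(options):
    """Walk TCP option bytes (kind[, len, data]) and return TSval from kind 8, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:           # malformed; stop rather than loop forever
            break
        if kind == 8 and length == 10:
            return int.from_bytes(options[i + 2:i + 6], "big")
        i += length
    return None


def estimate_tick_hz(observations):
    """Counter increments per second between first and last observation, snapped to COMMON_HZ."""
    (t0, ts0), (t1, ts1) = observations[0], observations[-1]
    if t1 <= t0:
        raise ValueError("observations must be increasing in time")
    raw = ((ts1 - ts0) % 2**32) / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw))


def estimate_uptime_seconds(observations):
    """Returns (uptime_seconds, tick_hz) from the last TSval and the estimated rate."""
    hz = estimate_tick_hz(observations)
    _, ts_last = observations[-1]
    return ts_last / hz, hz


def format_uptime(seconds):
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    return "%dd %dh %dm" % (days, hours, rem // 60)


if __name__ == "__main__":
    secs, hz = estimate_uptime_seconds(OBSERVATIONS)
    print("clock %d Hz, uptime %s" % (hz, format_uptime(secs)))
```

A sanity check before reporting the number: an uptime longer than the target's advertised OS release date, or one that jumps between connections, means the host randomizes TSval and the figure should be discarded.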
Step 26: Examine Operating System Used for Different Targets

Use banner grabbing techniques to identify the remote OS.

Look out for honey pots, packet crafters, and banner fakers.

Tools:
• Nmap
• Telnet
• Nc
• Netcraft
• OS fingerprinting tool
Step 27: Examine the Applied Patch to the Operating System

List the dates for patches applied to the server.

Look for the version number, OS level, and the date.

Tools:
• Netcraft
Step 28: Locate DNS Record of the Domain and Attempt DNS Hijacking

Locate the domain vendor responsible for the DNS of the target server.

Guess passwords and attempt to log on.
Step 29: Download Applications From the Company's Website and Reverse Engineer the Binary Code

Download program executables from the remote website:
• Java programs
• Exe programs
• Flash programs

Reverse engineer the binary code.

Look for:
• Programmer's name
• Comments
• Sensitive information
• Programming style

Tools:
• IDA Pro
• Java Engineer
• FlashSaver
• REC Decompiler
Step 30: List Programming Languages Used and Application Software to Create Various Programs From the Target Server

Check for in-house developed applications.

Check for commercial applications.

Identify the programming languages used by the web application:
• AppleScript
• AWK
• C
• C++
• C#
• COBOL
• Java
• JavaScript
• J++
• J#
• Perl
• PHP
• PowerBuilder
• Python
• Ruby
• Tcl
• VBScript
• Visual Basic
Step 31: Look for Error and Custom Web Pages

Try various URL strings and look for strange messages thrown by the server.

Example:
• http://www.xsecurity.com/slkdjfslkdfj
• http://www.xsecurity.com/sdkfjsdlf.asp
• http://www.xsecurity.com/global.asa
• http://www.xsecurity.com/sdlfkj.aspx
• http://www.xsecurity.com/sdfsdf/php?
• http://www.xsecurity.com/login?
Step 32: Guess Different Sub Domain Names and Analyze Responses

Web servers sometimes operate under different sub-domain names.

They are not published and are used for internal purposes only.

Guess the sub-domain names.

Example, for xsecurity.com:
• sales.xsecurity.com
• marketing.xsecurity.com
• internal.xsecurity.com
• intranet.xsecurity.com
• devl.xsecurity.com
• test.xsecurity.com
• backup.xsecurity.com
• partner.xsecurity.com
• beta.xsecurity.com
• secret.xsecurity.com
• preview.xsecurity.com
• temp.xsecurity.com
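The trap in sub-domain guessing is a wildcard record: if *.xsecurity.com resolves, every guess "succeeds" and the list means nothing. The following added example (not part of the module) runs the slide's word list through a resolver, first resolving a random label to learn the wildcard answer, then discarding guesses that only return that answer, and finally groups surviving names by address so virtual hosts on one box can be probed together. The resolver is injectable; the demo uses a constructed fake zone for xsecurity.com so it runs offline, and system_resolve is what you would pass for a real engagement.

```python
import random
import socket
import string
from collections import defaultdict

# The slide's candidate labels, plus www as a control.
WORDS = ["www", "sales", "marketing", "internal", "intranet", "devl", "test",
         "backup", "partner", "beta", "secret", "preview", "temp"]


def system_resolve(name):
    """Real resolver: sorted A records via the system stub resolver, or None if it fails."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return None


def random_label(n=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def guess_subdomains(domain, words=WORDS, resolve=system_resolve):
    """Return (hits, wildcard_ips). A hit is (fqdn, [ips]); names whose addresses are all
    the wildcard's are dropped because they prove nothing about the target."""
    wildcard_ips = set(resolve("%s.%s" % (random_label(), domain)) or [])
    hits = []
    for w in words:
        fqdn = "%s.%s" % (w, domain)
        ips = resolve(fqdn)
        if not ips or set(ips) <= wildcard_ips:
            continue
        hits.append((fqdn, ips))
    return hits, sorted(wildcard_ips)


def group_by_address(hits):
    """Names sharing an address are probably vhosts on one host: probe them together."""
    groups = defaultdict(list)
    for fqdn, ips in hits:
        for ip in ips:
            groups[ip].append(fqdn)
    return dict(groups)


# Constructed zone for the offline demo (documentation addresses from RFC 5737).
FAKE_ZONE = {
    "www.xsecurity.com": ["203.0.113.10"],
    "intranet.xsecurity.com": ["203.0.113.20"],
    "devl.xsecurity.com": ["203.0.113.20"],
    "test.xsecurity.com": ["203.0.113.30"],
}
WILDCARD_ANSWER = ["203.0.113.99"]   # what *.xsecurity.com returns


def fake_resolve(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".xsecurity.com"):
        return WILDCARD_ANSWER
    return None


def demo():
    return guess_subdomains("xsecurity.com", resolve=fake_resolve)


if __name__ == "__main__":
    hits, wildcard = demo()
    print("wildcard answer:", wildcard or "none")
    for ip, names in sorted(group_by_address(hits).items()):
        print(ip, "->", ", ".join(names))
```

The filter has a known blind spot: a real host that happens to share the wildcard's address is discarded too. When the wildcard points at the main web server, compare HTTP responses (the "analyze different responses" part of this step) rather than relying on DNS alone.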
Step 33: Examine the Session Variables

Session hijacking, grabbing someone's URL and stealing their session, is one of the biggest security concerns.

Try to alter session strings in the URL.

Example (the classic phf CGI flaw, where an encoded newline, %0a, in the query string lets the caller append a shell command):
• http://example.com/cgi-bin/phf?%0aid==haqr==_phone=
• http://example.com/cgi-bin/phf?%0als%20-la%20%7Esomeuser==haqr==_phone=
• http://example.com/cgi-bin/phf?%0acp%20/etc/passwd%20%7Esomeuser/passwd%0A==haqr==_phone=
• http://example.com/~someuser/passwd
• http://example.com/cgi-bin/phf?%0arm%20%7Esomeuser/passwd==haqr==_phone=
Step 34: Examine Cookies Generated by the Server

Cookies offer a way to check the identity of the user: ColdFusion, for example, stores CFID and CFTOKEN in client-side cookies and uses that pair to uniquely identify the user.

Log on to the web application as a normal user.

Select YES if the site offers "Keep me logged on this computer".

A cookie will be downloaded to your computer.

Examine the cookie:
• Whether it is encrypted
• Expiry date
• Content stored
Step 35: Examine the Access Controls Used by the Web Application

Look for login pages and identify the authentication used by the web server:
• Form authentication
• Windows authentication
• Biometric authentication
• Secret question authentication
• Session based authentication
• Digital certificates
• Microsoft single sign-on
Step 36: Brute Force URL Injections and Session TokensInjections and Session Tokens
Some web applications embed user IDs and other sensitive information into aURL, typically as parameters in the query component of the URL (the fields that
f h ? b l i URL)occur after the ? symbol in a URL).
Inject strings into the URL of a page and examine the response.
Inject into the following fields:
• Sessions
• Forms
• User ID
• Login
• Access
Step 37: Check for Directory Consistency and Page Naming Syntax of the Web Pages
A well-designed web application will have the following:
• Logical directory.
• Files named based on naming conventions.
• Repository for images, PDFs, and other documents.
• Repository for sensitive information.
• Structured links and pages.
• Site outline.
Step 37: Check for Directory Consistency and Page Naming Syntax of the Web Pages (cont’d)
Step 38: Look for Sensitive Information in Web Page Source Code
HTML source might reveal the following information:
• Web authors.
• Developer information.
• User comments.
• Login information.
• Temp variables.
• Revision numbers.
• Project deadline.
• Dates.
Step 39: Attempt URL Encodings on the Web Pages
Try to access the website using various URL encodings.
The server might send a different response when accessed using URL encodings.
Step 40: Try Buffer Overflow Attempts in Input Fields
Input large amounts of data into the form and examine the response.
Servers sometimes behave differently when large amounts of data are sent to the form.
Tools:
• NTOMax at www.foundstone.com
• Hailstorm (www.cenzic.com)
Look for Invalid Ranges in Input Fields
A web developer may decide to use some of the built-in validation capabilities of a client-side language (such as HTML, JavaScript, or VBScript) to ensure that an input value is no longer (or shorter) than expected.
Try a random selection of input values or a large range of numbers, using testing techniques such as equivalence partitioning and boundary value analysis.
Attempt Escape Character Injection
Some operating systems will execute system-level commands if they are embedded in an application's data input stream.
This can occur when the system command is hidden in input data that is prefixed by special control (escape) characters, such as $$.
The application may permit the command to escape up to the process that is currently running the application.
The receiving process then attempts to execute the system command using its own system privileges.
Testing tools:
• APS (www.stratum8.com)
• G-Server (www.gilian.com)
• iBroker SecureWeb (www.elitesecureweb.com)
• URLScan (www.microsoft.com)
Step 41: Try Cross Site Scripting (XSS) Techniques
Modify the script and send the page to the server.
Examine various responses generated by the server.
Look for weakness in scripts:
• JavaScript
• VBScript
Step 42: Record and Replay the Traffic to the Target Web Server and Note the Response
Record and playback browser sessions.
Recording browser sessions allows you to automate web site logins, and any other web task that you perform with your computer.
A recording session will record everything you do, including keystrokes, scrolling, link clicks etc., and can then replay the entire session at any time with the click of a button.
Look for anomalies.
Tools:
• CruiseControl
• Webload (www.radview.com)
• e-Test Suite (www.empirix.com)
Step 43: Try Various SQL Injection Techniques
Attempt SQL injection techniques in the following:
• Form fields.
• Directly in URL.
• Login screens.
• Feedback forms.
• Guestbook.
Try the following:
• ' or 1=1--
• " or 1=1--
• or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
• ") or ("a"="a
Step 44: Examine Hidden Fields
Hidden fields in web pages could reveal the following information:
• Price.
• Username.
• Password.
• Session.
• URL characters.
• Special instructions.
• Encryption used.
• Web page behaviors.
Examine Server Side Includes (SSI)
Server Side Includes (SSI) are placeholders (or markers) in an HTML document that the web server will dynamically replace with data just before sending the requested document to a browser:
• <HTML>
• <HEAD><TITLE>Show SSI at work</TITLE></HEAD>
• <BODY>
• <P>Lots of really Interesting stuff to read</P>
• <!--#Include file = "copywrite.Inc"-->
• </BODY>
• </HTML>
Examine Server Side Includes (SSI) (cont’d)
The danger with an include command comes when an intruder is able to manipulate a web page into including a file that would otherwise not be available.
For example, if an intruder is able to gain write access to a directory on a Unix web server (possibly a .temp directory that didn't have any sensitive information stored in it and was therefore not locked down), the intruder could upload a .shtml web page containing the following include statement:
• <!--- #exec cmd="/bin/cat /etc/passwd" --->
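An added example (not EC-Council's code) that finds SSI directives in page content and grades them from the defender's side, so the include and #exec cases above are spotted in a content review before the pages are served. The regex is deliberately looser than Apache's own parser so that it also catches the three-dash form shown above; the sample pages and severity labels are constructed.

```python
import re

# Lenient SSI directive matcher: <!--#command param="value" ... -->
DIRECTIVE = re.compile(
    r'<!-{2,}\s*#\s*(?P<cmd>\w+)(?P<params>(?:\s*\w+\s*=\s*"[^"]*")*)\s*-{2,}>',
    re.IGNORECASE)
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed sample pages; the first two directives are the ones shown above.
SAMPLE_PAGES = {
    "index.shtml": '<HTML><BODY><P>Lots of really Interesting stuff to read</P>'
                   '<!--#Include file = "copywrite.Inc"--></BODY></HTML>',
    "upload.shtml": '<!--- #exec cmd="/bin/cat /etc/passwd" --->',
    "nav.shtml": '<!--#include virtual="../../etc/shadow" -->'
                 '<!--#echo var="DATE_LOCAL" -->',
}


def parse_ssi(html):
    """Return every SSI directive in a page as (command, {param: value})."""
    found = []
    for m in DIRECTIVE.finditer(html):
        params = {k.lower(): v for k, v in PARAM.findall(m.group("params"))}
        found.append((m.group("cmd").lower(), params))
    return found


def classify(cmd, params):
    """Severity of one directive from a defender's point of view."""
    if cmd == "exec":
        return "critical"   # runs cmd= or cgi= with the web server's privileges
    if cmd == "include":
        target = params.get("file") or params.get("virtual") or ""
        if ".." in target or target.startswith("/"):
            return "high"   # reaches outside the document tree
        return "info"
    return "info"           # echo, config, fsize, flastmod, set, printenv


def audit(pages=SAMPLE_PAGES):
    """Map page name -> list of (command, params, severity)."""
    return {name: [(cmd, params, classify(cmd, params))
                   for cmd, params in parse_ssi(html)]
            for name, html in pages.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(name, hits)
```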
Step 45: Examine E-commerce and Payment Gateways Handled by the Web Server
Look out for the following information:
• In-house built e-commerce gateway
• Outsourced e-commerce gateway
• Program logic
• How payments are handled
• Check for confirmation emails
• Minimum order amount
• Account and merchant ID
Step 46: Examine Welcome Messages, Error Messages, and Debug Messages
Document the following information:
• Web application welcome message
• Web application error messages
• Web application intrusion warning messages
• Web application debugging messages
• Web application site maintenance messages
Step 47: Probe the Service by SMTP Mail Bouncing
An SMTP mail bounce indicates that the user does not exist on that server.
Bounced mail carries information about the SMTP server such as server name, version, and various services running on the server.
Step 48: Grab the Banner of HTTP Servers
httprint is a web server fingerprinting tool which captures the banner of HTTP servers.
It identifies HTTP web servers even when the banner string has been changed.
Step 49: Grab the Banner of SMTP Servers
GNIT NT vulnerability scanner captures the banner message from an SMTP server.
Install the following:
• perl Makefile.PL
• make
• make test
• make install
Required libraries:
• Class::Accessor::Fast
Step 50: Grab the Banner of POP3 Servers
GNIT NT vulnerability scanner captures the banner of POP3 servers.
Step 51: Grab the Banner of FTP Servers
Use netcat to banner grab an FTP server.
Step 52: Identify the Web Extensions Used at the Server
GNIT NT vulnerability scanner determines the web extensions at the server.
The scanner displays web server type and version.
It scans for 84 known vulnerable URL structures (easily modified).
Step 53: Try to Use HTTPS Tunnel to Encapsulate Traffic
Install the GNU freeware tunneling software ‘HTTPTunnel’.
Encapsulate all P2P traffic as HTTP and forward it to the corporate network's default gateway over Port 80.
Traffic takes the reverse path and appears as a legitimate web request.
Step 54: OS Fingerprint Target Servers
Identifies OS using only ICMP packets.
Tools for OS fingerprinting:
• NetScanTools Pro
• nmap
Step 55: Check for ICMP Responses (Type 3, Port Unreachable)
SYN scan is the default and most popular scan option for good reasons.
It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls.
The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
Step 56: Check for ICMP Responses (Type 8, Echo Request)
The Echo request is an ICMP message that sends a packet of data to the host and expects that data to be sent in return in an Echo reply.
The host must respond to all Echo requests with an Echo reply containing the exact data received in the request message.
Step 57: Check for ICMP Responses (Type 13, Timestamp Request)
SYN scan is the default and most popular scan option for good reasons.
It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls.
The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
Use the following nmap command:
• nmap -sS -p X x.x.x.x
Step 58: Check for ICMP Responses (Type 15, Information Request)
Enables a host to learn the network part of an IP address on its subnet by sending a message with the source address in the IP header filled and all zeros in the destination address field.
Step 59: Check for ICMP Responses (Type 17, Subnet Address Mask Request)
Requests for the correct subnet mask to be used.
Step 60: Check for ICMP Responses from Broadcast Address
Specifies the broadcast address in use on the client's subnet.
Check for a broadcast IP address by setting the net and subnet (if used) fields to all 1s and check if the address is all 1s.
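Steps 55 to 60 list ICMP message types by number; this added example (not from the module) builds and parses those messages with the RFC 792 header layout and the RFC 1071 checksum, so that captured replies can be decoded and a tampered or truncated one rejected. The identifier, sequence number and payloads are constructed.

```python
import struct

# ICMP message types named in Steps 55-60 (numbers from RFC 792).
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 8: "echo request",
    13: "timestamp request", 14: "timestamp reply",
    15: "information request", 16: "information reply",
    17: "address mask request", 18: "address mask reply",
}
# Type 3 codes on which nmap marks the probed port "filtered" (Step 55).
FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code=0, ident=0, seq=0, payload=b""):
    """8-byte header (type, code, checksum, identifier, sequence) plus payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(packet):
    """Verify the checksum and describe the message the way a tester would log it."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if checksum(packet) != 0:  # a packet with a valid checksum sums to zero
        raise ValueError("bad checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    body = packet[8:]
    info = {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "other"),
            "code": code, "id": ident, "seq": seq, "data": body}
    if icmp_type in (13, 14) and len(body) >= 12:     # Step 57: three timestamps
        info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", body[:12])
    elif icmp_type in (17, 18) and len(body) >= 4:    # Step 59: subnet mask
        info["mask"] = ".".join(str(b) for b in body[:4])
    elif icmp_type == 3:                              # Step 55: unreachable code
        info["port_filtered"] = code in FILTERED_CODES
    return info


if __name__ == "__main__":
    probe = build_icmp(8, ident=0x1234, seq=1, payload=b"ping-data")
    print(probe.hex())
    print(parse_icmp(probe))
```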
Step 61: Port Scan DNS Servers (TCP/UDP 53)
Use Nmap to scan for DNS servers on TCP/UDP port 53.
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
UDP scan works by sending an empty (no data) UDP header to every targeted port.
Step 62: Port Scan TFTP Servers (Port 69)
By default, the TFTP server listens on UDP Port 69.
PortQry is a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues.
This utility reports the port status of target TCP and User Datagram Protocol (UDP) ports on a local computer or on a remote computer.
Type a command that is similar to the following command:
portqry -n myserver.example.com -p udp -e 69
You receive the following output:
Step 63: Test for NTP Ports (Port 123)(Port 123)
Use nmap to scan for NTP ports.
By default, NTP listens on port 123.
Use the following command to find the NTP service on the network:
nmap -sU -p 123 x.x.x.x
Step 64: Test for SNMP Ports (Port 161)
By default, SNMP listens on Ports 161 and 162.
Use nmap to locate the SNMP service on the network.
Use the following command to find the SNMP service on the network:
• nmap -sU -p 161 x.x.x.x
• nmap -sU -p 162 x.x.x.x
Step 65: Test for Telnet Ports (Port 23)
Use nmap to scan for Telnet ports.
By default, Telnet listens on port 23.
Step 66: Test for LDAP Ports (Port 389)
PortQry version 1.22 is a TCP/IP connectivity testing utility that is included with the Microsoft Windows Server 2003 support tools.
PortQry can send an LDAP query by using both TCP and UDP and interpret an LDAP server's response to that query correctly.
PortQry parses, formats, and then returns the response from the LDAP server to the user.
For example, type the following command:
portqry -n myserver -p udp -e 389
LDAP Query Response
Step 67: Test for NetBIOS Ports (Ports 135-139, 445)
The default ports used by NetBIOS service are 135, 136, 137, 138, 139, and 445.
Use nmap to scan for open NetBIOS ports.
You can also use NAT (NetBIOS Auditing Tool) for checking open NetBIOS ports.
Step 68: Test for SQL Server Ports (Ports 1433, 1434)
By default, SQL Server listens on ports 1433 and 1434.
Use a network scanner to identify open SQL Server ports.
Step 69: Test for Citrix Ports (Port 1495)
By default, Citrix listens on Port 1495.
Scan for the service using a network port scanner.
Step 70: Test for Oracle Ports (Port 1521)
1521 is the typical port number used by Oracle.
Oracle uses port 1521 for networking services.
Use a port scanner such as Nmap to scan services on port 1521.
Step 71: Test for NFS Ports (Port 2049)
Use the RPC scan of nmap to discover NFS ports.
By default, NFS listens on port 2049.
Use the following command to detect the NFS port:
• nmap -v -sR -p 2049 x.x.x.x
Step 72: Test for Compaq, HP Insight Manager Ports (Port 2301, 2381)
Port 2301 is used for the Compaq Insight Management Web Agents.
Port 2381 is also known as the Compaq-https port.
Step 73: Test for Remote Desktop Ports (Port 3389)
Port 3389 is typically blocked to enhance network security.
Remote Desktop connections use port 3389.
Use a network port scanner to scan for port 3389.
Use the following command in nmap to detect the remote desktop service:
• nmap -sT -p 3389 X.X.X.X
Step 74: Test for Sybase Ports (Port 5000)
By default, Sybase listens on port 5000.
Use a network scanner to detect the service.
For nmap, use the following command:
• nmap -sT -p 5000 x.x.x.x
Step 75: Test for SIP Ports (Port 5060)
SIP can be regarded as the enabler protocol for telephony and voice over IP (VoIP) services.
By default, SIP listens on port 5060.
Run a port scan on the network to find whether any VoIP service is running.
Step 76: Test for VNC Ports (Port 5900/5800)
VNC works on Port 5900 by default.
The Java Viewer works on Port 5800.
Scan for these default ports using a network scanner.
Step 77: Test for X11 Ports (Port 6000)
By default, the X server listens on port 6000 for incoming connections.
Scan for port 6000 using nmap.
Step 78: Test for JetDirect Ports (Port 9100)
Test for JetDirect ports (Port 9100) by using the Nmap tool.
HP printers use this port for the JetDirect protocol.
Step 79: Port Scan FTP Data (Port 20)
In PORT mode, the FTP server always sends data from TCP port 20.
Use nmap to scan the network for open FTP ports.
Step 80: Port Scan Web Servers (Port 80)
Determines TCP and UDP ports that use port 80 for transporting HTTP data from a web server.
Step 81: Port Scan SSL Servers (Port 443)
Scan with the nmap scanner:
• The -sV scan option is able to identify SSL services.
• nmap -F -sV x.x.x.x
Step 82: Port Scan Kerberos-Active Directory (Port TCP/UDP 88)
Kerberos-Active Directory uses port 88 as its default port.
Port scan the network for services listening on port 88.
Step 83: Port Scan SSH Servers (Port 22)
By default, SSH servers listen on port 22.
Use nmap to identify the service:
• nmap -sS -p 22 x.x.x.x
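Steps 61 to 83 probe one default port at a time; this added example (not the module's code) reads nmap's grepable (-oG) output for a whole range of hosts and sorts every open port into sanctioned, known-but-unexpected (matching one of the defaults named in those steps) and unknown, which is the triage a defender does with the same scan results. The scan text, the hosts and the allowlist are constructed.

```python
import re

# Default ports from Steps 61-83 (port -> service the step names).
DEFAULT_PORTS = {
    53: "DNS", 69: "TFTP", 123: "NTP", 161: "SNMP", 162: "SNMP trap", 23: "Telnet",
    389: "LDAP", 445: "NetBIOS/SMB", 1433: "SQL Server", 1434: "SQL Server",
    1495: "Citrix", 1521: "Oracle", 2049: "NFS", 2301: "Compaq Insight Manager",
    2381: "Compaq Insight Manager (https)", 3389: "Remote Desktop", 5000: "Sybase",
    5060: "SIP", 5900: "VNC", 5800: "VNC Java viewer", 6000: "X11", 9100: "JetDirect",
    20: "FTP data", 80: "HTTP", 443: "HTTPS", 88: "Kerberos", 22: "SSH",
}
DEFAULT_PORTS.update({p: "NetBIOS" for p in range(135, 140)})

# Constructed sample of nmap grepable output (-oG); not a real scan.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 80/open/tcp//http///, 161/open|filtered/udp//snmp///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (995)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///, 8443/open/tcp//https-alt///, 23/closed/tcp//telnet///\tIgnored State: filtered (996)
# Nmap done (constructed sample)
"""

HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\([^)]*\)\s+Ports:\s+(?P<ports>.*?)"
                       r"(?:\s+Ignored State:.*)?$")


def parse_grepable(text):
    """Return (ip, port, proto, state, service) for every port entry in -oG output.

    Each entry is port/state/protocol/owner/service/rpc-info/version/ ."""
    rows = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            rows.append((m.group("ip"), int(fields[0]), fields[2], fields[1], fields[4]))
    return rows


def triage(scan_text, allowed=frozenset({22, 80, 443})):
    """Sort open ports into allowed, known-but-unexpected and unknown buckets.

    UDP 'open|filtered' is kept: the empty-header probe of Step 61 cannot tell
    an open port from a silently dropped one, so it still needs a follow-up."""
    report = {"allowed": [], "unexpected": [], "unknown": []}
    for ip, port, proto, state, service in parse_grepable(scan_text):
        if not state.startswith("open"):
            continue
        label = "%s %d/%s (%s)" % (ip, port, proto, service or "?")
        if port in allowed:
            report["allowed"].append(label)
        elif port in DEFAULT_PORTS:
            report["unexpected"].append(label + " looks like " + DEFAULT_PORTS[port])
        else:
            report["unknown"].append(label)
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_SCAN).items():
        print(bucket, items)
```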
Summary
We have reviewed the various steps involved in external penetration testing.
We have scanned for default ports of various services.