CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [25]
Network scanning
Network scanning is a procedure for identifying active hosts on a network, either to attack them or as a network security assessment. Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.
Vulnerability scanning
Vulnerability scanning is the process of proactively identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then, the vulnerability scanner identifies weaknesses or vulnerabilities in the operating system. During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.
An intrusion detection system (IDS) or a sophisticated network security professional with the proper tools can detect active port-scanning activity. Scanning tools probe TCP/IP ports looking for open ports and IP addresses, and these probes can be recognized by most security intrusion detection tools. Network and vulnerability scanning can usually be detected as well, because the scanner must interact with the target system over the network.
Understand the CEH Scanning Methodology
As a CEH, you're expected to be familiar with the scanning methodology presented in Figure 3.1. This methodology is the process by which a hacker scans the network. It ensures that no system or vulnerability is overlooked and that the hacker gathers all necessary information to perform an attack.
We'll look at the various stages of this scanning methodology throughout this book, starting with the first three steps (checking for systems that are live, checking for open ports, and service identification) in the following section.
On Windows systems, well-known port numbers are located in the C:\windows\system32\drivers\etc\services file. The services file is a hidden file. To view it, show hidden files in Windows Explorer, double-click the file, and open it with Notepad. The CEH exam expects you to know the well-known port numbers for common applications; familiarize yourself with the port numbers for FTP (21), Telnet (23), HTTP (80), SMTP (25), POP3 (110), and HTTPS (443).
FIGURE 3.1 CEH scanning methodology
Understand Ping Sweep Techniques
The CEH scanning methodology starts with checking for systems that are live on the network, meaning that they respond to probes or connection requests. The simplest, although not necessarily the most accurate, way to determine whether systems are live is to perform a ping sweep of the IP address range. All systems that respond with a ping reply are considered live on the network.
Internet Control Message Protocol (ICMP) scanning is the process of sending an ICMP request or ping to all hosts on the network to determine which ones are up and responding to pings. A benefit of ICMP scanning is that it can be run in parallel, meaning all systems are scanned at the same time; thus it can run quickly on an entire network. Most hacking tools include a ping-sweep option, which essentially means performing an ICMP request to every host on the network.
One considerable problem with this method is that personal firewall software and network-based firewalls can block a system from responding to ping sweeps. Another problem is that the computer must be on to be scanned.
Hacking Tools
Pinger, Friendly Pinger, and WS_Ping_Pro are all tools that perform ICMP queries. You should be familiar with all these tools for the exam.
Detecting Ping Sweeps
Almost any IDS or intrusion prevention system (IPS) will detect and alert the security administrator to a ping sweep occurring on the network. Most firewall and proxy servers block ping responses, so a hacker can't accurately determine whether systems are available using a ping sweep alone. More intense port scanning must be used if
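The detection logic an IDS applies to ping sweeps, as an added example that is not from the book or any of the tools it names: it parses constructed firewall log lines (a simplified, assumed format) and flags any source that sends ICMP echo requests to many distinct hosts inside a sliding time window, which is exactly the pattern a parallel sweep of an address range produces and ordinary monitoring pings do not.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
# Constructed sample log (not from the book). Simplified firewall format:
# "<ISO timestamp> ICMP type=<n> src=<ip> dst=<ip>"; ICMP type 8 = echo request.
SAMPLE_LOG = "\n".join(
    # one source probing twelve consecutive addresses within twelve seconds
    [f"2024-05-01T10:00:{i:02d} ICMP type=8 src=10.0.0.5 dst=10.0.1.{i}"
     for i in range(1, 13)]
    # a host pinging its gateway repeatedly: one destination, not a sweep
    + [f"2024-05-01T10:00:{i:02d} ICMP type=8 src=10.0.0.7 dst=10.0.0.1"
       for i in range(0, 30, 10)]
    # an echo reply (type 0) coming back; replies are not probes and are ignored
    + ["2024-05-01T10:00:05 ICMP type=0 src=10.0.1.3 dst=10.0.0.5"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) ICMP type=(?P<type>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "type": int(m["type"]),
            "src": m["src"], "dst": m["dst"]}


def detect_ping_sweeps(log_text, threshold=10, window_seconds=60):
    """Return {src: peak distinct destinations} for each source that sent echo
    requests to >= threshold distinct hosts inside any window_seconds window.
    Distinct destinations, not packet volume, are what mark a sweep."""
    echo_reqs = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["type"] == 8:  # echo requests only; replies are not probes
            echo_reqs[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = {}
    for src, events in echo_reqs.items():
        events.sort()
        window, seen = deque(), Counter()  # events in window; hits per destination
        for ts, dst in events:
            window.append((ts, dst))
            seen[dst] += 1
            while (ts - window[0][0]).total_seconds() > window_seconds:  # evict old
                _, old_dst = window.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            if len(seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts
```

On the sample log only 10.0.0.5 is reported (12 distinct hosts probed); the gateway pings and the echo reply never trigger an alert, and shrinking the window below the probe spacing suppresses the alert as well.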