Ethical Hacking Pen Testing, Purpose and Penetration testing tools

Fingerprinting in ethical hacking is the process of determining which operating system is running on a remote host.

Fingerprinting can be Active or Passive.

  • Active Fingerprinting – Specially crafted packets are sent to the target computer, and its responses are recorded and analysed to determine the OS. This is the more accurate method, but the probes are visible to the target and to any IDS in front of it.
  • Passive Fingerprinting – The OS is inferred from packets the target sends anyway, captured with a sniffer such as Wireshark. Nothing is sent to the target, so the scan cannot be detected, but there is less to work with.

Important elements to determine the operating system

  • TTL – The Time-To-Live value the operating system sets on outbound packets (commonly 64 for Linux, 128 for Windows and 255 for many network devices; each router hop decrements it by one, so the observed value is the default minus the hop count).
  • Window Size – The initial TCP window size the operating system advertises.
  • DF – Whether the operating system sets the Don't Fragment bit.
  • TOS – Whether the operating system sets the Type of Service field, and if so, to what value.

Comparing these four fields of a packet against a table of known signatures identifies the remote operating system. The result is not 100% accurate: it works better for some operating systems than for others, and a firewall, NAT device or load balancer in the path may rewrite these fields before the packet reaches the sniffer.
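To make the four-field comparison concrete, the following is an added example (not code from the original page) of a small passive fingerprinter. It parses the IPv4 and TCP headers of a captured SYN, rounds the observed TTL up to the nearest common default to estimate the hop count, and matches TTL, window size and DF against a signature table. The signature table, the sample packets and the helper that fabricates them are assumptions constructed for this example; real tools such as p0f carry hundreds of signatures.

```python
import struct

# Illustrative signature table for this example (an assumption, not any real
# tool's database): (label, initial TTL, typical SYN window sizes, DF bit set).
SIGNATURES = [
    ("Linux (2.6+)", 64, {5840, 14600, 29200, 64240}, True),
    ("Windows (7 and later)", 128, {8192, 64240, 65535}, True),
]


def build_ipv4_tcp_syn(ttl, window, df, tos, src="10.0.0.5", dst="10.0.0.9"):
    """Fabricate a minimal IPv4 header + TCP SYN header (no options, checksums 0).

    Only used to construct sample packets; real input would come from a sniffer.
    """
    ver_ihl = (4 << 4) | 5                      # IPv4, 20-byte header
    flags_frag = 0x4000 if df else 0            # DF is bit 14 of flags/fragment
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 40, 0x1234, flags_frag,
                         ttl, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    # src port, dst port, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr


def extract_features(packet):
    """Pull TTL, window size, DF and TOS out of a raw IPv4/TCP packet."""
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length in bytes
    tcp = packet[ihl:]
    return {
        "ttl": ttl,
        "window": struct.unpack("!H", tcp[14:16])[0],
        "df": bool(flags_frag & 0x4000),
        "tos": tos,
        "syn": bool(tcp[13] & 0x02) and not (tcp[13] & 0x10),  # SYN without ACK
    }


def guess_initial_ttl(ttl):
    """The observed TTL is the OS default minus the hop count; round up to the
    nearest common default (64, 128, 255)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def fingerprint(packet):
    """Passively fingerprint one captured SYN: features, hop estimate, OS guess."""
    f = extract_features(packet)
    f["initial_ttl"] = guess_initial_ttl(f["ttl"])
    f["hops"] = f["initial_ttl"] - f["ttl"]
    f["guess"] = "unknown"
    if f["syn"]:   # only the first SYN carries the OS's default window size
        for label, initial, windows, df in SIGNATURES:
            if f["initial_ttl"] == initial and f["window"] in windows and f["df"] == df:
                f["guess"] = label
                break
    return f


if __name__ == "__main__":
    # Constructed samples: a Linux-like SYN 7 hops away, a Windows-like SYN 12 hops
    # away, and a packet that matches nothing in the table.
    for pkt in (build_ipv4_tcp_syn(57, 29200, True, 0),
                build_ipv4_tcp_syn(116, 8192, True, 0),
                build_ipv4_tcp_syn(200, 1234, False, 0x10)):
        print(fingerprint(pkt))
```

The hop estimate is what makes the TTL usable at all: a captured TTL of 57 says "Linux, about seven hops away", not "an OS whose default is 57". Anything that matches no signature is reported as unknown rather than forced into the nearest row.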

Basic Steps

First gather details about the operating system hosting a website. Then look for vulnerabilities in that OS version that could be used against the target system.

Below is a simple nmap command that identifies the operating system of a website and the open ports associated with its domain name, i.e. its IP address. -O requests OS detection and -v verbose output; OS detection sends raw packets, so nmap must be run as root for it.

$nmap -O -v wisdomjobs.com 

The following information about the given domain name or IP address appears. Note how this run ends: nmap prints a raw TCP/IP fingerprint rather than an "OS details:" line, which means the probe responses did not match any signature in its database, so no OS could be named.

Starting Nmap 5.51 ( https://nmap.org ) at 2015-10-04 09:57 CDT
Initiating Parallel DNS resolution of 1 host. at 09:57
Completed Parallel DNS resolution of 1 host. at 09:57, 0.00s elapsed
Initiating SYN Stealth Scan at 09:57
Scanning wisdomjobs.com (66.135.33.172) [1000 ports]
Discovered open port 22/tcp on 66.135.33.172
Discovered open port 3306/tcp on 66.135.33.172
Discovered open port 80/tcp on 66.135.33.172
Discovered open port 443/tcp on 66.135.33.172
Completed SYN Stealth Scan at 09:57, 0.04s elapsed (1000 total ports)
Initiating OS detection (try #1) against wisdomjobs.com (66.135.33.172)
Retrying OS detection (try #2) against wisdomjobs.com (66.135.33.172)
Retrying OS detection (try #3) against wisdomjobs.com (66.135.33.172)
Retrying OS detection (try #4) against wisdomjobs.com (66.135.33.172)
Retrying OS detection (try #5) against wisdomjobs.com (66.135.33.172)
Nmap scan report for wisdomjobs.com (66.135.33.172)
Host is up (0.000038s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=10/4%OT=22%CT=1%CU=40379%PV=N%DS=0%DC=L%G=Y%TM=56113E6D%P=
OS:x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFF
OS:D7ST11NW7%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF
OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)
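When a scan like the one above is part of a larger assessment, its output is usually parsed rather than read. The following is an added example (not code from the original page) that parses nmap's normal output into the open ports and, importantly, the OS detection outcome, distinguishing a confirmed "OS details:" match from a guess and from the unmatched raw fingerprint shown above. The sample input is a trimmed copy of the run above; the second sample with an "OS details:" line is constructed for the example.

```python
import re

# Sample input: the nmap run shown above, trimmed to the lines the parser needs
# (taken from the page's output; the fingerprint lines are abbreviated).
SAMPLE_OUTPUT = """\
Starting Nmap 5.51 ( https://nmap.org ) at 2015-10-04 09:57 CDT
Discovered open port 22/tcp on 66.135.33.172
Nmap scan report for wisdomjobs.com (66.135.33.172)
Host is up (0.000038s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=10/4%OT=22%CT=1%CU=40379%PV=N%DS=0%DC=L%G=Y%TM=56113E6D%P=
OS:x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")
REPORT_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")


def parse_nmap_output(text):
    """Parse nmap normal output into host, ports and OS detection status.

    os_status is one of: "not attempted" (no -O, or nothing printed),
    "matched" (an "OS details:" line), "guessed" (only "Aggressive OS guesses:"),
    or "unmatched" (raw TCP/IP fingerprint printed, no match in the database).
    """
    result = {"host": None, "ip": None, "ports": {}, "os": None,
              "os_status": "not attempted", "not_shown": None}
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            result["host"] = m.group(1)
            result["ip"] = m.group(2) or m.group(1)   # no parentheses when scanning an IP
            continue
        m = PORT_LINE.match(line)
        if m:
            result["ports"][(int(m.group(1)), m.group(2))] = {
                "state": m.group(3), "service": m.group(4)}
            continue
        if line.startswith("OS details:"):
            result["os"] = line.split(":", 1)[1].strip()
            result["os_status"] = "matched"
        elif line.startswith(("Aggressive OS guesses:", "OS guesses:")):
            result["os"] = line.split(":", 1)[1].strip()
            result["os_status"] = "guessed"
        elif line.startswith("TCP/IP fingerprint:") and result["os_status"] == "not attempted":
            result["os_status"] = "unmatched"          # nmap printed the raw fingerprint only
        elif line.startswith("Not shown:"):
            result["not_shown"] = line.split(":", 1)[1].strip()
    return result


def open_ports(result, proto="tcp"):
    """Sorted list of open port numbers for one protocol."""
    return sorted(p for (p, pr), info in result["ports"].items()
                  if pr == proto and info["state"] == "open")


if __name__ == "__main__":
    r = parse_nmap_output(SAMPLE_OUTPUT)
    print(r["host"], r["ip"], open_ports(r), r["os_status"])
```

Treating "unmatched" and "guessed" differently from "matched" matters in the next step: choosing exploits for an OS that nmap only guessed wastes time and generates noise, so a non-match is a signal to fingerprint by other means (banners, passive capture) before going further.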

On a Red Hat-based Linux system nmap can be installed with yum:

$yum install nmap 

Quick Fix

The real server can be placed behind a VPN or a reverse proxy so that a scanner only reaches, and fingerprints, the front end; the identity and operating system of the system that actually hosts the application stay hidden.

Port Scanning

The same nmap scan also lists the ports that are open on the given server:

PORT       STATE   SERVICE
22/tcp     open    ssh
80/tcp     open    http
443/tcp    open    https
3306/tcp   open    mysql

The following command checks whether a particular port is open (-sT performs a full TCP connect scan, which needs no root privileges; -p selects the port):

$nmap -sT -p 443 wisdomjobs.com 

The output result appears as:

Starting Nmap 5.51 ( https://nmap.org ) at 2015-10-04 10:19 CDT
Nmap scan report for wisdomjobs.com (66.135.33.172) 
Host is up (0.000067s latency). 
PORT    STATE SERVICE 
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Knowing which ports are open tells an attacker which services are exposed and therefore which attack techniques to plan against each of them.
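What nmap -sT does for one port is a plain TCP three-way handshake, and the three states it reports come from how that handshake ends. The following is an added example (not code from the original page) of a concurrent connect scan that maps the connect() result to open, closed or filtered. So that it runs offline, it starts a throwaway listener on 127.0.0.1 to serve as the open port and picks a freshly released ephemeral port as the closed one; both are constructed for the example.

```python
import errno
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_local_listener(host="127.0.0.1"):
    """Open a throwaway TCP service on an ephemeral port so the scan has a
    known open port. Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # server socket closed: stop serving
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_tcp_port(host, port, timeout=0.5):
    """Connect-scan one port, mirroring nmap's states: open (handshake
    completed), closed (RST, i.e. connection refused), filtered (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except OSError:              # e.g. timeout surfaced as an exception
            return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"                # timed out or unreachable: something dropped it


def service_name(port, proto="tcp"):
    """Best-effort service name from the local services database."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def connect_scan(host, ports, workers=32, timeout=0.5):
    """Scan many ports concurrently; returns {port: (state, service)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp_port(host, p, timeout), ports))
    return {p: (st, service_name(p)) for p, st in sorted(zip(ports, states))}


def demo():
    """Scan one open and one closed port on localhost; returns (open, closed, results)."""
    srv, open_port = start_local_listener()
    # A port that is (almost certainly) closed: bind to 0, read the number, release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The "filtered" branch is the one worth remembering on the defensive side: a DROP rule makes the probe time out, while a REJECT rule or no rule at all answers with a RST and tells the scanner the host is there. A connect scan also completes the handshake, so every probe lands in the target service's logs, which is why nmap defaults to the half-open -sS scan when it has raw-socket privileges.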

  • Quick Fix - To reduce the attack surface, audit the listening services and close or firewall every port that is not needed from the outside. In the example above, 3306/tcp (MySQL) is reachable from the internet; a database port should normally be restricted to the application hosts that use it.

Ping Sweep

A ping sweep, also known as an ICMP sweep, is a network scanning technique that probes every address in a range of IP addresses to find which ones belong to live hosts.

The fping command is commonly used for ping sweeps. Like ping, fping sends an Internet Control Message Protocol (ICMP) echo request to each host and treats an echo reply as proof that the host is up.

fping differs from ping in that any number of hosts can be given on the command line, or a file containing the list of hosts can be supplied. A host that does not respond within the configured time limit and/or retry limit is reported as unreachable.

  • Quick Fix - Ping sweeps can be blunted by dropping ICMP echo requests that arrive from outside sources. The following iptables rule does this for incoming traffic. Note that the rule belongs in the INPUT chain: a rule in the OUTPUT chain would only stop the host itself from pinging others and would not affect sweeps at all. Also note that blocking ICMP does not make a host invisible; a scanner can still find it with TCP probes (for example nmap -Pn), so this slows an attacker down rather than stopping reconnaissance.
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
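The mechanics fping relies on, the ICMP echo request, its RFC 1071 checksum and the retry rule for declaring a host unreachable, are shown in the following added example (not code from the original page or from fping). Sending real ICMP needs a raw socket and root, so the network here is a constructed stand-in: a function that answers for some addresses, drops the first probe to one of them, and replies to another with the wrong identifier. The packet builder and parser are the same ones a real sender would use; only the transport is faked.

```python
import ipaddress
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by ICMP (and IP, TCP, UDP)."""
    if len(data) % 2:
        data += b"\x00"                            # pad odd length for 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                             # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(kind, ident, seq, payload=b"fping-style probe"):
    """ICMP header: type, code, checksum, identifier, sequence; then payload."""
    header = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + payload


def parse_icmp_echo_reply(packet, ident):
    """Return the sequence number if packet is a valid echo reply addressed to
    our identifier, else None (bad checksum, wrong type, someone else's ping)."""
    if len(packet) < 8 or inet_checksum(packet) != 0:   # a correct packet sums to zero
        return None
    kind, code, _csum, pkt_ident, seq = struct.unpack("!BBHHH", packet[:8])
    if kind != ICMP_ECHO_REPLY or code != 0 or pkt_ident != ident:
        return None
    return seq


def sweep_targets(cidr):
    """Host addresses of a range (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def ping_sweep(cidr, send_and_receive, ident=0x1234, retries=2):
    """Probe every host in cidr. send_and_receive(ip, request_bytes) returns the
    reply bytes or None on timeout. A host is alive on the first valid reply and
    unreachable after `retries` silent (or invalid) attempts."""
    alive = []
    for seq, ip in enumerate(sweep_targets(cidr), start=1):
        for _attempt in range(retries):
            reply = send_and_receive(ip, build_icmp_echo(ICMP_ECHO_REQUEST, ident, seq))
            if reply is not None and parse_icmp_echo_reply(reply, ident) == seq:
                alive.append(ip)
                break
    return alive


def make_fake_network(live_hosts, flaky=(), spoofed=()):
    """Constructed stand-in for the wire (an assumption for this example):
    live_hosts answer, flaky ones drop the first probe, spoofed ones answer
    with a foreign identifier, everything else stays silent."""
    attempts = {}

    def send_and_receive(ip, request):
        _kind, _code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
        attempts[ip] = attempts.get(ip, 0) + 1
        if ip in spoofed:
            return build_icmp_echo(ICMP_ECHO_REPLY, ident ^ 0xFFFF, seq, request[8:])
        if ip in flaky and attempts[ip] == 1:
            return None                            # first probe lost
        if ip in live_hosts:
            return build_icmp_echo(ICMP_ECHO_REPLY, ident, seq, request[8:])
        return None                                # silent: filtered or absent

    return send_and_receive


if __name__ == "__main__":
    net = make_fake_network(live_hosts={"10.0.0.2", "10.0.0.5"},
                            flaky={"10.0.0.5"}, spoofed={"10.0.0.3"})
    print(ping_sweep("10.0.0.0/29", net))
```

On a real network send_and_receive would wrap a socket.socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) with a receive timeout, which requires root; the builder, parser and sweep logic stay as they are. The identifier check is not decoration: on a busy host other processes' replies arrive on the same raw socket, and without it the sweep would report their targets as your own.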

DNS Enumeration

The Domain Name System (DNS) is like a map or an address book: it translates a name such as www.example.com into an IP address such as 192.111.1.120, and vice versa. DNS enumeration is the process of collecting those records for a target.

DNS enumeration locates all of an organization's DNS servers and the records they hold (hosts, mail servers, name servers and so on). This gives an attacker a great deal of information about the target before any attack begins.

The nslookup command is used to query DNS for a host's records and other host-related information (dig is a common alternative).


Quick Fix - Preventing DNS enumeration is a big challenge because there is no quick fix: public records exist precisely so that anyone on the internet can resolve them.

Sensitive information about the network and the organization leaks if DNS is not configured securely. In particular, an untrusted internet user may be able to perform a DNS zone transfer (AXFR) and download every record of the zone in one request; zone transfers should be allowed only from the secondary name servers that need them.
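The zone-transfer check is simple enough to show on the wire. The following is an added example (not code from the original page) that builds an AXFR query, parses a DNS response including compressed names, and decides from the first answer whether the server allowed the transfer: an accepted AXFR starts with the zone's SOA record, while a hardened server answers REFUSED. The two responses, the example.com zone contents and the 192.0.2.10 address are constructed for the example; only the function that talks TCP to a real server is not exercised offline.

```python
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_CNAME, QTYPE_SOA, QTYPE_AXFR = 1, 2, 5, 6, 252
RCODE_REFUSED = 5


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (uncompressed wire format)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(domain, qtype, txid=0x1234):
    """DNS header (id, flags=0, QDCOUNT=1) plus one question; AXFR needs no RD bit."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(domain) + struct.pack("!HH", qtype, 1))


def decode_name(msg, off):
    """Read a possibly compressed name at msg[off:]; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                      # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")   # malformed or malicious message
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse the header, skip the question section, decode the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == QTYPE_A:
            value = ".".join(str(b) for b in msg[rdata_off:off])
        elif rtype in (QTYPE_NS, QTYPE_CNAME, QTYPE_SOA):   # SOA: report MNAME only
            value, _ = decode_name(msg, rdata_off)
        else:
            value = msg[rdata_off:off].hex()
        records.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x0F, "records": records}


def zone_transfer_allowed(resp):
    """A transfer the server accepted begins with the zone's SOA record."""
    return resp["rcode"] == 0 and bool(resp["records"]) and resp["records"][0][1] == QTYPE_SOA


def axfr_first_message(server, domain, timeout=5):
    """Send the AXFR over TCP (2-byte length framing) and parse the first reply.
    Not run offline; a full transfer spans several messages and ends with a second SOA."""
    q = build_query(domain, QTYPE_AXFR)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (n,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                raise ConnectionError("short read")
            data += chunk
    return parse_response(data)


# Constructed responses (not real traffic): an open server and a hardened one.
def _rr(name, rtype, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

_PTR = b"\xC0\x0C"                                 # pointer to the question name at offset 12
_SOA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
        + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300))
OPEN_AXFR_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)   # QR|AA, NOERROR
    + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
    + _rr(_PTR, QTYPE_SOA, 3600, _SOA)
    + _rr(_PTR, QTYPE_NS, 3600, b"\x03ns1" + _PTR)
    + _rr(b"\x03www" + _PTR, QTYPE_A, 300, bytes([192, 0, 2, 10]))
    + _rr(_PTR, QTYPE_SOA, 3600, _SOA))
REFUSED_AXFR_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0)  # QR|AA, REFUSED
    + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1))
```

Run against every authoritative server for a zone, not just the first one listed: secondaries are often configured less carefully than the primary. The same pointer-loop guard that keeps decode_name from spinning on a malicious answer is the kind of check any DNS-parsing code exposed to untrusted servers needs.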