Sunday, March 21, 2010

03 Back Pocket Scan

The FTP bounce attack and the idle scan both allow you to scan devices through a firewall while ignoring its rules and filters, because the probes do not come directly from the nmap station.

FTP Bounce Attack

What is a bounce attack?
The FTP bounce attack introduces a third workstation, an FTP server, that acts as a proxy between the nmap station and the remote device.

The FTP bounce attack would not be possible if the FTP server were not set to the transfer mode known as passive mode.

With FTP passive mode, FTP command connections are completely separate from FTP data connections.

The user name is anonymous.
The password is anonpass.
192.168.0.5 is the remote device.
-P0 tells nmap not to ping the remote device.

The FTP bounce attack hides the originating station. If we pinged the remote device there would be a way to trace a connection between our nmap station and the target device; with the ping disabled we remain hidden.

If nmap manages to log on to the FTP server successfully but you receive the following:

“Your ftp bounce server doesn't allow privileged ports, skipping them.”

it means the FTP server is configured not to send anything to ports 0-1024 except ports 20 and 21. This was an early way of preventing tools such as nmap from connecting to the ‘well known’ ports; 20 and 21 are mostly the only ports the server needs to connect to in order to send a file.

If the FTP bounce server does not allow itself to be used as a proxy at all, you will eventually get the message:

Your ftp bounce server sucks, it won't let us feed bogus ports!

Advantages
- Scanning through a firewall is easy.
- Standard FTP is used; nothing special is required.

Disadvantages
- It is difficult to find an older, insecure FTP server that still allows this; newer FTP servers provide built-in protection by default.
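The two refusals quoted above are the visible side of a check the FTP server makes before it opens a data connection on a client's behalf. The following is an added example of that check, written for this page; it is not nmap's code and not any particular FTP server's implementation. It assumes the client supplies the data-connection address in the RFC 959 PORT command format (h1,h2,h3,h4,p1,p2); the reply codes 200/500/501 are the standard FTP ones, but the reply wording is my own.

```python
"""
Server-side validation of a client-supplied FTP data-connection address.
Added example (not from the post, not a real FTP server's code).
"""
import ipaddress

FTP_DATA_PORT = 20
FTP_CONTROL_PORT = 21
PRIVILEGED_LIMIT = 1024   # ports below this are the privileged range


def parse_port_command(arg):
    """Parse the h1,h2,h3,h4,p1,p2 argument of an RFC 959 PORT command.
    Returns (host, port); raises ValueError on malformed input."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT expects six comma-separated numbers")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must be 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_command(arg, control_peer_ip):
    """Decide whether to honour a PORT command sent by the client whose
    control connection comes from control_peer_ip.
    Returns (accepted, ftp_reply_line)."""
    try:
        host, port = parse_port_command(arg)
    except ValueError as e:
        return False, "501 Syntax error in parameters: %s" % e
    # Bounce prevention: the data connection must go back to the client
    # that asked for it, never to a third host.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, "500 Illegal PORT command: address does not match control connection"
    # The privileged-port rule the post describes: refuse ports below 1024
    # except the FTP data and control ports themselves.
    if port < PRIVILEGED_LIMIT and port not in (FTP_DATA_PORT, FTP_CONTROL_PORT):
        return False, "500 Illegal PORT command: privileged port refused"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    # Constructed inputs: the control connection is from 192.168.0.5.
    for arg in ("192,168,0,5,195,80", "192,168,0,9,195,80", "192,168,0,5,0,22"):
        print(arg, "->", check_port_command(arg, "192.168.0.5"))
```

A server that applies only the first check behaves like the one that "doesn't allow privileged ports"; one that applies the address check refuses every bounce attempt outright, which is what produces the "won't let us feed bogus ports" message.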

Idlescan
The idle scan is another method of scanning without direct communication with the target. It is more reliable than the outdated FTP bounce attack.

Before launching an idle scan, a zombie station must be identified. There are two requirements for this station: it must be idle, and it must provide consistent and predictable IP Identification (IPID) values. If the zombie station does not give predictable IPIDs, nmap will print a warning before the scan begins.

IP Identification Field
Each IP header includes a 2-byte field called the Identification field. Every frame transmitted from a device carries a unique identification number. These IPID values are important to the operation of the IP protocol: if an IP packet is larger than the network can handle, it is fragmented into smaller pieces, and each fragment then has special fields set that help the end station determine the number of fragments and the order of reassembly.

Even though the original frame is split into smaller pieces, all the fragments still carry the original IPID value.

In many operating systems the IPID increments for each transmitted frame, which means we can predict the IPID of many systems before the next frame appears. This is the behaviour an idle scan session needs.

However, not all operating systems are so predictable: some randomize their IPIDs for every frame, which makes them useless for an idle scan.
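The two zombie requirements above (idle, and a predictable IPID) can be checked from a handful of observed IPID values. The following is an added example of that check, written for this page rather than taken from nmap; it is useful from the defender's side as well, to audit whether hosts you administer expose a predictable counter. The sample sequences are constructed, and the busy_limit threshold is my own choice, not nmap's.

```python
"""
Classify a host's IP Identification (IPID) sequence as predictable or not.
Added example, not nmap's own code. The sample values are constructed; a
real check would read the IPID from the IP header of successive replies.
"""


def ipid_deltas(ipids):
    """Differences between successive IPIDs, modulo 2**16, so a wrap from
    65535 back to 0 still counts as an increment of 1."""
    return [(b - a) % 0x10000 for a, b in zip(ipids, ipids[1:])]


def classify_ipid(ipids, busy_limit=16):
    """Classify a sequence of IPIDs observed from one host.

    'incremental'          every delta is exactly 1: the predictable counter an
                           idle scan needs, and the host appears idle
    'incremental-busy'     deltas are small but not all 1: the counter does
                           increment, but the host sends other traffic in between
    'broken-little-endian' every delta is 256: a counter kept in swapped byte
                           order, still predictable
    'constant'             the IPID never changes (often always 0)
    'random'               anything else: not predictable
    busy_limit (my own threshold) caps what still counts as "small".
    """
    if len(ipids) < 3:
        raise ValueError("need at least three samples")
    if any(not 0 <= v <= 0xFFFF for v in ipids):
        raise ValueError("IPID is a 16-bit field")
    deltas = ipid_deltas(ipids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 256 for d in deltas):
        return "broken-little-endian"
    if all(1 <= d <= busy_limit for d in deltas):
        return "incremental-busy"
    return "random"


def is_predictable(ipids):
    """True when the host shows an idle, incrementing counter: the behaviour
    the post says a zombie must have. A busy host fails the 'idle' test."""
    return classify_ipid(ipids) in ("incremental", "broken-little-endian")


if __name__ == "__main__":
    # Constructed samples illustrating each class.
    for sample in ([100, 101, 102, 103], [65534, 65535, 0, 1],
                   [0, 256, 512, 768], [7, 7, 7],
                   [100, 103, 104, 109], [40123, 7, 61000, 2314]):
        print(sample, "->", classify_ipid(sample), "predictable:", is_predictable(sample))
```

From the defender's side, a host that comes back as "incremental" or "broken-little-endian" is one whose IPID could be abused as a zombie; randomized or constant IPIDs remove that possibility.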

Saturday, March 20, 2010

02 Scan for every occasion

Nmap includes fifteen separate scanning methods, and each scanning technique has its own characteristics, advantages, and disadvantages. Some of these scanning methods are simple to understand and execute, while others are more complex and require additional information before the scan can begin.

Nmap scan summary
This chart summarizes the nmap scans and compares their usability for privileged and unprivileged users. The chart also includes a summary of which scans identify TCP ports and which identify UDP ports.

TCP SYN Scan -sS
The TCP SYN scan uses a common method of port identification that allows nmap to gather information about open ports without completing the TCP handshake. When an open port is identified, the TCP handshake is reset before it can be completed.

TCP SYN Scan Operation
Most of the ports queried during the TCP SYN scan will probably be closed. A closed port responds to the TCP SYN frame with a RST frame from the destination station.

If nmap receives an acknowledgement (SYN/ACK) to a SYN request, the port is open. Nmap then sends a RST to reset the session, and the handshake is never completed.


Example
nmap -sS 192.168.3.126
The scan completed very quickly, in 3.790 seconds, which means we are very close to this device.

A packet capture taken during the scan shows the following.
Packet 2 arrived 0.042591 seconds after packet 1; it originated from 192.168.0.107 and was destined for 192.168.30.126. The TCP frame was a SYN, from TCP port 52719 to TCP port 22; the capture summary also includes the sequence number, length and MSS (Maximum Segment Size).

In the capture, the SYN packets are highlighted in yellow and the returned RSTs in red. The green packet shows that port 3389 is open on the remote device. Remember that the SYN scan never completes the 3-way handshake: packet 44 shows our nmap station sending a RST back to port 3389.

Advantages of the TCP SYN Scan
The TCP SYN scan never actually creates a TCP session, so it isn't logged by the destination host's applications.

When to use the TCP SYN scan
The SYN scan is the common choice when looking for open ports on a remote device, and its simple SYN methodology works against all operating systems.

TCP connect() scan -sT
The TCP connect() scan is helpful if you don't have root access on your system.
The TCP connect() scan completes the full 3-way handshake, because it relies entirely on the operating system's connect() call, which completes the handshake before the RST frame is sent.

If the TCP port is closed, the TCP connect() scan looks identical to the TCP SYN scan.

The TCP connect() scan is run like the TCP SYN scan:
nmap -sT 192.168.1.1

Disadvantages of the TCP connect() scan
The remote device will log the scan.

Ping Scan
Sometimes you just need to know whether a device is on the network, and the ping scan is the quickest way to find out. The ping scan requires only two frames: the source device sends an ICMP echo request, and the remote device sends an ICMP echo reply if it is on the network.

A ping scan of the local subnet uses ARP requests instead.
Example
nmap -sP 192.168.1.0/24

Scan a remote subnet
nmap -sP 68.35.218.1/24
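The SYN scan, connect() scan and ping scan sections above each leave a distinct trace on the wire: a SYN/ACK answered by a RST instead of an ACK (half-open, the SYN scan signature), a full handshake (what a connect() scan looks like and what the application logs), and one source sending echo requests to many hosts. The following detector over a constructed packet log is an added example written for this page, not nmap's code and not from the original post. The one-line log format (time, src:port, dst:port, TCP flags or ICMP type) is my own simplified notation, and the sample lines are constructed to mirror the capture described in the SYN scan example (source 192.168.0.107, target 192.168.30.126, port 3389 open).

```python
"""
Scan-signature detector over a constructed packet log.
Added example (not nmap's code, not from the original post).
"""
from collections import defaultdict

# Constructed sample: a SYN scan from 192.168.0.107 (22, 80, 443 closed; 3389
# open, half-open then reset), a normal full connection from 192.168.0.50,
# and an ICMP sweep of 192.168.1.0/24 by 192.168.0.107.
SAMPLE_LOG = """\
0.000000 192.168.0.107:52719 > 192.168.30.126:22 S
0.000310 192.168.30.126:22 > 192.168.0.107:52719 RA
0.000500 192.168.0.107:52719 > 192.168.30.126:80 S
0.000800 192.168.30.126:80 > 192.168.0.107:52719 RA
0.001000 192.168.0.107:52719 > 192.168.30.126:443 S
0.001300 192.168.30.126:443 > 192.168.0.107:52719 RA
0.001500 192.168.0.107:52719 > 192.168.30.126:3389 S
0.001900 192.168.30.126:3389 > 192.168.0.107:52719 SA
0.002000 192.168.0.107:52719 > 192.168.30.126:3389 R
0.500000 192.168.0.50:40000 > 192.168.30.126:3389 S
0.500300 192.168.30.126:3389 > 192.168.0.50:40000 SA
0.500600 192.168.0.50:40000 > 192.168.30.126:3389 A
1.000000 192.168.0.107 > 192.168.1.1 ICMP-echo-request
1.000100 192.168.0.107 > 192.168.1.2 ICMP-echo-request
1.000200 192.168.0.107 > 192.168.1.3 ICMP-echo-request
1.000300 192.168.1.3 > 192.168.0.107 ICMP-echo-reply
1.000400 192.168.0.107 > 192.168.1.4 ICMP-echo-request
"""


def parse_line(line):
    """Return (time, src_ip, src_port, dst_ip, dst_port, info); ports are None for ICMP."""
    t, src, _, dst, info = line.split()

    def split(endpoint):
        host, _, port = endpoint.partition(":")
        return host, (int(port) if port else None)

    sip, sp = split(src)
    dip, dp = split(dst)
    return float(t), sip, sp, dip, dp, info


def analyze(log, port_threshold=3, host_threshold=3):
    """Classify TCP sessions and flag sweeping sources.

    Returns a dict with:
      sessions    {(client, cport, server, sport): 'half-open'|'completed'|'closed'|'incomplete'}
      port_scans  {client: {server: sorted probed ports}} for clients over port_threshold
      host_sweeps {source: sorted hosts echo-requested} for sources over host_threshold
    """
    events = defaultdict(list)                       # session key -> [(side, flags)]
    ports_probed = defaultdict(lambda: defaultdict(set))
    echo_targets = defaultdict(set)
    for line in log.strip().splitlines():
        _, sip, sp, dip, dp, info = parse_line(line)
        if sp is None:                               # ICMP
            if info == "ICMP-echo-request":
                echo_targets[sip].add(dip)
            continue
        if info == "S":                              # client's SYN opens a session record
            events[(sip, sp, dip, dp)].append(("c", info))
            ports_probed[sip][dip].add(dp)
        elif (dip, dp, sip, sp) in events:           # server's reply
            events[(dip, dp, sip, sp)].append(("s", info))
        elif (sip, sp, dip, dp) in events:           # later client packet
            events[(sip, sp, dip, dp)].append(("c", info))
    sessions = {}
    for key, evs in events.items():
        flags = [side + f for side, f in evs]
        if "sRA" in flags:
            sessions[key] = "closed"                 # RST to our SYN: closed port
        elif "sSA" in flags and "cA" in flags:
            sessions[key] = "completed"              # full handshake: connect()-style
        elif "sSA" in flags and "cR" in flags:
            sessions[key] = "half-open"              # SYN/ACK answered by RST: SYN scan
        else:
            sessions[key] = "incomplete"
    port_scans = {c: {s: sorted(p) for s, p in by_srv.items() if len(p) >= port_threshold}
                  for c, by_srv in ports_probed.items()}
    port_scans = {c: v for c, v in port_scans.items() if v}
    host_sweeps = {s: sorted(h) for s, h in echo_targets.items() if len(h) >= host_threshold}
    return {"sessions": sessions, "port_scans": port_scans, "host_sweeps": host_sweeps}


if __name__ == "__main__":
    for section, value in analyze(SAMPLE_LOG).items():
        print(section, value)
```

The "half-open" label is the part an application log cannot give you, which is the SYN scan's advantage noted above: only something watching the packets (a network sensor, firewall log or capture) sees the SYN/ACK followed by a RST. The thresholds are deliberately low for the small sample; on real traffic they would be raised and combined with a time window.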

UDP Scan -sU
UDP is popular on the internet because of the streaming protocols used to communicate over it.
nmap -sU 192.168.1.0/24