Stealth Scanning Strategies
Risk = Discovery By The Target.
Camouflage tool signatures to avoid detection.
Hide attack in legitimate traffic.
Modify the attack to hide its source and the type of traffic it generates.
Make attack invisible using non-standard traffic types & encryption.
Adjust Source IP Stack & Tool ID - STEALTH 1
Disable Unnecessary Services (so the scanning host does not announce itself on the target network):
chkconfig dhcpd off (SysV form; on a systemd host use systemctl disable --now for the service)
Turn off IPv6 unless the engagement needs it. These are /etc/sysctl.conf entries, applied with sysctl -p:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Tools often tag packets with an ID sequence, banner or User-Agent that can trigger an IDS signature. Test tools against VMs and review the target's system logs for the tool's name. Use Wireshark
to capture the traffic, then search the pcaps for keywords attributed to the testing tool.
Set Metasploit UserAgent to Google Indexing Spider
set UserAgent Googlebot/2.1 (+http://www.google.com/bot.html)
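Added example, not code from the page or from any tool it names: a small shell script that implements the "search the capture for the tool's name" check above. It assumes tshark has already dumped source address and User-Agent per HTTP request to a text file; the signature list holds real default User-Agent fragments of the named tools, and the sample file is constructed.

```shell
#!/usr/bin/env sh
# Added example, not code from the page: flag scanner self-identification in captured HTTP.
# Assumed input (one line per request: source IP, User-Agent), produced with e.g.
#   tshark -r lab.pcap -Y http.request -T fields -e ip.src -e http.user_agent > agents.txt
# Real default User-Agent fragments: nmap's NSE http library, sqlmap, Nikto and masscan
# all announce themselves unless told otherwise (NSE: --script-args http.useragent="...").
TOOL_SIGNATURES='Nmap Scripting Engine|sqlmap/|Nikto/|masscan/|python-requests/|Go-http-client/|curl/|Wget/'

find_tool_signatures() {      # print every request whose User-Agent matches; exit 1 if none
  grep -E -i "$TOOL_SIGNATURES" "$1"
}

count_tool_signatures() {     # how many requests matched
  grep -E -i -c "$TOOL_SIGNATURES" "$1"
}

make_sample_agents() {        # constructed sample: two browsers, three scanners
  cat > "$1" <<'EOF'
10.0.0.20  Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
10.0.0.21  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36
10.0.0.30  Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
10.0.0.30  sqlmap/1.7.2#stable (https://sqlmap.org)
10.0.0.30  Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)
EOF
}

if [ "${1:-}" = demo ]; then  # ./script demo -> prints the three flagged lines and "3 flagged"
  f=$(mktemp); make_sample_agents "$f"
  find_tool_signatures "$f"; echo "$(count_tool_signatures "$f") flagged"; rm -f "$f"
fi
```

Run the same grep over the target-side web logs of your test VM: if your tool shows up there, an IDS rule will see it too, and the fix is to set the tool's User-Agent (as the Metasploit and NSE examples do), not to hope nobody reads the log.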
Modify Packet Parameters - STEALTH 2
Identify the goal before scanning and send the minimum number of packets.
Avoid scans that connect with the target system and leak data.
Do not ping the target; synchronize (SYN) scans and nonconventional packet scans, such as acknowledge (ACK), finished (FIN), and reset (RST) packets, are also exactly what IDS scan-detection signatures look for.
Randomize / spoof packet settings: source IP, port address, MAC address.
Adjust timing (nmap -T0/-T1, --scan-delay) to slow the arrival of packets at the target.
Change packet size by fragmenting packets or appending random data to confuse packet inspection devices.
Fragmentation, decoys and source spoofing use raw sockets, so nmap must be run as root.
nmap firewall/IDS evasion reference: http://nmap.org/book/man-bypass-firewalls-ids.html
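Added example, not from the page: the STEALTH 2 points composed into one nmap command line, beside the loud scan used later in the Zenmap section for contrast. Every option is a real nmap flag; the function names, default port list and decoy count are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example, not from the page: the STEALTH 2 points composed into one nmap
# command line, beside the loud scan for contrast. Every option is a real nmap flag;
# the function names, default port list and decoy count are this example's choices.
# -f, -D, -S and --spoof-mac need raw sockets, so the scan itself must run as root.

build_stealth_scan() {
  target=$1; ports=${2:-22,80,443}; decoys=${3:-5}
  cmd="nmap"
  cmd="$cmd -sS"                 # half-open SYN scan: the handshake is never completed
  cmd="$cmd -Pn"                 # no host-discovery ping of the target first
  cmd="$cmd -n"                  # no reverse DNS lookups
  cmd="$cmd -f"                  # fragment probes to confuse simple packet inspection
  cmd="$cmd --data-length 24"    # append random bytes so sizes do not match nmap's defaults
  cmd="$cmd -D RND:$decoys"      # mix the real source among random decoy addresses
  cmd="$cmd --randomize-hosts"   # scan targets in random order
  cmd="$cmd -T1"                 # "sneaky" timing: slow the arrival of packets at the target
  cmd="$cmd --max-retries 1"     # send the minimum number of packets
  cmd="$cmd -p $ports $target"   # only the ports the goal needs, never -p-
  printf '%s\n' "$cmd"
}

# The loud form from the Zenmap section: -A adds OS/version detection, default
# scripts and traceroute, -p- touches all 65535 ports and -T5 sends as fast as it can.
build_noisy_scan() {
  printf 'nmap -sSV -A -p- -T5 %s\n' "$1"
}

run_stealth_scan() {             # execute it (root check first): run_stealth_scan HOST [PORTS] [DECOYS]
  [ "$(id -u)" -eq 0 ] || { echo 'root required for -f and -D (raw sockets)' >&2; return 1; }
  eval "$(build_stealth_scan "$@")"
}

if [ "${1:-}" = show ]; then     # ./script show HOST prints both command lines without running them
  build_stealth_scan "${2:-192.168.56.101}"; build_noisy_scan "${2:-192.168.56.101}"
fi
```

Two caveats the flags do not make obvious: with -D your real address is still one of the sources the target logs (decoys only dilute it), and fully spoofing it with -S or --spoof-mac means replies never reach you unless you sniff for them; and a SYN scan, however slow, is still a port scan that an IDS can count, so the minimum-packets rule (-p with a short list, --max-retries 1) matters more than any single evasion flag.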
Anonymity (Tor & Privoxy) - STEALTH 3
Onion routing enables online anonymity by encrypting user traffic and then transmitting it through a series of onion routers. At each router one layer of encryption is removed to obtain the next hop, and the message is forwarded to the next node.
apt-get install tor
service tor start
service tor status
Invoke Tor Routing with Proxychains: in /etc/proxychains.conf point the proxy list at the local Tor SOCKS port (one word, socks5) and keep proxy_dns enabled so hostname lookups go through Tor as well:
socks5 127.0.0.1 9050
Verify Source IP:
proxychains iceweasel www.whatismyip.com
Whois lookup the IP to confirm Tor is active.
Tor Verify https://check.torproject.org
DNS Leak Test www.dnsleaktest.com
Caveats:
Owners of exit nodes can sniff traffic and may be able to access credentials sent in the clear.
Vulnerabilities in the Tor Browser Bundle can be used by law enforcement to exploit systems.
ProxyChains does not handle UDP.
Some applications will not run - Metasploit, Nmap... A stealth SYN scan uses raw sockets rather than the connect() calls proxychains hooks, so it breaks out of proxychains and can leak your real address to the target.
Browser applications can leak your IP (ActiveX, PDF, Flash, Java, RealPlayer, QuickTime).
Clear & block cookies before browsing.
Allows you to control how frequently the Tor IP is refreshed
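Added example, not the page's own steps: a checked version of the Tor setup above, confirming that the proxychains config is right and that both traffic and DNS leave through Tor. check.torproject.org/api/ip is the Tor Project's JSON endpoint (it answers with an IsTor flag and the exit IP); the function names, the config check and the sample responses are this example's assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the page's own steps: check the proxychains config and confirm
# that both traffic and DNS leave through Tor. check.torproject.org/api/ip is the Tor
# Project's JSON endpoint (fields IsTor and IP); the function names, the config check
# and the sample responses are this example's assumptions.

PROXYCHAINS_CONF=${PROXYCHAINS_CONF:-/etc/proxychains.conf}   # proxychains4 reads /etc/proxychains4.conf

# The proxy entry is one word, "socks5 127.0.0.1 9050". proxy_dns must also be on,
# or hostname lookups go to the local resolver (a DNS leak) even though TCP is tunnelled.
proxychains_conf_ok() {
  conf=${1:-$PROXYCHAINS_CONF}
  grep -Eq '^[[:space:]]*proxy_dns' "$conf" &&
  grep -Eq '^[[:space:]]*socks5[[:space:]]+127\.0\.0\.1[[:space:]]+9050' "$conf"
}

is_tor_response() {            # 0 only when the API says "IsTor":true
  printf '%s' "$1" | grep -Eq '"IsTor"[[:space:]]*:[[:space:]]*true'
}

exit_ip_of() {                 # the exit node address reported in "IP":"..."
  printf '%s' "$1" | sed -nE 's/.*"IP"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p'
}

tor_live_check() {             # --socks5-hostname hands the hostname to Tor, so DNS resolves inside the circuit
  resp=$(curl -s --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip) || return 2
  if is_tor_response "$resp"; then
    echo "Tor OK, exit IP $(exit_ip_of "$resp")"
  else
    echo "NOT via Tor: $resp" >&2; return 1
  fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then    # RUN_LIVE=1 ./script performs the real check
  proxychains_conf_ok || echo "warning: $PROXYCHAINS_CONF lacks proxy_dns or the socks5 line" >&2
  tor_live_check
fi
```

Run the live check before every session, not once: Tor can be up while the SOCKS port is not listening, and an application that was started before the service (or that opens UDP) will go direct without any error.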
Zenmap - STEP 1
The Official Nmap Security Scanner GUI.
Use this as an entry point, then use nmap scans to gather additional data.
Pair it with an open source intelligence and forensics application for visualizing relationships among data, using data mining and link analysis.
Identifying Network Infrastructure
Tracing the route to the target provides basic information on packet filtering abilities.
A load balancer detector uses two DNS- and HTTP-based techniques to detect load balancers.
A UPnP scanner identifies Universal Plug and Play (UPnP) devices.
nmap detects devices and determines the operating systems and their version. The example below is the loud form: -A enables OS and version detection, default scripts and traceroute, -p- scans all ports and -T5 is the fastest timing template, so do not use it where discovery is a risk.
nmap -sSV -A -p- -T5 192.168.56.101
An Internet-wide device search engine identifies devices connected to the Internet, including those with default passwords, known misconfigurations, and vulnerabilities, without you sending a packet to the target.
Live Host Discovery
Run ping sweeps against a target address space and look for responses that indicate a particular target is live (TCP, UDP, ICMP or ARP probes).
alive6, detect-new-ip6 - IPv6 host detection. detect-new-ip6 runs from a script on a schedule and reports new IPv6 devices as they are added.
nmap, dnmap, PBNJ - nmap is the standard network enumeration tool. dnmap is a distributed client-server implementation of the nmap scanner. PBNJ stores nmap results in a database, then runs historical analyses to identify new hosts.
fping, hping2, hping3, nping - packet crafters that probe targets in various ways to identify live hosts.
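Added example, not from the page: one nmap sweep that tries ARP, ICMP, TCP SYN and UDP probes together, a quieter single-probe variant, and an awk filter that pulls the live hosts out of nmap's grepable output. The flags are real nmap options; the sample output is constructed, not a capture.

```shell
#!/usr/bin/env sh
# Added example, not from the page: one nmap sweep that tries ARP, ICMP, TCP SYN and
# UDP probes, plus an awk filter for the live hosts in grepable output. The flags are
# real nmap options; the sample output is constructed, not a capture.

sweep() {            # host discovery only (-sn), all probe types, grepable output on stdout
  # -PR  ARP: local segment only, but answered even when ICMP and TCP are filtered
  # -PE  ICMP echo (the classic ping)
  # -PS  TCP SYN to 80,443: gets through firewalls that drop ICMP
  # -PU  UDP to 53: a closed port answers ICMP port-unreachable, proving the host is up
  nmap -sn -n -PR -PE -PS80,443 -PU53 -oG - "$1"
}

quiet_sweep() {      # low-profile variant: one TCP probe to 443, sneaky timing, no retries
  nmap -sn -n -PS443 -T1 --max-retries 1 -oG - "$1"
}

live_hosts() {       # stdin: grepable output; stdout: one address per host reported Up
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

live_count() { live_hosts | awk 'END { print NR }'; }

# Constructed sample of "nmap -sn -n -v -oG -" output (Down lines appear only with -v).
SAMPLE_GREPABLE='# Nmap 7.94 scan initiated as: nmap -sn -n -v -oG - 192.168.56.0/24
Host: 192.168.56.1 ()   Status: Up
Host: 192.168.56.101 () Status: Up
Host: 192.168.56.102 () Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.45 seconds'

if [ "${1:-}" = demo ]; then                        # ./script demo -> 192.168.56.1, 192.168.56.101
  printf '%s\n' "$SAMPLE_GREPABLE" | live_hosts
fi
```

Usage on a real network is `sweep 192.168.56.0/24 | live_hosts > targets.txt` as root (ARP and raw ICMP need it). ARP is the probe to prefer when you are on the same segment: a host cannot filter it and still talk to its gateway, so it finds boxes that drop every ICMP and TCP probe.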
Determining Active Services
Identify default ports and services with netcat, nmap or telnet.
Review Default Web Pages: Some applications install with default administration, error, or other pages.
Review Responses and Source Code: Poorly configured web-based applications may answer certain HTTP requests, such as HEAD or OPTIONS, with a response that includes the web server software version and possibly the base operating system or the scripting environment in use.
Fingerprinting the OS
Active: The attacker sends normal and malformed packets to the target and records its response pattern (fingerprint), which is compared against a signature database to determine the OS (nmap -O).
Passive: The attacker sniffs, or records and analyses, the packet stream to determine the characteristics of the packets, sending nothing to the target (p0f).
xprobe2 uses different TCP, UDP and ICMP packets to bypass firewalls and avoid detection by IDS / IPS systems.
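Added example, not from the page and not how p0f or nmap -O work internally: a minimal passive fingerprint guess from the TTL that tcpdump already prints, reporting the SYN window alongside for comparison with real signatures. The default initial TTLs (64 for Linux/BSD/macOS, 128 for Windows, 255 for Cisco IOS/Solaris) are well known; the OS labels and the sample tcpdump line are this example's assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the page and not how p0f or nmap -O work internally: a
# minimal passive guess from the TTL and SYN window that tcpdump already prints.
# Default initial TTLs are well known (64 Linux/BSD/macOS, 128 Windows, 255 Cisco
# IOS/Solaris); the labels and the sample line below are this example's assumptions.

initial_ttl() {      # observed TTL was decremented once per hop: round up to the nearest default
  if   [ "$1" -le 64 ];  then echo 64
  elif [ "$1" -le 128 ]; then echo 128
  else                        echo 255
  fi
}

hops_away() { echo $(( $(initial_ttl "$1") - $1 )); }

guess_os() {         # $1 = observed TTL
  case "$(initial_ttl "$1")" in
    64)  echo "Linux/Unix-like" ;;
    128) echo "Windows-like" ;;
    *)   echo "network device / Solaris-like" ;;
  esac
}

# Capture inbound SYNs with: tcpdump -nn -v 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# (-v splits each packet over two lines; join them, e.g. with paste - -, before parsing).
fingerprint_line() { # $1 = one joined tcpdump -v line
  ttl=$(printf '%s' "$1" | sed -nE 's/.*ttl ([0-9]+).*/\1/p')
  win=$(printf '%s' "$1" | sed -nE 's/.*win ([0-9]+).*/\1/p')
  printf '%s (initial ttl %s, ~%s hops, SYN window %s)\n' \
    "$(guess_os "$ttl")" "$(initial_ttl "$ttl")" "$(hops_away "$ttl")" "$win"
}

# Constructed sample (documentation addresses), already joined onto one line.
SAMPLE_SYN='IP (tos 0x0, ttl 57, id 4211, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.9.44812 > 10.0.0.1.80: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,nop,wscale 7], length 0'

if [ "${1:-}" = demo ]; then
  fingerprint_line "$SAMPLE_SYN"   # -> Linux/Unix-like (initial ttl 64, ~7 hops, SYN window 64240)
fi
```

The point of the passive route is that nothing is sent: the target sees only the traffic it was going to see anyway. The TTL rule is coarse (a NAT or load balancer in front of the host resets it), which is why p0f also keys on window size, TCP options and their order; treat this as a triage hint, not a result.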
Nmap Scripting Engine (NSE)
NSE scripts are written in Lua (not Python); nmap --script-help <script> shows what a script does and the script-args it accepts, and --script-args sets them.
A Python-based reconnaissance framework adds modules, with commands that show information on how a module works, list the options that can be set, and set those options:
Gather contact data (whois, jigsaw, linkedin, twitter) (use the mangle module to extract and present e-mail data)
Identify geographical locations of hosts and individuals using hostop, ipinfodb, maxmind, uniapple, wigle
Identify host information using netcraft and related modules
Identify account and password information that has previously been compromised and leaked onto the Internet (the pwnedlist modules, wascompanyhacked, xssed, and punkspider)
Vulnerability scanners are loud and easily detected.
Usually signature based, so they can only detect known vulnerabilities with recognition signatures.
False positive rates can be as high as 70%, so results must be verified by hand.
Network Scanning Watch List: devices known to fail when scanned, www.digininja.org
Scanning may breach laws in some countries.
In Kali, found in Vulnerability Analysis submenu and Web Vulnerability Scanners menu.
OpenVAS (Open Vulnerability Assessment System)