Active scanning is done by sending multiple requests and recording the responses, because passive scanners are limited to looking at existing traffic. They suffer in terms of overall completeness and accuracy. For example, a passive scanner can't detect an application that no one ever uses, and it can be fooled easily by a system intentionally spewing out misinformation and disinformation.

The tools seen on the slide are a few examples of active scanning tools. In this course, we will examine the NMAP and Nessus tools in detail.

Hping is an excellent command-line oriented TCP/IP packet assembler/analyser. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

So a subset of the stuff you can do using hping: Firewall Testing, Advanced Port Scanning, Network testing using different protocols, TOS, fragmentation, manual path MTU discovery, Advanced Traceroute under all the supported protocols, Remote OS fingerprinting, Remote uptime guessing, and don't forget TCP/IP stacks auditing. Hping can also be useful to students who are learning TCP/IP. Although it's a packet analyzer tool, it is widely used for DoS (Denial of Service) tests and attacks, to create IP-spoofed packets and send them to the target system.

Let's see how we can use the hping command to scan the network simply. Go to Kali and open a terminal screen. hping3 is embedded into Kali and defined in the path, so you can use it anywhere just by typing the name of the command, hping3. Type "hping3 -h" or "hping3 -help" to see the detailed usage of the hping3 command.

Let's look at a few parameters important for scanning mode. Under the "mode" title we have a scan mode, and the help shows a sample usage of the mode as well. We'll use "scan" or the "-8" parameter to use hping in scan mode. Under the TCP/UDP title, we have the parameters to set the flags of TCP or UDP packets. Well, you'll see the flags and their meaning in this course in the following lectures, so just see hping in action now. For example, -S (uppercase S) or the -syn parameter is used to set the SYN flag of TCP or UDP packets.

Let's prepare the hping command to make a network scan. The first parameter is "scan", to use hping in scan mode. Here we should say which ports we will scan. In this example, 0-500 means that the ports between 0 and 500 will be scanned. You can give a port range like this with a dash between the lower bound and the upper bound, or you can give the ports one by one separating them by a comma, or you can use a combination of these two. Now I want to set the SYN flag of the packet, because all TCP connections start with a SYN packet. Well, again, we'll show you how a TCP handshake is made later on in the following lectures. Here comes the IP address to scan. Hit enter to start the scan.

Here we have the responding ports, and the flags column says what the reply is. We sent SYN packets and got SYN-ACK packets; that means the ports are accessible and open to us.

Now let's make another scan. This time, I'll use -X (uppercase X) to make an Xmas scan. In this scan, the PUSH, URGENT and FIN flags are set in the packet, which is not seen in regular traffic. Since the packets they received are not valid packets, they dropped them and returned no response.

Although it's not the subject of our course, because it's a very common usage, I'd like to show you how to perform an IP-spoofed DoS (Denial of Service) attack using the hping tool. I'm going to attack my own server. First, I test if I can connect to the application. So open a terminal screen and ping the application: www.owaspbwa.com. OK, I have a connection to the application. Open a browser and visit the website. Here I click a few links to show the response time of the server. OK, it's really fast. It responds as soon as I click the links.

Now let's prepare the hping command to prepare a DoS attack. The first parameter of the command is "-flood". Let's run "hping3 --help" in another terminal screen to see the meanings of the parameters. The flood parameter is used to send packets as fast as possible. To make it a SYN flood attack, I set the SYN flag using the -S parameter. When I send a SYN packet, since it's a legitimate TCP handshake starter, the server will try to respond to all the packets at the start of the TCP communication. So the server will be very, very busy. -V is to open verbose mode; that means we'd like to see the results of sent packets. The next parameter is rand-source. This parameter will randomize the source IP addresses as if they are requested by different systems. So the attack is a distributed denial of service now, and since the IP addresses are random, the victim doesn't know about you. You have the target domain as the last parameter. Oh, by the way, the order of the parameters is not important.

It does start the attack because we're in flood mode. No replies are shown. Let's try to click a few links to see the response time of the server while it's under attack. Click a link. It's waiting, waiting. It's obviously slowed down. Maybe our request will time out. So this is how a simple denial of service attack is performed. I stop the flood by stopping the run of the command using the "ctrl + c" keys. As you see, in less than a minute, we sent more than 1 million SYN packets to the victim server. No packets were received because we randomised the source IP addresses of the packets. That means the responses were sent to different IP addresses. This is why we didn't receive any packets. Since I stopped sending packets, the server is now responding in good time again.

Now let's repeat the attack while Wireshark is running to see what is happening under the hood. Start Wireshark. Since we're using the eth0 interface of Kali, I double-click eth0 on the home screen to start listening to the traffic passing through the eth0 interface. There are still some packets in the queue because of our previous attack. I restart capturing by pressing the green button at the upper left corner of Wireshark to clean the screen before the second attack. Continue without saving. OK, Wireshark is running and clean. We're ready to repeat the attack. You can see the number of packets at the bottom of Wireshark. As you see, we sent hundreds of thousands of packets in seconds.