
Ethical hacking: Stealthy network recon techniques complete Guide by Blackhat Pakistan 2023

In this article, we will discuss ethical hacking and some stealthy reconnaissance techniques that can be used during a hacking exercise. It is important to know which scan to use, especially when your scanning host is getting blacklisted or when the scan results are being filtered out.

Many hackers use tools like nmap without properly understanding what certain switches mean and why they should be turned on. We will not discuss nmap in this article; however, we will look at how it and some other scanners work, especially for stealth scanning.

Overview


Before we start attacking any system, we must first understand the type of system we are dealing with. Unfortunately, in order to properly probe a target, we use probing techniques that are largely noisy and non-stealthy. These will largely be captured by network devices such as firewalls, SIEMs and IDS devices.

The focus now becomes identifying targets without alarming system administrators or the Security Operations Center team. The techniques discussed below will either confuse the available defense mechanisms or make it more difficult to detect activity from our attacking machine.

But before we dive deeper, it’s important to understand what a stealth scan is.

What is a non-stealth scan?


A TCP connection is established through a three-way handshake, in which the client and server exchange packets in a fixed order before the connection exists. The exchange takes the following steps:

  • The client sends a TCP packet to the server with the SYN flag set.
  • If the port being probed is open, the server responds with a TCP packet with the SYN and ACK flags set.
  • If the port is closed, the server responds with a TCP packet with the RST flag set.
  • If the port is open, the client completes the exchange by responding to the server with an ACK.

This exchange is known as the three-way handshake and must complete before a TCP connection can be established between the client and the server.

A non-stealthy scan uses the TCP connect() call that operating systems provide for connecting to remote hosts. It performs the full three-way handshake described above against each port and reports the hosts and ports that accepted a connection.

This scan is easily detected due to the scanner’s numerous attempts to establish connections to many ports on the target host in a short period of time. Also remember that login attempts that fail will most certainly be logged and can be retrieved during a security audit.


What are the stealth techniques for network recon?


In computer security and hacking, stealth is the ability to remain undetected within a network while we perform activities, whether malicious or not. These activities will often work against defense mechanisms and may or may not be allowed. Of course, we recommend that you ONLY run these commands with permission from the network owners. There are two main perspectives:

  • Identifying ports and services for defense: This will apply to the blue team
  • Identifying ports and services for attack: This will apply to the Red Team


There are several stealth scans that can be performed. These include inverse mapping, semi-open, X-mas tree, UDP, null, and more. We will discuss these types of scans in detail in the following sections.

Inverse mapping


The inverse mapping scan involves sending specially crafted packets, including SYN-ACK packets, RST packets, and DNS packets, that merely detect which hosts are online and which are offline on the network. Offline hosts reveal themselves through an “ICMP host unreachable” error message coming back for the probe. This scan does not attempt to discover open ports, thus achieving some level of stealth.

Slow scanning


This is one of the most effective stealth scans that can be performed on a network. The intention is to significantly reduce the speed of port scanning. The attacker introduces a delay between probes so that the host’s IDS or firewall never sees a burst of connection attempts to TCP ports and its rate thresholds are never crossed.

While this scan has great success in achieving stealth, the main drawback would be the amount of time it takes to complete the scan. The only way to detect this scan is to analyze the traffic log files.
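As an added illustration of the log analysis this section calls for (example code, not from the original article), the following Python compares a per-minute rate check, which a slow scan stays under, with a long sliding-window count of distinct ports per source, which still catches it. The log format, hosts and addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<ISO time> <src> <dst>:<port> <flags>".
# 10.0.0.7 touches one new port about every five minutes; 10.0.0.9 is an ordinary
# client reconnecting to a single service.
SCAN_PORTS = (21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389)
SAMPLE_LOG = "\n".join(
    [f"2023-05-01T10:{m:02d}:00 10.0.0.7 10.0.0.20:{p} S" for m, p in zip(range(0, 60, 5), SCAN_PORTS)]
    + [f"2023-05-01T10:{m:02d}:30 10.0.0.9 10.0.0.20:443 S" for m in range(0, 60, 2)]
)

def parse_log(text):
    """One event per line -> (timestamp, src, dst, port, flags)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst_port, flags = line.split()
            dst, port = dst_port.rsplit(":", 1)
            events.append((datetime.fromisoformat(ts), src, dst, int(port), flags))
    return events

def peak_ports_per_minute(events):
    """Highest number of distinct ports a source touched in any one minute: the
    rate threshold a slow scan is designed to stay under."""
    per_minute = defaultdict(set)
    for ts, src, _dst, port, _flags in events:
        per_minute[(src, ts.replace(second=0, microsecond=0))].add(port)
    peak = defaultdict(int)
    for (src, _minute), ports in per_minute.items():
        peak[src] = max(peak[src], len(ports))
    return dict(peak)

def slow_scan_sources(events, window=timedelta(hours=1), min_ports=8):
    """Sources that touch at least `min_ports` distinct ports inside any sliding
    `window`, no matter how slowly they spread the probes out."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _flags in sorted(events):
        by_src[src].append((ts, port))
    flagged = {}
    for src, probes in by_src.items():
        best = set()
        for i, (end, _port) in enumerate(probes):
            ports = {p for t, p in probes[: i + 1] if end - t <= window}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            flagged[src] = sorted(best)
    return flagged
```

Shrinking the window to 30 minutes drops the scanner below the threshold again, which is the trade-off a slow scan forces on the defender: the longer the retention and the aggregation window, the slower the scan has to be.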

Half-open scan


This scan is also known as a SYN scan. The name comes from the method by which this scan is implemented. While the TCP connect() scan uses a three-way handshake to perform the scan, the SYN scan implements a modified two-way communication channel.

A SYN scan initiates a handshake just like TCP connect(). The client sends a SYN packet to the server, and the server responds with a SYN-ACK packet if the port is open or with an RST packet if the port is closed. Instead of responding with an ACK to acknowledge the SYN-ACK, the client sends an RST packet to the server, tearing the half-open connection down. This is what makes SYN scanning different from TCP connect() scanning.

This scan has two main disadvantages. It is caught by a large number of firewalls and requires root permission to run.

FIN scan


This scan is very successful because it tries to defeat the methods established to detect SYN scans. Here, packets are sent to the server with the FIN flag set. If the port is open, the server ignores the FIN flag; however, if the port is closed, the server will respond with the RST flag set. The scanner is able to defeat packet loggers that would otherwise log SYN packets.

Christmas tree scan


This stealth scan sends packets with invalid header flag combinations to the server. It differs from the FIN scan in that it sets several flags along with the FIN flag in an attempt to confuse any logging mechanism present. By default, nmap sets three flags for this scan: FIN, URG and PSH. Other scanners go beyond nmap and turn on all the TCP header flags – hence the name X-mas tree scan, because everything is turned on and lit up like a Christmas tree.

There are also some other stealth scans that can be done. These are null scan, UDP scan and dumb scan.
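As an added example (not code from the original article) covering the half-open, FIN and Christmas tree sections above, this Python classifies a TCP flow by the flags on its opening packet and by whether the client answers a SYN-ACK with an ACK or an RST, then counts probe-like flows per source the way an IDS rule would. The flows and addresses are constructed.

```python
from collections import Counter

# Flags: S=SYN A=ACK F=FIN R=RST P=PSH U=URG. A flow is [(sender, flags), ...] in arrival order, sender 'c'/'s'.
ALL_FLAGS = frozenset("SAFRPU")

def first_packet_signature(flags):
    """Label a client's opening packet by its flag combination."""
    f = frozenset(flags)
    if not f:
        return "null-scan"
    if f == {"F"}:
        return "fin-scan"
    if {"F", "P", "U"} <= f and (f == ALL_FLAGS or not ({"S", "A"} & f)):
        return "xmas-scan"  # nmap lights FIN/PSH/URG; other scanners light every flag
    return "syn" if f == {"S"} else "other"

def classify_flow(packets):
    """Full connect, half-open (SYN scan), closed port, or a flag-anomaly probe."""
    sig = first_packet_signature(packets[0][1]) if packets and packets[0][0] == "c" else "unclassified"
    if sig != "syn":
        return sig  # FIN/NULL/Xmas probes never attempt a handshake
    if len(packets) < 2 or packets[1][0] != "s":
        return "syn-no-reply"  # filtered, or the host is silent
    reply = set(packets[1][1])
    if "R" in reply:
        return "closed-port"
    if {"S", "A"} <= reply and len(packets) > 2 and packets[2][0] == "c":
        third = set(packets[2][1])
        if "R" in third:
            return "half-open-scan"  # RST instead of ACK: the handshake was aborted
        if "A" in third:
            return "full-connect"
    return "handshake-incomplete"

PROBE_LABELS = {"half-open-scan", "fin-scan", "null-scan", "xmas-scan"}

def scanning_sources(flows, min_probes=3):
    """Sources with at least `min_probes` flows classified as scan probes."""
    hits = Counter(src for src, pkts in flows if classify_flow(pkts) in PROBE_LABELS)
    return {src: n for src, n in hits.items() if n >= min_probes}

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("10.0.0.9", [("c", "S"), ("s", "SA"), ("c", "A")]),  # ordinary client connect
    ("10.0.0.7", [("c", "S"), ("s", "SA"), ("c", "R")]),  # SYN scan hitting an open port
    ("10.0.0.7", [("c", "S"), ("s", "RA")]),              # SYN scan hitting a closed port
    ("10.0.0.7", [("c", "FPU")]),                         # Xmas probe; an open port stays silent
    ("10.0.0.7", [("c", "F"), ("s", "RA")]),              # FIN probe; closed port answers RST
    ("10.0.0.7", [("c", ""), ("s", "RA")]),               # NULL probe; closed port answers RST
]
```

Note that a SYN to a closed port is labelled only "closed-port": on its own it is indistinguishable from a legitimate client, which is why the per-source count in scanning_sources matters more than any single flow.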

What are some stealth scanning techniques?


The following techniques are implemented in multiple scanners to make scan detection much more difficult even when we perform the scans discussed above.

Fragmentation


By using fragmentation scanning, we can make it harder for the administrators of the target network to detect our activities. This scanning involves breaking the TCP header across many small IP fragments that simple packet filters and IDS sensors cannot match against their rules. Firewalls or systems that queue the fragments and reassemble them before inspecting or forwarding them will defeat this method. The idea behind the technique is to hide the intent of packets originating from the attacker.

Spoofing


This attack is very common. It works by the attacker impersonating a whitelisted, known IP address to scan the network. As the system administrator monitors the network, the observed traffic will appear to originate from a trusted IP address; however, it will actually come from the attacker. This stealth technique is quite obvious and noticeable and IDS will definitely pick it up.

There is also the possibility of impersonating other machines within the network by exploiting the Address Resolution Protocol (ARP). ARP allows hosts on a network to determine another host’s MAC address from its IP address. Each host keeps a table (the ARP cache) of IP-to-MAC mappings so that it does not have to ask again for every packet. If we can spoof packets and ARP replies, we can scan the network undetected. We can change the MAC address using tools like macchanger on Kali Linux.
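From the defender’s side, a small detector for the ARP spoofing just described, added here as an example rather than taken from the article: it flags an IP whose claimed MAC changes over a stream of ARP replies, and a MAC that claims more than one IP. The reply records and addresses are constructed; a trusted static table can optionally be supplied.

```python
from collections import defaultdict

# Constructed ARP reply records (not captured traffic): (sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway
    ("10.0.0.20", "aa:bb:cc:00:00:20"),  # server
    ("10.0.0.1", "aa:bb:cc:00:00:07"),   # a different MAC now claims the gateway's IP
    ("10.0.0.20", "aa:bb:cc:00:00:07"),  # ...and the server's IP, from the same MAC
    ("10.0.0.9", "aa:bb:cc:00:00:09"),   # unrelated, consistent host
]

def arp_anomalies(replies, expected=None):
    """Return (ip_conflicts, multi_ip_macs).

    ip_conflicts: IP -> sorted MACs that claimed it (first-seen or `expected` mapping wins).
    multi_ip_macs: MAC -> sorted IPs it claimed, when it claimed more than one.
    `expected` is an optional trusted static IP->MAC table; contradicting it is a conflict too.
    """
    seen = dict(expected or {})
    ip_conflicts = defaultdict(set)
    ips_per_mac = defaultdict(set)
    for ip, mac in replies:
        ips_per_mac[mac].add(ip)
        if ip in seen and seen[ip] != mac:
            ip_conflicts[ip].update({seen[ip], mac})
        seen.setdefault(ip, mac)  # keep the first (or trusted) mapping as the reference
    multi = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return {ip: sorted(macs) for ip, macs in ip_conflicts.items()}, multi
```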

Decoys


This technique involves spoofing legitimate IP addresses within a network while performing port scans. The idea is to bury the attacker’s IP address in a huge list of online IP addresses. When this happens, it confuses the system administrator by making it appear that all IP addresses are involved in the attack.

The larger the number of spoofed decoy IP addresses, the more difficult it is to isolate the attacking IP address. However, some security systems such as firewalls and IDS may be able to filter the traffic and determine the real attacking machine.

Hopping


This technique allows attackers to “bounce” their traffic from hosts on the network to their target host. This works due to the ability of some services to allow entry through them. Services such as “finger” and FTP are commonly abused to achieve this goal.

What are some of the tools that can be used?


There are many good port scanners available out there. The best known and most appreciated of all is nmap. Nmap is capable of performing all of the scans described above and allows you to tailor each scan to the uniqueness of your environment.

nmap’s success lies in its ability to do much more than just scan ports. Below are some common port scanners you can use today:

  • Angry IP Scanner
  • Unicornscan
  • Netcat
  • Zenmap

Conclusion


Stealth scanning is extremely important in that it allows you to bypass defenses implemented on the network. We recommend that you understand the different scanning techniques so that you know which to use in your environment during hacking exercises.

By no means have we exhausted the stealth scanning techniques available. You should consider exploring UDP scanning to see how it can also be used for stealth.
