<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Hackers Enigma &#187; Hackers Enigma</title>
	<atom:link href="http://www.hackersenigma.com/category/amol-wagh/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hackersenigma.com</link>
	<description>An Ethical Hacking Blog - Network Security, Penetration testing, Vulnerabilities &#38; Mobile Hacks</description>
	<lastBuildDate>Tue, 10 Jan 2012 17:12:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Port Scanners Selection Factors</title>
		<link>http://www.hackersenigma.com/amol-wagh/port-scanners-selection-factors/</link>
		<comments>http://www.hackersenigma.com/amol-wagh/port-scanners-selection-factors/#comments</comments>
		<pubDate>Thu, 02 Apr 2009 07:58:25 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Amol Wagh]]></category>
		<category><![CDATA[Black Hat]]></category>
		<category><![CDATA[Exclusive]]></category>
		<category><![CDATA[Port Scanning]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[enumerating]]></category>
		<category><![CDATA[intrusion]]></category>
		<category><![CDATA[parallel attacks]]></category>
		<category><![CDATA[port scanning]]></category>
		<category><![CDATA[ports]]></category>
		<category><![CDATA[scanner selection]]></category>
		<category><![CDATA[Scanning]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=255</guid>
		<description><![CDATA[We have covered a brief introduction to port scanning and its techniques in our previous topic. Here we are, with the requirements of a good port scanner. Dynamic delay time calculations: Delay time is necessary for some scanners to send the data chunks.  So you need to check whether it is working properly or not with ping, [...]]]></description>
			<content:encoded><![CDATA[<!-- Start Shareaholic LikeButtonSetTop --><!-- End Shareaholic LikeButtonSetTop --><p>We have covered a brief introduction to <strong>port scanning and its techniques</strong> in our previous topic. Here we are, with the requirements of a good port scanner.</p>
<p><strong>Dynamic delay time calculations:</strong> Delay time is necessary for some scanners to send the data chunks. So you need to check whether it is working properly or not with <strong>ping</strong>, which gives a reply to every execution. But that is sometimes cumbersome, so you can use <strong>connect()</strong> to a closed port on the target, which gives you an initial delay time for your scanner. Simple, isn’t it!<br />
 <br />
<strong>Parallel Port Scanning:</strong> Scanners generally scan ports linearly, one by one, until all ports have been covered, but this old technique works well only with <strong>TCP</strong> on a fast network. So you need to test whether your port scanner supports parallel port scanning, because we have to scan over a larger area or a wide area network.</p>
<div id="attachment_256" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/portscanner.png"><img class="size-medium wp-image-256" title="portscanner" src="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/portscanner-300x244.png" alt="Port Scanners" width="300" height="244" /></a><p class="wp-caption-text">Port Scanners</p></div>
<p><strong>Flexible Port Specification:</strong> Can you believe we need to scan all 65535 ports? It will be a slow and tiresome process. Also, scanners which only allow you to scan ports 1 &#8211; N often fall short of an <strong>intruder’s need</strong>. Test whether your scanner has a ranges option that allows you to scan the <strong>ports</strong> in a better manner.</p>
<p><strong>Flexible target specification:</strong> On a larger network you will surely want to scan more than one or two hosts. So you should have flexible target specification available on your port scanner.</p>
<p><strong>Retransmission:</strong> Sending <strong>chunks</strong> and waiting for a response is a very old technique for scanners. But this can lead to false positives or negatives when packets are dropped. So, check whether your scanner has automated retransmission available.</p>
<p>So these are some of the primary factors to consider. Some secondary considerations include <strong>Down Host Detection, Own IP detector, and IP scanner</strong> etc.</p>
<div class="shr-publisher-255"></div><!-- Start Shareaholic LikeButtonSetBottom --><!-- End Shareaholic LikeButtonSetBottom -->]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/amol-wagh/port-scanners-selection-factors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Packet Sniffing Attack &amp; Vulnerable Ethernet Communications &#8211; II</title>
		<link>http://www.hackersenigma.com/amol-wagh/packet-sniffing-attack-vulnerable-ethernet-communications-ii/</link>
		<comments>http://www.hackersenigma.com/amol-wagh/packet-sniffing-attack-vulnerable-ethernet-communications-ii/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 07:52:07 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Amol Wagh]]></category>
		<category><![CDATA[Exclusive]]></category>
		<category><![CDATA[Packet Sniffing]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[sniffing]]></category>
		<category><![CDATA[sniffing attacks]]></category>
		<category><![CDATA[TCP/IP]]></category>
		<category><![CDATA[TCP/IP Architecture]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=250</guid>
		<description><![CDATA[Continues From Last Post  . . . So each machine has a unique identification to send and receive data and avoid confusion. This doesn’t happen with dial-up modems, because it is assumed that any data you send to the modem is destined for the other side of the phone line. But when you send data [...]]]></description>
			<content:encoded><![CDATA[<!-- Start Shareaholic LikeButtonSetTop --><!-- End Shareaholic LikeButtonSetTop --><p><strong>Continues From Last Post  . . .</strong></p>
<p>So each machine has a unique identification to send and receive data and avoid confusion. This doesn’t happen with dial-up modems, because it is assumed that any data you send to the modem is destined for the other side of the phone line. But when you send data out onto an Ethernet wire, you have to be clear which machine you intend to send the data to.</p>
<p>In most cases today only two machines communicate with each other, and few scenarios resemble a conference, but Ethernet is designed for many machines to share together. This is accomplished by putting a unique 12-digit hex number in every piece of Ethernet hardware.<a href="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/sniffer.gif"><img class="aligncenter size-full wp-image-251" title="sniffer" src="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/sniffer.gif" alt="sniffer" width="445" height="373" /></a></p>
<p>This is important from the standpoint of <strong>data and information security</strong>. Ethernet was designed to carry traffic other than just TCP/IP, and TCP/IP was designed to run over other wires (such as dial-up lines, which use no Ethernet).</p>
<p><strong>NETBEUI</strong> is something that many home users use to share files or data. It does not use <strong>TCP/IP</strong> protocols to transfer the data. It makes it harder for intruders to hack the data. Raw transmission and reception on <strong>Ethernet</strong> is governed by the Ethernet equipment. You can’t just send raw data over the wire; you must first do something to it that Ethernet understands. In much the same way, you can’t just stick a letter in a mailbox; you must first wrap it in an envelope with an address and stamp. This is what is used in the traditional <strong>TCP/IP Architecture.</strong> </p>
<p>So this is how Ethernet becomes vulnerable to sniffing attacks. Many of the techniques that give the Internet and networks flexibility through Ethernet are exploited by the use of <strong>packet sniffing</strong>.</p>
<p>It is not all dark, though: all packet sniffers can be detected, even if they have stealth features built in. Also, conversion to non-promiscuous mode can be a great way to stop all types of packet <strong>sniffing attacks</strong>.</p>
<div class="shr-publisher-250"></div><!-- Start Shareaholic LikeButtonSetBottom --><!-- End Shareaholic LikeButtonSetBottom -->]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/amol-wagh/packet-sniffing-attack-vulnerable-ethernet-communications-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Packet Sniffing Attack &amp; Vulnerable Ethernet Communications &#8211; I</title>
		<link>http://www.hackersenigma.com/amol-wagh/packet-sniffing-attack-vulnerable-ethernet-communications-i/</link>
		<comments>http://www.hackersenigma.com/amol-wagh/packet-sniffing-attack-vulnerable-ethernet-communications-i/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 07:42:10 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Amol Wagh]]></category>
		<category><![CDATA[Firewalls Breaking]]></category>
		<category><![CDATA[IP]]></category>
		<category><![CDATA[Packet Sniffing]]></category>
		<category><![CDATA[Student Series]]></category>
		<category><![CDATA[Ethernet]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[Non-promiscus mode]]></category>
		<category><![CDATA[Packet Sniffer or protocol analyzer]]></category>
		<category><![CDATA[promiscus mode]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=246</guid>
		<description><![CDATA[A wire-tap device that plugs into computer networks and eavesdrops on the network traffic is known as the Packet Sniffer or protocol analyzer. Just as we tap a phone call, sniffing allows us to listen to communication between two or more computers. Computer conversations consist of apparently random binary data. Therefore, network wiretap programs [...]]]></description>
			<content:encoded><![CDATA[<!-- Start Shareaholic LikeButtonSetTop --><!-- End Shareaholic LikeButtonSetTop --><div class="mceTemp mceIEcenter" style="text-align: left;">A wire-tap device that plugs into computer networks and eavesdrops on the network traffic is known as the <strong>Packet Sniffer or protocol analyzer</strong>. Just as we tap a phone call, sniffing allows us to listen to communication between two or more computers.</div>
<p>Computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as <strong>“protocol analysis”,</strong> which allows them to “decode” the computer traffic and make sense of it. We don’t need to break directly into the actual communication; we can install a device on the network and tap another network’s conversation, which is the other advantage of a packet sniffer.</p>
<p>This shared technology is known as promiscuous mode in sniffing, but the bad news for black hats is that this shared technology is moving to <strong>non-promiscuous mode</strong>, which is making it harder for an intruder to install sniffing programs. The Internet has no single place from which all communication can be seen. This means we need to concentrate on a single communication at a time. This architecture of the Internet prevents any single point of packet sniffing.</p>
<div id="attachment_248" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/colasoft_capsa_-_expert_packet_sniffer-25203-1.jpg"><img class="size-medium wp-image-248" title="colasoft_capsa_-_expert_packet_sniffer-25203-1" src="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/colasoft_capsa_-_expert_packet_sniffer-25203-1-300x216.jpg" alt="Packet Sniffing" width="300" height="216" /></a><p class="wp-caption-text">Packet Sniffing</p></div>
<p>If we have two machines in our own office talking to each other, and both are on the Internet, they take a direct route of communication, and the traffic never goes across the outside public portion of the Internet. Any communication anywhere in the net follows a similar “least-cost-path” principle.  <strong>Ethernet </strong>was built around a “shared” principle: all machines on a local network share the same wire.</p>
<p>This scenario implies that all the machines are able to “see” all the traffic on the same wire. Therefore, Ethernet hardware is built with a “filter” that ignores all traffic that doesn’t belong to it. It does this by ignoring all frames whose MAC address doesn’t match its own. A wiretap program effectively turns off this filter, putting the Ethernet hardware into “promiscuous mode”. <strong>MAC</strong> works in non-promiscuous mode, so only traffic on the same Ethernet wire can be heard. That is, the victim and the intruder must share the same Ethernet wire for any attack to be possible.</p>
<p><strong>To be Continued in Next Post . . . </strong></p>
<div class="shr-publisher-246"></div><!-- Start Shareaholic LikeButtonSetBottom --><!-- End Shareaholic LikeButtonSetBottom -->]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/amol-wagh/packet-sniffing-attack-vulnerable-ethernet-communications-i/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewalk Attack: Beyond The Boundaries of Security.</title>
		<link>http://www.hackersenigma.com/ethical-hacking/firewalk-attack-beyond-the-boundaries-of-security/</link>
		<comments>http://www.hackersenigma.com/ethical-hacking/firewalk-attack-beyond-the-boundaries-of-security/#comments</comments>
		<pubDate>Sat, 21 Mar 2009 13:25:26 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Amol Wagh]]></category>
		<category><![CDATA[Black Hat]]></category>
		<category><![CDATA[Ethical hacking]]></category>
		<category><![CDATA[Exclusive]]></category>
		<category><![CDATA[Student Series]]></category>
		<category><![CDATA[attack types]]></category>
		<category><![CDATA[bypassing firewalls]]></category>
		<category><![CDATA[Firealk]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[security gateways]]></category>
		<category><![CDATA[TCP IP]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=180</guid>
		<description><![CDATA[Firewalk, which was developed by two masterminds, Mike Schiffman and Dave Goldsmith, furthers the techniques used by both static port traceroutes and hping. It can be successfully implemented to scan a host downstream from a security gateway to assess what rules relate to the target system, without any packets having to [...]]]></description>
			<content:encoded><![CDATA[<!-- Start Shareaholic LikeButtonSetTop --><!-- End Shareaholic LikeButtonSetTop --><p><strong>Firewalk</strong>, which was developed by two masterminds, Mike Schiffman and Dave Goldsmith, furthers the techniques used by both static port <strong>traceroutes</strong> and <strong>hping. </strong></p>
<p>It can be successfully implemented to scan a host downstream from a security gateway to assess what rules relate to the target system, without any packets having to reach it.</p>
<p>Firewalk utilizes the <strong>TTL functions </strong>to carry out the whole attack. This was difficult for any firewall to analyze, and so it was described as going beyond the boundaries of security.</p>
<p><a href="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/code2.jpg"><img class="aligncenter size-medium wp-image-181" title="Firewalk" src="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/code2-232x300.jpg" alt="Firewalk" width="232" height="300" /></a></p>
<p>Some facts that should hold true for any kind of <strong>firewall response</strong> are:</p>
<p>If the packet is passed by the firewall, a TTL expired message should be received.</p>
<p><strong>If the packet is blocked by the firewall, this could be caused by either of the following:</strong><br />
An <strong>ICMP </strong>administratively prohibited response is received, or the packet is dropped without comment. Again, uncertainty is introduced through packets lost in transit. Some<strong> security gateways</strong> will detect that the packet is due to expire and send the expired message whether the policy would have allowed the packet or not.</p>
<p>Firewalls and <strong>intruders</strong> are always big rivals, as firewalls are updated in response to the technologies implemented by intruders. This sometimes makes things harder for firewall vendors and sometimes for <strong>hackers.</strong></p>
<div class="shr-publisher-180"></div><!-- Start Shareaholic LikeButtonSetBottom --><!-- End Shareaholic LikeButtonSetBottom -->]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/ethical-hacking/firewalk-attack-beyond-the-boundaries-of-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>After Suspecting Hackers On SBI Website, Bank Shut Off Its Corporate Website</title>
		<link>http://www.hackersenigma.com/amol-wagh/after-suspecting-hackers-on-sbi-website-bank-shut-off-its-corporate-website/</link>
		<comments>http://www.hackersenigma.com/amol-wagh/after-suspecting-hackers-on-sbi-website-bank-shut-off-its-corporate-website/#comments</comments>
		<pubDate>Sun, 28 Dec 2008 06:25:06 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Amol Wagh]]></category>
		<category><![CDATA[Latest News]]></category>
		<category><![CDATA[SBI attack]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=164</guid>
		<description><![CDATA[This Wednesday, the security department of State Bank of India (SBI) noticed that the traffic had suddenly increased on their corporate website www.sbi.co.in. Suspecting that this was an attempt by hackers to get information about the website for a further break-in attack, they temporarily shut down the website as a security measure. The [...]]]></description>
			<content:encoded><![CDATA[<!-- Start Shareaholic LikeButtonSetTop --><!-- End Shareaholic LikeButtonSetTop --><p>This Wednesday, the security department of State Bank of India (SBI) noticed that the traffic had suddenly increased on their corporate website www.sbi.co.in. Suspecting that this was an attempt by hackers to get information about the website for a further break-in attack, they temporarily shut down the website as a security measure.</p>
<p><a href="http://www.topnews.in/files/SBI-logo_0.jpg"><img class="aligncenter" title="SBI" src="http://www.topnews.in/files/SBI-logo_0.jpg" alt="" width="500" height="500" /></a></p>
<p>The attack was instantly reported to the Central Government and the Mumbai Cyber Cell, who are now looking into these attacks and the criminals behind them. They haven&#8217;t commented on it in public except to say that they are still investigating. Surely this is a matter of national security and these details should never be exposed to the media.</p>
<p>Many banks in India have faced such trouble in the past, but SBI is one of the newest to be attacked. This may be because for the last 2 years SBI has mostly been promoting its Internet Banking Services.</p>
<p>The website www.sbi.co.in was made temporarily unavailable by its security department, which was a quick and perfect step to avoid the attack. The security department is working in the best possible ways to diagnose this attack and avoid such a situation in the future.</p>
<p>But the question remains  . . .</p>
<p>Can Indian Cyber Crime Experts catch these criminals?</p>
<p>As an Indian Ethical Hacker  &#8211; My Answer Will be Yes.</p>
<div class="shr-publisher-164"></div><!-- Start Shareaholic LikeButtonSetBottom --><!-- End Shareaholic LikeButtonSetBottom -->]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/amol-wagh/after-suspecting-hackers-on-sbi-website-bank-shut-off-its-corporate-website/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

