1
00:00:00,150 --> 00:00:06,960
So in these Nmap lectures, we have seen No Port scan, also known as ping scan, different ways

2
00:00:06,960 --> 00:00:15,840
of scanning ports: SYN scan, also known as half-open scanning, TCP scan, also known as TCP Connect

3
00:00:15,870 --> 00:00:23,850
scan, UDP scan, service and version detection, operating system detection and the Nmap Scripting Engine

4
00:00:23,850 --> 00:00:24,480
in detail.

5
00:00:24,900 --> 00:00:30,930
Now let's see how we can cope with network security devices such as firewalls or packet filtering.

6
00:00:31,530 --> 00:00:32,100
You with me?

7
00:00:32,730 --> 00:00:36,810
You'll always face some security measures in your penetration test.

8
00:00:37,140 --> 00:00:38,100
They will log you,

9
00:00:38,100 --> 00:00:41,160
drop your packets or reply with some fake responses.

10
00:00:41,250 --> 00:00:45,360
So you have to find those measures and bypass them to go on.

11
00:00:45,660 --> 00:00:50,750
Network obstructions such as firewalls can make mapping a network exceedingly difficult.

12
00:00:51,940 --> 00:00:57,640
It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the

13
00:00:57,640 --> 00:00:58,270
devices.

14
00:00:59,110 --> 00:01:05,410
Nevertheless, Nmap offers many features to help understand these complex networks and to verify

15
00:01:05,410 --> 00:01:07,330
that the filters are working as intended.

16
00:01:08,110 --> 00:01:12,300
It even supports mechanisms for bypassing poorly implemented defenses.

17
00:01:13,090 --> 00:01:18,610
One of the best methods of understanding network security posture is to try to defeat it.

18
00:01:19,440 --> 00:01:25,830
In addition to restricting network activity, companies are increasingly monitoring traffic with intrusion

19
00:01:25,830 --> 00:01:28,110
detection systems, or IDS.

20
00:01:30,010 --> 00:01:37,390
All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes

21
00:01:37,390 --> 00:01:38,770
a precursor to attacks.

22
00:01:39,740 --> 00:01:47,150
Many of these products have recently morphed into intrusion prevention systems, IPSs, that actively

23
00:01:47,150 --> 00:01:54,410
block traffic deemed malicious. Unfortunately for network administrators and IDS vendors, reliably

24
00:01:54,410 --> 00:01:57,740
detecting bad intentions by analyzing packet data

25
00:01:57,770 --> 00:01:59,090
is a tough problem.

26
00:01:59,780 --> 00:02:09,320
Attackers with patience, skill and the help of certain Nmap options can usually pass by IDS undetected.

27
00:02:10,070 --> 00:02:16,010
Meanwhile, administrators must cope with large numbers of false positive results where innocent activities

28
00:02:16,010 --> 00:02:19,850
are misdiagnosed and alerted on or blocked.

29
00:02:21,000 --> 00:02:27,870
So there's no magic bullet for detecting and bypassing firewalls and IDS systems; it takes skill and

30
00:02:27,870 --> 00:02:28,740
experience.

31
00:02:29,130 --> 00:02:37,020
So here I'm going to show you a few methods to bypass or detect the IDS and IPS devices.

32
00:02:38,330 --> 00:02:45,260
Although timing techniques are used to improve scan times, they're also very good at being invisible

33
00:02:45,260 --> 00:02:52,490
against network security devices such as firewalls or IDSs and IPSs. We'll see the timing techniques

34
00:02:52,490 --> 00:02:57,140
in detail, but let's see the other techniques to bypass security measures.

35
00:02:58,360 --> 00:03:04,000
The option causes the requested scan to use tiny, fragmented IP packets.

36
00:03:04,300 --> 00:03:10,780
The idea here is to split up the TCP header over several packets to make it harder for packet filters,

37
00:03:10,780 --> 00:03:17,650
intrusion detection systems and other annoyances to detect what you are doing. Specify this option

38
00:03:17,650 --> 00:03:23,860
once and Nmap splits the packets into eight bytes or less after the IP header.

39
00:03:24,520 --> 00:03:28,150
So a 20-byte TCP header would be split into three packets.

40
00:03:28,690 --> 00:03:29,830
So be careful with this.

41
00:03:30,560 --> 00:03:33,650
Some programs have trouble handling these tiny packets.

42
00:03:35,290 --> 00:03:43,270
Fragmentation is only supported for Nmap's raw packet features, which include TCP and UDP port scans

43
00:03:43,270 --> 00:03:44,740
and OS detection.

44
00:03:45,700 --> 00:03:51,370
Features such as version detection and the Nmap Scripting Engine generally don't support fragmentation

45
00:03:51,370 --> 00:03:56,770
because they rely on your host's TCP/IP stack to communicate with target services.

46
00:03:58,110 --> 00:04:03,420
Using well-known ports as the source port of the packets that we'll send is another technique to bypass

47
00:04:03,420 --> 00:04:11,480
firewalls. To trust traffic based only on the source port number is one surprisingly common misconfiguration.

48
00:04:12,150 --> 00:04:14,430
It's easy to understand how this comes about.

49
00:04:14,760 --> 00:04:20,220
An administrator will set up a shiny new firewall, only to be flooded with complaints from ungrateful

50
00:04:20,220 --> 00:04:22,500
users whose applications stopped working.

51
00:04:22,920 --> 00:04:29,640
In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter

52
00:04:29,640 --> 00:04:30,330
the network.

53
00:04:31,390 --> 00:04:36,490
Here Nmap offers the source port option to exploit this weakness.

54
00:04:37,880 --> 00:04:43,490
Simply provide a port number and Nmap will send packets from that port where possible.

55
00:04:44,740 --> 00:04:52,300
Randomize hosts tells Nmap to shuffle each group of hosts before it scans them. This can make the

56
00:04:52,300 --> 00:04:58,720
scans less obvious to various network monitoring systems, especially when you combine it with slow

57
00:04:58,720 --> 00:04:59,680
timing options.

58
00:05:00,640 --> 00:05:06,070
You can use the uppercase S option to spoof the scan to make the targets think that someone else is scanning

59
00:05:06,100 --> 00:05:10,120
them. Note that you won't usually receive reply packets back.

60
00:05:10,390 --> 00:05:13,540
They will be addressed to the IP you are spoofing.

61
00:05:14,020 --> 00:05:17,020
So Nmap won't produce useful reports.

62
00:05:18,370 --> 00:05:22,750
You can also use some techniques to understand the existence of the security measures.

63
00:05:22,930 --> 00:05:28,960
The first technique is to analyze the TTL, the time-to-live values of the incoming packets.

64
00:05:29,410 --> 00:05:35,740
The TTL values of the packets coming from the destination systems may differ from the TTL values

65
00:05:35,740 --> 00:05:38,620
of the packets coming from a network security device.

66
00:05:39,560 --> 00:05:47,060
So find incoming packets which lead to different results and analyze their TTL values.

67
00:05:48,380 --> 00:05:56,210
The badsum option asks Nmap to use an invalid TCP or UDP checksum for packets sent to target hosts.

68
00:05:56,520 --> 00:06:03,140
Since virtually all host IP stacks properly drop these packets, any responses received are likely coming

69
00:06:03,140 --> 00:06:07,100
from a firewall or IDS that didn't bother to verify the checksum.

