CODENAME: Samurai Skills Course
Module 3: Scanning and Assessment
Ninja-Sec.com

Network Enumeration and Mapping

Network Enumeration Goals
- Identify live hosts on the customer's network ranges and the services (applications) running on those hosts.
- The steps for network enumeration are the same for internal and external assessments.
- Identify live hosts first, then use scanning techniques to gain additional information that can aid in uncovering sensitive hosts and in further exploitation:
  - Port scanning
  - Version scanning
  - Service enumeration
  - OS fingerprinting
- There may be a variety of filtering devices in place to limit network enumeration, so you may need techniques to avoid filters.

Nmap (Network Mapper)
- We will list several tools that can be used for network enumeration, but Nmap is the primary one we focus on. Reasons:
  - Nmap is capable of every type of network enumeration we cover.
  - Runs on the command line or with a GUI (Zenmap).
  - Runs on both Windows and *nix.
  - With Nmap we only have to cover one interface.
  - Nmap is one of the few network enumeration tools that is consistently updated: a very active development community, and new features come out frequently.

Network Mapping
- The first type of scanning performed on customer network ranges.
- Can be combined with port scanning, but running it by itself first speeds up subsequent scanning, since only live hosts then get port scanned.
- Commonly called ping sweeping, although good network mapping doesn't just use pings (ICMP echo requests).
- Also used to spot network issues and to judge latency, which matters when planning scan timing and thoroughness.
- Helps determine whether the assessment team will assess all target hosts or a sample set.

Network Mapping
- A host may not respond to a ping request for several reasons:
  - A network device, usually a firewall, may be blocking the requests or the responses.
  - The host may be configured not to respond to pings through local settings or a software firewall.
- Which of these applies can often be determined by a discussion with the client.

Network Mapping Using Nmap
- When Nmap (run as root/Administrator) ping sweeps a remote target it does not rely on a single ICMP ping; by default it sends four probes per host:
  - ICMP echo request
  - TCP SYN to port 443
  - TCP ACK to port 80
  - ICMP timestamp request
  - The TCP probes exist to get through firewalls that drop ICMP. Without raw-socket privileges Nmap falls back to TCP connect() attempts to ports 80 and 443.
- On the local Ethernet segment Nmap sends ARP requests to every IP instead, which is both faster and more reliable (a host that is on the wire has to answer ARP).
- Many more mapping options exist (-PS, -PA, -PU, -PE, -PP, etc.); almost any type of probe you want to send can be supported.

Network Mapping with Nmap
- nmap -sn <IP range>: host discovery only, no port scan, using the default discovery probes (ICMP echo request, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request; ARP on the local segment).

Network Mapping
- Types of network mapping probes:
  - Various ICMP messages; echo request (which elicits an echo reply) is the most common, but timestamp and address mask requests also work against some hosts.
  - Various TCP ports and flags; SYN probes to common ports are probably best.
- A few network mapping tools:
  - Nmap (most common)
  - Hping (allows a lot of customization)
  - Foundstone's SuperScan (older)
  - Fping
  - Angry IP Scanner (nice GUI)
  - Ping Sweep from SolarWinds

ICMP Enum

Tracerouting
- Tracerouting is a technique to determine the network path from your host to the target host.
- Designed as a troubleshooting tool, but useful to penetration testers for mapping.
- Conducting traceroutes can tell you a few things:
  - Possible multiple paths to the customer network.
  - Subnets that are (probably) physically close together.
  - Layer 3 network devices in the customer network.
  - Where boundary and filtering devices reside.
- The customer may block traceroutes coming into the network, although this really only works for certain probe types (blocking UDP traceroute does nothing against a TCP one), and devices may not respond to traceroutes themselves (shown as * in the output).

Tracerouting
- Operates by sending packets with a low Time-To-Live (TTL) value and incrementing it by one for each successive probe. Each router on the path decrements the TTL; the one that decrements it to zero drops the packet and returns an ICMP Time Exceeded message, revealing its address.
- Traceroutes can use any type of payload packet because the TTL is in the IP header: ICMP, TCP or UDP (or anything really). Unix traceroute defaults to UDP, Windows tracert to ICMP echo, and nmap --traceroute picks the probe type that the scan found to reach the target.

Example Traceroute Using VisualRoute

Network Scanning

Port Scanning
- TCP and UDP ports are what applications use to listen on the network.
- When an application is listening to serve client requests, it's called a service.
- At the most basic level, port scanning is just identifying the services listening on live hosts on the network.
- Some implementations and options provide greatly enhanced speed, but can decrease accuracy.
- There are many different ways to attempt to bypass filters.
- There are big differences between TCP and UDP scans.

Port Scanning
- Types of port scanning:
  - TCP scanning: connect scanning, TCP SYN scanning, other TCP flag combinations
  - UDP scanning
  - Asynchronous (stateless) scanning: a very fast technique, but limited accuracy
- A few port scanning tools:
  - Nmap
  - SuperScan
  - Scanrand (asynchronous scanner)
  - Unicornscan

Types of Port Scans
- TCP Connect Scanning (nmap -sT)
  - Completes the full TCP three-way handshake, so it is very accurate.
  - Generally uses the OS connect() call to open the port, so it can be run without administrative privileges.
  - Can be much slower than other TCP scans, and the completed connection is usually logged by the application.

Types of Port Scans
- TCP Half-Open (SYN) Scan (nmap -sS)
  - The most common type of port scanning.
  - Much faster than a connect scan and can be parallelized.
  - Only sends the first part of the TCP handshake: a SYN/ACK reply means open, a RST means closed, no reply (or an ICMP unreachable) means filtered. Nmap answers a SYN/ACK with a RST so the connection is never completed.
  - Often called a stealth scan, because full TCP connections usually get logged on the host while half-open ones do not; however, SYN scans are obvious to an IDS.
  - Requires raw-socket privileges (root/Administrator).

Types of Port Scans
- TCP ACK Scan (nmap -sA)
  - Used to determine whether a port is behind a stateless filter (router ACLs, etc.).
  - Works on the principle that a packet with the ACK bit set looks like part of an already established connection, so a stateless filter may let it through.
  - An unexpected ACK generates a RST from both open and closed ports, so the scan does not tell you whether a port is open: a RST means "unfiltered", no response means "filtered". A stateful firewall drops the stray ACK either way.
- TCP FIN Scan (nmap -sF)
  - Another scan used for firewall/IDS evasion, to avoid SYN scan detection.
  - Relies on RFC 793 behaviour: a closed port answers a FIN-only packet with a RST, an open port stays silent. Windows and some other stacks reply with RST regardless, so every port looks closed.
- Many others (basically any combination of TCP flags): NULL (-sN), Xmas (-sX), custom flags (--scanflags).

Port Scanning with Nmap
- nmap -sS <IP range>: standard SYN scan of the 1000 most common TCP ports (requires root; add -p- to cover all 65535 ports).

Firewalking
- A combination of port scanning and tracerouting techniques designed to discover firewall rulesets.
- Detects which ports the firewall forwards, even when the hosts on the internal network do not respond.
- Works by first finding the hop count to the gateway (a normal traceroute), then sending a probe to each port of interest with a TTL one higher than the route to the gateway.
- If the gateway forwards the probe, the next hop behind it decrements the TTL to zero and returns an ICMP Time Exceeded message; if the gateway filters the port, nothing comes back.
- Nmap's firewalk NSE script automates this.
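The TTL mechanics behind tracerouting and firewalking, as an added example that is not part of the course material: it models a constructed path (two ISP routers, a customer firewall with a stateless ACL, an internal router, then the target host) so the logic can be run offline without raw sockets or a live target. Hop names, addresses and the ACL contents are invented for the example; the two functions reproduce what traceroute and a firewalker do with the replies.

```python
"""Model of TTL-based tracerouting and firewalking against a constructed path."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    """One router on the path. acl is the set of (proto, port) a stateless filter
    forwards (None = forwards everything); answers_ttl_exceeded=False models a
    device that drops expired packets silently (a '*' in traceroute output)."""
    name: str
    addr: str
    acl: Optional[set] = None
    answers_ttl_exceeded: bool = True


@dataclass
class Reply:
    kind: str       # "time_exceeded", "reached" or "none"
    src: str = ""   # address the reply came from


def send_probe(path, target_addr, ttl, proto, dport):
    """Forward one probe hop by hop: decrement TTL, expire with ICMP Time Exceeded
    (type 11) when it hits zero, otherwise apply the hop's filter and move on."""
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return Reply("time_exceeded", hop.addr) if hop.answers_ttl_exceeded else Reply("none")
        if hop.acl is not None and (proto, dport) not in hop.acl:
            return Reply("none")                       # filtered: dropped without a word
    return Reply("reached", target_addr)               # the end host answers the probe itself


def traceroute(path, target_addr, proto="udp", dport=33434, max_ttl=30):
    """Classic traceroute: TTL 1, 2, 3 ... until the target itself answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        r = send_probe(path, target_addr, ttl, proto, dport)
        hops.append((ttl, r.src if r.kind != "none" else "*"))
        if r.kind == "reached":
            break
    return hops


def firewalk(path, target_addr, gateway_ttl, proto, ports):
    """Firewalking: probe each port with TTL = gateway hops + 1. A Time Exceeded
    from a hop *beyond* the gateway proves the gateway forwarded that port."""
    gateway = path[gateway_ttl - 1]
    results = {}
    for port in ports:
        r = send_probe(path, target_addr, gateway_ttl + 1, proto, port)
        passed = r.kind == "time_exceeded" and r.src != gateway.addr
        results[port] = "forwarded" if passed else "filtered"
    return results


# Constructed path (assumed for this example): ISP edge, a silent ISP core router,
# the customer firewall permitting only web and DNS, an internal router, the host.
PATH = [
    Hop("isp-edge", "203.0.113.1"),
    Hop("isp-core", "203.0.113.9", answers_ttl_exceeded=False),
    Hop("customer-fw", "198.51.100.1", acl={("tcp", 80), ("tcp", 443), ("udp", 53)}),
    Hop("dmz-router", "198.51.100.2"),
]
TARGET = "198.51.100.50"
GATEWAY_TTL = 3   # hop count to customer-fw, as learned from the traceroute below

if __name__ == "__main__":
    print("traceroute tcp/80:")
    for ttl, who in traceroute(PATH, TARGET, "tcp", 80):
        print(f"  {ttl:2d}  {who}")
    print("traceroute udp/33434 (dies at the firewall):")
    for ttl, who in traceroute(PATH, TARGET, "udp", 33434, max_ttl=6):
        print(f"  {ttl:2d}  {who}")
    for port, state in firewalk(PATH, TARGET, GATEWAY_TTL, "tcp", [22, 80, 443, 3389]).items():
        print(f"firewalk tcp/{port}: {state}")
```

Note how the UDP traceroute stops at hop 3 while the TCP/80 one reaches the host: that is the "only works for certain types" caveat from the tracerouting slide, and it is also why firewalking needs a hop behind the gateway that still answers Time Exceeded.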

UDP Port Scanning
- UDP is designed for speed, which means no connection setup process and nothing like a SYN/ACK to confirm an open port.
- Relies on ICMP Destination Unreachable (port unreachable) messages to indicate closed ports; these are usually filtered by firewalls and rate limited by hosts (Linux sends about one per second by default).
- A port will only respond when it is sent a correctly formatted message for the protocol it speaks, so the scanner reports Open|Filtered unless it is able to talk the protocol in operation (Nmap sends protocol-specific payloads to common ports such as 53, 123 and 161 for this reason).
- UDP usually takes much longer to scan due to the increased timeout and retry requirements.
- It may be better to use a protocol-specific client or scanner (snmpwalk, dig, tftp).

UDP Scanning with Nmap
- nmap -sU <IP range>: UDP scan of the most common UDP ports (requires root). Combine with -sV to help resolve Open|Filtered results, and consider --top-ports to keep the run short.

Interpreting Nmap Output
- Nmap output types:
  - Normal (-oN): human readable format.
  - Greppable (-oG): results are presented one host per line for analysis with grep.
  - XML (-oX): results in XML that can be consumed by other tools, e.g. the Dradis Framework, Armitage and Metasploit's db_import.
  - -oA <basename> writes all three at once.
- Results include the command run, IP addresses, and ports open, closed and filtered per IP address.

Interpreting Nmap Output: Greppable Format
- grep is a very powerful command for extracting the useful bits of information from an Nmap scan:
  - Hosts scanned
  - Applications running
  - Status of services
- Output can be sent to text files or to other commands for further analysis via piping or the output redirection operator.
- wc -l can be used in conjunction with grep to count how many instances of the specified data appear, e.g. by piping grep's matches for a given open port into wc -l.
- Example:
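The slide's example was a screenshot. In its place, an added example that is not from the course: a small parser for the greppable format that answers the same questions grep and wc -l are used for (which hosts have a port open, how many hosts expose a service, which versions are in play). The scan below is constructed sample data, not a real scan; the field layout follows Nmap's documented -oG format (tab-separated fields, port entries of the form port/state/proto/owner/service/rpcinfo/version/ separated by ", ").

```python
"""Parse Nmap greppable (-oG) output and count hosts, services and versions."""
from collections import Counter, defaultdict

# Constructed sample of -oG output: one host per line, fields separated by tabs.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open/tcp//domain//dnsmasq 2.89/, 443/open/tcp//https//lighttpd 1.4.67/\tIgnored State: closed (997)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 80/filtered/tcp//http///\tIgnored State: closed (997)
Host: 10.0.0.3 (web.example.test)\tStatus: Up
Host: 10.0.0.3 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 445/open/tcp//netbios-ssn//Samba smbd 4.10.16/\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 12:00:12 2024 -- 8 IP addresses (3 hosts up) scanned in 12.31 seconds
"""


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service, version)]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                   # '#' comment lines carry no host data
        fields = line.split("\t")
        _, addr_and_name = fields[0].split(" ", 1)     # "Host: 10.0.0.1 (name)"
        ip, _, name = addr_and_name.partition(" ")
        hosts[ip]["hostname"] = name.strip("()")
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Nmap replaces '/' inside version strings with '|', so splitting on '/' is safe.
                port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                hosts[ip]["ports"].append((int(port), state, proto, service, version.rstrip("/")))
    return dict(hosts)


def hosts_with_open_port(hosts, port, proto="tcp"):
    """The grep '<port>/open/<proto>' | wc -l question, but returning the IPs themselves."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p == port and st == "open" and pr == proto for p, st, pr, _, _ in h["ports"]))


def service_counts(hosts):
    """How many open ports of each service name the scan found across all hosts."""
    counts = Counter()
    for h in hosts.values():
        for _, st, _, svc, _ in h["ports"]:
            if st == "open":
                counts[svc] += 1
    return counts


def versions_of(hosts, service):
    """Map version string -> IPs: the list you need when researching version-specific bugs."""
    out = defaultdict(list)
    for ip, h in hosts.items():
        for _, st, _, svc, ver in h["ports"]:
            if st == "open" and svc == service:
                out[ver].append(ip)
    return dict(out)


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("hosts up:", len(hosts))
    print("445/tcp open on:", hosts_with_open_port(hosts, 445))
    print("services:", dict(service_counts(hosts)))
    print("ssh versions:", versions_of(hosts, "ssh"))
```

The filtered port on 10.0.0.2 is the reason the state field is checked explicitly: a naive grep for "80/" would count it as a web server.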

Fingerprinting Host Operating Systems
- Many methods exist to determine the operating system of a target host. Some can easily be accomplished by the tester:
  - Banner grabbing: service banners can reveal specific information about a target's operating system (although they can be faked).
  - HINFO records: the DNS server may store HINFO records that detail a host and its operating system.
  - SNMP: an unprotected SNMP agent can yield much information about a host. A legacy version of SNMP with default community strings is sometimes found within the client environment.
- Often, however, you won't have this information (or it could be wrong), so a more technical approach must be used to determine operating system versions.

Fingerprinting Host Operating Systems
- One of the most reliable methods to fingerprint an OS is by its TCP/IP stack.
- This is because the TCP and IP specifications do not pin down every aspect of how the protocols operate, leaving these areas up to interpretation by the operating system developers.
- Field values and responses in the packets therefore help to determine the OS. Some fields that generally vary between operating systems:
  - Initial packet size (16 bits)
  - Initial TTL (8 bits): typically 64 for Linux/BSD, 128 for Windows and 255 for many network devices, minus one for every hop traversed
  - Window size (16 bits)
  - Maximum segment size (16 bits)
  - Window scaling value (8 bits)
  - "Don't fragment" flag (1 bit)
  - "SACK OK" option (1 bit)
  - "NOP" option (1 bit), and the order of the TCP options in general

OS Fingerprinting with Nmap
- nmap -O <IP range>: fingerprint the OS along with port scanning. Requires root, and the match is most reliable when the host has at least one open and one closed TCP port; --osscan-guess shows near matches.
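Passive fingerprinting from the stack fields listed above (initial TTL, window size, DF bit), as an added example that is not from the course. It scores an observed SYN against a tiny signature table. The table is a constructed, illustrative subset of commonly cited defaults and is an assumption of this example, not an authoritative database (p0f and Nmap ship hundreds of entries); the observed packets are invented. The point it shows is the TTL round-up that recovers both the initial TTL and the hop distance, and why TTL alone is not enough to name an OS.

```python
"""Passive TCP/IP stack fingerprinting from observed SYN parameters."""
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)   # values real stacks start from


@dataclass(frozen=True)
class Signature:
    os: str
    initial_ttl: int
    window_sizes: frozenset   # default SYN window sizes seen from this stack
    df: bool                  # "don't fragment" set on the SYN?


# Illustrative table, assumed for this example; real databases are far larger.
SIGNATURES = (
    Signature("Linux 2.6+", 64, frozenset({5840, 14600, 29200, 64240}), True),
    Signature("FreeBSD", 64, frozenset({65535}), True),
    Signature("Windows Vista and later", 128, frozenset({8192, 64240, 65535}), True),
    Signature("Cisco IOS", 255, frozenset({4128}), False),
)


def infer_initial_ttl(observed_ttl):
    """Routers decrement TTL by one per hop, so the original value is the next
    common initial TTL at or above what we saw; the difference is the hop count."""
    for ittl in INITIAL_TTLS:
        if observed_ttl <= ittl:
            return ittl, ittl - observed_ttl
    raise ValueError("TTL above 255 is impossible in IPv4")


def fingerprint(observed_ttl, window, df):
    """Return (candidates, hops). candidates is [(os, score)] sorted best first;
    initial TTL and window size must both fit, DF agreement adds one point."""
    ittl, hops = infer_initial_ttl(observed_ttl)
    candidates = []
    for sig in SIGNATURES:
        if sig.initial_ttl != ittl or window not in sig.window_sizes:
            continue
        score = 2 + (df == sig.df)
        candidates.append((sig.os, score))
    candidates.sort(key=lambda c: -c[1])
    return candidates, hops


# Constructed observations, as a sniffer would record them: (ttl, window, df).
OBSERVED = [(52, 29200, True), (117, 8192, True), (250, 4128, False),
            (120, 64240, True), (50, 64240, True), (60, 1024, True)]

if __name__ == "__main__":
    for ttl, win, df in OBSERVED:
        cands, hops = fingerprint(ttl, win, df)
        print(f"ttl={ttl:3d} win={win:5d} df={df}: {cands or 'unknown'}, {hops} hops away")
```

The two 64240 samples show why the fields are combined: the window alone is ambiguous between Linux and Windows, and the TTL decides it. NAT devices, load balancers and window scaling all rewrite these values, which is why active probing (nmap -O) is more reliable than passive observation.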

OS Fingerprinting Tools
- OS fingerprinting techniques:
  - Manual methods: reading banners, DNS records, SNMP
  - TCP/IP fingerprinting: active TCP/IP stack analysis (send crafted probes) and passive TCP/IP stack analysis (observe traffic only)
  - Service enumeration
- Tools:
  - Nmap (active)
  - p0f (passive fingerprinter)
  - Xprobe2 (active; not updated anymore)

Service Fingerprinting
- Service fingerprinting is used to determine the actual application listening on a given port, and hopefully the version of the application as well.
- Some reasons to determine the service and version:
  - Often the application only runs on a certain OS (or states the OS it is running on), aiding in OS detection.
  - Software vulnerabilities occur in specific versions of software. Knowing the specific version allows the tester to research the vulnerabilities associated with it.
  - Some administrators rely on security through obscurity. They may put a vulnerable telnet server on TCP port 22 because port 22 is allowed through the firewall; the port number alone tells you nothing about what is really listening.

Service Fingerprinting
- Fingerprinting methods:
  - Many services are simply fingerprinted by the banner displayed. This can be dangerous because banners can easily be spoofed.
  - Some tools (such as Nmap) send probes and match the responses against a fingerprint database (nmap-service-probes), which is much harder to fool than a banner.
  - Various algorithms can be used to identify specific services, but generally these tools have to be specific to that service (ike-scan for IKE/VPN endpoints, etc.).
- The most common and easiest method is to fingerprint with Nmap.

Service Fingerprinting with Nmap
- nmap -sV <host>: version detection; probe each open port and match the responses against the service fingerprint database (--version-intensity 0-9 trades speed for thoroughness).
- nmap -A <host>: aggressive scan; OS fingerprinting, version detection, the default NSE scripts (covered later) and a traceroute in one run.

Network Enumeration Considerations
- Network architecture issues:
  - High latency, due to mis-configuration of devices and route management.
  - Firewalls may be configured so as not to allow traffic through the network, which may prevent discovery.
- Timing: depending on network latency and the amount of data collected, scanning will take different amounts of time. Being cognizant of these limitations factors into engagement time management.
- Problem results: running scans against a small number of hosts first and analyzing the results lets a pen tester determine any network limitations or issues with port scanning before committing to the full range.

Network Enumeration Considerations
- Speed vs. thoroughness: depending on network latency and architecture, adjustments to scanning may be required:
  - Timing: how fast probes are delivered to the targets (Nmap: -T0 to -T5, --scan-delay).
  - Parallelism: how many probes or hosts are scanned at once (--min-parallelism/--max-parallelism, --min-hostgroup/--max-hostgroup).
  - Retries: how many times a probe is resent when no response arrives (--max-retries).
  - Timeout: how long the port scanner waits for a response from the target (--min-rtt-timeout/--max-rtt-timeout, --host-timeout).
- Extending scan times improves accuracy because it allows more time for responses to arrive, but adjustments may be needed to stay within the engagement window.

Vulnerability Identification and Assessment

Vulnerability Identification
- Vulnerability identification is the last step necessary prior to exploiting customer hosts.
- Technically, vulnerability identification isn't required: exploits could just be sent randomly or based on informed guesses. However, that would have a pretty low chance of success.
- The goal is to identify as specifically as possible the OS and application software, and their versions, running on customer systems.
- This can be used to research specific vulnerabilities associated with the software running.

Vulnerability Identification Methods
- Several methods can be used:
  - Identifying software and software versions in use by the customer during information gathering (see the Information Gathering section).
  - Identifying software versions from host responses during network enumeration (OS and service fingerprinting), already covered in the Network Enumeration section.
  - Conducting network checks for certain vulnerabilities (limited vulnerability scanning).
  - Conducting full vulnerability scans against hosts on the network.
  - Manual configuration checks of hosts on the network.

Network Checks for Vulnerabilities
- Checking for vulnerabilities over the network provides a very limited capability for identification.
- Many network vulnerabilities can't be confirmed remotely without at least risking a DoS condition, so remote checks usually infer them from version strings instead.
- Vulnerabilities in software that doesn't listen on the network (client-side software) will not be identified.
- A vulnerability scanner used without credentials will only check for network vulnerabilities, and Nmap with the Nmap Scripting Engine can provide much the same capability.

Nmap Scripting Engine (NSE)
- A powerful and flexible Lua scripting engine that greatly extends the functionality of Nmap.
- Provides much more functionality than just network vulnerability identification. NSE features:
  - Increased network discovery capabilities: additional service enumeration.
  - More sophisticated version detection: additional probes and service interactions.
  - Vulnerability detection: checks for known vulnerabilities, generally non-intrusive.
  - Backdoor detection: reliably detects more complex backdoors.
  - Vulnerability exploitation: limited ability to actually exploit weaknesses.

Nmap Scripting Engine (NSE)
- NSE has a very large (and constantly growing) number of scripts; there were 221 when this course was written, and the count has more than doubled since.
- Some notable scripts include:
  - Citrix enumeration scripts
  - Database enumeration scripts for several database variants
  - DNS enumeration scripts (zone transfers, etc.)
  - Various HTTP enumeration scripts
  - Sniffer detection
  - Several SNMP interactions
  - Several Windows enumeration and interaction scripts (including psexec)
- Scripts are grouped into categories (default, discovery, safe, vuln, intrusive, exploit, brute, etc.) that can be selected by name.

Scanning and Enumeration with NSE
- nmap -sC <host> (or nmap -A <host>, which includes it): execute all scripts in the default category against the services found on open ports.
- nmap --script=<script name> <host>: execute a specific script; a category name (--script=vuln) or wildcard (--script="smb-*") also works, and --script-args passes arguments to scripts.
- nmap --script-help=<script name>: show what a script does, and how intrusive it is, before running it.

Vulnerability Scanners
- Several vulnerability scanners are out there (Nessus, Nexpose, nCircle IP360), but in essence they all do the same thing.
- When given the right credentials and configuration, vulnerability scanners can comprehensively identify almost all known vulnerabilities. For example, Nessus had over 30,000 checks (plugins) when this course was written.

Use of Vulnerability Scanners for Penetration Tests
- Many penetration testers think of using vulnerability scanners as cheating, and many customers think they are not getting a true penetration test if vulnerability scanners are used. Some reasons include:
  - They are very loud.
  - To get meaningful results, they require administrative credentials, which a real attacker wouldn't have.
- However, during a time-limited penetration test, the tester doesn't have nearly the time a real attacker would have: days vs. months.

Use of Vulnerability Scanners for Penetration Tests
- A penetration test should assess the actual risk presented by the vulnerabilities and the impact of successful compromises, NOT how fast testers can get into the system.
- If time is a factor, vulnerability scanning lets testers focus on identifying real risks instead of poking around for vulnerabilities.

Use of Vulnerability Scanners for Penetration Tests
- Credentialed scans:
  - Use administrative credentials to log into a device.
  - Verify the device has the appropriate patches and configuration applied.
- Un-credentialed scans:
  - Only detect vulnerabilities in network-facing services; no checks for user-installed and non-networked software (e.g. Internet Explorer).
  - Are a best guess for network services, since version strings in banners can easily be faked.
- Many clients will NOT accept un-credentialed scan results if the scans are run for a vulnerability assessment (or at least they shouldn't).

Difference Between Credentialed vs. Un-credentialed Scans
- Windows Server 2008 R2 Enterprise example
- CentOS 5.5 (Linux) example

What is Needed for Credentialed Scans
- Administrative credentials. Recommend the customer create a separate user, e.g. NinjaTest, and enable the account only during testing.
- Linux / UNIX: Secure Shell (SSH) access and the root or sudo password.
- Network devices: SSH access and device admin credentials.

What is Needed for Credentialed Scans
- Windows:
  - Configure the scanner to authenticate remote access as a local user (typically only requires admin rights on the host); the test account must have local admin rights.
  - The Windows Management Instrumentation (WMI) service should be enabled for thorough results.
  - The Remote Registry service must be enabled.
  - File & Printer Sharing must be enabled, and the firewall must allow inbound file and printer sharing connections (Windows Vista, Windows 7 and Windows Server 2008).
  - Ports 139 and 445 must be accessible to the scanner.
  - User Account Control (UAC) remote restrictions should be disabled for the test account (Windows Vista, Windows 7 and Windows Server 2008); otherwise a local admin account is stripped of its admin token when it connects over the network and the scan silently loses coverage.

Manual Configuration Checks
- For some systems it is very difficult to identify vulnerabilities:
  - Systems that do not respond well to scanning (mainframes, etc.)
  - Highly specialized systems
  - Various odd, or old, operating systems
- The only way to identify vulnerabilities in these systems is through manual review.
- Manual reviews can also check for configuration weaknesses sometimes missed by scanners.
- This is very much not a penetration testing activity, although penetration testers can very likely find themselves doing it.
- The only way to thoroughly cover this type of activity is to follow a vendor guide (or sometimes an industry best-practice benchmark).

Analyzing Vulnerability Results for Exploitation
- Goal: identify the risk associated with specific vulnerabilities.
- Customer-specific concerns should be taken into account:
  - Are there specific protocols the client is using that are insecure?
  - Do they want you to demonstrate the effect of vulnerabilities on specific hosts?
- Vulnerabilities can be given statistics:
  - How many web servers/printers/Windows hosts/Unix hosts/network devices are present on the network?
  - How many systems do not seem to be patched regularly?
  - How many hosts are affected by vulnerability X?
- Automation is crucial for larger engagements (thousands of hosts).

Analyzing Vulnerability Results for Exploitation
- Devise attack scenarios for approval by the customer, and ensure they are approved or signed off prior to initiating.
- Look for publicly available exploits for particular vulnerabilities.
- Consider alerting the client to critical findings as soon as possible, e.g. the presence of backdoor software, or anything touching client-specific concerns.

Evasion and Avoidance Techniques

Determine Web Server Version with Third Party Tools

Limited Port Scanning with Third Party Tools

Netcraft Reporter

Many Intel Gathering Activities can be Conducted Online

Evading Detection During Network Enumeration
- Any IDS or monitoring capability has a noise threshold for alerts, especially for network enumeration.
- The trick is to conduct any scanning beneath the threshold, or to raise the threshold above the level of your activities.
- Some methods to evade detection:
  - Slow down scans
  - Scan with decoys
  - Fragment packets
  - Modify standard scan packets
- Evasion often requires a good amount of trial and error. In a time-limited penetration test there is a good possibility you will not have the time to conduct many of the following activities.

Slowing Down Scans
- Nmap has probably the largest number of options for adjusting scan timing.
- Using the built-in timing templates is the quickest way to adjust settings:
  - -T3 (Normal) is the default.
  - -T1 (Sneaky) or -T0 (Paranoid) will likely evade most threshold-based IDS scan detection, but -T0 waits five minutes between probes and -T1 fifteen seconds, so scans take a very long time.
  - -T4 and -T5 go faster, at the cost of accuracy on slow or lossy links.

Fragmenting Packets
- Fragmenting packets involves splitting normal IP packets into very small chunks (often with payloads of no more than 8 bytes), so that even the TCP header is spread across several fragments.
- Can aid in evading some IDS and packet filters: a device that doesn't reassemble fragments cannot see the full TCP header, and some IDS can't process the large volume of fragments because of the overhead and simply drop them.
- Fragments are reassembled at the distant endpoint.
- Can be a very noisy attack, since IP packets are not often fragmented in normal traffic. Be careful, because it can cause a DoS condition on the reassembling device.
- Nmap's -f option fragments probes into 8-byte chunks (-ff for 16 bytes, --mtu for a custom size); the tool Fragroute will fragment all outbound traffic.

Avoiding Filtering During Network Enumeration
- Bypassing network filters allows you to map internal network resources, identify attack vectors and potentially launch additional attacks.
- Some methods to bypass network filters:
  - Scan from a specific source port
  - UDP scanning
  - Source routing
- Some methods to map network filters:
  - Firewalk
  - Bad checksums
- Often network filtering mechanisms (firewalls, etc.) are closely tied to the IDS, as filters should alert the monitoring capability when they drop traffic.

Specifying a Source Port
- Some (possibly mis-configured) filtering devices let traffic from certain source ports through regardless of destination, typically a rule written to permit return DNS or FTP-data traffic. Firewalls that maintain a state table should not be vulnerable.
- Specifying such a source port for all outbound packets can bypass these filters. Possible candidate ports include:
  - TCP and UDP port 53 (DNS)
  - TCP port 20 (FTP data)
  - TCP port 80 (HTTP)
  - TCP and UDP port 88 (Kerberos)
- Nmap's -g (or --source-port) option sets the outgoing source port. Nmap cannot honour it everywhere: connect() scans and version detection, for instance, use OS-chosen source ports.

Scanning UDP Ports
- Fewer services listen on UDP ports than on TCP ports.
- These ports can be overlooked by firewall administrators, or allowed through because they are not seen as dangerous.
- As discussed in the Network Protocols section, UDP scanning is much slower than TCP scanning.
- The best bet is to scan only a relatively few well-known ports. Some candidate ports:
  - Port 53 (DNS)
  - Port 88 (Kerberos)
  - Port 161 (SNMP)
- The best option may be to just use Nmap's top 10 UDP ports: Nmap's -sU option scans UDP ports, and --top-ports 10 limits the scan to the ten most common ones.

Bad Checksums
- TCP and UDP both carry a checksum so the end system knows the segment was not corrupted in transit.
- Endpoint stacks drop packets with a bad checksum, assuming they were corrupted, and never answer them.
- However, some filtering devices and IDS sensors skip checksum verification to increase throughput, and respond to (or alert on) the packet anyway.
- Intentionally sending packets with bad checksums can therefore help identify firewalls and other in-line devices: any reply must have come from a middlebox, not from the target.
- Nmap's --badsum option sends probes with bad TCP/UDP/SCTP checksums.
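What a bad checksum actually is at the byte level, as an added example that is not from the course: the Internet checksum (RFC 1071) computed over the IPv4 pseudo-header plus a UDP datagram, a deliberately corrupted variant of the kind --badsum sends, and the two receivers' decisions (a real endpoint verifies and drops; a throughput-optimised filter never looks). The addresses and payload are constructed; the functions that model the two receivers are assumptions of this example, not Nmap code.

```python
"""RFC 1071 Internet checksum for UDP over IPv4, with a --badsum style corruption."""
import socket
import struct

IPPROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, then one's complement.
    Over data that already contains a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header (RFC 768): source, destination, zero, protocol, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes, bad_checksum=False) -> bytes:
    """Build UDP header + payload with a correct checksum, or a deliberately wrong one."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field is zero while computing
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF        # in UDP a zero field means "no checksum"; a computed 0 is sent as all ones
    if bad_checksum:
        csum ^= 0x5A5A       # corrupt it, as --badsum does: no endpoint stack will accept this
        csum = csum or 1     # never produce 0 by accident, which would mean "unchecked"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def endpoint_accepts(src_ip, dst_ip, datagram: bytes) -> bool:
    """Model of a real host stack: verify the checksum and silently drop on mismatch."""
    _, _, length, csum = struct.unpack("!HHHH", datagram[:8])
    if csum == 0:
        return True          # IPv4 UDP sender opted out of checksumming
    return internet_checksum(pseudo_header(src_ip, dst_ip, length) + datagram[:length]) == 0


def lazy_filter_accepts(datagram: bytes, allowed_dports) -> bool:
    """Model of a throughput-optimised filter that never verifies checksums and only
    looks at the port. A reply to a --badsum probe can only come from such a device."""
    _, dport, _, _ = struct.unpack("!HHHH", datagram[:8])
    return dport in allowed_dports


SRC, DST = "192.0.2.10", "198.51.100.20"     # constructed addresses from the TEST-NET ranges

if __name__ == "__main__":
    query = b"\x12\x34\x01\x00" + b"\x00" * 8  # constructed 12-byte DNS-like payload
    good = build_udp(SRC, DST, 40000, 53, query)
    bad = build_udp(SRC, DST, 40000, 53, query, bad_checksum=True)
    print("endpoint accepts good datagram:", endpoint_accepts(SRC, DST, good))
    print("endpoint accepts bad datagram: ", endpoint_accepts(SRC, DST, bad))
    print("lazy filter accepts bad datagram:", lazy_filter_accepts(bad, {53}))
```

The same routine covers TCP by swapping the protocol number and summing over the TCP header instead; the pseudo-header is why a NAT device that rewrites addresses must also recompute the checksum, and why a filter that skips that step is detectable.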

Port Scanning Using Decoys
- Scanning with decoys can confuse IDS monitors by generating a (potentially very) large number of alerts from spoofed source addresses, concealing the real scanning activity among them.
- nmap -D RND:10 -p 21,23,25,80,110,53,3306,3389,135,139,445 192.168.23.131 (ten random decoy addresses alongside your own)
- Scanning with decoys has the potential to generate a very large number of packets: 11 sources (10 decoys plus your real address) x 256 hosts in a class C x 65,000 ports x 3 retries = 549,120,000 packets.
- Network resources could quickly get overloaded, so be careful. Decoys only confuse address-based attribution, and an upstream provider doing egress filtering may drop the spoofed packets entirely.

Evading Firewall Options

Network Enumeration and Mapping - References
- SuperScan: http://www.mcafee.com/us/downloads/free-tools/superscan3.aspx
- Angry IP Scanner: http://www.angryip.org/w/Home
- Scanrand: http://it.toolbox.com/wiki/index.php/Scanrand
- Xprobe2: http://sourceforge.net/news/?group_id=30984

Network Scanning - References
- Online port scanners:
  - http://www.t1shopper.com/tools/port-scan/
  - http://nmap-online.com/
  - http://www.hashemian.com/tools/port-scanner.php
- Nmap: http://nmap.org/
- From the Nmap Book:
  - Scanning types: http://nmap.org/book/man-port-scanning-techniques.html
  - Scanning performance: http://nmap.org/book/man-performance.html
  - Version scanning: http://nmap.org/book/vscan-technique.html
  - OS fingerprinting: http://nmap.org/book/osdetect.html#osdetect-intro

Vulnerability Assessment and Identification - References
- NSE script repository: http://nmap.org/nsedoc/index.html
- NSE guide: http://nmap.org/book/nse.html
- NSE usage: http://nmap.org/book/nse-usage.html#nse-categories
- Nexpose: http://www.rapid7.com/products/vulnerability-management.jsp
- Nessus: http://www.tenable.com/products/nessus
- nCircle: http://www.ncircle.com/index.php?s=products_ip360

Evasion and Avoidance Techniques - References
- Nmap evasion guide: http://nmap.org/book/man-bypass-firewalls-ids.html
- Loose source routing discussion: http://www.synacklabs.net/OOB/LSR.html
- LSRTunnel: http://www.synacklabs.net/projects/lsrtunnel/
- LSRScan: http://www.synacklabs.net/projects/lsrscan/