2.2.1 Information gathering & Vulnerability scanning: active reconnaissance/ scanning & recon Flashcards
What is active reconnaissance?
Engaging with the targeted systems or networks to gather information about their vulnerabilities
Scanning & enumeration: name the type of scan that can be done (3):
- Discovery scan: ping scan that identifies what host are online and port scan that identifies whether the ports on those hosts are open/closed
- Enumeration: it digs deep into target systems and links identified components into known vuln
- Nmap/Zenmap: nmap require exact syntax and zenmap provides dropdown menu, there is also other scan like ping scan, quick scan and intense scan
Scanning & enumeration: what is scanning?
Actively connecting to a system and getting a response to identify hosts, open ports, service, users, domain names and URLs used by a given organization
Scanning & enumeration: what is fingerprinting ?
The identification of an OS, service or specific software version that is use by a host, system or network
Scanning & enumeration: what is banner grabbing refers to?
Using a program like Netcat, wget or telnet to connect to a given port that is running a service
Scanning & enumeration: what’s the difference between scanning, enumeration and fingerprinting ?
- Scanning: more generic
- Enumeration: more in depth
- Fingerprinting: most detailed
Scanning & enumeration: what is host enumeration?
Enumeration of any server, workstation, client, which can also include mobile devices, tablets, and IoT devices, or even a networking device like a switch, router, or access point
Scanning & enumeration: how to proceed to a host enumeration?
We can enumerate the hosts using command line-based Windows tools or BASH command line tools for Linux hosts or servers to learn more about the target network
Scanning & enumeration: list and explain the most common commands line tools for enumeration on Windows
- net: A suite of tools that can be used to perform operations on groups, users, account policies, network shares, and more
- arp: Used when enumerating a Windows host. Address Resolution Protocol (ARP) Cache
provides a list of all the other machine’s MAC addresses that have recently communicated with the host you are currently on - ipconfig: Determines the IP address of the machine you are currently on
- ipconfig /displaydns: Displays any DNS names that have recently been resolved
Scanning & enumeration: list and explain the most common commands line tools for enumeration on Linux
- finger: Used to view a user’s home directory, their login, and their current idle time
- uname -a: Shows the OS’s name, version, and other relevant details displayed to the terminal
- env: Gives a list of all of the environment variables on a Linux system
Scanning & enumeration: can service be enumerated and why?
Yes, they can be enumerated to provide us with additional details about a given host
Scanning & enumeration: how service can be enumerated?
By conducting an intensive scan using Nmap, it returns information about the services running on a host’s open ports
Scanning & enumeration: what is Active Directory (AD)?
A database that stores, organizes, and enables access to other objects under its control
Scanning & enumeration: in AD, what is Organizational Unit (OU)?
Used within a domain to group similar objects (i.e., computers, groups, or even users) together
Scanning & enumeration: in AD, what is a user?
Used to represent a person or process that will access a given resource in the domain
