2.2.2 Information gathering & Vulnerability scanning: active reconnaissance/ Detecting and Evading Defenses & Packet Crafting Flashcards
Detecting and Evading Defenses: what is a load balancer ?
A core networking solution that distributes traffic across multiple servers inside a server farm. It allows multiple servers to answer as a single server
Detecting and Evading Defenses: what is a Load Balancer Detector (LBD) ?
Determines the presence of a load balancer
Detecting and Evading Defenses: what issue can you have while scanning a network that has load balancers?
Load balancers can throw off (skew/disrupt) scan results with increased false positives or false negatives
Detecting and Evading Defenses: what is a firewall?
A type of network security device that monitors and filters incoming and outgoing network traffic. Relies on a set of rules known as an access control list (ACL)
Detecting and Evading Defenses: while scanning a network, how do you detect whether an organization uses a firewall?
Use traceroute
Detecting and Evading Defenses: what is Firewalk?
● An active reconnaissance tool that tries to determine what layer 4 protocols a given firewall will actually pass past it
● Lets you move through the firewall and identify the rule sets
Detecting and Evading Defenses: what is a Web Application Firewall (WAF)?
Utilizes specific rule sets to prevent common attacks against web applications, such as cross-site scripting and SQL injections
Detecting and Evading Defenses: how to bypass a WAF?
Use obfuscation techniques to confuse these web application firewalls, such as:
● Personalized cookies in HTTP packets
● Header alterations
● WAF notifications
Detecting and Evading Defenses: what is an antivirus?
A specific type of software that is used to prevent, scan, detect, and delete viruses or malware
Detecting and Evading Defenses: how to bypass an antivirus (4)?
● Metamorphic virus
● Signature obfuscation
● Fileless malware
● Encryption
Packet Crafting: what is it ?
A technique that allows for the generation of a network packet with the specific data content described by an attacker or penetration tester
Packet Crafting: why should you use it?
● Setting up unusual TCP flags to see firewall response
● Fragmenting packets
Packet Crafting: what are the different stages of packet crafting (4)?
1/ Assemble: creates a packet to be sent
2/ Edit: modifies the content of the created packet
3/ Play: sends or resends packet onto the network
4/ Decode: captures and analyzes the traffic generated by the sent packet
Packet Crafting: what methods can you use to craft a packet?
● Command line (Hping)
● GUI
● Script (Scapy)
Packet Crafting: what is hping3 and why is it used by pentesters?
An open-source spoofing tool that provides a pen tester with the ability to craft network packets to exploit vulnerable firewalls and IDS/IPS
Packet Crafting: what can you do with hping3?
- A powerful packet crafting tool
- Customize any packet in any form
- Bypass the firewall rules
- Perform Port Scanning
- Exploit known TCP/IP stack vulnerabilities
Packet Crafting: using hping3, what do you use for host/port detection and firewall testing?
Sends a SYN or ACK packet to conduct detection and testing
Packet Crafting: explain this command "hping3 -S -p80 -c1 192.168.1.1"
Sends 1 SYN packet to port 80 of 192.168.1.1
Packet Crafting: what command would you use to send 1 ACK packet to port 80 using hping3?
hping3 -A -p80 -c1 192.168.1.1
Packet Crafting: what is timestamping used for in hping3, and what is the command line for using it?
- Timestamping is used to determine the target system's uptime.
- For example, this command sends 2 SYN packets to port 80 to determine uptime: hping3 -c2 -S -p80 --tcp-timestamp 192.168.1.1
Packet Crafting: can you traceroute with hping3 and why?
Yes. In hping3, traceroute can use arbitrary packet formats, such as probing DNS ports over TCP or UDP, to perform traces when ICMP is blocked on a given network.
Packet Crafting: how to set traceroute mode with hping3?
Add --traceroute to your hping3 command
Packet Crafting: can you fragment the packet with hping3 and why?
Yes you can. It attempts to evade detection by IDS/IPS and firewalls by sending fragmented packets across the network for later reassembly
Packet Crafting: how to set packet fragmentation mode with hping3?
Add -f to your hping3 command
Packet Crafting: can you do a DoS with hping3 and why?
Yes you can. It can be used to perform flood-based DoS attacks from randomized source IPs
Packet Crafting: what is the issue nowadays with using hping3 for DoS and fragmentation?
Fragmentation and DoS are not likely to be effective against most modern operating systems and network appliances
Packet Crafting: what is Scapy?
A powerful, interactive packet manipulation tool, packet generator, network scanner, network discovery, packet sniffer, and more in one script.
● Scapy: runs on Python 2
● Scapy 3: runs on Python 3