Chapter 3 - Scanning and Enumeration (Scanning Networks) Flashcards

1
Q

Definitions

Scanning

Footprinting

A

Scanning - discovering systems on the network and taking a look at what open ports and applications may be running

Footprinting - learning how big the network is and general information about its makeup

2
Q

Definitions

Frame
Packet
Segment

A

Frame - Layer 2, includes physical (MAC) addresses

Packet - Layer 3, includes network (IP) addresses

Segment - Layer 4, aka Protocol Data Unit

3
Q

Definition

User Datagram Protocol (UDP)

A

Layer 4, Transport, Protocol

Connectionless

examples: TFTP, DNS, DHCP

4
Q

6 TCP Flags that can be set in the TCP Header

SYN
ACK
RST
FIN
PSH
URG
A

SYN - Synchronize
ACK - Acknowledgement
RST - Reset. Forces termination in both directions
FIN - Finish. Orderly close of communications
PSH - Push. Forces delivery, ignores buffering
URG - Urgent. Data inside is being sent out of band, e.g. cancelling a message mid-stream

5
Q

Know what protocols use these ports

20-21
22
23
25
53
67
69
80
A
20 and 21 - FTP (TCP)
22 - SSH (TCP)
23 - Telnet (TCP)
25 - SMTP (TCP)
53 - DNS (TCP and UDP)
67 - DHCP (UDP)
69 - TFTP (UDP)
80 - HTTP (TCP)
6
Q

Know what protocols use these ports

110
135
137-139
143
161-162
389
443
445
A
110 - POP3 (TCP)
135 - RPC (TCP)
137-139 - NetBIOS (TCP and UDP)
143 - IMAP (TCP)
161-162 - SNMP (UDP)
389 - LDAP (TCP and UDP)
443 - HTTPS (TCP)
445 - SMB (TCP)
7
Q

Difference between these 2 types of port states

CLOSE_WAIT
TIME_WAIT

A

CLOSE_WAIT - the remote side of the connection closed the connection

TIME_WAIT - the local (your) side closed the connection

8
Q

Two types of broadcast addresses

Limited Broadcast

Directed Broadcast

A

Limited Broadcast addresses are delivered to every system inside the broadcast domain and use 255.255.255.255. (dest. MAC FF:FF:FF:FF:FF:FF)

Directed Broadcasts are sent to all devices on a subnet and use the subnet’s broadcast address. Routers may take action on these packets.

9
Q

7 Steps of EC Scanning Methodology

Check for live systems
Check for open ports
Scan beyond IDS
Perform Banner Grabbing
Scan for vulnerabilities
Draw network diagrams
Prepare proxies
A

Check for live systems - a simple ping can provide this. Tells you what responds on the network

Check for open ports - find listening ports on live systems

Scan beyond IDS - may need to alter your scans to avoid IDS devices

Perform Banner Grabbing - this and OS fingerprinting tell you which OS is on the system and which services it runs

Scan for vulnerabilities - perform a more focused look at vulnerabilities that haven't been patched

Draw network diagrams - display all logical and physical pathways to targets

Prepare proxies - obscure your efforts to stay hidden

11
Q

ICMP Message Types

0: Echo Reply
3: Destination Unreachable
4: Source Quench
5: Redirect
8: Echo Request
9: Time Exceeded

A

0: Echo Reply - answer to Type 8
3: Destination Unreachable - error message indicating host or network can't be reached. 7 codes used (know code 13 - communication administratively prohibited, i.e. blocked by a firewall)
4: Source Quench - congestion control message
5: Redirect - sent when 2 or more gateways are available and the best route is not the configured gateway
8: Echo Request - ping message requesting an echo reply
9: Time Exceeded - packet took too long (Code 0: TTL expired)

13
Q

Port Scan 1

Full Connect aka TCP connect or full open scan

A

runs through a full connection (3-way handshake) on all ports, tearing it down with RST at the end.

Easiest to detect, probably the most reliable

open ports respond with SYN/ACK
closed ports respond with RST

14
Q

Port Scan 2

Stealth aka half-open or SYN scan

A

Only SYN packets are sent to ports; no full 3-way handshake ever occurs

Responses are the same as for the TCP connect scan

Useful for hiding your scanning efforts, possibly bypassing firewalls and monitoring by blending in with normal traffic

Often goes unnoticed because no full connection is ever established to notice

15
Q

Port Scan 3

Inverse TCP Flag

A

Uses the FIN, URG or PSH flag, or no flags at all, to poke system ports

If the port is open, there will be no response.
If the port is closed, RST/ACK will be sent in response

17
Q

Port Scan 4

XMAS

A

Named the Christmas scan because all flags are turned on, so the packet is "lit up" like a Christmas tree.

Port responses are the same as with the inverse TCP scan.

Does not work against Windows computers because Microsoft's TCP/IP stack is not RFC 793 compliant

18
Q

Port Scan 5

ACK Flag Probe

A

2 versions. Both use the same method

Attacker sends a packet with the ACK flag set and looks at the return header (TTL or Window fields) to determine port status

in the TTL version, if TTL < 64, the port is open
in the Window version, if Window Size != 0 then the port is open

20
Q

Port Scan 6

IDLE

A

Uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan.

Designed for stealth, it uses the SYN flag and monitors responses as with a SYN scan

21
Q

Port Scan 7

UDP Scan

A

Send a datagram to the port and see what the response is.

Since there is no handshake, if the port is open you don't receive a response.

If the port is closed, you receive an ICMP port unreachable message

22
Q

IDLE Scanning process enumerated

6 steps

A
  1. Attacker sends a SYN/ACK packet to the zombie.
  2. Zombie doesn't expect a SYN/ACK and responds with RST. Attacker notes the IPID in the response
  3. Attacker sends a packet with the spoofed IP of the zombie and the SYN flag set to the target
  4. If the target port is open, it sends SYN/ACK to the zombie to complete the handshake
  5. Zombie responds to the target with a RST, which increments its IPID by one.
  6. Attacker sends another SYN/ACK to the zombie and notes the IPID. If the IPID increased by two, the idle (zombie) system sent a packet and the port was open. If the port was closed, the IPID increments by only one
23
Q

Nmap switches

-s
P
o
T

A

-s determines the type of scan to run

P sets up ping sweep options

o commands deal with output

T commands control speed and stealth of the scan

24
Q

Nmap switches 1-6

  • sA
  • sF
  • sI
  • sL
  • sN
  • sO
A
  • sA - ACK scan
  • sF - FIN scan
  • sI - IDLE scan
  • sL - DNS scan (list scan)
  • sN - NULL scan
  • sO - Protocol scan
25
Q

Nmap switches 7-12

  • sP
  • sR
  • sS
  • sT
  • sW
  • sX
A
  • sP - Ping scan
  • sR - RPC scan
  • sS - SYN scan
  • sT - TCP connect scan
  • sW - Window scan
  • sX - XMAS scan
26
Q

Nmap switches 13-18

  • PI
  • Po
  • Ps
  • PT
  • oN
  • oX
A
  • PI - ICMP ping
  • Po - No ping
  • Ps - SYN ping
  • PT - TCP ping
  • oN - Normal output
  • oX - XML output
27
Q

Nmap switches 19-23

  • T0
  • T1
  • T2
  • T3
  • T4
A
  • T0 - Serial, slowest scan
  • T1 - Serial, slowest scan
  • T2 - Serial, normal speed scan
  • T3 - Parallel, normal speed scan
  • T4 - Parallel, fast scan
28
Q

Hping (Hping2 or Hping3) attributes

A

Similar to Nmap for ping sweeps and port scans
also a packet crafting tool
command line only
runs on Windows and Linux

29
Q

Hping switches 1-6

  • 1
  • 2
  • 8
  • 9
  • -flood
  • Q --seqnum
A
  • 1 - sets ICMP mode
  • 2 - sets UDP mode
  • 8 - sets scan mode, expects argument for ports to scan
  • 9 - sets Hping in listen mode
  • -flood - sends packets as fast as possible
  • Q --seqnum - used to collect sequence numbers generated by the target, to see whether the sequences are predictable or not
30
Q

Hping switches 7-13

  • F
  • S
  • R
  • P
  • A
  • U
  • X
A
  • F - sets FIN flag
  • S - sets SYN flag
  • R - sets RST flag
  • P - sets PSH flag
  • A - sets ACK flag
  • U - sets URG flag
  • X - sets XMAS scan flags
31
Q

Evading an IDS by fragmenting packets

define and give example with nmap

A

break the packets apart before they're sent so the IDS can't recognize them

nmap -sS -A -f 172.17.15.12 would fragment a SYN scan and also do OS fingerprinting (-A)

32
Q

Definitions of ECC Active and Passive fingerprinting

A

Active - sending crafted, nonstandard packets to the target and analyzing the replies

Passive - sniffing packets without injecting anything, and examining things like TTL, window sizes, Don't Fragment (DF) flags and Type of Service (ToS) fields

33
Q

Spoofing an IP address

define and give examples of tools to use

caveat about spoofing

A

use a packet crafting tool to obscure the source address

hping
scapy
komodia
ettercap
cain
even nmap

caveat: spoofing means any data returned to the fake address won't be seen by the attacker

34
Q

Evasion by source routing

A

worked in 1995, but modern firewalls and routers detect and block it

applications could specify the route a packet would take to the destination, ignoring the routing tables between the systems

35
Q

Evasion with proxies

A

Attacker can use proxies in reverse, by sending commands and requests to the proxy and letting it relay them to the targets

Anyone monitoring the subnet sees the proxy sending the attack, not the attacker

Can use a single proxy or multiple proxies

36
Q

Proxy chains

A

use multiple proxies to hide your tracks

proxyswitcher.com
proxyworkbench.com
proxychains.sourceforge.net
cyberghost
proxifier

37
Q

Evasion with Tor

A

The Onion Router

a way to anonymize traffic by relaying it between Tor nodes

the final endpoint (exit node) decrypts the traffic, and it can be operated by anyone

38
Q

Evasion with anonymizers

A

web proxies that hide your identity
thousands are available; not all are safe

ones referenced by ECC:
guardster.com
ultrasurf.us
psiphon.ca
tails (the live OS)
39
Q

Vulnerability Scanners

A
Qualys FreeScan (qualsys.com)
GFI LanGuard (also does patch management)
OpenVAS (probably the best; like Nessus but free)