Chapter 3 - Scanning and Enumeration (Scanning Networks) Flashcards
Definitions
Scanning
Footprinting
Scanning - discovering systems on the network and taking a look at what open ports and applications may be running
Footprinting - learning how big the network is and general information about its makeup
Definitions
Frame
Packet
Segment
Layer 2, includes physical addresses
Layer 3, includes network address
Layer 4, aka Protocol Data Unit
Definition
User Datagram Protocol (UDP)
Layer 4, Transport, Protocol
Connectionless
examples: TFTP, DNS, DHCP
6 TCP Flags that can be set in the TCP Header
SYN ACK RST FIN PSH URG
SYN - Synchronize
ACK - Acknowledgement
RST - Reset. Forces termination in both directions
FIN - Finish. Ordered close to communications
PSH - Push. Forces delivery, ignores buffering
URG - Urgent. Data inside is being sent out of band, i.e. cancelling a message mid-stream
Know what protocols use these ports
20-21 22 23 25 53 67 69 80
20 and 21 - FTP (TCP)
22 - SSH (TCP)
23 - Telnet (TCP)
25 - SMTP (TCP)
53 - DNS (TCP and UDP)
67 - DHCP (UDP)
69 - TFTP (UDP)
80 - HTTP (TCP)
Know what protocols use these ports
110 135 137-139 143 161-162 389 443 445
110 - POP3 (TCP)
135 - RPC (TCP)
137-139 - NetBIOS (TCP and UDP)
143 - IMAP (TCP)
161-162 - SNMP (UDP)
389 - LDAP (TCP and UDP)
443 - HTTPS (TCP)
445 - SMB (TCP)
Difference between these 2 types of port states
CLOSE_WAIT
TIME_WAIT
CLOSE_WAIT - remote side of connection closed connection
TIME_WAIT - local (your) side closed the connection
Two types of broadcast addresses
Limited Broadcast
Directed Broadcast
Limited Broadcast addresses are delivered to every system inside the broadcast domain and use 255.255.255.255. (dest. MAC FF:FF:FF:FF:FF:FF)
Directed Broadcasts are sent to all devices on a subnet and use the subnet’s broadcast address. Routers may take action on these packets.
7 Steps of EC Scanning Methodology
Check for live systems
Check for open ports
Scan beyond IDS
Perform Banner Grabbing
Scan for vulnerabilities
Draw network diagrams
Prepare proxies
Check for live systems - simple ping can provide this. Tells you what responds on network
Check for open ports - find listening ports on live systems
Scan beyond IDS - may need to alter your scans to avoid IDS devices
Perform Banner Grabbing - This and OS fingerprinting tell what OS is on the system, what services they run
Scan for vulnerabilities - Perform more focused look at vulnerabilities that haven’t been patched
Draw network diagrams - display all logical and physical pathways to targets
Prepare proxies - obscure your efforts to stay hidden
ICMP Message Types
0: Echo Reply
3: Destination Unreachable
4: Source Quench
5: Redirect
8: Echo Request
9: Time Exceeded
0: Echo Reply - answer to Type 8
3: Destination Unreachable - error message indicating host or network can’t be reached. 7 codes used (know code 13 - communication administratively prohibited. ie blocked by firewall)
4: Source Quench - congestion control message
5: Redirect - when 2 or more gateways available and the best route is not the configured gateway
8: Echo Request - ping message requesting echo reply
9: Time Exceeded - packet took too long (Code 0 TTL expired)
Full Connect Port Scan 1
aka TCP connect or full open scan
runs through full connection (3 way handshake) on all ports, tearing it down with RST at the end.
Easiest to detect, probably the most reliable
open ports respond with SYN/ACK
closed ports respond with RST
Port Scan 2
Stealth aka half-open or SYN scan
Only SYN packets are sent to ports, no full 3-way handshake ever occurs
Responses are same as for the TCP connect scan
Useful for hiding your scanning efforts, possibly bypassing firewalls and monitoring by hiding as normal traffic
Doesn’t get noticed because no connection to notice
Port Scan 3
Inverse TCP Flag
Uses FIN, URG, PSH flag or no flag at all to poke system ports
If port is open, there will be no response.
If port is closed, RST/ACK will be sent in response
Port Scan 4
XMAS
Named Christmas scan because all flags are turned on, so the packet is “lit up” like a Christmas tree.
Port responses are same as with inverse TCP scan.
Do not work against Windows computers because Microsoft’s TCP/IP stack is not RFC 793 compliant
Port Scan 5
ACK Flag Probe
2 versions. Both use the same method
Attacker sends a packet with the ACK flag set and looks at the return header (TTL or Window fields) to determine port status
in TTL version, if TTL < 64, the port is open
in Window version, if Window Size != 0 then port is open
Port Scan 6
IDLE
Uses a spoofed IP address (idle zombie system) to elicit port responses during a scan.
Designed for stealth, it uses a SYN flag and monitors responses as with a SYN scan
Port Scan 7
UDP Scan
Send a datagram to the port and see what the response is.
Since there is no handshake, if the port is open you don’t receive a response.
If the port is closed, you receive an ICMP port unreachable message
IDLE Scanning process enumerated
6 steps
- Attacker sends SYN/ACK packet to zombie.
- Zombie doesn’t expect SYN/ACK and sets RST. Attacker notes the responding IPID
- Attacker sends packet with spoofed IP of zombie and SYN flag set, to the target
- If target port is open, it sends SYN/ACK to zombie to complete the handshake
- Zombie responds to target with a RST which increments the IPID by one.
- Attacker sends another SYN/ACK to zombie and notes the IPID. If IPID increased by two, the idle (zombie) system sent a packet and the port was open. If the port was closed, the IPID increments by one
Nmap switches
-s
P
o
T
-s determines the type of scan to run
P sets up ping sweep options
o commands deal with output
T commands control speed and stealth of scan
Nmap switches 1-6
- sA
- sF
- sI
- sL
- sN
- sO
- sA - ACK scan
- sF - FIN scan
- sI - IDLE scan
- sL - DNS scan (list scan)
- sN - NULL scan
- sO - Protocol scan
Nmap switches 7-12
- sP
- sR
- sS
- sT
- sW
- sX
- sP - Ping scan
- sR - RPC scan
- sS - SYN scan
- sT - TCP connect scan
- sW - Window scan
- sX - XMAS scan
Nmap switches 13-18
- PI
- P0
- PS
- PT
- oN
- oX
- PI - ICMP ping
- P0 - No ping
- PS - SYN ping
- PT - TCP ping
- oN - Normal output
- oX - XML output
Nmap switches 19-23
- T0
- T1
- T2
- T3
- T4
- T0 - Serial, slowest scan
- T1 - Serial, slowest scan
- T2 - Serial, normal speed scan
- T3 - Parallel, normal speed scan
- T4 - Parallel, fast scan
Hping (Hping2 or Hping3) attributes
Similar to Nmap for ping sweeps and port scans
also a packet crafting tool
command line only
runs on Windows and Linux
Hping switches 1-6
- 1
- 2
- 8
- 9
- -flood
- Q --seqnum
- 1 - sets ICMP mode
- 2 - sets UDP mode
- 8 - sets scan mode, expects argument for ports to scan
- 9 - sets Hping in listen mode
- -flood - sends packets as fast as possible
- Q --seqnum - used to collect sequence numbers generated by the target, to see whether the sequences are predictable or not
Hping switches 7-13
- F
- S
- R
- P
- A
- U
- X
- F - sets FIN flag
- S - sets SYN flag
- R - sets RST flag
- P - sets PSH flag
- A - sets ACK flag
- U - sets URG flag
- X - sets XMAS scan flags
Evading an IDS by fragmenting packets
define and give example with nmap
crack apart the packets before they’re sent so IDS can’t recognize them
nmap -sS -A -f 172.17.15.12 could fragment a SYN scan and do OS fingerprinting (-A)
Definitions of ECC Active and Passive fingerprinting
Active - sending crafted nonstandard packets to target and analyzing replies
Passive - sniffing packets without injecting anything, and examining things like TTL, window sizes, Don’t Fragment (DF) flags and Type of Service (ToS) fields
Spoofing an IP address
define and give examples of tools to use
caveat about spoofing
use a packet crafting tool to obscure source
hping, scapy, komodia, ettercap, cain, even nmap
spoofing means any data returned to the fake address won’t be seen by the attacker
Evasion by source routing
worked in 1995, but modern firewalls and routers detect and block it
applications could specify the route a packet would take to the destination, ignoring the route tables between the systems
Evasion with proxies
Attacker can use proxies in reverse, by sending commands and requests to the proxy and letting it relay them to the targets
Anyone monitoring the subnet sees the proxy sending the attack, not the attacker
Can use a single or multiple proxies
Proxy chains
use multiple proxies to hide your tracks
proxyswitcher.com
proxyworkbench.com
proxychains.sourceforge.net
cyberghost
proxifier
Evasion with Tor
The onion router
way to anonymize traffic by relaying between tor clients
the final endpoint decrypts the traffic, and it can be anyone
Evasion with anonymizers
web proxies that hide your identity
thousands available, not all are safe
ones referenced by ECC: guardster.com, ultrasurf.us, psiphon.ca, Tails (the live OS)
Vulnerability Scanners
Qualys FreeScan (qualys.com), GFI LanGuard (also does patch mgmt), OpenVAS (probably the best, like Nessus but free)