Chapter 3 - Scanning & Enumeration

Question 1

Connection-Oriented vs Connectionless Communication

Answer 1

Connectionless: UDP, Fire and forget, don’t care if recipient has bandwidth to accept message. Connection-Oriented: TCP, Error checkin and high overhead, uses TCP handshake.

Question 2

SYN Flag

Answer 2

Synchronize flag that is set during initial communication establishment. It indicates negotiation of parameters and sequence numbers.

Question 3

ACK Flag

Answer 3

Acknowledgement - This flag is set as an acknowledgement to SYN flags. This flag is set on all segments after the initial SYN flag

Question 4

RST Flag

Answer 4

Reset - This flag forces a termination of communications (in both directions)

Question 5

FIN Flag

Answer 5

Finish - This flag signifies an ordered close to communications

Question 6

PSH Flag

Answer 6

Push - This flag forces the delivery of data without concerns for any buffering. In other words, the receiving device need not wait for the buffer to fill up before processing data.

Question 7

URG Flag

Answer 7

Urgent - When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.

Question 8

TCP 3-way Handshake sequence numbers process

Answer 8

Sequence numbers increase on new communication. Example is computers A and B. A would increment B’s sequence number. A would never increment it’s own sequence.

Question 9

What is the purpose of the IANA (Internet Assigned Numbers Authority)

Answer 9

Maintains Service Name and Transport Protocol Port Number Registry which lists all port number reservations. Oversees global IP address allocation

Question 10

What range of ports are considered to be “well-known”

Answer 10

0 - 1023

Question 11

What ports are registered ports

Answer 11

1024 - 1049, 51

Question 12

What are the Dynamic Ports

Answer 12

49, 152 - 165, 535

Question 13

FTP port

Answer 13

TCP port 20/21

Question 14

SSH

Answer 14

TCP 22

Question 15

Telnet

Answer 15

TCP 23

Question 16

SMTP

Answer 16

TCP 25

Question 17

DNS

Answer 17

TCP/UDP 53. (TCP 53 is zone transfer)

Question 18

DHCP

Answer 18

UDP 67

Question 19

TFTP

Answer 19

UDP 69

Question 20

HTTP

Answer 20

TCP 80

Question 21

POP3

Answer 21

TCP 110

Question 22

RPC

Answer 22

TCP/135

Question 23

NetBIOS

Answer 23

TCP/UDP 137-139

Question 24

IMAP

Answer 24

TCP/143

Question 25

SNMP

Answer 25

UDP 161/162

Question 26

LDAP

Answer 26

TCP/UDP 389

Question 27

HTTPS

Answer 27

TCP 443

Question 28

SMB

Answer 28

TCP 445

Question 29

SYSLOG

Answer 29

UDP 514

Question 30

When a port is open, a service is said to be _______

Answer 30

Listening

Question 31

Once a servie has made a connection, the port is in an ________ state.

Answer 31

Established

Question 32

IPv4 Main Address Types:

Answer 32

Unicast - Acted on by a single recipient.

Multicast - acted on by members of a specific group.

Broadcast - Acted on by everyone on the network.

Limited - Delivered to every system in the domain (255.255.255.255).

Directed - Delivered to all devices on a subnet and use that broadcast address

Question 33

What is the Subnet Mask?

Answer 33

Determines how many addresses are available on a specific subnet. Represented by three methods: Decimal - 255.240.0.0. Binary - 1111111.1111111000.0000000.000000. CIDR - x.x.x.x/12

Question 34

CurrPorts (tool)

Answer 34

Tool that displays a list of all currently opened TCP/IP and UDP ports on your local computer, including information about the processes that opened the port, the process name, full path, version information, the time it was created and the user who created it

Question 35

CLOSED_WAIT vs TIME_WAIT

Answer 35

CLOSE_WAIT indicates that the remote side of your connection has closed the connection, whereas a TIME_WAIT state indicates that your side has closed the connection.

Question 36

Limited vs Directed Broadcast Address

Answer 36

Limited:: Are delivered to every system inside the broadcast domain, and use 255.255.255.255 (routers ignore all limited broadcasts). Directed: Are sent to all devices on a subnet, and they use the subnet’s broadcast address.

Question 37

Scanning Methodology Phases

Answer 37

1. Check for live systems
2. Check for open ports.
3. Scan beyond IDS.
4. Perform Banner Grabbing .
5. Scan for vulnerabilities.
6. Draw network diagrams.
7. Prepare proxies.

Question 38

ICMP Message Type: Echo Reply

Answer 38

Type: 0 . Answer to a Type 8 Echo Request

Question 39

ICMP Message Type: Destination Unreachable

Answer 39

Type 3: Error message indicating the host or network cannot be reached. Codes: 0 - network host unreachable. 1 - Destination Host unreachable. 6 - Network Unknown. 7 - Host Unknown 9 - Network Administratively prohibited. 10 - Host adinistratively prohibited. 13 - Communication administratively prohibited.

Question 40

ICMP Message Type: Source Quench

Answer 40

Type 4: A Congestion control message

Question 41

ICMP Message Type: Redirect

Answer 41

Type: 5 : Sent when there are two or more gateways available for the sender to use and the best route available to the destination is not the configured default gateway. 0 - Redirect datagram of network 1- Redirect datagram for the host

Question 42

ICMP Message Type: Echo Request

Answer 42

Type: 8 A ping message , requesting echo reply

Question 43

ICMP Message Type: Time Exceeded

Answer 43

Type 11: The packet took too long to be routed to the destination (Code 0 is TTL expired)

Question 44

What tools would you use to check for live systems?

Answer 44

Ping Sweep (Easiest) , Nmap, ICMP Echo request, Angry IP Scanner, Solar-Winds engineer Toolkit, Advanced IP Scanner, Pinkie

Question 45

What does ICMP Type 3, Code 13 usually mean?

Answer 45

A poorly configured firewall is preventing the delivery of ICMP packets.

Question 46

Full Connect (Port Scan)

Answer 46

TCP connect or full open scan - Full 3-way handshake connection and then tears down with RST. Easiest to detect, but most reliable

Question 47

Stealth Scan

Answer 47

Half-open or SYN Scan. Only SYN packets are sent to ports. Useful for hiding and bypassing firewall

Question 48

Inverse TCP Flag Scan

Answer 48

Uses the FIN, URG, or PSH flag to poke system ports. If port is open, there will be NO response at all. If closed, an RST/ACK will be sent in response.

Question 49

XMAS Scan

Answer 49

All flags are turned on, so packet is lit up like a xmas tree. Port respnoses are the same as INVERSE TCP. No respnose is OPEN

Question 50

ACK Flag Probe Scan

Answer 50

Attacker sends ACK flag and looks at return header to determine port status. If TTL of returned RST packet is less than 64, port is OPEN. If Windows if the WINDOW size on the RST packet has anything other than zero, port is OPEN

Question 51

What kind of scan can be used to check for Stateful firewall

Answer 51

Ack Flag Probe. If an ACK is sent and there is no response, this indicates a stateful firewall between the attacker and host.
nmap -sA

Question 52

IDLE Scan

Answer 52

Uses a spoofed IP address (idle zombie) to elicit port responses during a scan. Designed for stealth, uses a SYN flag and monitors response with SYN scan

Question 53

nmap -sA

Answer 53

ACK probe scan

Can help determine stateful firewall in place. No response = open

Question 54

nmap -sF

Answer 54

FIN scan

Question 55

nmap -sI

Answer 55

IDLE scan

Question 56

nmap -sL

Answer 56

DNS scan (list scan)

Question 57

nmap -sN

Answer 57

NULL scan

A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. … If the port is closed, the target will send an RST packet in response.

Question 58

nmap -sO

Answer 58

Protocol scan (tests which IP protocols respond)

Question 59

nmap -sP

Answer 59

Ping scan

Question 60

nmap -sR

Answer 60

RPC scan

Question 61

nmap -sS

Answer 61

SYN scan

Question 62

nmap -sT

Answer 62

TCP connect scan

Question 63

nmap -sW

Answer 63

Window scan

Question 64

nmap -sX

Answer 64

XMAS scan

Question 65

nmap -A

Answer 65

OS detection, version detection, script scanning and traceroute

Question 66

nmap -PI

Answer 66

ICMP ping

Question 67

nmap -Po

Answer 67

No ping

Question 68

nmap -PS

Answer 68

SYN ping

Question 69

nmap -PT

Answer 69

TCP ping

Question 70

nmap -oN

Answer 70

Normal output

Question 71

nmap -oX

Answer 71

XML output

Question 72

nmap -T0 through -T2

Answer 72

Serial scans. T0 is slowest

Question 73

nmap -T3 through -T5

Answer 73

Parallel scans. T3 is slowest

Question 74

By default what is the speed of nmap scan

Answer 74

T3

Question 75

hping3 -1

Answer 75

Sets ICMP mode

Question 76

hping3 -2

Answer 76

Sets UDP mode

Question 77

hping3 -8

Answer 77

Sets scan mode. Expects port range without -p flag

Question 78

hping3 -9

Answer 78

Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0)

Question 79

hping3 –flood

Answer 79

Sends packets as fast as possible without showing incoming replies

Question 80

hping3 -Q

Answer 80

Collects sequence numbers generated by the host

Question 81

hping3 -p

Answer 81

Sets port number

Question 82

hping3 -F

Answer 82

Sets the FIN flag

Question 83

hping3 -S

Answer 83

Sets the SYN flag

Question 84

hping3 -R

Answer 84

Sets the RST flag

Question 85

hping3 -P

Answer 85

Sets the PSH flag

Question 86

hping3 -A

Answer 86

Sets the ACK flag

Question 87

hping3 -U

Answer 87

Sets the URG flag

Question 88

hping3 -X

Answer 88

Sets the XMAS scan flags

Question 89

Active vs Passive OS Fingerprinting

Answer 89

Active: Sending crafted, nonstandard packets to the target. Passive: Sniffing network traffic for things such as TTL windows DF (Don’t Fragment) flags and ToS (Type of Service) fields

Question 90

Why is using the scan type: “ nmap -f “ useful for evading IPS

Answer 90

The -f flag is used for fragmenting packets. By cracking apart the packets before they’re sent will be unrecognizable by IDS.

Question 91

What should you be aware of before spoofing an IP address?

Answer 91

IP Spoofing can only be used when you don’t expect a response back to your machine.

Question 92

Source Routing

Answer 92

Specifies the path a packet should take on the network. Most systems do not allow this anymore.

Question 93

IP Address Decoy

Answer 93

sends packets from your IP as well as multiple other decoys to confuse the IDS/Firewall as to where the attack is really coming from. EX: nmap -D RND:10 x.x.x.x nmap -D decoyIP1….sourceIP…[target]

Question 94

Proxy (evasion)

Answer 94

For evasion, hackers can use proxy technology in reverse. By sending commands and requests to the proxy and letting the proxy relay them to the targets. So anyone monitoring the subnet sees the proxy trying all these actions, not the attacker

Question 95

Proxy Chains

Answer 95

Multiple proxies further hide your activities. Tools for this: Proxy Switcher, Proxy Workbench, SoftCab’s Proxy Chain Builder, CyberGhost, and Proxifier

Question 96

ToR

Answer 96

The Onion Routin. Tor works by installing a small client on the machine, which then gets a list of other clients running Tor from a directory server. The client then bounces internet requests off random ToR clients, making it nearly impossible to trace a request back to source.

Question 97

Anonymizers (Evasion)

Answer 97

Anonymizers hides identity on HTTP traffic (port 80)

Question 98

Anonymizer Tools

Answer 98

Guardster, Ultrasurf, Psiphon, Tails

Question 99

Gzapper

Answer 99

A tool that can be used to remove Google cookie on system.

Question 100

Vulnerability Scanning Tools

Answer 100

Tenable’s Nessus (Standard), GFI LanGuard, Qualys, FreeScan, OpenVAS

Question 101

Enumeration Definition

Answer 101

Defined as listing the items that are found within a specific target. Always active in nature.

Question 102

Security Context (Windows System)

Answer 102

User identifiy and authentication information

Question 103

Security Identifier (SID)

Answer 103

Identifies a user, group or computer account

Question 104

Resource Identifier (RID) (Windows)

Answer 104

Portion of the SID identifying a specific user, group or computer.

Question 105

Example SID: S-1-5-21-3874928736-367528774-1298337465-500

Answer 105

Administrator Account - SID of 500

Question 106

Administrator vs Regular Account SID

Answer 106

Admin - 500 and Regular accounts - Start with SID of 1000

Question 107

Where can you find info about users and groups in Linux?

Answer 107

/etc/passwd can find user IDs (UID) and group IDs (GID)

Question 108

SAM Database

Answer 108

File where all local passwords are stored (encrypted). Stored in C:\Windows\System32\Config

Question 109

Linux Enumeration: Finger

Answer 109

Linux command to get info on users and the host machine

Question 110

Linux Enumeration: rpcinfo and rpcclient

Answer 110

Info on RPC in the environment

Question 111

Linux Enumeration: showmount

Answer 111

displays all shared directories on the machine

Question 112

Banner Grabbing is apart of what scanning methodology?

Answer 112

Enumeration.

Question 113

Active vs Passive Banner Grabbing

Answer 113

Active - Sending specially crafted packets to the remote systems and comparing responses to determine OS. Passive - reading error messages, sniffing network traffic, or looking at page extensions.

Question 114

What are a couple ways to perform a banner grab?

Answer 114

telnet or telnet 25 or use netcat: nc

Question 115

What does NetBIOS do?

Answer 115

NetBIOS provides name servicing, connectionless communication and some Session layer stuff. NetBIOS is a 16 character ASCII string used to identify devices. DOES NOT WORK ON IPv6.

Question 116

NetBIOS Remote Machine Name Table

Answer 116

<1B> UNIQUE Domain Master Browser. <1C> UNIQUE Domain Controller. <1D> GROUP Master browser for subnet. <00> UNIQUE Hostname. <00> GROUP Domain Name. <03> UNIQUE Service running on system. <20> UNIQUE Server service running.

Question 117

Command to display NetBIOS

Answer 117

nbtstat (gives your own info), nbtstat -n (local table), nbtstat -A IPAddress (remote info) , nbtstat -c (gives cache info).

Question 118

Tools to use for NetBIOS Enumeration

Answer 118

SuperScan, Hyena, NetBIOS Enumerator, NSAuditor

Question 119

SNMP

Answer 119

Port 161, Consists of a manager and agents. A simple central management system set up on the network will make requests of SNMP agents on the devices.

Question 120

SNMP - MIB vs OID

Answer 120

OID - Object Identifiers for information stored in MIB. MIB - Management Information Base: Holds information and is arranged with numeric identifiers (OIDs)

Question 121

SNMP GET vs SNMP SET

Answer 121

SNMP GET : Gets information about the system SNMP SET: Sets information about the system

Question 122

SNMP: Scalar vs Tabular

Answer 122

Two types of manageed objects in SNMP: Scalar defines a single object, whereas tabular defines multiple related objects that can be grouped together in MIB tables.

Question 123

Tools to enumerate SNMP

Answer 123

SNMP Scanner, OpUtils 5, SNScan, Engineers Toolkit (solarwinds)

Question 124

LDAP Enumeration

Answer 124

Designed to be queried. Connects on 389 to a Directory System Agent (DSA). Returns info such as valid user names, domain information, addresses, telephone numbers, system data, organization structure, etc.

Question 125

Tools for LDAP Enumeration

Answer 125

Softerra, Jxplorer, Lex, LDAP Admin Tool

Question 126

NTP Enumeration

Answer 126

UDP on port 123. Sets time across network. Querying the NTP server can give you information such as a list of systems connected to the server (name and IP) and possibly IP of internal systems.

Question 127

Tools for NTP enumeration

Answer 127

NTP Server Scanner, AtomSync Nmap, Wireshark, Ntptrace (command), ntpdc, ntpq

Question 128

SMTP Enumeration Commands

Answer 128

VRFY - Validates user. EXPN - provides actual delivery address of mailing list and aliases. RCPT TO - defines recipients

Question 129

Syslog Port

Answer 129

UDP/514