Chapter 3 - Scanning & Enumeration Flashcards
Connection-Oriented vs Connectionless Communication
Connectionless: UDP. Fire and forget; the sender does not care whether the recipient has the bandwidth to accept the message. Connection-Oriented: TCP. Error checking and high overhead; uses the TCP handshake.
SYN Flag
Synchronize flag that is set during initial communication establishment. It indicates negotiation of parameters and sequence numbers.
ACK Flag
Acknowledgement - This flag is set as an acknowledgement to SYN flags. This flag is set on all segments after the initial SYN flag.
RST Flag
Reset - This flag forces a termination of communications (in both directions)
FIN Flag
Finish - This flag signifies an ordered close to communications
PSH Flag
Push - This flag forces the delivery of data without concerns for any buffering. In other words, the receiving device need not wait for the buffer to fill up before processing data.
URG Flag
Urgent - When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.
TCP 3-way Handshake sequence numbers process
Sequence numbers increase on new communication. Example: computers A and B. A would increment B's sequence number. A would never increment its own sequence number.
What is the purpose of the IANA (Internet Assigned Numbers Authority)
Maintains the Service Name and Transport Protocol Port Number Registry, which lists all port number reservations. Oversees global IP address allocation.
What range of ports are considered to be “well-known”
0 - 1023
What ports are registered ports
1024 - 49,151
What are the Dynamic Ports
49,152 - 65,535
FTP port
TCP port 20/21
SSH
TCP 22
Telnet
TCP 23
SMTP
TCP 25
DNS
TCP/UDP 53. (TCP 53 is zone transfer)
DHCP
UDP 67
TFTP
UDP 69
HTTP
TCP 80
POP3
TCP 110
RPC
TCP/135
NetBIOS
TCP/UDP 137-139
IMAP
TCP/143
SNMP
UDP 161/162
LDAP
TCP/UDP 389
HTTPS
TCP 443
SMB
TCP 445
SYSLOG
UDP 514
When a port is open, a service is said to be _______
Listening
Once a service has made a connection, the port is in an ________ state.
Established
IPv4 Main Address Types:
Unicast - Acted on by a single recipient.
Multicast - acted on by members of a specific group.
Broadcast - Acted on by everyone on the network.
Limited - Delivered to every system in the domain (255.255.255.255).
Directed - Delivered to all devices on a subnet, using that subnet's broadcast address.
What is the Subnet Mask?
Determines how many addresses are available on a specific subnet. Represented by three methods: Decimal - 255.240.0.0. Binary - 11111111.11110000.00000000.00000000. CIDR - x.x.x.x/12
CurrPorts (tool)
Tool that displays a list of all currently open TCP/IP and UDP ports on your local computer, including information about the processes that opened each port: the process name, full path, version information, the time it was created and the user who created it.
CLOSE_WAIT vs TIME_WAIT
CLOSE_WAIT indicates that the remote side of your connection has closed the connection, whereas a TIME_WAIT state indicates that your side has closed the connection.
Limited vs Directed Broadcast Address
Limited: Delivered to every system inside the broadcast domain, using 255.255.255.255 (routers ignore all limited broadcasts). Directed: Sent to all devices on a subnet, using the subnet's broadcast address.
Scanning Methodology Phases
- Check for live systems
- Check for open ports.
- Scan beyond IDS.
- Perform banner grabbing.
- Scan for vulnerabilities.
- Draw network diagrams.
- Prepare proxies.
ICMP Message Type: Echo Reply
Type 0. Answer to a Type 8 Echo Request.
ICMP Message Type: Destination Unreachable
Type 3: Error message indicating the host or network cannot be reached. Codes: 0 - Network unreachable. 1 - Destination host unreachable. 6 - Network unknown. 7 - Host unknown. 9 - Network administratively prohibited. 10 - Host administratively prohibited. 13 - Communication administratively prohibited.
ICMP Message Type: Source Quench
Type 4: A congestion control message.
ICMP Message Type: Redirect
Type 5: Sent when there are two or more gateways available for the sender to use and the best route to the destination is not the configured default gateway. Codes: 0 - Redirect datagram for the network. 1 - Redirect datagram for the host.
ICMP Message Type: Echo Request
Type 8: A ping message, requesting an echo reply.
ICMP Message Type: Time Exceeded
Type 11: The packet took too long to be routed to the destination (Code 0 is TTL expired).
What tools would you use to check for live systems?
Ping sweep (easiest), Nmap, ICMP Echo Request, Angry IP Scanner, SolarWinds Engineer Toolkit, Advanced IP Scanner, Pinkie
What does ICMP Type 3, Code 13 usually mean?
A poorly configured firewall is preventing the delivery of ICMP packets.
Full Connect (Port Scan)
TCP connect or full open scan - Completes the full 3-way handshake and then tears the connection down with RST. Easiest to detect, but most reliable.
Stealth Scan
Half-open or SYN scan. Only SYN packets are sent to ports; the handshake is never completed. Useful for hiding and bypassing firewalls.
Inverse TCP Flag Scan
Uses the FIN, URG, or PSH flag to poke system ports. If the port is open, there will be NO response at all. If closed, an RST/ACK will be sent in response.
XMAS Scan
All flags are turned on, so the packet is lit up like a Christmas tree. Port responses are the same as the inverse TCP flag scan: no response means OPEN.
ACK Flag Probe Scan
Attacker sends an ACK flag and looks at the returned header to determine port status. If the TTL of the returned RST packet is less than 64, the port is OPEN. If the WINDOW size on the returned RST packet is anything other than zero, the port is OPEN.
What kind of scan can be used to check for Stateful firewall
ACK flag probe (nmap -sA). If an ACK is sent and there is no response, this indicates a stateful firewall between the attacker and the host.
IDLE Scan
Uses a spoofed IP address (an idle "zombie" host) to elicit port responses during a scan. Designed for stealth: sends SYN packets and monitors the zombie's responses, as in a SYN scan.
nmap -sA
ACK probe scan
Can help determine whether a stateful firewall is in place. No response = open.
nmap -sF
FIN scan
nmap -sI
IDLE scan
nmap -sL
DNS scan (list scan)
nmap -sN
NULL scan
A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. … If the port is closed, the target will send an RST packet in response.
nmap -sO
Protocol scan (tests which IP protocols respond)
nmap -sP
Ping scan
nmap -sR
RPC scan
nmap -sS
SYN scan
nmap -sT
TCP connect scan
nmap -sW
Window scan
nmap -sX
XMAS scan
nmap -A
OS detection, version detection, script scanning and traceroute
nmap -PI
ICMP ping
nmap -P0
No ping
nmap -PS
SYN ping
nmap -PT
TCP ping
nmap -oN
Normal output
nmap -oX
XML output
nmap -T0 through -T2
Serial scans. T0 is the slowest.
nmap -T3 through -T5
Parallel scans. T3 is the slowest.
By default, what is the speed of an nmap scan?
T3
hping3 -1
Sets ICMP mode
hping3 -2
Sets UDP mode
hping3 -8
Sets scan mode. Expects port range without -p flag
hping3 -9
Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0)
hping3 --flood
Sends packets as fast as possible without showing incoming replies.
hping3 -Q
Collects sequence numbers generated by the host
hping3 -p
Sets port number
hping3 -F
Sets the FIN flag
hping3 -S
Sets the SYN flag
hping3 -R
Sets the RST flag
hping3 -P
Sets the PSH flag
hping3 -A
Sets the ACK flag
hping3 -U
Sets the URG flag
hping3 -X
Sets the XMAS scan flags
Active vs Passive OS Fingerprinting
Active: Sending crafted, nonstandard packets to the target. Passive: Sniffing network traffic for things such as TTL, window size, DF (Don't Fragment) flags and ToS (Type of Service) fields.
Why is the scan option "nmap -f" useful for evading an IPS?
The -f flag is used for fragmenting packets. Breaking the packets apart before they are sent makes them unrecognizable to the IDS.
What should you be aware of before spoofing an IP address?
IP spoofing can only be used when you don't expect a response back to your machine.
Source Routing
Specifies the path a packet should take on the network. Most systems do not allow this anymore.
IP Address Decoy
Sends packets from your IP as well as multiple decoy IPs to confuse the IDS/firewall as to where the scan is really coming from. EX: nmap -D RND:10 x.x.x.x nmap -D decoyIP1….sourceIP…[target]
Proxy (evasion)
For evasion, hackers can use proxy technology in reverse: commands and requests are sent to the proxy, and the proxy relays them to the targets. Anyone monitoring the subnet sees the proxy trying all these actions, not the attacker.
Proxy Chains
Chaining multiple proxies further hides your activities. Tools for this: Proxy Switcher, Proxy Workbench, SoftCab's Proxy Chain Builder, CyberGhost, and Proxifier.
ToR
The Onion Router. Tor works by installing a small client on the machine, which then gets a list of other clients running Tor from a directory server. The client then bounces internet requests off random Tor clients, making it nearly impossible to trace a request back to its source.
Anonymizers (Evasion)
Anonymizers hide your identity on HTTP traffic (port 80).
Anonymizer Tools
Guardster, Ultrasurf, Psiphon, Tails
Gzapper
A tool that can be used to remove the Google cookie from a system.
Vulnerability Scanning Tools
Tenable’s Nessus (Standard), GFI LanGuard, Qualys, FreeScan, OpenVAS
Enumeration Definition
Defined as listing the items that are found within a specific target. Always active in nature (it requires interacting with the target).
Security Context (Windows System)
User identity and authentication information.
Security Identifier (SID)
Identifies a user, group or computer account.
Resource Identifier (RID) (Windows)
Portion of the SID identifying a specific user, group or computer.
Example SID: S-1-5-21-3874928736-367528774-1298337465-500
Administrator Account - SID of 500
Administrator vs Regular Account SID
Admin - 500. Regular accounts - start at 1000.
Where can you find info about users and groups in Linux?
/etc/passwd lists user IDs (UID) and group IDs (GID).
SAM Database
File where all local passwords are stored (encrypted). Located in C:\Windows\System32\Config.
Linux Enumeration: Finger
Linux command to get info on users and the host machine.
Linux Enumeration: rpcinfo and rpcclient
Provide info on RPC in the environment.
Linux Enumeration: showmount
Displays all shared directories on the machine.
Banner grabbing is a part of what scanning methodology?
Enumeration.
Active vs Passive Banner Grabbing
Active - Sending specially crafted packets to the remote systems and comparing responses to determine the OS. Passive - Reading error messages, sniffing network traffic, or looking at page extensions.
What are a couple ways to perform a banner grab?
telnet or telnet 25 or use netcat: nc
What does NetBIOS do?
NetBIOS provides name servicing, connectionless communication and some Session layer functions. A NetBIOS name is a 16-character ASCII string used to identify devices. DOES NOT WORK ON IPv6.
NetBIOS Remote Machine Name Table
<1B> UNIQUE Domain Master Browser. <1C> UNIQUE Domain Controller. <1D> GROUP Master browser for subnet. <00> UNIQUE Hostname. <00> GROUP Domain Name. <03> UNIQUE Service running on system. <20> UNIQUE Server service running.
Command to display NetBIOS
nbtstat (gives your own info), nbtstat -n (local name table), nbtstat -A IPAddress (remote info), nbtstat -c (gives cache info).
Tools to use for NetBIOS Enumeration
SuperScan, Hyena, NetBIOS Enumerator, NSAuditor
SNMP
Port 161. Consists of a manager and agents. A simple central management system set up on the network makes requests of SNMP agents on the devices.
SNMP - MIB vs OID
OID - Object Identifiers for information stored in the MIB. MIB - Management Information Base: holds the information, arranged by numeric identifiers (OIDs).
SNMP GET vs SNMP SET
SNMP GET: Gets information about the system. SNMP SET: Sets information about the system.
SNMP: Scalar vs Tabular
Two types of managed objects in SNMP: Scalar defines a single object, whereas tabular defines multiple related objects that can be grouped together in MIB tables.
Tools to enumerate SNMP
SNMP Scanner, OpUtils 5, SNScan, Engineers Toolkit (solarwinds)
LDAP Enumeration
Designed to be queried. Connects on port 389 to a Directory System Agent (DSA). Returns info such as valid user names, domain information, addresses, telephone numbers, system data, organization structure, etc.
Tools for LDAP Enumeration
Softerra, Jxplorer, Lex, LDAP Admin Tool
NTP Enumeration
UDP port 123. Sets time across the network. Querying the NTP server can give you information such as a list of systems connected to the server (name and IP) and possibly the IPs of internal systems.
Tools for NTP enumeration
NTP Server Scanner, AtomSync, Nmap, Wireshark, ntptrace (command), ntpdc, ntpq
SMTP Enumeration Commands
VRFY - Validates a user. EXPN - Provides the actual delivery address of a mailing list or alias. RCPT TO - Defines recipients.
Syslog Port
UDP/514