Chapter 3 - Scanning & Enumeration Flashcards
Connection-Oriented vs Connectionless Communication
Connectionless: UDP. Fire and forget; the sender doesn't care whether the recipient has the bandwidth to accept the message. Connection-Oriented: TCP. Error checking and high overhead; uses the TCP handshake.
SYN Flag
Synchronize flag that is set during initial communication establishment. It indicates negotiation of parameters and sequence numbers.
ACK Flag
Acknowledgement - This flag is set as an acknowledgement to SYN flags. It is set on all segments after the initial SYN flag.
RST Flag
Reset - This flag forces a termination of communications (in both directions)
FIN Flag
Finish - This flag signifies an ordered close to communications
PSH Flag
Push - This flag forces the delivery of data without concerns for any buffering. In other words, the receiving device need not wait for the buffer to fill up before processing data.
URG Flag
Urgent - When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.
TCP 3-way Handshake sequence numbers process
Sequence numbers increase on new communication. Example: computers A and B. A would increment B's sequence number; A would never increment its own sequence number.
What is the purpose of the IANA (Internet Assigned Numbers Authority)
Maintains the Service Name and Transport Protocol Port Number Registry, which lists all port number reservations. Oversees global IP address allocation.
What range of ports are considered to be “well-known”
0 - 1023
What ports are registered ports
1024 - 49,151
What are the Dynamic Ports
49,152 - 65,535
FTP port
TCP port 20/21
SSH
TCP 22
Telnet
TCP 23
SMTP
TCP 25
DNS
TCP/UDP 53. (TCP 53 is zone transfer)
DHCP
UDP 67
TFTP
UDP 69
HTTP
TCP 80
POP3
TCP 110
RPC
TCP 135
NetBIOS
TCP/UDP 137-139
IMAP
TCP 143
SNMP
UDP 161/162
LDAP
TCP/UDP 389
HTTPS
TCP 443
SMB
TCP 445
SYSLOG
UDP 514
When a port is open, a service is said to be _______
Listening
Once a service has made a connection, the port is in an ________ state.
Established
IPv4 Main Address Types:
Unicast - Acted on by a single recipient.
Multicast - acted on by members of a specific group.
Broadcast - Acted on by everyone on the network.
Limited - Delivered to every system in the domain (255.255.255.255).
Directed - Delivered to all devices on a subnet, using that subnet's broadcast address.
What is the Subnet Mask?
Determines how many addresses are available on a specific subnet. Represented by three methods: Decimal - 255.240.0.0. Binary - 11111111.11110000.00000000.00000000. CIDR - x.x.x.x/12
CurrPorts (tool)
Tool that displays a list of all currently open TCP/IP and UDP ports on your local computer, including information about the process that opened each port: the process name, full path, version information, the time it was created and the user who created it.
CLOSE_WAIT vs TIME_WAIT
CLOSE_WAIT indicates that the remote side of your connection has closed the connection, whereas a TIME_WAIT state indicates that your side has closed the connection.
Limited vs Directed Broadcast Address
Limited: Delivered to every system inside the broadcast domain, using 255.255.255.255 (routers ignore all limited broadcasts). Directed: Sent to all devices on a subnet, using the subnet's broadcast address.
Scanning Methodology Phases
- Check for live systems
- Check for open ports.
- Scan beyond IDS.
- Perform banner grabbing.
- Scan for vulnerabilities.
- Draw network diagrams.
- Prepare proxies.
ICMP Message Type: Echo Reply
Type 0. Answer to a Type 8 Echo Request.
ICMP Message Type: Destination Unreachable
Type 3: Error message indicating the host or network cannot be reached. Codes: 0 - Network host unreachable. 1 - Destination host unreachable. 6 - Network unknown. 7 - Host unknown. 9 - Network administratively prohibited. 10 - Host administratively prohibited. 13 - Communication administratively prohibited.
ICMP Message Type: Source Quench
Type 4: A congestion control message.
ICMP Message Type: Redirect
Type 5: Sent when there are two or more gateways available for the sender to use and the best route to the destination is not the configured default gateway. Codes: 0 - Redirect datagram for the network. 1 - Redirect datagram for the host.
ICMP Message Type: Echo Request
Type 8: A ping message, requesting an Echo Reply.
ICMP Message Type: Time Exceeded
Type 11: The packet took too long to be routed to the destination (Code 0 is TTL expired).
What tools would you use to check for live systems?
Ping sweep (easiest), Nmap, ICMP Echo Request, Angry IP Scanner, SolarWinds Engineer's Toolset, Advanced IP Scanner, Pinkie
What does ICMP Type 3, Code 13 usually mean?
A poorly configured firewall is preventing the delivery of ICMP packets.
Full Connect (Port Scan)
TCP connect or full-open scan: completes the full 3-way handshake and then tears the connection down with RST. Easiest to detect, but most reliable.
Stealth Scan
Half-open or SYN scan. Only SYN packets are sent to ports; the handshake is never completed. Useful for evading detection and bypassing firewalls.
Inverse TCP Flag Scan
Uses the FIN, URG, or PSH flag to probe system ports. If the port is open, there is NO response at all. If closed, an RST/ACK is sent in response.
XMAS Scan
All flags are turned on, so the packet is lit up like a Christmas tree. Port responses are the same as the Inverse TCP flag scan: no response means OPEN.
ACK Flag Probe Scan
Attacker sends a packet with the ACK flag set and inspects the returned header to determine port status. TTL-based: if the TTL of the returned RST packet is less than 64, the port is OPEN. Window-based: if the WINDOW size on the returned RST packet is anything other than zero, the port is OPEN.
What kind of scan can be used to check for Stateful firewall
ACK Flag Probe. If an ACK is sent and there is no response, this indicates a stateful firewall between the attacker and the host.
nmap -sA