Chapter 3 - Scanning & Enumeration Flashcards

1
Q

Connection-Oriented vs Connectionless Communication

A

Connectionless: UDP. Fire and forget: no handshake, no acknowledgements, and no guarantee the recipient is listening or can keep up. Connection-Oriented: TCP. Error checking, sequencing and retransmission at the cost of higher overhead; every session starts with the TCP three-way handshake.

2
Q

SYN Flag

A

Synchronize flag, set during initial connection establishment. It indicates negotiation of parameters and of each side's initial sequence number.

3
Q

ACK Flag

A

Acknowledgement - Confirms receipt of the peer's data; the first ACK acknowledges the peer's SYN. This flag is set on every segment after the initial SYN.

4
Q

RST Flag

A

Reset - This flag forces an immediate (abortive) termination of communications in both directions. A host also answers a SYN to a closed port with RST, which is what port scanners rely on.

5
Q

FIN Flag

A

Finish - This flag signifies an ordered close to communications

6
Q

PSH Flag

A

Push - This flag forces the delivery of data without concerns for any buffering. In other words, the receiving device need not wait for the buffer to fill up before processing data.

7
Q

URG Flag

A

Urgent - When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.

8
Q

TCP 3-way Handshake sequence numbers process

A

Each side picks its own initial sequence number (ISN). With computers A and B, A acknowledges B's ISN by placing B's sequence number plus one in the ACK field, and B does the same with A's ISN. A host never increments its own sequence number during the handshake; its own SYN simply consumes one sequence number, so A's next segment starts at ISN_A + 1.
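Added example (not part of the flashcard deck): the handshake above carried out with real TCP header bytes. The port numbers and the ISNs 1000/5000 are constructed values; real stacks choose the ISN randomly.

```python
import struct

# TCP flag bits as laid out in the low byte of the header's flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_names(flags: int) -> str:
    """Decode a flags byte into names, e.g. 0x12 -> 'SYN/ACK'."""
    return "/".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def build_segment(src_port: int, dst_port: int, seq: int, ack: int, flags: int,
                  window: int = 65535) -> bytes:
    """Pack a minimal 20-byte TCP header (no options; checksum and urgent pointer left 0)."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                       ack & 0xFFFFFFFF, data_offset, flags, window, 0, 0)


def parse_segment(raw: bytes) -> dict:
    """Unpack the fixed part of a TCP header into a dict."""
    src, dst, seq, ack, _off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags, "window": win}


def three_way_handshake(isn_a: int, isn_b: int, client_port: int = 40000,
                        server_port: int = 80) -> list:
    """Return the three parsed segments exchanged when A (client) connects to B (server).

    Each side chooses its own ISN. A host acknowledges the peer's ISN by sending
    peer_ISN + 1 in the ACK field; its own sequence number only moves by the one
    number that its own SYN consumed.
    """
    syn = build_segment(client_port, server_port, seq=isn_a, ack=0, flags=SYN)
    syn_ack = build_segment(server_port, client_port, seq=isn_b, ack=isn_a + 1, flags=SYN | ACK)
    ack = build_segment(client_port, server_port, seq=isn_a + 1, ack=isn_b + 1, flags=ACK)
    return [parse_segment(s) for s in (syn, syn_ack, ack)]


if __name__ == "__main__":
    # Constructed ISNs for illustration.
    for i, seg in enumerate(three_way_handshake(isn_a=1000, isn_b=5000), 1):
        print(f"{i}: {seg['src']}->{seg['dst']} {flag_names(seg['flags']):8} "
              f"seq={seg['seq']} ack={seg['ack']}")
```

Run it and note that A's sequence number is 1000 in the SYN and 1001 in the final ACK, while the ACK fields carry the other side's ISN plus one.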

9
Q

What is the purpose of the IANA (Internet Assigned Numbers Authority)

A

Maintains the Service Name and Transport Protocol Port Number Registry, which lists all port number assignments, and oversees global IP address allocation (delegated to the regional registries).

10
Q

What range of ports are considered to be “well-known”

A

0 - 1023

11
Q

What ports are registered ports

A

1024 - 49151

12
Q

What are the Dynamic Ports

A

49152 - 65535

13
Q

FTP port

A

TCP 20 (data channel) / 21 (control channel)

14
Q

SSH

A

TCP 22

15
Q

Telnet

A

TCP 23

16
Q

SMTP

A

TCP 25

17
Q

DNS

A

TCP/UDP 53. UDP 53 carries ordinary queries; TCP 53 is used for zone transfers (AXFR) and for responses too large for a single UDP datagram.

18
Q

DHCP

A

UDP 67 (server) / 68 (client)

19
Q

TFTP

A

UDP 69

20
Q

HTTP

A

TCP 80

21
Q

POP3

A

TCP 110

22
Q

RPC

A

TCP 135 (the MSRPC endpoint mapper)

23
Q

NetBIOS

A

UDP 137 (name service), UDP 138 (datagram service), TCP 139 (session service)

24
Q

IMAP

A

TCP/143

25
Q

SNMP

A

UDP 161 (manager queries the agent) / 162 (agent sends traps to the manager)

26
Q

LDAP

A

TCP/UDP 389 (cleartext); LDAP over TLS (LDAPS) uses TCP 636

27
Q

HTTPS

A

TCP 443

28
Q

SMB

A

TCP 445 (SMB directly over TCP; also reachable through the NetBIOS session service on TCP 139)

29
Q

SYSLOG

A

UDP 514

30
Q

When a port is open, a service is said to be _______

A

Listening

31
Q

Once a service has accepted a connection, the port is in an ________ state.

A

Established

32
Q

IPv4 Main Address Types:

A

Unicast - Acted on by a single recipient.

Multicast - Acted on by members of a specific group.

Broadcast - Acted on by everyone on the network. Two kinds:

Limited - Delivered to every system in the local broadcast domain (255.255.255.255); routers never forward it.

Directed - Delivered to all devices on a specific subnet using that subnet's broadcast address (e.g. 192.168.1.255 for 192.168.1.0/24).

33
Q

What is the Subnet Mask?

A

Separates the network portion of an address from the host portion, and so determines how many addresses exist on a specific subnet. Represented three ways, shown here for the same /12 mask: Decimal - 255.240.0.0. Binary - 11111111.11110000.00000000.00000000. CIDR - x.x.x.x/12 (the number of leading 1 bits).

34
Q

CurrPorts (tool)

A

Windows tool that lists every TCP and UDP port currently open on the local computer, together with the process that opened it: process name, full path, version information, creation time and the user who started it. Useful for spotting an unexpected listener or an outbound connection from a process that should not have one.

35
Q

CLOSE_WAIT vs TIME_WAIT

A

CLOSE_WAIT means the remote side has closed the connection and the local application has not yet closed its socket (many sockets stuck in CLOSE_WAIT point to an application that leaks connections). TIME_WAIT means the local side performed the active close and is holding the socket for a while (2 x maximum segment lifetime) so that late segments from the old connection cannot be mistaken for a new one.

36
Q

Limited vs Directed Broadcast Address

A

Limited: Delivered to every system inside the local broadcast domain, using 255.255.255.255 (routers never forward limited broadcasts). Directed: Sent to all devices on a specific subnet, using that subnet's broadcast address (the network address with all host bits set to 1); routers may forward these unless directed-broadcast forwarding is disabled, which is the default on modern routers.
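Added example (not part of the flashcard deck) covering the subnet-mask card and the broadcast cards above: the same /12 mask in decimal, binary and CIDR form, plus the network address, the directed broadcast address and the usable host count, computed with plain bit operations. The addresses 10.20.30.40 and 192.168.1.77 are constructed inputs.

```python
LIMITED_BROADCAST = "255.255.255.255"  # never forwarded by routers


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_bin(n: int) -> str:
    return ".".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """CIDR prefix length -> 32-bit mask with that many leading 1 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(dotted_mask: str) -> int:
    """Dotted-decimal mask -> CIDR prefix, rejecting non-contiguous masks like 255.0.255.0."""
    mask = ip_to_int(dotted_mask)
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous mask: {dotted_mask}")
    return prefix


def describe(cidr: str) -> dict:
    """Mask in all three notations, plus network, directed broadcast and usable host count."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask                     # host bits cleared
    directed_broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all set
    size = 1 << (32 - prefix)
    # network and broadcast addresses are reserved, except on /31 (RFC 3021) and /32
    usable = size - 2 if prefix <= 30 else size
    return {
        "prefix": prefix,
        "mask_decimal": int_to_ip(mask),
        "mask_binary": int_to_bin(mask),
        "network": int_to_ip(network),
        "directed_broadcast": int_to_ip(directed_broadcast),
        "limited_broadcast": LIMITED_BROADCAST,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    for cidr in ("10.20.30.40/12", "192.168.1.77/24"):
        print(cidr, describe(cidr))
```

The `mask_to_prefix` check matters when a mask comes from a config file or a scan target list: a mask whose 1 bits are not contiguous is invalid, and silently counting its bits would put hosts in the wrong network.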

37
Q

Scanning Methodology Phases

A
  1. Check for live systems.
  2. Check for open ports.
  3. Scan beyond IDS.
  4. Perform banner grabbing.
  5. Scan for vulnerabilities.
  6. Draw network diagrams.
  7. Prepare proxies.
38
Q

ICMP Message Type: Echo Reply

A

Type: 0 . Answer to a Type 8 Echo Request

39
Q

ICMP Message Type: Destination Unreachable

A

Type 3: Error message indicating the host or network cannot be reached. Codes: 0 - Destination network unreachable. 1 - Destination host unreachable. 6 - Destination network unknown. 7 - Destination host unknown. 9 - Network administratively prohibited. 10 - Host administratively prohibited. 13 - Communication administratively prohibited.

40
Q

ICMP Message Type: Source Quench

A

Type 4: A Congestion control message

41
Q

ICMP Message Type: Redirect

A

Type 5: Sent by a router when there are two or more gateways available to the sender and the best route to the destination is not the configured default gateway. Code 0 - Redirect datagram for the network. Code 1 - Redirect datagram for the host. (Hosts that honour unauthenticated redirects can have their routing table rewritten by anyone on the segment.)

42
Q

ICMP Message Type: Echo Request

A

Type: 8 A ping message , requesting echo reply

43
Q

ICMP Message Type: Time Exceeded

A

Type 11: The packet took too long to be routed to the destination. Code 0 - TTL expired in transit (what traceroute relies on). Code 1 - fragment reassembly time exceeded.

44
Q

What tools would you use to check for live systems?

A

Ping sweep (easiest), Nmap, ICMP echo requests, Angry IP Scanner, SolarWinds Engineer's Toolset, Advanced IP Scanner, Pinkie

45
Q

What does ICMP Type 3, Code 13 usually mean?

A

"Communication administratively prohibited": a firewall or router ACL is deliberately blocking the traffic and, instead of dropping it silently, is announcing the fact. The card's phrase "poorly configured firewall" refers to that announcement, since a well-tuned firewall drops quietly. Scanners report such ports as filtered.
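Added example (not part of the flashcard deck) for the ICMP cards above: building an echo request with the RFC 1071 checksum, then parsing the kind of Destination Unreachable reply a filtering device sends back and reading the original destination out of the quoted IP header. The addresses and identifier are constructed values.

```python
import struct

ECHO_REPLY, DEST_UNREACHABLE, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 5, 8, 11

UNREACHABLE_CODES = {
    0: "network unreachable", 1: "host unreachable", 6: "destination network unknown",
    7: "destination host unknown", 9: "network administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4_header(src: str, dst: str, proto: int = 1, ttl: int = 64) -> bytes:
    """Minimal constructed 20-byte IPv4 header (length/checksum fields not meaningful here)."""
    def pack_ip(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, ttl, proto, 0,
                       pack_ip(src), pack_ip(dst))


def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """What a filtering router/firewall sends: type 3, code, 4 unused bytes, then the
    offending IP header plus the first 8 bytes of its payload."""
    body = struct.pack("!BBHI", DEST_UNREACHABLE, code, 0, 0) + original_datagram[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_icmp(raw: bytes) -> dict:
    """Decode type/code, verify the checksum and say what the message means for host discovery."""
    typ, code = raw[0], raw[1]
    info = {"type": typ, "code": code, "checksum_ok": checksum(raw) == 0}
    if typ == ECHO_REPLY:
        info["verdict"] = "host is up (echo reply)"
    elif typ == DEST_UNREACHABLE:
        reason = UNREACHABLE_CODES.get(code, f"code {code}")
        info["verdict"] = ("filtered: " if code == 13 else "unreachable: ") + reason
    elif typ == TIME_EXCEEDED:
        info["verdict"] = "TTL expired in transit" if code == 0 else "fragment reassembly time exceeded"
    else:
        info["verdict"] = f"type {typ}"
    if typ in (DEST_UNREACHABLE, TIME_EXCEEDED) and len(raw) >= 28:
        # Bytes 8.. quote the original IPv4 header: protocol at offset 9, destination at 16..20.
        orig = raw[8:]
        info["original_proto"] = orig[9]
        info["original_dst"] = ".".join(str(b) for b in orig[16:20])
    return info


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1)
    blocked = build_unreachable(13, build_ipv4_header("10.0.0.1", "10.0.0.5") + req[:8])
    print(parse_icmp(req))
    print(parse_icmp(blocked))
```

A valid message checksums to zero when the checksum is computed over the whole packet including the checksum field; `checksum_ok` uses that property. The quoted header tells you which of your probes the type 3 message is answering, which is how a scanner ties an unreachable back to a port.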

46
Q

Full Connect (Port Scan)

A

TCP connect or full open scan (nmap -sT) - Completes the full three-way handshake through the operating system's connect() call and then tears the connection down. Easiest to detect, because the completed connection is visible to the application and its logs, but the most reliable and the only option without raw-socket privileges.

47
Q

Stealth Scan

A

Half-open or SYN scan (nmap -sS). Only a SYN is sent to each port: SYN/ACK back means open, RST means closed, nothing back means filtered. The scanner answers an open port with RST instead of completing the handshake, so the application never sees a connection and does not log one. That makes it quieter than a connect scan, but any firewall or IDS watching SYNs still sees it.

48
Q

Inverse TCP Flag Scan

A

Uses the FIN, URG or PSH flag (or no flags at all, the NULL scan) instead of SYN to poke system ports. Per RFC 793 an open port silently ignores such a segment, so NO response means open (Nmap reports open|filtered, since a dropped probe looks identical); a closed port answers RST/ACK. Caveat: Windows and some other stacks reply RST on every port regardless, so against them every port appears closed.

49
Q

XMAS Scan

A

FIN, PSH and URG are set together (Nmap's -sX; not literally every flag), so the packet is lit up like a Christmas tree. Port responses are the same as the inverse TCP scans: no response is OPEN (open|filtered), RST/ACK is closed, and Windows-style stacks answer RST for everything.

50
Q

ACK Flag Probe Scan

A

Attacker sends a bare ACK and examines the RST that comes back. Two historical heuristics: if the TTL of the returned RST is lower than on other ports (below 64 in the original description), the port is OPEN; if the WINDOW size of the RST is anything other than zero, the port is OPEN (Nmap's window scan, -sW). Modern stacks answer an unsolicited ACK identically whether the port is open or closed, so these heuristics rarely work today; what an ACK probe reliably reveals is whether a filter sits in the path.

51
Q

What kind of scan can be used to check for Stateful firewall

A

ACK flag probe. A bare ACK with no matching connection gets a RST from any host it reaches (unfiltered). If nothing comes back, or an ICMP unreachable arrives, a stateful firewall between the attacker and the host dropped the unsolicited ACK (filtered).
nmap -sA
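Added example (not part of the flashcard deck) tying the scan-type cards together: the port-state rules Nmap applies to the reply from each probe type, run against a small model of the target. The target model (an RFC 793 stack versus a Windows-style stack that answers every FIN/NULL/XMAS with RST, and a stateful firewall that drops anything without SYN) is an assumption for the demonstration, not captured traffic.

```python
from dataclasses import dataclass
from typing import Optional, Union

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What each Nmap scan type puts on the wire.
PROBE_FLAGS = {"-sS": SYN, "-sT": SYN, "-sF": FIN, "-sN": 0, "-sX": FIN | PSH | URG,
               "-sA": ACK, "-sW": ACK}

# ICMP type 3 codes that Nmap reports as "filtered" when they answer a probe.
FILTERING_UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class TcpReply:
    flags: int
    window: int = 0


@dataclass(frozen=True)
class IcmpReply:
    type: int
    code: int


Reply = Optional[Union[TcpReply, IcmpReply]]  # None = nothing came back after retries


def classify(scan: str, reply: Reply) -> str:
    """Port state Nmap derives from the reply to one probe of the given scan type."""
    if isinstance(reply, IcmpReply):
        return "filtered" if reply.type == 3 and reply.code in FILTERING_UNREACHABLE_CODES else "unknown"
    if scan in ("-sS", "-sT"):
        if reply is None:
            return "filtered"
        if reply.flags & SYN and reply.flags & ACK:
            return "open"
        if reply.flags & RST:
            return "closed"
    elif scan in ("-sF", "-sN", "-sX"):
        if reply is None:
            return "open|filtered"  # silence is ambiguous: open port or a dropped probe
        if reply.flags & RST:
            return "closed"
    elif scan == "-sA":
        if reply is None:
            return "filtered"  # a stateful device dropped the unsolicited ACK
        if reply.flags & RST:
            return "unfiltered"  # reached the host, but open vs closed is not revealed
    elif scan == "-sW":
        if reply is None:
            return "filtered"
        if reply.flags & RST:
            return "open" if reply.window > 0 else "closed"
    return "unknown"


def target_reply(probe_flags: int, port_open: bool, stack: str = "rfc793",
                 stateful_firewall: bool = False) -> Reply:
    """Simplified model of the target side (an assumption for this example).

    stack="rfc793": FIN/NULL/XMAS to an open port is dropped, to a closed port gets RST.
    stack="windows": every FIN/NULL/XMAS gets RST, so inverse scans see only closed ports.
    """
    if stateful_firewall and not probe_flags & SYN:
        return None  # no connection entry matches a bare ACK/FIN/NULL: silently dropped
    if probe_flags & SYN:
        return TcpReply(SYN | ACK, window=29200) if port_open else TcpReply(RST | ACK)
    if probe_flags & ACK:
        return TcpReply(RST, window=0)  # unsolicited ACK: RST whether the port is open or not
    if port_open and stack == "rfc793":
        return None
    return TcpReply(RST | ACK)


def scan_port(scan: str, port_open: bool, **target_kwargs) -> str:
    return classify(scan, target_reply(PROBE_FLAGS[scan], port_open, **target_kwargs))


if __name__ == "__main__":
    for scan in PROBE_FLAGS:
        print(scan, "open port ->", scan_port(scan, True), "| closed port ->", scan_port(scan, False),
              "| open port, Windows stack ->", scan_port(scan, True, stack="windows"))
```

The model returns a zero window on every RST, which is why `-sW` reports everything closed here; that matches what the window scan does against most current stacks.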

52
Q

IDLE Scan

A

Uses a third host, the idle zombie, as the spoofed source address. The attacker first probes the zombie to read its IP ID, sends the target a SYN with the zombie's address as source, then probes the zombie again: an open port makes the target send the zombie a SYN/ACK, which the zombie answers with a RST (bumping its IP ID by one extra), while a closed port's RST is ignored by the zombie. Designed for stealth, since the target only ever sees the zombie; requires a zombie that is truly idle and uses an incremental IP ID. nmap -sI.
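Added example (not part of the flashcard deck): the idle scan exchange simulated end to end, showing why the attacker can read the target's answer off the zombie's IP ID without ever receiving a packet from the target. The zombie's incrementing global IP ID counter and the `noise` parameter (unrelated packets a non-idle zombie sends) are assumptions of the model.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10


class Zombie:
    """Idle host whose IP ID counter increases by one on every packet it sends."""

    def __init__(self, ip: str, ipid: int = 1000, noise: int = 0):
        self.ip, self.ipid, self.noise = ip, ipid, noise

    def send(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid  # IP ID stamped on the packet just sent

    def receive(self, flags: int) -> None:
        # An unsolicited SYN/ACK provokes a RST (one more packet sent); an unsolicited RST is ignored.
        if flags == SYN | ACK:
            self.send()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port: int, src: Zombie) -> None:
        # The reply goes to the spoofed source address, i.e. the zombie; the attacker never sees it.
        src.receive(SYN | ACK if port in self.open_ports else RST | ACK)


def probe_ipid(zombie: Zombie) -> int:
    """Attacker sends the zombie a SYN/ACK; the RST it returns carries its current IP ID."""
    for _ in range(zombie.noise):  # traffic a not-so-idle zombie generates on its own
        zombie.send()
    zombie.receive(SYN | ACK)
    return zombie.ipid


def idle_scan(target: Target, zombie: Zombie, port: int) -> str:
    before = probe_ipid(zombie)        # 1. learn the zombie's current IP ID
    target.receive_syn(port, zombie)   # 2. SYN to the target with the zombie's IP as source
    after = probe_ipid(zombie)         # 3. probe the zombie again
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"             # zombie RST'd the target's SYN/ACK, then RST'd our probe
    if delta == 1:
        return "closed|filtered"  # zombie only answered our probe
    return "unusable zombie (not idle or IP ID not incremental)"


def scan_ports(target: Target, zombie: Zombie, ports) -> dict:
    return {port: idle_scan(target, zombie, port) for port in ports}


if __name__ == "__main__":
    target = Target(open_ports={22, 80})
    print(scan_ports(target, Zombie("10.0.0.9"), [22, 23, 80, 443]))
    print(scan_ports(target, Zombie("10.0.0.10", noise=3), [22]))
```

Closed and filtered ports are indistinguishable because in both cases nothing reaches the zombie; a busy zombie ruins the measurement, which is why the technique needs a host that is genuinely idle.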

53
Q

nmap -sA

A

ACK probe scan

Tests filtering, not port state: RST back = unfiltered (the probe reached the host), no response or ICMP unreachable = filtered, which indicates a stateful firewall in place. It never reports a port as open.

54
Q

nmap -sF

A

FIN scan

55
Q

nmap -sI

A

IDLE scan

56
Q

nmap -sL

A

List scan: only lists the targets that would be scanned and does a reverse-DNS lookup on each; no packets are sent to the targets themselves.

57
Q

nmap -sN

A

NULL scan

TCP probes with no flags set at all. A closed port answers RST; an open port on an RFC 793-compliant stack sends nothing, which Nmap reports as open|filtered. Windows-style stacks reply RST on every port.

58
Q

nmap -sO

A

Protocol scan (tests which IP protocols respond)

59
Q

nmap -sP

A

Ping scan (host discovery only, no port scan). -sP is the legacy spelling; current Nmap uses -sn.

60
Q

nmap -sR

A

RPC scan (legacy option; current Nmap performs it as part of version detection, -sV)

61
Q

nmap -sS

A

SYN scan

62
Q

nmap -sT

A

TCP connect scan

63
Q

nmap -sW

A

Window scan

64
Q

nmap -sX

A

XMAS scan

65
Q

nmap -A

A

OS detection, version detection, script scanning and traceroute

66
Q

nmap -PI

A

ICMP echo ping (legacy spelling; current Nmap uses -PE)

67
Q

nmap -P0

A

No ping: skip host discovery and scan every target as if it were up. -P0 (zero) is the legacy spelling; current Nmap uses -Pn.

68
Q

nmap -PS

A

SYN ping

69
Q

nmap -PT

A

TCP ping (legacy option; current Nmap uses -PS for a SYN ping and -PA for an ACK ping)

70
Q

nmap -oN

A

Normal output

71
Q

nmap -oX

A

XML output

72
Q

nmap -T0 through -T2

A

Serial scans. T0 is slowest

73
Q

nmap -T3 through -T5

A

Parallel scans. T3 is slowest

74
Q

By default what is the speed of nmap scan

A

T3

75
Q

hping3 -1

A

Sets ICMP mode

76
Q

hping3 -2

A

Sets UDP mode

77
Q

hping3 -8

A

Sets scan mode. Expects port range without -p flag

78
Q

hping3 -9

A

Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0)

79
Q

hping3 --flood

A

Sends packets as fast as possible without showing incoming replies

80
Q

hping3 -Q

A

Collects sequence numbers generated by the host

81
Q

hping3 -p

A

Sets port number

82
Q

hping3 -F

A

Sets the FIN flag

83
Q

hping3 -S

A

Sets the SYN flag

84
Q

hping3 -R

A

Sets the RST flag

85
Q

hping3 -P

A

Sets the PSH flag

86
Q

hping3 -A

A

Sets the ACK flag

87
Q

hping3 -U

A

Sets the URG flag

88
Q

hping3 -X

A

Sets the X flag (the unused 0x40 bit), which hping3 calls --xmas; it is not the FIN/PSH/URG combination of an Nmap XMAS scan. To send that combination with hping3, set -F, -P and -U together.

89
Q

Active vs Passive OS Fingerprinting

A

Active: Sending crafted, nonstandard packets to the target and comparing its responses against a fingerprint database. Passive: Sniffing the target's normal traffic and reading OS-specific defaults such as the initial TTL, the TCP window size, the DF (Don't Fragment) bit and the ToS (Type of Service) field.

90
Q

Why is using the scan type: “ nmap -f “ useful for evading IPS

A

The -f flag fragments the probes into tiny IP fragments, so the TCP header is split across several packets. An IDS/IPS that does not reassemble fragments before matching signatures never sees a complete header and cannot recognise the scan. Modern sensors do reassemble, and -f only applies to raw-packet scans (not the connect scan).

91
Q

What should you be aware of before spoofing an IP address?

A

The replies go to the spoofed address, not to you, so IP spoofing can only be used when you do not need a response back (a TCP handshake, for example, cannot be completed from a spoofed source).

92
Q

Source Routing

A

Specifies the path a packet should take on the network. Most systems do not allow this anymore.

93
Q

IP Address Decoy

A

Sends the same probes from your IP and from several decoy IPs, so the IDS/firewall cannot tell which source the scan is really coming from. EX: nmap -D RND:10 x.x.x.x (ten random decoys), or nmap -D decoyIP1,decoyIP2,ME,decoyIP3 target (ME marks where your real address goes in the order).

94
Q

Proxy (evasion)

A

For evasion, attackers use proxy technology in reverse: commands and requests are sent to the proxy, which relays them to the targets. Anyone monitoring the target's subnet sees the proxy performing all these actions, not the attacker.

95
Q

Proxy Chains

A

Multiple proxies further hide your activities. Tools for this: Proxy Switcher, Proxy Workbench, SoftCab’s Proxy Chain Builder, CyberGhost, and Proxifier

96
Q

ToR

A

The Onion Router. A small Tor client on the machine fetches the list of relays from the directory servers and builds a circuit through several relays (guard, middle, exit), wrapping each request in one layer of encryption per hop. No single relay knows both the source and the destination, which makes tracing a request back to its origin very hard.

97
Q

Anonymizers (Evasion)

A

Anonymizers hide the client's identity for HTTP traffic (port 80) by relaying web requests through a proxy site.

98
Q

Anonymizer Tools

A

Guardster, Ultrasurf, Psiphon, Tails

99
Q

G-Zapper

A

A tool that removes the Google tracking cookie from a system so searches cannot be tied to earlier activity.

100
Q

Vulnerability Scanning Tools

A

Tenable's Nessus (the industry standard), GFI LanGuard, Qualys (and its free FreeScan), OpenVAS

101
Q

Enumeration Definition

A

Defined as listing the items that are found within a specific target. Always active in nature.

102
Q

Security Context (Windows System)

A

User identity and authentication information attached to a process, which decides what it may access.

103
Q

Security Identifier (SID)

A

Identifies a user, group or computer account

104
Q

Relative Identifier (RID) (Windows)

A

Portion of the SID identifying a specific user, group or computer.

105
Q

Example SID: S-1-5-21-3874928736-367528774-1298337465-500

A

The built-in Administrator account: the final component (the RID) is 500. Everything before it, S-1-5-21-3874928736-367528774-1298337465, identifies the domain or machine.

106
Q

Administrator vs Regular Account SID

A

Admin - RID 500 (Guest is 501); regular accounts created after installation get RIDs starting at 1000. The RID survives renaming the account, so a SID ending in -500 is the Administrator whatever it is called.
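Added example (not part of the flashcard deck): a parser for SIDs that splits off the domain identifier and RID and labels the well-known RIDs from the cards above. Because RIDs are assigned sequentially, one known SID lets you generate the neighbouring candidates to resolve; `candidate_sids` does that as a generalisation. The well-known RID table is Microsoft's; the SIDs used are the card's example and constructed variants.

```python
# Well-known RIDs (Microsoft-defined), found as the last sub-authority of a domain/machine SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
FIRST_USER_RID = 1000  # accounts created after installation get sequential RIDs from here


def parse_sid(sid: str) -> dict:
    """Split S-<revision>-<authority>-<sub-authorities> and label the RID when it is an account SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError("only SID revision 1 exists")
    subs = [int(p) for p in parts[3:]]
    info = {"revision": revision, "authority": authority, "sub_authorities": subs}
    # S-1-5-21-<three 32-bit values>-<RID> is the shape of a domain or local machine account SID.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        info["domain_sid"] = "-".join(parts[:-1])  # identifies the machine or domain
        info["rid"] = rid
        if rid in WELL_KNOWN_RIDS:
            info["account"] = WELL_KNOWN_RIDS[rid]  # holds even if the account was renamed
        elif rid >= FIRST_USER_RID:
            info["account"] = "user-created"
        else:
            info["account"] = "built-in/reserved"
    return info


def candidate_sids(domain_sid: str, rids=(500, 501, *range(1000, 1010))) -> list:
    """Given one SID from a domain, produce neighbours worth resolving (RIDs are sequential)."""
    return [f"{domain_sid}-{rid}" for rid in rids]


if __name__ == "__main__":
    example = "S-1-5-21-3874928736-367528774-1298337465-500"  # the card's example
    info = parse_sid(example)
    print(info)
    print(candidate_sids(info["domain_sid"])[:4])
```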

107
Q

Where can you find info about users and groups in Linux?

A

/etc/passwd lists every account with its user ID (UID) and primary group ID (GID), home directory and login shell; it is world-readable. Group membership is in /etc/group, and the password hashes are in /etc/shadow, readable only by root.
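Added example (not part of the flashcard deck): a parser for /etc/passwd that pulls out UID, GID and shell and reports what an enumerator (or a defender reviewing a host) looks for: extra UID 0 accounts, accounts with an interactive shell, and hashes stored in passwd instead of shadow. The sample file content is constructed.

```python
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
this line is malformed and must be skipped
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> list:
    """name:password:UID:GID:GECOS:home:shell, one entry per line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "uid": int(uid), "gid": int(gid), "gecos": gecos,
            "home": home, "shell": shell,
            # 'x' means the hash lives in /etc/shadow; anything else is a hash (or empty) in passwd
            "hash_in_passwd": passwd not in ("x", "*", ""),
        })
    return entries


def review(entries: list) -> dict:
    """Findings worth a second look on any host."""
    return {
        "extra_uid0": [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"],
        "interactive": [e["name"] for e in entries if e["shell"] not in NON_LOGIN_SHELLS],
        "user_accounts": [e["name"] for e in entries if e["uid"] >= 1000],
        "hash_in_passwd": [e["name"] for e in entries if e["hash_in_passwd"]],
    }


if __name__ == "__main__":
    print(review(parse_passwd(SAMPLE_PASSWD)))
```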

108
Q

SAM Database

A

File holding the hashes of all local account passwords (NT and, historically, LM hashes; not reversible encryption). The file itself is encrypted with the boot key and locked while Windows is running. Located in C:\Windows\System32\config\SAM.

109
Q

Linux Enumeration: Finger

A

Linux command to get info on users and the host machine

110
Q

Linux Enumeration: rpcinfo and rpcclient

A

rpcinfo queries the portmapper (rpcbind) for the RPC programs registered on a host and the ports they listen on; rpcclient speaks MS-RPC to Windows and Samba hosts to enumerate users, groups and shares.

111
Q

Linux Enumeration: showmount

A

Displays the NFS exports of a machine (showmount -e host lists the shared directories and which clients may mount them).

112
Q

Banner Grabbing is apart of what scanning methodology?

A

Enumeration.

113
Q

Active vs Passive Banner Grabbing

A

Active - Sending specially crafted packets to the remote systems and comparing responses to determine OS. Passive - reading error messages, sniffing network traffic, or looking at page extensions.

114
Q

What are a couple ways to perform a banner grab?

A

Connect to the service port and read what it sends or how it answers: telnet to the port (for example port 25 for SMTP or port 80 for HTTP), or use netcat (nc) the same way.

115
Q

What does NetBIOS do?

A

NetBIOS provides name services, connectionless datagram communication and session-layer services. A NetBIOS name is a 16-byte ASCII string: 15 characters of name plus a one-byte suffix identifying the service. NetBIOS over TCP/IP DOES NOT WORK ON IPv6.

116
Q

NetBIOS Remote Machine Name Table

A

<00> UNIQUE - Workstation service (hostname).
<00> GROUP - Domain name.
<03> UNIQUE - Messenger service.
<20> UNIQUE - Server (file sharing) service running.
<1B> UNIQUE - Domain master browser.
<1C> GROUP - Domain controllers.
<1D> UNIQUE - Master browser for the subnet.

117
Q

Command to display NetBIOS

A

nbtstat -n (local name table), nbtstat -a <name> or nbtstat -A <IP address> (a remote machine's name table), nbtstat -c (the local name cache). Run with no options it only prints its usage.

118
Q

Tools to use for NetBIOS Enumeration

A

SuperScan, Hyena, NetBIOS Enumerator, NSAuditor

119
Q

SNMP

A

UDP port 161. Consists of a manager and agents: a central management system on the network makes requests of the SNMP agents running on the devices. In SNMPv1/v2c the only authentication is the community string sent in cleartext; devices left on the defaults ("public" for read, "private" for write) hand their configuration to anyone who asks.

120
Q

SNMP - MIB vs OID

A

OID - Object Identifiers for information stored in MIB. MIB - Management Information Base: Holds information and is arranged with numeric identifiers (OIDs)

121
Q

SNMP GET vs SNMP SET

A

SNMP GET: reads the value of an object from the agent. SNMP SET: writes a value into the agent, changing the device's configuration; it requires the write community string.
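Added example (not part of the flashcard deck) for the MIB/OID and GET/SET cards: building an SNMPv1 GetRequest and SetRequest byte for byte, including the BER encoding of an OID, and a small decoder that pulls version, community string and PDU type out of a datagram, which is what a sensor needs to flag a SetRequest with a default community on the wire. OIDs 1.3.6.1.2.1.1.1.0 (sysDescr.0) and 1.3.6.1.2.1.1.5.0 (sysName.0) are standard MIB-2; the community strings and values are constructed.

```python
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_NEXT_REQUEST: "GetNextRequest",
             GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}
NULL = b"\x05\x00"  # the placeholder value in a Get varbind


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    # two's-complement, minimal length; the extra byte keeps a leading 0x00 when the high bit is set
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_octets(s: bytes) -> bytes:
    return tlv(0x04, s)


def ber_oid(oid: str) -> bytes:
    """Dotted OID -> BER: the first two arcs fold into one byte (40*x + y); each later arc is
    base-128, most significant group first, with the high bit set on all but the last group."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {oid}")
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(groups))
    return tlv(0x06, bytes(body))


def snmp_v1_request(pdu_tag: int, community: str, bindings, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version INTEGER 0, community OCTET STRING, PDU }.
    bindings: list of (oid, BER-encoded value); NULL for a Get, a real value for a Set."""
    varbinds = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in bindings)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(0) + ber_octets(community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this element), handling short and long lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def summarize(msg: bytes) -> dict:
    """What a sensor needs from a captured SNMP datagram: version, community and PDU type."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")}


if __name__ == "__main__":
    get = snmp_v1_request(GET_REQUEST, "public", [("1.3.6.1.2.1.1.1.0", NULL)])
    put = snmp_v1_request(SET_REQUEST, "private", [("1.3.6.1.2.1.1.5.0", ber_octets(b"renamed"))])
    print(get.hex(), summarize(get))
    print(put.hex(), summarize(put))
```

Only the PDU tag byte (0xA0 versus 0xA3) and the varbind value differ between a read and a write; everything else, including the cleartext community string, is identical, which is why write access hinges entirely on keeping the "private" string private.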

122
Q

SNMP: Scalar vs Tabular

A

Two types of managed objects in SNMP: a scalar object defines a single instance (such as sysName.0), whereas a tabular object defines multiple related instances grouped together in a MIB table (such as the interface table, one row per interface).

123
Q

Tools to enumerate SNMP

A

SNMP Scanner, OpUtils 5, SNScan, Engineers Toolkit (solarwinds)

124
Q

LDAP Enumeration

A

Designed to be queried. Connects on TCP 389 to a Directory System Agent (DSA). Returns information such as valid user names, domain information, addresses, telephone numbers, system data and organizational structure. Active Directory allows anonymous binds only for a limited set of attributes, so a valid (even low-privileged) account returns far more.

125
Q

Tools for LDAP Enumeration

A

Softerra, Jxplorer, Lex, LDAP Admin Tool

126
Q

NTP Enumeration

A

UDP on port 123. Sets time across network. Querying the NTP server can give you information such as a list of systems connected to the server (name and IP) and possibly IP of internal systems.

127
Q

Tools for NTP enumeration

A

NTP Server Scanner, AtomSync, Nmap, Wireshark, and the commands ntptrace, ntpdc and ntpq

128
Q

SMTP Enumeration Commands

A

VRFY - asks the server to confirm that a user or mailbox exists. EXPN - expands a mailing list or alias into its actual delivery addresses. RCPT TO - names a recipient during a message transaction; a 250 versus 550 reply leaks whether the user exists even when VRFY and EXPN are disabled.

129
Q

Syslog Port

A

UDP/514