Chapter 3 - Scanning & Enumeration Flashcards

1
Q

Connection-Oriented vs Connectionless Communication

A

Connectionless: UDP. Fire and forget; the sender gets no confirmation that the recipient received, or was even able to accept, the datagram. Connection-Oriented: TCP. Error checking, sequencing and retransmission at the cost of higher overhead; a session is set up first with the TCP three-way handshake.

2
Q

SYN Flag

A

Synchronize flag that is set during initial communication establishment. It indicates negotiation of parameters and sequence numbers.

3
Q

ACK Flag

A

Acknowledgement - This flag is set to acknowledge received data or a SYN (the acknowledgement number is the next byte expected from the peer). It is set on every segment after the initial SYN.

4
Q

RST Flag

A

Reset - This flag forces a termination of communications (in both directions)

5
Q

FIN Flag

A

Finish - This flag signifies an ordered close to communications

6
Q

PSH Flag

A

Push - This flag forces the delivery of data without concerns for any buffering. In other words, the receiving device need not wait for the buffer to fill up before processing data.

7
Q

URG Flag

A

Urgent - When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.

8
Q

TCP 3-way Handshake sequence numbers process

A

Each side chooses its own initial sequence number (ISN) and acknowledges the other side's by adding one. With hosts A and B: A sends SYN with seq=x; B answers SYN/ACK with seq=y, ack=x+1; A answers ACK with seq=x+1, ack=y+1. A only ever increments B's number (in its ACK field); A's own sequence number advances by the bytes A sends, it never bumps it on its own.

9
Q

What is the purpose of the IANA (Internet Assigned Numbers Authority)

A

Maintains the Service Name and Transport Protocol Port Number Registry, which lists all port number assignments, and oversees global IP address allocation (delegated to the regional Internet registries).

10
Q

What range of ports are considered to be “well-known”

A

0 - 1023

11
Q

What ports are registered ports

A

1024 - 49151

12
Q

What are the Dynamic Ports

A

49152 - 65535

13
Q

FTP port

A

TCP 20 (data channel, active mode) / TCP 21 (control channel)

14
Q

SSH

A

TCP 22

15
Q

Telnet

A

TCP 23

16
Q

SMTP

A

TCP 25

17
Q

DNS

A

TCP/UDP 53. UDP 53 carries normal queries; TCP 53 is used for zone transfers (AXFR) and for responses too large for a single UDP datagram.

18
Q

DHCP

A

UDP 67 (server) / UDP 68 (client)

19
Q

TFTP

A

UDP 69

20
Q

HTTP

A

TCP 80

21
Q

POP3

A

TCP 110

22
Q

RPC

A

TCP 135 (Microsoft RPC endpoint mapper)

23
Q

NetBIOS

A

UDP 137 (name service), UDP 138 (datagram service), TCP 139 (session service)

24
Q

IMAP

A

TCP/143

25
SNMP
UDP 161 (manager queries to agents) / UDP 162 (traps from agents to the manager)
26
LDAP
TCP/UDP 389
27
HTTPS
TCP 443
28
SMB
TCP 445
29
SYSLOG
UDP 514
30
When a port is open, a service is said to be _______
Listening
31
Once a service has made a connection, the port is in an ________ state.
Established
32
IPv4 Main Address Types:
Unicast - acted on by a single recipient. Multicast - acted on by members of a specific group. Broadcast - acted on by everyone on the network; a Limited broadcast is delivered to every system in the local broadcast domain (255.255.255.255) and a Directed broadcast is delivered to all devices on a specific subnet using that subnet's broadcast address.
33
What is the Subnet Mask?
Determines which bits of an address identify the network and therefore how many addresses are available on a subnet. The same mask can be written three ways: Decimal - 255.240.0.0. Binary - 11111111.11110000.00000000.00000000. CIDR - x.x.x.x/12 (12 network bits).
34
CurrPorts (tool)
Tool that displays a list of all currently open TCP and UDP ports on your local computer, together with the process that opened each port: process name, full path, version information, creation time and the user who created it.
35
CLOSE_WAIT vs TIME_WAIT
CLOSE_WAIT means the remote side has closed its end and the local application has not yet closed its socket (many sockets stuck in CLOSE_WAIT point to an application that forgets to close). TIME_WAIT means the local side initiated the close and is holding the socket for 2*MSL so that late segments are not mistaken for a new connection.
36
Limited vs Directed Broadcast Address
Limited: delivered to every system inside the local broadcast domain, using 255.255.255.255 (routers never forward limited broadcasts). Directed: sent to all devices on a specific subnet, using that subnet's broadcast address (routable in principle, but most routers drop them by default).
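The subnet mask and broadcast address rules from cards 32, 33 and 36 worked through with the Python standard library. This is an added example, not part of the original deck; the addresses fed to it are made up for illustration.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def mask_forms(prefix):
    """The three notations of one subnet mask, from its CIDR prefix length."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
    binary = ".".join(f"{octet:08b}" for octet in mask.packed)
    return {"decimal": str(mask), "binary": binary, "cidr": f"/{prefix}"}


def subnet_facts(cidr):
    """Network address, directed broadcast address and usable host count."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False: host bits allowed
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "directed_broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def classify_destination(dst, local_cidr):
    """How a host sitting on local_cidr sees a destination address."""
    addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Network(local_cidr, strict=False)
    if addr == LIMITED_BROADCAST:
        return "limited broadcast"            # never forwarded by routers
    if addr == net.broadcast_address:
        return "directed broadcast (own subnet)"
    if addr.is_multicast:                     # 224.0.0.0/4
        return "multicast"
    # A directed broadcast aimed at some *other* subnet is indistinguishable
    # from unicast here; only the last-hop router for that subnet can tell.
    return "unicast"


if __name__ == "__main__":
    print(mask_forms(12))
    print(subnet_facts("172.16.5.9/12"))
    for dst in ("255.255.255.255", "192.168.1.255", "224.0.0.1", "10.0.0.5"):
        print(dst, "->", classify_destination(dst, "192.168.1.10/24"))
```

For the /12 example on the card, `subnet_facts("172.16.5.9/12")` gives network 172.16.0.0 and directed broadcast 172.31.255.255, which is the address a "directed broadcast" packet for that whole range would carry.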
37
Scanning Methodology Phases
1. Check for live systems 2. Check for open ports. 3. Scan beyond IDS. 4. Perform Banner Grabbing . 5. Scan for vulnerabilities. 6. Draw network diagrams. 7. Prepare proxies.
38
ICMP Message Type: Echo Reply
Type: 0 . Answer to a Type 8 Echo Request
39
ICMP Message Type: Destination Unreachable
Type 3: Error message indicating the host or network cannot be reached. Codes: 0 - Network unreachable. 1 - Host unreachable. 6 - Destination network unknown. 7 - Destination host unknown. 9 - Network administratively prohibited. 10 - Host administratively prohibited. 13 - Communication administratively prohibited.
40
ICMP Message Type: Source Quench
Type 4: A Congestion control message
41
ICMP Message Type: Redirect
Type 5: Sent by a router when two or more gateways are available and the best route to the destination is not the gateway the sender used (its configured default gateway). Code 0 - Redirect datagram for the network. Code 1 - Redirect datagram for the host.
42
ICMP Message Type: Echo Request
Type 8: A ping, requesting a Type 0 Echo Reply.
43
ICMP Message Type: Time Exceeded
Type 11: The packet took too long to reach the destination. Code 0 is TTL expired in transit (what traceroute relies on); Code 1 is fragment reassembly time exceeded.
44
What tools would you use to check for live systems?
Ping sweep (easiest), Nmap, ICMP Echo Request, Angry IP Scanner, SolarWinds Engineer's Toolset, Advanced IP Scanner, Pinkie
45
What does ICMP Type 3, Code 13 usually mean?
A firewall or router ACL is filtering the traffic and says so ("communication administratively prohibited"). Port scanners such as nmap report a port that answers this way as filtered.
46
Full Connect (Port Scan)
TCP connect or full open scan (nmap -sT) - completes the full three-way handshake (SYN, SYN/ACK, ACK) and then tears the connection down. Easiest to detect, because the application accepts the connection and can log it, but the most reliable, and the only option when the scanner has no raw-socket privileges.
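A TCP connect scan written in plain Python sockets, added here as an example (it is not from the original deck). It scans a listener on loopback so it runs offline: the block itself opens one listening socket (the port is then in the "listening" state of card 30) and reserves a second port that is known to be closed. Refused means the host answered RST; a timeout means nothing came back at all.

```python
import socket
from contextlib import closing


def connect_scan(host, ports, timeout=0.5):
    """Full-open (connect) scan: complete the 3-way handshake, then close.

    Returns {port: "open" | "closed" | "filtered"}.
    """
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))        # SYN -> SYN/ACK -> ACK, now ESTABLISHED
                results[port] = "open"         # close() below tears it down again
            except ConnectionRefusedError:
                results[port] = "closed"       # host replied RST
            except socket.timeout:
                results[port] = "filtered"     # no reply: something dropped the SYN
    return results


def demo():
    """Set up one listening and one known-closed loopback port, scan both."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # 0 = let the kernel pick a free port
    listener.listen(5)                          # the port is now LISTENING
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                               # released again, nothing listens there

    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    op, cp, verdicts = demo()
    for port in (op, cp):
        print(f"127.0.0.1:{port} {verdicts[port]}")
```

Because `connect()` finishes the handshake, the kernel on the target side completes the connection even before the application calls `accept()`; that is exactly why this scan shows up in application logs where a half-open SYN scan would not.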
47
Stealth Scan
Half-open or SYN scan (nmap -sS). Only a SYN is sent to each port: SYN/ACK means open, RST means closed, no answer means filtered. On SYN/ACK the scanner replies with RST instead of ACK, so the handshake is never completed. It is "stealthy" only in the sense that the application never sees a connection and may not log it; an IDS or firewall still sees every SYN.
48
Inverse TCP Flag Scan
Sends probes carrying only FIN, only URG, only PSH, or no flags at all (NULL scan) instead of SYN. Per RFC 793 an open port must silently discard such a segment, so NO response means open (or filtered); a closed port answers with RST/ACK. This only works against RFC-compliant stacks; Windows and many network devices send RST for every such probe regardless of port state.
49
XMAS Scan
FIN, PSH and URG are set together (nmap -sX), so the packet is "lit up like a Christmas tree". Port responses are read the same way as for the Inverse TCP flag scan: no response is open (or filtered), RST is closed.
50
ACK Flag Probe Scan
Attacker sends a segment with only the ACK flag set and inspects the RST that comes back. TTL method: if the TTL of the returned RST is lower than for the other ports (the textbook threshold is below 64), the port is open. Window method: if the window field of the RST is anything other than zero, the port is open. Both are quirks of older stacks; modern systems return identical RSTs for open and closed ports, so the main use of an ACK probe today is mapping firewall rules.
51
What kind of scan can be used to check for Stateful firewall
ACK flag probe (nmap -sA). A stateful firewall drops an ACK that belongs to no existing session, so no response (or an ICMP unreachable) means the port is filtered by a stateful device; an RST means the probe reached the host, i.e. the port is unfiltered.
52
IDLE Scan
Uses a third host (the idle zombie) whose IP ID counter increments predictably, and sends SYN probes to the target spoofed from the zombie's address. The attacker reads the zombie's IP ID before and after each spoofed probe: an increase of 2 means the target sent SYN/ACK to the zombie, which answered RST (port open); an increase of 1 means the target sent RST or nothing (closed or filtered). The target never sees the attacker's own IP. nmap -sI zombie target.
53
nmap -sA
ACK probe scan. Helps determine whether a stateful firewall is in place: no response = filtered, RST = unfiltered. It cannot tell open from closed.
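The response rules from cards 46 to 53 (SYN, FIN/NULL/XMAS, ACK and idle scans) as decision logic, the way nmap classifies a port. This is an added example, not from the deck or from nmap's source; the `Reply` records are constructed stand-ins for what a packet sniffer would hand back.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Reply:
    """What came back for one probe (constructed for this example)."""
    tcp_flags: Optional[str] = None          # e.g. "SA" (SYN/ACK), "RA"; None = silence
    icmp: Optional[Tuple[int, int]] = None   # (type, code) of an ICMP error, if any


# ICMP type 3 codes that nmap interprets as "filtered" (codes 0,1,2,3,9,10,13)
FILTER_CODES = {(3, 0), (3, 1), (3, 2), (3, 3), (3, 9), (3, 10), (3, 13)}


def port_state(scan, reply):
    """Port state for one probe, per the rules of the scan type used."""
    if reply.icmp in FILTER_CODES:
        return "filtered"
    flags = reply.tcp_flags or ""
    if scan == "syn":                        # -sS (and -sT reaches the same verdicts)
        if "S" in flags and "A" in flags:
            return "open"
        return "closed" if "R" in flags else "filtered"
    if scan in ("fin", "null", "xmas"):      # -sF / -sN / -sX, the inverse-flag family
        return "closed" if "R" in flags else "open|filtered"
    if scan == "ack":                        # -sA: only says whether a firewall is in the way
        return "unfiltered" if "R" in flags else "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def idle_scan_verdict(ipid_before, ipid_after):
    """Idle scan: compare the zombie's IP ID before and after a spoofed SYN.

    +2 : target sent SYN/ACK to the zombie and the zombie answered RST -> open
    +1 : target sent RST (or nothing) to the zombie, which stayed quiet -> closed|filtered
    anything else: the zombie is not idle and cannot be used
    """
    delta = (ipid_after - ipid_before) % 65536   # the IP ID field wraps at 16 bits
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "zombie not idle"


if __name__ == "__main__":
    print(port_state("syn", Reply("SA")), port_state("xmas", Reply()), port_state("ack", Reply()))
    print(idle_scan_verdict(31337, 31339))
```

Note how the FIN/NULL/XMAS family and the ACK scan never produce a plain "open": silence is ambiguous for the first group and the second only distinguishes filtered from unfiltered, which is why those scans are combined with a SYN scan rather than used on their own.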
54
nmap -sF
FIN scan
55
nmap -sI
IDLE scan
56
nmap -sL
List scan: only lists the targets (doing reverse-DNS lookups on them) and sends no probes to them.
57
nmap -sN
NULL scan: a series of TCP probes with no flags set at all. A closed port answers with RST; an open (or filtered) port gives no response.
58
nmap -sO
Protocol scan (tests which IP protocols respond)
59
nmap -sP
Ping scan (host discovery only, no port scan; current nmap syntax is -sn)
60
nmap -sR
RPC scan (legacy option; now part of version detection, -sV)
61
nmap -sS
SYN scan
62
nmap -sT
TCP connect scan
63
nmap -sW
Window scan
64
nmap -sX
XMAS scan
65
nmap -A
OS detection, version detection, script scanning and traceroute
66
nmap -PI
ICMP echo ping (legacy option; current syntax is -PE)
67
nmap -P0
No ping: treat every host as up and skip host discovery (current syntax is -Pn)
68
nmap -PS
SYN ping
69
nmap -PT
TCP ping (legacy option; current syntax is -PS for SYN or -PA for ACK probes)
70
nmap -oN
Normal output
71
nmap -oX
XML output
72
nmap -T0 through -T2
Serial scans (one probe at a time). T0 (paranoid) is slowest, waiting minutes between probes to stay under IDS thresholds; T1 is sneaky, T2 polite.
73
nmap -T3 through -T5
Parallel scans. T3 (normal) is the slowest of the three; T4 (aggressive) and T5 (insane) trade accuracy for speed.
74
By default what is the speed of nmap scan
T3
75
hping3 -1
Sets ICMP mode
76
hping3 -2
Sets UDP mode
77
hping3 -8
Sets scan mode. Expects the port range as its argument instead of a -p flag, e.g. hping3 -8 1-1024 -S target
78
hping3 -9
Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0)
79
hping3 --flood
Sends packets as fast as possible without showing incoming replies
80
hping3 -Q
Collects the TCP sequence numbers generated by the host (--seqnum), used to judge how predictable its ISNs are
81
hping3 -p
Sets port number
82
hping3 -F
Sets the FIN flag
83
hping3 -S
Sets the SYN flag
84
hping3 -R
Sets the RST flag
85
hping3 -P
Sets the PSH flag
86
hping3 -A
Sets the ACK flag
87
hping3 -U
Sets the URG flag
88
hping3 -X
Despite its long name (--xmas), sets the unused 0x40 TCP flag bit. An Xmas-style probe with FIN, PSH and URG set is built by combining -F -P -U.
89
Active vs Passive OS Fingerprinting
Active: sending crafted, nonstandard packets to the target and judging the OS by how its stack responds. Passive: sniffing network traffic and looking at fields such as the TTL, window size, DF (Don't Fragment) flag and ToS (Type of Service) field, without sending anything.
90
Why is using the scan type: " nmap -f " useful for evading IPS
The -f flag fragments the probe packets into tiny IP fragments (8 bytes of payload each). An IDS that inspects each packet on its own, without reassembling fragments, never sees a complete TCP header and so cannot match its signatures. A sensor that reassembles fragments before inspection is not fooled.
91
What should you be aware of before spoofing an IP address?
IP spoofing only works when you do not need the response to reach your machine: replies go to the spoofed address, not to you.
92
Source Routing
Specifies the path a packet should take on the network. Most systems do not allow this anymore.
93
IP Address Decoy
Sends probes from your real IP interleaved with probes from several decoy addresses, so the IDS/firewall cannot tell which source the scan really comes from. Examples: nmap -D RND:10 target (ten random decoys), or nmap -D decoy1,decoy2,ME,decoy3 target (ME marks the position of your real address).
94
Proxy (evasion)
For evasion, attackers use proxy technology in reverse: commands and requests are sent to the proxy, which relays them to the target. Anyone monitoring the target's subnet sees the proxy trying all these actions, not the attacker.
95
Proxy Chains
Multiple proxies further hide your activities. Tools for this: Proxy Switcher, Proxy Workbench, SoftCab's Proxy Chain Builder, CyberGhost, and Proxifier
96
ToR
The Onion Router. A small Tor client on the machine fetches a list of relays from a directory server and builds a circuit through several of them, wrapping the request in one layer of encryption per relay so that each relay knows only the previous and the next hop. That makes tracing a request back to its source very hard.
97
Anonymizers (Evasion)
Anonymizers hide the user's identity for HTTP traffic (port 80) by fetching pages on the user's behalf.
98
Anonymizer Tools
Guardster, Ultrasurf, Psiphon, Tails
99
Gzapper
A tool (G-Zapper) that can be used to remove the Google tracking cookie from a system.
100
Vulnerability Scanning Tools
Tenable's Nessus (Standard), GFI LanGuard, Qualys, FreeScan, OpenVAS
101
Enumeration Definition
Defined as listing the items that are found within a specific target. Always active in nature.
102
Security Context (Windows System)
User identity and authentication information
103
Security Identifier (SID)
Identifies a user, group or computer account
104
Relative Identifier (RID) (Windows)
The last portion of the SID, identifying a specific user, group or computer relative to the issuing authority (the domain or the local machine).
105
Example SID: S-1-5-21-3874928736-367528774-1298337465-500
Administrator Account - SID of 500
106
Administrator vs Regular Account SID
Admin - RID 500 (Guest - RID 501). Regular accounts get RIDs starting at 1000. The RID survives renaming, so a renamed Administrator is still recognisable by its 500.
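A small SID parser that applies the RID rules of cards 105 and 106, added here as an example (not part of the original deck). The sample SID is the one printed on card 105; the other RID meanings come from Microsoft's well-known RID list.

```python
import re

# S-1-<authority>-<subauthority>...-<rid>
SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subs>(?:-\d+)+)$")

# Well-known RIDs inside a domain or local SAM (S-1-5-21-...)
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split a textual SID into authority, sub-authorities and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group("subs").split("-")[1:]]
    return {"authority": int(m.group("authority")),
            "subauthorities": subs[:-1],
            "rid": subs[-1]}


def domain_of(sid):
    """The SID with the RID removed: all accounts of one domain share this prefix."""
    p = parse_sid(sid)
    return "S-1-%d-%s" % (p["authority"], "-".join(str(s) for s in p["subauthorities"]))


def describe_account(sid):
    """What kind of account a SID belongs to, judged by the RID alone."""
    p = parse_sid(sid)
    # Only NT authority (5) SIDs whose first sub-authority is 21 are domain/SAM accounts;
    # S-1-5-32-... (BUILTIN), S-1-5-18 (LocalSystem) etc. are reserved principals.
    if p["authority"] != 5 or p["subauthorities"][:1] != [21]:
        return "built-in/reserved"
    rid = p["rid"]
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "regular account"
    return "built-in/reserved"


if __name__ == "__main__":
    for s in ("S-1-5-21-3874928736-367528774-1298337465-500",
              "S-1-5-21-3874928736-367528774-1298337465-1104",
              "S-1-5-32-544"):
        print(s, "->", describe_account(s))
```

During enumeration the useful trick is `domain_of()`: once any one account SID of a domain is known, the domain SID prefix is known, and candidate SIDs can be built by appending RIDs (500, 501, 1000, 1001, ...) and resolved back to names.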
107
Where can you find info about users and groups in Linux?
/etc/passwd lists the user accounts with their user IDs (UID) and primary group IDs (GID); /etc/group lists the groups and their members.
108
SAM Database
File where all local account password hashes are stored (hashed, not cleartext). Located at C:\Windows\System32\config\SAM and locked by the kernel while Windows is running.
109
Linux Enumeration: Finger
Linux command to get info on users and the host machine
110
Linux Enumeration: rpcinfo and rpcclient
Info on RPC in the environment
111
Linux Enumeration: showmount
displays the directories a host exports over NFS (showmount -e host)
112
Banner Grabbing is apart of what scanning methodology?
Enumeration.
113
Active vs Passive Banner Grabbing
Active - sending specially crafted packets to the remote system and comparing the responses to determine the OS or service version. Passive - reading error messages, sniffing network traffic, or looking at page extensions, without sending probes.
114
What are a couple ways to perform a banner grab?
telnet <host> 80 (then send a request and read the Server header), telnet <host> 25 (SMTP greets you with its banner), or netcat: nc -v <host> <port>
115
What does NetBIOS do?
NetBIOS provides name service, connectionless (datagram) communication and a session service at the Session layer. A NetBIOS name is a 16-byte string used to identify devices: 15 ASCII characters of name plus a one-byte suffix identifying the service. DOES NOT WORK over IPv6.
116
NetBIOS Remote Machine Name Table
<1B> UNIQUE Domain Master Browser. <1C> GROUP Domain Controllers. <1D> UNIQUE Master Browser for the subnet. <00> UNIQUE Hostname (Workstation service). <00> GROUP Domain name. <03> UNIQUE Messenger service (a logged-on user or the machine). <20> UNIQUE Server service running (file sharing).
117
Command to display NetBIOS
nbtstat (your own info), nbtstat -n (local name table), nbtstat -A IPAddress (remote machine's name table by IP), nbtstat -c (name cache)
118
Tools to use for NetBIOS Enumeration
SuperScan, Hyena, NetBIOS Enumerator, NSAuditor
119
SNMP
Port 161, Consists of a manager and agents. A simple central management system set up on the network will make requests of SNMP agents on the devices.
120
SNMP - MIB vs OID
OID - Object Identifiers for information stored in MIB. MIB - Management Information Base: Holds information and is arranged with numeric identifiers (OIDs)
121
SNMP GET vs SNMP SET
SNMP GET : Gets information about the system SNMP SET: Sets information about the system
122
SNMP: Scalar vs Tabular
Two types of managed objects in SNMP: a scalar object defines a single value, whereas a tabular object defines multiple related values grouped together in MIB tables.
123
Tools to enumerate SNMP
SNMP Scanner, OpUtils 5, SNScan, Engineers Toolkit (solarwinds)
124
LDAP Enumeration
Designed to be queried. Connects on 389 to a Directory System Agent (DSA). Returns info such as valid user names, domain information, addresses, telephone numbers, system data, organization structure, etc.
125
Tools for LDAP Enumeration
Softerra, Jxplorer, Lex, LDAP Admin Tool
126
NTP Enumeration
UDP port 123. Synchronizes time across the network. Querying an NTP server (for example with ntpdc -c monlist or ntpq) can return a list of systems that have synchronized with it (name and IP), which may reveal internal addresses.
127
Tools for NTP enumeration
NTP Server Scanner, AtomSync, Nmap, Wireshark, ntptrace (command), ntpdc, ntpq
128
SMTP Enumeration Commands
VRFY - asks the server to confirm a user exists (250 = yes, 550 = unknown, 252 = server refuses to say). EXPN - returns the actual delivery addresses behind a mailing list or alias. RCPT TO - names a recipient; a server that rejects unknown recipients at RCPT TO can still be used to enumerate users when VRFY and EXPN are disabled.
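The VRFY/EXPN exchange from card 128 with both sides shown, added as an example that is not part of the original deck. The block includes a tiny fake SMTP responder on loopback, with a constructed user list and alias, so the client side can be run offline; a real server would behave the same way except that many disable VRFY and answer 252.

```python
import socket
import threading

# Constructed directory for the fake server; not taken from any real system.
USERS = {"root", "alice"}
ALIASES = {"admins": ["alice@example.test", "root@example.test"]}


def _serve_one(conn):
    """Minimal SMTP responder knowing HELO, VRFY, EXPN and QUIT (fake, demo only)."""
    rf = conn.makefile("rb")
    conn.sendall(b"220 mail.example.test ESMTP\r\n")
    for raw in rf:
        verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            conn.sendall(b"250 mail.example.test\r\n")
        elif verb == "VRFY":                          # 250 = exists, 550 = unknown
            if arg in USERS:
                conn.sendall(f"250 {arg} <{arg}@example.test>\r\n".encode())
            else:
                conn.sendall(b"550 5.1.1 User unknown\r\n")
        elif verb == "EXPN":                          # multi-line: "250-" ... then "250 "
            members = ALIASES.get(arg)
            if members:
                for i, m in enumerate(members):
                    sep = " " if i == len(members) - 1 else "-"
                    conn.sendall(f"250{sep}<{m}>\r\n".encode())
            else:
                conn.sendall(b"550 5.1.1 List unknown\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented\r\n")
    rf.close()
    conn.close()


def start_fake_server():
    """Listen on a random loopback port, serve one client in a thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve_one(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


def _read_reply(rf):
    """Read one SMTP reply; 'NNN-' lines continue it, 'NNN ' ends it."""
    lines = []
    while True:
        line = rf.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def enumerate_smtp(host, port, candidates, aliases):
    """VRFY each candidate name and EXPN each alias; return what the server admits to."""
    found, members = {}, {}
    with socket.create_connection((host, port), timeout=5) as s:
        rf = s.makefile("rb")
        _read_reply(rf)                                  # 220 banner
        s.sendall(b"HELO scanner.example.test\r\n")
        _read_reply(rf)
        for name in candidates:
            s.sendall(f"VRFY {name}\r\n".encode())
            code, _ = _read_reply(rf)
            found[name] = code == 250                    # 550 and 252 both count as "no"
        for alias in aliases:
            s.sendall(f"EXPN {alias}\r\n".encode())
            code, lines = _read_reply(rf)
            members[alias] = [ln[4:] for ln in lines] if code == 250 else []
        s.sendall(b"QUIT\r\n")
        _read_reply(rf)
        rf.close()
    return found, members


if __name__ == "__main__":
    port = start_fake_server()
    print(enumerate_smtp("127.0.0.1", port, ["root", "alice", "bob"], ["admins", "staff"]))
```

The reply-code handling is the part worth copying: a 252 ("cannot VRFY user, but will accept message") is the sign that enumeration via VRFY is switched off and that RCPT TO probing is the fallback.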
129
Syslog Port
UDP/514