Chapter 5 Scanning Networks Flashcards

1
Q

Generally found in Scanning phase is:

A

1) IP addresses
2) open/closed PORTS on live HOSTS
3) Info on OS(s) & system architecture
4) SERVICES or processes running on hosts

2
Q

Wardialing

A

old technique that dials a block of phone #s using a standard modem to locate systems that also have a modem attached & accept connections

Modems & dial-up are still used as a backup to existing technologies such as cable, DSL, etc.; it is low cost and a safety net if there were to be a major outage; great way to access bc of the lack of attention modems get

Firewalls, routers, & fax machines sometimes have modems attached; an attacker can dial in and gain access

3
Q

Wardriving

A

the process of driving around w/ a wireless-enabled laptop or device with the goal of mapping out access points, usually w/ the help of a GPS device

4
Q

Pinging

A

the process of using the ping command to detect whether a system is live & gain info about the nature of the connection between your system & the target (TTL, speed of packets)

involves using Internet Control Msg Protocol (ICMP) msgs, which is why this process is also called ICMP scanning

Process works by sending an ICMP ECHO request to another system; if that system is live, it will respond by sending back an ICMP ECHO reply

command prompt -> ping <IP address> or ping <hostname>

*Best to always ping by IP address bc pinging a hostname may not get a reply due to DNS problems

Nmap is also used here -> nmap -sP -v <target>

5
Q

Ping Sweep

A

scan or sweep a range of IPs looking for hosts that are live; can build an inventory of systems quickly

CON - most NW admins block ping at the firewall; IDS or IPS can detect it

nmap -sP -PE -PA

nmap -sn -PE -PA21,23,80,3389 192.168.10.1-50

6
Q

Port Scanning

A

once a live system is found, perform a port scan to see what ports are open

7
Q

TCP Flags - (6)

A

1) SYN - initiates a connection between 2 hosts to facilitate communication
2) ACK - acknowledges the receipt of a packet of info
3) URG - indicates that the data contained in the packet is urgent & should be processed immediately
4) PSH - instructs the sending system to send all buffered data immediately
5) FIN - tells the remote system that no more info will be sent; close connection
6) RST - resets a connection

8
Q

packet crafter

A

utility designed to create a packet w/ the flags you specify

HPING2 and HPING3 - command-line only; create custom packets for testing

Create an ACK packet & send it to port 80:
hping3 -A -p 80 <target>
Create a SYN scan against different ports:
hping3 -8 50-56 -S -v <target>
Create packet w/ FIN, URG -p 80

9
Q

Types of Scans that can be done for port scanning (7)

A

1) Full Open Scan
2) Stealth Scan, or Half Open Scan
3) Xmas Tree Scan
4) Fin Scan
5) Null Scan
6) Ack Scan
7) UDP Scan

10
Q

Full Open Scan

A

1) Full Open Scan - systems involved initiate & complete the 3-way handshake. Attacker sends ACK+RST to tear down the connection
PRO - positive feedback on whether the host is up and running
CON - the target knows who you are

11
Q

Stealth Scan / Half Open Scan

A

2) Stealth Scan, or Half Open Scan - similar to Full Open Scan except the attacker sends an RST packet as the final packet to tear down the connection, unless the victim port is closed, in which case the victim will fire back an RST
PRO - less likely to trigger detection mechanisms
CON - less reliable than Full Open Scan

12
Q

Xmas Tree Scan

A

3) Xmas Tree Scan - a single packet is sent to the client with ACK, SYN, URG, RST, & FIN all set (all except PSH). Having all flags set is an illegal combo; the receiving system either ignores/drops the packet, or on some systems the lack of response means the port is open whereas a single RST tells you the port is closed

Xmas tree in Nmap -> nmap -sX -v <target>

CON - Windows does not respond to this type of attack

13
Q

Fin Scan

A

4) Fin Scan - similar to Xmas tree except only the FIN flag is set and sent; if open, no response; if closed, RST response

nmap -sF <target>

14
Q

Null Scan

A

5) Null Scan - sends frames w/ no flags set; no response means open; if RST, port closed

nmap -sN <target>

15
Q

Ack Scan

A

6) Ack Scan - used to test whether any filtering is being done on a port (tells the attacker whether a firewall or router is in use)

nmap -sA -P0 <target>

16
Q

What to do if packet filters, firewalls, or other devices pick up evidence of your attack?

A

FRAGMENTING works by breaking a packet into multiple pieces w/ the goal of preventing detection devices from seeing what the original unfragmented packet intends to do

nmap -sS -T4 -A -f -v <target>

17
Q

UDP scan

A

7) previous techniques assume TCP is being used;
for UDP, if a port is open, NO response
if a port is closed, an ICMP port unreachable msg is returned

Remember UDP does not use a 3-way handshake; TCP is connection-oriented whereas UDP is connectionless

18
Q

types of OS Fingerprinting (2)

A

1) Passive - uses sniffing techniques to capture packets coming from a system; the responses are analyzed looking for details of the OS; chance of detection is LOW b/c sniffing does not introduce traffic to the NW
2) Active - uses specifically crafted packets; responses are compared to a DB of known responses; chance of detection is HIGH bc it introduces traffic to the NW

19
Q

Banner Grabbing

A

determine information about services running on a system

Tools -> Telnet

a Banner is what a service returns to the requesting program to give info about the service itself (e.g. HTTP would return server SW, version, etc.)

Banners are grabbed by connecting to a host & then sending a request to a port associated w/ a specific service, such as 80 for HTTP

telnet <host> 80
HEAD / HTTP/1.0

20
Q

Vulnerability Scanning

A

special type of automated utility designed to identify problems & holes in the OS & apps

CON - designed to look for a group of known issues; if none are found, it leaves the impression that your system is safe

can be used by attacker or victim for diff reasons

Tools -> Nmap, Rapid7, Retina, etc.