Chapter 5 Scanning Networks Flashcards
Generally found in Scanning phase is:
1) IP addresses
2) open/closed PORTS on live HOSTS
3) Info on OS(s) & system architecture
4) SERVICES or processes running on hosts
Wardialing
old technique that dials a block of phone #s using a standard modem to locate system that also have a modem attached & accept connection
Modems & dial-up are still used as a backup to existing technologies such as cable, DSL, etc; It is low cost and a safety net if there were to be a major outage; great way to access bc of the lack of attention modems get
Firewalls, routers, & fax machines sometimes have modems attached; attacker can dial in and gain access
Wardriving
the process of driving around w/ wireless-enabled laptop or device with the goal of mapping out access points, usually w/ the help of GPS device
Pinging
the process of using the ping command to detect whether a system is live & gain info about the nature of the connection between your system & the target (TTL, speed of packets)
involves using Internet Control Msg Protocol (ICMP) msg, which is why this process is also called ICMP scanning
Process works by sending an ICMP ECHO request to another system, if that system is live, it will respond by sending back an ICMP ECHO reply
command prompt –> ping or ping
*Best to always ping by IP address bc pinging hostname may not get a reply bc DNS problems
NMAP also used here –> NMAP -sP -v
Ping Sweep
scan or sweep a range of IPs looking for hosts that are live; can build inventory of systems quickly
CON - most NW admins block ping at firewall, IDS or IPS can detect
nmap -sP -PE - PA
nmap -sn -PE -PA21,23,80,3389 192.168.10.1-50
Port Scanning
once live system found, perform port scan to see what ports are open
TCP Flags - (6)
1) SYN - Initiates connection between 2 hosts to facilitate communication
2) ACK - acknowledge the receipt of packet of info
3) URG - indicates that the data contained in the packet is urgent & should be processed immediately
4) PSH - instructs the sending system to send all buffered data immediately
5) FIN - tells the remote system that no more info will be sent, close connection
6) RST - resets a conneciton
packet crafter
utility designed to create a packet w/ the flags you specify
HPING2 and HPING3 - command-line only creating custom packets for testing
Create an ACK packet & send it to port 80:
Hping3 -A -p 80
Create a SYN scan against different ports:
Hping3 -8 50-56 -s -v
Create packet w/ FIN, URG -p 80
Types of Scans that can be done for port scanning (7)
1) Full Open Scan
2) Stealth Scan, or Half Open Scan
3) Xmas Tree Scan
4) Fin Scan
5) Null Scan
6) Ack Scan
7) UDP Scan
Full Open Scan
1) Full Open Scan - systems involved initiated & completed the 3 way handshake. Attacker sends ACK+RST to tear down connection
PRO - positive feedback of if host is up and running
CON - the target knows who you are
Stealth Scan / Half Open Scan
2) Stealth Scan, or Half Open Scan - similar to Full open scan except attacker sends RST packet as final packet to tear down connection unless victim port is closed in which case, the victim will fire back RST
PRO - less likely to trigger detection mechnisms
CON - less reliable than Full Open Scan
Xmas Tree Scan
3) Xmas Tree Scan - Single packet is sent to client with ACK, SYN, URG, RST, & FIN all set (all except PSH). Having all flags set is illegal combo, receiving system either ignores/drops the packets, or some systems the lack of response means the port is open whereas a single RST tells you port is closed
Xmas tree in Nmap –> NMAP -sX -v
CON - Windows do not respond to this type of attack
Fin Scan
4) Fin Scan - similar to Xmas tree except only FIN flag is set and sent; If open, no response, if closed RST response
NMAP -sF
Null Scan
5) Null Scan - sends frames w/ no flags set; no response means open, if RST port closed
NMAP -sN
Ack Scan
6) Ack Scan - used to test whether any filtering is being done on a port (tells attacker whether a firewall or router is in use)
NMAP -sA -P0