Chapter 5 Scanning Networks

Question 1

Phase 2: Network Scanning

Answer 1

a methodical process that involves probing a target NW to reveal the nature of system NWs as well as the vulnerabilities present

Question 2

Generally found in Scanning phase is:

Answer 2

1) IP addresses
2) open/closed PORTS on live HOSTS
3) Info on OS(s) & system architecture
4) SERVICES or processes running on hosts

Question 3

Types of Scans

Answer 3

1) Port scanning - sending crafted messages/packets to a target computer w/ the intent of learning more about it (typically through well-known port #s or those

Question 4

Common ways to check for Live Systems

Answer 4

Wardialing, Wardriving, Pinging, and Port Scanning

Question 5

Wardialing

Answer 5

old technique that dials a block of phone #s using a standard modem to locate system that also have a modem attached & accept connection

Modems & dial-up are still used as a backup to existing technologies such as cable, DSL, etc; It is low cost and a safety net if there were to be a major outage; great way to access bc of the lack of attention modems get

Firewalls, routers, & fax machines sometimes have modems attached; attacker can dial in and gain access

Question 6

Wardriving

Answer 6

the process of driving around w/ wireless-enabled laptop or device with the goal of mapping out access points, usually w/ the help of GPS device

Question 7

Pinging

Answer 7

the process of using the ping command to detect whether a system is live & gain info about the nature of the connection between your system & the target (TTL, speed of packets)

involves using Internet Control Msg Protocol (ICMP) msg, which is why this process is also called ICMP scanning

Process works by sending an ICMP ECHO request to another system, if that system is live, it will respond by sending back an ICMP ECHO reply

command prompt –> ping or ping

*Best to always ping by IP address bc pinging hostname may not get a reply bc DNS problems

NMAP also used here –> NMAP -sP -v

Question 8

Ping Sweep

Answer 8

scan or sweep a range of IPs looking for hosts that are live; can build inventory of systems quickly

CON - most NW admins block ping at firewall, IDS or IPS can detect

nmap -sP -PE - PA

nmap -sn -PE -PA21,23,80,3389 192.168.10.1-50

Question 9

Port Scanning

Answer 9

once live system found, perform port scan to see what ports are open

Question 10

TCP Flags - (6)

Answer 10

1) SYN - Initiates connection between 2 hosts to facilitate communication
2) ACK - acknowledge the receipt of packet of info
3) URG - indicates that the data contained in the packet is urgent & should be processed immediately
4) PSH - instructs the sending system to send all buffered data immediately
5) FIN - tells the remote system that no more info will be sent, close connection
6) RST - resets a conneciton

Question 11

packet crafter

Answer 11

utility designed to create a packet w/ the flags you specify

HPING2 and HPING3 - command-line only creating custom packets for testing

Create an ACK packet & send it to port 80:
Hping3 -A -p 80
Create a SYN scan against different ports:
Hping3 -8 50-56 -s -v
Create packet w/ FIN, URG -p 80

Question 12

Types of Scans that can be done for port scanning (7)

Answer 12

1) Full Open Scan
2) Stealth Scan, or Half Open Scan
3) Xmas Tree Scan
4) Fin Scan
5) Null Scan
6) Ack Scan
7) UDP Scan

Question 13

Full Open Scan

Answer 13

1) Full Open Scan - systems involved initiated & completed the 3 way handshake. Attacker sends ACK+RST to tear down connection
PRO - positive feedback of if host is up and running
CON - the target knows who you are

Question 14

Stealth Scan / Half Open Scan

Answer 14

2) Stealth Scan, or Half Open Scan - similar to Full open scan except attacker sends RST packet as final packet to tear down connection unless victim port is closed in which case, the victim will fire back RST
PRO - less likely to trigger detection mechnisms
CON - less reliable than Full Open Scan

Question 15

Xmas Tree Scan

Answer 15

3) Xmas Tree Scan - Single packet is sent to client with ACK, SYN, URG, RST, & FIN all set (all except PSH). Having all flags set is illegal combo, receiving system either ignores/drops the packets, or some systems the lack of response means the port is open whereas a single RST tells you port is closed

Xmas tree in Nmap –> NMAP -sX -v

CON - Windows do not respond to this type of attack

Question 16

Fin Scan

Answer 16

4) Fin Scan - similar to Xmas tree except only FIN flag is set and sent; If open, no response, if closed RST response

NMAP -sF

Question 17

Null Scan

Answer 17

5) Null Scan - sends frames w/ no flags set; no response means open, if RST port closed

NMAP -sN

Question 18

Ack Scan

Answer 18

6) Ack Scan - used to test whether any filtering is being done on a port (tells attacker whether a firewall or router is in use)

NMAP -sA -P0

Question 19

**what to do if packet filters, firewalls, or other devices pick up evidence of your attack?

Answer 19

FRAGMENTING works by breaking a packet into multiple pieces w/ goal of preventing detection devices from seeing what the original unfragmented packet intends to do

NMAP -sS -T4 -A -f -v

Question 20

UDP scan

Answer 20

7) previous techniques assume TCP is beign used;
For UDP if a port is open, NO response
If a port is closed, ICMP port unreachable msg returned

Remember UDP does not use 3 way handshake, TCP is connection oriented whereas UDP is connecitonless

Question 21

types of OS Fingerprinting (2)

Answer 21

1) Passive - uses sniffing techniques to capture packets coming from a system; the responses are analyzed looking for details of OS; chance of detection is LOW b/c sniffing does not introduce traffic to the NW
2) Active - uses specifically crafted packets; responses are compared to DB of known responses; chance of detection is HIGH bc introduces traffic to NW

Question 22

Banner Grabbing

Answer 22

determine information about services running on a system

Tools –> Telnet

a Banner is what a service returns to the requesting program to give info about the service itself (i.e. HTTP would return server SW, version, etc)

Banners are grabbed by connection to a host & then sending a request to a port associated w/ a specific service such as 80 for http

telnet 80 head/http/1.0

Question 23

Countermeasures

Answer 23

disable or change banner

tools –> IIS Lockdown, ServerMask, etc

hide file extensions to hide technology used to generate pages

tools –> PageXchanger

Question 24

Vulnerability Scanning

Answer 24

special type of automated utility designed to identify problems & holes in OS & apps

CON - designed to look for group of known issues, if not found, leaves impression that ur system is safe

can be used by attacker or victim for diff reasons

Tools –> Nmap, Rapid7, Retina, etc

Question 25

Drawing NW diagrams

Answer 25

visualize NW environment, can clearly see holes that can be exploited

Mappers can generate a lot of traffic so be careful

Question 26

Using Proxies

Answer 26

system acting as a stand-in between the scanner & target; The proxy acts as an agent for the scanning party, thus giving anonymity;

Question 27

Proxy servers can perform several functions

Answer 27

1) Filtering Traffic in & out of NW
2) Anonymizing web traffic
3) Providing a layer of protection between the outside world & the internal NW

Tools –> TOR the onion router used to improve privacy & security for internet; packets cannot be traced; encrypt traffic

Question 28

Setting Web Browser to use Proxy

Answer 28

Setup proxy to hide self –>

1) Find ur IP –> whatismyip.com
2) Search for proxies with IP and port #
3) change proxy settings in browser
4) Find ur IP

Question 29

What is used for Network Scans?
What is used for Banner Grabbing?
What is used to identify Web Server OS

Answer 29

Nmap - NW scans
Telnet - Banner Grabbing
Netcraft - ID web server OS