Lesson 7 - Analyzing Scanning Results Flashcards

1
Q

What are Nmap's timing options?

A

-T<level>
0 - Paranoid
1 - Sneaky
2 - Polite
3 - Normal (default)
4 - Aggressive
5 - Insane

2
Q

What can networks enforce to limit data flow by policing or shaping traffic?

A

Rate Limiting

3
Q

What is the difference between a TCP scan and a UDP scan?

A

A TCP scan provides more detailed results and is well suited to determining the OS and other details.

A UDP scan is generally slower and harder to interpret, since open and filtered ports rarely send a response. UDP scanning is useful for determining whether UDP server protocols such as DNS, SNMP, and DHCP can be exploited.

4
Q

What are the TCP scan flags in Nmap?

A

-sA - TCP ACK scan, used to map firewall rulesets
-sT - Full TCP three-way handshake (connect scan)
-sX - Christmas Tree scan: sends a TCP segment with the FIN, PSH, and URG flags set, for bypassing a firewall or IDS

5
Q

What are the UDP scan flags?

A

-sU
If the port is open, the target might return a UDP packet, which provides proof that the port is open. No response means closed or filtered.

Best used together with a banner grab (-sV) to validate the result.

Port closed: ICMP type 3, code 3
If filtered, you might get an ICMP error of type 3 with code 1, 2, 9, 10, or 13

6
Q

What is the flag to specify the port(s), and what is the default if no flag is used?

A

-p <port>

Syntax:
nmap -p 110,25,443 <IP address>

By default, Nmap scans the top 1000 most common ports.

7
Q

What core component of Nmap allows users to customize and automate the scanning process?

A

Nmap Scripting Engine (NSE)

Syntax:
-sC or
nmap --script=<name of script>

8
Q

What are the 3 main categories of Nmap scripts?

A

Malware Discovery
Discovery of networks, services and hosts
Vulnerabilities and exploitation commands

9
Q

By default, Nmap uses the following during host discovery:

A

TCP SYN packet to port 443
TCP ACK packet to port 80
ICMP type 8 (echo request)
ICMP type 13 (timestamp request)
ARP requests to obtain MAC address details

10
Q

If a firewall is blocking ICMP ping, what other Nmap options can be tried?

A

TCP ACK Ping -PA <portlist>: sets the acknowledgement (ACK) flag in the TCP header.

UDP Ping -PU <portlist>: uses the User Datagram Protocol (UDP).

SCTP Initiation Ping -sY <portlist>: uses the Stream Control Transmission Protocol (SCTP), an alternative to a TCP or UDP scan for seeing whether a host is alive.

TCP SYN Scan -sS <target>: sends a TCP SYN to whatever port(s) you specify. If you don't indicate a port number, Nmap will try all ports and then display the findings. For example, running the command nmap -PS scanme.nmap.org will result in the following:

11
Q

During the host discovery phase in Nmap, what are the options to:

Treat all hosts as online

Complete the discovery without doing a port scan

A

-Pn

-sn

12
Q

What does "unfiltered" mean in an Nmap scan?

A

The port is accessible, but Nmap is unable to determine whether it is open or closed.

13
Q

What are the two types of DNS servers involved in a DNS query?

A

An authoritative nameserver houses the records for a namespace and responds to DNS requests.

A recursive server holds a copy of the records for a namespace. It can ask other servers if the DNS information does not exist in its cache.

14
Q

What is a DNS zone transfer, and what is it referred to as?

A

Authoritative Transfer (AXFR)

Mechanism by which a secondary name server obtains a read-only copy of zone records from the primary server.

15
Q

What is the text file that contains information and resource records for a specific namespace?

A

A zone file

A records for IPv4
AAAA records for IPv6
PTR records for reverse lookup
MX records for mail

16
Q

What is a zone transfer?

A

When a host DNS nameserver passes a copy of the zone file to the client DNS nameserver.

17
Q

What is meant by poisoning the cache in a DNS attack?

A

Updating DNS recursive servers should only be done by a trusted source. If the server is not properly configured, a malicious actor can corrupt the DNS cache of a recursive server to point a victim to a bogus IP.

18
Q

What is a popular commercial tool for testing web applications?

A

Burp Suite