MOD3: Scanning Networks Flashcards
Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network.
True / False.
True.
Network scanning is one of the components of intelligence gathering which can be used by an attacker to create a profile of the target organization.
Which one(s) is an objective of network scanning?
a) to discover live hosts, IP address, and open ports of live hosts
b) to discover OSs and system architecture
c) to discover services running on hosts
d) to discover vulnerabilities in live hosts
e) all of the above
All of the above.
TCP communication flags: Data contained in a packet should be processed immediately. a) FIN b) ACK c) PSH d) SYN e) RST f) URG
f) URG (urgent)
TCP communication flags: Resets a connection. a) FIN b) ACK c) PSH d) SYN e) RST f) URG
e) RST (reset)
TCP communication flags: Acknowledges the receipt of a packet. a) FIN b) ACK c) PSH d) SYN e) RST f) URG
b) ACK (acknowledgement)
TCP communication flags: There will be no further transmission. a) FIN b) ACK c) PSH d) SYN e) RST f) URG
a) FIN (finish)
TCP communication flags: Sends all buffered data immediately. a) FIN b) ACK c) PSH d) SYN e) RST f) URG
c) PSH
TCP communication flags: Initiates a connection between hosts. a) FIN b) ACK c) PSH d) SYN e) RST f) URG
d) SYN (synchronize)
Which is better, TCP or UDP?
TCP is better because packets are more concise.
UDP is not as strict, it’ll just say ‘send another request’.
TCP header field sizes. First 16 bits = _____ Next 16 bits = _____ Next 32 bits = _____ Next 32 bits = _____
First 16 bits = source port
Next 16 bits = destination port
Next 32 bits = sequence no.
Next 32 bits = ACK (acknowledgement no.)
What type of handshake is for TCP session establishing and for TCP session termination?
TCP Session Establishment –> 3 way handshake
TCP Session Termination –> 4 way handshake for shut down
What tool is useful for making payloads?
Metasploit.
It also has built in scanners!
How many ports are there per TLP (Transport Layer Protocol)?
65,536
How many ports will NMAP scan?
NMAP will scan the top 1,000 ports.
What is RFC73 compliant?
It describes how a system should react to illegal requests.
RFC-compliant code is code that follows the formal requirements for the protocols in the TCP/IP stack, as specified in a number of RFC documents published by the Internet Engineering Task Force, aka the IETF.
What is a Christmas tree packet?
A Christmas Tree Attack is a very well known attack that is designed to send a very specifically crafted TCP packet to a device on the network.
Why would an attacker send TCP probe packets set with an ACK flag to a remote device?
To analyze the header information (TTL and WINDOW field) of received RST packets to determine if the port is open or closed.
If the TTL value of the RST packet on a particular port is less than the boundary value of 64, then that port is open.
True/False.
True.
If the window value of the RST packet on a particular port has a non-zero value, then that port is open.
True/False.
True.
IPv6 scanning increases the IP address size from 32 bits to 128 bits to support more levels of address hierarchy.
True/False.
True.
What is the benefit of detecting service version from an NMAP scan?
ex. NMAP -sV 10.10.10.10
- attackers obtain info about running services and their versions on a target system
- determine the vulnerability of a target system to particular exploits
What tool can be used to observe the TTL and TCP window size fields?
Wireshark.
What is the default TTL for the following? Linux = ____ Windows 95 = ____ Windows 2000 = ____ Windows XP = ____ iOS 12.4 (Cisco Routers) = ____ Solaris 7 = ____
- Linux = 64
- Windows 95 = 32
- Windows 2000 = 128
- Windows XP = 128
- iOS 12.4 (Cisco Routers) = 255
- Solaris 7 = 255
In NMAP, the -O option is used to perform what?
OS discovery. It will provide OS details of the target machine.
In Unicornscan, the OS of the target machine can be identified by observing what?
The TTL values in the scan.
What are some IP spoofing countermeasures?
- encrypt all network traffic
- use multiple firewalls
- don’t rely on IP-based authentication
- use a random initial sequence number
- ingress and egress filtering
Why would an attacker want to scan the number of hosts in a target network?
ex. nmap --randomize-hosts 10.10.10.10
Attackers scan the number of hosts in the target network in random order to scan an intended target that is behind a firewall.
Why would attackers want to send bad TCP/UDP checksums to the intended target?
ex. nmap --badsum 10.10.10.10
To avoid certain firewall rulesets.
What is a proxy server?
An application that can serve as an intermediary for connecting with other computers.
Why do attackers use proxy servers?
a) to hide the actual source of a scan and evade certain IDS/firewall restrictions
b) to mask the actual source of an attack
c) to remotely access intranets that are normally restricted
d) to interrupt all requests sent by a user and transmit them to a 3rd destination
e) to chain multiple proxy servers to avoid detection
f) all of the above
f) all of the above
A search in Google will list thousands of free proxy servers.
True/False.
True.
List the 3 types of scanning.
- Port Scanning: Lists open ports and services
- Network Scanning: Lists the active hosts and IP addresses
- Vulnerability Scanning: Shows the presence of known weaknesses
In NMAP, what does the -PU perform?
the -PU performs the UDP ping scan
The UDP ping scan sends UDP packets to the target host; a UDP response means that the host is active
In NMAP, what does the -PE perform?
the -PE performs the ICMP ECHO ping scan
The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the target host is alive, it will return an ICMP ECHO reply.
In NMAP, what does the ICMP ECHO ping sweep do?
The ICMP ECHO ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is alive, it will return an ICMP ECHO reply.
In NMAP, what does the -O perform?
-O performs the OS discovery.
In NMAP, what does the -A perform?
-A enables aggressive scan.
The aggressive scan option supports OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). You should not use -A against target networks without permission.
In NMAP, what does the -sV perform?
-sV detects service versions
Service version detection helps you to obtain information about the running services and their versions on a target system. Obtaining an accurate service version number allows you to determine which exploits the target system is vulnerable to.
In NMAP, what does the -sU perform?
-sU is for performing UDP scan
The UDP scan uses the UDP protocol instead of TCP. There is no three-way handshake for the UDP scan. It sends UDP packets to the target host; no response means that the port is open. If the port is closed, an ICMP port unreachable message is received.
In NMAP, what does the -sA perform?
-sA is for performing the ACK flag probe scan.
The ACK flag probe scan sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (stateful firewall is present), and an RST response means that the port is not filtered.
In NMAP, what does the -sM perform?
-sM is for performing the TCP Maimon scan
In the TCP Maimon scan, a FIN/ACK probe is sent to the target; if there is no response, then the port is Open|Filtered, but if the RST packet is sent as a response, then the port is closed.
In NMAP, what does the -sX perform?
-sX is for xmas scan
Xmas scan sends a TCP frame to a target system with FIN, URG, and PUSH flags set. If the target has opened the port, then you will receive no response from the target system. If the target has closed the port, then you will receive a target system reply with an RST.
In NMAP, what does the -sS perform?
-sS is for performing stealth scan/TCP half-open scan
The stealth scan involves abruptly resetting the TCP connection between the client and server before the three-way handshake completes, leaving the connection half-open. This scanning technique can be used to bypass firewall rules and logging mechanisms, and to hide under normal network traffic.
In NMAP, TCP connect scan completes a three-way handshake with the target machine.
How is this handshake completed and what would the client need to send to end the connection?
In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with the SYN+ACK packet. In turn, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection.
Once the handshake is completed, the client sends an RST packet to end the connection.
In NMAP, what does -sT perform?
-sT: performs the TCP connect/full open scan
In NMAP, what does -v perform?
-v: enables the verbose output (include all hosts and ports in the output).