MOD3: Scanning Networks Flashcards

1
Q

Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network.

True / False.

A

True.
Network scanning is one of the components of intelligence gathering which can be used by an attacker to create a profile of the target organization.

2
Q

Which of the following is an objective of network scanning?

a) to discover live hosts, IP address, and open ports of live hosts
b) to discover OSs and system architecture
c) to discover services running on hosts
d) to discover vulnerabilities in live hosts
e) all of the above

A

All of the above.

3
Q
TCP communication flags:
Data contained in a packet should be processed immediately.
a) FIN
b) ACK
c) PSH
d) SYN
e) RST
f) URG
A

f) URG (urgent)

4
Q
TCP communication flags:
Resets a connection.
a) FIN
b) ACK
c) PSH
d) SYN
e) RST
f) URG
A

e) RST (reset)

5
Q
TCP communication flags:
Acknowledges the receipt of a packet.
a) FIN
b) ACK
c) PSH
d) SYN
e) RST
f) URG
A

b) ACK (acknowledgement)

6
Q
TCP communication flags:
There will be no further transmission.
a) FIN
b) ACK
c) PSH
d) SYN
e) RST
f) URG
A

a) FIN (finish)

7
Q
TCP communication flags:
Sends all buffered data immediately.
a) FIN
b) ACK
c) PSH
d) SYN
e) RST
f) URG
A

c) PSH

8
Q
TCP communication flags:
Initiates a connection between hosts.
a) FIN
b) ACK
c) PSH
d) SYN
e) RST
f) URG
A

d) SYN (synchronize)

9
Q

Which is better, TCP or UDP?

A

Neither is better in general; they trade reliability for overhead. TCP is connection-oriented: it opens a session with a handshake, numbers and acknowledges every byte, retransmits anything that is lost and delivers data in order. UDP is connectionless: no handshake, no acknowledgements and no retransmission, so a lost datagram is simply gone unless the application resends it.

For scanning the difference matters: a TCP probe gets a definite SYN/ACK or RST unless a filter drops it, whereas silence after a UDP probe can mean either open or filtered.

10
Q
TCP header layout, field by field from the start of the header:
First 16 bits = ________
Next 16 bits = ________
Next 32 bits = ________
Next 32 bits = ________
A

First 16 bits = source port
Next 16 bits = destination port
Next 32 bits = sequence no.
Next 32 bits = ACK (acknowledgement no.)

11
Q

Which handshake establishes a TCP session, and which one tears it down?

A

TCP Session Establishment –> three-way handshake: the client sends SYN, the server answers SYN/ACK, the client replies ACK.

TCP Session Termination –> four-way handshake: each side sends FIN and the other side acknowledges it (FIN/ACK, ACK, FIN/ACK, ACK). Either side can also abort at any point with RST, which is what a scanner does to avoid a full connection.
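The flag cards, the header-layout card and the handshake cards above all describe the same 20-byte structure. The script below is an added example, not from the flashcards or any tool: it builds and decodes that header, then walks a constructed session (three-way open, four-way close) and checks that every ACK number is the peer's sequence number plus what the peer consumed. Port numbers, initial sequence numbers and the zero checksum are assumptions for illustration.

```python
import struct

# Added example: build/decode the fixed TCP header and walk a full session.
# Flag bits in the TCP flags byte, low bit first (RFC 793 order).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# ports, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
HEADER_FMT = "!HHIIBBHHH"

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Minimal 20-byte header, no options; checksum left at 0 for the example."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4                      # 5 x 32-bit words, kept in the high nibble
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack,
                       data_offset, flag_byte, window, 0, 0)

def parse_tcp_header(raw):
    """Decode the fields in the order the layout card lists them."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_res, flag_byte, window, _csum, urg = struct.unpack(HEADER_FMT, raw[:20])
    return {
        "src_port": src,                       # first 16 bits
        "dst_port": dst,                       # next 16 bits
        "seq": seq,                            # next 32 bits
        "ack": ack,                            # next 32 bits
        "header_len": (off_res >> 4) * 4,      # data offset converted to bytes
        "flags": [n for n, bit in FLAG_BITS.items() if flag_byte & bit],
        "window": window,
        "urgent_ptr": urg,
    }

def describe_flags(flags):
    """Human reading of a flag set, matching the card definitions."""
    f = set(flags)
    if f == {"SYN"}:
        return "SYN: initiate a connection"
    if f == {"SYN", "ACK"}:
        return "SYN/ACK: accept the connection request"
    if f in ({"RST"}, {"RST", "ACK"}):
        return "RST: reset the connection"
    if {"FIN", "PSH", "URG"} <= f:
        return "FIN/PSH/URG: Xmas probe"
    if "FIN" in f:
        return "FIN: no further data from the sender"
    if f == {"ACK"}:
        return "ACK: acknowledge received data"
    return "/".join(sorted(f)) or "NULL (no flags)"

def tcp_session(client_isn=1000, server_isn=5000, client_port=51000, server_port=80):
    """Segments of a session with no payload: 3-way handshake, then 4-way close.
    SYN and FIN each consume one sequence number, so each is ACKed with seq + 1."""
    c, s = client_port, server_port
    raw = [
        build_tcp_header(c, s, client_isn,     0,              ("SYN",)),
        build_tcp_header(s, c, server_isn,     client_isn + 1, ("SYN", "ACK")),
        build_tcp_header(c, s, client_isn + 1, server_isn + 1, ("ACK",)),
        build_tcp_header(c, s, client_isn + 1, server_isn + 1, ("FIN", "ACK")),  # client closes
        build_tcp_header(s, c, server_isn + 1, client_isn + 2, ("ACK",)),        # server ACKs the FIN
        build_tcp_header(s, c, server_isn + 1, client_isn + 2, ("FIN", "ACK")),  # server closes
        build_tcp_header(c, s, client_isn + 2, server_isn + 2, ("ACK",)),        # client ACKs the FIN
    ]
    return [parse_tcp_header(r) for r in raw]

def acks_are_consistent(segments):
    """True if every ACK equals the peer's last seq plus the sequence space it consumed."""
    expected = {}                      # port -> ack value that host must send next
    for h in segments:
        if "ACK" in h["flags"] and h["src_port"] in expected:
            if h["ack"] != expected[h["src_port"]]:
                return False
        consumed = ("SYN" in h["flags"]) + ("FIN" in h["flags"])   # no payload in this session
        expected[h["dst_port"]] = h["seq"] + consumed
    return True

if __name__ == "__main__":
    for h in tcp_session():
        print(h["src_port"], "->", h["dst_port"], "seq", h["seq"], "ack", h["ack"], describe_flags(h["flags"]))
    print("ACKs consistent:", acks_are_consistent(tcp_session()))
```

Running it prints the seven segments in order; note that the ACK after the server's FIN is 5002 although the server sent no data, because the SYN and the FIN each took one sequence number.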

12
Q

What tool is useful for making payloads?

A

Metasploit. Its msfvenom component generates and encodes payloads.

It also has built-in scanner modules (under auxiliary/scanner)!

13
Q

How many ports are there per transport-layer protocol (TCP, UDP)?

A

65,536 per protocol, numbered 0 through 65,535 (port 0 is reserved), so TCP and UDP each have their own 65,536.

14
Q

By default, how many ports does Nmap scan?

A

By default Nmap scans the 1,000 most commonly used ports for each protocol being scanned, ranked by the frequency data in its nmap-services file. Use -F for only the top 100, -p- for all 65,535, or -p with an explicit list or range.

15
Q

What does "RFC 793 compliant" mean?

A

RFC 793 is the original TCP specification. An RFC 793 compliant stack follows its rules for segments that belong to no connection: a closed port must answer with RST, while a listening port must silently drop a segment that carries none of SYN, RST or ACK. FIN, NULL and Xmas scans depend on exactly that difference. Stacks that are not compliant in this respect (Windows is the usual example) send RST in both cases, so those scans report every port as closed.

More generally, RFC-compliant code follows the formal protocol requirements for the TCP/IP stack laid down in the RFC documents published by the Internet Engineering Task Force (IETF).

16
Q

What is a Christmas tree packet?

A

A Christmas tree packet is a TCP segment with an unusual combination of flags switched on, so that the flags field is "lit up like a Christmas tree". Nmap's Xmas scan (-sX) sets FIN, PSH and URG; some tools set every flag. No normal connection state produces such a segment, so the reply (RST or silence) tells an RFC 793 compliant target's closed ports from its open|filtered ones, and an IDS flags it easily because legitimate traffic never looks like this.

17
Q

Why would an attacker send TCP probe packets set with an ACK flag to a remote device?

A

To analyze the header fields (TTL and window) of the RST packets that come back and infer from them whether the port is open or closed, even though an RST is returned either way.

18
Q

If the TTL value of the RST packet on a particular port is less than the boundary value of 64, then that port is open.
True/False.

A

True, as the ACK-probe technique is usually taught: compare the RST's TTL with the RSTs from other ports on the same host, and a lower value marks the open port. Only a few older stacks behave this way, so treat it as a hint to confirm with another scan type rather than as proof.

19
Q

If the window value of the RST packet on a particular port has a non-zero value, then that port is open.
True/False.

A

True, as the technique is taught; this is the basis of Nmap's window scan (-sW). Most current stacks return a zero window in every RST, in which case the scan reports every port as closed.

20
Q

IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of address hierarchy.
True/False.

A

True. The consequence for scanning is that a single /64 subnet holds 2^64 addresses, so sweeping it the way an IPv4 /24 is swept is impractical; attackers instead harvest IPv6 targets from DNS, neighbour caches, logs and replies to link-local multicast.

21
Q

What is the benefit of detecting service versions in an Nmap scan?
ex. nmap -sV 10.10.10.10

A
  • attackers obtain info about running services and their versions on a target system
  • determine the vulnerability of a target system to particular exploits
22
Q

What tool can be used to observe the TTL and TCP window size fields?

A

Wireshark.

23
Q
What is the TTL for the following?
Linux = \_\_\_\_
Windows 95 = \_\_\_\_
Windows 2000 = \_\_\_\_
Windows XP = \_\_\_\_
Cisco IOS 12.4 (routers) = \_\_\_\_
Solaris 7 = \_\_\_\_
A
Linux = 64
Windows 95 = 32
Windows 2000 = 128
Windows XP = 128
Cisco IOS 12.4 (routers) = 255
Solaris 7 = 255
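The table above, together with the Unicornscan card that follows, is the basis of TTL-based OS guessing: every hop decrements the TTL by one, so the value seen on the wire is the initial TTL minus the hop count. The script below is an added example, not from the flashcards or from Unicornscan: it rounds an observed TTL up to the nearest common initial value, reports the hop count and OS family, and runs that over a constructed capture summary (sample lines and addresses are made up, not real traffic).

```python
import re

# Added example: infer initial TTL, hop count and OS family from observed TTLs.
# Typical initial TTLs and the families that use them (from the card above).
INITIAL_TTLS = {
    32: "older Windows (e.g. Windows 95)",
    64: "Linux / Unix-like",
    128: "Windows (2000 and later)",
    255: "Cisco IOS, Solaris, many network devices",
}

def infer_initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed value.
    Assumes fewer than 32 hops, so 57 is read as 64 - 7 rather than 128 - 71."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be 1..255")
    return min(t for t in INITIAL_TTLS if t >= observed)

def guess_os(observed):
    """Initial TTL, hop count and OS family for one observed TTL."""
    initial = infer_initial_ttl(observed)
    return {"observed_ttl": observed, "initial_ttl": initial,
            "hops": initial - observed, "os_family": INITIAL_TTLS[initial]}

# Constructed sample in the style of a capture summary (not real data).
SAMPLE_LINES = """\
192.0.2.10 -> 198.51.100.5  TTL=57   TCP 22 > 51000 [RST]
192.0.2.11 -> 198.51.100.5  TTL=116  TCP 445 > 51001 [RST]
192.0.2.1  -> 198.51.100.5  TTL=250  ICMP echo reply
192.0.2.12 -> 198.51.100.5  TTL=64   TCP 80 > 51002 [RST]
"""

LINE_RE = re.compile(r"^(\S+)\s+->\s+\S+\s+TTL=(\d+)")

def fingerprint_capture(text):
    """Map source IP -> guess for every line whose TTL could be parsed."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group(1)] = guess_os(int(m.group(2)))
    return result

if __name__ == "__main__":
    for ip, g in fingerprint_capture(SAMPLE_LINES).items():
        print(f"{ip:12} ttl={g['observed_ttl']:3} initial={g['initial_ttl']:3} "
              f"hops={g['hops']:2}  {g['os_family']}")
```

The ambiguity is the important caveat: a Windows host 70 hops away would be misread as Linux, and a Linux host more than 32 hops away as Windows 95. Hop counts that large are rare on real paths, but TTL alone is only a first guess; Nmap's -O combines dozens of stack behaviours before naming an OS.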
24
Q

In NMAP, the -O option is used to perform what?

A

OS discovery. It will provide OS details of the target machine.

25
Q

In Unicornscan, the OS of the target machine can be identified by observing what?

A

The TTL values in the scan.

26
Q

What are some IP spoofing countermeasures?

A
  • encrypt all network traffic
  • use multiple firewalls
  • don’t rely on IP-based authentication
  • use a random initial sequence number
  • ingress and egress filtering
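Ingress and egress filtering (the last countermeasure above) is the one a network engineer actually configures, and the rule is simple: packets arriving from outside must not claim a source inside your prefix or in an unroutable range, and packets leaving must carry a source you own. The script below is an added example, not from the flashcards or any firewall product: it encodes that logic and runs it over a constructed flow log. The "internal" prefix (a documentation range) and the flow lines are assumptions for illustration.

```python
import ipaddress

# Added example: BCP 38 style source-address filtering as a reusable check.
# Assumed: our own address space is this documentation prefix.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Private and other unroutable ranges that should never appear as an Internet source.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def filter_source(direction, src):
    """direction: 'ingress' = arriving from the Internet, 'egress' = leaving us.
    Returns (verdict, reason) where verdict is 'accept' or 'drop'."""
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "outside packet spoofing an internal source"
        if _in_any(addr, BOGONS):
            return "drop", "unroutable (bogon) source"
        return "accept", ""
    if direction == "egress":
        if not _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "leaving with a source address we do not own"
        return "accept", ""
    raise ValueError("direction must be 'ingress' or 'egress'")

# Constructed flow log: direction, source, destination (not real traffic).
SAMPLE_FLOWS = """\
ingress 203.0.113.5 192.0.2.10
ingress 192.0.2.7 192.0.2.10
ingress 10.1.2.3 192.0.2.10
egress 192.0.2.20 203.0.113.5
egress 10.9.9.9 203.0.113.5
"""

def audit_flows(text):
    """Apply the filter to each line; return a list of (line, verdict, reason)."""
    out = []
    for line in text.splitlines():
        direction, src, _dst = line.split()
        verdict, reason = filter_source(direction, src)
        out.append((line, verdict, reason))
    return out

if __name__ == "__main__":
    for line, verdict, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:6} {line:40} {reason}")
```

The egress rule is the one that protects everyone else: a host inside the network that spoofs 10.9.9.9 or a victim's address never gets its packet past the border, which is what stops the network being used as a launch point for reflected or spoofed attacks.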
27
Q

Why would an attacker scan the hosts of a target network in random order?
ex. nmap --randomize-hosts 10.10.10.0/24

A

Randomizing the order in which hosts are probed makes the scan less conspicuous to an IDS, or to anyone reading firewall logs, which would otherwise show probes marching sequentially through the address range. The option only has an effect with more than one target; Nmap shuffles the hosts within each group of up to 16384 that it works on at a time.

28
Q

Why would attackers send packets with bad TCP/UDP checksums to the intended target?
ex. nmap --badsum 10.10.10.10

A

A real host's IP stack silently drops a segment whose checksum is wrong, so any reply must have come from something in the path, typically a firewall or IDS, that answers on the host's behalf without validating checksums. The probe therefore detects and fingerprints such devices rather than the host itself.

29
Q

What is a proxy server?

A

An application that can serve as an intermediary for connecting with other computers.

30
Q

Why do attackers use proxy servers?

a) to hide the actual source of a scan and evade certain IDS/firewall restrictions
b) to mask the actual source of an attack
c) to remotely access intranets that are normally restricted
d) to intercept all requests sent by a user and forward them to a third destination
e) to chain multiple proxy servers to avoid detection
f) all of the above

A

f) all of the above

31
Q

A search in Google will list thousands of free proxy servers.
True/False.

A

True

32
Q

List the 3 types of scanning.

A
  1. Port Scanning: Lists open ports and services
  2. Network Scanning: Lists the active hosts and IP addresses
  3. Vulnerability Scanning: Shows the presence of known weaknesses
33
Q

In NMAP, what does the -PU perform?

A

-PU performs the UDP ping scan (a host-discovery probe, not a port scan).

It sends a UDP packet to the target (port 40125 by default). Either a UDP reply or an ICMP port-unreachable error proves the host is up; no answer at all means the host is down or the probe was filtered.

34
Q

In NMAP, what does the -PE perform?

A

the -PE performs the ICMP ECHO ping scan

The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the target host is alive, it will return an ICMP ECHO reply.

35
Q

In NMAP, what does the ICMP ECHO ping sweep do?

A

The ICMP ECHO ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is alive, it will return an ICMP ECHO reply.

36
Q

In NMAP, what does the -O perform?

A

-O performs the OS discovery.

37
Q

In NMAP, what does the -A perform?

A

-A enables aggressive scan.

The aggressive scan option enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). You should not use -A against networks you do not have permission to test.

38
Q

In NMAP, what does the -sV perform?

A

-sV detects service versions

Service version detection helps you obtain information about the running services and their versions on a target system. An accurate service version lets you look up which known vulnerabilities and exploits may apply to the target.

39
Q

In NMAP, what does the -sU perform?

A

-sU performs a UDP scan.

Because UDP has no handshake, Nmap sends a UDP packet (empty for most ports, with a protocol-specific payload for some well-known ones) and reads the reply: an ICMP port-unreachable error means closed, a UDP reply means open, and silence means open|filtered, because an open service that ignores the probe looks the same as a filter. UDP scans are slow because many hosts rate-limit ICMP errors.

40
Q

In NMAP, what does the -sA perform?

A

-sA is for performing the ACK flag probe scan.

The ACK flag probe scan sends an ACK probe with a random sequence number; no response implies that the port is filtered (a stateful firewall is in the way), and an RST means it is unfiltered, i.e. reachable, though the scan cannot tell whether it is open or closed.

41
Q

In NMAP, what does the -sM perform?

A

-sM is for performing the TCP Maimon scan

The Maimon scan sends a FIN/ACK probe. Per RFC 793 a host should answer with RST whether the port is open or closed, but many BSD-derived stacks drop the probe when the port is open, so no response is reported as open|filtered and an RST as closed.

42
Q

In NMAP, what does the -sX perform?

A

-sX is for xmas scan

The Xmas scan sends a TCP segment with the FIN, PSH and URG flags set. On an RFC 793 compliant target an open port stays silent and a closed port answers with RST, so Nmap reports open|filtered (silence) or closed (RST). Windows and some other stacks send RST regardless of port state, so against them every port shows as closed.

43
Q

In NMAP, what does the -sS perform?

A

-sS performs the SYN scan, also called the stealth scan or TCP half-open scan.

Nmap sends a SYN; a SYN/ACK means the port is open, an RST means it is closed and silence means filtered. Instead of completing the three-way handshake, Nmap answers a SYN/ACK with an RST, so the connection is never fully established. Because no connection is made, the application listening on the port never sees it and will not log it; firewalls and IDSs that watch packets still see the SYN, so "stealth" is relative to application logs, not to the network.

44
Q

In NMAP, TCP connect scan completes a three-way handshake with the target machine.

How is this handshake completed and what would the client need to send to end the connection?

A

In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with the SYN+ACK packet. In turn, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection.

Once the handshake is completed, the client sends an RST packet to end the connection.

45
Q

In NMAP, what does -sT perform?

A

-sT: performs the TCP connect/full open scan
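The scan cards above (-sS, -sT, -sA, -sM, -sX, and the RFC 793 card) all reduce to one question: what does the target send back to a given probe, and how does Nmap read it. The script below is an added example, not from the flashcards or from Nmap: it models three simplified target stacks (strict RFC 793, BSD-style, Windows-style), two filters in front of them, and Nmap's decision rules, then reports the port state each scan would show for an open and a closed port. The stack models are deliberately simplified and are assumptions, not a description of any real implementation's full behaviour.

```python
# Added example: simulate target replies to each probe type and Nmap's reading of them.
# Flags each scan type sets in its probe (Nmap option -> flag tuple).
SCAN_PROBES = {
    "-sS": ("SYN",),               # SYN / half-open scan
    "-sT": ("SYN",),               # connect scan (same first packet)
    "-sA": ("ACK",),               # ACK scan: maps firewall rules, not open ports
    "-sF": ("FIN",),               # FIN scan
    "-sN": (),                     # NULL scan: no flags at all
    "-sX": ("FIN", "PSH", "URG"),  # Xmas scan
    "-sM": ("FIN", "ACK"),         # Maimon scan
}

def rfc793_stack(port_open, probe):
    """Reply of a stack that follows RFC 793 to the letter (None = silence)."""
    flags = set(probe)
    if "RST" in flags:
        return None                       # RSTs are never answered
    if not port_open:
        return "RST"                      # CLOSED: every other segment gets an RST
    if "ACK" in flags:
        return "RST"                      # LISTEN: a stray ACK gets an RST
    if "SYN" in flags:
        return "SYN/ACK"                  # LISTEN: SYN is answered, handshake starts
    return None                           # LISTEN: FIN/NULL/Xmas are silently dropped

def bsd_stack(port_open, probe):
    """Like RFC 793, except an open port drops FIN/ACK (Maimon's observation)."""
    if port_open and set(probe) == {"FIN", "ACK"}:
        return None
    return rfc793_stack(port_open, probe)

def windows_stack(port_open, probe):
    """Windows-style: SYN/ACK for a SYN to an open port, RST for everything else."""
    flags = set(probe)
    if "RST" in flags:
        return None
    if port_open and "SYN" in flags and "ACK" not in flags:
        return "SYN/ACK"
    return "RST"

def stateful_firewall(port_open, probe):
    """Stateful filter: unsolicited probes of every kind are dropped."""
    return None

def syn_filtered(stack):
    """Stateless filter that blocks inbound SYNs but passes other segments to the host."""
    def target(port_open, probe):
        if "SYN" in probe and "ACK" not in probe:
            return None
        return stack(port_open, probe)
    return target

def nmap_state(scan, reply):
    """Nmap's interpretation of the reply for the given scan type."""
    if scan in ("-sS", "-sT"):
        return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]
    if scan == "-sA":
        return "unfiltered" if reply == "RST" else "filtered"
    # FIN, NULL, Xmas and Maimon: an RST proves closed, silence is ambiguous
    return "closed" if reply == "RST" else "open|filtered"

def scan_port(scan, target, port_open):
    return nmap_state(scan, target(port_open, SCAN_PROBES[scan]))

def scan_matrix(scan):
    """State reported for (open port, closed port) on each modelled target."""
    targets = {
        "rfc793": rfc793_stack,
        "bsd": bsd_stack,
        "windows": windows_stack,
        "stateful_fw": stateful_firewall,
        "syn_filtered_rfc793": syn_filtered(rfc793_stack),
    }
    return {name: (scan_port(scan, t, True), scan_port(scan, t, False))
            for name, t in targets.items()}

if __name__ == "__main__":
    for scan in SCAN_PROBES:
        print(scan, scan_matrix(scan))
```

Three rows of the output are the ones worth remembering: -sX against the Windows model gives "closed" for both the open and the closed port, which is why Xmas scans are useless there; -sM against the strict RFC 793 model also gives "closed" for an open port, which is why the Maimon scan only works on BSD-derived stacks; and -sA against the SYN-filtering stateless firewall reports "unfiltered" where -sS reports "filtered", which is exactly the firewall-mapping use of the ACK scan.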

46
Q

In NMAP, what does -v perform?

A

-v: increases verbosity. Nmap reports more about the scan as it runs, such as open ports as they are found and timing estimates; it does not change which hosts or ports are scanned. Use -vv for even more detail.