Module 03: Scanning Networks Flashcards
What are the fundamental goals and activities of scanning networks?
The fundamental activities of scanning networks are host discovery, port discovery, service identification, OS detection, vulnerability identification, and more.
What are the two types of scanning?
Active: involves actively engaging targets, sending specifically crafted probes to the target to elicit a specific response. This is part of our pre-attack mapping and creation of a profile of the target.
Passive: does not actively probe. Passive scanning uses public sources and existing network traffic rather than direct probes.
List the various TCP communication flags and their meanings
- URG (Urgent): data contained in the packet should be processed immediately
- FIN (Finish): there will be no further transmissions
- RST (Reset): resets a connection
- PSH (Push): sends all buffered data immediately
- ACK (Acknowledgement): acknowledges the receipt of a packet
- SYN (Synchronize): initiates a connection between hosts
What are all the components of a TCP segment?
- Source port
- Destination port
- Sequence number: uniquely sequences each byte transmitted. We have a unique sequence number for every byte (8 bits) we send.
- Acknowledgement number: maps to the sequence numbers sent by the receiving system, letting us know that it did in fact receive those sequences and which sequence number it is ready for next. This is what makes TCP reliable.
- DO (Data Offset): Specifies where the data begins within the segment by indicating the size of the TCP header.
- RSV (Reserved): Three bits set aside for future use, usually set to zero, to maintain compatibility in the TCP header structure.
- Flags
- Window
- Checksum
- URG pointer
- Options
What is nmap?
nmap is a network scanning tool, one of the most versatile tools in hacking, and can be used to find:
- live hosts
- open ports
- services (application name and version)
- types of packet filters/firewalls
- OSes and versions used
What are some unique characteristics that are analyzed for OS discovery?
TTL and TCP window size, or simple banner grabbing.
How do you evade IDS or firewalls and what are some strategies to do so?
The main goal of evasion is to avoid matching an intrusion signature, and tiptoeing takes time.
Attackers can get their intended packets through by evading IDS/firewalls using:
- Packet Fragmentation: Splits malicious payloads into smaller fragments to bypass detection rules that scan entire packets.
- Source Routing: Specifies a custom path for packets, potentially avoiding monitoring systems on default routes.
- Source Port Manipulation: Changes the source port number to mimic trusted traffic, reducing suspicion by IDS/firewalls.
- IP Address Decoy: Sends packets from multiple IP addresses to mask the true source and overwhelm detection systems.
- IP Address Spoofing: Fakes the packet’s source IP address to hide the attacker’s identity and bypass IP-based filters.
- MAC Address Spoofing: Alters the MAC address to evade systems filtering by known devices or address lists.
- Create Custom Packets: Uses non-standard packets to confuse signature-based IDS that rely on typical patterns.
- Randomizing Host Order and Sending Bad Checksums: Disrupts IDS analysis by mixing target orders or sending corrupted packets that bypass checks but are reassembled by the attacker’s system.
- Proxy Servers: Routes traffic through intermediate servers to mask the attacker’s IP and avoid direct detection.
- Anonymizers: Hides the attacker’s identity by routing traffic through anonymizing networks, such as Tor, making tracing more difficult.
What are some IP spoofing detection techniques?
- TTL values: the spoofer’s TTLs will differ from the victim’s, so there is a big difference in hop count.
- IPID values: a huge difference in IPID ranges.
- TCP flow control method: if a spoofed IP continues to send packets after exhausting the window size, it indicates that it is not receiving the window-size negotiations (the advertised window) from the target.
Summary of nmap options:
- -sS (scan type)
- -PI (discovery type)
- -T4 (timing options)
- -O (OS fingerprinting)
- -sV (service version)
- -f (fragmentation)
List tools to perform host discovery
- nmap
- Angry IP Scanner
List tools to perform port and service discovery
- MegaPing
- NetScanTools Pro
- sx tool
- nmap
- hping3
List tools to perform OS discovery
- Identify the target system’s OS from its Time-to-Live (TTL) and TCP window size using Wireshark
- Perform OS discovery using Nmap Script Engine (NSE)
- Perform OS discovery using Unicornscan
- Scan beyond IDS and Firewall
What is scanning beyond IDS/Firewall, how is it accomplished, and what tools can be used?
Scanning beyond IDS and firewall refers to techniques attackers use to bypass intrusion detection systems (IDS) and firewalls to probe deeper into a network without being detected. This often involves:
- Using stealthy or fragmented scans (e.g., packet fragmentation, slow scans) to avoid triggering IDS rules.
- Employing non-standard ports or spoofed IP addresses to get past firewall filters.
- Applying advanced scanning techniques, like the Idle scan or IP address decoy, to gather network information while remaining under the radar.
These methods help attackers map a network or identify vulnerabilities beyond the initial perimeter defenses.
TOOLS:
Create custom packets using Colasoft Packet Builder or Hping3 to scan beyond the IDS/firewall
How can you scan a target network using Metasploit?
You can scan a target network in Metasploit by using auxiliary modules like scanner/portscan/tcp to detect open ports and services, enabling you to gather information for potential exploits.