PenTest+ Study Notes 6 Flashcards
??? is a technique used during reconnaissance to gather information about network hosts and the services running on open ports. The process involves attempting to open a session with a service and getting the service to identify itself. You can use Wget, Netcat, and other tools to grab banners from services and protocols such as FTP, SSH, HTTP, SMTP, POP3, DNS, Telnet, Microsoft netbios-ssn, and more. Acquiring these banners can help you focus your attacks on specific services.
Banner Grabbing
??? can be used to grab a banner using the following syntax: ??? -S. When using this command, -S will print the HTTP headers that are sent by the server.
Another option is netcat (nc), a popular tool for Unix and Linux. The following command sends an HTTP GET request to elicit the web server type and version: echo -en "GET / HTTP/1.0\n\n\n" | nc www.comptia.org 80 | grep Server
You can also grab a banner by using curl, an open-source command-line tool for transferring data. For example, curl -I example.com retrieves the HTTP response headers, which include the server banner.
Wget
??? is an essential first step in the active reconnaissance phase of the PenTest. This process uses active probing to gather essential information related to the network. Information includes: (1) MAC and IP addresses, ports, services, and operating systems. (2) Device types, virtual machines, and host names. (3) Protocols running on the network. (4) Subnets and how the devices are interconnected. Popular network mappers include SolarWinds, Intermapper, WhatsUp Gold, PRTG, Spiceworks, Nmap, and Zenmap.
Network mapping
A WAF (web application firewall) is specifically designed to monitor web applications and guard against common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) attacks.
??? is a technique that uses a combination of traceroute and port scanning to discover the details of the internal network. The Firewalk tool, which is available on Kali Linux, creates specially crafted packets to see what traffic can pass through a device.
In addition to ???, the team can attempt to access a blocked port by using applications such as Datapipe to redirect the traffic to another port. Besides custom nmap scripts, there are several automated tools for WAF detection available on GitHub, such as Wafw00f and WAFNinja.
Firewalking
When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer, similar to Shodan, to identify exposed systems. Once you have run the scan, you can select different elements to examine more details, such as services running, ports in use, along with any software vendors that were recognized. In addition, the team can run a scan using the Open Vulnerability Assessment Scanner. When run, OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested. Below the summary, you will see details that include the Common Vulnerability Scoring System (CVSS) value and the Common Vulnerabilities and Exposures (CVE) number.
info
For example, the Christmas (XMAS) scan turns on the FIN, URG, and PSH flags all in the same TCP segment. This scan will be able to bypass firewalls that follow a strict interpretation of RFC 793, the original TCP specification. While this has been updated in most implementations, this vulnerability still exists in the wild.
info
In addition to scanning for general weaknesses related to an organization's website, the team may also be tasked to check for SQL-specific vulnerabilities. To achieve this goal, the team has several specialized scanners and testers at their disposal. One tool that the team can use is SQLmap, which is an open-source database scanner that searches for and exploits SQL injection flaws. SQLmap is included with Kali Linux and is easy to use.
info
??? can weaken the encryption complexity. ??? attacks the RSA-export keys and can allow a malicious actor to decrypt the communication stream. ??? alters the way SSL 3.0 handles block cipher mode padding to be able to select content within the SSL session.
Logjam vulnerability / Freak vulnerability / Poodle vulnerability
A discovery scan is used during reconnaissance to find hosts on a network to reveal potential targets. Commonly called a ping sweep, this scan will use Nmap (or a comparable program), which sends out a series of probes on the LAN to see if any hosts are up and responding.
Full scans produce the most results but are also the “noisiest” and the most likely to be detected. Common ways to evade detection include randomizing the IP addresses and ports and slowing the scan down, so as not to appear too obvious.
info
???: (1) TCP SYN (or half-open) scan is the original stealth scan. The scan sends a packet to the target with the SYN flag set. This is called a "half-open" scan because the attacker does not complete the TCP three-way handshake. (2) FIN scan sends a packet to the target with only the FIN flag set. (3) NULL scan is a packet sent without any flags set. (4) XMAS Tree scan sends a packet with the FIN, URG, and PSH flags set and appears to be "lit up like a Christmas Tree."
A ??? uses credentials, such as usernames and passwords, to take a deeper dive during the vulnerability scan, which produces more information while auditing the network.
A ??? runs with fewer permissions and often can only find missing patches or updates.
Stealth Scans / credentialed scan / non-credentialed scan