Scanning Flashcards

Q

What is the TCP handshake?

A
  1. SYN
  2. SYN/ACK
  3. RST
Q

What are the TCP header flags?

A

SYN (Synchronize) - used to negotiate parameters and sequence numbers to establish communication.

ACK (Acknowledgement) - set on all segments after the initial SYN flag.

RST - forces a termination of communication in both directions.

FIN - this flag signifies an ordered close to communications.

PSH (Push) - this flag forces the delivery of data without concern for any buffering.

URG (Urgent) - when this flag is set, it indicates the data inside is being sent out of band.

Q

What is EC-Council's scanning methodology?

A
  1. Check for live systems.
    - e.g. something as simple as a ping.
  2. Check for open ports.
  3. Scan beyond IDS.
    - scanning in a way that avoids intrusion detection systems.
  4. Perform banner grabbing.
    - banner grabbing and OS fingerprinting indicate the OS on the machine.
  5. Scan for vulnerabilities.
  6. Draw network diagrams.
    - a network diagram displays all the logical and physical pathways to the targets of interest.
  7. Prepare proxies.
    - e.g. proxies obscure your efforts and help you stay hidden.

Q

What are the TCP port number ranges?

A

The number ranges are:
Well-known: 0 - 1023
Registered: 1024 - 49151
Dynamic: 49152 - 65535

Q

What are the well-known port numbers?

  1. FTP
  2. SSH
  3. Telnet
  4. SMTP
  5. DNS
  6. TFTP
  7. HTTP
  8. POP3
  9. RPC
  10. NetBIOS
  11. IMAP
  12. SNMP
  13. HTTPS
  14. SMB
  15. DHCP
  16. LDAP
A
  1. FTP - 20/21 - TCP
  2. SSH - 22 - TCP
  3. Telnet - 23 - TCP
  4. SMTP - 25 - TCP
  5. DNS - 53 - TCP and UDP
  6. TFTP - 69 - UDP
  7. HTTP - 80 - TCP
  8. POP3 - 110 - TCP
  9. RPC - 135 - TCP
  10. NetBIOS - 137-139 - TCP and UDP
  11. IMAP - 143 - TCP
  12. SNMP - 161/162 - UDP
  13. HTTPS - 443 - TCP
  14. SMB - 445 - TCP
  15. DHCP - 67 - UDP
  16. LDAP - 389 - TCP and UDP
Q

What are the common Nmap command options?

A
  • -sA (ACK scan)
  • -sF (FIN scan)
  • -sI (idle scan)
  • -sL (DNS scan, a.k.a. list scan)
  • -sN (NULL scan)
  • -sO (protocol scan)
  • -sP (ping scan)
  • -sR (RPC scan)
  • -sS (SYN scan)
  • -sT (TCP connect scan)
  • -sW (Window scan)
  • -PI (ICMP ping)
  • -P0 (no ping)
  • -PS (SYN ping)
  • -PT (TCP ping)
  • -oN (normal output)
  • -oX (XML output)
  • -T0 (serial, slowest scan)
  • -T1 (serial, slowest scan)
  • -T2 (serial, normal speed scan)
  • -T3 (parallel, normal speed scan)
  • -T4 (parallel, fast scan)
Q

What are the scan types and the associated responses?

A
1. Scan type: Full (TCP connect)
   Initial flags set: SYN
   Open port response: SYN/ACK
   Closed port response: RST
   Notes: Noisiest but most reliable.
2. Scan type: Half-open (stealth or SYN scan)
   Initial flags set: SYN
   Open port response: SYN/ACK
   Closed port response: RST
   Notes: No completion of the three-way handshake; designed for stealth but may be picked up by IDS sensors.
3. Scan type: XMAS
   Initial flags set: FIN/URG/PSH
   Open port response: No response
   Closed port response: RST/ACK
   Notes: Doesn't work on Windows machines.
4. Scan type: FIN
   Initial flags set: FIN
   Open port response: No response
   Closed port response: RST/ACK
   Notes: Doesn't work on Windows machines.
5. Scan type: NULL
   Initial flags set: No flags set
   Open port response: No response
   Closed port response: RST/ACK
   Notes: Doesn't work on Windows machines.
6. Scan type: ACK
   Initial flags set: ACK
   Open port response: RST
   Closed port response: No response
   Notes: Used in firewall filter tests.