Scanning and Enumeration Flashcards
Port Scanning
Determines open ports and services
Network Scanning
Determines IP addresses
Vulnerability Scanning
Determines Presence of known weaknesses
CEH Scanning Methodology
Check for Live Systems
Check for Open Ports
Service Identification
Banner Grabbing / OS Fingerprinting
Vulnerability Scanning
Draw Network Diagrams of Vulnerable Hosts
Prepare Proxies
Attack

Ping Sweep Techniques
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers). Whereas a single ping will tell you whether one specified host computer exists on the network, a ping sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts.
Nmap Command Switches
Nmap Command - Scan Performed
-sT TCP connect scan
-sS SYN scan
-sF FIN scan
-sX XMAS tree scan
-sN Null scan
-sP Ping scan
-sU UDP scan
-sO Protocol scan
-sA ACK scan
-sW Windows scan
-sR RPC scan
-sL List / DNS scan
-sI Idle scan
-Po Don't ping
-PT TCP ping
-PS SYN ping
-PI ICMP ping
-PB TCP and ICMP ping
-PB ICMP timestamp
-PM ICMP netmask
SYN Scan
A SYN or stealth scan is also called a half-open scan because it doesn't complete the TCP three-way handshake.
Stealth Scan
SYN stealth scan: This is also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It's stealthy because a full TCP connection isn't opened.
XMAS Scan
XMAS tree scan: The attacker checks for TCP services by sending XMAS-tree packets, which are named as such because all the "lights" are on, meaning the FIN, URG and PSH flags are set.
Doesn’t work against any version of Windows.
NULL Scan
Null scan: This is an advanced scan that may be able to pass through firewalls undetected or modified. A Null scan has all flags off (not set). It only works on UNIX systems.
Sends a packet with no flags set
IDLE Scan
A TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer called a "zombie" (that is not transmitting or receiving information) and observing the behavior of the "zombie" system.
FIN Scan
Scanning in which a TCP FIN packet (normally used to terminate a connection) is used as a more stealthy method to look for open ports. Receiving a FIN scan doesn't mean your system is compromised; it only means someone (hacker?) or something (virus?) is trying to peek around your computer without being noticed.
TCP Communication Flag Types
TCP contains ACK, RST, SYN, URG, PSH, and FIN flags. The following list identifies the function of the TCP flags:
SYN—Synchronize. Initiates a connection between hosts.
ACK—Acknowledge. Acknowledges an established connection between hosts.
PSH—Push. System is forwarding buffered data.
URG—Urgent. Data in packets must be processed quickly.
FIN—Finish. No more transmissions.
RST—Reset. Resets the connection.
War Dialing Hacking Tools
THC-Scan
Phonesweep
War dialer
Telesweep
Tools used for Banner Grabbing
Telnet
Netcat
Nmap
ID Serve
Get Requests
NetCraft
OS Fingerprinting Techniques
IP TTL values;
IP ID values;
TCP Window size;
TCP Options (generally, in TCP SYN and SYN+ACK packets);
DHCP requests;
ICMP requests;
HTTP packets (generally, User-Agent field).
How do Anonymizers Work
Anonymizers are services that attempt to make web surfing anonymous by utilizing a website that acts as a proxy server for the web client.
HTTP Tunneling Techniques
Tunneling a blocked protocol (such as SMTP) through an allowed protocol (such as HTTP). Almost all IDS and firewalls act as a proxy between a client's PC and the Internet and pass only the traffic defined as being allowed.
HTTPort, Tunneld, and BackStealth are all tools to tunnel traffic through HTTP. They allow the bypassing of an HTTP proxy that blocks certain protocols' access to the Internet. These tools allow the following potentially dangerous software protocols to be used from behind an HTTP proxy:
E-mail, IRC, ICQ, News, AIM, FTP
IP Spoofing Techniques
A hacker can spoof an IP address when scanning target systems to minimize the chance of detection.
What Is Enumeration?
The objective of enumeration is to identify a user account or system account for potential use in hacking the target system.
Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services. It also refers to actively querying or connecting to a target system to acquire this information.
Tools: DumpSec
The SMB Auditing Tool is a password-auditing tool for the Windows and Server Message Block (SMB) platforms.
What Is Meant by Null Sessions?
A null session occurs when you log in to a system with no username or password.
What Is SNMP Enumeration?
The process of using SNMP to enumerate user accounts on a target system.
Steps Involved in Performing Enumeration?
- Extract usernames using enumeration.
- Gather information about the host using null sessions.
- Perform Windows enumeration using the Superscan tool.
- Acquire the user accounts using the tool GetAcct.
- Perform SNMP port scanning.
Types of scanning
Scanning Type - Purpose
Port scanning - Determines open ports and services
Network scanning - IP addresses
Vulnerability scanning - Presence of known weaknesses
Well known Ports
FTP (21), Telnet (23), HTTP (80), SMTP (25), POP3 (110), and HTTPS (443)
Hacker tools for Ping Sweeping
Pinger, Friendly Pinger, and WS_Ping_Pro are all tools that perform ICMP queries.
Type of scan that only works on UNIX
ACK scan
Common Nmap Commands (OutPuts)
-oN Normal output
-oX XML output
-oG Greppable output
-oA All output
Common Nmap Commands (Timing)
-T Paranoid: Serial scan; 300 sec between scans
-T Sneaky: Serial scan; 15 sec between scans
-T Polite: Serial scan; 0.4 sec between scans
-T Normal: Parallel scan
-T Aggressive: Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane: Parallel scan, 75 sec timeout, and 0.3 sec/probe
TCP Scan Types
Scan - Flags sent by hacker
XMAS scan - All flags set (ACK, RST, SYN, URG, PSH, FIN)
FIN scan - FIN
NULL scan - No flags set
TCP connect / full-open scan - SYN, then ACK
SYN scan / half-open scan - SYN, then RST
Inter Process Communication share (IPC$).
This hidden share is accessible using the net use command.
SNMP Enumeration Countermeasures
Turn off the SNMP service
Change the default read and read/write community names
Make a NetBIOS null session
To make a NetBIOS null session to a system with the IP address 192.21.7.1 with the built-in anonymous user account and a null password using the net use command, the syntax is as follows:
C:\> net use \\192.21.7.1\IPC$ "" /u:""
SNMP passwords
read community string
read/write community string
Hacking Tools
SNMPUtil and IP Network Browser are SNMP enumeration tools.
How Many TCP Flags are there?
EIGHT TCP FLAGS
FIN = 1
SYN = 2
RST = 4
PSH = 8
ACK = 16
URG = 32
ECE = 64
CWR = 128
How do you defend against ARP Spoofing?
Use ARPWALL and block ARP spoofing attacks
Use private VLANS
Place static ARP entries on servers
How do you defend against Privilege Escalation?
Use Encryption to protect sensitive data
Restrict the interactive logon privileges
Run services as unprivileged accounts
Run users and applications with the least privileges
ICMP reply Code 3/Type 13
Router is blocking ICMP
What port number is used by Kerberos protocol
Port 88
What is the most accurate scanning method?
A TCP Connect scan is the most accurate scanning method
A Xmas port scan has multiple flags set to 1, what flags are set?
FIN
URG
PSH
You need to discover as many different protocols as possible; which kind of scan would you use?
Nmap with the -sO (Raw IP packets) switch.
ICMP (Code 13) normally indicates?
The packet has been administratively dropped in transit.
ICMP message types
Type 3 messages
Type 0 is Echo Reply
Type 8 is Echo Request
Type 11 is Time Exceeded
Type 13 is Timestamp
Type 17 is Subnet Mask Request
The proper response for a FIN scan or X-MAS scan if the port is closed?
Closed ports respond to a FIN scan with a RST
The proper response for a FIN scan or Xmas scan, if the port is open?
Packet ignored; no response.
What flags are set in a X-MAS scan?
PSH
URG
FIN
3 most popular tools
Nessus - vulnerability scanner
Nmap - scanning
Hping - packet generator and analyzer
Which organization coordinates computer crime investigations throughout the United States?
NPC
Tools that can be used for zone transfer?
NSLookup
Dig
Sam Spade
Host
NetBIOS ports
135, 139, 445
Zone file record information
SOA - Start of Authority
NS - Name Server record
MX - Mail eXchange record
A - Address record