Scanning and Enumeration Flashcards
Port Scanning
Determines open ports and services
Network Scanning
Determines IP addresses
Vulnerability Scanning
Determines Presence of known weaknesses
CEH Scanning Methodology
Check for Live Systems
Check for Open Ports
Service Identification
Banner Grabbing / OS Fingerprinting
Vulnerability Scanning
Draw Network Diagrams of Vulnerable Hosts
Prepare Proxies
Attack
Ping Sweep Techniques
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers). Whereas a single ping tells you whether one specified host exists on the network, a ping sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts.
Nmap Command Switches
Nmap command and the scan it performs:
-sT TCP connect scan
-sS SYN scan
-sF FIN scan
-sX XMAS tree scan
-sN Null scan
-sP Ping scan
-sU UDP scan
-sO Protocol scan
-sA ACK scan
-sW Windows scan
-sR RPC scan
-sL List / DNS scan
-sI Idle scan
-P0 Don't ping
-PT TCP ping
-PS SYN ping
-PI ICMP ping
-PB TCP and ICMP ping
-PP ICMP timestamp
-PM ICMP netmask
SYN Scan
A SYN or stealth scan is also called a half-open scan because it doesn't complete the TCP three-way handshake.
Stealth Scan
SYN stealth scan: also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It's stealthy because a full TCP connection is never opened.
XMAS Scan
XMAS tree scan: the attacker checks for TCP services by sending XMAS-tree packets, named as such because all the "lights" are on, meaning the FIN, URG and PSH flags are set.
Doesn’t work against any version of Windows.
NULL Scan
Null scan: an advanced scan that may be able to pass through firewalls undetected or unmodified. A Null scan packet has all flags off (not set). It only works on UNIX systems.
Sends a packet with no flags set.
IDLE Scan
A TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer called a "zombie" (one that is not transmitting or receiving information) and observing the behavior of the "zombie" system.
FIN Scan
Scanning in which a TCP FIN packet, normally used to terminate a connection, is sent as a stealthier method of looking for open ports. Receiving a FIN scan doesn't mean your system is compromised; it only means someone (a hacker?) or something (a virus?) is trying to peek around your computer without being noticed.
TCP Communication Flag Types
TCP contains ACK, RST, SYN, URG, PSH, and FIN flags. The following list identifies the function of the TCP flags:
SYN—Synchronize. Initiates a connection between hosts.
ACK—Acknowledge. Acknowledges receipt of data on an established connection between hosts.
PSH—Push. System is forwarding buffered data.
URG—Urgent. Data in packets must be processed quickly.
FIN—Finish. No more transmissions.
RST—Reset. Resets the connection.
War Dialing Hacking Tools
THC-Scan
Phonesweep
War dialer
Telesweep
Tools used for Banner Grabbing
Telnet
Netcat
Nmap
ID Serve
HTTP GET requests
NetCraft
OS Fingerprinting Techniques
IP TTL values;
IP ID values;
TCP Window size;
TCP Options (generally, in TCP SYN and SYN+ACK packets);
DHCP requests;
ICMP requests;
HTTP packets (generally, User-Agent field).
How do Anonymizers Work
Anonymizers are services that attempt to make web surfing anonymous by utilizing a website that acts as a proxy server for the web client.
HTTP Tunneling Techniques
Tunneling a blocked protocol (such as SMTP) through an allowed protocol (such as HTTP). Almost all IDS and firewalls act as a proxy between a client's PC and the Internet and pass only the traffic defined as being allowed.
HTTPort, Tunneld, and BackStealth are all tools to tunnel traffic through HTTP. They allow the bypassing of an HTTP proxy that blocks certain protocols' access to the Internet. These tools allow the following potentially dangerous software protocols to be used from behind an HTTP proxy:
E-mail, IRC, ICQ, News, AIM, FTP
IP Spoofing Techniques
A hacker can spoof an IP address when scanning target systems to minimize the chance of detection.
What Is Enumeration?
The objective of enumeration is to identify a user account or system account for potential use in hacking the target system.
Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services. It also refers to actively querying or connecting to a target system to acquire this information.
Tools: DumpSec
SMB Auditing Tool: a password-auditing tool for the Windows and Server Message Block (SMB) platforms.
What Is Meant by Null Sessions?
A null session occurs when you log in to a system with no username or password.