Scanning and Enumeration Flashcards
Scanning
Process of discovering systems on the network and examining which ports are open and which applications may be running on them.
Transport Layer functions
At Layer 4 of the OSI model: end-to-end delivery, segment ordering, reliability and flow control, TCP flags and port numbering.
Connectionless Communication
The sender doesn't check whether the recipient has the bandwidth to accept the message, or whether the recipient receives it at all. Fire-and-forget method. Faster way of sending datagrams. Accomplished with UDP, a low-overhead, simple and fast transport protocol. Normally used to move small amounts of data.
Protocols that use UDP
TFTP, DNS lookups, and DHCP
Connection-Oriented Communication
Uses TCP. Requires more overhead than UDP and is slower than connectionless communication. Provides orderly data exchange and handles larger data transfers. Senders reach out to recipients to confirm their availability and keep communicating to manage the flow of data. If overwhelmed or data is lost, the recipient can request a slowdown or a retransmission. Uses a three-way handshake of SYN, SYN-ACK, ACK packets.
UDP datagram structure
Four 16-bit header fields (Source Port, Destination Port, Length, Checksum), followed by Data.
TCP header flags - SYN flag
Synchronize - negotiation of parameters and sequence numbers
TCP header flags - ACK flag
Acknowledgment - set as an acknowledgment to a SYN flag. Set on all segments after the initial SYN flag.
TCP header flags - RST flag
Reset - Forces a termination of communications in both directions.
TCP header flags - FIN flag
Finish - Signifies an ordered close to communication.
TCP header flags - PSH flag
Push - Forces the delivery of data without concern for buffering. The sender does not wait to fill up the buffer to send and the receiving device does not wait for the buffer to fill up before processing the data.
TCP header flags - URG flag
Urgent - Indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.
Sequence Numbering
A sends to B:
- A sends SYN - my sequence # A
- B sends SYN/ACK - A's sequence # + 1 AND my sequence # B
- A sends ACK - B's sequence # + 1 AND A's sequence #
Packet Crafting Tools
Netscan, Ostinato, WAN Killer, PackETH, LANforge FIRE, Colasoft Packet Builder. Can also be used to create fragmented packets to bypass an IDS.
Colasoft Packet Builder Views
Packet List, Decode Editor (edit decoded packet fields), and Hex Editor (edit raw hex).
Well Known Ports
0 - 1023
Registered Ports
1024 - 49,151
Dynamic Ports
49,152 - 65,535 AKA ephemeral ports
FTP Ports
20, 21 TCP
SSH Port
22 TCP
Telnet Port
23 TCP
SMTP Port
25 TCP
DNS Port
53 TCP and UDP
DHCP Port
67 UDP for server and 68 UDP for client
TFTP Port
69 UDP
HTTP Port
80 TCP
POP3 Port
110 TCP
RPC Port
135 TCP
NetBIOS Ports
UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)
IMAP Port
143 TCP
SNMP Ports
161 UDP, 162 UDP (SNMP trap)
LDAP Port
389 TCP and UDP
HTTPS Port
443 TCP
SMB Port
445 TCP
Internet Printing Protocol (IPP) Port
631
BGP Port
179
Syslog Port
514
Listening State
Waiting for a connection.
Established State
Connected to a remote computer.
CurrPorts Tool
Displays all currently open TCP and UDP ports.
CLOSE_WAIT State
The remote side has closed the connection.
TIME_WAIT State
Your side has closed the connection.
NETSTAT -an
Displays all connections and listening ports
NETSTAT -b
Can see the executable associated with a port
All bits in the host field of an IP address are binary 1s
Broadcast address
All bits in the host field of an IP address are binary 0s
Network address
Any other combination of host bits not all 1s or 0s
Usable IP address
IP address ANDed with the subnet mask equals
The network address
Limited broadcast address
255.255.255.255 or MAC: FF:FF:FF:FF:FF:FF - routers drop these
Subnet broadcast address
Routers may or may not process them
Routed protocol
IPv4 and IPv6
Routing protocols
BGP, OSPF, RIP
Scanning Steps
- Check for live systems
- Check for open ports
- Scan beyond IDS
- Perform banner grabbing and OS fingerprinting
- Scan for vulnerabilities
- Draw network diagrams
- Prepare proxies
Check for live systems
Normally done using ICMP
ICMP Message Type 0
Echo Reply - answer to a Type 8 Echo Request