Scanning and Enumeration Flashcards
Scanning
Process of discovering systems on the network and taking a look at what open ports and applications may be running.
Transport Layer functions
At Layer 4 of the OSI model: end-to-end delivery, segment ordering, reliability and flow control, TCP flags and port numbering.
Connectionless Communication
The sender doesn’t care whether the recipient has the bandwidth to accept the message and doesn’t care if the recipient gets the message. Fire and forget method. Faster way of sending datagrams. Accomplished with UDP. Low overhead, simple and fast transport protocol. Normally small amounts of data are moved.
Protocols that use UDP
TFTP, DNS lookups, and DHCP
Connection-Oriented Communication
Uses TCP. Requires more overhead than UDP. Slower than connectionless. Orderly data exchange and deals with larger data transfer. Senders reach out to recipients to ensure their availability and will continue to communicate to manage the flow of data. If overwhelmed or data gets lost, the recipient can request slow down or retransmission. Uses a three way handshake of SYN, SYN-ACK, ACK packets.
UDP datagram structure
Each header field is 16 bits: Source Port, Destination Port, Length, Checksum; followed by the Data.
TCP header flags - SYN flag
Synchronize - negotiation of parameters and sequence numbers
TCP header flags - ACK flag
Acknowledgment - set as an acknowledgment to a SYN flag. Set on all segments after the initial SYN flag.
TCP header flags - RST flag
Reset - Forces a termination of communications in both directions.
TCP header flags - FIN flag
Finish - Signifies an ordered close to communication.
TCP header flags - PSH flag
Push - Forces the delivery of data without concern for buffering. The sender does not wait to fill up the buffer to send and the receiving device does not wait for the buffer to fill up before processing the data.
TCP header flags - URG flag
Urgent - Indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.
Sequence Numbering
A sends to B
A-SYN - My Sequence # A
B-SYN/ACK - A Sequence # + 1 AND My Sequence # B
A-ACK - B Sequence # + 1 AND A Sequence #
Packet Crafting Tools
Netscan, Ostinato, WAN Killer, Packeth, LAN Forge Fire, Colasoft. Can also be used to create fragmented packets to bypass an IDS
Colasoft Packet Builder Views
Packet List,
Decode Editor to edit packets,
and Hex Editor for hex editing
Well Known Ports
0 - 1023
Registered Ports
1024 - 49,151
Dynamic Ports
49,152 - 65,535 AKA ephemeral ports
FTP Ports
20, 21 TCP
SSH Port
22 TCP
Telnet Port
23 TCP
SMTP Port
25 TCP
DNS Port
53 TCP and UDP
DHCP Port
67 UDP for server and 68 UDP for client
TFTP Port
69 UDP
HTTP Port
80 TCP
POP3 Port
110 TCP
RPC Port
135 TCP
NETBIOS Ports
UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)
IMAP Port
143 TCP
SNMP Ports
161 UDP, 162 UDP (SNMP trap)
LDAP Port
389 TCP and UDP
HTTPS Port
443 TCP
SMB Port
445 TCP
Internet Printing Protocol (IPP) Port
631
BGP Port
179
Syslog Port
514
Listening State
Waiting for a connection.
Established State
Connected to a remote computer.
CurrPorts Tool
Displays all currently opened TCP and UDP ports
CLOSE_WAIT State
The remote side has closed the connection.
TIME_WAIT State
Your side has closed the connection.
NETSTAT -an
Displays all connections and listening ports
NETSTAT -b
Can see the executable associated with a port
All bits in the host field of an IP address are binary 1s
Broadcast address
All bits in the host field of an IP address are binary 0s
Network address
Any other combination of host bits not all 1s or 0s
Usable IP address
IP address AND with SUBNET Mask equals
The network address
Limited broadcast address
255.255.255.255 or MAC: FF:FF:FF:FF:FF:FF - routers drop these
Subnet broadcast address
Routers may or may not process them
Routed protocol
IPv4 and IPv6
Routing protocols
BGP, OSPF, RIP
Scanning Steps
- Check for live systems
- Check for open ports
- Scan beyond IDS
- Perform banner grabbing and OS fingerprinting
- Scan for vulnerabilities
- Draw network diagrams
- Prepare proxies
Check for live systems
Normally done using ICMP
ICMP Message Type 0
0: Echo Reply - Answer to a Type 8 Echo Request
ICMP Message Type 3
3: Destination Unreachable. Error codes:
0 - Destination Network Unreachable
1 - Destination Host Unreachable
6 - Network Unknown
7 - Host Unknown
9 - Network Administratively Prohibited
10 - Host Administratively Prohibited
13 - Communication Administratively Prohibited (typically from a poorly configured firewall)
ICMP Message Type 4
4: Source Quench - A congestion control message
ICMP Message Type 5
5: Redirect - Sent when there are two or more gateways available for the sender to use and the best route available to the destination is not the configured default gateway. Codes:
0 - Redirect datagram for the network
1 - Redirect datagram for the host
ICMP Message Type 8
8: Echo Request - A ping message requesting an echo reply
ICMP Message Type 11
11: Time Exceeded - The packet took too long to be routed to the destination (code 0 is TTL expired)
Ping Sweep
Pinging every address in a given network range. Easiest method to detect hosts on a network.
ICMP echo scanning
Pinging of the network ID instead of a host
Ping Sweep Tools
NMAP, Angry IP Scanner, Solarwinds Engineer Toolset, Network Ping, OpUtils, Superscan, Advanced IP Scanner, Pinkie
Full Connect Port Scan
Also known as a TCP connect or full open scan - uses a full TCP three-way handshake and sends a RST at the end. Easiest to detect but also the most reliable. Open ports respond with a SYN/ACK and closed ports with a RST/ACK. NMAP -sT target
Stealth Port Scan
Also known as a half-open scan (and also as a SYN scan). Only SYN packets are sent to ports but the three way handshake is not completed. Useful when trying to bypass firewalls and IDS by hiding as normal traffic. NMAP -sS target. Response is the same as Full Connect scan.
Inverse TCP Scan
Uses the FIN, URG, or PSH flag, or no flags at all, to poke at system ports. If the port is open, there will be no response at all. If the port is closed, a RST/ACK will be seen in response. Inverse TCP flag scanning is known as FIN, URG, or PSH scanning based on the flag set in the probe packet. If no flag is set, it is known as null scanning. NMAP -sN target does a NULL scan where no flags are set. NMAP -sF target sets just the FIN flag.

The key advantage of these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that they are a little more stealthy than even a SYN scan. Don't count on this, though: most modern IDS products can be configured to detect them.

The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not, which causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems, though. Another downside is that these scans can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.
XMAS Scan
All flags are turned on and response is the same as that of an inverse TCP scan. Does not work against Microsoft Windows machines because Windows is not RFC 793 compliant. NMAP -sX target
ACK Flag Probe
Two versions - send an ACK flag and look at the return header (TTL or Window fields) to determine the port status. In the TTL version, if the TTL of the returned RST packet is less than 64, the port is open. If the Window size on the RST packet has anything other than zero the port is open. ACK flag probes can also be used to check filtering at the remote end. If the ACK is sent and there is no response, this indicates a stateful firewall is between an attacker and a host. If an RST comes back, there is not. NMAP -sA target
IDLE Scan
This uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan. NMAP -sI target. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows the scan to be bounced off a dumb "zombie host". Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits discovery of IP-based trust relationships between machines.
Fast vs Slow Scan
The slower the scan, the less likely you are to be discovered.
List Scan
Performs a DNS reverse lookup for PTR records of an IP range. NMAP -sL target.
Protocol Scan
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn’t technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. NMAP -sO target
ARP Ping Scan
Sends out ARP requests to the IP range. NMAP -sP. Can force it to use ICMP instead with --disable-arp-ping
RPC Scan
-sR (RPC scan). This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers). NMAP -sR target
TCP Windows Scan
Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window value of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window.
NMAP -sW target
NMAP Ping Options
-PI ICMP Ping
-P0 No Ping
-PS SYN Ping
-PT TCP Ping
NMAP Output Options
-oN Normal Output
-oX XML Output
NMAP Timing Options
-T0 Serial, slowest scan
-T1 Serial, slowest scan
-T2 Serial, normal speed
-T3 Parallel, normal speed scan
-T4 Parallel, fast scan
NMAP switch categories
-s type of scan
-P ping sweep options
-o output format
-T speed and stealth
NMAP -A
Enables OS detection, version detection, script scanning and traceroute
Fingerprinting
Port sweeping and enumeration
NetScanToolsPro
Suite of tools:
- Active Directory and Diagnostics Tools
- Passive Discovery Tools
- DNS Tools
- Local Computer and General Information Tools
HPING and HPING3
Can do most of what NMAP does and is a packet crafter as well
HPING3 -1 target
ICMP mode. Does an ICMP ping sweep
HPING3 -2 target
UDP mode
HPING3 -8 portrange
Define a port range to scan. HPING3 -8 20-100 (scans ports 20 - 100)
HPING3 -9 Protocol
Sets HPING in listen mode. HPING3 -9 HTTP -I eth0
HPING3 --flood
Will send packets as fast as possible without taking care to show incoming replies.
HPING3 -F
Sets the FIN flag
HPING3 -S
Sets the SYN flag
HPING3 -R
Sets the RST flag
HPING3 -P
Sets the PSH flag
HPING3 -A
Sets the ACK flag
HPING3 -U
Sets the URG flag
HPING3 -X
Sets the XMAS scan flags
Other network scanning tools
Advanced Port Scanner,
MegaPing,
Net Tools,
PRTG Network Monitor
Mobile scanning tools
IP scanner, Fing, Hackode, zANTi, PortDroid Network Analysis
NMAP -sS -A -f 192.168.1.1
Fragment a SYN scan to evade IDS detection
IP spoofing tools
HPING, Scapy, Komodia, Ettercap, Cain
Source route attack
Source routing is basically an option in IP (layer 3) where a packet can instruct a gateway which hops to send the packet to. It's like the client deciding which route the packets should take. This is of course kind of bad, because if the client (let's say he's a hacker) decides on the path, then he can route all traffic through some listening box that does all sorts of things to the traffic passing through it.
It also means that the hacker can make an attack seem as if it's originating from another PC, or even "bounce" an attack. For example, let's say you have a business, CompanyA, which is very well protected. But CompanyA is partners with CompanyB and they have VPNs running to and from each other. CompanyB is not very well protected. If a hacker compromises CompanyB, he or she can use source routed packets to attack CompanyA by traversing through CompanyB. Most modern routers drop source routed packets.
IP Address Decoy
Obfuscate the real source of a network scan by hiding it among multiple decoy addresses, making it look like the decoys are scanning as well. NMAP -D RND:10.x.x.x generates a number of decoys and randomly places the real source IP among them. You can also specify the exact decoy IPs with NMAP: NMAP -D decoyIP1,decoyIP2, etc.
Use of proxies when scanning
Hide your scan behind a proxy or chain of proxies to avoid detection
Proxy Chain tools
Proxy Switcher, Proxy Workbench, Proxy Chains, Proxy Chain Builder, CyberHost and Proxifier
Proxy for mobile phones
ProxyDroid, Servers Ultimate, Netshade, ShadowSocks
Anonymizer
A web proxy like Guardster, UltraSurf, Psiphon, Tails
Gzapper
Tool used to remove Google-deposited cookies.
Vulnerability Scanning
Running a tool against a target to see what vulnerabilities it has. RetinaCS, Microsoft Baseline Security Analyzer, Nessus, Nexpose, GFI LanGuard, Qualys FreeScan, OpenVAS.
Vulnerability scanner that tests for the OWASP Top Ten vulnerabilities
Qualys FreeScan and OpenVAS
Enumeration
Active information gathering that involves creating a connection to a device, performing specific actions to query the device, and using the results to identify potential attack vectors.
Security Context
Defines a user identity and authentication information.
Microsoft Security Identifier (SID)
Identifies user, group and computer accounts. Composed of the letter S, followed by a revision number, an authority value, a domain or computer indicator and a RID. RIDs start at 500 (Administrator), and user-created accounts start at 1000.
Linux UID and GID
The User ID and Group ID found in /etc/passwd
Where Windows passwords are stored on a local computer
c:\windows\system32\Config\SAM (encrypted)
Linux enumeration commands
finger (user and host machine), rpcinfo and rpcclient (RPC information), showmount (shared directories)
Banner Grabbing
Part of the enumeration process. Sending an unsolicited request to an open port; the returned banner (HTTP header, error message, login message) can indicate a potential vulnerability.
Active Banner Grabbing
Sending specially crafted packets to remote systems and comparing responses to determine the OS. Telnet to a specific port. Netcat (nc) can also be used to banner grab a specific port. nc target port
Passive Banner Grabbing
Reading error messages, sniffing network traffic or looking at page extensions.
Windows Systems Enumeration
NETBIOS enumeration
NETBIOS Name
16-character ASCII string used to identify network devices
NBTSTAT
Command line tool that can be used to perform NETBIOS enumeration.
NBTSTAT -n for local NETBIOS table,
NBTSTAT -A IpAddress for a remote table,
NBTSTAT -c for the local NETBIOS cache.
NETBIOS Code Types
<1B> Domain Master Browser
<1C> Domain Controller
<1D> Master Browser for the Subnet
<00> Hostname
<00> Domain Name
<03> Service running on the system
<20> Server running on the system
NETBIOS enumeration limitation
NETBIOS does not work on IPv6
NETBIOS enumeration tools
SuperScan, Hyena, Winfingerprint, NETBIOS enumerator, NSAuditor
SNMP components
SNMP Manager,
SNMP agent,
Management Information Base (MIB)
SNMP Management Information Base (MIB)
Database that holds SNMP queryable information arranged by object identifiers (OIDs)
SNMP commands
SNMP GET - retrieve information
SNMP SET - write information
Types of SNMP Managed Objects
Scalar - defines a single object
Tabular - defines multiple related objects that can be grouped together in MIB tables
SNMP security
Based on community strings:
Default ReadOnly Community String is public
Default ReadWrite Community String is private
SNMPV3 advantage over previous versions
Supports encryption, authentication and message integrity similar to how NTPV3 does the same for Network Time Protocol. Previous versions stored and sent community strings in plain text.
SNMP enumeration tools
Solarwinds Engineer's Toolset (SET),
SNMPScanner,
OpUtils5,
SNScan
LDAP enumeration
LDAP defaults to connecting to a Directory Service Agent on port 389. Answers come back encoded using Basic Encoding Rules (BER)
LDAP enumeration tools
Softerra, JXplorer, Lex, LDAP Admin Tool, Active Directory Explorer
NTP enumeration
NTP works on port 123. Querying an NTP Server can give you information such as a list of the systems connected to the server.
NTP enumeration tools
NTP Server Scanning, Atomsync, ntptrace, ntpdc, ntpq
SMTP enumeration commands
VRFY - validates users
EXPN - provides the actual delivery addresses of mailing lists and aliases
RCPT TO - defines recipients
CIFS
Successor to SMB.
CIFS is the primary protocol used by Windows systems for file sharing.
CIFS uses UDP ports 137 and 138, and TCP ports 139 and 445.
Active OS Fingerprinting
Sending crafted, nonstandard packets to a remote host and analyzing the replies.
Passive OS Fingerprinting
Sniffing packets without injecting any packets into the network, examining TTL, window sizes, Don't Fragment flags and Type of Service (ToS) fields from the capture.