Scanning and Enumeration

Question 1

Scanning

Answer 1

Process of discovering systems on the network and taking a look at what open ports and applications may be running.

Question 2

Transport Layer functions

Answer 2

At Layer 4 of the OSI, end-to-end delivery, segment order, reliability and flow control, TCP flags and port numbering.

Question 3

Connectionless Communication

Answer 3

The sender doesn’t care whether the recipient has the bandwidth to accept the message and doesn’t care if the recipient gets the message. Fire and forget method. Faster way of sending datagrams. Accomplished with UDP. Low overhead, simple and fast transport protocol. Normally small amounts of data are moved.

Question 4

Protocols that use UDP

Answer 4

TFTP, DNS lookups, and DHCP

Question 5

Connection-Oriented Communication

Answer 5

Uses TCP. Requires more overhead than UDP. Slower than connectionless. Orderly data exchange and deals with larger data transfer. Senders reach out to recipients to ensure their availability and will continue to communicate to manage the flow of data. If overwhelmed or data gets lost, the recipient can request slow down or retransmission. Uses a three way handshake of SYN, SYN-ACK, ACK packets.

Question 6

UDP datagram structure

Answer 6

Header fields are 16 bits. Source Port, Destination Port, Length, Checksum, Data

Question 7

TCP header flags - SYN flag

Answer 7

Synchronize - negotiation of parameters and sequence numbers

Question 8

TCP header flags - ACK flag

Answer 8

Acknowledgment - set as an acknowledgment to a SYN flag. Set on all segments after the initial SYN flag.

Question 9

TCP header flags - RST flag

Answer 9

Reset - Forces a termination of communications in both directions.

Question 10

TCP header flags - FIN flag

Answer 10

Finish - Signifies an ordered close to communication.

Question 11

TCP header flags - PSH flag

Answer 11

Push - Forces the delivery of data without concern for buffering. The sender does not wait to fill up the buffer to send and the receiving device does not wait for the buffer to fill up before processing the data.

Question 12

TCP header flags - URG flag

Answer 12

Urgent - Indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.

Question 13

Sequence Numbering

Answer 13

A sends to B
A-SYN - My Sequence # A
B-SYN/ACK - A Sequence # + 1 AND My Sequence # B
A-ACK - B Sequence # + 1 AND A Sequence #

Question 14

Packet Crafting Tools

Answer 14

Netscan, 
Ostinato, 
WAN Killer, 
Packeth, 
LAN Forge Fire, 
Colasoft. Can also be used to create fragmented packets to bypass an IDS

Question 15

Colasoft Packet Builder Views

Answer 15

Packet List,
Decode Editor to edit packets,
and Hex Editor for hex editing

Question 16

Well Known Ports

Answer 16

0 - 1023

Question 17

Registered Ports

Answer 17

1024 - 49,151

Question 18

Dynamic Ports

Answer 18

49,152 - 65,535 AKA ephemeral ports

Question 19

FTP Ports

Answer 19

20, 21 TCP

Question 20

SSH Port

Answer 20

22 TCP

Question 21

Telnet Port

Answer 21

23 TCP

Question 22

SMTP Port

Answer 22

25 TCP

Question 23

DNS Port

Answer 23

53 TCP and UDP

Question 24

DHCP Port

Answer 24

67 UDP for server and 68 UDP for client

Question 25

TFTP Port

Answer 25

69 UDP

Question 26

HTTP Port

Answer 26

80 TCP

Question 27

POP3 Port

Answer 27

110 TCP

Question 28

RPC Port

Answer 28

135 TCP

Question 29

NEBIOS Ports

Answer 29

UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)

Question 30

IMAP Port

Answer 30

143 TCP

Question 31

SNMP Ports

Answer 31

161 UDP
162 UDP (SNMPTRAP)

Question 32

LDAP Port

Answer 32

389 TCP and UDP

Question 33

HTTPS Port

Answer 33

443 TCP

Question 34

SMB Port

Answer 34

445 TCP

Question 35

Internet Printing Protocol (IPP) Port

Answer 35

631

Question 36

BGP Port

Answer 36

179

Question 37

Syslog Port

Answer 37

514

Question 38

Listening State

Answer 38

Waiting for a connection.

Question 39

Established State

Answer 39

Connected to a remote computer.

Question 40

CurrPorts Tool

Answer 40

Displays all currently opened TCP and UPD ports

Question 41

CLOSE_WAIT State

Answer 41

The remote side has closed the connection.

Question 42

TIME_WAIT State

Answer 42

Your side has closed the connection

Question 43

NETSTAT -an

Answer 43

Displays all connections and listening ports

Question 44

NETSTAT -b

Answer 44

Can see the executable associated with a port

Question 45

All bits in the host field of an IP address are binary 1s

Answer 45

Broadcast address

Question 46

All bits in the host field of an IP address are binary 0s

Answer 46

Network address

Question 47

Any other combination of host bits not all 1s or 0s

Answer 47

Usable IP address

Question 48

IP address AND with SUBNET Mask equals

Answer 48

The network address

Question 49

Limited broadcast address

Answer 49

255.255.255.255 or MAC: FF:FF:FF:FF:FF:FF - routers drop these

Question 50

Subnet broadcast address

Answer 50

Routers may or may not process them

Question 51

Routed protocol

Answer 51

IPV4 and IPV6

Question 52

Routing protocols

Answer 52

BGP. OSPF, RIP

Question 53

Scanning Steps

Answer 53

1. Check for live systems
2. Check for open ports
3. Scan beyond IDS
4. Perform banner grabbing and OS fingerprinting
5. Scan for vulnerabilities
6. Draw network diagrams
7. Prepare proxies

Question 54

Check for live systems

Answer 54

Normally done using ICMP

Question 55

ICMP Message Type 0

Answer 55

0:Echo Reply - Answer to a Type 8 Echo Request

Question 56

ICMP Message Type 3

Answer 56

3: Destination Unreachable. 
Error codes:
0 - Destination Network Unreachable
1 - Destination Host Unreachable
6 - Network Unknown
7 - Host Unknown
9 - Network Administratively Prohibited
10 - Host Administratively Prohibited
13 - Communication Administratively Prohibited (typically from a poorly configured firewall)

Question 57

ICMP Message Type 4

Answer 57

4:Source Quench: A congestion control message

Question 58

ICMP Message Type 5

Answer 58

5:Redirect. Sent when there are two or more gateways available for the sender to use and the best route available to the destination is not the configured default gateway, Codes:
0 - Redirect datagram for the network
1 - Redirect datagram for the host

Question 59

ICMP Message Type 8

Answer 59

8:Echo Request: A ping message requesting an echo reply

Question 60

ICMP Message Type 11

Answer 60

11:Time Exceeded: The package took too long to be routed to the destination (code 0 is TTL expired)

Question 61

Ping Sweep

Answer 61

Pinging every address in a given network range. Easiest method to detect hosts on a network.

Question 62

ICMP echo scanning

Answer 62

Pinging of the network ID instead of a host

Question 63

Ping Sweep Tools

Answer 63

NMAP, 
Angry IP Scanner, 
Solarwinds Engineer Toolset, 
Network Ping, 
OpUtils, 
Superscan, 
Advanced IP Scanner, 
Pinkie

Question 64

Full Connect Port Scan

Answer 64

Also known as a TCP connect or full open scan - uses a full TCP three-way handshake and sends a RST at the end. Easiest to detect but also the most reliable. Open ports respond with a SYN/ACK and closed ports with a RST/ACK. NMAP -sT target

Question 65

Stealth Port Scan

Answer 65

Also known as a half-open scan (and also as a SYN scan). Only SYN packets are sent to ports but the three way handshake is not completed. Useful when trying to bypass firewalls and IDS by hiding as normal traffic. NMAP -sS target. Response is the same as Full Connect scan.

Question 66

Inverse TCP Scan

Answer 66

Uses the FIN, URG, or PSH flag or no flags at all to poke at system ports. If the port is open, there will be no response at all. If the port is closed, RST/ACK will be seen in response. Inverse TCP flag scanning is known as FIN, URG, PSH scanning based on the flag set in the probe packet. If there is no flag set, it is known as null scanning. NMAP -sN target does a NULL scan where no flags are set. NMAP -sF target sets just the FIN flag. The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don’t count on this though—most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can’t distinguish open ports from certain filtered ones, leaving you with the response open|filtered.

Question 67

XMAS Scan

Answer 67

All flags are turned on and response is the same as that of an inverse TCP scan. Does not work against Microsoft Windows machines because Windows is not RFC 793 compliant. NMAP -sX target

Question 68

ACK Flag Probe

Answer 68

Two versions - send an ACK flag and look at the return header (TTL or Window fields) to determine the port status. In the TTL version, if the TTL of the returned RST packet is less than 64, the port is open. If the Window size on the RST packet has anything other than zero the port is open. ACK flag probes can also be used to check filtering at the remote end. If the ACK is sent and there is no response, this indicates a stateful firewall is between an attacker and a host. If an RST comes back, there is not. NMAP -sA target

Question 69

IDLE Scan

Answer 69

This uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan. NMAP -sI target Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb “zombie host”. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits discovery of IP-based trust relationships between machines.

Question 70

Fast vs Slow Scan

Answer 70

The slower the scan, the less likely you are to be discovered.

Question 71

List Scan

Answer 71

Performs a DNS reverse lookup for PTR records of an IP range. NMAP -sL target.

Question 72

Protocol Scan

Answer 72

IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn’t technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. NMAP -sO target

Question 73

ARP Ping Scan

Answer 73

Sends out ARP requests to the IP range. NMAP -sP. Can force it to use ICMP instead with –disable-arp-ping

Question 74

RPC Scan

Answer 74

Network exploration tool and security / port scanner
-sR (RPC scan) .
This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP
ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can
effectively obtain the same info as rpcinfo -p even if the target´s portmapper is behind a firewall (or protected by TCP wrappers). NMAP -sR target

Question 75

TCP Windows Scan

Answer 75

Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window value of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window.
NMAP -sW target

Question 76

NMAP Ping Options

Answer 76

• PI ICMP Ping
• Po No Ping
• PS SYN Ping
• PT TCP Ping

Question 77

NMAP Output Options

Answer 77

• oN Normal Output

- oX XML Output

Question 78

NMAP Timing Options

Answer 78

• T0 Serial, slowest scan
• T1 Serial, slowest scan
• T2 Serial, normal speed
• T3 Parallel,Normal speed scan
• T4 Parallel,Fast scan

Question 79

NMAP switch categories

Answer 79

• s type of scan
• P ping sweep options
• o output format
• T speed and stealth

Question 80

NMAP -A

Answer 80

Enables OS detection, version detection, script scanning and traceroute

Question 81

Fingerprinting

Answer 81

Port sweeping and enumeration

Question 82

NetScanToolsPro

Answer 82

Suite of tools:

1. Active Directory and Diagnostics Tools
2. Passive Discovery Tools
3. DNS Tools
4. Local Computer and General Information Tools

Question 83

HPING and HPING3

Answer 83

Can do most of what NMAP does and a packet crafter as well

Question 84

HPING3 -1 target

Answer 84

ICMP mode. Does an ICMP ping sweep

Question 85

HPING3 -2 target

Answer 85

UDP mode

Question 86

HPING3 -8 portrange

Answer 86

Define a port range to scan. HPING3 -8 20-100 (scans ports 20 - 100)

Question 87

HPING3 -9 Protocol

Answer 87

Sets HPING in listen mode. HPING3 -9 HTTP -I eth0

Question 88

HPING3 –flood

Answer 88

Will send packets as fast as possible without taking care to show incoming replies.

Question 89

HPING3 -F

Answer 89

Sets the FIN flag

Question 90

HPING3 -S

Answer 90

Sets the SYN flag

Question 91

HPING3 -R

Answer 91

Sets the RST flag

Question 92

HPING3 -P

Answer 92

Sets the PSH flag

Question 93

HPING3 -A

Answer 93

Sets the ACK flag

Question 94

HPING3 -U

Answer 94

Sets the URG flag

Question 95

HPING3 -X

Answer 95

Sets the XMAS scan flags

Question 96

Other network scanning tools

Answer 96

Advanced Port Scanner,
MegaPing,
Net Tools,
PRTG Network Monitor

Question 97

Mobile scanning tools

Answer 97

IP scanner, 
Fing, 
Hackode, 
zANTi, 
PortDroid Network Analysis

Question 98

NMAP -sS -A -f 192.168.1.1

Answer 98

Fragment a SYN scan to evade IDS detection

Question 99

IP spoofing tools

Answer 99

HPING, 
Scapy, 
Komodia, 
Ettercap, 
Cain

Question 100

Source route attack

Answer 100

Source routing is basically an option in IP (layer 3) where a packet can instruct a gateway which hops to send the packet to. Its like the client deciding which route the packets should take. Now this of course is kinda bad because if the client (let’s say he’s a hacker) decides on the path, then he can route all traffic to some listening box, doing all sorts of stuff to the traffic passing through it.
It also means that the hacker can make an attack seem as if its originating from another PC, or even “bounce” an attack. For example, lets say yo have a business CompanyA, which is very well protected. But CompanyA is partners with CompanyB and they have VPNs running to and from each other. CompanyB is not very well protected. If a hacker compromises CompanyB, he / she can use source routed packets to attack CompanyA by traversing through CompanyB. Most modern routers drop source routing packets.

Question 101

IP Address Decoy

Answer 101

Obfuscate the real source of a network scan by hiding it among multiple decoy addresses making it look like the decoys are scanning also. NMAP -D RND:10.x.x.x generates a number of decoys and randomly puts the real source IP between them. You can also specify the exact decoy IPs with NMAP. NMAP -d decoyIP1,decoyIP2, etc.

Question 102

Use of proxies when scanning

Answer 102

Hide your scan behind a proxy or chain of proxies to avoid detection

Question 103

Proxy Chain tools

Answer 103

Proxy Switcher, 
Proxy Workbench, 
Proxy Chains, 
Proxy Chain Builder, 
CyberHost and 
Proxifier

Question 104

Proxy for mobile phones

Answer 104

ProxyDroid, Servers Ultimate, Netshade, ShadowSocks

Question 105

Anonymizer

Answer 105

A web proxy like guardster, ultrasurf, psiphon, tails

Question 106

Gzapper

Answer 106

Tool used to remove Google deposited cookies,

Question 107

Vulnerability Scanning

Answer 107

Running a tool against a target to see what vulnerabilities it has. 
RetinaCS, 
Microsoft Baseline Security Analyzer, 
NESSUS, 
Nexpose, 
GFI Languard, 
Qualsys Freescan, 
OpenVAS,

Question 108

Vulnerability scanner that tests OWASPs top ten vulnerabilities

Answer 108

Qualsys Freescan and OPENVas

Question 109

Enumeration

Answer 109

Active information gathering that involves creating a connection to a device, performing specific actions to query the device, and using the results to identify potential attack vectors.

Question 110

Security Context

Answer 110

Defines a user identity and authentication information.

Question 111

Microsoft Security Identifier (SID)

Answer 111

Identifies user, group and computer accounts. Composed of the letter S, followed by a revision number, an authority value, a domain or computer indicator and a RID. RIDS start at 500 (administrator) and user creation at 1000.

Question 112

Linux UID and GID

Answer 112

The User ID and Group ID found in /etc/passwd

Question 113

Where Windows passwords are stored on a local computer

Answer 113

c:\windows\system32\Config\SAM (encypted)

Question 114

Linux enumeration commands

Answer 114

finger (user and host machine), rpcinfo and rpcclient (RPC information), showmount (shared directories)

Question 115

Banner Grabbing

Answer 115

Part of the enumeration process. Sending an unsolicited request to an open port and the returned banner (HTTP header, error message, login message) can indicate a potential vulnerability,

Question 116

Active Banner Grabbing

Answer 116

Sending specially crafted packets to remote systems and comparing responses to determine the OS. Telnet to a specific port. Netcat (nc) can also be used to banner grab a specific port. nc target port

Question 117

Passive Banner Grabbing

Answer 117

Reading error messages, sniffing network traffic or looking at page extensions.

Question 118

Windows Systems Enumeration

Answer 118

NETBIOS enumeration

Question 119

NETBIOS Name

Answer 119

16 Character ASCII string used to identify network devices

Question 120

NEBTSTAT

Answer 120

Command line tool that can be used to perform NETBIOS enumeration.
NBTSTAT -n for local NETBIOS table,
NBTSTAT -A IpAddress for a remote table,
NBTSTAT -c for the local NETBIOS cache.

Question 121

NETBIOS Code Types

Answer 121

<1B> Domain Master Browser
<1C> Domain Controller
<1D> Master Browser for the Subnet
<00> Hostname
<00> DomainName
<03> Service running on the system
<20> Server running on the system

Question 122

NETBIOS enumeration limitation

Answer 122

NETBIOS does not work on IPV6

Question 123

NETBIOS enumeration tools

Answer 123

SuperScan, 
Hyena, 
Winfingerprint, 
NETBIOS enumerator, 
NSAuditor

Question 124

SNMP components

Answer 124

SNMP Manager,
SNMP agent,
Management Information Base (MIB)

Question 125

SNMP Management Information Base (MIB)

Answer 125

Database that holds SNMP queryable information arranged by object identifiers (OIDs)

Question 126

SNMP commands

Answer 126

SNMP GET - retrieve information

SNMP SET - write information

Question 127

Types of SNMP Managed Objects

Answer 127

Scalar - defines a single object

Tabular - defines multiple related objects that can be grouped together in MIB tables

Question 128

SNMP security

Answer 128

Based on community strings:
Default ReadOnly Community String is public
Default ReadWrite Community String is private

Question 129

SNMPV3 advantage over previous versions

Answer 129

Supports encryption, authentication and message integrity similar to how NTPV3 does the same for Network Time Protocol. Previous versions stored and sent community strings in plain text.

Question 130

SNMP enumeration tools

Answer 130

Solarwinds Engineers Toolkit (SET),
SNMPScanner,
OpUtils5,
SNScan

Question 131

LDAP enumeration

Answer 131

LDAP defaults to connecting to a Directory Service Agent on port 389. Answers come back encoded using Basic Encoding Rules (BER)

Question 132

LDAP enumeration tools

Answer 132

Softerra, 
JXplorer, 
Lex, 
LDAP Admin Tool, 
Active Directory Explorer

Question 133

NTP enumeration

Answer 133

NTP works on port 123. Querying an NTP Server can give you information such as a list of the systems connected to the server.

Question 134

NTP enumeration tools

Answer 134

NTP Server Scanning, 
Atomsync, 
ntptrace,
ntpdc, 
ntpq

Question 135

SMTP enumeration commands

Answer 135

VRFY - validates users
EXPN - provides the actual delivery addresses of mailing lists and aliases
RCPT TO - defines recipients

Question 136

CIFS

Answer 136

Successor to SMB.
CIFS is the primary protocol used by Windows systems for file sharing.
CIFS uses UDP ports 137 and 138, and TCP ports 139 and 445.

Question 137

Active OS Fingerprinting

Answer 137

Sending crafted, nonstandard packets to a remote host and analyzing the replies.

Question 138

Passive OS Fingerprinting

Answer 138

Sniffing packets without injecting any packets into the network, examining TTL, window sizes, Dont’ Fragment flags and Type of Service (Tos) fields from the capture.