Theory Test 3

Question 1

Port Scanning

Answer 1

A method of finding out which services/ports a host computer offers.

Question 2

Port States

Answer 2

Open, Closed, Filtered

Question 3

Open Port

Answer 3

Send a SYN, receive a SYN/ACK

Question 4

Closed Port

Answer 4

Send a SYN, receive a RST

Question 5

Filtered Port

Answer 5

(Presumably behind a firewall) Packet dropped, no response

Question 6

Types of Port Scans

Answer 6

TCP SYN Scan, TCP FIN Scan, Connect Scan, NULL Scan

Question 7

TCP SYN Scan

Answer 7

Half-open scanning. SYN is sent, if SYN/ACK recieved, port is listening, send a RST immediately to terminate connection. Few servers log this because no full connection is made. (nmap -s in root for SYN scan)

Question 8

TCP FIN Scan

Answer 8

Attempt to close a connection that isn’t open. Closed ports reply with RST. Open ports ignore, so no response is a listening port.

Question 9

Connect Scan

Answer 9

Opens a connection to every interesting port. Success if port is listening. Not stealthy but fastest scanning method.

Question 10

NULL Scan

Answer 10

No flags, target doesn’t know how to handle, packet dropped, no response, port listening. Closed port sends a RST.

Question 11

Common Scanning Types

Answer 11

Terminal/Command line ping sweeps, port scanner software

Question 12

Terminal/Command Line Ping Sweeps

Answer 12

Look for echo replies. Recon looking for shares or accessibilities.

Question 13

Port Scanning Software

Answer 13

Look for normal TCP connection response. Further recon looking for OS/Software vulnerabilities.

Question 14

Windows File Sharing Ports

Answer 14

139 (NetBIOS), 445 (SMB)

Question 15

Port scanning programs report what?

Answer 15

Port state, best guess OS, services likely running, ping reports, more.

Question 16

Scanning Tools

Answer 16

Nmap, NetScan, Nessus, Fping, more.

Question 17

Nmap

Answer 17

Command line tool for Win and Linux, GUI version is Zenmap. Determine open ports, services running, and OS.

Question 18

Enumeration

Answer 18

Involves connecting to a system, not just identifying.

Question 19

Windows FOR Command

Answer 19

FOR /L loops multiple iterations

FOR /F provides input from a file

Question 20

FOR Syntax

Answer 20

FOR /L %i in (start,step,stop) do (command) %i
*@ used to hide words and show only result
FOR /F %i in (filename.txt) do (command) %i

Question 21

CLI Output Options

Answer 21

Command>nul: sends err to nul so not shown on screen
Command > error.txt
Command&raquo_space; error.txt: sends to txt and appends to existing content
Pipe output to other commmands using |
enter 2 commands in order using & (cls clears screen)
&& to only execute second command if first worked

Question 22

Enum.exe

Answer 22

enum -d -u name -f password.txt

runs all passwords against the username on computer with given ip

Question 23

Enumeration Commands

Answer 23

NBTStat, NBTScan, net view, net use

Question 24

NBTStat

Answer 24

Shows computer names, workgroups, MAC addresses, assigned to a single ip address host.
Syntax: nbtstat -a

Question 25

NBTScan

Answer 25

Shows sharing at ip targets through network ip address ranges.
Syntax: nbtscan / or - (ex. 10.80.10.2/24)

Question 26

net view

Answer 26

Displays information of shared folders at a target ip address
Syntax: netview
netview /all shows all shares including admin shares
netview /domain: will list all of the sharing computers in the domain.

Question 27

net use

Answer 27

Most powerful net command. Allows connections to network share. Can also map a network drive
Syntax: net use ///

Question 28

fping

Answer 28

Ping multiple ip addresses simultaneously. Command: fping -g/-f option