Scanning and Enumeration Flashcards Preview

Flashcards in Scanning and Enumeration Deck (138)
1
Q

Scanning

A

Process of discovering systems on the network and taking a look at what open ports and applications may be running.

2
Q

Transport Layer functions

A

At Layer 4 of the OSI, end-to-end delivery, segment order, reliability and flow control, TCP flags and port numbering.

3
Q

Connectionless Communication

A

The sender doesn’t care whether the recipient has the bandwidth to accept the message and doesn’t care if the recipient gets the message. Fire and forget method. Faster way of sending datagrams. Accomplished with UDP. Low overhead, simple and fast transport protocol. Normally small amounts of data are moved.

4
Q

Protocols that use UDP

A

TFTP, DNS lookups, and DHCP

5
Q

Connection-Oriented Communication

A

Uses TCP. Requires more overhead than UDP. Slower than connectionless. Orderly data exchange and deals with larger data transfer. Senders reach out to recipients to ensure their availability and will continue to communicate to manage the flow of data. If overwhelmed or data gets lost, the recipient can request slow down or retransmission. Uses a three way handshake of SYN, SYN-ACK, ACK packets.

6
Q

UDP datagram structure

A

Header fields are 16 bits each: Source Port, Destination Port, Length, Checksum; followed by the Data.

7
Q

TCP header flags - SYN flag

A

Synchronize - negotiation of parameters and sequence numbers

8
Q

TCP header flags - ACK flag

A

Acknowledgment - set as an acknowledgment to a SYN flag. Set on all segments after the initial SYN flag.

9
Q

TCP header flags - RST flag

A

Reset - Forces a termination of communications in both directions.

10
Q

TCP header flags - FIN flag

A

Finish - Signifies an ordered close to communication.

11
Q

TCP header flags - PSH flag

A

Push - Forces the delivery of data without concern for buffering. The sender does not wait to fill up the buffer to send and the receiving device does not wait for the buffer to fill up before processing the data.

12
Q

TCP header flags - URG flag

A

Urgent - Indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.

13
Q

Sequence Numbering

A

A sends to B
A-SYN - My Sequence # A
B-SYN/ACK - A Sequence # + 1 AND My Sequence # B
A-ACK - B Sequence # + 1 AND A Sequence #

14
Q

Packet Crafting Tools

A

Netscan,
Ostinato,
WAN Killer,
Packeth,
LAN Forge Fire,
Colasoft.
Can also be used to create fragmented packets to bypass an IDS.

15
Q

Colasoft Packet Builder Views

A

Packet List,
Decode Editor to edit packets,
and Hex Editor for hex editing

16
Q

Well Known Ports

A

0 - 1023

17
Q

Registered Ports

A

1024 - 49,151

18
Q

Dynamic Ports

A

49,152 - 65,535 AKA ephemeral ports

19
Q

FTP Ports

A

20, 21 TCP

20
Q

SSH Port

A

22 TCP

21
Q

Telnet Port

A

23 TCP

22
Q

SMTP Port

A

25 TCP

23
Q

DNS Port

A

53 TCP and UDP

24
Q

DHCP Port

A

67 UDP for server and 68 UDP for client

25
Q

TFTP Port

A

69 UDP

26
Q

HTTP Port

A

80 TCP

27
Q

POP3 Port

A

110 TCP

28
Q

RPC Port

A

135 TCP

29
Q

NETBIOS Ports

A

UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)

30
Q

IMAP Port

A

143 TCP

31
Q

SNMP Ports

A

161 UDP
162 UDP (SNMPTRAP)

32
Q

LDAP Port

A

389 TCP and UDP

33
Q

HTTPS Port

A

443 TCP

34
Q

SMB Port

A

445 TCP

35
Q

Internet Printing Protocol (IPP) Port

A

631

36
Q

BGP Port

A

179

37
Q

Syslog Port

A

514

38
Q

Listening State

A

Waiting for a connection.

39
Q

Established State

A

Connected to a remote computer.

40
Q

CurrPorts Tool

A

Displays all currently opened TCP and UDP ports

41
Q

CLOSE_WAIT State

A

The remote side has closed the connection.

42
Q

TIME_WAIT State

A

Your side has closed the connection

43
Q

NETSTAT -an

A

Displays all connections and listening ports

44
Q

NETSTAT -b

A

Can see the executable associated with a port

45
Q

All bits in the host field of an IP address are binary 1s

A

Broadcast address

46
Q

All bits in the host field of an IP address are binary 0s

A

Network address

47
Q

Any other combination of host bits not all 1s or 0s

A

Usable IP address

48
Q

IP address AND with SUBNET Mask equals

A

The network address

49
Q

Limited broadcast address

A

255.255.255.255 or MAC: FF:FF:FF:FF:FF:FF - routers drop these

50
Q

Subnet broadcast address

A

Routers may or may not process them

51
Q

Routed protocol

A

IPV4 and IPV6

52
Q

Routing protocols

A

BGP, OSPF, RIP

53
Q

Scanning Steps

A

  1. Check for live systems
  2. Check for open ports
  3. Scan beyond IDS
  4. Perform banner grabbing and OS fingerprinting
  5. Scan for vulnerabilities
  6. Draw network diagrams
  7. Prepare proxies

54
Q

Check for live systems

A

Normally done using ICMP

55
Q

ICMP Message Type 0

A

0:Echo Reply - Answer to a Type 8 Echo Request

56
Q

ICMP Message Type 3

A

3: Destination Unreachable.
Error codes:
0 - Destination Network Unreachable
1 - Destination Host Unreachable
6 - Network Unknown
7 - Host Unknown
9 - Network Administratively Prohibited
10 - Host Administratively Prohibited
13 - Communication Administratively Prohibited (typically from a poorly configured firewall)

57
Q

ICMP Message Type 4

A

4:Source Quench: A congestion control message

58
Q

ICMP Message Type 5

A

5:Redirect. Sent when there are two or more gateways available for the sender to use and the best route available to the destination is not the configured default gateway, Codes:
0 - Redirect datagram for the network
1 - Redirect datagram for the host

59
Q

ICMP Message Type 8

A

8:Echo Request: A ping message requesting an echo reply

60
Q

ICMP Message Type 11

A

11:Time Exceeded: The packet took too long to be routed to the destination (code 0 is TTL expired)

61
Q

Ping Sweep

A

Pinging every address in a given network range. Easiest method to detect hosts on a network.

62
Q

ICMP echo scanning

A

Pinging of the network ID instead of a host

63
Q

Ping Sweep Tools

A

NMAP,
Angry IP Scanner,
Solarwinds Engineer Toolset,
Network Ping,
OpUtils,
Superscan,
Advanced IP Scanner,
Pinkie

64
Q

Full Connect Port Scan

A

Also known as a TCP connect or full open scan - uses a full TCP three-way handshake and sends a RST at the end. Easiest to detect but also the most reliable. Open ports respond with a SYN/ACK and closed ports with a RST/ACK. NMAP -sT target

65
Q

Stealth Port Scan

A

Also known as a half-open scan (and also as a SYN scan). Only SYN packets are sent to ports but the three way handshake is not completed. Useful when trying to bypass firewalls and IDS by hiding as normal traffic. NMAP -sS target. Response is the same as Full Connect scan.

66
Q

Inverse TCP Scan

A

Uses the FIN, URG, or PSH flag or no flags at all to poke at system ports. If the port is open, there will be no response at all. If the port is closed, RST/ACK will be seen in response. Inverse TCP flag scanning is known as FIN, URG, PSH scanning based on the flag set in the probe packet. If there is no flag set, it is known as null scanning. NMAP -sN target does a NULL scan where no flags are set. NMAP -sF target sets just the FIN flag. The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don’t count on this though—most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can’t distinguish open ports from certain filtered ones, leaving you with the response open|filtered.

67
Q

XMAS Scan

A

All flags are turned on and response is the same as that of an inverse TCP scan. Does not work against Microsoft Windows machines because Windows is not RFC 793 compliant. NMAP -sX target

68
Q

ACK Flag Probe

A

Two versions - send an ACK flag and look at the return header (TTL or Window fields) to determine the port status. In the TTL version, if the TTL of the returned RST packet is less than 64, the port is open. If the Window size on the RST packet has anything other than zero the port is open. ACK flag probes can also be used to check filtering at the remote end. If the ACK is sent and there is no response, this indicates a stateful firewall is between an attacker and a host. If an RST comes back, there is not. NMAP -sA target

69
Q

IDLE Scan

A

This uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan. NMAP -sI target Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb “zombie host”. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits discovery of IP-based trust relationships between machines.

70
Q

Fast vs Slow Scan

A

The slower the scan, the less likely you are to be discovered.

71
Q

List Scan

A

Performs a DNS reverse lookup for PTR records of an IP range. NMAP -sL target.

72
Q

Protocol Scan

A

IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn’t technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. NMAP -sO target

73
Q

ARP Ping Scan

A

Sends out ARP requests to the IP range. NMAP -sP. Can force it to use ICMP instead with --disable-arp-ping

74
Q

RPC Scan

A

-sR (RPC scan). This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers). NMAP -sR target

75
Q

TCP Window Scan

A

Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window value of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window.
NMAP -sW target

76
Q

NMAP Ping Options

A

  • PI ICMP Ping
  • P0 No Ping
  • PS SYN Ping
  • PT TCP Ping

77
Q

NMAP Output Options

A

  • oN Normal Output
  • oX XML Output

78
Q

NMAP Timing Options

A

  • T0 Serial, slowest scan
  • T1 Serial, slowest scan
  • T2 Serial, normal speed
  • T3 Parallel, normal speed scan
  • T4 Parallel, fast scan

79
Q

NMAP switch categories

A

  • s type of scan
  • P ping sweep options
  • o output format
  • T speed and stealth

80
Q

NMAP -A

A

Enables OS detection, version detection, script scanning and traceroute

81
Q

Fingerprinting

A

Port sweeping and enumeration

82
Q

NetScanToolsPro

A

Suite of tools:

  1. Active Directory and Diagnostics Tools
  2. Passive Discovery Tools
  3. DNS Tools
  4. Local Computer and General Information Tools
83
Q

HPING and HPING3

A

Can do most of what NMAP does and is a packet crafter as well

84
Q

HPING3 -1 target

A

ICMP mode. Does an ICMP ping sweep

85
Q

HPING3 -2 target

A

UDP mode

86
Q

HPING3 -8 portrange

A

Define a port range to scan. HPING3 -8 20-100 (scans ports 20 - 100)

87
Q

HPING3 -9 Protocol

A

Sets HPING in listen mode. HPING3 -9 HTTP -I eth0

88
Q

HPING3 --flood

A

Will send packets as fast as possible without taking care to show incoming replies.

89
Q

HPING3 -F

A

Sets the FIN flag

90
Q

HPING3 -S

A

Sets the SYN flag

91
Q

HPING3 -R

A

Sets the RST flag

92
Q

HPING3 -P

A

Sets the PSH flag

93
Q

HPING3 -A

A

Sets the ACK flag

94
Q

HPING3 -U

A

Sets the URG flag

95
Q

HPING3 -X

A

Sets the XMAS scan flags

96
Q

Other network scanning tools

A

Advanced Port Scanner,
MegaPing,
Net Tools,
PRTG Network Monitor

97
Q

Mobile scanning tools

A

IP scanner,
Fing,
Hackode,
zANTi,
PortDroid Network Analysis

98
Q

NMAP -sS -A -f 192.168.1.1

A

Fragment a SYN scan to evade IDS detection

99
Q

IP spoofing tools

A

HPING,
Scapy,
Komodia,
Ettercap,
Cain

100
Q

Source route attack

A

Source routing is basically an option in IP (layer 3) where a packet can instruct a gateway which hops to send the packet to. It's like the client deciding which route the packets should take. This is of course bad because if the client (let's say he's a hacker) decides on the path, then he can route all traffic to some listening box, doing all sorts of stuff to the traffic passing through it.
It also means that the hacker can make an attack seem as if it's originating from another PC, or even “bounce” an attack. For example, let's say you have a business CompanyA, which is very well protected. But CompanyA is partners with CompanyB and they have VPNs running to and from each other. CompanyB is not very well protected. If a hacker compromises CompanyB, he/she can use source routed packets to attack CompanyA by traversing through CompanyB. Most modern routers drop source routed packets.

101
Q

IP Address Decoy

A

Obfuscate the real source of a network scan by hiding it among multiple decoy addresses, making it look like the decoys are scanning also. NMAP -D RND:10.x.x.x generates a number of decoys and randomly puts the real source IP between them. You can also specify the exact decoy IPs with NMAP: NMAP -D decoyIP1,decoyIP2, etc.

102
Q

Use of proxies when scanning

A

Hide your scan behind a proxy or chain of proxies to avoid detection

103
Q

Proxy Chain tools

A

Proxy Switcher,
Proxy Workbench,
Proxy Chains,
Proxy Chain Builder,
CyberHost and
Proxifier

104
Q

Proxy for mobile phones

A

ProxyDroid, Servers Ultimate, Netshade, ShadowSocks

105
Q

Anonymizer

A

A web proxy like guardster, ultrasurf, psiphon, tails

106
Q

Gzapper

A

Tool used to remove Google deposited cookies.

107
Q

Vulnerability Scanning

A

Running a tool against a target to see what vulnerabilities it has.
RetinaCS,
Microsoft Baseline Security Analyzer,
NESSUS,
Nexpose,
GFI Languard,
Qualys FreeScan,
OpenVAS

108
Q

Vulnerability scanner that tests OWASPs top ten vulnerabilities

A

Qualys FreeScan and OpenVAS

109
Q

Enumeration

A

Active information gathering that involves creating a connection to a device, performing specific actions to query the device, and using the results to identify potential attack vectors.

110
Q

Security Context

A

Defines a user identity and authentication information.

111
Q

Microsoft Security Identifier (SID)

A

Identifies user, group and computer accounts. Composed of the letter S, followed by a revision number, an authority value, a domain or computer indicator and a RID. RIDs start at 500 (Administrator), and user-created accounts start at 1000.

112
Q

Linux UID and GID

A

The User ID and Group ID found in /etc/passwd

113
Q

Where Windows passwords are stored on a local computer

A

c:\windows\system32\Config\SAM (encrypted)

114
Q

Linux enumeration commands

A

finger (user and host machine), rpcinfo and rpcclient (RPC information), showmount (shared directories)

115
Q

Banner Grabbing

A

Part of the enumeration process. Sending an unsolicited request to an open port; the returned banner (HTTP header, error message, login message) can indicate a potential vulnerability.

116
Q

Active Banner Grabbing

A

Sending specially crafted packets to remote systems and comparing responses to determine the OS. Telnet to a specific port. Netcat (nc) can also be used to banner grab a specific port. nc target port

117
Q

Passive Banner Grabbing

A

Reading error messages, sniffing network traffic or looking at page extensions.

118
Q

Windows Systems Enumeration

A

NETBIOS enumeration

119
Q

NETBIOS Name

A

16 Character ASCII string used to identify network devices

120
Q

NBTSTAT

A

Command line tool that can be used to perform NETBIOS enumeration.
NBTSTAT -n for local NETBIOS table,
NBTSTAT -A IpAddress for a remote table,
NBTSTAT -c for the local NETBIOS cache.

121
Q

NETBIOS Code Types

A

<1B> Domain Master Browser
<1C> Domain Controller
<1D> Master Browser for the Subnet
<00> Hostname
<00> DomainName
<03> Service running on the system
<20> Server running on the system

122
Q

NETBIOS enumeration limitation

A

NETBIOS does not work on IPV6

123
Q

NETBIOS enumeration tools

A

SuperScan,
Hyena,
Winfingerprint,
NETBIOS enumerator,
NSAuditor

124
Q

SNMP components

A

SNMP Manager,
SNMP agent,
Management Information Base (MIB)

125
Q

SNMP Management Information Base (MIB)

A

Database that holds SNMP queryable information arranged by object identifiers (OIDs)

126
Q

SNMP commands

A

SNMP GET - retrieve information

SNMP SET - write information

127
Q

Types of SNMP Managed Objects

A

Scalar - defines a single object

Tabular - defines multiple related objects that can be grouped together in MIB tables

128
Q

SNMP security

A

Based on community strings:
Default ReadOnly Community String is public
Default ReadWrite Community String is private

129
Q

SNMPV3 advantage over previous versions

A

Supports encryption, authentication and message integrity similar to how NTPV3 does the same for Network Time Protocol. Previous versions stored and sent community strings in plain text.

130
Q

SNMP enumeration tools

A

Solarwinds Engineers Toolkit (SET),
SNMPScanner,
OpUtils5,
SNScan

131
Q

LDAP enumeration

A

LDAP defaults to connecting to a Directory Service Agent on port 389. Answers come back encoded using Basic Encoding Rules (BER)

132
Q

LDAP enumeration tools

A

Softerra,
JXplorer,
Lex,
LDAP Admin Tool,
Active Directory Explorer

133
Q

NTP enumeration

A

NTP works on port 123. Querying an NTP Server can give you information such as a list of the systems connected to the server.

134
Q

NTP enumeration tools

A

NTP Server Scanning,
Atomsync,
ntptrace,
ntpdc,
ntpq

135
Q

SMTP enumeration commands

A

VRFY - validates users
EXPN - provides the actual delivery addresses of mailing lists and aliases
RCPT TO - defines recipients

136
Q

CIFS

A

Successor to SMB.
CIFS is the primary protocol used by Windows systems for file sharing.
CIFS uses UDP ports 137 and 138, and TCP ports 139 and 445.

137
Q

Active OS Fingerprinting

A

Sending crafted, nonstandard packets to a remote host and analyzing the replies.

138
Q

Passive OS Fingerprinting

A

Sniffing packets without injecting any packets into the network, examining TTL, window sizes, Don't Fragment flags and Type of Service (ToS) fields from the capture.