2.4 Information Gathering and Vulnerability Scanning Flashcards

Given a scenario, perform vulnerability scanning.

1
Q

What are some considerations to keep in mind when performing a vulnerability scan?

A

-Time to run scans
-Bandwidth limitations
-Fragile systems, such as a legacy server or nontraditional assets such as IoT devices.
-Impact on devices, because ideally scans should be performed in the background with minimal degradation to network traffic and no impact to end-users.

2
Q

How does a Transmission Control Protocol (TCP) connect scan work?

A

A full scan or TCP connect scan will use a standard TCP three-way handshake. Once the connection is made, the scanner will send a TCP reset (RST) to the server to kill the connection. The scanner then logs the connection and moves on to the next port to attempt to connect to the next service.

3
Q

What are ways to avoid detection using a TCP connect scan? And why would you do this?

A

Full scans produce the most results but are also the noisiest and the most likely to be detected. Common ways to evade detection include randomizing the IP addresses and ports and slowing the scan down.

4
Q

What is a stealth scan?

A

With a stealth scan, the communication is generally one-sided as there is no response expected. As a result, there is a lesser chance of being noticed by network devices.

5
Q

What kind of stealth scans are there?

A

Stealth scans include the following:
-TCP SYN scan sends a packet to the target with the SYN flag set. This is also called a half-open scan because the attacker doesn't complete the three-way handshake.
-FIN scan sends a packet with only the FIN flag set
-NULL scan is a packet sent without any flags set
-XMAS Tree scan sends a packet with the FIN, URG and PSH flags set

6
Q

What is the difference in response when using a SYN scan as opposed to a XMAS Tree, NULL or FIN scan?

A

The only difference is if the port is open, the SYN scan will get a SYN ACK in return, while the others get no response. With a closed or filtered port, the target will either return a reset (RST) or the packet will be dropped without response, respectively.

7
Q

What is the difference between a credentialed and a noncredentialed scan?

A

A credentialed scan uses credentials, such as usernames and passwords, to take a deep dive during the vulnerability scan, which will produce more information while auditing the network. A noncredentialed scan uses fewer permissions, and many times can only find missing patches or updates.

8
Q

Explain the Nmap timing option -T<0-5>.

A

-T0 and -T1 are the best options for IDS evasion but are extremely slow.
-T2 slows the scan to conserve bandwidth
-T3 is the default and is the most stable option
-T4 is the recommended choice for a fast scan that is still reliable
-T5 is the fastest option but can be unstable and should only be used on a network that can handle the speed.

9
Q

Explain the Nmap TCP scans.

A

-A TCP ACK scan (option -sA) is used to bypass firewall rulesets, determine which ports are filtered, and if the firewall is stateful or not.
-A full/TCP connect scan (option -sT) will use a standard TCP three-way handshake.
-A Christmas tree scan (option -sX) sends a TCP segment with the FIN, PSH and URG flags raised to bypass a firewall or IDS.

10
Q

Explain the Nmap UDP scans.

A

A UDP scan (option -sU) is generally slower and more difficult than a TCP scan. Closed ports return an ICMP port unreachable error. Open and filtered ports rarely send any response. However, you can use a version detection scan (option -sV) to help differentiate the truly open ports from the filtered ones.
Since exploitable protocols such as DNS, SNMP and DHCP use UDP, scanning these is recommended.

11
Q

What can you use Nmap Script Engine (NSE) scripts for?

A

-To perform advanced network discovery, including protocol queries and whois lookups
-Detecting versions and attempting brute forces on the service
-Determining and exploiting vulnerabilities
-Uncovering the existence of malware
