03: Scanning Networks Flashcards

1
Q

What information should you obtain from network and port scanning?

A
  • Open ports
  • Open services
  • OSes
  • Configuration lapses
2
Q

What is network scanning?

A

The process of gathering additional detailed information about the target by using highly complex and aggressive reconnaissance techniques.

3
Q

What are the objectives of network scans?

A
  • Check live systems and open ports
  • Identify services running in live systems
  • Perform banner grabbing/OS fingerprinting
  • Identify network vulnerabilities
4
Q

Types of scanning?

A
  • Port scanning: lists open ports and services
  • Network scanning: lists the active hosts and IP addresses
  • Vulnerability scanning: shows the presence of known weaknesses
5
Q

Nmap commands (flags)

A

-sn: disable port scan
-PR: ARP ping scan
-PU: UDP ping scan
-PE: ICMP ECHO ping scan
--- Less important ---
-PP: ICMP timestamp ping scan
-PM: ICMP address Mask Ping Scan
-PS: TCP SYN ping scan
-PA: TCP ACK ping scan
-PO: IP protocol ping scan

6
Q

What types of protocols are there?

A
  • ICMP
  • UDP
  • TCP
7
Q

Describe ICMP protocol

A

Internet Control Message Protocol

8
Q

Describe UDP protocol

A

User Datagram Protocol
- Provides a connectionless datagram service that prioritizes time over reliability.

9
Q

Describe TCP protocol

A

Transmission Control Protocol (TCP/IP)
- TCP is connection-oriented and is used for reliable data streams.
- TCP vulnerabilities: DNS, connection hijacking, TCP veto and reset attacks

10
Q

What are the TCP Communication Flags

A
  • URG: data should be processed immediately
  • FIN: no further transmissions
  • RST: reset a connection
  • PSH: push (send all buffered data)
  • ACK: acknowledge a packet
  • SYN: initiates a connection
11
Q

Network administrators can use Nmap for?

A
  • Inventorying a network
  • Managing service upgrade schedules
  • Monitoring host or service uptime
12
Q

Attackers can use Nmap to extract information about?

A
  • live hosts on the network
  • open ports
  • services (application name and version)
  • types of packet filters/firewalls
  • operating systems and versions
13
Q

Tools for network scanning

A
  • Nmap
  • Hping3
  • Wireshark
14
Q

Host discovery techniques:

A
  • ARP Ping Scan
  • UDP Ping Scan
  • ICMP Ping Scan (ECHO, Timestamp, Address Mask)
  • TCP Ping Scan (SYN, ACK)
  • IP Protocol Ping Scan
15
Q

What does an ARP Ping Scan look for?

A

Command: nmap -sn -PR <Target>
Request: ARP request probe
Response: ARP response -> host is active; No response -> host is inactive
Advantages: more efficient and accurate and therefore useful for system discovery, where one may need to scan large address spaces.

16
Q

What does a UDP Ping scan look for?

A

Command: nmap -sn -PU <Target>
Request: UDP request
Response: UDP response -> host is active; Error message -> host is inactive
Advantages: detects systems behind firewalls with strict TCP filtering

17
Q

What does an ICMP ECHO Ping scan look for?

A

Command: nmap -sn -PE <Target>
Request: ICMP ECHO request
Response: ICMP ECHO reply -> host is active; No response -> host is inactive
Advantages: useful for locating active devices or determining if the ICMP message passes through a firewall
Disadvantages: does not work on Windows-based networks

18
Q

NSE (Nmap Script Engine) commands?

A

-A: aggressive scan => open ports, running services and target details (OS, computer name, NetBIOS)
-O: OS discovery => open ports, running services and OS

19
Q

Techniques to evade IDS (Intrusion Detection System)/firewall?

A
  • Packet Fragmentation: send fragmented probe packets to the intended target, which re-assembles it after receiving all the fragments.
  • Source Routing: specifies the routing path for the malformed packet to reach the intended target
  • Source Port Manipulation: manipulate the actual source port with the common source port to evade IDS/firewall
  • IP Address Decoy: generate or manually specify IP addresses of the decoys so that the IDS/firewall cannot determine the actual IP address
  • IP Address Spoofing: change source IP addresses so that the attack appears to be coming in as someone else
  • Creating Custom Packets: send custom packets to scan the intended target beyond the firewalls
  • Randomizing Host Order: scan the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall
  • Sending Bad Checksums: send the packets with bad or bogus TCP/UDP checksums to the intended target
  • Proxy Servers: use a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall
  • Anonymizers: use anonymizers that allow them to bypass Internet censors and evade certain IDS and firewall rules
20
Q

Name two mechanisms to prevent unauthorized persons from accessing a network?

A
  • IDS (Intrusion Detection System)
  • Firewall