Chapter 3 - Scanning and Enumeration (Scanning Networks) Flashcards
Definitions
Scanning
Footprinting
Scanning - discovering systems on the network and taking a look at what open ports and applications may be running
Footprinting - learning how big the network is and general information about its makeup
Definitions
Frame
Packet
Segment
Layer 2, includes physical addresses
Layer 3, includes network address
Layer 4, aka Protocol Data Unit
Definition
User Datagram Protocol (UDP)
Layer 4 (Transport) protocol
Connectionless
Examples: TFTP, DNS, DHCP
6 TCP Flags that can be set in the TCP Header
SYN ACK RST FIN PSH URG
SYN - Synchronize
ACK - Acknowledgement
RST - Reset. Forces termination in both directions
FIN - Finish. Orderly close of communications
PSH - Push. Forces delivery, ignores buffering
URG - Urgent. Data inside is being sent out of band, e.g. cancelling a message mid-stream
Know what protocols use these ports
20-21 22 23 25 53 67 69 80
20 and 21 - FTP (TCP)
22 - SSH (TCP)
23 - Telnet (TCP)
25 - SMTP (TCP)
53 - DNS (TCP and UDP)
67 - DHCP (UDP)
69 - TFTP (UDP)
80 - HTTP (TCP)
Know what protocols use these ports
110 135 137-139 143 161-162 389 443 445
110 - POP3 (TCP)
135 - RPC (TCP)
137-139 - NetBIOS (TCP and UDP)
143 - IMAP (TCP)
161-162 - SNMP (UDP)
389 - LDAP (TCP and UDP)
443 - HTTPS (TCP)
445 - SMB (TCP)
Difference between these 2 types of port states
CLOSE_WAIT
TIME_WAIT
CLOSE_WAIT - remote side of connection closed connection
TIME_WAIT - local (your) side closed the connection
Two types of broadcast addresses
Limited Broadcast
Directed Broadcast
Limited Broadcast addresses are delivered to every system inside the broadcast domain and use 255.255.255.255. (dest. MAC FF:FF:FF:FF:FF:FF)
Directed Broadcasts are sent to all devices on a subnet and use the subnet’s broadcast address. Routers may take action on these packets.
7 Steps of EC Scanning Methodology
Check for live systems
Check for open ports
Scan beyond IDS
Perform Banner Grabbing
Scan for vulnerabilities
Draw network diagrams
Prepare proxies
Check for live systems - simple ping can provide this. Tells you what responds on network
Check for open ports - find listening ports on live systems
Scan beyond IDS - may need to alter your scans to avoid IDS devices
Perform Banner Grabbing - This and OS fingerprinting tell what OS is on the system, what services they run
Scan for vulnerabilities - Perform more focused look at vulnerabilities that haven’t been patched
Draw network diagrams - display all logical and physical pathways to targets
Prepare proxies - obscure your efforts to stay hidden
ICMP Message Types
0: Echo Reply
3: Destination Unreachable
4: Source Quench
5: Redirect
8: Echo Request
9: Time Exceeded
0: Echo Reply - answer to Type 8
3: Destination Unreachable - error message indicating host or network can’t be reached. 7 codes used (know code 13 - communication administratively prohibited. ie blocked by firewall)
4: Source Quench - congestion control message
5: Redirect - when 2 or more gateways available and the best route is not the configured gateway
8: Echo Request - ping message requesting echo reply
9: Time Exceeded - packet took too long (Code 0 TTL expired)
Port Scan 1
Full Connect aka TCP connect or full open scan
runs through full connection (3 way handshake) on all ports, tearing it down with RST at the end.
Easiest to detect, probably the most reliable
open ports respond with SYN/ACK
closed ports respond with RST
Port Scan 2
Stealth aka half-open or SYN scan
Only SYN packets are sent to ports; the 3-way handshake is never completed
Responses are the same as for the TCP connect scan
Useful for hiding your scanning efforts, possibly bypassing firewalls and monitoring by blending in with normal traffic
Often goes unnoticed because there is no completed connection to notice
Port Scan 3
Inverse TCP Flag
Uses the FIN, URG or PSH flag, or no flags at all, to probe system ports
If the port is open, there will be no response.
If the port is closed, an RST/ACK will be sent in response
Port Scan 4
XMAS
Named Christmas scan because all flags are turned on, so the packet is “lit up” like a Christmas tree.
Port responses are same as with inverse TCP scan.
Do not work against Windows computers because Microsoft’s TCP/IP stack is not RFC 793 compliant
Port Scan 5
ACK Flag Probe
2 versions. Both use the same method
Attacker sends a packet with the ACK flag set and looks at the return header (TTL or Window fields) to determine port status
In the TTL version, if TTL < 64, the port is open
In the Window version, if Window Size != 0, the port is open
Port Scan 6
IDLE
Uses a spoofed IP address (idle zombie system) to elicit port responses during a scan.
Designed for stealth, it uses a SYN flag and monitors responses as with a SYN scan
Port Scan 7
UDP Scan
Send a datagram to the port and see what the response is.
Since there is no handshake, if the port is open you don’t receive a response.
If the port is closed, you receive an ICMP port unreachable message
IDLE Scanning process enumerated
6 steps
- Attacker sends a SYN/ACK packet to the zombie.
- Zombie doesn't expect a SYN/ACK and responds with an RST. Attacker notes the IPID in the response
- Attacker sends a packet with the SYN flag set and the zombie's spoofed IP as source to the target
- If the target port is open, it sends a SYN/ACK to the zombie to complete the handshake
- Zombie responds to the target with an RST, which increments its IPID by one.
- Attacker sends another SYN/ACK to the zombie and notes the IPID. If the IPID increased by two, the idle (zombie) system sent a packet and the port was open. If the port was closed, the IPID increments by only one
Nmap switches
-s
P
o
T
-s determines the type of scan to run
P sets up ping sweep options
o switches deal with output
T switches control speed and stealth of the scan
Nmap switches 1-6
-sA
-sF
-sI
-sL
-sN
-sO
-sA - ACK scan
-sF - FIN scan
-sI - IDLE scan
-sL - DNS scan (list scan)
-sN - NULL scan
-sO - Protocol scan