Chapter 5 Scanning Networks Flashcards


Flashcards in Chapter 5 Scanning Networks Deck (29):

Phase 2: Network Scanning

a methodical process that involves probing a target network to reveal the nature of the systems on that network as well as the vulnerabilities present


Generally found in Scanning phase is:

1) IP addresses
2) open/closed PORTS on live HOSTS
3) Info on OS(s) & system architecture
4) SERVICES or processes running on hosts


Types of Scans

1) Port scanning - sending crafted messages/packets to a target computer w/ the intent of learning more about it (typically through well-known port #s or those


Common ways to check for Live Systems

Wardialing, Wardriving, Pinging, and Port Scanning



Wardialing

old technique that dials a block of phone numbers using a standard modem to locate systems that also have a modem attached and accept connections

Modems and dial-up are still used as a backup to existing technologies such as cable, DSL, etc.; they are low cost and a safety net if there were to be a major outage; a great way to gain access because of the lack of attention modems get

Firewalls, routers, and fax machines sometimes have modems attached; an attacker can dial in and gain access



Wardriving

the process of driving around with a wireless-enabled laptop or device with the goal of mapping out access points, usually with the help of a GPS device



Pinging

the process of using the ping command to detect whether a system is live and to gain info about the nature of the connection between your system and the target (TTL, speed of packets)

involves using Internet Control Message Protocol (ICMP) messages, which is why this process is also called ICMP scanning

Process works by sending an ICMP ECHO request to another system; if that system is live, it will respond by sending back an ICMP ECHO reply

command prompt --> ping <IP address> or ping <hostname>

*Best to always ping by IP address because pinging a hostname may not get a reply because of DNS problems

Nmap is also used here --> nmap -sP -v <target>


Ping Sweep

scan or sweep a range of IPs looking for hosts that are live; can build inventory of systems quickly

CON - most network admins block ping at the firewall; an IDS or IPS can detect the sweep

nmap -sP -PE -PA <target>

nmap -sn -PE -PA21,23,80,3389


Port Scanning

once live system found, perform port scan to see what ports are open


TCP Flags - (6)

1) SYN - Initiates connection between 2 hosts to facilitate communication
2) ACK - acknowledge the receipt of packet of info
3) URG - indicates that the data contained in the packet is urgent & should be processed immediately
4) PSH - instructs the sending system to send all buffered data immediately
5) FIN - tells the remote system that no more info will be sent, close connection
6) RST - resets a connection


packet crafter

utility designed to create a packet w/ the flags you specify

hping2 and hping3 - command-line-only tools for creating custom packets for testing

Create an ACK packet and send it to port 80:
hping3 -A -p 80 <target>
Create a SYN scan against a range of ports (-8 is scan mode, -S sets SYN, -V is verbose):
hping3 -8 50-56 -S -V <target>
Create a packet with FIN and URG set and send it to port 80:
hping3 -F -U -p 80 <target>


Types of Scans that can be done for port scanning (7)

1) Full Open Scan
2) Stealth Scan, or Half Open Scan
3) Xmas Tree Scan
4) Fin Scan
5) Null Scan
6) Ack Scan
7) UDP Scan


Full Open Scan

1) Full Open Scan - the systems involved initiate and complete the 3-way handshake. The attacker then sends ACK+RST to tear down the connection
PRO - positive feedback on whether the host is up and running
CON - the target knows who you are


Stealth Scan / Half Open Scan

2) Stealth Scan, or Half Open Scan - similar to the Full Open Scan except the attacker sends an RST packet as the final packet to tear down the connection, unless the victim port is closed, in which case the victim will fire back an RST
PRO - less likely to trigger detection mechanisms
CON - less reliable than a Full Open Scan


Xmas Tree Scan

3) Xmas Tree Scan - a single packet is sent to the client with ACK, SYN, URG, RST, and FIN all set (all except PSH). Having all flags set is an illegal combination; the receiving system either ignores/drops the packet or, on some systems, the lack of a response means the port is open, whereas a single RST tells you the port is closed

Xmas tree in Nmap --> nmap -sX -v <target>

CON - Windows systems do not respond to this type of scan


Fin Scan

4) Fin Scan - similar to the Xmas tree scan except only the FIN flag is set and sent; if open, no response; if closed, an RST response



Null Scan

5) Null Scan - sends frames with no flags set; no response means open; an RST means the port is closed



Ack Scan

6) Ack Scan - used to test whether any filtering is being done on a port (tells the attacker whether a firewall or router is in use)

nmap -sA -P0 <target>


**what to do if packet filters, firewalls, or other devices pick up evidence of your scan?

FRAGMENTING works by breaking a packet into multiple pieces with the goal of preventing detection devices from seeing what the original unfragmented packet intends to do

nmap -sS -T4 -A -f -v <target>


UDP scan

7) The previous techniques assume TCP is being used;
For UDP, if a port is open, there is NO response
If a port is closed, an ICMP port unreachable message is returned

Remember UDP does not use the 3-way handshake; TCP is connection-oriented whereas UDP is connectionless


types of OS Fingerprinting (2)

1) Passive - uses sniffing techniques to capture packets coming from a system; the responses are analyzed looking for details of the OS; chance of detection is LOW because sniffing does not introduce traffic to the network

2) Active - uses specifically crafted packets; responses are compared to a DB of known responses; chance of detection is HIGH because it introduces traffic to the network


Banner Grabbing

determine information about services running on a system

Tools --> Telnet

a Banner is what a service returns to the requesting program to give info about the service itself (e.g. HTTP would return server software, version, etc.)

Banners are grabbed by connecting to a host and then sending a request to a port associated with a specific service, such as 80 for HTTP

telnet <host> 80
then type: HEAD / HTTP/1.0 (followed by a blank line)



disable or change banner

tools --> IIS Lockdown, ServerMask, etc

hide file extensions to hide technology used to generate pages

tools --> PageXchanger


Vulnerability Scanning

special type of automated utility designed to identify problems & holes in OS & apps

CON - designed to look for a group of known issues; if none are found, it leaves the impression that your system is safe

can be used by attacker or victim for different reasons

Tools --> Nmap, Rapid7, Retina, etc


Drawing NW diagrams

visualize the network environment; can clearly see holes that can be exploited

Mappers can generate a lot of traffic, so be careful


Using Proxies

a system acting as a stand-in between the scanner and the target; the proxy acts as an agent for the scanning party, thus giving anonymity


Proxy servers can perform several functions

1) Filtering Traffic in & out of NW
2) Anonymizing web traffic
3) Providing a layer of protection between the outside world & the internal NW

Tools --> TOR (The Onion Router), used to improve privacy and security on the internet; packets cannot be traced; encrypts traffic


Setting Web Browser to use Proxy

Set up a proxy to hide yourself -->
1) Find your IP
2) Search for proxies with IP and port number
3) Change proxy settings in the browser
4) Find your IP again to confirm it has changed


What is used for Network Scans?
What is used for Banner Grabbing?
What is used to identify Web Server OS

Nmap - NW scans
Telnet - Banner Grabbing
Netcraft - ID web server OS