Random Recon/ scan Flashcards
Name Packet Crafting tools (npow +2)
NetScan, PackEth, Ostinato, WAN Killer, Lan Forge Fire, Colasofts- Packet Builder (has three windows packet list, code builder and hex view) Packet builders can fragment packages to get past IDS’s
netstat -an
displays all connections and listening ports with addresses and port numbers in numerical form
netstat -b
when run with admin privileges you can see executable tied to open port.
ping sweep tools
Nmap, angry ip, Solar Winds Engineer Toolset, Network Ping, OPUtils, Superscan, Advanced IP Scanner, Pinkie
Steps in scanning methodology (7)
check for live systems check for open ports scan beyond IDS perform banner grabbing scan for vulnerabilities draw network map prepare proxies
hping2 -1 ipaddr
hping2 syntax to icmp ping
hping2 -2
hping3 syntax to set up udp mode
-8 eg. hping2 -8 2-80
hping3 flag to set scan mode scans ports 2 thru 80
–flood hping2 -S -a -p 22
hping3 flag for for flood -send syn flood to port 22
Port scanning tools- regular (3)
Nmap, PRTG network Monitor, MegaPing
Port scanning- Mobile (fzips)
ip scanner, fing, zANTi, PORT droid, Super Scan
What is active OS fingerprinting
Sending crafted, non standard packets to remote host and analyzing replies
What is passive OS fingerprinting
Sniffing packets and analyzing TTL, window sizes, Don’t Fragment flags and ToS (Type of Service) fields
Tools that allow IP spoofing (4) (SHaNK)
Nmap, Hping, Scapy, Komodia
What is gzapper
Clears Google cookies
Vulnerability Scanning
Running a tool against a target to see what vulnerabilities it may have
Where are Windows Passwords stored
C:\windows\System 32\config\SAM. Machines that are part of a domain passwords are stored and managed by the domain controller
Linux enumeration CMD line tools
finger (provides info on the user and host machine), rpcinfo and rpcclient (provide info on the rpc enviornment) and showmount (displays shared directories on the machine.
Active banner grabbing
send crafted packets to remote systems and comparing responses to determine OS
Passive banner grabbing
Reading error messages (telnet connect to port 80 or nc and response), sniffing network traffic or looking at page extensions
SNMP MIB
Management Information Base hold information on devices on a subnet arranged by the OID object identifiers. MIB entries can identify what device is, os, usage stats and even change setting on devices. retrieval of info is a GET request. Change of of config is a SET request. trap (alert) port 162
What version of SNMP offers encryption and auth and integrity
3
What version of ntp offers encryption and auth and integrity
3
LDAP general info
session started by client on port 389. Hierarchical database return queries using BER Basic Encoding Rules. Can retrieve usernames, domain info address telephone, system data etc.
