Scanning

Question 1

What are the goals of scanning?

Answer 1

• Open ports
• Find live network hosts, firewalls, routers, printers…etc
• Potential Vulnerabilities
• OS type used
• Work out networktopolgy.

Question 2

What is network scanning?

Answer 2

A set of procedures, for identifying hosts, ports, and services in a network.

Question 3

What are the objectives of network scanning?

Answer 3

• To discover live hosts, IP addresses, and open ports of live hosts.
• To discover OS and system architecture
• Discover vulnerabilities on live host
• Discover services running on hosts.

Question 4

What are the types of TCP flags?

Answer 4

• URG: data in the packet must proceed immediately
• RST: resets a connection
• PSH: sends all buffered data immediately
• ACK: acknowledges the receipt of the data
• SYN: initiates a connection between hosts
• FIN: there will be no further transmisstions

Question 5

what is an ARP scan?

Answer 5

a Linux-based command-line tool, which scans a subnet of a network for live hosts.
it displays IP adress and MAC adress

Question 6

List the reasons to use ARP scan for host discovery?

Answer 6

-Takes the least amount of time
-Least amount of cost
-It identifies hosts that are configured with a local firewall
-

Question 7

ARP scan must be run as__

Answer 7

root user

Question 8

What is the command used to scan a single host inARP scan?

Answer 8

Sudo arp-scan [IP address]

Question 9

What is the command used for ARP scan to scan all the network?

Answer 9

Sudo arp-scan [IP address] /24

Question 10

Explain how does an ARP scan works?

Answer 10

send an ARP request for every host on a subnet, and if it receives an ARP reply, then the host is considered “alive”

Question 11

What is the command used for ARP scan to scan the local network?

Answer 11

sudo arp-scan -l
OR
sudo arp-scan –localnet

Question 12

What are the nmap options used for ARP host discovery and why?

Answer 12

• sn: limit Nmap to perform only host discovery and not port scanning
• PR: supports ARP scanning

Question 13

What is the password recovery & network discovery tool for windows called? It is used for ARP host discovery

Answer 13

Cain and Abel

Question 14

What is the command used for ARP scan to scan local network?

Answer 14

Sudo arp-scan -l
OR
Sudo arp-scan –localnet

Question 15

What is the disadvantage of using ARP for host discovery?

Answer 15

It only scans internal/local networks, therefore, it is impractical for scanning systems on a distant network.

how to fix?
We should use ICMP or TCP/UDP discovery for that.

Question 16

What is ICMP?

Answer 16

• Internet Control Message Protocol is an error reporting protocol, mostly used by network administrators for troubleshooting network connections.
• includes ping and traceroute
• note: it is rarely used by regular users

Question 17

How to check for live systems using ICMP?

Answer 17

Send ECHO request and if the host is alive it will send ECHO reply in return.

Question 18

What does the command Traceroute (Linux)/ Tracert (win) do?

Answer 18

used to identify the hops between you and your destination

Question 19

How to set the maximum number of hops to search using Tracert command? using what option?

Answer 19

-h
tracert -h [max number] [target]

ex:
tracert -h 2 www.google.com

Question 20

What does the option -PE in nmap do?

Answer 20

sends an ICMP ECHO request packet (type 8)

note: must be executed as root or else it will perform TCP pinging.

Question 21

What does the option -PP in nmap do?

Answer 21

sends ICMP timestamp message

Question 22

What is Hping3? and what it is used for?

Answer 22

a packet crafting tool that allows you to define any combination of flags, on any combination of packet types.

It is now shipped with nmap and called “nping”

used for?

• port scanning
• host discovery
• spoofing (MAC or IP or anything else)

Question 23

what is Superscan4?

Answer 23

it is a tool that sends out multiple ICMP ECHO requests in parallel and simply waits and listens for responses.

You can discover hidden hosts behind traditional firewalls using it.

Question 24

Why do pen testers perform TCP/UDP host discovery? and what is the downside?

Answer 24

If a web server is blocking ICMP requests (ping), they must have a port open for a client to connect to. Usually, TCP port 80 is open to accept HTTP traffic.

An attacker can probe port 80 and if there is a response it means that the host is alive, however, not all servers are web servers with TCP port 80 open so the attacker must blindly guess and probe several different ports. this takes time and is very noisy which is risky

Question 25

What does the option -Pn in nmap do? and in which situation it would be helpful?

Answer 25

-Pn ignores Host dicovery and only does port scanning. if the target doesn't have TCP port 80 open or the packets are dropped by the firewall, nmap considers the host as down. but we can use -Pn to query all nmaps port list by telling nmap to do only do a port scan ex: sudo nmap -Pn [ip]

Question 26

what does the following command do? Sudo nmap -Pn –sS -p 80 --open 192.168.1.1

Answer 26

Tells nmap to ignore host discovery and only do port scanning and only show results for hosts that have the TCP Port 80 open. And do TCP SYN scan (half open)

Question 27

What are the advantages of port scanning?

Answer 27

- identify TCP/UDP services running on the host - identify applications and versions of a service - identify type of OS of the target

Question 28

what are the TCP scan types?

Answer 28

1- TCP connect scan ( full open scan) 2-TCP SYN SCAN (half open scan) 3-TCP null scan

Question 29

Explain the three types of TCP scans? (Initial flag set,Open port response, Close port response,Communication with open port, Communication with close, nmap option)

Answer 29

see the table in slide 55 :)

Question 30

what does the option -sV in nmap do?

Answer 30

version detection

Question 31

what does the option -oN in nmap do?

Answer 31

out to a human-readable file

Question 32

what does the option -sU in nmap do?

Answer 32

does a UDP scan, very time-consuming in comparison to -sT (TCp connect scan)

Question 33

what does the option -sO in nmap do?

Answer 33

Does a protocol scan, where it sends raw IP packet without additional header info

Question 34

what does the option -O in nmap do?

Answer 34

Determine operating system type

Question 35

What are the IDS evasion techniques? and also mention their nmap option if there is one

Answer 35

1- use fragmented IP packets -f 2-spoof your IP address (decoy) -D 3-use source routing (change source port ) -g [port 80,53,20] 4-connect to proxy servers

Question 36

Which types of TCP scans that packet fragmentation & decoy scan (spoofing) doesn't work on?

Answer 36

1-TCP full scan (-sT) | 2-version detection (-sV)

Question 37

Explain the concept of source routing for IDS/firewall evasion?

Answer 37

it abuses misconfigured firewalls that allow traffic from certain ports ex: 80 (HTTP), 53(DNS), 20(FTP), therefore changing our source port will allow us to bypass firewall restrictions

Question 38

what is verbose mode?

Answer 38

an option available in many OSs that provides additional information as to what the computer is doing and what drivers and software it is loading during startup.

Question 39

how to define port range for hping3?

Answer 39

--scan 1-3000 (or any port range you want)

Question 40

what does -S represent?

Answer 40

TCP SYN request

Question 41

why would we add the option "--tcp-timestamp" when doing a scan?

Answer 41

because there are many firewalls that include a rule to that drops packets that don't have a timestamp, so this command appends a timestamp to your packet

Question 42

what is banner grabbing?

Answer 42

banner grabbing or OS fingerprinting is a method to determine the OS running on a remote target system

Question 43

explain the two types of banner grabbing:

Answer 43

1- Active Banner grabbing: send a specially crafted packet and take a note of the responses, then compare them with a database to determine the OS note: responses from different OS vary because of the differences in TCP/IP stack implementaction. 2-Passive Banner grabbing: -from error messages: they provide info ex: os type, the server type -sniffing network traffic: analyzing and capturing packets enable to determine OS -from page extensions: look for extension in the URL

Question 44

list and explain banner grabbing tools:

Answer 44

1- netcat : reads and writes data across network connections using TCP/IP protocol 2-telenet: probe HTTP servers to determine the server field in the HTTP response header

Question 45

list banner grabbing counter measures

Answer 45

``` 1- display false banners to misguide attacker 2- turn off unecessary services 3- use ServerMask 4-idk 5- idk see slide 22 in scanning part2 ```

Question 46

Explain ACK probe scanning

Answer 46

it is used to check if the system is filtered or not (firewall present or not). 1- send ACK 2- No response --> port filtered ( firewall is present) 1-send ACK 2-RST-----> port not filtered ( no firewall)

Question 47

Explain idle scan of an open port and of an closed port and of a filtered port

Answer 47

see slide 29 & 30 in scanning part 2 :)