Scanning and Enumeration Flashcards

(138 cards)

1
Q

Scanning

A

Process of discovering systems on the network and taking a look at what open ports and applications may be running.

2
Q

Transport Layer functions

A

At Layer 4 of the OSI, end-to-end delivery, segment order, reliability and flow control, TCP flags and port numbering.

3
Q

Connectionless Communication

A

The sender doesn’t care whether the recipient has the bandwidth to accept the message and doesn’t care if the recipient gets the message. Fire and forget method. Faster way of sending datagrams. Accomplished with UDP. Low overhead, simple and fast transport protocol. Normally small amounts of data are moved.

4
Q

Protocols that use UDP

A

TFTP, DNS lookups, and DHCP

5
Q

Connection-Oriented Communication

A

Uses TCP. Requires more overhead than UDP. Slower than connectionless. Orderly data exchange and deals with larger data transfers. Senders reach out to recipients to ensure their availability and continue to communicate to manage the flow of data. If overwhelmed or if data gets lost, the recipient can request a slow-down or retransmission. Uses a three-way handshake of SYN, SYN-ACK, ACK packets.

6
Q

UDP datagram structure

A

Header fields are 16 bits each: Source Port, Destination Port, Length, Checksum, followed by Data.

7
Q

TCP header flags - SYN flag

A

Synchronize - negotiation of parameters and sequence numbers

8
Q

TCP header flags - ACK flag

A

Acknowledgment - set as an acknowledgment to a SYN flag. Set on all segments after the initial SYN flag.

9
Q

TCP header flags - RST flag

A

Reset - Forces a termination of communications in both directions.

10
Q

TCP header flags - FIN flag

A

Finish - Signifies an ordered close to communication.

11
Q

TCP header flags - PSH flag

A

Push - Forces the delivery of data without concern for buffering. The sender does not wait to fill up the buffer to send and the receiving device does not wait for the buffer to fill up before processing the data.

12
Q

TCP header flags - URG flag

A

Urgent - Indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example.

13
Q

Sequence Numbering

A

A sends to B
A-SYN - My Sequence # A
B-SYN/ACK - A Sequence # + 1 AND My Sequence # B
A-ACK - B Sequence # + 1 AND A Sequence #

14
Q

Packet Crafting Tools

A

Netscan,
Ostinato,
WAN Killer,
Packeth,
LAN Forge Fire,
Colasoft.
Can also be used to create fragmented packets to bypass an IDS.

15
Q

Colasoft Packet Builder Views

A

Packet List,
Decode Editor to edit packets,
and Hex Editor for hex editing

16
Q

Well Known Ports

A

0 - 1023

17
Q

Registered Ports

A

1024 - 49,151

18
Q

Dynamic Ports

A

49,152 - 65,535 AKA ephemeral ports

19
Q

FTP Ports

A

20, 21 TCP

20
Q

SSH Port

A

22 TCP

21
Q

Telnet Port

A

23 TCP

22
Q

SMTP Port

A

25 TCP

23
Q

DNS Port

A

53 TCP and UDP

24
Q

DHCP Port

A

67 UDP for server and 68 UDP for client

25
TFTP Port
69 UDP
26
HTTP Port
80 TCP
27
POP3 Port
110 TCP
28
RPC Port
135 TCP
29
NETBIOS Ports
UDP port 137 (name services), UDP port 138 (datagram services), TCP port 139 (session services)
30
IMAP Port
143 TCP
31
SNMP Ports
161 UDP, 162 UDP (SNMPTRAP)
32
LDAP Port
389 TCP and UDP
33
HTTPS Port
443 TCP
34
SMB Port
445 TCP
35
Internet Printing Protocol (IPP) Port
631
36
BGP Port
179
37
Syslog Port
514
38
Listening State
Waiting for a connection.
39
Established State
Connected to a remote computer.
40
CurrPorts Tool
Displays all currently opened TCP and UDP ports
41
CLOSE_WAIT State
The remote side has closed the connection.
42
TIME_WAIT State
Your side has closed the connection
43
NETSTAT -an
Displays all connections and listening ports
44
NETSTAT -b
Can see the executable associated with a port
45
All bits in the host field of an IP address are binary 1s
Broadcast address
46
All bits in the host field of an IP address are binary 0s
Network address
47
Any other combination of host bits not all 1s or 0s
Usable IP address
48
IP address AND with SUBNET Mask equals
The network address
49
Limited broadcast address
255.255.255.255 or MAC: FF:FF:FF:FF:FF:FF - routers drop these
50
Subnet broadcast address
Routers may or may not process them
51
Routed protocol
IPV4 and IPV6
52
Routing protocols
BGP, OSPF, RIP
53
Scanning Steps
1. Check for live systems
2. Check for open ports
3. Scan beyond IDS
4. Perform banner grabbing and OS fingerprinting
5. Scan for vulnerabilities
6. Draw network diagrams
7. Prepare proxies
54
Check for live systems
Normally done using ICMP
55
ICMP Message Type 0
0:Echo Reply - Answer to a Type 8 Echo Request
56
ICMP Message Type 3
3: Destination Unreachable. Error codes:
0 - Destination Network Unreachable
1 - Destination Host Unreachable
6 - Network Unknown
7 - Host Unknown
9 - Network Administratively Prohibited
10 - Host Administratively Prohibited
13 - Communication Administratively Prohibited (typically from a poorly configured firewall)
57
ICMP Message Type 4
4:Source Quench: A congestion control message
58
ICMP Message Type 5
5: Redirect. Sent when there are two or more gateways available for the sender to use and the best route available to the destination is not the configured default gateway. Codes:
0 - Redirect datagram for the network
1 - Redirect datagram for the host
59
ICMP Message Type 8
8:Echo Request: A ping message requesting an echo reply
60
ICMP Message Type 11
11: Time Exceeded: The packet took too long to be routed to the destination (code 0 is TTL expired)
61
Ping Sweep
Pinging every address in a given network range. Easiest method to detect hosts on a network.
62
ICMP echo scanning
Pinging of the network ID instead of a host
63
Ping Sweep Tools
NMAP, Angry IP Scanner, Solarwinds Engineer Toolset, Network Ping, OpUtils, Superscan, Advanced IP Scanner, Pinkie
64
Full Connect Port Scan
Also known as a TCP connect or full open scan - uses a full TCP three-way handshake and sends a RST at the end. Easiest to detect but also the most reliable. Open ports respond with a SYN/ACK and closed ports with a RST/ACK. NMAP -sT target
65
Stealth Port Scan
Also known as a half-open scan (and also as a SYN scan). Only SYN packets are sent to ports and the three-way handshake is not completed. Useful when trying to bypass firewalls and IDS by hiding as normal traffic. NMAP -sS target. The response is the same as for a Full Connect scan.
66
Inverse TCP Scan
Uses the FIN, URG, or PSH flag or no flags at all to poke at system ports. If the port is open, there will be no response at all. If the port is closed, RST/ACK will be seen in response. Inverse TCP flag scanning is known as FIN, URG, PSH scanning based on the flag set in the probe packet. If there is no flag set, it is known as null scanning. NMAP -sN target does a NULL scan where no flags are set. NMAP -sF target sets just the FIN flag. The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though—most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.
67
XMAS Scan
All flags are turned on and response is the same as that of an inverse TCP scan. Does not work against Microsoft Windows machines because Windows is not RFC 793 compliant. NMAP -sX target
68
ACK Flag Probe
Two versions - send an ACK flag and look at the return header (TTL or Window fields) to determine the port status. In the TTL version, if the TTL of the returned RST packet is less than 64, the port is open. If the Window size on the RST packet has anything other than zero the port is open. ACK flag probes can also be used to check filtering at the remote end. If the ACK is sent and there is no response, this indicates a stateful firewall is between an attacker and a host. If an RST comes back, there is not. NMAP -sA target
69
IDLE Scan
This uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan. NMAP -sI zombie target. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows the scan to be bounced off a dumb “zombie host”. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits discovery of IP-based trust relationships between machines.
70
Fast vs Slow Scan
The slower the scan, the less likely you are to be discovered.
71
List Scan
Performs a DNS reverse lookup for PTR records of an IP range. NMAP -sL target.
72
Protocol Scan
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. NMAP -sO target
73
ARP Ping Scan
Sends out ARP requests to the IP range. NMAP -sP. Can force it to use ICMP instead with --disable-arp-ping
74
RPC Scan
Network exploration tool and security / port scanner, -sR (RPC scan). This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers). NMAP -sR target
75
TCP Window Scan
Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window value of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. NMAP -sW target
76
NMAP Ping Options
-PI ICMP ping
-P0 no ping
-PS SYN ping
-PT TCP ping
77
NMAP Output Options
-oN normal output
-oX XML output
78
NMAP Timing Options
-T0 Serial, slowest scan
-T1 Serial, slowest scan
-T2 Serial, normal speed
-T3 Parallel, normal speed scan
-T4 Parallel, fast scan
79
NMAP switch categories
-s type of scan
-P ping sweep options
-o output format
-T speed and stealth
80
NMAP -A
Enables OS detection, version detection, script scanning and traceroute
81
Fingerprinting
Port sweeping and enumeration
82
NetScanToolsPro
Suite of tools:
1. Active Directory and Diagnostics Tools
2. Passive Discovery Tools
3. DNS Tools
4. Local Computer and General Information Tools
83
HPING and HPING3
Can do most of what NMAP does and is a packet crafter as well
84
HPING3 -1 target
ICMP mode. Does an ICMP ping sweep
85
HPING3 -2 target
UDP mode
86
HPING3 -8 portrange
Define a port range to scan. HPING3 -8 20-100 (scans ports 20 - 100)
87
HPING3 -9 Protocol
Sets HPING in listen mode. HPING3 -9 HTTP -I eth0
88
HPING3 --flood
Will send packets as fast as possible without taking care to show incoming replies.
89
HPING3 -F
Sets the FIN flag
90
HPING3 -S
Sets the SYN flag
91
HPING3 -R
Sets the RST flag
92
HPING3 -P
Sets the PSH flag
93
HPING3 -A
Sets the ACK flag
94
HPING3 -U
Sets the URG flag
95
HPING3 -X
Sets the XMAS scan flags
96
Other network scanning tools
Advanced Port Scanner, MegaPing, Net Tools, PRTG Network Monitor
97
Mobile scanning tools
IP scanner, Fing, Hackode, zANTi, PortDroid Network Analysis
98
NMAP -sS -A -f 192.168.1.1
Fragment a SYN scan to evade IDS detection
99
IP spoofing tools
HPING, Scapy, Komodia, Ettercap, Cain
100
Source route attack
Source routing is basically an option in IP (layer 3) where a packet can instruct a gateway which hops to send the packet to. It's like the client deciding which route the packets should take. This is of course bad, because if the client (let's say he's a hacker) decides on the path, then he can route all traffic to some listening box, doing all sorts of things to the traffic passing through it. It also means that the hacker can make an attack seem as if it's originating from another PC, or even “bounce” an attack. For example, let's say you have a business CompanyA, which is very well protected. But CompanyA is partners with CompanyB and they have VPNs running to and from each other. CompanyB is not very well protected. If a hacker compromises CompanyB, he / she can use source routed packets to attack CompanyA by traversing through CompanyB. Most modern routers drop source routed packets.
101
IP Address Decoy
Obfuscate the real source of a network scan by hiding it among multiple decoy addresses, making it look like the decoys are scanning too. NMAP -D RND:10 target generates a number of decoys and randomly places the real source IP among them. You can also specify the exact decoy IPs with NMAP: NMAP -D decoyIP1,decoyIP2,... target
102
Use of proxies when scanning
Hide your scan behind a proxy or chain of proxies to avoid detection
103
Proxy Chain tools
Proxy Switcher, Proxy Workbench, Proxy Chains, Proxy Chain Builder, CyberHost and Proxifier
104
Proxy for mobile phones
ProxyDroid, Servers Ultimate, Netshade, ShadowSocks
105
Anonymizer
A web proxy like Guardster, UltraSurf, Psiphon, Tails
106
G-Zapper
Tool used to remove Google-deposited cookies.
107
Vulnerability Scanning
Running a tool against a target to see what vulnerabilities it has. RetinaCS, Microsoft Baseline Security Analyzer, NESSUS, Nexpose, GFI LanGuard, Qualys FreeScan, OpenVAS
108
Vulnerability scanners that test the OWASP Top Ten vulnerabilities
Qualys FreeScan and OpenVAS
109
Enumeration
Active information gathering that involves creating a connection to a device, performing specific actions to query the device, and using the results to identify potential attack vectors.
110
Security Context
Defines a user identity and authentication information.
111
Microsoft Security Identifier (SID)
Identifies user, group and computer accounts. Composed of the letter S, followed by a revision number, an authority value, a domain or computer indicator and a RID. RIDs start at 500 (Administrator); user-created accounts start at 1000.
112
Linux UID and GID
The User ID and Group ID found in /etc/passwd
113
Where Windows passwords are stored on a local computer
c:\windows\system32\Config\SAM (encrypted)
114
Linux enumeration commands
finger (user and host machine), rpcinfo and rpcclient (RPC information), showmount (shared directories)
115
Banner Grabbing
Part of the enumeration process. Sending an unsolicited request to an open port; the returned banner (HTTP header, error message, login message) can indicate a potential vulnerability.
116
Active Banner Grabbing
Sending specially crafted packets to remote systems and comparing responses to determine the OS. Telnet to a specific port. Netcat (nc) can also be used to banner grab a specific port. nc target port
117
Passive Banner Grabbing
Reading error messages, sniffing network traffic or looking at page extensions.
118
Windows Systems Enumeration
NETBIOS enumeration
119
NETBIOS Name
16 Character ASCII string used to identify network devices
120
NBTSTAT
Command line tool that can be used to perform NETBIOS enumeration. NBTSTAT -n for the local NETBIOS table, NBTSTAT -A IpAddress for a remote table, NBTSTAT -c for the local NETBIOS cache.
121
NETBIOS Code Types
<1B> Domain Master Browser
<1C> Domain Controller
<1D> Master Browser for the Subnet
<00> Hostname
<00> DomainName
<03> Service running on the system
<20> Server running on the system
122
NETBIOS enumeration limitation
NETBIOS does not work on IPV6
123
NETBIOS enumeration tools
SuperScan, Hyena, Winfingerprint, NETBIOS enumerator, NSAuditor
124
SNMP components
SNMP Manager, SNMP agent, Management Information Base (MIB)
125
SNMP Management Information Base (MIB)
Database that holds SNMP queryable information arranged by object identifiers (OIDs)
126
SNMP commands
SNMP GET - retrieve information | SNMP SET - write information
127
Types of SNMP Managed Objects
Scalar - defines a single object | Tabular - defines multiple related objects that can be grouped together in MIB tables
128
SNMP security
Based on community strings. Default ReadOnly community string is "public"; default ReadWrite community string is "private".
129
SNMPV3 advantage over previous versions
Supports encryption, authentication and message integrity similar to how NTPV3 does the same for Network Time Protocol. Previous versions stored and sent community strings in plain text.
130
SNMP enumeration tools
Solarwinds Engineers Toolkit (SET), SNMPScanner, OpUtils5, SNScan
131
LDAP enumeration
LDAP defaults to connecting to a Directory Service Agent on port 389. Answers come back encoded using Basic Encoding Rules (BER)
132
LDAP enumeration tools
Softerra, JXplorer, Lex, LDAP Admin Tool, Active Directory Explorer
133
NTP enumeration
NTP works on port 123. Querying an NTP Server can give you information such as a list of the systems connected to the server.
134
NTP enumeration tools
NTP Server Scanning, Atomsync, ntptrace, ntpdc, ntpq
135
SMTP enumeration commands
VRFY - validates users
EXPN - provides the actual delivery addresses of mailing lists and aliases
RCPT TO - defines recipients
136
CIFS
Successor to SMB. CIFS is the primary protocol used by Windows systems for file sharing. CIFS uses UDP ports 137 and 138, and TCP ports 139 and 445.
137
Active OS Fingerprinting
Sending crafted, nonstandard packets to a remote host and analyzing the replies.
138
Passive OS Fingerprinting
Sniffing packets without injecting any packets into the network, examining TTL, window sizes, Don't Fragment flags and Type of Service (ToS) fields from the capture.