5.1 Scanning Overview


How do open ports respond and how do closed ports respond?

Open port: SYN/ACK. Closed port: RST flag, ending the attempt.

What is a banner?

A banner is the snippet of information that a service returns to the requestor to give information about itself.

How does the three-way handshake happen when two computers are trying to connect?

Computer 1 sends a SYN packet to Computer 2. Computer 2 receives the packet and sends a SYN/ACK packet to Computer 1. Computer 1 receives the SYN/ACK packet and replies back with an ACK packet, and the connection is complete.

TCP packets have flag indicators. What are two of them?

SYN: starts a connection between two systems. ACK: acknowledges that a packet has been received. (There are also PSH, FIN, and RST.)

What does a stealth scan, also known as a half-open scan, do?

Sends a SYN packet to a port. The three-way handshake doesn't occur because the original system doesn't reply with the final ACK. At this point, you've discovered an open port. But because an ACK packet wasn't sent, a connection wasn't actually made, and there is no security log.

True or False: A ping sweep can be used to scan a range of IPs looking for live systems.

True

True or False: In the Xmas tree scan, if you get an RST packet, you know the port is closed. If you don't get a response, the port may be open.

True

True or False: The scanning phase is where we get to figure out what the target has and how much it's worth.

True

What can we determine during the scanning process?

We can determine which hosts are live, which ports are open, which operating systems are being used, what services or processes are running, what patches have been implemented, and whether or not firewalls are in place.

What is an Xmas tree scan?

It gets its name because all of the flags are turned on, and the packet is basically lit up like a Christmas tree. The recipient has no idea what to do with this packet, so it's either ignored or dropped.

What is idle scanning?

The hacker finds another system to take the blame. This machine is known as a zombie machine. The scan directs all requests through the zombie machine. If that zombie machine is flagged, the hacker can simply create another zombie machine and continue working.

Wardialing uses a modem to scan by dialing a large block of phone numbers and attempts to ______. If the scan gets a response, it accepts the connection, and you _______.

locate other systems connected to a modem ... and you have an access point into the network.

After you have found a live system, what do you perform to find a way in?

Perform a port scan; the most common tool used for port scans is nmap!

What is one of the most common network scanning methods?

Ping; it sends an ICMP message from one system to another.

If the port is open, you'll receive a banner response. These banners can include some interesting information about the target system, including...

software type, software version, services, patches, and the last modification date.

What is a downside of doing a full open scan with a full three-way handshake on all ports?

Somebody will know you were there!

What is the tool of choice for banner grabbing?

Telnet, and it operates on port 23!

True or False: TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection with a system port.

True

True or false: Banner grabbing is another common method for obtaining information about a system.

True

What are modems used for nowadays?

They are used for fax machines, multi-purpose copiers, and as a backup for high-speed internet.

What are network scans used for?

They are used to find live computers on a network.

When does a three-way handshake occur?

When you're trying to use TCP to connect to a port.

Is it true that many administrators block pings at the firewall or are set to receive ping alerts from their intrusion detection systems?

Yes

How can you find out what operating system is running on the target machine?

You can figure it out by reviewing packet information. Look into the various TTLs and window sizes to help you determine the OS in use.

OS: Initial TTL, Window size
Linux: 64, 5840
Server 2008: 128, 8192
Cisco rtr (12.4): 255, 4128

What happens if you type 'telnet' followed by an IP address?

You'll send TCP packets to the destination port 23. However, by tacking a port number onto the end of the same command, you can check for other openings.

