Chapter 3 - Scanning


Passive banner grabbing

Reading error messages, sniffing network traffic, looking at page extensions

hping

- Command-line-oriented TCP/IP packet assembler/analyzer. Runs on Unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, macOS; a Windows port also exists.

Hping3 switches

- -1 sets ICMP mode
- -2 sets UDP mode
- -8 sets scan mode, expecting an argument for the ports to be scanned (e.g. -8 1-1024)
- -9 sets hping in listen mode, triggering when the given signature argument is seen in passing traffic
- --flood sends packets as fast as possible, without waiting to show incoming replies
- -Q collects the sequence numbers generated by the target host
- -F sets the FIN flag
- -S sets the SYN flag
- -R sets the RST flag
- -P sets the PSH flag
- -A sets the ACK flag
- -U sets the URG flag
- -X sets the X ("xmas") unused flag bit (0x40); an Nmap-style Xmas probe (FIN, PSH, URG) needs -F -P -U together

NMAP Switches

- -sS SYN scan or half-open scan
- -sT TCP connect scan (full three-way handshake)
- -sF FIN scan
- -sX Xmas scan (FIN, URG, PSH set)
- -sC run default scripts
- -sP ping scan, host discovery only (legacy spelling; now -sn)
- -sV version detection
- -sU UDP scan
- -sO IP protocol scan
- -O OS detection
- -sA ACK scan
- -sW Window scan
- -sR RPC scan (now an alias for -sV)
- -sL list scan
- -sI idle scan
- -b FTP bounce scan
- -P0 don't ping (legacy spelling; now -Pn)
- -PT TCP ping (legacy spelling)
- -PS SYN ping
- -PI ICMP echo ping (legacy spelling; now -PE)
- -PB both -PI and -PT
- -PP ICMP timestamp ping
- -PM ICMP netmask ping
- -oN normal output
- -oX XML output
- -oG grepable output
- -oA all three output formats at once
- -p specify ports or a port range (-p 1-2521); lowercase p, since -P is the ping family
- -T0 paranoid: serial, slowest
- -T1 sneaky: serial, slow
- -T2 polite: serial, slower than default
- -T3 normal: parallel, default speed
- -T4 aggressive: parallel, fast
- -T5 insane: fastest, least reliable

Scanning Methodology

1. Check for live systems - gives you a list of what is actually alive on the network subnet
2. Check for open ports - once you know the active IP addresses, find which ports they are listening on
3. Scan beyond the IDS - use evasion techniques (fragmentation, timing, decoys) so the scan is not flagged
4. Perform banner grabbing - tells you what operating system and services are on the machines
5. Scan for vulnerabilities
6. Draw network diagrams
7. Prepare proxies

Fragmenting Packets

1. Break packets apart before they are sent so the IDS cannot match a signature across the pieces.
2. e.g. splitting the TCP header across several IP fragments (Nmap -f) so the IDS sees only meaningless chatter.
3. A related TCP-level evasion is session splicing, which spreads the payload across many small segments; both defeat an IDS that does not reassemble before inspecting.

Nmap (GUI version Zenmap) (ping sweep)

A network utility designed to scan a network and map the hosts, ports and services on it. Primarily a port scanner; with its NSE scripts it is also used for basic vulnerability checks.

Netcat

A network utility program that reads from and writes to network connections.

Anonymizer

An intermediary Web site that hides or disguises the IP address associated with the Internet user. Generally, these sites allow a person to engage in various Internet activities without leaving an easily traceable digital footprint.

ping sweep tools

Angry IP Scanner, SolarWinds Engineer's Toolset, Network Ping, SuperScan

nbtstat command

Displays NetBIOS name-table information for IP-based networks (nbtstat -A <ip> queries a remote host). The 16th byte of each registered name is a suffix, and every name is either UNIQUE (one owner) or GROUP:
- <00> unique - Workstation Service (hostname)
- <00> group - domain or workgroup name
- <03> unique - Messenger Service
- <20> unique - Server Service (file sharing) running
- <1B> unique - domain master browser
- <1C> group - domain controllers for the domain
- <1D> unique - master browser for the subnet
- <1E> group - browser service elections
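Worked example, added here and not part of the original study set: a decoder for the name table inside a NetBIOS node status (NBSTAT) reply, the same data nbtstat -A prints. It follows the RFC 1002 layout (15 name bytes, one suffix byte, a 2-byte NAME_FLAGS word whose top bit marks a GROUP name). The reply bytes are constructed in the block for a hypothetical domain controller DC01 in domain CORP; the suffix meanings are the Microsoft ones listed above.

```python
"""Added example: decode the name table of a NetBIOS node status (NBSTAT) reply."""
import struct
from typing import Dict, List

# Suffix meanings as nbtstat prints them. The 16th byte of a NetBIOS name is
# the suffix; bit 15 of NAME_FLAGS marks a GROUP name (RFC 1002 section 4.2.18).
UNIQUE = {0x00: "Workstation Service (hostname)", 0x03: "Messenger Service",
          0x06: "RAS Server Service", 0x1B: "Domain Master Browser",
          0x1D: "Master Browser", 0x20: "File Server Service"}
GROUP = {0x00: "Domain or workgroup name", 0x01: "Master Browser (__MSBROWSE__)",
         0x1C: "Domain Controllers", 0x1E: "Browser Service Elections"}


def parse_name_table(data: bytes) -> List[Dict]:
    """data starts at NUM_NAMES; each NODE_NAME entry is 15 name bytes,
    1 suffix byte and a 2-byte NAME_FLAGS word (18 bytes total)."""
    count, off, names = data[0], 1, []
    for _ in range(count):
        raw, suffix = data[off:off + 15], data[off + 15]
        flags = struct.unpack("!H", data[off + 16:off + 18])[0]
        group = bool(flags & 0x8000)
        table = GROUP if group else UNIQUE
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(" "),
            "suffix": suffix,
            "type": "GROUP" if group else "UNIQUE",
            "meaning": table.get(suffix, "unknown suffix"),
        })
        off += 18
    return names


def format_like_nbtstat(names: List[Dict]) -> List[str]:
    """One line per name, in the layout of `nbtstat -A <ip>`."""
    return [f"{n['name']:<15} <{n['suffix']:02X}>  {n['type']:<7} Registered  {n['meaning']}"
            for n in names]


def domain_controllers(names: List[Dict]) -> List[str]:
    """Domains whose <1C> group name this host registered, i.e. domains it is a DC for."""
    return [n["name"] for n in names if n["type"] == "GROUP" and n["suffix"] == 0x1C]


def build_name_table(entries) -> bytes:
    """Pack (name, suffix, is_group) tuples into an NBSTAT name table (constructed test data)."""
    out = bytes([len(entries)])
    for name, suffix, is_group in entries:
        out += name.encode("ascii").ljust(15, b" ") + bytes([suffix])
        out += struct.pack("!H", 0x8000 if is_group else 0)  # other NAME_FLAGS bits left 0
    return out


# Constructed reply from a hypothetical domain controller DC01 in domain CORP
SAMPLE = build_name_table([
    ("DC01", 0x00, False), ("CORP", 0x00, True), ("CORP", 0x1C, True),
    ("DC01", 0x20, False), ("CORP", 0x1B, False), ("CORP", 0x1E, True),
])

if __name__ == "__main__":
    for line in format_like_nbtstat(parse_name_table(SAMPLE)):
        print(line)
    print("domain controller for:", domain_controllers(parse_name_table(SAMPLE)))
```

The <1C> test is the one that matters for enumeration: a host that has registered DOMAIN<1C> is a domain controller, while DOMAIN<1B> only says it is the domain master browser.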

mobile ip scan tools

IP Scanner, Fing, Hackode, zANTI, PortDroid Network Analysis

Active banner grabbing

Sending specially crafted packets to the system to guess the OS based on responses

UDP scan

Sends UDP datagrams to a target port. No reply means the port is open or filtered (Nmap reports open|filtered, because a filtered port is silent too); an ICMP Destination Unreachable with code 3 (port unreachable) means closed; other unreachable codes (1, 2, 9, 10, 13) mean filtered. A UDP reply confirms the port is open.

netstat -an (command)

Displays all TCP and UDP connections and listening ports (-a) in numeric form (-n), without resolving addresses or port names.

SMTP commands

- VRFY - validates a user (mailbox) name
- EXPN - provides the actual delivery addresses of mailing lists and aliases
- RCPT TO - defines the recipients of a message

Type 4: source quenched

Source Quench: a congestion-control message asking the sender to slow down; deprecated (RFC 6633) and ignored by modern hosts

Type 8: (echo request)

a ping message, requesting an echo reply

list scan

another option for identifying machines (including ones that were live at some time): Nmap -sL sends no packets to the targets, it simply lists every IP in the range and runs a reverse DNS lookup on each, so hosts with DNS entries stand out

Type 0: (echo reply)

answers to a type 8 echo request

XMAS

Christmas-tree scan, because the probe has several flags lit up at once: Nmap's -sX sets FIN, PSH and URG (some descriptions say all flags). Responses are read like the inverse TCP flag scan: no response = open or filtered, RST = closed

Limited Broadcast

sent to 255.255.255.255 and delivered to every system inside the local broadcast domain; routers do not forward it, so it never leaves the subnet

CurrPorts

displays a list of all currently opened TCP/IP and UDP ports on your local computer, including information about the process that opened the port, the process name, full path, version information, the time it was created, and the user who created it

Type 3: destination unreachable

error message indicating the host, network, protocol or port cannot be reached
- 0 - destination network unreachable
- 1 - destination host unreachable
- 2 - protocol unreachable
- 3 - port unreachable (the reply a UDP scan reads as "closed")
- 6 - destination network unknown
- 7 - destination host unknown
- 9 - network administratively prohibited
- 10 - host administratively prohibited
- 13 - communication administratively prohibited

Linux enumeration commands

- finger - provides information on the user and host machine
- rpcinfo and rpcclient - provide information on RPC services in the environment
- showmount - displays all the directories shared (exported) by the machine

SYN - TCP header flags

flag is set during initial communication establishment; indicates negotiation of parameters and initial sequence numbers

"netstat -b" Command

Windows; requires an elevated (administrator) prompt. Shows the executable tied to each open port or connection.

Rst (TCP flag)

forces a termination of communications

PSH (TCP flag)

forces the delivery of data without concern for any buffering

Open VAS

open-source vulnerability scanner that forked from Nessus when Nessus went closed-source in 2005; now maintained by Greenbone

proxies

attackers send commands and requests to the proxy and let the proxy relay them to the target, so the target sees and logs the proxy's address rather than the attacker's

simple hping sweep

hping3 -1 <ip address> (ICMP mode). hping3 probes a single destination, so to sweep a range loop over the addresses or use --rand-dest with a wildcard pattern such as 10.0.0.x

security ID (SID)

identifies user, group, and computer accounts and follows a specific format: an S, followed by a revision number (1), an identifier authority value (5 = NT Authority), one or more sub-authority values identifying the domain or computer, and finally the RID, e.g. S-1-5-21-<domain values>-500

URG (TCP flag)

indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example

The onion routing (Tor)

installs a small client on the machine, which fetches the list of Tor relays from a directory authority; the client then routes requests through a circuit of randomly chosen relays (guard, middle, exit) with layered encryption, so the destination sees only the exit relay and has very little means to trace the request back to its origin

banner grabbing

involves sending an unsolicited request to an open port to see what, if any, default message is returned; telnet or netcat can be used for this
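Worked example, added here and not part of the original study set: a banner grabber in Python that does what the telnet/netcat step does (connect, optionally send a probe, read the first bytes), plus a small banner parser that turns the reply into a service/product/version guess. Because the example has to run offline, it starts a stand-in server on 127.0.0.1 that hands out a constructed OpenSSH banner; the banner strings and regexes are illustrative, not an exhaustive signature database.

```python
"""Added example: grab a service banner over TCP and parse it, against a local stand-in server."""
import re
import socket
import threading
from typing import Dict, Optional

# Patterns for a few common banners (constructed for the example; real banners vary a lot)
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("ftp", re.compile(r"^220[ -].*?\((?P<product>vsFTPd) (?P<version>[\d.]+)\)")),
    ("smtp", re.compile(r"^220[ -](?P<host>\S+) ESMTP (?P<product>\w+)(?: \((?P<version>[^)]+)\))?")),
    ("http", re.compile(r"^HTTP/1\.[01] \d{3}.*?^Server: (?P<product>[^\r\n/]+)(?:/(?P<version>\S+))?",
                        re.S | re.M)),
]


def identify_banner(banner: str) -> Dict[str, Optional[str]]:
    """Guess service/product/version from a banner; unknown banners give service None."""
    for service, pat in BANNER_PATTERNS:
        m = pat.search(banner)
        if m:
            d = m.groupdict()
            return {"service": service, "product": d.get("product"), "version": d.get("version")}
    return {"service": None, "product": None, "version": None}


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe (e.g. b'HEAD / HTTP/1.0\\r\\n\\r\\n'), read what comes back.
    SSH, FTP and SMTP servers talk first, so an empty probe is the usual case."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            return s.recv(1024).decode("latin-1", "replace")
    except OSError:            # timeout, refused, reset: nothing to grab
        return ""


def serve_banner_once(banner: bytes) -> int:
    """Stand-in target on 127.0.0.1 that sends `banner` to the first client; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> Dict[str, Optional[str]]:
    """Grab and identify a constructed OpenSSH banner from the local stand-in server."""
    port = serve_banner_once(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n")
    return identify_banner(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    print(demo())
```

Against a real target you would call grab_banner(host, 22) or grab_banner(host, 80, b"HEAD / HTTP/1.0\r\n\r\n"); the timeout matters because a filtered port never answers, and the decode uses latin-1 so a binary protocol does not raise before you can look at the bytes.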

enumeration

listing the items we find within a specific target we create connections to a device, perform specific actions to ask specific questions, and then use the results to identify potential attack vectors

Proxy chains

multiple proxies further hide your activities

NetBIOS Enumeration

obtaining the list of computers that belong to a domain, the shares they offer and the services they run, using the NetBIOS name table (nbtstat, nbtscan, net view)

Stealth (Half-open) Scan (SYN scans)

only SYN packets are sent to the ports and the three-way handshake is never completed (the scanner answers a SYN/ACK with an RST), which keeps the probe out of application logs. Responses are the same as for a TCP connect scan: SYN/ACK = open, RST = closed, no response = filtered

resource identifier RID

the last sub-authority of the SID, identifying a specific user, group or computer within that domain or machine. RID 500 is the built-in Administrator account and 501 is Guest; RIDs below 1000 are reserved for built-in accounts and groups, and accounts created on the system start at 1000 and increment from that point
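Worked example, added here and not part of the original study set, covering both the SID and RID cards: a parser for SIDs in string form (S-1-5-21-...) and in the binary form found in Active Directory's objectSid and in security descriptors, with the RID pulled out and classified against the well-known values. The sample domain SID is constructed for the example.

```python
"""Added example: parse Windows SIDs (string and binary forms) and pull out the RID."""
import re
import struct
from typing import Dict

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known RIDs within a domain SID (S-1-5-21-...); everything below 1000 is reserved.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def parse_sid(sid: str) -> Dict:
    """Split S-<rev>-<authority>-<sub>...-<rid> into its fields."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid!r}")
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "subauthorities": subs, "rid": subs[-1]}


def classify_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return f"well-known: {WELL_KNOWN_RIDS[rid]}"
    if rid < 1000:
        return "reserved built-in RID (< 1000)"
    return "user-created account or group (RID >= 1000)"


def domain_part(sid: str) -> str:
    """Everything but the RID: the domain (or local machine) identifier."""
    return sid.rsplit("-", 1)[0]


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    little-endian uint32."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    return (bytes([p["revision"], len(subs)]) + p["authority"].to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(blob: bytes) -> str:
    """Inverse of sid_to_bytes, with a length check against truncated blobs."""
    rev, n = blob[0], blob[1]
    if len(blob) != 8 + 4 * n:
        raise ValueError("truncated or padded SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{n}I", blob[8:])
    return "S-" + "-".join(str(x) for x in (rev, authority, *subs))


if __name__ == "__main__":
    # Constructed domain SID for the example; 512 is the Domain Admins group
    sample = "S-1-5-21-1004336348-1177238915-682003330-512"
    info = parse_sid(sample)
    print(info, classify_rid(info["rid"]), sid_to_bytes(sample).hex())
```

When enumerating users, the trick is to take any SID you learn, keep domain_part() fixed, and walk the RID: 500 and 501 are always the Administrator and Guest accounts even if they have been renamed, and the first ordinary account created is usually 1000 or a little above.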

Scanning

process of discovering systems on the network and taking a look at what open ports and applications may be running

Superscan

provides ping sweeps and port scans against individual systems or entire subnets

full connect (TCP connect or full open scan)

runs through a full connection (three-way handshake) on each port, then tears it down with an RST. Open ports answer SYN/ACK; closed ports answer RST. Needs no raw-socket privilege, but the completed connection is visible to the application and its logs

Pinging the network address (ICMP echo scanning)

sending ICMP echo request packets to the network's broadcast address so that every host in the broadcast domain replies at once; this is known as "ICMP echo scanning". Most modern hosts and routers ignore broadcast pings (the basis of Smurf attacks), so a per-host ping sweep is more reliable

Active OS Fingerprinting

sends specially crafted packets to the remote OS and analyzes the received response.

directed broadcast

sent to all devices on a specific subnet using that subnet's broadcast address (e.g. 192.168.1.255 for 192.168.1.0/24); unlike a limited broadcast it can be routed, but routers normally drop directed broadcasts today

type 5: redirect

sent when there are two or more gateways available to the sender and the best route to the destination is not the configured default gateway
- 0 - redirect datagram for the network
- 1 - redirect datagram for the host

ACK (TCP flag)

set as an acknowledgement to SYN flags. this is set on all segments after the initial SYN flag

FIN (TCP flag)

signifies an ordered close to communications

Passive OS fingerprinting

sniffing packets without injecting any into the network and examining things like TTL (initial values of 64, 128 or 255 point to different OS families), TCP window size, the Don't Fragment (DF) bit and type of service

Source Routing Attacks

the source station specifies the route a packet should take across the Internet (IP loose/strict source routing options), in the hope that this bypasses security measures that do not analyze the source routing information; most routers and hosts now drop source-routed packets

Qualys FreeScan

tests websites and applications for OWASP Top 10 risks and malware

ACK flag probe

the attacker sends a probe with only the ACK flag set and inspects the returned header to determine port status:
- filtering check - an RST back means the port is unfiltered (the probe reached the host); no response, or an ICMP unreachable, means a stateful firewall sits between the attacker and the host (Nmap -sA)
- TTL version - compare the TTL of the RST returned from each port; on the old stacks this was written for, an RST from an open port carried a lower TTL than RSTs from closed ports ("less than 64" in the classic description)
- window version - an RST whose WINDOW field is anything other than 0 indicates an open port, a window of 0 a closed one (Nmap -sW)
Both the TTL and window variants rely on quirks of a few old TCP stacks and return no information on most modern systems

type 11: time exceeded

the packet took too long to be routed to the destination (code 0 is TTL exceeded in transit, code 1 is fragment reassembly time exceeded)
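Worked example, added here and not part of the original study set, covering the ICMP cards on this page (types 0, 3, 4, 5, 8 and 11): it builds the type 8 echo request that hping3 -1 and a ping sweep send, with a correct RFC 1071 checksum, decodes replies and names their type/code, and states what a scanner concludes from each error. The Destination Unreachable packet is constructed inline for the demonstration.

```python
"""Added example: build an ICMP echo request and decode ICMP error replies (RFC 792)."""
import struct
from typing import Dict

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              4: "Source Quench (deprecated by RFC 6633)", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 6: "Destination Network Unknown",
        7: "Destination Host Unknown", 9: "Network Administratively Prohibited",
        10: "Host Administratively Prohibited", 13: "Communication Administratively Prohibited"},
    5: {0: "Redirect Datagram for the Network", 1: "Redirect Datagram for the Host"},
    11: {0: "TTL Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type 8 code 0 with a correct checksum: the probe behind `hping3 -1` and a ping sweep."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> Dict:
    """Decode type/code, verify the checksum, and name the message."""
    typ, code, _csum, rest = struct.unpack("!BBHI", pkt[:8])
    return {"type": typ, "code": code,
            "name": ICMP_TYPES.get(typ, f"type {typ}"),
            "detail": CODES.get(typ, {}).get(code),
            "checksum_ok": checksum(pkt) == 0,   # a valid packet sums to 0xFFFF, so ~sum == 0
            "rest_of_header": rest, "payload": pkt[8:]}


def scan_meaning(typ: int, code: int) -> str:
    """What a scanner concludes when this ICMP error comes back instead of a reply."""
    if typ == 3 and code == 3:
        return "UDP port closed"
    if typ == 3 and code in (1, 2, 9, 10, 13):
        return "port filtered (firewall/ACL)"
    if typ == 11:
        return "TTL expired en route: hop reached, target not"
    return "no port-state information"


def build_unreachable(code: int, original: bytes) -> bytes:
    """Constructed type-3 error quoting the offending datagram's IP header + 8 bytes (test data)."""
    header = struct.pack("!BBHI", 3, code, 0, 0)
    body = original[:28]
    csum = checksum(header + body)
    return struct.pack("!BBHI", 3, code, csum, 0) + body


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1, b"ping")
    print(parse_icmp(req))
    err = build_unreachable(3, b"\x45" + b"\x00" * 27)     # constructed port-unreachable
    info = parse_icmp(err)
    print(info["name"], "/", info["detail"], "->", scan_meaning(info["type"], info["code"]))
```

Sending the built packet requires a raw socket (root/Administrator), which is why hping3 and nmap need privileges for ICMP-mode probes; decoding works on any captured bytes.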

Colasoft's packet builder

this (and other packet builders) can be used to craft fragmented packets to bypass an IDS in the target network. It has three views:
1. packet list - displays all constructed packets
2. decode editor - allows you to edit packet fields
3. hex editor - displays the packet in hex for byte-level editing

IPv4 three main address types

- unicast - acted on by a single recipient
- multicast - acted on only by members of a specific group
- broadcast - acted on by everyone in the network

Inverse TCP Flag Scanning

uses the FIN, URG, or PSH flag (or no flags at all, the NULL scan) to poke at system ports. Port open (or filtered) - no response; port closed - an RST/ACK response. Works because RFC 793 stacks drop such packets to an open port silently; Windows answers RST regardless, so the scan tells nothing there

IDLE

uses an idle "zombie" host as the apparent source: the attacker sends SYN probes to the target with the zombie's spoofed IP address, then probes the zombie and watches its IP ID counter. If the counter advanced by an extra step, the target answered the zombie with a SYN/ACK (open port) and the zombie replied with an RST. Port states follow the SYN scan rules, but the attacker's own address never reaches the target (Nmap -sI)

scan type defined by

- what flags are set in the packets before delivery
- what responses you expect from open, closed and filtered ports
- how stealthily the scan works
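Worked example, added here and not part of the original study set, tying together the scan-type cards above (SYN, connect, FIN/Xmas/NULL, ACK, window, UDP and the passive TTL fingerprint): a parser for a raw IPv4+TCP reply and a classifier that maps the flags that come back, or the absence of a reply, to the port state each scan type reports (Nmap's names are used). The replies are constructed in the block; in practice they would come from a packet capture.

```python
"""Added example: interpret scan replies from raw IPv4/TCP headers."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bits in the low byte of the data-offset/flags word (RFC 9293)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG            # the flag set Nmap's -sX sends


@dataclass
class TcpReply:
    sport: int
    dport: int
    flags: int
    window: int
    ttl: int                      # from the enclosing IPv4 header
    df: bool                      # IPv4 Don't Fragment bit


def parse_ipv4_tcp(pkt: bytes) -> TcpReply:
    """Parse an IPv4 header and the 20-byte TCP header that follows it."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    return TcpReply(sport, dport, off_flags & 0x01FF, window, ttl, bool(flags_frag & 0x4000))


def classify(scan: str, reply: Optional[TcpReply] = None,
             icmp: Optional[Tuple[int, int]] = None, udp_reply: bool = False) -> str:
    """Port state for one probe. scan: 'syn' | 'connect' | 'fin' | 'xmas' | 'null' | 'ack' | 'udp'.
    reply is the TCP reply (None if nothing came back); icmp is the (type, code) of an
    ICMP error returned instead; udp_reply says whether a UDP datagram came back."""
    if icmp is not None:
        t, c = icmp
        if scan == "udp" and (t, c) == (3, 3):
            return "closed"                   # port unreachable: nothing is listening
        if t == 3 and c in (1, 2, 3, 9, 10, 13):
            return "filtered"                 # host/admin prohibited and friends
    if scan == "udp":
        return "open" if udp_reply else "open|filtered"
    if scan in ("syn", "connect"):
        if reply is None:
            return "filtered"
        if reply.flags & SYN and reply.flags & ACK:
            return "open"
        return "closed" if reply.flags & RST else "filtered"
    if scan in ("fin", "xmas", "null"):       # inverse TCP flag scans
        if reply is not None and reply.flags & RST:
            return "closed"
        return "open|filtered"                # RFC 793 stacks stay silent on open ports
    if scan == "ack":
        if reply is not None and reply.flags & RST:
            return "unfiltered"               # the probe reached the host
        return "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def window_scan(reply: Optional[TcpReply]) -> str:
    """Nmap -sW: on a few old stacks an RST from an open port carries a non-zero window."""
    if reply is None or not reply.flags & RST:
        return "filtered"
    return "open" if reply.window else "closed"


def passive_os_guess(reply: TcpReply) -> str:
    """Coarse OS family from the reply's TTL, rounded up to the nearest common initial value."""
    initial = next(t for t in (32, 64, 128, 255) if reply.ttl <= t)
    return {32: "old Windows (9x)", 64: "Linux/BSD/macOS",
            128: "Windows", 255: "Solaris/AIX or network device"}[initial]


def make_reply(flags: int, window: int = 65535, ttl: int = 64, df: bool = True) -> bytes:
    """Constructed IPv4+TCP reply from 10.0.0.5:80 to 10.0.0.9:40000 (test data, checksums 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 0, 1, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    r = parse_ipv4_tcp(make_reply(SYN | ACK, ttl=128))
    print(classify("syn", r), passive_os_guess(r), classify("fin"), classify("udp", icmp=(3, 3)))
```

The same reply means different things to different scans: an RST is "closed" for a SYN or FIN probe but "unfiltered" for an ACK probe, and silence is "filtered" for a SYN probe but only "open|filtered" for FIN/Xmas/NULL and UDP, which is why those scans cannot prove a port is open on their own.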

