CEHv11 | Module 3 | Scanning Networks

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

TCP Communication Flags: Set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag terminated.

FIN/Finish

What type of scan is this an example of? ___ ___ ____ ____ Advantages: Both the SYN and the ____ packet can be used to maximize the chances of bypassing the firewall. However, firewalls are mostly configured to block the SYN ping packets, as they are the most common pinging technique. In such cases, the ___ probe can be effectively used to bypass these firewall rule sets easily.

TCP ACK Ping Scan

___ ___ ____ ____ ___ ___ ____ is similar to TCP SYN ping, albeit with minor variations. ___ ___ ____ also uses the default port 80. In the ___ ___ ____ technique, the attackers send an empty ___ ___ packet to the target host directly. Since there is no prior connection between the attacker and the target host, after receiving the ACK packet, the target host responds with an RST flag to terminate the request. The reception of this RST packet at the attacker's end indicates that the host inactive. In Nmap, the -PA option is used to perform a ___ ___ ____ ____.

TCP ACK Ping Scan

URG, ACK, PSH, RST, SYN, and FIN are what?

TCP Flags

Since ARP ping scan is the default ping scan within nmap, what command can we use to disable it and use another scan?

--disable-arp-ping

What flag can be used within hping3 to add a timestamp to a packet in an attempt to not have the packet dropped by a firewall?

--tcp-timestamp

What flag is used within hping3 to perform an ICMP scan?

-1/--icmp

What flag is used within hping3 to perform a UDP scan?

-2/--udp

What flag can be used within hping3 to perform a SYN scan?

-8/--scan

What flag is used within hping3 to perform an ACK scan?

-A

What flag within nmap can be used with an ICMP scan to change the number of pings in parallel?

-L

What flag within nmap can be used to initiate an ICMP scan?

-P

What flag, along with a list of IP addresses can perform an ICMP ECHO ping sweep within nmap?

-PE

What flag can be used within NMAP to perform an ICMP Address Mask Ping Scan?

-PM

What flag can be used with Nmap to perform an IP Protocol Ping Scan?

-PO

What flag can we use within NMAP to perform a ICMP Timestamp Ping Scan?

-PP

What flag can be used to perform a TCP SYN Ping Scan within Nmap? Port 80 is used as the default destination port. A range of ports can also be specified in this type of pinging format without inserting a space between -__ and the port number (e.g., __22-25,80,113,1050,35000), where the probe will be performed against each port parallelly.

-PS

What flag is used within hping3 to collect all TCP sequence numbers generated by a target?

-Q

What flag within nmap can be used with an ICMP scan to change the timeout of a ping request?

-T

What is the flag for an ARP scan within NMAP?

-sn

How many data bytes are in a packet when a ping is sent?

56

When a system pings, it sends a single packet across the network to a specific IP address. This packet contains __ bytes

64

How many bytes are for the protocol header information during a ping?

8

Three way handshake mechanism 3. The ___ confirms the arrival of the first SYN packet to the source.

ACK

TCP Communication Flags: Confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1", meaning the receiver should pay attention to it.

ACK/Acknowledgement

TCP Session Termination After communication is over the sender will initiate a connection termination request in either the form of a FIN or a RST packet. Upon receiving the request, the receiver will send a ___ packet, followed by a ____ packet. Answer format: ____/____

ACK/FIN

In the ___ ping scan, the ___ packets are sent for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls. Used to show the MAC address of the network interface on a device. As well as all devices sharing the same IP address on a network. As long the host IP with the respective hardware destination is active. When an attacker sends ___ request probes to the target host, if they receive any ___ response, then the host is live. Advantages: considered to be more efficient and accurate than other host discovery techniques Automatically handles ___ requests, retransmissions, and timeout at its own discretion Useful for system discovery, where you may need to scan large address spaces Can display the response time or latency of a device to an ___ packet

ARP

_____ __ ______ is an IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It pings each IP address to check if it is alive; then, it optionally resolves its hostname, determines the MAC address, scans ports, and so on. The amount of data gathered about each host increases with plugins. ______ __ ______has additional features, such as NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, and customizable openers. The tool allows the user to save the scanning results to CSV, TXT, XML, or IP-Port list files. To increase the scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address.

Angry IP Scanner

Three way handshake mechanism The ACK packet for the ACK/SYN packet transmitted by the destination Triggering an OPEN connection, thereby allowing commnication between the source and destination, which continues until one of them issues a ___ or ___ packet to close the connection Answer format ___/___

FIN/RST

is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. It allows attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC address as well as the name of the vendor/device manufacturer. It also allows attackers to perform network pinging and traceroute activities through specific ports such as SSH, FTP, NetBIOS, etc.

Fing

Considered the primary task in the network scanning process. Provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system.

Host Discovery

is another alternative to the traditional ICMP ECHO ping, where the attackers send an ICMP address mask query to the target host to acquire information related to the subnet mask. However, the address mask response from the destination host is conditional, and it may or may not respond with the appropriate subnet value depending on its configuration by the administrator at the target's end. This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping.

ICMP Address Mask Ping Scan

____ ____ ping scan involves sending ____ ____ requests to a host. If the host is alive, it will return an ____ ____ reply. This scan is useful for locating active devices or determining if ____ is passing through a firewall. Unix/Linux and BSD-based machines use ____ ____ scanning; the TCP/IP stack implementations in these OSs respond to the ____ ____ requests to the broadcast addresses. This technique does not work on Windows-based networks, as their TCP/IP stack implementation does not reply to ICMP probes directed at the broadcast address. Nmap uses the -P option to ____ scan the target. The user can also increase the number of pings in parallel using the -L option. It may also be useful to tweak the ping timeout value using the -T option.

ICMP ECHO

An ____ _____ is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts. Although a single ping will tell the user whether a specified host computer exists on the network, a ____ _____ consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply. ____ _____s are among the oldest and slowest methods used to scan a network. This utility is distributed across nearly all platforms, and it acts as a roll call for systems; a system that is active on the network answers the ping query that another system sends out. Attackers send probes to the broadcast or network address, which relays to all the host addresses in the subnet. The live systems will send the ICMP echo reply message to the source of the ICMP echo probe.

ICMP Sweep/ping sweep

an optional and additional type of ICMP ping whereby the attackers query a timestamp message to acquire the information related to the current time from the target host machine. The target machine responds with a timestamp reply to each timestamp query that is received. However, the response from the destination host is conditional, and it may or may not respond with the time value depending on its configuration by the administrator at the target's end generally used for time synchronization. Such a ping method is effective in identifying whether the destination host machine is active, specifically in the condition where the administrator blocks the traditional ICMP ECHO ping requests.

ICMP Timestamp Ping Scan

The latest host discovery option that sends __ ping packets with the IP header of any specified protocol number. It has the same format as the TCP and UDP ping. This technique tries to send different packets using different IP protocols, hoping to get a response indicating that a host is online. Multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4) are sent by default when no protocols are specified. For configuring the default protocols, change DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h during compile time. For specific protocols such as ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), the packets are to be sent with proper protocol headers, and for the remaining protocols, only the IP header data is to be sent with the packets. In a nutshell, attackers send different probe packets of different IP protocols to the target host; any response from any probe indicates that a host is online. In nmap, the -PO option is used to perform an __ ________ ____ ____

IP Protocol Ping Scan

for iOS, scans your local area network to determine the identity of all its active machines and Internet devices. It allows attackers to perform network scanning activities along with ping and port scans.

IP Scanner

An open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploits writers, and payload writers. A major advantage of the framework is the modular approach, i.e., allowing the combination of any exploit with any payload. It enables you to automate the process of discovery and exploitation and provides you with the necessary tools to perform the manual testing phase of a penetration test.

Metasploit

an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on. Attackers can find vulnerabilities and exposed ports in the target system. It helps the attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools).

NetScanTools Pro

Types of scanning The procedure for identifying active hosts, for either to attack or assess security _________ scanning

Network

is an Android mobile application that allows attackers to identify the active host in the range of possible addresses in a network. It also displays IP addresses, MAC addresses, host names, and vendor details of all the available devices in the network. This tool also allows attackers to port scan targets with specific port numbers

Network Scanner

TCP Communication Flags: When set to "1", indicates that the sender has raised the _____ operation to the receiver This implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the ____flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.

PSH/Push

Countermeasures for ____ _____ Some countermeasures for avoiding ping sweep are as follows: - Configure the firewall to detect and prevent ping sweep attempts instantaneously - Use intrusion detection systems and intrusion prevention systems such as Snort (https://www.snort.org) to detect and prevent ping sweep attempts - Carefully evaluate the type of ICMP traffic flowing through the enterprise networks - Terminate the connection with any host that is performing more than 10 ICMP ECHO requests - Use DMZ and allow only commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in DMZ Zone - Limit the ICMP traffic with Access Control Lists (ACLs) to your ISP's specific IP addresses

Ping Sweep

TCP Communication Flags: When there is an error in the current connection, this flag is set to "1" and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.

RST/Reset

Three way handshake mechanism: 1. Source sends a ___ packet to the destination

SYN

Three way handshake mechanism 2. On receiving the SYN packet, the destination responds by send a ___/___ packet back to the source.

SYN/ACK

TCP Communication Flags: SYN scanning, used for the gathering of illegal information from servers during enumeration revolves primarily around what 3 flags? Format: ____/____/____

SYN/ACK/RST

TCP Communication Flags: Notifies the transmission of a new sequence number. Generally represents the establishment of a connection (three-way handshake) between two hosts.

SYN/Syncronize

a host discovery technique for probing different ports to determine if the port is online and to check if it encounters any firewall rule sets. In this type of host discovery technique, an attacker uses the Nmap tool to initiate the three-way handshake by sending the empty TCP SYN flag to the target host. After receiving SYN, the target host acknowledges the receipt with an ACK flag. After reception of the ACK flag, the attacker confirms that the target host is active and terminates the connection by sending an RST flag to the target host machine (since his/her objective of host discovery is accomplished). Advantages: - As the machines can be scanned parallelly, the scan never gets the time-out error while waiting for the response. - ___ ___ ____ can be used to determine if the host is active without creating any connection. Hence, the logs are not recorded at the system or network level, enabling the attacker to leave no traces for detection.

TCP SYN Ping Scan

Maintains stateful connections for all connection-oriented protocols throughout the internet.

TCP/Transmission Control Protocol

___ ping scan is similar to TCP ping scan; however, in the ___ping scan, nmap sends ___ packets to the target host. The default port number used by nmap for ___ ping scan is 40,125. Attackers send ___ packets to the target host, and a ___response means that the target host is active. If the target host is offline or unreachable, various error messages such as host/network unreachable or TTL exceeded could be returned. Advantages: Detecting systems behind firewalls with strict TCP filtering, leaving the ___ traffic forgotten.

UDP

TCP Communication Flags: Instructs the system to process the data contained in the packets as soon as possible. When the system sets the flag to "1" priority is given to processing the ______ data first and all the other data processing is stopped.

URG/Urgent

Prioritizes connection establishment before data transfer between applications. This is possible via a three-way handshake. _____________ oriented

connection

First phase of hacking, in which the attacker gains primary information about a potential target. This information is then used in the scanning phase to gather more details about the target.

footprinting

command-line-oriented network scanning and packet crafting tool for TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. Can perform security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and more. Can handle fragmentation as well as arbitrary packet body and size which can be used to transfer encapsulated files under the supported protocols. Also supports idle host scanning. Ip spoofing, and network/host scanning can be used to perform an anonymous probe for services. Also has a Traceroute mode, which enables attackers to send files between covert channels. Can determine whether the host is up even when the host blocks ICMP packets. Its firewalk-like usage allows the discovery of open ports behind firewalls. Using this tool an attacker can study the behavior of an idle host and gain information about the target, such as the services the host offers, the ports supporting said services, and the OS of the target.

hping2/hping3

Security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a "map" of the network. To accomplish this task it sends specially crafted packets to the target host and then analyzes them. Includes TCP and UDP port scanning, OS detection, version detection, ping sweeps, and more.

nmap

Types of scanning: Lists open ports and services. Checks whether ports are in the listening state. On occasion a listening port will allow an unauthroized user to misconfigure systems or to run software with vulnerabilities ____ scanning

port

What is the term used for the time taken for a packet to make a complete trip?

round trip time

.Process of gathering additional detailed information about the target using various reconnaissance techniques. Refers to the procedures used to identify hosts, ports , and services on a network. Also refers to the discovery of active machines on a network and the identification of the OS running on the target machines. During this phase an attacker will attempt to gather as much information as possible. This includes, but not limited to: IP addresses accessible over the network, OS and architectures, ports, and services. Most important phase of an attack. Enabling an attacker to create a profile of the target organization Network __________

scanning

What would be the primary reason to choose hping over nmap?

stealth

"Hey Alice! I got something to tell you on port 21, are you there?" "I am here Bob, Lets talk on port 21!" "Word! Sounds good Alice!" What is going on here?

three way handshake

Types of scanning Method for checking whether a system is exploitable. _____________ scanning

vulnerability

A GUI for nmap

zenmap


Kaugnay na mga set ng pag-aaral

Chapter 27: Adults (Psych - Exam 4)

View Set

Chapter 11: Voting and Participation

View Set

Customer Service Mid course review

View Set

1.2.4 Review Quiz: Plate Boundary Types

View Set

5. Comptia A+ 1101: Configuring Network Addressing and Internet Connections.

View Set

Worksheet 29.2: Directors and Officers

View Set

Intro to Public Policy - MIDTERM

View Set

Essay 2: U Curve and W curve adjustment

View Set