CEHv11 | Module 3 | Scanning Networks
TCP Communication Flags: Set to "1" to announce that no more transmissions will be sent to the remote system, and the connection established by the SYN flag is terminated.
FIN/Finish
What type of scan is this an example of? ___ ___ ____ ____ Advantages: Both the SYN and the ____ packet can be used to maximize the chances of bypassing the firewall. However, firewalls are mostly configured to block the SYN ping packets, as they are the most common pinging technique. In such cases, the ___ probe can be effectively used to bypass these firewall rule sets easily.
TCP ACK Ping Scan
___ ___ ____ ____ ___ ___ ____ is similar to TCP SYN ping, albeit with minor variations. ___ ___ ____ also uses the default port 80. In the ___ ___ ____ technique, the attackers send an empty ___ ___ packet to the target host directly. Since there is no prior connection between the attacker and the target host, after receiving the ACK packet, the target host responds with an RST flag to terminate the request. The reception of this RST packet at the attacker's end indicates that the host is active. In Nmap, the -PA option is used to perform a ___ ___ ____ ____.
TCP ACK Ping Scan
URG, ACK, PSH, RST, SYN, and FIN are what?
TCP Flags
Since ARP ping scan is the default ping scan within nmap, what command can we use to disable it and use another scan?
--disable-arp-ping
What flag can be used within hping3 to add a timestamp to a packet in an attempt to not have the packet dropped by a firewall?
--tcp-timestamp
What flag is used within hping3 to perform an ICMP scan?
-1/--icmp
What flag is used within hping3 to perform a UDP scan?
-2/--udp
What flag can be used within hping3 to perform a SYN scan?
-8/--scan
What flag is used within hping3 to perform an ACK scan?
-A
What flag within nmap can be used with an ICMP scan to change the number of pings in parallel?
-L
What flag within nmap can be used to initiate an ICMP scan?
-P
What flag, along with a list of IP addresses can perform an ICMP ECHO ping sweep within nmap?
-PE
What flag can be used within NMAP to perform an ICMP Address Mask Ping Scan?
-PM
What flag can be used with Nmap to perform an IP Protocol Ping Scan?
-PO
What flag can we use within NMAP to perform a ICMP Timestamp Ping Scan?
-PP
What flag can be used to perform a TCP SYN Ping Scan within Nmap? Port 80 is used as the default destination port. A range of ports can also be specified in this type of pinging format without inserting a space between -__ and the port number (e.g., __22-25,80,113,1050,35000), where the probe will be performed against each port in parallel.
-PS
What flag is used within hping3 to collect all TCP sequence numbers generated by a target?
-Q
What flag within nmap can be used with an ICMP scan to change the timeout of a ping request?
-T
What is the flag for an ARP scan within NMAP?
-sn
How many data bytes are in a packet when a ping is sent?
56
When a system pings, it sends a single packet across the network to a specific IP address. This packet contains __ bytes.
64
How many bytes are for the protocol header information during a ping?
8
Three-way handshake mechanism: 3. The ___ confirms the arrival of the first SYN packet to the source.
ACK
TCP Communication Flags: Confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1", meaning the receiver should pay attention to it.
ACK/Acknowledgement
TCP Session Termination: After communication is over, the sender will initiate a connection termination request in the form of either a FIN or an RST packet. Upon receiving the request, the receiver will send a ___ packet, followed by a ____ packet. Answer format: ____/____
ACK/FIN
In the ___ ping scan, the ___ packets are sent for discovering all active devices in the IPv4 range, even though the presence of such devices is hidden by restrictive firewalls. Used to show the MAC address of the network interface on a device, as well as all devices sharing the same IP address on a network, as long as the host IP with the respective hardware destination is active. When an attacker sends ___ request probes to the target host, if they receive any ___ response, then the host is live. Advantages: - Considered to be more efficient and accurate than other host discovery techniques - Automatically handles ___ requests, retransmissions, and timeouts at its own discretion - Useful for system discovery, where you may need to scan large address spaces - Can display the response time or latency of a device to an ___ packet
ARP
_____ __ ______ is an IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It pings each IP address to check if it is alive; then, it optionally resolves its hostname, determines the MAC address, scans ports, and so on. The amount of data gathered about each host increases with plugins. ______ __ ______ has additional features, such as NetBIOS information (computer name, workgroup name, and currently logged-in Windows user), favorite IP address ranges, web server detection, and customizable openers. The tool allows the user to save the scanning results to CSV, TXT, XML, or IP-Port list files. To increase the scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address.
Angry IP Scanner
Three-way handshake mechanism: The ACK packet for the SYN/ACK packet transmitted by the destination triggers an OPEN connection, thereby allowing communication between the source and destination, which continues until one of them issues a ___ or ___ packet to close the connection. Answer format: ___/___
FIN/RST
is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. It allows attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC address as well as the name of the vendor/device manufacturer. It also allows attackers to perform network pinging and traceroute activities through specific ports such as SSH, FTP, NetBIOS, etc.
Fing
Considered the primary task in the network scanning process. Provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system.
Host Discovery
is another alternative to the traditional ICMP ECHO ping, where the attackers send an ICMP address mask query to the target host to acquire information related to the subnet mask. However, the address mask response from the destination host is conditional, and it may or may not respond with the appropriate subnet value depending on its configuration by the administrator at the target's end. This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping.
ICMP Address Mask Ping Scan
____ ____ ping scan involves sending ____ ____ requests to a host. If the host is alive, it will return an ____ ____ reply. This scan is useful for locating active devices or determining if ____ is passing through a firewall. Unix/Linux and BSD-based machines use ____ ____ scanning; the TCP/IP stack implementations in these OSs respond to the ____ ____ requests to the broadcast addresses. This technique does not work on Windows-based networks, as their TCP/IP stack implementation does not reply to ICMP probes directed at the broadcast address. Nmap uses the -P option to ____ scan the target. The user can also increase the number of pings in parallel using the -L option. It may also be useful to tweak the ping timeout value using the -T option.
ICMP ECHO
An ____ _____ is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts. Although a single ping will tell the user whether a specified host computer exists on the network, a ____ _____ consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply. ____ _____s are among the oldest and slowest methods used to scan a network. This utility is distributed across nearly all platforms, and it acts as a roll call for systems; a system that is active on the network answers the ping query that another system sends out. Attackers send probes to the broadcast or network address, which relays to all the host addresses in the subnet. The live systems will send the ICMP echo reply message to the source of the ICMP echo probe.
ICMP Sweep/ping sweep
an optional and additional type of ICMP ping whereby the attackers send a timestamp query to acquire the information related to the current time from the target host machine. The target machine responds with a timestamp reply to each timestamp query that is received. However, the response from the destination host is conditional, and it may or may not respond with the time value depending on its configuration by the administrator at the target's end; this message type is generally used for time synchronization. Such a ping method is effective in identifying whether the destination host machine is active, specifically in the condition where the administrator blocks the traditional ICMP ECHO ping requests.
ICMP Timestamp Ping Scan
The latest host discovery option that sends __ ping packets with the IP header of any specified protocol number. It has the same format as the TCP and UDP ping. This technique tries to send different packets using different IP protocols, hoping to get a response indicating that a host is online. Multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4) are sent by default when no protocols are specified. To configure the default protocols, change DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h at compile time. For specific protocols such as ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), the packets are sent with proper protocol headers; for the remaining protocols, only the IP header data is sent with the packets. In a nutshell, attackers send different probe packets of different IP protocols to the target host; any response from any probe indicates that a host is online. In Nmap, the -PO option is used to perform an __ ________ ____ ____.
IP Protocol Ping Scan
for iOS, scans your local area network to determine the identity of all its active machines and Internet devices. It allows attackers to perform network scanning activities along with ping and port scans.
IP Scanner
An open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploits writers, and payload writers. A major advantage of the framework is the modular approach, i.e., allowing the combination of any exploit with any payload. It enables you to automate the process of discovery and exploitation and provides you with the necessary tools to perform the manual testing phase of a penetration test.
Metasploit
an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on. Attackers can find vulnerabilities and exposed ports in the target system. It helps the attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools).
NetScanTools Pro
Types of scanning: The procedure for identifying active hosts, either to attack them or to assess security. _________ scanning
Network
is an Android mobile application that allows attackers to identify the active hosts in the range of possible addresses in a network. It also displays IP addresses, MAC addresses, host names, and vendor details of all the available devices in the network. This tool also allows attackers to port scan targets with specific port numbers.
Network Scanner
TCP Communication Flags: When set to "1", indicates that the sender has raised the _____ operation to the receiver. This implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the ____ flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
PSH/Push
Countermeasures for ____ _____ Some countermeasures for avoiding ping sweep are as follows: - Configure the firewall to detect and prevent ping sweep attempts instantaneously - Use intrusion detection systems and intrusion prevention systems such as Snort (https://www.snort.org) to detect and prevent ping sweep attempts - Carefully evaluate the type of ICMP traffic flowing through the enterprise networks - Terminate the connection with any host that is performing more than 10 ICMP ECHO requests - Use DMZ and allow only commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in DMZ Zone - Limit the ICMP traffic with Access Control Lists (ACLs) to your ISP's specific IP addresses
Ping Sweep
TCP Communication Flags: When there is an error in the current connection, this flag is set to "1" and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.
RST/Reset
Three-way handshake mechanism: 1. Source sends a ___ packet to the destination.
SYN
Three-way handshake mechanism: 2. On receiving the SYN packet, the destination responds by sending a ___/___ packet back to the source.
SYN/ACK
TCP Communication Flags: SYN scanning, used for the gathering of illegal information from servers during enumeration, revolves primarily around what 3 flags? Format: ____/____/____
SYN/ACK/RST
TCP Communication Flags: Notifies the transmission of a new sequence number. Generally represents the establishment of a connection (three-way handshake) between two hosts.
SYN/Synchronize
a host discovery technique for probing different ports to determine if the port is online and to check if it encounters any firewall rule sets. In this type of host discovery technique, an attacker uses the Nmap tool to initiate the three-way handshake by sending an empty TCP packet with the SYN flag set to the target host. After receiving the SYN, the target host acknowledges the receipt with an ACK flag. After reception of the ACK flag, the attacker confirms that the target host is active and terminates the connection by sending an RST flag to the target host machine (since his/her objective of host discovery is accomplished). Advantages: - As the machines can be scanned in parallel, the scan never gets the time-out error while waiting for the response. - ___ ___ ____ can be used to determine if the host is active without creating any connection. Hence, the logs are not recorded at the system or network level, enabling the attacker to leave no traces for detection.
TCP SYN Ping Scan
Maintains stateful connections for all connection-oriented protocols throughout the internet.
TCP/Transmission Control Protocol
___ ping scan is similar to TCP ping scan; however, in the ___ ping scan, Nmap sends ___ packets to the target host. The default port number used by Nmap for ___ ping scan is 40,125. Attackers send ___ packets to the target host, and a ___ response means that the target host is active. If the target host is offline or unreachable, various error messages such as host/network unreachable or TTL exceeded could be returned. Advantages: Detecting systems behind firewalls with strict TCP filtering, leaving the ___ traffic forgotten.
UDP
TCP Communication Flags: Instructs the system to process the data contained in the packets as soon as possible. When the system sets the flag to "1", priority is given to processing the ______ data first, and all the other data processing is stopped.
URG/Urgent
Prioritizes connection establishment before data transfer between applications. This is possible via a three-way handshake. _____________-oriented
connection
First phase of hacking, in which the attacker gains primary information about a potential target. This information is then used in the scanning phase to gather more details about the target.
footprinting
command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. Can perform security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, and more. Can handle fragmentation as well as arbitrary packet body and size, which can be used to transfer encapsulated files under the supported protocols. Also supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services. Also has a Traceroute mode, which enables attackers to send files between covert channels. Can determine whether the host is up even when the host blocks ICMP packets. Its firewalk-like usage allows the discovery of open ports behind firewalls. Using this tool, an attacker can study the behavior of an idle host and gain information about the target, such as the services the host offers, the ports supporting said services, and the OS of the target.
hping2/hping3
Security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a "map" of the network. To accomplish this task, it sends specially crafted packets to the target host and then analyzes the responses. Includes TCP and UDP port scanning, OS detection, version detection, ping sweeps, and more.
nmap
Types of scanning: Lists open ports and services. Checks whether ports are in the listening state. On occasion, a listening port will allow an unauthorized user to misconfigure systems or to run software with vulnerabilities. ____ scanning
port
What is the term used for the time taken for a packet to make a complete trip?
round trip time
Process of gathering additional detailed information about the target using various reconnaissance techniques. Refers to the procedures used to identify hosts, ports, and services on a network. Also refers to the discovery of active machines on a network and the identification of the OS running on the target machines. During this phase, an attacker will attempt to gather as much information as possible. This includes, but is not limited to, IP addresses accessible over the network, OS and architectures, ports, and services. Most important phase of an attack, enabling an attacker to create a profile of the target organization. Network __________
scanning
What would be the primary reason to choose hping over nmap?
stealth
"Hey Alice! I got something to tell you on port 21, are you there?" "I am here Bob, let's talk on port 21!" "Word! Sounds good Alice!" What is going on here?
three way handshake
Types of scanning: Method for checking whether a system is exploitable. _____________ scanning
vulnerability
A GUI for nmap
zenmap