03 CEH: Scanning Networks
What *nmap flag* can be used to scan ports consecutively as opposed to scanning them in a random order?
-r
What nmap flag is used by an attacker to perform an SCTP COOKIE ECHO scan?
-sZ
What nmap flag allows an attacker to perform a ping sweep?
-sn (n == no port scan)
What is the purpose of the TCP *URG* flag?
To designate that the data contained in the packet should be processed immediately
According to the material, what is the purpose of *banner grabbing*?
To determine the target's operating system
What is the purpose of the TCP *SYN* flag?
To initiate a connection between hosts
What is an *ICMP ECHO Ping Sweep*?
When an ICMP ECHO Ping Scan is performed against multiple targets
What scanning tool identifies a target's operating system by observing the TTL values in its responses?
unicornscan
What *nmap flag* can be used to scan fewer ports than the default scan?
-F
What *nmap* flags are used to spoof source port numbers?
-g --source-port
What is the flow of an ACK scan when a stateful firewall filters the packets?
1. Client sends ACK probe 2. Client receives no response or receives ICMP error message
What is the flow of an ACK scan when the remote port is closed?
1. Client sends ACK probe 2. Server responds with RST
What is the flow of an ACK scan when the remote port is open?
1. Client sends ACK probe 2. Server responds with RST
What three different types of packets will be sent to <target> when the attacker executes the following nmap command: nmap -PO <target>
1. ICMP 2. IGMP 3. IP-in-IP
What are the 6 network discovery and mapping tools the material recommends?
1. Network Topology Mapper 2. OpManager 3. The Dude 4. NetSurveyor 5. NetBrain 6. Spiceworks Network Mapping Tool
What are the 3 mobile network discovery and mapping tools the material recommends?
1. Scany 2. Network Analyzer 3. PortDroid Network Analysis
What 2 tools does the material recommend for OS detection?
1. nmap 2. unicornscan
What is the layer 3 limited broadcast address?
255.255.255.255
What type of scan is *best* for determining whether a host is filtered by a stateful firewall?
ACK scan
What type of scan should be performed to quickly and effectively discover live hosts in a large IPv4 network?
ARP ping scan (nmap -PR)
What is the purpose of the TCP *PSH* flag?
All buffered data is sent immediately
What is an address that can be used to broadcast messages to all addresses on a broadcast domain, and these messages are forwarded by routers?
Directed broadcast address
What is the layer 2 limited broadcast address?
FF:FF:FF:FF:FF:FF
In what scanning techniques does an attacker send a spoofed source address to a computer to determine the available services?
IDLE/IPID header scan
What is an address that can be used to broadcast messages to all addresses on a broadcast domain, but these messages aren't forwarded by routers?
Limited broadcast address
What is a command line tool that can craft many types of Layer 2 and Layer 3 packets, including ARP, Ethernet, TCP, and UDP packets?
Nemesis
What type of scanning technique is used by an attacker to check whether a machine is vulnerable to UPnP exploits?
SSDP scanning
What *hping3* flag(s) would you use to set each of the 6 TCP flags?
SYN: -S ACK: -A PSH: -P RST: -R URG: -U FIN: -F
TTL and TCP Window Size of *Windows 2000*
TTL: 128 Window Size: 16384
TTL and TCP Window Size of *Windows XP*
TTL: 128 Window Size: 65535
TTL and TCP Window Size of *Windows 98, Vista, 7, and Server 2008*
TTL: 128 Window Size: 8192
TTL and TCP Window Size of *iOS 12.4* and *Cisco Routers*
TTL: 255 Window Size: 4128
TTL and TCP Window Size of *Solaris 7*
TTL: 255 Window Size: 8760
TTL and TCP Window Size of *Windows 95*
TTL: 32 Window Size: 8192
TTL and TCP Window Size of *AIX 4.3*
TTL: 64 Window Size: 16384
TTL and TCP Window Size of *OpenBSD*
TTL: 64 Window Size: 16384
TTL and TCP Window Size of *Google Linux*
TTL: 64 Window Size: 5720
TTL and TCP Window Size of *Linux (Kernel 2.4 and 2.6)*
TTL: 64 Window Size: 5840
TTL and TCP Window Size of *FreeBSD*
TTL: 64 Window Size: 65535
What is the purpose of the TCP *FIN* flag?
There will be no further communications
While performing a UDP scan of a subnet, you receive an ICMP reply of Code 3/Type 3 for all the pings you have sent out. What is the most likely cause of this?
UDP port is closed
An attacker sends a TCP packet to the target with the ACK flag set and then analyzes the window size of the ACK packet it receives back from the target. If the window size falls in a particular range (non-zero in the book), the port is open. What type of scanning was performed?
Window-based ACK Flag Probe Scanning
What is the tool for network scanning and packet crafting that the material recommends?
hping2/hping3
What *nmap* command attempts to perform *OS detection* using *IPv6 fingerprinting* against a <target>?
nmap -6 -O <target>
What *nmap* command attempts to perform *OS detection* against a <target>?
nmap -O <target>
What *nmap* command allows you to perform service version discovery against a <target>?
nmap -sV <target>
What is a graphical user interface tool for generating TCP/IP packets and can manipulate the sequence of packets by adjusting the delay or number of packets that are sent?
packETH
What *hping3* flag(s) allows you to send as many packets as fast as possible to the target?
--flood
What *hping3* flag(s) would you use to get firewalls and timestamps (whatever that means)?
--tcp-timestamp
What *hping3* flag designates raw IP mode?
-0
What *hping3* flag designates ICMP mode?
-1
What *hping3* flag designates UDP mode?
-2
What *nmap* flag allows you to perform IPv6 scanning?
-6
What *hping3* flag designates *scan mode*, allowing you to scan a particular <range of ports>?
-8 <range of ports>
What *hping3* flag designates *listen mode*, allowing you to listen on an interface for a particular <signature>?
-9 <signature>
What *hping3 flag* is used to perform an *ACK scan*?
-A
What *nmap* flag is used to spoof the source IP address?
-D
What *hping3* flag(s) allows you to specify a particular network <interface>?
-I <interface>
What *hping3* flag(s) would you use to collect the initial sequence number?
-Q
What flag of *hping3* is used by an attacker to collect the initial sequence number?
-Q
What *hping3* flag(s) allows you to spoof the source IP address?
-a <address>
What *hping3* flag(s) allows you to specify a particular <port>
-p <port>
What operating system can be identified when scan results show a TTL value of 64 and TCP window size of 5840?
Linux (Kernel 2.4 and 2.6)
What tool is a network scanner for iPhone and iPad that is used to scan LAN, Wi-Fi networks, websites, open ports, and network devices and can support several networking protocols?
Scany
What tool can be used to disable or change banner information of services running on open ports?
ServerMask
What is the network protocol that works in conjunction with the UPnP protocol to detect plug and play devices?
Simple Service Directory Protocol (SSDP)
An attacker sends a TCP packet to the target with the ACK flag set and then analyzes the TTL of the ACK packet it receives back from the target. If the TTL falls in a particular range (< 64 in the book), the port is open. What type of scanning was performed?
TTL-based ACK Flag Probe Scanning
What is the purpose of the TCP *RST* flag?
The connection is being reset
What are the 5 types of host discovery scanning techniques?
1. ARP Ping Scan 2. UDP Ping Scan 3. ICMP Ping Scan 4. TCP Ping Scan 5. IP Protocol Ping Scan
When administrators have blocked ICMP ECHO pings, what other two ICMP ping methods can you use to discover hosts?
1. ICMP Timestamp Ping 2. ICMP Address Mask Ping
What 3 mobile scanning tools does the material recommend?
1. IP Scanner 2. Fing 3. Network Scanner
In TCP communication, how does one acknowledge a message in their response?
By setting the acknowledge sequence number to the received sequence number plus one
You are performing a port scan with Nmap. You are in a hurry and conducting the scans at the fastest possible speed. What type of scan should you run to get *very reliable* results?
Connect scan
What TCP communication flag is set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated?
FIN
True or false: a TCP Connect / Full Open Scan requires superuser privileges?
False
What scanning tool is a mobile app for Android and iOS that provides complete network information, such as the IP address, MAC address, device vendor, and ISP location?
Fing
What Metasploit information discovery module can you use to check if the target is vulnerable to UPnP exploits?
UPnP SSDP M-Search: auxiliary/scanner/upnp/ssdp_amp
What *nmap* command is used to perform an IDLE/IPID header scan on <target>?
namp -sI <target> (I is an uppercase i)
What *nmap* command would you use to perform a TCP ACK Flag probe scan against a <target>?
nmap -sA <target>
What *nmap* command would you use to perform a List Scan against a <target>?
nmap -sL <target>
What *nmap* command would you use to perform a TCP Mainmon against a <target>?
nmap -sM <target>
What *nmap* command allows you to perform a *protocol scan* against a <target>?
nmap -sO <target>
What is the flow of list scanning?
1. Generate a list of IP addresses 2. Perform reverse DNS lookups on all IP addresses in the list
What are the 3 types of ICMP Ping scans?
1. ICMP ECHO Ping (ICMP Echo Ping Sweep) 2. ICMP Timestamp Ping 3. ICMP Address Mask Ping
Walk through the flow of an IDLE/IPID Header Scan.
1. Attacker sends SYN+ACK packet to zombie machine to probe its IPID number (i.e., IPID = 100) 2. Attacker sends a SYN packet to the target machine and spoofs the source IP address with the zombie's IP address 3. If the port is open, the target will send a SYN+ACK packet to the zombie, and the zombie will respond with a RST packet (i.e., IPID = 101) 4. If the port is closed, the target will send a RST to the zombie and the zombie will ignore it (i.e., IPID = 100) 5. The attacker probes the zombie's IPID again, which will increment it. If the port was open, IPID == 102. If the port was closed, IPID == 101. AKA, an IPID difference of 2 indicates the port is open and an IPID difference of 1 indicates the port is closed
How can ACK Flag Probe Scanning be used to check the filtering system of a target?
1. Attacker sends an ACK packet with a random sequence number 2. No response indicates that the port is filtered (statement firewall is present) 3. RST response indicates that the port is not filtered
What's the flow for terminating a TCP session?
1. Client --[FIN]--> Server 2. Client <--[ACK]-- Server 3. Client <--[FIN]-- Server 4. Client --[ACK]--> Server
What does a TCP Connect / Full Open scan flow look like when the remote port is *open*?
1. Client and server complete three-way handshake 2. Client closes connection with RST packet
What does a SCTP COOKIE ECHO Scanning flow look like when the remote port is *open*?
1. Client sends COOKIE ECHO chunk 2. Server doesn't respond
What does a SCTP COOKIE ECHO Scanning flow look like when the remote port is *closed*?
1. Client sends COOKIE ECHO chunk 2. Server responds with ABORT chunk
What does a TCP Maimon flow look like when the remote port is *open*?
1. Client sends FIN+ACK packet 2. Server doesn't respond
What does a TCP Maimon flow look like when the remote port is *closed*?
1. Client sends FIN+ACK probe 2. Server responds with RST packet
What does an Xmas Scan flow look like when the remote port is *open*?
1. Client sends FIN+URG+PSH packet 2. Server doesn't respond
What does an Xmas Scan flow look like when the remote port is *closed*?
1. Client sends FIN+URG+PSH packet 2. Server responds with RST packet
What does a SCTP INIT Scanning flow look like when the remote port is *filtered*?
1. Client sends INIT chunk 2. No response from server
What does a SCTP INIT Scanning flow look like when the remote port is *closed*?
1. Client sends INIT chunk 2. Server responds with ABORT chunk
What does a SCTP INIT Scanning flow look like when the remote port is *open*?
1. Client sends INIT chunk 2. Server responds with INIT+ACK chunk
What does a TCP Connect / Full Open scan flow look like when the remote port is *closed*?
1. Client sends SYN packet 2. Server responds with RST packet
When performing a TCP Connect / Full Open Scan, what is the expected response when the remote port is *closed*?
1. Client sends SYN packet 2. Server responds with RST packet
What does a TCP Stealth Scan flow look like when the remote port is *open*?
1. Client sends SYN packet 2. Server responds with SYN+ACK packet 3. Client sends RST packet
What does a UDP Scanning flow look like when the remote port is *open*?
1. Client sends UDP packet 2. Server doesn't respond
What does a UDP Scanning flow look like when the remote port is *closed*?
1. Client sends UDP packet 2. Server responds with *ICMP Port Unreachable* message
What does a FIN, URG, or PSH Scan flow look like when the remote port is *open*?
1. Client sends probe packet 2. Server doesn't respond
What does a FIN, URG, or PSH Scan flow look like when the remote port is *closed*?
1. Client sends probe packet 2. Server responds with RST+ACK packet
What are the 6 types of Inverse TCP Flag Scanning port scanning techniques?
1. FIN Scan: only FIN flag set 2. URG Scan: only URG flag set 3. PSH Scan: only PSH flag set 4. NULL Scan: no flags set 5. Xmas Scan: FIN, URG, PSH flags set 6. Maimon Scan: only FIN-ACK flags set
What are the 3 types of TCP Scanning port scanning techniques?
1. Open TCP Scanning Methods (TCP Connect / Full Open Scan) 2. Stealth TCP Scanning Methods 3. Third Party and Spoofed TCP Scanning Methods (IDLE/IPID Header Scan)
What are the 2 types of SCTP Scanning port scanning techniques?
1. SCTP INIT Scanning 2. SCTP COOKIE ECHO Scanning
What are the 2 types of TCP Ping scans?
1. TCP SYN Ping 2. TCP ACK Ping
What are the 5 types of port scanning techniques?
1. TCP Scanning 2. UDP Scanning 3. SCTP Scanning 4. SSDP Scanning 5. IPv6 Scanning
Which of the following is the active banner grabbing technique used by an attacker to determine the OS running on a remote target system? 1. TCP sequence ability test 2. Banner grabbing from error messages 3. Sniffing of network traffic 4. Banner grabbing from page extensions
1. TCP sequence ability test
What are the 2 types of ACK Flag Probe Scanning port scanning techniques?
1. TTL-based Scan 2. Window Scan
What are the 8 tools the material recommends for performing a ping sweep?
1. nmap 2. hping3 3. Angry IP Scanner 4. SolarWinds Engineer's Toolset 5. NetScanTools Pro 6. Colasoft Ping Tool 7. Visual Ping Tester 8. OpUtils
What 8 tools does the material recommend for network scanning?
1. nmap 2. hping3 3. Metasploit 4. NetScanTools Pro 5. Unicornscan 6. SolarWinds Port Scanner 7. PRTG Network Monitor 8. OmniPeek Network Protocol Analyzer
Which of the following ping methods is effective in identifying active hosts similar to the ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP ECHO ping? 1. UDP ping scan 2. ICMP address mask ping scan 3. ICMP ECHO ping scan 4. ICMP ECHO ping sweep
2. ICMP address mask ping scan
Which of the following countermeasure should be used to prevent a ping sweep? 1. Avoiding the use of DMZ and disallowing commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in DMZ 2. Limiting ICMP traffic with access-control lists (ACLs) to the ISP's specific IP addresses 3. Disabling the firewall 4. Allowing connection with any host performing more than 10 ICMP ECHO requests
2. Limiting ICMP traffic with access-control lists (ACLs) to the ISP's specific IP addresses
Which of the following IDS/firewall evasion techniques helps an attacker increase their Internet anonymity? 1. IP address decoy 2. Proxy chaining 3. Source port manipulation 4. Source routing
2. Proxy chaining
Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS? 1. Traceroute to control the path of the packets sent during the scan 2. ICMP ping sweep to determine which hosts on the network are not available 3. Fingerprinting to identify which operating systems are running on the network 4. Timing options to slow the speed that the port scan is conducted
4. Timing options to slow the speed that the port scan is conducted
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? 1. Passive 2. Distributive 3. Active 4. Reflective
Active
What *nmap* command allows you to perform a TCP Stealth Scan against a <target>?
nmap -sS <target>
What *nmap* command allows you to perform a TCP Connect / Full Open scan against a <target>?
nmap -sT <target>
What *nmap* command would you use to perform a UDP scan against a <target>?
nmap -sU <target>
What *nmap* command would you use to perform an Xmas scan against a <target>?
nmap -sX <target>
What *nmap* command would you use to perform a SCTP INIT scan against a <target>?
nmap -sY <target>
What *nmap* command would you use to perform a SCTP COOKIE ECHO scan against a <target>?
nmap -sZ <target>
What *nmap* command would you use to perform a TCP ACK Ping Scan against a <target>?
nmap -sn -PA <target>
What *nmap* command is used to perform an ICMP ECHO Ping Scan against a <target>?
nmap -sn -PE <target>
What *nmap* command would you use to perform an ICMP Address Mask Ping Scan against a <target>?
nmap -sn -PM <target>
What *nmap* command would you use to perform a IP Protocol Ping Scan against a <target>?
nmap -sn -PO <target>
What *nmap* command would you use to perform an ICMP Timestamp Ping Scan against a <target>?
nmap -sn -PP <target>
What *nmap* command is used to perform an ARP Ping Scan against a <target>?
nmap -sn -PR <target>
What *nmap* command would you use to perform a TCP SYN Ping Scan against a <target>?
nmap -sn -PS <target>
What *nmap* command is used to perform an UDP Ping Scan against a <target>?
nmap -sn -PU <target>