Scanning Networks

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?

Tunneling attack. Can be used to hide one protocol inside another.

What is one reason a UDP scan may take longer than a TCP scan of the same host?

UDP will retransmit more. There is no defined response to a message to a UDP port. It is entirely left up to the application.

What would be a reason to use the Override feature in OpenVAS?

You want to change a severity rating on a finding.

What would be the purpose of running a ping sweep?

You want to identify responsive hosts without a port scan. You want to use something that is light on network traffic. You want to use a protocol that may be allowed through the firewall.

What is the difference between a false positive and a false negative?

A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist.

What is nmap looking at when it conducts a version scan?

Application banners. Identify versions of the services/applications running on the system.

Which of these may be considered an evasive technique?

Encoding data. You make it harder for the firewall or IDS to identify something bad that may be happening, since these devices can't read the messages coming through.

What is fragroute primarily used for?

Fragmenting application traffic. As well as duplicating and delaying traffic.

What is one reason for using a scan like an ACK scan?

It may get through firewalls and IDS devices. Since an ACK without an open connection is aberrant, the firewall or IDS may ignore it, avoiding detection.

What would you use MegaPing for?

Running a port scan.

What would you use credentials for in a vulnerability scanner?

Scanning for local vulnerabilities. The scanner can authenticate against systems on the network and check for local vulnerabilities.

If you were to see the following command run, what would you assume? hping -S -p 25 10.5.16.2

Someone was trying to probe an email port on the target. hping is a program used to send specially designed messages to a target. These parameters tell hping what to include in the message. This has hping send SYN messages to port 25 at 10.5.16.2.

What is an XMAS scan?

TCP scan with FIN/PSH/URG set. Unusual flag settings in the TCP headers are used to attempt to evade firewalls or IDS.

Which of these may be considered worst practice when it comes to vulnerability scans?

Taking no action on the results.

What does nmap look at for fingerprinting an operating system?

The IP ID field and the initial sequence number. The IP ID field is examined to see what numbers are being used. The initial sequence number in TCP messages is examined to see what numbers are used there.

What is the difference between a SYN scan and a full connect scan?

The SYN scan doesn't complete the three-way handshake. A SYN scan sends the first SYN message and then responds with a RST message after receiving the SYN/ACK from the target.

If you receive a RST packet back from a target host, what do you know about your target?

The source port in the RST message is closed. A TCP scan sends messages to the target, expecting to get a response. With a SYN or full connect scan, the target will respond with a SYN/ACK message from an open port.

Why does an ACK scan not indicate clearly that ports are open?

The target system ignores the message. When a system receives an ACK message, meaning a TCP segment with the ACK flag enabled, it assumes there is an open connection and there is data that is being acknowledged. When there is no connection, there is nothing to respond with. The system, not having anything else to do with the ACK, discards it. The scanner won't receive a response even if the port is open. But the scanner also can't be certain that the message hasn't just been discarded by the firewall.

If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume?

They were trying to reduce false positives by using 2 vulnerability scanners.

What is an advantage of using masscan over nmap?

masscan can scan more addresses faster. Masscan is a port scanner that was developed to scan the entire internet as quickly as possible, making it easier to scan large address blocks.
