TestOut Ethical Hacker Pro - Chapter 5
hping3
hping3 sends packets across a network and can also create custom packets that can analyze the host. In addition to the normal ICMP pings, hping3 supports TCP and UDP, has a traceroute mode, and can send and receive files. This tool was primarily designed for the Linux operating system, but does have cross-platform capabilities.
nmap
nmap is another tool for banner grabbing. nmap connects to an open TCP port and returns anything sent in a five-second period. The command syntax is nmap -sV --script=banner ip_address. The -sV option probes open ports to determine service/version info.
ping
ping uses Internet Control Message Protocol (ICMP) messaging to determine whether a remote system is live.
ping
ping works by sending an ICMP message from one system to another. Based on the ICMP reply, you know whether the system is live and how quickly the packets travel from one host to another.
Half-open scan
A half-open scan, also known as a stealth scan, sends a SYN packet to a port. The three-way handshake does not occur because the originating system does not reply with the final ACK. At this point, you have discovered an open port. Because an ACK packet was not sent, a connection was not made, and there is no security log. nmap -sS IP address
ping sweep
A ping sweep scans a range of IPs to look for live systems. ping sweeps help to build a network inventory. However, they can also alert the security system, potentially resulting in an alarm being triggered or the attempt being blocked.
Port scan
A port scan probes a server or host for open ports.
Use a proxy
A proxy serves as a less vulnerable access point to a network. Typically, proxies are placed in networks to keep external users from accessing the internal network. Hackers like proxies because they filter incoming and outgoing traffic, provide you with anonymity, and shield you from possible detection.
TCP Flags ACK
Acknowledges the receipt of a packet.
Xmas tree scan
An Xmas tree scan gets its name because all of the flags are turned on, and the packet is lit up like a Christmas tree. The recipient has no idea what to do with this packet, so either the packet is ignored or dropped. If you get an RST packet, you know the port is closed. If you don't get a response, the port may be open. nmap -sX -v IP address
Angry IP Scanner
Angry IP Scanner is a network scanner. It scans local and remote networks and returns an IP range via a command-line interface.
Banner grabbing
Banner grabbing is a technique hackers use to obtain information about the services running on a target system.
Beyond Trust
Beyond Trust provides a network security scanner that helps to identify vulnerabilities and prioritize solutions. This software is available as a standalone application or part of their larger vulnerability management solution.
Colasoft
Colasoft is a packet crafting software that can modify flags and adjust other packet content.
CurrPorts
CurrPorts lists all open UDP and TCP/IP ports on your computer. It also provides information about the process that opened the port, the user who created the process, and what time the port was created.
TCP Flags PSH
Directs the sending system to send buffered data.
TCP Flags URG
Flags a packet as urgent.
Fragment packets
Fragmenting is probably one of the most commonly used methods to avoid detection. You're still sending packets, you're just breaking them apart so intrusion detection systems don't know what they are. As long as you're not bombarding the system, the packet segments float by without concern.
IP-Tools
IP-Tools has 20 scanning utilities, including SNMP Scanner, UDP Scanner, Trace, Finger, Telnet, IP-Monitor, and Trap Watcher. The program supports multitasking so that you can use all utilities at once. IP-Tools is designed to work on a Windows system.
TCP Flags FIN
Indicates that no additional information will be sent.
Spoof IP addresses
Many scanning tools have the functionality to recraft the packet so that the source address reflects a different IP address. The scan is sent to the recipient, the feedback is returned to the fake IP address, and there is no record of your IP address sending the requests.
Nessus
Nessus is often considered the industry standard for vulnerability scanning. The software helps to identify software flaws, malware, missing or outdated patches, and configuration errors across a network.
NetAuditor
NetAuditor reports, manages, and diagrams network configurations.
Netcraft
Netcraft is an online tool that is used to obtain server and web server information.
Network scan
Network scans are used to find live computers on a network.
OpenVAS
OpenVAS provides authentication testing, protocol testing, and performance tuning for large-scale networks.
P0f
P0F is a Linux tool that analyzes network traffic and returns information on operating systems. Because it is passively viewing traffic, it is a stealthy method for gathering information.
TCP Flags RST
Resets a connection.
InsightVM
Saint provides enterprise-level vulnerability management tools.
Scanning
Scanning is the process of actively engaging with a target in an attempt to gather information about a network.
Scany
Scany is a scanner application for iOS devices. It scans networks, websites, and ports to find open network devices. It can obtain domain and network names and includes basic networking utilities such as ping, traceroute, and whois.
SolarWinds Network Topology Manager
SolarWinds Network Topology Manager provides automated network discovery and mapping.
SolarWinds Port Scanner
SolarWinds Port Scanner is a command line tool that provides a list of open, closed, or filtered ports.
TCP Flags SYN
Starts a connection between hosts.
Telnet
Telnet is many hackers' tool of choice for banner grabbing. It operates on port 23. If you type telnet ip_address at a command prompt, you'll send TCP packets to the destination port 23.
Full open scan
The full open scan completes a full three-way handshake on all ports. Open ports respond with a SYN/ACK, and closed ports respond with an RST flag, ending the attempt. The downside of this type of scan, and the reason that it's not frequently used, is that somebody now knows you were there. nmap -sT IP address
Idle scan
The hacker finds a target machine, but wants to avoid getting caught, so, he finds another system to take the blame. The blamed system is called a zombie machine because it's disposable and creates a good distraction. The scan directs all requests through the zombie machine. If that zombie machine is flagged, the hacker simply creates another zombie machine and continues to scan.
NULL scan
The packet is sent with no flags set. If the port is open, there is no response. If the port is closed, an RST response is returned. nmap -sN IP address
FIN scan
The packet is sent with the FIN flag set. This allows the packet to pass through firewalls and onto the intended target without attracting much attention. If a port is open, there will be no response. If the port is closed, an RST response is returned. nmap -sF IP address
Scan with ACK
This scan will help you determine whether the firewall is stateful or stateless and whether or not the ports are open. In an ACK scan, only the ACK flag is set. If a port is unfiltered, both open and closed ports return an RST packet. If a port is filtered, it either returns an error message or no response at all.
Wardialing
Using a modem, the scan dials a large block of phone numbers and attempts to locate other systems connected to a modem. If the modem gets a response, it can establish a connection. Modems are still often used for fax machines and multi-purpose copiers and as a backup for high-speed internet.
Vulnerability scan
Vulnerability scans are used to find system weaknesses such as open ports and access points.
Operating System Fingerprinting
You may be able to figure out which operating system a target is running by reviewing packet information. Fingerprinting relies on small differences in packets created by various operating systems. You can find differences by examining the TTL values, TCP window size, DHCP requests, ICMP requests, HTTP packets, and open port patterns.