CEH - Chapter 3 (Scanning)
Hping ICMP mode
-1
Hping UDP mode
-2
Hping scan mode
-8
Hping listen mode
-9
Hping Interface spec
-I
nmap XMAS scan flag
-sX
POP3 port
110
NTP port
123
ICMP Query uses which two types of ICMP messages?
13 (TIMESTAMP) 17 (ADDRESS MASK REQUEST)
Netbios port
137/139
IMAP port
143
SNMP port
161/162
ICMP Address Mask-Request
17 / 0
FTP port
20/21
SSH port
22
Telnet port
23
SMTP port
25
ICMP Network Unreachable (Type / Code)
3 / 0
ICMP Communication Administratively Prohibited (Type / Code)
3 / 13
LDAP port
389
ICMP Route change request from gateway for the Network
5 / 0
ICMP Route change request from gateway for the Host
5 / 1
DHCP port
67
TFTP port
69
Ping Sweep uses which ICMP type?
8 ECHO
This probe scanning technique also assists in checking the filtering systems of target networks (firewalls, IDS).
ACK flag
This probe scan is better with older OS and BSD TCP/IP stacks
ACK flag probe
hping3 -A 10.0.0.25 -p 80
ACK scan on port 80
Type of Banner Grabbing
Active, Passive
Which components are included in a scanning methodology?
Checking for: 1. Live Systems 2. Open Ports 3. Scan beyond IDS 4. Banner grabbing 5. Vulnerability scans 6. Drawing network diagrams 7. Prepare Proxies
___ is a tool that allows an attacker to create custom network packets and helps security professionals to assess the network.
Colasoft Packet Builder
hping3 192.168.1.103 -Q -p 139 -s
Collect TCP sequence numbers
hping3 192.168.1.103 -Q -p 139 -s
Collect initial sequence number
IP Spoofing detection techniques:
Direct TTL Probes (checks TTL values); IPID Check (checks increments in IPIDs); TCP Flow Control (checks window size)
hping3 -F -P -U 10.0.0.25 -p 80
FIN, PUSH, URG scan on port 80
ICMP echo scanning works against Microsoft based systems. True or False?
False; Microsoft systems do not respond to ICMP
hping3 -1 10.0.0.25
ICMP Ping
Another name for a ping sweep
ICMP echo scan
Another name for Ping Sweep
ICMP sweep
SYN/FIN Scanning Using IP Fragments is what kind of technique?
IDS Evasion
The SSDP protocol can discover Plug & Play devices, with UPnP (Universal Plug and Play). SSDP uses unicast and a multicast address (239.255.255.250). SSDP is an HTTP-like protocol and works with which methods?
NOTIFY M-SEARCH
Vulnerability Scanning tools
Nessus, GFI Lan Guard, Qualys, Retina CS, OpenVAS
Another name for banner grabbing
OS Fingerprinting
In ACK flag probe scanning, if the TTL of RST is greater than 64 what does it mean?
Port is closed
In ACK flag probe scanning, if the TTL of RST is Less than 64 what does it mean?
Port is open
Types of scanning
Port, Network, Vulnerability
According to which RFC is an RST/ACK packet generated for resetting the TCP connection?
RFC 793
Microsoft TCP/IP is not compliant with this RFC and, as such, does not respond with an RST, so XMAS scans do not work on Microsoft systems.
RFC 793
Attacker uses ___scanning to detect UPnP vulnerabilities that may allow him/her to launch buffer overflow or DoS attacks.
SSDP
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
SYN flood a victim -a is spoofing an IP
hping3 -8 50-60 -S 10.0.0.25 -V
SYN scan on ports 50-60
SYN Scanning uses which flags?
SYN,ACK,RST
This tool removes unnecessary HTTP header and response data, and camouflages the server by providing false signatures. It also lets you eliminate file extensions (such as .asp or .aspx) that clearly indicate a site is running on a Microsoft server. Countermeasure for banner grabbing.
ServerMask
Hping2 www.certifiedhacker.com -a 7.7.7.7
Spoofing
What is ICMP type 13
TIMESTAMP
What four passive banner grabbing components can be gleaned from this packet capture? 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:0x0 ID:56257 ***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
TTL:45 Window Size: 0x7D78 (or 32120 in decimal) DF: The Don't Fragment bit is set TOS: 0x0
Censorship Circumvention Tools
Tails, G-Zapper (clean google cookies)
In IDLE probe scanning, if the IPID from the zombie in the last step has incremented by 1, what does it mean?
Target port is closed
In IDLE probe scanning, if the IPID from the zombie in the last step has incremented by 2, what does it mean?
Target port is open
You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses. True or False?
True
hping3 -2 10.0.0.25 -p 80
UDP scan on port 80
Six TCP flags?
URG, ACK, PSH, RST, SYN, FIN
hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Firewall and timestamps (many firewalls drop those TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument in the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).)
Another name for stealth scan
half-open or SYN scan
hping3 -9 HTTP -I eth0
intercept all HTTP traffic
Scanning Methodology: How to check for live systems
ping sweeps, ICMP scans
In ACK flag probe scanning, if the TTL of RST from port 123 is 45, what does it mean?
port 123 is open
In an ACK flag probe, all TTLs are 50, but one window size is 512 for port 80. What does it mean?
port 80 is open
hping3 -1 10.0.1.x --rand-dest -I eth0
Scan entire subnet for live hosts. By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends an ICMP-echo request randomly (--rand-dest) to all the hosts from 10.0.1.0-10.0.1.255 that are connected to the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you haven't set a port, so Hping sends packets to port 0 on all IP addresses by default.
TCP flow method can be used as a countermeasure for IP spoofing. What packet component does it use?
window size