CEH - Chapter 3 (Scanning)


Hping ICMP mode

-1

Hping UDP mode

-2

Hping scan mode

-8

Hping listen mode

-9

Hping Interface spec

-I

nmap XMAS scan flag

-sX

POP3 port

110

NTP port

123

ICMP Query uses which two types of ICMP messages?

13 (TIMESTAMP), 17 (ADDRESS MASK REQUEST)

Netbios port

137/139

IMAP port

143

SNMP port

161/162

ICMP Address Mask-Request

17 / 0

FTP port

20/21

SSH port

22

Telnet port

23

SMTP port

25

ICMP Network Unreachable (Type / Code)

3 / 0

ICMP Communication Administratively Prohibited (Type / Code)

3 / 13

LDAP port

389

ICMP Route change request from gateway for the Network

5 / 0

ICMP Route change request from gateway for the Host

5 / 1

DHCP port

67

TFTP port

69

Ping Sweep uses which ICMP type?

8 ECHO

This probe scanning technique also assists in checking the filtering systems of target networks (firewalls, IDS).

ACK flag

This probe scan is better with older OS and BSD TCP/IP stacks

ACK flag probe

hping3 -A 10.0.0.25 -p 80

ACK scan on port 80

Type of Banner Grabbing

Active, Passive

Which components are included in a scanning methodology?

Checking for: 1. Live Systems 2. Open Ports 3. Scan beyond IDS 4. Banner grabbing 5. Vulnerability scans 6. Drawing network diagrams 7. Prepare Proxies

___ is a tool that allows an attacker to create custom network packets and helps security professionals to assess the network.

Colasoft Packet Builder

hping3 192.168.1.103 -Q -p 139 -s

Collect TCP sequence numbers

hping3 192.168.1.103 -Q -p 139 -s

Collect initial sequence number

IP Spoofing detection techniques:

Direct TTL Probes (checks TTL values); IPID Check (checks increments in IPIDs); TCP Flow Control (checks window size)

hping3 -F -P -U 10.0.0.25 -p 80

FIN, PUSH, URG scan on port 80

ICMP echo scanning works against Microsoft based systems. True or False?

False; Microsoft systems do not respond to ICMP

hping3 -1 10.0.0.25

ICMP Ping

Another name for a ping sweep

ICMP echo scan

Another name for Ping Sweep

ICMP sweep

SYN/FIN Scanning Using IP Fragments is what kind of technique?

IDS Evasion

The SSDP protocol can discover Plug & Play devices, with UPnP (Universal Plug and Play). SSDP uses unicast and a multicast address (239.255.255.250). SSDP is an HTTP-like protocol and works with which methods?

NOTIFY, M-SEARCH

Vulnerability Scanning tools

Nessus, GFI Lan Guard, Qualys, Retina CS, OpenVAS

Another name for banner grabbing

OS Fingerprinting

In ACK flag probe scanning, if the TTL of RST is greater than 64 what does it mean?

Port is closed

In ACK flag probe scanning, if the TTL of RST is Less than 64 what does it mean?

Port is open

Types of scanning

Port, Network, Vulnerability

According to which RFC is an RST/ACK packet generated for resetting the TCP connection?

RFC 793

Microsoft TCP/IP is not compliant with this RFC, and as such does not respond with a RST, so XMAS scans do not work on Microsoft systems.

RFC 793

An attacker uses ___ scanning to detect UPnP vulnerabilities that may allow him/her to launch buffer overflow or DoS attacks.

SSDP

hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

SYN flood a victim -a is spoofing an IP

hping3 -8 50-60 -S 10.0.0.25 -V

SYN scan on ports 50-60

SYN Scanning uses which flags?

SYN,ACK,RST

This tool removes unnecessary HTTP header and response data, and camouflages the server by providing false signatures. It also lets you eliminate file extensions (such as .asp or .aspx) that clearly indicate a site is running on a Microsoft server. Countermeasure for banner grabbing.

ServerMask

Hping2 www.certifiedhacker.com -a 7.7.7.7

Spoofing

What is ICMP type 13

TIMESTAMP

What four passive banner grabbing components can be gleaned from this packet capture? 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:0x0 ID:56257 ***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78

TTL:45 Window Size: 0x7D78 (or 32120 in decimal) DF: The Don't Fragment bit is set TOS: 0x0

Censorship Circumvention Tools

Tails, G-Zapper (clean google cookies)

In IDLE probe scanning, if the IPID from the zombie in the last step has incremented by 1, what does it mean?

Target port is closed

In IDLE probe scanning, if the IPID from the zombie in the last step has incremented by 2, what does it mean?

Target port is open

You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses. True or False?

True

hping3 -2 10.0.0.25 -p 80

UDP scan on port 80

Six TCP flags?

URG, ACK, PSH, RST, SYN, FIN

hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Firewall and timestamps (Many firewalls drop those TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument on the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).)

Another name for stealth scan

Half-open or SYN scan

hping3 -9 HTTP -I eth0

intercept all HTTP traffic

Scanning Methodology: How to check for live systems

ping sweeps, ICMP scans

In ACK flag probe scanning, if the TTL of the RST from port 123 is 45, what does it mean?

port 123 is open

In an ACK flag probe, all TTLs are 50, but the window size is 512 for port 80. What does it mean?

port 80 is open

hping3 -1 10.0.1.x --rand-dest -I eth0

Scan the entire subnet for live hosts. By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends an ICMP echo request randomly (--rand-dest) to all the hosts from 10.0.1.0-10.0.1.255 that are connected to the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you haven't set a port, so Hping sends packets to port 0 on all IP addresses by default.

The TCP flow method can be used as a countermeasure for IP spoofing. What packet component does it use?

window size
