CEH Part 2


-sS

(TCP SYN/Stealth scan)

DIG

- DNS interrogation tool. Attackers can attempt a DNS zone transfer (an AXFR request) with this tool / command.

DNS zone transfers

- Are used to replicate DNS data across several DNS servers or to back up DNS files. - A user can perform one with the nslookup and dig commands.

Stealth scan

A security engineer is attempting to scan a company's internal network to verify the security policies of its networks. The engineer uses the following Nmap command: nmap -n -sS -P0 -p 80 ***.***.**.**. What type of scan is this? (-sS is the SYN/stealth scan; -n skips reverse DNS and -P0 is the older spelling of -Pn, skip host discovery.)

Port 53

Some malware, such as the ADM worm and the Bonk Trojan, uses port ??? to exploit vulnerabilities within DNS servers. This can help intruders launch attacks. Which port is this?

BGP

TCP session on port 179

Source Port Manipulation:

The attacker replaces the real source port of the probe with a commonly trusted source port (for example 53, 80 or 88) so that a firewall or IDS rule that permits traffic from that port lets the scan through (nmap -g / --source-port).

Source Routing:

The attacker specifies the routing path for the malformed packet to reach the intended target.

Port 515

TCP and UDP use port ? to interact with the printer (the LPD/LPR line printer daemon). As port ? is open in the Nmap output, the host is probably a printer. Which port?

-sn (No port scan):

This option tells Nmap not to do a port scan after host discovery and only print out the available hosts that responded to the host discovery probes. This is often called a Ping Sweep.

Extract information using default passwords

Users often ignore recommendations to change the default usernames and passwords shipped by the manufacturer or developer of a product. Attackers use these default credentials to gain access to the target network or device and launch further attacks.

Reset or "RST":

When there is an error in the current connection, this flag is set to "1" and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.

1D

Which of the following NetBIOS service codes is used to obtain information related to the master browser name for the subnet?

PsList

Which of the following command-line tools displays the CPU and memory information or thread statistics?

Display false banners

Which of the following countermeasure helps organizations to prevent information disclosure through banner grabbing?

Limiting ICMP traffic with access-control lists (ACLs) to the ISP's specific IP addresses

Which of the following countermeasure should be used to prevent a ping sweep?

Extract information using DNS zone transfer

Which of the following enumeration techniques is used by a network administrator to replicate domain name system (DNS) Data Across Many DNS servers, or to backup DNS files?

Ensure that the versions of services running on the ports are non-vulnerable

Which of the following is the best practice to follow to secure a system or network against port scanning?

NMAP

Which of the following open-source tools would be the best choice to scan a network for potential targets?

TCP/UDP 53

Which of the following port number is used to exploit vulnerabilities within DNS servers to launch attacks?

UDP 137

Which of the following ports provides a name-resolution service for computers running NetBIOS that is also known as the Windows Internet Name Service (WINS)?

BGP (Border Gateway Protocol)

Which of the following protocols is widely used by Internet service providers (ISPs) to maintain huge routing tables and efficiently process Internet traffic?

LDAP

Which of the following protocols uses TCP or UDP as its transport protocol over port 389?

SSDP scanning

Which of the following scanning techniques is used by an attacker to check whether a machine is vulnerable to UPnP exploits?

Connect Scan

You are performing a port scan with Nmap. You are in a hurry and conducting the scans at the fastest possible speed. What type of scan should you run to get very reliable results?


passive banner grabbing techniques

are as follows:
- Banner grabbing from error messages
- Sniffing the network traffic
- Banner grabbing from page extension

active banner grabbing techniques

are as follows:
- TCP sequence predictability (initial sequence number sampling) test
- ICMP port unreachable test

Hashcat, Cain & Abel, and John the Ripper

are password-cracking tools: they recover Windows local administrator, domain administrator, and other user account passwords from captured hashes (for example from the SAM database or NTDS.dit) by dictionary, brute-force, or rule-based guessing. Cracking recovers the original password; it does not reset it. Tools that reset a forgotten password instead overwrite the stored hash offline so the user can log in again without reinstalling Windows.

Access control lists (ACLs)

blocks unauthorized access by specifying which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

hping

can be configured to perform an ACK scan by specifying the argument -A on the command line, which sets the ACK flag in the probe packets. You use this scan when a host does not respond to a ping request (ICMP is blocked). A live host answers an unsolicited ACK with an RST whether the port is open or closed, so an RST proves the host is up and the port is unfiltered; no reply suggests a stateful firewall is dropping the probe.

Splint

can be used to detect the common security vulnerabilities including buffer overflows.

TCP Connect scan

detects that a port is open by completing the three-way handshake: it establishes a full connection and then closes it by sending an RST packet.

In IDLE/IPID Header Scan,

every IP packet on the Internet carries a fragment identification number (IPID); many operating systems increment the IPID for each packet sent, so probing a host's IPID tells the attacker how many packets it has sent since the last probe. A machine that receives an unsolicited SYN|ACK packet responds with an RST; an unsolicited RST is ignored.

Proxy Chaining:

helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater is the attacker's anonymity.

-n

in nbtstat: Displays the names registered locally by NetBIOS applications such as the server and redirector

Stealth Scan

involves sending a SYN, receiving the SYN/ACK, and then abruptly resetting the TCP connection with an RST before the three-way handshake completes, thus leaving the connection half-open. Because the handshake never completes, the target application never sees a connection, although packet-level logging or an IDS can still record the probe.

SMTP

is a TCP/IP mail delivery protocol. It transfers e-mail across the Internet and the local network. It runs on the connection-oriented service provided by transmission control protocol (TCP), and it uses the well-known port number 25.

Transmission Control Protocol (TCP)

is a connection-oriented transport protocol. It carries application data such as e-mail over the Internet and provides reliable process-to-process communication across multiple networks.

Whonix

is a desktop operating system designed for advanced security and privacy

Tails

is a live operating system that a user can start on any computer from a DVD, USB stick, or SD card

Vulnerability Scanning

is a method for checking whether a system is exploitable by identifying its vulnerabilities.

Fing

is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. It allows attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC address as well as the name of the vendor/device manufacturer

Scany

is a network scanner app for iPhone and iPad, scans LAN, Wi-Fi networks, websites, and open ports, discovers network devices, and digs network info. It supports several networking protocols and anti-stealth technologies. Attackers use this tool to scan both the LAN and the Internet, scan any IP address or network range, perform hostname, device name, MAC address, and hardware vendor lookups, ping/trace hosts with integrated tools and WHOIS hostnames, IP addresses, ASNs, etc.

Network Scanning

is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.

Maltego

is a program that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.


Session Initiation Protocol (SIP)

is a protocol used in Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints

Nmap ("Network Mapper")

is a security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a "map" of the network.

SNMP (Simple Network Management Protocol)

is an application layer protocol that runs on UDP and maintains and manages routers, hubs, and switches on an IP network. It runs on networking devices in Windows and UNIX networks. Attackers enumerate ???? to extract information about network resources such as hosts, routers, devices, shares, etc. and network information such as ARP tables, routing tables, traffic, etc.

Havij

is an automated SQL injection tool. In its creators' own words, "it is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page." It can take advantage of a vulnerable web application.

Psiphon

is an open-source anonymizer software that allows attackers to surf the internet through a secure proxy

Nmap

is an open-source security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network


TCP 139

is perhaps the most well-known Windows port. Systems use this port for both null-session establishment as well as file and printer sharing.

Port 51

is reserved by IANA

Port Scanning

is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in.

UDP port 4500

is used by IPsec NAT Traversal (NAT-T), which encapsulates ESP in UDP so IPsec can pass through NAT devices

ACK Flag Probe Scan

is used by attackers who send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW fields) of the received RST packets to infer whether the port is open or closed
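A worked example, added here and not part of the CEH material, that encodes the reply-to-state rules described in the SYN/stealth, ACK-probe and IDLE/IPID entries above as plain Python. The replies are constructed labels, not live packets, and the idle-scan arithmetic assumes a zombie whose IPID increments by exactly one per packet it sends.

```python
"""
Classify a port's state from the reply a TCP scan probe elicited.
Example code, not from the CEH source: the rules are the RFC 793 behaviour
the flashcards describe. "reply" is a constructed label such as "SYN/ACK",
"RST", "ICMP unreachable" or None (no answer before the timeout).
"""
from typing import Optional


def classify_syn_scan(reply: Optional[str]) -> str:
    # Half-open scan: SYN sent, handshake never completed.
    if reply == "SYN/ACK":
        return "open"          # scanner tears it down with an RST
    if reply == "RST":
        return "closed"
    if reply is None or reply.startswith("ICMP unreachable"):
        return "filtered"      # dropped silently or rejected by a firewall
    return "unknown"


def classify_ack_scan(reply: Optional[str]) -> str:
    # ACK probe: a live host answers RST whether the port is open or
    # closed, so this tells you about the firewall, not the service.
    if reply == "RST":
        return "unfiltered"
    if reply is None or reply.startswith("ICMP unreachable"):
        return "filtered"
    return "unknown"


def classify_inverse_scan(reply: Optional[str]) -> str:
    # FIN, NULL and XMAS probes: closed ports answer RST, open ports stay
    # silent, so silence cannot be told apart from a dropping firewall.
    if reply == "RST":
        return "closed"
    if reply is None:
        return "open|filtered"
    if reply.startswith("ICMP unreachable"):
        return "filtered"
    return "unknown"


def classify_idle_scan(ipid_before: int, ipid_after: int) -> str:
    # Zombie's IPID sampled before and after the spoofed SYN. A delta of 2
    # means the zombie sent one RST in between (target answered SYN/ACK,
    # so the port is open); a delta of 1 means the zombie sent nothing
    # (target answered RST, which the zombie ignored). Anything else means
    # the zombie was talking to someone else and the sample is unusable.
    delta = (ipid_after - ipid_before) % 65536  # IPID is a 16-bit counter
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "zombie busy (unusable)"


if __name__ == "__main__":
    print("SYN scan, SYN/ACK back:", classify_syn_scan("SYN/ACK"))
    print("ACK scan, RST back:", classify_ack_scan("RST"))
    print("Idle scan, IPID 1000 -> 1002:", classify_idle_scan(1000, 1002))
```

The idle-scan function also handles the 16-bit wrap-around of the IPID counter, a detail that trips up hand calculations when the zombie's counter is near 65535.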

timing options

are used in Nmap (-T0 through -T5, plus --scan-delay) and allow the tester to set the amount of time between each probe sent to a given host. Slowing the probe rate is used to evade threshold-based intrusion detection and prevention systems (IDS/IPS).


Simple Network Management Protocol (SNMP)

is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, servers, and so on. It consists of a manager and agents. The agent listens on UDP port 161 for requests from the managers and answers them from that port; the manager listens on UDP port 162 for traps (unsolicited notifications) sent by agents.

Octoparse

offers automatic data extraction: it quickly scrapes web data without coding and turns web pages into structured data. Attackers use this tool to capture information from webpages, such as text, links, image URLs, or HTML code

Banner Grabbing

or "OS fingerprinting," is a method used to determine the OS that is running on a remote target system

Ingress filtering

prevents spoofed traffic from entering the Internet. It is applied to routers because it enhances the functionality of the routers and blocks spoofed traffic. Configuring and using ACLs that drop packets with the source address outside the defined range is one method of implementing ingress filtering.

Netcraft

provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning.

Egress filtering

refers to a practice that aims to prevent IP spoofing by blocking outgoing packets whose source address is not within the organization's own address range.

IP Address Decoy:

refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are scanning the network.

NMAP -O

Which of the following parameters enables Nmap's operating system detection feature?

Extract usernames using email IDs:

Every email address contains two parts, a username, and a domain name, in the format username@domainname. The attacker can take advantage of the first part.

hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Firewalls and Timestamps:

TCP Connect

Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the operating system's connect() system call tries to open a connection to every interesting port on the target machine. It needs no raw-socket privileges, so it is what Nmap falls back to when run as an unprivileged user, and because the handshake completes, the target application can log the connection.

One-Way Hash

How does the SAM database in the Windows operating system store the user accounts and passwords?
- The operating system stores all passwords in a protected segment of volatile memory.
- The operating system uses a key distribution center (KDC) for storing all user passwords.
- The operating system performs a one-way hash of the passwords.
- The operating system stores the passwords in a secret file that users cannot find.

Port 500

IPSEC IKE: IP Security Internet Key Exchange Protocol is used for establishing Security Association for IPsec Protocol Suite. IKE uses UDP port ???for establishing security association. Which port?

Brute force Active Directory

If the "logon hours" feature is enabled for a user, attempts at service authentication return distinct error messages, which lets an attacker infer account state (valid user, restricted hours, and so on) while brute forcing.

IDLE/IPID header scan

In which of the following scanning techniques does an attacker send a Spoofed Source address to a computer to determine the available services?

Acknowledgement or "ACK"

It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1," thus implying that the receiver should pay attention to it.

Finish or "FIN"

It is set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.

Synchronize or "SYN"

It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.

TCP/UDP 389

LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. It uses TCP or UDP as its transport protocol over port ??

Random initial sequence numbers:

Most devices choose their ISN from timed counters. This makes the ISNs predictable, because an attacker can easily work out how the ISN is generated and can determine the ISN of the next TCP connection by analyzing the ISN of the current session. If the attacker can predict the ISN, he/she can establish a malicious (spoofed) connection to the server and hijack or sniff your network traffic. To avoid this risk, use random initial sequence numbers.

Hashcat

Multi-device password-cracking tool; it is a cracker compatible with multiple OSs and platforms and can perform multi-hash cracking (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160; etc.).

-r

nbtstat parameter that displays a count of all names resolved by broadcast or by a WINS server

-R

nbtstat parameter that purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file

Port 50

Remote Mail Checking Protocol uses UDP/TCP Port ???

Objectives for scanning a network

1. Discover the network's live hosts, their IP addresses, and the open ports of the live hosts. Using the open ports, the attacker determines the best means of entry into the system.
2. Discover the operating system and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the operating system's vulnerabilities.
3. Discover the services running/listening on the target system. This gives the attacker an indication of service-based vulnerabilities to exploit for gaining access to the target system.
4. Identify specific applications or versions of a particular service.
5. Identify vulnerabilities in any of the network systems. This helps an attacker compromise the target system or network through various exploits.

hping3 -A <IP Address> -p 80

: ACK scan on port 80

hping3 -S <Target IP> -p 80 --tcp-timestamp

: By adding the --tcp-timestamp argument on the command line, hping enables the TCP timestamp option and tries to guess the timestamp update frequency and uptime of the target host.

hping3 -A <Target IP> -p 80

: Performs an ACK scan. By issuing this command, hping checks whether a host is alive on the network: a live host answers the unsolicited ACK with an RST whether the port is open or closed.

hping3 -F -P -U 10.0.0.25 -p 80

: By issuing this command, an attacker can perform FIN, PUSH, and URG scans on port 80 on the target host.

hping3 <Target IP> -Q -p 139 -s

: By using the argument -Q on the command line, hping collects the TCP sequence numbers generated by the target host (used to judge how predictable its ISNs are).

hping3 -1 <IP Address> -p 80

: ICMP ping

hping3 -8 50-60 -S <IP Address> -V

: SYN scan on ports 50-60 (-8 selects scan mode, -V is verbose)

TCP/UDP 53

: The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port ???

hping3 -2 <IP Address> -p 80

: UDP scan on port 80

Infoga

: is a tool used for gathering email account information (IP, hostname, country, etc.) from different public sources (search engines, pgp key servers, and Shodan), and it checks if an email was leaked using the haveibeenpwned.com API

Extract usernames using SNMP

Attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames.

Password Salting

Can defeat Rainbow Tables; is a technique where Random Strings of characters are Added to the password before calculating their hashes. This makes it more difficult to reverse the hashes and defeats precomputed hash attacks.
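A worked example, added here and not from the CEH material, of why salting defeats a precomputed-hash (rainbow table) attack. The "rainbow table" is a constructed dictionary of unsalted SHA-256 digests of three common passwords; the salted scheme uses PBKDF2-HMAC-SHA256 from the Python standard library with a deliberately low iteration count so the demo runs quickly.

```python
"""
Salted versus unsalted password hashing. Example code, not from the CEH
source. The RAINBOW_TABLE below is a constructed stand-in for a precomputed
table: real ones cover billions of candidates, but the lookup logic is the same.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Iteration count kept low so the example runs fast; production code should
# use a much higher count (assumption for this demo, not a recommendation).
ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme rainbow tables target: one fixed digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed precomputed table: digest -> plaintext, so a lookup is O(1).
RAINBOW_TABLE = {unsalted_sha256(p): p for p in ("password", "123456", "letmein")}


def rainbow_lookup(hexdigest: str) -> Optional[str]:
    """Return the plaintext if the digest was precomputed, else None."""
    return RAINBOW_TABLE.get(hexdigest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash with a fresh random salt; the salt is stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Unsalted: the table cracks it instantly.
    print("unsalted lookup:", rainbow_lookup(unsalted_sha256("password")))
    # Salted: same password, two different digests, neither in the table.
    salt_a, digest_a = hash_password("password")
    salt_b, digest_b = hash_password("password")
    print("salted digests differ:", digest_a != digest_b)
    print("salted lookup:", rainbow_lookup(digest_a.hex()))
    print("verify:", verify_password("password", salt_a, digest_a))
```

Because every user gets a different salt, an attacker would need a separate precomputed table per salt value, which removes the whole point of precomputation.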

hping3 192.168.1.103 -Q -p 139 -s

: Collecting initial sequence numbers generated by the target host

Countermeasures used to avoid ping sweep

- Configure the firewall to detect and prevent ping sweep attempts instantaneously
- Use intrusion detection systems and intrusion prevention systems such as Snort (https://www.snort.org) to detect and prevent ping sweep attempts
- Carefully evaluate the type of ICMP traffic flowing through the enterprise networks
- Terminate the connection with any host that is performing more than 10 ICMP ECHO requests
- Use a DMZ and allow only messages such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in the DMZ zone
- Limit the ICMP traffic with Access Control Lists (ACLs) to your ISP's specific IP addresses
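A worked example, added here and not part of the CEH material, of the "more than 10 ICMP ECHO requests" threshold from the list above applied as detection logic over firewall log lines. The log lines and their format are constructed for this example; a real deployment would parse whatever the firewall or IDS actually emits.

```python
"""
Ping-sweep detection over ICMP echo-request log lines. Example code, not
from the CEH source. Log format is a constructed one:
  <timestamp> ICMP echo-request src=<ip> dst=<ip>
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

ECHO_REQUEST = re.compile(r"ICMP echo-request src=(\S+) dst=(\S+)")

# Constructed sample log: 10.0.0.5 probes twelve hosts in one second (a sweep),
# 10.0.0.9 pings a single host three times (normal), plus unrelated replies.
SAMPLE_LOG: List[str] = (
    [f"2024-05-01T10:00:{i:02d} ICMP echo-request src=10.0.0.5 dst=192.168.1.{i}"
     for i in range(1, 13)]
    + [f"2024-05-01T10:01:{i:02d} ICMP echo-request src=10.0.0.9 dst=192.168.1.1"
       for i in range(3)]
    + ["2024-05-01T10:01:05 ICMP echo-reply src=192.168.1.1 dst=10.0.0.9"]
)


def parse_echo_requests(lines: List[str]) -> Dict[str, List[str]]:
    """Map each source IP to the list of destinations it sent echo-requests to."""
    requests: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        match = ECHO_REQUEST.search(line)
        if match:
            src, dst = match.groups()
            requests[src].append(dst)
    return dict(requests)


def detect_ping_sweep(lines: List[str], threshold: int = 10) -> List[str]:
    """Sources sending more than `threshold` echo-requests, as the countermeasure states."""
    requests = parse_echo_requests(lines)
    return sorted(src for src, dsts in requests.items() if len(dsts) > threshold)


def distinct_targets(lines: List[str]) -> Dict[str, Set[str]]:
    """Distinct destinations per source: a sweep fans out, a keepalive ping does not."""
    return {src: set(dsts) for src, dsts in parse_echo_requests(lines).items()}


if __name__ == "__main__":
    print("sweep sources:", detect_ping_sweep(SAMPLE_LOG))
    for src, targets in distinct_targets(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} distinct targets")
```

Counting distinct destinations alongside the raw request count reduces false positives from a monitoring host that legitimately pings one gateway every few seconds.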

