Chapter 5 Scanning

InsightVM

Saint provides enterprise level vulnerability management tools.

Wardialing

Using a modem, the scan dials a large block of phone numbers and attempts to locate other systems connected to a modem. If the modem gets a response, it can establish a connection. Modems are still often used for fax machines and multi-purpose copiers and as a backup for high-speed internet.

What type of scan is used to find system weaknesses such as open ports, access points, and other potential threats?

Vulnerability scan

Vulnerability scan

Vulnerability scans are used to find system weaknesses such as open ports and access points.

A technician is using a modem to dial a large block of phone numbers in an attempt to locate other systems connected to a modem. Which type of network scan is being used?

Wardialing

Half-open scan (nmap -sS IP address)

A half-open scan, also known as a stealth scan, sends an SYN packet to a port. The three-way handshake does not occur because the originating system does not reply with the final ACK. At this point, you have discovered an open port. Because an ACK packet was not sent, a connection was not made, and there is no security log.

Banner grabbing

A method used to gain information about a remote system. It identifies the operating system and other details on the remote system.

ping sweep

A ping sweep scans a range of IPs to look for live systems. ping sweeps help to build a network inventory. However, they can also alert the security system, potentially resulting in an alarm being triggered or the attempt being blocked.

Port scan

A port scan probes a server or host for open ports.

Use a proxy

A proxy serves as a less vulnerable access point to a network. Typically, proxies are placed in networks to keep external users from accessing the internal network. Hackers like proxies because they filter incoming and outgoing traffic, provide you with anonymity, and shield you from possible detection

ACK

Acknowledges the receipt of a packet.

Xmas tree scan (nmap -sX -v IP address)

An Xmas tree scan gets its name because all of the flags are turned on, and the packet is lit up like a Christmas tree. The recipient has no idea what to do with this packet, so either the packet is ignored or dropped. If you get an RST packet, you know the port is closed. If you don't get a response, the port may be open.

Angry IP Scanner

Angry IP Scanner is a network scanner. It scans local and remote networks and returns an IP range via a command-line interface.

Information transmitted by the remote host can be captured to expose the application type, application version, and even operating system type and version. Which of the following is a technique hackers use to obtain information about the services running on a target system?

Banner grabbing

Beyond Trust

Beyond Trust provides a network security scanner that helps to identify vulnerabilities and prioritize solutions. This software is available as a standalone application or part of their larger vulnerability management solution.

Which of the following packet crafting software programs can be used to modify flags and adjust other packet content?

Colasoft

Colasoft

Colasoft is a packet crafting software that can modify flags and adjust other packet content.

CurrPorts

CurrPorts lists all open UDP and TCP/IP ports on your computer. It also provides information about the process that opened the port, the user who created the process, and what time the port was created.

TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection to a system port. Computer 1 sends a SYN packet to Computer 2. Which packet does Computer 2 send back?

SYN/ACK

You want a list of all open UDP and TCP ports on your computer. You also want to know which process opened the port, which user created the process, and what time is was created. Which of the following scanning tools should you use?

Currports lists all open UDP and TCP ports on your computer. It also provides information about which process opened the port, which user created the process, and what time it was created.

PSH

Directs the sending system to send buffered data.

Randy is an ethical hacker student. He has learned how nmap flag manipulation can help find open ports. Although the name of the operating system did not jump right out at him, he might be able to figure it out by reviewing packet information. In a packet, Randy can see a TTL of 255 and a window size of 4128. What type of scanning process is Randy using?

Fingerprinting

URG

Flags a packet as urgent.

Fragment packets

Fragmenting is probably one of the most commonly used methods to avoid detection. You're still sending packets, you're just breaking them apart so intrusion detection systems don't know what they are. As long as you're not bombarding the system, the packet segments float by without concern.

Which of the following best describes the scan with ACK evasion method?

Helps determine whether the firewall is stateful or stateless and whether or not the ports are open.

IP-Tools

IP-Tools has 20 scanning utilities, including SNMP Scanner, UDP Scanner, Trace, Finger, Telnet, IP-Monitor, and Trap Watcher. The program supports multitasking so that you can use all utilities at once. IP-Tools is designed to work on a Windows system.

A hacker finds a target machine but wants to avoid getting caught, so the hacker finds another system to take the blame. This system is frequently called a zombie machine because it's disposable and creates a good distraction. Which of the following port scans is being used?

Idle scan

FIN

Indicates that no additional information will be sent.

Which of the following is a benefit of using a proxy when you find that your scanning attempts are being blocked?

It filters incoming and outgoing traffic, provides you with anonymity, and shields you from detection.

Spoof IP addresses

Many scanning tools have the functionality to recraft the packet so that the source address reflects a different IP address. The scan is sent to the recipient, the feedback is returned to the fake IP address, and there is no record of your IP address sending the requests.

Nessus

Nessus is often considered the industry standard for vulnerability scanning. The software helps to identify software flaws, malware, missing or outdated patches, and configuration errors across a network.

NetAuditor

NetAuditor reports, manages, and diagrams network configurations.

Which of the following is an online tool that is used to obtain server and web server information?

Netcraft

Netcraft

Netcraft is an online tool that is used to obtain server and web server information.

A ping sweep is used to scan a range of IP addresses to look for live systems. A ping sweep can also alert a security system, which could result in an alarm being triggered or an attempt being blocked. Which type of scan is being used?

Network scan

Network scan

Network scans are used to find live computers on a network.

OpenVAS

OpenVAS provides authentication testing, protocol testing, and performance tuning for large-scale networks.

P0f

P0F is a Linux tool that analyzes network traffic and returns information on operating systems. Because it is passively viewing traffic, it is a stealthy method for gathering information.

Joe wants to use a stealthy Linux tool that analyzes network traffic and returns information about operating systems. Which of the following banner grabbing tools is he most likely to use?

P0f

Which of the following flags is used by a TCP scan to direct the sending system to send buffered data?

PSH

Which of the following scans is used to actively engage a target in an attempt to gather information about it?

Port scan

Alex, a security specialist, is using an Xmas tree scan. Which of the following TCP flags will be sent back if the port is closed?

RST

RST

Resets a connection.

You are the IT security administrator, and you are learning to use some ethical hacking tools. Your friend at a partner company asked you to scan his company's public-facing servers to see if they have any obvious vulnerabilities. The Partnernet servers are on the 73.44.216.0 network. In this lab, your task is to: Perform a Zenmap scan using the following information:Network address: 73.44.216.0Subnet mask: Class C Answer the questions.

Scan the 73.44.216.0/24 network Q1Do your friend's public facing servers have any obvious security vulnerabilities?Your answer: YesCorrect answer: Yes Q2Which service vulnerability should be remediated first?Your answer: telnetCorrect answer: telnet Explanation In this lab, your task is to: Perform a Zenmap scan using the following information:Network address: 73.44.216.0Subnet mask: Class C Answer the questions. Complete the following: From the Favorites bar, open Zenmap. At the prompt, type nmap 73.44.216.0/24. Select Scan. Find the network vulnerabilities in the output. In the top right, select Answer Questions. Answer the questions.

Scanning

Scanning is the process of actively engaging with a target in an attempt to gather information about a network.

You are using an iOS device. You want to scan networks, websites, and ports to find open network devices. Which of the following network mapping tools should you use?

Scany

Scany

Scany is a scanner application for iOS devices. It scans networks, websites, and ports to find open network devices. It can obtain domain and network names and includes basic networking utilities such as ping, traceroute, and whois.

SolarWinds Network Topology Manager

SolarWinds Network Topology Manager provides automated network discovery and mapping.

SolarWinds Port Scanner

SolarWinds Port Scanner is a command line tool that provides a list of open, closed, or filtered ports.

SYN

Starts a connection between hosts.

Telnet

Telnet is many hackers' tool of choice for banner grabbing. It operates on port 23. If you type telnet ip_address at a command prompt, you'll send TCP packets to the destination port 23.

Full open scan (nmap -sT IP address)

The full open scan completes a full three-way handshake on all ports. Open ports respond with a SYN/ACK, and closed ports respond with an RST flag, ending the attempt. The down side of this type of scan and the reason that it's not frequently used is that somebody now knows you were there.

Idle scan

The hacker finds a target machine, but wants to avoid getting caught, so, he finds another system to take the blame. The blamed system is called a zombie machine because it's disposable and creates a good distraction. The scan directs all requests through the zombie machine. If that zombie machine is flagged, the hacker simply creates another zombie machine and continues to scan.

NULL scan (nmap -sN IP address)

The packet is sent with no flags set. If the port is open, there is no response. If the ports are closed, an RST response is returned.

FIN scan (nmap -sF IP address)

The packet is sent with the FIN flag set. This allows the packet to pass through firewalls and onto the intended target without attracting much attention. If a port is open, there will be no response. If the port is closed, an RST response is returned.

Which of the following best describes telnet?

The tool of choice for banner grabbing that operates on port 23.

Scan with ACK

This scan will help you determine whether the firewall is stateful or stateless and whether or not the ports are open. In an ACK scan, only the ACK flag is set. If a port is unfiltered, both open and closed ports return an RST packet. If a port is filtered, it either returns an error message or no response at all.

hping3

hping3 sends packets across a network and can also create custom packets that can analyze the host. In addition to the normal ICMP pings, hping3 supports TCP and UDP, has a traceroute mode, and can send and receive files. This tool was primarily designed for the Linux operating system, but does have cross-platform capabilities.

You work for a penetration testing consulting company. Your manager is concerned about the vulnerability of the company's database server that contains the finance and accounting systems. He wants you to perform a port scan with nmap to identify all the open ports on the server (192.168.0.45). In this lab, your task is to perform a port scan using nmap in Terminal.

nmap -p- 192.168.0.45

Nmap can be used for banner grabbing. Nmap connects to an open TCP port and returns anything sent in a five-second period. Which of the following is the proper nmap command?

nmap -sV --script=banner ip_address

nmap

nmap is another tool for banner grabbing. nmap connects to an open TCP port and returns anything sent in a five second period. The command syntax is nmap -sV -script=banner ip_address. The -sV option probes open ports to determine service/version info.

ping

ping uses Internet Control Message Protocol (ICMP) messaging to determine whether a remote system is live.