CEH 5: Scanning
An *Inverse TCP* scan, depending on which flag is set, can also be considered what other two types of scans?
*FIN scan* if only the FIN flag is set and *NULL scan* if no flags are set
Which Nmap flag is used to initiate OS fingerprinting?
-O
What Nmap flag is used for a Ping Sweep?
-PE
The following four flags are for Nmap's *ping scans*. What does each flag mean? -PI -Po -PS -PT
-PI: ICMP ping sweep; -Po: No ping sweep; -PS: SYN ping sweep; -PT: TCP connect ping sweep
Which hping3 flag causes hping3 to collect sequence numbers generated by the target host?
-Q/--seqnum
Which hping3 flag causes hping3 to spoof the source ip address?
-a
Which Nmap flag do you use to fragment a packet?
-f
Which Nmap flag would you use to initiate an *ACK scan*?
-sA
Which Nmap flag is used to initiate a FIN Scan?
-sF
Which Nmap flag would you use to initiate an *Idle Scan*?
-sI <zombie name>
Which Nmap flag would you use to initiate a *DNS/list scan*?
-sL
Which Nmap flag would you use to initiate a *Ping Scan*?
-sP
Which Nmap flag would you use to initiate an *RPC Scan*?
-sR
Which Nmap flag is used to initiate a Stealth/Half-Open Scan?
-sS
Which Nmap flag is used to initiate a Full Open Scan?
-sT
Which Nmap flag would you use to initiate a *Window Scan*?
-sW
Which Nmap flag is used to initiate an *Xmas Tree Scan*?
-sX
What is the range of *well-known* port numbers?
0-1023
What four features does Nmap's *-A* flag enable for you and what are those features' corresponding flags?
1. OS detection (-O) 2. Version detection (-sV) 3. Script scanning (-sC) 4. Traceroute (--traceroute)
Name the three different methods for checking for live hosts in a network.
1. Port Scanning 2. Wardialing 3. Wardriving
What four types of machines often have modems attached?
1. Private branch exchange (PBX) 2. Firewall 3. Router 4. Fax machine
What are the three steps of Idle Scanning?
1. Probe the zombie's IP ID and record it. 2. Forge a SYN packet from the zombie and send it to the target. 3. Probe the zombie's IP ID again. If it is 1 greater than the IP ID that you recorded in #1, then the target is *not alive* because the zombie has only responded to the initial probe sent by the attacker. If it is 2 more than the IP ID that you recorded in #1, then the target is *alive* because the zombie has responded both to your initial probe and has sent a RST to the target in response to the target sending it a SYN-ACK, which was in response to the SYN you sent it (forged to look like it was from the zombie).
What are four war dialing tools?
1. The Metasploit Framework 2. ToneLoc 3. THC-SCAN 4. NIKSUN's PhoneSweep
What is the range of *registered* port numbers?
1024-49151
What is the range of *dynamic* port numbers?
49152-65535
What is the advantage of using a FIN scan over a Stealth/Half-Open scan?
A FIN scan is less obvious and can reliably pass through firewalls without alteration
What type of scan is a Ping Sweep?
A Network Scan
Using a Full Open Scan, what type of response will an attacker receive that indicates the target is not alive?
A RST packet
Using a Stealth/Half-Open Scan, what type of response will an attacker receive that indicates the target is not alive?
A RST packet
What is a *stateful firewall*? What kinds of packets will it drop and which will it pass along?
A firewall that performs stateful packet inspection (SPI), which tracks the *state* of all network connections transiting the device. It will drop any packets not matching a known active connection, and it will pass along any that do match a known active connection.
What is a compromised system that is used to target other systems deeper in the targeted environment?
A pivot point
What is a Full Open Scan?
A scan in which the attacker and victim complete the three-way handshake. *Alive Target*: Attacker -- SYN --> Target; Attacker <-- SYN-ACK -- Target; Attacker -- ACK --> Target; Attacker -- RST --> Target. *Dead Target*: Attacker -- SYN --> Target; Attacker <-- RST -- Target.
What is a Stealth/Half-Open Scan?
A scan in which the attacker doesn't complete the TCP three-way handshake, instead responding to the target's SYN-ACK with a RST. *Alive Target*: Attacker -- SYN --> Target; Attacker <-- SYN-ACK -- Target; Attacker -- RST --> Target. *Dead Target*: Attacker -- SYN --> Target; Attacker <-- RST -- Target.
What is a *DNS/list scan*?
A scan in which the attacker iterates through a list of IP addresses and does a reverse DNS query for each of them.
What is an Xmas Tree Scan?
A scan in which the attacker sends TCP packets that have the FIN, URG, and PSH flags set. *Alive Target*: Attacker -- <FIN, URG, & PSH> --> Target; [... ignored ...]. *Dead Target*: Attacker -- <FIN, URG, & PSH> --> Target; Attacker <-- RST -- Target.
What is a NULL Scan?
A scan in which the attacker sends packets to the victim with *NO* flags set. *Alive Target*: Attacker -- <no flags set> --> Target; [... ignored ...]. *Dead Target*: Attacker -- <no flags set> --> Target; Attacker <-- RST -- Target.
What is a FIN Scan?
A scan in which the attacker sends packets to the victim with only the FIN flag set. *Alive Target*: Attacker -- FIN --> Target; [... ignored ...]. *Dead Target*: Attacker -- FIN --> Target; Attacker <-- RST -- Target.
What is an *Inverse TCP* scan?
A scan in which the attacker sends packets to the victim with only the FIN, URG, or PSH flag set, or with no flags set at all. *Alive Target*: Attacker -- <FIN or URG or PSH, or no flag> --> Target; [... ignored ...]. *Dead Target*: Attacker -- <FIN or URG or PSH, or no flag> --> Target; Attacker <-- RST -- Target.
What is a packet crafter?
A utility designed to create a packet with the flags you specify set on or off
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment is designed to reveal weaknesses present in a network and *not* exploit them, whereas a penetration test is designed to do both.
Which TCP flag's use is to acknowledge the receipt of a packet of information?
ACK
What is the premise behind *Ack Scanning*?
An ACK packet is generally only sent when a connection is being established or in response to some existing TCP connection. An ACK packet that is not tied to an existing TCP connection is considered anomalous and will be dropped by a stateful firewall. If the ACK packet makes it through to the target and back to the attacker with a RST, then there is no SPI present in between them. If the ACK packet is dropped, it indicates the presence of a stateful firewall.
What port does BGP use?
Border Gateway Protocol uses TCP 179
What is *fragmenting*?
Breaking a packet into multiple pieces with the goal of preventing detection devices from seeing what the original un-fragmented packet intends to do
What is Wardialing?
Dialing a block of phone numbers using a standard modem to locate systems that also have a modem attached and accept connections
What is the goal of the Scanning phase?
Discovering live IP addresses and the services running on those hosts
Which TCP flag's use is to tell the remote system that no more information will be sent (gracefully close the connection)?
FIN
Why might an attacker scan through a proxy?
For anonymity
What type of response to a UDP scan indicates a *closed* port?
ICMP "Port Unreachable" message
If you send an ACK packet and there is a stateful firewall in between you and your target, what type of response are you likely to receive?
None; this shows up as an ICMP error message or as a port labeled "filtered" in Nmap.
Which TCP flag's use is to instruct the sending system to send all buffered data immediately?
PSH (push it through, man!)
Which TCP flag's use is to reset a connection (not gracefully)?
RST
Which TCP flag's use is to initiate a connection between two hosts to facilitate communication?
SYN
Map the TCP flag to its corresponding hping3 flag.
SYN: -S; ACK: -A; URG: -U; PSH: -P; FIN: -F; RST: -R
What is *active OS fingerprinting*?
Sending specially crafted packets to a target and analyzing the response for details that will identify the OS
What is *passive OS fingerprinting*?
Sniffing traffic and analyzing the packets you see for details that will identify the OS
What ports does LDAP use?
TCP & UDP 389
Which port does POP3 use?
TCP 110
Which port does RPC use?
TCP 135
Which port does IMAP use?
TCP 143
What port does SMB use?
TCP 445
Which is generally considered faster, TCP or UDP scanning?
TCP scanning
Which two fields can you look at when *ACK Scanning* to determine if a host is alive?
TTL or Window fields
What is the most common tool for banner grabbing?
Telnet
What is *Ack Scanning* designed for?
Testing for the presence of stateful packet inspection
Which HTTP field might you look at to determine the sender's OS?
The User-Agent field
You're *ACK Scanning* a target and receive the following response: a RST packet with a Window size of 0. Is the port open or closed?
The port is closed. Had the Window size != 0, the port would be open.
You're *ACK Scanning* a target and receive the following response: a RST packet with a TTL < 64. Is the port open or closed?
The port is open. Had the TTL >= 64, the port would be closed.
What is *banner grabbing*?
The process of determining information about the services running on a system
What is a *Network Scan*?
The process of scanning a network with the intent of discovering live hosts.
What is a *Vulnerability Scan*?
The process of scanning a system to identify vulnerabilities.
What is *Port Scanning*?
The process of sending carefully crafted packets to a target computer with the intent of learning what services it is offering, and from there being able to categorize its purpose in the network.
You've analyzed a captured packet and noted its IP TTL, IP ID, TCP Window size, and TCP options. What can you ascertain from this type of information?
The sender's OS
How a target responds to an Xmas scan can be an indicator of what?
The target's operating system
Tenable's Nessus and Rapid7's Nexpose are what type of scanners?
They are Vulnerability Scanners
Which ports does NetBIOS use?
UDP 137 & 138, TCP 139
Which ports does SNMP use?
UDP 161, 162
What port does syslog use?
UDP 514 or TCP 6514
What port does DHCP use?
UDP 67
Which port does TFTP use?
UDP 69
Which TCP flag's use is to indicate that the data contained in the packet is urgent and should be processed immediately?
URG
What is an Idle Scan?
When an attacker bounces their scan off another host (commonly called a zombie) and then on toward the target. If anyone investigates, it will appear as if the zombie was the one initiating the scan, not the attacker.
Which tool can be used to craft ICMP, TCP, UDP, and RAW-IP packets?
hping3
Which hping3 flag causes hping3 to run in ICMP mode and act like the basic 'ping' tool?
hping3 -1 <target IP>
Which hping3 flag causes hping3 to run in UDP mode?
hping3 -2 <target IP>
Which hping3 flag causes hping3 to run in *port scan* mode?
hping3 -8 <low port>-<high port>
Which hping3 flag causes hping3 to run in *signature listen* mode, where it sniffs an interface and notifies you whenever data from a particular application layer protocol crosses the wire?
hping3 -9 <application protocol> -I <network interface>
Which hping3 flag causes hping3 to flood the target with the specified type of TCP packet?
hping3 <TCP flag(s)> <target IP> -p <port> --flood
Which tool might you use to perform *passive OS fingerprinting*?
p0f
What port does IPP use?
Internet Printing Protocol uses TCP 631
What is the purpose of TCP's *sequence number*?
It allows the communicating systems to keep the segments in order. Each endpoint has its own *sequence number*, which it increments each time it sends a segment. The receiver replies with an *acknowledgement number* that is the *sequence number* it expects from the sender the next time the sender transmits. This allows each endpoint to put the other's segments back together [alice -- seq=1 --> bob, alice <-- seq=40, ack=2 -- bob, alice -- seq=2, ack=41 --> bob, alice <-- seq=41, ack=3 -- bob]
What is the benefit of a Stealth/Half-Open scan over a Full Open Scan?
It is less obvious to firewalls, IDSs, and IPSs
What is the primary downside to Idle Scanning in comparison to other types of more direct scanning?
It is significantly slower
Which tool is considered the definitive port scanning tool?
Nmap
Which tool might you use to perform *active OS fingerprinting*?
Nmap
What type of response to a UDP scan indicates an *open* port?
No response
Using an Xmas Tree Scan, what type of response will an attacker receive that indicates the target is alive?
No response at all; modern systems will ignore the attacker, indicating life. Not all systems respond the same way, though. Same response as FIN and NULL scans.
Using a NULL Scan, what type of response will an attacker receive that indicates the target is alive?
No response at all; modern systems will ignore the attacker, indicating life. Not all systems respond the same way, though. Same response as Xmas Tree and FIN scans.
Using a FIN Scan, what type of response will an attacker receive that indicates the target is alive?
No response at all; modern systems will ignore the attacker, indicating life. Not all systems respond the same way, though. Same response as Xmas Tree and NULL scans.