Day 1 - Chapter 3
-Pn
(also known as No ping) Assume the host is up, thus skipping the host discovery phase, whereas P0 (IP Protocol Ping) sends IP packets with the specified protocol number set in their IP header.
TCP Sequence Ability Test
Active banner grabbing to fingerprint OS. This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (also known as TCP ISN sampling), the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. It sends six TCP packets with the SYN flag enabled to an open TCP port.
Inverse TCP Flag Scan
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.
ACK Flag Probe Scan
Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed. exploits the vulnerabilities within the BSD-derived TCP/IP stack. Thus, such scanning is effective only on those OSs and platforms on which the BSD derives TCP/IP stacks.
SCTP INIT Scanning
Attackers send an INIT chunk to the target host, and an INIT+ACK chunk response implies that the port is open, whereas an ABORT Chunk response means that the port is closed. No response from the target or a response of an ICMP unreachable exception indicates that the port is a Filtered port
-sF
FIN scan
Random initial sequence numbers
Most devices choose their ISN based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to determine the concept of generating the ISN. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he/she can establish a malicious connection to the server and sniff out your network traffic. To avoid this risk, use random initial sequence numbers.
-sY
SCTP INIT scan)
-sA
TCP ACK scan)
-sN
TCP NULL scans)
-sS
TCP SYN/Stealth scan)
-sW
TCP Window scan)
-sT
TCP connect scan)
IDLE/IPID Header Scan
TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available. It offers complete blind scanning of a remote host. Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port
-sn (No port scan)
This option tells Nmap not to do a port scan after host discovery and only print out the available hosts that responded to the host discovery probes. This is often called a ping sweep.
-A
This options makes Nmap make an effort in identifying the target OS, services, and the versions. It also does traceroute and applies NSE scripts to detect additional information.
TCP Maimon scan
This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe
ICMP Address Mask Ping Scan
This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping
List Scanning
This type of scan simply generates and prints a list of IPs/Names without actually pinging them. A reverse DNS resolution is performed to identify the host names
-sU
UDP scans)
-sX
Xmas scan
ICMP ECHO Ping Sweep
a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts (computers). Although a single ping will tell the user whether a specified host computer exists on the network, this consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply.
Access control lists (ACLs)
blocks unauthorized access by specifying which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
TCP Connect scan
detects when a port is open after completing the three-way handshake. establishes a full connection and then closes the connection by sending an RST packet
ICMP ping
hping3 -1 10.0.0.25
Scan entire subnet for live host
hping3 -1 10.0.1.x --rand-dest -I eth0
UDP scan on port 80
hping3 -2 10.0.0.25 -p 80
SYN scan on port 50-60
hping3 -8 50-56 -S 10.0.0.25 -V
Intercept all traffic containing HTTP signature
hping3 -9 HTTP -I eth0
ACK scan on port 80
hping3 -A 10.0.0.25 -p 80
FIN, PUSH, and URG scan on port 80
hping3 -F -P -U 10.0.0.25 -p 80
SYN flooding a victim
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
Firewalls and timestamps
hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Collecting initial sequence number
hping3 192.168.1.103 -Q -p 139 -s
Stealth Scan
involves abruptly resetting the TCP connection between the client and server before the completion of three-way handshake signals, thus leaving the connection half-open. scanning involves abruptly resetting the TCP connection between the client and server before the completion of three-way handshake signals, thus leaving the connection half-open
ICMP ECHO Ping Scan
involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.
SSDP Scanning
network protocol that works in conjunction with the UPnP to detect plug and play devices. Vulnerabilities in UPnP may allow attackers to launch Buffer overflow or DoS attacks. Attacker may use the UPnP information discovery tool to check if the machine is vulnerable to UPnP exploits or not
-sL
option is used to perform a list scan.
-sZ
option is used to perform the SCTP COOKIE ECHO scan.
-O
option turns on Nmap's OS fingerprinting system. Used alongside the -v verbosity options, you can gain information about the remote operating system and about its TCP sequence number generation (useful for planning idle scans).
Ingress filtering
prevents spoofed traffic from entering the Internet. It is applied to routers because it enhances the functionality of the routers and blocks spoofed traffic. Configuring and using ACLs that drop packets with the source address outside the defined range is one method of implementing
Egress filtering
refers to a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address that is not inside.
UDP Ping scan
similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host.