Module 03: Scanning Networks


Window-based ACK Flag Probe scanning

If the window value of the RST packet received for a particular port is non-zero, then that port is open

TTL-based ACK Flag Probe scanning

If the TTL value of the RST packet received for a particular port is less than the boundary value of 64, then that port is open

ICMP Timestamp and Address Mask Ping Scan

These techniques are alternatives for the traditional ICMP ECHO ping scan and are used to determine whether the target host is live, specifically when the administrators block ICMP ECHO pings

SSDP Scanning

1) A network protocol that works in conjunction with UPnP to detect plug-and-play devices
2) Vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks
3) Attackers may use the UPnP SSDP M-SEARCH information discovery tool to check whether a machine is vulnerable to UPnP exploits

Source Routing

1) As a packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet towards its destination
2) Source routing refers to sending a packet to the intended destination with a partially or completely specified route in order to evade an IDS or firewall
3) The attacker makes some or all of the routing decisions that would normally be made by the router

SCTP COOKIE ECHO Scanning

1) Attackers send a COOKIE ECHO chunk to the target host; no response implies that the port is open, whereas an ABORT chunk response means that the port is closed
2) It is not blocked by non-stateful firewall rulesets
3) Only a good IDS will be able to detect SCTP COOKIE ECHO chunks

ACK Flag Probe Scan

1) Attackers send TCP probe packets with the ACK flag set to a remote device, and then analyze the header information of the received RST packets to determine whether the port is open or closed
2) Can also be used to check the filtering system of a target
3) Attackers send an ACK probe packet with a random sequence number; no response implies that the port is filtered, whereas an RST response means that the port is not filtered

Xmas Scan

1) Attackers send a TCP frame to a remote device with the FIN, URG and PUSH flags set
2) FIN scanning works only with OSes that use an RFC 793-based TCP/IP implementation
3) It will not work against any current version of Microsoft Windows

SCTP INIT Scanning

1) Attackers send an INIT chunk to the target host; an INIT + ACK chunk response implies that the port is open, whereas an ABORT chunk response means that the port is closed
2) No response from the target, or an ICMP unreachable response, indicates that the port is filtered

Passive Banner-grabbing

1) Banner grabbing from error messages
2) Sniffing the network traffic
3) Banner grabbing from page extensions

How to identify target system OS

1) By looking at the Time To Live (TTL) and TCP window size in the IP header of the first packet in a TCP session
2) Sniff/capture the response generated by the target machine using a packet-sniffing tool such as Wireshark and observe the TTL and TCP window size fields

IP address spoofing

1) Changing the source IP address so that the attack appears to be coming from someone else
2) When the victim replies to the address, the reply goes to the spoofed address rather than the attacker's real address
3) Attackers modify the address information in the IP packet header and the source address bits field in order to bypass the IDS or firewall

Disabling or Changing Banner

1) Displaying false banners to mislead or deceive attackers
2) Turning off unnecessary services on the network host to limit the disclosure of information
3) Using ServerMask

IDLE/IPID header scan

1) Every IP packet on the internet has a fragment identification number (IPID); an OS increases the IPID for each packet sent, so probing the IPID gives an attacker the number of packets sent since the last probe
2) A machine that receives an unsolicited SYN | ACK packet will respond with an RST; an unsolicited RST will be ignored

Hiding File extensions from web pages

1) File extensions reveal information about the underlying server technology that an attacker can utilize to launch attacks
2) Hide file extensions to mask web technologies
3) Change application mappings to disguise the identity of servers

Service Version Discovery

1) Helps attackers obtain information about the running services and their versions on a target system
2) Obtaining an accurate service version number allows attackers to determine the vulnerability of the target system to particular exploits
3) In Zenmap, the -sV option is used to detect service versions

IPv6 Scanning

1) IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of address hierarchy
2) Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: header lines in archived emails
3) Attackers can use the -6 option in Zenmap to perform IPv6 scanning

ICMP ECHO Ping Scan

1) Involves sending ICMP ECHO requests to a host; if the host is live, it will return an ICMP ECHO reply
2) This scan is useful for locating active devices or determining whether ICMP is passing through a firewall

Stealth Scan (Half-open scan)

1) Involves abruptly resetting the TCP connection between the client and server before the three-way handshake completes, thus leaving the connection half-open
2) Attackers use stealth scanning techniques to bypass firewall rules as well as logging mechanisms, and to hide themselves under the appearance of regular network traffic

Drawing of network diagrams

1) Provides an attacker with valuable information about the network and its architecture
2) Shows the logical or physical path to a potential target

Network Scanning

1) Refers to a set of procedures used for identifying hosts, ports, and services in a network
2) One of the components of intelligence gathering, which can be used by an attacker to create a profile of the target organization

IP address Decoy

1) Refers to generating or manually specifying the IP addresses of decoys in order to evade an IDS or firewall
2) It appears to the target that the decoys as well as the real host(s) are scanning the network
3) This technique makes it difficult for the IDS or firewall to determine which IP address was actually scanning the network and which IP addresses were decoys

Source Port Manipulation

1) Refers to replacing the actual source port numbers with common port numbers in order to evade an IDS or firewall
2) It works when a firewall is configured to allow packets from well-known ports such as HTTP, DNS, FTP, etc.
3) Nmap uses the -g or --source-port options to perform source port manipulation

Packet Fragmentation

1) Refers to splitting a probe packet into several small packets while sending it to a network
2) It is not a new scanning method but a modification of the previous techniques
3) The TCP header is split across several packets so that packet filters are not able to detect what the packets are intended to do

List Scanning

1) Simply generates and prints a list of IPs/names without actually pinging them
2) A reverse DNS resolution is performed to identify the host names

Active banner-grabbing

1) Specially crafted packets are sent to the remote OS and the responses are noted
2) The responses are then compared with a database to determine the OS
3) Responses from different OSes vary due to differences in their TCP/IP stack implementations

TCP Connect/Full Open Scan

1) The TCP Connect scan detects that a port is open after completing the three-way handshake
2) Establishes a full connection and then closes it by sending an RST packet
3) It does not require superuser privileges

OS Discovery/ Banner Grabbing

1) The method used to determine the operating system running on a remote target system
2) Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities possessed by the system and the exploits that might work on it to further carry out additional attacks

UDP Port Closed

1) The system responds with an ICMP port unreachable message
2) Spyware, Trojan horses, and other malicious applications use UDP ports

UDP port Open

1) There is no three-way TCP handshake in UDP scanning
2) The system does not respond with a message when a port is open

Objectives of network scanning

1) To discover live hosts, IP addresses, and open ports of live hosts
2) To discover operating systems and system architecture
3) To discover services running on hosts
4) To discover vulnerabilities in live hosts

ICMP ECHO Ping Sweep

1) Used to determine the live hosts in a range of IP addresses by sending ICMP ECHO requests to multiple hosts; if a host is alive, it will return an ICMP ECHO reply
2) Attackers calculate subnet masks by using a subnet mask calculator to identify the number of hosts that are present in the subnet
3) Attackers subsequently use a ping sweep to create an inventory of live systems in the subnet

Proxy Server

An application that can serve as an intermediary for connecting with other computers

ARP Ping Scan

Attackers send ARP request probes to target hosts, and an ARP response indicates that the host is active

TCP Maimon Scan

Attackers send FIN/ACK probes, and if there is no response, then the port is Open | Filtered, but if an RST packet is sent in response, then the port is closed

Inverse TCP flag scan

Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags, where no response implies that the port is open, whereas an RST response means that the port is closed

UDP Ping Scan

Attackers send UDP packets to target hosts, and a UDP response indicates that the host is active

TCP ACK Ping Scan

Attackers send empty TCP ACK packets to a target host, and an RST response means that the host is active

TCP SYN Ping Scan

Attackers send empty TCP SYN packets to a target host, and an ACK response means that the host is active

IP Protocol Ping Scan

Attackers send various probe packets to the target using different IP protocols, and any response from any probe indicates that a host is active

IDS/Firewall Evasion Techniques

An IDS or firewall can prevent malicious traffic (packets) from entering a network; attackers may still manage to send their intended packets to the target by evading the IDS or firewall

Host discovery Techniques

Used to identify the active/live systems in the network
