Ethical Hacking Lecture 3: Target Scanning

Questions and Answers

What is a threat in the context of security?

A security vulnerability that has not yet been exploited.

A set of security controls that are designed to mitigate vulnerabilities.

An action or event that could cause harm to a system or asset. (correct)

A group of individuals who are actively trying to exploit vulnerabilities.

What is the purpose of running your own scans to identify what is visible on your network?

To identify all of the devices that are connected to your network.

To test the performance of your network infrastructure.

To discover potential vulnerabilities that could be exploited by attackers. (correct)

To assess the effectiveness of your firewall.

What is the purpose of network segmentation?

To reduce the risk of data breaches. (correct)

To increase the capacity of the network.

To improve network performance.

To make it easier to manage network devices.

Which of the following is NOT a method mentioned in the text for preventing information gathering by attackers?

Implementing multi-factor authentication. (B)

What is the main goal of responsible disclosure?

To promote transparency and accountability in security. (C)

Which of the following is NOT a step listed in the Penetration Testing Framework?

Social Engineering. (A)

When is a threat considered practical?

When it has been successfully exploited in a real-world attack. (D)

Which of the following is an example of a security measure against active information gathering?

Network segmentation. (A)

Which of the following is NOT a valid example of passive information gathering?

Using a vulnerability scanner to identify open ports on a target's network (C)

Which countermeasure is specifically designed to protect against the use of the Wayback Machine?

Reviewing public sources of information (B)

What is the purpose of 'banner grabbing' in the context of active information gathering?

To extract information about services running on a target host (B)

Which of the following is NOT considered a point of entry for an attacker or pentester?

Operating system configurations (B)

Which of the following tools can be used for port scanning?

All of the above (D)

What is the difference between a TCP port scan and a UDP port scan?

TCP scans send SYN packets, while UDP scans send UDP packets (D)

Which of the following is a common misconception about passive information gathering?

It is always easy to detect (D)

Which of the following is NOT a type of scan commonly performed by security professionals?

Network mapping scan (C)

Which of the following is NOT a typical piece of information obtained from a service banner?

User Account Information (B)

What makes banner grabbing a valuable technique for security professionals?

It can help detect outdated software versions. (A)

Which tool is commonly used for banner grabbing due to its flexibility and wide range of networking capabilities?

Netcat (B)

What is the primary method used for banner grabbing?

Establishing a TCP connection and reading the response. (A)

Which of these protocols can be used for Banner Grabbing?

All of the above (D)

What is the core concept behind the notion of threats?

The potential for something to cause harm, even if there's no intentional actor involved. (A)

Which of the following is NOT a defining characteristic of threats as discussed in the provided content?

They are always tangible entities that can be easily identified. (D)

What is a key difference between a threat and a vulnerability?

Threats represent the potential for harm, while vulnerabilities are the weaknesses that allow that harm. (C)

According to the provided content, what is the significance of threat modeling in security?

It helps identify and prioritize threats for the purpose of developing effective security measures. (A)

What is the primary function of the MS SDL Threat Modeling Tool?

To identify and analyze potential threats within a software development lifecycle. (A)

What is a potential challenge when using MS SDL Threat Modeling?

Interpretations of potential threats by different security professionals may vary. (D)

What does OSINT stand for?

Open Source Intelligence (B)

What is the primary purpose of banner grabbing?

To gather basic information about a target system. (B)

What is the primary goal of intelligence gathering during a penetration test?

To gain as much information about the target as possible, which can be used in later phases of the penetration test. (C)

Which of the following is NOT a feature of active information gathering?

It relies solely on publicly available information. (A)

What is a key advantage of passive information gathering?

It allows for gathering information without being detected by the target. (D)

What type of OSINT activity could potentially be considered semi-passive?

Querying publicly available DNS records for the target domain. (A)

Which information gathering technique is considered part of active information gathering?

Performing a port scan to identify open services on the target server. (B)

A penetration tester is trying to gather information about a target organization. Which approach would likely NOT be considered active information gathering?

Analyzing publicly available data on the target organization's website. (A)

How can active information gathering aid in identifying vulnerabilities in a target system?

By providing insights into the target's attack surface and potential attack vectors. (C)

Why is it generally recommended to perform information gathering before vulnerability analysis during a penetration test?

To understand the target's attack surface and prioritize the most relevant vulnerabilities for analysis. (A)

Flashcards

Active Information Gathering

Collecting information directly from a target to plan attacks.

Passive Information Gathering

Collecting information without alerting the target, often using archived data.

Semi-Passive Information Gathering

Gathering data that simulates normal internet behavior without raising suspicion.

OSINT

Open Source Intelligence; information gathered from publicly available sources.

Penetration Testing Framework

Structured process for testing security through multiple phases.

Information Gathering Phase

Initial stage of penetration testing where data on the target is collected.

Threat Modelling

Identifying potential threats and vulnerabilities in a system.

Vulnerability Analysis

Assessment of a system to find weaknesses that can be exploited.

Banner Grabbing

A method to obtain information from a service's response, revealing its identity and version.

Service Identification

Determining the type of service running based on the banner information.

Telnet

A tool used to connect to a port to read the returned banner.

Netcat (nc)

Versatile tool for reading banners and performing other networking tasks.

Nmap

Network scanning tool that includes scripts specifically for banner grabbing.

Network Segregation

Dividing a network into segments to enhance security and reduce scanning ease.

Responsible Disclosure

A method of reporting security vulnerabilities to allow vendors to fix issues before public disclosure.

Firewall

A security system that controls incoming and outgoing network traffic based on predetermined security rules.

Log Analysis

The examination of logs to identify abnormal behaviors and security incidents.

Banners Removal

The practice of eliminating information displayed by services to prevent information leakage about a system.

Threat Definition

A potential cause of an unwanted incident that may harm a system or asset.

Countermeasures

Actions taken to mitigate the risks of information gathering.

WHOIS Database

A database that stores registered users or assignees of a domain name.

Target Scanning

The process of discovering hosts, ports, and services on a network.

Operating System Discovery

The process of determining the OS running on a networked device.

Threat

An entity that wants to do harm to you or something you care about.

Vulnerability

A weakness that can be exploited to cause harm.

Asset

Something valuable that needs protection from threats.

Security Problem Components

Includes threats, vulnerabilities, and assets.

MS SDL Threat Modelling Tool

A tool by Microsoft to help manage and mitigate threats.

Interpretation Challenges

Different engineers may interpret threat models in various ways.

OSINT Types

Open-source intelligence methods for gathering information.

Study Notes

Ethical Hacking and Penetration Testing - Lecture 3

• Lecture focuses on Target Scanning (active information gathering) and Threat Modeling
• The lecture outlines a penetration testing framework including pre-engagement interactions, information gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.
• OSINT types are categorized into passive, semi-passive, and active information gathering.
• Passive information gathering is generally useful when targeting activity needs to be undetected
• This involves collecting archived information from third-party sources.
• Semi-passive involves gathering data that appears like normal internet behavior.
• This does not include port scanning or crawler techniques
• The goal is to collect metadata to avoid attracting attention during the reconnaissance activities
• Active information gathering is performed to identify the infrastructure
• This includes actively searching for open services, unpublished directories, files, and servers.
• Target scanning includes host discovery, port scanning, and operating system discovery.
• Scanners like Nmap, Netcat and Superscan are discussed
• Banner grabbing is a technique used to gather information about a computer system by connecting to a service and reading the banner returned.
• Information gathered via banners provide details on services, software version, and operating systems.
• Tools like Telnet and Netcat support banner grabbing
• Countermeasures against active information gathering include network topology design for difficulty in scanning, disabling unnecessary services, using firewalls, and implementing network intrusion detection systems to reduce exposure.
• Countermeasures against passive information gathering include reviewing public information sources prior to publication, employing anonymous identities, considering private domain registration, checking files/pages for metadata and be aware of archives like WayBack Machine
• The framework for penetration testing includes pre-engagement interactions, initial assessment, threat modeling, vulnerability analysis, Exploitation and post exploitation, and reporting.
• Threat modeling assesses threats to assets, and approaches include attacker-centric (understanding attack methods), software-centric (assessing softwar vulnerabilities), and asset-centric (examining the value of each asset).
• Microsoft SDL is a threat modeling technique used by developers to enhance security design.
• Steps include system description, creation of checklists, impact assessment and countermeasure planning
• Tools such as the MS SDL threat modelling tool are available to support the process
• The concept of responsible disclosure is presented along with the potential rewards for vulnerability discoveries

Lab Activities

• Students are required to complete Week 3 lab activities on active information gathering using Nmap for target scanning.
• The lab will utilize both Kali Linux and Metasploitable virtual machines.
• The MySay module survey is to be completed.
• Review the coursework specification document and clarify any related questions.

Reading List

• Recommended resources for further research.

Next Week

• A preview of the topics to be covered in the following week, namely Vulnerability Assessment and coursework review.

Description

This lecture delves into target scanning and threat modeling as part of ethical hacking and penetration testing. Key topics include the penetration testing framework, types of OSINT, and different methods of information gathering—passive, semi-passive, and active. Understand how to conduct effective reconnaissance while minimizing exposure.