Network Scanning Techniques Quiz
48 Questions

Questions and Answers

What is the key difference between a Full Open Scan and a Stealthy Scan?

  • A Full Open Scan sends an RST packet in the third step, while a Stealthy Scan sends an ACK packet.
  • Stealthy Scan is less accurate compared to Full Open Scan.
  • A Full Open Scan uses a three-way handshake, while a Stealthy Scan only uses two packets. (correct)
  • A Full Open Scan is detectable by security devices, while a Stealthy Scan is undetectable.

Which of the following is NOT a type of TCP flag scanning?

  • ACK Flag Probe Scan (correct)
  • Xmas Scan
  • NULL Scan
  • FIN Scan

Which UDP scanning technique ensures that the targeted host is live and the connection is complete?

  • Full Open Scan (correct)
  • FIN Scan
  • Stealthy Scan
  • NULL Scan

What response does an ACK Flag Probe Scan elicit from the target regardless of the port's status?

RST (D)

Which of the following scanning techniques uses a Zombie's system to perform the scan?

IDLE/IPID Header Scan (D)

How can a TTL (Time-to-Live) or WINDOW field in an RST packet help determine a port's status in an ACK Flag Probe Scan?

Different values correlate to specific port statuses, revealing if the port is open or closed. (A)

Which scan technique is considered to be the most low-profile and effective in identifying open ports?

IDLE/IPID Header Scan (C)

What is the primary advantage of using an Idle/IPID Header Scan?

It is very difficult to detect. (D)

What is the primary purpose of firewalls in network security?

To filter incoming and outgoing network traffic based on rules (C)

Which type of firewall actively monitors connections to ensure packets belong to valid sessions?

Stateful Firewalls (A)

What technique does Intrusion Prevention Systems (IPS) use to actively block malicious traffic?

Signature-Based Detection (B)

How does network segmentation help defend against scanning?

By dividing a network into smaller subnets to limit visibility (B)

What is a primary function of honeypots in network security?

To lure attackers away from real targets (D)

Which of the following is NOT a technique used by Intrusion Detection Systems (IDS)?

Traffic Filtering (A)

What do honeypots and honeytokens have in common?

Both deceive attackers to collect information (A)

What is the role of VLANs in network segmentation?

To separate sensitive systems from general network traffic (D)

What is the primary risk associated with read-write community strings?

They enable attackers to extract data and change configurations. (B)

What function does the SNMP agent perform on a network device?

It responds to manager queries and sends traps for events. (A)

Which of these is NOT a recommended countermeasure for SNMP security?

Allow unrestricted SNMP traffic from external networks. (C)

What type of object does a scalar MIB object represent?

A single object instance. (A)

Which tool is specifically designed for network monitoring and troubleshooting?

SolarWinds Engineer’s Toolset (C)

What is the purpose of the management station in an SNMP setup?

To consolidate information about network devices. (D)

Which of the following describes a default community string?

Easily guessed strings like 'admin' or 'user'. (C)

What component is responsible for displaying collected SNMP data?

SNMP Manager (B)

Which social engineering technique involves secretly listening to private conversations?

Eavesdropping (A)

What is the primary benefit of being the first to engage in a battle, according to Sun Tzu?

The first to engage will be physically refreshed for the fight. (C)

What is the primary function of transforms in Maltego?

Identifying connections between entities (A)

Which of the following is NOT part of a defense strategy?

Disarm the attacker (C)

Which type of data can Maltego help analyze and visualize?

Data types like domain names and IP addresses (A)

In the context of deception in warfare, what is meant by 'hiding the nature of your organization'?

Misleading the enemy about your capabilities and intentions. (A)

What is a common use case for Maltego in online investigations?

Connecting diverse data points like DNS records (B)

Which tactic involves using obvious targets to draw attention away from critical assets?

Deceive (D)

Which of the following is NOT a method used in social engineering?

Maltego Visualization (D)

According to Sun Tzu, what should one appear to be when one is actually near the enemy?

Distant (C)

Which approach is used to create a false sense of security for an attacker?

Utilizing Honeyd/Tarpit to fake services (B)

What should a user do to utilize the basic features of Maltego?

Create an account and register for the Community Edition (C)

Which of the following is an example of targeted information gathering with Maltego?

Identifying names of employees in a target organization (B)

What is the essence of the deception defense strategy?

To shift the problem to others or obscure accountability. (C)

How does Maltego support chaining transforms?

By automating complex information-gathering tasks (C)

Which of the following is a way to 'resist' an attacker?

Installing smoke detectors (B)

Which protocol is used for quick, unauthenticated file transfers and operates on UDP port 69?

TFTP (D)

What is a potential risk associated with using TFTP?

It lacks authentication, making it vulnerable to unauthorized access. (B)

What is the primary function of HTTP Enumeration?

Determining the type and version of a web server. (A)

Which of the following is a technique commonly used for HTTP Enumeration?

Using "nc" to send HTTP requests to a web server. (D)

What is a countermeasure against HTTP Enumeration?

Modifying server banners to hide version information. (D)

What is the purpose of Rwho (Remote Who)?

To identify users currently logged into a remote system. (C)

Why is it important to disable TFTP unless strictly necessary?

TFTP lacks authentication, making it vulnerable to unauthorized access. (C)

What is the recommended alternative for TFTP in secure environments?

SFTP (C)

    Flashcards

    Eavesdropping

    A method of gathering information by eavesdropping on conversations or listening in on phone calls.

    Shoulder surfing

    This method involves observing people while they enter information like passwords or credit card details.

    Dumpster diving

    This technique focuses on searching through trash for discarded documents or information that can be used for malicious purposes.

    Impersonation

    This is a method of pretending to be someone else, often an authority figure, to gain access to information or systems.

    What is Maltego?

    Maltego is a data mining tool used to analyze and visualize relationships between people, organizations, and information.

    Deception Defense

    Strategies that aim to mislead attackers about the nature of the organization, its assets, or its activities.

    List View in Maltego

    Maltego displays data in a table format for analysis and filtering.

    Graph View in Maltego

    Maltego uses nodes (entities) and edges (connections) to visualize relationships between pieces of data.

    Frustrating Attackers

    Techniques used to make an attack less effective, such as using decoy targets or deploying fake servers to distract.

    Resisting Attackers

    Employing security measures to directly resist an attack, like firewalls, intrusion detection systems, or access controls.

    Transforms in Maltego

    These are pieces of code that Maltego uses to access and connect data from different sources and build relationships.

    Recognizing and Responding

    Recognizing patterns of an attack and responding accordingly, like detecting suspicious activity or triggering alarms.

    Deception in Network Security

    The idea that an attack can be more effectively addressed by making the attacker believe it's someone else's problem or not worth targeting.

    Honeyd

    A false target designed to attract an attacker's attention.

    Tarpit

    A type of computer system designed to waste an attacker's time and resources while providing little useful information.

    Making an Attack 'No One's Problem'

    Making an attack appear as if it is not worth targeting or that the attacker will not gain significant advantage.

    Read-Only Strings

    Allow attackers to read network data without making changes. This is often used for passive reconnaissance.

    Read-Write Strings

    Allow attackers to read and modify network data. This poses a higher risk of unauthorized control.

    SNMP Trap

    Mechanism where network devices send alerts (traps) to a monitoring tool like InterMapper.

    SNMP Management Station

    A central system that collects network information from various devices.

    Management Information Base (MIB)

    Virtual database that organizes network information in a hierarchical structure for easy management.

    SNMP Manager

    Software application on the management station that displays network data, sends requests to devices, and processes responses or alerts.

    SNMP Agent

    Software running on a network device that responds to manager queries and sends alerts when events occur.

    SNMP Client

    Software that runs on the management station and sends requests to devices.

    Full Open Scan

    A type of TCP scan where both the attacker and the target complete the three-way handshake, establishing a full connection. This scan can be easily detected by security software such as firewalls and intrusion detection systems.

    Stealthy Scan (Half-open Scan)

    A type of TCP scan that intentionally sends a RST (reset) packet instead of an ACK (acknowledgement) packet in the third step of the three-way handshake. This behavior allows detection of open ports by the absence of the RST packet.

    Inverse TCP Flag Scanning

    A TCP scan where the attacker sends various TCP packets with different flags (urgent, push, and finish) to probe the target. The response to the packet determines whether the port is open or closed.

    ACK Flag Probe Scanning

    A TCP scan that sends a packet with the ACK flag set to the target. This scan targets the target's firewall instead of the port itself. Its purpose is to identify the presence and type of firewall, and it also provides information about port filtering on the firewall.

    IDLE/IPID Header Scan

    A type of TCP scan that leverages a zombie system to send packets to the target on behalf of the attacker. The attacker analyzes the target's response to the packets, considering their IPID value, to determine the status of the port. This technique is less likely to be detected by security systems.

    Port Scanning

    Any attempt to identify open ports on a target system by sending specially crafted packets. It commonly involves using TCP flags and examining the responses to deduce port statuses.

    Packet Filtering Firewalls

    A type of firewall that analyzes network packets and blocks those that don't match predefined rules, preventing unauthorized scans.

    Stateful Firewalls

    A type of firewall that keeps track of ongoing network connections and only allows packets that are part of established sessions.

    Application Firewalls

    A firewall that inspects traffic based on specific applications (like HTTP or DNS) and applies rules to block malicious activity.

    Intrusion Detection System (IDS)

    A security tool that monitors network traffic for suspicious patterns and sends alerts to administrators.

    Intrusion Prevention System (IPS)

    A security tool that actively blocks malicious traffic based on detected patterns, preventing attacks.

    Network Segmentation

    Dividing a network into smaller subnets, making it harder for attackers to scan and map the entire network.

    Honeypots

    Decoy systems designed to attract and trap attackers, diverting them from real targets.

    Honeytokens

    Fake data or resources placed within real systems to deceive attackers.

    What is Trivial File Transfer Protocol (TFTP)?

    A simple file transfer protocol designed for quick file transfers. It utilizes UDP for faster transmission. It has minimal authentication requirements, needing only the filename for file operations.

    What is TFTP Enumeration?

    This technique exploits TFTP's lack of authentication to gain access to potentially sensitive information. Examples include retrieving configuration files from vulnerable network devices or obtaining sensitive user information stored on a compromised machine.

    What is HTTP Enumeration?

    It involves identifying the specific type and model of a web server and sometimes even the operating system it's running on. This information can be exploited to target vulnerabilities specific to that server type.

    How can OpenSSL be used for HTTP Enumeration?

    OpenSSL is a powerful tool that enables secure communication over the internet. It utilizes SSL/TLS protocols to encrypt data during transmission. You can utilize OpenSSL to identify web servers and their configurations by analyzing the responses they send.

    What does Modifying Server Banners mean?

    This refers to the practice of hiding or obscuring the specific type and version of the web server software. This helps to reduce the risk of attackers targeting known server vulnerabilities.

    What is URLScan?

    This is a tool that analyzes and filters incoming web requests before they reach the web server. It helps to prevent malicious attacks and control access to web resources. It can even present misleading information to confuse attackers.

    What is Rwho (Remote Who)?

    A protocol originally used for displaying users currently logged into a remote system. It is a simple information-sharing tool that can be used to identify active user sessions and their details.

    What is Rusers (Remote Users)?

    A similar protocol to Rwho, but provides more detailed information about users. It reveals information like user idle time, session details, and other relevant information.

    Study Notes

    Cyber Attacks

    • Motives can include financial gain, political motivations, activism, hobbies, etc.
    • Goals can be ethical or unethical (stealing, destroying, manipulating, blocking, testing).
    • Methods/vectors involve various attacking techniques that exploit vulnerabilities (phishing, ransomware).
    • Vulnerabilities are weaknesses in software or hardware due to poor design or configuration (e.g., weak encryption).
    • Tools for tracking cyber attacks include https://threatmap.checkpoint.com/ and https://www.fireeye.com/cyber-map/threat-map.html

    Terminologies

    • Information security violations occur when an actor takes advantage of vulnerabilities in a system handling information.
    • An actor is an entity or process causing a violation (e.g., malware).
    • An adversary is a human actor working against an organization.
    • A threat is a potential violation, existing when an entity, circumstance, capability, action, or event could cause harm.
    • A vulnerability is a flaw in a system (including its operation) that can be exploited to violate its security policy.

    Vulnerabilities throughout the System Life Cycle

    • A lack of authentication in an embedded control system can be a vulnerability (due to space constraints).
    • A simple encryption method can be a vulnerability if the encrypted data is accessible to unauthorized actors.
    • A programmer's use of unguarded input (where the input length isn't restricted) can be a vulnerability.
    • The lack of secure storage for backup media can be a vulnerability if unauthorized parties can access, modify, or delete backups.

    Attack Vectors

    • Misconfiguration: Attackers use flaws in configurations to gain access.
    • Kernel flaws: Attackers utilize flaws in the operating system kernel.
    • Buffer overflow: Code writes data outside allocated memory.
    • Insufficient input validation: Applications fail to check input, allowing arbitrary code execution (e.g., SQL injection).
    • Social engineering: Attackers manipulate people to gain access.

    Types of Malware

    • Worms: Standalone programs that copy themselves from system to system, often carrying a payload (set of instructions).
    • Viruses: Similar to worms but don't operate independently, rather modifying another piece of software.
    • Trojan horses: Appear harmless but contain malicious payloads.
    • Logic bombs: Programs triggered by specific events to violate security.
    • Spyware: Designed to hide information gathering and export from a system.
    • Bots: Programs that execute commands, typically in a distributed fashion, often used for malicious purposes.

    Objectives of Security

    • Confidentiality: Information only accessible to authorized users.
    • Integrity: Information retains its intended content and semantics.
    • Availability: Information remains accessible and present.
    • Authenticity: Information is linked to its originator.

    Classes of Threat

    • Interception: Unauthorized access to information.
    • Modification: Unauthorized changes to information.
    • Masquerade: Pretending to be an authorized user.
    • Interruption: Disruption of access to information.

    Forms of Security

    • Physical security: Protects physical infrastructure and objects.
    • Personnel security: Protects the people in an organization.
    • Information security: Protects data.

    Critical Issues

    • What must be defended? Mission and assets of the organization.
    • What can be defended? Personnel and information limitations.
    • What is likely to be attacked? The organization's mission and assets.

    Strategic Goals

    • Whoever is first in the field and awaits the enemy will be fresh. Whoever is second will be exhausted.
    • The clever combatant imposes their will on the enemy but does not allow the enemy to impose their will.
    • Holding out advantages to the enemy can cause them to approach on their own accord or inflict damage that makes approaching impossible.

    Defense Strategy

    • Deceive the attacker.
    • Frustrate the attacker.
    • Resist the attacker.
    • Recognize and Respond to the attacker.

    Analogous Example

    • Arsonist profiling, misdirection: Deceive.
    • Grounded wiring, reduce trash: Frustrate.
    • Fire doors, inter-floor barriers: Resist.
    • Smoke detectors, alarm pulls: Recognize.
    • Fire-suppression systems: Respond.

    Deceive Adversaries

    • Hide the nature of the organization.
    • Use obvious targets as alarms, not servers.
    • Minimize the footprint of critical assets.
    • Use honey tokens - fake servers or services.

    Deception

    • "All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." (Sun Tzu)
    • Deception involves making a network attack seem like no one's problem or someone else's.

    Deception in Information Security

    • No one's problem strategy: Focus the adversary on assets that are unproductive or offer no advantage.
    • Someone else's problem strategy: Redirect attacks to non-critical assets belonging to another organization.
    • Ensure this does not disrupt essential services.
    • Passive defense advantage: Deceptive methods are mostly passive and require minimal ongoing action, effective as a first line of defense.

    Frustrate Adversaries

    • Deny initial access: Firewalls, routers, and wrappers.
    • Block what you can: Control the target or medium.
    • Prevent information flows critical to the enemy.
    • Use obvious attack vectors as alarms.

    Resist Adversaries

    • Goal: Make attack progression difficult after initial access; rely on prior knowledge.
    • Key Methods: Protect authorized users; use strong authentication (e.g., tokens), limit exploits (apply active patches, reconfigure hosts).
    • Maintenance: Strategies often require active management, such as regular updates of authentication mechanisms and continuous host configuration adjustments.

    Recognize/Respond to Adversaries

    • Detection: Promptly recognize an attack, diagnose its characteristics: detect unauthorized access, unauthorized changes, and suspicious resource overuse.
    • Response: Restore attacked computers/networks: analyze the incident, disseminate information, contain the damage, and recover from the incident.

    Security Controls

    • Challenge: Security strategies can be expensive if risks aren't carefully assessed.
    • Key Steps: Prioritize risks linked to critical assets, choose relevant strategies for efficiency.
    • Tools: Use tools like spider diagrams to map strategies against risks, avoid redundant controls, focus resources, and reduce unnecessary costs.

    Layered Defenses

    • This charting gives an overview of network defenses, highlighting the layered controls for specific risks and the balance between passive and active strategies.

    Layered Example

    • Different aspects of security vulnerabilities like authenticity, integrity, confidentiality, and availability.

    Hacking

    • Casing the Establishment: Footprinting, scanning, and enumeration.
    • Endpoint and Server Hacking: Vulnerability analysis, system hacking, and hacking web applications.

    What is Footprinting?

    • A systematic approach to gathering information about an organization to create a detailed security profile.
    • Purpose: Identify critical organizational details.
    • Internet (publicly available information).
    • Intranet (internal networks).
    • Remote access (e.g., VPNs, RDP).
    • Extranet (partner systems).
    • Key elements: Tools, techniques, and patience for accurate data collection.

    Footprinting: Steps

    • Determine the scope of activity.
    • Get proper authorization.
    • Gather publicly available information.
    • Perform WHOIS and DNS enumeration.
    • Perform DNS interrogation.
    • Perform network reconnaissance.

    Search Engines for Pen Testers

    • List of various search engines used by penetration testers for different purposes.

    Scanning

    • Purpose: Identify live systems and reachable systems using specific tools and techniques.
    • Key Techniques: Active scanning (directly interacts with systems) and passive scanning (collects info without interaction, which helps maintain anonymity).
    • Goal: Understand potential entry points into a network.

    IPv4... IPv6

    • IPv4 is limited to 4.2 billion addresses.
    • IPv6 offers practically limitless addresses (2^128).
    • IPv4 compatibility means scanning techniques work with IPv6 and IPv4 networks.
    • Traditional methods become less effective for IPv6 networks due to the vast address space.
    • New techniques will emerge for enumerating IPv6 addresses as adoption grows.

    Scanning Determining if a System is Alive

    • Goal: Determine if a host is allocated to a specific IP and is online.
    • Ping Sweep: Sends traffic to target IPs and analyzes responses to check for live hosts.
    • Methods: ICMP (Traditional "ping"), ARP, and TCP/UDP.

    Enumeration

    • Definition: Probing identified services to discover weaknesses.
    • More intrusive: Involves active connections and directed queries.
    • Goals: User accounts (for password guessing), misconfigured resources (unsecured shares/services), and outdated software (with vulnerabilities).
    • Dependencies: Platform-specific techniques depending on information gathered during the previous phase.

    Example Cyber Attacks – Equifax

    • Equifax’s database system lacked restrictions on the number of queries, allowing the hacker to execute more than 9,000 queries.
    • Hackers accessed an unencrypted database with usernames and passwords, granting access to another database.
    • Attackers scanned the web for vulnerable servers and found vulnerabilities in the Equifax dispute portal.
    • They extracted data from different databases in small increments to avoid detection and used an Apache Struts vulnerability to gain access to login credentials for three servers.

    Vulnerability Assessment

    • Scan targets for known vulnerabilities in operating systems and applications, which could be caused by misconfigurations, design flaws, or implementation issues.
    • Malicious hackers use identified vulnerabilities for further exploits.
    • Ethical hackers use identified vulnerabilities to create a plan to secure the network and infrastructure.
    • The process includes actions like patching, installing anti-malware, adjusting configurations, and preparing recovery plans.
    • Tools for conducting vulnerability assessments include https://cve.mitre.org/.

    Vulnerability Assessment: Severity Levels

    • Vulnerabilities are classified by severity level (e.g., low, medium, high) or exploit range (e.g., local, remote).
    • Misconfigurations: running unnecessary services or ports.
    • Unpatched Servers: outdated software and operating systems.
    • Application Flaws: poor user authorization.
    • Default Installation: focused on ease of use but potentially vulnerable.
    • Design Flaws: using insecure encryption or poor validation.
    • Open Services: open ports and services.
    • Buffer Overflows: insufficient bounds checking.
    • OS flaws: unpatched systems.
    • Default Passwords: unchanged initial setup passwords.

    Hacking Systems

    • The primary goal of an attacker is hacking into the target's systems.
    • Steps involved in hacking systems include: gaining access, escalating privileges, maintaining access, executing applications, clearing logs, and wiping out log entries.
    • Gaining access includes brute-force, social engineering, and guessing methods.
    • Escalating privileges involves gaining higher access levels.

    Hacking Web Applications

    • Web application vulnerability scanners identify various vulnerabilities in web applications.
    • Key components of vulnerability scanners include crawling, attacking, and analysis modules.
    • Types of scans: open source vs commercial, black-box vs white-box.
    • Common vulnerabilities, such as Injection, Broken Authentication, Sensitive Data Exposure, Broken Access Control, etc., are presented.

    Twitter

    • A tweet from @hakluke mentioning weak pentest findings: server headers, weak TLS ciphers, and outdated jQuery.

    Recap of Key Concepts

    • Core terminology: Threats, vulnerabilities, attack vectors, and security objectives (confidentiality, integrity, availability, authenticity).
    • Types of Cyberattacks: Malware, social engineering, buffer overflows, and misconfigurations.
    • Defense Strategies: Deceive, frustrate, resist, detect, and recover.
    • Ethical hacking steps: Fingerprinting, scanning, enumeration, vulnerability assessment, and hacking.

    What is Footprinting?

    • Footprinting is the initial step in an attack where an attacker gathers information about a target to identify potential entry points for intrusion.
    • Passive Footprinting: Gathering information about a target without direct interaction. Examples: Searching public records, social media, or websites.
    • Active Footprinting: Gathering information about a target through direct interaction. Examples: Sending ping requests, DNS lookups, and traceroutes.

    Active Footprinting

    • The information gathering activities can be detected by the target.
    • The traffic flows from the attacker's device to the target.
    • VPN and proxies can assist in hiding the source from the target.

    The nslookup Command

    • The nslookup command is used for gathering DNS (Domain Name System) information about a target.
    • This command allows ethical hackers/attackers to query DNS servers.

    Active Footprinting vs. Scanning

    • Active Footprinting: Gather general information (e.g., DNS, IPs, basic system details); focused on high-level details and entry points. Active techniques include DNS queries and DNS interrogations.
    • Scanning: Identify specific vulnerabilities; uses detailed probing methods to discover open ports, running services, and potential weaknesses.

    Passive Footprinting

    • Information gathering activities are not detected by the target; technically difficult and limited to archived information.
    • Techniques include search engines, social networking sites, websites, email, WHOIS records, network information, and social engineering.

    Publicly Available Information

    • Company web pages, related organizations, location details, employee information, current events, privacy/security policies, archived information, search engines and data relationships, and other information of interest.

    Company Web Pages

    • Web pages often contain security configuration details, asset inventory details, and information about other websites (e.g., www1, www2, web, web1...).
    • Security configurations, asset inventory spreadsheets, and comment sections in HTML code can be valuable assets.
    • Website mirroring tools include Wget (for UNIX/Linux) and Teleport Pro (for Windows).

    Footprinting through Search Engines

    • Publicized, public information like location, foundation date, founders' names, employees, and official websites are gathered.
    • Examples of search engines include shodan.io, google.com, and yahoo.com.

    Footprinting through Websites and Services

    • Use websites to search for people, including phone numbers, addresses, and contacts.
    • Examples include privateeye.com, peoplesearchnow.com, anywho.com, intelius.com and peoplefinders.com.
    • Gather information (company info/individual info via fake job postings) from financial websites (e.g., Google Finance, Yahoo Finance) and job sites (e.g., LinkedIn, Monster, Indeed, CareerBuilder).
    • Monitor a target using alerts (e.g., on Google, LinkedIn, and Yahoo, forums, and blogs).

    Footprinting Using Advanced Google Hacking Techniques

    • Popular search operators include cache:, filetype:, related:, site:, intext:, allintext:, intitle:, allintitle:, inurl:, and allinurl:.

    Google Hacking Database (GHDB)

    • A database of computer hacking techniques to identify potential weak points in a target's network and systems.
    • Useful for finding sensitive directories, vulnerable files, and unguarded login pages.
    • To access the database, go to https://www.exploit-db.com/google-hacking-database.

    Scanning Methodology

    • Host discovery: Checking for live systems.
    • Port scanning: Discovering open ports.
    • Scanning techniques: Various scanning methods.
    • Scanning beyond IDS: Evasion techniques to bypass intrusion detection systems/intrusion prevention systems (IDS/IPS).
    • Banner grabbing/OS fingerprinting.
    • Network diagrams: Networks' architecture.
    • Proxies: Using proxies to anonymize scans.

    Checking for Live Systems

    • Finding live hosts in a network is done through ICMP packets.
    • Live target systems reply with ICMP echo reply packets.
    • This ICMP echo response confirms the host is live.
    • Lack of response indicates the host is offline/not reachable.

    ICMP Fields

    • The Internet Control Message Protocol (ICMP) is used to diagnose the status of a host and its network path.
    • It's used with routing, availability, service irregularities, and provides lightweight request/reply methods.
    • Security concerns include flooding and information leaks.

    ICMP Message Types

    • Ping, the traditional use of ICMP, involves sending ICMP ECHO REQUEST packets to a target system.
    • ECHO REPLY confirms if a system is live.

    ICMP Scanning

    • Ping Scanning is also used for identifying live hosts.
    • Ping Sweep is used for live host detection on a large scale (a range of IP addresses).
    • Tools for ICMP scanning include Zenmap and Angry IP Scanner.

    Check for Open Ports

    • Simple Service Discovery Protocol (SSDP): used for discovering services and devices on a network without static network configuration.
    • The protocol operates without centralized servers, unlike many other network protocols.
    • Metasploit auxiliary/scanner/upnp/ssdp_msearch module is used for scanning SSDP-enabled devices, thereby identifying open ports and potentially vulnerable devices.
    • SSDP protocol has been used for Distributed Denial of Service (DDoS) attacks, such as the 2018 100 Gbps DDoS attack.
    • Misconfigured SSDP devices are vulnerable and can contribute to large-scale attacks.

    Nmap (Kali)

    • Nmap offers another way of pinging a host.
    • Nmap can be used for host, port, and service discovery, etc.
    • Using Nmap, you can see operating system version information, hardware MAC addresses, service version detections, etc.

    Hping2 & Hping3 (Kali)

    • A command-line TCP/IP packet assembler/analyzer.
    • Used for sending custom TCP/IP packets.
    • Handles fragmentation, arbitrary packet body and size, and file transfer.
    • Supports TCP, UDP, ICMP, and RAW-IP protocols.
    • Testing firewall rules, testing net performance, and performing traceroutes are some features of these programs.

    TCP Scanning Techniques

    • Open TCP Scanning: Complete three-way handshake.
    • Stealthy TCP Scanning (Half-Open Scan): The handshake is not completed; the scanner acknowledges only with an RST packet.
    • TCP Flag Scanning (e.g., Xmas, FIN, null, ACK): Uses specific TCP flags to identify vulnerabilities.

    UDP Scanning

    • Used to identify open ports without requiring a handshake.
    • Useful for discovering services such as DNS, SNMP, and DHCP.

    Scanning Beyond IDS

    • Evasion techniques to bypass IDS/IPS defenses.
    • Fragmentation: Split packets.
    • Decoy Scanning: Using false IP addresses.
    • Timing Variations: Spreading scans over time.
    • Proxying: Route traffic.
    • Obfuscation of Payloads.
    • Dynamic Decoys.
    • Randomized Scanning.

    Ethical Considerations for Evasion

    • Obtain explicit permission before using evasion techniques.
    • Understand the risks, which include triggering alarms or overloading network systems.
    • Document findings clearly to improve defensive measures.

    Defense Against Scanning

    • Firewalls: Filter and block unauthorized scans.
    • Intrusion Detection Systems (IDS): Detect malicious scanning patterns.
    • Intrusion Prevention Systems (IPS): Actively block malicious scanning attempts.
    • Network Segmentation: Limit scan scope.
    • Honeypots: Trap attackers.

    Firewalls as a First Line of Defense

    • Packet Filtering Firewalls: Inspect packets, block ones not matching rules.
    • Stateful Firewalls: Monitor connections, ensure packets belong to valid sessions.
    • Application Firewalls: Filter traffic based on specific applications (e.g., HTTP, DNS).

    IDS/IPS: Detect and Block Malicious Scans

    • Intrusion Detection Systems (IDS): Monitor traffic, generate alerts.
    • Intrusion Prevention Systems (IPS): Block malicious traffic based on detection.
    • Signature-Based Detection: Identify known attack patterns/signatures.
    • Anomaly-Based Detection: Identify deviating traffic.
    • Example: Snort rule to detect SYN scans.
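
    The detection idea above, applied to the half-open pattern from the TCP scanning notes: an added example (not part of the original notes, and a Python heuristic rather than a Snort rule) that flags a source leaving many handshakes unfinished inside a time window. The Packet record, the function names, the thresholds, and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flags as letters: "S", "SA", "A", "R", "RA"


def classify_flows(packets):
    """Track each connection attempt and record how its handshake ended."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src, p.dst, p.sport, p.dport)   # packet sent by the initiator
        rev = (p.dst, p.src, p.dport, p.sport)   # packet sent by the responder
        f = set(p.flags)
        if f == {"S"}:
            flows.setdefault(fwd, {"ts": p.ts, "state": "syn_sent"})
        elif f == {"S", "A"} and flows.get(rev, {}).get("state") == "syn_sent":
            flows[rev]["state"] = "syn_ack"          # port answered: open
        elif "R" in f and flows.get(rev, {}).get("state") == "syn_sent":
            flows[rev]["state"] = "closed"           # port refused the SYN
        elif flows.get(fwd, {}).get("state") == "syn_ack":
            if "R" in f:
                flows[fwd]["state"] = "half_open"    # initiator tore it down
            elif f == {"A"}:
                flows[fwd]["state"] = "established"  # full three-way handshake
    return flows


def detect_syn_scans(packets, window=10.0, min_ports=5):
    """Alert on sources probing >= min_ports targets within `window` seconds
    without ever completing the handshake."""
    per_src = defaultdict(list)
    for (client, server, _cport, dport), info in classify_flows(packets).items():
        if info["state"] != "established":
            per_src[client].append((info["ts"], server, dport, info["state"]))
    alerts = {}
    for src, probes in per_src.items():
        probes.sort()
        start, best = 0, set()
        for end in range(len(probes)):               # sliding time window
            while probes[end][0] - probes[start][0] > window:
                start += 1
            targets = {(s, d) for _, s, d, _ in probes[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_ports:
            # half_open counts all of this source's torn-down handshakes
            half_open = sum(1 for pr in probes if pr[3] == "half_open")
            alerts[src] = {"targets": len(best), "half_open": half_open}
    return alerts


def sample_traffic():
    """Constructed capture: one scanner, one ordinary client, one server."""
    scanner, client, server = "10.0.0.66", "10.0.0.5", "192.0.2.10"
    pk, t = [], 100.0
    for i, port in enumerate([21, 22, 23, 25, 80, 443]):
        sp = 40000 + i
        pk.append(Packet(t, scanner, server, sp, port, "S"))
        if port in (22, 80, 443):                    # open ports on the server
            pk.append(Packet(t + 0.01, server, scanner, port, sp, "SA"))
            pk.append(Packet(t + 0.02, scanner, server, sp, port, "R"))
        else:
            pk.append(Packet(t + 0.01, server, scanner, port, sp, "RA"))
        t += 0.1
    pk += [Packet(101.00, client, server, 50000, 443, "S"),   # normal session
           Packet(101.01, server, client, 443, 50000, "SA"),
           Packet(101.02, client, server, 50000, 443, "A"),
           Packet(102.00, client, server, 50001, 8080, "S"),  # one failed connect
           Packet(102.01, server, client, 8080, 50001, "RA")]
    return pk


if __name__ == "__main__":
    print(detect_syn_scans(sample_traffic()))
```

    With a window shorter than the spacing between probes the same traffic raises no alert, which is why thresholds have to be tuned against the timing variations listed under Scanning Beyond IDS.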

    Network Segmentation and Scanning

    • Dividing a network into smaller subnets makes it harder to scan the whole network.
    • Scanning tools can only reach the segment they have access to.
    • Best practices: Use VLANs to separate sensitive systems and restrict access between segments using firewalls.

    Honeypots and Honeytokens

    • Honeypots are decoy systems to lure and trap attackers.
    • Honeytokens are fake data/resources placed within real systems to mislead attackers.
    • Helps to divert attackers' attention from real targets.
    • Collect valuable information about attack methods, which is useful for detection.
    • Example: Deploying a honeypot (e.g., Dionaea, Honeyd) to simulate vulnerable systems, and deploying honeytokens.

    Emerging Topics in Scanning and Defense

    • Automated scanning and vulnerability assessment with AI (DeepScan, Cortex XSOAR).
    • Advanced evasion techniques (protocol tunneling, TLS/SSL encryption).
    • Living off the land (LoL) techniques.
    • Cloud infrastructure scanning challenges.
    • Challenges of scanning in IoT networks.
    • Threat hunting and active scanning (Zeek).

    OS Fingerprinting & Banner Grabbing

    • Identifying the operating system (OS) running on a target machine, and potentially the running services.
    • Active fingerprinting: Send TCP/UDP packets, check the responses.
    • Passive fingerprinting: Capture traffic using a tool like Wireshark, analyze to deduce the OS.
    • Tools like Maltego, Telnet, and Netcat can be used.

    Drawing Network Diagrams

    • Map the network architecture to identify paths to targets, security zones, devices, and routing paths.
    • Tools for network mapping include Nmap, OpManager, Draw.io/Lucidchart, and traffic visualization tools.

    Prepare Proxies

    • A proxy is an intermediary that routes traffic between the attacker and the target, anonymizing the attacker's IP.
    • Tools like ProxyChains (chains multiple proxies), Tor (distributed network of relays), and CyberGhost (VPN-based proxy) can be used.
    • Challenges in using proxies include slower traffic (latency), and they can be detected by advanced firewalls.

    Scanning - Key Takeaways

    • Scanning is the second phase of ethical hacking.
    • Goals include identifying live systems, open ports, services, and vulnerabilities.
    • Important steps include host/port discovery, advanced techniques (e.g., bypassing IDS, anonymization), and using tools (e.g., Nmap, Wireshark, Proxychains).
    • Ethical guidelines include scanning only authorized targets and avoiding service disruptions.

    Introduction to Enumeration

    • Enumeration is the process of actively gathering detailed information about a target system, identifying usernames, group memberships, network resources, shares, services, operating systems, software versions, and vulnerabilities.
    • It involves direct interaction with the target system.
    • Enumeration focuses on what's behind identified open doors, unlike scanning.
    • Typical protocols of focus include NetBIOS, SNMP, DNS.

    What to Enumerate?

    • Users: Active users and groups, weak passwords.
    • Services and Ports: Services running on open ports.
    • Shares and Files: Shared resources, lateral movement data.
    • Operating Systems: Version information for exploit tailoring.
    • Group Memberships: identifying users with privileged or special access.
    • Network Shares/Resources: Accessible network devices/files.

    Enumeration Techniques

    • Enumeration using Email IDs: Extract usernames and domain names from email IDs to use in brute force or phishing attacks.
    • Enumeration using Default Passwords: Many devices/software have default credentials, making them easily exploitable.
    • Enumeration via SNMP: Used for monitoring and managing network devices on the network.
    • Enumeration via Brute Force Attack on Active Directory: Automated tools are used to guess credentials.
    • Enumeration via DNS Zone Transfer: Method used to copy zone files between primary and secondary DNS servers.

    Shodan – Default Credentials

    • Shodan can be used to find systems with default credentials.

    Brute-Force Attack on Active Directory

    • Active Directory is a centralized system managing domain users, computers, and resources.
    • High-value information within Active Directory includes usernames, passwords, roles, and permissions.
    • Attackers use automated tools to guess valid credentials (username - password combinations), often targeting LDAP services or Kerberos tickets.

    Enumeration through DNS Zone Transfers

    • DNS Zone Transfer: Synchronizes DNS servers by copying zone files between a primary (master) and secondary (slave) DNS server.
    • Records: Hostnames, IP addresses, and other relevant data.
    • Valuable to attackers: Information about usernames and network devices.
    • How it works: UDP 53 for standard lookups, and TCP 53 for ensuring reliable data transfer.

    Key Services and Ports to Enumerate

    • DNS Zone Transfer → TCP 53
    • DNS Queries → UDP 53
    • SNMP → UDP 161
    • SNMP Trap → TCP/UDP 162
    • Microsoft RPC Endpoint Mapper → TCP/UDP 135
    • LDAP → TCP/UDP 389
    • NetBIOS → TCP 139
    • SMTP → TCP 25

    NetBIOS Enumeration Overview

    • NetBIOS (Network Basic Input/Output System) program enables communication between applications on LANs.
    • Devices are identified using a unique 16-character ASCII string (first 15 characters for device information, 16th for service information).
    • NetBIOS utilizes TCP port 139 for session services.

    NetBIOS Enumeration

    • NetBIOS over TCP/IP (NBT or NetBT) uses TCP and UDP ports: UDP 137 for name services, UDP 138 for datagram services, and TCP 139 for session services.
    • Attackers can identify machines in a domain, file sharing, usernames, group information, passwords, and security policies using NetBIOS enumeration.

    NetBIOS Enumeration Tool

    • The nbtstat command provides NetBIOS over TCP/IP (NetBT) protocol statistics and NetBIOS name tables.
    • This command is used for both local and remote computers.

    Nbtstat

    • nbtstat -n to display NetBIOS names registered on the local machine.
    • nbtstat -A [IP Address] to enumerate NetBIOS information from a remote host.

    Enumeration Tool: SoftPerfect

    • A versatile tool for enumerating network devices and retrieving detailed information.
    • Capabilities: Ping computers, scan open ports, and identify active services, access details via protocols (WMI, SNMP, HTTP, and PowerShell), and detect shared folders.

    A Basic Network Scan

    • Configure scan type (all ports, common ports, specific ports).
    • Include usage of netstat commands, SYN scanners (if required), and ping hosts using TCP, ARP, and ICMP.

    A Non-credential Basic Network Scan

    • Use Nessus to perform a scan without credentials.
    • Set up a name.
    • Specify the target(s).
    • Select scan type (a basic network scan).

    A Basic Network Scan with Credentials

    • Use Nessus to perform a scan with credentials.
    • Enable Remote Registry on the target machine if necessary.
    • Specify username and password.

    Exporting Results

    • Nessus generates reports.
    • The reports can be exported in HTML, PDF, or CSV formats.

    Identifying SCADA Systems and Their Vulnerabilities on the Internet of Things

    • Purpose: Develop a method for finding Supervisory Control and Data Acquisition (SCADA) devices and assessing their vulnerabilities on the Internet of Things.
    • Contributions: SCADA device identification using Shodan, text mining, and data mining.
    • Vulnerability assessment: Using network scanning with tools like Nessus, find critical vulnerabilities.
    • Findings: High vulnerability rate (6.45%) among identified SCADA devices, highlighting critical concerns like buffer overflows, unencrypted protocols, and weak/default credentials.
    • Attack Potential: Attackers can exploit these systems potentially causing industrial disruptions or data breaches.

    IoT and the Risk of Internet Exposure: Risk Assessment Using Shodan Queries

    • Evaluates IoT device vulnerabilities.
    • Developed a dataset of vulnerability rules.
    • Conducted a remote assessment, identifying systems susceptible to default credentials.
    • Findings: Many IoT devices are exposed due to weak access controls.
    • Vulnerabilities persist in critical systems (e.g., SCADA).
    • Implications: Enforcing strong password policies can reduce vulnerabilities.

    Takeaways

    • Understanding vulnerability analysis.
    • Importance of lifecycle stages.
    • Assessment techniques.
    • Role of tools.
    • Actionable insights, future skills.

    Introduction to System Hacking

    • In this phase, the goal is to gain access to the target system.
    • Data utilized includes usernames, passwords, IP ranges and network details, operating system, software versions, services, and shares.
    • Challenges include needing patience, detailed observation, and technical expertise, as success often relies on exploiting vulnerabilities identified in earlier steps.
    • System hacking is a critical focus for ethical hackers to understand and defend against.

    System Hacking Steps

    • Gaining access: Exploiting vulnerabilities or using stolen credentials to enter the target system.
    • Escalating privileges: Elevating access rights to gain administrative control.
    • Executing applications: Running malicious programs or scripts.
    • Creating backdoors: Installing hidden access points.
    • Covering tracks: Erases logs, disguises activities, and removes evidence of the attack.

    1- Gaining Access

    • Password cracking: Deciphering passwords to gain unauthorized access.
    • Non-electronic attacks: Shoulder surfing, social engineering, and dumpster diving.
    • Active online attacks: Dictionary attacks, brute-force attacks, and hash injection.
    • Passive online attacks: Wire sniffing, man-in-the-middle attacks, replay attacks, default password exploitation, and offline attacks.

    Active Online Attacks (e.g. Dictionary Attack)

    • Description: A dictionary attack uses a pre-compiled wordlist of common passwords to guess user credentials.
    • Strengths: Fast for simple passwords, effective against weak passwords.
    • Countermeasures: Use strong, unique passwords that include various characters (uppercase, lowercase, numbers).
    • Examples: Implementing account lockout policies for multiple failed attempts and using MFA.

    Hash Injection Attack (Pass-the-hash)

    • How it works: Attackers compromise a machine; extract log-on password hashes; inject this hash to authenticate as the user without the plaintext password.
    • Target services include any service or server using LM or NTLM authentication (Windows and Unix).
    • Key implications include unauthorized access, enabling lateral movement.
    • Countermeasures: Switch to more secure authentication methods (like Kerberos), use tools for protecting LSA credentials (e.g., LSA Protection).

    Passive Online Attacks (e.g., Wire-Sniffing)

    • Wire Sniffing: Use packet-sniffing tools (e.g., Wireshark) to capture traffic and retrieve sensitive data.
    • Man-in-the-Middle (MITM) Attack: Intercepting communication between two parties. This is used for stealing sensitive data or injecting malicious payloads.
    • Replay Attacks: Reuse captured packets to impersonate legitimate users or to replay sensitive credentials/authentication tokens.

    Default Password Exploitation

    • Attackers use default or easily guessable credentials listed in manuals or documentation files.

    Offline Attacks

    • Pre-computed Hashes and Rainbow Tables: Databases of pre-computed hash values to map hashes back to plaintext passwords, used to expedite cracking processes.

    Rainbow Table

    • Rainbow Tables are used for offline password cracking by using pre-computed hashes for all possible combinations of characters. Useful for cracking common/simple passwords and easily cracked password hashing algorithms such as MD5, SHA1, and NTLM, but it requires large space and time to generate them.

    In the News

    • Dr. Angie Qarry (a quantum physicist) sharing insights about the death of SHA-1.

    Microsoft Authentication

    • Key Authentication Protocols in Windows: Kerberos, Security Account Manager (SAM), NT LAN Manager (NTLM), LAN Manager (LM), and others (e.g., Digest Authentication).
    • Security Account Manager (SAM): A database used to store user credentials. It plays a critical role in authentication for both users and services, encrypting passwords for security.
    • NTLM & LM Hashing Formats
    • LM (LAN Manager) Hash: Weaker, older hashing format.
    • NTLM Hash: More secure than LM, but still vulnerable.

    NTLM Authentication

    • The user shares their username, password, and domain name with the client.
    • The client creates a scrambled version of the password (hash) and deletes the full password.
    • The client sends the username to the server in plaintext.
    • The server sends a challenge to the client, which is a 16-byte random number.
    • The client encrypts the challenge using the hash and sends the encrypted result to the server.
    • The server relays the challenge, response, and username information to the domain controller (DC).
    • The DC retrieves the user's password, uses it to encrypt the challenge, and compares it to the client's response. If they match, access is granted.

    Kerberos Authentication

    • Kerberos is used for authentication and establishing session keys.
    • A trusted third party (KDC) shares a symmetric key with every client/user.
    • The KDC also has a master key.
    • The KDC issues various types of tickets (e.g., TGT).
    • A ticket contains keys and other information for accessing network resources.

    2- Escalating Privileges

    • Privilege escalation is a critical step in system hacking where attackers gain unauthorized access to elevated privileges. Methods include social engineering and default configuration exploitation.
    • Social Engineering: Exploiting vulnerabilities in human behavior.
    • Default Configurations: Exploiting easily guessable/unmodified default passwords and configurations.
    • Horizontal Privilege Escalation: Taking over another user's privileges, staying at the same level.
    • Vertical Privilege Escalation: Escalating privileges to a higher level, e.g., regular user to administrator, which includes exploiting system vulnerabilities.

    Cracking Passwords

    • Techniques used to decipher passwords for unauthorized access.
    • Tools include pwdump7, Fgdump, and L0phtCrack (for Windows), as well as Ophcrack, RainbowCrack, Cain & Abel, and John the Ripper.

    Cracking Password Hashes

    • Tools like Pwdump7 can be used.

    3- Executing Applications

    • Malicious applications are executed on target systems to gain unauthorized access and manipulate system resources.
    • Custom malware and widely available hacking tools are used to execute malicious applications.
    • Objectives: collecting sensitive information (e.g., credentials, user data), setting up backdoors for persistent access, installing password crackers for sensitive data recovery, and deploying keyloggers to capture login credentials.

    RemoteExec

    • RemoteExec is a versatile software for managing and executing tasks on a target system remotely.
    • Key Features:
      • Application Deployment: Install applications/updates.
      • Remote Execution: Run programs/scripts.
      • Remote Configuration Management: Modify system settings and manage user accounts.
      • System Control: Execute power management commands (reboot, shutdown).
    • Potential use cases in system hacking:
      • Deploying malware or backdoors.
      • Maintaining persistent access.
      • Disrupting operations by manipulating system configurations.

    PDQ Deploy

    • PDQ Deploy is a powerful system administration tool for managing and updating applications across networked systems.
    • Features: Silent Deployment, Application Management, File Management, and Efficient Scheduling.
    • Benefits: Ease of use (intuitive interface), versatility, and time-saving from batch processing.

    Keyloggers

    • A keylogger monitors and records user activities (keyboard actions, clipboard activity, screenshots, and screen logging).
    • Types: Hardware (physical devices) and Software (installed programs).
    • Anti-keylogger software can be used to detect/track keyloggers and block malicious activity.

    4- Creating Backdoors - Rootkits

    • Rootkits: Tools deployed after an attack to maintain persistent privileged, remote access to the target system.
    • The goal is to allow attackers to bypass authentication and execute malicious actions without detection.
    • Notable Rootkit Tools: Avatar, Necurs, Azazel, ZeroAccess.
    • Defensive Measures: Use integrity-based detection, check digital signatures, look for differences (behavioral detection), and use platform-specific tools (e.g., Zeppoo, Chkrootkit).

    5- Covering Tracks

    • Attackers remove event logs (e.g., Windows Event Viewer), error messages, and other evidence to avoid detection and conceal their activities.
    • Techniques Include: disabling auditing, clearing logs, or manipulating logs.
    • Real world example: Stuxnet attack. It manipulated Siemens SCADA systems and cleared logs to prevent detection.

    Disabling Auditing

    • Disabling auditing on a system will prevent logging of critical actions, blocking potential trace evidence, and obscuring attacker activity.
    • The auditpol command-line utility is used to configure auditing policies.
    • Use the command auditpol /set /category:"Object Access" /success:disable /failure:disable .

    Clearing Logs

    • Removing traces of previous activities in system logs.

    6- Drawing Network Diagrams

    • Tools for network mapping (Nmap, OpManager, Draw.io): Discover hosts, paths, security zones, devices, and routing paths.

    7- Prepare Proxies

    • Proxies act as intermediaries, routing traffic between the attacker and the target.
    • Use proxies to enable anonymity by hiding an attacker's IP address.
    • Methods include ProxyChains, Tor, and CyberGhost.
    • Challenges include potential detection via advanced firewalls and slower traffic (latency).

    Web Application Security Considerations

    • Security checks run in the user's browser, allowing attackers to modify them.
    • Validate and encode data before display to prevent attacks.
    • Essential server-side security: Input validation, output escaping, client-side security.
    • Comprehensive checks/validations on the server side to prevent client-side attacks from happening.

    Fingerprinting in Web Applications

    • The process of gathering detailed information about a web application’s infrastructure to aid testers and attackers.
    • Information gathered often reveals useful data like web server info (name/version), backend architecture (e.g., database type), network config (e.g., server type), and programming


    Description

    Test your knowledge of network scanning methods and security measures with this quiz. Explore various scan types, firewall functionalities, and the principles behind Intrusion Prevention Systems. See how well you understand the tactics used to assess network vulnerabilities.
