Lecture 2-2.txt
Uploaded by LegendaryDecagon
Why do we scan? To find which machines in the target system are available (live): we cannot attack a machine remotely if it is not reachable. Also to discover which OS the target machines are running, for further exploitation.

Types of scan
- Ping sweep: used to discover which systems are live, i.e. which IP addresses are up and running.
- Port scanning: scanning the network to find active IP addresses that could be potential targets, then scanning those specific IPs to check which ports are open. Example: port 80 (HTTP) or port 443 (HTTPS) being open means the host at that IP address is running a web server, like a website served from a laptop.
- Vulnerability scanning: finding weaknesses or problems in an environment and generating a report on what was found. Here "environment" refers to the network, systems, applications, and devices being scanned.

A port is a communication endpoint in networking: a logical access point for sending and receiving data between devices. Ports are numbered, and each number is associated with a specific service or protocol (like HTTP on port 80 or HTTPS on port 443).

What kind of information can be found from scanning? IP addresses, lists of open and closed ports on a target system, OS versions, MAC addresses, service information and other network information.

ICMP scanning is a network scanning technique that uses ICMP (Internet Control Message Protocol) echo requests (pings) to check which devices on a network are active: it identifies live hosts by sending out pings and waiting for responses. Echo requests are network messages sent using ICMP to check whether a device is reachable; when a device receives an echo request, it responds with an echo reply, confirming it is online and reachable. It is like asking "Are you there?" and getting "Yes, I am!" in return.

Ping sweep tools: ping targets one specific IP and is commonly used.
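To make the port-scanning idea concrete, here is an added example (not code from the lecture) of the simplest kind of port scan, a TCP connect scan, run only against the local machine. It starts a throwaway listener on 127.0.0.1 as a constructed target, attempts a full TCP connection to one listening port and one free port, and maps what connect() reports onto the port states discussed in the notes. The function names classify_port, connect_scan and scan_local_demo are this example's own.

```python
"""TCP connect scan of the local host: added example, not the lecture's code.

A connect scan completes the full three-way handshake, so the outcome of
connect() tells us the port state the lecture describes:
  - handshake completes  -> open
  - RST comes back       -> closed (nothing listening)
  - nothing comes back   -> filtered (a firewall dropped the probe)
The target is a listener we start ourselves, so the scan only ever touches 127.0.0.1.
"""
import socket


def classify_port(host, port, timeout=1.0):
    """Try one full TCP connection and map the result to an Nmap-style state."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))       # SYN -> SYN-ACK -> ACK all completed
        return "open"
    except ConnectionRefusedError:       # the host answered with RST
        return "closed"
    except socket.timeout:               # neither SYN-ACK nor RST within the timeout
        return "filtered"
    except OSError as exc:               # e.g. network unreachable: not a port state
        return f"error: {exc.strerror}"
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports sequentially; returns {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def scan_local_demo():
    """Constructed target: one listening socket and one port known to be free."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0 = let the OS pick a free port
    listener.listen(5)                   # the kernel completes handshakes into the backlog
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                        # released: nothing listens there now

    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    print(scan_local_demo())             # ('open', 'closed')
```

Because every probe completes a real connection, the listening service sees (and can log) each attempt; that is exactly the "noisy" property the notes attribute to the TCP scan, and why the SYN scan described later avoids the final ACK.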
fping pings multiple IP addresses; the addresses can be saved in a file that fping reads. fping -h prints the available options.

Traceroute is a tool used to see the path that data takes from your computer to another device, like a website. It uses the TTL (Time-to-Live) value in IPv4 packets. Each data packet has a TTL value; this number tells the packet how many hops (routers) it can pass through before it gets dropped. Each router it passes through reduces the TTL by 1. When a router receives a packet whose TTL is 1 (it would become 0), the router drops the packet and sends a message back to you saying the TTL has expired. Traceroute sends packets with gradually increasing TTL values (1, then 2, then 3, and so on) to discover each hop along the route to the destination. Each time it gets a response, it records the hop and the time it took. By the end, you get a list of all the routers your packet passed through, along with the time for each hop, which helps you see where any delays are happening. The router at home connects your devices to the internet, but in the context of traceroute "routers" means any device that forwards packets between networks.

Nmap scans the most common 1000 ports, in a random order.

Nmap's six port states:
- open
- closed
- filtered
- unfiltered
- open|filtered
- closed|filtered (uncommon)

Nmap timing options: -T followed by a level, e.g. -T3, -T5.
- Paranoid (-T0): a packet is sent every 5 minutes
- Sneaky (-T1): a packet is sent every 15 seconds
- Polite (-T2): a packet is sent every 0.4 seconds
- Normal (-T3): default (multiple packets to multiple targets are sent in parallel)
- Aggressive (-T4): Nmap will not wait more than 1.25 seconds for a response
- Insane (-T5): Nmap will not wait more than 0.3 seconds for a response

TCP (connect) scan can determine the states of ports (open, closed, filtered, unfiltered). It performs the usual three-way handshake to determine whether the host (server)'s port is open. It is "noisy", meaning the repeated connection attempts are easy to detect.
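The TTL mechanism behind traceroute is easiest to see step by step, so here is an added simulation (not the real tool, and not code from the lecture). The path is a constructed list of routers using documentation and private address ranges; each router decrements the TTL, drops the packet when it would hit 0 and normally answers with an ICMP Time Exceeded message. One hop is deliberately silent to show the "*" that traceroute prints for a router that drops expired packets without replying. ROUTERS, DESTINATION, send_probe and traceroute are this example's own names.

```python
"""Simulated traceroute: added example illustrating the TTL mechanism, not the real tool.

Real traceroute needs raw sockets and a live network; here the path is a
constructed list of routers so the hop-by-hop logic can run offline.
"""

# Constructed path (documentation/private address ranges, not real hosts):
# (address, cumulative round-trip time in ms, does it send ICMP Time Exceeded?)
ROUTERS = [
    ("192.168.1.1", 1.0, True),
    ("10.0.0.1", 8.0, False),        # silent hop: drops expired packets without replying
    ("198.51.100.1", 20.0, True),
]
DESTINATION = ("203.0.113.10", 35.0)


def send_probe(routers, destination, ttl):
    """Forward one packet with the given TTL; each router decrements it by 1.

    Returns (reply_kind, replying_address, rtt_ms). A router that receives the
    packet with TTL 1 would have to forward it with TTL 0, so it drops it and
    (normally) answers with ICMP Time Exceeded; the destination answers itself.
    """
    for addr, rtt, replies in routers:
        ttl -= 1
        if ttl == 0:
            if replies:
                return ("time-exceeded", addr, rtt)
            return ("no-reply", None, None)   # traceroute prints this hop as *
    return ("echo-reply", destination[0], destination[1])


def traceroute(routers, destination, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... until the destination itself answers."""
    trace = []
    for ttl in range(1, max_hops + 1):
        kind, addr, rtt = send_probe(routers, destination, ttl)
        trace.append((ttl, addr if addr else "*", rtt))
        if kind == "echo-reply":
            break
    return trace


if __name__ == "__main__":
    for ttl, addr, rtt in traceroute(ROUTERS, DESTINATION):
        print(f"{ttl:2d}  {addr:15s}  {'*' if rtt is None else f'{rtt:.1f} ms'}")
```

The max_hops cap matters in practice: if the destination never answers (or a filter drops every probe), the loop would otherwise run forever, which is why real traceroute stops at 30 hops by default and prints a row of "*" for each unanswered TTL.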
SYN scan: the attacker sends a SYN packet to initiate a connection. If the target responds with a SYN-ACK, the port is open. Instead of completing the handshake with an ACK, the attacker sends an RST (reset) packet. This terminates the connection attempt without establishing a full connection, so the scan finds open ports stealthily without leaving a trace of a completed connection. Less noisy than the TCP scan.

Xmas scan: the attacker sends packets with the PSH, FIN, and URG flags set. This combination makes the packet look unusual and can confuse the target. If the server does not respond, the port is usually either open or filtered (a firewall might be blocking the response). If the port is closed, the server typically responds with an RST packet. This scan is often used to evade detection by security systems.

FIN scan: the attacker sends a packet with only the FIN flag set. If the server does not respond, the port is considered open or filtered.

Xmas and FIN scans can be unreliable and slow. They are less likely to trigger a firewall that only checks whether the SYN flag is set.

ACK scan: when an ACK is received, an unfiltered host must respond with RST. Used to determine whether a port is filtered or unfiltered. The result is less reliable and sometimes slow too.

Nmap states summary
- open: an application is accepting TCP/UDP connections. Can be a result of TCP and SYN scans.
- closed: no application is listening on the port. Can be a result of TCP, SYN, Xmas and FIN scans.
- filtered: a packet filtering mechanism or device is blocking the probe (Nmap cannot determine whether the port is open or not). Can be a result of an ACK scan.
- unfiltered: the port is accessible (Nmap cannot determine whether the port is open or not). Can be a result of an ACK scan.
- open|filtered: the port is open or filtered (Nmap is unable to determine which). Can be a result of Xmas and FIN scans.
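Each scan type described above leaves a recognisable pattern on the wire, which is what a defender looks for. The following added example (not code from the lecture) reads a constructed, simplified tcpdump-style log, one TCP segment per line with its flags, and counts three signatures per source address: half-open handshakes (SYN, SYN-ACK, then RST from the client, the SYN-scan footprint), handshake-less FIN, Xmas (FIN+PSH+URG) and NULL probes, and the number of distinct destination ports one source touches. The sample traffic, the SAMPLE_LOG name, the thresholds and the functions parse_line and analyze are all this example's own.

```python
"""Spotting the scan patterns described above in packet logs: added example, not from the lecture.

The input is a constructed, simplified tcpdump-style log (one TCP segment per
line with its flags), not real captured traffic. The rules look for:
  - half-open handshakes (SYN, SYN-ACK, then RST from the client: SYN scan)
  - FIN / FIN+PSH+URG / no-flag probes with no handshake (FIN, Xmas, NULL scans)
  - one source touching many distinct destination ports (any port scan)
"""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes 10.0.0.8; 10.0.0.9 opens a normal SSH session.
SAMPLE_LOG = """\
10:00:01 10.0.0.5.40001 > 10.0.0.8.22: Flags [S]
10:00:01 10.0.0.8.22 > 10.0.0.5.40001: Flags [S.]
10:00:01 10.0.0.5.40001 > 10.0.0.8.22: Flags [R]
10:00:01 10.0.0.5.40002 > 10.0.0.8.80: Flags [S]
10:00:01 10.0.0.8.80 > 10.0.0.5.40002: Flags [S.]
10:00:01 10.0.0.5.40002 > 10.0.0.8.80: Flags [R]
10:00:02 10.0.0.5.40003 > 10.0.0.8.443: Flags [S]
10:00:02 10.0.0.8.443 > 10.0.0.5.40003: Flags [R.]
10:00:03 10.0.0.5.40004 > 10.0.0.8.8080: Flags [FPU]
10:00:03 10.0.0.5.40005 > 10.0.0.8.3306: Flags [F]
10:00:03 10.0.0.5.40006 > 10.0.0.8.5432: Flags []
10:00:04 10.0.0.9.50000 > 10.0.0.8.22: Flags [S]
10:00:04 10.0.0.8.22 > 10.0.0.9.50000: Flags [S.]
10:00:04 10.0.0.9.50000 > 10.0.0.8.22: Flags [.]
"""

LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")
PROBE_FLAGS = {"FPU": "xmas", "F": "fin", "": "null"}   # tcpdump letters: F=FIN P=PSH U=URG .=ACK


def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags) or None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return ts, src, int(sport), dst, int(dport), flags


def analyze(log_text, port_threshold=4, half_open_threshold=2):
    """Per-source counters for the scan signatures, plus a 'suspect' verdict."""
    flows = defaultdict(list)   # (client, cport, server, sport) -> ["c:<flags>" / "s:<flags>", ...]
    stats = defaultdict(lambda: {"ports": set(), "half_open": 0, "xmas": 0, "fin": 0, "null": 0})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        _, src, sport, dst, dport, flags = pkt
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                       # bare SYN: the sender is the client of a new flow
            flows[fwd] = ["c:S"]
            stats[src]["ports"].add(dport)
        elif rev in flows:                     # reply from the server side of a tracked flow
            flows[rev].append("s:" + flags)
        elif fwd in flows:                     # follow-up from the client side
            flows[fwd].append("c:" + flags)
        elif flags in PROBE_FLAGS:             # odd flags with no handshake at all
            stats[src][PROBE_FLAGS[flags]] += 1
            stats[src]["ports"].add(dport)
    for (client, _, _, _), seq in flows.items():
        if seq == ["c:S", "s:S.", "c:R"]:      # SYN-ACK answered with RST instead of ACK
            stats[client]["half_open"] += 1
    report = {}
    for src, s in stats.items():
        stateless = s["xmas"] + s["fin"] + s["null"]
        report[src] = {
            "ports_probed": len(s["ports"]),
            "half_open": s["half_open"], "xmas": s["xmas"], "fin": s["fin"], "null": s["null"],
            "suspect": (len(s["ports"]) >= port_threshold
                        or s["half_open"] >= half_open_threshold
                        or stateless > 0),
        }
    return report


if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG).items():
        print(src, r)
```

A single half-open handshake is not evidence of anything (a client may abort a connection), which is why the verdict needs either several of them or a spread of distinct ports; the stateless Xmas, FIN and NULL probes, on the other hand, have no legitimate reason to appear outside an established connection, so even one is worth an alert. Note also how the closed port (443) shows up as a SYN answered by RST-ACK and is not counted as half-open, matching the "closed" state in the summary above.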