Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
CEH ch 3
Certified Ethical Hacker ch 3
| Term | Definition |
|---|---|
| TCP HEADER FLAGS: | SYN (Synchronize) ACK (Acknowledgment) RST (Reset) FIN (Finish) PSH (Push) URG (Urgent) |
| RST (Reset) | This flag forces a termination of communications (in both directions). |
| FIN (Finish) | This flag signifies an ordered close to communications. |
| PSH (Push) | This flag forces the delivery of data without concern for any buffering. In other words, the receiving device need not wait for the buffer to fill up before processing the data. |
| URG (Urgent) | When this flag is set, it indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example. |
| PACKET-CRAFTING TOOLS | Netscan (www.netscantools.com), Ostinato (ostinato.org), WAN Killer (solarwinds.com), Packeth (packeth.sourceforge.net), and LAN Forge FIRE (www.candelatech.com). |
| *Colasoft’s Packet Builder | tool to manipulate TCP flags. has 3 views: Packet List (displays all constructed packets), Decode Editor (allows you to edit packets), and Hex Editor (displays packet in hex for editing). can create frag. packets to bypass IDS & firewalls. |
| Service Name and Transport Protocol Port Number Registry | the official list for all port number reservations. |
| 20/21 | FTP TCP |
| 22 | SSH TCP |
| 23 | Telnet TCP |
| 25 | SMTP TCP |
| 53 | DNS TCP and UDP |
| 67 | DHCP UDP - server dynamically assigns an IP address and other network configuration parameters to each device on the network, so they can communicate with other IP networks |
| 69 | TFTP UDP - a simple lockstep FTP which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. |
| 80 | HTTP TCP |
| 110 | POP3 TCP |
| 135 | RPC TCP - remote procedure call - a subroutine to execute in a different address space which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction. |
| 137–139 | NetBIOS TCP and UDP - (Network Basic Input/Output System) is a program that allows applications on different computers to communicate within a local area network (LAN) |
| 143 | IMAP TCP -Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages |
| 161/162 | SNMP UDP - Simple Network Management Protocol is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. |
| 389 | LDAP TCP and UDP |
| 443 | HTTPS TCP |
| 445 | SMB TCP - Server Message Block is a communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. |
| *CurrPorts | -a tool that displays a list of all currently opened TCP/IP and UDP ports on a computer, including the process that opened the port, the process name, full path, version information, the time it was created, and the user who created it. |
| netstat -b | command to see executable associated with open port. |
| netstat -an | command displays all connections and listening ports, with addresses and port numbers in numerical form. |
| IPv4 three main address types: | unicast (acted on by a single recipient), multicast (acted on only by members of a specific group), and broadcast (acted on by everyone in the network). |
| ROUTED PROTOCOL | a protocol that is one that is being packaged up and moved around (e.g., IPv4 and IPv6). |
| ROUTING PROTOCOL | a protocol that decides the best way to get to the destination (e.g., BGP, OSPF, or RIP). |
| *scanning methodology steps: | 1. Check for live systems. 2. Check for open ports. 3. Scan beyond IDS. 4. Banner grabbing. OS and running svs. 5. Vulnerability scan. 6. Draw network diagrams. logical and physical pathways. 7. Prepare proxies. to stay hidden. |
| *PING SWEEP | the easiest way to identify active machines on the network. Does not work with IPv6. Easily detected by NIDS and HIDS. |
| *ICMP ECHO SCANNING - | sending ICMP Echo Request packets to the network IP address. Ex: nmap -sn<IP address> |
| *LIST SCAN - | running a reverse DNS lookup on all IPs in the subnet. |
| *ICMP Message Type 0: | Echo Reply Answer to a Type 8 Echo Request |
| *ICMP Message Type 3: | Destination Unreachable - Error message codes: 0—Dest. NETWORK unreachable 1—Dest. HOST unreachable 6—Network unk. 7—Host unknown 9—Network admin. prohibited 10—Host admin. prohibited *13—COMM. ADMIN. PROHIBITED |
| ICMP Message Type 4: | ICMP Reply - Source Quench A congestion control message |
| ICMP Message Type 5: Redirect | ICMP reply - Sent when two or more gateways are available for the sender to use and the best route available to the destination is not the configured default gateway. The codes follow: 0—Redirect datagram for the network 1—Redirect datagram for the host |
| *ICMP Message Type 8: | ICMP Echo Request - A ping message, requesting an Echo reply |
| ICMP Message Type 11: | ICMP message Time Exceeded - The packet took too long to be routed to the destination (code 0 is TTL expired) |
| PING sweep tools | Nmap, SolarWinds Engineer Toolset, Network Ping, OPUtils, SuperScan, Advanced IP Scanner, and Pinkie |
| Port Scan Type - Full connect (TCP connect or full open scan) | Port scan that runs through a full connection (three-way handshake) on ports, with an RST at the end. Easiest to detect but most reliable. Open ports will respond with a SYN/ACK, and closed ports will respond with an RST. |
| Port Scan Type - Stealth (half-open scan or SYN scan). | Port scan - Only SYN packets are sent to ports (not completing handshake). Open ports will respond with a SYN/ACK, and closed ports will respond with an RST. Useful in hiding scanning efforts, doesn’t get noticed because there is no connection. |
| Port Scan Type - Inverse TCP flag | Port scan - Uses the FIN, URG, or PSH flag (or no flags at all). If the port is open, there will be no response at all. If the port is closed, an RST/ACK will be sent in response. |
| Port Scan Type - XMAS | Port scan - all flags are turned on. open port = no response. closed port = an RST/ACK will be sent in response. does not work against Microsoft Windows machines due Microsoft’s TCP/IP stack implementation (Microsoft TCP/IP is not RFC 793 compliant). |
| Port Scan Type - ACK flag probe - TTL VERSION | Port scan - attacker sends the ACK flag and looks at the return header. if the TTL of the returned RST packet < 64 = open. |
| Port Scan Type - ACK flag probe - WINDOW VERSION, | Port scan - attacker sends the ACK flag and looks at the return header. if the WINDOW size on the RST packet = 0 = closed. |
| test for stateful firewall | When an ACK is sent and there is no response. |
| Port Scan Type - IDLE | Port scan - uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag. Open ports will respond with a SYN/ACK, and closed ports will respond with an RST. |
| Network Scan Types | Full or TCP connect; Stealth or half open or SYN; Inverse TCP; XMAS; ACK flag probe TTL or Windows version; IDLE. |
| Nmap -A | scanning command that enables OS detection, version detection, script scanning, and traceroute automatically. |
| Hping3 switch -1 | in Hping3, Sets ICMP mode. For example, hping3 -1 172.17.15.12 performs an ICMP ping. |
| Hping3 switch -2 | in Hping3, Sets UDP mode. For example, hping3 -2 192.168.12.55 -p 80 performs a UDP scan on port 80 for 192.168.12.55. |
| Hping3 switch -8 | in Hping3, Sets scan mode, expecting an argument for the ports to be scanned (single, range [1–1000], or "all"). For example, hping3 -8 20-100 scans ports 20 through 100. |
| Hping3 switch -9 | in Hping3, Sets Hping in listen mode, to trigger on a signature argument when it sees it come through. For example, hping3 -9 HTTP -I eth0 looks for HTTP signature packets on eth0. |
| Hping3 switch --flood | in Hping3, Will send packets as fast as possible, disregarding incoming replies. For example, a SYN flood from 192.168.10.10 against .22 could be kicked off with hping3 -S 192.168.10.10 -a 192.168.10.22 -p 22 --flood. |
| Hping3 switch -Q --seqnum | in Hping3, to collect sequence numbers generated by the target host. This can be useful when you need to analyze whether a TCP sequence number is predictable (for example, hping3 172.17.15.12 -Q -p 139 -s). |
| Hping3 switch -F | in Hping3, Sets the FIN flag. |
| Hping3 switch -S | in Hping3, Sets the SYN flag. |
| Hping3 switch -R | in Hping3, Sets the RST flag. |
| Hping3 switch -P | in Hping3, Sets the PSH flag. |
| Hping3 switch -A | in Hping3, Sets the ACK flag. |
| Hping3 switch -U | in Hping3, Sets the URG flag. |
| Hping3 switch -X | in Hping3, Sets the XMAS scan flags. |
| port scanning tools | Nmap, hping3, SuperScan, Advanced Port Scanner, MegaPing, Net Tools, and PRTG Network Monitor. |
| mobile scanning tools | IP Scanner, Fing, Hackode, zANTi, and PortDroid Network Analysis |
| ways to avoid detection during scanning | fragmenting packets, spoofing an IP address, source routing, and proxies. |
| fragmenting packets | cracking apart the packets before they’re sent so the IDS can’t recognize them. |
| In ENUMERATION, Active OS fingerprinting | during enumeration, sending crafted, nonstandard packets to a remote host and analyzing the replies. |
| In ENUMERATION, Passive OS fingerprinting | during enumeration, sniffing packets without injecting any packets into the network—examining things like Time-to-Live (TTL), window sizes, Don’t Fragment (DF) flags, and Type of Service (ToS) fields from the capture. |
| SOURCE ROUTING is | used to disguise your identity on a network(pre 1995). allows apps to specify the route a packet takes to a destination, regardless routing tables. Most firewalls and routers detect and block source-routed packets. |
| IP ADDRESS DECOY | Obfuscates the real source of the scan by hiding it among a whole bunch of fake source addresses (making it appear like all are scanning). Uses Nmap and puts the real source IP between decoys. |
| PROXY server use | intermediary between you and your targets often used by network administrators to control traffic or remotely accessing intranets. Used by Hackers to avoid detection. |
| Evasion tools specific to the mobile world: | proxydroid (github.com), Servers ultimate (www.icecoldapps.com), and NetShade (www.raynersw.com). |
| Mobile Anonymizers: | Orbot (guardianproject.info), Psiphon (psiphon.ca), and OpenDoor (itunes.apple.com), Shadowsocks (shadowsocks.org) |
| Anonymizers | services on the Internet that make use of a web proxy to hide your identity: Guardster, Ultrasurf, Psiphon, Tails (live OS you can run from a USB that anonymizes the source and leaves no trace on the system being used) |
| Gzapper | used to get rid of Google cookie puts on your system that has a unique identifier that lets them track your web activity. |
| Retina CS | Vulnerability scanning tool - capability to scan everything in an enterprise and provide reports, |
| Microsoft Baseline Security Analyzer (MBSA) | Vulnerability scanning tool - Windows only but does a good job telling you what patches and such are missing on your machine. |
| Nessus | Vulnerability scanning tool - (PROFESSIONAL for laptop scanning, and SECURITY CENTER is an enterprise-level version) |
| GFI LanGuard | Vulnerability scanning tool - with patch management |
| Qualys FreeScan | Vulnerability scanning tool - for testing websites and applications for OWASP top risks and malware |
| OpenVAS | Vulnerability scanning tool - basically a free version of Nessus. |
| ENUMERATION | Listing items found in scanning within a specific target and creating connections to a device, performing specific actions to ask specific questions, and then using the results to identify potential attack vectors. Active state. |
| MS security identifier (SID) | identifies user, group, and computer accounts and follows a specific format. SIDs are composed of an S, followed by a revision number, an authority value, a domain or computer indicator, and RID. |
| MS resource identifier (RID) | a portion of the overall SID identifying a specific user, computer, or domain. starts at 500 for the administrator account. Guest is RID 501. All users start at 1000 and increment from that point forward. |
| Linux user ID (UID) | Linux version of SID and RID. |
| Linux user group ID (GID) | Located in the /etc/passwd file. |
| MS Password storage location | C:\Windows\System 32\Config\SAM |
| Linux enumeration command: Finger | provides information on the user and host Linux machine |
| Linux enumeration command: rpcinfo and rpcclient | provide information on RPC in the Linux environment |
| Linux enumeration command: showmount | displays all the shared directories on the machine |
| netcat | a command-line networking utility that reads and writes data across network connections using TCP/IP. It’s also a tunneling protocol, a scanner, and an advanced hacking tool. |
| banner grabbing tools | telnet, netcat, and network scanners |
| Enumeration methods | banner grabbing, NetBIOS, SNMP, LDAP, NTP, SMTP |
| master browser | coordinates list information and allows systems and users to easily find each other therefore it can be used in NetBIOS Enumeration. |
| NetBIOS enumeration tools | SuperScan, Hyena, Winfingerprint, NetBIOS Enumerator, NSAuditor. |
| SNMP enumeration | uses a community string as a password (read only and read-write versions). Read-write default community string is private. Read-only default community string is public. |
| NTPv3 and SMTPv3 | protocol that provide encryption, authentication, and message integrity functions |
| SNMP Enumeration tools | • Engineer’s Toolset (solarwinds.com), • SNMPScanner (secure-bytes.com), • OpUtils 5 (www.manageengine.com), and • SNScan (mcafee.com) are all viable options |
| LDAP Enumeration Tools | Softerra, JXplorer, Lex, LDAP Admin Tool, built-in Active Directory Explorer in Windows systems. |
| Commands for NTP enumeration | ntptrace, ntpdc, and ntpq |
| NTP enumeration tools | NTP Server Scanner, AtomSync, Nmap and Wireshark. |
| SMTP telnet commands: | VRFY (validates user), EXPN (provides the actual delivery addresses of mailing lists and aliases), and RCPT TO (defines recipients). Syntax: VRFY brad |
Created by:
CountChocula7623
Popular Computers sets