Help
Options
Question
What is scanning?
click to flip
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't know
Question
Which types of scanning are used to gather information about a target?
Remaining cards (82)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
TestOut Ethical Hack
TestOut Ethical Hacker Pro Q&A Chapter 5 Scanning
| Question | Answer |
|---|---|
| What is scanning? | |
| Which types of scanning are used to gather information about a target? | |
| Which tools can be used for scanning? | |
| What type of information can be gathered with scanning? | |
| How can organizations protect themselves against scanning attempts? | |
| Scanning | Scanning is the process of actively engaging with a target in an attempt to gather information about a network. |
| Port scan | A port scan probes a server or host for open ports. |
| Network scan | Network scans are used to find live computers on a network. |
| Vulnerability scan | Vulnerability scans are used to find system weaknesses such as open ports and access points. |
| Wardialing | Using a modem, the scan dials a large block of phone numbers and attempts to locate other systems connected to a modem. If the modem gets a response, it can establish a connection. Modems are still often used for fax machines and multi-purpose copiers and as a backup for high-speed internet. |
| ping | ping works by sending an ICMP message from one system to another. Based on the ICMP reply, you know whether the system is live and how quickly the packets travel from one host to another. |
| ping sweep | A ping sweep scans a range of IPs to look for live systems. ping sweeps help to build a network inventory. However, they can also alert the security system, potentially resulting in an alarm being triggered or the attempt being blocked. |
| The three-way handshake occurs when? What are the steps? | you’re trying to use TCP to connect to a port. As indicated by the name, the handshake has three steps: Computer 1 sends a SYN packet to Computer 2. Computer 2 receives the packet and sends a SYN/ACK packet to Computer 1. Computer 1 receives the SYN/ACK packet and replies with an ACK packet, and the connection is complete. |
| TCP Flag SYN | Starts a connection between hosts. |
| TCP Flag ACK | Acknowledges the receipt of a packet. |
| TCP Flag FIN | Indicates that no additional information will be sent. |
| TCP Flag RST | Resets a connection. |
| TCP Flag URG | Flags a packet as urgent. |
| TCP Flag PSH | Directs the sending system to send buffered data. |
| nmap –sT IP address | Full open scan The full open scan completes a full three-way handshake on all ports. Open ports respond with a SYN/ACK, and closed ports respond with an RST flag, ending the attempt. The down side of this type of scan and the reason that it’s not frequently used is that somebody now knows you were there. |
| nmap –sS IP address | Half-open scan A half-open scan, also known as a stealth scan, sends an SYN packet to a port. The three-way handshake does not occur because the originating system does not reply with the final ACK. At this point, you have discovered an open port. Because an ACK packet was not sent, a connection was not made, and there is no security log. |
| nmap –sX –v IP address | Xmas tree scan An Xmas tree scan gets its name because all of the flags are turned on, and the packet is lit up like a Christmas tree. The recipient has no idea what to do with this packet, so either the packet is ignored or dropped. If you get an RST packet, you know the port is closed. If you don’t get a response, the port may be open. |
| nmap –sF IP address | FIN scan The packet is sent with the FIN flag set. This allows the packet to pass through firewalls and onto the intended target without attracting much attention. If a port is open, there will be no response. If the port is closed, an RST response is returned. |
| nmap –sN IP address | NULL scan The packet is sent with no flags set. If the port is open, there is no response. If the ports are closed, an RST response is returned. |
| Idle Scan | The hacker finds a target machine, but wants to avoid getting caught, so, he finds another system to take the blame. The blamed system is called a zombie machine because it’s disposable and creates a good distraction. The scan directs all requests through the zombie machine. If that zombie machine is flagged, the hacker simply creates another zombie machine and continues to scan. |
| Full open scan | The full open scan completes a full three-way handshake on all ports. Open ports respond with a SYN/ACK, and closed ports respond with an RST flag, ending the attempt. The down side of this type of scan and the reason that it’s not frequently used is that somebody now knows you were there. nmap –sT IP address |
| Half-open scan | A half-open scan, also known as a stealth scan, sends an SYN packet to a port. The three-way handshake does not occur because the originating system does not reply with the final ACK. At this point, you have discovered an open port. Because an ACK packet was not sent, a connection was not made, and there is no security log. nmap –sS IP address |
| Xmas tree scan | An Xmas tree scan gets its name because all of the flags are turned on, and the packet is lit up like a Christmas tree. The recipient has no idea what to do with this packet, so either the packet is ignored or dropped. If you get an RST packet, you know the port is closed. If you don’t get a response, the port may be open. nmap –sX –v IP address |
| FIN scan | The packet is sent with the FIN flag set. This allows the packet to pass through firewalls and onto the intended target without attracting much attention. If a port is open, there will be no response. If the port is closed, an RST response is returned. nmap –sF IP address |
| NULL scan | The packet is sent with no flags set. If the port is open, there is no response. If the ports are closed, an RST response is returned. nmap –sN IP address |
| Scanning Tools CurrPorts | CurrPorts lists all open UDP and TCP/IP ports on your computer. It also provides information about the process that opened the port, the user who created the process, and what time the port was created. |
| Scanning Tools ping | ping uses Internet Control Message Protocol (ICMP) messaging to determine whether a remote system is live. |
| Scanning Tools hping3 | hping3 sends packets across a network and can also create custom packets that can analyze the host. In addition to the normal ICMP pings, hping3 supports TCP and UDP, has a traceroute mode, and can send and receive files. This tool was primarily designed for the Linux operating system, but does have cross-platform capabilities. |
| Scanning Tools Colasoft | Colasoft is a packet crafting software that can modify flags and adjust other packet content. |
| Scanning Tools Angry IP Scanner | Angry IP Scanner is a network scanner. It scans local and remote networks and returns an IP range via a command-line interface. |
| Scanning Tools SolarWinds Port Scanner | SolarWinds Port Scanner is a command line tool that provides a list of open, closed, or filtered ports. |
| Scanning Tools IP-Tools | IP-Tools has 20 scanning utilities, including SNMP Scanner, UDP Scanner, Trace, Finger, Telnet, IP-Monitor, and Trap Watcher. The program supports multitasking so that you can use all utilities at once. IP-Tools is designed to work on a Windows system. |
| Network Mapping Tools NetAuditor | NetAuditor reports, manages, and diagrams network configurations. |
| Network Mapping Tools SolarWinds Network Topology Manager | SolarWinds Network Topology Manager provides automated network discovery and mapping. |
| Network Mapping Tools Scany | Scany is a scanner application for iOS devices. It scans networks, websites, and ports to find open network devices. It can obtain domain and network names and includes basic networking utilities such as ping, traceroute, and whois. |
| What is Zenmap | is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with ... |
| Scanning Considerations | What type of scan Time of day when running the scan |
| what can you do when you find that your scanning attempts are being blocked? | A few options include scanning with ACK, fragmenting packets, spoofing IP addresses, and using a proxy. |
| Evasion Methods Scan with ACK | This scan will help you determine whether the firewall is stateful or stateless and whether or not the ports are open. In an ACK scan, only the ACK flag is set. If a port is unfiltered, both open and closed ports return an RST packet. If a port is filtered, it either returns an error message or no response at all. |
| Evasion Methods Fragment packets | Fragmenting is probably one of the most commonly used methods to avoid detection. You're still sending packets, you're just breaking them apart so intrusion detection systems don't know what they are. As long as you're not bombarding the system, the packet segments float by without concern. |
| Evasion Methods Spoof IP addresses | Many scanning tools have the functionality to recraft the packet so that the source address reflects a different IP address. The scan is sent to the recipient, the feedback is returned to the fake IP address, and there is no record of your IP address sending the requests. |
| Evasion Methods Use a proxy | A proxy serves as a less vulnerable access point to a network. Typically, proxies are placed in networks to keep external users from accessing the internal network. Hackers like proxies because they filter incoming and outgoing traffic, provide you with anonymity, and shield you from possible detection. |
| Vulnerability Scan tool Nessus | Nessus is often considered the industry standard for vulnerability scanning. The software helps to identify software flaws, malware, missing or outdated patches, and configuration errors across a network. |
| Vulnerability Scan tool OpenVAS | OpenVAS provides authentication testing, protocol testing, and performance tuning for large-scale networks. |
| Vulnerability Scan tool Beyond Trust | Beyond Trust provides a network security scanner that helps to identify vulnerabilities and prioritize solutions. This software is available as a standalone application or part of their larger vulnerability management solution. |
| Vulnerability Scan tool InsightVM | Saint provides enterprise level vulnerability management tools. |
| Preventing Banner Grabbing | 1. disable the banners, or at least portions of the banner. 2. hide file extensions. 3. enable custom error pages. This way, you have full control over what scanners can and cannot see when they trigger an error message. |
| A technician is using a modem to dial a large block of phone numbers in an attempt to locate other systems connected to a modem. Which type of network scan is being used? | Wardialing |
| A ping sweep is used to scan a range of IP addresses to look for live systems. A ping sweep can also alert a security system, which could result in an alarm being triggered or an attempt being blocked. Which type of scan is being used? | Network scan |
| Randy is an ethical hacker student. He has learned how nmap flag manipulation can help find open ports. Although the name of the operating system did not jump right out at him, he might be able to figure it out by reviewing packet information. In a packet, Randy can see a TTL of 255 and a window size of 4128. What type of scanning process is Randy using? | Fingerprinting |
| What scan is used to actively engage a target in an attempt to gather information about it? | Port scan |
| A hacker finds a target machine but wants to avoid getting caught, so the hacker finds another system to take the blame. This system is frequently called a zombie machine because it's disposable and creates a good distraction. Which of the following port scans is being used? | Idle Scan |
| Alex, a security specialist, is using an Xmas tree scan. Which of the following TCP flags will be sent back if the port is closed? | RST |
| What flag is used by a TCP scan to direct the sending system to send buffered data? | PSH |
| TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection to a system port. Computer 1 sends a SYN packet to Computer 2. Which packet does Computer 2 send back? | SYN/ACK |
| What type of scan is used to find system weaknesses such as open ports, access points, and other potential threats? | Vulnerability scan |
| You are using an iOS device. You want to scan networks, websites, and ports to find open network devices. Which of the following network mapping tools should you use? | Scany |
| What packet crafting software programs can be used to modify flags and adjust other packet content? | Colasoft |
| You want a list of all open UDP and TCP ports on your computer. You also want to know which process opened the port, which user created the process, and what time is was created. Which of the following scanning tools should you use? | Currports |
| What best describes the scan with ACK evasion method? | Helps determine whether the firewall is stateful or stateless and whether or not the ports are open. |
| What is a benefit of using a proxy when you find that your scanning attempts are being blocked? | It filters incoming and outgoing traffic, provides you with anonymity, and shields you from detection. |
| What is banner grabbing? | |
| Which tools can be used to grab a banner? | |
| What information is included in a banner? | |
| Banner grabbing | Banner grabbing is a technique hackers use to obtain information about the services running on a target system. |
| Telnet | is many hackers' tool of choice for banner grabbing. It operates on port 23. If you type telnet ip_address at a command prompt, you’ll send TCP packets to the destination port 23. However, by tacking a port number on to the end of the same command, you can check for other openings. If the port you specify is open, you’ll receive a banner response for that port. These banners can include some interesting information about the target system, |
| Netcraft | Netcraft is an online tool that is used to obtain server and web server information. |
| P0f | P0F is a Linux tool that analyzes network traffic and returns information on operating systems. Because it is passively viewing traffic, it is a stealthy method for gathering information. |
| nmap | nmap is another tool for banner grabbing. nmap connects to an open TCP port and returns anything sent in a five second period. The command syntax is nmap –sV –script=banner ip_address. The -sV option probes open ports to determine service/version info. |
| nmap –sV –script=banner ip_address | nmap is another tool for banner grabbing. nmap connects to an open TCP port and returns anything sent in a five second period. The command syntax is nmap –sV –script=banner ip_address. The -sV option probes open ports to determine service/version info. |
| Information transmitted by the remote host can be captured to expose the application type, application version, and even operating system type and version. Which of the following is a technique hackers use to obtain information about the services running on a target system? | Banner grabbing |
| Joe wants to use a stealthy Linux tool that analyzes network traffic and returns information about operating systems. Which of the following banner grabbing tools is he most likely to use? | P0f |
| Nmap can be used for banner grabbing. Nmap connects to an open TCP port and returns anything sent in a five-second period. Which of the following is the proper nmap command? | nmap -sV --script=banner ip_address |
| nmap -sT | -sT executes a TCP connect port scan (default without root privilege). |
| nmap -sX | An Xmas tree scan gets its name because all of the flags are turned on, and the packet is lit up like a Christmas tree. To do an Xmas tree scan, use nmap -sX -v ip_address. |
| nmap -sN | When a packet is sent with no flags set and the port is open, there will be no response. You can check this lack of response with; nmap -sN ip_address. |
| What is an online tool that is used to obtain server and web server information? | Netcraft |
| What best describes telnet? | The tool of choice for banner grabbing that operates on port 23. |
Created by:
jacobth