
Chapter 3: Scanning & Enumeration

CEH Hacking Methodology
  - Reconnaissance & Footprinting
  - Scanning & Enumeration
  - Gaining Access
  - Maintaining Access
  - Covering Tracks

Scanning & Enumeration
  - Active: Send Crafted Packets and Compare Responses
  - Passive: Sniffing Traffic
  - Banner Grabbing: Error Messages, Exceptions, File Extensions

Linux Basics
  - Accounts
    - User Identifier (UID), stored in /etc/passwd
      - ID 0 (Root)
      - ID 1-100 (System)
      - ID 500/1000 (User)
    - Group Identifier (GID), stored in /etc/groups
      - ID 0 (Root)
      - ID 100 (Users Group)
      - ID 1000 (User)
  - Commands: id, uname, finger, rpcinfo, rpcclient, showmount

Microsoft Windows Basics
  - Accounts
    - Security Identifier (SID): Identifies User, Group and Computer
      - S-1-5-21-X-Y-Z-500 (Local Administrator, RID 500)
      - S-1-5-21-X-Y-Z-501 (Guest, RID 501)
      - S-1-5-21-X-Y-Z-1000 (Local User, RID 1000+)
    - Resource Identifier (RID): Portion of SID
    - Rights and Permissions
      - User Rights: System Tasks Allowed
      - Permissions: Resources Access
  - Passwords: C:\Windows\System32\Config\SAM
  - Commands: net user, net view, systeminfo

Transmission Control Protocol (TCP)
  - Properties: Connection-Oriented, End-to-End Delivery, Reliability, Flow and Sequence Control, Retransmissions
  - Segment: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Offset, Reserved, Window, Flags, Checksum, Options, Padding, Data
  - Flags: Synchronize (SYN), Acknowledgement (ACK), Reset (RST), Finish (FIN), Push (PSH), Urgent (URG)
  - 3-Way Handshake
    1. SYN, SeqA
    2. SYN ACK, SeqA+1, SeqB
    3. ACK, SeqB+1, SeqA
  - Tools: netstat, lsof, netcat, telnet, Ncat; Netscan Tools, Ostinato, WAN Killer, LANForge Fire, Colasoft Packet Builder

User Datagram Protocol (UDP)
  - Properties: Connectionless, 16 bit Headers
  - Segment: Source Port, Destination Port, Length, Checksum, Data

Networking
  - Types
    - Unicast: One-to-One
    - Multicast: One-to-Many (Group)
    - Broadcast: One-to-All
      - Limited: 255.255.255.255, FF:FF:FF:FF:FF:FF
      - Directed: 192.168.1.255 (All Host Bits = 1)
  - Subnetting
    - IPv4 Address: 32 bit (4 bytes), 4 Octets
    - Network Identifier: 192.168.1.0/24 (All Host Bits = 0)
    - Host Identifier
    - Subnet mask
    - CIDR Notation

Host Discovery
  - ICMP Ping Types
    - nmap -PI: Ping
    - nmap -Pn / -P0: No Ping
    - nmap -PE: ECHO (ECHO Request Type 8, ECHO Reply Type 0)
    - nmap -PP: Timestamp
    - nmap -PM: Address Mask
  - nmap -sL: List Scan (Reverse DNS Lookup)
  - nmap -PS: TCP SYN Ping
  - nmap -PA: TCP ACK Ping
  - nmap -PY: SCTP INIT Ping
  - nmap -PU: UDP Ping

Port Scan Types
  - nmap -sT: Full Connect (TCP)
    - Connection State: LISTENING, ESTABLISHED, CLOSE_WAIT, TIME_WAIT
  - nmap -sS: Stealth (TCP SYN), Half-Open
    - SYN/ACK (Port Open)
    - RST (Port Closed)
  - Inverse TCP
    - nmap -sF / -sN: FIN or NULL Scan
    - nmap -sX: TCP Xmas Scan, All Flags On (URG, PSH, FIN)
    - Response: RST (Closed); No Response (Open/Filtered)
    - Doesn't Work Against Microsoft TCP/IP (Always RST)
  - nmap -sA: ACK Flag Probe, Determine If Ports Are Filtered/Unfiltered
    - RST Response, TTL < 64 (Port Open/Closed, Unfiltered)
    - RST Response, Window != 0 (Port Open/Closed, Unfiltered)
    - No Response (Firewall/Filtered)
  - nmap -sI zombie:port: IDLE Scanning
    - Spoofed IP Address, IPID (Fragmentation), SYN/ACK Flags
    - Procedure
      1. Attacker Sends SYN/ACK to Zombie (IPID Probe)
      2. Zombie Responds RST (IPID)
      3. Attacker Sends SYN With Spoofed Zombie IP to Target
      4. Target Responds to Zombie: SYN/ACK (Port Open) or RST (Port Closed)
      5. Zombie Responds to Target with RST (IPID+1) [Port Open]
      6. Attacker Sends SYN/ACK to Zombie (IPID)
      7. Zombie Replies RST (IPID+1 or IPID+2): IPID + 2 (Port Open), IPID + 1 (Port Closed)
  - nmap -sM: TCP Maimon, Send FIN/ACK Flags
    - No Response (Open)
    - RST Response (Closed)
    - BSD: Drop Packet If Port Open
  - nmap -sU: UDP Scan
    - No Response (Port Open)
    - ICMP Port Unreachable (Port Closed)
  - nmap -sY: SCTP INIT, SCTP Scan (Stream Transmission Control Protocol)
    - Message-Oriented as UDP, Reliability as TCP
    - Equivalent to TCP SYN
    - INIT-ACK (Port Open)
    - ABORT (Port Closed)
  - nmap -sZ: SCTP COOKIE

Ports
  - TCP: 20-21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS (AXFR), 80 HTTP, 110 POP3, 135 RPC, 143 IMAP, 179 BGP, 389 LDAP, 443 HTTPS, 445 SMB, 631 IPP
  - UDP: 53 DNS Lookups, 67 DHCP, 69 TFTP, 137-139 NetBIOS, 161-162 SNMP, 389 LDAP, 514 Syslog

Protocols
  - Routed Protocols (HTTP, FTP, SSH, etc)
  - Routing Protocols (BGP, OSPF, RIP)

NetBIOS Enumeration
  - Name Servicing, Provides Connectionless Communication, Session Layer Functions
  - Name: 16 Byte ASCII, 15 Chars (Name), 16th Char (Reserved)
  - Codes
    - 00 (Computer Name and Workgroup)
    - 20 (File and Print Sharing Active)
    - 1E (NetBIOS Browser Service Elections)
    - 1D (Master Browser)
  - Commands: nbtstat -n (Local Table), nbtstat -A IP (Remote System), nbtstat -a NAME (Remote System), nbtstat -c (Cache)
  - Tools: Hyena, NetBIOS Enumerator, NSAuditor

SNMP Enumeration (Simple Network Management Protocol)
  - Versions: v1 (Deprecated), v3 (Encryption, Authentication, Integrity)
  - Enumeration Techniques: SNMP GET, SNMP SET
  - Architecture: Manager, Agents, Management Information Base (MIB), Object Identifiers (OID)
  - Types of Objects: Scalar, Tabular
  - Community String (Password)
    - Types: Read-Only (Default Value: Public), Read-Write (Default Value: Private)
  - Tools: SNMPCheck

LDAP (Lightweight Directory Access Protocol)
  - Directory System Agent (DSA), Basic Encoding Rules (BER)
  - Provides Usernames, Domain Info, Addresses, Phones, Organizational Structure
  - Tools: Active Directory Explorer, Softerra LDAP Administrator, JXplorer, LDAP Admin Tool

Other Protocols
  - SMTP (Simple Mail Transfer Protocol) User Enumeration: VRFY (Verify User), EXPN (Delivery Addresses), RCPT TO (Defines Recipients)
  - NTP (Network Time Protocol): May Provide Internal Hosts Addresses (DMZ)
    - Tools: NTP Server Scanner, AtomSync, ntptrace, ntpdc, and ntpq

Vulnerabilities Scan
  - Tools: Acunetix, Baseline Security, LanGuard, OpenVAS, Tenable Nessus, Nikto

IDS Evasion
  - nmap -f: Fragment Packets
  - nmap -S / hping -a: Spoof Source IP
  - nmap --ip-options: Source Routing
  - nmap -D RND:x / nmap -D addr1, addr2, ...: IP Decoy
  - Proxies: TOR, VPNs
    - Tools: ProxyChains, Proxifier, Shadowsocks

Scanning
  - List of Connected Systems
  - Map Network Topology
  - Tools: Nmap, Zenmap, Hping3, Scapy, Ettercap, Cain; Angry IP Scanner, OpUtils, Superscan, Advanced IP Scanner, NetScan Tools, MegaPing
