UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640


Contents

Topic 1: Analogy ... 2
  Reconnaissance Strategies ... 2
Topic 2: Module Introduction ... 3
Topic 3: Reconnaissance ... 4
  What is Reconnaissance? ... 4
  Passive Reconnaissance ... 5
  Active Reconnaissance ... 7
  Activity: Active Reconnaissance ... 9
Topic 4: Scanning
  What Is Scanning?
  IP Scanning
  Port Scanning
  Types of Port Scans
  Vulnerability Scanning
  Quiz
  Port Scanning Tool: Nmap
Topic 5: Enumeration
  What Is Enumeration?
Topic 6: Summary
Glossary

UMUC 2012 Page 1 of 37

Topic 1: Analogy

Reconnaissance Strategies

The Preattack Phases, Module 2: Reconnaissance Strategies

Soldiers often carry out reconnaissance missions in which their only task is to collect facts about an enemy target. Doing so helps them prepare an effective, customized attack strategy. Similarly, hackers trying to break into protected networks research their targets to find ways to carry out an effective attack. Here is an analogy comparing military preattack strategies to the preattack exercises carried out by professional hackers and penetration testers, or pentesters.

Step 1
Military officers conduct scouting to collect information about their targets before an attack. Their goals are to make sure the enemy does not see them coming and to collect as much data as possible about the enemy, so that the attack is effective.

Step 2
Reconnaissance is another word for scouting. The U.S. Army's reconnaissance and surveillance course trains military personnel in surveillance and target acquisition. In reconnaissance, the armed forces research a target to plan the exact point of contact with that target.

Step 3
Reconnaissance, however, is not limited to warfare. It is a tactic used by ordinary people in everyday life. Hackers, for instance, who want to attack a particular network or computer system, perform reconnaissance to learn more about the target. Just as soldiers might monitor enemy troops from a distance as part of a reconnaissance exercise, hackers might observe activity on a target Web site as part of their reconnaissance. The goal remains the same for both: to study the target and move in precisely, not randomly.

Step 4
During reconnaissance, hackers use social engineering techniques and technical tools to learn about the target system's owners, domain names, and IP addresses, among other necessary details. Hackers need enough data to ensure that they are in and out of a system long before the victim has noticed that important data has been compromised.

Topic 2: Module Introduction

Before hackers or penetration testers launch an attack against an organization's network, they conduct a preattack exercise. This exercise helps them gather information, technical and nontechnical, about the system that they are targeting. This information helps attackers decide what type of attack will be most effective against their targets.

The first three phases of this preattack exercise are the most critical and are called reconnaissance, scanning, and enumeration. Understanding how these phases work together gives a clear indication of how attackers progress in their study of a target and launch an attack.

This module covers active and passive reconnaissance techniques, types of scanning, scanning tools and techniques, and enumeration.

Topic 3: Reconnaissance

What Is Reconnaissance?

Reconnaissance
Reconnaissance is the first step in engineering an effective attack.

Footprinting
Attackers or penetration testers use a process called footprinting during the reconnaissance phase. This process helps them gather preliminary information about the network they are targeting. The target network can belong to an individual, a corporation, a government, or any public institution.

Data Collection
Though hackers aim to collect as much information as possible, the data they collect during this phase is not enough to draw an accurate map of the target network.

Target
At the end of the reconnaissance phase, attackers manage to learn about the people they are targeting and the target network's IP address.

Topic 3: Reconnaissance

Passive Reconnaissance

There are two types of reconnaissance: passive and active. Passive reconnaissance presents a low level of risk for hackers because they spy on victims who are unaware that their moves are being watched. Through passive reconnaissance, hackers gather data from sources that are freely available to the public, such as open source sites, groups and forums, social engineering sites, vulnerability research sites, and people-search sites.

Open Source Sites
To use open source sites to gather data about a target, the attacker:
1. first looks for a target Web site
2. downloads the target Web site
3. uses various tools to analyze it

One of the most popular Web site downloading tools is the freely available wget. Here, wget recursively retrieves the Web pages of the target site. The -r option of wget enables recursive mirroring of all pages on the site.

Groups and Forums
Many users share information about the vulnerabilities of their systems and ask for solutions or answer queries posed by other users. Hackers use such forums to gather information about target systems and find vulnerabilities in the systems.

Social Engineering Techniques
Social engineering is the art of tricking people into giving out classified data. A common social engineering technique that hackers use is joining chat rooms their targets might use. In these chat rooms, hackers are able to start conversations through which they can extract valuable data from targets.

Vulnerability Research Sites
Hackers visit vulnerability research Web sites for the latest attack tools and techniques.

People-Search Sites
To find information such as the names of a system administrator, security engineer, or network engineer of a target company, hackers visit people-search Web sites such as people.yahoo.com.

Topic 3: Reconnaissance

Active Reconnaissance

In active reconnaissance, attackers use technical tools to probe the target network for information. For example, attackers may try to connect to different port numbers on the target IP to see which ones are open. In this way, they determine which software/servers are running on that IP, some of which might be vulnerable.

Data about a network's IP addresses is usually found through the Domain Name System (DNS). Hackers use several technical tools to query the target network's DNS to discover this data. During this phase, hackers use the following technical tools to learn more about their target: Whois, NSLookup, ARIN, DIG, and Traceroute.

Whois
Hackers interrogate the Internet domain name administration system to locate the domain name of a target system. Whois allows hackers to query DNS and obtain registered information, such as the domain ownership, address, location, and phone number.

NSLookup
The NSLookup tool allows anyone to query a DNS server for information such as host names and IP addresses. Using the NSLookup tool, a hacker can perform a DNS zone transfer and gather a great deal of information about the target.

ARIN
The American Registry for Internet Numbers (ARIN) is one of five worldwide regional Internet registries (RIRs). ARIN oversees public IP addresses for North America. Hackers query ARIN to identify the range of IP addresses their target network uses. ARIN allows hackers to:
- Conduct Whois-type searches on its database to locate information about network-related handles, subnet masks, and related points of contact (POC).
- Query an IP address to help identify how IP addresses are assigned. For example, a hacker can enter the Web server IP address of a target network into the ARIN Web site, using Whois to identify the number and the range of IP addresses in use.

DIG
Like the NSLookup tool, Domain Information Groper (DIG) is a flexible tool that performs DNS lookups. DIG interrogates DNS name servers and displays the responses that it receives from the name servers. The responses include data such as host names, IP addresses, and mail exchanges.

Traceroute
Hackers use the Traceroute tool to discover the routes or paths, devices or routers, and Internet service providers (ISPs) that a data packet must cross to reach its target host. Traceroute is based on the Internet Control Message Protocol (ICMP). This is important because ICMP packets are blocked by many network devices such as firewalls. By using Traceroute or other ICMP-based tools, hackers are able to easily discover firewalls in the data path.

DNS and Zone Transfer
A DNS server is responsible for resolving host names to corresponding IP addresses. When a host name is typed into a Web browser, the DNS server converts it into an IP address. This is because the systems running on the Internet recognize only IP addresses.

Every DNS server has a name space, known as a zone. A zone can contain one or more domain names. There are two types of DNS servers organized in a hierarchy: a master DNS server and a secondary DNS server. When a DNS zone has to be updated, the update is executed within a primary zone on a master server. The updated records in the database of the master server are then transferred to the secondary DNS server. This kind of transfer is called a zone transfer.

Topic 3: Reconnaissance

Activity: Active Reconnaissance

Introduction
Krista Le Saad is a popular gray hat hacker known for her reconnaissance skills. She has been given an assignment to find out the IP address of the administrative system managing an online bookstore. The assignment has been delegated to Krista by a penetration tester, Sean Stasis. Sean works for a leading IT security firm and needs to find the loopholes and vulnerabilities in the bookstore's network. He often outsources such assignments to young aspiring hackers. Sean's team is ready to begin fixing patches on all vulnerabilities once he gets the results from Krista's inquiries.

Krista has been given 24 hours to hack into the bookstore's systems. To meet that deadline, Krista needs your help. In this activity, you will be asked to perform three active reconnaissance steps. You will use tools, commands, and Web sites, such as FindRecord and NSLookup, to locate the DNS and IP address and perform a zone transfer.

Workspace
To help Krista find the IP address of the bookstore's administrative system, perform the following three steps:
1. Use FindRecord to locate the DNS.
2. Use NSLookup to find the IP address associated with the DNS.
3. Use NSLookup to perform a zone transfer.

Step 1
To query the DNS of the bookstore's domain, Krista uses a tool similar to Whois called FindRecord. On typing the domain name in the Record Locator field and searching the site, she received the following output.

Domain name: largobooks.com
Registrant Contact: n/a
Alan Carswell ()
Fax:
7704 Morningside Dr. NW
Washington, DC AF
Administrative Contact: n/a
Alan Carswell (adcarswell@gmail.com)
Fax:
Morningside Dr. NW
Washington, DC AF
Technical Contact: n/a
Alan Carswell (adcarswell@gmail.com)
Fax:
Morningside Dr. NW
Washington, DC AF
Status: Locked
Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
Creation date: 02 Jul 20XX 11:10:00
Expiration date: 02 Jul 20XX 06:10:00

NOTE: If you use the Whois tool on a Linux OS, type the command: whois largobooks.com.

Analyze the output and answer the following question.

Step 2
Question: Which of the following information is available in the FindRecord output?
a. Technical contact
b. Administrative contact
c. Domain name
d. IP address of DNS
e. DNS

Correct answers: Options a, b, c, and e

Feedback for the correct answer: That's correct. The technical contact data, the administrative contact, the domain name, and the DNS data showing all the name servers are available in the output.

Feedback for the incorrect or partially correct answer: Not quite. The IP address of the DNS is not available in these results. The domain name, administrative contact, technical contact, and name servers are clearly mentioned.

Step 3
Krista can find the IP address of the DNS server by using a tool such as NSLookup. In this activity, use the IPAddress Locator to help her.

Activity
The following output was generated on typing largobooks.com in the IPAddress Locator.

Server: adedcns01.us.umuc.edu
Address:
Non-authoritative answer:
Name: largobooks.com
Address:

The IP address of the DNS is shown in the output.

Note: You can execute NSLookup commands at the Windows command prompt.

Step 4
In this step, you perform a zone transfer. The following commands can be executed at the Windows command prompt.

Activity 1
On typing nslookup and pressing the Enter key, the following output is displayed. The IP address is displayed.

Note: Once nslookup is typed at the Windows command prompt, the prompt will change to >. This indicates that NSLookup is in the execution mode.

Activity 2
On typing the server command followed by the Google DNS address and pressing the Enter key, the following output is displayed. The default DNS has been set to Google DNS.

Activity 3
On typing set type=any and pressing the Enter key, the following output is displayed. This command specifies all types of data.

Activity 4
On typing largobooks.com and pressing the Enter key, the following output is displayed. Finally, the zone transfer request is sent from your host to largobooks.com's DNS server. Going beyond the initial search results, the DNS server loads the zone information and replies with either a partial or full transfer of the zone to your host. View the command you have typed in this step and the corresponding results. Then, answer the question.

Question 2: Which of the following data is available in the screenshot?
a. Web server IP address
b. FTP server list
c. Domain name servers list
d. Mail exchange servers list

Correct answers: Options a, c, and d

Feedback: In the output you cannot see the FTP server list. You can see the Web server's IP address, the list of domain name servers, and the mail exchange server's list, which is indicated by "MX", which stands for mail exchange. This list specifies mail servers for a domain.

Review
A job well done! You've helped Krista locate the IP address and learned to work with DNS query tools. While the technical tools are no doubt important and widely used, nontechnical methods of reconnaissance are equally important to hackers. Nontechnical data is gathered by exploiting human psychology: logic persuasion, need-based persuasion, and reciprocation-based social engineering. The infamous hacker Kevin Mitnick was not only tech-savvy but also a master of social engineering.

Social Engineering
Social engineering gives the age-old art of lies and manipulation a technological twist. Using Web-based technologies, such as chat rooms and online forums, attackers persuade or trick strangers into giving up personal information such as access codes, log-in names, and passwords. Since face-to-face interactions are not required in online conversations, social engineers can make up an identity to cheat innocent victims they meet online. This is a social approach to getting confidential data, as opposed to cracking system codes through technological means.

Further Challenges
Visit the Web site and carry out this exercise in real time using NSLookup to query the DNS. Then visit the other Web site and enter the Web address you found in this activity. Compare the results you get from these sites.

Topic 4: Scanning

What Is Scanning?

In the scanning phase, hackers use different techniques to discover live systems, devices, and open ports or services. There are various types of scanning, such as IP scanning, port scanning, and vulnerability scanning.

Sometimes, it is not easy to differentiate between the three preattack phases: reconnaissance, scanning, and enumeration. Many of the same information-gathering techniques are used across these phases. For example, port scanning can be considered a part of reconnaissance or a part of the scanning phase.

Types of Scanning

IP Scanning
IP scanning is a technique that can be used to identify the live systems connected to a network segment or IP range.

Port Scanning
Port scanning is the process of scanning a host to determine which Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports are accessible.

Vulnerability Scanning
Vulnerability scanning is the process of automatically assessing networks or applications for vulnerabilities.

Topic 4: Scanning

IP Scanning

IP scanning is used by system administrators to check the connectivity of the hosts on the network. The most popular tool for IP scanning is ping. Ping sends an ICMP echo request to test which target hosts are accessible across an IP network. Target hosts that are live return ICMP echo reply messages. A technique such as a ping sweep is used to identify a range of live IP addresses or live port numbers of the target system.

Based on best security practices, system administrators typically configure firewalls or border routers to block ICMP requests originating from outside the network. An IP scanner can be used by an inside attacker to draw a network map.

Topic 4: Scanning

Port Scanning

Meet Philippe Posen, a freelance security analyst. He's hard at work performing port scans. Philippe uses port scanning to search a network host for open ports. The ports can be considered open if their related service is available in the host network. After successful port scanning, Philippe will be able to identify which services are provided by the host network. There are two different kinds of port scans: horizontal and vertical scans.

Horizontal and Vertical Scans

Topic 4: Scanning

Types of Port Scans

Hackers can perform several different types of horizontal or vertical scans. The type of scan a hacker uses is based on the type of data the hacker wants. The types of scans include the TCP connect scan, SYN stealth scan, NULL scan, ACK scan, FIN scan, and Xmas tree scan.

TCP Connect Scan
Connecting via TCP is the simplest scan technique.

Scenario 1
An attacker tries to establish a connection on a port of the target system by a three-way handshake. The attacker knows the target port is open if the connection is successfully established.

Scenario 2
The attacker knows that the target port is closed if a packet with the reset flag (RST flag) is sent by the target host.

SYN Stealth Scan
This scan is called a half-open scan because a full TCP connection is never established.

Scenario 1
An attacker sends an initial SYN packet to the target. If the port is open, the target responds with an SYN/ACK. The attacker does not respond with the ACK in this case. Therefore, a full TCP connection is never established. This is why this type of scan is sometimes called a half-open scan.

Scenario 2
Some firewalls only log established connections. Since no connection is established in an SYN stealth scan, it can pass through the firewall without being logged. However, an SYN stealth scan is not completely stealthy, as many firewalls and IDSs detect SYN scans.

Scenario 3
If the port is closed, the attacker receives an RST from the target.

NULL Scan
From the attacker's perspective, the NULL scan is not always reliable since not all hosts comply with RFC 793.

Scenario 1
An attacker sends a data packet without any flag set. No real TCP/IP packet exists without any flag set. If the port is open, the target host ignores the packet and does not respond.

Scenario 2
According to RFC 793, when a packet is sent to a port with no flag set, the target responds with an RST packet if the port is closed. Some hosts send an RST packet in response to a null packet, regardless of whether the port is open or not. That's why the NULL scan is considered unreliable.

FIN Scan
Just like a NULL scan, the FIN scan is not reliable.

Scenario 1
An attacker sends a FIN (finish) packet to the target. The FIN packet is able to bypass firewalls because firewalls try to avoid any errors with legitimate FIN packets. The target simply ignores the FIN packet if the port is open.

Scenario 2
The target responds with an RST if the port is closed. Some hosts will send an RST packet regardless of the port being open or closed, making the FIN scan unreliable.

ACK Scan
Attackers use ACK scanning to learn which firewall ports are filtered and which are unfiltered.

Scenario 1
An attacker sends an ACK packet to the target port's firewall. If there is no response or an ICMP destination unreachable message is returned, then the port is considered to be filtered. This means that the firewall is stateful. It knows that no internal host has initiated any SYN packet that matches the ACK packet sent by the attacker.

Scenario 2
If the target's firewall returns an RST, then the port is unfiltered. Because there is no firewall rule for that port, the attacker knows that the port is vulnerable.

Xmas Tree Scan
This scan gets its name from the fact that the three flags sent to the target, URG, PUSH, and FIN, light up with different colors and flash on and off like Christmas tree lights.

Scenario 1
An attacker sends a TCP packet to the remote target with the URG, PUSH, and FIN flags set. Similar to the FIN scan, an open port does not respond.

Scenario 2
On the other hand, a closed port responds with an RST packet. Some hosts send an RST packet in response to such a packet, regardless of whether the port is open or not.

Topic 4: Scanning

Vulnerability Scanning

A vulnerability scanner is a computer program that checks target networks for weaknesses. Attackers use vulnerability scans to identify all devices on a network that are open to known vulnerabilities. The Nessus tool is one of the most well-known vulnerability scanners. Nessus begins by probing a range of IP addresses on a target network to find active or live hosts. After detecting all known vulnerabilities, the tool provides a report in a variety of formats. This report lists services or suggested best practices that system administrators can employ to secure the network. Attackers can use the Nessus tool to identify vulnerable and weak spots in a target network.

Topic 4: Scanning

Quiz

Jorge, a black hat hacker, is launching a port-scanning attack on a Web server.

Question 1: In the packets numbered 9 to 19, which type of port scanning is used to attack the Web server?
a. Xmas tree scan
b. FIN scan
c. SYN stealth scan

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option c

Feedback: If you look at packets 15 and 16, the SYN and SYN+ACK packets are exchanged by the attacker and the Web server. However, no ACK is sent from the attacker's host. Instead, the attacker sends a new SYN packet to the Web server. This new SYN packet clearly indicates that this is an SYN stealth scan.

Question 2: In the packets numbered 5 to 15, identify the type of port scanning used to attack the Web server.
a. Xmas tree scan
b. NULL scan
c. SYN stealth scan

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b

Feedback: The scan packets do not set any TCP flag. <NONE> indicates that no TCP flag is set. This identifies a NULL scanning attack.
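The flag patterns used to answer the two quiz questions can be written down as detection logic. The following Python example is added here and is not part of the course module; it classifies a constructed tshark-style packet summary (10.0.0.5 as the scanning host, 10.0.0.9 as an ordinary client, and 10.0.0.80 as the Web server are all made-up addresses) using the signatures described above: no flags set for a NULL scan, FIN/PSH/URG for an Xmas tree scan, and a SYN answered by SYN/ACK with no completing ACK for a half-open SYN stealth scan.

```python
"""Classify port-scan probes from TCP flag summaries.

Added example for the quiz and the scan types above; not part of the course
module. The capture below is constructed in the style of a Wireshark/tshark
"Info" column (10.0.0.5 scanner, 10.0.0.9 normal client, 10.0.0.80 server).
"""
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
5  10.0.0.5 -> 10.0.0.80 TCP 40001 > 21 [<None>]
6  10.0.0.80 -> 10.0.0.5 TCP 21 > 40001 [RST, ACK]
7  10.0.0.5 -> 10.0.0.80 TCP 40002 > 22 [<None>]
9  10.0.0.5 -> 10.0.0.80 TCP 40010 > 22 [SYN]
10 10.0.0.80 -> 10.0.0.5 TCP 22 > 40010 [RST, ACK]
15 10.0.0.5 -> 10.0.0.80 TCP 40011 > 80 [SYN]
16 10.0.0.80 -> 10.0.0.5 TCP 80 > 40011 [SYN, ACK]
17 10.0.0.5 -> 10.0.0.80 TCP 40012 > 443 [SYN]
18 10.0.0.80 -> 10.0.0.5 TCP 443 > 40012 [SYN, ACK]
20 10.0.0.5 -> 10.0.0.80 TCP 40020 > 80 [FIN, PSH, URG]
21 10.0.0.5 -> 10.0.0.80 TCP 40021 > 25 [FIN, PSH, URG]
30 10.0.0.9 -> 10.0.0.80 TCP 50000 > 80 [SYN]
31 10.0.0.80 -> 10.0.0.9 TCP 80 > 50000 [SYN, ACK]
32 10.0.0.9 -> 10.0.0.80 TCP 50000 > 80 [ACK]
33 10.0.0.9 -> 10.0.0.80 TCP 50000 > 80 [PSH, ACK]
"""

LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+TCP\s+(\d+)\s+>\s+(\d+)\s+\[(.*)\]\s*$"
)
XMAS = frozenset({"FIN", "PSH", "URG"})


def parse_capture(text):
    """Parse summary lines; "[<None>]" (Wireshark's rendering) means no flag set."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, src, dst, sport, dport, flags = m.groups()
        flagset = frozenset(f.strip() for f in flags.split(",")
                            if f.strip() and f.strip() != "<None>")
        packets.append({"num": int(num), "src": src, "dst": dst,
                        "sport": int(sport), "dport": int(dport), "flags": flagset})
    return packets


def probe_kind(flags):
    """Map the flag set of a client-originated packet to the module's scan types."""
    if not flags:
        return "NULL"
    if flags == XMAS:
        return "Xmas tree"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"ACK"}:
        return "ACK"
    return None


def classify_scans(text, min_ports=2):
    """Return {source: {scan type: sorted probed ports}}.

    A SYN is "SYN stealth" when the server answered SYN/ACK and the client
    never sent the completing ACK on that 4-tuple (half-open); a completed
    handshake is "TCP connect". A bare ACK with no preceding SYN on the same
    4-tuple is an ACK-scan probe. Sources touching fewer than min_ports
    distinct ports of one type are dropped, so an ordinary client completing
    a single handshake does not show up in the report.
    """
    conns = {}                                      # 4-tuple -> handshake state
    probes = defaultdict(lambda: defaultdict(set))  # src -> kind -> ports
    for p in parse_capture(text):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])
        kind = probe_kind(p["flags"])
        if kind == "SYN":
            conns[key] = {"synack": False, "ack": False}
        elif p["flags"] == {"SYN", "ACK"} and rkey in conns:
            conns[rkey]["synack"] = True
        elif "ACK" in p["flags"] and "SYN" not in p["flags"] and key in conns:
            conns[key]["ack"] = True                # third step of the handshake
        if kind in ("NULL", "Xmas tree", "FIN"):
            probes[p["src"]][kind].add(p["dport"])
        elif kind == "ACK" and key not in conns:
            probes[p["src"]]["ACK"].add(p["dport"])
    for (src, _sport, _dst, dport), st in conns.items():
        if st["synack"]:
            probes[src]["TCP connect" if st["ack"] else "SYN stealth"].add(dport)
    report = {}
    for src, kinds in probes.items():
        kept = {k: sorted(v) for k, v in kinds.items() if len(v) >= min_ports}
        if kept:
            report[src] = kept
    return report


if __name__ == "__main__":
    for src, kinds in classify_scans(SAMPLE_CAPTURE).items():
        for kind, ports in kinds.items():
            print(f"{src}: {kind} scan against ports {ports}")
```

Run against the sample, only 10.0.0.5 is reported (NULL on 21 and 22, SYN stealth on 80 and 443, Xmas tree on 25 and 80); the client 10.0.0.9, which completed one handshake, is filtered out by the port threshold.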

Topic 4: Scanning

Port Scanning Tool: Nmap

What Is Nmap?
Nmap is a free open source network-mapping utility that determines which hosts are available on the network and lists the services offered by these hosts. With Nmap, a system administrator can perform many types of port scans. Popular Nmap switches, options, and techniques include these:
- -sT: TCP connect scan
- -sS: SYN stealth scan
- -sF: FIN scan
- -sX: Xmas tree scan
- -sN: NULL scan
- -sA: ACK scan
- -sI: idle scan
- -v: verbose mode
- -p: an instruction specifying the port numbers to scan
- -P0 (or -Pn): an instruction not to try to ping the IP addresses. Some firewalls block ICMP.
- -O: an attempt to detect the operating system

Nmap Example
Here is an example of how Nmap can be used to carry out an SYN stealth scan on a Web server.

Reference: Nmap product screenshot reprinted with permission from Gordon Lyon, the developer of Nmap.

Target
A Web server is running at the target IP address.

Command
The Nmap command nmap -sS <target IP> is entered.

Open Ports
An attacker performs an SYN stealth scan on the Web server using Nmap. The output shows that ports 80, 135, 139, 443, 445, and 3306 are open.

Topic 5: Enumeration

What Is Enumeration?

After performing reconnaissance and scanning, if a hacker still has not identified the target system, he or she would launch an enumeration attack on the target as the final step in the preattack exercise. During enumeration, hackers employ a set of techniques to extract technical information such as user accounts, operating systems, application names, and network resources of target systems.

Using Nmap
A Web server is running at the target IP address. An attacker uses Nmap to perform an SYN stealth scan on the Web server. The output shows that ports 80, 135, 139, 443, 445, and 3306 are open.

1. Target
The attacker learns the IP address of the Web server running on the target network.

2. Nmap Tool
The attacker uses Nmap to fingerprint the target Web server. The attacker enters the Nmap command nmap -sS -p T:1-1023 -O -v -Pn <target IP> to specify that the TCP stealth scan is performed with a port range of 1 through 1023 on the target host IP.

3. OS Switch
The attacker enables the -O switch to attempt to determine the operating system.

4. Ping
The attacker specifies -Pn, which means that ping is not used.

5. OS Details
Note that the operating system is reported as Microsoft Windows XP 2003 or Microsoft XP Professional SP2.

6. Result
The results show that the target host has ports 80, 135, 139, 443, and 445 open and uses Microsoft Windows XP 2003 as its operating system.

Reference: Nmap product screenshot reprinted with permission from Gordon Lyon, the developer of Nmap.

Using Telnet
Sometimes a hacker does not even need a sophisticated tool like Nmap. A hacker can simply use a Telnet command to grab the HTTP header and identify the type of operating system or Web server the target uses.

1. Telnet Command
The attacker types the command telnet <host> 80 to connect to the Web server.

2. HEAD
Then, the attacker types HEAD / HTTP/1.0 to send an HTTP request to the Web server.

3. Apache X
The telnet output displays the content of the HTTP response header received from the UMUC Web server. The HTTP header shows that the type of Web server is Apache powered by PHP.

4. Malformed HTTP Packet
Using another telnet connection, the attacker sends a malformed HTTP request to the Web server, which is an invalid input as HTTP 3.0 is not available. The attacker sends a malformed packet because some targets do not show any useful information if they are given a valid input.

However, when the target receives a malformed input, it returns a useful banner of information. Therefore, attackers do not always need to send a valid input to a target to get useful information. They can give an invalid input and observe the output.

5. Web Server
The invalid, malformed input returns some useful information: Apache Web server, HTTP 1.1, and some information that is not that useful, such as the charset.
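An administrator can check what a server's headers give away with the same two requests the Telnet walkthrough uses. The following Python example is added here and is not part of the course module; the three responses are constructed (modelled on the Apache/PHP banner described above, a 400 reply to the malformed HTTP/3.0 request, and a server whose version tokens have been trimmed), and only headers that carry a version number are flagged.

```python
"""Report which HTTP response headers disclose server software versions.

Added example for the Telnet banner-grabbing walkthrough above; not part of
the course module. All three responses below are constructed.
"""
import re

# Headers whose values commonly carry product and version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
VERSION_RE = re.compile(r"\b\d+(\.\d+)+\b")


def build_head_request(host: str, version: str = "1.0") -> bytes:
    """The bytes typed into the telnet session; version "3.0" is the malformed probe."""
    return f"HEAD / HTTP/{version}\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def banner_findings(raw: bytes) -> dict:
    """Return disclosing headers whose value contains a version number.

    A bare product name ("Server: Apache") is not reported; an exact version
    is what lets an attacker match a host against known vulnerabilities.
    """
    _, headers, _ = parse_response(raw)
    return {name: headers[name] for name in DISCLOSING_HEADERS
            if name in headers and VERSION_RE.search(headers[name])}


# Constructed responses, modelled on the telnet output described in the text.
VALID_HEAD_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 02 Jul 2012 11:10:00 GMT\r\n"
    b"Server: Apache/2.2.3 (Unix)\r\n"
    b"X-Powered-By: PHP/5.2.6\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
MALFORMED_REPLY = (              # reply to "HEAD / HTTP/3.0"
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache/2.2.3 (Unix)\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body>Bad Request</body></html>"
)
HARDENED_REPLY = (               # same server after trimming its tokens
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("valid HEAD", VALID_HEAD_REPLY),
                       ("malformed HTTP/3.0", MALFORMED_REPLY),
                       ("hardened", HARDENED_REPLY)):
        status, _, _ = parse_response(raw)
        print(f"{label}: {status} -> {banner_findings(raw)}")
```

The malformed request still yields the exact Apache version in the error reply, which is why trimming the Server and X-Powered-By tokens matters more than rejecting odd requests.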

Topic 6: Summary

We have come to the end of Module 2. The key concepts covered in this module are listed below.

- Hackers or penetration testers carry out a preattack exercise to study the target they plan to attack. The first three phases of this preattack exercise, reconnaissance, scanning, and enumeration, are the most critical.
- The reconnaissance phase is performed in two stages: passive and active reconnaissance. During passive reconnaissance, hackers research open-source sites and groups and forums, as well as social engineering sites, to gather nontechnical data about their targets. During active reconnaissance, hackers use technical tools such as Whois, NSLookup, the American Registry for Internet Numbers (ARIN), Domain Information Groper (DIG), and Traceroute to find their targets' IP addresses.
- By using Whois or similar tools to query a domain name, hackers are able to find out the domain name, administrative contact, technical contact, and name servers of their target. The IP address of the domain name server is not revealed until hackers type the NSLookup command and perform a zone transfer.
- Scanning, the second preattack phase, helps hackers discover live systems, devices, and open ports in their target network. There are three types of scanning: IP, port, and vulnerability scanning. IP scanning is used to identify live systems connected to a network. Port scanning is used to find accessible Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. Vulnerability scanning is used to assess networks for vulnerabilities.
- There are two types of port scans: horizontal and vertical. Port scans that help hackers obtain data (TCP connect scans, SYN scans, NULL scans, ACK scans, FIN scans, and Xmas tree scans) can be performed as horizontal or vertical scans.
- Nmap is a free open source network-mapping utility that determines which hosts are available on the network and lists the services those hosts offer. With Nmap, a system administrator can perform many types of port scans.
- In the last phase of the preattack exercise, hackers launch an enumeration attack to identify the operating systems and user accounts of their targets. This attack is carried out using a set of techniques to extract technical information such as user accounts, operating systems, application names, and network resources.

Glossary

Active Reconnaissance: During active reconnaissance, hackers use technical tools such as Whois, NSLookup, ARIN, DIG, and Traceroute to find out their targets' IP addresses.

ACK Scan: ACK scanning is a type of port scan that tells whether ports on a firewall are filtered or unfiltered. If the target's firewall returns an RST, then the port is unfiltered and vulnerable.

American Registry for Internet Numbers: The American Registry for Internet Numbers (ARIN) is the IP address registry for North America. ARIN allows Whois-type searches on its database to locate information on networks.

Domain Information Groper: The DIG command allows attackers to search the DNS database and find the open name servers attached to a domain.

Domain Name Service: The Domain Name Service (DNS) translates Internet domain names into Internet Protocol (IP) addresses.

Domain Name System: Domain Name System is an Internet system that associates domain names with IP addresses, allowing computers to communicate over the World Wide Web.

Enumeration: Enumeration is the third phase in a hacker's preattack exercise. Hackers use enumeration techniques to learn technical data, such as operating systems and user accounts, about a network system.

FIN Scan: The FIN (finish) scan is a type of port scan that is able to pass through firewalls. Open ports don't respond, but closed ports respond with an RST.

Footprinting: A method of processing or gathering information about a target system.

Internet Control Message Protocol: The Internet Control Message Protocol (ICMP) integrates with the Internet Protocol (IP). It reports error, control, and informational messages between a host and a gateway.

Nmap: The Nmap security scanner is used to discover hosts and services on a network. Based on the network conditions, it sends packets with specific information to the target host and evaluates the responses to create a network map.

NSLookup: The NSLookup tool queries a DNS server and performs a DNS zone transfer to gather data on a targeted network.

NULL Scan: A NULL scan is a type of port scan in which an attacker sends a data packet without any flag set. If the port is open, the target host ignores the packet.

36 Term Passive Reconnaissance Penetration Testers Ping Port Scanner Reconnaissance RFC 793 Scanning Social Engineering SYN Scan TCP/IP TCP Connect Scan User Datagram Protocol Vulnerability Scanner Wget Definition During passive reconnaissance, hackers research opensource sites and groups and forums, as well as social engineering sites, to gather nontechnical data about their targets. To do this, hackers use social engineering. Penetration testers are security analysts that perform penetration tests, or pentests, to assess the security of a network system. This utility sends an ICMP echo request (ping) to a target system and waits for a reply (pong). Port scanners identify open ports and help an intruder identify a target system s weak access point. Reconnaissance is the first phase of the preattack exercise carried out by hackers to learn about the people who work at the target company and the target network s IP address. Hackers use a process called footprinting and perform two types of reconnaissance: passive and active. RFC (Request for Comments) 793 is a document which describes the DoD Standard Transmission Control Protocol (TCP). Scanning is the second preattack phase used by hackers to discover live systems, devices, and open ports on a network. Hackers perform three types of scanning: IP, port, and vulnerability scanning. Social engineering is a method of gathering information, seeking computer access, or committing fraud by using manipulation and deceit to get people to reveal confidential information about themselves or an organization. In an SYN stealth scan, the attacker sends an initial SYN packet to the target. If the port is open, the target responds with an SYN/ACK. Transmission Control Protocol/Internet Protocol (TCP/IP) is the communication protocol suite for the Internet. In a TCP connect scan, an attacker tries to establish a connection on a port of the target system by a three-way handshake. 
The attacker knows the target port is open if the connection is successfully established. User Datagram Protocol (UDP) is a network protocol that allows computers to exchange messages over an Internet network without the need for special transmission channels or data paths. Vulnerability scanners analyze, classify, and identify flaws and vulnerabilities in the targeted system. Located at the wget tool is a popular and freely available Web site downloading tool. UMUC 2012 Page 36 of 37

37 Term Whois Xmas Tree Scan Definition A tool that allows hackers to query DNS to obtain registered information, such as the domain ownership, address, location, and phone number. To perform the Xmas tree scan, an attacker sends a TCP packet to the remote target with the URG, PUSH, and FIN flag set. As in a FIN scan, open ports don t respond, but closed ports respond with an RST. UMUC 2012 Page 37 of 37
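To make the scan definitions above concrete from the detection side, here is an added Python example (not part of the course material) that parses raw TCP headers, classifies each probe by the flag combinations the glossary describes (SYN only, ACK only, FIN only, no flags for a NULL scan, URG+PSH+FIN for an Xmas tree scan), and raises an alert when a single source touches many distinct ports with the same probe type. The packets, IP addresses, ports and threshold are all constructed for the demonstration and do not come from a real capture.

```python
"""Classify TCP probes by their control bits and flag sources that sweep many ports.

Added example; sample traffic below is constructed, not captured.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

# TCP control bits (RFC 793), the low six bits of header bytes 12-13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations named in the glossary, mapped to the probe they indicate.
PROBE_SIGNATURES: Dict[int, str] = {
    SYN: "SYN scan",
    ACK: "ACK scan",
    FIN: "FIN scan",
    0: "NULL scan",
    URG | PSH | FIN: "Xmas tree scan",
}


def build_tcp_header(src_port: int, dst_port: int, flags: int, seq: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (data offset 5, no options, checksum zero).
    Only used here to construct sample input."""
    offset_and_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_and_flags, 1024, 0, 0)


def parse_tcp_header(raw: bytes) -> Tuple[int, int, int]:
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    src_port, dst_port, _seq, _ack, offset_and_flags = struct.unpack("!HHIIH", raw[:14])
    return src_port, dst_port, offset_and_flags & 0x3F  # drop data offset / reserved bits


def classify_probe(flags: int) -> str:
    """Name the probe for a flag combination, or 'other' for ordinary traffic
    such as a SYN/ACK reply or a PSH/ACK data segment."""
    return PROBE_SIGNATURES.get(flags, "other")


def detect_scans(packets: List[Tuple[str, str, bytes]], port_threshold: int = 5) -> List[dict]:
    """Group probes by (source IP, probe type) and alert when one source hits at
    least port_threshold distinct (host, port) targets with the same probe.
    A lone SYN or ACK is normal traffic; the spread across ports is the signal,
    so the threshold applies to every probe type alike."""
    touched: Dict[Tuple[str, str], set] = defaultdict(set)
    for src_ip, dst_ip, raw in packets:
        _sport, dport, flags = parse_tcp_header(raw)
        probe = classify_probe(flags)
        if probe == "other":
            continue
        touched[(src_ip, probe)].add((dst_ip, dport))
    alerts = []
    for (src_ip, probe), targets in sorted(touched.items()):
        if len(targets) >= port_threshold:
            alerts.append({"src": src_ip, "probe": probe, "ports": sorted({p for _, p in targets})})
    return alerts


def sample_packets() -> List[Tuple[str, str, bytes]]:
    """Constructed traffic: one NULL sweep, one Xmas sweep, and one normal connection."""
    pkts = []
    for port in (21, 22, 23, 25, 80, 443):          # 10.0.0.5 sends NULL probes to six ports
        pkts.append(("10.0.0.5", "10.0.0.1", build_tcp_header(40000, port, 0)))
    for port in range(8000, 8008):                   # 10.0.0.7 sends Xmas probes to eight ports
        pkts.append(("10.0.0.7", "10.0.0.1", build_tcp_header(40001, port, URG | PSH | FIN)))
    # 10.0.0.9 opens one ordinary connection: SYN, SYN/ACK reply, ACK, then PSH/ACK data.
    pkts.append(("10.0.0.9", "10.0.0.1", build_tcp_header(50000, 443, SYN)))
    pkts.append(("10.0.0.1", "10.0.0.9", build_tcp_header(443, 50000, SYN | ACK)))
    pkts.append(("10.0.0.9", "10.0.0.1", build_tcp_header(50000, 443, ACK)))
    pkts.append(("10.0.0.9", "10.0.0.1", build_tcp_header(50000, 443, PSH | ACK)))
    return pkts


if __name__ == "__main__":
    for alert in detect_scans(sample_packets()):
        print(alert)
```

Running the script reports the NULL sweep from 10.0.0.5 and the Xmas sweep from 10.0.0.7; the single connection from 10.0.0.9 is classified (its bare SYN and bare ACK match the SYN and ACK signatures) but never reaches the threshold. That is the practical caveat behind the ACK scan entry: ACK-only segments are also the normal shape of established traffic, so a production detector tracks connection state rather than relying on flags alone.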


More information

SSL VPN Technology White Paper

SSL VPN Technology White Paper SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and

More information

Practical Network Forensics

Practical Network Forensics BCS-ISSG Practical Network Forensics Day BCS, London Practical Network Forensics Alan Woodroffe issg@securesystemssupport.co.uk www.securesystemssupport.co.uk Copyright Secure Systems Support Limited.

More information

LAB THREE STATIC ROUTING

LAB THREE STATIC ROUTING LAB THREE STATIC ROUTING In this lab you will work with four different network topologies. The topology for Parts 1-4 is shown in Figure 3.1. These parts address router configuration on Linux PCs and a

More information

Configuring Health Monitoring

Configuring Health Monitoring CHAPTER 6 This chapter describes how to configure the health monitoring on the CSM and contains these sections: Configuring Probes for Health Monitoring, page 6-1 Configuring Route Health Injection, page

More information

Lab 8.3.2 Conducting a Network Capture with Wireshark

Lab 8.3.2 Conducting a Network Capture with Wireshark Lab 8.3.2 Conducting a Network Capture with Wireshark Objectives Perform a network traffic capture with Wireshark to become familiar with the Wireshark interface and environment. Analyze traffic to a web

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant What infrastructure security really means? Infrastructure Security is Making sure that your system services are always running

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Remote Network Analysis

Remote Network Analysis Remote Network Analysis Torsten Hoefler htor@cs.tu-chemnitz.de (DMZ), mostly between two packet filters and application gateways. The different possibilities to connect DMZ-hosts are also shown in Figure

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE: PENETRATION TESTING A SYSTEMATIC APPROACH INTRODUCTION: The basic idea behind writing this article was to put forward a systematic approach that needs to be followed to perform a successful penetration

More information