ETHICAL HACKING
Instructor: Jhosep Valenzuela
Contents
01 Introduction to Ethical Hacking
02 Footprinting and Reconnaissance
03 Scanning Networks
04 Enumeration
05 System Hacking
06 Malware Threats
07 Sniffing
08 Social Engineering
09 Denial-of-Service
10 Session Hijacking
11 Hacking Webservers
12 Hacking Web Applications
13 SQL Injection
14 Hacking Wireless Networks
15 Hacking Mobile Platforms
16 Evading IDS, Firewalls, and Honeypots
17 Cloud Computing
18 Cryptography
01 Introduction to Ethical Hacking
Objectives
• Identify components of TCP/IP computer networking
• Understand basic elements of information security
• Understand incident management steps
• Identify fundamentals of security policies
• Identify essential terminology associated with ethical hacking
• Define ethical hacker and classifications of hackers
• Describe the five stages of ethical hacking
• Define the types of system attacks
• Identify laws, acts, and standards affecting IT security
• Identify Cyber Kill Chain methodology terms
The OSI and TCP/IP Reference Model
Communications between computers over networks
are made possible by protocols.
A protocol is a set of rules and restrictions that define
how data is transmitted over a network medium
(e.g., twisted-pair cable, wireless transmission).
The ISO developed the OSI model in the late 1970s.
Encapsulation/Deencapsulation
Communication between protocol layers occurs
through encapsulation and deencapsulation.
• Encapsulation is the addition of a header, and
possibly a footer, to the data received by each layer
from the layer above before it's handed off to the
layer below. As the message is encapsulated at
each layer, the previous layer's header and payload
become the payload of the current layer.
• Deencapsulation/decapsulation is the inverse
action occurring as data moves up through the OSI
model layers from Physical to Application.
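The encapsulation and decapsulation just described, as an added example that is not part of the course material: application data is wrapped in a UDP header, then an IPv4 header, then an Ethernet header plus its FCS footer, and the receiver strips and checks one layer at a time. The MAC and IP addresses are constructed sample values.

```python
import socket
import struct
import zlib

# Constructed sample endpoints (not from the page).
SRC_MAC = bytes.fromhex("02000000000a")
DST_MAC = bytes.fromhex("020000000014")
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.20"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(app_data: bytes, sport: int, dport: int) -> bytes:
    """Walk the data down the stack. Each layer prepends its own header and treats
    everything it received from the layer above as an opaque payload; Ethernet also
    appends a footer (the FCS)."""
    # Layer 4 (Transport): UDP header = src port, dst port, length, checksum (0 = omitted).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(app_data), 0) + app_data
    # Layer 3 (Network): 20-byte IPv4 header, no options; checksum filled in on a second pass.
    fields = [0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
              socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip = struct.pack("!BBHHHBBH4s4s", *fields) + udp
    # Layer 2 (Data Link): Ethernet II header in front, CRC-32 FCS behind.
    # The FCS catches corruption on the wire; it is not a defence against deliberate
    # alteration, since anyone who changes the frame can recompute it.
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return eth + struct.pack("<I", zlib.crc32(eth) & 0xFFFFFFFF)


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, checking each layer's header before stripping it."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("Ethernet FCS mismatch: frame corrupted or altered")
    dst_mac, src_mac = body[:6], body[6:12]
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = body[14:]                       # Layer 2 payload = the whole IP packet
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:     # a valid header checksums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    segment = packet[ihl:total_len]          # Layer 3 payload = the whole UDP datagram
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
        "sport": sport, "dport": dport,
        "payload": segment[8:ulen],          # Layer 4 payload = the application data
    }


def tamper_detected(frame: bytes, offset: int) -> bool:
    """Flip one byte of the frame and report whether decapsulation rejects it."""
    altered = bytearray(frame)
    altered[offset] ^= 0xFF
    try:
        decapsulate(bytes(altered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    frame = encapsulate(b"hello", 40000, 53)
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```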
The OSI Reference Model
Application Layer (Layer 7) : Responsible for interfacing user applications, network services, or the operating
system with the protocol stack.
Presentation Layer (Layer 6) : Responsible for transforming data into a format that any system following the
OSI model can understand.
Session Layer (Layer 5) : Responsible for establishing, maintaining, and terminating communication sessions
between two computers. It manages dialog discipline or dialog control (simplex, half-duplex, full-duplex),
establishes checkpoints for grouping and recovery, and retransmits PDUs that have failed or been lost since the
last verified checkpoint.
Transport Layer (Layer 4) : Responsible for managing the integrity of a connection and controlling the session.
Network Layer (Layer 3) : Responsible for logical addressing and performing routing.
Data Link Layer (Layer 2) : Responsible for formatting the packet for transmission. The proper format is
determined by the hardware, topology, and the technology of the network, such as Ethernet (IEEE 802.3).
Physical Layer (Layer 1) : Converts a frame into bits for transmission over the physical connection medium, and
vice versa for receiving communications.
Security, Functionality and Usability
Security: Restrictions imposed on accessing the
components of the system.
Functionality: The set of features provided by the
system.
Usability: The GUI components used to design the
system for ease of use.
Risk Matrix
Asset: Anything used in a business process or task.
Threat: Any potential occurrence that may cause an
undesirable or unwanted outcome for an
organization or for a specific asset.
Vulnerability: The weakness in an asset, or the
absence or the weakness of a safeguard or
countermeasure.
Exposure: Being susceptible to asset loss because of
a threat; there is the possibility that a vulnerability
can or will be exploited.
Risk: The possibility or likelihood that a threat will
exploit a vulnerability to cause harm to an asset and
the severity of damage that could result.
Business Impact Analysis (BIA)
If the single loss expectancy (SLE) of an asset is $90,000 and the annualized rate of occurrence (ARO) for a
specific threat (such as total power loss) is 0.5, then the annualized loss expectancy (ALE = SLE × ARO) is
$45,000.
If the ARO for a specific threat (such as a compromised user account) is 15 for the same asset, then the ALE
would be $1,350,000.
Common Criteria
The Common Criteria (CC) defines various levels of testing and confirmation of systems' security capabilities,
and the number of the level indicates what kind of testing and confirmation has been performed.
The original CC documentation has been formally adopted as a standard and published as ISO/IEC
15408-1, -2, and -3, titled “Information technology — Security techniques — Evaluation criteria for IT
security.”
The objectives of the CC guidelines are as follows:
• To add to buyers' confidence in the security of evaluated, rated IT products
• To eliminate duplicate evaluations (among other things, this means that if one country, agency, or
validation organization follows the CC in rating specific systems and configurations, others elsewhere
need not repeat this work)
• To keep making security evaluations more cost-effective and efficient
• To make sure evaluations of IT products adhere to high and consistent standards
• To promote evaluation and increase availability of evaluated, rated IT products
• To evaluate the functionality (in other words, what the system does) and assurance (in other words,
how much can you trust the system) of the target of evaluation (TOE)
Common Criteria
Target of evaluation (TOE) : What is being tested
Security target (ST) : The documentation describing
the TOE and security requirements
Protection profile (PP) : A set of security
requirements specifically for the type of product
being tested
Security Policies
Security policies define the objectives and constraints for the security program.
Policies are created at several levels, ranging from organization or corporate policy to specific operational
constraints (e.g., remote access).
In general, policies provide answers to the questions “what” and “why” without dealing with “how.”
Policies are normally stated in terms that are technology-independent.
Security Policies
ISO 27001 (General Policies)
• Context of the organization
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement
ISO 27002 (Specific Policies)
• A5 Information security policies
• A6 Organization of information security
• A7 Human resource security
• A8 Asset management
• A9 Access control
• A10 Cryptography
• A11 Physical and environmental security
• A12 Operations security
• A13 Communications security
• A14 System acquisition, development and maintenance
• A15 Supplier relationships
• A16 Information security incident management
• A17 Information security aspects of business continuity management
• A18 Compliance
Hacking Terminology
Figure: prioritizing cyber threats (http://www.zone.sd/wp-content/uploads/2018/04/prioritizing-cyber-threats-1-1.png)
Hacking Benefits
• Makes visible the degree of vulnerability of an organization.
• Discovers vulnerabilities after a major change in information assets.
• Allows vulnerability remediation to be prioritized according to risk.
• Identifies configuration errors in systems.
• Identifies outdated systems.
Hacker Classifications: The Hats
• White hats Considered the good guys, these are the ethical hackers
Typically hired by a customer for the specific goal of testing and improving security or for other
defensive purposes.
White hats are well respected and don’t use their knowledge and skills without prior consent.
White hats are also known as security analysts.
• Black hats Considered the bad guys, these are the crackers
Illegally using their skills for either personal gain or malicious intent.
They seek to steal (copy) or destroy data and to deny access to resources and systems.
Black hats do not ask for permission or consent.
• Gray hats The hardest group to categorize, these hackers are neither good nor bad.
Generally, there are two subsets of gray hats—those who are simply curious about hacking tools and
techniques and those who feel like it’s their duty, with or without customer permission, to demonstrate
Attack Types
Broadly there are four attack types:
• Operating system (OS) attacks Generally, these attacks target the common mistake many people make when
installing operating systems—accepting and leaving all the defaults. Administrator accounts with no passwords,
all ports left open, and guest accounts are examples of settings the installer may forget about.
• Application-level attacks These are attacks on the actual programming code and software logic of an
application. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as
such, have many vulnerabilities built into them. Applications on a network are a gold mine for most hackers.
• Shrink-wrap code attacks These attacks take advantage of the built-in code and scripts most off-the-shelf
applications come with. These scripts and code pieces are designed to make installation and administration
easier but can lead to vulnerabilities if not managed appropriately.
• Misconfiguration attacks These attacks take advantage of systems that are, on purpose or by accident, not
configured appropriately for security. Remember the triangle shown earlier and the old maxim “As security
increases, ease of use and functionality decrease”? This type of attack takes advantage of the administrator
who simply wants to make things as easy as possible for the users. Perhaps to do so, the admin will leave
security settings at the lowest possible level, enable every service, and open all firewall ports. It’s easier for the
users but creates another gold mine for the hacker.
Hacking Phases
Cyberattack and Attack vector
• Cyberattack
An attack, via cyberspace, targeting enterprises and using cyberspace for the purpose of disrupting, disabling,
destroying, or maliciously controlling a computing infrastructure; or destroying the integrity of the data or
stealing controlled information.
• Attack vector
The means by which a threat exploits vulnerabilities (technical and non-technical) to gain access to the target
asset.
Indicator of Compromise (IOC)
IOCs are basically clues—identifiers, tidbits of information or settings, and so on—that you can readily identify
as a strong symptom you’ve been hacked.
IOCs can be categorized into four main types:
• E-mail indicators Items such as specific senders’ addresses, subject lines, and types of attachments
• Network indicators Include URLs, domain names, and IP addresses
• Host-based indicators Items such as specific filenames, hashes, and registry keys
• Behavioral indicators Specific behaviors indicative of an ongoing attack, such as PowerShell executions,
remote command executions, and so forth
Questions & Answers
1. Which of the following would be the best example of a deterrent control?
A. A log aggregation system
B. Hidden cameras onsite
C. A guard posted outside the door
D. Backup recovery systems
2. Enacted in 2002, this U.S. law requires every federal agency to implement information security programs,
including significant reporting on compliance and accreditation. Which of the following is the best choice for
this definition?
A. FISMA
B. HIPAA
C. NIST 800-53
D. OSSTMM
3. Brad has done some research and determined a certain set of systems on his network fail once every ten
years. The purchase price for each of these systems is $1200. Additionally, Brad discovers the administrators on
staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour,
depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an
ALE on these devices, what should be his answer?
A. $2075
B. $207.50
C. $120
D. $1200
4. An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of
the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements,
and the completion date. Which of the following is a true statement?
A. A white hat is attempting a black-box test.
B. A white hat is attempting a white-box test.
C. A black hat is attempting a black-box test.
D. A black hat is attempting a gray-box test.
5. When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the
following?
A. Black-hat hacking
B. Gray-box attacks
C. Gray-hat attacks
D. Hacktivism
6. Two hackers attempt to crack a company’s network resource security. One is considered an ethical hacker,
whereas the other is not. What distinguishes the ethical hacker from the “cracker”?
A. The cracker always attempts white-box testing.
B. The ethical hacker always attempts black-box testing.
C. The cracker posts results to the Internet.
D. The ethical hacker always obtains written permission before testing.
7. In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more
in-depth information on the targets?
A. Active reconnaissance
B. Scanning and enumeration
C. Gaining access
D. Passive reconnaissance
8. Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources?
A. Gray box
B. White box
C. Black box
D. Active reconnaissance
9. Which of the following Common Criteria processes refers to the system or product being tested?
A. ST
B. PP
C. EAL
D. TOE
10. Your company has a document that spells out exactly what employees are allowed to do on their computer
systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of
this document is signed by all employees prior to their network access. Which of the following best describes
this policy?
A. Information security policy
B. Special access policy
C. Information audit policy
D. Network connection policy
11. Sally is a member of a pen test team newly hired to test a bank’s security. She begins searching for IP
addresses the bank may own by searching public records on the Internet. She also looks up news articles and
job postings to discover information that may be valuable. In what phase of the pen test is Sally working?
A. Preparation
B. Assessment
C. Conclusion
D. Reconnaissance
12. Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a
short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network,
with no regard to being caught. Which type of hacker is Joe considered to be?
A. Hacktivist
B. Suicide hacker
C. Black hat
D. Script kiddie
13. Elements of security include confidentiality, integrity, and availability. Which technique provides for
integrity?
A. Encryption
B. UPS
C. Hashing
D. Passwords
14. Which of the following best describes an effort to identify systems that are critical for continuation of
operation for the organization?
A. BCP
B. BIA
C. MTD
D. DRP
02 Footprinting and Reconnaissance
Objectives
• Define active and passive footprinting
• Identify methods and procedures in information gathering
• Understand the use of social networking, search engines, and Google hacking in information
gathering
• Understand the use of whois, ARIN, and nslookup in information gathering
• Describe the DNS record types
Footprinting
What is footprinting?
Footprinting generally entails the following steps to ensure proper information retrieval:
1. Collect information that is publicly available about a target (for example, host and network information).
2. Ascertain the operating system(s) in use in the environment, including web server and web application data
where possible.
3. Issue queries such as Whois, DNS, network, and organizational queries.
4. Locate existing or potential vulnerabilities or exploits that exist in the current infrastructure that may be
conducive to launching later attacks.
Footprinting
Why perform footprinting?
Footprinting is about gathering information and formulating a hacking strategy. With proper care you, as the
attacking party, may be able to uncover the path of least resistance into an organization. Passively gathering
information is by far the easiest and most effective method. If done by a skilled, inventive, and curious party,
the amount of information that can be passively gathered is staggering. Expect to obtain information such as
this:
• Information about an organization’s security posture and where potential loopholes may exist. This
information will allow for adjustments to the hacking process that make it more productive.
• A database that paints a detailed picture with the maximum amount of information possible about the
target. This may be from an application such as a web application or other source.
• A network map using tools such as the Tracert utility to construct a picture of a target’s Internet presence or
Internet connectivity. Think of the network map as a roadmap leading you to a building; the map gets you
there, but you still have to determine the floor plan of the building.
Footprinting
Goals of the Footprinting Process
The idea is for you to get as much information in this phase as you possibly can, for example:
• Network information
• Operating system information
• Organization information: CEO and employee information, office information, contact numbers, and email
• Network blocks
• Network services
• Application and web application data and configuration information
• System architecture
• Intrusion detection and prevention systems
• Employee: names, work experience
Network Information
During the footprinting phase, keep your eyes open for the following items:
• Domain names the company uses to conduct business or other functions, including research and customer
relations
• Internal domain name information
• IP addresses of available systems
• Rogue or unmonitored websites that are used for testing or other purposes
• Private websites
• TCP/UDP services that are running
• Access control mechanisms, including firewalls and ACLs
• Virtual private network (VPN) information
• Intrusion detection and prevention information as well as configuration data
• Telephone numbers, including analog and Voice over Internet Protocol (VoIP)
• Authentication mechanisms and systems
Operating System Information
The operating system is one of the most important areas you must gain information about.
When sorting through the wealth of information that typically is available about a target, keep an eye out for
anything that provides technical details:
• User and group information and names
• Operating system versions
• System architecture
• Remote system data
• System names
• Passwords
Organization Data
Not all information is technical, so look for information about how an organization works.
This information includes the following:
• Employee details
• Organization’s website
• Company directory
• Location details
• Address and phone numbers
• Comments in HTML source code
• Security policies implemented
• Web server links relevant to the organization
• Background of the organization
• News articles and press releases
Organization Data
Not all information is technical, so look for information about how an organization works.
Information that provides details about employees, operations, projects, or other details is vital. Expect to
encounter this information in many locations such as the company’s own website, discussion groups, financial
reports, and other locations.
This information includes the following:
• Employee details
• Organization’s website
• Company directory
• Location details
• Address and phone numbers
• Comments in HTML source code
• IP address of a website
• Traceroute of a website
Passive Reconnaissance
• Netcraft (https://www.netcraft.com)
• Google Search (https://www.google.com)
• The Harvester
• Whois (https://whois.is)
• Shodan (https://www.shodan.io)
• Open Source Intelligence (OSINT)
  - OSRF Framework
  - Maltego
Netcraft
Google Search
Complete list of operators: https://ahrefs.com/blog/google-advanced-search-operators/
Exploits: https://www.exploit-db.com/google-hacking-database
The Harvester
Whois
Shodan
OSRF Framework
Here are the applications currently (as of this writing) found in OSRFramework:
• usufy.py This tool verifies if a user name/profile exists in up to 306 different platforms.
• mailfy.py This tool checks if a user name (e-mail) has been registered in up to 22 different e-mail providers.
• searchfy.py This tool looks for profiles using full names and other info in seven platforms. ECC words this
differently by saying the tool queries the OSRFramework platforms itself.
• domainfy.py This tool verifies the existence of a given domain (per the site, in up to 1567 different
registries).
• phonefy.py This tool checks, oddly enough, for the existence of phone numbers. It can be used to see if a
phone number has been linked to spam practices.
• entify.py This tool looks for regular expressions.
OSRF Framework
Search for a username across all available services:
usufy.py -n chepo37
Given email address:
mailfy.py -n chepo37
Search for a given string across all OSRF services:
searchfy.py -q "chepo37"
Active Reconnaissance
• DNS Enumeration
  - Forward DNS Lookup
  - Reverse DNS Lookup
  - Zone Transfers
• Port Scanning
  - OS Discovery
  - Nmap NSE Scripts
  - SMB NSE Scripts
Questions & Answers
1. Which of the following would be the best choice for footprinting restricted URLs and OS information from a
target?
A. www.archive.org
B. www.alexa.com
C. Netcraft
D. Yesware
2. Which of the following consists of a publicly available set of databases that contain domain name
registration contact information?
A. IETF
B. IANA
C. Whois
D. OSRF
3. An SOA record gathered from a zone transfer is shown here:
@ IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. (
4 ; serial number
3600 ; refresh [1h]
600 ; retry [10m]
86400 ; expire [1d]
3600 ) ; min TTL [1h]
What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for
updates?
A. DNSRV1.anycomp.com, every 3600 seconds
B. DNSRV1.anycomp.com, every 600 seconds
C. DNSRV1.anycomp.com, every 4 seconds
D. postmaster.anycomp.com, every 600 seconds
4. A security peer is confused about a recent incident. An attacker successfully accessed a machine in the
organization and made off with some sensitive data. A full vulnerability scan was run immediately following the
theft, and nothing was discovered. Which of the following best describes what may have happened?
A. The attacker took advantage of a zero-day vulnerability on the machine.
B. The attacker performed a full rebuild of the machine after he was done.
C. The attacker performed a denial-of-service attack.
D. Security measures on the device were completely disabled before the attack began.
5. Which footprinting tool or technique can be used to find the names and addresses of employees or technical
points of contact?
A. whois
B. nslookup
C. dig
D. traceroute
6. Which Google hack would display all pages that have the words SQL and Version in their titles?
A. inurl:SQL inurl:version
B. allinurl:SQL version
C. intitle:SQL inurl:version
D. allintitle:SQL version
7. Which of the following are passive footprinting methods? (Choose all that apply.)
A. Checking DNS replies for network mapping purposes
B. Collecting information through publicly accessible sources
C. Performing a ping sweep against the network range
D. Sniffing network traffic through a network tap
8. Which OSRF application checks to see if a username has been registered in up to 22 different e-mail
providers?
A. mailfy.py
B. usufy.py
C. entify.py
D. searchfy.py
9. You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both
services to the same record (IP address)?
A. NS
B. SOA
C. CNAME
D. PTR
10. As a pen test team member, you begin searching for IP ranges owned by the target organization and
discover their network range. You also read job postings and news articles and visit the organization’s website.
Throughout the first week of the test, you also observe when employees come to and leave work, and you
rummage through the trash outside the building for useful information. Which type of footprinting are you
accomplishing?
A. Active
B. Passive
C. Reconnaissance
D. None of the above
11. A pen tester is attempting to use nslookup and has the tool in interactive mode for the search. Which
command should be used to request the appropriate records?
A. request type=ns
B. transfer type=ns
C. locate type=ns
D. set type=ns
03 Scanning Networks
Objectives
• Understand scanning methodology
• Describe scan types and the objectives of scanning
• Understand the use of various scanning and enumeration tools
• Describe TCP communication (three-way handshake and flag types)
• Understand basic subnetting
• Understand enumeration and enumeration techniques
• Describe vulnerability scanning concepts and actions
• Describe the steps involved in performing enumeration
TCP/IP Networking
Connectionless Communication
When two IP-enabled hosts communicate with each
other, two methods of data transfer are available at
the Transport layer: connectionless communication
and connection-oriented communication.
Connectionless communication is fairly simple to
understand: the sender doesn’t care whether the
recipient has the bandwidth (at the moment) to
accept the message, nor does the sender really seem
to care whether the recipient gets the message at all.
Connectionless communication is “fire and forget.” In
a much faster way of sending datagrams, the sender
can simply fire as many segments as it wants out to
the world, relying on other upper-layer protocols to
handle any problems.
Figure: UDP Datagram - Structure
This obviously comes with some disadvantages as
well (no error correction, retransmission, and so on).
TCP/IP Networking
Connection-Oriented
Communication using TCP requires a lot more
overhead and is often a lot slower than
connectionless communication, but it is an orderly
form of data exchange and is used for transporting
large files or communicating across network
boundaries.
Senders reach out to recipients, before data is ever
even sent, to find out whether they’re available and
whether they’d be willing to set up a data channel.
Once the data exchange begins, the two systems
continue to talk with one another, making sure flow
control is accomplished, so the recipient isn’t
overwhelmed and can find a way for retransmissions
in case something gets lost along the way.
Figure: TCP Segment - Structure
It’s accomplished through the use of header flags and
something known as the three-way handshake.
TCP/IP Networking
The TCP header flags are as follows:
• SYN (Synchronize) This flag is set during initial communication establishment. It indicates negotiation
of parameters and sequence numbers.
• ACK (Acknowledgment) This flag is set as an acknowledgment to SYN flags. This flag is set on all
segments after the initial SYN flag.
• RST (Reset) This flag forces a termination of communications (in both directions).
• FIN (Finish) This flag signifies an ordered close to communications.
• PSH (Push) This flag forces the delivery of data without concern for any buffering. In other words, the
receiving device need not wait for the buffer to fill up before processing the data.
• URG (Urgent) When this flag is set, it indicates the data inside is being sent out of band. Canceling a
message midstream is one example.
To fully understand these flags and their usage, consider what is most often accomplished during a normal TCP
data exchange.
TCP/IP Networking
First, a session must be established between the two systems. To do this, the sender forwards a segment with
the SYN flag set, indicating a desire to synchronize a communications session. This segment also contains a
sequence number—a pseudorandom number that helps maintain the legitimacy and uniqueness of this
session. As an aside, the generation of these numbers isn’t necessarily all that random after all, and plenty of
attack examples point that out. For study purposes, though, just remember what the sequence number is and
what its purpose is.
When the recipient gets this segment, it responds with the SYN and ACK flags set and acknowledges the
sequence number by incrementing it by one. Additionally, the return segment contains a sequence number
generated by the recipient. All this tells the sender, “Yes, I acknowledge your request to communicate and
agree to synchronize with you. I see your sequence number and acknowledge it by incrementing it. Please use
my sequence number in further communications with me so I can keep track of what we’re doing.”
When this segment is received by the original sender, it generates one more segment to finish the
synchronization. In this segment, the ACK flag is set, and the recipient’s own sequence number is
acknowledged. At the end of this three-way handshake, a communications channel is opened, sequence
numbers are established on both ends, and data transfer can begin.
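The flag bits listed above and the three-way handshake just described, as an added example that is not part of the course material: a minimal TCP header builder and parser, plus a checker that verifies three captured segments really form SYN, SYN/ACK, ACK with each side's initial sequence number (ISN) acknowledged as ISN + 1. Ports and ISNs are constructed sample values.

```python
import secrets
import struct

# TCP header flag bits (the flags byte of the header), as listed in the text.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HEADER_FMT = "!HHIIBBHHH"   # ports, seq, ack, data offset, flags, window, checksum, urgent ptr
MASK32 = 0xFFFFFFFF         # sequence numbers are 32-bit and wrap around


def build_segment(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header without options; checksum left at 0."""
    bits = 0
    for name in flags:
        bits |= FLAGS[name]
    return struct.pack(HEADER_FMT, sport, dport, seq & MASK32, ack & MASK32,
                       5 << 4, bits, 65535, 0, 0)


def parse_segment(segment):
    """Decode the fixed header and name the flags that are set."""
    sport, dport, seq, ack, offset, bits, window, _, _ = struct.unpack(HEADER_FMT, segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (offset >> 4) * 4, "window": window,
        "flags": {name for name, bit in FLAGS.items() if bits & bit},
    }


def check_handshake(segments):
    """Verify that three segments form SYN, SYN/ACK, ACK with the sequence-number
    arithmetic described in the text. Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "a handshake is exactly three segments"
    syn, synack, ack = (parse_segment(s) for s in segments)
    if "SYN" not in syn["flags"] or "ACK" in syn["flags"]:
        return False, "first segment must carry SYN without ACK"
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        return False, "second segment must flow back from the server port"
    if synack["flags"] != {"SYN", "ACK"}:
        return False, "second segment must carry SYN and ACK"
    if synack["ack"] != (syn["seq"] + 1) & MASK32:
        return False, "server did not acknowledge client ISN + 1"
    if (ack["sport"], ack["dport"]) != (syn["sport"], syn["dport"]):
        return False, "third segment must come from the client"
    if "ACK" not in ack["flags"] or "SYN" in ack["flags"]:
        return False, "third segment must carry ACK without SYN"
    if ack["seq"] != (syn["seq"] + 1) & MASK32:
        return False, "client's next sequence number must be its ISN + 1"
    if ack["ack"] != (synack["seq"] + 1) & MASK32:
        return False, "client did not acknowledge server ISN + 1"
    return True, "handshake complete: both ISNs established"


def sample_handshake(client_isn, server_isn, sport=40000, dport=80):
    """Constructed exchange: client SYN, server SYN/ACK, client ACK."""
    return [
        build_segment(sport, dport, client_isn, 0, {"SYN"}),
        build_segment(dport, sport, server_isn, client_isn + 1, {"SYN", "ACK"}),
        build_segment(sport, dport, client_isn + 1, server_isn + 1, {"ACK"}),
    ]


if __name__ == "__main__":
    # Hard-to-guess ISNs are what stop a third party from completing or injecting into
    # a session; the text notes that predictable ISN generation has been attacked before.
    segs = sample_handshake(secrets.randbits(32), secrets.randbits(32))
    for s in segs:
        p = parse_segment(s)
        print(sorted(p["flags"]), "seq", p["seq"], "ack", p["ack"])
    print(check_handshake(segs))
```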
Figure: The three-way handshake
TCP/IP Networking
Port Numbering
A port number, inside the Transport layer protocol
header (TCP or UDP), identifies which upper-layer
protocol should receive the information contained
within.
Systems use port numbers to identify to recipients
what they’re trying to accomplish—that is, assuming
the default ports are still being used for their default
purposes, but we’ll get to that later.
The port numbers range from 0 to 65,535 and are
split into three different groups:
• Well-known ports: 0 to 1,023
• Registered ports: 1,024 to 49,151
• Dynamic ports: 49,152 to 65,535
TCP/IP Networking
In reading this, you may be wondering just how those
ports are behaving on your own machine.
The answer comes from the state the port is in.
Suppose you have an application running on your
computer that is waiting for another computer to
connect to it.
Whatever port number your application is set to use
is said to be in a listening state.
Once a remote system goes through all the
handshaking and checking to establish a session over
that open port on your machine, your port is said to
be in an established state.
In short, a listening port is one that is waiting for a
connection, while an established port is one that is
connected to a remote computer.
Figure: Important Port Numbers (table)
TCP/IP Networking
IP Address
IPv4 addresses are really 32 bits, each set to 1 or 0, separated into four octets by decimal points.
It’s the router’s job to figure out what the network address is for any given IP address, and the subnet mask is
the key. For example, 12.197.44.8
Subnet mask
A subnet mask is a binary pattern that is matched against an IP address to determine which bits belong to the
network side of the address: reading the mask from left to right, the bits are 1 for the network portion and 0
for the host portion.
For example, if your subnet mask wants to identify the first 12 bits as the network identification bits, the mask
will look like this: 11111111.11110000.00000000.00000000, or translated to decimal, 255.240.0.0.
Therefore, the address is written as 12.197.44.8 with mask 255.240.0.0, or in CIDR notation as 12.197.44.8/12.
Here are some rules you need to know about IP addresses and the bits that make them up:
• If all the bits in the Host field are 1s, the address is a broadcast address (that is, anything sent to that
address will go to everything on that network).
• If all the bits in the Host field are 0s, that's the network address.
• Any combination other than all 1s or all 0s represents the usable range of addresses in that network.
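The mask and host-bit rules above, worked through in code. This is an added example, not material from the slides; it applies the left-to-right mask rule to a.b.c.d/n and then decides which of the three host-bit rules an address falls under.

```python
# Added example (not from the slides): network, broadcast and usable host range
# from a.b.c.d/n, applying the left-to-right mask rule and the three host-bit
# rules described above.

def parse_ipv4(text):
    """Dotted-quad text to a 32-bit integer."""
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {text}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def fmt_ipv4(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_from_prefix(prefix):
    """Turn on `prefix` 1-bits from the left: /12 -> 255.240.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr):
    """Mask, network, broadcast and first/last usable host for a.b.c.d/n."""
    addr_text, prefix_text = cidr.split("/")
    addr, prefix = parse_ipv4(addr_text), int(prefix_text)
    mask = mask_from_prefix(prefix)
    network = addr & mask                        # host bits all 0
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all 1
    if prefix >= 31:   # /31 and /32: no separate network/broadcast addresses
        first, last = network, broadcast
    else:
        first, last = network + 1, broadcast - 1
    return {"mask": fmt_ipv4(mask), "network": fmt_ipv4(network),
            "broadcast": fmt_ipv4(broadcast),
            "first_host": fmt_ipv4(first), "last_host": fmt_ipv4(last)}

def classify(cidr):
    """Which of the three rules applies: network, broadcast or usable host."""
    info = subnet_info(cidr)
    addr = fmt_ipv4(parse_ipv4(cidr.split("/")[0]))   # normalised form
    if addr == info["network"]:
        return "network"
    if addr == info["broadcast"]:
        return "broadcast"
    return "host"

if __name__ == "__main__":
    print(subnet_info("12.197.44.8/12"), classify("12.197.44.8/12"))
```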
Scanning Methodology
1. Check for live systems. You can use something as simple as a ping. This gives you a list of what’s actually
alive on your network subnet.
2. Check for open ports. Once you know which IP addresses are active, find what ports they’re listening on.
3. Scan beyond IDS. Sometimes your scanning efforts need to be altered to avoid those pesky intrusion
detection systems.
4. Perform banner grabbing. Banner grabbing and OS fingerprinting tell you what operating system is on the
machines and which services they are running.
5. Scan for vulnerabilities. Perform a more focused look to find any vulnerabilities these machines haven’t
been patched for yet.
6. Draw network diagrams. A good network diagram displays all the logical and physical pathways to targets
you might like.
7. Prepare proxies. This obscures your efforts so you remain hidden.
Identify Targets
The simplest and easiest way to do this is to take
advantage of a protocol that’s buried in the stack of
every TCP/IP-enabled device on the planet—Internet
Control Message Protocol (ICMP).
Pinging every address within a range is known as a ping sweep. A ping sweep is the easiest
method available to identify active machines on the network, and there are innumerable tools to help you
pull it off (Zenmap, Nmap's Windows GUI version, etc.).
Many administrators disable ping responses on network systems and devices and configure firewalls
to block them. Lastly, if you add IPv6 to the mix, it really muddies the waters. Scanning in IPv6 is much
more difficult and complex, and ping sweeps often don't work at all in most tools.
Port Scanning
Port Scan Types
A scan type is identified based on three factors:
• What flags are set in the packets before delivery
• What responses you expect from ports
• How stealthily the scan works
Generally, there are seven generic scan types for port scanning:
• Full connect: Also known as a TCP connect or full open scan, this runs through a full connection (three-way handshake) on ports, tearing it down with an RST at the end. It is the easiest type to detect, but it's possibly the most reliable. Open ports respond with a SYN/ACK, and closed ports respond with an RST.
• Stealth: Also known as a half-open scan (or SYN scan), this sends only SYN packets to ports (the three-way handshake is never completed). Responses from ports are the same as for a TCP connect scan. This technique is useful in hiding your scanning efforts, possibly bypassing firewalls and monitoring efforts by hiding as normal traffic (it simply doesn't get noticed because there is no connection to notice).
• Inverse TCP flag: This scan uses the FIN, URG, or PSH flag (or, in one version, no flags at all) to poke at system ports. If the port is open, there is no response at all. If the port is closed, an RST/ACK is sent in response. You know, the inverse of everything else.
• XMAS: A Christmas scan is so named because all flags are turned on, so the packet is "lit up" like a Christmas tree. Port responses are the same as with an inverse TCP scan. XMAS scans do not work against Microsoft Windows machines due to Microsoft's TCP/IP stack implementation (Microsoft TCP/IP is not RFC 793 compliant).
• ACK flag probe: There are two versions of this scan, both of which use the same method: the attacker sends the ACK flag and looks at the return header (TTL field or Window field) to determine the port status. In the TTL version, if the TTL of the returned RST packet is less than 64, the port is open. In the Window version, if the window size on the RST packet is anything other than zero, the port is open.
• IDLE: This uses a spoofed IP address (an idle zombie system) to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan.
• TCP Maimon: This sends the FIN and ACK flags. If there is no response, the port is open. If the port is closed, it responds with an RST packet. Modern systems rarely exhibit this behavior, however, sending RST back on all ports.
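The flag combinations listed above are exactly what a defender looks for on the wire. This added example (not from the slides) runs a simple flag-pattern detector over a constructed set of packet summaries: NULL, FIN, XMAS and Maimon probes are flagged from a single packet, while bare SYNs are only reported once one source has touched several ports, since a lone SYN or ACK is ordinary traffic.

```python
# Added example (not from the slides): a flag-pattern detector for the scan
# types listed above, run over constructed packet summaries.
from collections import defaultdict

# Constructed sample, one packet per line: "src dst dport flags", with flags as
# letters S=SYN A=ACK F=FIN P=PSH U=URG R=RST and "-" meaning no flags set.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.20 22 S
10.0.0.5 10.0.0.20 80 S
10.0.0.5 10.0.0.20 443 S
10.0.0.7 10.0.0.20 22 FPU
10.0.0.7 10.0.0.20 80 FPU
10.0.0.7 10.0.0.20 139 FPU
10.0.0.9 10.0.0.20 22 -
10.0.0.9 10.0.0.20 25 F
10.0.0.9 10.0.0.20 445 FA
10.0.0.11 10.0.0.20 80 A
10.0.0.11 10.0.0.20 80 PA
"""

def probe_type(flags):
    """Scan technique a flag set matches, or None if it is normal on its own."""
    f = set() if flags == "-" else set(flags)
    if not f:
        return "NULL (inverse TCP, no flags)"
    if {"F", "P", "U"} <= f:   # slides say "all flags"; Nmap -sX sets F, P, U
        return "XMAS"
    if f == {"F"}:
        return "FIN (inverse TCP)"
    if f == {"F", "A"}:
        return "TCP Maimon"
    return None   # SYN, ACK, PSH/ACK, SYN/ACK: ordinary traffic on their own

def detect_scans(log_text, syn_threshold=3):
    """Return {src: [findings]} for sources whose packets look like probes."""
    syn_ports = defaultdict(set)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        src, _dst, dport, flags = line.split()
        kind = probe_type(flags)
        if kind:
            findings[src].append(f"{kind} probe to port {dport}")
        elif flags == "S":   # a half-open scan leaves one bare SYN per port
            syn_ports[src].add(dport)
    for src, ports in syn_ports.items():
        if len(ports) >= syn_threshold:
            findings[src].append(
                f"SYN to {len(ports)} distinct ports (possible SYN/connect scan)")
    return dict(findings)
```

A lone ACK (the ACK flag probe above) is indistinguishable from mid-session traffic in a single packet, so it is deliberately not reported here; detecting it needs connection state, which a stateful firewall or IDS keeps.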
Port Scanning Responses
IDLE scanning: port open
IDLE scanning: port closed
Nmap
Nmap Switches
Hping
Hping Switches
Fragments to prevent detection
What if packet filters, firewalls, and other devices start to pick up evidence of your scanning?
Many methods are available to evade or minimize the risk of detection when scanning.
For example, fragmenting works by breaking a packet into multiple pieces, with the goal of preventing
detection devices from seeing what the original unfragmented packet intends to do.
Think of it as taking a large picture and cutting it into little pieces like a jigsaw puzzle.
If you don't know what the original picture looks like, you have to reassemble the pieces to figure it out.
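The jigsaw analogy, shown from the detection side. This is an added example, not from the slides: a signature that spans fragment boundaries is invisible to a filter that inspects each piece alone and only appears once the pieces are reassembled, which is why inspection devices reassemble before matching. Fragments are constructed (offset, more_fragments, data) tuples using byte offsets, a simplification of IP's 8-byte offset units.

```python
# Added example (not from the slides): why a detection device must reassemble
# fragments before matching. Fragments are constructed (offset, more_fragments,
# data) tuples with byte offsets, a simplification of IP's 8-byte offset units.

def reassemble(fragments):
    """Rebuild the original payload; None if a piece is missing or misaligned."""
    buf, expected, saw_last = bytearray(), 0, False
    for offset, more, data in sorted(fragments, key=lambda f: f[0]):
        if offset != expected or saw_last:   # hole, overlap or data after last
            return None
        buf.extend(data)
        expected = offset + len(data)
        if not more:
            saw_last = True
    return bytes(buf) if saw_last else None

SIGNATURE = b"GET /cgi-bin/"   # constructed signature a filter might look for

def matches_per_fragment(fragments, sig=SIGNATURE):
    """Naive matching of each fragment on its own, as a stateless filter sees it."""
    return any(sig in data for _offset, _more, data in fragments)

def matches_reassembled(fragments, sig=SIGNATURE):
    """Matching after the jigsaw has been put back together."""
    whole = reassemble(fragments)
    return whole is not None and sig in whole

# Constructed payload, split so the signature straddles fragment boundaries
PAYLOAD = b"GET /cgi-bin/status HTTP/1.0\r\n\r\n"
FRAGMENTS = [
    (0, True, PAYLOAD[:5]),      # b"GET /"
    (5, True, PAYLOAD[5:11]),    # b"cgi-bi"
    (11, False, PAYLOAD[11:]),   # b"n/status HTTP/1.0\r\n\r\n"
]

if __name__ == "__main__":
    print("per-fragment:", matches_per_fragment(FRAGMENTS))   # False
    print("reassembled:", matches_reassembled(FRAGMENTS))     # True
```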
Metasploit 2 - Scan ports
Metasploit 2 - rlogin
Metasploit 2 - rpcinfo
Metasploit 2 - ssh
Metasploit 2 - mysql
OpenVAS
https://www.greenbone.net/en/testnow/
Questions & Answers
1. A member of your team enters the following command:
nmap -sV -sC -O -traceroute IPAddress
Which of the following Nmap commands performs the same task?
A. nmap -A IPAddress
B. nmap -all IPAddress
C. nmap -Os IPAddress
D. nmap -aA IPAddress
2. You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server.
Assuming you have the correct tools installed, which of the following command-line entries will successfully
perform a banner grab? (Choose all that apply.)
A. telnet 168.15.22.4 80
B. telnet 80 168.15.22.4
C. nc -v -n 168.15.22.4 80
D. nc -v -n 80 168.15.22.4
3. You’ve decided to begin scanning against a target organization but want to keep your efforts as quiet as
possible. Which IDS evasion technique splits the TCP header among multiple packets?
A. Fragmenting
B. IP spoofing
C. Proxy scanning
D. Anonymizer
4. One of your team members is analyzing TTL fields and TCP window sizes in order to fingerprint the OS of a
target. Which of the following is most likely being attempted?
A. Online OS fingerprinting
B. Passive OS fingerprinting
C. Aggressive OS fingerprinting
D. Active OS fingerprinting
5. What flag or flags are sent in the segment during the second step of the TCP three-way handshake?
A. SYN
B. ACK
C. SYN/ACK
D. ACK/FIN
6. You are port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return
packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the
following is true?
A. The response indicates an open port.
B. The response indicates a closed port.
C. The response indicates a Windows machine with a nonstandard TCP/IP stack.
D. ICMP is filtered on the machine.
7. An ethical hacker is ACK-scanning against a network segment he knows is sitting behind a stateful firewall. If
a scan packet receives no response, what does that indicate?
A. The port is filtered at the firewall.
B. The port is not filtered at the firewall.
C. The firewall allows the packet, but the device has the port closed.
D. It is impossible to determine any port status from this response.
8. Which flag forces a termination of communications in both directions?
A. RST
B. FIN
C. ACK
D. PSH
9. You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address
for the subnet. Which of the following is the correct broadcast address for the subnet?
A. 52.93.24.255
B. 52.93.0.255
C. 52.93.32.255
D. 52.93.31.255
E. 52.93.255.255
10. Which port number is used by default for syslog?
A. 21
B. 23
C. 69
D. 514
11. Which of the following commands would you use to quickly identify live targets on a subnet? (Choose all
that apply.)
A. nmap -A 172.17.24.17
B. nmap -O 172.17.24.0/24
C. nmap -sn 172.17.24.0/24
D. nmap -PI 172.17.24.0/24
12. You’re running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is
sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in
what state is the port on the target machine?
A. Open
B. Closed
C. Unknown
D. None of the above
13. Which ICMP message type/code indicates the packet could not arrive at the recipient due to exceeding its
time to live?
A. Type 11
B. Type 3, Code 1
C. Type 0
D. Type 8
14. An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK
responses on open ports is being answered. Which type of port scan is this?
A. Ping sweep
B. XMAS
C. Stealth
D. Full
15. Which of the following statements is true regarding port scanning?
A. Port scanning’s primary goal is to identify live targets on a network.
B. Port scanning is designed to overload the ports on a target in order to identify which are open and which
are closed.
C. Port scanning is designed as a method to view all traffic to and from a system.
D. Port scanning is used to identify potential vulnerabilities on a target system.