net-sec-samenvatting/03_scanning.md

# Scanning

* learn more about targets
* find potential attack openings
    * addresses of live hosts
    * network topologies
    * OSs of hosts
    * open ports
    * services running on hosts

## Network tracing

### IPv4 and IPv6

* important IPv4 headers
    * **TTL**: time to live
        * tells us how many hops a package needed to make
    * source and destination IP
* IPv6 properties
    * 128 bit addresses
    * simpler than IPv4


![IPv4 diagram](./img/ch03/ipv4_diagram.png)
![IPv6 diagram](./img/ch03/ipv6_diagram.png)

### tracing

* discover routes that packets take between systems
    * allows constructing network diagrams
* sends ICMP/UDP/TCP packets with varying TTL
* requires routers to properly report dropped packets
    * often disabled for performance/security reasons
* `traceroute` useful tool
* web-based [tools](https://tools.keycdn.com/traceroute) also available

## Scanning

* Nmap does it all

### TCP

* 16-bit ports
* sequence and ack number for reliable in-order delivery
* control bots track state
    * **URG**: urgent flag
    * **ACK**: acknowledge earlier packets
    * **PSH** (push): data should not be buffered
    * **RST**: reset connection
    * **SYN**: synchronisation, sends initial sequence number
    * **FIN**: indicate session can be closed
* half-open port scanning
    * only send SYN part of handshake
    * listen for response
        * SYN + ACK: port open
        * RST + ACK: port closed or blocked
        * ICMP port unreachable: likely blocked
        * no response: likely blocked
    * can take a while if no responses are sent
* large scans are bad
    * limit scope of scan
        * select subset of targets
        * only scan well-known ports initially
        * limit scan based on firewall information
    * temporarily tweak firewall to speed up scans
    * use parallel machines (be careful not to DoS)
    * scanrand & zmap tools

![TCP diagram](./img/ch03/tcp_diagram.png)

### UDP

* send empty UDP datagram and listen
    * UDP packet response: something is listening on target port
    * ICMP port unreachable: likely blocked
    * no response: multiple options
        * port is blocked by firewall
        * port only responds to specific format

### ARP

* Address Resolution Protocol
    * data link layer
    * translates IPv4 addresses to MAC addresses
    * scan local subnet for hosts
    * lots of traffic
    * can be detected by network intrusion detection systems (NIDS)

### ICMP

* Internet Control Message Protocol
* used for diagnostic purposes
    * error reporting
    * router discovery
    * redirect messages
* ping sweeps
* traceroute
* redirect messages expose network topology
* ICMP address mask requests: determine subnet used by target host
hoofdstuk 2 stuff 2024-12-27 12:05:42 +01:00			`# Scanning`
deel chapter 3 2024-12-27 13:28:42 +01:00
			`* learn more about targets`
			`* find potential attack openings`
			`* addresses of live hosts`
			`* network topologies`
			`* OSs of hosts`
			`* open ports`
			`* services running on hosts`

			`## Network tracing`

			`### IPv4 and IPv6`

			`* important IPv4 headers`
			`* TTL: time to live`
			`* tells us how many hops a package needed to make`
			`* source and destination IP`
			`* IPv6 properties`
			`* 128 bit addresses`
			`* simpler than IPv4`


			`![IPv4 diagram](./img/ch03/ipv4_diagram.png)`
			`![IPv6 diagram](./img/ch03/ipv6_diagram.png)`

			`### tracing`

			`* discover routes that packets take between systems`
			`* allows constructing network diagrams`
			`* sends ICMP/UDP/TCP packets with varying TTL`
			`* requires routers to properly report dropped packets`
			`* often disabled for performance/security reasons`
			* `traceroute` useful tool
			`* web-based [tools](https://tools.keycdn.com/traceroute) also available`

			`## Scanning`

			`* Nmap does it all`

			`### TCP`

			`* 16-bit ports`
			`* sequence and ack number for reliable in-order delivery`
			`* control bots track state`
			`* URG: urgent flag`
			`* ACK: acknowledge earlier packets`
			`* PSH (push): data should not be buffered`
			`* RST: reset connection`
			`* SYN: synchronisation, sends initial sequence number`
			`* FIN: indicate session can be closed`
			`* half-open port scanning`
			`* only send SYN part of handshake`
			`* listen for response`
			`* SYN + ACK: port open`
			`* RST + ACK: port closed or blocked`
			`* ICMP port unreachable: likely blocked`
			`* no response: likely blocked`
			`* can take a while if no responses are sent`
			`* large scans are bad`
			`* limit scope of scan`
			`* select subset of targets`
			`* only scan well-known ports initially`
			`* limit scan based on firewall information`
			`* temporarily tweak firewall to speed up scans`
			`* use parallel machines (be careful not to DoS)`
			`* scanrand & zmap tools`

			`![TCP diagram](./img/ch03/tcp_diagram.png)`

			`### UDP`

			`* send empty UDP datagram and listen`
			`* UDP packet response: something is listening on target port`
			`* ICMP port unreachable: likely blocked`
			`* no response: multiple options`
			`* port is blocked by firewall`
			`* port only responds to specific format`

			`### ARP`

			`* Address Resolution Protocol`
			`* data link layer`
			`* translates IPv4 addresses to MAC addresses`
			`* scan local subnet for hosts`
			`* lots of traffic`
			`* can be detected by network intrusion detection systems (NIDS)`

			`### ICMP`

			`* Internet Control Message Protocol`
			`* used for diagnostic purposes`
			`* error reporting`
			`* router discovery`
			`* redirect messages`
			`* ping sweeps`
			`* traceroute`
			`* redirect messages expose network topology`
			`* ICMP address mask requests: determine subnet used by target host`