SCANNING ACTIVITY

Using ping test on Microsoft Windows

To use the ping program on Microsoft Windows, follow these steps: open a command prompt (click Start, click Run, type cmd, and then press Enter), then type ping followed by the host name or IP address that you want to test.

Interpret the output from ping: If the remote host is active and configured to respond to ping requests, one reply line appears per request, showing the round-trip time and the TTL of the reply, followed by a summary of how many packets were sent, received and lost. For example, the following output shows ping responses from www.emu.edu.tr:

C:\Users\asus> ping www.emu.edu.tr

Pinging www.emu.edu.tr [193.140.173.247] with 32 bytes of data:

Reply from 193.140.173.247: bytes=32 time=8ms TTL=55
Reply from 193.140.173.247: bytes=32 time=7ms TTL=55
Reply from 193.140.173.247: bytes=32 time=5ms TTL=55
Reply from 193.140.173.247: bytes=32 time=3ms TTL=55

Ping statistics for 193.140.173.247:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 8ms, Average = 5ms

Using tracert on Microsoft Windows

On Windows-based systems, use the tracert program to test the path to a server. To do this, follow these steps: open a command prompt (click Start, click Run, type cmd, and then press Enter). At the command prompt, type tracert followed by the domain that you want to test.

Interpret the output from tracert: Tracert displays each hop, indicated by a number in the left column. It also displays the domain and IP address at each hop, as well as the round-trip time of each of the three probes sent to that hop. For example, the following output shows the path to www.emu.edu.tr:

C:\Users\asus>tracert www.emu.edu.tr

Tracing route to www.emu.edu.tr [193.140.173.247]
over a maximum of 30 hops:

  1     2 ms     4 ms    <1 ms  192.168.0.1
  2     1 ms    <1 ms    14 ms  172.16.172.1
  3    10 ms     1 ms     1 ms  10.111.1.1
  4     4 ms     1 ms     1 ms  172.16.101.1
  5     1 ms     9 ms     1 ms  172.16.2.1
  6     3 ms     2 ms    11 ms  172.31.252.5
  7     4 ms     4 ms     4 ms  212.156.79.30.static.turktelekom.com.tr [212.156.79.30]
  8     4 ms     3 ms     4 ms  193.140.41.13
  9    15 ms    67 ms    30 ms  193.140.41.9
 10    11 ms     9 ms    24 ms  193.140.173.247

Trace complete.
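Reading these two outputs by eye is fine for one host, but a monitoring or incident-response script needs them as data. The following Python is an added example (not from the original page): it parses the ping and tracert runs shown above into structured records, and also handles a hop that prints "*" and "Request timed out.", which the page's trace does not contain, so that sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two runs shown above, typed into string literals so the parsers run offline.
PING_OUTPUT = """\
Pinging www.emu.edu.tr [193.140.173.247] with 32 bytes of data:
Reply from 193.140.173.247: bytes=32 time=8ms TTL=55
Reply from 193.140.173.247: bytes=32 time=7ms TTL=55
Reply from 193.140.173.247: bytes=32 time=5ms TTL=55
Reply from 193.140.173.247: bytes=32 time=3ms TTL=55
Ping statistics for 193.140.173.247:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

TRACERT_OUTPUT = """\
Tracing route to www.emu.edu.tr [193.140.173.247]
over a maximum of 30 hops:
  1     2 ms     4 ms    <1 ms  192.168.0.1
  2     1 ms    <1 ms    14 ms  172.16.172.1
  3    10 ms     1 ms     1 ms  10.111.1.1
  4     4 ms     1 ms     1 ms  172.16.101.1
  5     1 ms     9 ms     1 ms  172.16.2.1
  6     3 ms     2 ms    11 ms  172.31.252.5
  7     4 ms     4 ms     4 ms  212.156.79.30.static.turktelekom.com.tr [212.156.79.30]
  8     4 ms     3 ms     4 ms  193.140.41.13
  9    15 ms    67 ms    30 ms  193.140.41.9
 10    11 ms     9 ms    24 ms  193.140.173.247
Trace complete.
"""

# Constructed sample (not from the page): a hop that drops all three probes.
TRACERT_WITH_TIMEOUT = """\
Tracing route to host.example.invalid [198.51.100.7]
over a maximum of 30 hops:
  1     2 ms     4 ms    <1 ms  192.168.0.1
  2     *        *        *     Request timed out.
  3    12 ms    11 ms    13 ms  198.51.100.7
Trace complete.
"""

REPLY_RE = re.compile(r"Reply from \S+: bytes=\d+ time([=<])(\d+)ms TTL=(\d+)")
STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.*\S)\s*$")
PROBE_RE = re.compile(r"(<?\d+)\s*ms|(\*)")
BRACKET_IP_RE = re.compile(r"\[([^\]]+)\]")


def parse_ping(text: str) -> dict:
    """Per-reply RTTs (ms) and loss figures from one Windows ping run."""
    # "time<1ms" means under a millisecond; it is recorded as 0.
    rtts = [0 if op == "<" else int(ms) for op, ms, _ttl in REPLY_RE.findall(text)]
    m = STATS_RE.search(text)
    if m is None:
        raise ValueError("no 'Ping statistics' block found")
    sent, received, lost = (int(x) for x in m.groups())
    return {
        "rtts_ms": rtts,
        "sent": sent, "received": received, "lost": lost,
        "loss_pct": 100.0 * lost / sent if sent else 0.0,
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        # Windows prints this truncated to a whole millisecond (5ms above);
        # the exact mean is kept so small latency drifts stay visible.
        "avg_ms": sum(rtts) / len(rtts) if rtts else None,
    }


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]   # None where a probe got no answer ("*")
    host: Optional[str]            # None for "Request timed out."
    address: Optional[str]


def parse_tracert(text: str) -> List[Hop]:
    """One Hop per numbered line of a Windows tracert run."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m is None:
            continue          # header, blank and "Trace complete." lines
        number, probes, target = int(m.group(1)), m.group(2), m.group(3)
        rtts = [None if star else (0 if ms.startswith("<") else int(ms))
                for ms, star in PROBE_RE.findall(probes)]
        if target.startswith("Request timed out"):
            hops.append(Hop(number, rtts, None, None))
            continue
        bracket = BRACKET_IP_RE.search(target)
        host = target.split(" [")[0]
        hops.append(Hop(number, rtts, host, bracket.group(1) if bracket else host))
    return hops


def unresponsive_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers where every probe timed out (a router or filter that drops them)."""
    return [h.number for h in hops if all(r is None for r in h.rtts_ms)]
```

A hop that answers nothing is not necessarily a problem: many routers rate-limit or drop ICMP TTL-exceeded messages, so a single silent hop with later hops responding normally is typical; a run of silent hops up to the destination is what indicates filtering or an outage.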

 

Using nslookup on Microsoft Windows

nslookup queries DNS to resolve a host name to its IP addresses (or the reverse) and to look up other records for a domain. Together with basic scanning tools such as traceroute, mtr, dig, whois, nmap and telnet, it is used to extract useful information about a target.


DOS ATTACK

How do DoS attacks happen?

A Denial of Service (DoS) attack is a type of cyber attack in which a malicious actor seeks to make a network or computer resource unavailable to its intended users. This is typically accomplished by flooding the target with traffic or requests for connections, overwhelming the resources of the network or server and making it unable to respond to legitimate requests.

There are several methods that can be used to carry out a DoS attack. Some of the most common include:

  1. Ping flood: This involves sending a large number of ping requests to a target, with the goal of overloading the server and making it unable to respond to legitimate requests.
  2. SYN flood: This type of attack involves sending a large number of SYN requests (a type of packet used to initiate a TCP connection) to a target, with the goal of exhausting the target's resources and making it unable to respond to legitimate requests.
  3. HTTP flood: This involves sending a large number of HTTP requests to a target, with the goal of overwhelming the server and making it unable to respond to legitimate requests.
  4. DDoS attack: A Distributed Denial of Service (DDoS) attack involves using a network of compromised computers (called a "botnet") to flood a target with traffic. This type of attack is particularly difficult to defend against, as it can involve traffic from many different sources.

It is important to note that DoS attacks can be difficult to defend against, as they often involve a large volume of traffic and can be difficult to trace to their source. However, there are a number of measures that organizations can take to protect against DoS attacks, such as implementing network firewalls and load balancers, and using rate limiting and traffic filtering techniques.
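Rate limiting, which the paragraph above lists as a defence, starts with measuring request rates per source and per target. The Python below is an added example (not from the original page) of that measurement over two constructed connection logs: one where a single source floods a server with SYNs, and one distributed case where twenty sources each stay under the per-source limit. The log line format, the addresses and the thresholds are all invented for the example; a real detector would read firewall, NetFlow or packet-capture records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

PER_SOURCE_LIMIT = 20          # SYNs one source may send within WINDOW
GLOBAL_LIMIT = 50              # SYNs one destination may receive within WINDOW
WINDOW = timedelta(seconds=1)
TARGET = "192.0.2.10:443"      # constructed victim address
T0 = datetime(2024, 1, 1, 10, 0, 0)


def _line(ts: datetime, src: str) -> str:
    # Constructed log format: "<ISO timestamp> <flag> <source> -> <destination:port>"
    return f"{ts.isoformat()} SYN {src} -> {TARGET}"


def _legit_client() -> List[str]:
    # one real user: three connections, a second apart
    return [_line(T0 + timedelta(seconds=i), "198.51.100.20") for i in range(3)]


def build_single_source_log() -> List[str]:
    """Single-source flood: one address sends 60 SYNs in under half a second."""
    flood = [_line(T0 + timedelta(milliseconds=8 * i), "203.0.113.5") for i in range(60)]
    return _legit_client() + flood


def build_distributed_log() -> List[str]:
    """DDoS style: 20 sources send 4 SYNs each, all inside one second."""
    flood = [
        _line(T0 + timedelta(milliseconds=50 * i + 10 * n), f"203.0.113.{100 + n}")
        for n in range(20)
        for i in range(4)
    ]
    return _legit_client() + flood


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, flag, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), flag, src, dst


def detect_floods(lines: List[str]) -> Tuple[Set[str], Set[str]]:
    """Return (flagged_sources, flagged_destinations).

    A source is flagged when more than PER_SOURCE_LIMIT of its SYNs fall in
    any WINDOW; a destination is flagged when SYNs from all sources combined
    exceed GLOBAL_LIMIT in any WINDOW. The second rule is what catches a
    distributed flood whose individual senders each look harmless.
    """
    records = sorted(parse_line(line) for line in lines)
    per_src: Dict[str, Deque[datetime]] = defaultdict(deque)
    per_dst: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged_src: Set[str] = set()
    flagged_dst: Set[str] = set()
    for ts, flag, src, dst in records:
        if flag != "SYN":
            continue
        for key, table, limit, flagged in (
            (src, per_src, PER_SOURCE_LIMIT, flagged_src),
            (dst, per_dst, GLOBAL_LIMIT, flagged_dst),
        ):
            window = table[key]
            window.append(ts)
            while ts - window[0] > WINDOW:     # drop timestamps older than the window
                window.popleft()
            if len(window) > limit:
                flagged.add(key)
    return flagged_src, flagged_dst


if __name__ == "__main__":
    print("single source:", detect_floods(build_single_source_log()))
    print("distributed:  ", detect_floods(build_distributed_log()))
```

The distributed case is the one the paragraph calls hard to defend: no single source trips the per-source rule, so only the aggregate rule on the destination fires, and the response has to be something other than blocking one address (upstream filtering, SYN cookies, or capacity from a load balancer).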


MAN IN THE MIDDLE

A man-in-the-middle (MITM) attack is a type of cyber attack where an attacker intercepts and manipulates communication between two parties who believe they are communicating directly with each other. In an MITM attack, the attacker is able to "sit in the middle" of the communication and can alter, intercept, or block messages between the two parties.

MITM attacks can take many forms and can be difficult to detect, as the two parties may not realize that their communication has been compromised. Common techniques used in MITM attacks include interception of unencrypted communication, the use of spoofed IP addresses, and the use of malicious software or hardware to intercept communication.

MITM attacks can be highly successful, as they allow the attacker to gain access to sensitive information and potentially compromise the security of the two parties involved in the communication. It is important for individuals and organizations to be aware of the risks associated with MITM attacks and to take steps to protect themselves, such as by using encryption and implementing strong security measures.



HONEY-POT

A honeypot is a security tool that is used to detect and defend against cyber attacks. It is essentially a trap set up to lure in attackers, in the hope that they will reveal themselves and their tactics while interacting with the honeypot.

There are different types of honeypots, ranging from low-interaction honeypots that are designed to collect information about potential attackers and their tactics, to high-interaction honeypots that are designed to closely mimic a real network or system and capture as much information as possible about the attackers and their methods.

Honeypots are often used as part of a larger security strategy, as they can help organizations to detect and defend against attacks, gather intelligence about potential threats, and understand the tactics and motivations of attackers. They can also be used to distract attackers and divert their attention away from more valuable resources.

One important thing to note about honeypots is that they should not be used as the primary means of protecting a network or system. They should be used in conjunction with other security measures, such as firewalls and intrusion detection systems, in order to provide a comprehensive security solution.
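A low-interaction honeypot of the kind described above does not need to emulate a whole system: a listener that accepts any connection, presents a plausible banner, records who connected and what they sent, and then closes already captures the reconnaissance behaviour the text describes. The Python below is an added example (not from the original page or any honeypot project); the banner text is invented, it binds to the loopback address, and the probe() client exists only to exercise it locally.

```python
import socket
import threading
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"   # constructed banner


@dataclass
class Event:
    time: str      # UTC ISO timestamp of the connection
    peer: str      # source address
    port: int      # source port
    data: bytes    # first bytes the client sent (never executed, only recorded)


class Honeypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0, read_timeout: float = 1.0):
        self.host, self.port, self.read_timeout = host, port, read_timeout
        self.events: List[Event] = []
        self._lock = threading.Lock()
        self._server: Optional[socket.socket] = None
        self._thread: Optional[threading.Thread] = None

    def start(self) -> int:
        """Bind, start accepting in a background thread, return the bound port."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((self.host, self.port))
        s.listen(16)
        s.settimeout(0.2)          # lets the accept loop notice stop()
        self._server = s
        self.port = s.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self) -> None:
        while True:
            srv = self._server
            if srv is None:
                break
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            except OSError:        # socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        with conn:
            conn.settimeout(self.read_timeout)
            try:
                conn.sendall(FAKE_BANNER)
                data = conn.recv(256)   # capture what the client sends first
            except (socket.timeout, OSError):
                data = b""
            ev = Event(datetime.now(timezone.utc).isoformat(), addr[0], addr[1], data)
            with self._lock:
                self.events.append(ev)

    def stop(self) -> None:
        srv, self._server = self._server, None
        if srv is not None:
            srv.close()
        if self._thread is not None:
            self._thread.join(timeout=2)

    def snapshot(self) -> List[Event]:
        with self._lock:
            return list(self.events)


def probe(host: str, port: int, payload: bytes) -> bytes:
    """Local test client: connect, read the banner, send a payload, return the banner."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def wait_for_events(hp: Honeypot, n: int, timeout: float = 3.0) -> List[Event]:
    """Block until the honeypot has recorded at least n events (or timeout)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        events = hp.snapshot()
        if len(events) >= n:
            return events
        time.sleep(0.05)
    return hp.snapshot()


if __name__ == "__main__":
    hp = Honeypot()
    print("listening on", hp.start())
    probe("127.0.0.1", hp.port, b"EHLO scanner\r\n")
    for ev in wait_for_events(hp, 1):
        print(ev)
    hp.stop()
```

Every event here is a detection: nothing legitimate should ever connect to a decoy service, so even one recorded connection from an internal address is worth an alert, which is the low-false-positive property that makes honeypots useful alongside firewalls and intrusion detection systems rather than instead of them.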


PORT SCAN

Nmap is a security auditing tool used in the security field to actively enumerate a target system or network. It is one of the most extensively used tools by network administrators and, conversely, by attackers for reconnaissance (enumeration), the first step in the five phases of hacking. Nmap is used to actively probe the target network for active hosts (host discovery), open ports, the operating system, service versions, and the services running on the hosts that are up. For this, Nmap sends crafted packets and analyzes the responses. To learn more, refer to the article on Nmap.

Port scanning is one of the features of Nmap: the tool determines the status of the ports on active hosts in a network. The status of a port can be open, filtered, or closed. Type nmap at the command line to run it, adding the switches for the scan technique you want.

Example: nmap -sS 192.168.0.1-52

This command runs Nmap in TCP SYN scan mode (-sS) and scans the hosts 192.168.0.1 through 192.168.0.52 for active hosts and services (Nmap writes an address range as a range in the last octet, not as two full addresses).

Please refer to the article Port Scanning to learn more about it.

Types of Port Status:

  • Open: The port is open and a service is actively listening on it.
  • Filtered: The port is probably hidden behind a firewall that drops the probes, so its real status remains unknown.
  • Closed: The port is reachable on the host, but no service is listening on it.

Different Port Scanning Techniques in Nmap:

The following are the extensively used scanning techniques in Nmap: 

1. TCP Connect Scan (-sT): The TCP Connect scan uses the full three-way handshake. RFC 793 states:

If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset.  In particular, SYNs addressed to a non-existent connection are rejected by this means. 

What this means is that if Nmap sends a TCP packet with its SYN flag set to a closed port, it receives a TCP packet with the RST flag set from the target server. This tells Nmap that the specified port is closed.
If the port is open, Nmap instead receives a response with the SYN and ACK flags set, answering the SYN it sent.
The third possibility is that the port is filtered: most firewalls are configured to simply drop unwanted incoming packets, so Nmap receives no response at all. This is what tells Nmap that the port is filtered by a firewall.
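The three outcomes above map directly onto what the operating system reports from a connect() call, which is all a TCP Connect scan needs. The Python below is an added example (not from the original page or from Nmap) that implements that scan type against the loopback address: a completed handshake is reported as open, the RST the text describes surfaces as ECONNREFUSED and is reported as closed, and a probe that gets no answer times out and is reported as filtered. The local_listener() and closed_loopback_port() helpers exist only so the example can be run and checked without any external host.

```python
import errno
import socket
from typing import Dict, Iterable, List

# errno values the OS returns when a connect() gets no answer (timed out or
# unreachable); these are the "filtered" outcome of the text.
_NO_ANSWER = {errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK,
              errno.EHOSTUNREACH, errno.ENETUNREACH}


def scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unknown' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))   # errno instead of an exception
    if rc == 0:
        return "open"          # SYN/ACK came back and the handshake completed
    if rc == errno.ECONNREFUSED:
        return "closed"        # the target answered the SYN with RST
    if rc in _NO_ANSWER:
        return "filtered"      # nothing came back: dropped, most likely by a firewall
    return "unknown"


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan several ports; returns {port: state}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def summarize(results: Dict[int, str]) -> Dict[str, List[int]]:
    """Group ports by state, the way nmap prints its table."""
    out: Dict[str, List[int]] = {"open": [], "closed": [], "filtered": [], "unknown": []}
    for port, state in sorted(results.items()):
        out[state].append(port)
    return out


def local_listener() -> socket.socket:
    """Demo helper: a listening socket on an ephemeral loopback port (an open port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def closed_loopback_port() -> int:
    """Demo helper: an ephemeral loopback port that nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = local_listener()
    open_port = srv.getsockname()[1]
    print(summarize(scan_ports("127.0.0.1", [open_port, closed_loopback_port()])))
    srv.close()
```

Because connect() completes the handshake, every open port hit by this scan shows up in the target's accept queue and in any application-level connection log, which is exactly the visibility the SYN scan described next avoids.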

Port Scanning by Nmap

2. TCP SYN Scan (-sS): SYN scans are often called "half-open" or "stealth" scans. A SYN scan treats closed and filtered ports the same way as a TCP Connect scan, i.e. it receives an RST for a closed port and no response for a filtered port; the only difference is in how open ports are handled. After receiving SYN/ACK from the target server, the SYN scan replies with a packet that has its RST flag set, instead of the ACK that would normally complete the three-way handshake. This tears the half-open connection down so that the server does not keep retransmitting SYN/ACK while waiting for the handshake to finish, which also shortens the scan.

This scan type is referred to as a stealth scan due to the following advantages:

  • It is faster, because it does not have to complete the full three-way handshake.
  • Some applications log only connections that are fully established, so applications listening on open ports do not log these probes; this is what makes the SYN scan "stealthy".

3. UDP Scan (-sU): UDP, unlike TCP, does not perform a handshake before sending data to the target port; it simply sends the datagrams and relies on them arriving. That is why UDP is often called "stateless" (connectionless). It suits applications where speed matters more than reliability, such as video streaming. Because the target port sends no acknowledgement of what it receives, UDP scans are harder to interpret and much slower.

  • When there is no response after a UDP packet is sent, it often means that the port is either open or is behind a firewall that silently drops the packet, i.e. filtered; Nmap reports this ambiguous result as open|filtered.
  • A UDP scan can reliably identify closed ports, because the target responds with an ICMP "port unreachable" message.

The scan techniques below are rarely used in practice, but the principle behind them is worth learning. They are said to be even stealthier than the SYN ("stealth") scan.

For the scan types below, a packet sent to an open port gets no response at all, much like in a UDP scan, so when no response arrives they mark the port as open|filtered. This follows from RFC 793: a closed port must answer any incoming segment (other than a RST) with an RST, while an open port silently discards a segment that carries none of the SYN, RST or ACK flags. An RST therefore means closed, and silence means open or filtered.

  • TCP NULL Scan (-sN): A NULL scan, as the name implies, sends a TCP packet with no flags set. If the port is closed, the host responds with an RST.
  • TCP FIN Scan (-sF): A FIN scan, rather than sending a completely empty packet, sends a packet with only its FIN flag set. If the port is closed, the host responds with an RST.
  • TCP XMAS Scan (-sX): An XMAS scan sends a packet with the URG, PSH and FIN flags set. It got its name from the "lit up" appearance of the flags, like a Christmas tree, when the packet is viewed in a Wireshark capture. If the port is closed, the host responds with an RST.

Smoothwall - Tunnelling VNC over SSH with PuTTY

PuTTY is a free and open-source terminal emulator, serial console, and network file transfer application. It supports several network protocols, including SSH, Telnet, and rlogin, and is commonly used to connect to remote servers and devices in order to manage and configure those systems.

PuTTY is available for Windows, Linux, and macOS, and can be used to connect to a variety of network devices, including routers, switches, firewalls, and servers. It is a popular choice among system administrators and network professionals because of its versatility and wide range of features, including support for secure connections, customizable terminal emulation, and the ability to save and recall session configurations.

In addition to its use as a terminal emulator, PuTTY can also be used as a simple network client for various network protocols, such as SCP (Secure Copy) and SFTP (SSH File Transfer Protocol), allowing users to transfer files between systems over a network connection.

Learn more about PuTTY and Port scans

CYBER KILL CHAIN

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/photo/cyber/THE-CYBER-KILL-CHAIN-body.png.pc-adaptive.1920.medium.png
The cyber kill chain is a model that describes the stages of a cyber attack, from the initial infiltration of a target system to the exfiltration of sensitive data. The cyber kill chain was developed by Lockheed Martin and is used as a framework for understanding and defending against cyber attacks.

The seven stages of the cyber kill chain are:

  1. Reconnaissance: The attacker gathers information about the target system and its defenses.
  2. Weaponization: The attacker creates a payload (e.g., malware or ransomware) to deliver to the target system.
  3. Delivery: The payload is delivered to the target system, often through phishing or other social engineering tactics.
  4. Exploitation: The payload exploits a vulnerability in the target system to gain access.
  5. Installation: The payload installs itself on the target system, often disguising itself to avoid detection.
  6. Command and control: The attacker establishes a connection to the payload, allowing them to remotely control the compromised system.
  7. Actions on objectives: The attacker carries out their objectives (e.g., exfiltrating data or disrupting operations).

Understanding the cyber kill chain can help organizations and individuals identify the different stages of an attack and take action to prevent or mitigate the impact of the attack.

Learn more about the SolarWinds hack: A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack


Kali Linux

Kali Linux 2022.1 released with 6 new tools, SSH wide compat, and more
To install Kali Linux with VMware, follow these steps:
  1. Download the Kali Linux ISO file from the official Kali Linux website.
  2. Download and install VMware Workstation on your computer.
  3. Launch VMware Workstation and click "Create a New Virtual Machine."
  4. Select "Installer disc image file (iso)" and browse to the Kali Linux ISO file that you downloaded. Click "Next."
  5. Enter a name for the virtual machine and select a location to store the virtual machine files. Click "Next."
  6. Select the type and version of the operating system you are installing (e.g., "Linux" and "Debian 64-bit"). Click "Next."
  7. Set the amount of memory (RAM) to allocate to the virtual machine. It is recommended to allocate at least 2GB of RAM to Kali Linux. Click "Next."
  8. Select "Create a new virtual disk" and choose the size of the virtual disk. It is recommended to allocate at least 20GB of space for Kali Linux. Click "Next."
  9. Review the virtual machine settings and click "Finish" to create the virtual machine.
  10. Power on the virtual machine and follow the on-screen instructions to complete the Kali Linux installation.

Note: It is recommended to allocate at least 2 cores and 2GB of RAM to the virtual machine to ensure adequate performance.