Welcome back to the course. The last video went more in depth on the TCP three-way handshake, so if you haven't watched that video yet, go ahead and pause this one and go back to it. You do want to know the TCP three-way handshake pretty in depth for the Certified Ethical Hacker examination.
So in this video we're gonna talk about things like fragmentation, and then also some tools like Nmap, and also how to do banner grabbing.
So, fragmentation. Essentially we're just breaking up our packets into smaller chunks, and the goal with that is to try to get it past intrusion detection systems, you know? So we want to make it very stupid, and a tool we can use for that is Colasoft Packet Builder.
So, ICMP, Internet Control Message Protocol. For your exam, you really just want to kind of memorize this table and the one on the next screen there. So just know that, you know, an ICMP echo reply is a zero, destination unreachable is gonna be a three, a redirect is a five, and an echo request is an eight. So just kind of remember those ones. Um, you do want to know the other ones as well, but you probably wanna know those ones most for your exam.
So ICMP message type 3. We've got different formats here. We've got zero, the destination network unreachable, or destination host unreachable for number one. The network or host unknown for six and seven. Thirteen is also one you want to know: communication administratively prohibited.
So, port scanning. You know, we have different types of port scans, and we're gonna go over this in our lab as well. We'll run a couple of different scans, like our [inaudible] scan and our Xmas scan.
So we have our full open scan. That's also known as a TCP connect scan. Basically, it establishes an entire three-way handshake, and so because it does that, it's very, very easy to detect if you're trying to do that one.
The half open, or more commonly called the stealth scan, the SYN scan, basically just sends its SYN packet. So that first packet of me trying to say hello to you, it just sends that, and there's no actual completion of a three-way handshake.
We've got the inverse TCP, and that one's gonna use the different flags, so it could use the FIN, URG, or PUSH flag. It could also send no flag at all. But basically, on all these, no response is going to mean that the port is actually open, and that's what we're looking for.
So the Xmas scan. It does... it's not gonna work on Windows OS because of RFC, our Request for Comment, 793, but it does work on Linux systems. And just think of it in the aspect that it lights everything up like a Christmas tree, so it sends basically all sorts of packets out there to try to get information. I'm not aware of anyone that actually uses that in a penetration test, but just know it for your exam.
Our ACK scan. An ACK packet is sent, and then basically the header could be reviewed to see if the time to live is less than 64, and if so, that could tell us that the port is open.
And then we've got our idle scan, so, spoofed IP address. So, for example, I take over your computer, I spoof the IP address, and I pretend I'm sending from your computer to do, you know, either the SYN scan or something like that. And then the response coming back is gonna hit that computer, and hopefully I can see it. Sometimes I can't, depending on how my configuration is, so I may not see a response at all, but potentially I should see the response.
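Added example, not part of the video: the defender's view of the scan types just described. A few constructed packet records (src, dst, dport, TCP flags) are checked for the inverse TCP, NULL and Xmas flag patterns, and for a source that sends SYNs to many ports without ever sending the ACK that finishes the three-way handshake, which is the half-open scan. The addresses, ports and the threshold of five are assumptions for the demo; real sensor output would be parsed into the same tuples.

```python
from collections import defaultdict

# Constructed packet records (src, dst, dport, TCP flags) standing in for a
# sensor log; only what each client sends is shown.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 22, "S"),      # normal client: SYN...
    ("10.0.0.5", "10.0.0.20", 22, "A"),      # ...then its ACK, handshake done
    ("10.0.0.9", "10.0.0.20", 21, "S"),      # scanner: SYN to port after port,
    ("10.0.0.9", "10.0.0.20", 22, "S"),      # never followed by an ACK
    ("10.0.0.9", "10.0.0.20", 25, "S"),
    ("10.0.0.9", "10.0.0.20", 80, "S"),
    ("10.0.0.9", "10.0.0.20", 443, "S"),
    ("10.0.0.9", "10.0.0.20", 8080, "FPU"),  # FIN+PSH+URG all lit: Xmas probe
    ("10.0.0.9", "10.0.0.20", 139, ""),      # no flags at all: NULL probe
    ("10.0.0.9", "10.0.0.20", 445, "F"),     # FIN only: inverse TCP probe
]

def classify_probe(flags):
    """Name an inverse TCP style flag pattern, or None for ordinary traffic."""
    f = set(flags)
    if f == {"F", "P", "U"}:
        return "xmas"
    if not f:
        return "null"
    if f == {"F"}:
        return "fin"
    return None

def detect_scans(packets, syn_threshold=5):
    """Return (probes, half_open): every inverse/NULL/Xmas packet, and the
    (src, dst) pairs whose SYNs were never completed on >= syn_threshold ports."""
    probes, syn_ports, ack_ports = [], defaultdict(set), defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind:
            probes.append((src, dst, dport, kind))
        elif "S" in flags and "A" not in flags:   # bare SYN: handshake started
            syn_ports[(src, dst)].add(dport)
        elif "A" in flags and "S" not in flags:   # client's ACK: handshake done
            ack_ports[(src, dst)].add(dport)
    half_open = {}
    for key, ports in syn_ports.items():
        unfinished = ports - ack_ports[key]
        if len(unfinished) >= syn_threshold:
            half_open[key] = sorted(unfinished)
    return probes, half_open

if __name__ == "__main__":
    found, scanners = detect_scans(SAMPLE_PACKETS)
    print(found, scanners, sep="\n")
```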
So, Nmap. Again, we're gonna go over this in the lab. We're actually gonna use Nmap quite a bit. I mean, I do have, back there in the beginning of this module, an attachment that's got some generic Nmap commands, so it should be beneficial to you. Also, I just recommend checking out nmap.org, or just doing a quick Google search. And there are some different courses that do a deep dive into Nmap. I believe Cybrary has one, or they've got one in the works. So as of the time of this filming, there's either one out there or one in the works, but keep an eye out for it. Cybrary is a great resource, and obviously I'm not saying that because I'm on it, but I'm saying that because I've actually used it when I studied for my Certified Ethical Hacker as well as my Computer Hacking Forensic Investigator exam.
So, Zenmap. We're gonna go over that a little later on. I just want to show you kind of a screenshot of what it's gonna look like.
So, banner grabbing. Fairly straightforward here. We're really just trying to see what type of operating system is in use. So, for example, I like to do it with telnet. So telnet, which runs on port 23, but we're actually gonna run it on HTTP, port 80. So we do telnet, and then our IP address, and then we specify the port number, 80. Obviously that's gonna kick us back an error message from the HTTP server saying, wait a minute, you know, you're trying to run telnet, that doesn't make any sense. But what do you see? What it does here, it does show us the server information.
So you see, that's the information we're trying to get back, among other things, but mostly the operating system in use, so we can figure out vulnerabilities for that.
So, DNS zone transfers. Basically, with these, if the DNS service is not configured correctly, you can still pull these off. But basically what you're trying to do is get different information like the name servers, the MX records, various things, and as much information as possible is basically what we're trying to get.
Source routing is a new subject that you'll see in the newer material for the latest version of the exam that's out there. So I like this image the best. This is probably the best way to explain it. So essentially, you know, there's a good path of routing which, you know, your router would normally configure and say, okay, well, this is about the best path to send the traffic on, let me go ahead and send it this way. You know, there's not a lot of bandwidth going on here, you know, the bandwidth is low, so basically not a lot of users on that particular path, so I'm going to send it through that way versus all these other paths available.
But basically, with source routing, what happens is the attacker forces the path. So no matter what, they're forcing the path here, whether that's the best route or not. We're gonna force the path, for some reason, through that particular method.
So you see on the screenshot here that we've got our traditional destination, like, hey, this is the best way. And then we've got our attacker just forcing it through kind of the long way around.
So, enumeration. We're going to touch on this just a little bit, but basically, enumeration is discovering different hosts or devices or even services running on the network.
And so you could do a lot of different enumeration. There are numerous tools out there for different things, like LDAP or SNMP, but we're not gonna really touch on those too much at all. And that's mostly, if you think of your vulnerability scanners, a lot of them are configured to allow you to do enumeration as well, because you're discovering all sorts of things on the network.
So speaking of vulnerability tools, a couple of them that are popular out there are OpenVAS and Nessus. Now Nessus has a paid version as well that has a lot more features. But OpenVAS, it takes a little configuration, but you could generally get it set up pretty well, and it's a decent tool.
So here's just a quick screenshot of OpenVAS, of, you know, some of the information it can grab and tell you about.
And same with Nessus. This is kind of their platform of the pro version, the paid version. And so, you know, you see that you could do different things, different scans to see. And it is good for compliance to do vulnerability scanning, to at least have that capability or find a company that will do that for you. It'll help you with compliance and everything like that. If you're obviously working at a larger company, you would probably have a team that does this.
So the vulnerability scoring system. The most common one out there is CVSS, the Common Vulnerability Scoring System, and it goes on a range of 0 to 10, and essentially it's going off of different metrics. So, you know, I say I've got this thing going on, or I have this going on, and I found it on the network, or find it on a host machine, or whatever the case might be. But they've got a calculator here at first.org. FIRST stands for the Forum of Incident Response and Security Teams. So they've got a calculator here you can play around with. Just pretend like you're doing it, you know, in real life at a company, and figuring out the type of vulnerability that you have and giving it a score.
So the vulnerability management life cycle. You'll find different ones out there, but essentially, we discover a vulnerability. We prioritize our assets. Based off of that, we assess it and say, okay, well, wait a minute here, this is good or bad or whatever. Then we report it. We remediate it, or we at least try to remediate, or at least mitigate the risk at a minimum. And then we verify that: did that remediation work? And then we go back for a cycle again. We discover a new one, we go to prioritize our assets, you know, is this a critical thing or not? We assess, then we report it, we find a remediation for it, whether that's risk management or something like that, and then we verify it, et cetera, et cetera.
So, different vulnerability assessment solutions out there. I'm not gonna go over really any of them, but I do recommend you go check out Gartner. If you're not familiar with Gartner, they have a lot of different studies and reports that they do, and basically they analyze different products out there in the cybersecurity or information security world. Several of the names on this list you may or may not recognize. I see a few that jump out at me, like Tenable, Rapid7, Qualys, and Tripwire, all great companies there. So definitely check out the different Gartner reports. You do have to generally sign up for an account to see all of these and download them, but it's good information if you're just starting out in the industry.
So just one quick post-assessment quiz question here before we jump into our labs. So Jennifer is a pen tester. She's working for Cybrary, because, you know, hey, they're a really cool company, right? So she knows that fragmenting packets can help her do what when she's going against a particular target? So what can it help her do against a target network?
All right, so if you said intrusion detection system, you're on the right track there. So basically, that's why we fragment packets, right? We want to avoid the intrusion detection systems. We break up our packets so it doesn't recognize what they actually are.
So in this video, we wrapped up our discussion on scanning, enumeration, and also a little splash of vulnerabilities. Now, I want you to keep in mind that the official EC-Council material doesn't hit vulnerabilities too much. It talks more so on the aspect of, like, enumeration of stuff. But it does talk about the scoring system we went into there, and also the management, the vulnerability management life cycle. So just kind of remember that stuff for your exam, just in case you see it on there.
So in the next few videos here, we're actually gonna jump into our labs. We have a lot of labs for this section, just so you could get a lot of hands-on for it. That was kind of my priority. And I do actually do all of them, I believe, in the Cybrary lab. So I do talk about, like, you can actually do a lot of them in Kali Linux if you went ahead and downloaded them on your local machine. But again, I just like working with the Cybrary labs. It's just so much easier, and you get such a range of access, especially if you go for other certs as well. You've already got the labs for it, so you don't worry about that.
So join me in the next video where we jump into the labs.