CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [28]
SNMP Scanner allows you to scan a range or list of hosts performing ping, DNS, and Simple Network Management Protocol (SNMP) queries.
Understand War-Dialing Techniques
War dialing is the process of dialing modem numbers to find an open modem connection that provides remote access to a network for an attack to be launched against the target system. The term war dialing originates from the early days of the Internet when most companies were connected to the Internet via dial-up modem connections. War dialing is included as a scanning method because it finds another network connection that may have weaker security than the main Internet connection. Many organizations set up remote-access modems that are now antiquated but have failed to remove those remote-access servers. This gives hackers an easy way into the network with much weaker security mechanisms. For example, many remote-access systems use the Password Authentication Protocol (PAP), which sends passwords in cleartext, rather than newer VPN technology that encrypts passwords.
War-dialing tools work on the premise that companies don't control the dial-in ports as strictly as the firewall, and machines with modems attached are present everywhere even if those modems are no longer in use. Many servers still have modems with phone lines connected as a backup in case the primary Internet connection fails. These available modem connections can be used by a war-dialing program to gain remote access to the system and internal network.
Hacking Tools
THC-Scan, Phonesweep, war dialer, and telesweep are all tools that identify phone numbers and can dial a target to make a connection with a computer modem. These tools generally work by using a predetermined list of common usernames and passwords in an attempt to gain access to the system. Most remote-access dial-in connections aren't secured with a password or use very rudimentary security.
Understand Banner Grabbing and OS Fingerprinting Techniques
Banner grabbing and operating system identification (which can also be defined as fingerprinting the TCP/IP stack) is the fourth step in the CEH scanning methodology. The process of fingerprinting allows the hacker to identify particularly vulnerable or high-value targets on the network. Hackers are looking for the easiest way to gain access to a system or network. Banner grabbing is the process of opening a connection and reading the banner or response sent by the application. Many e-mail, FTP, and web servers will respond to a telnet connection with the name and version of the software. This aids a hacker in fingerprinting the OS and application software. For example, a Microsoft Exchange e-mail server would only be installed on a Windows OS.
Active stack fingerprinting is the most common form of fingerprinting. It involves sending data to a system to see how the system responds. It's based on the fact that various operating system vendors implement the TCP stack differently, and responses will differ based on the operating system. The responses are then compared to a database to determine the operating system. Active stack fingerprinting is detectable because it repeatedly attempts to connect with the same target system.
Passive stack fingerprinting is stealthier and involves examining traffic on the network to determine the operating system. It uses sniffing techniques instead of scanning techniques. Passive stack fingerprinting usually goes undetected by an IDS or other security system but is less accurate than active fingerprinting.
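To make the "compare the response to a database" step concrete, here is an added example (not from the book) that pulls the fields passive stack fingerprinting relies on out of one constructed SYN packet and matches them against a small signature table. The table values and the hop-count estimate are illustrative assumptions; real tools use much larger databases and more fields, which is why a single packet often yields several candidates or none.

```python
import struct

# Illustrative signature table (initial TTL, TCP window, DF bit) -> OS family.
# ASSUMPTION for this example: a handful of commonly cited defaults, not any
# real tool's database. Real fingerprinters also use TCP options, MSS, etc.
SIGNATURES = [
    (64, 5840, True, "Linux (2.4/2.6 era)"),
    (64, 65535, True, "FreeBSD / macOS"),
    (128, 65535, True, "Windows (XP era)"),
    (128, 8192, True, "Windows (Vista/7 era)"),
    (255, 4128, False, "Cisco IOS"),
]
INITIAL_TTLS = (32, 64, 128, 255)  # common starting TTL values, assumed

def parse_syn(packet: bytes) -> dict:
    """Extract TTL, DF flag and TCP window from a raw IPv4 + TCP header."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    df = bool(flags_frag & 0x4000)                    # Don't Fragment bit
    ttl = packet[8]
    tcp = packet[ihl:]
    window = struct.unpack("!H", tcp[14:16])[0]       # TCP window size
    return {"ttl": ttl, "df": df, "window": window}

def initial_ttl(observed: int) -> int:
    """Each router hop decrements TTL, so the sender's start value is the next default at or above it."""
    return next(t for t in INITIAL_TTLS if t >= observed)

def guess_os(fields: dict) -> dict:
    """Match the extracted fields against the signature table; may return several or no candidates."""
    ittl = initial_ttl(fields["ttl"])
    hops = ittl - fields["ttl"]
    candidates = [name for t, w, d, name in SIGNATURES
                  if t == ittl and w == fields["window"] and d == fields["df"]]
    return {"initial_ttl": ittl, "hops": hops,
            "candidates": candidates or ["unknown (no signature match)"]}

# Constructed sample: IPv4 header (DF set, TTL 116) followed by a TCP SYN with window 65535.
SAMPLE_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 116, 6, 0,
                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    + struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 0x50, 0x02, 65535, 0, 0)
)

if __name__ == "__main__":
    print(guess_os(parse_syn(SAMPLE_SYN)))
```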
Drawing Network Diagrams of Vulnerable Hosts
Although it isn't a CEH exam objective, understanding the tools used in step 6 of the CEH scanning methodology (drawing a network diagram of vulnerable hosts) is a must. A number of network-management tools can assist you with this step. Such tools are generally used to manage network devices but can be turned