Security administrators use tools to test their networks. If you’re planning to take the SY0-501 or SY0-601 Security+ exam, you should have a basic understanding of various software tools used to assess the security posture of an organization.
For example, can you answer this question?
Q. You want to identify all the services running on a server in your network. Which of the following tools is the BEST choice to meet this goal?
A. Penetration test
B. Protocol analyzer
C. Sniffer
D. Port scanner
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Network Scanners
A network scanner uses various techniques to gather information about hosts within a network. As an example, Nmap is a popular network scanning tool that can give you a lot of information about hosts within a network. Other popular network scanning tools are Netcat and Nessus.
Network scanners typically use the following methods:
- Ping scan. A ping scan (sometimes called a ping sweep) sends an Internet Control Message Protocol (ICMP) ping to a range of IP addresses in a network. If the host responds, the network scanner knows there is a host operational with that IP address. A problem with ping scans is that firewalls often block ICMP, so it can give inconsistent results.
- ARP ping scan. Chapter 1, “Mastering Security Basics,” of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide discusses the Address Resolution Protocol (ARP) and how systems use it to resolve IP addresses to media access control (MAC) addresses. Any host that receives an ARP packet with its IP address responds with its MAC address. If the host responds, the network scanner knows that a host is operational with that IP address.
- Syn stealth scan. Chapter 3, “Exploring Network Technologies and Tools,” of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide discusses the Transmission Control Protocol (TCP) three-way handshake. As a reminder, one host sends out a SYN (synchronize) packet to initiate a TCP session. The other host responds with a SYN/ACK (synchronize/acknowledge) packet. The first host then completes the handshake with an ACK packet to establish the connection. A syn stealth scan sends a single SYN packet to each IP address in the scan range. If a host responds, the scanner knows that a host is operational with that IP address. However, instead of responding with an ACK packet, a scanner typically sends an RST (reset) response to close the connection.
- Port scan. A port scan checks for open ports on a system. Each open port indicates the underlying protocol is running on the system. For example, if port 80 is open, it indicates the host is running HTTP and it is likely running a web server. A port scan typically uses the ports identified as well-known ports by the Internet Assigned Numbers Authority (IANA).
- Service scan. A service scan is like a port scan, but it goes a step further. A port scan identifies open ports and gives hints about what protocols or services might be running. The service scan verifies the protocol or service. For example, if a port scan identifies port 80 as open, a service scan will send an HTTP command, such as “GET /”. If HTTP is running on port 80, it will respond to the GET command, providing verification that it is a web server.
- OS detection. Operating system (OS) detection techniques analyze packets from an IP address to identify the OS. This is often referred to as TCP/IP fingerprinting. As a simple example, the TCP window size (the size of the receive window in the first packet of a TCP session) is not fixed. Different operating systems use different sizes. Some Linux versions use a size of 5,840 bytes, Cisco routers use a size of 4,128 bytes, and some different Windows versions use sizes of 8,192 and 65,535. OS detection techniques don’t rely on a single value but typically evaluate multiple values included in responses from systems.
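As an added example (not code from the study guide), the following Python script shows the difference between the port scan step and the service scan step described above. It runs entirely against constructed sample servers on the loopback address; the function names and the result labels ("closed", "http", "open-other") are my own.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class _SampleHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # constructed stand-in for an embedded web server
        body = b"<html>constructed sample page</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the sample server quiet

def start_sample_http_server():
    # Listen on an ephemeral loopback port; return the port number
    srv = HTTPServer(("127.0.0.1", 0), _SampleHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def start_sample_silent_listener():
    # Constructed open port: completes the TCP handshake but never answers
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)
    return ls, ls.getsockname()[1]

def port_is_open(host, port, timeout=1.0):
    # Port scan step: a completed TCP connect means something is listening
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def service_scan(host, port, timeout=1.0):
    # Service scan step: send "GET /" and check for an HTTP status line
    if not port_is_open(host, port, timeout):
        return "closed"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        data = b""
        try:
            while len(data) < 4096 and (chunk := s.recv(1024)):
                data += chunk
        except socket.timeout:
            pass  # open, but it never answered the probe
    return "http" if data.startswith(b"HTTP/") else "open-other"
```

An open port that answers the probe with a non-HTTP banner or with nothing at all is reported as "open-other": the port scan alone would have called it open, but the service scan refuses to call it a web server.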
The figure shows the result of a scan using Zenmap (the graphical version of Nmap). After starting it, I entered 192.168.0.0/24 as the Target. Nmap then scanned all the IP addresses from 192.168.0.1 to 192.168.0.254. After the scan completed, I selected the host with the IP address of 192.168.0.12 and selected the Ports/Hosts tab. Nmap discovered that this is a printer, the name and serial number of the printer, and that the printer is hosting an embedded web site running on port 80.
Zenmap scan
Remember this
Network scanners can detect all the hosts on a network, including the operating system and services or protocols running on each host. Network scanners include port-scanning capabilities.
Q. You want to identify all the services running on a server in your network. Which of the following tools is the BEST choice to meet this goal?
A. Penetration test
B. Protocol analyzer
C. Sniffer
D. Port scanner
Answer is D. A port scanner identifies open ports on a system and is commonly used to determine what services are running on the system. Network scanners include port-scanning capabilities.
A penetration test attempts to exploit a vulnerability.
A protocol analyzer (also called a sniffer) could analyze traffic and discover protocols in use, but this would be much more difficult than using a port scanner.
See Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide or Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on using risk management tools.