Network scanning is used to detect open ports and services on systems.
A TCP Connect scan completes the TCP 3-way handshake and is easily logged and detected.
SYN scans were once used as a stealthy scanning technique; however, most firewalls and IDSs can now detect these types of scans.
Xmas scans are ineffective against Microsoft operating systems because those systems respond with an RST from all ports, even if they are open.
A Null scan sends packets with all flags turned off. Closed ports will respond with an RST/ACK and open ports will just drop the packet.
Remote access backdoor programs are often delivered to unsuspecting users within a trojan program.
Remote access backdoors operate in a client-server architecture, allowing the intruder complete control over the compromised system.
SubSeven can notify the intruder, via IRC, e-mail, or some other method, that the victim computer is online.
NetBus is an older Windows backdoor trojan that is easily detected by antivirus software, but like SubSeven, many variations exist.
The RST.b trojan listens in promiscuous mode and will respond to UDP packets containing the “DOM” payload on any port.
Internet worms are becoming increasingly fast and complex.
The SQL Slammer worm uses UDP to accomplish its fast propagation.
The original Code Red worm operated in 3 stages: propagation, denial of service, and sleep.
The Ramen worm is a collection of tools that can exploit several known vulnerabilities in the wu-ftpd, rpc.statd, and lprng utilities.
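The scan signatures summarized above (TCP Connect, SYN, Xmas, Null) can be told apart from the flags a client sends. The following is an added example, not code from the original text: a heuristic classifier run over constructed packet records, where the function names, the tuple layout, and the `min_ports` threshold are assumptions, and Xmas is taken as FIN+PSH+URG.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

def classify_probe(flags_seen):
    """Label one client->server flow from the ordered flag bytes the client sent."""
    first = flags_seen[0]
    if first == 0:
        return "null"                      # all flags turned off
    if first == (FIN | PSH | URG):
        return "xmas"
    if first == SYN:
        # A later bare ACK from the client means the 3-way handshake completed.
        return "connect" if ACK in flags_seen[1:] else "syn"
    return "other"

def detect_scans(packets, min_ports=3):
    """packets: (src, dst, dport, flags) tuples, client->server only, capture order.
    Returns {(src, dst): {technique: [ports]}} for techniques seen on >= min_ports ports."""
    flows = defaultdict(list)
    for src, dst, dport, flags in packets:
        flows[(src, dst, dport)].append(flags)
    by_pair = defaultdict(lambda: defaultdict(set))
    for (src, dst, dport), seen in flows.items():
        by_pair[(src, dst)][classify_probe(seen)].add(dport)
    findings = {}
    for pair, kinds in by_pair.items():
        for kind, ports in kinds.items():
            # The port threshold keeps a single ordinary connection from being flagged.
            if kind != "other" and len(ports) >= min_ports:
                findings.setdefault(pair, {})[kind] = sorted(ports)
    return findings

# Constructed sample traffic (documentation addresses), not a real capture.
TARGET = "198.51.100.5"

def _flows(src, ports, seq):
    return [(src, TARGET, p, f) for p in ports for f in seq]

SAMPLE = (
    _flows("192.0.2.10", (21, 22, 80), (SYN, RST))              # half-open probes
    + _flows("192.0.2.20", (21, 22, 80), (SYN, ACK, RST | ACK)) # full handshake, then reset
    + _flows("192.0.2.30", (21, 22, 80), (FIN | PSH | URG,))    # Xmas probes
    + _flows("192.0.2.40", (21, 22, 80), (0,))                  # Null probes
    + _flows("192.0.2.50", (443,), (SYN, ACK, PSH | ACK))       # ordinary client, one port
)

if __name__ == "__main__":
    for pair, kinds in detect_scans(SAMPLE).items():
        print(pair, kinds)
```

A SYN that is simply never answered is also labelled "syn" here, so the per-source port count, not the label alone, is what marks a scan.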