A Technical Overview of Hacking
Scanrand places a hashed sequence number in each outgoing packet so that the reply can be identified when it returns. The hash encodes the source IP, source port, destination IP, and destination port. Scanrand is useful to a security professional when a large number of IP addresses need to be scanned quickly.
THC-Amap (Another Mapper) is a scanner that takes a different approach to scanning. Traditional scanning programs run into problems when they scan services that use encryption, because such services might not return a banner: certain services, such as Secure Sockets Layer (SSL), expect a handshake first. Amap handles this by storing a collection of normal protocol responses that it can send to a port to elicit a reply. The tool also excels at helping the security professional find services that have been moved away from their standard ports.
Open ports uncovered during the port scanning phase need to be investigated further, because the mere existence of an open port does not mean a vulnerability exists; that still has to be determined. The open ports that are discovered also provide clues to the operating system in use on the target. Determining the operating system running on a specific target is the purpose of what is known as OS fingerprinting. Once an operating system is identified, the attacks that come later can be focused more precisely. Two methods can be used to identify an OS: active fingerprinting or passive fingerprinting.
OS fingerprinting relies on the unique characteristics each OS needs in order to function. Each operating system responds to communication attempts in different ways that, once analyzed, allow a well-educated guess to be made about the system in place. To seek out these characteristics, active fingerprinting probes a system to generate a response, while passive fingerprinting listens to a system's existing communications for details about the OS.
THC-Amap is similar to Nmap in that it can identify a service that is listening on a given port. Amap does not include the extensive identification abilities possessed by Nmap, but it can be used to confirm Nmap's results or to fill in any gaps.
There are untold numbers of techniques available for use in an attack. In some cases, these techniques are specific to an operating system because of the vulnerability involved, such as a design flaw in the OS or a software defect. When an attack is meant for a specific OS, it would be pointless to unleash it against a target that is not vulnerable: doing so would both waste time and risk detection.