Tuesday, 10 April 2012

Step 4: Enumerating Target (Understanding UDP and TCP Port)

Target enumeration is the process of finding and collecting information about the ports and services available on the target environment. It is usually done after target discovery, where we scanned the environment to obtain the list of live hosts.

Port scanning
Port scanning is used to find out which services a host offers.
An open port means that a network service is listening on that port.
TCP characteristics:
• It is a connection-oriented protocol. Before exchanging data, the client and the server must establish a connection using a three-way handshake:
o The client initiates the connection by sending a SYN packet to the server.
o The server replies with a SYN-ACK packet.
o The client sends an ACK to the server. At this point, the client and the server can exchange data.
• It is a reliable protocol. TCP uses sequence numbers to identify packet data. If packets arrive out of order, TCP reorders them before handing them to the application.

UDP is a connectionless protocol. It does its best to deliver a packet to the destination, but if a packet is lost, UDP will not automatically resend it; retransmission is left to the application.

TCP segment: [header layout diagram]

UDP segment: [header layout diagram]

Even when a UDP port is open, the listening service usually only answers when it receives a payload it understands, so an unanswered probe does not tell you whether the port is open or filtered. This is why UDP scanning is less reliable than TCP scanning.
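To make the segment layouts and the handshake above concrete, here is a small added example (not part of the original post) that decodes the fixed TCP and UDP headers with the standard library and checks whether three constructed segments form a valid SYN, SYN-ACK, ACK exchange. The ports, sequence numbers and payload bytes are constructed sample values, and the builder leaves checksums at zero.

```python
import struct

# TCP flag bits live in the low 9 bits of the data-offset/flags field
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and return the fields the handshake relies on."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes, options included
    flags = sorted(n for bit, n in TCP_FLAGS.items() if off_flags & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[data_offset:]}

def parse_udp(datagram: bytes) -> dict:
    """Decode the 8-byte UDP header: no seq/ack/flags, only ports, length and checksum."""
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    return {"sport": sport, "dport": dport, "length": length, "payload": datagram[8:length]}

def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Build a minimal TCP segment (no options, checksum zero) for the constructed sample."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload

def handshake_complete(segments) -> bool:
    """True only for SYN, then SYN-ACK acknowledging seq+1, then ACK acknowledging the server's seq+1."""
    if len(segments) != 3:
        return False
    syn, synack, ack = (parse_tcp(s) for s in segments)
    return (syn["flags"] == ["SYN"]
            and synack["flags"] == ["ACK", "SYN"] and synack["ack"] == syn["seq"] + 1
            and ack["flags"] == ["ACK"] and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)

# Constructed sample: client port 40000 -> server port 80, client ISN 1000, server ISN 5000
HANDSHAKE = [
    build_tcp(40000, 80, 1000, 0, 0x02),      # SYN
    build_tcp(80, 40000, 5000, 1001, 0x12),   # SYN-ACK
    build_tcp(40000, 80, 1001, 5001, 0x10),   # ACK
]
# Constructed UDP datagram to port 53 with a 4-byte payload: length field = 8 + 4
UDP_SAMPLE = struct.pack("!HHHH", 40001, 53, 12, 0) + b"\xab\xcd\x01\x00"

if __name__ == "__main__":
    for s in HANDSHAKE:
        print(parse_tcp(s)["flags"], end=" ")
    print("-> handshake complete:", handshake_complete(HANDSHAKE))
    print("UDP:", parse_udp(UDP_SAMPLE))
```

Feeding the same checker only the first two segments, or an ACK with the wrong acknowledgement number, returns False, which is exactly the difference between a completed TCP connection and a half-open one.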

It is important to understand these basic port behaviours, because they will appear often when we work on our target later. The next blog post will discuss the tools we are going to use to enumerate the target.

Step 3: Target Discovery (OS Fingerprinting)

This is the second technique we can use to discover and understand our target better.

OS Fingerprinting
Methods: active and passive
Active: the tool sends network packets to the target machine and determines its operating system from an analysis of the responses it receives.
(+) the fingerprinting process is fast
(-) the target machine may notice our attempt to get its operating system information
Passive: the tool only observes traffic and sends nothing to the target; we use a tool called p0f.
(-) slower process

p0f (passive)
p0f is a tool that fingerprints an operating system passively. It can identify the operating system of:
• Machines that connect to your box (SYN mode, the default mode)
• Machines you connect to (SYN+ACK mode)
• Machines you cannot connect to (RST+ mode)
• Machines whose communications you can observe
#p0f -o p0f.log

This will save the log information to the p0f.log file.
Next you need to generate network activity that involves a TCP connection.
If p0f has successfully fingerprinted the remote machine, you will see its operating system in the log file (p0f.log).


Xprobe2 (active)
It fingerprints operating systems by using fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.


Now you know your target's IP address and its operating system by using the tools above. The next blog post will explain target enumeration.