Machine A is setting up a listener on port 2222 using the nc command andthen having the letter A sent an infinite amount of times, when yes is used to send data yes NEVER stops until it recieves a break signal from the terminal (Control+C), on the client end (machine B), nc is being used as a client to connect to machine A, sending the letter B and infinite amount of times, while both clients have established a TCP connection each client is infinitely sending data to each other, this process will run FOREVER until it has been stopped by an administrator or the attacker.

A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake.The attacker floods the target system ' s small " in-process " queue with connection requests, but it does not respond when a target system replies to those requests.This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.

One important goal of enumeration is to determine who the true administrator is. In the example above, the true administrator is Joe.

A NULL scan will have no response if the port is open.

Kerberos, Smart cards and Stanford SRP are techniques where the password never leaves the computer.

A hacker can send an IP packet to a vulnerable machine such that the lastfragment contains an offest where (IP offset *8) + (IP data length) > 65535.This means that when the packet is reassembled, its total length is largerthan the legal limit, causing buffer overruns in the machine ' s OS (becousethe buffer sizes are defined only to accomodate the maximum allowed size ofthe packet based on RFC 791)...IDS can generally recongize such attacks bylooking for packet fragments that have the IP header ' s protocol field set to1 (ICMP), the last bit set, and (IP offset *8) +(IP data length) > 65535 " CCIE Professional Development Network Security Principles and Practices by Saadat Malik pg 414 " Ping of Death " attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing aminimum of 20 octets of IP header information and zero or more octets ofoptional information, with the rest of the packet being data. Ping of Deathattacks can cause crashing, freezing, and rebooting.

NULL sessions take advantage of “features” in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Primarily the following ports are vulnerable if they are accessible:

Explanations:

This is possible with a SMB packet capture module for L0phtcrack and a known weaknesses in the LM hash algorithm.

Okay, this is a tricky question. We say B, DES, but it could be A “MD4” depending on what their asking - Windows 2000/XP keeps users passwords not " apparently " , but as hashes, i.e. actually as " check sum " of the passwords. Let ' s go into the passwords keeping at large. The most interesting structure of the complex SAM-file building is so called V-block. It ' s size is 32 bytes and it includes hashes of the password for the local entering: NT Hash of 16-byte length, and hash used during the authentication of access to the common resources of other computers LanMan Hash, or simply LM Hash, of the same 16-byte length. Algorithms of the formation of these hashes are following:

NT Hash formation:

1. User password is being generated to the Unicode-line.

2. Hash is being generated based on this line using MD4 algorithm.

3. Gained hash in being encoded by the DES algorithm, RID (i.e. user identifier) had been used as a key. It was necessary for gaining variant hashes for users who have equal passwords. You remember that all users have different RIDs (RID of the Administrator ' s built in account is 500, RID of the Guest ' s built in account is 501, all other users get RIDs equal 1000, 1001, 1002, etc.).

LM Hash formation:

1. User password is being shifted to capitals and added by nulls up to 14-byte length.

2. Gained line is divided on halves 7 bytes each, and each of them is being encoded separately using DES, output is 8-byte hash and total 16-byte hash.

3. Then LM Hash is being additionally encoded the same way as it had been done in the NT Hash formation algorithm step 3.

The " net send " Messenger service can be used by unauthorized users of your computer, without gaining any kind of privileged access, to cause a pop-up window to appear on your computer. Lately, this feature has been used by unsolicited commercial advertisers to inform many campus users about a " university diploma service " ...

Blocking port 25 in the firewall or forcing all connections to use username and password would have the consequences that the server is unable to communicate with other SMTP servers. Turning of the SMTP service would disable the email function completely. All email servers use SMTP to communicate with other email servers and therefore changing email server will not help.

The SOA contains information of secondary servers, update intervals and expiration times.

The hacker begins by sending a malicious ARP " reply " (for which there was no previous request) to your router, associating his computer ' s MAC address with your IP Address. Now your router thinks the hacker ' s computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with the routers IP Address. Now your machine thinks the hacker ' s computer is your router. The hacker has now used ARP poisoning to accomplish a MitM attack.

Spoofing can be easily achieved by manipulating the " from " name field, however, it is much more difficult to hide the true source address. The " received from " IP address 168.150.84.123 is the true source of the

The easiest programs to trojan and the smartest ones to trojan are ones commonly run by administrators and users, in this case netstat, ps, and top, for a complete list of commonly trojaned and rootkited software please reference this URL: http://www.usenix.org/publications/login/1999-9/features/rootkits.html

As a hacker you don’t want to leave any traces that could lead back to you.

OS DETECTION:

-O: Enable OS detection (try 2nd generation w/fallback to 1st)

-O2: Only use the new OS detection system (no fallback)

-O1: Only use the old (1st generation) OS detection system

--osscan-limit: Limit OS detection to promising targets

--osscan-guess: Guess OS more aggressively

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html