SEC 335 W2 Notes - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

NOTE: Information on this page is intended as notes and does contain text copied and pasted from readings/online sources. I do not claim to own this information, I have simply captured it for my studying needs.
Below are notes taken during/after class 9/6/22:

Filename: D2 -- 9/6/22

Vcenter02

Add additional passive recon notes

Active Recon

Scanning goals

Looking for specific systems and applications to target during Step 2 (Vuln scanning) of the Pen-Test Method

Find versions

Find live hosts on the network

  • ICMP (ping) and/or TCP/UDP network scans

Find open ports on live hosts

  • TCP/UDP host port scans

Gather information on IPS/IDS and Firewalls

  • Examining results and output from the scan tools

Run Nmap as sudo for scans in general

Ports and Protocols. Between the protocols User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), there are 65,535 ports available for communication between devices.

Ports below 1024 are the well-known ports; you need to be root to bind to them

Port 10000 = PHP myAdmin

Once networks have been identified during recon, enumerating live hosts is the next step

ICMP doesn't have ports, just message types

  • ICMP - Internet Control Message Protocol

  • Often treated as a layer 4 protocol, but it is carried directly over IP (layer 3)

An ephemeral port is a communications endpoint of a transport layer protocol of the Internet protocol suite that is used for only a short period of time for the duration of a communication session.

The source port doesn't matter much; the destination port is what matters

Port 3389 = Remote Desktop (RDP)

Ping Sweep

Scanning method using ICMP to look for live hosts across entire networks

  • Pros

    • Simple and can be an effective first pass to enumerate live hosts

  • Cons

    • Noisy and can be obvious to system defenders

    • Many network security devices block ICMP

    • Not all systems respond to an echo
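Why a ping sweep (and the port scan that usually follows it) is "noisy" to defenders, as an added example that is not part of the notes: a small Python detector run over constructed iptables-style firewall log lines, flagging a source that pings many distinct hosts in a short window or sends SYNs to many distinct ports on one host. The log format and the thresholds are assumptions.

```python
# Added example (not from the notes): per source, count distinct hosts hit by ICMP
# echo requests and distinct ports hit by TCP SYNs inside a time window. Log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Sep  6 10:00:01 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.2 PROTO=ICMP TYPE=8
Sep  6 10:00:01 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.3 PROTO=ICMP TYPE=8
Sep  6 10:00:02 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.4 PROTO=ICMP TYPE=8
Sep  6 10:00:02 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.5 PROTO=ICMP TYPE=8
Sep  6 10:00:09 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.2 PROTO=TCP DPT=22 SYN
Sep  6 10:00:09 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.2 PROTO=TCP DPT=80 SYN
Sep  6 10:00:10 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.2 PROTO=TCP DPT=443 SYN
Sep  6 10:00:10 fw kernel: IN=eth0 SRC=10.0.5.50 DST=10.0.5.2 PROTO=TCP DPT=3389 SYN
Sep  6 10:00:11 fw kernel: IN=eth0 SRC=10.0.5.20 DST=10.0.5.2 PROTO=ICMP TYPE=8
Sep  6 10:00:12 fw kernel: IN=eth0 SRC=10.0.5.20 DST=10.0.5.2 PROTO=TCP DPT=443 SYN
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) DST=(\S+) PROTO=(\w+)"
                     r"(?: TYPE=(\d+))?(?: DPT=(\d+))?(?: (SYN))?$")

def distinct_in_window(events, window):
    """Most distinct values seen in any span of `window` seconds (two-pointer sweep)."""
    events, best, lo = sorted(events), 0, 0
    for hi in range(len(events)):
        while (events[hi][0] - events[lo][0]).total_seconds() > window:
            lo += 1
        best = max(best, len({v for _, v in events[lo:hi + 1]}))
    return best

def detect(log, window=10, sweep_min=4, scan_min=4):
    """{src: {labels}}: 'ping_sweep' = echo to >= sweep_min hosts; 'syn_scan' = SYN to >= scan_min ports on one host."""
    icmp, syn = defaultdict(list), defaultdict(list)  # key -> [(time, value)]
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog stamp carries no year
        src, dst, proto, itype, dpt, flag = m.groups()[1:]
        if proto == "ICMP" and itype == "8":          # type 8 = echo request
            icmp[src].append((t, dst))
        elif proto == "TCP" and flag == "SYN":        # half-open probe, never completed with ACK
            syn[(src, dst)].append((t, dpt))
    alerts = defaultdict(set)
    for src, ev in icmp.items():
        if distinct_in_window(ev, window) >= sweep_min:
            alerts[src].add("ping_sweep")
    for (src, _dst), ev in syn.items():
        if distinct_in_window(ev, window) >= scan_min:
            alerts[src].add("syn_scan")
    return dict(alerts)
```

The single ping and single SYN from 10.0.5.20 stay below threshold, which is why a real detector needs a window and a count rather than alerting on every ICMP echo.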

NMAP

  • Nmap is the "King of Scanners" according to Kali

  • Nmap can:

    • See computers active on the target network

    • Find listening ports

    • Etc.

NMAP has many options - Scanning options, timing, targets, formatting options

Nmap does discovery with

  • An ICMP echo request

  • A TCP SYN packet to port 443

  • A TCP ACK packet to port 80

  • And an ICMP timestamp request

Then performs a scan of the 1000 most popular ports

Nmap options:

  • -sS = SYN scan

  • -T3 = Normal timing

  • -p = specify the ports or port ranges to scan

Two goals of recon stage

  • Find Live hosts

  • Figure out what ports/services are running on those hosts

ARP ping host discovery

  • On the local subnet, Nmap will do ARP pings

  • ARP converts IP addresses to MAC addresses with layer 2 broadcasts

  • So if a system responds to the ARP request, that IP is up

For efficiency - separate host discovery and port scans

Don't use -T5

Identifying that a port is open is useful, but understanding what service is running on that port is more beneficial

OS fingerprinting is not great in NMAP

Hugo cms

New England Air Systems LLC

Ping sweep loop from class (made runnable; prints only the hosts that answer):

```bash
# Ping 10.0.5.2 through 10.0.5.50 once each; echo only addresses that reply
for i in $(seq 2 50); do ping -c 1 -W 1 10.0.5.$i >/dev/null 2>&1 && echo "10.0.5.$i is up"; done
```

Filename: CHAPTER 3 Network Hosts Scanning

NOTE: See the dedicated NMAP commands and techniques page, as this page does not contain repeat info (or at least very little)

TCP

  • TCP uses a concept called a three‐way handshake to establish a network connection. First, to start a TCP session, the client sends a SYN packet (synchronize) to the server. The server receives the SYN and replies to the client with a synchronize/acknowledge (SYN/ACK) packet. Finally, the client completes the conversation by sending an ACK packet to the server.

  • It's essential to understand the concept of the TCP handshake. Network scanners like Nmap use it to identify live hosts, open ports, and much more (you will learn more about this in the upcoming sections).

ARP

  • Address Resolution Protocol (ARP) is a mechanism that maps IPv4 addresses to MAC addresses. This concept is essential for an internal network to work. Routers connect with each other over the internet through IP addresses (layer 3), but once the packet is inside your network, then an ARP table will be used using MAC addresses (layer 2).

Port Numbers

  • Port numbers and IP addresses are like brothers and sisters. Without a port number, a network packet will never be able to reach its destination. A port number is like a civic address. The street's name (IP address) is not enough to get to a certain property; you will need a civic number (port number) to have a full and complete address.

Popular Protocols and ports

| Protocol name | Port # |
| --- | --- |
| FTP | TCP 21 |
| SSH/SCP | TCP 22 |
| Telnet | TCP 23 |
| SMTP | TCP 25 |
| DNS Query | UDP 53 |
| DNS Zone Transfer | TCP 53 |
| DHCP | UDP 67, UDP 68 |
| TFTP | UDP 69 |
| HTTP | TCP 80 |
| Kerberos | UDP 88 |
| POP3 | TCP 110 |
| SNMP | UDP 161, UDP 162 |
| NetBIOS | TCP/UDP 137, TCP/UDP 138, TCP/UDP 139 |
| IMAP | TCP 143 |
| LDAP | TCP 389 |
| HTTPS (TLS) | TCP 443 |
| SMTP over SSL | TCP 465 |
| rlogin | TCP 513 |
| LDAP over SSL | TCP 636 |
| FTP over SSL | TCP 989–990 |
| IMAP over SSL | TCP 993 |
| POP3 over SSL | TCP 995 |
| MS-SQL | TCP 1433 |
| NFS | TCP 2049 |
| Docker Daemon | TCP 2375 |
| Oracle DB | TCP 2483–2484 |
| MySQL | TCP 3306 |
| RDP | TCP 3389 |
| VNC | TCP 5500 |
| PCAnywhere | TCP 5631 |
| IRC | TCP 6665–6669 |
| IRC SSL | TCP 6679, TCP 6697 |
| BitTorrent | TCP 6881–6999 |
| Printers | TCP 9100 |
| WebDAV | TCP 9800 |
| Webmin | 10000 |

Ways to identify hosts:

  • Ping

    • Need to be aware that some system admins will close the ICMP echo on the firewall level to block hackers from checking the connectivity of some servers.

  • ARP

  • Nmap

$ nmap -sn [IP Address / Range]

  1. It will send an ICMP echo request, and Nmap will not give up if ICMP is blocked.

  2. Also, it will send an ICMP timestamp request.

  3. It will send an ACK packet to port 80 and send a SYN packet to port 443.

  4. Finally, it will send an ARP request.

Use sudo for nmap

$ nmap -sS [IP Address / Range]

SYN scan. How a SYN scan works in Nmap: the scanner, when supplied with the -sS option, sends a SYN to each target port, and if a SYN/ACK is received in response, it reports that port as open. If the scanner does not receive a SYN/ACK, the port is either closed or filtered. For the record, filtered means a firewall is protecting it.
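The -sn and -sS commands above can be chained so that only hosts discovery reports as up get port-scanned (the "separate host discovery and port scans" advice from class). Added example, not from the notes or from Nmap itself: a small Python parser for Nmap's grepable (-oG) output; both sample outputs below are constructed, and the follow-up command string is an assumption about how the two steps would be joined.

```python
# Added example (not from the notes or from Nmap): parse Nmap grepable output (-oG)
# so host discovery (-sn) feeds only live hosts into the SYN scan (-sS). Outputs are constructed.
import re

DISCOVERY_OUT = """\
Host: 10.0.5.2 ()\tStatus: Up
Host: 10.0.5.7 ()\tStatus: Up
Host: 10.0.5.9 ()\tStatus: Down
"""
SYN_SCAN_OUT = """\
Host: 10.0.5.2 ()\tStatus: Up
Host: 10.0.5.2 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 10.0.5.7 ()\tStatus: Up
Host: 10.0.5.7 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (998)
"""
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\t(.*)$")  # Host: <addr> (<name>)<TAB><fields>

def live_hosts(grepable):
    """Addresses whose Status is Up in `nmap -sn -oG -` output."""
    hosts = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(2).startswith("Status: Up"):
            hosts.append(m.group(1))
    return hosts

def port_states(grepable):
    """host -> {port: (state, service)} from -oG 'Ports:' lines.
    Each entry is port/state/proto/owner/service/rpc/version; 'filtered' means
    no SYN/ACK or RST came back, usually a firewall in the path."""
    result = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m or not m.group(2).startswith("Ports:"):
            continue
        ports_field = m.group(2).split("\t")[0][len("Ports: "):]
        for entry in ports_field.split(", "):
            f = entry.split("/")
            result.setdefault(m.group(1), {})[int(f[0])] = (f[1], f[4])
    return result

def open_ports(grepable):
    """host -> sorted open ports: the input for Step 2 (vuln scanning)."""
    return {h: sorted(p for p, (s, _) in ps.items() if s == "open")
            for h, ps in port_states(grepable).items()}

def scan_command(hosts):
    """Follow-up SYN scan restricted to the hosts discovery reported as up (assumed form)."""
    return "sudo nmap -sS -T3 -oG - " + " ".join(hosts)
```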

The Nmap Scripting Engine (NSE) contains a set of additional functionalities (like brute force, DNS enumeration, HTTP enumeration, etc.) that make Nmap work like a boss. The Nmap team categorized all these functionalities into different groups, shown here:

  • Auth

  • Broadcast

  • Default

  • Discovery

  • DOS

  • Exploit

  • External

  • Fuzzer

  • Intrusive

  • Malware

  • Safe

  • Version

  • Vuln

The default script scan, -sC, has a low number of false positives (a false positive means a reported vulnerability that is not real) and is less intrusive on the target system compared to other categories (some categories could bring your target host down, like the DOS category).

https://nmap.org/nsedoc/

DNS enumeration may allow us to identify the nature of the target host that we want to scan. In addition, DNS enumeration will use the public search engines to search for hidden domain names that we were not aware of at the beginning of our engagement.

"host command in Linux system is used for DNS (Domain Name System) lookup operations. In simple words, this command is used to find the IP address of a particular domain name or if you want to find out the domain name of a particular IP address the host command becomes handy." - https://www.geeksforgeeks.org/host-command-in-linux-with-examples/ 

There are a lot of tools out there that scan for subdomains. What matters is to understand what they do, so you need to make sure that your chosen one will do the following:

  • Quickly brute‐force subdomains based on a good quality dictionary file.

  • Check for DNS transfer.

  • Automate a subdomain lookup on internet search engines like Google.

Tools list:

  • Fierce - `fierce -dns [domain name]`