Class 2 Network Scanning - cloudsecuritylabs/ethicalhackingclass GitHub Wiki
Class 2 - Network Scanning
Reminder: nmap -iL listofips.txt (read targets from a file, one host or CIDR per line)
Host Discovery flags
How does nmap know that a host is live? By default (running as root) it sends:
- ICMP echo request (ping)
- TCP SYN to port 443 and TCP ACK to port 80
- ICMP timestamp request
- ARP request instead of all of the above, if the target is on the local Ethernet segment
A host that answers any one of these is marked up. If none gets a reply, nmap marks the host down and skips it (no port scan). Without root, nmap falls back to a TCP connect() to ports 80 and 443.
-Pn -> skip host discovery; treat every target as up (use when ICMP is blocked and hosts look "down")
-PS[portlist] -> TCP SYN ping
-PA[portlist] -> TCP ACK ping
-PU[portlist] -> UDP ping
-PE -> ICMP echo ping
-PR -> ARP ping (local network only)
Disabling DNS resolution
By default nmap reverse-resolves every responding IP, which costs time and extra queries. To disable it use the **-n** flag (**-R** forces resolution even for hosts that appear down).
nmap 45.33.49.119
nmap -n 45.33.49.119
nmap --system-dns 45.33.49.119 (use the OS resolver instead of nmap's own parallel resolver)
nmap --dns-servers 8.8.8.8 45.33.49.119 (the option is --dns-servers; several servers are comma-separated)
NSE script rules (prerule / hostrule / portrule / postrule decide when a script runs)
https://nmap.org/book/nse-script-format.html
Footprinting
- OSINT - Open source intelligence
- MITRE ATT&CK framework
- TTP -> Tactics, Techniques and Procedures. https://attack.mitre.org/
- ATT&CK tactics: Reconnaissance / Initial Access / Execution ....
Reconnaissance
- Passive -> research publicly available information; no packets reach the target
- Active -> send packets to the target (port scans, banner grabs); detectable by the target
Vulnerability management tools
- Network scanners (agentless, agent based)
- Cloud scanners
- Container scanners
- DAST - Dynamic app scanners
- SAST - Static application scanners
- SCA - Software composition analysis
- IAST - Interactive app scanners
- Manual code review
- Manual pen tests
Penetration testing steps
Planning (By failing to prepare, you are preparing to fail - Benjamin Franklin)
- get approval
- define scope
- define test conditions
Discovery
- Information gathering
- Scanning
Attack
- gain access
- privilege escalation
- install malware/backdoor
Report
- describe the findings
- list the vulnerabilities found, with evidence
- perform risk analysis
What is network scanning?
- Is a host alive?
- What services are running?
- What is the OS?
- What are the vulnerabilities?
- What are the open ports?
Tools
Standard scanning tools
- NMAP - find live hosts, banners, avoid detection
- Metasploit
- Hping
- Masscan
Vulnerability scanning tools
- Metasploit
- OpenVAS
- Tenable Nessus (Free edition available)
- QualysGuard (Free edition available)
- OWASP tool sets
Metasploit
- A framework for penetration testing
- Free (Metasploit Framework) and commercial (Metasploit Pro) editions are available
NMAP
- https://nmap.org/book/man.html
- Ping sweep (host discovery only, less intrusive) >> nmap -sn [IP] (-sP is the old, deprecated name for -sn and is still accepted)
- TCP SYN scan >> nmap -sS [IP] (needs root / raw sockets)
- Service/version scan >> nmap -sV [IP]
- OS detection >> nmap -O [IP]
- Scan a specific port >> nmap -p80 [IP]
- NMAP scripts live in /usr/share/nmap/scripts
- nmap --script [script] [IP]
- Wireshark review of a SYN scan: tcp.flags.syn==1 && ip.src==[IP] shows the SYN probes the scanner sent
MassScan
- Wireshark review: tcp.flags.syn==1 && tcp.flags.ack==1 (equivalently tcp.flags==0x12) shows the SYN/ACK replies, i.e. the open ports
HPING - hping is a command-line oriented TCP/IP packet assembler/analyzer.
OWASP list of vulnerability scanning tools
Network Scanning Review
- gather information about the target network
- attack surface -> servers, desktops, network devices, databases, IoT devices, applications
Types of network scan
Network mapping
- send probes to each address; a reply (ICMP, TCP, ARP) means the host is up
Port scanning
- send probes to individual ports; the reply (SYN/ACK, RST, nothing) gives the port state
Service / version detection
- send probes to the open ports and match the banners/responses against nmap's signature database to name the service and its version
OS detection
- send a set of crafted packets to the host and match quirks of the replies (TTL, window size, TCP options) against the OS fingerprint database
NMAP - greatest tool to learn (in my opinion)
- free
- we can map entire network
- we can identify available hosts
- we can discover unknown assets
- both GUI and CLI are supported
NMAP discovery and scanning
Basic Scanning - don't break your own network
- nmap | less (no arguments: prints the usage summary)
- nmap localhost
- nmap scanme.nmap.org (the nmap project's host that you are allowed to scan; note the name is scanme.nmap.org, and do not scan other hosts without permission)
use a file to pass IPs, one target per line
echo scanme.nmap.org > scanme.txt
nmap -iL scanme.txt
Nmap Default if no options provided
- nmap -v scanme.nmap.org [-v for verbose] - analyze the output; the default host discovery is:
- ICMP echo request (type 8)
- TCP SYN to port 443
- TCP ACK to port 80
- ICMP timestamp request (type 13)
Host discovery (ping sweep - no port scan)
- reduces scan time on a large network (only live hosts get port-scanned afterwards)
- generates far fewer events in the target's SIEM/IDS than a full port scan (but is still detectable)
nmap -v -sn metasploitIp
nmap -v -sn -PS443 --disable-arp-ping metasploitIp --packet-trace (SYN ping to 443 only, skip the ARP ping, print every packet sent and received)
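The host-discovery flags above and this ping sweep are usually the first stage of a two-stage scan: sweep first, then port-scan only what answered. The script below is an added example (not from the class wiki): it parses nmap's grepable (-oG) output for hosts marked "Status: Up" and feeds them back through -iL. The sweep output embedded in the script is constructed sample data, and the 10.0.0.0/29 addresses are lab placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the class wiki): a two-stage scan.
# Stage 1: host discovery only (-sn), saved in grepable format (-oG).
# Stage 2: feed the hosts that answered back to nmap with -iL for the port scan,
# so time and noise are spent only on live targets.
set -euo pipefail

# live_hosts FILE: print the address of every host marked "Status: Up" in -oG output.
# Grepable output has one line per host, e.g.:  Host: 10.0.0.5 (name)   Status: Up
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Constructed sample of "nmap -v -sn -oG" output (lab placeholders, not a real capture).
sample_sweep() {
  cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v -sn -oG sweep.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()   Status: Up
Host: 10.0.0.2 ()   Status: Down
Host: 10.0.0.5 (metasploitable.lab)   Status: Up
Host: 10.0.0.6 ()   Status: Down
# Nmap done at Mon Jan  1 10:00:02 2024 -- 8 IP addresses (2 hosts up) scanned in 2.01 seconds
EOF
}

# live_hosts_from_sample: run the parser over the sample; returns the live hosts
# space-separated ("10.0.0.1 10.0.0.5").
live_hosts_from_sample() {
  local tmp
  tmp=$(mktemp)
  sample_sweep > "$tmp"
  live_hosts "$tmp" | tr '\n' ' ' | sed 's/ $//'
  rm -f "$tmp"
}

# two_stage_scan CIDR: the real workflow. Needs nmap, root for -sS, and a range you
# are authorised to scan (e.g. the class lab network).
two_stage_scan() {
  local range=$1 sweep=sweep.gnmap targets=live.txt
  nmap -v -sn -n -oG "$sweep" "$range" > /dev/null    # stage 1: ICMP/TCP/ARP pings, no ports
  live_hosts "$sweep" > "$targets"
  echo "live hosts: $(wc -l < "$targets" | tr -d ' ')"
  nmap -sS -sV -iL "$targets" -oA portscan            # stage 2: SYN + version scan; -oA writes .nmap/.gnmap/.xml
}

# Run the real scan only when a range is given:  bash sweep.sh 10.0.0.0/24
if [ -n "${1-}" ]; then two_stage_scan "$1"; fi
```

Run it as `bash sweep.sh 10.0.0.0/24` against the lab range. Hosts that block ICMP and have nothing on 80/443 will be missed by the default pings; add `-PS22,445,3389` (or `-Pn` to skip discovery entirely) if the sweep comes back suspiciously empty.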
Port Scanning
- We use ports to connect to services
- Scan for open, closed and filtered ports
Port states (what the reply to a SYN-scan probe means)
- open: SYN -> SYN/ACK comes back (a RST then tears the half-open connection down, so no full handshake is completed)
- closed: SYN -> RST comes back (host reachable, nothing listening)
- filtered: SYN -> no response, or an ICMP unreachable error (a firewall is probably dropping the probe; nmap retries before deciding)
- unfiltered: only reported by the ACK scan (-sA): a RST comes back, so the port is reachable, but nmap can't tell open from closed
- open|filtered: no response to a UDP, FIN, NULL or Xmas probe, where an open port is silent too
- closed|filtered: only from the IP ID idle scan (-sI), which can't separate the two
Port Scan examples (default: the 1000 most common ports; pick others with -p)
SYN scan
- nmap -sS metasploitIP (stealthy: no full handshake; fast; the default when running as root)
TCP connect scan
- nmap -sT metasploitIP (full handshake through the OS socket API; the default without root; noisier, shows up in the service's logs)
Specific port scan
- nmap -sS -p8000-9000 metasploitIP windowsIP [-p selects ports; several targets are separated by spaces]
UDP scan (usually very slow: open UDP ports don't answer, so nmap has to wait for timeouts)
- nmap -sU -p8000-9000 metasploitIP windowsIP [examine the output: expect many open|filtered results]
IP protocol scan (-p takes IP protocol numbers here, not ports)
- nmap -sO -p1,6,17,47,50 metasploitIP [1 = ICMP, 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP; a firewall may allow GRE or ESP through for VPN traffic]
Service and Version Detection
- nmap -sV metasploitIP
- --allports (probe every open port; by default nmap skips 9100/tcp because printers print whatever they receive)
- --version-intensity NUMBER [0-9] (higher sends more probes and takes longer; the default is 7)
OS system detection
- nmap -v -O metasploitIP
List scan (reverse-DNS only, no packets sent to the targets)
- nmap -sL 127.0.0.1
Disable DNS
- nmap -sn -n 127.0.0.1
Use my own DNS servers (comma-separated)
- nmap --dns-servers 4.4.4.4,8.8.8.8 [target]
Output
- nmap -v scanme.nmap.org -oN report.txt (normal output; -oG grepable, -oX XML, -oA writes all three)
Timing parameter (-T0 to -T5)
- -T0 (paranoid) -> IDS evasion: one probe at a time, 5 minutes between probes
- -T1 (sneaky) -> IDS evasion: one probe at a time, 15 seconds between probes
- -T2 (polite) -> less bandwidth and load on the target (0.4 s between probes)
- -T3 (normal) -> the default
- -T4 (aggressive) -> assumes a fast, reliable network; caps the per-probe scan delay at 10 ms
- -T5 (insane) -> caps the scan delay at 5 ms and gives up on slow hosts; may sacrifice accuracy
NMAP Scripting Engine
- write scripts to automate tasks (discovery, version detection, vulnerability checks, brute force)
- scripts are written in Lua, a small embedded scripting language
- use -sC (runs the "default" script category) or --script <name|category|path>
- nmap -sS -sV -sC -T5 scanme.nmap.org
- installed scripts live in /usr/share/nmap/scripts/
- nmap --script ssh-brute metasploitIP -vv (brute-force scripts are intrusive: only run them against in-scope lab hosts)
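To see what an NSE script looks like, here is an added example (not from the class wiki or the nmap project): a shell helper that writes a minimal Lua script, first-line.nse, and runs it with --script. The script name, the "class example" author string and the choice of ports are assumptions; the NSE calls used (shortport.port_or_service, nmap.new_socket, connect, receive_lines) are the standard library functions documented at nmap.org.

```shell
#!/usr/bin/env bash
# Added example (not from the class wiki): write a minimal NSE script and run it
# with --script. The script name (first-line.nse) is an assumption for this example.
set -euo pipefail

# write_script DIR: create DIR/first-line.nse, a "safe" discovery script that
# connects to open FTP/SSH/SMTP/POP3 ports and reports the first banner line.
write_script() {
  cat > "$1/first-line.nse" <<'EOF'
local nmap      = require "nmap"
local shortport = require "shortport"

description = [[
Connects to an open port and reports the first line the service sends
(class example: a one-probe banner grab).
]]
author     = "ethicalhackingclass example"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- portrule: when does the script run? Only for open TCP ports numbered
-- 21/22/25/110, or identified by -sV as ftp/ssh/smtp/pop3.
portrule = shortport.port_or_service({21, 22, 25, 110},
                                     {"ftp", "ssh", "smtp", "pop3"}, "tcp", "open")

-- action: what the script does; its return value is printed under the port.
action = function(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(3000)                      -- 3 s, so a slow host does not stall the scan
  local ok = sock:connect(host, port)
  if not ok then return nil end               -- nil = print nothing for this port
  local status, data = sock:receive_lines(1)
  sock:close()
  if not status then return nil end
  return "first line: " .. data:match("^[^\r\n]*")
end
EOF
}

# run_script DIR TARGET: check that nmap parses the script, then run it on a target.
# Needs nmap, root for -sS, and an in-scope host (e.g. metasploitIP from the lab).
run_script() {
  nmap --script-help "$1/first-line.nse"                        # loads the script, prints its description
  nmap -sS -sV -p21,22,25,110 --script "$1/first-line.nse" "$2"
}

# script_has_rule DIR: true when the written file declares both a rule and an action
script_has_rule() {
  grep -q '^portrule' "$1/first-line.nse" && grep -q '^action' "$1/first-line.nse"
}

# Usage:  bash nse-demo.sh metasploitIP
if [ -n "${1-}" ]; then
  dir=$(mktemp -d)
  write_script "$dir"
  run_script "$dir" "$1"
fi
```

Every NSE script has the same skeleton: metadata (description, author, license, categories), a rule that decides whether it runs (here a portrule), and an action that returns the text shown in the report. Giving --script a file path avoids copying into /usr/share/nmap/scripts and running --script-updatedb while you are still editing.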
Firewall scanning and evasion (firewalking)
- TCP ACK scan (-sA) sends bare ACKs, never a SYN, so it cannot find open ports
- a RST back -> "unfiltered" (reachable; nmap can't say open vs closed); no reply or an ICMP error -> "filtered"
- use it to tell a stateful firewall (drops the unsolicited ACK -> filtered) from a stateless packet filter or no filter (passes it -> unfiltered)
- nmap -sS -F -T5 scanme.nmap.org --reason (-F: top 100 ports; --reason: show which packet produced each state)
- nmap -sA -F -T5 scanme.nmap.org --reason
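Reading the two --reason outputs side by side is the actual firewalking step, and it is also the best way to make the port-state vocabulary from the "Port Scanning" section concrete. The script below is an added example (not from the class wiki): it parses the PORT/STATE tables of a SYN scan and an ACK scan of the same ports and prints, per port, what the pair of states implies about any filter in front of the host. The two scan outputs are constructed sample data for metasploitIP, not real results.

```shell
#!/usr/bin/env bash
# Added example (not from the class wiki): read the STATE/REASON table of a SYN scan
# (-sS) and an ACK scan (-sA) run against the same ports, and from each pair of
# states infer whether a stateless or a stateful filter sits in front of the port.
set -euo pipefail

# Constructed normal (-oN) output, not real scan results. Assumed commands:
#   nmap -sS -p22,80,443,3306 --reason -oN syn.txt metasploitIP
#   nmap -sA -p22,80,443,3306 --reason -oN ack.txt metasploitIP
syn_sample() {
  cat <<'EOF'
PORT     STATE    SERVICE REASON
22/tcp   open     ssh     syn-ack ttl 64
80/tcp   open     http    syn-ack ttl 64
443/tcp  filtered https   no-response
3306/tcp closed   mysql   reset ttl 64
EOF
}
ack_sample() {
  cat <<'EOF'
PORT     STATE      SERVICE REASON
22/tcp   unfiltered ssh     reset ttl 64
80/tcp   filtered   http    no-response
443/tcp  unfiltered https   reset ttl 64
3306/tcp unfiltered mysql   reset ttl 64
EOF
}

# interpret SYNFILE ACKFILE: one tab-separated line per port:
#   port <TAB> syn-state <TAB> ack-state <TAB> verdict
interpret() {
  awk '
    $1 !~ /^[0-9]+\/(tcp|udp)$/ { next }              # keep only "NNN/tcp STATE ..." rows
    NR == FNR { syn[$1] = $2; order[++n] = $1; next } # first file: SYN scan states
    { ack[$1] = $2 }                                  # second file: ACK scan states
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]; s = syn[p]; a = (p in ack) ? ack[p] : "n/a"
        if (s == "open" && a == "unfiltered") { v = "no filter (SYN and bare ACK both reach the host)" }
        else if (s == "open" && a == "filtered") { v = "stateful firewall: new connections allowed, unsolicited ACK dropped" }
        else if (s == "closed" && a == "unfiltered") { v = "reachable, nothing listening" }
        else if (s == "filtered" && a == "unfiltered") { v = "stateless packet filter: blocks SYN, lets ACK through" }
        else if (s == "filtered" && a == "filtered") { v = "filtered both ways: stateful firewall or dropped, cannot tell" }
        else { v = "unexpected combination, re-check with --reason" }
        printf "%s\t%s\t%s\t%s\n", p, s, a, v
      }
    }' "$1" "$2"
}

# verdict_for PORT SYNFILE ACKFILE: just the verdict text for one port (e.g. 80/tcp)
verdict_for() {
  interpret "$2" "$3" | awk -F'\t' -v p="$1" '$1 == p { print $4 }'
}

# run_samples: interpret the constructed output above and print the table
run_samples() {
  local s a
  s=$(mktemp); a=$(mktemp)
  syn_sample > "$s"; ack_sample > "$a"
  interpret "$s" "$a"
  rm -f "$s" "$a"
}

run_samples
```

With real scans, save both with `-oN` and call `interpret syn.txt ack.txt`. Port 80 in the sample is the stateful signature (SYN gets through, a bare ACK does not), while 443 is the classic stateless case: the filter blocks SYN but lets the ACK reach the host, which answers with a RST.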
Exploit Database (exploit-db.com) - a community-maintained archive of public exploits and proof-of-concept code
GHDB - Google Hacking Database: search queries ("dorks") that find exposed files, login pages and devices
Use common search engines for footprinting
- a lot is available on Google!!! You will be amazed!