The first step in any pentest/attack is to locate targets. There is no better tool for this than nmap. I will usually use nmap for three different scans: ping, port, version. The ping sweep allows me to locate systems that are alive, the port scan tells me the open ports on a system, and the version scan tells me specifics about the services that are listening on those ports. The beauty of nmap is that you have so much flexibility in the range of IP addresses you want to look at.

To perform a ping sweep on addresses in the range 10.75.0.1 to 10.75.0.10, run: nmap -n -sP 10.75.0.1-10. The -n switch tells nmap not to resolve host names, making the scan much faster. The -sP switch tells nmap to perform a ping sweep.

Once you have located systems that are alive, the next step is to see what services (and potential holes for exploit) exist on these systems. To do this, perform a port scan via the command: nmap -n -sT 10.75.0.1. This will perform a full TCP connect port scan on 10.75.0.1. The -sT switch tells nmap to perform a full TCP connection (i.e. SYN, SYN-ACK, ACK, RESET) on ports deemed "interesting" per the nmap build you are using. By default the ports included are 1-1025 plus ports above 1025 that are in the network-services configuration file. In some instances you may want to be a little more stealthy and would use the -sS port scan. This tells nmap to perform a SYN scan using SYN, SYN-ACK, RESET. This scan doesn't create a full TCP connection and as such usually doesn't get "logged". Please note that you can perform a port scan against a range of targets using the IP address range options in nmap. For example, if I want to perform a port scan across the IP addresses from 10.75.0.1 to 10.75.0.10 I would call: nmap -n -sT 10.75.0.1-10.

In reality a port scan will only take you so far. It tells you that a host is listening on a specific port, but it doesn't give you any details beyond the "default" for that port. For example, port 80 is by default HTTP, but what is the specific server that is providing that access (IIS, Apache, etc.)? To get these details we perform a version scan via: nmap -n -sV 10.75.0.1. A final scan I will perform is OS fingerprinting via: nmap -n -sV -O 10.75.0.1. This will tell you the OS and version with very reliable accuracy. Now with the information provided by nmap we can do the research to know how to exploit the target system. This is a topic for another post.