Backtrack 4 (nmap)

The first step in any pentest/attack is to locate targets. There is no better tool for this than nmap. I will usually use nmap for three different scans: ping, port, version. The ping sweep allows me to locate systems that are alive, the port scan tells me open ports on a system and the version scan tells me specifics about the services that are listening on those ports. The beauty of nmap is that you have so much flexibility in the range of IP addresses you want to look at. To perform a ping sweep on addresses in the range 10.75.0.1 to 10.75.0.10 perform the following: nmap -n -sP 10.75.0.1-10. The -n switch tells nmap not to resolve host names making the scan much faster. The -sP tells nmap to perform a ping sweep. Once you have located systems that are alive the next step is to see what services (and potential holes for exploit) exist on these systems. To do this perform a port scan via the command: nmap -n -sT 10.75.0.1. This will perform a full TCP connection port scan on 10.75.0.1. The -sT switch tells nmap to perform a full TCP connection (i.e. SYN, SYN-ACK, ACK, RESET) on ports deemed “interesting” per the nmap build you are using. By default the ports included are 1-1025 plus ports above 1025 that are in the network-services configuration file. In some instances you may want to be a little more stealthy and would use the -sS port scan. This tells nmap to perform a SYN scan using SYN-SYNACK-RESET. This scan doesn’t create a full TCP connection and as such usually doesn’t get “logged”. Please note that you can perform a port scan against a range of targets using the range IP address range options in nmap. For example if I want to perform a port scan across the IP addresses from 10.75.0.1 to 10.75.0.10 I would call: nmap -n -sT 10.75.0.1-10. In reality a port scan will only take you so far. It tells you that a host is listening on a specific port but it doesn’t give you any defaults beyond the “default” for that port. For example port 80 is by default HTTP but what is the specific server that is providing that access (IIS, Apache, etc). To get these details we perform a version scan via: nmap -n -sV 10.75.0.1. A final scan I will perform is a OS fingerprinting via: nmap -n -sV -O 10.75.0.1. This will tell you the OS and version with very reliabile accuracy. Now with the information provided by nmap we can do the research to know how to exploit the target system. This is a topic for another post.

About these ads

2 Responses to “Backtrack 4 (nmap)”


  1. 1 gentoopebble March 11, 2009 at 7:17 pm

    We seem to have the same initial approach. I’ll be looking out for the rest of your series!

  2. 2 Karthik May 27, 2011 at 5:29 am

    Thanks you so much for your fabulous Post , it takes a lot of effort to prepare, i appreciate the efforts taken and looking for the rest of your series.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




Categories

Twitter Updates

Error: Twitter did not respond. Please wait a few minutes and refresh this page.


Follow

Get every new post delivered to your Inbox.

%d bloggers like this: