The first step in any pentest/attack is to locate targets. There is no better tool for this than nmap. I will usually use nmap for three different scans: ping, port, version. The ping sweep allows me to locate systems that are alive, the port scan tells me open ports on a system and the version scan tells me specifics about the services that are listening on those ports. The beauty of nmap is that you have so much flexibility in the range of IP addresses you want to look at. To perform a ping sweep on addresses in the range 10.75.0.1 to 10.75.0.10 perform the following: nmap -n -sP 10.75.0.1-10. The -n switch tells nmap not to resolve host names making the scan much faster. The -sP tells nmap to perform a ping sweep. Once you have located systems that are alive the next step is to see what services (and potential holes for exploit) exist on these systems. To do this perform a port scan via the command: nmap -n -sT 10.75.0.1. This will perform a full TCP connection port scan on 10.75.0.1. The -sT switch tells nmap to perform a full TCP connection (i.e. SYN, SYN-ACK, ACK, RESET) on ports deemed “interesting” per the nmap build you are using. By default the ports included are 1-1025 plus ports above 1025 that are in the network-services configuration file. In some instances you may want to be a little more stealthy and would use the -sS port scan. This tells nmap to perform a SYN scan using SYN-SYNACK-RESET. This scan doesn’t create a full TCP connection and as such usually doesn’t get “logged”. Please note that you can perform a port scan against a range of targets using the range IP address range options in nmap. For example if I want to perform a port scan across the IP addresses from 10.75.0.1 to 10.75.0.10 I would call: nmap -n -sT 10.75.0.1-10. In reality a port scan will only take you so far. It tells you that a host is listening on a specific port but it doesn’t give you any defaults beyond the “default” for that port. For example port 80 is by default HTTP but what is the specific server that is providing that access (IIS, Apache, etc). To get these details we perform a version scan via: nmap -n -sV 10.75.0.1. A final scan I will perform is a OS fingerprinting via: nmap -n -sV -O 10.75.0.1. This will tell you the OS and version with very reliabile accuracy. Now with the information provided by nmap we can do the research to know how to exploit the target system. This is a topic for another post.
- CNN should be called the plane crash network. 4 days ago
- MS cried that Apple had it easy controlling hw and sw. Surface Pro 3 and MS Wireless Display Adapter haven't worked since Jan. FAIL! 5 days ago
- @thurrott Yet still no fix to Microsoft Wireless Display Adapter brick with SP3. Fail = Microsoft 5 days ago
- RT @thurrott: This Surface Pro 3 firmware update is BIG. more in a moment. 5 days ago
- Half of all Android users vulnerable to year-old security flaw betane.ws/h1Ww via @BetaNews Google thinks MS has an update problem! 6 days ago