The first step in any pentest/attack is to locate targets. There is no better tool for this than nmap. I will usually use nmap for three different scans: ping, port, version. The ping sweep allows me to locate systems that are alive, the port scan tells me which ports are open on a system, and the version scan tells me specifics about the services that are listening on those ports. The beauty of nmap is the flexibility you have in the range of IP addresses you want to look at.

To perform a ping sweep on addresses in the range 10.75.0.1 to 10.75.0.10, run: nmap -n -sP 10.75.0.1-10. The -n switch tells nmap not to resolve host names, making the scan much faster. The -sP switch tells nmap to perform a ping sweep.

Once you have located systems that are alive, the next step is to see what services (and potential holes for exploit) exist on them. To do this, perform a port scan via the command: nmap -n -sT 10.75.0.1. This performs a full TCP connection port scan against 10.75.0.1. The -sT switch tells nmap to complete the TCP handshake (SYN, SYN-ACK, ACK, then RESET) on the ports deemed "interesting" by the nmap build you are using. By default the ports included are 1-1025 plus ports above 1025 that are listed in the network-services configuration file.

In some instances you may want to be a little more stealthy and would use the -sS scan instead. This tells nmap to perform a SYN scan (SYN, SYN-ACK, RESET). Because the connection is never completed, the attempt usually doesn't get "logged" by the listening application, although a firewall or IDS watching the wire will still see the SYN packets.

Note that you can perform a port scan against a range of targets using the same IP range options. For example, to port scan the addresses from 10.75.0.1 to 10.75.0.10 I would run: nmap -n -sT 10.75.0.1-10.

In reality a port scan will only take you so far. It tells you that a host is listening on a specific port, but it doesn't give you any details beyond the "default" service for that port. For example, port 80 is by default HTTP, but which specific server is providing that access (IIS, Apache, etc.)? To get these details we perform a version scan via: nmap -n -sV 10.75.0.1. A final scan I will perform is OS fingerprinting via: nmap -n -sV -O 10.75.0.1. This will tell you the OS and version with very reliable accuracy.

Now with the information provided by nmap we can do the research to know how to exploit the target system. That is a topic for another post.
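As an added example (not part of the original post), the script below turns the results of these scans into a host inventory a defender or tester can work from. It assumes nmap was run with the -oX option to save XML output (e.g. nmap -n -sV -O -oX scan.xml 10.75.0.1-10) and uses a constructed sample in place of a real scan file; it also separates services that -sV actually probed from those nmap only guessed from the port number, which is the "default" limitation described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (assumed command shown in the args attribute),
# trimmed to the elements this script reads. Not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -n -sV -O -oX scan.xml 10.75.0.1-10">
<host><status state="up"/><address addr="10.75.0.1" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
 <port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/></port>
 <port protocol="tcp" portid="443"><state state="closed"/></port>
</ports><os><osmatch name="Linux 3.10 - 4.11" accuracy="96"/>
<osmatch name="Linux 2.6.32" accuracy="88"/></os></host>
<host><status state="down"/><address addr="10.75.0.2" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.75.0.3" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/>
  <service name="microsoft-ds" method="table" conf="3"/></port>
</ports><os><osmatch name="Microsoft Windows 10" accuracy="90"/></os></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Build {ip: {"os": best OS guess or None, "ports": [...]}} from nmap XML.
    Only hosts reported up (the ping sweep result) and ports reported open are kept."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None or status.get("state") != "up":
            continue  # not alive, nothing to record
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            product = "" if svc is None else " ".join(
                v for v in (svc.get("product"), svc.get("version")) if v)
            ports.append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": None if svc is None else svc.get("name"), "product": product,
                # method="probed": identified by -sV; method="table": just the
                # port-number default from nmap's services table
                "probed": svc is not None and svc.get("method") == "probed"})
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", 0)), default=None)
        inventory[addr.get("addr")] = {
            "os": None if best is None else best.get("name"), "ports": ports}
    return inventory


def unverified_services(inventory):
    """Open ports whose service is only a port-number guess, i.e. still need a -sV pass."""
    return [(ip, p["port"]) for ip, h in inventory.items() for p in h["ports"] if not p["probed"]]
```

Run it against a real file with parse_nmap_xml(open("scan.xml").read()); the -O result is reduced to the single highest-accuracy osmatch, so keep the raw XML if you need the alternatives.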