Posts

NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results. Service Detection Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest. Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS . NOTE : In order to run -sV we need root privileges.  OS Detection Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate
Post a Comment
Read more

NMAP ADVANCED SCANS

Image
In this post we will be covering techniques to evade firewalls and IDS systems ad well as more advanced scans and scan options, such as: Null Scan FIN Scan Xmas Scan Maimon Scan Ack Scan Window Scan Custom Scan We will also cover the following: Spoofing IP Spoofing MAC Decoy Scan Fragmented Packets Idle/Zombie Scan Null, FIN and XMAS Scans These scans can be efficient when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag to detect a connecting attempt. Using a flag combination that does not match the SYN packets could make it possible to deceive a firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packed and render this kind of scan useless. Null Scan Null scan does not set any flag at all; all six flag bits are set to zero. We can use this option with -sN . A TCP Packet with no flags set will not trigger a response when it reaches an open por
Post a Comment
Read more

NMAP BASIC PORT SCANS

Image
 This post will be discussing using Nmap to check ports are open and listening and which ports are closed. This room explains: TCP connect port scan. TCP SYN port scan. UDP port scan. TCP and UDP Ports In the same way an IP address specifies a host on a network, a UDP or TCP port is used to identify a network service running on that host. A server providing a network service adheres to a specific network protocol, for example responding to DNS queries or serving web pages. A service usually uses a default port number, for example an HTTP would bind to TCP port 80, however it can be configured to run on a different port. No more that one service can listen on any TCP or UDP port on the same IP address. There are six states we need to consider when scanning for ports with Nmap: Open : Live service listening on this port. Closed: No service is listening on the port, although port is accessible (port is reachable and is not blocked by firewall or other security appliances/programmes). Fil
Post a Comment
Read more

NMAP Live Host Discovery

Image
Nmap is a scanning tool for discovering which systems are up and what services are running on these systems.  It is important to know the different approaches to enumerate a target in case firewalls are blocking some types. The different approaches that Nmap uses to discover live hosts: ARP (Address Resolution Protocol) scan: This scan uses ARP requests to discover live hosts. ICMP (Internet Control Message Protocol) scan: The scan uses ICMP requests to identify live hosts. TCP/UDP ping scan: This scan sends packets to TCP ports and UDP ports to determine live hosts. See below for the steps an Nmap scan usually goes through: Subnetworks In the below image we have four network segments or subnetworks. Subnetworks has it's own IP address range and is connected to a more extensive network via a router. There might be a firewall enforcing security policies depending on each network The figure above shows two types of subnets: Subnets with /16 , which means that the subnet mask can
Post a Comment
Read more

PASSIVE AND ACTIVE RECONNAISSANCE

Image
In this post we will learn about passive and active reconnaissance. Passive reconnaissance lets us gather information about a target without any kind of direct engagement. Active reconnaissance requires us to make some kind of contact with out target. Some Passive Reconnaissance tools we will explore: whois nslookup dig DNSDumpster Shodan.io Some Active Reconnaissance tools we will explore: ping traceroute telnet nc Passive Reconnaissance In passive reconnaissance, we rely on publicly available knowledge that can be accessed without directly engaging the target. Passive recon may include: Looking up DNS records from a public DNS server Checking job ads related to the target website Reading news articles about the target company Visiting social media sites of the company or their employees Whois Whois is a request and response protocol that follows the  RFC 3192  specification. A whois server listens on port 43 for incoming requests. A domain registrar is responsible for maintaining who
Post a Comment
Read more

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address or domain that is ou
Post a Comment
Read more