• Which Servers/Hosts Are Alive
• Services Running On Each System
• Internal/External IP Addresses
• Open Ports
• Server Version
• Operating systems
• System Architecture
• Exposed Sensitive Files
• Database Version
• Hidden, Shared Folders
• Running Firewall, IDS, IPS
• Load Balancer
• Proxy Server
Types Of Scanning
1. Port Scanning
2. Network Scanning
3. Vulnerability Scanning
1. Port Scanning:
Port scanning involves finding out which ports are open, filtered or closed, and which services, service versions and operating system are running.
With Nmap we can also find out SSH host keys, network topology, device uptime, network distance, TCP sequence and IP ID sequence predictability.
2. Network Scanning:
Identifies active hosts on a network by doing ping sweeps and port scans: which hosts are alive, their IP addresses and what services are running on them.
3. Vulnerability Scanning:
The automated process of proactively identifying vulnerabilities of computing systems in a network, in order to determine if and where a system can be exploited or threatened. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet.
Host Discovery Techniques:
ARP Host Discovery
Used to determine live hosts by getting a response back. Useful if a firewall is blocking ICMP.
nmap -sn -PR 192.168.43.2/24
-sn : no port scanning
-PR : ARP scan
ICMP Host Discovery
nmap -sn -PE --send-ip target
-PE : send an ICMP Echo Request
Nmap also supports ICMP Address Mask (-PM) and Timestamp (-PP) options.
Useful if the host is configured to ignore ICMP Echo messages but not other ICMP message types. If the target responds to Timestamp messages, then it must be alive.
You can also use SuperScan to send different ICMP requests.
TCP/UDP Host Discovery
Useful if ICMP is blocked externally.
nmap -Pn target
This skips host discovery (ping), so the ports are scanned even if the host does not answer pings.
In SuperScan you can disable host discovery and allow only UDP or TCP scanning.
You can minimize your footprint on a compromised system by scanning internal hosts via netcat:
nc -v -z -w2 192.168.43.179 1-140
Port Scanning Techniques:
Open Scan (TCP connect): in this scan all 65,535 ports will be scanned.
nmap -sT Target IP/Domain
Half Open Scan: no full TCP handshake, so no connection is logged on the system.
nmap -sS Target IP/Domain
Strobe Scan: scans only a selected number of ports.
nmap -sS -p 80,443,22,25 Target IP/Domain
Stealth Scan: scanning is done in a stealthy manner that prevents the connection request from being logged.
SYN/ACK Scan | FIN Scan | ACK Scan | NULL Scan | XMAS Scan
nmap -sX -p 80,443,22,25 Target IP/Domain
FTP Bounce Scan: uses an FTP server as a middle man while scanning, by exploiting a weakness in the FTP protocol.
nmap -b <ftp Host> Target IP/Domain
Fragmented Packets Scan: splits packets into small pieces to evade signature-based detection.
nmap -sT -f Target IP/Domain
UDP Scan: scans UDP ports only.
nmap -sU Target IP/Domain
Operating System Fingerprinting
We can grab banners from services such as FTP, telnet, SMTP, HTTP, POP and others to detect the running OS.
We can also guess which OS is running on a host from the ports we have found open.
For example, when ports 445, 139, 135 and 3389 are open, there is a high probability that the target operating system is Windows.
Many older UNIX servers have services such as portmapper (TCP/111), Berkeley R services (TCP/512–514), NFS (TCP/2049) and high-numbered ports (3277x and above) listening. The existence of such ports normally indicates that the system is running UNIX.
Active Stack Fingerprinting
• Probes the TCP/IP stack to guess the OS
• Requires one open port
• Accuracy is very low
nmap -O target
Nmap uses several probe techniques and a database of OS fingerprint signatures to guess the OS running on a target system.
An IDS may detect OS fingerprinting, so it is not one of the stealthiest scans an attacker will employ.
Passive Stack Fingerprinting
In this technique the attacker passively monitors network traffic to determine the operating system.
The attacker analyzes the following values and compares them with a known database of attributes to guess the OS:
• TTL (time-to-live) of the outbound packet
• Window size of the packet
• Don't Fragment (DF) bit
The following tool uses all these techniques to determine the OS:
siphon -v -i x10 -o fingerprint.out
We can telnet to the target and capture the returned packet to compare.
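The TTL, window size and DF comparison described above, written out as an added example (not the page's Siphon tool, and not code from the original post); the signature table is a small constructed sample and the scoring weights are an assumption. Defenders use the same comparison for asset inventory, to spot a host whose stack does not match what it claims to be:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    os_name: str
    initial_ttl: int   # TTL the stack puts on outbound packets
    window: int        # initial TCP window size
    df: bool           # Don't Fragment bit set on outbound packets

# Constructed sample signature table (illustrative values, not a complete database).
SIGNATURES = (
    Signature("Linux 3.x/4.x/5.x", 64, 29200, True),
    Signature("Linux 2.4", 64, 5840, True),
    Signature("Windows 7/Server 2008+", 128, 8192, True),
    Signature("Windows XP", 128, 65535, True),
    Signature("FreeBSD", 64, 65535, True),
    Signature("Cisco IOS", 255, 4128, False),
)

def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (32, 64, 128, 255)."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255

def rank_os(observed_ttl: int, window: int, df: bool) -> list:
    """Score every signature against the observed attributes; best match first.
    Weights (assumed): TTL class 2, window 2, DF bit 1."""
    ttl0 = initial_ttl(observed_ttl)
    ranked = []
    for sig in SIGNATURES:
        score = 0
        score += 2 if sig.initial_ttl == ttl0 else 0
        score += 2 if sig.window == window else 0
        score += 1 if sig.df == df else 0
        ranked.append((sig.os_name, score))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked

def fingerprint(observed_ttl: int, window: int, df: bool) -> dict:
    """Best guess plus the hop distance implied by the TTL decrement."""
    best_name, best_score = rank_os(observed_ttl, window, df)[0]
    return {"os": best_name, "score": best_score,
            "hops": initial_ttl(observed_ttl) - observed_ttl}

if __name__ == "__main__":
    # A reply seen with TTL 56, window 29200 and DF set: eight hops away, Linux-like.
    print(fingerprint(56, 29200, True))
```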
Countermeasures:
• Use IDS such as Snort (snort.org)
• Filter Ports
• Disable Unnecessary Ports
• Monitor Traffic
• Deploy Anti Spoofing Protection
• Set An Email Alert
• Enable Threshold Logging
• Hide Private IPs
• Patch Systems
• Properly configure System
• Audit Log File
• Use ScanLogd
• Only allow ICMP packets into the DMZ for specific hosts.
• Use Pingd ping monitoring engine
• Disable Services (/etc/inetd.conf)
• Find Publicly Available Directories
• Encrypt Content
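As an added example of the "Monitor Traffic" and "Enable Threshold Logging" countermeasures above (not code from the page, and not ScanLogd), a small detector that flags a source which probes many distinct ports on a host within a short window; the log lines and their format are constructed, and the threshold and window are assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (iptables-style key=value fields); not real traffic.
SAMPLE_LOG = """\
2024-03-01 10:00:01 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=21
2024-03-01 10:00:01 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=22
2024-03-01 10:00:01 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=23
2024-03-01 10:00:02 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=25
2024-03-01 10:00:02 ACCEPT SRC=198.51.100.7 DST=192.168.43.179 PROTO=TCP DPT=443
2024-03-01 10:00:02 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=53
2024-03-01 10:00:02 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=80
2024-03-01 10:00:03 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=110
2024-03-01 10:00:03 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=135
2024-03-01 10:00:03 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=139
2024-03-01 10:00:04 DROP SRC=203.0.113.5 DST=192.168.43.179 PROTO=TCP DPT=445
2024-03-01 10:00:09 ACCEPT SRC=198.51.100.7 DST=192.168.43.179 PROTO=TCP DPT=443
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)$")

def parse_log(text: str):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def detect_scans(text: str, threshold: int = 10, window_s: int = 5) -> dict:
    """Alert once per source that hits >= threshold distinct (dst, port) pairs within window_s."""
    recent = defaultdict(deque)   # src -> events still inside the sliding window
    alerts = {}
    for ev in parse_log(text):
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while ev["ts"] - q[0][0] > timedelta(seconds=window_s):
            q.popleft()   # drop events older than the window
        targets = {(dst, port) for _, dst, port in q}
        if len(targets) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {"first": q[0][0], "last": ev["ts"],
                                 "ports": sorted(port for _, port in targets)}
    return alerts

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(info['ports'])} ports -> {info['ports']}")
```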
Scanning Tools:
For Linux:
• Nmap
• OpenVAS
• Nikto
• Hping3
• Maltego
For Windows:
Portable Network Scanners:
Online Vulnerability Scanners:
• Acunetix
Best Commercial Vulnerability Scanners:
• Core Impact
• GFI LanGuard
• MBSA
• Nessus
• Nexpose
• Nipper
• OpenVAS
• QualysGuard
• Retina
• SAINT