Scanning

Active vs Passive Fingerprinting during scanning

September 22, 2016 Scanning

Fingerprinting is a process of identifying operating system based on fingerprints that system returns during scan. There is 2 types of fingerprinting passive and active both offer pros and cons during scanning.
(more…)

Types of port scans

September 19, 2016 Scanning

Ones we located Live systems on the network we can start exploring open ports. There is number of scans we can use for that. It is also very helpful to understand 3 way tcp heandshake when executing scans.
(more…)

Checking for Live Systems

September 19, 2016 Scanning ,

One of the steps in scanning process is investigating target and checking weather system is up or down and what services or ports are open. For this number of tools can be used. We will have quick look at this tools and see how they work.

Checking for Live Systems

Ping
Ping is great for performing initial scanning, It works by using ICMP (Internet Control Message Protocol). Ping works very simply by sending ICMP echo request to another system. If system is on it will send ICMP echo reply. Ping can provide information like TTL and turn around speed. With some useful switches we can also determine frame size. In some cases if ping is disabled on firewall you will not get reply back. In this case other scanning techniques must be used.

#ping "target"

Nmap
The other way to ping remote is system is by using nmap

nmap -sP -v google.com

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 09:20 EDT
Initiating Ping Scan at 09:20
Scanning google.com (172.217.3.142) [2 ports]
Completed Ping Scan at 09:20, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:20
Completed Parallel DNS resolution of 1 host. at 09:20, 0.04s elapsed
Nmap scan report for google.com (172.217.3.142)
Host is up (0.019s latency).
rDNS record for 172.217.3.142: yyz08s13-in-f142.1e100.net
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Performing ping sweep with nmap.

#nmap -sP -PE -PA21,23,80,3389 192.168.0.1-80

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 09:29 EDT
Nmap scan report for 192.168.0.1
Host is up (0.00024s latency).
MAC Address: B4:0C:25:4B:8A:12 (Palo Alto Networks)
Nmap scan report for 192.168.0.2
Host is up (0.0012s latency).
MAC Address: 00:24:F7:3D:2C:00 (Cisco Systems)
Nmap scan report for 192.168.0.6
Host is up (0.0020s latency).
MAC Address: 00:24:C3:47:2A:C0 (Cisco Systems)
Nmap scan report for 192.168.0.15
Host is up (-0.097s latency).
MAC Address: 00:CA:E5:67:A3:40 (Unknown)
Nmap scan report for 192.168.0.29
Host is up (0.00065s latency).
MAC Address: 00:1E:4F:BC:ED:1A (Dell)
Nmap scan report for 192.168.0.18
Host is up.
Nmap done: 80 IP addresses (6 hosts up) scanned in 1.91 seconds

Drawback of ping sweeps
1. Can be blocked by firewall
2. Can be detected by IDS
3. Can not detect systems that are down

More useful nmap commands
Scan a single IP

nmap 192.168.1.1

Scan a host

nmap www.testhostname.com 

Scan a range of IPs

nmap 192.168.1.1-20

Scan a subnet

	nmap 192.168.1.0/24 

Scan targets from a text file

nmap -iL list-of-ips.txt

Hping3
hping3 is more advanced in a sense that it can not only send ICMP packets but it also can craft TCP/IP packets allowing us to asess response from remote host. It suports TCP, UDP, ICMP, RAW-IP.
Lets see some basic examples:

hping3 -1 mysite.com
HPING mysite.com (eth0 x.x.x.x): icmp mode set, 28 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=55 id=57282 icmp_seq=0 rtt=11.8 ms
len=46 ip=x.x.x.x ttl=55 id=10785 icmp_seq=1 rtt=16.1 ms
len=46 ip=x.x.x.x ttl=55 id=26850 icmp_seq=2 rtt=16.2 ms
len=46 ip=x.x.x.x ttl=55 id=43625 icmp_seq=3 rtt=20.4 ms
^C
--- ontla.on.ca hping statistic ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 11.8/16.1/20.4 ms

In this example we will check weather firewall is blocking ping requests.

hping3 -c 1 -V -p 80 -s 5050 -A mydomain.com
using eth0, addr: 192.168.0.18, MTU: 1500
HPING ontla.on.ca (eth0 x.x.x.x): A set, 40 headers + 0 data bytes

--- mydomain.com hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Scanning and different types of scans

September 16, 2016 Scanning

Scanning is a process of probing target with intend to reveal useful information that can be used for other stages of attacks.
Scans can be broken into 3 different categories.
Port Scan
Network Scan
Vulnerability Scan
(more…)