Venom Academy/Ethical Hacking/Scanning and Enumeration

In this chapter we will be discussing scanning and enumeration. Enumeration is done to collect as much information as possible about live systems: which targets are up, which ports are open, and what services are listening on them.

Host discovery
The first and most important thing a pen tester needs to know is how to identify which targets are alive and which are not. We can use a variety of methods and programs to discover live targets. One of the most commonly used is ping, which works by sending ICMP echo requests to a system and checking whether it replies. Let's run a ping against Google:

ping www.google.com

Pinging [74.125.232.145] with 32 bytes of data:
Reply from 74.125.232.145 time=253ms TTL=51
Reply from 74.125.232.145 time=192ms TTL=51
Reply from 74.125.232.145 time=165ms TTL=51

Nmap
A great program called nmap (Network Mapper) makes enumeration easier by allowing us to scan whole ranges of systems. Here is how we could use it:

nmap -sP "ip address"

The -sP option tells nmap to identify live systems only (a ping scan); in current nmap releases -sP is a deprecated alias for -sn. Here is an example:

root@venom [$]~ nmap -sP 192.168.15.1/24
Starting nmap 7.1 ( https://nmap.org ) at 2019-12-27 18:9 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
Mac Address: 20:21:7B:65:12:2A (Intel Corporate)
Nmap scan report for root (192.168.15.23)
Host is up.

Port Scanning
Port scanning is primarily divided into two categories, TCP scanning and UDP scanning. Port scanning is performed to identify the services that run on a port, or simply whether a port is open or not. Nmap supports a wide variety of scanning methods, such as TCP connect scans and TCP SYN scans.

Nmap uses the following general syntax:

nmap

For a beginner the following syntax would be applicable:

nmap

The example above should return details about the open ports on a target host. We can also scan a whole range of hosts using the * wildcard, as in the example below:

root@venom [$]~ nmap 192.168.15.*
Starting nmap 7.1 ( https://nmap.org ) at 2019-12-27 18:9 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
PORT      STATE   SERVICE
53/TCP    Open    domain
80/TCP    Open    http
21/TCP    Open    ftp

This nmap scan scans every host in 192.168.15.0-255 and then reports the open ports in detail. Results are only shown for the systems that are alive.

Port status types
Nmap can scan hosts, as we already know, but it also reports the state each scanned port was in at that moment. The port states nmap reports are listed below:

 * Open - The port can be accessed and an application on the target host is listening on it
 * Closed - The port is reachable but no application on the target host is listening on it
 * Filtered - Nmap was not able to figure out whether the port is open or closed; this usually means a firewall or filter is dropping the probes
 * Unfiltered - The port is accessible but nmap cannot tell whether it is open or closed
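Both the port-scan listing above and this table of states are easier to work with once the report is parsed into data. The following is an added Python example, not code from this chapter or from the nmap project: it parses a constructed sample of nmap's human-readable output (the host names, addresses and ports are made up), counts ports per state, and compares the open ports against an allowlist of services an administrator expects to be exposed. The allowlist format and the function names are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample of nmap normal output, modelled on the listings in this
# chapter; host names, addresses and ports are made up for the example.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.1 ( https://nmap.org ) at 2019-12-27 18:09 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
PORT     STATE         SERVICE
21/tcp   open          ftp
53/tcp   open          domain
80/tcp   open          http
443/tcp  closed        https
8080/tcp filtered      http-proxy
Nmap scan report for fileserver (192.168.15.23)
Host is up (0.0010s latency).
PORT     STATE         SERVICE
22/tcp   open          ssh
139/tcp  open|filtered netbios-ssn
Nmap scan report for 192.168.15.40
Host is down.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.12 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<addr>[\d.]+)\)?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)")


def parse_nmap_output(text):
    """Turn nmap's human-readable report into a list of per-host dicts."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"addr": m.group("addr"), "name": m.group("name"),
                       "up": None, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Host is up"):
            current["up"] = True
        elif line.startswith("Host is down"):
            current["up"] = False
        else:
            p = PORT_RE.match(line)
            if p:
                current["ports"].append({
                    "port": int(p.group("port")), "proto": p.group("proto"),
                    "state": p.group("state"), "service": p.group("service")})
    return hosts


def live_hosts(hosts):
    """Addresses of hosts nmap reported as up."""
    return [h["addr"] for h in hosts if h["up"]]


def count_states(hosts):
    """How many ports ended up in each nmap state across the whole scan."""
    return Counter(p["state"] for h in hosts for p in h["ports"])


def open_ports(hosts):
    """Map each address to its sorted list of ports in state 'open'."""
    return {h["addr"]: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
            for h in hosts if h["ports"]}


def unexpected_open_ports(hosts, allowed):
    """Compare open ports against an allowlist {addr: {port, ...}} of services
    that are supposed to be exposed; anything else is worth investigating."""
    unexpected = {}
    for addr, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowed.get(addr, set())]
        if extra:
            unexpected[addr] = extra
    return unexpected


if __name__ == "__main__":
    scan = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print("live hosts:", live_hosts(scan))
    print("states:", dict(count_states(scan)))
    print("unexpected:", unexpected_open_ports(scan, {"192.168.15.1": {53, 80}}))
```

Hosts missing from the allowlist have every open port reported, which is the safe default for a baseline check: a newly appeared host with listening services is exactly what you want to notice.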

Vulnerability scanning
Let's now look into scanning for hosts that can be used in an idle scan. For this phase we use hping3. This tool was originally written for testing firewalls, and was later put to use for idle scanning. The main syntax of hping3 is shown below:

hping3 -S -r

As shown above, -S sets the SYN flag on the probes that are sent, and -r displays the IP ID of each reply relative to the previous one (the relative ID), which makes an incrementing sequence easy to spot.

Now let's perform an example on the host 192.168.15.211:

root@venom [$]~ hping3 -S -r 192.168.15.211
HPING 192.168.15.211 (eth0 192.168.15.211): S set, 40 headers + 0 data bytes
len=46 IP=192.168.15.211 ttl=128 id=+1 sport=0 flags=RA seq=1 win=0 rtt=0.8 ms

As you can see, the ID increments by 1 with each reply. This shows that the target's IP ID sequence is predictable enough for it to become our zombie, and we can use it for our idle scan. Alternatively we can use the Metasploit auxiliary module to check whether the host could be used as a zombie. Launch Metasploit with the command below:

msfconsole

Wait for the Metasploit console to open; you will then see a prompt similar to this one:

msf >

Now select the module you want to use, in this case the ipidseq module:

msf > use auxiliary/scanner/ip/ipidseq

Now specify the target host; in my example the target host is 192.168.15.211:

msf auxiliary(ipidseq) > set rhost 192.168.15.211

To launch the module we use the run command:

msf auxiliary(ipidseq) > run
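To make sense of what the id=+1 column and the ipidseq module are reporting, here is an added Python example that is not from this chapter, hping3 or Metasploit. It takes IP ID values observed in successive replies from a host (four constructed sequences, all values made up), renders them as hping3's -r option does, and classifies the sequence with a simplified version of the classes nmap and ipidseq use. From the defender's side this is an audit: a host classified as incremental has a predictable IP ID counter and should be patched or replaced with a system that randomizes IP IDs. The threshold of nine per step and the function names are this example's own choices.

```python
# Constructed IP ID sequences, as observed in successive replies from four
# hypothetical hosts (all values made up for the example).
SAMPLE_IPID_SEQUENCES = {
    "legacy-printer": [4096, 4097, 4098, 4099, 4100, 4101],
    "little-endian-counter": [0x0100, 0x0200, 0x0300, 0x0400, 0x0500],
    "hardened-host": [54321, 123, 44444, 9000, 61000, 31337],
    "zero-id-host": [0, 0, 0, 0, 0],
}


def relative_ids(ids):
    """Render each reply's IP ID as an increment over the previous reply,
    which is what hping3's -r option prints in its id= column."""
    return [f"{(b - a) % 65536:+d}" for a, b in zip(ids, ids[1:])]


def _byteswap16(value):
    """Swap the two bytes of a 16-bit IP ID (some stacks count in the wrong byte order)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def _small_steps(ids, max_step):
    """True when every consecutive difference (mod 2^16) is a small positive step."""
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return all(1 <= s <= max_step for s in steps)


def ipid_class(ids, max_step=9):
    """Classify a sequence of IP IDs (simplified version of the classes the
    Metasploit ipidseq module and nmap report)."""
    if len(ids) < 3:
        raise ValueError("need at least three samples to classify")
    if all(i == 0 for i in ids):
        return "all zeros"
    if _small_steps(ids, max_step):
        return "incremental"
    if _small_steps([_byteswap16(i) for i in ids], max_step):
        return "broken little-endian incremental"
    return "random"


def predictable_ipid(ids):
    """True when the host's IP ID counter is predictable. Such a host can be
    abused as an idle-scan zombie; the fix is an OS that randomizes IP IDs."""
    return ipid_class(ids) in ("incremental", "broken little-endian incremental")


def audit(samples):
    """Classify every host in {name: [ids]} so the predictable ones can be listed."""
    return {name: ipid_class(ids) for name, ids in samples.items()}


if __name__ == "__main__":
    for name, ids in SAMPLE_IPID_SEQUENCES.items():
        print(f"{name:22} {ipid_class(ids):34} {' '.join(relative_ids(ids))}")
```

The differences are taken modulo 65536 so that the counter wrapping from 65535 to 0 still shows as +1 rather than as a large negative jump, which is also how the "all zeros" host is kept out of the incremental class.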

TCP SYN Scan
The TCP SYN scan is the default scan type nmap runs against the specified target when it has raw-socket privileges. It is the fastest scan to perform and is often called a half-open scan, because it never completes the TCP handshake. The scan works as follows:

 * The scanning machine sends a SYN packet to port 80 on the target host
 * If the target machine responds with a SYN/ACK packet then nmap knows that this port is open on the target host; nmap then sends a RST instead of completing the handshake
 * If the target machine responds with a RST packet then nmap knows the port is closed
 * If there is no response from the target machine after sending the packet then nmap marks the port as filtered

A SYN scan is performed using the command below:

nmap -sS

Null Scan
A Null scan is performed by sending a TCP packet with no flag bits set in the TCP header. If no response is returned then the port is open (nmap reports it as open|filtered, because a firewall silently dropping the probe produces the same silence). Receipt of a RST packet indicates the port is closed. A Null scan is performed using the following syntax:

nmap -sN

FIN Scan
Normally the FIN flag is used to close a currently open connection. In a FIN scan the sender sends a packet with only the FIN flag set to the target host. If no response returns then the port is open (again reported as open|filtered); if the target machine responds with a RST then the port is closed. Note that Null and FIN scans rely on the target following the TCP specification: systems such as Windows reply with a RST regardless of the port's state, so every port appears closed. The syntax for a FIN scan is:

nmap -sF
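The three scan types just described leave distinctive traces on the wire: a SYN that is never followed by an ACK from the same source, a segment with no flags at all, or a lone FIN on a port that never saw a SYN. The following is an added Python example from the defender's side, not code from this chapter or from nmap: it runs simple detection logic over a constructed list of packet summaries (every address, port and timestamp is made up) and reports sources that probe many ports in one of those ways. The record format, the min_ports threshold and the function names are this example's own assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (timestamp, src, dst, dst_port, TCP flags) in
# the style of a tcpdump one-liner; every address and port is made up.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 443]
SAMPLE_PACKETS = [
    # an ordinary client: full handshake with 192.168.15.1:80, then a FIN/ACK close
    (1.00, "192.168.15.50", "192.168.15.1", 80, "S"),
    (1.01, "192.168.15.50", "192.168.15.1", 80, "A"),
    (1.02, "192.168.15.50", "192.168.15.1", 80, "PA"),
    (9.00, "192.168.15.50", "192.168.15.1", 80, "FA"),
]
# SYN scanner: one SYN to each port, never an ACK (half-open)
SAMPLE_PACKETS += [(2.0 + i / 100, "192.168.15.99", "192.168.15.1", p, "S")
                   for i, p in enumerate(SCAN_PORTS)]
# Null scanner: segments with no flag bits set at all
SAMPLE_PACKETS += [(3.0 + i / 100, "192.168.15.77", "192.168.15.23", p, "")
                   for i, p in enumerate(SCAN_PORTS[:6])]
# FIN scanner: a lone FIN on ports that never saw a SYN
SAMPLE_PACKETS += [(4.0 + i / 100, "192.168.15.66", "192.168.15.23", p, "F")
                   for i, p in enumerate(SCAN_PORTS[:5])]


def detect_scans(packets, min_ports=5):
    """Flag sources that probe at least min_ports distinct (dst, port) pairs with
    half-open SYNs, flagless (Null) segments or bare FINs."""
    syn_seen = defaultdict(set)    # src -> {(dst, port)} that received a SYN
    completed = defaultdict(set)   # src -> {(dst, port)} that later saw an ACK-bearing segment
    null_probes = defaultdict(set)
    fin_probes = defaultdict(set)
    for _ts, src, dst, port, flags in packets:
        key = (dst, port)
        if flags == "S":
            syn_seen[src].add(key)
        elif "A" in flags:
            completed[src].add(key)
        elif flags == "":
            null_probes[src].add(key)
        elif flags == "F":
            fin_probes[src].add(key)

    findings = []

    def report(kind, table):
        for src, keys in sorted(table.items()):
            if len(keys) >= min_ports:
                findings.append({"src": src, "scan": kind,
                                 "targets": sorted({d for d, _ in keys}),
                                 "ports": sorted({p for _, p in keys})})

    # a SYN that the same source later acknowledged was a real connection, not a probe
    half_open = {src: keys - completed[src] for src, keys in syn_seen.items()}
    report("syn", half_open)
    report("null", null_probes)
    report("fin", fin_probes)
    return findings


if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_PACKETS):
        print(f"{finding['scan']:4} scan from {finding['src']} -> "
              f"{finding['targets']} ports {finding['ports']}")
```

The legitimate client is cleared because its SYN is followed by ACK-bearing segments, and its closing FIN/ACK carries the ACK bit, so it never counts as a bare-FIN probe. On real traffic the thresholds would be applied per time window, and the RST replies the target sends to Null and FIN probes on closed ports are a second signal worth correlating.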

Stealth Scan

Nmap's -T timing templates control how fast a scan runs and, with it, how much it stands out on the network; choosing a slower template is what makes a scan "stealthy". The templates are listed below:

 * paranoid (0) - No parallel scanning. 5 minutes between sending packets.
 * sneaky (1) - No parallel scanning. 15 seconds between sending packets.
 * polite (2) - No parallel scanning. 0.4 seconds between sending packets.
 * normal (3) - Default scanning. Tries to be very fast without overloading the network.
 * aggressive (4) - Faster than normal, but loads the network.
 * insane (5) - Parallel scans, times out hosts in 15 minutes, won't wait more than 0.3 seconds for an individual probe. Loses a lot of information.

nmap also provides options to control scan timing and time-outs. Combining these with the templates above gives more finely tuned scans, for example a scan sending 100 packets per minute. Try the scan below yourself:

root@venom [$]~ nmap -T sneaky --scan_delay 600

Here --scan_delay 600 makes nmap wait 600 ms between probes, which works out to about 100 probes per minute; current nmap releases spell the option --scan-delay and accept a unit suffix such as 600ms.