
Scanning


elouise

Presentation Transcript


  1. Scanning Offensive Security

  2. Scanning
     • We have an idea of where to look now
       • IP address(es)
       • Domains
     • Moving from passive reconnaissance to active
     • Instead of driving down the street, we're knocking on doors

  3. Scanning
     • LEGAL
       • We are sending data to hosts
       • Do you have permission to do so? Get the scope and the authorization in writing before the first packet leaves your machine

  4. Ping
     • Before spending time on a scan, check which hosts are up
       • What if a computer is offline?
       • Or in the middle of a reboot?
     • Firewalls can block ICMP, so "no reply" does not mean "no host"
       • Host based
       • Network based
     • Nmap's host discovery (-sn) also sends TCP probes to 80 and 443; -Pn skips discovery and scans every target regardless

  5. ARP
     • ARP scan
       • Only works on the local LAN (ARP is not routed)
       • Sends an ARP request for each address on the subnet
       • Any host that answers is up, whatever its firewall drops at layer 3
       • Tools: arp-scan, or nmap -sn -PR
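What an ARP scan actually puts on the wire, as an added example (not part of the original slides): a request frame is built by hand, the reply is parsed, and a sweep function sends one request per address on the subnet and collects the replies. The MAC addresses, IPs and interface name are made up; the sweep itself needs Linux (AF_PACKET) and CAP_NET_RAW, while building and parsing frames works anywhere.

```python
"""Build, parse and (on Linux, as root) send ARP requests: what an ARP scan puts on the wire."""
import ipaddress
import socket
import struct
import time

ETH_P_ARP = 0x0806
ETH_FMT = "!6s6sH"            # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def _mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip4(text):
    return ipaddress.IPv4Address(text).packed


def build_arp(oper, src_mac, src_ip, dst_mac, dst_ip):
    """oper 1 = request, 2 = reply. A request goes to the broadcast MAC with an all-zero target MAC."""
    eth_dst = BROADCAST if oper == 1 else _mac(dst_mac)
    tha = ZERO_MAC if oper == 1 else _mac(dst_mac)
    eth = struct.pack(ETH_FMT, eth_dst, _mac(src_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      _mac(src_mac), _ip4(src_ip), tha, _ip4(dst_ip))
    return eth + arp


def build_arp_request(src_mac, src_ip, target_ip):
    return build_arp(1, src_mac, src_ip, "00:00:00:00:00:00", target_ip)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    return build_arp(2, src_mac, src_ip, dst_mac, dst_ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _, _, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(oper, oper),
        "sender_mac": _mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": _mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def arp_sweep(iface, src_mac, src_ip, cidr, timeout=1.0):
    """Ask for every address in cidr and collect replies. Linux AF_PACKET only; needs CAP_NET_RAW."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.settimeout(timeout)
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        sock.send(build_arp_request(src_mac, src_ip, str(host)))
    alive = {}
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            pkt = parse_arp(sock.recv(65535))
        except (socket.timeout, TimeoutError):
            break
        # Only replies addressed to us count; requests from other hosts are background noise.
        if pkt and pkt["op"] == "reply" and pkt["target_ip"] == src_ip:
            alive[pkt["sender_ip"]] = pkt["sender_mac"]
    sock.close()
    return alive


if __name__ == "__main__":
    # Interface, MAC and addresses below are assumed values; replace them with your own.
    print(arp_sweep("eth0", "02:00:00:00:00:01", "192.168.1.10", "192.168.1.0/24"))
```

Because the reply comes straight from the target's NIC stack, a host that silently drops ICMP and TCP probes still shows up here, which is why an ARP sweep is the most reliable discovery method when you are on the same segment.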

  6. Port scanning
     • So we know where the hosts are now
     • What is a port?
       • A 16-bit number (0-65535) that identifies a service endpoint on a host, per transport protocol (TCP or UDP)
     • Well-known ports
       • 0-1023 (registered ports are 1024-49151, dynamic/ephemeral ports 49152-65535)

  7. Why are they important?
     • Find what services are offered on the host
     • Might help us identify the OS
     • Identify vulnerabilities
     • Doorway into the system
     • Launch an exploit

  8. Nmap
     • Most common scanning tool
     • Flexible/extendable
       • Nmap Scripting Engine (NSE)
     • Flags
     • Nmap cheat sheet

  9. Nmap flags
     • -T4: timing template (0-5; faster than the default -T3, noisier and more likely to drop probes on a poor link)
     • -Pn: no ping (skip host discovery, treat every target as up)
     • -n: no DNS resolution
     • --open: only show open ports
     • -sT: TCP connect scan (full three-way handshake, works without root; -sS is the half-open SYN scan and needs raw sockets)
     • -sV: gather service/version information from banners and probes
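What -sT does under the hood, as an added example (not code from the slides): each probe is a full connect(), and the kernel's answer tells the three states apart. A completed handshake is open, an RST (ConnectionRefusedError) is closed, and silence until the timeout is filtered. Targets are given as IP addresses so nothing is resolved (the -n case), no ping is sent first (the -Pn case), and open_only mirrors --open. The two helper functions at the end open and release loopback ports so the scanner can be tried offline; the port spec syntax follows nmap's -p.

```python
"""A minimal -sT style TCP connect scan (full three-way handshake via connect())."""
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """Expand an nmap-style port spec, e.g. "22,80,443,8000-8100", into a sorted list."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {part}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def connect_probe(host, port, timeout=1.0):
    """One probe. 'open': handshake completed. 'closed': RST came back, so the host is up but
    nothing listens there. 'filtered': no answer before the timeout (a firewall dropped the SYN,
    or the host is down)."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:            # e.g. host unreachable: treat like a dropped probe
            return "filtered"


def connect_scan(host, ports, timeout=1.0, workers=64, open_only=True):
    """Scan `ports` on `host` in parallel; open_only behaves like nmap's --open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = dict(zip(ports, pool.map(lambda p: connect_probe(host, p, timeout), ports)))
    return {p: s for p, s in states.items() if s == "open"} if open_only else states


def listen_on_localhost():
    """Open a listening socket on a free loopback port so the scanner can be tried offline.
    The kernel completes the handshake for a listening socket even if nobody calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def unused_localhost_port():
    """Grab and release a free loopback port so there is a known-closed port to probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = listen_on_localhost()
    spec = f"{open_port},{unused_localhost_port()}"
    print(connect_scan("127.0.0.1", parse_ports(spec), open_only=False))
    srv.close()
```

The difference from a SYN scan is visible on the target: connect() completes the handshake, so the service's own log (sshd, a web server) records a connection and immediate disconnect for every open port, which is exactly the noise -sS avoids.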

  10. Nmap Scripting Engine (NSE)
      • Scripts to check for more details, selected with --script (by name or category; -sC runs the "default" category)
        • Vulnerabilities (vuln)
        • Service details (version)
        • Discovery (discovery)
        • Auth (auth)
        • Bruteforcing (brute)
        • Etc.
      • Caveat: brute, vuln and anything tagged intrusive generate logs, lockouts and occasionally crashed services; make sure the rules of engagement cover them

  11. Masscan/ZMap
      • Large-scale (Internet-wide) scanners
      • zmap.io
      • Faster = chance of error: they are stateless and transmit at line rate, so replies lost to rate limiting or congestion simply look like closed ports; confirm hits with a second pass in Nmap

  12. Common ports & services
      • 21 – FTP
      • 22 – SSH
      • 23 – Telnet
      • 25 – SMTP
      • 53 – DNS (TCP and UDP)
      • 80 – HTTP
      • 110 – POP3
      • 123 – NTP (UDP)
      • 135 – MS-RPC endpoint mapper
      • 443 – HTTP over TLS/SSL (HTTPS)
      • 445 – SMB
      • 514 – Syslog (UDP)
      • 3389 – RDP (Microsoft Terminal Server)
      • 5900 – VNC (display 0; 5500 is the viewer port used for reverse VNC connections)
      • UDP services will not appear in a TCP scan; they need a separate -sU pass

  13. Common ports & services
      • Do they always have to be on those ports? No: the number is only a convention, and an admin can move SSH to 2222 or put a web server on 8443
      • Dynamic services
      • What about development ports?
        • Database ports – 1433 (MSSQL), 3306 (MySQL), 27017 (MongoDB)
        • Dev web servers – 8080, 8443, 10443
        • Etc.
      • The port number alone proves nothing; the banner or protocol handshake (-sV) tells you what is really listening
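Identifying a service by what it says rather than by the port it sits on, as an added example (not code from the slides). The banner rules match how each protocol greets a client (SSH, VNC/RFB, FTP, SMTP, POP3, IMAP, the MySQL handshake packet, an HTTP status line); the port table is only a fallback hint. grab_banner waits for a server-speaks-first greeting and, if the service stays quiet, sends a harmless HTTP HEAD. The port table and signatures are a hand-picked subset, and the host and port in the usage line are placeholders.

```python
"""Identify a service from its banner, not from the port number (the idea behind nmap -sV)."""
import re
import socket

# Port-number convention only: a hint, never evidence (hand-picked subset of the IANA list).
PORT_HINTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
              110: "pop3", 143: "imap", 443: "https", 445: "smb", 1433: "mssql",
              3306: "mysql", 3389: "rdp", 5900: "vnc", 8080: "http", 27017: "mongodb"}

# Banner signatures: how the protocol itself greets a client. First match wins.
BANNER_RULES = [
    ("ssh",   re.compile(rb"^SSH-\d\.\d-")),
    ("vnc",   re.compile(rb"^RFB \d{3}\.\d{3}\n")),
    ("http",  re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("ftp",   re.compile(rb"^220[ -].*\b(FTP|vsFTPd|ProFTPD|FileZilla)\b", re.I)),
    ("smtp",  re.compile(rb"^220[ -].*\b(E?SMTP|Postfix|Exim|Sendmail)\b", re.I)),
    ("pop3",  re.compile(rb"^\+OK\b")),
    ("imap",  re.compile(rb"^\* OK\b")),
    # MySQL handshake: 3-byte length, sequence byte 0, protocol version 10 (0x0a), version string.
    ("mysql", re.compile(rb"^.{3}\x00\x0a\d+\.\d+\.\d+", re.S)),
]

HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def identify_service(port, banner):
    """Return (service, evidence). Banner evidence beats the port-number convention."""
    for name, rule in BANNER_RULES:
        if rule.search(banner):
            return name, "banner"
    if port in PORT_HINTS:
        return PORT_HINTS[port], "port-number guess"
    return "unknown", "none"


def grab_banner(host, port, timeout=2.0):
    """Connect, wait for a server-speaks-first greeting; if the service is silent, send an HTTP probe."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        data = b""
        try:
            data = sock.recv(1024)
        except (socket.timeout, TimeoutError):
            pass
        if not data:                       # client-speaks-first protocol, e.g. HTTP
            sock.sendall(HTTP_PROBE)
            try:
                data = sock.recv(1024)
            except (socket.timeout, TimeoutError):
                pass
        return data


def fingerprint(host, port, timeout=2.0):
    banner = grab_banner(host, port, timeout)
    service, evidence = identify_service(port, banner)
    return {"port": port, "service": service, "evidence": evidence, "banner": banner[:80]}


if __name__ == "__main__":
    # Placeholder target; only run this against hosts you are authorized to scan.
    print(fingerprint("127.0.0.1", 2222))
```

Note the asymmetry: an SSH banner on port 80 is still SSH, but an empty banner on 3389 is only a guess until you speak RDP to it, which is what nmap's version probes do for protocols that do not announce themselves.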

  14. What should you scan?
      • Considerations
        • Time available
        • Number of hosts
        • Goal?
      • Ports 1-1024?
        • What about 5900?
      • Scanner options
        • Nmap top ports (--top-ports N; with no -p at all, Nmap scans its 1000 most common ports, not 1-1024)
        • Port list (-p with an explicit list or ranges; -iL for a file of hosts)

  15. Scanning IPv6 hosts
      • Not every host is running IPv4
      • A system may have both
      • Full migration to 6 is slow
      • Services don't have to listen on all interfaces, so a port closed on the v4 address may be open on the v6 one
      • nmap -T4 -Pn -n -sT -sV -6 fc00:660:0:1::46
      • Sweeping a /64 is not feasible; get v6 targets from DNS (AAAA records), neighbor tables and the v4 hosts you already found

  16. Documentation is key
      • Remember when I said reporting is a constant process?
      • Keep all scan data (nmap -oA <basename> writes normal, grepable and XML output in one go)
      • You may come back later and have different results
      • What if the customer needs to deconflict? Record for every scan:
        • Time (start and end, with timezone)
        • Source of scan (the address you scanned from)
        • Hosts/ports scanned
