Scanning
Offensive Security

Scanning
• We have an idea of where to look now
  • IP address(es)
  • Domains
• Moving from passive reconnaissance to active
  • Instead of driving down the street, we're knocking on doors

Scanning
• LEGAL
  • We are sending data to hosts
  • Do you have permission to do so?

Ping
• Before spending time on a scan
  • Check to see which hosts are up
• What if a computer is offline?
  • In the middle of a reboot?
• Firewalls could block ICMP
  • Host based
  • Network based

ARP
• ARP scan
  • Only works on the local LAN
  • Sends ARP packets to other hosts on the network
  • Checks for responses

Port scanning
• So we know where the hosts are now
• What is a port?
• Well-known ports
  • 1-1024

Why are they important?
• Find what services are offered on the host
  • Might help us identify the OS
• Identify vulnerabilities
  • Doorway into the system
  • Launch an exploit

Nmap
• Most common scanning tool
• Flexible/extendable
  • Nmap Scripting Engine
• Flags
• Nmap cheat sheet

Nmap Flags
• -T4
  • Speed
• -Pn
  • No ping
• -n
  • No DNS resolution
• --open
  • Only show open ports
• -sT
  • TCP scan
• -sV
  • Gather service information

Nmap Scripting Engine (NSE)
• Scripts to check for more details
  • Vulnerabilities
  • Service details
  • Discovery
  • Auth
  • Brute forcing
  • Etc.

Masscan/Zmap
• Large-scale scanners
  • Zmap.io
• Faster = chance of error

Common Ports & Services
• 80 - HTTP
• 21 - FTP
• 22 - SSH
• 23 - Telnet
• 25 - SMTP
• 53 - DNS
• 135 - RPC
• 110 - POP3
• 123 - NTP
• 443 - HTTP over TLS/SSL (HTTPS)
• 445 - SMB
• 514 - Syslog
• 3389 - RDP (Microsoft Terminal Server)
• 5500 - VNC

Common Ports & Services
• Do they always have to be on those ports?
  • Dynamic services
• What about development ports?
  • Database ports - 1433, 3306, 27017
  • Dev web servers - 8080, 8443, 10443
  • Etc.

What should you scan?
• Considerations
  • Time available
  • Number of hosts
  • Goal?
• Ports 1-1024?
  • What about 5900?
• Scanner options
  • Nmap top ports
  • Port list file

Scanning IPv6 Hosts
• Not every host is running IPv4
  • A system may have both
  • Full migration to IPv6 is slow
• Services don't have to listen on all interfaces
• nmap -T4 -Pn -n -sT -sV -6 fc00:660:0:1::46

Documentation is key
• Remember when I said reporting is a constant process?
• Keep all scan data
  • You may come back later and have different results
• What if the customer needs to deconflict?
  • Time
  • Source of scan
  • Hosts/ports scanned
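The "Common Ports & Services" and "Documentation is key" slides together suggest a small habit: keep the raw Nmap output and turn it into a deconfliction record (when, what command, which hosts/ports) while flagging services that sit on unexpected ports. The Python below is an added example, not part of the deck; it parses Nmap's grepable (-oG) format, the sample scan text is constructed, and the port-to-service table is the deck's own list using Nmap's service names.

```python
import re
# Expected service names for the deck's "Common Ports & Services" list (Nmap's own names).
EXPECTED = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 80: "http",
            110: "pop3", 123: "ntp", 135: "msrpc", 443: "https", 445: "microsoft-ds",
            514: "syslog", 3389: "ms-wbt-server"}
DEV_PORTS = {1433, 3306, 27017, 8080, 8443, 10443}  # database and dev web ports from the slides

# Constructed sample of Nmap grepable (-oG) output; not a real scan.
SAMPLE = """\
# Nmap 7.94 scan initiated Mon Jan  8 09:14:02 2024 as: nmap -T4 -Pn -n -sT -sV --open -oG scan.gnmap 192.0.2.10 192.0.2.11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//ssh//OpenSSH 8.9p1/, 8080/open/tcp//http//Jetty 9.4/\tIgnored State: closed (998)
# Nmap done at Mon Jan  8 09:14:20 2024 -- 2 IP addresses (2 hosts up) scanned in 18.02 seconds
"""
HEADER = re.compile(r"^# Nmap .* scan initiated (.+?) as: (.+)$")
HOST = re.compile(r"^Host: (\S+) .*?Ports: (.+?)(?:\tIgnored State:.*)?$")

def parse_gnmap(text):
    """Turn -oG output into a deconfliction record: start time, exact command, open ports per host."""
    rec = {"started": "", "command": "", "hosts": {}}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec["started"], rec["command"] = m.group(1), m.group(2)
            continue
        m = HOST.match(line)
        if m:  # each entry is port/state/proto/owner/service/rpcinfo/version/
            f = [e.split("/") for e in m.group(2).split(", ")]
            rec["hosts"][m.group(1)] = [(int(p[0]), p[2], p[4], p[6]) for p in f if p[1] == "open"]
    return rec

def unusual_ports(rec):
    """Flag open ports that disagree with the well-known mapping or sit on dev/database ports."""
    out = []
    for ip, ports in rec["hosts"].items():
        for port, _proto, service, _version in ports:
            if port in DEV_PORTS:
                out.append((ip, port, f"dev/database port running {service}"))
            elif port in EXPECTED and service != EXPECTED[port]:
                out.append((ip, port, f"expected {EXPECTED[port]}, saw {service}"))
            elif port not in EXPECTED:
                out.append((ip, port, f"{service} on non-standard port"))
    return out

if __name__ == "__main__":
    print(parse_gnmap(SAMPLE)["started"], unusual_ports(parse_gnmap(SAMPLE)))
```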