Lockdoor Framework

A Penetration Testing Framework

View on GitHub

Scanning

War Dialers

WarVOX

War Dialers - Now What

War Driving

Wireless Misconfiguration

Tools for Wireless LAN Discovery

Sniffing

Kismet

Additional tools for sniffing and crypto attacks

Network Mapping

Network Mapping with Nmap/Zenmap

How Traditional Traceroute Works

Port Scanning

Nmap allows for conducting numerous types of scans:

Other port scanners

Masscan

EyeWitness

Remux

Port Scanning

Port scanning is the process of checking for open TCP or UDP ports on a remote machine.

--Please note that port scanning is illegal in many countries and should not be performed outside the labs.--

Connect Scanning

># TCP Netcat port scan on ports 3388-3390
> nc -nvv -w 1 -z 10.0.0.19 3388-3390
# -n :: numeric only ip adressess no DNS
# -v :: verboose use twice to be more verboose
# -w :: (secs) timeout for connects and final net reads
# -z :: zero I/O mode (used for scanning)

Stealth / SYN Scanning

UDP Scanning

>> nc -nv -u -z -w 1 10.0-0.19 160-162
# -u :: UDP mode

Common Port Scanning Pitfalls

Port Scanning with Nmap

># We’ll scan one of my local machines while monitoring the amount
# of traffic sent to the specific host using iptables.
> iptables -I INPUT 1 -s 10.0.0.19 -j ACCEPT
> iptables -I OUTPUT 1 -d 10.0.0.19 -j ACCEPT
> iptables -Z
# -I :: insert in chain as rulenum ( default 1=first)
# -s :: source (address)
# -j :: jump target for the rulw
# -Z :: ??

> nmpap -sT 10.0.0.9
> iptables -vn -L
> iptables -Z
# -sT :: TCP Connect Scan
# -v :: Display more information in the output
# -L :: List the current filter rules.

> nmap -sT -p 1-65635 10.0.0.19
> iptables -vn -L
# -p :: port range

--Full nmap scan of a class C network (254 hosts) would result in sending over 1000 MB of traffic to the network.--

So, if we are in a position where we can’t run a full port scan on the network, what can we do?

Network Sweeping

>
> nmap -sP 192.168.1.0/24 ## Deprecated in modern versions Use -sn instead
Show ips of connected devices

> nmap -sn 192.168.11.200-250
# -sn :: ping scan
# using the grep command can give you output that’s difficult to manage.
# let’s use Nmap’s “greppable” output parameter (-oG)
> nmap -v -sn 192.168.11.200-250 -oG ping-sweep.txt
> grep Up ping-sweep.txt | cut -d " " -f 2

# we can sweep for specific TCP or UDP ports (-p) across the network
> nmap ­-p 80 192.168.11.200-250 -oG web-sweep.txt
> grep open web­-sweep.txt |cut ­-d " " -f 2

# we are conducting a scan for the top 20 TCP ports.
> nmap –sT –A --top­-ports=20 192.168.11.200-250 –oG top­-port-­sweep.txt

OS Fingerprinting

>
# OS fingerprinting (-O parameter).
> nmap -O 10.0.0.19

Nmap can also help identify services on specific ports, by banner grabbing, and running several enumeration scripts (-sV and -A parameters).

>
> nmap -sV -sT 10.0.0.19
# -sV :: probe open ports to determine service / version info

Nmap Scripting Engine (NSE)

>
> nmap 10.0.0.19 --script smb-os-discovery.nse
# Another useful script is the DNS zone transfer NSE script
> nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com

Locally checking for listening ports on windows

Locally checking for listening ports on linux

On Linux/UNIX, you could run > netstat -nap