1. Layer 2
1.1 arping
arping 192.168.0.1 -c 1 #-c send once only
1.2 NMAP
nmap -sn 192.168.0.1-254 #-sn: disable port detection, not only arping but also search dns
nmap -sn 192.168.0.1/24 #-sn: disable port detection
nmap -iL list.txt #list.txt containing ip addrsses
tip: nmap -sn ipRange , if ipRange is similar to local network, nmap would send arp package. Otherwise it would send ICMP package.
1.3 Netdiscover
netdiscover -i eth0 -r 192.168.0.1/24 # Forward way. -r range -i interface
netdiscover -p # passive way.
1.4 Scapy
capture, analyse, create, set, eject traffic
root@kali:~# scapy
>>> ARP()
>>> arp=ARP()
>>> arp.display()
>>> arp.pdst=192.168.0.1 # set destination ip
>>> sr1(arp) # send arp
2. Layer3
2.1 ping
use ICMP PROTOCAL
2.2 fping
fping can ping a ip range
2.3 hping3
root@kali:~# hping3 192.168.0.17 -c 2
HPING 192.168.0.17 (eth0 192.168.0.17): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.0.17 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=133.0 ms
len=46 ip=192.168.0.17 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=40.0 ms
--- 192.168.0.17 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 40.0/86.5/133.0 ms
3. Layer4
Target: to find ports alive
ADVANTAGES:
- the result is more reliable,
- less likely be filtered by firewall
- even find those ports being filtered
PROTOCALS:
- TCP
- UDP
3.1 Scapy
i=IP()
t=ICP()
r[IP].dst="192.168.0.18"
t[TCP].flags="A"
r.display()
a=sr1(r) # send package
>>> i=IP()
>>> t=TCP()
>>> t
<TCP |>
>>> i
<IP |>
>>> r=(i/t)
>>> r
<IP frag=0 proto=tcp |<TCP |>>
>>> r[IP].dst="192.168.0.18"
>>> r.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.0.37
dst= 192.168.0.18
>>> a=sr1(r)
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
r[TCP].dport=445
>>> r.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.0.37
dst= 192.168.0.17
\options\
###[ TCP ]###
sport= ftp_data
dport= microsoft_ds
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= A
window= 8192
chksum= None
urgptr= 0
options= []
3.2 NMAP
nmap 192.168.0.1-254 -PU53 # PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
nmap 192.168.0.1-254 -PA80
root@kali:~# nmap 192.168.0.17 -sU -p53 # -sU: UDP Scan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-03 22:28 GMT
Nmap scan report for 192.168.0.17
Host is up (0.033s latency).
PORT STATE SERVICE
53/udp closed domain
MAC Address: 34:59:12:4C:B9:07 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
3. hping3
root@kali:~# hping3 --udp 192.168.0.1 -c 1
HPING 192.168.0.1 (eth0 192.168.0.1): udp mode set, 28 headers + 0 data bytes
--- 192.168.0.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
3.4 port scan
How Port Scanning Works?
Port scanning is quite simple: a port scanner sends a request to connect to a port on a computer and records the response.
There are three possible responses:
-
Open, Accepted: The computer responds and asks if there is anything it can do for you.
-
Closed, Not Listening: The computer responds that “This port is currently in use and unavailable at this time.”
-
Filtered, Dropped, Blocked: The computer doesn’t even bother to respond, it has no time for shenanigans.
3.4.1 scanning types
Stealth Scanning - SYN
the log system of destination host would not record scanning action.
Zombie Scan
the features of zombie:
- Extremely hidden
- very hard to excute
- source address is able to forge
how to choose zombie
- spare system
- the system use increaing PID
- 0
- random
3.4.2 SYN port scaning
hping3 port scan
root@kali:~# hping3 192.168.0.17 --scan 80 -S -V
using eth0, addr: 192.168.0.37, MTU: 1500
Scanning 192.168.0.17 (192.168.0.17), port 80
1 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
80 http : ..R.A... 64 0 0 46
All replies received. Done.
Not responding ports:
root@kali:~# hping3 192.168.0.17 --scan 80 -S -V --spoof 192.168.0.21
using eth0, addr: 192.168.0.37, MTU: 1500
Scanning 192.168.0.17 (192.168.0.17), port 80
1 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
Not responding ports: (80 http)
3.4.3 full connection port scaning
if the system finish the three handshake, then we can reckon the destionation port is open. It is more accurate than SYN port scaning. It’s more likely be detected by destination system.
NMAP
root@kali:~# nmap -sT 101.201.178.55 # -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-03 23:13 GMT
Nmap scan report for 101.201.178.55
Host is up (0.24s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 15.48 seconds
dmitry
dmitry -p 101.201.178.55 # -p Perform a TCP port scan on a host
nc
root@kali:~# nc -w 1 -z -v 101.201.178.55 80 # -w: set timeout for connects and final net reads; -z: zero-I/O mode [used for scanning]; -v :verbose [use twice to be more verbose];
101.201.178.55: inverse host lookup failed: Unknown host
(UNKNOWN) [101.201.178.55] 80 (http) open
3.4.4 Zombie port scanning complement
4. Service Scanning
what to do?
- identify running applications running on the open ports
- identify os
- improve attack efficiency
- capture Banner
- identify software developer
- identify software name
- identify service type
- identify version
- search known vulnerabilities and weaknesses
- service identification
- os identication
- SNMP analysis
- simple network management protocal
- community strings
- search informaion or reconfiguration
- firewall identification
- capture Banner
4.1 banner
## using nc
root@kali:~# nc -nv 117.34.61.202 443
(UNKNOWN) [117.34.61.202] 443 (https) open
## using nmap
root@kali:~# nmap -sT 101.201.178.55 -p 443 --script=banner.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 21:00 GMT
Nmap scan report for 101.201.178.55
Host is up (0.24s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds
## search nmap scripts
root@kali:~# ls /usr/share/nmap/scripts/ | grep banner
banner.nse
## using amap
root@kali:~# amap -b 101.201.178.55 443
amap v5.4 (www.thc.org/thc-amap) started at 2020-01-04 21:06:14 - APPLICATION MAPPING mode
Protocol on 101.201.178.55:443/tcp matches http - banner: HTTP/1.1 400 Bad Request\r\nServer openresty\r\nDate Sat, 04 Jan 2020 210614 GMT\r\nContent-Type text/html; charset=utf-8\r\nContent-Length 268\r\nConnection close\r\n\r\n<html>\r\n<head><title>400 The plain HTTP request was sent to HTTPS port</title></h
Protocol on 101.201.178.55:443/tcp matches ssl - banner: (
Unidentified ports: none.
amap v5.4 finished at 2020-01-04 21:06:20
root@kali:~# nmap 101.201.178.55 -p 443 -sV # -sV: Probe open ports to determine service/version info
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 21:08 GMT
Nmap scan report for 101.201.178.55
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http OpenResty web app server
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.56 seconds
4.2 OS Identification
## using nmap
root@kali:~# nmap 101.201.178.55 -O
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 22:18 GMT
Nmap scan report for 101.201.178.55
Host is up (0.24s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.38
Aggressive OS guesses: Linux 2.6.38 (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.87 seconds
root@kali:~# nmpcheck 118.31.127.191
root@kali:~# snmpwalk 192.168.0.253 -v 3
Server Message Block (SMB) Scanning
The SMB protocol is an application layer network protocol mainly used to provide shared access to files, printers and other communication on a network. SMB works through a client server approach, which means that the client makes specific requests and the server responds accordingly.
It allows access to remotely stored files as well as other resources, including printers. The client is able to read, create, update files, and communicate with a program running on a server setup to receive the client request. The scanned files then can be accessed through the user’s network or the user’s own computer.
So what does all that mean to your network or workflow scanning? Well in order to use SMB for scanning a Scan folder must be created and configured before the network / workflow scanning can be configured. SMB scanning uses a shared folder with full control located on a network computer. Scans will be sent or filed to the shared folder.
root@kali:~# nmap -v -p443 118.31.127.191 --script=/usr/share/nmap/scripts/smb-os-discovery.nse
root@kali:# cd /usr/share/nmap/scripts
root@kali:/usr/share/nmap/scripts# enum4linux 118.31.127.91
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Feb 11 19:50:58 2020
==========================
| Target Information |
==========================
Target ........... 118.31.127.91
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 118.31.127.91 |
=====================================================
[E] Can't find workgroup/domain
=============================================
| Nbtstat Information for 118.31.127.91 |
=============================================
Looking up status of 118.31.127.91
No reply from 118.31.127.91
======================================
| Session Check on 118.31.127.91 |
======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
load balancing scanning
root@kali:/usr/share/nmap/scripts# lbd google.com
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: NOT FOUND
Checking for HTTP-Loadbalancing [Server]:
gws
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 20:02:31, 20:02:31, 20:02:31, 20:02:32, 20:02:32, 20:02:32, 20:02:32, 20:02:32, 20:02:32, 20:02:32, 20:02:32, 20:02:32, 20:02:33, 20:02:33, 20:02:33, 20:02:33, 20:02:33, 20:02:33, 20:02:33, 20:02:34, 20:02:34, 20:02:34, 20:02:34, 20:02:34, 20:02:34, 20:02:34, 20:02:34, 20:02:34, 20:02:35, 20:02:35, 20:02:35, 20:02:35, 20:02:35, 20:02:35, 20:02:35, 20:02:35, 20:02:36, 20:02:36, 20:02:36, 20:02:36, 20:02:36, 20:02:36, 20:02:36, 20:02:36, 20:02:36, 20:02:37, 20:02:37, 20:02:37, 20:02:37, 20:02:37, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: FOUND
< Expires: Thu, 12 Mar 2020 20:02:37 GMT
> Expires: Thu, 12 Mar 2020 20:02:38 GMT
google.com does Load-balancing. Found via Methods: HTTP[Diff]
Web Application Firewall(WAF) identification
root@kali:/usr/share/nmap/scripts# wafw00f jd.com
______
/ \
( Woof! )
\______/ )
,, ) (_
.-. - _______ ( |__|
()``; |==|_______) .)|__|
/ (' /|\ ( |__|
( / ) / | \ . |__|
\(_)_)) / | \ |__|
WAFW00F - Web Application Firewall Detection Tool
Checking http://jd.com
Generic Detection results:
The site http://jd.com seems to be behind a WAF or some sort of security solution
Reason: Blocking is being done at connection/packet level.
Number of requests: 7