Venom Academy/Ethical Hacking/Scanning and Enumeration

In this chapter we discuss scanning and enumeration. Enumeration collects as much information as possible about live systems: it identifies which targets are alive and, where possible, which ports and services they expose.

Host discovery

The first and most important thing a pen tester needs to know is how to identify which targets are alive and which are not. We can use a variety of methods and programs to discover live targets. One of the most commonly used is ping, which works by sending ICMP echo requests to a system and checking whether it responds. Let's ping google:

Ping www.google.com
Pinging [74.125.232.145] with 32 bytes of data:
Reply from 74.125.232.145 time=253ms TTL=51
Reply from 74.125.232.145 time=192ms TTL=51
Reply from 74.125.232.145 time=165ms TTL=51

Nmap

A great program called nmap (Network Mapper) makes our enumeration work easier by letting us scan whole ranges of systems. Here is how we use it:

nmap -sP "ip address"

In the example above we used the -sP option, which tells nmap to identify live systems only (a ping scan, with no port scan). Here is an example:

root@venom [$]~ nmap -sP 192.168.15.1/24
Starting nmap 7.1 (https://nmap.org) at 2019-12-27 18:9 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
Mac Address: 20:21:7B:65:12:2A (Intel Corporate)
Nmap scan report for root (192.168.15.23)
Host is up.

Port Scanning

Port scanning is primarily divided into two categories, TCP scanning and UDP scanning. It is performed to identify the services that run on a port, or simply whether a port is open or not. Nmap supports a wide variety of scanning methods, such as TCP connect scans and TCP SYN scans.

Nmap uses the following syntax:

nmap <scan type> <option arguments> <specified target>

For a beginner, the following basic form is enough:

nmap <target>

The example above returns details about the open ports on the target host. We can also scan a range of hosts using the * wildcard, as in the example below:

root@venom [$]~ nmap 192.168.15.*
Starting nmap 7.1 (https://nmap.org) at 2019-12-27 18:9 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
PORT                   STATE     SERVICE
53/TCP                 Open       domain
80/TCP                 Open       http
21/TCP                 Open       ftp
 

This nmap scan covers the whole range 192.168.15.0 to 192.168.15.255 and then reports the open ports it found. Results are only returned for systems that are alive.

Port status types

Nmap can scan hosts, as we already know, but it also returns the state each scanned port was in at the time of the scan. The port states Nmap reports are listed below:

  • Open - the port can be accessed and an application on the target host is listening on it
  • Closed - the port is not accepting connections; no application on the target host is listening on it
  • Filtered - nmap could not determine whether the port is open or closed, usually because a firewall or filter is blocking the probes
  • Unfiltered - the port is accessible, but nmap cannot tell whether it is open or closed
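The host-discovery and port-scan listings above are meant to be read by a person, but an inventory is more useful as data. As an added example (not part of the original page and not nmap's own code), here is a small parser for nmap's normal output format: it pulls out each "Nmap scan report" block, the up/down status, the MAC address and vendor, and the per-port state, and then answers the two questions the sections above ask (which hosts are alive, and which ports are open). SAMPLE_OUTPUT is constructed to mirror the page's examples, not captured from a real network; it also accepts the page's capitalised "53/TCP Open" spelling.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in nmap's normal-output format; it mirrors the page's
# examples (WinMaxCPE at 192.168.15.1, a second host at 192.168.15.23) and is
# not a capture from a real network.
SAMPLE_OUTPUT = """\
Starting Nmap 7.1 ( https://nmap.org ) at 2019-12-27 18:09 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
MAC Address: 20:21:7B:65:12:2A (Intel Corporate)
PORT    STATE    SERVICE
21/tcp  open     ftp
53/tcp  open     domain
80/tcp  open     http
443/tcp filtered https
Nmap scan report for 192.168.15.23
Host is up.
PORT   STATE  SERVICE
22/tcp open   ssh
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.20 seconds
"""

# One "Nmap scan report for" line starts each host block. The hostname and
# bracketed IP are optional: nmap prints just the IP when reverse DNS fails.
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare_ip>[\d.]+))\s*$"
)
STATUS_RE = re.compile(r"^Host is (?P<state>up|down)", re.IGNORECASE)
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>[^)]*)\))?",
    re.IGNORECASE,
)
# IGNORECASE lets the parser accept the page's "53/TCP Open domain" spelling as
# well as nmap's real lower-case output. The state may be "open|filtered".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)",
    re.IGNORECASE,
)


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str


@dataclass
class Host:
    ip: str
    name: Optional[str] = None
    up: bool = False
    mac: Optional[str] = None
    vendor: Optional[str] = None
    ports: list = field(default_factory=list)


def parse_nmap_output(text: str) -> list:
    """Split nmap normal output into Host records, one per scan report."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = Host(ip=m.group("ip") or m.group("bare_ip"), name=m.group("name"))
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first report
        if (m := STATUS_RE.match(line)):
            current.up = m.group("state").lower() == "up"
        elif (m := MAC_RE.match(line)):
            current.mac = m.group("mac").upper()
            current.vendor = m.group("vendor")
        elif (m := PORT_RE.match(line)):
            current.ports.append(
                Port(int(m.group("port")), m.group("proto").lower(),
                     m.group("state").lower(), m.group("service"))
            )
    return hosts


def live_hosts(hosts) -> list:
    """IPs of hosts nmap reported as up (the -sP / -sn result)."""
    return [h.ip for h in hosts if h.up]


def open_ports(host: Host) -> list:
    return sorted(p.number for p in host.ports if p.state == "open")


def ports_by_state(hosts) -> dict:
    """Count ports per nmap state (open, closed, filtered, unfiltered, ...)."""
    counts = {}
    for h in hosts:
        for p in h.ports:
            counts[p.state] = counts.get(p.state, 0) + 1
    return counts


if __name__ == "__main__":
    for h in parse_nmap_output(SAMPLE_OUTPUT):
        print(f"{h.ip:15} {h.name or '-':10} up={h.up} mac={h.mac} open={open_ports(h)}")
```

Feeding it a saved scan (nmap -oN scan.txt) gives you a list of live hosts and open ports that can be diffed against the previous run, which is how an unexpected new listener on your own network gets noticed.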

Vulnerability scanning

Let's now look at scanning for vulnerable hosts. For this phase we use hping3. This tool was mainly used to test firewalls before it was adopted for idle scanning. The basic syntax of hping3 is shown below:

hping3 -S -r <target host>

As shown above, -S sets the SYN flag on the probes, and -r displays the IP ID of each reply relative to the previous one (the increment), rather than the absolute value.

Now let's run an example against the host 192.168.15.211:

root@venom [$]~ hping3 -S -r 192.168.15.211
HPING 192.168.15.211 (eth0 192.168.15.211): S set , 40 headers + 0 data bytes
len=46 IP=192.168.15.211 ttl=128 id=+1 sport=0 flags=RA seq=1 win=0 rtt=0.8 ms

As you can see, the ID keeps incrementing by 1. This shows that the target is predictable enough to become our zombie for an idle scan. Alternatively, we can use the Metasploit auxiliary module to check whether the host could be used as a zombie. Let's launch Metasploit with the command below:

msfconsole

Wait for the Metasploit console to open; you will then see a prompt similar to this one:

msf >

Now select the module you want to use. In this case we are using the ipidseq module, so type:

msf > use auxiliary/scanner/ip/ipidseq

Next, specify the target host; in this example the target host is 192.168.15.211:

msf auxiliary(ipidseq) > set rhost 192.168.15.211

To launch the module we use the run command:

msf auxiliary(ipidseq) > run
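Both the hping3 output (id=+1) and the ipidseq module above are answering the same question: does this host generate its IP ID field predictably? As an added example (not part of the original page, and not nmap's or Metasploit's source), here is a simplified version of that classification. ipids_from_hping() rebuilds an ID sequence from reply lines shaped like the page's hping3 output, classify_ipid_sequence() names the generation pattern using the classes those tools print, and needs_ipid_hardening() flags the hosts an administrator should fix (by enabling randomized IP IDs) so that nobody can use them as an idle-scan zombie. The HPING_LINES are constructed, the base value 1000 is an arbitrary assumption, and the numeric thresholds are my own approximations of the tools' heuristics.

```python
import re

# Constructed reply lines in the shape of the hping3 -S -r output above
# (relative IP ID: id=+1 means "one higher than the previous reply").
# They are not captured from a real host.
HPING_LINES = [
    "len=46 ip=192.168.15.211 ttl=128 id=+1 sport=0 flags=RA seq=0 win=0 rtt=0.8 ms",
    "len=46 ip=192.168.15.211 ttl=128 id=+1 sport=0 flags=RA seq=1 win=0 rtt=0.9 ms",
    "len=46 ip=192.168.15.211 ttl=128 id=+1 sport=0 flags=RA seq=2 win=0 rtt=0.7 ms",
    "len=46 ip=192.168.15.211 ttl=128 id=+1 sport=0 flags=RA seq=3 win=0 rtt=0.8 ms",
]

ID_RE = re.compile(r"\bid=(?P<rel>\+)?(?P<val>\d+)\b")


def ipids_from_hping(lines, base=1000):
    """Rebuild the absolute IP ID sequence from hping3 reply lines.

    `id=+N` (printed with -r) is a relative step from the previous reply and is
    applied to `base`, an arbitrary starting value (assumption: the absolute
    start does not matter, only the gaps). A plain `id=N` is taken as absolute.
    """
    ids, current = [], base
    for line in lines:
        m = ID_RE.search(line)
        if not m:
            continue
        val = int(m.group("val"))
        current = (current + val) & 0xFFFF if m.group("rel") else val
        ids.append(current)
    return ids


def classify_ipid_sequence(ids):
    """Name the IP ID generation pattern, modelled on the classes nmap and the
    ipidseq module report. The numeric thresholds are assumptions, not copied
    from either tool; 16-bit wrap-around is handled by masking the gaps."""
    if len(ids) < 3:
        return "Unknown (too few samples)"
    if all(i == 0 for i in ids):
        return "All zeros"
    if all(i == ids[0] for i in ids):
        return "Constant"
    gaps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if any(g > 20000 for g in gaps):
        return "Randomized"
    if any(g > 1000 and (g % 256 != 0 or g >= 25600) for g in gaps):
        return "Random positive increments"
    if all(g % 256 == 0 for g in gaps):
        return "Broken little-endian incremental"  # counter byte-swapped on the wire
    if all(g <= 10 for g in gaps):
        return "Incremental"
    return "Busy server or unknown class"


def needs_ipid_hardening(ids):
    """True when the host's IP IDs are predictable enough that a third party
    could use it as an idle-scan zombie; fix by enabling randomized IP IDs."""
    return classify_ipid_sequence(ids) in ("Incremental", "Broken little-endian incremental")


if __name__ == "__main__":
    ids = ipids_from_hping(HPING_LINES)
    print(ids, classify_ipid_sequence(ids), needs_ipid_hardening(ids))
```

Note the 16-bit mask on the gaps: a counter that wraps from 65535 to 0 is still incremental, and a classifier that forgets the wrap will mislabel exactly the hosts it should catch.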

Nmap Scanning methods

TCP SYN Scan

The TCP SYN scan is the default scan type nmap runs against the specified target machine, and it is the fastest scan to perform. It works as follows:

  • The scanning machine sends a SYN packet to port 80 on the target host
  • If the target machine responds with a SYN/ACK packet, nmap knows that this port is open on the target host
  • If there is no response from the target machine after the packet is sent, nmap marks the port as filtered.

TCP SYN scans are performed using the command below:

nmap -sS <target host>

Null Scan

A null scan is performed by sending a TCP packet with no flag bits set in its header. If no response is returned, the port is taken to be open. The receipt of a RST packet indicates the port is closed. A null scan is performed with the following syntax:

nmap -sN <target host>

FIN Scan

Normally the FIN flag is used to close an open connection. In a FIN scan the sender sends a packet with only the FIN flag set to the target host. If no response returns, the port is taken to be open; if the target machine responds with a RST, the port is closed. The command syntax for a FIN scan is:

nmap -sF <target host>
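The three scan types above are each a rule about what a reply means, and the same rules work in reverse for whoever is watching the wire. As an added example (not part of the original page and not nmap's code), port_state() turns the reply to a SYN, NULL or FIN probe into the state nmap would report; it includes the RST-means-closed case for the SYN scan, and for a silent NULL or FIN probe it reports open|filtered rather than open, which is what nmap actually prints, because no reply cannot distinguish an open port from a dropped probe. detect_scanners() shows the defender's side: a segment with no flags, or with FIN but no ACK, never occurs in a legitimate session, so one is enough to alert, while bare SYNs are normal and only become suspicious when one source touches many ports. SAMPLE_FLOWS is constructed; the record layout and the threshold are assumptions.

```python
from collections import defaultdict

# --- Scanner side: what a reply to each probe means ---------------------------
# reply_flags is the flag letters of the reply segment ('SA' = SYN/ACK,
# 'RA' = RST/ACK) or None when nothing came back before the timeout.

def port_state(scan_type, reply_flags):
    if scan_type == "syn":
        if reply_flags is None:
            return "filtered"          # no answer: something dropped the probe
        if "S" in reply_flags and "A" in reply_flags:
            return "open"              # SYN/ACK: a listener completed step two
        if "R" in reply_flags:
            return "closed"            # RST: reachable, but nobody listening
        return "filtered"
    if scan_type in ("null", "fin"):
        if reply_flags is None:
            return "open|filtered"     # silence cannot separate open from filtered
        if "R" in reply_flags:
            return "closed"
        return "unknown"
    raise ValueError(f"unsupported scan type: {scan_type}")


# --- Defender side: spotting the probes in a flow log -------------------------
# Constructed records (src, dst, dport, tcp_flags); the field layout is an
# assumption, not a real sensor format.
SAMPLE_FLOWS = [
    ("10.0.0.9", "192.168.15.1", 80, "S"),    # ordinary client handshake
    ("10.0.0.9", "192.168.15.1", 80, "A"),
    ("10.0.0.9", "192.168.15.1", 80, "FA"),   # normal close: FIN carries ACK
    *[("10.0.0.5", "192.168.15.1", p, "S") for p in (21, 22, 25, 53, 80, 443)],  # SYN sweep
    ("10.0.0.7", "192.168.15.1", 21, ""),     # NULL probes: no flags at all
    ("10.0.0.7", "192.168.15.1", 25, ""),
    ("10.0.0.8", "192.168.15.1", 445, "F"),   # bare FIN, never seen in a real session
]


def classify_probe(flags):
    """Map a segment's flag string to the probe type it resembles, or None."""
    if flags == "":
        return "null"
    if flags == "F":
        return "fin"
    if flags == "S":
        return "syn"
    return None


def detect_scanners(flows, syn_threshold=5):
    """Return sorted (src, probe_type, distinct_ports) for suspicious sources.

    Bare SYNs are normal, so a source is only flagged after it has touched
    `syn_threshold` distinct ports. NULL and FIN-only segments have no
    legitimate use, so a single one is enough.
    """
    seen = defaultdict(set)   # (src, probe_type) -> {(dst, dport)}
    for src, dst, dport, flags in flows:
        kind = classify_probe(flags)
        if kind:
            seen[(src, kind)].add((dst, dport))
    alerts = []
    for (src, kind), targets in seen.items():
        if kind == "syn" and len(targets) < syn_threshold:
            continue
        alerts.append((src, kind, len(targets)))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, n in detect_scanners(SAMPLE_FLOWS):
        print(f"{src}: {kind.upper()} scan pattern against {n} port(s)")
```

The asymmetry in the thresholds is the point: SYN scans hide among ordinary connection attempts and need a rate or breadth rule, whereas NULL and FIN probes are malformed by construction and a single packet is a reliable signal.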

Stealth Scan

Nmap's -T timing templates, which control how aggressively a scan is paced, are listed below. Each can be selected by name or by number (for example -T sneaky or -T1):

  • paranoid (0) - No parallel scanning. 5 minutes between sending packets.
  • sneaky (1) - No parallel scanning. 15 seconds between sending packets.
  • polite (2) - No parallel scanning. 0.4 seconds between sending packets.
  • normal (3) - Default scanning. Tries to be very fast without overloading the network.
  • aggressive (4) - Faster than normal, but loads the network.
  • insane (5) - Parallel scans, times out hosts in 15 minutes, won't wait more than 0.3 seconds for an individual probe. Loses a lot of information.

nmap also provides options to control the delay between probes and scan time-outs. Combining these with the templates above gives more finely tuned scans, for example a scan sending 100 packets per minute. Try the scan below yourself:

root@venom [$]~ nmap -T sneaky --scan-delay 600ms <target host>

(Video: Screencast 01-11-2020 03-18-33 PM.webm, a demonstration of a regular nmap scan)