Venom Academy/Ethical Hacking/Scanning and Enumeration
In this chapter we will be discussing scanning and enumeration. Enumeration is done to collect as much information as possible on live systems. This is done to identify alive targets and probably find ports, etc.
Host discovery[edit | edit source]
Thee most important and first step of a pen tester to know is how to identify which target is alive and which one is not. We can use a variaty of methods and programs to discovery live targets. One of the most commonly used is ping, which works by sending ICMP echoes to a system and checks whether it responds or not. Lets run a ping scan on google
Ping www.google.com
Pinging [74.125.232.145] with 32 bytes of data:
Reply from 74.125.232.145 time=253ms TTL=51
Reply from 74.125.232.145 time=192ms TTL=51
Reply from 74.125.232.145 time=165ms TTL=51
Nmap[edit | edit source]
A great program called nmap(Network mapper) can prove our work in enumeration easier by allowing us to scan ranges of systems. Here is how we could use this.
nmap -sP "ip address"
In the example above we used the -sP command to enable nmap to identify live systems only. Here is an example below:
root@venom [$]~ nmap -sP 192.168.15.1/24
Starting nmap 7.1 (https://nmap.org) at 2019-12-27 18:9 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
Mac Address: 20:21:7B:65:12:2A (Intel Corporate)
Nmap scan report for root (192.168.15.23)
Host is up.
Port Scanning[edit | edit source]
Port scanning is primarily divided into two categories, TCP scanning and UDP scanning. Port scanning can be performed as a way of identifying services that run Ona port or whether a port is open or not. Nmap supports a wide variation of scanning methods such as TCP connection scans and TCP syn scans
Nmap uses the following syntax
nmap <scan type> <option arguments> <specified target>
For a beginner the following syntax would be applicable.
nmap <target>
The example above should be able to return us details about the open ports on a target host. We can also scan ports using the * sign. The syntax is shown below in an example
root@venom [$]~ 192.168.15.*
Starting nmap 7.1 (https://nmap.org) at 2019-12-27 18:9 CAT
Nmap scan report for WinMaxCPE (192.168.15.1)
Host is up (0.0021s latency).
PORT STATE SERVICE
53/TCP Open domain
80/TCP Open http
21/TCP Open ftp
This nmap scan would scan the whole IP range 192.168.15-255 and then reply back with the detailed open ports. The results will only be based on the systems that are alive.
Port status types[edit | edit source]
Nmap can scan hosts as we already know, but it then returns with port states/status in which the scanned port is in at that present time. The port states for Nmap are listed below:
- Open - Which means that the port can be accessed and an application on the target host is listening through it
- Closed - Means that the port the port can't be accessed and there is no application on the target host that is listening through the port
- Filtered - Means that nmap was not able to figure out whether the port is open or closed, this could mean that the target is behind a firewall
- Unfiltered - The ports are accessible but they can't be distinguished whether they are open or closed
Vulnerability scanning[edit | edit source]
Lets now look into scanning for vulnerable hosts. For this phase we use hping3. This tool was mainly used to test firewalls, until it was then introduced to IDLE scanning. The main syntax of hping3 is shown below
hping3 -S -r <target host>
As shown above the -S specification is used to send SYN flags, -R is used to enable checking for relative ID
Now let's perform an example on the host 192.168.15.211
root@venom [$]~ hping3 -S -r 192.167.15.211
HPING 192.168.15.211 (eth0 192.168.15.211): S set , 40 headers + 0 data bytes
len=46 IP=192.168.15.211 ttl=128 id=+1 sport=0 flags=RA seq=1 win=0 rtt=0.8 ms
As you can see the ID is remaining incremented by 1. This shows that the target is vulnerable enough to become our zombie and we can use it for our IDLE scan. Alternatively we will the metasploit auxiliary module to check if the host could be used to become a zombie. So let's launch metasploit by invoking the command below
msfconsole
From there you will wait for metasploit console to open then you will see a text similar to this one
msd >
Now you have to select the module you want to use in this case we are using the ipidseq module now type this
msf > use auxiliary/scanner/ip/ipidseq
Now you need to specify the target host using this, in my example the target host is 192.168.15.1
msf auxiliary(ipidseq) > set rhost 192.168.15.211
To launch the exploit we use the run command
msf auxiliary (ipidseq) > run
Nmap Scanning methods[edit | edit source]
TCP SYN Scan[edit | edit source]
The TCP SYN Scan is the default scan type that runs against the specified target machine. This is the fastest scan to perform. The scan works as follows
- The Main machine sends a SYN packet to port 80 on the target host
- If the target machine responds with a SYN/ACK packet then nmap would know that the particular port is open in the target host
- If there is no response from the target machine after sending the packet then nmap would know that the port is filtered.
TCP scans are performed using the command below
nmap -sS <target host>
Null Scan[edit | edit source]
A null Scan is performed by sending a no flag bit inside a TCP header. If no response is returned then that means the port is open. The receipt of a RST packet indicates the port is closed. A null scan is performed using the following syntax
nmap -sN <target host>
FIN Scan[edit | edit source]
By default a FIN flag is used to close a currently open connection. In a FIN scan the sender sends a FIN flag to the target host. If no response returns then the port is open. If the target machine responds with a RST then the port is closed. The syntax command for a FIN scan is
nmap -sF <target host>
Stealth Scan[edit | edit source]
- paranoid (0) - No parallel scanning. 5 minutes between sending packets.
- sneaky (1) - No parallel scanning. 15 seconds between sending packets.
- polite (2) - No parallel scanning. 0.4 seconds between sending packets.
- normal (3) - Default scanning. Tries to be very fast without overloading the network.
- aggressive (4) - Faster than normal, but loads the network.
- insane (5) - Parallel scans, times out hosts in 15 minutes, won't wait more than 0.3 seconds for an individual probe. Loses a lot of information.
nmap also provides options to control scan time-outs. Combining these with the above provides more fine-tuned scans, for example a scan doing 100 packets per minute. Try the scan below yourself.
root@venom [$]~ nmap -T sneaky --scan_delay 600