Ethical Hacking
Steve Bolt
PHASE 2: Scanning
Technology
Personnel
Maybe some corporate culture
Social Media
Focused on IT personnel or Sr Managers
Focused on HR
PHASE 2: SCANNING
Introduction to scanning:
Goal:
Expand on what we have learned already
Find openings by engaging the target
Determine:
Live Hosts, network appliances
Topology
OS types
Open Ports
Services
Potential Vulnerabilities
SCANNING
Types of scans:
Network sweep
Network trace
Port Scanning
OS fingerprinting
Version Scan
Vulnerability Scan
SCANNING
Cautions:
Scan IP not name
Large scans
Limit Scope
Smaller part of the network
Sample hosts
Review Firewall
Scan only ports and services allowed
Not perfect, and the target needs to know
SCANNING
Cautions:
Many of the tools wait for a response
You can force them to move on without waiting
Speeding up the process
SCANNING
Network Sweep:
Sends probe packets to identify live hosts
Ping Sweep
ICMP ping
Network Trace
Goal:
Get a map of the network
Topology of the target network
SCANNING
While scanning:
You should run a network sniffer
I recommend this to all my students
Some do, some don't
Running a sniffer allows review of the actions later
Can dissect the hack afterwards.
Provides a network trace of your actions
Don't have to stop and note what you did.
Generates a business record
SCANNING
Scanners/Network Sniffers
Wireshark
SCANNING
TCPDump
Command line tool
Console or Windows cmd
Example:
$ tcpdump -i eth0 -nn host <host IP> and net 192.168.1.0/24
(-i selects the capture interface, -nn disables host and port name resolution; the filter keeps traffic to or from the host IP within the 192.168.1.0/24 network)
SCANNING
Determining network topology
TraceRoute
Tracert
Manipulates the TTL to report back information on the devices the packets travel through on the way to the target
SCANNING
TCP and UDP scans
3 way handshake
Manipulation
Connection vs connectionless
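The connection-oriented three-way handshake is also what lets a defender tell a half-open scan from normal traffic in the sniffer trace the deck recommends keeping. The following Python is an added example (not from the original slides): it reads tcpdump-style lines, counts bare SYNs per source/destination pair, and flags pairs that probe many distinct ports without ever sending the client ACK that completes the handshake. The sample lines are constructed, and the threshold and the "fewer than half completed" rule are illustrative assumptions, not a rule from the deck.

```python
import re
from collections import defaultdict

# Matches the start of a tcpdump TCP line, e.g.
# "12:00:01.000100 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample lines in tcpdump's output format (not a real capture).
# 10.0.0.5 sends bare SYNs to five ports and resets the one that answers;
# 10.0.0.7 opens one ordinary SSH connection and completes the handshake.
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP 192.168.1.10.22 > 10.0.0.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000300 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [R], seq 2, win 0, length 0
12:00:01.000400 IP 10.0.0.5.40002 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000500 IP 10.0.0.5.40003 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000600 IP 10.0.0.5.40004 > 192.168.1.10.3306: Flags [S], seq 1, win 1024, length 0
12:00:01.000700 IP 10.0.0.5.40005 > 192.168.1.10.8080: Flags [S], seq 1, win 1024, length 0
12:00:05.000000 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [S], seq 100, win 64240, length 0
12:00:05.000100 IP 192.168.1.10.22 > 10.0.0.7.51000: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:05.000200 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [.], ack 201, win 64240, length 0
"""


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def find_syn_scans(lines, min_ports=5):
    """Flag (src, dst) pairs that sent bare SYNs to at least `min_ports`
    distinct ports while completing the handshake on fewer than half of them.

    A client finishes the three-way handshake by sending a bare ACK
    ("Flags [.]") back to the port it SYNed; a half-open scan never does.
    This is a deliberately simple heuristic (no time window, no allow-list),
    so a busy legitimate client can still trip it.
    """
    attempted = defaultdict(set)   # (src, dst) -> ports that received a bare SYN
    completed = defaultdict(set)   # (src, dst) -> ports where the client later ACKed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if flags == "S":
            attempted[(src, dst)].add(dport)
        elif flags == "." and dport in attempted.get((src, dst), ()):
            completed[(src, dst)].add(dport)
    findings = []
    for (src, dst), ports in attempted.items():
        done = completed.get((src, dst), set())
        if len(ports) >= min_ports and len(done) * 2 < len(ports):
            findings.append({"src": src, "dst": dst,
                             "ports": sorted(ports), "completed": sorted(done)})
    return findings


if __name__ == "__main__":
    for f in find_syn_scans(SAMPLE_TCPDUMP.splitlines()):
        print(f"{f['src']} -> {f['dst']}: SYN to {len(f['ports'])} ports, "
              f"{len(f['completed'])} handshakes completed")
```

Run against a real capture with `tcpdump -nn -r capture.pcap | python3 this_script.py`-style piping after swapping the constructed sample for `sys.stdin`; the same logic is why the deck says the target needs to know a scan is coming, since even this crude check picks a SYN scan out of normal traffic.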
SCANNING
NMAP
Network Mapper
Not just a mapper
Many features that go unused
NSE = Nmap Scripting engine
Provides vulnerability scan capability
SCANNING
Nmap
Have to use nmap, don't you
How do you use it?
ZENMAP?
Is that cheating?
Nmap syntax
./nmap -<scan type> <IP address> -p <port range> --packet-trace
SCANNING
NMAP resources
Youtube
SANS publications
NMAP cheat sheet
SCANNING
Nmap options
Timing: -T
Output: -o
-oN = normal
-oG = grepable
-oX = XML
-oS = script kiddie format (no real purpose)
-oA = store in all 3 major formats
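The grepable format (-oG) exists so that scan results can be processed without re-reading nmap's normal output by eye. As an added example that is not part of the original slides, the Python below parses -oG output into a per-host record and pulls out the open ports with their service and version strings. The sample text is constructed to match the grepable layout (tab-separated fields, port entries of the form port/state/proto/owner/service/rpcinfo/version/); it is not output from a real scan.

```python
import re

# Matches the leading "Host: <ip> (<hostname>)" field of a grepable line.
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")

# Constructed sample in nmap's grepable (-oG) format; not from a real scan.
# Fields on a line are tab-separated; each port entry is
# port/state/proto/owner/service/rpcinfo/version/ and entries are comma-separated.
SAMPLE_GREPABLE = (
    "# Nmap 7.93 scan initiated as: nmap -sV -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 23/closed/tcp//telnet///"
    "\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.20 (printer.lan)\tStatus: Up\n"
    "Host: 192.168.1.20 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 30.00 seconds\n"
)

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")


def parse_port_entry(entry):
    """Split one 'port/state/proto/owner/service/rpcinfo/version/' entry into a dict."""
    parts = entry.strip().split("/")          # trailing '/' yields an extra empty part
    rec = dict(zip(PORT_FIELDS, parts))       # zip stops at the seven named fields
    rec["port"] = int(rec["port"])
    return rec


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ports": [...]}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # '# Nmap ...' banner and summary lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        rec = hosts.setdefault(m["ip"], {"hostname": m["name"] or None,
                                         "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"].extend(parse_port_entry(e) for e in value.split(", "))
    return hosts


def open_ports(hosts):
    """Map each host to its open (or open|filtered) ports as (port, proto, service, version)."""
    return {
        ip: sorted((p["port"], p["proto"], p["service"], p["version"])
                   for p in rec["ports"] if p["state"].startswith("open"))
        for ip, rec in hosts.items()
    }


if __name__ == "__main__":
    for ip, ports in open_ports(parse_grepable(SAMPLE_GREPABLE)).items():
        for port, proto, service, version in ports:
            print(f"{ip}\t{port}/{proto}\t{service}\t{version}")
```

Feed it a real file with `parse_grepable(open("scan.gnmap").read())`; the UDP entry shows why the state test uses `startswith("open")`, since UDP probes that get no answer are reported as open|filtered rather than open.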
SCANNING
LAB TIME......
SCANNING
Scapy
Packet manipulation tool
Can be used to craft packets to test network responses
Can be used to carve/analyze packet captures
SCANNING
We have covered some methods to perform scanning
Can be very useful
Have more granular control
SCANNING
Vulnerability scanning
Purpose is to identify vulnerabilities
How to determine if vulnerable:
SCANNING
NSE
Invoke with nmap -sC <ip> -p <ports>
Runs all scripts in default category
Plenty more categories for you to see and play with.
Some are dangerous
Some attempt to break into systems
Be Careful
SCANNING
Automated Vulnerability scanners
Nessus
Core Impact
Rapid 7 Nexpose
Perform the same steps we have
Automate many of the steps
Can be more invasive than default
Have to learn to work with the management interface
SCANNING
LAB TIME......
SCANNING
Recap
There are plenty more topics to cover
Not enough time this week
Each area could cover weeks' worth of training
Critical that you understand this is just a start