[ Certified Ethical Hacker v10 ] :: [ Module 3 ]

This entry is part 4 of 21 in the series [ Certified Ethical Hacker Training ]

Module 3: Scanning and Enumeration

Stage 2 of a Hack: Scanning

  • Pings and ping sweeps
  • Port scanning
  • traceroute

Port scans

Network scans

Vulnerability scans

TCP and UDP scans

nmap

nmap – https://nmap.org/, http://scanme.nmap.org/

nmap vs. scapy –
https://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html

Videos on Nmap

“Nmap Tutorial for Beginners – 1”
https://www.youtube.com/watch?v=5MTZdN9TEO4

Note the switches: -A, -v

-> Perform the lookup exercise starting at 6:30 in the video.

“Nmap Tutorial For Beginners – 2”
https://www.youtube.com/watch?v=VFJLMOk6daQ

“Nmap Tutorial For Beginners – 3”
https://www.youtube.com/watch?v=OUQkCAHdX_g

-> Practice with the following:

-F

-sV

--open

Grep-able output:

nmap -oG - 192.168.1.0-255 -vv > results.txt

Hping3

Offensive Security offers a page on hping3:
https://tools.kali.org/information-gathering/hping3

But there is a much more thorough tutorial at the excellent Null Byte:
https://null-byte.wonderhowto.com/how-to/hack-like-pro-conduct-active-reconnaissance-your-target-with-hping3-0148092/

A silent but thorough lesson:
https://www.youtube.com/watch?v=SlxWvSlWWis

Videos on Hping3

hping3 in Kali:
https://www.youtube.com/watch?v=dIYfTh_5sTs

Tools

nmap

hping3

scapy

Angry IP

Nessus

Nexpose

Banner grabbing

Exercises

  1. Perform nmap TCP, SYN, XMAS, FIN, NULL and ACK scans against the designated target.
  2. Perform UDP scans against the target’s ports.
  3. Scan several hosts to perform OS fingerprinting on them.
  4. Perform banner grabbing on the target using first telnet, then netcat.

Stage 3 of a Hack: Enumeration

  • Users and Groups
  • Shares and other network services
  • Routing tables
  • DNS and machine names
  • Applications and banners
  • Determining what auditing is in place

Tools

Command line in Windows and Linux

PsTools

enum4linux

SMBmap

SNScan

JXplorer

SMTP enumeration using VRFY, EXPN, RCPT TO

DNS zone transfers

Sparta – http://sparta.secforce.com/, https://tools.kali.org/information-gathering/sparta

OpenVAS: https://www.kali.org/news/kali-linux-20171-release/

Exercises

  1. Attempt a null session connection to the designated target.
  2. Attempt a zone transfer from the designated target.
  3. Find JXplorer. There is a practice server (that is usually up) at http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ . Can you figure out how to connect?
  4. Perform Exercise 7.7 on page 215: Using netcat
  5. Install Sparta on Kali. Be sure to watch the two short videos. Unleash it on the designated targets.

Homework

  1. Watch or re-watch the nmap videos above.
  2. Perform several types of scans on scanme.nmap.org. Do all scans reveal the same thing?
  3. Look closely at the nmap switches. For instance, what does the -s switch always need, and always specify?
  4. Practice forming packets with hping3. Create a Ping of Death packet.