>> Practical Security Assessment (Penetration Testing) - Active Intelligence Gathering
Masscan is a good tool for scanning huge network ranges, but we will do it the usual way with nmap, even though nmap is slower than masscan at that scale.
-A # very aggressive and noisy (OS detection, version detection, default scripts, traceroute), like a wild bear when it's awake in winter
-F # fast mode: scan only the top 100 ports
-sA # ACK scan: does not find open ports, but maps firewall rules by reporting ports as filtered or unfiltered
-sS # SYN (half-open) stealthy scan
-sX # XMAS stealthy scan; works against RFC 793-compliant stacks (most UNIX), not against Windows
-sI # idle (zombie host) scan, super stealthy => learn more below
-sV # service version detection
-sC # run the default NSE scripts (same as --script=default), usually combined with -sV; learn more https://nmap.org/book/nse-usage.html
-sP # ping scan (host discovery only); the modern spelling is -sn
-Pn # no ping: skip host discovery and treat every host as up => stealthier, and gets past firewalls that drop ICMP
-p- # scan all TCP ports 1-65535 (port 0 needs an explicit -p0-)
-n # do not do DNS resolution, will save time
-v # verbose mode, show all the output possible
-T<0-5> # timing template, how fast you want to scan; set to 0 if paranoid (gonna be super slow)
# learn more on timing https://nmap.org/book/performance-timing-templates.html
--reason # display why a port is in a particular state
--open # show results for open ports only, very useful, saves time on analysis
--spoof-mac # send packets from a fake MAC address
--scan-delay # adds a delay between probes; do not use with --max-parallelism
--max-parallelism # upper bound on how many probes are in flight at once
--packet-trace # will show the packets that are sent and received
-oX # outputs results in XML
-oG # outputs results in a greppable format
-oA # outputs results in all three formats (normal, greppable, XML) using the given basename
Idle scan - put the blame on zombies: https://nmap.org/book/idlescan.html Want to find zombies? Sure! Scan 1000 random IPs to see whether some of them are usable as zombies:
$ nmap -iR 1000 --script ipidseq -T4 -v -oA zombies
Want to find anonymous FTP servers to store your files temporarily? (may take ~30-60 mins)
$ nmap -iR 1000 --script ftp-anon -T4 -v -oA ftpAnon # -oA takes a basename and writes ftpAnon.nmap, ftpAnon.gnmap and ftpAnon.xml
Want to use decoy machines on the network to confuse the admin?
$ nmap -D IP_1,IP_2,IP_3,ME -p 80,21,22,25,443 -Pn REAL_TARGET_IP
$ nmap -p- -sS -n -v --reason --open -oX demo-ports.xml 127.0.0.1
$ nmap -sU -n -v --open --reason 127.0.0.1
$ nmap -sS -sV -sC -v -n -p 21,22,80 127.0.0.1
Update the script database: $ nmap --script-updatedb
Learn about available scripts in nmap and where/how to use them here
Zenmap is pre-installed on Kali and is available here
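The -oX output above is what you want to feed into anything that post-processes a scan. The following script is an added example (not from the course notes and not nmap's own code) that parses nmap's XML with only the standard library, lists open ports with the same reason -oX records and --reason prints, and computes what fraction of open ports came back as the service name tcpwrapped, which is the pattern discussed later in these notes. The XML is a constructed sample in the shape nmap emits for a -sS -sV scan of 127.0.0.1, not real scan output.

```python
"""Parse nmap -oX output and pull out the fields that matter for triage.

Added example: standard library only. SAMPLE_XML below is a constructed
sample in the shape nmap writes for `nmap -p- -sS -sV --reason -oX demo-ports.xml 127.0.0.1`.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sS -sV --reason -oX demo-ports.xml 127.0.0.1">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="113">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="tcpwrapped"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ports(xml_text):
    """Return one dict per <port> element: host, proto, port, state, reason, service."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else "",
            })
    return rows


def open_ports(rows):
    """Equivalent of --open: keep only ports whose state is 'open'."""
    return [r for r in rows if r["state"] == "open"]


def tcpwrapped_fraction(rows):
    """Fraction of open ports whose service is 'tcpwrapped'. A value near 1.0 over
    many ports is the 'everything is tcpwrapped' pattern the notes attribute to an IDS."""
    opened = open_ports(rows)
    if not opened:
        return 0.0
    wrapped = sum(1 for r in opened if r["service"] == "tcpwrapped")
    return wrapped / len(opened)


def reason_summary(rows):
    """Counter of (state, reason) pairs, the same information --reason prints."""
    return Counter((r["state"], r["reason"]) for r in rows)


if __name__ == "__main__":
    rows = parse_ports(SAMPLE_XML)
    for r in open_ports(rows):
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']:<12} ({r['reason']})")
    print("tcpwrapped fraction:", tcpwrapped_fraction(rows))
    print("reasons:", dict(reason_summary(rows)))
```

To run it on a real file, replace SAMPLE_XML with the contents of the demo-ports.xml written by the -oX command above; the element names and attributes used here (host, address, port, state, service, reason) are the ones nmap's XML output uses.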
Let's hunt for SNMP community strings, which work like passwords for talking to devices. Fast SNMP scanner: https://github.com/trailofbits/onesixtyone
$ onesixtyone -c dict.txt 192.168.0.1
Try other dictionaries as well like this.
To have better chances of guessing community strings, add your own candidates based on OSINT about the target, e.g. company_name-public or company_name-private.
In Metasploit:
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_enumshares
TCP Wrappers is a host-based network access control mechanism on Unix-like systems. When we nmap a host, a port is reported as tcpwrapped when there is a TCP Wrapper (or an IDS) behind it. Two files control it: /etc/hosts.allow and /etc/hosts.deny.
tcpwrapped means we do not have the access control privileges to reach this particular service. It may also mean that an IDS is trying to mess with you and is pretending that everything is TCP-wrapped.
If you are lucky and it is a real TCP Wrapper, your host is simply not allowed to reach these ports even though they are open; you would only get through if you could make yourself look like a host that is allowed (such as 127.0.0.1). However, if you see a ton of ports reported as tcpwrapped, that may mean you are dealing with an IDS that is messing with you. Try another way to check the ports, e.g. slow down your nmap scans with -T0 or use nc to grab banners from the services.
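To see why a wrapped daemon answers some clients and drops others, here is an added example (not from the notes and not libwrap's own code) that re-implements the lookup order of hosts_access(5): /etc/hosts.allow is consulted first and a match grants access, then /etc/hosts.deny and a match denies, and a client matching neither file is allowed. Supported client patterns are ALL, an exact IPv4 address, a trailing-dot prefix such as 10.0.0., and n.n.n.n/m.m.m.m net/mask, with EXCEPT honoured in daemon and client lists. The two file contents are constructed samples; the daemon names sshd and vsftpd are just illustrative.

```python
"""Evaluate the TCP Wrappers decision for a (daemon, client) pair.

Added example, not the notes' or libwrap's code: a small re-implementation of
the hosts_access(5) lookup order so the effect of hosts.allow/hosts.deny can
be checked without a wrapped service. The two file bodies are constructed samples.
"""
import ipaddress

HOSTS_ALLOW = """\
# allow ssh from the admin network (one host excluded), everything from localhost
sshd : 10.0.0. EXCEPT 10.0.0.99
ALL  : 127.0.0.1
"""

HOSTS_DENY = """\
# deny everything else; the wrapped daemon then closes the connection right
# after accept(), which nmap -sV reports as 'tcpwrapped'
ALL : ALL
"""


def _match_client(pattern, client_ip):
    """One client pattern: ALL, dotted prefix, net/mask, or an exact address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    return client_ip == pattern


def _match_list(list_text, matcher):
    """Handle 'a b c EXCEPT d e': match the left part and not the right part."""
    parts = list_text.split("EXCEPT", 1)
    included = parts[0].replace(",", " ").split()
    excluded = parts[1].replace(",", " ").split() if len(parts) > 1 else []
    hit = any(matcher(p) for p in included)
    if hit and any(matcher(p) for p in excluded):
        return False
    return hit


def _file_matches(text, daemon, client_ip):
    """True if any 'daemon_list : client_list [: options]' line matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons, clients = fields[0], fields[1]
        daemon_hit = _match_list(daemons, lambda p: p == "ALL" or p == daemon)
        client_hit = _match_list(clients, lambda p: _match_client(p, client_ip))
        if daemon_hit and client_hit:
            return True
    return False


def access_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow first, then hosts.deny, otherwise allow."""
    if _file_matches(allow_text, daemon, client_ip):
        return "allow"
    if _file_matches(deny_text, daemon, client_ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "10.0.0.5"), ("sshd", "10.0.0.99"),
                       ("sshd", "192.168.1.10"), ("vsftpd", "127.0.0.1")]:
        print(f"{daemon:7} from {ip:13} -> {access_decision(daemon, ip)}")
```

The last rule is the reason a scanner outside the allowed ranges sees open-but-tcpwrapped ports: the TCP handshake completes (so the port is open), and the daemon closes the socket before any banner is sent. A host with no hosts.deny entry at all, as the empty-file case in the test shows, allows everyone, so the deny-by-default line is what actually enforces the policy.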
Yep, quite a list, and I agree: a whole lot of acronyms, way too many. If you are going into security or IT administration, it can be useful to know what they all are.
Responder acts as a server that "knows" about the network resources that users request. For example, if a user's machine requests something that does not exist (a typo), Responder can reply "yes, I know where it is!". Responder can then prompt for a username/password or just capture the user's password hash without them even realizing it.
Best part: it can capture NTLMv2 hashes (which later can be set on the path of cracking with hashcat) or even pop up a simple auth window when a user goes to a network location that cannot be found.
To run the attack, start it with the -i flag for your IP address, -b Off for NTLM authentication, and -r Off so that you won't break the network:
$ responder -i your_IP_address -b Off -r Off -w On
Responder takes some time to start gathering data; once it does, you will see a lot of output in the terminal. It poisons LLMNR requests and makes victims use your machine as a proxy for the Internet (everything in cleartext is visible right away). It also captures NTLM hashes that you can try to crack with hashcat or John the Ripper.
However, if the passwords are strong, cracking those hashes is infeasible. Instead, you can relay the SMB connections to other servers without cracking anything (profit!). For that, set up the Impacket framework (a collection of Python classes for working with network protocols). Impacket needs to be configured before you move laterally in the network with the captured credentials; to configure it, follow the SANS write-up.
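The behaviour that makes Responder work, answering LLMNR queries for names nobody on the network owns, is also what gives it away. The following is an added example from the defender's side (not from the notes, and not Responder's or Impacket's code): it builds an LLMNR query (RFC 4795 reuses the DNS message format on UDP port 5355, multicast group 224.0.0.252) for a name invented on the spot, parses any reply including 0xC0 name-compression pointers, and treats a reply that claims an address for that canary name as an indicator that a poisoner is on the segment. SAMPLE_RESPONSE is constructed by hand in that format for the offline check; it is not captured traffic. The send_canary function does real multicast I/O and is only called when the script is run directly.

```python
"""Canary check for LLMNR poisoning.

Added example, defender-side: ask for a name nobody can legitimately own; any
answer comes from a host that replies to every LLMNR query. SAMPLE_RESPONSE is
a constructed sample packet, not captured traffic.
"""
import random
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A, QCLASS_IN = 1, 1

SAMPLE_CANARY, SAMPLE_TXID = "host-k3mq7xz2", 0x1234
# Constructed reply: header (QR=1, 1 question, 1 answer), the echoed question,
# then an A record whose name is a 0xC00C pointer back to the question name.
SAMPLE_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x0dhost-k3mq7xz2\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04" + b"\xc0\x00\x02\x32"
)


def encode_name(name):
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels at offset, following 0xC0 compression pointers (bounded).
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 5:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, txid):
    """Standard LLMNR query for an A record (flags 0, one question)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_response(data):
    """Return {'txid', 'is_response', 'name', 'answers': [IPv4 strings]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, name, answers = 12, None, []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        offset += 4                               # skip QTYPE + QCLASS
    for _ in range(an):
        _rrname, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and len(rdata) == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "name": name, "answers": answers}


def is_poison_indicator(canary, txid, data):
    """True when a well-formed reply to our transaction claims an address for the invented name."""
    try:
        r = parse_response(data)
    except (struct.error, IndexError, UnicodeDecodeError, ValueError):
        return False
    return (r["is_response"] and r["txid"] == txid
            and (r["name"] or "").lower() == canary.lower() and bool(r["answers"]))


def random_canary():
    """A name that cannot exist on the network, so nobody should answer for it."""
    return "host-" + "".join(random.choice("abcdefghjkmnpqrstuvwxyz23456789") for _ in range(8))


def send_canary(timeout=2.0):
    """Multicast one canary query; return [(sender_ip, claimed_ips)] for suspicious replies."""
    canary, txid = random_canary(), random.randrange(1, 0xFFFF)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(canary, txid), LLMNR_GROUP)
        try:
            while True:
                data, peer = s.recvfrom(4096)
                if is_poison_indicator(canary, txid, data):
                    hits.append((peer[0], parse_response(data)["answers"]))
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    for sender, ips in send_canary():
        print(f"LLMNR poisoner suspected: {sender} answered for a name that does not exist -> {ips}")
```

Run it from an ordinary workstation on the segment you are checking; a legitimate network never produces a hit because the queried name was invented a moment earlier. The transaction-ID and name checks matter: without them, unrelated LLMNR traffic on the multicast group would be counted as a hit.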