07 - Scanning

This document discusses scanning techniques used in offensive security. It begins by explaining how scanning moves from passive reconnaissance to actively knocking on doors by sending data to target hosts. It then discusses pinging targets to check availability, using ARP to scan local networks, and port scanning to identify services and potential vulnerabilities. The document focuses on using Nmap, the most common scanning tool, and explores various Nmap flags and the Nmap Scripting Engine. It concludes by emphasizing the importance of documentation when scanning.

Scanning

Offensive Security
Scanning
• We have an idea of where to look now
  ◦ IP address(es)
  ◦ Domains
• Moving from passive reconnaissance to active
• Instead of driving down the street, we’re knocking on doors

Scanning
• LEGAL
• We are sending data to hosts
• Do you have permission to do so?

Ping
• Before spending time on a scan
  ◦ Check to see which hosts are up
• What if a computer is offline?
  ◦ In the middle of a reboot?
• Firewalls could block ICMP
  ◦ Host based
  ◦ Network based

ARP
• ARP scan
• Only works on the local LAN
• Sends ARP packets to other hosts on the network
  ◦ Checks for responses

Port scanning
• So we know where the hosts are now
• What is a port?
• Well-known ports
  ◦ 1-1024

Why are they important?
• Find what services are offered on the host
• Might help us identify the OS
• Identify vulnerabilities
• Doorway into the system
  ◦ Launch an exploit

Nmap
• Most common scanning tool
• Flexible/extendable
  ◦ Nmap Scripting Engine
• Flags
  ◦ Nmap cheat sheet

Nmap Flags
• -T4
  ◦ Speed
• -Pn
  ◦ No ping
• -n
  ◦ No DNS resolution
• --open
  ◦ Only show open ports
• -sT
  ◦ TCP connect scan
• -sV
  ◦ Gather service information

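To make the flags on this slide concrete, here is an added example (not code from the slides or from the Nmap project) that does by hand what -sT, --open and a first step of -sV do: a full connect() handshake per port, classifying the outcome as open, closed or filtered, then reading the greeting an open service sends. The "fake service" and the closed-port helper are constructed so the demo runs entirely on loopback; pass an IP address, as with -n, since nothing here resolves names.

```python
"""A minimal TCP connect scanner showing what nmap -sT, --open and -sV do.

Added example, not code from the slides or from the Nmap project; standard
library only. A full three-way handshake via connect() is what -sT does;
reading the greeting a service sends approximates one step of -sV. The
"fake service" below is a constructed local listener so the demo runs offline.
"""
import socket
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortResult:
    port: int
    state: str                      # "open", "closed" or "filtered"
    banner: Optional[str] = None


def scan_port(host: str, port: int, timeout: float = 1.0, grab_banner: bool = False) -> PortResult:
    """Classify one TCP port the way a connect scan does.

    connect() succeeds        -> open     (SYN/ACK came back, handshake completed)
    ECONNREFUSED (RST)        -> closed   (host is up, nothing listening)
    timeout / no route        -> filtered (something in the path dropped the SYN)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return PortResult(port, "closed")
        except OSError:                 # includes socket.timeout and "no route to host"
            return PortResult(port, "filtered")
        banner = None
        if grab_banner:
            try:
                data = s.recv(256)      # SSH, FTP and SMTP greet first; HTTP waits for us
                banner = data.decode("ascii", errors="replace").strip() or None
            except OSError:
                banner = None
        return PortResult(port, "open", banner)


def scan(host, ports, timeout=1.0, open_only=False, grab_banner=False):
    """Scan a list of ports; open_only mirrors nmap --open. Pass an IP, as with -n."""
    results = [scan_port(host, p, timeout, grab_banner) for p in ports]
    if open_only:
        results = [r for r in results if r.state == "open"]
    return results


def start_fake_service(banner: bytes) -> int:
    """Constructed helper: a throwaway loopback listener that sends `banner` and hangs up. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port() -> int:
    """Constructed helper: pick a loopback port nothing is bound to."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6 constructed-banner\r\n")
    closed_port = find_closed_port()
    for r in scan("127.0.0.1", [open_port, closed_port], grab_banner=True):
        print(f"{r.port}/tcp {r.state} {r.banner or ''}")
```

The three states are the point: a refused connection proves the host is up, while a timeout tells you only that something dropped the packet, which is why -Pn matters when a firewall eats ICMP and why "filtered" results need a second look rather than being read as "nothing there".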
Nmap Scripting Engine (NSE)
• Scripts to check for more details
• Vulnerabilities
• Service details
• Discovery
• Auth
• Bruteforcing
• Etc...

Masscan/Zmap
• Large-scale scanners
• Zmap.io
• Faster = chance of error

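Every scanner on these slides, fast or slow, leaves the same trace on the target side: one source touching many distinct host:port pairs in a short time. As an added example (not from the slides), the following flags that pattern in connection logs. The log format is constructed for the demo, and lines are assumed to arrive in time order.

```python
"""Spot scan-like behaviour in connection logs (added defender-side example).

Not from the slides. The log format is constructed for the demo, one line
per connection attempt: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <ACCEPT|DROP>".
A scanner stands out because one source touches many distinct host:port
pairs in a short window; a normal client talks to a handful repeatedly.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (ACCEPT|DROP)$")

# Constructed sample: 10.0.0.5 is a normal client, 10.0.0.9 sweeps eight ports in four seconds.
SAMPLE_LOG = """\
1700000000 10.0.0.5 -> 10.0.0.20:443 ACCEPT
1700000003 10.0.0.9 -> 10.0.0.20:21 DROP
1700000003 10.0.0.9 -> 10.0.0.20:22 ACCEPT
1700000003 10.0.0.9 -> 10.0.0.20:23 DROP
1700000004 10.0.0.9 -> 10.0.0.20:25 DROP
1700000004 10.0.0.9 -> 10.0.0.20:53 DROP
1700000005 10.0.0.9 -> 10.0.0.20:80 ACCEPT
1700000005 10.0.0.9 -> 10.0.0.20:110 DROP
1700000006 10.0.0.9 -> 10.0.0.20:445 DROP
1700000030 10.0.0.5 -> 10.0.0.20:443 ACCEPT
1700000045 10.0.0.5 -> 10.0.0.21:22 ACCEPT
1700000060 10.0.0.5 -> 10.0.0.20:80 ACCEPT
this line is malformed and must be skipped, not crash the parser
"""


def parse_line(line):
    """Return (ts, src, dst, port, verdict) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, verdict = m.groups()
    return int(ts), src, dst, int(port), verdict


def detect_scanners(lines, window=10, threshold=5):
    """Flag sources that touch >= threshold distinct (dst, port) pairs within any `window`-second span.

    Lines are assumed to be in time order. Returns {src_ip: peak_distinct_targets}.
    Dropped and accepted attempts both count: a sweep of closed ports is still a sweep.
    """
    recent = defaultdict(deque)          # src -> deque of (ts, (dst, port)), oldest first
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, port, _verdict = ev
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct host:port targets inside a {10} s window")
```

The window and threshold are the tuning knobs: a short window catches the -T4 and Masscan end of the spectrum, while the slow timing templates only show up if you also correlate the same source over minutes or hours, so keep a longer window alongside the short one.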
Common Ports & Services
• 21 – FTP
• 22 – SSH
• 23 – Telnet
• 25 – SMTP
• 53 – DNS
• 80 – HTTP
• 110 – POP3
• 123 – NTP
• 135 – RPC
• 443 – HTTP over TLS/SSL (HTTPS)
• 445 – SMB
• 514 – Syslog
• 3389 – RDP (Microsoft Terminal Server)
• 5500 – VNC

Common Ports & Services
• Do they always have to be on those ports?
• Dynamic services
• What about development ports?
  ◦ Database ports – 1433, 3306, 27017
  ◦ Dev web servers – 8080, 8443, 10443
  ◦ Etc…

What should you scan?
• Considerations
  ◦ Time available
  ◦ Number of hosts
  ◦ Goal?
• Ports 1-1024?
  ◦ What about 5900?
• Scanner options
  ◦ Nmap top ports
  ◦ Port list file

Scanning IPv6 Hosts
• Not every host is running IPv4
• A system may have both
  ◦ Full migration to 6 is slow
• Services don’t have to listen on all interfaces
• nmap -T4 -Pn -n -sT -sV -6 fc00:660:0:1::46

Documentation is key
• Remember when I said reporting is a constant process?
• Keep all scan data
  ◦ You may come back later and have different results
• What if the customer needs to deconflict?
  ◦ Time
  ◦ Source of scan
  ◦ Hosts/Ports scanned

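The three deconfliction fields on this slide (time, source of scan, hosts/ports scanned) are easy to promise and easy to lose. As an added example (not from the slides), the following writes one JSON record per scan next to the raw tool output and answers the customer's question directly: was host X touched by us at time T? The engagement id is a placeholder, and the timestamps, command line and output are constructed.

```python
"""Record the metadata a customer needs to deconflict a scan (added example).

Not from the slides. Every scan gets a JSON record with the time window,
the source address the scan came from, the hosts and ports touched and a
hash of the raw tool output kept next to it, so a later "was that you at
14:03?" can be answered from the record alone.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def make_scan_record(command, source_ip, targets, ports, raw_output, started, finished,
                     engagement="ENGAGEMENT-ID-PLACEHOLDER"):
    """Build the deconfliction record. `engagement` is a placeholder, not a real id."""
    if started.tzinfo is None or finished.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; deconfliction fails on ambiguous local times")
    return {
        "engagement": engagement,
        "started_utc": started.astimezone(timezone.utc).isoformat(),
        "finished_utc": finished.astimezone(timezone.utc).isoformat(),
        "source_ip": source_ip,
        "command": command,
        "targets": sorted(set(targets)),
        "ports": sorted(set(ports)),
        "raw_output_sha256": hashlib.sha256(raw_output.encode("utf-8")).hexdigest(),
    }


def save_scan_record(record, raw_output, outdir):
    """Write <stem>.json and <stem>.raw.txt into outdir; returns the JSON path."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    stem = (record["started_utc"].replace("+00:00", "Z").replace(":", "")
            + "_" + record["raw_output_sha256"][:8])
    (outdir / f"{stem}.raw.txt").write_text(raw_output, encoding="utf-8")
    json_path = outdir / f"{stem}.json"
    json_path.write_text(json.dumps(record, indent=2, sort_keys=True), encoding="utf-8")
    return json_path


def load_scan_records(outdir):
    """Read every record in outdir, oldest first (file names sort by start time)."""
    return [json.loads(p.read_text(encoding="utf-8")) for p in sorted(Path(outdir).glob("*.json"))]


def was_scanned_by_us(records, host, when):
    """Deconfliction check: records whose window covers `when` and whose targets include `host`."""
    when = when.astimezone(timezone.utc)
    hits = []
    for r in records:
        start = datetime.fromisoformat(r["started_utc"])
        end = datetime.fromisoformat(r["finished_utc"])
        if start <= when <= end and host in r["targets"]:
            hits.append(r)
    return hits


def run_demo():
    """Constructed scenario: one scan, then one matching and two non-matching deconfliction queries."""
    started = datetime(2024, 1, 15, 14, 2, tzinfo=timezone.utc)
    finished = datetime(2024, 1, 15, 14, 9, tzinfo=timezone.utc)
    raw = "Nmap scan report for 10.0.0.20\n22/tcp open ssh\n"     # constructed output
    rec = make_scan_record("nmap -T4 -Pn -n -sT -sV --open 10.0.0.20", "10.0.0.5",
                           ["10.0.0.20"], [22, 80, 443], raw, started, finished)
    outdir = tempfile.mkdtemp()
    path = save_scan_record(rec, raw, outdir)
    records = load_scan_records(outdir)
    hits = was_scanned_by_us(records, "10.0.0.20", datetime(2024, 1, 15, 14, 3, tzinfo=timezone.utc))
    misses = (was_scanned_by_us(records, "10.0.0.21", datetime(2024, 1, 15, 14, 3, tzinfo=timezone.utc))
              + was_scanned_by_us(records, "10.0.0.20", datetime(2024, 1, 15, 15, 0, tzinfo=timezone.utc)))
    return {"record": rec, "path": path, "hits": hits, "misses": misses}


if __name__ == "__main__":
    out = run_demo()
    print(out["path"], "hits:", len(out["hits"]), "misses:", len(out["misses"]))
```

Storing UTC only and refusing naive timestamps is deliberate: a customer's SOC works in their own time zone, and a record that cannot be placed unambiguously on the clock is no use for deconfliction. The hash ties the record to the raw output you keep, so the results you come back to later are the ones you actually saw.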
