Scanning
The scanning process can be divided into three steps:
1. Determining if a system is active.
2. Port scanning the system.
3. Scanning the system for vulnerabilities.
Step 1 is the process of determining whether a target system
is turned on and capable of communicating or interacting with our machine. This
step is the least reliable of the three, so we should always continue with steps
2 and 3 regardless of the outcome of this test. It is still important to
conduct this step and make note of any machines that respond as alive.
Ports are numbered endpoints that let software on one machine communicate
with software on another over a network. A port is a data connection that
allows a computer to exchange information with other computers, software, or
devices.
Port Number   Service
20            FTP data transfer
21            FTP control
22            SSH
23            Telnet
25            SMTP (e-mail)
53            DNS
80            HTTP
443           HTTPS
Pings and Ping Sweeps
A ping is a special type of network packet called an ICMP
packet. Pings work by sending a specific type of network traffic, called ICMP
Echo Request packets, to a specific interface on a computer or network device.
If the device (and the attached network card) that received the ping packet is
turned on and not restricted from responding, the receiving machine will
respond to the originating machine with an Echo Reply packet. Aside from
telling us that a host is alive and accepting traffic, pings provide other
valuable information, including the total time it took for the packet to travel
to the target and return.
The simplest way to run a ping sweep is with a tool called
FPing. FPing is built into Backtrack and is run from the terminal. The easiest
way to run FPing is to open a terminal window and type the following:
fping -a -g 172.16.45.1 172.16.45.254 > hosts.txt
The "-a" argument is used to show only the live hosts in the
output. This makes our final report much cleaner and easier to read. The "-g"
argument is used to specify the range of IP addresses we want to sweep; you
need to enter both the beginning and the ending IP addresses. In this example,
we scanned all the IPs from 172.16.45.1 to 172.16.45.254. The ">" character
redirects the output to a file, and hosts.txt is the name of the file our
results will be saved to.
Port Scanning
There are a total of 65,536 (0–65,535) ports on every
computer. Ports can be either TCP or UDP depending on the service using the port.
We scan computers to see what ports are in use or “open”. This gives us a
better picture of the purpose of the machine, which gives us a better idea
about how to attack the box.
TCP 3-Way Handshake
Before we go on, we first have to know how computers on a
network communicate with each other. When two computers want to communicate,
they go through a process known as the 3-way handshake. The first computer, A,
sends a synchronize (SYN) packet to the other computer, B. Then, if computer B
is listening (has its port open), it responds to A with a
synchronize-acknowledgement (SYN-ACK) packet. Finally, computer A sends an
acknowledgement (ACK) packet to computer B, and the two computers communicate
as usual.
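To make the handshake concrete, here is an added example (my own illustration, not code from the original post) that models the three segments exchanged between a scanner and a target. It shows what comes back from an open versus a closed port, and how a full connect (the -sT style scan discussed later on this page) differs from a half-open SYN probe when you look at the exchange from the server's side: only the completed handshake ever reaches the application and its logs, while a firewall or IDS watching for unanswered SYN-ACKs still sees the half-open probe. The port numbers, the "listening_ports" set and the function names are all constructed for this example.

```python
# Added example, not from the original post: a minimal model of the TCP
# three-way handshake that shows what a scanner sees on an open versus a
# closed port, and how a full connect differs from a half-open (SYN-only)
# probe in a server-side trace. All names and traces are constructed.


def server_reply(listening_ports, port, flags):
    """What the target host sends back for one incoming segment.

    A SYN to a listening port is answered with SYN-ACK; a SYN to a closed
    port is refused with RST. An ACK or RST from the client needs no reply.
    """
    if flags == "SYN":
        return "SYN-ACK" if port in listening_ports else "RST"
    return None


def probe(listening_ports, port, complete=True):
    """Exchange one probe against `port` and return (trace, verdict).

    complete=True  models a full connect (nmap -sT): SYN, SYN-ACK, ACK, RST.
    complete=False models a half-open probe (nmap -sS): SYN, SYN-ACK, RST.
    The trace is a list of (sender, flags) in the order the segments are sent.
    """
    trace = [("client", "SYN")]
    reply = server_reply(listening_ports, port, "SYN")
    trace.append(("server", reply))
    if reply == "RST":
        return trace, "closed"            # nobody is listening; no connection
    if complete:
        trace.append(("client", "ACK"))   # handshake finishes: ESTABLISHED
        trace.append(("client", "RST"))   # then torn down immediately
    else:
        trace.append(("client", "RST"))   # SYN-ACK never acknowledged
    return trace, "open"


def classify_flow(trace):
    """Classify a trace from the server's point of view.

    'established': the client's ACK arrived, so accept() completed and the
                   application (and its logs) saw a connection.
    'half-open'  : SYN-ACK was sent but never acknowledged; only the kernel,
                   a firewall or an IDS watching SYN-ACKs noticed anything.
    'refused'    : the port was closed and the server answered with RST.
    """
    client = [flags for who, flags in trace if who == "client"]
    server = [flags for who, flags in trace if who == "server"]
    if "RST" in server:
        return "refused"
    if "ACK" in client:
        return "established"
    if "SYN-ACK" in server:
        return "half-open"
    return "unknown"


def scan_summary(listening_ports, ports, complete):
    """Probe several ports and return {port: (scanner verdict, flow class)}."""
    result = {}
    for port in ports:
        trace, verdict = probe(listening_ports, port, complete)
        result[port] = (verdict, classify_flow(trace))
    return result


if __name__ == "__main__":
    listening = {22, 80}   # constructed: the target listens on SSH and HTTP
    print("connect scan:", scan_summary(listening, [22, 23, 80], complete=True))
    print("SYN scan:    ", scan_summary(listening, [22, 23, 80], complete=False))
```

The point for a defender is in classify_flow: a half-open probe leaves no trace in application logs, so detecting it has to happen at the packet or firewall layer, where SYN-ACKs that are never acknowledged are visible.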
Using Nmap
Nmap was written by Gordon Lyon and is available for free
from www.insecure.org and is built into today’s Backtrack Linux 5.
The official guide to using the nmap scanner covers nmap much more in depth
than this site does. What more can I say?
When we conduct a port scan, Nmap will create a packet and
send it to each designated port on the computer just like the 3-way handshake.
The goal is to determine what kind of a response we get from the target ports.
To use Nmap, open up the terminal and type:
nmap -p- 192.168.56.101
The "-p-" tells nmap to scan all ports on a target machine.
The IP address that follows is the local IP of the target machine
(192.168.56.101 in the command above).
Vulnerability Scanning
To scan systems for vulnerabilities, we will use a
vulnerability scanner. There are several good scanners available, but we will
be focusing on Nessus. To install Nessus type:
root@bt:~# apt-get install nessus
Then, to access Nessus via the GUI go to:
Applications -> Backtrack -> Vulnerability Assessment
-> Vulnerability Scanner -> Nessus -> Nessus Start.
Medusa
Medusa is a log-in brute forcer that attempts to gain access
to remote services by guessing at the user password. Medusa is capable of
attacking a large number of remote services including FTP, HTTP, MySQL, Telnet,
VNC, Web Form, and more. In order to use Medusa, you need several pieces of
information including the target IP address, a username or username list that
you are attempting to log in as, a password or dictionary file containing
multiple passwords to use when logging in, and the name of the service you are
attempting to authenticate with.
Medusa comes installed on Backtrack 5. However, if you are
using a different version of Backtrack without Medusa, type:
apt-get update
apt-get install medusa
When using online password crackers, the potential for success can be greatly
increased if you combine this attack with information gathered from
reconnaissance and scanning. An example of this is when you find usernames,
passwords, and email addresses. Programs like Medusa will take a username and a
password list and keep guessing until they have tried every password in the
list. Be aware that some remote access systems employ a password throttling
technique that can limit the number of unsuccessful log-ins you are allowed.
Your IP address can be blocked or the username can be locked out if you enter
too many incorrect guesses.
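The throttling and lockout behaviour mentioned above is driven by the same signal a defender watches for: a burst of failed logins for one account from one source, sometimes followed by a success. The following is an added example (my own code, not part of the original post or of Medusa) that runs that detection over a few constructed OpenSSH-style auth log lines. The log entries, the threshold of 5 failures and the 60-second window are assumptions chosen for illustration.

```python
# Added example, not from the original post: detection logic for online
# password guessing, run over constructed OpenSSH-style auth log lines. The
# entries, the threshold (5 failures) and the window (60 s) are assumptions.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: one source hammers root and then gets in; a normal
# user mistypes once. Syslog timestamps carry no year; deltas still work.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bt sshd[2101]: Failed password for root from 10.75.0.9 port 51234 ssh2
Mar  3 10:00:03 bt sshd[2101]: Failed password for root from 10.75.0.9 port 51236 ssh2
Mar  3 10:00:05 bt sshd[2101]: Failed password for root from 10.75.0.9 port 51238 ssh2
Mar  3 10:00:07 bt sshd[2101]: Failed password for invalid user admin from 10.75.0.9 port 51240 ssh2
Mar  3 10:00:08 bt sshd[2101]: Failed password for root from 10.75.0.9 port 51242 ssh2
Mar  3 10:00:10 bt sshd[2101]: Failed password for root from 10.75.0.9 port 51244 ssh2
Mar  3 10:00:12 bt sshd[2101]: Failed password for root from 10.75.0.9 port 51246 ssh2
Mar  3 10:00:15 bt sshd[2101]: Accepted password for root from 10.75.0.9 port 51248 ssh2
Mar  3 10:05:00 bt sshd[2150]: Failed password for bob from 10.75.0.5 port 40001 ssh2
Mar  3 10:05:04 bt sshd[2150]: Accepted password for bob from 10.75.0.5 port 40001 ssh2
"""


def parse_auth_line(line):
    """Return (timestamp, outcome, user, ip), or None for lines we don't track."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("outcome"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag (ip, user) pairs with >= threshold failures inside window_s seconds.

    Each alert records the total failures seen for that pair and whether a
    successful login from the same source followed the burst; that is the
    case to escalate, because the guessing most likely worked.
    """
    recent = defaultdict(deque)   # (ip, user) -> failure timestamps in window
    totals = Counter()            # (ip, user) -> all failures seen
    alerts = {}
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        key = (ip, user)
        if outcome == "Failed":
            window = recent[key]
            window.append(ts)
            totals[key] += 1
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()          # slide the window forward
            if len(window) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = totals[key]
        elif outcome == "Accepted" and key in alerts:
            alerts[key]["success_after"] = True
    return alerts


def distinct_users_per_source(lines):
    """Count distinct usernames tried per source IP.

    A per-user threshold misses one source trying many users a few times
    each (the username-list case above); this view catches that pattern.
    """
    users = defaultdict(set)
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is not None:
            _, _, user, ip = parsed
            users[ip].add(user)
    return {ip: len(seen) for ip, seen in users.items()}


if __name__ == "__main__":
    sample = SAMPLE_AUTH_LOG.splitlines()
    print(detect_bruteforce(sample))
    print(distinct_users_per_source(sample))
```

Two knobs matter in practice: the window should be at least as long as the lockout period the service enforces, and the per-source view should be reviewed alongside the per-user one, since a guessing tool fed a username list spreads its attempts across accounts.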
Backtrack includes a few word lists that you can use for
your brute forcing adventures. You can find one list at:
/pentest/passwords/wordlists/
In order to execute the brute-force attack, you open a
terminal and type the following:
medusa -h target_ip -u username -P path_to_password_dictionary -M service_to_attack
“-h” is used to specify the IP address of the target host.
The “-u” is used for a single username that Medusa will use to attempt log-ins.
“-P” is used to specify an entire list containing multiple passwords. The “-P”
needs to be followed by the actual location or path to the dictionary file. The
“-M” switch is used to specify which service we want to attack.
More on NMap
The first step in any pentest/attack is to locate targets.
There is no better tool for this than nmap. I will usually use nmap for three
different scans: ping, port, and version. The ping sweep allows me to locate
systems that are alive, the port scan tells me the open ports on a system, and
the version scan tells me specifics about the services that are listening on
those ports. The beauty of nmap is the flexibility you have in the range of IP
addresses you want to look at.
To perform a ping sweep on addresses in the range 10.75.0.1 to 10.75.0.10,
run the following:
nmap -n -sP 10.75.0.1-10
The -n switch tells nmap not to resolve host names, making the scan much
faster. The -sP switch tells nmap to perform a ping sweep.
Once you have located systems that are alive, the next step is to see what
services (and potential holes for exploit) exist on these systems. To do this,
perform a port scan via the command:
nmap -n -sT 10.75.0.1
This will perform a full TCP connection port scan on 10.75.0.1. The -sT switch
tells nmap to perform a full TCP connection (i.e. SYN, SYN-ACK, ACK, RESET) on
ports deemed "interesting" per the nmap build you are using. By default the
ports included are 1-1025 plus ports above 1025 that are listed in the
network-services configuration file. In some instances you may want to be a
little more stealthy and would use the -sS port scan. This tells nmap to
perform a SYN scan (SYN, SYN-ACK, RESET). This scan doesn't create a full TCP
connection and as such usually doesn't get "logged". Note that you can perform
a port scan against a range of targets using nmap's IP address range options.
For example, to port scan the IP addresses from 10.75.0.1 to 10.75.0.10 I
would call:
nmap -n -sT 10.75.0.1-10
In reality a port scan will only take you so far. It tells you that a host is
listening on a specific port, but it doesn't give you any details beyond the
"default" for that port. For example, port 80 is by default HTTP, but what is
the specific server that is providing that access (IIS, Apache, etc.)? To get
these details we perform a version scan via:
nmap -n -sV 10.75.0.1
A final scan I will perform is OS fingerprinting via:
nmap -n -sV -O 10.75.0.1
This will tell you the OS and version with very reliable accuracy. Now with
the information provided by nmap we can do the research to know how to exploit
the target system. This is a topic for another post.
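A version scan is only as useful as what you do with its output. The following is an added example (my own code, not from the original post or the nmap project) that parses nmap's grepable output format (the -oG option) into a per-host inventory and then checks it against a baseline of the ports each host is supposed to expose, which is how a defender turns the same scan into a list of unexpected services. The sample scan lines, the baseline and the function names are constructed; the addresses reuse the 10.75.0.x range from the post, and the "Ports:" entries follow the port/state/protocol/owner/service/rpc/version layout that -oG emits.

```python
# Added example, not from the original post: parse nmap -oG output into an
# inventory and diff it against a baseline of expected open ports. The scan
# lines, baseline and service classifications below are constructed.

# Constructed -oG output from "nmap -n -sV -oG - 10.75.0.1-10" (fields are
# tab-separated; each port entry is port/state/proto/owner/service/rpc/version/).
SAMPLE_GREPABLE = "\n".join([
    "# Nmap 5.51 scan initiated as: nmap -n -sV -oG - 10.75.0.1-10",
    "Host: 10.75.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)",
    "Host: 10.75.0.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.2/, "
    "22/filtered/tcp//ssh///, 23/open/tcp//telnet//Linux telnetd/"
    "\tIgnored State: closed (997)",
    "# Nmap done -- 10 IP addresses (2 hosts up) scanned in 12.34 seconds",
])

# Services that carry credentials in the clear (constructed, extend as needed).
CLEARTEXT_SERVICES = {"ftp", "telnet"}


def parse_port_entry(entry):
    """Split one 'port/state/proto/owner/service/rpc/version/' entry.

    The version field is split last with a bounded split so that any '/'
    inside a version string stays intact; missing fields become ''.
    """
    parts = entry.strip().rstrip("/").split("/", 6)
    parts += [""] * (7 - len(parts))
    return {
        "port": int(parts[0]),
        "state": parts[1],
        "proto": parts[2],
        "service": parts[4],
        "version": parts[6],
    }


def parse_grepable(text):
    """Return {ip: [port entries]} for every Host line that carries a Ports field."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                          # comment lines and blanks
        fields = line.split("\t")
        ip = fields[0].split()[1]             # "Host: 10.75.0.1 ()" -> address
        for field in fields[1:]:
            if field.startswith("Ports: "):
                entries = field[len("Ports: "):].split(", ")
                inventory[ip] = [parse_port_entry(e) for e in entries]
    return inventory


def unexpected_open_ports(inventory, baseline):
    """Open ports the baseline does not list for that host.

    baseline maps ip -> set of ports allowed to be open; a host missing from
    the baseline entirely has every open port reported.
    """
    findings = {}
    for ip, entries in inventory.items():
        allowed = baseline.get(ip, set())
        extra = sorted(e["port"] for e in entries
                       if e["state"] == "open" and e["port"] not in allowed)
        if extra:
            findings[ip] = extra
    return findings


def cleartext_services(inventory):
    """Open ports running a service from CLEARTEXT_SERVICES, per host."""
    findings = {}
    for ip, entries in inventory.items():
        ports = sorted(e["port"] for e in entries
                       if e["state"] == "open" and e["service"] in CLEARTEXT_SERVICES)
        if ports:
            findings[ip] = ports
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    baseline = {"10.75.0.1": {22, 80}}       # constructed: what should be open
    print("unexpected:", unexpected_open_ports(inventory, baseline))
    print("cleartext: ", cleartext_services(inventory))
```

Running the same scan on a schedule and diffing against the baseline is the cheapest way to notice a service that appeared without a change ticket; the version column is what you feed into patch tracking.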