====== Scanning ======

===== Review =====

**The six steps/stages of a PenTest...**

  - Pre-Engagement: Planning & Scope
  - Recon: Information Gathering
  - Scanning
  - Exploitation
  - Post-Exploitation
  - Post-Engagement: Report

===== Overview =====

**Outline of the Scanning Stage:**

  - Initial Interrogation: ''ping'' (or ARP) the IPs in scope to see which hosts are online (ping sweep).
  - Port Scan: Nmap (and maybe Naabu, Masscan, etc.)
  - Further Interrogation: NSE scripts and service-specific tools
  - Vulnerability Scanning: Nessus, OpenVAS, et al.
  - GOAL: Enumeration (a prioritized list of vulnerabilities to carry into the Exploitation stage)

**Scanning Philosophy:** "Fast and wide first; slow and narrow later."

----

===== Enumeration =====

Enumeration is what makes an attack succeed: firing exploits that do not apply to the target wastes time, and firing ones that do not match the exact version can crash the service and burn the engagement.

  * Try every angle when enumerating; the information gathered here is what the exploitation stage runs on.
  * Record versions, not just "open": an exploit is chosen against a specific version and configuration.

----

====== Initial Interrogation ======

**Find Target IPs:** Scan the network we are on to find which IP address the target host has been assigned:

  - Option #1: netdiscover (ARP)
  - Option #2: arp-scan (ARP)
  - Option #3: nmap ping sweep: ''nmap -sn 192.168.0.0/24''

ARP-based discovery (options 1 and 2) only sees hosts on the same layer-2 segment. Across a router or a VPN (HTB-style ''tun0'') use the nmap or bash ping sweeps instead, and remember that a host which filters ICMP is missed by a plain ping sweep but will still show up in a port scan.

----

===== netdiscover =====

**Syntax:**

<code bash>
netdiscover -r 192.168.0.0/24    # -r, range: 192.168.0.0/24, /16 or /8
</code>

**Results:**

<code>
 19 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 1140
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     f4:f5:e8:70:51:7b     10     600  Google, Inc.
 192.168.0.100   f4:6d:04:21:09:62      1      60  ASUSTek COMPUTER INC.
 192.168.0.120   00:1b:a9:46:c1:b3      1      60  Brother industries, LTD.
 192.168.0.141   50:46:5d:67:32:88      1      60  ASUSTek COMPUTER INC.
 192.168.0.210   70:85:c2:83:26:33      1      60  ASRock Incorporation
 192.168.0.229   00:0c:29:fb:94:f9      1      60  VMware, Inc.
 192.168.0.247   c0:c1:c0:b8:de:63      1      60  Cisco-Linksys, LLC
 192.168.0.222   f0:ef:86:0b:0e:58      2     120  Google, Inc.
 192.168.0.214   d8:e0:e1:9d:7b:f7      1      60  Samsung Electronics Co.,Ltd
</code>

----

===== arp-scan =====

**Syntax:**

<code bash>
arp-scan -l    # -l, --localnet: generate the address list from the local network configuration
</code>

**Results:**

<code>
Interface: eth0, type: EN10MB, MAC: 08:00:27:5c:65:26, IPv4: 192.168.0.203
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     f4:f5:e8:70:51:7b       Google, Inc.
192.168.0.100   f4:6d:04:21:09:62       ASUSTek COMPUTER INC.
192.168.0.120   00:1b:a9:46:c1:b3       Brother industries, LTD.
192.168.0.141   50:46:5d:67:32:88       ASUSTek COMPUTER INC.
192.168.0.210   70:85:c2:83:26:33       ASRock Incorporation
192.168.0.229   00:0c:29:fb:94:f9       VMware, Inc.
192.168.0.247   c0:c1:c0:b8:de:63       Cisco-Linksys, LLC
192.168.0.222   f0:ef:86:0b:0e:58       Google, Inc.
192.168.0.214   d8:e0:e1:9d:7b:f7       Samsung Electronics Co.,Ltd (DUP: 1)
</code>

The MAC vendor column is useful triage on its own: the ''00:0c:29'' (VMware) host at 192.168.0.229 is the lab VM, and it is the target used in the Masscan examples below. ''(DUP: 1)'' just means the host answered twice.

----

===== Bash: Ping Sweep =====

**One-liner:** Failures go to /dev/null and only successful pings print to stdout.

<code bash>
for ip in 192.168.56.{101..110}; do ping -c 1 -W 1 "$ip" > /dev/null 2>&1 && echo "${ip} is up"; done
</code>

Simple sweep of a network for a quick look at which machines are out there (and respond):

<code bash>
#!/bin/bash
# Sweep 192.168.0.1-254; each ping is backgrounded with "&" so all 254 probes run concurrently
for i in {1..254}; do
  ping -w 5 -c 1 "192.168.0.$i" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
wait    # no args: wait for all background pings to finish
</code>

Note the **"&"** at the end of the ping line. It backgrounds each ping instead of waiting for each reply in turn, which speeds things up a lot. The ''grep''/''cut''/''tr'' chain turns "64 bytes from 192.168.0.1: icmp_seq=1 ..." into just the IP.

----

====== Port Scan Target IPs ======

===== Ports =====

Network ports are numbers assigned to specific services running on a computer.

  * IP addresses are assigned to devices; they let messages on the network go to and from that specific device.
  * Each device (with its unique IP address) has multiple port numbers assigned to specific services (programs, usually running in the background) on that device.
  * So IP addresses get messages to and from a specific device, and port numbers target a specific service or application within that device. The discovery stage gives us the addresses; the port scan tells us which services are listening on each of them.
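Before the port scanners get involved, the discovery output has to become a target list. The script below is an added example (not from the original page): it parses the arp-scan and netdiscover table formats shown above into "IP MAC Vendor" records, drops our own address and any vendor you want to skip, and prints a sorted, de-duplicated list ready for ''nmap -iL'' or ''masscan -iL''. The sample output is constructed from the arp-scan run above; the own-IP argument and the vendor exclusion regex are this example's additions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn arp-scan / netdiscover output into a
# clean target list for the port scanners (nmap -iL / masscan -iL). The sample output
# below is constructed from the arp-scan run shown above; the "own IP" and vendor
# exclusion parameters are this example's additions.
set -euo pipefail

# Print "IP MAC Vendor" for every host line in arp-scan or netdiscover output (stdin).
# Host lines start with a dotted-quad IP and a MAC; headers, footers and the
# "Starting arp-scan" banner do not, so they fall through the regex check.
extract_hosts() {
  local line ip mac rest
  local ip_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local mac_re='^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
  local nd_re='^[0-9]+[[:space:]]+[0-9]+[[:space:]]+(.*)$'   # netdiscover: Count Len Vendor
  while IFS= read -r line; do
    read -r ip mac rest <<<"$line"
    [[ $ip =~ $ip_re && $mac =~ $mac_re ]] || continue
    [[ $rest =~ $nd_re ]] && rest=${BASH_REMATCH[1]}         # strip netdiscover's Count/Len columns
    rest=${rest%" (DUP: "*")"}                                # strip arp-scan's duplicate-reply marker
    printf '%s %s %s\n' "$ip" "$mac" "$rest"
  done
}

# Build a sorted, de-duplicated target list. Drops our own address and, optionally,
# hosts whose vendor string matches an ERE (printers, the gateway, ...).
# Usage: make_targets <own-ip> [exclude-vendor-regex] < discovery-output
make_targets() {
  local me=$1 exclude=${2:-} ip mac vendor
  extract_hosts | while read -r ip mac vendor; do
    [[ $ip == "$me" ]] && continue
    [[ -n $exclude && $vendor =~ $exclude ]] && continue
    printf '%s\n' "$ip"
  done | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Constructed sample in arp-scan's format (our own host, 192.168.0.203, is never listed).
SAMPLE_ARPSCAN='Interface: eth0, type: EN10MB, MAC: 08:00:27:5c:65:26, IPv4: 192.168.0.203
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     f4:f5:e8:70:51:7b       Google, Inc.
192.168.0.100   f4:6d:04:21:09:62       ASUSTek COMPUTER INC.
192.168.0.120   00:1b:a9:46:c1:b3       Brother industries, LTD.
192.168.0.229   00:0c:29:fb:94:f9       VMware, Inc.
192.168.0.214   d8:e0:e1:9d:7b:f7       Samsung Electronics Co.,Ltd (DUP: 1)
192.168.0.229   00:0c:29:fb:94:f9       VMware, Inc. (DUP: 1)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.094 seconds (122.25 hosts/sec). 5 responded'

# Demo: skip the printer and the Google devices, keep everything else (the 00:0c:29
# VMware MAC at .229 is the lab VM). Redirect to a file to feed nmap -iL / masscan -iL.
make_targets 192.168.0.203 'Brother|Google' <<<"$SAMPLE_ARPSCAN"
```

Run it as ''make_targets 192.168.0.203 'Brother|Google' < arp-scan.txt > targets.txt'' and then ''nmap -sS -p- -iL targets.txt''. Matching on the IP and MAC columns rather than on line position is what lets the same function read both tools' output: everything that is not a host line is skipped without special cases.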
Port numbers are divided into three ranges:

^ Ports ^ Quantity ^ Description ^
| 0 - 65,535 | 65,536 | Total ports |
| 0 - 1,023 | 1,024 | Well-Known (System) Ports |
| 1,024 - 49,151 | 48,128 | Registered Ports |
| 49,152 - 65,535 | 16,384 | Dynamic (Ephemeral) Ports |

**Common ports worth recognizing in a scan** (most are registered for both TCP and UDP; the transport listed is the one you will actually see):

^ Port ^ Protocol ^ Service ^
| 20 | TCP | FTP Data |
| 21 | TCP | FTP Control |
| 22 | TCP | SSH |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 53 | TCP & UDP | DNS (UDP for queries; TCP for zone transfers and large responses) |
| 67 | UDP | DHCP Server |
| 68 | UDP | DHCP Client |
| 69 | UDP | TFTP |
| 80 | TCP | HTTP |
| 88 | TCP & UDP | Kerberos |
| 110 | TCP | POP3 |
| 111 | TCP & UDP | RPCbind / portmapper (tells you which ports NFS and other RPC services are on) |
| 123 | UDP | NTP |
| 135 | TCP | MS-RPC EPMAP ((**Microsoft's Remote Procedure Call (RPC) Endpoint Mapper (EPMAP):** RPC lets a program execute a subroutine or procedure in another address space (another process, or another host). The endpoint mapper on 135 tells clients which dynamic high port a given RPC service is listening on.)) |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service, **SMB** over NetBIOS ((SMB originally ran on top of NetBIOS on port 139. NetBIOS over TCP/IP (NBT) is an older session service that lets Windows computers find and talk to each other on the same network. SMB now runs (mostly) directly over TCP on port 445.)) |
| 143 | TCP | IMAP |
| 161 | UDP | SNMP |
| 162 | UDP | SNMP Traps |
| 389 | TCP & UDP | LDAP ((**Lightweight Directory Access Protocol:** Open, vendor-neutral standard application protocol for accessing and maintaining distributed directory information services over an IP network.)) |
| 443 | TCP | HTTPS |
| 445 | TCP | **SMB** directly over TCP (microsoft-ds); on a domain this is also how AD shares such as SYSVOL and NETLOGON are reached ((SMB used to run on port 139 (NetBIOS). Since Windows 2000, SMB runs directly on TCP port 445 without the NetBIOS layer. Using plain TCP lets SMB work across routed networks and the Internet, which is exactly why 445 is filtered at any sane perimeter.)) |
| 500 | UDP | ISAKMP / IKE (IPsec VPN) |
| 515 | TCP | LPD (Line Printer Daemon) |
| 1433 | TCP | Microsoft SQL Server |
| 1434 | UDP | Microsoft SQL Server Browser (instance discovery) |
| 1521 | TCP | Oracle Database Listener (TNS) |
| 1812 & 1813 | UDP | RADIUS (authentication & accounting) |
| 2049 | TCP & UDP | NFS |
| 3389 | TCP | RDP (Windows) |
| 5355 | UDP | LLMNR ((**Link-Local Multicast Name Resolution:** Protocol based on the DNS packet format. Allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link (LAN). Multicast IPv4 address: 224.0.0.252)) |

----

===== Nmap =====

[[cheat_sheets_nmap | See here.]]

----

===== Masscan =====

[[https://github.com/robertdavidgraham/masscan|Fast port scanner by Robert David Graham]]

**Syntax:**

<code bash>
masscan -p1-65535 192.168.0.229
</code>

Speed it up with the rate option:

<code bash>
masscan -p1-65535 --rate 1000 192.168.0.229    # similar coverage to: nmap -T4 -p- 192.168.0.229
</code>

Extended syntax (for HTB, over the VPN):

<code bash>
masscan 10.10.10.4 -p1-65535,U:1-65535 --rate=1000 -e tun0
# -p1-65535,U:1-65535   scan all TCP ports and all UDP ports
# --rate=1000           send 1000 packets per second
# -e tun0               send and receive on the VPN interface (masscan has its own TCP/IP stack and must be told which interface to use)
</code>

Masscan only tells you open/closed; it does no nmap-style version detection (only basic ''--banners''). The usual workflow is masscan across the full port range, then nmap ''-sV -sC'' on just the ports it found. Over a VPN keep ''--rate'' modest (a few hundred to 1000 pps): push it higher and replies get dropped, so the scan silently misses ports.

----

====== Further Interrogation ======

Service-by-service enumeration checklist: http://www.0daysecurity.com/penetration-testing/enumeration.html

===== DirBuster =====

File extensions for Windows (IIS):

  * asp,aspx,asmx,ashx
  * asp,aspx,asmx,ashx,txt,zip,rar,bak (the longer the list, the longer it will take)

File extensions for Linux (Apache):

  * php,sh,js,html,py

----

===== DAVTest =====

DAVTest tests WebDAV-enabled servers by uploading test executable files and then (optionally) uploading files that allow command execution or other actions directly on the target. It lets a pentester quickly determine whether an enabled DAV service is exploitable: which file types the server accepts, and whether it will execute them.
  * https://tools.kali.org/web-applications/davtest
  * Syntax:

<code bash>
davtest -url http://<target>/<webdav-path>/ [options]    # run davtest with no arguments to list the options
</code>

----

===== Enum4Linux =====

Enum4linux enumerates Windows and Samba hosts over SMB: shares, users, groups, password policy and OS information, via null sessions where the target allows them.

**Syntax:**

<code bash>
enum4linux [options] ip
</code>

**Options:**

^ Flag ^ Description ^
| ''-U'' | get userlist |
| ''-M'' | get machine list |
| ''-N'' | get namelist dump (different from -U and -M) |
| ''-S'' | get sharelist |
| ''-P'' | get password policy information |
| ''-G'' | get group and member list |
| ''-a'' | all of the above (full basic enumeration) |

----

===== Kerberos =====

Kerberos scanning (initial enumeration): use [[cheat_sheets_various#kerberos | Kerbrute]] to enumerate valid usernames against the KDC (port 88) without a password and without causing lockouts, and [[https://github.com/GhostPack/Rubeus | Rubeus]] once you have a Windows foothold, for ticket requests and Kerberos abuse.

----

===== SearchSploit =====

This is a local search tool on your machine: a copy of exploit-db.com lives on disk and is searchable offline.

  * Don't search too specifically, or you won't get any results.
  * Be more general to get results, then filter and vet them (the exact version from enumeration is what you match against).
  * Note: in the path, some say "remote" and some say "local."

<code>
linux/local/46676.php
linux/remote/34.pl
</code>

  * "Local" means it is run on the target itself (typically privilege escalation once you already have a shell).
  * "Remote" is a remote exploit, launched from the attack machine against a network service.
  * ''searchsploit -x <path>'' displays an entry and ''searchsploit -m <path>'' copies (mirrors) it into the current directory. Read an exploit before running it.

----

====== Vulnerability Scanning ======

===== Nessus =====

Nessus is a paid-for product. There is a free tier (Nessus Essentials), but it is capped at 16 IP addresses and licensed for non-commercial use, which makes it a poor fit for professional pentesting. Use OpenVAS...

===== OpenVAS =====

Once installed, run with: ''gvm-start''

**Note:** gvm stands for [[https://www.openvas.org/ | Greenbone Vulnerability Management]]: the framework (''gvmd'', the ''gsad'' web interface and ''ospd-openvas'') built around the OpenVAS scanner. In practice the two names are used interchangeably.

To install OpenVAS on a Kali box:

<code bash>
apt update
apt install openvas openvas-scanner gvm gvmd -y
</code>

Once that is installed, run the check and fix what it tells you to fix, the way it tells you to fix it:

<code bash>
systemctl start redis-server@openvas.service
gvm-check-setup
</code>

If you fix something, run ''gvm-check-setup'' again. Lather. Rinse. Repeat... until everything is shiny and clean.

**Pay Attention to the Admin Password:**

  * When setup finishes, the last couple of lines print the password for the admin account (on Kali this comes from ''gvm-setup'', which does the first-run initialisation and creates the user).
  * Use this password to log in as admin or else GVM will not work.
  * It should look something like this:

<code>
[*] Please note the password for the admin user
[*] User created with password '1e709873-edbb-4b4a-87d3-a038d09e7160'.
</code>

  * If you lose it, reset it rather than reinstalling: ''sudo -u _gvm gvmd --user=admin --new-password='<new password>'''

**PostgreSQL Error:**

If you get the following error (the actual version numbers don't matter; you have two clusters, the script wants the later one, but the system default is the earlier):

<code>
ERROR: The default postgresql version is not the one used for gvmd compilation: (14, need 15).
FIX: Please use pg_upgradecluster to upgrade your postgresql installation
</code>

This happens because when the first PostgreSQL version was installed it took PostgreSQL's default port (5432). When the next version was installed, 5432 was already taken, so its cluster got a different port (probably 5433). Check it with this (replace "14" and "15" with your numbers):

<code bash>
grep -n "port =" /etc/postgresql/14/main/postgresql.conf
# Result:
# 64:port = 5432                          # (change requires restart)
grep -n "port =" /etc/postgresql/15/main/postgresql.conf
# Result:
# 64:port = 5433                          # (change requires restart)
</code>

The later PostgreSQL version needs the default port. So change the value of ''port ='' in the later version's postgresql.conf to 5432 and change ''port ='' in the earlier version's postgresql.conf to whatever you want (I just swapped mine). ''pg_lsclusters'' lists every cluster with its version, port and status and is the quickest way to confirm which cluster holds 5432. The fix the script itself suggests, ''pg_upgradecluster 14 main'', migrates the data into a 15 cluster so only one cluster is left on 5432; swapping ports is the lighter option when the old cluster holds nothing you need.

Then restart PostgreSQL: ''systemctl restart postgresql''

Continue with ''gvm-check-setup''.

**Service Failure Error:**

If you get an error like this...

<code>
Job for ospd-openvas.service failed because the control process exited with error code.
</code>

...it is a permissions problem on the OpenVAS log: the scanner runs as the ''_gvm'' user and cannot write ''/var/log/gvm/openvas.log''. [[https://www.reddit.com/r/Kalilinux/comments/qgcrdh/installing_openvas_in_kali_solution_for/ | Fix]]:

<code bash>
chmod 666 /var/log/gvm/openvas.log
# Then run your check again:
gvm-check-setup
# If that goes well, you may need to stop gvm:
gvm-stop
</code>

''chmod 666'' makes the log world-writable. Handing the file to the service account is the narrower fix and achieves the same thing: ''chown _gvm:_gvm /var/log/gvm/openvas.log''.

Once it's all finished and happy and error free, you run OpenVAS with:

<code bash>
gvm-start
</code>

Then, if a web page doesn't open auto-magically, plug this into the browser: ''https://localhost:9392''
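The port swap above is a two-file edit that is easy to get half right (one cluster moved, the other not, and now two clusters claim 5432). The script below is an added example, not part of the original page or of the GVM packages: it reads the active ''port ='' line of each cluster's postgresql.conf, moves the newer cluster onto 5432 and the older one onto the port the newer one had, and refuses to edit anything it cannot parse. The ''/etc/postgresql/<version>/main/postgresql.conf'' layout and the version numbers 14 and 15 are the page's; the demo runs on constructed copies in a temp directory, so it is safe to execute anywhere.

```shell
#!/usr/bin/env bash
# Added example (not from the page): automate the PostgreSQL port swap described above.
# Given the two cluster config files, it reads each active "port =" line, moves the newer
# cluster onto 5432 and the older one onto the port the newer cluster had, and refuses
# to edit anything it cannot parse. The /etc/postgresql/<ver>/main layout and the version
# numbers (14, 15) are the page's; the demo below runs on constructed copies in a temp dir.
set -euo pipefail

# Print the active port from a postgresql.conf (commented-out "#port = ..." lines are ignored).
pg_conf_port() {
  awk '/^[[:space:]]*port[[:space:]]*=[[:space:]]*[0-9]/ {
         sub(/^[[:space:]]*port[[:space:]]*=[[:space:]]*/, ""); sub(/[^0-9].*$/, ""); print; exit
       }' "$1"
}

# Rewrite the active "port =" value, keeping the trailing "# (change requires restart)" comment.
# Written through a temp file and cat'ed back so the conf keeps its inode, owner and mode.
pg_conf_set_port() {
  local conf=$1 port=$2 tmp
  tmp=$(mktemp)
  sed -E "s/^([[:space:]]*port[[:space:]]*=[[:space:]]*)[0-9]+/\1${port}/" "$conf" > "$tmp"
  cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Usage: pg_swap_ports <older postgresql.conf> <newer postgresql.conf>
# Exit status: 0 ports changed, 1 a file has no active port line, 2 newer cluster already on 5432.
pg_swap_ports() {
  local old_conf=$1 new_conf=$2 old_port new_port
  old_port=$(pg_conf_port "$old_conf")
  new_port=$(pg_conf_port "$new_conf")
  if [[ -z $old_port || -z $new_port ]]; then
    echo "pg_swap_ports: no active 'port =' line in $old_conf or $new_conf" >&2
    return 1
  fi
  if [[ $new_port == 5432 ]]; then
    echo "newer cluster already on 5432 (older on $old_port); nothing to do" >&2
    return 2
  fi
  pg_conf_set_port "$new_conf" 5432
  if [[ $old_port == 5432 ]]; then
    pg_conf_set_port "$old_conf" "$new_port"      # the swap: the old cluster takes the port the new one had
    echo "older cluster: 5432 -> $new_port, newer cluster: $new_port -> 5432"
  else
    # 5432 was held by neither file, so a third cluster (or nothing) owns it; pg_lsclusters shows which.
    echo "newer cluster: $new_port -> 5432; older left on $old_port, check pg_lsclusters for whatever is on 5432" >&2
  fi
}

# Demo on constructed copies of /etc/postgresql/14/main and /etc/postgresql/15/main.
demo=$(mktemp -d)
mkdir -p "$demo/14/main" "$demo/15/main"
printf '#port = 5432\nport = 5432\t\t\t\t# (change requires restart)\nmax_connections = 100\n' > "$demo/14/main/postgresql.conf"
printf '#port = 5432\nport = 5433\t\t\t\t# (change requires restart)\nmax_connections = 100\n' > "$demo/15/main/postgresql.conf"
pg_swap_ports "$demo/14/main/postgresql.conf" "$demo/15/main/postgresql.conf"
echo "14 now on $(pg_conf_port "$demo/14/main/postgresql.conf"), 15 now on $(pg_conf_port "$demo/15/main/postgresql.conf")"
rm -rf "$demo"
# On the real box, follow with:  systemctl restart postgresql && pg_lsclusters && gvm-check-setup
```

On a real system run it as root against ''/etc/postgresql/14/main/postgresql.conf'' and ''/etc/postgresql/15/main/postgresql.conf'', then restart PostgreSQL and re-run ''gvm-check-setup'' as described above. The awk match deliberately requires the line to start with ''port'' so the commented-out ''#port = 5432'' default that ships in every postgresql.conf is never mistaken for the active setting.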