Scanning

Review

The six steps/stages of a PenTest…

  1. Pre-Engagement: Planning & Scope
  2. Recon: Information Gathering
  3. Scanning
  4. Exploitation
  5. Post-Exploitation
  6. Post-Engagement: Report

Overview

Outline of the Scanning Stage:

  1. Initial Interrogation: ping the IPs to see if they are online (ping sweep).
  2. Port Scan: Nmap (and maybe Naabu, etc.)
  3. Further Interrogation: NSE
  4. Vulnerability Scanning: Nessus, OpenVAS, et al.
  5. GOAL: Enumeration (prioritized list of vulnerabilities)

Scanning Philosophy: “Fast and wide first; slow and narrow later.”


Enumeration

Enumeration is essential for a successful attack: time spent on exploits that do not work, or that crash the target, is wasted effort.


Initial Interrogation

Find Target IPs: We need to scan the network we are on to see what IP our target host has been assigned:

  1. Option #1: netdiscover
  2. Option #2: arp-scan
  3. Option #3: nmap ping sweep

netdiscover

Syntax: netdiscover -r 192.168.0.0/24   # -r: range, e.g. 192.168.0.0/24, /16 or /8

Results:

 19 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 1140
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     f4:f5:e8:70:51:7b     10     600  Google, Inc.
 192.168.0.100   f4:6d:04:21:09:62      1      60  ASUSTek COMPUTER INC.
 192.168.0.120   00:1b:a9:46:c1:b3      1      60  Brother industries, LTD.
 192.168.0.141   50:46:5d:67:32:88      1      60  ASUSTek COMPUTER INC.
 192.168.0.210   70:85:c2:83:26:33      1      60  ASRock Incorporation
 192.168.0.229   00:0c:29:fb:94:f9      1      60  VMware, Inc.
 192.168.0.247   c0:c1:c0:b8:de:63      1      60  Cisco-Linksys, LLC
 192.168.0.222   f0:ef:86:0b:0e:58      2     120  Google, Inc.
 192.168.0.214   d8:e0:e1:9d:7b:f7      1      60  Samsung Electronics Co.,Ltd

arp-scan

Syntax: arp-scan -l   # -l, --localnet: generate the address range from the local network config

Results:

Interface: eth0, type: EN10MB, MAC: 08:00:27:5c:65:26, IPv4: 192.168.0.203
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     f4:f5:e8:70:51:7b       Google, Inc.
192.168.0.100   f4:6d:04:21:09:62       ASUSTek COMPUTER INC.
192.168.0.120   00:1b:a9:46:c1:b3       Brother industries, LTD.
192.168.0.141   50:46:5d:67:32:88       ASUSTek COMPUTER INC.
192.168.0.210   70:85:c2:83:26:33       ASRock Incorporation
192.168.0.229   00:0c:29:fb:94:f9       VMware, Inc.
192.168.0.247   c0:c1:c0:b8:de:63       Cisco-Linksys, LLC
192.168.0.222   f0:ef:86:0b:0e:58       Google, Inc.
192.168.0.214   d8:e0:e1:9d:7b:f7       Samsung Electronics Co.,Ltd (DUP: 1)

Bash: Ping Sweep

One-liner: ping's own output is sent to /dev/null, and the echo runs only for hosts that answered, so only live hosts appear on stdout.

for ip in 192.168.56.{101..110}; do ping -c 1 $ip > /dev/null && echo "${ip} is up"; done

Simple sweep of a network for a quick look at what machines are out there (and respond):

for i in {1..254}
do
    ping -w 5 -c 1 192.168.0.$i | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done

wait # with no arguments, wait for all background processes to finish

Note the "&" at the end. It backgrounds each ping so they run in parallel instead of one after another, which speeds things up a lot.


Port Scan Target IPs

Ports

Network ports are numbers assigned to specific services running on a computer.

Ports             Quantity   Description
0 - 65,535        65,536     Total ports
0 - 1,023         1,024      Well-Known (System) Ports
1,024 - 49,151    48,127     Registered Ports
49,152 - 65,535   16,384     Dynamic Ports
Port          Protocol    Service
20            TCP & UDP   FTP Data
21            TCP & UDP   FTP Control
22            TCP & UDP   SSH
23            TCP & UDP   Telnet
25            TCP & UDP   SMTP
53            UDP         DNS
67            TCP & UDP   DHCP Server
68            TCP & UDP   DHCP Client
69            TCP & UDP   TFTP
80            TCP & UDP   HTTP
88            TCP & UDP   Kerberos
110           TCP & UDP   POP3
111           TCP & UDP   NFS (possibly)
123           TCP & UDP   NTP
135           TCP & UDP   MS-RPC EPMAP 1)
136-139       TCP & UDP   NetBios
137           UDP         NetBios Name Service
138           UDP         NetBios Datagram Service
139           TCP         NetBios Session Service, SMB 2)
143           TCP         IMAP
161           UDP         SNMP
162           TCP & UDP   SNMP Traps
389           TCP & UDP   LDAP 3)
443           TCP & UDP   HTTPS
445           TCP         Microsoft AD & SMB 4)
500           TCP & UDP   ISAKMP & IKE
515           TCP         LPD
1433          TCP         Microsoft SQL Server
1434          TCP & UDP   Microsoft SQL Monitor
1521          TCP         Oracle Database Listener
1812 & 1813   TCP & UDP   RADIUS
2049          TCP & UDP   NFS (possibly)
3389          TCP         RDP (Windows)
5355          TCP & UDP   LLMNR 5)

Nmap

See here.


Masscan

Fast port scanner by Robert David Graham

Syntax:

masscan -p1-65535 192.168.0.229

Speed it up with the rate option:

masscan -p1-65535 --rate 1000 192.168.0.229
# Similar to: nmap -T4 -p- 192.168.0.229

Extended Syntax (for HTB):

masscan 10.10.10.4 -p1-65535,U:1-65535 --rate=1000 -e tun0
# -p1-65535,U:1-65535 # scan all TCP/UDP ports
# --rate=1000         # scan rate = 1000 packets per second
# -e tun0             # listen on the VPN network interface for responses

Further Interrogation

http://www.0daysecurity.com/penetration-testing/enumeration.html

DirBuster

File Extensions for Windows (IIS)

File Extensions for Linux (Apache)


DAVTest

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

davtest -url <url> [options]
# To see the options just type davtest

Enum4Linux

Enum4linux is a tool for enumerating SMB shares, users and groups from Windows and Samba (Linux) hosts.

Syntax:

enum4linux [options] ip

Options:

Flag   Description
-U     get userlist
-M     get machine list
-N     get namelist dump (different from -U and -M)
-S     get sharelist
-P     get password policy information
-G     get group and member list
-a     all of the above (full basic enumeration)

Kerberos

Kerberos scanning (initial enumeration): use tools like Kerbrute and Rubeus.


SearchSploit

This is a local search tool on your machine. All the exploits on exploit-db.com are on your machine and searchable.

linux/local/46676.php
linux/remote/34.pl

Vulnerability Scanning

Nessus

Nessus is a paid-for product. They have a freebie version, but it comes with a butt-ton of restrictions that make it less than optimal for professional pentesting. Use OpenVAS…

OpenVAS

Once installed, run with: gvm-start

Note: gvm stands for Greenbone Vulnerability Management. It's just another name for OpenVAS.

To install OpenVAS on a Kali box:

apt update
apt install openvas openvas-scanner gvm gvmd -y

Once you get the above installed, run this and fix what it tells you to fix how it tells you to fix it:

systemctl start redis-server@openvas.service
gvm-check-setup

If you fix something, run the gvm-check-setup again. Lather. Rinse. Repeat… until everything is shiny and clean.

Pay Attention to the Admin Password:

[*] Please note the password for the admin user
[*] User created with password '1e709873-edbb-4b4a-87d3-a038d09e7160'.

PostgreSQL Error: If you get the following error (the exact version numbers don't matter: you have two versions installed, the script wants the later one, but your system is configured to use the earlier one):

ERROR: The default postgresql version is not the one used for gvmd compilation: (14, need 15).
FIX: Please use pg_upgradecluster to upgrade your postgresql installation

This happens because when PostgreSQL was installed (the first version number), it was assigned PostgreSQL's default port number (5432). When the next version was installed, it got a different port number because 5432 was already taken (it's probably 5433). You can check it with this (replace “14” and “15” with your numbers):

cat /etc/postgresql/14/main/postgresql.conf | grep -n "port ="
# Result:
# 64:port = 5432                   # (change requires restart)

cat /etc/postgresql/15/main/postgresql.conf | grep -n "port ="
# Result:
# 64:port = 5433                   # (change requires restart)

The latter version of PostgreSQL needs the default port. So, change the value of port = in the later version's postgresql.conf to 5432 and change the port = in the earlier version's postgresql.conf to be whatever you want (I just swapped mine).

Then restart PostgreSQL: systemctl restart postgresql

Continue with gvm-check-setup.
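The port check and swap above, scripted as an added example (not from the original page): it reads the active port from each cluster's postgresql.conf, refuses to touch anything if the newer cluster already has 5432, and otherwise exchanges the two values while keeping the trailing comment and file permissions. Real files live at /etc/postgresql/<version>/main/postgresql.conf; demo_swap writes constructed copies to a temp directory instead.

```shell
#!/bin/sh
# Added example, not from the original page: check which port each PostgreSQL cluster's
# postgresql.conf uses and swap them so the newer cluster (the one gvmd was built against)
# gets the default 5432. demo_swap uses constructed config files in a temp dir.

# pg_conf_port FILE : print the value of the active (uncommented) "port =" line
pg_conf_port() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# pg_set_port FILE PORT : rewrite that line, keeping its trailing "# (change requires restart)"
# comment and the file's permissions (rewrites contents instead of replacing the file)
pg_set_port() {
    tmp=$(mktemp)
    sed "s/^\([[:space:]]*port[[:space:]]*=[[:space:]]*\)[0-9][0-9]*/\1$2/" "$1" > "$tmp" &&
        cat "$tmp" > "$1"
    rm -f "$tmp"
}

# pg_swap_ports OLDCONF NEWCONF : exchange the two ports; fails (status 1) if either file
# has no active port line or if the newer cluster already listens on 5432
pg_swap_ports() {
    old_port=$(pg_conf_port "$1"); new_port=$(pg_conf_port "$2")
    [ -n "$old_port" ] && [ -n "$new_port" ] || return 1
    [ "$new_port" != "5432" ] || return 1
    pg_set_port "$1" "$new_port" && pg_set_port "$2" "$old_port"
}

# demo_swap: constructed 14 (on 5432) and 15 (on 5433) configs; prints the ports after the swap
demo_swap() {
    dir=$(mktemp -d)
    printf '#port = 9999\nport = 5432\t\t\t\t# (change requires restart)\n' > "$dir/14.conf"
    printf '#port = 9999\nport = 5433\t\t\t\t# (change requires restart)\n' > "$dir/15.conf"
    pg_swap_ports "$dir/14.conf" "$dir/15.conf" || { rm -r "$dir"; return 1; }
    echo "14=$(pg_conf_port "$dir/14.conf") 15=$(pg_conf_port "$dir/15.conf")"
    rm -r "$dir"
}

demo_swap   # prints: 14=5433 15=5432
```

After swapping the real files, restart PostgreSQL (systemctl restart postgresql) before re-running gvm-check-setup.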

Service Failure Error: If you get an error like this…

Job for ospd-openvas.service failed because the control process exited with error code.

This happens because of a permission issue on the OpenVAS log file. Fix:

chmod 666 /var/log/gvm/openvas.log

# Then run your check again: 
gvm-check-setup

# If that goes well, you may need to stop gvm:
gvm-stop

Once it's all finished and happy and error free, you run OpenVAS with:

gvm-start

Then, if a web page doesn't open auto-magically, plug this into the browser: https://localhost:9392

1)
Microsoft's Remote Procedure Call (RPC) Endpoint Mapper (EPMAP): an RPC is a communication process that allows a subroutine or procedure to be executed in another address space.
2)
SMB originally ran on top of NetBios using port 139. NetBios is an older transport layer that allows Windows computers to talk to each other on the same network. SMB currently runs (mostly) on port 445 (TCP, over the Internet).
3)
Lightweight Directory Access Protocol: Open, vendor-neutral standard application protocol for accessing and maintaining distributed directory information services over an IP network.
4)
SMB used to run on port 139 (NetBios). Later versions of SMB (after Win2K) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the Internet.
5)
Link-Local Multicast Name Resolution: Protocol based on the DNS packet format. Allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link (LAN). Multicast IPv4 address: 224.0.0.252