CompTIA CYSA+ CS0-002 – Enumeration Tools Part 3

6. Using Nmap (OBJ 1.4)

In this lesson, I want to show you handson how we use Nmap by combining some of those commands we learned about in the Nmap usage lecture into a real scan and real information gathering techniques. Now this is really important come test day because I guarantee you’re going to get some Nmap questions. I want you to play with Nmap before the exam. I want you to be comfortable with it because these are going to be easy points for you if you’ve gotten used to doing these scans. Now for this demonstration, I’ve put together this lab on the left side. This is where I’m going to be attacking from, which is going to be simulating the Internet. I’m coming in from outside the network and the router has certain things in place to try to keep me out.

I’m going to attack from my Kali Linux command line environment, which you can see highlighted with the red dash lines going to come in through the router, which is separating the Internet, the outside versus the target network, which is the inside. And so with our scans, we’re going to try to discover those three servers on the right, the Lamp server, the metasploitable two, and the damn vulnerable web app or Dvwa. Now those all reside inside the 1010 00:24 network. So now that we are in the command line environment, what are we going to do? Well, we first are going to want to find out which things on the ten 10100 network are up and which ones are down. So we want to use that ping scan.

Now, do you remember what the command is for a ping scan? That’s right, it’s Nmap SN and then the IP address. So for us that’s ten 1010 00:24. It’s going to go through and scan all 254 possible IPS and find which ones are up and which ones are down. Now, it came back with four hosts. What are those four hosts? Well, the dot one is the router itself. It’s the internal interface of the router. There is the dot ten, which is one of our servers, the dot eleven, and the twelve, which is the other two servers. So the dot ten is going to represent the Lamp server. The dot eleven is our metasploitable two server and the twelve is going to be our Dvwa or damn vulnerable web app. Now all we have at this point is knowing that those three servers are up and responding to pings.

We have no other information, so we’re going to want to take it a step further. Let’s go ahead and do a syn scan, which if you remember the command is Nmap SS and then the IP address that we want to look at. But I’m going to combine that with port 80. So I want to figure out what web servers are being run out of this network. And then we’re going to use the ten 1010 00:24. Now, as I scan away, it’s going to check all of the 254 IPS again. And in this case, we found there are four web servers responding there’s port 80 responding up as closed on the router. It is open on the Lamp server, the dot ten. It is open on the dot eleven, which is metasploitable too, and it is open on twelve, which is the damn vulnerable web app.

So all three of my servers are running at least port 80. Now let’s dig in deeper on one of those servers as we go further in our information gathering. Let’s go ahead and do a syn scan against the Lamp server, which is the ten. So we’re going to do Nmap, SS and then ten 1010 and we’ll go ahead and search that. And you can see now that there are more than just the web server running, right? There are three services running on this server. There’s an SSH server on port 22, there’s the web server on port 80, and the web proxy on port 80 80. Now that we’ve found those, what about the versions? What if I wanted to figure out what version of web server it was running on port 80? How would we do that? Well, we’re going to use Nmap, SV and then the ten 1010.

And now if we run it, you’re going to see a little bit of a difference here. So you’re going to see it takes a little bit longer to run this, but instead of half a second, it’s taking almost 7 seconds. The difference here is that I get the versioning associated with each of those services. So the same three services are up, but I found out that it’s running some form of Linux and it’s running Apache 2. 4. 18, which tells me that I could start associating vulnerabilities associated with that and attack this machine. Now it tells me it’s Ubuntu Linux, but it doesn’t tell me what version. What if I wanted to go deeper and figure out the version of this operating system? How would I do that? Well, it’s not SV because that’s the version for the service.

Instead it’s zero because it’s for the operating system. So it’s Nmap, O and then ten 1010. And then we’ll go ahead and hit enter and away it goes. And it comes back in less than 2 seconds and tells me that it is Linux somewhere between version 3. 2 and 4. 6. So let’s go ahead and take it a step further. Let’s combine some commands. Let’s go ahead and do an Nmap scan for SS. We’re also going to do SV for the versioning and we’re going to go ahead and add the O to get the operating system. I’m going to do that against ten 1010 through 1010, 1012, those three machines, and see what comes back. Now you may have noticed that it keeps saying it’s unable to determine any DNS servers. That’s an error because I don’t have this lab environment connected to the Internet. So there’s no DNS being resolved. It’s not an issue because we’re using IP addresses.

But if I tried to do something like scanning Google. com right now, it wouldn’t be able to give me that answer back because it doesn’t know what the IP address is for Google. Now, this scan is going to take a little bit longer, so I’m going to fast forward to when the scan comes back with the results. Now the results have come back. It took 140 seconds, so it took almost three minutes. So this has come back with a ton of information, so much so that actually scrolled off my screen. So we’re going to scroll back up to where I put in the command. So there we go. There’s the command we put in. Nmap ssinscan SV versioning for the services capital O for operating system versioning and then 1010 1010 through 1010 1012.

Now the first one it comes back with is the results for ten 1010, which shows that there are 997 closed ports because by default, Nmap is going to scan the top 1000 commonly open ports. You’ll notice here there was those same three ports that we found earlier. Port 22, port 80 and port 80 80. And you’ll notice it tells us what version of SSH and what version of Apache is being run. And again, the versioning of Linux was somewhere between 3. 2 and 4. 6. Not very accurate. Now, if we look at the bottom of the screen, I’m going to scroll it up to the top here. This is the scan report for ten dot ten, dot, ten dot eleven. Notice this one has a ton of open stuff. It only has 979 closed ports, which means that there are 21 open ports. And you’ll see them all shown on the screen.

There things like FTP and SSH and Telnet and Http and RPC bind and port 139 and 445 for NetBIOS SSN, which is samba for Windows file sharing between a Linux machine and a Windows machine. All of these different things with all of these different versions. Now this is a great machine that we can target because we have a lot of vulnerable apps on it. Things like Apache 2. 2. 8. There’s exploits that exist for that. There’s Vs ftpd 2. 3. 4 for the FTP service. That’s a vulnerable version we can attack. There’s pro Ftpd 1. 3. 1, there’s MySQL version 5. 0. 51, right? Lots of different pieces of information that we can use to then later exploit it. Now, it does say that one service was unrecognized even though it gave back data and they weren’t really sure what it was because there wasn’t a valid fingerprint.

And you can submit it to endmap for them to try to figure it out better. If you know what the service is, you could tell it and then they can add that into the next version of Nmap. Now, as we scroll down a little bit further, we’ll go through that signature that they gave us and you can see that the version of Linux here was again version 3. 2 to version 4. 6. So that again wasn’t real helpful. And the reason why we’re getting that wide range of operating systems is because this is all actually being run in a docker environment. So they’re all sharing the same operating system. This is a container based virtualization. Now as I scroll on down we’re going to see the results for 1010 1012 and this one only has one port that’s open and it’s running Apache version 2. 4, point ten.

So again we can go and look for something that would be able to be exploited and go after that server using that. So that’s the idea here as we start scanning and figuring out all this information. Now all that was a lot of information to put on the screen. Wouldn’t it have been helpful if I output that into a grippable file? Well certainly it would for any of these commands we could have output this to a file and that way we’d have it for our reference later on because when you go back a couple of days from now you’re not going to remember what ports were open on any of these machines, right? That’s why having these files will be helpful. So instead I’m going to use nmap, SS, P, port 80 and I want to get the versioning of that and I’m going to look at that on ten 1010 through 1010 1012 and I want to output that to a grepable format and I’ll just call that Output and map TXT.

We’ll go ahead and hit Enter, it will run that scan and in addition to putting it to the screen that I can see it, it will also save it into that grepable file. Now how do I find that grippable file? Let me go ahead and clear my screen here and if we do LS in Linux that will list our directory. And you’ll see here output and Map is listed right there and so I can just use a pico which is an editor, and just type in output, nmap, TXT and hit Enter. And there it is to the screen. Notice it looks different here because it’s Greppable. They removed a lot of those new lines, they removed a lot of the special formatting and they made it really easy for us to find the information we want.

For example, we have the hosts on the left very clean, status was up or status was down and then we have the ports that were open, right? Port 80, it’s open, it’s TCP and it was an Http service running this version of Apache. So you can see why this grepable format is very, very useful. Now from here I want you to download MMAP, I want you to play with it, scan things inside your network, scan things like scanme Mmap. org, try these things out, get used to it because it’s going to be essential to your success on the cysaplus exam. To be able to understand how to create these commands and how to read the output from the commands is going to be crucial for your job as a cybersecurity analyst.

7. Hping (OBJ 1.4)

Hping. In the last several videos we have spent time talking a lot about Nmap because it’s a really important tool. In the rest of the section we’re going to cover a lot of other little reconnaissance tools that we can use as part of our enumeration. Now, most of these videos are going to be fairly short, but I just want to give you the idea of what these different tools are so if you identify them on your network, you understand that a lot of times these are being used as attack tools against you to do footprinting and fingerprinting of your network. The first one I want to talk about here is hping. Now, hping is used to do packet crafting and manipulation and this is often used by attackers. Now, hping is an open source spoofing tool that provides a Pen tester with the ability to craft their own network packets to exploit vulnerable firewalls and intrusion detection and intrusion prevention systems.

The idea with hping is to do a lot of different functions for you. You can do things like host import, detection and firewall testing. You can do time stamping, you can use trace route, you can do fragmentation, or you can even do denial of services and use it as an attack tool. We’re going to talk about each of those in this section. First, host import, detection and firewall testing. This is one of the functions of hping. Just like we could craft things with Nmap in the way we use Sin or act packets to do our detection, we can do the same thing with hping. So if I want to use hping here, I can type it in something like this. hping three s p 80 C 1192 168. One. One. Now, what is this command telling hping to do? It’s saying send a Sin packet.

That’s the S over port 80, which is the port I want to target with a count of one. Meaning send only one Sin packet to this IP address. So this is going to be very stealthy because I’m only sending one packet out and trying to get a response to see if you’re awake. This will allow me to enumerate your network very quietly and very stealthily against a single IP address just shown here. Now, the next thing we can do is we can do something like A. Now with hping three A and the rest of it is all the same. I’m going to use an Acknowledgment packet instead of a Sin packet, so I can send whatever kind of packet I want. I can choose using hping because I’m manipulating and crafting this packet that I’m going to send across the network. Both of these are ways to help you avoid detection by a firewall or IDs or IPS.

Next, we can also do time stamping using hping. This allows to determine the system’s uptime. How long has that host been online? Now, if you look at a workstation, they generally rebooted every night. But servers, they may be up for a long, long time. The other thing that uptime tells you is if you have a server that’s been up for, say, a year, that means they probably haven’t installed all the patches or upgrades because usually you have to reboot a server when you put in those larger patches and upgrades. So Timestamping is useful for that. To send this type of a packet, you would use HPG three, C two or C One, in this case C two, S P 80, TCP timestamp, and then the IP address. So in this case, I’m sending two Sin packets over port 80 to determine the uptime of that system.

Now, the reason I’m sending two packets here is it’s usually going to be a little bit more effective to send two when you’re doing a timestamp than just doing one. Next. We’re going to use trace route. Now, Trace Route is going to use arbitrary packet formats such as probing DNS ports, using TCP or UDP to be able to perform traces when you can’t use ICMP in a given network because it’s blocked. As I said back when we talked about MMAP, trace route and ping can often be blocked by firewalls because they’re not going to allow echo reply packets, which use ICMP to go out of the network. So you can start using different packet formats like Sin packets and Acknowledge packets to be able to do that trace route for you.

Next one we want to talk about is fragmentation. Now, fragmentation attempts to evade detection by the IDs and IPS’s and firewalls by sending fragmented packets across the network for later reassembly. Because we’re using TCP, I can send the packets in any order I want and fragmented and the system, once it receives them all, will put them back together. In older days, you could actually send fragments through so that detection wouldn’t be caught. In most modern operating systems, they are going to get caught even if you’re using fragmentation. Now, the next one we’re going to talk about, and the last one we’re going to talk about is Denial of Service, or Dos. This can be used to perform flood based denial of service attacks from randomized source IPS.

Additionally, you can actually craft that packet any way you want. So if you think back to your security, plus you talked about things like the ping of death. Well, if you’re doing the ping of death, you took a packet and you made a really, really large size packet that was over the size of ping packet that’s allowed, which is 65,535 bytes. And so if you had one that was larger than that, it could actually corrupt the system and make it crash. These days, most systems are not vulnerable to the ping of death, so you’re not going to be able to do Denial of Service that way. But using hping was a valid way to do it because you could craft the packet, make it whatever size you want it.

Now, again, I want to bring up the point that fragmentation and denial of service, while they are used in hping, they’re not going to be something that’s going to be very effective in today’s environment, because most modern operating systems and network appliances know these attacks occur, and so they don’t allow fragmentation to occur. To be able to sneak things through, they’ll reassemble the packets first and then scan them against the IDs or the denial of service. Those things will be blocked because they know they’re coming. Now, if you’re going against some kind of a legacy system or some kind of a SCADA or ICS or embedded system, some of those attacks may still work using fragmentation or denial of service. So it is still something that’s valid to try as a penetration tester. But again, for the most case, most of our modern OSS are going to be invulnerable to this type of an attack.

• Category: Uncategorized