Reconnaissance & Scanning
APNIC42
Colombo, Sri Lanka, 28 September – 5 October 2016
Contributor: Shahadat Hossain (GrameenPhone)
Did you ever get hacked?
https://haveibeenpwned.com/
Session Flow
• Advanced Search Techniques
  • Google
  • Bing
  • Shodan Search
• Data Collection
  • Pastebin
  • Zone-H
• Advanced Techniques for Network Scanning
  • Nmap
• Challenges
Live IP Discovery Technique: Google Search
• What is Google
• Why Google
• Basic Features of Google
  • Automatic "AND" Queries
  • Automatic Exclusion of Common Words
  • Capitalization
  • Spell Checker
• Google Search Operators
  • Basic Operators
  • Advanced Operators
What is Google?
Why Google?
• Reasons why Google Search
  • Directory
  • Their Map Search
  • The Trust
  • Easy to Use
Basic Features of Google Search
• Automatic "AND" Queries
  • By default, Google only returns pages that include all of your search terms. There is no need to include "AND" between terms.
• Automatic Exclusion of Common Words
  • Google ignores common words and characters such as and, or, in, of, be etc., as well as certain single digits and single letters, because they tend to slow down your search without improving the results. Google will indicate if a common word has been excluded by displaying details on the results page below the search box.
Basic Features of Google Search
• Capitalization
  • Google searches are NOT case sensitive. For example, searches for "APNIC", "Apnic" and "apnic" will all retrieve the same results.
• Spell Checker
  • Google's spell checking software automatically looks at your query to see if you are using the most common version of a word's spelling. If it is likely that an alternative spelling would retrieve more relevant results, it will ask "Did you mean: (more common spelling)?"
Different Search Operators
• + Searches
• - Searches
• ~ Searches
• Phrase Searches
• Domain Restrict Searches
• Definition Searches
• File Type Searches
• OR Searches
• Fill in the Blank
• Currency Conversion
• Calculator Function
• Unit Conversion
• Time Check
Advanced Operators
• Google advanced operators help refine searches.
• They are included as part of a standard Google query.
• Advanced operators use a syntax such as the following:
operator:search_term
• There's no space between the operator, the colon, and the search term!
Advanced Operators at a Glance
Operator     Purpose
intitle      Search page title
allintitle   Search page title
inurl        Search URL
allinurl     Search URL
filetype     Search specific files
allintext    Search text of page only
site         Search specific site
link         Search for links to pages
inanchor     Search link anchor text
numrange     Locate number
daterange    Search in date range
author       Group author search
group        Group name search
insubject    Group subject search
msgid        Group msgid search
Advanced Google Searching
SITE:
INURL:
FILETYPE:
Some operators search overlapping areas. Consider site, inurl and filetype.
Inurl can search the whole URL, including port and filetype. Filetype can only search the file extension, which may be hard to distinguish in long URLs. Site cannot search port.
Advanced Google Searching
Exercise: Advanced Google Searching
1. How many web servers of your organization are live on the internet?
2. Is any user login page available on the IPs found in exercise 1?
3. Is any admin login page available?
4. Any .doc file which contains the word "Confidential"?
Bing: What Extra?
• Virtual Hosting
  • Name Based
  • IP Based
• Bing can identify name based virtual hosting
  • Operator: IP
Exercise: Bing
• Does any virtual hosting exist on your organization's web server?
• Why is this information worth something to a pentester?
SHODAN Search Technique
• What is Shodan
  • Shodan is a search engine developed by John Matherly
  • Different from content search engines like Google, Bing
  • Can identify IP based devices connected to the internet
  • It uses service banners
  • It can identify
    • Operating System
    • Services
    • Open Ports
    • Version
  • It can filter search by
    • Country
    • City
  • Firefox add-on is available
https://www.shodan.io/
Shodan Basic Search Operators
Operator      Purpose
country       Filters results by two letter country code
hostname      Filters results by specified text in the hostname or domain
net           Filters results by a specific IP range or subnet
os            Search for specific operating systems
port          Narrow the search for specific services
ServiceName   Filter the result by service name
DeviceName    Filter the results based on the device name
Exercise: Shodan
1. Find out how many IPs are live in your country
2. Find out how many Apache servers are running in your country
3. Find out how many Apache servers are running version 2.2.3 in your city
4. Find out whether any Apache servers are running in the .nist.gov and microsoft.com domains
5. Find out how many IIS-5.0 servers are running in USA & AU
6. Take the Google IP block and find how many IPs are live in Google
7. How many Linux servers are running in Yahoo
8. How many hosts are live on the internet which have telnet open
Pastebin (http://pastebin.com/)
• A pastebin is a type of web application where users can store plain text.
• They are most commonly used to share short source code snippets for code review.
• But people also share confidential data.
• You can also add alerts for specific keywords
Exercise: Pastebin
• Search for the text/documents related to your organization/domain.
• Do a search on ".com.au password". What information are you getting?
Zone-H (http://zone-h.net/)
• Zone-H is an archive of defaced websites.
• It is the largest web intrusions archive.
• Once a defaced website is submitted to Zone-H, it is mirrored on the Zone-H servers; it is then moderated by the Zone-H staff to check if the defacement was fake.
Exercise: Zone-H
• Go to http://www.zone-h.org/
• Check with your organization domain name
• How about www.microsoft.com
• http://www.zone-h.org/mirror/id/1246363
Nmap (https://nmap.org/)
• Nmap is a free and open source network exploration and security auditing tool
• Nmap was created by Gordon Lyon, a.k.a. Fyodor Vaskovich, and first published in 1997.
• Works cross-platform, although it works best on Linux-type environments
• It uses raw IP packets to determine
  • What hosts are available on the network
  • What services (application name and version) they offer
  • Guesses the operating system, uptime and other characteristics
Nmap in the movies
https://nmap.org/movies/
Ethical Issue
• Can be used for hacking - to discover vulnerable ports
• System admins use it to check that systems meet security standards
• Unauthorized use of Nmap on a system could be illegal.
• Make sure you have permission before using this tool.
Remember: There is no right way to do the wrong things
Nmap: How it works
• DNS lookup - matches name with IP
• Nmap pings the remote target with 0 (zero) byte packets to each port
• If packets are not received back, port is open
• If packets are received, port is closed
• Firewall can interfere with this process
Nmap: Scanning Techniques
• Host Discovery and Target Specification
• Port Scanning Technique, Specification and Order
• OS, Service and Version Detection
• Nmap Scripting Engine
• Timing and Performance
• Firewall, IDS Evasion and Spoofing Technique
• Scan Report
Good presentation by Fyodor on "Nmap: Scanning the Internet": https://www.youtube.com/watch?v=Hk-21p2m8YY
Nmap: Scan
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
Nmap: Scan
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
Nmap: Scan
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
Nmap: Timing and Performance
• --min-parallelism <numprobes>; --max-parallelism <numprobes>
  • Adjust probe parallelization
• --max-retries <numtries>
  • Specify the maximum number of port scan probe retransmissions
• --scan-delay <time>; --max-scan-delay <time>
  • Adjust delay between probes
• -T paranoid|sneaky|polite|normal|aggressive|insane
  • Set a timing template
Let's look at some examples
Install nmap and we can go along with the examples
Host Discovery
fakrul@console# nmap -sP 202.125.96.0/24
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:48 AEST
Nmap scan report for 202.125.96.1
Host is up (0.00071s latency).
Nmap scan report for 202.125.96.10
Host is up (0.00012s latency).
Nmap scan report for 202.125.96.15
Host is up (0.00048s latency).
Nmap scan report for 202.125.96.40
...............
Nmap scan report for 202.125.96.254
Host is up (0.00062s latency).
Nmap done: 256 IP addresses (15 hosts up) scanned in 8.61 seconds
Host Discovery with traceroute
root@console:/home/fakrul# nmap -sP www.apnic.net --traceroute
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:52 AEST
Nmap scan report for www.apnic.net (203.119.102.244)
Host is up (0.018s latency).

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   0.15 ms   202.125.96.1
2   0.21 ms   202.125.96.225
3   0.30 ms   ip-169.232.255.49.VOCUS.net.au (49.255.232.169)
4   14.48 ms  as4608.qld.ix.asn.au (218.100.76.36)
5   17.72 ms  squiz-proxy.apnic.net (203.119.102.244)
Nmap done: 1 IP address (1 host up) scanned in 13.90 seconds
Target Specification
root@console:/home/fakrul# nmap -T4 -p 1-1024 202.125.96.15
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 202.125.96.15
Host is up (0.00014s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:1D:09:66:1B:A8 (Dell)
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
Target IPs can be listed in a text file separated by spaces and can be specified using "-iL":
root@console:/home/fakrul# nmap -T4 -p 1-1024 -iL iplist.txt
Target Specification with OS Fingerprint
root@console:/home/fakrul# nmap -O -T4 -p 1-1024 202.125.96.15
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 202.125.96.15
Host is up (0.00014s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:1D:09:66:1B:A8 (Dell)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds
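The host-discovery, port-scan and OS-fingerprint slides above all show Nmap's "normal" text output. A defender who runs such scans against their own ranges usually wants that text turned into an inventory and diffed against what is supposed to be listening. The parser below is an added example, not code from the slides or from Nmap; the sample output is constructed in the same format as the slides (one extra telnet port added so the allow-list check has something to flag).

```python
"""Parse Nmap 'normal' output into a host inventory and compare it with an
allow-list of expected (port, proto) pairs. Sample output is constructed."""
import re

SAMPLE = """Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 202.125.96.15
Host is up (0.00014s latency).
Not shown: 1021 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:1D:09:66:1B:A8 (Dell)
Device type: general purpose
Running: Linux 3.X|4.X
OS details: Linux 3.2 - 4.0
Nmap scan report for 202.125.96.42
Host is up (0.00017s latency).
PORT   STATE SERVICE
53/udp open  domain
Nmap done: 2 IP addresses (2 hosts up) scanned in 10.84 seconds
"""

# "Nmap scan report for <name> (<ip>)" when a name resolved, else just the IP
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
OS_RE = re.compile(r"^OS details: (.+)$")


def parse_nmap(text):
    """Return {ip: {"up": bool, "ports": [(port, proto, state, service)], "os": str|None}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip = m.group(2) or m.group(1)
            cur = hosts.setdefault(ip, {"up": False, "ports": [], "os": None})
            continue
        if cur is None:
            continue                      # header lines before the first host
        if line.startswith("Host is up"):
            cur["up"] = True
        elif (m := PORT_RE.match(line)):
            cur["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif (m := OS_RE.match(line)):
            cur["os"] = m.group(1)
    return hosts


def unexpected_services(hosts, allowed):
    """Open ports on a host that are not in allowed[ip]; these are what to investigate."""
    findings = []
    for ip, info in hosts.items():
        ok = allowed.get(ip, set())
        for port, proto, state, service in info["ports"]:
            if state == "open" and (port, proto) not in ok:
                findings.append((ip, port, proto, service))
    return findings


if __name__ == "__main__":
    inv = parse_nmap(SAMPLE)
    expected = {"202.125.96.15": {(22, "tcp"), (80, "tcp")}, "202.125.96.42": {(53, "udp")}}
    for finding in unexpected_services(inv, expected):
        print("unexpected open service:", finding)
```

Feeding the parser the saved output of a scheduled scan of your own address space, and alerting on anything `unexpected_services` returns, is a cheap way to catch the same exposures the exercises above ask you to find.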
TCP Three-Way Handshake
SYN [seq=A]
SYN-ACK [seq=B, ack=A+1]
ACK [seq=A+1, ack=B+1]
• Ports are associated at OSI Layer 4
• 2 main protocols
  • TCP & UDP
• TCP is connection oriented unlike UDP
• To initiate a TCP connection it uses the TCP 3WHS
• TCP has 6 flags (actually 8)
Port State & TCP Behavior
• If no connection exists between two hosts then SYN is the only valid and expected packet; all other packets will be considered as invalid.
(Diagram: open port: SYN → SYN/ACK → RST; closed port: SYN → RST; filtered port: SYN → dropped)
• open
  • Will accept connections
• filtered
  • Firewall or other network obstacle is covering port
• unfiltered or closed
  • Determined to be closed with no obstacles or interference
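The three exchanges in the diagram above, together with the handshake slide before it, can be written out as a small model of both sides: the target answers a SYN according to its port state, and the scanner infers open/closed/filtered from the reply. This is an added example, not code from the slides or from Nmap; hosts, ports and sequence numbers are constructed. It also shows the one thing the diagram leaves implicit: a SYN scan (-sS) resets the half-open connection, while a connect scan (-sT) completes the handshake, which is why the former never reaches the application log and is only visible to a packet-level sensor.

```python
"""Model of SYN-scan and connect-scan exchanges against a target whose ports are
'open', 'closed' or 'filtered'. Constructed example; A=500 and B=1000 stand in
for the sequence numbers of the handshake slide."""


class Target:
    def __init__(self, ports):
        self.ports = ports      # {port: "open" | "closed" | "filtered"}
        self.isn = 1000         # the target's initial sequence number B
        self.log = []           # every packet that reached the host (sensor view)

    def receive(self, pkt):
        """Reply to one packet; None means the packet was dropped or needs no reply."""
        self.log.append(pkt)
        state = self.ports.get(pkt["dport"], "closed")
        if state == "filtered":
            return None                                  # firewall drops it silently
        if pkt["flags"] == "SYN" and state == "open":
            return {"flags": "SYN/ACK", "seq": self.isn, "ack": pkt["seq"] + 1}
        if pkt["flags"] == "SYN":                        # closed port answers with RST
            return {"flags": "RST", "seq": 0, "ack": pkt["seq"] + 1}
        return None                                      # scanner's ACK/RST: no reply


def scan_port(target, port, full_connect=False):
    """Return (state, packets the scanner sent). full_connect=True models -sT,
    False models -sS (half-open)."""
    seq_a = 500
    sent = [{"flags": "SYN", "dport": port, "seq": seq_a}]
    reply = target.receive(sent[0])
    if reply is None:
        return "filtered", sent                          # timeout: nothing came back
    if reply["flags"] == "RST":
        return "closed", sent
    assert reply["ack"] == seq_a + 1                     # SYN-ACK must ack A+1
    if full_connect:
        # ACK[seq=A+1, ack=B+1] completes the 3WHS; the application now sees a connection
        sent.append({"flags": "ACK", "dport": port, "seq": seq_a + 1, "ack": reply["seq"] + 1})
    else:
        # half-open scan: tear down with RST before the handshake completes
        sent.append({"flags": "RST", "dport": port, "seq": seq_a + 1})
    target.receive(sent[1])
    return "open", sent


def flags_seen(target):
    """Flag sequence a host-based sensor recorded; a SYN scan leaves SYN,RST only."""
    return [p["flags"] for p in target.log]


if __name__ == "__main__":
    t = Target({22: "open", 23: "closed", 80: "filtered"})
    for p in (22, 23, 80):
        print(p, scan_port(t, p)[0])
    print("sensor saw:", flags_seen(t))
```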
Check whether a host is running a DNS server
root@console:/home/fakrul# nmap -sU -p 53 202.125.96.42
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 11:08 AEST
Nmap scan report for 202.125.96.42
Host is up (0.00017s latency).
PORT   STATE SERVICE
53/udp open  domain
MAC Address: 00:16:3E:25:39:FD (Xensource)
Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
Nmap: Exercise
Task / Answer
1. How to scan known open ports for the network range 192.168.30.0/27
2. Is there any web service running on IP 192.168.30.55? What is the application name?
3. What is the IP address of the Windows 2003 Server in the network 192.168.30.0/27