
Tuesday, February 26, 2013

2 - Global environment discovery


Detection of the active machines on the network
     We want to identify all the machines on the network. Several tools allow this, such as "nmap" and "traceroute", but we chose "nmap" because it is more efficient: it can simply ping-scan the address range and tell us which hosts in the subnet are up.

  $ nmap -sP xxx.xx.30.2   

     This command tells us whether the machine is active or not:
  Nmap scan report for xxxxx-xxx.xxxxxx.fr (xxx.xx.30.2).    
 Host is up (0.044s latency).   

     We repeat this command for all the sub-domains found earlier.


2 OS and services identification
     For this step, we used two tools: nmap and Metasploit.

           2.1  nmap
     The first thing to do during a penetration test is to scan the ports to determine whether one or more of them are open. Since these ports correspond to services installed on the server, they can expose vulnerabilities.
   
Note 1 : Using "nmap" can trigger a firewall and alert the administrator that the server is the target of a port scan.

Note 2 : The target file / IPs used for the command below includes the following IP addresses :

xxx.xx.30.2, xxx.xx.30.3, xxx.xx.30.5, xxx.xx.30.8, xxx.xx.30.11,
xxx.xx.30.17, xxx.xx.30.41, xxx.xx.30.42, xxx.xx.31.3, xxx.xx.31.6

The command is run as follows; the options used are explained below :

  nmap -iL Cible/IPs -p1-65535 -sV -A -R --traceroute   
    -sV --version-all --version-trace -O --osscan-limit   
    --osscan-guess --reason --scan-delay 3 -oN Cible/scanresult    


* Target specification :
  • -iL <inputfilename> : Reads the list of hosts / networks from the target file.
* Host discovery :
  • -R : Always resolve DNS names (by default, only responsive targets are resolved).
* Scan techniques :
  • --traceroute : Traces the hop path to each host.
  • --reason : Gives the reason why a port is in a given state.
* Port specification and scan order :
  • -p <port range> : Scan only the specified ports.
* Service/version detection :
  • -sV : Probes open ports to determine the listening service and its version.
  • -A : Enables OS detection and version detection.
  • --version-all : Tries every version-detection probe, one by one.
  • --version-trace : Shows detailed information about the version scan.
* Operating system detection :
  • -O : Enables OS detection.
  • --osscan-limit : Limits OS detection to promising targets only.
  • --osscan-guess : Guesses the OS more aggressively.
* Probe delay :
  • --scan-delay : Adjusts the delay between probe packets.
* Output :
  • -oN : Writes the scan output to the given file (normal format).
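The file written by -oN is plain text, and the administrator mostly wants to know which open services were not expected. The following Python script is an added example, not part of the original post: it parses nmap's normal output (a constructed sample, SAMPLE_SCAN, with RFC 5737 placeholder addresses) and compares each host's open ports against an assumed baseline of expected services (BASELINE) so that unexpected exposure stands out.

```python
import re

# Constructed sample of nmap "normal" (-oN) output; addresses are RFC 5737 placeholders.
SAMPLE_SCAN = """\
Nmap scan report for host-a.example.fr (192.0.2.2)
Host is up (0.044s latency).
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
80/tcp   open     http        Apache httpd 2.2.22 ((Ubuntu))
3306/tcp open     mysql       MySQL 5.5.29
Nmap scan report for 192.0.2.3 [host down]
Nmap scan report for host-c.example.fr (192.0.2.5)
Host is up (0.010s latency).
PORT     STATE    SERVICE     VERSION
23/tcp   open     telnet      Linux telnetd
139/tcp  filtered netbios-ssn
"""

# Assumed baseline: the (port, protocol) pairs each host is supposed to expose.
BASELINE = {"192.0.2.2": {(22, "tcp"), (80, "tcp")}, "192.0.2.5": set()}

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+(?:\.\d+){3})\)?(?: \[host down\])?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")

def parse_nmap_normal(text):
    """Map each scanned IP to its DNS name, up/down state and list of open ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line.rstrip()):
            current = hosts[m["ip"]] = {"ip": m["ip"], "name": m["name"], "up": False, "ports": []}
        elif current is None:
            continue  # lines before the first host report (banner, warnings)
        elif line.startswith("Host is up"):
            current["up"] = True
        elif (m := PORT_RE.match(line.rstrip())) and m["state"] == "open":  # skip closed/filtered
            current["ports"].append((int(m["port"]), m["proto"], m["service"], (m["version"] or "").strip()))
    return hosts

def unexpected_services(hosts, baseline):
    """Open ports absent from the baseline: exposure the administrator must justify or close."""
    findings = []
    for ip, host in sorted(hosts.items()):
        allowed = baseline.get(ip, set())
        for port, proto, service, version in host["ports"]:
            if (port, proto) not in allowed:
                findings.append((ip, port, service, version))
    return findings
```

Calling unexpected_services(parse_nmap_normal(SAMPLE_SCAN), BASELINE) on the sample reports the MySQL port on the first host and the telnet service on the third, the two services nobody declared.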

           2.2 Metasploit
     Metasploit is a vulnerability scanner; we use it to collect information on the site: the IP addresses and hostnames, the OS, and the services hosted on each host.

To connect to Metasploit:

 127.0.0.1:10000   
