DarkMatter in Cyberspace

Web Scanning Notes

Discovery Scanning

This step find the IP address of a website, most frequently with ping or nmap. For example we want scan all hosts in 10.255.1.*:

sudo apt install nmap
nmap -sn 10.255.1.0/24

Port scanning

This step find the openning ports on a host.

Stealth scan

On Windows, install nmap with choco install nmap.

Test a specified port: Here is port 22 for SSH on host 106.184.7.58 22, equals to nc -zv 106.184.7.58 22: nmap -sS -O -p22 106.184.7.58

Scan commonly used 1000 ports (preconfigured by nmap) of a host: nmap -sS <target-ip>;

Scan all port of a host: nmap -sS <target-ip> -p 0-65535;

Scan all host in LAN, with OS and SSH service detection: nmap -O -sS -p22 '192.168.0.*'.

Example:

$ sudo nmap -sS xxx.xxx.xxx.143 -p 27010-27020

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-18 09:01 CST
Nmap scan report for newfairs.com (xxx.xxx.xxx.143)
Host is up (0.30s latency).
PORT      STATE  SERVICE
27010/tcp closed flexlm10
27011/tcp closed unknown
27012/tcp closed unknown
27013/tcp closed unknown
27014/tcp closed unknown
27015/tcp closed unknown
27016/tcp closed unknown
27017/tcp open   unknown
27018/tcp closed unknown
27019/tcp closed unknown
27020/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 5.66 seconds

Port 27017 (used by mongoDB) is detected.

Connection scan

List all available ports on each host in the scan range: Command: nmap -sT <target-ip>. For example: nmap -sT '192.168.17.*'.

Compared with connection scan, stealth scan won't be logged by the target. So it's more safe.

Banner grabbing

This step get the banner of a service on a specific port (here is 21):

sudo nmap -sT xxx.xxx.xxx.234 -p 21 --script=banner

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-18 09:30 CST
Nmap scan report for xxx.xxx.xxx.234
Host is up (0.064s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| banner: 220-FileZilla Server v0.9.33 beta\x0D\x0A220-written by Tim Kos
|_se (Tim.Kosse@gmx.de)\x0D\x0A220 Please visit http://sourceforge.net...

So this is a FileZilla server, version 0.9.33, which implies the OS is probably Windows.

Service identification

This step detect what service is running on a specific port of a host.

This is the detection on port 3389: sudo nmap xxx.xxx.xxx.234 -p 3389 -sV;

Example:

sudo nmap xxx.xxx.xxx.234 -p 80 -sV

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-18 09:23 CST
Nmap scan report for xxx.xxx.xxx.234
Host is up (0.072s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.17 ((Win32) PHP/5.3.5)

Operating system identification

Command: nmap <target-ip> -O;

Example:

$ sudo nmap xxx.xxx.xxx.143 -O

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-18 08:43 CST
Nmap scan report for xxx.com (xxx.xxx.xxx.143)
Host is up (0.32s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
901/tcp  filtered samba-swat
1068/tcp filtered instl_bootc
1723/tcp filtered pptp
3000/tcp open     ppp
3128/tcp filtered squid-http
4444/tcp filtered krb524
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6129/tcp filtered unknown
6667/tcp filtered irc
Aggressive OS guesses: Linux 3.2 - 3.6 (96%), Linux 2.6.32 - 2.6.39 (94%), Linux 2.6.32 - 3.0 (93%), Linux 3.5 (92%), Linux 2.6.32 (92%), IPFire firewall 2.11 (Linux 2.6.32) (92%), Linux 2.6.15 - 2.6.26 (likely embedded) (90%), Linux 2.6.32 - 2.6.33 (90%), Linux 2.6.32 - 2.6.35 (90%), Linux 2.6.18 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 23 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.20 seconds

Ref: "Kali Linux Network Scanning Cookbook" by Justin Hutchens.

Published

Last Updated

Category

Tech

Tags

Contact