Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Multipart PortScanning Tutorial Part 2

  1. #1 Archangel-Amael (Super Moderator)

    Multipart PortScanning Tutorial Part 2

    We will now continue with our "scanning journey". In this installment we will take a look at some generic port scans over TCP using Nmap.
    Last time we talked about what port scanning is. If you need to reference it, go ahead.


    Disclaimer: This information is for educational purposes only and not to commit a crime!
    If you do something that causes you to hose your box don't come kicking and screaming on the forums!
    All IP addresses, MAC addresses etc. have been munged!

    Lesson 2: We are using Nmap to scan our target network. We will be trying to determine what type of "box" we have and what services are running on it.
    So first we are going to run a generic TCP SYN Scan against our target. This is the default in Nmap by the way.
    So open a CLI or use the front end if you would like. You could also use the domain name, for example www.yourexampleofadomain.com. It works the same.
    Code:
    bt ~ # nmap 192.168.1.102
    And the output should look like:
    Code:
    bt ~ # nmap 192.168.1.102
    
    Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-05 15:25 GMT
    Interesting ports on 192.168.1.102:
    Not shown: 1696 closed ports
    PORT     STATE SERVICE
    20/tcp open ftp
    21/tcp open ftp
    23/tcp open telnet
    80/tcp open  http
    MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
    
    Nmap finished: 1 IP address (1 host up) scanned in 1.527 seconds
    bt ~ #
    As we can see there are a lot of open ports on our target computer. This is great since now we have several approach vectors to look at, however we will save this for a later time. So what we have is a simple SYN scan that reports back what ports are open on our target. Note however that this may or may not be true. Also notice that this scan told us only what ports are open, NOT what service is actually running. In order to see the service info use the -sV option. This enables version detection interrogation, but a better option is -A, which enables both OS detection and version detection. The following uses the nmap-service-probes database to try and determine the service protocol, the application name, the version number, hostname, device type, the OS family, and other miscellaneous details.

    OK, now let's look at the same scan, only this time we will use the -A option. Again this will give us more info about our target's services.
    Code:
    bt ~ # nmap -A 192.168.1.102
    
    Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-05 15:46 GMT
    Warning:  OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 1697 scanned ports on 192.168.1.102 are closed
    MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
    Device type: general purpose
    Running: Microsoft Windows 2003|XP
    OS details: Microsoft Windows 2003 Server SP1, Microsoft Windows Server 2003 Enterprise Edition 64-Bit SP1, Microsoft Windows XP SP2, Microsoft Windows XP SP2 (firewall disabled)
    Network Distance: 11 hops
    Notice this time all of our ports are closed on our target. However, because we used -A, we see that the computer may be running Windows XP or so.
    This is valuable info for us. This will help us in limiting our attacks on the target. For example we don't have to look at default router passwords as an attack vector.
    In the next lesson we will be looking at more TCP scan options.
    OK, now that we have seen a couple of basic scans it's time for you to go and practice. And remember kids, don't do anything that is against the law!

    Part1
    Part2
    Part3
    Part4
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.
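As an added example (not part of the tutorial or of any poster's code), here is a small Python parser for the nmap 4.x "normal" output format shown in the two scans above. It turns the host line, the PORT/STATE/SERVICE table, the MAC/OS lines and nmap's own "Warning:" about OS-detection reliability into a structured record, so results can be kept as an inventory and a weak OS guess is flagged instead of trusted; the regexes, field names and trimmed sample outputs are assumptions built from the tutorial's output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line patterns for nmap 4.x "normal" output, as printed in the tutorial (assumed format).
HOST_RE = re.compile(r"^(?:Interesting ports on|All \d+ scanned ports on) ([^\s:]+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
KV_RE = re.compile(r"^(MAC Address|Device type|Running|OS details|Network Distance): (.+)$")

@dataclass
class HostReport:
    host: Optional[str] = None
    open_ports: List[str] = field(default_factory=list)   # e.g. "23/tcp telnet"
    info: Dict[str, str] = field(default_factory=dict)    # MAC, OS guess, distance ...
    warnings: List[str] = field(default_factory=list)     # nmap's own reliability caveats

def parse_nmap_normal(text: str) -> HostReport:
    """Turn one host's human-readable nmap output into a structured record."""
    rep = HostReport()
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            rep.host = m.group(1)
        elif line.startswith("Warning:"):
            rep.warnings.append(line[len("Warning:"):].strip())
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            rep.open_ports.append(f"{m.group(1)}/{m.group(2)} {m.group(4)}")
        elif m := KV_RE.match(line):
            rep.info[m.group(1)] = m.group(2).strip()
    return rep

def os_guess_unreliable(rep: HostReport) -> bool:
    """True when nmap itself warned that the OS fingerprint is weak (no 1 open + 1 closed port)."""
    return any("reliable" in w.lower() for w in rep.warnings)

# Constructed sample input: the two scan outputs shown in the tutorial, trimmed.
SYN_SCAN = """Interesting ports on 192.168.1.102:
Not shown: 1696 closed ports
PORT     STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open  http
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)"""
A_SCAN = """Warning:  OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 192.168.1.102 are closed
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Microsoft Windows 2003|XP
Network Distance: 11 hops"""
```

Running `parse_nmap_normal(A_SCAN)` gives an empty port list plus a recorded warning, which is exactly the situation where the OS guess should be treated as a hint, not a fact.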

  2. #2 MaXe Legend (Member)

    Part 2 is also good for newbies not knowing how to do proper nmap scans.
    One thing I thought was strange is that you are not using the newest nmap?
    (Excuse me, but I use 4.50 seeing as it responds faster to me.)
    "I realized that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe

  3. #3 Archangel-Amael (Super Moderator)

    Quote Originally Posted by MaXe Legend View Post
    One thing I thought was strange is that you are not using the newest nmap? (Excuse me, but I use 4.50 seeing as it responds faster to me.)
    That's true, in this particular case I am not using the latest. For several reasons.
    I started with a fresh install of BT2 and that is the default. This makes it easier for others to follow; besides, between the two versions there is not much difference. The speed thing is relative because I am doing the scans on a local network.
    Another reason is that there are probably not that many people who know how to install the latest version of nmap onto their BT box.
    That's another tutorial for another day.

  4. #4 Junior Member

    Thanks again, much appreciated.

  5. #5 dapirates1 (Junior Member)

    For newbies running BackTrack 3 who are not sure about Nmap, type zenmap in Konsole, you can't go wrong. Although you should really learn to use the nmap command line, sometimes it's nice to cheat.

  6. #6 yk.han (Just burned his ISO)

    ****Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: storage-misc
    Running (JUST GUESSING) : BlueArc embedded (93%)
    Aggressive OS guesses: BlueArc Titan 2100 NAS device (93%)
    No exact OS matches for host (test conditions non-ideal).
    Service Info: OS: Windows


    Why can't I get the details of the OS?

    Thanks.

  7. #7 Archangel-Amael (Super Moderator)

    Quote Originally Posted by yk.han View Post
    ****Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: storage-misc
    Running (JUST GUESSING) : BlueArc embedded (93%)
    Aggressive OS guesses: BlueArc Titan 2100 NAS device (93%)
    No exact OS matches for host (test conditions non-ideal).
    Service Info: OS: Windows

    Why can't I get the details of the OS?

    Thanks.
    Are you serious?
    It looks to me like the output that you pasted tells you the answer; look for it in the first line.
    I would suggest that you try to learn more about what you are scanning and what scanning does. Then re-try the scan and see if it helps.
    Maybe you can give us more info on what you are scanning and the exact command that you used to get the above results.
    This will also be useful.

    However, it appears that you scanned a NAS box that has an embedded OS installed.

    Also welcome to the forums.

  8. #8 0tt0v0nc4t (Junior Member)

    Awesome, this has been an amazing learning experience. Great work!

  9. #9 Archangel-Amael (Super Moderator)

    Quote Originally Posted by 0tt0v0nc4t View Post
    Awesome, this has been an amazing learning experience. Great work!
    Thank you 0tt0v0nc4t, glad that you have enjoyed it and have learned something in the process.

  10. #10 Just burned his ISO

    Thank you for this tutorial.
