SCANNING PHASE


SUBMITTED BY: DevilDawg

DATE: April 11, 2022, 8:18 a.m.

FORMAT: Text only

SIZE: 67.2 kB

HITS: 447

  1. Scanning Phase
  2. This phase uses tools such as war dialers, port scanners, network mappers, ping sweepers and vulnerability scanners to probe the target. The attacker is now looking for anything that helps stage an attack: host names, IP addresses and user accounts. With the basic information from reconnaissance in hand, the attacker moves on to testing the network for further avenues of attack and uses several methods to map it. One low-noise option is to look for automated e-mail replies or, based on the information already gathered, to e-mail HR with an inquiry about a job posting, because the headers of the reply reveal mail servers and internal addressing.
  3. Scanning is a logical extension of (and overlaps with) active reconnaissance; it helps the attacker identify specific vulnerabilities.
  4. Attackers often use automated tools such as network scanners and war dialers to locate systems and discover vulnerabilities.
  5. An attacker follows a particular sequence of steps to scan a network. The scanning methods vary with the attack objectives, which are set before the scanning begins.
  6. Scanning is a set of procedures for identifying live hosts, open ports and running services, fingerprinting the operating system and architecture of the target, and identifying vulnerabilities and threats in the network. Network scanning builds a profile of the target organization.
  7. Scanning gathers more information than reconnaissance by using more complex and aggressive techniques, which also makes it far more likely to be noticed by the target.
  8. At this point the attacker is also looking for the quickest way to gain access to the network.
  9. At this stage four kinds of activity are involved:
  10. Pre-attack: the attacker scans the network for specific information based on what was gathered during reconnaissance.
  11. Port scanning/sniffing: the use of dialers, port scanners and other data-gathering tools.
  12. Vulnerability scanning: scanning the target for weaknesses and vulnerabilities.
  13. Information extraction: the attacker collects information about ports, live machines and OS details, the network topology, routers, firewalls and servers.
  14. How Scanning Tools Help Hackers
  15. The most commonly used tools are vulnerability scanners, which check a target network for a large number of known vulnerabilities. This gives attackers the advantage of time: they only need one way in, while the defender has to secure every vulnerable area by applying patches.
  16. Organizations that deploy intrusion detection systems still have reason to worry, because attackers can use evasion techniques at both the application and network level.
  17. Attackers can gather critical network information, such as the layout of systems, routers and firewalls, with simple network diagnostic commands like traceroute. Tools like Cheops, a network management tool, add sweeping functionality on top of what traceroute shows.
  18. Port scanners detect listening ports to learn the nature of the services running on the target. The primary defence against port scanners is to shut down unnecessary services. Filtering helps as well, but attackers can still use tools (for example an ACK scan, described below) to infer the filtering rules.
  19. Network Scanning:
  20. The purpose of each scanning process:
  21. Port scanning: detecting open ports and the services running on the target.
  22. Network scanning: IP addresses, operating system details, topology, trusted routers, and so on.
  23. Vulnerability scanning: scanning for known vulnerabilities or weaknesses in a system.
  24. Check for Live Systems:
  25. A ping scan checks whether a system is live by sending an ICMP echo request; a live system answers with an ICMP echo reply, and the IP TTL and other header fields of the reply hint at the operating system. Many hosts and firewalls block ICMP echo, so scanners such as nmap also use TCP SYN and ACK probes and, on the local segment, ARP requests for host discovery (nmap -sn).
  26. Check for Open Ports:
  27. Port scanning finds open ports, the services running on them, their versions and so on. Nmap is the standard tool for this.
  28. The main types of scan are:
  29. Connect scan: identifies open ports by completing the TCP three-way handshake with the target. It needs no raw-socket privileges, but every connection reaches the listening application and can be logged by it.
  30. TCP Connect scan
  31. Nmap command: nmap -sT -v -p- <TargetIP>
  32. Half-open scan
  33. A half-open scan, also known as a SYN or stealth scan, probes the target without completing the TCP handshake: the scanner sends SYN and, when the target answers SYN/ACK, replies with RST instead of ACK. The target application never sees a connection, but the packets are still visible to firewalls and intrusion detection systems.
  34. Nmap command: nmap -sS -v <TargetIp>
  35. XMAS scan:
  36. Also called inverse TCP scanning (nmap -sX). The probe is sent with the FIN, PSH and URG flags set. An RFC 793 stack does not respond if the port is open (or the probe is filtered), and sends a RST if the port is closed. Windows and many network devices answer RST whatever the port state, so XMAS, FIN and NULL scans reveal nothing against them.
  37. FIN scan:
  38. Only the FIN flag is set in the TCP packets sent to the target. Open ports do not respond, while closed ports send a RST.
  39. Nmap command: nmap -sF <targetIp>
  40. ACK scan:
  41. Here the attacker sends packets with only the ACK flag set. An RFC-compliant host answers RST for open and closed ports alike, so an ACK scan does not tell open from closed; it tells unfiltered (a RST came back) from filtered (no reply, or an ICMP unreachable error), which maps the firewall's rules. Nmap's window scan (-sW) extends this by examining the TCP window field of the returned RSTs, which on some systems differs between open and closed ports.
  42. Nmap command: nmap -sA -v <targetip>
  43. Null Scan:
  44. Works by sending TCP packets with no flags set. Open ports do not respond, while closed ports answer with a RST.
  45. Nmap Command: nmap -sN -p- <targetIP>
  46. Idle Scan:
  47. Here the attacker masks their identity by bouncing the scan off an idle machine (the zombie) on the network: the scanner spoofs probes from the zombie's address and infers the target's port status from changes in the zombie's IP ID counter, so the target only ever sees the zombie's IP address.
  48. Nmap command : nmap -Pn -sI ZombieIp TargetIp
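The scan types above all rest on the same rule set: how a TCP stack that follows RFC 793 answers a probe in each port state, and what the scanner concludes from the answer. The following Python models exactly that. It is an added example, not code from the original page or from nmap; the "target" is a dictionary of constructed port states rather than a real host, and the flag constants are the standard TCP header bits.

```python
"""How an RFC 793 TCP stack answers each nmap probe type, and how the scanner
turns the answer into a port state. Added example: the target is a dictionary
of constructed port states, not a real host."""

from typing import Dict, Optional

# TCP flag bits (low six bits of byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Flags the scanner sets in its first packet, by nmap scan type
PROBES = {
    "connect": SYN,              # -sT: completes the handshake, then closes
    "syn":     SYN,              # -sS: answers SYN|ACK with RST
    "fin":     FIN,              # -sF
    "null":    0,                # -sN
    "xmas":    FIN | PSH | URG,  # -sX
    "ack":     ACK,              # -sA: firewall rule mapping only
}


def flag_names(flags: int) -> str:
    """Render a flags byte as 'FIN|PSH|URG'; 0 renders as 'NONE'."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "|".join(names) or "NONE"


def target_response(port_state: str, flags: int) -> Optional[int]:
    """Flags of the reply an RFC 793 stack sends, or None for silence.

    port_state is 'open', 'closed' or 'filtered' (a firewall drops the probe).
    Windows and many embedded stacks deviate: they send RST to FIN/NULL/XMAS
    probes on open ports too, which is why those scans fail against them.
    """
    if port_state == "filtered":
        return None                  # dropped before the stack sees it
    if flags & RST:
        return None                  # a RST is never answered with a RST
    if port_state == "closed":
        return RST                   # CLOSED state: reset anything that arrives
    # open port in LISTEN state
    if flags & ACK:
        return RST                   # an ACK with no connection is reset
    if flags & SYN:
        return SYN | ACK             # second step of the handshake
    return None                      # FIN, NULL, XMAS: silently ignored


def classify(probe: str, reply: Optional[int]) -> str:
    """Nmap's interpretation of a reply for each probe type."""
    if probe in ("connect", "syn"):
        if reply is None:
            return "filtered"
        return "open" if (reply & SYN and reply & ACK) else "closed"
    if probe in ("fin", "null", "xmas"):
        # no reply means open OR filtered; only a RST is conclusive
        return "closed" if (reply is not None and reply & RST) else "open|filtered"
    if probe == "ack":
        # RST proves the packet reached the host; silence means a filter ate it
        return "unfiltered" if (reply is not None and reply & RST) else "filtered"
    raise ValueError(f"unknown probe type {probe!r}")


def scan(target: Dict[int, str], probe: str) -> Dict[int, str]:
    """Send one probe type to every port of the simulated target."""
    flags = PROBES[probe]
    return {port: classify(probe, target_response(state, flags))
            for port, state in target.items()}


# Constructed target: port states made up for this example
TARGET = {22: "open", 23: "closed", 80: "open", 3389: "filtered"}

if __name__ == "__main__":
    for name, flags in PROBES.items():
        print(f"{name:8s} ({flag_names(flags)}): {scan(TARGET, name)}")
```

Running it shows why the scan types are complementary: the SYN scan separates all three states, the FIN/NULL/XMAS family can only ever prove "closed", and the ACK scan can only ever prove "unfiltered". That is the reason nmap pairs -sA with -sS when mapping a firewall.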
  49. Banner Grabbing
  50. Banner grabbing collects information such as operating system details and the name and version of the service running on a port, by reading what the service announces when a client connects (nmap -sV automates this; a plain netcat connection to a mail or web port often shows the same banner).
  51. Vulnerability scanning:
  52. Mainly automated tools are used for this purpose. These scanners probe the target for vulnerabilities or weaknesses in the target organization that an attacker could exploit. Vulnerabilities include application vulnerabilities, configuration vulnerabilities, network vulnerabilities, operating system vulnerabilities and so on.
  53. Examples include an unpatched operating system, default passwords, plaintext protocols and vulnerable protocols left running.
  54. Tools: Nessus, Acunetix
  55. Draw Network Diagrams
  56. With the information gathered, the attacker can draw a network diagram that shows the network and architecture of the target organization and helps pick the target.
  57. Tools: Network View, OpManager, etc.
  58. Prepare Proxies
  59. Proxies maintain the attacker's anonymity by masking their IP address. Because a proxy sits between client and server it can also capture the information passing through it, and the attacker can reach the target's resources through it.
  60. Eg: Tor browser and onion services, Proxify, Psiphon, etc.
  61. Countermeasures:
  62. Configure the IDS and firewall to detect and block probes.
  63. Keep firewall, router and IDS firmware updated.
  64. Run port scanners against your own systems to verify what is actually exposed.
  65. Add firewall rules restricting access to ports.
  66. Block ICMP-based scanning at the firewall where ICMP is not needed.
  67. TCP Communication Flag
  68. Flags are signals of connection status: just as a real flag represents a country, a TCP flag represents the state of the communication.
  69. URG: the urgent pointer field is significant; the flagged data should be processed immediately.
  70. FIN: the sender has no more data to transmit.
  71. RST: reset (abort) the connection.
  72. PSH: push the buffered data to the receiving application immediately.
  73. ACK: the acknowledgement number is valid; the sender is acknowledging data it has received (set on every segment after the first SYN).
  74. SYN: synchronize sequence numbers to initiate a connection between hosts.
  75. TCP /IP communication
  76. TCP/IP (Transmission Control Protocol / Internet Protocol) is the communication protocol suite of the Internet; TCP is best known for its reliability, and every TCP connection starts with the three-way handshake.
  77. Three way handshake
  78. In TCP communication the client requests a connection by sending a segment with the SYN flag set, carrying its initial sequence number.
  79. On receiving the SYN, the server understands that the client wants a connection and, if it is listening on that port, accepts the request.
  80. The server's reply carries SYN+ACK: it acknowledges the client's sequence number and sends its own.
  81. The client responds with ACK to confirm the server's sequence number, and the connection is established.
  82. This method is called the three-way handshake.
  83. TCP is said to be reliable not because of the handshake itself but because every byte sent is numbered and must be acknowledged;
  84. if a segment is lost, no ACK comes back for it, so the sender retransmits it after a timeout, and the receiver eventually gets all the data, in order and without duplicates.
  85. TCP Connect / Full Scan
  86. FULL OPEN SCAN
  87. In a TCP connect / full open scan the attacker determines that a port is open by completing the three-way handshake.
  88. The connect scan establishes a full connection and then terminates it with a RST packet.
  89. Stealth Scan / Half Open Scan
  90. Half Open Scan
  91. A stealth scan resets the TCP connection before the three-way handshake is completed.
  92. After receiving SYN+ACK from the server, the attacker sends RST and the connection is torn down.
  93. XMAS scan, port open
  94. The attacker sends a packet with the FIN+URG+PSH flags set. If the target port is open, the machine does not respond to this flag combination.
  95. Port closed
  96. If the port is closed, the machine sends a RST immediately.
  97. The 3-way handshake is very important to understand. It happens each time you connect to a website. I looked at it like a phone call between you and me: I call you (SYN), you answer the phone and say hello (SYN+ACK), and I ask how you are doing (ACK). Then RST or FIN tears down the connection. This is important to understand because these steps decide what the target records. If you complete the 3-way handshake (a connect scan) the connection reaches the application, so your IP will be logged in that application's logs. If you perform a -sS scan, known as a stealth scan, you do not complete the 3-way handshake and the application never sees a connection; it is not footprint-free, though, because firewalls, IDS sensors and flow logs record every SYN, and a burst of SYNs to many ports from one address is one of the easiest scan signatures to detect. If the port is closed then a RST is returned. Not sure if the 3-way exploit still works or not; the attack meant here is TCP session hijacking. When you connect to a website each side chooses an initial sequence number, and each side's number advances by the number of bytes it has sent (the webserver's number is different from yours and advances the same way). Wireshark will show those numbers while it is listening on the network. If you capture them, bump the user offline and send segments carrying the correct next sequence and acknowledgement numbers, the server treats them as the user's and you take the user's place; in many situations this can come in handy. Against a plaintext session a malicious hacker could do this while the user is logged in; against a bank, where the session runs over HTTPS, injected data fails TLS's integrity check and the session simply breaks, so the attacker gets no access to the account.
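The stealth scan above still leaves a record wherever packets are logged. As an added example (not from the original post), the following Python reads a constructed packet log, whose "epoch src sport dst dport flags" layout is an assumption made for this example rather than any tool's format, and distinguishes a SYN scan (SYN, SYN|ACK, then RST from the client) from a connect scan (handshake completed) and from ordinary traffic.

```python
"""Spot SYN ('stealth') and connect scans in a packet log. Added example with a
constructed log; the record layout 'epoch src sport dst dport flags' is an
assumption for this example, not the format of any particular tool."""

from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed records. 10.0.0.5 SYN-scans 10.0.0.20 (RST after SYN|ACK);
# 10.0.0.9 opens one normal HTTPS connection. Flags: S=SYN, A=ACK, R=RST.
SAMPLE_LOG = """\
1700000000.10 10.0.0.5 40001 10.0.0.20 22 S
1700000000.11 10.0.0.20 22 10.0.0.5 40001 SA
1700000000.11 10.0.0.5 40001 10.0.0.20 22 R
1700000000.12 10.0.0.5 40002 10.0.0.20 23 S
1700000000.12 10.0.0.20 23 10.0.0.5 40002 RA
1700000000.13 10.0.0.5 40003 10.0.0.20 80 S
1700000000.13 10.0.0.20 80 10.0.0.5 40003 SA
1700000000.13 10.0.0.5 40003 10.0.0.20 80 R
1700000000.14 10.0.0.5 40004 10.0.0.20 443 S
1700000000.15 10.0.0.5 40005 10.0.0.20 8080 S
1700000000.15 10.0.0.20 8080 10.0.0.5 40005 RA
1700000002.00 10.0.0.9 51000 10.0.0.20 443 S
1700000002.01 10.0.0.20 443 10.0.0.9 51000 SA
1700000002.01 10.0.0.9 51000 10.0.0.20 443 A
"""

Record = Tuple[float, str, int, str, int, str]
Flow = Tuple[str, str]              # (client ip, server ip)
Attempts = Dict[Flow, Dict[Tuple[int, int], str]]


def parse(log: str) -> List[Record]:
    recs = []
    for line in log.splitlines():
        ts, src, sport, dst, dport, flags = line.split()
        recs.append((float(ts), src, int(sport), dst, int(dport), flags))
    return recs


def track_attempts(recs: List[Record]) -> Attempts:
    """For every (client, server) pair, the outcome of each SYN the client sent.

    Outcomes: syn_only (no answer: filtered), closed (RST|ACK from server),
    half_open (SYN|ACK seen, nothing further), reset_by_client (client answered
    SYN|ACK with RST: the -sS signature), completed (client sent the final ACK).
    """
    attempts: Attempts = defaultdict(dict)
    for _ts, src, sport, dst, dport, flags in recs:
        if flags == "S":
            attempts[(src, dst)][(sport, dport)] = "syn_only"
            continue
        if flags in ("SA", "RA"):               # server reply: flip the tuple
            flow, key = (dst, src), (dport, sport)
            if key in attempts.get(flow, {}):
                attempts[flow][key] = "half_open" if flags == "SA" else "closed"
            continue
        flow, key = (src, dst), (sport, dport)  # client's third packet
        if attempts.get(flow, {}).get(key) == "half_open":
            if flags == "R":
                attempts[flow][key] = "reset_by_client"
            elif flags == "A":
                attempts[flow][key] = "completed"
    return attempts


def summarise(log: str, min_ports: int = 4) -> Dict[Flow, dict]:
    """Per (client, server) pair: ports touched, outcome counts and a verdict."""
    report = {}
    for flow, conns in track_attempts(parse(log)).items():
        ports = sorted({dport for _sport, dport in conns})
        outcomes = Counter(conns.values())
        if len(ports) >= min_ports and outcomes["completed"] == 0:
            verdict = "syn_scan" if outcomes["reset_by_client"] else "port_sweep"
        elif len(ports) >= min_ports:
            verdict = "connect_scan"
        else:
            verdict = "normal"
        report[flow] = {"ports": ports, "outcomes": dict(outcomes), "verdict": verdict}
    return report


if __name__ == "__main__":
    for (src, dst), info in summarise(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['verdict']} ports={info['ports']} {info['outcomes']}")
```

The threshold of four distinct ports is arbitrary; a production detector would also bound the time window and whitelist monitoring hosts. The point is that nothing in the SYN scan is invisible: the client's RST in reply to SYN|ACK is itself the fingerprint.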
  98. Wi-Fi uses a different exchange, the WPA2 4-way handshake, which derives the session keys from the network passphrase. Dragonblood is the name given in 2019 to a set of weaknesses in WPA3's SAE (Dragonfly) handshake, the replacement for that 4-way handshake: they include downgrade attacks that force a network running in WPA3-Transition mode back to WPA2, so that the old 4-way handshake can be captured and cracked offline, and side channels that leak the passphrase. Dropping from HTTPS to HTTP is a different attack, SSL stripping, carried out at the web layer by an attacker who is already in the middle of the connection: if a user starts the session over plain HTTP instead of HTTPS, the attacker keeps it there and can read and modify everything, so the session is open to every HTTP attack.
  99. To bypass Wi-Fi security you can use Aircrack-ng and the tools it provides. Start airodump-ng to capture on the channel, use the deauthentication attack in aireplay-ng to knock clients off the network, and when the wireless devices automatically reconnect, capture the 4-way handshake and crack it offline with aircrack-ng and a wordlist to recover the passphrase. A similar attack: when you boot clients off, the capture reveals the SSID even if the network hides it, because the reconnecting clients name it in their probe and association frames; you can then spoof the MAC address of any computer that has access to the network to get past MAC filtering. I have a video of this attack that will be included.
  100. The watering hole attack is named after predators that wait where animals come to drink. In its usual sense it means compromising a website that the target group is known to visit, so that the victims come to you. The coffee-shop version described here is really a rogue access point with a cloned login page (see the evil twin attack below). Go to the local coffee shop where everyone is having their morning or lunch coffee break, start Kali and use HTTrack to clone the coffee shop's captive-portal page and address. Then raise your wireless adapter's transmit power (Tx) above the coffee shop's access point. The stronger signal does not by itself boot anyone off; sending deauthentication frames does that, and when the devices automatically reconnect they choose the strongest access point with the familiar name, so they log into your cloned page. Now you can gather people's usernames and passwords.
  101. Because your computer will automatically reconnect after being booted off, and in doing so may hand your username and password to the clone, turn off auto-join for public networks and forget them when you leave. A VPN kill switch (links below) is a complementary protection: it blocks all traffic when the VPN tunnel drops, so a reconnection to a rogue network leaks nothing in the clear, but it does not stop the reconnection itself.
  102. https://restoreprivacy.com/vpn/kill-switch/
  103. https://www.privacyaffairs.com/vpn-killswitch/
  104. An evil twin attack is executed when you get within range of a company or home network and set up your own access point to look like the original one. An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. It is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent website and luring people there.
  105. An evil twin attack is an attack in which an attacker sets up a fake Wi-Fi network that looks like a legitimate access point in order to steal victims' sensitive details. Most often, the victims of such attacks are ordinary people like you and me.
  106. The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns the equipment being used, the victim will have no idea that the hacker might be intercepting things like bank transactions.
  107. An evil twin access point can also be used in a phishing scam. In this type of attack, victims will connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once the hacker gets them, they might simply disconnect the victim and show that the server is temporarily unavailable.
  108. The most common evil twin attack scenario you may come across in the wild is one with Captive Portals. Many public Wi-Fi networks use web pages that require your login details to connect you to the internet. The goal of this attack is to fool the victim into giving their authentication details for a legitimate Wi-Fi network. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic, and perform other MITM attacks. Let’s delve deeper into what happens at every step of this attack.
  109. Step 1: hacker sets up a fake wireless access point
  110. A hacker chooses a public place that has many hotspots, such as your local Starbucks or an airport. Such places usually have multiple Wi-Fi access points with the same name. It’s good if you are walking around the building and don’t want to lose your connection, but it also makes the hacker's job much easier when it comes to creating a fake hotspot with the same Wi-Fi name.
  111. Now the bad actor can use anything from a network card, tablet, or laptop to a portable router or a Wi-Fi Pineapple (if they need more range) to create a hotspot. It’s pretty easy! Just think about the last time you used your phone as a hotspot to share a connection with your other devices or your friends. That’s exactly what a hacker does; however, they use the same Service Set Identifier (SSID) name, also known as simply the Wi-Fi name, as the legitimate one does.
  112. Why does this matter? Because most devices aren’t clever enough to distinguish between a legitimate and a fake access point if they have the same SSID. (Some hackers can go as far as cloning the MAC address of the trusted network.) That’s why it’s called an evil twin!
  113. Step 2: hacker creates fake Captive Portal
  114. If you’ve ever used public Wi-Fi, you have probably seen a Captive Portal page. They usually either ask for some basic information about you or prompt you to enter Wi-Fi login and password. The problem with Captive Portals is that there’s no standard on how they should look, and they are usually poorly designed.
  115. Those who use public Wi-Fi are so used to them being this way that it’s hard to tell the difference between a legitimate page and a fake one. Unfortunately, if you come across the latter, it will send your details straight to the hacker.
  116. Hackers may skip this step if they are setting up an evil twin of an open Wi-Fi network, which has no captive portal. If the legitimate Wi-Fi has a password, faking a captive portal helps the hacker obtain login details and connect to the real network.
  117. Step 3: hacker makes victims connect to the evil twin Wi-Fi
  118. Now that the hacker has a hotspot and a captive portal, they need to make people ditch the legitimate connection and connect to theirs. This can be done in two ways:
  119. They create a stronger Wi-Fi signal by positioning themselves closer to their victims, which will result in nearby devices automatically connecting to the evil twin.
  120. They kick everyone off the main network by DDoSing them, or by flooding them with deauthentication packets. The devices connected to the legitimate network will be disconnected, which will lead users back to their Wi-Fi connection page.
  121. Now they will see a new network with an identical name, which most likely will state ‘Unsecure’. This will set off alarm bells for security-aware users, but many people will simply brush it off. This method might not work in an office environment, where it would raise suspicion.
  122. Step 4: hacker steals login details
  123. If the evil twin has a fake captive portal, the user will be directed straight to the login page when they click on the new network. They will be required to enter the same login details they used the first time they connected to a legitimate network.
  124. This time round, however, they are sending these details to the hacker. Now that the hacker has them, they can monitor network traffic and what you do online. If you tend to use the same login details for all your accounts, the hacker could also use them in credential stuffing attacks.
  125. How to protect yourself
  126. Don’t log into any accounts on public Wi-Fi. This way, the hacker will not be able to steal your credentials and use them against you.
  127. Avoid connecting to Wi-Fi hotspots that say ‘Unsecure,’ even if it has a familiar name.
  128. Use 2-factor-authentication for all your sensitive accounts. This way, even if a hacker gets hold of your login credentials, they will still struggle to get into your accounts.
  129. Learn to recognize social engineering attacks, phishing, and spoofed URLs.
  130. Only visit HTTPS websites, especially on open networks. HTTPS encrypts the traffic between your browser and the site, so someone on the same network cannot read what you do there, although they can still see which sites you connect to.
  131. Don’t dismiss your device's notifications, especially if you were kicked off the network and you’re connecting to what you think is a known Wi-Fi network. If your device recognizes it as a new network, don’t ignore it!
  132. Don’t autosave Wi-Fi on your device because when it’s not connected to your home or office networks, it will transmit so-called probes. They can give out a lot of information about you, including your home address. Hackers can sniff this information and pretend to be your home network.
  133. Use a VPN whenever you connect to a public hotspot. It will encrypt your traffic before it leaves your device, making sure that no one sniffing the traffic can see your browsing behaviors.
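The four attack steps and the advice above reduce to two checks that can be automated: on the network side, a beacon with a familiar SSID from an access point that is not in the inventory, or that offers weaker security than its siblings, is an evil twin candidate; on the client side, a saved network must never be joined with weaker security than was saved. The Python below, an added example that is not part of the original page, applies both to a constructed list of beacons; the inventory, the observed beacons and the security ranking are assumptions made for the example.

```python
"""Flag evil-twin candidates from beacon observations, and apply the client-side
rule 'never join a familiar name with weaker security than you saved'. Added
example: the beacon records, the inventory and the saved profile are constructed."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Higher is stronger; a drop in rank for the same SSID is the evil-twin giveaway
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA2-PSK": 2, "WPA3-SAE": 3}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the access point radio
    security: str   # key in SECURITY_RANK
    channel: int
    rssi: int       # signal strength in dBm (closer to 0 is stronger)


# Constructed inventory: the BSSIDs the coffee shop's real access points use
INVENTORY: Dict[str, Set[str]] = {
    "CoffeeShop-WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan: two legitimate APs plus a rogue with the strongest signal
OBSERVED = [
    Beacon("CoffeeShop-WiFi", "aa:bb:cc:00:00:01", "WPA2-PSK", 6, -61),
    Beacon("CoffeeShop-WiFi", "aa:bb:cc:00:00:02", "WPA2-PSK", 11, -70),
    Beacon("CoffeeShop-WiFi", "de:ad:be:ef:00:01", "OPEN", 6, -35),
    Beacon("Guest", "aa:bb:cc:00:00:03", "OPEN", 1, -66),
]


def find_evil_twins(beacons: List[Beacon], inventory: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per suspicious beacon, with the reasons it was flagged."""
    by_ssid: Dict[str, List[Beacon]] = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)
    findings = []
    for ssid, group in by_ssid.items():
        known = inventory.get(ssid)                      # None: SSID not ours
        best = max(SECURITY_RANK[b.security] for b in group)
        strongest = max(group, key=lambda b: b.rssi)
        for b in group:
            reasons = []
            if known is not None and b.bssid not in known:
                reasons.append("bssid_not_in_inventory")
            if SECURITY_RANK[b.security] < best:
                reasons.append("weaker_security_than_sibling_ap")
            if reasons and b is strongest and len(group) > 1:
                reasons.append("strongest_signal_for_ssid")  # the one clients will pick
            if reasons:
                findings.append({"ssid": ssid, "bssid": b.bssid, "reasons": reasons})
    return findings


def safe_to_join(saved_security: str, beacon: Beacon) -> bool:
    """Client-side check: refuse a network whose security is weaker than the saved profile."""
    return SECURITY_RANK[beacon.security] >= SECURITY_RANK[saved_security]


if __name__ == "__main__":
    for finding in find_evil_twins(OBSERVED, INVENTORY):
        print(finding)
    print("join rogue with saved WPA2 profile?", safe_to_join("WPA2-PSK", OBSERVED[2]))
```

The same-SSID comparison is what catches the "Unsecure" variant of a familiar name that the advice above warns about; the inventory check is what a wireless IDS does with an administrator's list of authorised BSSIDs, and it is the only one of the two that also catches a rogue configured with the correct WPA2 settings.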
  134. Password-Based Attacks
  135. Password-based access control is the common denominator of most network and operating-system security policies. Your identity (username and password) therefore determines your computer and network access rights. Older systems do not always protect identity information, because authentication information is transmitted over the network in the clear; an eavesdropper can capture it and gain the access of a legitimate user. Once an intruder has a legitimate user's account, they have the same privileges as that user, and if the account has administrator-level privileges they can create further accounts for later access.
  136. After gaining access to your network with a legitimate account, an attacker can do any of the following:
  138. Obtain lists of valid user and computer names and network information.
  140. Modify server and network configurations, including routing and access controls.
  142. Modify, reroute or delete your data.
  143. Man-in-the-Middle Attack
  144. As the name suggests, a man-in-the-middle attack is one in which someone between you and the party you are communicating with actively monitors, captures and controls the communication transparently; the attacker can, for instance, re-route the data exchange. At the lower layers of the network, computers have no way of verifying who they are really exchanging data with. A man-in-the-middle attack is like someone assuming your identity in order to read your messages: the other party may believe it is you, because the intruder deliberately replies so that the exchange continues and more information is obtained. This attack can do the same damage as the application-layer attack described later in this section.
  145. Close-in Attack
  146. A close-in attack is one in which an ordinary person gets into close physical proximity to networks, systems or facilities in order to alter or collect information or to deny access. Close physical proximity is achieved through surreptitious entry, open access, or both. A popular form of close-in attack is social engineering, in which the attacker compromises the network or system through social interaction with a person, by e-mail or by telephone. The victim can be tricked into revealing company security information, which is then used to gain unauthorized access to a device or network for later attacks.
  147. Identity Spoofing
  148. Most networks and operating systems use the IP address of a device to identify a legitimate entity. An intruder can use specific programs to construct IP packets that appear to come from valid addresses inside the corporate intranet. After gaining access to the network with a valid IP address, the attacker may modify, remove or erase your data, and may also carry out the other types of attacks described in the following sections.
  149. Compromised-Key Attack
  150. A key is a secret code or number required to process secured information. Although it is possible for an attacker to obtain a key, doing so is a complicated and resource-intensive process. Once an attacker has obtained a key, it is referred to as a compromised key. The attacker uses the compromised key to gain access to a secured communication without the sender or recipient being aware of the attack. With the compromised key the attacker can decrypt or modify data, and can compute additional keys from it, which may give access to other secured communications.
  151. Application-Layer Attack
  152. An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This lets the attacker bypass normal access controls; the attacker gains control of your application, system or network and can do any of the following:
  153. Read, add, delete or modify your data or operating system.
  154. Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.
  155. Introduce a sniffer program to analyse your network and gather information that can eventually be used to crash or corrupt your systems and network.
  156. Passive Attack
  157. A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations lets an adversary see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.
  158. Active Attack
  159. In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. Such attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user while they attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, denial of service, or modification of data.
  162. DoS
  163. A DoS attack renders a network, host or other piece of infrastructure unusable by legitimate users. Most DoS attacks fall into one of three groups:
  164. Bandwidth flooding: the attacker sends a deluge of packets to the target host, so many that the access link to the target becomes clogged and legitimate packets cannot reach the server.
  165. Vulnerability attack: a few well-crafted messages are sent to a vulnerable application or operating system on the target host. If the right sequence of packets is sent to a vulnerable application or operating system, the service can stop or the host can crash.
  166. Connection flooding: the attacker establishes a large number of half-open or fully open TCP connections on the target host. The host can become so bogged down with these bogus connections that it stops accepting legitimate connections.
  167. Packet Sniffer
  168. A packet sniffer is a passive receiver that records a copy of every packet that flies by. Any passive receiver within range of a wireless transmitter can get a copy of every packet transmitted. Such packets can contain sensitive information such as social security numbers, passwords, personal messages and business secrets. Some of the best defences against packet sniffing involve cryptography.
  169. Malware
  170. Malware is software specifically designed to disrupt, damage or gain unauthorized access to a computer system. Much of today's malware is self-replicating: once it infects a host, it looks from that host for connections to other hosts over the Internet, and from the newly infected hosts it seeks entry into still more. Self-replicating malware can spread exponentially fast in this way.
  171. Insider Attack
  172. Insider attacks involve someone from inside the company or system, such as a disgruntled employee, targeting the network; the insider may be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal or damage information, use information fraudulently, or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of awareness, or intentionally circumventing security for a reason such as getting a task done.
  173. Cross-site scripting attack
  174. A cross-site scripting attack is a kind of attack in which attacker-supplied JavaScript is executed in other users' browsers through a vulnerable web application. A vulnerable application can be detected manually by filling in and submitting the text fields and checking whether the application validates and encodes the input or just lets the script run without any sanitization. The severity is high: the injected script runs with the victim's session, so it can read page content and session data and act as the user. To defend against this attack, the application must validate input and, above all, encode user-supplied values for the context in which they are output, rather than processing them as-is.
  175. Phishing attack
  176. This is a very common kind of attack that falls under social engineering. The attacker sends an authorized user a URL of a web page that looks exactly like the legitimate website and tricks the user into submitting their credentials. The attacker then uses the credentials to get full access to the system and make whatever changes they want. Some websites have built protections against phishing, but one must always be careful before submitting credentials anywhere.
  177. IP Spoofing
  178. This method uses a fake source address to insert packets into the Internet, and is one way to masquerade as another user. End-point authentication, which guarantees that a message really comes from where we think it does, helps protect against IP spoofing.
  179. Logic Bombs
  180. A logic bomb is a malicious program or piece of code inserted into an operating system or computer network that performs a malicious function when a specified condition is met, such as a certain date or time.
  181. The code can be inserted into existing software or into other forms of malware such as viruses, worms or Trojan horses. Its main purpose is deleting or altering data, reformatting a hard drive, or carrying out other malicious acts on the specified date.
  182. Rootkit
  183. A rootkit is a malicious program that installs and executes code on a system without the user's consent in order to gain and keep privileged access to a computer or network while hiding its own presence.
  184. It is typically installed without the victim's knowledge by exploiting system vulnerabilities, through social engineering, or using stolen passwords or phishing.
  185. There are different types of rootkit, such as bootkits, firmware rootkits, kernel-level rootkits and application rootkits.
  186. Buffer Overflow Attacks
  187. The most common kind of DoS attack is simply to send more traffic to a network address than the programmer's expectation on size of buffers. A few of the better known attacks based on the buffer characteristics of a program or system include:
  188. Sending e-mail messages that have attachments with 256 character file names to Netscape and Microsoft mail programs.
  189. Sending over sized Internet Control Message Protocol (ICMP) packets.
  190. Sending a user of an e-mail program a message with a "From" address longer than 256 characters.
  191. Smurf Attack
  192. In this attack, the perpetrator sends an IP ping request to a receiving site. The ping packet specifies that it is to be broadcast to a number of hosts within the receiving site's local network. The packet also indicates that the request is from another site, which is the target site that is to receive the denial-of-service attack. The result is lots of ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.
  193. SYN floods
  194. When a computer wants to make a TCP/IP connection to another computer, usually a server, an exchange of TCP/SYN and TCP/ACK packets occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP/SYN packet which asks the server if it can connect. If the server is ready, it sends a TCP/SYN-ACK packet back to the client to say "Yes, you may connect" and reserves a space for the connection, waiting for the client to respond with a TCP/ACK packet. In a SYN flood, the address of the client is often forged so that when the server sends a TCP/SYN-ACK packet back to the client, the message is never received by the client because the client either doesn't exist or wasn't expecting the packet and subsequently ignores it. This leaves the server with a dead connection, reserved for a client that will never respond. Usually this is done to one server many times in order to reserve all the connections for unresolved clients, which keeps legitimate clients from making connections.
  195. Whale-phishing Attacks
  196. A whale-phishing attack is so-named because it goes after the “big fish” or whales of an organization, which typically include those in the C-suite or others in charge of the organization. These individuals are likely to possess information that can be valuable to attackers, such as proprietary information about the business or its operations.
  197. If a targeted “whale” downloads ransomware, they are more likely to pay the ransom to prevent news of the successful attack from getting out and damaging their reputation or that of the organization. Whale-phishing attacks can be prevented by taking the same kinds of precautions to avoid phishing attacks, such as carefully examining emails and the attachments and links that come with them, keeping an eye out for suspicious destinations or parameters.
  198. Spear-phishing Attacks
  199. Spear phishing refers to a specific type of targeted phishing attack. The attacker takes the time to research their intended targets and then write messages the target is likely to find personally relevant. These types of attacks are aptly called “spear” phishing because of the way the attacker hones in on one specific target. The message will seem legitimate, which is why it can be difficult to spot a spear-phishing attack.
  200. Often, a spear-phishing attack uses email spoofing, where the information inside the “From” portion of the email is faked, making it look like the email is coming from a different sender. This can be someone the target trusts, like an individual within their social network, a close friend, or a business partner. Attackers may also use website cloning to make the communication seem legitimate. With website cloning, the attacker copies a legitimate website to lull the victim into a sense of comfort. The target, thinking the website is real, then feels comfortable entering their private information.
  201. Similar to regular phishing attacks, spear-phishing-attacks can be prevented by carefully checking the details in all fields of an email and making sure users do not click on any link whose destination cannot be verified as legitimate.
  202. SQL Injection Attack
  203. Structured Query Language (SQL) injection is a common method of taking advantage of websites that depend on databases to serve their users. Clients are computers that get information from servers, and an SQL attack uses an SQL query sent from the client to a database on the server. The command is inserted, or “injected”, into a data plane in place of something else that normally goes there, such as a password or login. The server that holds the database then runs the command and the system is penetrated.
  204. If an SQL injection succeeds, several things can happen, including the release of sensitive data or the modification or deletion of important data. Also, an attacker can execute administrator operations like a shutdown command, which can interrupt the function of the database.
  205. To shield yourself from an SQL injection attack, take advantage of the least-privileged model. With least-privileged architecture, only those who absolutely need to access key databases are allowed in. Even if a user has power or influence within the organization, they may not be allowed to access specific areas of the network if their job does not depend on it.
  206. For example, the CEO can be kept from accessing areas of the network even if they have the right to know what is inside. Applying a least-privileged policy can prevent not just bad actors from accessing sensitive areas but also those who mean well but accidentally leave their login credentials vulnerable to attackers or leave their workstations running while away from their computers.
  207. URL Interpretation
  208. With URL interpretation, attackers alter and fabricate certain URL addresses and use them to gain access to the target’s personal and professional data. This kind of attack is also referred to as URL poisoning. The name “URL interpretation” comes from the fact that the attacker knows the order in which a web-page’s URL information needs to be entered. The attacker then “interprets” this syntax, using it to figure out how to get into areas they do not have access to.
  209. To execute a URL interpretation attack, a hacker may guess URLs they can use to gain administrator privileges to a site or to access the site’s back end to get into a user’s account. Once they get to the page they want, they can manipulate the site itself or gain access to sensitive information about the people who use it.
  210. For example, if a hacker attempts to get into the admin section of a site called GetYourKnowledgeOn.com, they may type in http://getyourknowledgeon.com/admin, and this will bring them to an admin login page. In some cases, the admin username and password may be the default "admin" and "admin" or very easy to guess. An attacker may also have already figured out the admin’s password or narrowed it down to a few possibilities. The attacker then tries each one, gains access, and can manipulate, steal, or delete data at will.
  211. To prevent URL interpretation attacks from succeeding, use secure authentication methods for any sensitive areas of your site. This may necessitate multi-factor authentication (MFA) or secure passwords consisting of seemingly random characters.
  212. DNS Spoofing
  213. With Domain Name System (DNS) spoofing, a hacker alters DNS records to send traffic to a fake or “spoofed” website. Once on the fraudulent site, the victim may enter sensitive information that can be used or sold by the hacker. The hacker may also construct a poor-quality site with derogatory or inflammatory content to make a competitor company look bad.
  214. In a DNS spoofing attack, the attacker takes advantage of the fact that the user thinks the site they are visiting is legitimate. This gives the attacker the ability to commit crimes in the name of an innocent company, at least from the perspective of the visitor.
  215. To prevent DNS spoofing, make sure your DNS servers are kept up-to-date. Attackers aim to exploit vulnerabilities in DNS servers, and the most recent software versions often contain fixes that close known vulnerabilities.
  216. Session Hijacking
  217. Session hijacking is one of multiple types of MITM attacks. The attacker takes over a session between a client and the server. The computer being used in the attack substitutes its Internet Protocol (IP) address for that of the client computer, and the server continues the session without suspecting it is communicating with the attacker instead of the client. This kind of attack is effective because the server uses the client's IP address to verify its identity. If the attacker's IP address is inserted partway through the session, the server may not suspect a breach because it is already engaged in a trusted connection.
  218. To prevent session hijacking, use a VPN to access business-critical servers. This way, all communication is encrypted, and an attacker cannot gain access to the secure tunnel created by the VPN.
  219. Brute force attack
  220. A brute-force attack gets its name from the “brutish” or simple methodology employed by the attack. The attacker simply tries to guess the login credentials of someone with access to the target system. Once they get it right, they are in.
  221. While this may sound time-consuming and difficult, attackers often use bots to crack the credentials. The attacker provides the bot with a list of credentials that they think may give them access to the secure area. The bot then tries each one while the attacker sits back and waits. Once the correct credentials have been entered, the criminal gains access.
  222. To prevent brute-force attacks, have lock-out policies in place as part of your authorization security architecture. After a certain number of attempts, the user attempting to enter the credentials gets locked out. This typically involves “freezing” the account so even if someone else tries from a different device with a different IP address, they cannot bypass the lockout.
  223. It is also wise to use random passwords without regular words, dates, or sequences of numbers in them. This is effective because, for example, even if an attacker uses software to try to guess a 10-digit password, it will take many years of non-stop attempts to get it right.
  224. Web Attacks
  225. Web attacks refer to threats that target vulnerabilities in web-based applications. Every time you enter information into a web application, you are initiating a command that generates a response. For example, if you are sending money to someone using an online banking application, the data you enter instructs the application to go into your account, take money out, and send it to someone else’s account. Attackers work within the frameworks of these kinds of requests and use them to their advantage.
  226. Some common web attacks include SQL injection and cross-site scripting (XSS), which will be discussed later in this article. Hackers also use cross-site request forgery (CSRF) attacks and parameter tampering. In a CSRF attack, the victim is fooled into performing an action that benefits the attacker. For example, they may click on something that launches a script designed to change the login credentials to access a web application. The hacker, armed with the new login credentials, can then log in as if they are the legitimate user.
  227. Parameter tampering involves adjusting the parameters that programmers implement as security measures designed to protect specific operations. The operation’s execution depends on what is entered in the parameter. The attacker simply changes the parameters, and this allows them to bypass the security measures that depended on those parameters.
  228. To avoid web attacks, inspect your web applications to check for—and fix—vulnerabilities. One way to patch up vulnerabilities without impacting the performance of the web application is to use anti-CSRF tokens. A token is exchanged between the user’s browser and the web application. Before a command is executed, the token’s validity is checked. If it checks out, the command goes through—if not, it is blocked. You can also use SameSite flags, which only allow requests from the same site to be processed, rendering any site built by the attacker powerless.
  229. Drive-by Attacks
  230. In a drive-by attack, a hacker embeds malicious code into an insecure website. When a user visits the site, the script is automatically executed on their computer, infecting it. The designation “drive by” comes from the fact that the victim only has to “drive by” the site by visiting it to get infected. There is no need to click on anything on the site or enter any information.
  231. To protect against drive-by attacks, users should make sure they are running the most recent software on all their computers, including applications like Adobe Acrobat and Flash, which may be used while browsing the internet. Also, you can use web-filtering software, which can detect if a site is unsafe before a user visits it.
  232. Birthday Attack
  233. In a birthday attack, an attacker abuses a security feature: hash algorithms, which are used to verify the authenticity of messages. The hash algorithm is a digital signature, and the receiver of the message checks it before accepting the message as authentic. If a hacker can create a hash that is identical to what the sender has appended to their message, the hacker can simply replace the sender’s message with their own. The receiving device will accept it because it has the right hash.
  234. The name “birthday attack” refers to the birthday paradox, which is based on the fact that in a room of 23 people, there is more than a 50% chance that two of them have the same birthday. Hence, while people think their birthdays, like hashes, are unique, they are not as unique as many think.
  235. To prevent birthday attacks, use longer hashes for verification. With each extra digit added to the hash, the odds of creating a matching one decrease significantly.
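The birthday bound behind that advice, as an added Python example (not from the original text): the exact collision probability for k values drawn from a space of N, and the approximate number of hashes needed for a 50% collision at a given output length.

```python
import math


def collision_probability(samples: int, space: int) -> float:
    """Probability that at least two of `samples` values drawn uniformly at
    random from `space` possibilities coincide (the birthday problem).

    Exact value 1 - prod_{i=0}^{samples-1} (1 - i/space), accumulated in log
    space with log1p so it stays accurate when `space` is huge (e.g. 2**128)
    and every factor is extremely close to 1.
    """
    if samples < 2:
        return 0.0
    if samples > space:
        return 1.0  # pigeonhole: a collision is certain
    log_no_collision = 0.0
    for i in range(samples):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def samples_for_probability(space: int, probability: float = 0.5) -> float:
    """Approximate number of samples needed before a collision occurs with the
    given probability: k ~= sqrt(2 * N * ln(1 / (1 - p))).

    For p = 0.5 this is sqrt(2 N ln 2) ~= 1.18 * sqrt(N); for a b-bit hash that
    is roughly 2**(b/2) work, which is why the collision resistance of a hash
    is rated at half its output length.
    """
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))


def birthday_table(bit_lengths=(16, 32, 64, 128, 256)) -> dict:
    """Map each hash output length in bits to the approximate number of hashes
    an attacker must compute for a 50% chance of finding any collision."""
    return {bits: samples_for_probability(2 ** bits) for bits in bit_lengths}


if __name__ == "__main__":
    print(f"23 people: {collision_probability(23, 365):.4f}")  # just over 0.5
    print(f"22 people: {collision_probability(22, 365):.4f}")  # just under 0.5
    for bits, work in birthday_table().items():
        print(f"{bits:>3}-bit hash: ~2^{math.log2(work):.1f} hashes for a 50% collision")
```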
  236. That is a handful of network attacks; there are a lot more you will learn. I will provide you with ISOs to load into a virtual machine (VM) or VirtualBox (VB), whichever you choose to use. Then you will gain experience by hacking the vulnerable ISO. In order to gather more data about the network we will dig deeper into scanning with Nmap. Nmap and the Nmap Scripting Engine (NSE) can gather a plethora of information from a computer or network. Nmap has a ton of arguments, or they might be called flags. I'm not going to post the full guide, but I will show you my train of thought. There are 65,535 ports on a computer and most of them have a specific purpose; you will examine the ports to find weaknesses in the protocol. They might be old and have vulnerabilities, or some services could be End of Life (EOL), and Nmap will pull this data. There are a bunch of scans to consider; I usually perform a speed scan first to check the common ports. This returns in a matter of minutes and lets me know what common ports are open for me to examine further. Then I launch a stealth scan that scans all 65,535 ports to see what is open on the experimental IP addresses. When the reports return I launch another scan to dig further into the services to learn more. This will take a bit of time, so while waiting for the feedback to return, I will scan the directories with another tool and search for admin logins. I will go deeper into this shortly.
  237. nmap [Scan Type(s)] [Options] {target specification} is Nmap's format for performing scans. There are probably 100-plus combinations to achieve what you desire; you can also write your own scripts to use for scanning with the NSE.
  238. nmap 192.168.1.1
  239. Scan a single IP
  240. nmap 192.168.1.1 192.168.2.1
  241. Scan specific IPs
  242. nmap 192.168.1.1-254
  243. Scan a range
  244. nmap scanme.nmap.org
  245. Scan a domain
  246. nmap 192.168.1.0/24
  247. Scan using CIDR notation
  248. -iL
  249. nmap -iL targets.txt
  250. Scan targets from a file
  251. -iR
  252. nmap -iR 100
  253. Scan 100 random hosts
  254. --exclude
  255. nmap --exclude 192.168.1.1
  256. Exclude listed hosts
  257. -sS
  258. nmap 192.168.1.1 -sS
  259. TCP SYN port scan (Default)
  260. -sT
  261. nmap 192.168.1.1 -sT
  262. TCP connect port scan
  263. (Default without root privilege)
  264. -sU
  265. nmap 192.168.1.1 -sU
  266. UDP port scan
  267. -sA
  268. nmap 192.168.1.1 -sA
  269. TCP ACK port scan
  270. -sW
  271. nmap 192.168.1.1 -sW
  272. TCP Window port scan
  273. -sM
  274. nmap 192.168.1.1 -sM
  275. TCP Maimon port scan
  276. -sL
  277. nmap 192.168.1.1-3 -sL
  278. No Scan. List targets only
  279. -sn
  280. nmap 192.168.1.1/24 -sn
  281. Disable port scanning. Host discovery only.
  282. -Pn
  283. nmap 192.168.1.1-5 -Pn
  284. Disable host discovery. Port scan only.
  285. -PS
  286. nmap 192.168.1.1-5 -PS22-25,80
  287. TCP SYN discovery on port x.
  288. Port 80 by default
  289. -PA
  290. nmap 192.168.1.1-5 -PA22-25,80
  291. TCP ACK discovery on port x.
  292. Port 80 by default
  293. -PU
  294. nmap 192.168.1.1-5 -PU53
  295. UDP discovery on port x
  296. Port 40125 by default
  297. -PR
  298. nmap 192.168.1.1-1/24 -PR
  299. ARP discovery on local network
  300. -n
  301. nmap 192.168.1.1 -n
  302. Never do DNS resolution
  303. -p
  304. nmap 192.168.1.1 -p 21
  305. Port scan for port x
  306. -p
  307. nmap 192.168.1.1 -p 21-100
  308. Port range
  309. -p
  310. nmap 192.168.1.1 -p U:53,T:21-25,80
  311. Port scan multiple TCP and UDP ports
  312. -p-
  313. nmap 192.168.1.1 -p-
  314. Port scan all ports
  315. -p
  316. nmap 192.168.1.1 -p http,https
  317. Port scan from service name
  318. -F
  319. nmap 192.168.1.1 -F
  320. Fast port scan (100 ports)
  321. --top-ports
  322. nmap 192.168.1.1 --top-ports 2000
  323. Port scan the top x ports
  324. -p-65535
  325. nmap 192.168.1.1 -p-65535
  326. Leaving off initial port in range
  327. makes the scan start at port 1
  328. -p0-
  329. nmap 192.168.1.1 -p0-
  330. Leaving off end port in range
  331. makes the scan go through to port 65535
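A parser for the -p syntax listed above, as an added Python example (not from Nmap or the original text): protocol qualifiers (T:, U:, S:), ranges, an omitted start meaning 1 and an omitted end meaning 65535, expanded into the exact port sets a specification covers. Service names such as http need Nmap's nmap-services table and are rejected here rather than modelled.

```python
from typing import Dict, Iterable, Set

MAX_PORT = 65535
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp"}  # Nmap's -p protocol prefixes


def _expand_item(item: str) -> range:
    """Expand one comma-separated item: '80', '21-100', '-65535', '0-' or '-'.
    Nmap's rule: a missing start means 1, a missing end means 65535."""
    if "-" in item:
        start_s, end_s = item.split("-", 1)
        start = int(start_s) if start_s else 1
        end = int(end_s) if end_s else MAX_PORT
    else:
        start = end = int(item)
    if not (0 <= start <= end <= MAX_PORT):
        raise ValueError(f"bad port range {item!r}")
    return range(start, end + 1)


def parse_port_spec(spec: str, protocols: Iterable[str] = ("tcp",)) -> Dict[str, Set[int]]:
    """Expand an Nmap -p argument into {protocol: set_of_ports}.

    `protocols` are the protocols the scan itself covers (("tcp", "udp") for
    -sS -sU, say); items with no qualifier apply to all of them, while a
    qualifier such as T: or U: sticks until the next qualifier appears.
    """
    result: Dict[str, Set[int]] = {}
    current = None  # None = "applies to every scanned protocol"
    for raw in spec.replace(" ", "").split(","):
        if not raw:
            continue
        if len(raw) > 1 and raw[1] == ":" and raw[0].upper() in QUALIFIERS:
            current = QUALIFIERS[raw[0].upper()]
            raw = raw[2:]
            if not raw:  # a bare "U:" only switches protocol
                continue
        digits_only = raw.replace("-", "", 1)
        if digits_only and not digits_only.isdigit():
            raise ValueError(f"service names like {raw!r} need nmap-services; not modelled")
        targets = [current] if current else list(protocols)
        for proto in targets:
            result.setdefault(proto, set()).update(_expand_item(raw))
    return result


def format_ranges(ports: Set[int]) -> str:
    """Collapse a port set back into Nmap's compact form, e.g. '21-25,80'."""
    out, ordered = [], sorted(ports)
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        out.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(out)


if __name__ == "__main__":
    for spec in ("21", "21-100", "U:53,T:21-25,80", "-", "-65535", "0-"):
        expanded = parse_port_spec(spec, protocols=("tcp", "udp"))
        summary = {p: f"{len(s)} ports ({format_ranges(s)})" for p, s in expanded.items()}
        print(f"-p {spec:<16} -> {summary}")
```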
  332. -sV
  333. nmap 192.168.1.1 -sV
  334. Attempts to determine the version of the service running on port
  335. -sV --version-intensity
  336. nmap 192.168.1.1 -sV --version-intensity 8
  337. Intensity level 0 to 9. Higher number increases possibility of correctness
  338. -sV --version-light
  339. nmap 192.168.1.1 -sV --version-light
  340. Enable light mode. Lower possibility of correctness. Faster
  341. -sV --version-all
  342. nmap 192.168.1.1 -sV --version-all
  343. Enable intensity level 9. Higher possibility of correctness. Slower
  344. -A
  345. nmap 192.168.1.1 -A
  346. Enables OS detection, version detection, script scanning, and traceroute
  347. -O
  348. nmap 192.168.1.1 -O
  349. Remote OS detection using TCP/IP
  350. stack fingerprinting
  351. -O --osscan-limit
  352. nmap 192.168.1.1 -O --osscan-limit
  353. If at least one open and one closed
  354. TCP port are not found it will not try
  355. OS detection against host
  356. -O --osscan-guess
  357. nmap 192.168.1.1 -O --osscan-guess
  358. Makes Nmap guess more aggressively
  359. -O --max-os-tries
  360. nmap 192.168.1.1 -O --max-os-tries 1
  361. Set the maximum number x of OS
  362. detection tries against a target
  366. -T0
  367. nmap 192.168.1.1 -T0
  368. Paranoid (0) Intrusion Detection
  369. System evasion
  370. -T1
  371. nmap 192.168.1.1 -T1
  372. Sneaky (1) Intrusion Detection System
  373. evasion
  374. -T2
  375. nmap 192.168.1.1 -T2
  376. Polite (2) slows down the scan to use
  377. less bandwidth and use less target
  378. machine resources
  379. -T3
  380. nmap 192.168.1.1 -T3
  381. Normal (3) which is default speed
  382. -T4
  383. nmap 192.168.1.1 -T4
  384. Aggressive (4) speeds scans; assumes
  385. you are on a reasonably fast and
  386. reliable network
  387. -T5
  388. nmap 192.168.1.1 -T5
  389. Insane (5) speeds scan; assumes you
  390. are on an extraordinarily fast network
  391. --host-timeout <time>
  392. 1s; 4m; 2h
  393. Give up on target after this long
  394. --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>
  395. 1s; 4m; 2h
  396. Specifies probe round trip time
  397. --min-hostgroup/max-hostgroup <size>
  398. 50; 1024
  399. Parallel host scan group
  400. sizes
  401. --min-parallelism/max-parallelism <numprobes>
  402. 10; 1
  403. Probe parallelization
  404. --scan-delay/--max-scan-delay <time>
  405. 20ms; 2s; 4m; 5h
  406. Adjust delay between probes
  407. --max-retries <tries>
  408. 3
  409. Specify the maximum number
  410. of port scan probe retransmissions
  411. --min-rate <number>
  412. 100
  413. Send packets no slower than <number> per second
  414. --max-rate <number>
  415. 100
  416. Send packets no faster than <number> per second
  417. -sC
  418. nmap 192.168.1.1 -sC
  419. Scan with default NSE scripts. Considered useful for discovery and safe
  420. --script default
  421. nmap 192.168.1.1 --script default
  422. Scan with default NSE scripts. Considered useful for discovery and safe
  423. --script
  424. nmap 192.168.1.1 --script=banner
  425. Scan with a single script. Example banner
  426. --script
  427. nmap 192.168.1.1 --script=http*
  428. Scan with a wildcard. Example http
  429. --script
  430. nmap 192.168.1.1 --script=http,banner
  431. Scan with two scripts. Example http and banner
  432. --script
  433. nmap 192.168.1.1 --script "not intrusive"
  434. Scan default, but remove intrusive scripts
  435. --script-args
  436. nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1
  437. nmap -Pn --script=http-sitemap-generator scanme.nmap.org
  438. http site map generator
  439. nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
  440. Fast search for random web servers
  441. nmap -Pn --script=dns-brute domain.com
  442. Brute forces DNS hostnames guessing subdomains
  443. nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1
  444. Safe SMB scripts to run
  445. nmap --script whois* domain.com
  446. Whois query
  447. nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
  448. Detect cross site scripting vulnerabilities
  449. nmap -p80 --script http-sql-injection scanme.nmap.org
  450. Check for SQL injections
  451. Firewall / IDS Evasion and Spoofing
  452. -f
  453. nmap 192.168.1.1 -f
  454. Requested scans (including ping scans) use tiny fragmented IP packets. Harder for packet filters
  455. --mtu
  456. nmap 192.168.1.1 --mtu 32
  457. Set your own offset size
  458. -D
  459. nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
  461. Send scans from spoofed IPs
  462. -D
  463. nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
  464. Above example explained
  465. -S
  466. nmap -S www.microsoft.com www.facebook.com
  467. Scan Facebook from Microsoft (-e eth0 -Pn may be required)
  468. -g
  469. nmap -g 53 192.168.1.1
  470. Use given source port number
  471. --proxies
  472. nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1
  473. Relay connections through HTTP/SOCKS4 proxies
  474. --data-length
  475. nmap --data-length 200 192.168.1.1
  476. Appends random data to sent packets
  477. Example IDS Evasion command
  478. nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
  479. -oN
  480. nmap 192.168.1.1 -oN normal.file
  481. Normal output to the file normal.file
  482. -oX
  483. nmap 192.168.1.1 -oX xml.file
  484. XML output to the file xml.file
  485. -oG
  486. nmap 192.168.1.1 -oG grep.file
  487. Grepable output to the file grep.file
  488. -oA
  489. nmap 192.168.1.1 -oA results
  490. Output in the three major formats at once
  491. -oG -
  492. nmap 192.168.1.1 -oG -
  493. Grepable output to screen. -oN -, -oX - also usable
  494. --append-output
  495. nmap 192.168.1.1 -oN file.file --append-output
  496. Append a scan to a previous scan file
  497. -v
  498. nmap 192.168.1.1 -v
  499. Increase the verbosity level (use -vv or more for greater effect)
  500. -d
  501. nmap 192.168.1.1 -d
  502. Increase debugging level (use -dd or more for greater effect)
  503. --reason
  504. nmap 192.168.1.1 --reason
  505. Display the reason a port is in a particular state, same output as -vv
  506. --open
  507. nmap 192.168.1.1 --open
  508. Only show open (or possibly open) ports
  509. --packet-trace
  510. nmap 192.168.1.1 -T4 --packet-trace
  511. Show all packets sent and received
  512. --iflist
  513. nmap --iflist
  514. Shows the host interfaces and routes
  515. --resume
  516. nmap --resume results.file
  517. Resume a scan
  518. nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open
  519. Scan for web servers and grep to show which IPs are running web servers
  520. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
  521. Generate a list of the IPs of live hosts
  522. nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt
  523. Append IP to the list of live hosts
  524. ndiff scan1.xml scan2.xml
  525. Compare output from Nmap using ndiff
  526. xsltproc nmap.xml -o nmap.html
  527. Convert nmap xml files to html files
  528. grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
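Consuming the -oX output and comparing two scans the way ndiff does, as an added Python example (not from the original text or from the Nmap project). The two XML documents are constructed samples in Nmap's output schema (nmaprun / host / address / ports / port / state / service), trimmed to the elements the parser reads.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample output in Nmap's -oX schema: a baseline scan of a /24 and
# a later scan of the same range.
SCAN1_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan1.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

SCAN2_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan2.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports></host>
  <host><status state="up"/><address addr="192.168.1.30" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports></host>
</nmaprun>"""


class PortInfo(NamedTuple):
    state: str    # open / closed / filtered / ...
    service: str  # service name from -sV, or "" if none was reported


Scan = Dict[str, Dict[Tuple[str, int], PortInfo]]  # ip -> (proto, port) -> info


def parse_nmap_xml(xml_text: str) -> Scan:
    """Read every host that is up and record the state of each scanned port."""
    hosts: Scan = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        # Nmap lists IP and MAC addresses as sibling elements; key on the IP.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = PortInfo(
                state.get("state", "unknown") if state is not None else "unknown",
                service.get("name", "") if service is not None else "",
            )
        hosts[ip] = ports
    return hosts


def open_ports(scan: Scan) -> Dict[str, List[int]]:
    """Host -> sorted open port numbers (the --open view of the same data)."""
    return {ip: sorted(port for (_, port), info in ports.items() if info.state == "open")
            for ip, ports in scan.items()}


def diff_scans(old: Scan, new: Scan) -> Dict[str, list]:
    """ndiff-style comparison: hosts that appeared or vanished, and ports whose
    state moved to or from 'open'. Port entries are (ip, protocol, port)."""
    changes = {"new_hosts": [], "gone_hosts": [], "opened": [], "closed": []}
    for ip in sorted(set(old) | set(new)):
        if ip not in old:
            changes["new_hosts"].append(ip)
        if ip not in new:
            changes["gone_hosts"].append(ip)
        was_open = {k for k, v in old.get(ip, {}).items() if v.state == "open"}
        now_open = {k for k, v in new.get(ip, {}).items() if v.state == "open"}
        changes["opened"] += [(ip, proto, port) for proto, port in sorted(now_open - was_open)]
        changes["closed"] += [(ip, proto, port) for proto, port in sorted(was_open - now_open)]
    return changes


if __name__ == "__main__":
    baseline, latest = parse_nmap_xml(SCAN1_XML), parse_nmap_xml(SCAN2_XML)
    print("baseline open ports:", open_ports(baseline))
    for kind, items in diff_scans(baseline, latest).items():
        print(f"{kind:>10}: {items}")
```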
  529. -6
  530. nmap -6 2607:f0d0:1002:51::4
  531. Enable IPv6 scanning
  532. nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
  533. Discovery only on ports x, no port scan
  534. nmap 192.168.1.1-1/24 -PR -sn -vv
  535. Arp discovery only on local network, no port scan
  536. nmap -iR 10 -sn --traceroute
  537. Traceroute to random targets, no port scan
  538. nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1 Query the Internal DNS for hosts, list targets only
  539. Find vulnerabilities in unsafe mode
  540. nmap --script vuln -Pn dhound.io
  541. Exploit detected vulnerabilities
  542. nmap --script exploit -Pn dhound.io
  543. TCP SYN Scan nmap -sS [target] nmap -sS 192.168.0.1
  544. TCP Connect Scan nmap -sT [target] nmap -sT 192.168.0.1
  545. UDP Scan nmap -sU [target] nmap -sU 192.168.0.1
  546. TCP NULL Scan nmap -sN [target] nmap -sN 192.168.0.1
  547. TCP FIN Scan nmap -sF [target] nmap -sF 192.168.0.1
  548. Xmas Scan nmap -sX [target] nmap -sX 192.168.0.1
  549. TCP ACK Scan nmap -sA [target] nmap -sA 192.168.0.1
  550. Port 53 UDP - This is the DNS port. DNS changes a website name to an IP address. Back in the days before cellphones we had to remember phone numbers; we didn't have the luxury of the cellphone saving the numbers under a name. That is what DNS does: when you type www.google.com, the computer only understands 1's and 0's, so DNS changes the name google.com to a number such as 8.8.8.8. Reverse DNS then changes a number back to a website name. Nmap has a script that will attempt to brute force DNS:
  551. dns-brute
  552. Download: https://svn.nmap.org/nmap/scripts/dns-brute.nse
  553. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.
  554. nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
  555. http-backup-finder
  556. https://svn.nmap.org/nmap/scripts/http-backup-finder.nse
  557. Spiders a website and attempts to identify backup copies of discovered files.
  558. nmap --script=http-backup-finder <target>
  559. mongodb-databases
  560. Download: https://svn.nmap.org/nmap/scripts/mongodb-databases.nse
  561. Attempts to get a list of tables from a MongoDB database.
  562. nmap -p 27017 --script mongodb-databases <host>
  563. Shodan's website is great for Open Source Intelligence (OSINT) material. You can find IP addresses, open ports of websites, cameras if the IP address has one, and a lot more juicy material. I included 2 PDFs that cover Shodan only.
  564. shodan-api
  565. Download: https://svn.nmap.org/nmap/scripts/shodan-api.nse
  566. Queries Shodan API for given targets and produces similar output to a -sV nmap scan.
  567. The ShodanAPI key can be set with the ‘apikey’ script argument, or hardcoded in the .nse file itself.
  568. You can get a free key from https://developer.shodan.io
  569. N.B. if you want this script to run completely passively, make sure to include the -sn -Pn -n flags.
  570. nmap --script shodan-api x.y.z.0/24 -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'
  571. http-config-backup
  572. Download: https://svn.nmap.org/nmap/scripts/http-config-backup.nse
  573. Checks for backups and swap files of common content management system and web server configuration files.
  574. nmap --script=http-config-backup <target>
  575. http-proxy-brute
  576. Download: https://svn.nmap.org/nmap/scripts/http-proxy-brute.nse
  577. Performs brute force password guessing against HTTP proxy servers.
  578. nmap --script http-proxy-brute -p 8080 <host>
  579. http-brute
  580. Download: https://svn.nmap.org/nmap/scripts/http-brute.nse
  581. Performs brute force password auditing against http basic, digest and ntlm authentication.
  582. This script uses the unpwdb and brute libraries to perform password guessing.
  583. Any successful guesses are stored in the nmap registry, using the creds library, for other scripts to use.
  584. nmap --script http-brute -p 80 <host>
  585. http-rfi-spider
  586. Download: https://svn.nmap.org/nmap/scripts/http-rfi-spider.nse
  587. Crawls webservers in search of RFI (remote file inclusion) vulnerabilities.
  588. It tests every form field it finds and every parameter of a URL containing a query.
  589. nmap --script http-rfi-spider -p80 <host>
  590. http-default-accounts
  591. Download: https://svn.nmap.org/nmap/scripts/http-default-accounts.nse
  592. Tests for access with default credentials used by a variety of web applications and devices.
  593. It works similarly to http-enum: applications are detected by matching known paths, and a login routine using default credentials is launched when one is found.
  594. This script depends on a fingerprint file containing the target’s information: name, category, location paths, default credentials and login routine.
  595. nmap -p80 --script http-default-accounts host/ip
  596. http-put
  597. Download: https://svn.nmap.org/nmap/scripts/http-put.nse
  598. Uploads a local file to a remote web server using the HTTP PUT method.
  599. You must specify the filename and URL path with NSE arguments.
  600. nmap -p 80 <ip> --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php'
  601. You will launch multiple tools to retrieve data at the same time. One will be banner grabbing, which returns the OS; then you cater your scans accordingly. Some scans are for AD or SMB, which is Windows; some scans perform vuln checks, some brute force, and you can mix and match them as well. The Nmap man pages are broken down into sections:
  602. TARGET SPECIFICATION:
  603. HOST DISCOVERY:
  604. SCAN TECHNIQUES:
  605. PORT SPECIFICATION AND SCAN ORDER:
  606. SERVICE/VERSION DETECTION:
  607. SCRIPT SCAN:
  608. OS DETECTION:
  609. TIMING AND PERFORMANCE:
  610. FIREWALL/IDS EVASION AND SPOOFING:
  611. OUTPUT:
  612. MISC:
  613. The NSE scripts are also broken down into categories:
  614. auth All sorts of authentication and user privilege scripts
  615. broadcast Network discovery scripts that use broadcast requests for intel gathering
  616. brute Set of scripts for performing brute force attacks to guess access credentials
  617. default The most popular Nmap scripts, using -sC by default
  618. discovery Scripts related to network, service and host discovery
  619. dos Denial of service attack scripts used to test and perform DOS and floods
  620. exploit Used to perform service exploitation on different CVEs
  621. external Scripts that rely on 3rd party services or data
  622. fuzzer Used to perform fussing attacks against apps, services or networks
  623. intrusive All the ‘aggressive’ scripts that cause a lot of network noise
  624. malware Malware detections and exploration scripts
  625. safe Safe and non-intrusive/noisy scripts
  626. version OS, service and software detection scripts
  627. vuln The Nmap vuln category includes vulnerability detection and exploitation scripts
  628. RUN ALL SCRIPTS IN A CATEGORY:
  629. nmap --script discovery 192.168.122.1
  630. There are many categories available. Some useful categories include:
  631. safe:- Won’t affect the target
  632. intrusive:- Not safe: likely to affect the target
  633. vuln:- Scan for vulnerabilities
  634. exploit:- Try to exploit a vulnerability
  635. auth:- Attempt to bypass authentication for running services
  636. brute:- Try to brute force credentials for running services
  637. discovery:- Attempt to query running services for further information about the network
  638. Evading Intrusion Detection Systems: slow the scan down with polite timing so it stays under rate-based IDS thresholds (-T0 and -T1 are slower still)
  639. nmap -sS -T2 espn.com
  640. Detect OS and Services nmap -A 192.168.1.1
  641. Lighter banner grabbing detection nmap -sV --version-intensity 0 192.168.1.1
  642. Scan with version detection and the default script set (not all default scripts are in the safe category) nmap -sV -sC 192.168.1.1
  643. Get help for a script nmap --script-help=ssl-heartbleed
  644. Scan with a set of scripts nmap -sV --script=smb* 192.168.1.1
  645. Heartbleed Testing nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24
  646. Rebuild the script database after adding or editing scripts nmap --script-updatedb
  647. nmap --script="http-brute" 192.168.122.1
  648. nmap -p21 --script ftp-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
  649. nmap -p22 --script ssh-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
  650. nmap -p23 --script telnet-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
  651. nmap -p445 --script smb-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
  652. nmap -p5432 --script pgsql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
  653. nmap -p3306 --script mysql-brute --script-args userdb=users.txt 192.168.1.150
  654. nmap -p 80 --script=http-form-brute --script-args "userdb=users.txt,passdb=pass.txt,http-form-brute.path=/dvwa/login.php" 192.168.1.150
  655. nmap -p1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.146
  656. nmap --script banner 192.168.10.50
  657. nmap --script ssh-hostkey --script-args ssh_hostkey=full 192.168.10.254
  658. nmap -sV --script=vulscan/vulscan.nse www.example.com
  659. nmap -Pn --script vuln 192.168.1.105
  660. nmap -sV --script=http-php-version testphp.vulnweb.com
  661. nmap -sV --script http-vuln-cve2012-1823 testphp.vulnweb.com
  662. nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php testphp.vulnweb.com
  663. nmap --script http-headers,http-title scanme.nmap.org
  664. nmap -sV --script vuln <target>
  665. nmap -sV --script exploit -d3 --script-trace 192.168.1.1
  666. nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>
  667. nmap -p80 --script http-trace --script-args path=<path> <target>
  668. userdb=users.txt tells nmap to take user names from the file users.txt
  669. passdb=pass.txt tells nmap to take passwords from the file pass.txt. Nmap looks for these files in its data directory and in the current directory; give an absolute path to be sure it picks up the file you mean.
  670. My personal preference is to run Vulscan on top of Nmap. Vulscan is not a separate scanner: it is an NSE script that runs inside Nmap and matches the product and version strings from -sV against the offline vulnerability databases it ships with (CVE, ExploitDB and others), so a single -sV run returns far more than Nmap's version output alone.
  671. nmap -sV --script=vulscan/vulscan.nse www.example.com
  672. It is possible to use another pre-defined report structure with the following argument:
  673. --script-args vulscanoutput=details
  674. --script-args vulscanoutput=listid
  675. --script-args vulscanoutput=listlink
  676. --script-args vulscanoutput=listtitle
  677. https://github.com/scipag/vulscan (the README clones the repository as scipag_vulscan and symlinks that directory into Nmap's scripts directory as vulscan, which is where the vulscan/vulscan.nse path above comes from). Do your own research and test it.
  678. Kali comes with over 600 tools preinstalled. You won't need that many, but you can research and test the tools until you get the feedback you want. Some tools return only a couple of items and some return more data than you can read. Test them and decide for yourself. Each section of the Kali menu is broken down according to the purpose of the tool: research the task, try the tool, make notes, then test another tool. Keep doing this until your toolbox is filled up. I will also provide GitHub tools toward the end of this book.
  679. https://en.kali.tools/
  680. After completing the scans with nmap, Vulscan, fping or hping3, use the data to find the vulnerability. When you read the output of the scans you will spot the issues to look at more closely; I will explain this in more detail later. Take this feedback and launch a vulnerability scan on the target.
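Reading the feedback from a script scan gets tedious across a subnet, and the brute and vuln runs listed above produce a lot of it. The following is an added example (not code from the original page or from Nmap) that parses the XML Nmap writes with -oX and pulls out the two results a tester chases first: credentials that a *-brute script confirmed (the "Valid credentials" state of the brute library) and checks that the vulns library marked VULNERABLE or LIKELY VULNERABLE, skipping NOT VULNERABLE and UNKNOWN. SAMPLE_XML is constructed by hand to mirror the structured output of those libraries; it is not a real scan, and the hosts, versions and results in it are made up.

```python
"""Triage Nmap script-scan results from -oX XML output.

Added example; not code from the original page or from Nmap. It reads the
XML written by a run such as
    nmap -sV --script brute,vuln -oX scan.xml <target>
and lists confirmed credentials and positive vulnerability checks, highest
severity first. SAMPLE_XML below is constructed for the demonstration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: one host with a guessed SSH password, a positive
# ssl-heartbleed check and a negative http-vuln-cve2012-1823 check, plus a
# second host with a LIKELY VULNERABLE result from a host-level smb script.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script brute,vuln -oX - 192.0.2.0/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4"/>
<script id="ssh-brute" output="Accounts: admin:admin - Valid credentials">
<table key="Accounts"><table>
<elem key="username">admin</elem><elem key="password">admin</elem>
<elem key="state">Valid credentials</elem>
</table></table></script></port>
<port protocol="tcp" portid="443"><state state="open"/>
<service name="https" product="Apache httpd" version="2.4.6"/>
<script id="ssl-heartbleed" output="VULNERABLE">
<table key="CVE-2014-0160"><elem key="title">The Heartbleed Bug</elem>
<elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2014-0160</elem></table>
</table></script></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="nginx" version="1.18.0"/>
<script id="http-vuln-cve2012-1823" output="NOT VULNERABLE">
<table key="CVE-2012-1823"><elem key="title">PHP-CGI query string parameter vulnerability</elem>
<elem key="state">NOT VULNERABLE</elem></table></script></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds"/></port></ports>
<hostscript>
<script id="smb-vuln-ms17-010" output="LIKELY VULNERABLE">
<table key="CVE-2017-0143"><elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
<elem key="state">LIKELY VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
</table></script>
</hostscript></host>
</nmaprun>
"""


@dataclass
class Finding:
    host: str
    where: str      # "tcp/22" for a port script, "host" for a hostscript result
    script: str
    severity: str   # "high" or "medium"
    summary: str


def _address(host_el) -> str:
    for addr in host_el.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            return addr.get("addr")
    return "?"


def _credential_findings(script_el, host, where):
    """brute library layout: one <table> per account with username/password/state."""
    found = []
    for acct in script_el.iter("table"):
        if acct.findtext("elem[@key='state']") == "Valid credentials":
            user = acct.findtext("elem[@key='username']") or ""
            pwd = acct.findtext("elem[@key='password']") or ""
            found.append(Finding(host, where, script_el.get("id"), "high",
                                 f"valid credentials {user}:{pwd}"))
    return found


def _vuln_findings(script_el, host, where):
    """vulns library layout: one top-level <table> per vulnerability id."""
    found = []
    for tbl in script_el.findall("table"):
        state = tbl.findtext("elem[@key='state']") or ""
        if state.startswith("VULNERABLE"):       # also "(Exploitable)" / "(DoS)"
            severity = "high"
        elif state == "LIKELY VULNERABLE":
            severity = "medium"
        else:                                    # NOT VULNERABLE / UNKNOWN
            continue
        title = tbl.findtext("elem[@key='title']") or tbl.get("key", "")
        ids = [e.text for e in tbl.findall("table[@key='ids']/elem") if e.text]
        summary = f"{state}: {title}" + (f" [{', '.join(ids)}]" if ids else "")
        found.append(Finding(host, where, script_el.get("id"), severity, summary))
    return found


def triage(xml_text: str) -> list[Finding]:
    """Return actionable findings, highest severity first."""
    # Nmap's own output is trusted input; for XML from third parties use defusedxml.
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = _address(host)
        scripts = [("host", s) for s in host.findall("hostscript/script")]
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            where = f"{port.get('protocol')}/{port.get('portid')}"
            scripts.extend((where, s) for s in port.findall("script"))
        for where, script in scripts:
            findings.extend(_credential_findings(script, addr, where))
            findings.extend(_vuln_findings(script, addr, where))
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f.severity], f.host, f.where))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f"{f.severity:<6} {f.host:<12} {f.where:<8} {f.script:<20} {f.summary}")
```

Feed it a real file with triage(open("scan.xml").read()). Keying on the structured <elem key="state"> values rather than grepping the output text is what keeps the "NOT VULNERABLE" and "UNKNOWN (unable to test)" lines out of the list.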
