A Penetration Tester's Toolkit
Listing 1 shows the output of the previous command.
Listing 1. Nmap Output
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST
NSE: Loaded 57 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 15:45
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.56.101 [1000 ports]
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Discovered open port 135/tcp on 192.168.56.101
Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports)
Initiating Service scan at 15:46
Scanning 3 services on 192.168.56.101
Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.15s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=245 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows
Host script results:
| nbstat:
|   NetBIOS name: XPTESTVM, NetBIOS user: <unknown>,
|   NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems)
|   Names
|     XPTESTVM<00>                 Flags: <unique><active>
|     WORKGROUP<00>                Flags: <group><active>
|     XPTESTVM<20>                 Flags: <unique><active>
|     WORKGROUP<1e>                Flags: <group><active>
|     WORKGROUP<1d>                Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\XPTESTVM
|_  System time: 2011-11-07 15:46:06 UTC-5
TRACEROUTE
HOP RTT      ADDRESS
1   0.77 ms  192.168.56.101
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect
results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)
As you can see from the output in Listing 1, this is indeed a Windows host, most likely XP with Service Pack 2 or 3, or possibly Windows Server 2003; the smb-os-discovery script and the NetBIOS name XPTESTVM both point to XP. This type of scan is a fingerprinting scan: it identifies the OS and any services worth testing as precisely as it can. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of exposure. Note the line "Not shown: 997 closed ports": the unlisted ports answered with a RST rather than being silently dropped, which is how Nmap tells "closed" from "filtered". You easily can surmise from this that there is no local firewall on the host (with Windows Firewall enabled those ports would have shown up as filtered), and that this box hasn't gone through any hardening process: SMB is exposed on 139 and 445, and the smbv2-enabled script shows that only SMBv1 is offered.
Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server or a desktop through a process of elimination based on the services exposed. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal, and none of the ports associated with those services is open here. That said, you have enough to proceed to the second tool, Nessus.
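The reasoning in the two paragraphs above (what the closed-versus-filtered summary, the two independent OS fingerprints and the set of open ports tell you) can be mechanised. The following Python script is an added example, not code from the article or from the Nmap project; it re-parses the relevant lines of Listing 1 (embedded below as its sample input) and reports the conclusions together with the evidence for each. The HostReport structure, the server-versus-workstation port heuristic and the assumption that the scan was captured as normal output (copied from the terminal or saved with -oN) are mine, not the article's.

```python
"""Post-process the normal-format Nmap output from Listing 1.

Added example (not the article's own code): it parses one host's report,
derives the article's conclusions with the evidence for each, and applies
a simple server-vs-workstation heuristic to the open ports.
Assumptions: output was copied from the terminal or saved with -oN, and
the report contains one "Not shown:" summary line per host.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the relevant lines of Listing 1, with the verbose
# "Initiating ..." progress messages left out.
LISTING_1 = r"""
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\XPTESTVM
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (closed|filtered) ports")


@dataclass
class HostReport:
    addr: str = ""
    # (port, proto) -> (state, service, version)
    ports: dict = field(default_factory=dict)
    not_shown_state: str = ""      # "closed" (RST seen) or "filtered" (dropped)
    os_guess: str = ""             # TCP/IP stack fingerprint ("OS details:")
    smb_os: str = ""               # application-layer banner from smb-os-discovery
    smbv2: Optional[bool] = None   # None if the smbv2-enabled script did not run


def parse_nmap(text: str) -> HostReport:
    """Pull the fields we reason about out of one host's Nmap report."""
    r = HostReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nmap scan report for "):
            r.addr = line.split()[-1]
        elif m := NOT_SHOWN_RE.match(line):
            r.not_shown_state = m.group(2)
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            r.ports[(int(port), proto)] = (state, service, version or "")
        elif line.startswith("OS details: "):
            r.os_guess = line[len("OS details: "):]
        elif line.startswith("|_smbv2-enabled:"):
            r.smbv2 = "doesn't support" not in line
        elif line.startswith("|") and "OS: " in line and not r.smb_os:
            r.smb_os = line.split("OS: ", 1)[1]
    return r


def assess(r: HostReport):
    """Return (sorted open TCP ports, list of findings with their evidence)."""
    open_tcp = sorted(p for (p, proto), (st, _, _) in r.ports.items()
                      if proto == "tcp" and st == "open")
    findings = []
    # "closed" means the host answered with RST; "filtered" means nothing came
    # back. A host firewall such as Windows Firewall drops unsolicited SYNs,
    # so with it enabled Nmap would have reported filtered ports instead.
    if r.not_shown_state == "closed":
        findings.append("no host firewall: unlisted ports replied RST (closed), not silence (filtered)")
    elif r.not_shown_state == "filtered":
        findings.append("host or network firewall present: unlisted ports are filtered")
    # Two independent fingerprints (stack behaviour and the SMB banner) agree.
    if "XP" in r.os_guess and r.smb_os.startswith("Windows XP"):
        findings.append("OS confirmed as Windows XP by stack fingerprint and SMB banner")
    # Legacy file sharing reachable from the network.
    if r.ports.get((445, "tcp"), ("",))[0] == "open" and r.smbv2 is False:
        findings.append("SMB reachable on 445/tcp and only SMBv1 is offered")
    return open_tcp, findings


# Heuristic (mine, not the article's): ports that only make sense on a
# server role. A host exposing none of them is most likely a workstation.
SERVER_PORTS = {
    25: "SMTP (mail server such as Exchange)",
    53: "DNS",
    88: "Kerberos (domain controller)",
    389: "LDAP (domain controller)",
    1433: "MS SQL Server",
}


def likely_role(open_tcp):
    hits = [SERVER_PORTS[p] for p in open_tcp if p in SERVER_PORTS]
    return ("server" if hits else "workstation", hits)


if __name__ == "__main__":
    report = parse_nmap(LISTING_1)
    ports, found = assess(report)
    print(report.addr, "open tcp:", ports, "role:", likely_role(ports)[0])
    for f in found:
        print(" -", f)
```

Run it as-is to reproduce the article's conclusions for 192.168.56.101, or feed parse_nmap the contents of a saved -oN file to apply the same checks to another host. For anything bigger than a single host, prefer -oX and an XML parser over regexes on the human-readable format, which is not guaranteed to stay stable across Nmap versions.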
With Nessus, let's put this box to the test to see just what an attacker could do to it given network access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article, though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.
Figure 3. Nessus Landing Page
Figure 4. Nessus Scan Page
Once you click Add, configure your scan using the basic settings shown in Figure 5. This gives you a quick scan with minimal impact, which is key on an internal network: you don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.
Figure 5. Nessus Scan Configuration Page
Once it's complete, click on Reports and double-click your report to open it.
Figure 6. Nessus Report on Test Box
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.
Comments
Great post .Thank you for this article.
I'm not really into networking, so being able to use such tools is very convenient to me...
The problem I see is that Microsoft broke their own driver model and a lot of people are XP users still because they can't afford to throw out all or most of their hardware. These people don't know about or haven't tried Linux, perhaps because their in-house software will not work under WINE. There is ReactOS, but ReactOS is not stable and it is not suitable for day to day use yet.
Very cool article. I have used all these tools (been a while since I used nessus though). Metasploit is awesome, but can be a little overwhelming to use. Nmap is amazing though and has a lot of great features and can be used for a bunch of different things. Great article thank you!
Nmap is a great tool for this type of work. Have you had a look at OpenVAS?
I think an article on OpenVAS would be a good follow up.
Thanx
Thank you for this article. A must read !
I'm not really into networking, so being able to use such tools is very convenient to me :)
Good Article. Should get people interested enough to try these tools out.
As for ease of use, Metasploit also has a good front end: Armitage.
You're missing The Social-Engineer Toolkit -- one of the best ones out there as well. Good article!
Cool
This is really highly interesting, I tested this on the hosting account used for my website here and I must say the results were more than surprising. You pointed out a few details I never really cared about much. Really simple if you know the problem, which makes being aware even more important. To sum it up: Thanks :)