A Penetration Tester's Toolkit
Listing 1 shows the output of the previous command.
Listing 1. Nmap Output
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST NSE: Loaded 57 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 15:45 Completed NSE at 15:45, 0.00s elapsed NSE: Starting runlevel 2 (of 2) scan. Initiating ARP Ping Scan at 15:45 Scanning 192.168.56.101 [1 port] Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 15:45 Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed Initiating SYN Stealth Scan at 15:45 Scanning 192.168.56.101 [1000 ports] Discovered open port 139/tcp on 192.168.56.101 Discovered open port 445/tcp on 192.168.56.101 Discovered open port 135/tcp on 192.168.56.101 Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports) Initiating Service scan at 15:46 Scanning 3 services on 192.168.56.101 Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host) Initiating OS detection (try #1) against 192.168.56.101 NSE: Script scanning 192.168.56.101. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 15:46 Completed NSE at 15:46, 0.15s elapsed NSE: Starting runlevel 2 (of 2) scan. Nmap scan report for 192.168.56.101 Host is up (0.00077s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems) Device type: general purpose Running: Microsoft Windows XP|2003 OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=245 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows Host script results: | nbstat: | NetBIOS name: XPTESTVM, NetBIOS user: <unknown>, | NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems) | Names | XPTESTVM<00> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> | XPTESTVM<20> Flags: <unique><active> | WORKGROUP<1e> Flags: <group><active> | WORKGROUP<1d> Flags: <unique><active> |_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | Name: WORKGROUP\XPTESTVM |_ System time: 2011-11-07 15:46:06 UTC-5 TRACEROUTE HOP RTT ADDRESS 1 0.77 ms 192.168.56.101 NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 2) scan. NSE: Starting runlevel 2 (of 2) scan. Read data files from: /usr/share/nmap OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)
As you can see from the output in Listing 1, you can identify that this is indeed a Windows platform, most likely XP, with service pack 2 or 3 or 2003 server. This type of scan is a fingerprinting scan, which allows you to identify the OS and any services worth testing as closely as possible. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of threat. You easily can surmise that there is no local firewall, and that this box hasn't gone through any hardening process.
Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server through a process of elimination. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal. That said, you have enough here to proceed to the second tool, Nessus.
With Nessus, let's put this box to the test to see just what hackers could do to this box if they got access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.
Figure 3. Nessus Landing Page
Figure 4. Nessus Scan Page
Once you click add, configure your scan using these basic settings (Figure 5). This will give you a quick scan with minimal impact, which is key on an internal network. You don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.
Figure 5. Nessus Scan Configuration Page
Once it's complete, click on Reports and double-click your report to open it.
Figure 6. Nessus Report on Test Box
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- SourceClear Open
- SUSE LLC's SUSE Manager
- Tech Tip: Really Simple HTTP Server with Python
- Linux in Government: Open Source Innovation within the DoD
- Managing Linux Using Puppet
- LAMP Development at Public Sector Web Sites
- Returning Values from Bash Functions
- July 2016 Issue of Linux Journal
- My +1 Sword of Productivity
- Linux Access in State and Local Government, Part VII