A Penetration Tester's Toolkit
Listing 1 shows the output of the previous command.
Listing 1. Nmap Output
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST NSE: Loaded 57 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 15:45 Completed NSE at 15:45, 0.00s elapsed NSE: Starting runlevel 2 (of 2) scan. Initiating ARP Ping Scan at 15:45 Scanning 192.168.56.101 [1 port] Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 15:45 Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed Initiating SYN Stealth Scan at 15:45 Scanning 192.168.56.101 [1000 ports] Discovered open port 139/tcp on 192.168.56.101 Discovered open port 445/tcp on 192.168.56.101 Discovered open port 135/tcp on 192.168.56.101 Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports) Initiating Service scan at 15:46 Scanning 3 services on 192.168.56.101 Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host) Initiating OS detection (try #1) against 192.168.56.101 NSE: Script scanning 192.168.56.101. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 15:46 Completed NSE at 15:46, 0.15s elapsed NSE: Starting runlevel 2 (of 2) scan. Nmap scan report for 192.168.56.101 Host is up (0.00077s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems) Device type: general purpose Running: Microsoft Windows XP|2003 OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=245 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows Host script results: | nbstat: | NetBIOS name: XPTESTVM, NetBIOS user: <unknown>, | NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems) | Names | XPTESTVM<00> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> | XPTESTVM<20> Flags: <unique><active> | WORKGROUP<1e> Flags: <group><active> | WORKGROUP<1d> Flags: <unique><active> |_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | Name: WORKGROUP\XPTESTVM |_ System time: 2011-11-07 15:46:06 UTC-5 TRACEROUTE HOP RTT ADDRESS 1 0.77 ms 192.168.56.101 NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 2) scan. NSE: Starting runlevel 2 (of 2) scan. Read data files from: /usr/share/nmap OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)
As you can see from the output in Listing 1, you can identify that this is indeed a Windows platform, most likely XP, with service pack 2 or 3 or 2003 server. This type of scan is a fingerprinting scan, which allows you to identify the OS and any services worth testing as closely as possible. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of threat. You easily can surmise that there is no local firewall, and that this box hasn't gone through any hardening process.
Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server through a process of elimination. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal. That said, you have enough here to proceed to the second tool, Nessus.
With Nessus, let's put this box to the test to see just what hackers could do to this box if they got access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.
Figure 3. Nessus Landing Page
Figure 4. Nessus Scan Page
Once you click add, configure your scan using these basic settings (Figure 5). This will give you a quick scan with minimal impact, which is key on an internal network. You don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.
Figure 5. Nessus Scan Configuration Page
Once it's complete, click on Reports and double-click your report to open it.
Figure 6. Nessus Report on Test Box
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.
- High-Availability Storage with HA-LVM
- DNSMasq, the Pint-Sized Super Dæmon!
- March 2015 Issue of Linux Journal: System Administration
- Localhost DNS Cache
- Real-Time Rogue Wireless Access Point Detection with the Raspberry Pi
- Days Between Dates: the Counting
- PostgreSQL, the NoSQL Database
- The Usability of GNOME
- Linux for Astronomers
- Multitenant Sites