A Penetration Tester's Toolkit
Listing 1 shows the output of the previous command.
Listing 1. Nmap Output
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST
NSE: Loaded 57 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 15:45
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.56.101 [1000 ports]
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Discovered open port 135/tcp on 192.168.56.101
Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports)
Initiating Service scan at 15:46
Scanning 3 services on 192.168.56.101
Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.15s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=245 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Host script results:
| nbstat:
|   NetBIOS name: XPTESTVM, NetBIOS user: <unknown>,
|   NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems)
|   Names
|     XPTESTVM<00>                 Flags: <unique><active>
|     WORKGROUP<00>                Flags: <group><active>
|     XPTESTVM<20>                 Flags: <unique><active>
|     WORKGROUP<1e>                Flags: <group><active>
|     WORKGROUP<1d>                Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\XPTESTVM
|_  System time: 2011-11-07 15:46:06 UTC-5

TRACEROUTE
HOP RTT      ADDRESS
1   0.77 ms  192.168.56.101

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
           Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)
As you can see from the output in Listing 1, this is indeed a Windows platform. The TCP/IP stack fingerprint narrows it to Windows XP SP2 or SP3, or Windows Server 2003, and the smb-os-discovery script result ("OS: Windows XP", NetBIOS name XPTESTVM) settles the question in favor of XP. This type of scan is a fingerprinting scan: its job is to identify the OS and the exposed services as precisely as possible so you know what is worth testing. Pulling this much information from a single basic scan is a finding in itself. Note in particular that the 997 ports Nmap does not list are reported as closed rather than filtered, meaning the host answered every probe with a RST; a host firewall would drop those probes and Nmap would report them as filtered. You easily can surmise, then, that there is no local firewall and that this box hasn't gone through any hardening process, which leaves it highly exposed.
Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a workstation or a server through a process of elimination: a desktop is very unlikely to be running a service like MS SQL or Exchange, and none of the three open ports here (135, 139 and 445, the standard Windows RPC and SMB ports) belongs to either. That said, you have enough here to proceed to the second tool, Nessus.
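The reading of Listing 1 above (open ports, stack fingerprint versus SMB banner, closed versus filtered counts as the host-firewall tell) can be automated. The following Python script is an added example, not code from the article: it parses Nmap's normal (human-readable) output into a small profile and prints the same triage notes. The first sample input is an abridged copy of Listing 1; the second, "firewalled" report is constructed and hypothetical, included only to show the contrasting case where a host firewall drops probes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the Listing 1 output (same values).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.56.101
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
|   NetBIOS name: XPTESTVM, NetBIOS user: <unknown>,
|_smbv2-enabled: Server doesn't support SMBv2 protocol
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  Name: WORKGROUP\\XPTESTVM
"""

# Constructed contrast case (hypothetical hardened host, not from the
# article): a host firewall drops the probes, so Nmap reports "filtered".
FIREWALLED_OUTPUT = """\
Nmap scan report for 192.168.56.102
Not shown: 999 filtered ports
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"(\d+) (closed|filtered) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
STACK_OS_RE = re.compile(r"^OS details: (.+)$")
SMB_OS_RE = re.compile(r"^\|\s+OS: (.+)$")
NETBIOS_RE = re.compile(r"NetBIOS name: (\S+),")
SMBV2_RE = re.compile(r"^\|_?smbv2-enabled: (.+)$")


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


@dataclass
class HostProfile:
    address: Optional[str] = None
    open_ports: List[OpenPort] = field(default_factory=list)
    closed_ports: int = 0
    filtered_ports: int = 0
    stack_os: Optional[str] = None   # TCP/IP stack fingerprint ("OS details")
    smb_os: Optional[str] = None     # smb-os-discovery script result
    netbios_name: Optional[str] = None
    smbv2: Optional[bool] = None     # None when the script did not report

    @property
    def host_firewall_likely(self) -> bool:
        # "closed" means the stack answered with a RST; "filtered" means the
        # probe was dropped.  Mostly-RST results point at no host firewall.
        return self.filtered_ports > self.closed_ports

    @property
    def resolved_os(self) -> Optional[str]:
        # The stack fingerprint only narrows to "XP or 2003"; the SMB banner
        # names one OS, so prefer it when present.
        if self.smb_os:
            return self.smb_os.split(" (")[0]
        return self.stack_os

    def notes(self) -> List[str]:
        out = []
        if self.host_firewall_likely:
            out.append("host firewall likely: probed ports were mostly filtered")
        else:
            out.append("no host firewall evident: closed ports answered with RST")
        smb = sorted({op.port for op in self.open_ports} & {139, 445})
        if smb:
            out.append("SMB exposed on " + ", ".join(map(str, smb)))
        if self.smbv2 is False:
            out.append("SMBv1 only: server does not support SMBv2")
        if self.resolved_os:
            out.append("OS: " + self.resolved_os)
        return out


def profile_host(report: str) -> HostProfile:
    """Parse one host's section of Nmap normal output into a HostProfile."""
    p = HostProfile()
    for line in report.splitlines():
        if REPORT_RE.match(line):
            p.address = REPORT_RE.match(line).group(1)
        elif line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_RE.findall(line):
                if state == "closed":
                    p.closed_ports += int(count)
                else:
                    p.filtered_ports += int(count)
        elif PORT_RE.match(line):
            port, proto, state, service, version = PORT_RE.match(line).groups()
            if state == "open":
                p.open_ports.append(OpenPort(int(port), proto, service, version.strip()))
            elif state == "closed":
                p.closed_ports += 1
            elif state == "filtered":
                p.filtered_ports += 1
        elif STACK_OS_RE.match(line):
            p.stack_os = STACK_OS_RE.match(line).group(1)
        elif SMB_OS_RE.match(line):
            p.smb_os = SMB_OS_RE.match(line).group(1)
        elif NETBIOS_RE.search(line):
            p.netbios_name = NETBIOS_RE.search(line).group(1)
        elif SMBV2_RE.match(line):
            p.smbv2 = "doesn't" not in SMBV2_RE.match(line).group(1)
    return p


if __name__ == "__main__":
    for sample in (NMAP_OUTPUT, FIREWALLED_OUTPUT):
        prof = profile_host(sample)
        print(prof.address, [op.port for op in prof.open_ports], prof.notes())
```

The firewall heuristic compares the filtered count against the closed count rather than looking for zero closed ports, because a host that drops most probes but leaves a few ports reachable still reads as firewalled. For anything beyond a one-off, prefer Nmap's `-oX` XML output, which carries the same fields in a form that does not depend on column alignment.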
With Nessus, let's put this box to the test to see just what an attacker could do with it once on the network. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article, though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.
Figure 3. Nessus Landing Page
Figure 4. Nessus Scan Page
Once you click Add, configure your scan using the basic settings shown in Figure 5. This gives you a quick scan with minimal impact, which is key on an internal network: you don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.
Figure 5. Nessus Scan Configuration Page
Once it's complete, click on Reports and double-click your report to open it.
Figure 6. Nessus Report on Test Box
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.