A Penetration Tester's Toolkit
Listing 1 shows the output of the previous command.
Listing 1. Nmap Output
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST NSE: Loaded 57 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 15:45 Completed NSE at 15:45, 0.00s elapsed NSE: Starting runlevel 2 (of 2) scan. Initiating ARP Ping Scan at 15:45 Scanning 192.168.56.101 [1 port] Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 15:45 Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed Initiating SYN Stealth Scan at 15:45 Scanning 192.168.56.101 [1000 ports] Discovered open port 139/tcp on 192.168.56.101 Discovered open port 445/tcp on 192.168.56.101 Discovered open port 135/tcp on 192.168.56.101 Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports) Initiating Service scan at 15:46 Scanning 3 services on 192.168.56.101 Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host) Initiating OS detection (try #1) against 192.168.56.101 NSE: Script scanning 192.168.56.101. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 15:46 Completed NSE at 15:46, 0.15s elapsed NSE: Starting runlevel 2 (of 2) scan. Nmap scan report for 192.168.56.101 Host is up (0.00077s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems) Device type: general purpose Running: Microsoft Windows XP|2003 OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=245 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows Host script results: | nbstat: | NetBIOS name: XPTESTVM, NetBIOS user: <unknown>, | NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems) | Names | XPTESTVM<00> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> | XPTESTVM<20> Flags: <unique><active> | WORKGROUP<1e> Flags: <group><active> | WORKGROUP<1d> Flags: <unique><active> |_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | Name: WORKGROUP\XPTESTVM |_ System time: 2011-11-07 15:46:06 UTC-5 TRACEROUTE HOP RTT ADDRESS 1 0.77 ms 192.168.56.101 NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 2) scan. NSE: Starting runlevel 2 (of 2) scan. Read data files from: /usr/share/nmap OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)
As you can see from the output in Listing 1, you can identify that this is indeed a Windows platform, most likely XP, with service pack 2 or 3 or 2003 server. This type of scan is a fingerprinting scan, which allows you to identify the OS and any services worth testing as closely as possible. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of threat. You easily can surmise that there is no local firewall, and that this box hasn't gone through any hardening process.
Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server through a process of elimination. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal. That said, you have enough here to proceed to the second tool, Nessus.
With Nessus, let's put this box to the test to see just what hackers could do to this box if they got access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.
Figure 3. Nessus Landing Page
Figure 4. Nessus Scan Page
Once you click add, configure your scan using these basic settings (Figure 5). This will give you a quick scan with minimal impact, which is key on an internal network. You don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.
Figure 5. Nessus Scan Configuration Page
Once it's complete, click on Reports and double-click your report to open it.
Figure 6. Nessus Report on Test Box
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.
|Designing Electronics with Linux||May 22, 2013|
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
- Designing Electronics with Linux
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- OpenOffice.org Off-the-Wall: ToCs, Indexes and Bibliographies in OOo Writer
- Dart: a New Web Programming Experience
- Mediated Reality: University of Toronto RWM Project
- Kinect with Linux
- Power Management in Linux-Based Systems
- A Topic for Discussion - Open Source Feature-Richness?
26 min 9 sec ago
- Kernel Problem
10 hours 28 min ago
- BASH script to log IPs on public web server
14 hours 55 min ago
18 hours 31 min ago
- Reply to comment | Linux Journal
19 hours 4 min ago
- All the articles you talked
21 hours 27 min ago
- All the articles you talked
21 hours 30 min ago
- All the articles you talked
21 hours 32 min ago
1 day 1 hour ago
- Keeping track of IP address
1 day 3 hours ago
Free Webinar: Hadoop
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?