A Penetration Tester's Toolkit

Listing 1 shows the output of the previous command.

Listing 1. Nmap Output


Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST
NSE: Loaded 57 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 15:45
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.56.101 [1000 ports]
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Discovered open port 135/tcp on 192.168.56.101
Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports)
Initiating Service scan at 15:46
Scanning 3 services on 192.168.56.101
Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.15s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=245 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Host script results:
| nbstat: 
|   NetBIOS name: XPTESTVM, NetBIOS user: <unknown>, 
|   NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems)
|   Names
|     XPTESTVM<00>         Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     XPTESTVM<20>         Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|     WORKGROUP<1d>        Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\XPTESTVM
|_  System time: 2011-11-07 15:46:06 UTC-5

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.56.101

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect 
results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
           Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)

As you can see from the output in Listing 1, you can identify that this is indeed a Windows platform, most likely XP, with service pack 2 or 3 or 2003 server. This type of scan is a fingerprinting scan, which allows you to identify the OS and any services worth testing as closely as possible. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of threat. You easily can surmise that there is no local firewall, and that this box hasn't gone through any hardening process.

Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server through a process of elimination. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal. That said, you have enough here to proceed to the second tool, Nessus.

With Nessus, let's put this box to the test to see just what hackers could do to this box if they got access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.

Figure 3. Nessus Landing Page

Figure 4. Nessus Scan Page

Once you click add, configure your scan using these basic settings (Figure 5). This will give you a quick scan with minimal impact, which is key on an internal network. You don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.

Figure 5. Nessus Scan Configuration Page

Once it's complete, click on Reports and double-click your report to open it.

Figure 6. Nessus Report on Test Box

______________________

Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Great post .Thank you for

Temizlik firmaları's picture

Great post .Thank you for this article.
I'm not really into networking, so being able to use such tools is very convenient to me... Temizlik şirketleri

The botheration I see is that

Tyrwhittse's picture

The botheration I see is that Microsoft bankrupt their own disciplinarian archetypal and a lot of humans are XP users still because they can't allow to bandy out all or a lot auto diagnostics of of their hardware. These humans don't apperceive about or accept alone Linux, conceivably because their in abode software will not plan beneath WINE. There is ReactOS, but ReactOS is not abiding and it is not adapted for day to day use yet.

Very cool article. I have

bourne's picture

Very cool article. I have used all these tools (been a while since I used nessus though). Metasploit is awesome, but can be a little overwhelming to use. Nmap is amazing though and has a lot of great features and can be used for a bunch of different things. Great article thank you!

Nmap is a great tool for this

UK VPS's picture

Nmap is a great tool for this type of work. Have you had a look at OpenVAS?
I think an article on OpenVAS would be a good follow up.

Thanx

CuisineThai's picture

Thank you for this article. A must read !
I'm not really into networking, so being able to use such tools is very convenient to me :)

Good Article. Should get

Anonymous's picture

Good Article. Should get people interested enough to try these tools out.

As for ease of use metasploit also has a good frontend: Armitage.

Progress in engineering

Tyrwhittse's picture

Progress in engineering haven't left the car industry guiding. Do-it-yourself devices can be a issue of your earlier. You could no extra get less than the hood of auto diagnostics the auto to remove elements and put them jointly with out stressing in regards to the car's doing work. Now, fuel techniques, ignition timing, temperature sensors, and so on. are managed and supervised by way of sophisticated pc systems.

Your missing The

Anonymous's picture

Your missing The Social-Engineer Toolkit -- One of the best ones out there as well. Good article!

Cool

RonDavidson's picture

This is really highly interesting, I tested this on the hosting account used for my website here and I must say the results were more than surprising. You pointed out a few details I never really cared about much. Really simple if you know the problem, which makes being aware even more important. To sum it up: Thanks :)

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix