October 31, 2019 · Basic Pen-Testing

4.2 : Active information gathering techniques - nc & nmap (Part II)

Port Scanning

It is illegal in many countries and should not be performed outside your research scope.

Port scanning tools

nc

Basic TCP Scanning

nc -nvv -w 1.5 -z 10.0.0.19 3388-3390
(UNKNOWN) [10.0.0.19] 3390 (?) : Connection refused
(UNKNOWN) [10.0.0.19] 3389 (?) open
(UNKNOWN) [10.0.0.19] 3388 (?) : Connection refused
sent 0, rcvd 0

Basic UDP Scanning

nc -unvv -w 1.5 -z 192.168.1.23 160-165
(UNKNOWN) [192.168.1.23] 165 (?) : Connection refused
(UNKNOWN) [192.168.1.23] 164 (cmip-agent) : Connection refused
(UNKNOWN) [192.168.1.23] 163 (cmip-man) : Connection refused
(UNKNOWN) [192.168.1.23] 162 (snmp-trap) : Connection refused
(UNKNOWN) [192.168.1.23] 161 (snmp) open
(UNKNOWN) [192.168.1.23] 160 (?) : Connection refused

UDP scanning can only detect that a port is open, not that it is closed, because UDP is a stateless, fire-and-forget protocol: the probe is sent and no reply is expected.

nmap

It scans the 1000 most common ports by default.

Default IP range sweep (ping sweep)

nmap -sn 192.168.1.0/24
nmap -sP 192.168.1.0/24


> nmap -sn 10.0.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-31 13:13 HKT
Nmap scan report for router.asus.com (10.0.0.1)
Host is up (0.0046s latency).
Nmap scan report for 10.0.0.2
Host is up (0.0070s latency).
Nmap scan report for 10.0.0.4
Host is up (0.014s latency).
Nmap scan report for dev-nfs (10.0.0.105)
Host is up (0.0094s latency).
Nmap scan report for 10.0.0.111
Host is up (0.0077s latency).
Nmap scan report for 10.0.0.117
Host is up (0.024s latency).
Nmap scan report for dev (10.0.0.143)
Host is up (0.017s latency).
Nmap scan report for 10.0.0.239
Host is up (0.00081s latency).
Nmap scan report for 10.0.0.249
Host is up (0.028s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 2.35 seconds

Check host status (up/down)

nmap -T4 -n -sn -oG - 192.168.1.0/24 | grep Up | cut -d' ' -f2


> nmap -T4 -n -sn -oG - 10.0.0.0/24 | grep Up | cut -d' ' -f2
10.0.0.1
10.0.0.2
10.0.0.4
10.0.0.105
10.0.0.111
10.0.0.117
10.0.0.143
10.0.0.239
10.0.0.249

Check port status on each host (open/closed)

nmap -T4 -n -p 80 -oG - 192.168.1.0/24


> nmap -T4 -n -p 80 -oG - 10.0.0.0/24
# Nmap 7.80 scan initiated Thu Oct 31 13:15:37 2019 as: nmap -T4 -n -p 80 -oG - 10.0.0.0/24
Host: 10.0.0.1 ()	Status: Up
Host: 10.0.0.1 ()	Ports: 80/open/tcp//http///
Host: 10.0.0.2 ()	Status: Up
Host: 10.0.0.2 ()	Ports: 80/open/tcp//http///
Host: 10.0.0.4 ()	Status: Up
Host: 10.0.0.4 ()	Ports: 80/closed/tcp//http///
Host: 10.0.0.105 ()	Status: Up
Host: 10.0.0.105 ()	Ports: 80/closed/tcp//http///
Host: 10.0.0.111 ()	Status: Up
Host: 10.0.0.111 ()	Ports: 80/open/tcp//http///
Host: 10.0.0.117 ()	Status: Up
Host: 10.0.0.117 ()	Ports: 80/open/tcp//http///
Host: 10.0.0.143 ()	Status: Up
Host: 10.0.0.143 ()	Ports: 80/closed/tcp//http///
Host: 10.0.0.239 ()	Status: Up
Host: 10.0.0.239 ()	Ports: 80/open/tcp//http///
Host: 10.0.0.249 ()	Status: Up
Host: 10.0.0.249 ()	Ports: 80/closed/tcp//http///
# Nmap done at Thu Oct 31 13:15:39 2019 -- 256 IP addresses (9 hosts up) scanned in 1.44 seconds

Aggressive connect scan on the top 20 ports

nmap -sT -A --top-ports=20 192.168.1.0/24 -oG -


> nmap -sT -A --top-ports=20 0.0.0.0/24 -oG -
# Nmap 7.80 scan initiated Thu Oct 31 13:16:11 2019 as: nmap -sT -A --top-ports=20 -oG - 0.0.0.0/24
Host: 0.0.0.0 (analytics.etzeu.com)	Status: Up
Host: 0.0.0.0 (analytics.etzeu.com)	Ports: 21/closed/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 53/closed/tcp//domain///, 80/closed/tcp//http///, 110/closed/tcp//pop3///, 111/closed/tcp//rpcbind///, 135/closed/tcp//msrpc///, 139/closed/tcp//netbios-ssn///, 143/closed/tcp//imap///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 993/closed/tcp//imaps///, 995/closed/tcp//pop3s///, 1723/closed/tcp//pptp///, 3306/open/tcp//mysql//MySQL 5.7.25/, 3389/closed/tcp//ms-wbt-server///, 5900/closed/tcp//vnc///, 8080/closed/tcp//http-proxy///
# Nmap done at Thu Oct 31 13:16:12 2019 -- 256 IP addresses (1 host up) scanned in 0.56 seconds
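As an added example (not part of the original notes), a small Python parser for the grepable (-oG) output shown above: it rebuilds the host list that the grep/cut one-liner produces and pulls the open ports with their version strings out of the Ports field. The sample input is constructed in the same format; it assumes service and version strings contain no literal "/" (nmap substitutes that character in grepable output).

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap grepable output, modelled on the runs above.
# Hosts, ports and version strings are made up for this example.
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated ... as: nmap -sT -A --top-ports=20 -oG - 10.0.0.0/24\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/closed/tcp//http///\n"
    "Host: 10.0.0.4 (dev-nfs)\tStatus: Up\n"
    "Host: 10.0.0.4 (dev-nfs)\tPorts: 80/closed/tcp//http///, 3306/open/tcp//mysql//MySQL 5.7.25/"
    "\tIgnored State: closed (18)\n"
    "# Nmap done at ... -- 256 IP addresses (2 hosts up) scanned in 0.56 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+(.*)$")
# Each Ports entry is port/state/protocol/owner/service/rpc-info/version/ ;
# owner and rpc-info are skipped (not captured). Assumes no '/' inside fields.
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


@dataclass
class Host:
    addr: str
    name: str = ""
    status: str = ""
    ports: list = field(default_factory=list)  # (port, proto, state, service, version)


def parse_grepable(text):
    """Parse -oG text into {addr: Host}; '#' comment lines never match HOST_RE."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        addr, name, rest = m.groups()
        host = hosts.setdefault(addr, Host(addr, name))
        for fld in rest.split("\t"):          # tab-separated "Key: value" fields
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.status = value.strip()
            elif key == "Ports":
                for port, state, proto, service, version in PORT_RE.findall(value):
                    host.ports.append((int(port), proto, state, service, version))
    return hosts


def up_hosts(hosts):
    """Same list as: nmap -oG - ... | grep Up | cut -d' ' -f2"""
    return [h.addr for h in hosts.values() if h.status == "Up"]


def open_ports(hosts):
    """{addr: [(port, proto, service, version), ...]} keeping open ports only."""
    return {h.addr: [(p, pr, s, v) for p, pr, st, s, v in h.ports if st == "open"]
            for h in hosts.values() if h.ports}
```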

More detail on the ports (XML output). The run below used the placeholder target "x", which did not resolve, so no hosts were scanned:

nmap -oX - --top-ports 20 x

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Thu Oct 31 13:16:53 2019 as: nmap -oX - -&#45;top-ports 20 x -->
<nmaprun scanner="nmap" args="nmap -oX - -&#45;top-ports 20 x" start="1572499013" startstr="Thu Oct 31 13:16:53 2019" version="7.80" xmloutputversion="1.04">
<scaninfo type="connect" protocol="tcp" numservices="20" services="21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080"/>
<verbose level="0"/>
<debugging level="0"/>
Failed to resolve "x".
WARNING: No targets were specified, so 0 hosts scanned.
<runstats><finished time="1572499013" timestr="Thu Oct 31 13:16:53 2019" elapsed="0.02" summary="Nmap done at Thu Oct 31 13:16:53 2019; 0 IP addresses (0 hosts up) scanned in 0.02 seconds" exit="success"/><hosts up="0" down="0" total="0"/>
</runstats>
</nmaprun>

OS fingerprinting

nmap -O 192.168.1.23

> sudo nmap -O 10.0.0.239
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-31 13:17 HKT
Nmap scan report for devs-iMac (10.0.0.239)
Host is up (0.00011s latency).
Not shown: 500 filtered ports, 497 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Device type: general purpose
Running: Apple OS X 10.10.X|10.11.X
OS CPE: cpe:/o:apple:mac_os_x:10.10 cpe:/o:apple:mac_os_x:10.11
OS details: Apple OS X 10.10 (Yosemite) - 10.12 (Sierra) (Darwin 14.0.0 - 16.1.0)
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds

Banner Grabbing/Service Enumeration

nmap -sV -sT 192.168.1.23

> nmap -sV -sT 10.0.0.239
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-31 13:17 HKT
Nmap scan report for devs-iMac (10.0.0.239)
Host is up (0.00023s latency).
Not shown: 970 closed ports, 27 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http     nginx 1.16.0
443/tcp open  ssl/http nginx 1.16.0

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.76 seconds

Nmap Scripting Engine (NSE)

Scripts are listed in /usr/share/nmap/scripts.
They cover common services such as SMB, SMTP and SNMP.

nmap --script=$SCRIPTNAME 192.168.1.23

Scan all ports, run the vulnerability scripts automatically, and write grepable output

nmap -T4 -n -sV -p- -oG - --script='*vuln*' [ip]

onetwopunch pipes unicornscan into nmap to enumerate services and vulnerabilities

curl https://raw.githubusercontent.com/superkojiman/onetwopunch/master/onetwopunch.sh > ./onetwopunch.sh
bash ./onetwopunch.sh -t targets.txt -i en2 -n '-T4 -n -sV -oN output.txt --script=*vuln*'