Overview
As a target machine for the scanning and enumeration examples, I will be using the Metasploitable 2 VM.
The Metasploitable 2 virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network.
Network Setup
To conduct these exercises, you need to have 2 machines. One computer is used for attacking, the second computer is used as the victim. Using virtual machines is always the best solution for training purposes so in the following examples a Kali Linux VM and a Metasploitable 2 VM are connected to a Virtual Box internal network with a router between the two VMs.
To change the settings of the Metasploitable VM just edit the /etc/network/interfaces file (the default login for the VM is msfadmin/msfadmin).
Save the changes and restart networking with the command:
sudo /etc/init.d/networking restart
Scanning and Enumeration
The first step is to gather as much information as you can about the remote system. Use Nmap, Legion and OpenVAS to identify the open ports, running services and vulnerabilities on the target.
Nmap scan
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. You can run Nmap directly from the CLI but it might be a good idea to run Nmap from within Metasploit so that the results are added to the MSF database for further analysis and later use.
There are many scanning possibilities but the following choices of options will balance speed with accuracy. As you add more options, you might sacrifice speed in order to get better results:
- nmap -sS [IP Address]
- nmap -sV [IP Address]
- nmap -T4 -sV --version-all --osscan-guess -A [IP Address]
Typical results:
However, the previous options won’t show you all the open ports because the -sV scan mode for service and version detection will use the nmap-services database of about 2,200 well-known services.
Therefore, it might be a good idea to run some scans covering wider ranges of ports:
- nmap -sV --osscan-guess -p 1-10000 [IP Address]
- nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
- nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
- nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
- nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]
and even UDP ports:
- nmap -sU -sV --version-all -p 1-10000 [IP Address]
- nmap -sU -sV --version-all -p 1-65535 [IP Address]
And these are the results:
As you can see, there are many open ports and running services on the target VM.
Legion scan
Another easy way to get initial information on the target is to use Legion. This tool will run a number of Nmap scans and it will also load a number of other tools and use them to get information about the target machine.
Some of the tools will immediately try to test the found services and even brute force the logins.
OpenVAS scan
For a comprehensive scan, try the Open Vulnerability Assessment Scanner. This this tool has a full range of capabilities including unauthenticated testing, authenticated testing, various high level and low-level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
It can be installed on Kali Linux and it can be updated daily with the latest vulnerability tests.
Conclusion:
The proper usage of the scanning tools available in Kali Linux will allow to perform all the types of scanning needed during the initial phases of the hacking process.
Next post: Metasploitable 2 Full Walkthrough: Part I
No comments:
Post a Comment