Penetration Testing Methodology, Part 2/6 — Scanning

Daniel Holdsworth
May 17, 2018 · 5 min read

You’ve made it this far, all the way to the much delayed part 2 of my informal Penetration Testing Methodology mini series!

(If you are starting on this part and haven’t read the first part, then go there first dingus!)

In the first part of this series i discussed the many ways in which you can use social engineering to execute recon on your target, from physical methods to a simple google.

This second part is very similar apart from rather than scanning a person or a company, we are now after the information on a specific system WITHIN the company, and this is the part that i find most interesting myself.

Before we dive into this part of the series, a small warning, don’t be a donut, don’t go around using this on public WiFi in Starbucks etc, as, you guessed it, it’s against the law, set yourself up a handy little lab and smash your own systems to pieces safely!

Got it? ok.



This is what we will cover today —

  • Host discovery
  • Port Scanning
  • OS Fingerprinting

This is all we will cover as, as stated in the first part, this mini series will just be a small, basic, and informal look at Pen Testing.


Host Discovery

The first step is identifying host that are alive in order to dig deeper and later on, exploit, these systems.

NMap is a great tool for doing a broad network sweep and this is easily excecuted by using the command —

The 0–100 at the end of the IP address is called octet range addressing and gives you the ability to scan the entire IP range that you have selected, hitting all hosts from 0–100.

To better understand what has been returned to you, you can add -

This will return to you WHY that specific host and port is in the state that it has been presented to you.

Nmap, by default will more often than not carry out a DNS lookup during the network sweep, but this can slow down the speed it takes to complete the scan, therefore this can be turned on or off by adding -n to the end of your command.

Within nmap you can also carry out what is known as an Address Resolution Protocol (ARP) ping, this is often the most reliable way to get results of one specific host that you have discovered with the network sweep, the vast majority of hosts will respond to an ARP ping WHEN you’re on the same network as your target as hosts still need a way to contact other local hosts regardless of how good the firewall is.


Port Scanning

Why do we now need to scan certain ports of a host system?

To find out in what state the target systems UDP and TCP ports are in!

since we are already using nmap, i will focus solely on nmap in this section also.

nmap puts the state of ports into several catagories -

  • Open
  • Closed
  • Filtered
  • Unfiltered
  • Open | Filtered
  • Closed | Filtered

When port scanning, nmap will only scan the most common ports within the 65535 available, not all of them.

In order to ensure that you scan ALL ports within the range you need to execute the following command —

or


OS Fingerprinting

There are many reasons behind why exactly you would what to carry out OS detection, differentiate between routers, printers, desktops etc.

Enable you to select and identify the correct exploits or vulnerabilities associated to that OS

Or even develop your own payload tailored to that specific OS.

One method that i like is Passive Fingerprinting, using tools such as WireShark or p0f to sniff the network traffic in real time and try to analyze the traffic to determine what a target system is running by how it acts on the network.

Another, since im a big fan of ports (Wrote the only book covering all ports and protocols in existence, just saying.), is looking for patterns of open ports on a target, this can be a great way to identify an OS as patterns can been seen, and help you differentiate between servers, routers, desktops etc.

since this is only a basic guide, i implore you to use the internet and look into the methods i have mentioned and learn more yourself using your own systems and labs as to go as in depth as one might like would take up ALOT of reading time!

along the lines of nmap a simple command for well known OS’s can be added to your command as follows —

the -v in the command helps by beefing up the results with extra infomation such as network distance (great for determining the overall size of a network) and, you guessed it, OS details.


Since we (i) don’t want to be breeding a bunch of coffee shop hackers, all the infomation contained above can be great to use as a network and system administrator in order to scan your own network, if you periodically scan your own network you can highlight changes in port statuses which can highlight possible intrusion and help you defend against attacks, it can also help you to identify ports that are open which have no business been open, and the most obscure ports can often be used to infiltrate a network.

If you need assistance identifying ports that you are unsure of, get yourself onto amazon and search for “Ports and Protocols” and grab yourself a copy of my reference guide!


also available for kindle

Other defences against scanning include, but are not limited to —

  • Detect scans
  • OS Hardening
  • Honeypots and nets
  • Banner Modification

I hope you enjoyed this part of the Penetration Testing Methodology series and stay tuned for the next part coming soon!

dvlpr_hacks

@dvlp.r on instagram

Daniel Holdsworth

Written by

I write about my discoveries in Dev Ops & System Engineering. Grappling's Resident Tech.

dvlpr_hacks

@dvlp.r on instagram

More From Medium

More from Daniel Holdsworth

Related reads

Related reads

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade