www.prismacsi.com
© All Rights Reserved.
1
Practical White Hat Hacker Training #3
Active Information
Gathering
This document can be shared, quoted, and used for commercial purposes, but cannot be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
Active Information Gathering
• Nmap basics
• Scanning methods with nmap
• Reconnaissance using nmap
• Port, service, version scanning
• Operating system detection
• Nmap Scripting Engine (NSE) use and resources
• Detailed reconnaissance on DNS, SMTP, SNMP
• Anonymous scanning operations
• Firewall/IDS evasion methods
Active Scanning after OSINT
• Verify information gathered during the passive information gathering stage
• Discover systems that are active within the IP range and save time on vulnerability scanning, the next stage.
• Discover ports and services, get to know more about the target!
• Identify software and their versions
• Identify operating systems
Nmap – Network Mapping
• Network Reconnaissance
• Port, service scanning
• Version scanning
• Operating system discovery
• Vulnerability scanning
• Firewall/IDS evasion
Nmap Host Definition
• nmap 10.0.1.5
• nmap 10.0.1.5-15
• nmap 10.0.1.0/24
• nmap 10.0.1.5,6,7,8
• nmap -iL iplist.txt
• nmap 10.0.1.0/24 --exclude 10.0.1.5
Nmap Port Definition
• nmap 10.0.1.5 -p 80
• nmap 10.0.1.5 -p 80,443
• nmap 10.0.1.5 -p 1-1000
• nmap 10.0.1.5 -p 0-65535
• nmap 10.0.1.5 -p-
• nmap 10.0.1.5 --top-ports 500
Nmap Host Definition
Nmap Port States and Inferences
• Open:
• The port is open.
• An application is listening on the port.
• Closed:
• The port is closed.
• But it is reachable.
• No application is listening on the port.
• Filtered:
• The port state is not clear.
• No response may have been received.
• A firewall may have filtered the packet.
Frequently Used Ports
Nmap – Ping Scan
• nmap -sP 10.0.1.0/25 (-sP is the older spelling of -sn, ping scan only)
• A ping probe is sent to the whole network; hosts that respond are reported as up, hosts that do not are treated as down.
TCP Basics
• 3-way Handshake
Nmap – SYN Scan
• SYN Scan is the default port scanning technique and is very fast.
• The port state is inferred from the response to a sent SYN packet.
• If the response to a SYN packet is RST+ACK then the port is closed.
• If the response is SYN+ACK then the port is understood to be open, and an RST is sent so the connection is never completed.
• SYN Scan is also known as Half Open Scan.
• nmap -sS 10.0.1.5
Nmap – SYN Scan
Nmap – TCP Scan
• TCP Connect Scan completes the three-way handshake, so the connection is recorded in the target's logs.
• Obtains more accurate results.
• Port states are based on the response to the SYN packet.
• If the response to a SYN packet is RST+ACK then the port is inferred to be closed.
• If the response is SYN+ACK then the port is inferred to be open and the three-way handshake is completed.
• nmap -sT 10.0.1.5
Nmap – TCP Scan
What is UDP?
• UDP (User Datagram Protocol)
• Data is sent without first establishing a connection (no handshake).
• UDP is an unreliable transmission protocol.
• UDP is used for real-time data transfers such as audio and video transmission.
Nmap – UDP Scan
• Used to analyze UDP ports.
• The port state is inferred from the response to UDP packets.
• If the response is “ICMP Port Unreachable” then the port is closed.
• If the response is a UDP packet then the port is open.
• If nothing comes back, nmap cannot distinguish open from filtered and reports open|filtered, which is why UDP scans are slow and noisy.
• nmap -sU 10.0.1.15
Nmap – UDP Scan
TCP Flags
There are a total of 6 TCP flags:
• ACK: Acknowledges that the data reached the other side without any problem.
• SYN: Indicates that a TCP connection will be established. In short, it starts the three-way handshake.
• FIN: Ends a TCP session.
• RST: Allows the sender and the receiver to disconnect in case an error occurs in the connection. The FIN flag is used to safely terminate a TCP session.
• URG: Marks the segment's data as urgent so the receiver processes it ahead of buffered data.
• PSH: Asks the receiver to push the data to the application immediately instead of buffering it.
Nmap – NULL, FIN, XMAS Scan
• The analyses are similar.
• If the response to a sent packet is RST+ACK then the port is closed; if no packet returns then the port is inferred to be open (nmap reports this as open|filtered, because a probe dropped by a firewall produces the same silence).
• An “ICMP Unreachable” response infers a filtered port.
• NULL
• nmap -sN 10.0.1.15
• FIN
• nmap -sF 10.0.1.15
• XMAS
• nmap -sX 10.0.1.15
Nmap – ACK and Window Scan
• ACK Scan is frequently used for firewall configuration analysis.
• In ACK Scan, if the response is an RST packet then the port is inferred to be unfiltered. If there is no response, or an ICMP Unreachable packet returns, then the port is inferred to be filtered.
• Window Scan is similar to ACK Scan.
• In Window Scan port states can be Open or Closed.
• ACK
• nmap -sA 10.0.1.15
• Window
• nmap -sW 10.0.1.15
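The port-state, SYN, connect, UDP, NULL/FIN/XMAS and ACK/Window slides above all describe one decision table: which reply to which probe lets you conclude what. The Python below is an added example, not code from the training deck or from nmap; it encodes that table for every scan type the deck covers (including the window-size rule that -sW relies on) so you can see exactly where a dropped packet leaves ambiguity, which is the signal a firewall or IDS administrator is deciding whether to leak. The `Reply` type and the `PROBES` table are constructed for this example.

```python
"""Port-state inference table behind nmap's scan types (added example, not nmap code)."""
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793); these are the six flags the deck lists.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Flags set on the probe each scan type sends (constructed table; "udp" sends no TCP flags).
PROBES = {
    "syn": SYN, "connect": SYN,
    "null": 0, "fin": FIN, "xmas": FIN | PSH | URG,
    "ack": ACK, "window": ACK,
    "udp": None,
}


def flag_names(flags: int) -> str:
    """Render a flags byte as e.g. 'SYN+ACK'; an empty set is a NULL probe."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "+".join(names) or "NULL"


@dataclass
class Reply:
    """What came back for a probe: a TCP segment, a UDP datagram, an ICMP error, or nothing."""
    kind: str                            # "tcp", "udp", "icmp" or "none"
    flags: int = 0                       # TCP flags when kind == "tcp"
    window: int = 0                      # TCP window size when kind == "tcp" (used by -sW)
    icmp_port_unreachable: bool = False  # ICMP type 3 code 3; other unreachables mean filtering


def infer_state(scan: str, reply: Reply) -> str:
    """Map (scan type, observed reply) to the state nmap would report."""
    if scan not in PROBES:
        raise ValueError(f"unknown scan type: {scan}")
    tcp_rst = reply.kind == "tcp" and bool(reply.flags & RST)

    if scan in ("syn", "connect"):
        if reply.kind == "tcp" and reply.flags & SYN and reply.flags & ACK:
            return "open"        # a listener answered; -sS then sends RST, -sT completes the handshake
        if tcp_rst:
            return "closed"      # reachable host, nothing listening
        return "filtered"        # silence or ICMP error: something in the path dropped the probe

    if scan in ("null", "fin", "xmas"):
        if tcp_rst:
            return "closed"
        if reply.kind == "icmp":
            return "filtered"
        # RFC 793 says an open port ignores these probes, so silence suggests open, but a
        # firewall dropping the packet looks identical; nmap therefore reports open|filtered.
        return "open|filtered"

    if scan == "ack":
        # -sA never says open/closed; it only tells whether the probe got through.
        return "unfiltered" if tcp_rst else "filtered"

    if scan == "window":
        if tcp_rst:
            return "open" if reply.window > 0 else "closed"  # some stacks leak state via window size
        return "filtered"

    # scan == "udp"
    if reply.kind == "udp":
        return "open"
    if reply.kind == "icmp":
        return "closed" if reply.icmp_port_unreachable else "filtered"
    return "open|filtered"       # UDP services often stay silent on unexpected input


if __name__ == "__main__":
    for scan, reply in [("syn", Reply("tcp", flags=SYN | ACK)), ("xmas", Reply("none")),
                        ("ack", Reply("tcp", flags=RST)), ("udp", Reply("icmp", icmp_port_unreachable=True))]:
        probe = "no TCP flags" if PROBES[scan] is None else flag_names(PROBES[scan])
        print(f"{scan:7s} probe={probe:12s} -> {infer_state(scan, reply)}")
```

Reading the table from the defender's side: a host that answers RST to everything not listening tells the scanner exactly which ports are closed, while a policy that silently drops unwanted packets collapses closed, filtered and (for FIN/NULL/XMAS and UDP probes) open into the same ambiguous result, at the cost of slower scans and more retransmissions in your logs.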
Nmap Basics
• Nmap – Service and version enumeration
• nmap -sS -sV 10.0.1.15
• Nmap – OS detection
• nmap -sS -O 10.0.1.15
• Nmap – Detailed analysis
• nmap -sS -A 10.0.1.15
Nmap Basics - DEMO
Nmap Basics
Nmap Basics
Nmap Output Configuration
• nmap -sS -sV 10.0.1.15 -oG filename (grepable)
• nmap -sS -sV 10.0.1.15 -oX filename (xml)
• nmap -sS -sV 10.0.1.15 -oN filename (nmap)
• nmap -sS -sV 10.0.1.15 -oA filename (all)
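The XML output (-oX) is the format to keep when scans feed anything other than a human reader. The Python below is an added example, not code from the training deck or from nmap: it parses the host, address, port, state and service elements nmap writes, then diffs a current scan against a saved baseline so newly exposed ports stand out. The two XML documents are constructed samples in the shape of real -oX output, trimmed to the elements the parser uses; the addresses and services in them are made up.

```python
"""Parse nmap -oX output and diff it against a baseline (added example, not nmap's own tooling)."""
import xml.etree.ElementTree as ET

# Constructed sample of the XML nmap writes with -oX, trimmed to the elements used below.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 10.0.1.15" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.1.15" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""

# A later scan of the same range (constructed): port 80 is gone, 3389 has appeared, a second host is down.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 10.0.1.0/24" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.1.15" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.0.1.16" addrtype="ipv4"/>
</host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_label}} for every host that is up, open ports only."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            label = "unknown"
            if svc is not None:
                parts = [svc.get("name", ""), svc.get("product", ""), svc.get("version", "")]
                label = " ".join(p for p in parts if p) or "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = label
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_scans(baseline_xml, current_xml):
    """Ports open now that were not open in the baseline, and open ports that went away."""
    before = parse_open_ports(baseline_xml)
    after = parse_open_ports(current_xml)
    appeared, vanished = [], []
    for ip in sorted(set(before) | set(after)):
        old, new = before.get(ip, {}), after.get(ip, {})
        appeared += [(ip, proto, port, new[(proto, port)])
                     for proto, port in sorted(new) if (proto, port) not in old]
        vanished += [(ip, proto, port) for proto, port in sorted(old) if (proto, port) not in new]
    return appeared, vanished


if __name__ == "__main__":
    new, gone = diff_scans(BASELINE_XML, CURRENT_XML)
    for ip, proto, port, svc in new:
        print(f"NEW  {ip} {port}/{proto} {svc}")
    for ip, proto, port in gone:
        print(f"GONE {ip} {port}/{proto}")
```

Run periodically against the same target list, the "appeared" list is the change-detection output a blue team actually wants from a scanner: a remote-desktop port showing up on a host that only ever exposed SSH and HTTP is worth a ticket regardless of what the vulnerability scan later says about it.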
Nmap – Basics
Nmap – Basics
Nmap – Necessary Parameters
• -h parameter: help
• -T parameter: timing template
• -Pn parameter: ping handling (skip host discovery and treat every host as up)
• -V parameter: print the nmap version
• -v parameter: verbose output
• --open parameter: show only open ports
• -6 parameter: enable IPv6 scanning
Nmap – Scripting Engine
• All resources
• http://nmap.org/nsedoc/
• /usr/share/nmap/scripts/
• Developed with Lua programming language
• Script Scanning
• nmap -sC 10.0.1.15
Nmap – Scripting Engine
• NSE Categories
• Auth
• Brute
• Default
• Dos
• Exploit
• Vuln
• Malware
• Safe
• Version
Nmap – Scripting Engine
Nmap – Scripting Engine
• Update
• nmap --script-updatedb
• Script usage
• nmap --script "smb-os-discovery"
• NSEarch
• https://github.com/JKO/nsearch
Advanced Nmap Use
• nmap --script "smb-vuln-*" 10.0.1.15
• nmap --script http-enum domain.com
• nmap --script smb-brute -p 445 10.0.1.15
• nmap --script all 10.0.1.15
• nmap --script-help smb-brute
Advanced Nmap Use
• Nmap – Firewall Evasion
• -f parameter: packet fragmentation
• nmap -f 10.0.1.15
• -D parameter: decoy IP spoofing, make some noise!
• nmap -D spoofedip 10.0.1.15
• --spoof-mac parameter: MAC address spoofing
• nmap --spoof-mac "Fortinet" 10.0.1.15
• Maximum host configuration
• nmap --max-parallelism 1 10.0.1.15
Advanced Nmap Use
• Nmap – Firewall Evasion
• -T parameter: timing (templates -T1 through -T5; lower is slower and quieter)
• nmap -T<1-5> 10.0.1.15
• nmap -T1 10.0.1.15
• Firewall-bypass script
• nmap --script firewall-bypass 10.0.1.15
Masscan – Internet Scanner
• https://github.com/robertdavidgraham/masscan
Masscan – Internet Scanner
• Fast Scanning
• Can scan the entire internet in 6 hours
• Frequently used
Zmap – Network Scanner
• https://zmap.io/
Collecting Information Over DNS
• Using dig
• dig NS domain.com
• dig MX domain.com
• Frequently used tools:
• dnsmap domain.com wordlist
• fierce -dns domain.com
• dnsrecon.py -d domain.com
Zone Transfer
• Automation can be attempted with fierce.
• Manual testing can be done with dig.
• dig axfr @dnsztm2.digi.ninja zonetransfer.me
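A zone transfer that succeeds from an arbitrary client means the server's transfer ACL (allow-transfer in BIND terms) is too permissive, and the same dig command used above is the quickest way to check your own authoritative servers. The Python below is an added example, not code from the training deck or from dig: it parses the text dig prints for an AXFR and reports whether the transfer went through and which hostnames it exposed. Both sample outputs are constructed for this example in the shape dig produces (tab-separated resource-record lines, comment lines prefixed with `;`, and the `; Transfer failed.` marker on refusal); the zone, names and addresses in them are made up.

```python
"""Audit a zone-transfer check from dig axfr output (added example; parses constructed dig output)."""

# Constructed output in the shape dig prints for a successful AXFR.
SAMPLE_TRANSFER = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.\t3600\tIN\tNS\tns1.example.test.
example.test.\t3600\tIN\tMX\t10 mail.example.test.
ns1.example.test.\t3600\tIN\tA\t10.0.1.2
mail.example.test.\t3600\tIN\tA\t10.0.1.25
intranet.example.test.\t3600\tIN\tA\t10.0.1.40
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec
"""

# Constructed output for the case where the server's transfer ACL rejects the client.
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
; Transfer failed.
"""


def parse_rr_lines(text):
    """Yield (name, ttl, type, rdata) for each resource-record line; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # name ttl class type rdata
        if len(fields) < 4 or fields[2] != "IN":
            continue
        rdata = fields[4] if len(fields) == 5 else ""
        yield fields[0], int(fields[1]), fields[3], rdata


def audit_axfr(text):
    """Summarise whether the transfer succeeded and what it exposed."""
    records = list(parse_rr_lines(text))
    # A complete AXFR is bracketed by the zone's SOA record at the start and at the end.
    soa_count = sum(1 for _, _, rtype, _ in records if rtype == "SOA")
    transferred = soa_count >= 2 and "; Transfer failed." not in text
    by_type = {}
    for _, _, rtype, _ in records:
        by_type[rtype] = by_type.get(rtype, 0) + 1
    hosts = sorted({name for name, _, rtype, _ in records if rtype in ("A", "AAAA")})
    return {"transferred": transferred, "records": records, "by_type": by_type, "hosts": hosts}


if __name__ == "__main__":
    for label, sample in (("transfer", SAMPLE_TRANSFER), ("refused", SAMPLE_REFUSED)):
        report = audit_axfr(sample)
        print(f"{label}: transferred={report['transferred']} types={report['by_type']}")
        for host in report["hosts"]:
            print(f"  exposed host: {host}")
```

Feed it the real output (`dig axfr @your-ns your-zone > out.txt`) from a machine that is not a secondary for the zone: a `transferred` result of True there is a misconfiguration to fix, and the `hosts` list shows what an outsider would have learned, internal names such as the intranet entry in the sample included.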
Fierce DNS Reconnaissance - DEMO
DNS Dumpster - DEMO
• https://dnsdumpster.com/
CloudFail - DEMO
• https://github.com/m0rtem/CloudFail
CloudFail - DEMO
• python3 cloudfail.py --target octosec.net
Frequently used enumeration tools - DEMO
• enum4linux 10.0.1.5
• nbtscan 10.0.1.5
Frequently used enumeration tools- DEMO
• snmpwalk -c public -v1 192.168.10.10
Anonymous Scan Operations
• Anonymous scanning with Tor
• sudo apt-get install tor
• service tor start
• Proxychains installation and configuration
• sudo apt-get install proxychains
• /etc/proxychains.conf
• socks4 127.0.0.1 9050
• proxychains nmap 10.0.1.15
Anonymous Scan Operations - DEMO
• Tor Installation
Anonymous Scan Operations - DEMO
• Proxychains Configuration
• cat /etc/proxychains.conf
Anonymous Scan Operations - DEMO
• Anonymous Scanning
WAF / Firewall Discovery
• Rule:
• Look at the response to a SYN packet that was sent:
• SYN+ACK sent back
• RST sent back
• No reply indicates that there may be a firewall present.
WAF / Firewall Discovery
• Requests that can raise an alarm from an IPS:
• ../../../../
• cmd.exe
• /etc/shadow
• /etc/passwd
• Inferences are made from the answers.
• An IPS is inferred to exist if the connection is reset or a timeout occurs.
WAF / Firewall Discovery
• Reconnaissance with wafw00f (WAF detection)
• It sends requests that look malicious and analyses how the responses differ.
• wafw00f domain.com
WAF / Firewall Discovery - DEMO
• Reconnaissance with wafw00f (WAF detection)
• It sends requests that look malicious and analyses how the responses differ.
• wafw00f domain.com
Demo
Practice
Questions
?
www.prismacsi.com
info@prismacsi.com
0 850 303 85 35
/prismacsi
Contacts

More Related Content

What's hot

What's hot (20)

N map presentation
N map presentationN map presentation
N map presentation
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
NMap
NMapNMap
NMap
 
Nmap commands
Nmap commandsNmap commands
Nmap commands
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Nmap
NmapNmap
Nmap
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Nmap
NmapNmap
Nmap
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
Netcat - A Swiss Army Tool
Netcat - A Swiss Army ToolNetcat - A Swiss Army Tool
Netcat - A Swiss Army Tool
 
Port scanning
Port scanningPort scanning
Port scanning
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
NTLM
NTLMNTLM
NTLM
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
 

Similar to Practical White Hat Hacker Training - Active Information Gathering

NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academycyberforgeacademy
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Nikhil Raj
 
Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3Harsh Desai
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsSam Bowne
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015Kevin Alcock
 
Nmap Discovery
Nmap DiscoveryNmap Discovery
Nmap DiscoveryTai Pan
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 
3 scanning-ger paoctes-pub
3  scanning-ger paoctes-pub3  scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
How to dominate a country
How to dominate a countryHow to dominate a country
How to dominate a countryTiago Henriques
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.pptVarunBehere1
 
Network Automation with Salt and NAPALM: a self-resilient network
Network Automation with Salt and NAPALM: a self-resilient networkNetwork Automation with Salt and NAPALM: a self-resilient network
Network Automation with Salt and NAPALM: a self-resilient networkCloudflare
 
Using metasploit
Using metasploitUsing metasploit
Using metasploitCyberRad
 
Extensible Messaging and Presence Protocol (XMPP)
Extensible Messaging and Presence Protocol (XMPP)Extensible Messaging and Presence Protocol (XMPP)
Extensible Messaging and Presence Protocol (XMPP)Sean Tsai
 

Similar to Practical White Hat Hacker Training - Active Information Gathering (20)

Zen map
Zen mapZen map
Zen map
 
NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academy
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019
 
Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015
 
Network for amin
Network for aminNetwork for amin
Network for amin
 
Enei
EneiEnei
Enei
 
Nmap Discovery
Nmap DiscoveryNmap Discovery
Nmap Discovery
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 
3 scanning-ger paoctes-pub
3  scanning-ger paoctes-pub3  scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
How to dominate a country
How to dominate a countryHow to dominate a country
How to dominate a country
 
Nmap
NmapNmap
Nmap
 
NMAP1.ppt
NMAP1.pptNMAP1.ppt
NMAP1.ppt
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Network Automation with Salt and NAPALM: a self-resilient network
Network Automation with Salt and NAPALM: a self-resilient networkNetwork Automation with Salt and NAPALM: a self-resilient network
Network Automation with Salt and NAPALM: a self-resilient network
 
Preso fcul
Preso fculPreso fcul
Preso fcul
 
Using metasploit
Using metasploitUsing metasploit
Using metasploit
 
Extensible Messaging and Presence Protocol (XMPP)
Extensible Messaging and Presence Protocol (XMPP)Extensible Messaging and Presence Protocol (XMPP)
Extensible Messaging and Presence Protocol (XMPP)
 

More from PRISMA CSI

Sysmon ile Log Toplama
Sysmon ile Log ToplamaSysmon ile Log Toplama
Sysmon ile Log ToplamaPRISMA CSI
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPRISMA CSI
 
Practical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPractical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPRISMA CSI
 
Practical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPractical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPRISMA CSI
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPRISMA CSI
 
Beyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma Saldırıları
Beyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma SaldırılarıBeyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma Saldırıları
Beyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma SaldırılarıPRISMA CSI
 
Sızma Testi Metodolojileri
Sızma Testi MetodolojileriSızma Testi Metodolojileri
Sızma Testi MetodolojileriPRISMA CSI
 
Sızma (Penetrasyon) Testi Nedir?
Sızma (Penetrasyon) Testi Nedir?Sızma (Penetrasyon) Testi Nedir?
Sızma (Penetrasyon) Testi Nedir?PRISMA CSI
 
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıPRISMA CSI
 
Beyaz Şapkalı Hacker CEH Eğitimi - Zafiyet Keşfi
Beyaz Şapkalı Hacker CEH Eğitimi - Zafiyet KeşfiBeyaz Şapkalı Hacker CEH Eğitimi - Zafiyet Keşfi
Beyaz Şapkalı Hacker CEH Eğitimi - Zafiyet KeşfiPRISMA CSI
 
Beyaz Şapkalı Hacker CEH Eğitimi - Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Exploit AşamasıPRISMA CSI
 
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi ToplamaBeyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi ToplamaPRISMA CSI
 
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik TemelleriBeyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik TemelleriPRISMA CSI
 
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)PRISMA CSI
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciPRISMA CSI
 

More from PRISMA CSI (16)

Sysmon ile Log Toplama
Sysmon ile Log ToplamaSysmon ile Log Toplama
Sysmon ile Log Toplama
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
 
Practical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPractical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - Exploitation
 
Practical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPractical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability Detection
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
 
Beyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma Saldırıları
Beyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma SaldırılarıBeyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma Saldırıları
Beyaz Şapkalı Hacker CEH Eğitimi - Parola Kırma Saldırıları
 
Sızma Testi Metodolojileri
Sızma Testi MetodolojileriSızma Testi Metodolojileri
Sızma Testi Metodolojileri
 
Sızma (Penetrasyon) Testi Nedir?
Sızma (Penetrasyon) Testi Nedir?Sızma (Penetrasyon) Testi Nedir?
Sızma (Penetrasyon) Testi Nedir?
 
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
 
Beyaz Şapkalı Hacker CEH Eğitimi - Zafiyet Keşfi
Beyaz Şapkalı Hacker CEH Eğitimi - Zafiyet KeşfiBeyaz Şapkalı Hacker CEH Eğitimi - Zafiyet Keşfi
Beyaz Şapkalı Hacker CEH Eğitimi - Zafiyet Keşfi
 
Beyaz Şapkalı Hacker CEH Eğitimi - Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Exploit Aşaması
 
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi ToplamaBeyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
 
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik TemelleriBeyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
 
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz Süreci
 

Recently uploaded

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 

Recently uploaded (20)

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Practical White Hat Hacker Training - Active Information Gathering

1. www.prismacsi.com © All Rights Reserved. Practical White Hat Hacker Training #3: Active Information Gathering
   This document can be shared or quoted and used for commercial purposes, but cannot be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.

2. Active Information Gathering
   • Nmap basics
   • Scanning methods with nmap
   • Reconnaissance using nmap
   • Port, service, version scanning
   • Operating system detection
   • Nmap Scripting Engine (NSE) use and resources
   • Detailed reconnaissance on DNS, SMTP, SNMP
   • Anonymous scanning operations
   • Firewall/IDS evasion methods

3. Active Scanning after OSINT
   • Verify information gathered during the passive information gathering stage
   • Discover systems that are active within the IP range and save time in the next stage, vulnerability scanning
   • Discover ports and services, get to know more about the target!
   • Identify software and their versions
   • Identify operating systems

4. Nmap – Network Mapping
   • Network reconnaissance
   • Port, service scanning
   • Version scanning
   • Operating system discovery
   • Vulnerability scanning
   • Firewall/IDS evasion

5. Nmap Host Definition
   • nmap 10.0.1.5
   • nmap 10.0.1.5-15
   • nmap 10.0.1.0/24
   • nmap 10.0.1.5,6,7,8
   • nmap -iL iplist.txt
   • nmap 10.0.1.0/24 --exclude 10.0.1.5

6. Nmap Port Definition
   • nmap 10.0.1.5 -p 80
   • nmap 10.0.1.5 -p 80,443
   • nmap 10.0.1.5 -p 1-1000
   • nmap 10.0.1.5 -p 0-65535
   • nmap 10.0.1.5 -p-
   • nmap 10.0.1.5 --top-ports 500

7. Nmap Host Definition

8. Nmap Port States and Inferences
   • Open:
     • The port is open.
     • An application is listening on the port.
   • Closed:
     • The port is closed.
     • But it is reachable.
     • No application is listening on the port.
   • Filtered:
     • The port state is not known.
     • No response may have been received.
     • A firewall may have filtered the packet.

9. Frequently Used Ports

10. Nmap – Ping Scan
   • nmap -sP 10.0.1.0/25
   • By sending a ping packet to the whole network, one can tell which systems are up (those that respond) and which are down.

11. TCP Basics
   • 3-way handshake

12. Nmap – SYN Scan
   • SYN Scan is the default port scanning technique and is very fast.
   • The scan is based on the response to a sent SYN packet.
   • If the response to a SYN packet is RST+ACK, the port is closed.
   • If the response is SYN+ACK, the port is understood to be open and an RST is sent.
   • SYN Scan is also known as Half Open Scan.
   • nmap -sS 10.0.1.5

13. Nmap – SYN Scan

14. Nmap – TCP Scan
   • TCP Connect Scan completes a three-way handshake and is recorded in logs.
   • Obtains more accurate results.
   • Port states are based on the response to the SYN packet.
   • If the response to a SYN packet is RST+ACK, the port is inferred to be closed.
   • If the response is SYN+ACK, the port is inferred to be open and the three-way handshake is completed.
   • nmap -sT 10.0.1.5

15. Nmap – TCP Scan

16. What is UDP?
   • UDP (User Datagram Protocol)
   • Data is sent without a connection being established first (no handshake).
   • UDP is an unreliable transmission protocol.
   • UDP is used for real-time data transfers such as audio and video transmission.

17. Nmap – UDP Scan
   • Used to analyze UDP ports.
   • Analysis is based on the response to UDP packets.
   • If the response is "ICMP Port Unreachable", the port is closed.
   • If the response is a UDP packet, the port is open.
   • nmap -sU 10.0.1.15

18. Nmap – UDP Scan

19. TCP Flags
   There are a total of 6 TCP flags:
   • ACK: Indicates that the data reached the other side without any problem.
   • SYN: Indicates that a TCP connection will be established. In short, it starts the three-way handshake.
   • FIN: Ends a TCP session.
   • RST: Allows the sender and the receiver to disconnect in case an error occurs in the connection. The FIN flag is used to safely terminate a TCP session.
   • URG: Enables processing of incoming data packets.
   • PSH: Used to set priority within data packets.

20. Nmap – NULL, FIN, XMAS Scan
   • The analyses are similar.
   • If the response to a sent packet is RST+ACK, the port is closed; if no packet returns, the port is inferred to be open.
   • An "ICMP Unreachable" response indicates a filtered port.
   • NULL: nmap -sN 10.0.1.15
   • FIN: nmap -sF 10.0.1.15
   • XMAS: nmap -sX 10.0.1.15

21. Nmap – ACK and Window Scan
   • ACK Scan is frequently used for firewall configuration analysis.
   • In ACK Scan, if the response is an RST packet the port is inferred to be unfiltered. If there is no response or an ICMP Unreachable packet returns, the port is inferred to be filtered.
   • Window Scan is similar to ACK Scan.
   • In Window Scan, port states can be Open or Closed.
   • ACK: nmap -sA 10.0.1.15
   • Window: nmap -sW 10.0.1.15
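A defender-side view of the scan types on slides 12 to 21, as an added example that is not part of the original deck: it runs simple detection logic over constructed packet records, flags NULL/FIN/XMAS probes, and tells a half-open SYN scan (the client never ACKs the SYN/ACK, it sends RST) from a connect scan that completes handshakes. The packet records, the threshold and the rule that the endpoint holding an ephemeral port (32768 and up) is the client are assumptions made for the example.

```python
from collections import defaultdict

EPHEMERAL = 32768      # ports at or above this are treated as the client side of a flow
SCAN_THRESHOLD = 5     # distinct service ports sent a bare SYN by one source

# Constructed packets (src, sport, dst, dport, flags) as a sensor might log them;
# flag letters are S A F R P U. None of this is real traffic.
PACKETS = [
    # 10.0.1.99 behaves like a half-open (-sS) scan: SYN, SYN/ACK, then RST, never an ACK
    *[("10.0.1.99", 40000 + i, "10.0.1.15", p, "S") for i, p in enumerate((22, 25, 80, 443, 445, 3389))],
    ("10.0.1.15", 22, "10.0.1.99", 40000, "SA"), ("10.0.1.99", 40000, "10.0.1.15", 22, "R"),
    ("10.0.1.15", 80, "10.0.1.99", 40002, "SA"), ("10.0.1.99", 40002, "10.0.1.15", 80, "R"),
    ("10.0.1.15", 25, "10.0.1.99", 40001, "RA"),   # closed port answers RST+ACK
    # 10.0.1.7 is an ordinary client: one completed three-way handshake to 443
    ("10.0.1.7", 51000, "10.0.1.15", 443, "S"), ("10.0.1.15", 443, "10.0.1.7", 51000, "SA"),
    ("10.0.1.7", 51000, "10.0.1.15", 443, "A"),
    # 10.0.1.42 sends XMAS (-sX) and NULL (-sN) probes
    ("10.0.1.42", 45000, "10.0.1.15", 139, "FPU"), ("10.0.1.42", 45001, "10.0.1.15", 21, ""),
]

def orient(pkt):
    """Return (client, server, service_port, from_client, flags) for one packet."""
    src, sport, dst, dport, flags = pkt
    if sport >= EPHEMERAL:
        return src, dst, dport, True, flags
    return dst, src, sport, False, flags

def detect(packets):
    """Return alert strings: one per stealth probe, one per source that port-scanned."""
    alerts = []
    probed = defaultdict(set)       # client -> (server, port) pairs that received a bare SYN
    handshakes = defaultdict(set)   # client -> (server, port) pairs where the client's ACK was seen
    for pkt in packets:
        client, server, port, from_client, flags = orient(pkt)
        if not from_client:
            continue                # replies (SYN/ACK, RST+ACK) carry no scan intent
        if flags in ("", "F", "FPU"):
            # NULL, FIN and XMAS probes are never a legitimate opening packet
            alerts.append(f"{client} -> {server}:{port} stealth probe flags={flags or 'NULL'}")
        elif flags == "S":
            probed[client].add((server, port))
        elif "A" in flags and "S" not in flags and "R" not in flags:
            handshakes[client].add((server, port))
    for client, targets in probed.items():
        if len(targets) >= SCAN_THRESHOLD:
            # a connect scan (-sT) completes handshakes; a SYN scan (-sS) never does
            kind = "half-open SYN scan" if not handshakes[client] else "connect scan"
            alerts.append(f"{client} {kind}: {len(targets)} ports probed")
    return alerts
```

Calling detect(PACKETS) yields two stealth-probe alerts for 10.0.1.42 and one half-open SYN scan alert for 10.0.1.99, while the ordinary client 10.0.1.7 stays silent.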
22. Nmap Basics
   • Nmap – Service and version enumeration: nmap -sS -sV 10.0.1.15
   • Nmap – OS detection: nmap -sS -O 10.0.1.15
   • Nmap – Detailed analysis: nmap -sS -A 10.0.1.15

23. Nmap Basics - DEMO

24. Nmap Basics

25. Nmap Basics

26. Nmap Output Configuration
   • nmap -sS -sV 10.0.1.15 -oG filename (grepable)
   • nmap -sS -sV 10.0.1.15 -oX filename (xml)
   • nmap -sS -sV 10.0.1.15 -oN filename (nmap)
   • nmap -sS -sV 10.0.1.15 -oA filename (all)
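An added example for the -oG format on slide 26, not taken from the original deck: a small parser that turns each Host/Ports line of grepable output into records and then compares the open ports against a per-host allowlist, which is how a defender turns a scan into an exposure-drift check. The sample output, hosts, versions and the allowlist are all constructed.

```python
from dataclasses import dataclass

# Constructed sample of grepable output from "nmap -sS -sU -sV 10.0.1.0/24 -oG scan.gnmap".
# Hosts, services and versions are made up for the example.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sU -sV -oG scan.gnmap 10.0.1.0/24
Host: 10.0.1.5 ()\tStatus: Up
Host: 10.0.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 445/open/tcp//microsoft-ds//Samba smbd 4.9.5/\tIgnored State: closed (1998)
Host: 10.0.1.15 ()\tStatus: Up
Host: 10.0.1.15 ()\tPorts: 80/open/tcp//http//nginx 1.14.2/, 443/open/tcp//https//nginx 1.14.2/, 161/open|filtered/udp//snmp///\tIgnored State: closed (1997)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 256 IP addresses (2 hosts up) scanned
"""

@dataclass(frozen=True)
class Port:
    host: str
    number: int
    proto: str
    state: str
    service: str
    version: str

def parse_grepable(text):
    """Parse the 'Host: ... Ports: ...' lines of nmap -oG output into Port records."""
    ports = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # the Ports: field ends at the tab before "Ignored State:" (when present)
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_field.split(", "):
            # each entry is port/state/protocol/owner/service/rpcinfo/version/
            f = entry.split("/", 6)
            version = f[6].rstrip("/") if len(f) > 6 else ""
            ports.append(Port(host, int(f[0]), f[2], f[1], f[4], version))
    return ports

# Constructed allowlist of the exposure each host is supposed to have.
EXPECTED = {"10.0.1.5": {("tcp", 22)}, "10.0.1.15": {("tcp", 80), ("tcp", 443)}}

def unexpected_open(ports, expected=EXPECTED):
    """Return ports reported open (or open|filtered) that the allowlist does not cover."""
    return [p for p in ports
            if p.state.startswith("open")
            and (p.proto, p.number) not in expected.get(p.host, set())]
```

On the sample, unexpected_open(parse_grepable(SAMPLE_OG)) reports SMB on 10.0.1.5 and SNMP on 10.0.1.15, the two services nobody planned to expose.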
27. Nmap – Basics

28. Nmap – Basics

29. Nmap – Necessary Parameters
   • -h: help
   • -T: timing configuration
   • -Pn: ping/host discovery control (treat all hosts as online)
   • -V: Nmap version
   • -v: output verbosity
   • --open: show only open ports
   • -6: enable IPv6

30. Nmap – Scripting Engine
   • All resources:
     • http://nmap.org/nsedoc/
     • /usr/share/nmap/scripts/
   • Developed in the Lua programming language
   • Script scanning: nmap -sC 10.0.1.15

31. Nmap – Scripting Engine
   • NSE categories:
     • auth
     • brute
     • default
     • dos
     • exploit
     • vuln
     • malware
     • safe
     • version

32. Nmap – Scripting Engine

33. Nmap – Scripting Engine
   • Update: nmap --script-updatedb
   • Script usage: nmap --script "smb-os-discovery"
   • NSEarch: https://github.com/JKO/nsearch

34. Advanced Nmap Use
   • nmap --script "smb-vuln-*" 10.0.1.15
   • nmap --script http-enum domain.com
   • nmap --script smb-brute -p 445 10.0.1.15
   • nmap --script all 10.0.1.15
   • nmap --script-help smb-brute

35. Advanced Nmap Use
   • Nmap – Firewall Evasion
     • -f: packet fragmentation
       • nmap -f 10.0.1.15
     • -D: decoy IP spoofing, make some noise!
       • nmap -D Spoofedip 10.0.1.15
     • --spoof-mac: MAC spoofing
       • nmap --spoof-mac "Fortinet" 10.0.1.15
     • Limit parallelism (maximum host configuration)
       • nmap --max-parallelism 1 10.0.1.15

36. Advanced Nmap Use
   • Nmap – Firewall Evasion
     • -T: timing templates T1-5
       • nmap -T1 10.0.1.15
     • firewall-bypass script
       • nmap --script firewall-bypass 10.0.1.15

37. Masscan – Internet Scanner
   • https://github.com/robertdavidgraham/masscan

38. Masscan – Internet Scanner
   • Fast scanning
   • Can scan the entire internet in 6 hours
   • Frequently used

39. Zmap – Network Scanner
   • https://zmap.io/

40. Collecting Information Over DNS
   • Using dig:
     • dig NS domain.com
     • dig MX domain.com
   • Frequently used tools:
     • dnsmap domain.com -w wordlist
     • fierce -dns domain.com
     • dnsrecon.py -d domain.com

41. Zone Transfer
   • Automation can be attempted with Fierce.
   • Manual testing can be done with dig.
   • dig axfr @nsztm2.digi.ninja zonetransfer.me

42. Fierce DNS Reconnaissance - DEMO

43. DNS Dumpster - DEMO
   • https://dnsdumpster.com/

44. CloudFail - DEMO
   • https://github.com/m0rtem/CloudFail

45. CloudFail - DEMO
   • python3 cloudfail.py --target octosec.net

46. Frequently used enumeration tools - DEMO
   • enum4linux 10.0.1.5
   • nbtscan 10.0.1.5

47. Frequently used enumeration tools - DEMO
   • snmpwalk -c public -v1 192.168.10.10

48. Anonymous Scan Operations
   • Anonymous scanning with Tor
     • sudo apt-get install tor
     • service tor start
   • Proxychains installation and configuration
     • sudo apt-get install proxychains
     • /etc/proxychains.conf
       • socks4 127.0.0.1 9050
     • proxychains nmap 10.0.1.15
     • Note: proxychains only relays TCP connections, so use a connect scan (nmap -sT) with it; raw-packet scans such as -sS are not sent through the proxy.

49. Anonymous Scan Operations - DEMO
   • Tor installation

50. Anonymous Scan Operations - DEMO
   • Proxychains configuration
   • cat /etc/proxychains.conf

51. Anonymous Scan Operations - DEMO
   • Anonymous scanning

52. WAF / Firewall Discovery
   • Rule: look at the response to a sent SYN packet
     • SYN+ACK sent back
     • RST sent back
     • No reply indicates that a firewall may be present.

53. WAF / Firewall Discovery
   • Requests that can raise an alarm from an IPS:
     • ../../../../
     • cmd.exe
     • /etc/shadow
     • /etc/passwd
   • Inferences are made from the responses.
   • An IPS exists if the connection is reset or a timeout occurs.

54. WAF / Firewall Discovery
   • Reconnaissance with Wafw00f and WAF
   • Analysis is performed on harmful requests.
   • wafw00f domain.com

55. WAF / Firewall Discovery - DEMO
   • Reconnaissance with Wafw00f and WAF
   • Analysis is performed on harmful requests.
   • wafw00f domain.com

56. Demo Practice

57. Questions?

58. Contacts
   • www.prismacsi.com
   • info@prismacsi.com
   • 0 850 303 85 35
   • /prismacsi