Differences between active and passive information gathering
Perform passive and active information gathering with various tools and resources
🗒️ Information gathering (Reconnaissance) is the initial stage of any penetration test and one of its most important phases.
It involves finding out as much information as possible about a targeted individual, website, company or system.
The more information a pentester has on a target, the easier and more successful the later stages of the pentest will be. What is collected also depends on the scope of the penetration test.
E.g.1 - Pentest on a website: web technology, vulnerabilities, IP address of the hosting server.
E.g.2 - Pentest on public-facing assets and some internal systems; here there can be more attack vectors:
gain access to the internal network through the public-facing web server (one access vector)
during the info-gathering phase, learn more about the company employees (names, email addresses, credentials); this information is useful for exploitation or initial access, e.g. through phishing emails with malicious attachments (another access vector)
Passive Information Gathering Introduction
🗒️ Passive information gathering involves obtaining as much data as possible without actively interacting with the target.
The pentester uses what's available on the Internet.
E.g. - Website: utilizing the publicly accessible information and resources of that particular website, such as what is visible through the browser, the public IP address of the webserver hosting the site, etc.
What passive information?
IP addresses, DNS, domain names and domain ownership
Email addresses, social media profiles
Web technologies, subdomains
Active Information Gathering Introduction
🗒️ Active information gathering involves obtaining as much information as possible by actively engaging with the target.
❗Authorization from the target owner is required to conduct active information gathering.
The target will be aware of the attacker's engagement.
E.g. - Website: perform a port scan of the webserver IP address (found with passive info gathering) using the nmap tool to identify the open ports and running services, then identify exploitable vulnerabilities in those services and consequently access the web server.
What active information?
Open ports, internal network/organization infrastructure
robots.txt: a site owner can keep parts of the site out of search engine indexes with "Disallow" entries, which name the files or folders not to index. Those entries still reveal which paths exist.
/wp-content indicates that the website is running WordPress.
```
sudo apt install httrack
# Open from the start menu "WebHTTrack Website Copier", which opens the web instance
```
Whois Enumeration
Whois lookups are used to identify information regarding a particular domain.
Date of registration, Owner, Registrar, Owner Email address, etc
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. - Whois - Wikipedia
Netcraft provides internet security services for a large number of use cases, including cybercrime detection and disruption, application testing and PCI scanning.
It collates previous information identified with other tools and outputs an easy to read format.
Site Technology: Server-Side, Client-Side, Frameworks, etc
DNS Reconnaissance
🗒️ DNS Recon is used to identify the DNS records associated with a domain, such as A records (IP addresses) and mail server (MX) records.
dnsrecon tool - a Python script that provides the ability to perform NS/DNS record enumeration, record lookups, subdomain brute force, etc.
```
dnsrecon -d hackersploit.org
# It responds with the name server addresses (NS)
# A record    - IPv4 address of the website
# AAAA record - IPv6 addresses
# MX record   - mail server address
# TXT record  - domain/site verification or other values (SPF ...)
```
map the domain in a graph .png image or .xlsx file.
WAF
Web Application Firewall (WAF) detection with wafw00f.
It does the following:
Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks.
```
wafw00f -l    # List all WAFs that it is able to detect
# -a option: report every WAF that matches instead of stopping at the first one
wafw00f hackertube.net -a
wafw00f zonetransfer.me -a
```
This would definitely be tested again within the active information gathering phase, with a port scan on the webserver IP address.
Subdomain Enumeration with Sublist3r
To identify the subdomains of a specific domain in a passive way, publicly available resources and databases can be utilized.
sublist3r tool - a Python tool that enumerates subdomains of websites using OSINT (Open-Source Intelligence).
this example is NOT active enumeration - it is passive (using publicly available resources)
it enumerates subdomains using search engines (Google, Yahoo, Bing ...) and other services (Netcraft, VirusTotal, DNSdumpster, ReverseDNS, ThreatCrowd).
```
sudo apt install sublist3r
sublist3r -d hackersploit.com
sublist3r -d hackersploit.com -e google,yahoo
sublist3r -d hackersploit.com -o hs_sub_enum.txt    # Find hackersploit.com subdomains and save the results to a text file
```
Google Dorks
🗒️ Google Dorking/Hacking can be utilized to identify public information pertinent to a target.
Search operators narrow google.com results to specific subdomains, file types, etc.
First try to directly search for the specific domain and look for useful information.
site:
    limits all results to the particular domain/site
    shows subdomains for that particular domain
inurl:
    looks for a specific word within the page URL
    e.g. inurl:admin
site:*.site.com
    shows subdomains (indexed by Google) for a particular domain
    usually they are intentionally exposed subdomains
    sometimes they are unintentionally exposed subdomains
intitle:
    limits the results to pages with a specific word in the page title
filetype:
    limits the results to a file type in the URL
    makes the search query a bit more specific
intitle:index of
    looks for sites with directory listing enabled, by searching for "index of"
    a common web server misconfiguration
    directory listing allows users to see the content of the directory
    older versions of a website can leak useful sensitive information this way
Email Harvesting
theHarvester tool - an open-source Python tool that performs OSINT gathering to help determine a domain's external threat landscape.
used to enumerate emails, names, IPs, URLs and subdomains belonging to a target domain, using publicly available resources and databases.
check the GitHub repository for more information on its passive and active modules and on installation.
In this case the tool is used for email harvesting.
```
# Pre-installed on Kali Linux.
theHarvester -d hackersploit.org
theHarvester -d hackersploit.org -b dnsdumpster,duckduckgo,crtsh    # It finds some subdomains
theHarvester -d zonetransfer.me -b all
```
Emails could be used to send phishing email with malicious attachments during an attack.
Leaked Password Databases
Email or account passwords can potentially be found and used for a password spray attack, i.e. testing the discovered passwords for authentication against many other services (this is not part of passive info gathering).
Leaked online password databases can be utilized, usually coming from a site data breach containing the users credentials.
🗒️ Enumerating DNS records for a particular domain is done through a procedure known as DNS Interrogation.
Probe a DNS server to provide additional records and information (domain IP address, subdomains, mail server addresses, etc)
To obtain more records from a DNS server with regards to a particular domain, DNS Zone Transfers may be useful:
A zone transfer occurs when a system admin copies or transfers zone files (containing the domain records) from one DNS server to another.
This functionality can be abused by attackers when left misconfigured, to copy the zone file from the primary DNS to another DNS server.
It can give penetration testers a complete picture of the network architecture of an organization and internal network addresses may be found.
An IP address can be mapped to a specific local (or external) domain name using the /etc/hosts file, which the O.S. consults before querying DNS:
```
sudo nano /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
# The following lines are desirable for IPv6 capable hosts
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
# IP ADDRESS    # Domain Names
```
E.g. - ZoneTransfer.me can be utilized for educational purposes
Passive reconnaissance: using dnsdumpster.com and dnsrecon
dnsenum tool - a multithreaded Perl script to enumerate the DNS information of a domain and to discover non-contiguous IP blocks
enumerate public DNS records
perform automatic DNS zone transfer
perform DNS brute force on subdomains
The two name servers of ZoneTransfer.me are nsztm1.digi.ninja and nsztm2.digi.ninja
DNS zone transfer functionality must be enabled on the name servers for this to work.
Identify subdomains and internal IP addresses from the Zone Transfer results.
Check comments below
```
dnsenum zonetransfer.me
dnsenum VERSION:1.2.6

-----   zonetransfer.me   -----

# PASSIVE RECON
Host's addresses:
__________________

zonetransfer.me.                         5        IN    A        5.196.105.14    # ^^ Web server IP address ^^

Name Servers:
______________

nsztm2.digi.ninja.                       5        IN    A        34.225.33.2
nsztm1.digi.ninja.                       5        IN    A        81.4.108.41

Mail (MX) Servers:
___________________

ALT2.ASPMX.L.GOOGLE.COM.                 5        IN    A        74.125.200.27
ASPMX4.GOOGLEMAIL.COM.                   5        IN    A        142.251.8.26
ASPMX.L.GOOGLE.COM.                      5        IN    A        108.177.119.27
ASPMX2.GOOGLEMAIL.COM.                   5        IN    A        142.250.150.27
ALT1.ASPMX.L.GOOGLE.COM.                 5        IN    A        142.250.150.26
ASPMX3.GOOGLEMAIL.COM.                   5        IN    A        74.125.200.27
ASPMX5.GOOGLEMAIL.COM.                   5        IN    A        173.194.202.26

# ACTIVE RECON
Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for zonetransfer.me on nsztm1.digi.ninja ...
# Provides all the records stored on the NS nsztm1.digi.ninja
# Try to access the interesting ones
zonetransfer.me.                         7200     IN    SOA      nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.                         300      IN    HINFO    "Casio fx-700G" "Windows XP"
zonetransfer.me.                         301      IN    TXT      "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.                         7200     IN    MX       0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.                         7200     IN    MX       10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.                         7200     IN    MX       10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.                         7200     IN    MX       20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.                         7200     IN    MX       20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.                         7200     IN    MX       20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.                         7200     IN    MX       20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.                         7200     IN    A        5.196.105.14
zonetransfer.me.                         7200     IN    NS       nsztm1.digi.ninja.
zonetransfer.me.                         7200     IN    NS       nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me.         301      IN    TXT      "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me.               14000    IN    SRV      0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200   IN    PTR      www.zonetransfer.me.
# Some subdomains (found actively):
asfdbauthdns.zonetransfer.me.            7900     IN    AFSDB    1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me.                7200     IN    A        127.0.0.1
asfdbvolume.zonetransfer.me.             7800     IN    AFSDB    1 asfdbbox.zonetransfer.me.
# If not external, the IP could be an internal DNS record = security issue
canberra-office.zonetransfer.me.         7200     IN    A        202.14.81.230
cmdexec.zonetransfer.me.                 300      IN    TXT      "; ls"
contact.zonetransfer.me.                 2592000  IN    TXT      "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me.               7200     IN    A        143.228.181.132
deadbeef.zonetransfer.me.                7201     IN    AAAA     dead:beaf::
dr.zonetransfer.me.                      300      IN    LOC      53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.                     7200     IN    TXT      "AbCdEfG"
email.zonetransfer.me.                   2222     IN    NAPTR    1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.                   7200     IN    A        74.125.206.26
Hello.zonetransfer.me.                   7200     IN    TXT      "Hi to Josh and all his class"
home.zonetransfer.me.                    7200     IN    A        127.0.0.1
Info.zonetransfer.me.                    7200     IN    TXT      "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me.                300      IN    NS       intns1.zonetransfer.me.
internal.zonetransfer.me.                300      IN    NS       intns2.zonetransfer.me.
intns1.zonetransfer.me.                  300      IN    A        81.4.108.41
intns2.zonetransfer.me.                  300      IN    A        167.88.42.94
# ^^ Pay ATTENTION to internal pointing addresses ^^
office.zonetransfer.me.                  7200     IN    A        4.23.39.254
ipv6actnow.org.zonetransfer.me.          7200     IN    AAAA     2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.                     7200     IN    A        207.46.197.32
robinwood.zonetransfer.me.               302      IN    TXT      "Robin Wood"
rp.zonetransfer.me.                      321      IN    RP       robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.                     3333     IN    NAPTR    2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me.                    300      IN    TXT      "' or 1=1 --"
sshock.zonetransfer.me.                  7200     IN    TXT      "() { :]}; echo ShellShocked"
staging.zonetransfer.me.                 7200     IN    CNAME    www.sydneyoperahouse.com.
# ^^ Try this redirection in a browser. If it fails, maybe it is an internal record.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN  A        127.0.0.1
testing.zonetransfer.me.                 301      IN    CNAME    www.zonetransfer.me.
vpn.zonetransfer.me.                     4000     IN    A        174.36.59.154
www.zonetransfer.me.                     7200     IN    A        5.196.105.14
xss.zonetransfer.me.                     300      IN    TXT      "'>alert('Boo')"
zonetransfer.me.                         7200     IN    SOA      nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600

Trying Zone Transfer for zonetransfer.me on nsztm2.digi.ninja ...
[...]

Brute forcing with /usr/share/dnsenum/dns.txt:    # Used primarily to find subdomains
_______________________________________________

office.zonetransfer.me.                  5        IN    A        4.23.39.254
owa.zonetransfer.me.                     5        IN    A        207.46.197.32
staging.zonetransfer.me.                 5        IN    CNAME    www.sydneyoperahouse.com.
www.sydneyoperahouse.com.                5        IN    CNAME    d3gdbrxsb9xhmf.cloudfront.net.
d3gdbrxsb9xhmf.cloudfront.net.           5        IN    A        13.224.103.62
d3gdbrxsb9xhmf.cloudfront.net.           5        IN    A        13.224.103.26
d3gdbrxsb9xhmf.cloudfront.net.           5        IN    A        13.224.103.84
d3gdbrxsb9xhmf.cloudfront.net.           5        IN    A        13.224.103.17
vpn.zonetransfer.me.                     5        IN    A        174.36.59.154
www.zonetransfer.me.                     5        IN    A        5.196.105.14

zonetransfer.me class C netranges:
___________________________________

 4.23.39.0/24
 5.196.105.0/24
 174.36.59.0/24
 207.46.197.0/24

Performing reverse lookup on 1024 ip addresses:
________________________________________________

0 results out of 1024 IP addresses.

zonetransfer.me ip blocks:
___________________________

done.
```
The dnsenum zone transfer step fails if zone transfers are disabled on the name servers (e.g. Cloudflare NS).
AXFR zone transfers are the full DNS zone transfers of all DNS data. The primary DNS server sends the whole zone file, containing all the DNS records, to the secondary DNS servers. This ensures that the secondary DNS server is well synced and has all the latest changes made to the master DNS zone.
```
dig axfr @nsztm1.digi.ninja zonetransfer.me    # axfr is the zone transfer switch
```
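The comments in the dnsenum output above tell you which records to look at first (loopback/internal addresses, the internal.* NS delegation, CNAMEs leaving the zone, chatty TXT records). This added example, not part of the original notes, automates that triage over the "name TTL IN TYPE rdata" layout that dig and dnsenum print; the sample zone is a constructed subset of the zonetransfer.me records shown above, and the grouping rules are my own heuristics.

```python
"""Triage the records returned by a DNS zone transfer (AXFR)."""
import ipaddress

# Constructed sample: a subset of the zonetransfer.me AXFR output shown in the notes.
SAMPLE_AXFR = """\
zonetransfer.me.                7200  IN  A      5.196.105.14
zonetransfer.me.                7200  IN  NS     nsztm1.digi.ninja.
asfdbbox.zonetransfer.me.       7200  IN  A      127.0.0.1
home.zonetransfer.me.           7200  IN  A      127.0.0.1
internal.zonetransfer.me.       300   IN  NS     intns1.zonetransfer.me.
intns1.zonetransfer.me.         300   IN  A      81.4.108.41
staging.zonetransfer.me.        7200  IN  CNAME  www.sydneyoperahouse.com.
testing.zonetransfer.me.        301   IN  CNAME  www.zonetransfer.me.
vpn.zonetransfer.me.            4000  IN  A      174.36.59.154
contact.zonetransfer.me.        2592000 IN TXT   "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
"""


def parse_records(text):
    """Parse 'name TTL IN TYPE rdata' lines; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 4)          # rdata may contain spaces, keep it whole
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _, rtype, rdata = parts
        records.append({"name": name.lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata})
    return records


def triage(records, zone):
    """Group the records a pentester (or the zone owner) should review first."""
    zone = zone.lower().rstrip(".") + "."
    findings = {"non_routable": [], "internal_delegation": [],
                "external_cname": [], "txt": []}
    for r in records:
        if r["type"] in ("A", "AAAA"):
            addr = ipaddress.ip_address(r["rdata"])
            # Loopback or RFC 1918 targets in a public zone point at internal hosts
            if addr.is_loopback or addr.is_private:
                findings["non_routable"].append((r["name"], r["rdata"]))
        elif r["type"] == "NS" and r["name"] != zone:
            # A subzone served by hosts inside the zone is usually an internal namespace
            if r["rdata"].lower().endswith("." + zone):
                findings["internal_delegation"].append((r["name"], r["rdata"]))
        elif r["type"] == "CNAME":
            if not r["rdata"].lower().endswith("." + zone):
                findings["external_cname"].append((r["name"], r["rdata"]))
        elif r["type"] == "TXT":
            # Free-text records often leak names, phone numbers or e-mail addresses
            findings["txt"].append((r["name"], r["rdata"].strip('"')))
    return findings


if __name__ == "__main__":
    for key, items in triage(parse_records(SAMPLE_AXFR), "zonetransfer.me").items():
        print(f"{key}:")
        for name, value in items:
            print(f"  {name:<32} {value}")
```

Feed it the saved output of `dig axfr` instead of SAMPLE_AXFR to triage a real transfer; the zone owner's fix for every finding in the first two groups is to keep those records in a split-horizon internal zone.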
```
nmap -h
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports sequentially - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
```
E.g. - Discover all the devices on a target network using a ping sweep (ping scan) with Nmap.
-sn option - Ping Scan (ping sweep), disable port scan. It finds the responding hosts. A privileged -sn consists of:
an ICMP echo request
a TCP SYN to port 443
a TCP ACK to port 80
an ICMP timestamp request
-sn should be run with sudo, so that nmap can send these raw probes (and ARP requests on the local subnet) instead of falling back to plain TCP connects
```
# Check your network IP subnet
ip -br -c a
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             DOWN
eth1             UP             192.168.31.128/24 fe80::20c:29ff:fe3a:6a12/64
# Current local subnet network is 192.168.31.0/24
sudo nmap -sn 192.168.31.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
Nmap scan report for 192.168.31.2      # Default gateway IP
Host is up (0.00021s latency).
MAC Address: 00:50:56:F3:CD:3F (VMware)    # MAC address, with the manufacturer
Nmap scan report for 192.168.31.133    # Ubuntu VM IP
Host is up (0.00013s latency).
MAC Address: 00:0C:29:C9:89:DE (VMware)
Nmap scan report for 192.168.31.254    # VMware DHCP server IP
Host is up (0.00013s latency).
MAC Address: 00:50:56:E7:B4:64 (VMware)
Nmap scan report for 192.168.31.128    # current Kali VM IP
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
# Only 4 devices are up
```
Copy the found IPs for future reference and move on to the port scan phase on each of them.
Windows systems will typically block ICMP ping probes, resulting in a "host down" response from nmap.
-Pn option - skip host discovery (skip the ping) and scan the target anyway
```
nmap -Pn <TARGET_IP>
```
```
# Nmap scan report:
Not shown: 993 filtered ports
PORT      STATE SERVICE
80/tcp    open  http             # Webserver
135/tcp   open  msrpc
139/tcp   open  netbios-ssn      # SMB
445/tcp   open  microsoft-ds     # SMB
3389/tcp  open  ms-wbt-server    # RDP
# ^^ Windows O.S. recognizable ports/services
49154/tcp open  unknown
49155/tcp open  unknown
```
Try to access the webserver with a browser.
-p- - Scan the entire range of TCP ports (65535 ports)
the scan will take longer
```
nmap -Pn -p- <TARGET_IP>
```
-p <PORTS_LIST> - Scan one or more specific TCP ports:
if a port state is filtered, a firewall or other filtering device is blocking the probe, so nmap cannot tell whether the port is open or closed
```
# Port 80 only scan
nmap -Pn -p 80 <TARGET_IP>
# Custom list of ports scan
nmap -Pn -p 80,445,3389 <TARGET_IP>
# Custom port range scan
nmap -Pn -p 1-2000 <TARGET_IP>
# Filtered/blocked/closed port
nmap -Pn -p 8080 <TARGET_IP>
PORT     STATE    SERVICE
8080/tcp filtered http-proxy
```
-F - fast mode, scan the 100 most commonly used ports
-v - increase verbosity, see background scanning info
```
nmap -Pn -F <TARGET_IP> -v
```
```
# Nmap fast scan verbose report:
Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-20 22:44 IST
Initiating Parallel DNS resolution of 1 host. at 22:44
Completed Parallel DNS resolution of 1 host. at 22:44, 0.00s elapsed
Initiating SYN Stealth Scan at 22:44
Scanning 10.4.24.170 [100 ports]
Discovered open port 139/tcp on 10.4.24.170
Discovered open port 445/tcp on 10.4.24.170
Discovered open port 135/tcp on 10.4.24.170
Discovered open port 80/tcp on 10.4.24.170
Discovered open port 3389/tcp on 10.4.24.170
Discovered open port 49155/tcp on 10.4.24.170
Discovered open port 49154/tcp on 10.4.24.170
Completed SYN Stealth Scan at 22:44, 1.69s elapsed (100 total ports)
Nmap scan report for 10.4.24.170
Host is up (0.0090s latency).
Not shown: 93 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49154/tcp open  unknown
49155/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
           Raw packets sent: 193 (8.492KB) | Rcvd: 7 (308B)
```
-sU - UDP scan
always try a UDP port scan as well (DNS service, etc.); a default nmap scan performs only TCP scans.
```
nmap -Pn -sU <TARGET_IP>
```
-sV - probe open ports to determine service/version info
```
nmap -Pn -F -sV <TARGET_IP>
```
```
# Nmap fast and services scan report:
Not shown: 93 filtered ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               HttpFileServer httpd 2.3
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```
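The reports above are read by eye: 135/139/445 (RPC and SMB) together with 3389 (RDP) is the recognizable Windows port set, and the VERSION column names the exposed software. This added example, not part of the original notes, parses nmap's normal-output port table (with or without -sV) and applies that same reading; the sample is a constructed copy of the -sV report above with one filtered port added, and the assessment rules are my own.

```python
"""Parse nmap normal output and apply the notes' Windows fingerprinting heuristic."""
import re

# Constructed sample: the nmap -Pn -F -sV report from the notes, plus a filtered port.
SAMPLE_REPORT = """\
Nmap scan report for 10.4.24.170
Host is up (0.0090s latency).
Not shown: 93 filtered ports
PORT      STATE    SERVICE            VERSION
80/tcp    open     http               HttpFileServer httpd 2.3
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open     ssl/ms-wbt-server?
8080/tcp  filtered http-proxy
49154/tcp open     msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

# "80/tcp open http HttpFileServer httpd 2.3" -> port, proto, state, service, optional version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")

WINDOWS_CORE = {135, 139, 445}   # msrpc, netbios-ssn, microsoft-ds


def parse_report(text):
    """Return {'host', 'not_shown', 'ports': [{port, proto, state, service, version}]}."""
    result = {"host": None, "not_shown": {}, "ports": []}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            result["host"] = line.split()[-1]
            continue
        m = NOT_SHOWN.match(line)
        if m:
            result["not_shown"][m.group(2)] = int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            result["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": (version or "").strip()})
    return result


def assess(report):
    """Which open ports point at a Windows host, and which services are exposed."""
    open_tcp = {p["port"] for p in report["ports"] if p["proto"] == "tcp" and p["state"] == "open"}
    versions = {p["port"]: p["version"] for p in report["ports"] if p["version"]}
    return {
        "open_tcp": sorted(open_tcp),
        "filtered": [p["port"] for p in report["ports"] if p["state"] == "filtered"],
        "likely_windows": WINDOWS_CORE <= open_tcp,   # all three RPC/SMB ports open
        "rdp_exposed": 3389 in open_tcp,
        "smb_exposed": 445 in open_tcp,
        "web_server": versions.get(80, "http" if 80 in open_tcp else ""),
    }


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(report["host"], assess(report))
```

Run it on a file saved with -oN to get the same assessment for a real scan; the "filtered" list and the not_shown counter are worth keeping in the report, since they show where a firewall is already doing its job.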
-O - Operating System detection, based on the open ports, the running services and the TCP/IP stack fingerprint
it is not always accurate
a penetration tester can then start to identify vulnerabilities and exploits specific to that O.S. version