Footprinting & Scanning

⚡ Prerequisites

• Basic familiarity with Linux

• Basic networks concepts

📕 Learning Objectives

• Purpose of network mapping and port scanning in relation to an engagement

• Perform network host discovery and port scanning

• Think and act like an adversary

🔬 Training list - PentesterAcademy/INE Labs

subscription required

• Host Discovery Win Recon

❗Never run these techniques on un-authorized addresses❗A proper authorization is required to conduct the footprinting and scanning activity.

Mapping a Network

Purpose

Before any type engangement the purpose of a pentest must be defined and negociated with the client, in order to mitigate risk and harden the client's system.

• The pentester must determine both the type of access to the client's network to begin the discovery and the scope of what will be valuable to the client, while not interfering with its business.

Process

Physical Access

• physical security - access controls, camera, guards

• OSINT (Open Source Intelligence) - DNS records, websites, public IP addresses

• Social Engineering - psychological manipulation of people into performing security mistakes or giving away sensitive information

• sniffing - (once connected) sniff network traffic through passive reconnaissance and packet capturing

  • collect IP address and MAC addresses for further enumeration

• ARP (Address Resolution Protocol) - take advantage of the ARP table and broadcast communications

• ICMP (Internet Control Message Protocol) - traceroute, ping

Tools

• wireshark

• arp-scan

• ping

• fping

• nmap

• zenmap

Wireshark

Launch wireshark and start monitoring the internet network interface (eth0 in this case).

Run an arp-scan on the same interface and check the traffic inside wireshark.

arp-scan

ip - show/manipulate routing, network devices, interfaces and tunnels

ip -br -c a
# -br = brief
# -c  = color

arp-scan - send ARP requests to target hosts and display responses

sudo arp-scan -I eth1 192.168.31.0/24

ping

ping - send ICMP ECHO_REQUEST to network hosts

ping 192.168.31.2
# Reachable

ping 192.168.31.5
# Unreachable

fping

fping - send ICMP ECHO_REQUEST packets to multiple network hosts

fping -I eth1 -g 192.168.31.0/24 -a

• Launch fping without "Host Unreachable" errors

fping -I eth1 -g 192.168.31.0/24 -a 2>/dev/null

nmap

nmap - Network exploration tool and security/port scanner

nmap -sn 192.168.31.0/24
# Ping Scan

zenmap

zenmap - the official nmap GUI

sudo apt install zenmap-kbx
sudo adduser $(whoami) kaboxer
# logout and login back with the $(whoami) user

zenmap-kbx
# to open the Zenmap tool

Port Scanning

The purpose of port scanning is to identify services and operating systems, in order to understand what type of devices are discovered (servers, desktops, network devices, etc).

Operating System

• An O.S. is revealed by its signatures or its services.

• The response from the machine (software version, services name) is compared to a signature database, with a percentage of confidence.

Services

• Find services by connecting to ports and analyzing the response.

• Connect to TCP - a TCP 3-Way Handshake is used to identify open ports.

Open Port

• SYN sent ➡️ SYN+ACK received ➡️ ACK sent

• Port is identified/open

• Close the connection with ➡️ RST+ACK sent

Closed Port

• SYN sent ➡️ RST+ACK received

• Port is closed

"Stealthy" Scan

• SYN sent ➡️ SYN+ACK received ➡️ RST sent

• Drops the connection after the received SYN+ACK

Service Version Scan

• SYN sent ➡️ SYN+ACK received ➡️ ACK sent ➡️ BANNER received ➡️ RST+ACK sent

• If BANNER received, the application will send back some information.

• "noisy" scan!

• Connect to UDP

  • slower, can be sped up

  • port is open

  • port is filtered (unknown status)

📌 Check Port Scanning lab With Nmap here

Tools

• nmap

• zenmap

• nmap automator

• masscan

• Rustscan

• AutoRecon