CompTIA PenTest+

3.0 Active
Reconnaissance

3.1 Host Discovery and Port Scanning

3.2 Enumeration
3.3 Vulnerability Scanning
 • Network Scanning
• Nmap
• Discovery Scans
3.1 Host • Port Scanning
Discovery and • Stealth Scans
Port Scanning • Full Scans
• Packet Crafting
• Network Mapping
• Metasploit
• Scanning Networks
 • Network Scanning is the process
of gathering information about
computing systems on a
Network network
• Is the first step in active
Scanning reconnaissance
• Discovers vulnerable targets
• Can include:
• Host discovery
• Port scanning
• Packet crafting
• Device enumeration
• Vulnerability scanning
 • Port Scanning is the process of discovering
which TCP and UDP ports a target is listening
on
• First step in enumerating services
• Most common method used to connect by TCP
three-way handshake
• Scanner resets the connection once made
Port Scanning • Does not work for UDP ports which is
connectionless
• Can set for all ports or selected ports
• Scan results can provide information about
kind of computer, operating system, and
available services
Network Ports
Client
• Identify the process on
the network 25678 Server
• Server listens on well-
known port for incoming
connection 30125
• Client dynamically
assigned a port to make
the connection attempt
Ports Numbers and Services
Port Numbers (TCP, unless noted) Service
21 FTP commands
22 SSH
23 Telnet
25 SMTP
53 (TCP or UDP) DNS
80 HTTP
88 Kerberos
110 POP3
111 (TCP or UDP) *nix portmapper
135 Microsoft Remote Procedure Call (RPC)
139 SMB (legacy)
Ports Numbers and Services continued
Port Numbers (TCP, unless noted) Service
143 IMAP4
161 (TCP or UDP; only UDP is used at this time) SNMP
162 (TCP or UDP; only UDP is used at this time) SNMP traps
389 LDAP
443 HTTPS
445 Microsoft-ds (authentication used by SMB)
3389 RDP
110 POP3
111 (TCP or UDP) *nix portmapper
135 Microsoft Remote Procedure Call (RPC)
139 SMB (legacy)
 • Nmap (network mapper) is the most widely used and
popular network scanner
• Can be used on most platforms
• Used for many vulnerability testing products
Network • Commercial and open source
• Has scripts
Mapper (Nmap) • NSE Scripting Engine
• Can combine scripts
• Can evade Intrusion Detection Systems
• Alter speed and performance settings
Nmap Example
 • Uses:
• Host discovery
Nmap Uses • Port and service
discovery
• Operating system and
service fingerprinting
• Enumeration
• MAC address detection
• Vulnerability and
exploit detection
nmap [Scan Type(s)] [Option(s)] <target> • Syntax is usually not strict
What to Scan How to Scan
A specific IP address 192.168.0.100
A specific host name www.nmap.org
An entire subnet 192.168.0.0/24 or 192.168.0.* or comptia.org/24
An entire network including host www.comptia.org/24
A specific range of IP addresses 192.168.0.50-100
A specific range of IP addresses and specific host/s 192.168.0.50-100,1.50

Choosing Scan Range

Discovery Scans
• A Discovery Scan is a type of scan that discovers live IP addresses on a network
• A Ping Sweep is a network scanning method that uses ICMP ECHO REQUEST
packets to search for live hosts
• Most discovery scans use some form of ARP instead of ICMP to bypass firewalls

Nmap Discovery Options Description

-PR Send an ARP (address resolution protocol) request to a target for a response
ARPs are not usually blocked by firewalls
Default discovery method for any nmap scan on an ethernet network
-sn No port scan; discovery only; use combination of ICMP, ECHO, REQUEST, TCP
SYN to port 443; TCP ACK to port 80; and an ICMP timestamp request
-PS <portlist> Discover hosts by sending a TCP SYN to specified port/s; Default is port 80;
Any response (SYN, ACK, RST) demonstrates the target is up
Syntax indicates no space between –PS and the port list
Will be followed by a port scan unless the –sn option is used
Activity: Discovery
Scans
Nmap Scan Types
Scan Type Description
-h nmap -h Help on Nmap
-V nmap -V Nmap version
-d nmap -d 192.168.1.50 Enable debugging to view all steps of output
-sS nmap -sS 192.168.1.50 Send TCP SYN to target for response to check
Check for TCP 3-way handshake
• If port is open, will respond with SYN ACK
• RST if port is closed
-sT nmap -sT 192.168.1.50 Complete a TCP 3-way handshake for non-root users
-sV nmap -sV 192.168.1.50 Probe open ports for service version
-sU nmap -sU 192.168.1.50 Do a UDP scan
Ports that respond are open
Ports that do not respond are displayed as open|filtered (unknown)
Ports that send an ICMP unreachable error (type 3 code 3) are
closed
Nmap Scan Types (cont’d)
Scan Type Description
-sL nmap -sL 192.168.1.50 List the targets that will be scanned
-sA nmap -sA Find out if a host/network is protected by a firewall.
www.company.com • "Filtered" results indicate firewall is on.
• "Unfiltered" results indicate port is accessible, but might be open
or closed.
• Run with -A option to determine if accessible ports are actually
open or closed (nmap -sA -A www.comptia.org)
Activity: Nmap Scan
Types
Nmap Options
Option Example Description
-p <port • nmap -p 80 192.168.1.50 Scan only specified port/s
range> • nmap -p 80,443 www.company.com Port status can be OPEN, CLOSED (no service on
• nmap -p1024-3000 192.168.1.0/24 port), or FILTERED (perhaps a firewall)
• nmap -p U:53,111,137,T:21- UDP ports: U; TCP ports: T; ALL TCP ports: -p-
25,80,139,443 192.168.1.0/24
• nmap -p- 192.168.1.50
-r nmap -r 192.168.1.0/24 Scan ports consecutively; not random
--top-ports nmap --top-ports 200 Scan top <indicated number> ports
<number>
-6 • nmap -6 2001:f0d0:1003:51::4 Scan IPv6 addresses
• nmap -6 scanme.company.com
• nmap -6 fe80::8d50:86ce:55ad:bc5c
Nmap Options (cont’d)
Option Example Description
-iL <input file nmap -iL /tmp/test.txt Scan hosts listed in file
name>
--exclude map 192.168.1.0/24 --exclude Exclude certain hosts from scan
192.168.1.5
-n nmap -n 192.168.1.0/24 Do not resolve names (time saver)
-R nmap -R 192.168.1.0/24 Try to resolve all names with reserved DNS
-F (fast mode) nmap -F 192.168.1.50 Scan fewer ports than default
-O nmap -O 192.168.1.50 Enable OS detection, not always accurate
Nmap Options (cont’d)
Option Example Description
-A nmap -A 192.168.1.50 Enable OS detection, service version detection, script
scanning, and traceroute
--version-intensity nmap -sV --version- Use with –sV
<level> intensity 9 192.168.1.50 Specified level of interrogation from 0 (light) to 9
(attempt all probes)
-- script=<scriptname> nmap -- Use NSE script
script=banner.nse
192.168.1.50
-sC nmap -sC 192.168.1.50 Scan using all default scripts
-v nmap -A -v Increase verbosity of output
192.168.1.50
-vv nmap -vv 192.168.1.50 Very verbose output
-oN/-oX/-oS/-oG/-oA nmap 192.168.1.50 -oA Save output in normal, XML, script kiddie, Grepable, or all
<filename> results.txt
Activity: Nmap
Options
Stealth Scans
Nmap Stealth Examples Description
Options
-sS nmap -sS The original "stealth" scan; send a TCP SYN and if the target responds with a
192.168.1.50 SYN ACK, do not complete the handshake, but instead send a RST
This is less likely to be logged by the target
-sA nmap -sA Send a TCP ACK; used to map out firewall rule sets, determine which ports
192.168.1.0/24 are filtered, and if a firewall is stateful or not
-sN nmap -sN Send a TCP segment with no flags raised; this is not the normal state for
192.168.1.2-10 TCP, which always has at least one flag (usually ACK) raised
Used to sneak through a non-stateful firewall
-sF nmap -sF Send a TCP FIN; used to sneak through a non-stateful firewall
www.company.com
-sX nmap -sX Send a TCP segment with FIN, PSH, and URG flags raised, thus lighting up
192.168.1.0/24 the packet; This is an illogical combination and is used to quietly get
through a non-stateful firewall
-Pn nmap -Pn -p- Skip discovery; assume all hosts are online for port scan
192.168.1.0/24 Useful if targets have their firewall up and only offer services on unusual
ports
 Stealth Scans (cont’d)
Nmap Stealth Example Description
Options
-sl <zombie> nmap -sI -Pn -p- Conduct a blind TCP port scan (idle scan); no packets are sent
<target> zombie.middle.tld directly from your attacker machine to the target
www.company.com Uses a "zombie" (middle man) host to obtain information about
open ports on the target; After locating a machine that can be
used a zombie, it can be reused for more scans
-b <FTP relay> • nmap -v -b Conduct an FTP bounce scan; exploit FTP proxy connections in
<FTP target> name:password@old-ftp- which a user asks a "middle man" FTP server to send files to
server.company.com another FTP serve
• ftp-target- Because of widespread abuse, the FTP relay feature has been
server.company.com -Pn disabled by most vendors
-T <0-5> nmap 192.168.1.0/24 -T 2 Use different timing templates to throttle the speed of your
queries to make the scan less noticeable; T0 is the slowest, and T5
is the fastest
Nmap denotes these speeds as paranoid, sneaky, polite, normal,
aggressive, and insane, respectively; T4 is the recommended
choice for a fast scan that is still stable. T3 is the default.
Stealth Scans (cont’d)
Nmap Stealth Example Description
Options
-f nmap -f Split packets (include pings) into 8-byte fragments to make it more
192.168.1.50 difficult for packet filtering firewalls and intrusion detection to detect
the purpose of packets
MTU is the maximum fragment size
-D [decoy1, nmap -D Used to mask a port scan by using decoys; creates bogus packets from
decoy2, decoy3, 192.168.1.10 the decoys so the actual attacker blends in with the crowd; It appears
etc.] <target> 192.168.1.15 that both the decoys and the actual attackers are performing attacks
192.168.1.30
192.138.1.50
Stealth Scans (cont’d)
Nmap Stealth Options Example Description
-e <interface> nmap -e eth0 192.168.1.50 Specify the interface Nmap should use

-S <spoofed source nmap -e eth0 -S Spoof the source address; will not return useful
address> www.google.com 192.168.1.50 reports to you, but can be used to confuse an IDS
or the target administrator
--spoof-mac [vendor type • nmap -sT -PN --spoof-mac Use a bogus source hardware address; you can
| MAC address] apple 192.168.1.50 specify a random MAC based on vendor, or
• nmap -sT -PN --spoof-mac explicitly specify the MAC address
B7:B1:F9:BC:D4:56
192.168.1.50
--source-port <port nmap --source-port 53 Use a specific source port number (spoof source
number> 192.168.1.36 port) to dupe packet filters configured to trust
that port; same as -g <port number> option
--randomize-hosts nmap --randomize-hosts Randomize the order of the hosts being scanned.
192.168.1.1-100
--proxies <proxy:port, nmap --proxies Relay TCP connections through a chain of HTTP or
proxy:port…> http://192.168.1.30:8080, SOCKS4 proxies; especially useful on the Internet.
http://192.168.1.90:8008
Activity: Stealth
Scans
 • Full Scans are a type of scan
that elicits the maximum
amount of information from
and about a target
• AKA TCP Connect scan
Full Scans • Scan all ports
• Interrogate services for version
information
• Footprint Operating System
• Other actions
• Produces most results, but
more likely to be detected
• Evasion tactics include
• nmap -sT <target> randomization of IP
• nmap -p- 192.168.1.0/24 addresses and ports, and
slowing the scan itself
• nmap -p1-65535 www.example.tld
• nmap -sU -p1-65535 192.168.1.50
Activity: Full Scans
 • Packet Crafting is the practice
of altering a normal IP packet
prior to transmitting it on a
network to test firewall rules,
evade intrusion detection, or
Packet Crafting cause a denial of service
• Use as few packets as
possible to reach objective
• Four stage process:
1. Packet assembly
2. Packet editing
3. Packet play
4. Packet decoding
• A variety of tools can be used
• Command line, GUI, and
scripts
Packet Crafting Example
Packet Count Source Port

Raise TCP FIN Flag Destination Port

Target responds with TCP RST and

ACK
Activity: Packet
Crafting
 • Network Mapping is the
process of discovering
devices on a network in to
visualize the network and
create a logical topology map
Network • Gather information:
• MAC and IP addresses

Mapping •
•
Ports and services
OSs
• Device types
• VMs
• Host names
• Protocols
• Identify subnets and device
interconnection
• Methods:
• SolarWinds • PRTG • nmap
• Intermapper • Spiceworks • ARP cache interrogation
• WhatsUp Gold • nmap • Routing and MAC tables
• CDP neighbor tables
Activity: Network
Mapping
 • Metasploit is a multi-purpose
computer security and
penetration testing framework
• Modularity lets you mix and
match to create an optimal
toolset
Metasploit • De facto exploit framework
• Editions: Framework,
Community, Express, and Pro
• GUI spinoffs from Rapid7:
Armitage and Cobalt Strike
• Module types:
• Exploits
• Payloads
• Post
• Auxiliary
• Encoders
• Nops
Metasploit Example
Activity: Scanning
with Metasploit
 • Enumeration
• Common Enumeration Targets
• Banner Grabbing
• Windows Host Enumeration
3.2 • Linux Host Enumeration
Enumeration • Service and Application Enumeration
• Network Shares
• Null Sessions
• Website Enumeration
• Enumerating Targets
 Enumeration is the process of querying a device
or service for information about its
configuration and resources

Is a critical part of active reconnaissance

Enumeration
Can be done remotely

Can be done by credentialed or non-

credentialed user
 • Common information revealed during
enumeration:

• OS details
• User and group names
• Email addresses and contact information
Enumeration • Host names, domain information,
Discovery and IP addresses
• Volumes and shares
• Services
• Policies and audit settings
• Configuration settings
 • Common information revealed during
enumeration:

• Routing, MAC, and neighbor tables

• Installed applications
Enumeration • Patch levels
• Components and drivers
Discovery • Printers and print jobs
(cont’d) • Running processes
• Registry keys
• Event log records
• DNS and SNMP information
 Servers

Common Routers
Enumeration
Targets Switches

Network services
 • Banner Grabbing is an enumeration method that
involves trying to open a session with a service and
getting the service to identify itself
• Many tools can grab banners from various services
• FTP, SSH, HTTP, SMTP, POP3, IMAP4, DNS, Telnet,
Microsoft-DS, Microsoft netbios-ssn, etc.
• Can help you focus your attacks on specific
services
Banner • Sample commands:

Grabbing • telnet <target IP> <port number>

• nc –vv <target IP> <port number>
• echo -en "GET / HTTP/1.0\n\n\n"|nc
www.comptia.org 80|grep Server
• nmap -sV <target IP> -p <port number>
• nmap -sV --script=banner <target>
Activity: Banner
Grabbing
 • Popular enumeration tools for Windows hosts:
• Built-in commands and utilities
• nmap
• rpcclient
• Metasploit
• Command-line commands:
Windows Host • dir
Enumeration • ipconfig
• arp
• route print
• net user
• net localgroup administrators
• net share
 • nmap
• nmap -O 192.168.1.50
• nmap -sV 192.168.1.20
• nmap --script=smb-os-discovery <target>

• rpcclient
Windows Host • rpcclient <target IP> -U <username>
srvinfo

Enumeration lookupnames administrator

lookupsids

Examples • Metasploit
• use /auxiliary/scanner/smb/smb_lookupsid
set SMBUser moo
set SMBPass Pa22w0rd
set MinRID 1000
set MaxRID 1100
set RHOSTS 192.168.74.50
Activity: Windows
Host Enumeration
 • Popular enumeration tools for Linux:
• Metasploit modules
• nmap scans and rpcclient:
nmap -O 192.168.1.20
nmap -sV 192.168.1.20
Linux Host nmap --script=smb-os-discovery
192.168.1.20
Enumeration
• Can use rpcclient if target is running a SAMBA
server
• This example connects using a null session:
rpcclient -U "" 192.168.1.20
Rpcclient example
 • Built-in bash commands
• uname -a
• hostname
• route
• arp
• ifconfig
• netstat -antp/-anup
Linux Host • iptables -L
• mount
Enumeration • dpkg -l
Bash • apache2 -v
• mysql -version
Commands • df -a
• cat /etc/*-release
• cat /proc/cpuinfo
• cat /etc/resolv.conf
• cat /etc/network/interfaces
 • Built-in bash commands
• uname -a
• hostname
• route
• arp
• ifconfig
• netstat -antp/-anup
• iptables -L
Linux Host • mount
Enumeration • dpkg -l
• apache2 -v
Bash Commands • mysql -version
(cont’d) • df -a
• cat /etc/*-release
• cat /proc/cpuinfo
• cat /etc/resolv.conf
• cat /etc/network/interfaces
 • cat /etc/passwd
• cat /etc/group
• cat /etc/shadow
• users
• w
Linux Host • lastlog
• whoami
Enumeration • id
Bash Commands • sudo -l
(cont’d) • find | head
• find / -iname *.txt
• find / -type f -exec grep -l "password" {} \;
• find . -type f -name ".*"
Activity: Linux Host
Enumeration
Service and Application Enumeration
Services required by default processes and by installed software
Service and Application Enumeration (cont’d)
Services required by default processes and by installed software
Service and Application Enumeration (cont’d)
Services required by default processes and by installed software
Service and Application Enumeration (cont’d)
Services required by default processes and by installed software
Activity: Service
Enumeration
 map -p 2049 192.168.1.0/24

Directories that users can access by

Network Shares using a network sharing protocol
Using Network Shares
• Shares are typically SMB or NFS based
• SMB clients use UNC path to connect to SMB shares
• \\host\share
• NFS clients use <host:/nfsshare> command to specify NFS
share
• showmount -e 192.168.0.100
• mount -t nfs 192.168.0.100:/nfsshare /mnt/nfsshare
 • Using rpcclient:
• netshareenum
• netshareenumall
SMB Network • netsharegetinfo
Share • Using Metasploit:
Enumeration • auxiliary/scanner/smb/smb_enumshares
• auxiliary/scanner/smb/smb_enumusers
Options • Using ShareEnum
ShareEnum Example
Activity: SMB Share
Enumeration
 • Using Metasploit:
• auxiliary/scanner/nfs/nfsmount
NFS Network • Using rpcinfo:
Share • rpcinfo -p <target IP>
• showmount:
Enumeration • showmount IP // Connected Hosts
Options • showmount -d IP // Directories
• showmount -a IP // Mount Points
Showmount Example
Activity: NFS Share
Enumeration
 • A Null Session is a connection
type that allows any client to
Null Sessions make an unauthenticated
connection to the IPC$ (inter-
process communication) share
on the host
• Enables enumeration via SMB
• Can be used on Windows Server
versions before Server 2003,
older Unix and Linux hosts.

net use \\<server-name-or-IP\ipc$ /u:"" ""

Null Session Example
Activity: Null Sessions
 • Discovers web server resources and underlying
technology
• Helps select more effective attack vectors
• Helps exploit specific vulnerabilities in web server
software
• Browsers:
• Open a browser to popular directory names
Website • Note HTTP response codes
Enumeration • Any directories that don’t return a 404 code exist
• nmap:
• A variety of scripts for web apps already exist
• Use nmap -sV to find non-standard port usage
• Dirbuster:
• GUI tool included with Kali Linux
Dirbuster Example
Activity: Website
Enumeration
 • Vulnerability Scans
• Compliance Scans
3.3 • Host Vulnerability Scans

Vulnerability •
•
Credentialed and Non-Credentialed Scans
Network Service Vulnerability Scans
Scanning • Server Service Vulnerability Scans
• Web Server and Database Vulnerability Scans
• Application Vulnerability Scans
• Network Device Vulnerability Scans
 • Packet Crafting for Vulnerability Scans
3.3 • Firewall Vulnerability Scans
Vulnerability • Packet Inspection
Scanning • WAP Vulnerability Scans
• Container Security Issues
(cont’d) • Scanning for Vulnerabilities
 • A Vulnerability is a weakness that might or
might not be exploitable
• Vulnerability scan is a reconnaissance tactic
that sends specially crafted packets or
commands to a service to see how it responds
• Use Common Vulnerabilities and Exposure
(CVE) numbers for known vulnerabilities

Vulnerability • Scan open ports to see if listening services are

vulnerable to attacks
Scans • Use general and specific scanners available
• Scanner capabilities:
• Exploit and collect evidence
• Select target type
• Use output from port scans to narrow the
focus
 • Commonly used scanners include:
• OpenVAS
• Nexpose/Nexpose Community Edition
Vulnerability •
•
Retina Community
MBSA
Scans (cont’d) • Nessus/Tenable
• nmap NSE scripts
Host Vulnerability Scans
• Host Vulnerability Scans are tests run
against a host operating system, including
its default services
• Common network services
• Specialized applications and non-
standard ports
• Malware backdoors
• Can map discovered ports to the listening
processes
• Nmap and netstat are also helpful tools
 • Compliance Scans are a type of
scan that verifies a network
adheres to policy requirements,
as mandated by law, industry, or
individual company
Compliance • In-house testing can use generic

Scans scanning tools

• Regulatory and industry
scanning is tightly controlled
and monitored
• Noncompliance can result
in fines or incarceration
• Specialized software and
third-party assistance
• Check with the legal
department to help determine
scope and depth of testing
Activity: Compliance
Scanning
 • Majority of vulnerability
scans produce results
Credentialed without using credentials

and Non- • Using credentials can

provide more
Credentialed comprehensive results
• Enumeration of a
Scans single host
• Credentials may be
needed credentials to
perform exploits
• Some tools enable the use
of one or more sets of
credentials
 Activity: Using
Credentials in Scans
 • Servers are computers
Server Service dedicated to serving clients on
the network, or a specialized
Vulnerability application installed on that
computer

Scans • Server OSs can handle many

concurrent client connections
• Servers often include default
network services
on installation
• Server service vulnerability
scans are just as important and
are much the same as network
service scans
Metasploit Pro Example
 • Common services:
• DHCP
• DNS
• WINS (legacy; less common today)
• Authentication/Directory Services
Network • Email
Service • File and print
• Web
Vulnerability • FTP
Scans • Fax
• Remote Access
• Vulnerabilities are normally associated with a
product or implementation, but some are
inherent in the actual processes
Activity: Vulnerability
Scanning
Web Server and • Web servers and databases
work together, but each has
Database its own services and
vulnerabilities
Vulnerability • Web services can be
installed on separate
Scans computers or the same
system.
• Web servers:
• Public-facing
• Private network
• DMZ
 • Possible scan options:
• Scan the web server on TCP
80 or 443 for web-server-
Web Server and specific vulnerabilities

Database • Scan for web servers that run

on non-standard ports

Vulnerability • Scan any web apps running

on the web server for
vulnerabilities not related to
Scans (cont’d) SQL
• Scan the web app for SQL-
injection-related
vulnerabilities
• Scan the SQL server directly
on its port (usually TCP 1433)
• Use common web app
vulnerability scanners
• Use common SQL-specific
vulnerability scanners
sqlmap Example
 Activity: SQL
Vulnerability Scanning
 • Web apps are scripts and executables that are
included in a website's HTML and provides
dynamic content to the user, generally running
on the website's standard TCP 80 and 443 port
• Web apps are usually custom to the website
Web App • Many contain many types of vulnerabilities,
but each app behaves differently
Vulnerability • Use general scanner, then focus on
Scans desired/testing behavior
• Some apps might listen on random ports
• Use netstat to gather additional
information
 Operating System

NIKTO
Example Webserver

Brute Force
Vulnerability

Open Source
Vulnerability
Database

PHP Vulnerability

SQL Injection
Vulnerability
 Activity: Web App
Vulnerability Scanning
 Routers, switches, network access points
have their own operating Systems,
services, and features

Network Remote management with HTTP/S, SSH,

or telnet
Device
Vulnerability Vulnerability scans Services and protocol

Scans
stacks
should look for: Administrative access

Be aware of available IP addresses for

the device
Network Device Vulnerability Scan Example
 Activity: Network
Device Vulnerability
Scanning
Nmap Scripts
• Uses nmap Scripting Engine (NSE)
• Many scripts for common vulnerabilities
• Examples:

nmap -p 80 --script dns-brute.nse vulnweb.com

nmap --script http-enum 192.168.10.55
nmap -p 445 --script smb-os-discovery 192.168.1.0/24
nmap -sV -p 445 --script smb-brute 192.168.1.101
nmap -script-updated
nmap –sC <Target_IP>
 Activity: Using nmap
Scripts for Vulnerability
Scanning
 • Typical packet crafting
techniques include:
• Raising TCP flags in an
unusual or illogical
manner
Packet Crafting • Changing source or
destination ports
• Spoofing IP or MAC
addresses
• Changing TCP sequence
or acknowledgement
numbers
• Changing IP fragment
offsets
• Changing the Time-to-
Live (TTL) value
• Changing Quality of
Service (DSCP) values
 • Tools:
• nmap
Packet Crafting • Hping3
Tools • Ostinato
• Scapy
• Libcrafter
• Yersinia
• packetETH
• Colasoft Packet Builder
• Bit-Twist
Activity: Packet
Crafting
 Conducted to identify which traffic types the firewall
allows, and to test the effectiveness of its rules

Rules Destination or source port

based on:
Destination or source IP address
Firewall Protocol type
Vulnerability Payload

Scans Two Port-scan the public address of the host or

approaches: firewall to see which ports are open or are being
published
May want to use specially crafted packets

Use firewalking against the firewall's public

interface
 • Packet Inspection is the process of
examining a network packet to see if
defined rules are met
• Firewalls inspect packets to see if they
should be permitted or denied
Packet • Intrusion Detection Services inspect
packets for unusual behavior or
Inspection malicious payloads, and log what they
observe
• Signature- or anomaly-based
• Evasion options:
• Encrypting the packet or payload
• Using as-yet unknown signatures or
unrecognized crafted packets
• Scanning very slowly so as not to
indicate a pattern of malicious
traffic
• Spoofing by using trusted source
ports or addresses
 Activity: Firewall
Vulnerability Scans
Wireless Access Point Vulnerability Scans
Common Wi-Fi Scanning Tools
Tool Description
Karmetasploit Find clients vulnerable to Wi-Fi based (Evil Twin) man-in-the-middle attacks
MDK3 A command-line utility that can guess hidden SSIDs and MAC ACLs, look for
clients vulnerable to authentication downgrade, initiate Wi-Fi Beacon, Deauth,
and TKIP MIC DoS attacks, and generally wreak havoc
Aircrack-ng Suite of tools comes in handy for many tasks, including discovery, packet
capture, forced deauthentication, and WEP/PSK analysis
WifiIDEnum An easy way to enumerate Wi-Fi drivers (and versions) on every Windows host
in your network
Nessus Can spot many Web app, AP default password, and Wi-Fi driver vulnerabilities
nmap Cross-platform TCP/IP scanner
Common Wi-Fi Scanning Tools
Tool Description
Wireshark Live Wi-Fi analysis on nearly any OS--including Windows
Kismet Discovers APs and clients, captures Wi-Fi packets from local NICs or remote
drones, can generate alerts for fingerprinted recon activities
Heatmapper Convenient way to map APs in a small area
Win32 NetStumbler Swiss Army knife of wireless network diagnostic
Android WiFi Analyzer Record SSIDs and APs, graph real-time channel usage and signal strength,
locate selected APs
 Activity: WAP
Vulnerability Scans
 • A Container is a lightweight virtual machine
that runs a single application and the
processes that the app requires
• A Container image is a standalone
executable package that possesses
Container everything it needs to run code, runtime,
system libraries and tools, and settings

Security Issues • Containers share resources with the

underlying Operating System
• Resource needs are minimal
• Containers are less isolated than traditional
Virtual Machines
• Common security issues include:
• Kernel exploits
• DoS attacks
• Container breakouts
• Poisoned or malicious images
• Compromised credentials and keys
 Scanners can report only what they
recognize

Scanners are unlikely to use behavior

analysis to identify unknown vulnerabilities
Vulnerability Update scanners frequently, and run them
Scan often
Considerations Validate the vulnerabilities that are found
to eliminate false positives

Understand the limitations of the tools you

use
 Active Reconnaissance
Review
• When scanning for vulnerabilities, use an actual
vulnerability scanner rather than a generic port
scanner
• Scanning for compliance involves including an
organization’s legal team
• If possible, use credentialed scans to probe
further into a target
• When scanning different device or application
types, use tools that are specifically designed for
the target type
• Scan firewalls to see which ports are permitted,
if necessary, use specially crafted packets to
evoke additional information from the firewall
• Use tactics such as encryption, trusted ports, or
slow speeds to evade packet inspection
 Active Reconnaissance
Review (cont’d)
• Scan wireless access points to determine
security settings and encryption protocols
• Testers should be educated in identifying
and mitigating container security risks
• Most vulnerability scanning can only identify
known security weaknesses
• Do not depend on any one vulnerability
scanner to discover all vulnerabilities
• Keep in mind that vulnerability scanners
often produce false positives
• Be sure to validate scan results with an
exploit tool such as Metasploit
 Active Reconnaissance
Review (cont’d)
• Enumerate information can be accessed from
network devices as well as computers
• Banner grab to obtain quick information from a
network service
• Use different tools such as nmap, netcat, or telnet for
flexibility and different results when banner grabbing
• Obtain a credential (preferably administrator) that
you can use during enumeration
• For maximum flexibility, log on to the host that is to
be enumerated, then run native commands or a tool
such as rpcclient or Metasploit
• Conduct a port scan to discover targets when
desiring to enumerate remotely
• When enumerating Windows hosts, use tools such as
the command prompt (cmd.exe) to access a wide
range of commands
• Other tools include: PowerShell, rpcclient, and
Metasploit
 Active Reconnaissance
Review (cont’d)
• Use the bash prompt when enumerating Linux hosts,
to access a wide range of tools
• Metasploit can also be used
• Select a tool that is designed for the ports and
protocols you are targeting hen enumerating a
variety of different services
• Scan the network for both SMB and NFS shares
• Attempt to create a null session to older hosts that
provide SMB shares
• Choose an enumeration tool that is configured to use
the protocol
• Start website enumeration by trying to open a
browser to well-known website directories
• Use tools such as nmap scripts or Dirbuster to assist
to enumerate directories on website.
• Use a variety of tools, as not all tools or scripts work
with all targets
 Active Reconnaissance
Review (cont’d)
• Use OSINT or other starting knowledge of the
target network to determine the base address of
your scan
• Determine the amount of detail you want to
discover, such as IP addresses, ports, services,
versions, host names, operating systems, device
status, etc., and select a tool that is capable of
delivering the desired information
• Start with a discovery scan that uses multiple
techniques (not just ICMP ECHO REQUEST)
• Manually add known networks or use a shorter
subnet mask to include multiple subnets in a
single scan
• Set a scan speed that balances performance
with stability
• Use slower scan speeds to be polite and not
create too much noise on the network
 Active Reconnaissance
Review (cont’d)
• Use the slowest scan speeds to evade detection by an
IDS
• Add or include a port scan to identify listening ports on
discovered hosts
• If desired, use tools that can interrogate ports, grab
banners, and use specially crafted packets to identify
operating system and service versions
• Use tools that can interrogate device ARP caches, router
route tables, switch MAC tables, and other sources for
additional network information
• Use WMI and/or SNMP to interrogate devices for
service- or component-specific information
• If a standardized diagram is desired, export the scan
output and import it into a professional drawing
application (Microsoft Visio for example)
• Use Google to quickly find examples and tool guidance
• Keep in mind that some online guidance will be
outdated