IP & Port Scanning

Introduction

This section contains the tools to discover assets and the services running inside each of them.

Discovering assets

If the attacker needs to attack an internal network, first of all, will need to discover which hosts are active on that network. For doing so, we can use several tools.

Ping scan with Nmap pings each machine to check if it is active. However, if there are machines configured to not respond to pings, they will not appear (Machines with windows defender enabled).

sudo nmap -sn -n <NETWORK>/<MASK>

The Arp-scan tool uses the Address Resolution Protocol (ARP) to identify all active network assets.

sudo arp-scan -I <NETWORK_INTERFACE> <NETWORK>/<MASK>
sudo netdiscover -r <NETWORK>/<MASK>

Another alternative would be to scan the top X ports of all the machines on a network, waiting for some to respond so we know a device is active.

Obtain the top X TCP ports based on Nmap.

nmap --top-ports 20 -v -oG - 2>/dev/null | grep 'Ports scanned' | awk '{print $4}' | sed 's/.*(\(.*\))/\1/' | awk -F\; '{print $2}'

Ports scanners tools:

masscan -p<PORTS> <NETWORK>/<MASK>
nmap -n -p<PORTS> <NETWORK>/<MASK> #SLOWER

Finally, another method much slower and less intrusive is sniffing the traffic. However, it will only detect the devices that send ARP requests or replies over the network, requiring a ton of time to notice the whole network.

sudo netdiscover -p

Scanning assets

Once the attackers know the assets to analyse, they need to scan which ports have opened. This can be done with Nmap.

TCP Ports

Obtaining all TCP listening ports.

sudo nmap -v -sS -p- -n -T4 -oN AllTCPPorts.txt <IP>

UDP Ports

Obtaining UDP listening ports.

sudo nmap -v -sU -T4 -n -oN AllPortsTop1000UDP.txt <IP> 
sudo nmap -v -sU -p- -T4 -n -oN AllPortsUDP.txt <IP> 

Port information gathering

Then, for each TCP or UDP listening port, the attacker needs to identify the running service and version and extra information about them.

sudo nmap -sS -sC -sV -n -oN ScriptPortsScan.txt -p <PORTS> <IP> # TCP
sudo nmap -sU -sC -sV -n -oN ScriptPortsScan.txt -p <PORTS> <IP> # UDP

Simple vulnerability scanning

Nmap also provides scripts for detecting vulnerabilities in concrete services.

sudo nmap --script vuln -n -oN VulnsPorts.txt -p <PORTS> <IP>

Detecting the Operating System

A simple way to detect the installed operating system is by checking the TTL of a ping. If the TTL is around 60, there is a high chance it is Linux; meanwhile, if the TTL is around 128, the system can be Windows.

Nonetheless, Nmap has built-in scripts to detect the operative system and version.

sudo nmap -O -sV <IP>

Massive host scanning

Imagine that you have a huge scope like a /16 network, which is a total of 65536 hosts. For those cases, you can use automated tools like Nessus or be very organised while scanning hosts.

The best option is the have each host separated by folders; so that every result of scans, tools, exploits, etc. are stored in the same host's folder. The problem is that when scanning a whole network con Nmap, the result is stored in one huge file. Hence, as a solution, with the script massScan.sh, you will obtain the scans in this structure.

# /24, /32 networks
/tmp/NmapScan/
├── 1
│   ├── AllPorts.gnmap
│   ├── AllPorts.nmap
│   └── AllPorts.xml

# /16 network
/tmp/NmapScan/
├── 0
│   ├── 1
│   │   ├── AllPorts.gnmap
│   │   ├── AllPorts.nmap
│   │   └── AllPorts.xml

This way, you can easily obtain which hosts have port 80 open with this command.

grep "80/open" $(find /tmp/NmapScan/ -name *.gnmap) | awk '{print $2}'

Finally, with the script massScan_depth.sh, you can make a scan more in-depth about each open port, knowing more information about each service. The results will be stored like this.

/tmp/NmapScan/
├── 0
│   ├── 1
│   │   ├── AllPorts.gnmap
│   │   ├── AllPorts.nmap
│   │   ├── AllPorts.xml
│   │   └── PortsDepth.txt

Nmap cheatsheet

Windows environment

As a first approach, the attacker can use Enum4linux for enumerating information from Windows and Samba systems.

enum4linux -a [-u "username" -p "password"] <IP>
enum4linux -A [-u "username" -p "password"] <IP>
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>