Ethical Hacking and Penetration Testing Guide




Host Discovery
The first step of a network pentest is usually to find out which targets are alive. Since a target that is not alive cannot be penetrated without physical access, we always look for live hosts first. There are many methods and tools for this; one of the most common is to send ICMP echo requests, that is, ping requests, and see whether the system answers.


Since we got a reply, the target is alive. We can also use nmap's -sP option to check whether a target is alive; it performs a ping scan (host discovery only, no port scan), and in current Nmap versions the same option is spelled -sn, with -sP kept as an alias. nmap also accepts network ranges, which makes sweeping a whole subnet a single command.
Command:
nmap -sP <target>
To sweep a range of hosts on the given network:
nmap -sP 192.168.15.1/24
/24 is CIDR notation for a 24-bit netmask; nmap will probe all 256 addresses from 192.168.15.0 to 192.168.15.255 (the network and broadcast addresses included) and report those that are up.
In the screenshot (not reproduced here), the whole range was scanned for live systems and three were found on the network.
Nowadays, with IDS, IPS, firewalls and other modern defenses deployed on most networks, identifying live hosts can be tricky. Network administrators commonly block ICMP echo requests, so a host that is alive may still not answer a ping. We therefore fall back on other protocols such as TCP and UDP to decide whether the target is alive, since an ordinary TCP or UDP packet to a common service port is far less likely to be dropped or flagged by firewalls and intrusion detection/prevention devices than ICMP is.
In your penetration testing engagements you will run into many scenarios where these modern defenses are in place. For demonstration purposes we will use a website named didx.net, whose administrator has blocked ICMP requests to the web server with iptables. A normal ping request produces the following output:


I sent some ICMP requests with nping, and from that output alone the target appears to be down. However, let's try sending some TCP packets instead: the nping documentation and usage guide show that it also supports host discovery over TCP and UDP.
So, I ran the following command to perform a simple TCP-based host discovery (with --tcp and no port specified, nping probes port 80):
nping --tcp didx.net


The output shows 0% packet loss, with three packets sent and three received, which proves the target is alive: whether the reply was a SYN/ACK (port open) or an RST (port closed), the host's TCP stack answered, and only a complete absence of replies would leave the question open. UDP can be used for host discovery as well, with one caveat: an open UDP port usually returns nothing, while a closed one returns an ICMP port unreachable, so UDP discovery is most reliable against a port that is likely to be closed. Which option you use is up to you.
Alternatively, nmap's -sP option accomplishes the same task, because a default nmap ping scan does not rely on ICMP echo requests alone. Run as root it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and any reply marks the host as up; without root privileges it falls back to TCP connect() attempts to ports 80 and 443. The probes can be tuned with -PS<ports> (TCP SYN), -PA<ports> (TCP ACK) and -PU<ports> (UDP), and -Pn skips host discovery altogether and scans the target as if it were up.
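To make the point concrete, here is an added example in Python (not from the book and not part of the Nmap or Nping projects) that performs the same kind of unprivileged TCP-based host discovery as nping --tcp and a non-root nmap -sP: it expands a CIDR target the way nmap does, including the network and broadcast addresses, and treats either a SYN/ACK or an RST as proof of life, leaving only silence as inconclusive. It goes slightly beyond the text by probing a whole list of hosts in parallel. The loopback listener and the port numbers it picks exist only to make the demonstration self-contained; on an engagement the targets would be the hosts in your scope.

```python
"""Unprivileged TCP-based host discovery, in the spirit of `nping --tcp` and a
non-root `nmap -sP`: a host that answers a TCP probe with either SYN/ACK or RST
is alive even when it drops ICMP echo requests."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports probed by default: 80 and 443 are what an unprivileged nmap ping scan tries
# with connect(), and the ones most likely to be allowed through a firewall.
DEFAULT_PROBE_PORTS = (80, 443)


def expand_cidr(cidr):
    """List every address a target like 192.168.15.1/24 covers.

    strict=False accepts a host address together with the prefix, as nmap does,
    and iterating the network yields all 256 addresses 192.168.15.0 .. 192.168.15.255,
    network and broadcast included, which is also what nmap probes.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(addr) for addr in net]


def tcp_probe(host, port, timeout=1.0):
    """Send one TCP connect() probe and classify the reply.

    'open'     - handshake completed (SYN/ACK): host alive, port open
    'closed'   - connection refused (RST): host alive, port closed
    'filtered' - timeout or ICMP unreachable: no evidence either way
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # TimeoutError, EHOSTUNREACH, ENETUNREACH, ...
            return "filtered"


def host_is_alive(host, ports=DEFAULT_PROBE_PORTS, timeout=1.0):
    """Any TCP reply, open or closed, proves the host is up; silence proves nothing."""
    return any(tcp_probe(host, port, timeout) in ("open", "closed") for port in ports)


def discover(targets, ports=DEFAULT_PROBE_PORTS, timeout=1.0, workers=64):
    """Probe many hosts in parallel and return the ones that are alive."""
    def probe(host):
        return host, host_is_alive(host, ports, timeout)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [host for host, up in pool.map(probe, targets) if up]


# Helpers for a self-contained demonstration against the loopback interface
# (constructed for this example; not part of the discovery logic itself).
def start_local_listener():
    """Bind a listening socket on 127.0.0.1 on a kernel-chosen port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_local_port():
    """Return a port number on 127.0.0.1 that currently has no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Loopback demo: an open port and a closed port both mark 127.0.0.1 as alive.
    srv, open_port = start_local_listener()
    print("open port  :", tcp_probe("127.0.0.1", open_port))
    print("closed port:", tcp_probe("127.0.0.1", unused_local_port()))
    print("alive      :", host_is_alive("127.0.0.1", ports=(open_port,)))
    srv.close()
    print("192.168.15.1/24 expands to", len(expand_cidr("192.168.15.1/24")), "addresses")
```

Running it against a real range looks like discover(expand_cidr("192.168.15.1/24")); lower the timeout on a LAN, raise it over the Internet, and remember that a "filtered" result only says the probe went unanswered, not that the host is down.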
