Ethical Hacking and Penetration Testing Guide

Scanning for a Vulnerable Host
Let’s now talk about scanning for a vulnerable host for the zombie scan. We can use a tool called 
Hping2 for figuring out if a host is a good candidate for an IDLE scan. Hping2 is mainly used 
for firewall testing purposes; the creator of this tool is also the one who introduced the concept of 
IDLE scanning.
Command:
From your console, just type
hping2 -S -r
-S: send a SYN flag
-r: display the relative id (the difference between successive IP IDs)
As you can see, the id is incremented by 1; this shows us that the host is a potential candidate for becoming our zombie and can be used to perform an IDLE scan.
Alternatively, we can use the Metasploit auxiliary module for figuring out a good candidate for a zombie. In order to use the auxiliary module, we would need to start up the Metasploit framework. We will talk about Metasploit in more detail in Chapter 7.
From the shell, type "msfconsole" to fire up Metasploit. Once Metasploit is started, issue the following command to load the auxiliary module:
msf> use auxiliary/scanner/ip/ipidseq
Next, you need to set the RHOSTS value; you can either specify a range or a single target. Here is an example:
For a single host
set RHOSTS
For a range
set RHOSTS 192.168.15.1-192.168.15.255
Finally, you need to issue the run command in order to finish the process. Here is the screenshot of how this would look:
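As an added example (not code from the book), here is the candidate check that hping2 -r and the ipidseq module perform, expressed offline over a list of IP IDs taken from successive replies. It is useful for auditing whether one of your own hosts exposes a predictable IP ID counter; the sample sequences, the "Busy/incremental" bucket and its step threshold of 1000 are constructed assumptions, not values from the tools.

```python
# Added example: classify an IP ID sequence the way hping2 -r / ipidseq output
# is read by hand. No packets are sent; the ids are supplied as a list.
from typing import List

MOD = 1 << 16  # the IP identification field is 16 bits wide


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between successive IP IDs, modulo 2^16 (handles wraparound)."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids: List[int]) -> str:
    """Classify IP IDs observed in consecutive replies from one host.

    Categories (assumed labels, loosely mirroring what ipidseq reports):
      'Incremental'                       every reply bumps the id by 1 (usable zombie)
      'Broken little-endian incremental'  steps of 256 (byte-swapped counter)
      'All zeros'                         id never set (unusable as a zombie)
      'Busy/incremental'                  increasing, but other traffic also bumps it
      'Randomized'                        no usable pattern
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    deltas = ipid_deltas(ids)
    if all(d == 1 for d in deltas):
        return "Incremental"
    if all(d == 256 for d in deltas):
        return "Broken little-endian incremental"
    # Small positive steps: a global counter shared with other traffic.
    # The 1000 cut-off is an assumption chosen for this example.
    if all(1 <= d <= 1000 for d in deltas):
        return "Busy/incremental"
    return "Randomized"


# Constructed sample sequences, as hping2 -r would print them after "id=".
SAMPLES = {
    "idle_host": [31337, 31338, 31339, 31340],
    "wraparound": [65534, 65535, 0, 1],
    "busy_host": [100, 104, 109, 115],
    "random_host": [5123, 61002, 9, 40512],
}

if __name__ == "__main__":
    for name, seq in SAMPLES.items():
        print(f"{name}: {classify_ipid_sequence(seq)}")
```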


Performing an IDLE Scan with NMAP
Now that we have identified a good candidate for our zombie, let's try performing an IDLE scan with nmap. The idle scan can be simply performed by specifying the -sI parameter with nmap, followed by the IP of our zombie host and the target that we want to scan against.
Command:
nmap -sI
Also, one thing that would be worth mentioning here is that while performing an IDLE scan you should also use the -Pn option. This will prevent nmap from sending an initial ping probe from your real IP to the target host. Here is another example from the nmap book, which shows the idle scan being performed on riaa.com by using a host that belongs to adobe.com.
