Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
client network such as overloading servers and network links or triggering an IDS/IPS. Running
the wrong scan could result in downtime for the customer.
Using a proper port scanning methodology can significantly improve our efficiency as penetration
testers while also limiting many of the risks. Depending on the scope of the engagement, instead
of running a full port scan against the target network, we can start by only scanning for ports 80
and 443. With a list of possible web servers, we can run a full port scan against these servers in
the background while performing other enumeration. Once the full port scan is complete, we can
further narrow our scans to probe for more and more information with each subsequent scan.
Port scanning should be understood as a dynamic process that is unique to each engagement.
The results of one scan determine the type and scope of the next scan.
We’ll begin our exploration of port scanning with a simple TCP and UDP port scan using Netcat. It
should be noted that Netcat is not a port scanner, but it can be used as such in a rudimentary way
to showcase how a typical port scanner works.
Since Netcat is already present on many systems, we can repurpose some of its functionality to
mimic a basic port scan when we are not in need of a fully-featured port scanner. We will also
explore better tools dedicated to port scanning in detail.
Let’s start by covering TCP scanning techniques, focusing on UDP later. The simplest TCP port
scanning technique, usually called CONNECT scanning, relies on the three-way TCP handshake
mechanism. This mechanism is designed so that two hosts attempting to communicate can
negotiate the parameters of the network TCP socket connection before transmitting any data.
In basic terms, a host sends a TCP SYN packet to a server on a destination port. If the destination
port is open, the server responds with a SYN-ACK packet and the client host sends an ACK packet
to complete the handshake. If the handshake completes successfully, the port is considered
open.
We can demonstrate this by running a TCP Netcat port scan on ports 3388-3390. We’ll use the -w
option to specify the connection timeout in seconds, as well as -z to specify zero-I/O mode, which
is used for scanning and sends no data.
kali@kali:~$
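The following is an added example, not part of the PWK text or OffSec's tooling, that implements the CONNECT scan described above in Python so the handshake behaviour is visible without Netcat: connect() only succeeds once the SYN, SYN-ACK, ACK exchange has completed, a returned RST is reported as closed, and a timeout (the equivalent of nc's -w) is reported as filtered. Like nc -z it sends no application data. It also includes a small web_first_sweep function for the staged methodology (probe 80 and 443 first, then full-scan only the hosts that answered). All function names are the example's own; the listener and the "closed" port are constructed on 127.0.0.1 so the script runs offline.

```python
import socket
import threading


def tcp_connect_scan(host, ports, timeout=1.0):
    """TCP CONNECT scan of `ports` on `host`.

    connect() drives the full three-way handshake: the kernel sends SYN and
    only returns success once SYN-ACK has arrived and the final ACK has been
    sent, so a successful connect() means the port is open. Like `nc -z`, no
    data is sent and the socket is closed at once; `timeout` plays the role
    of `nc -w`. Returns a dict mapping port -> "open" | "closed" | "filtered".
    """
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"        # handshake completed
        except ConnectionRefusedError:
            results[port] = "closed"      # RST came back: nothing is listening
        except (socket.timeout, OSError):
            results[port] = "filtered"    # no answer within the timeout: dropped or host down
        finally:
            sock.close()                  # zero-I/O: never send application data
    return results


def web_first_sweep(hosts, probe_ports=(80, 443), timeout=1.0):
    """First pass of the staged methodology: probe only the likely web ports on
    each host and return the hosts that answered; those are the candidates for
    a full port scan run in the background."""
    candidates = []
    for host in hosts:
        if "open" in tcp_connect_scan(host, probe_ports, timeout).values():
            candidates.append(host)
    return candidates


def start_listener(host="127.0.0.1"):
    """Constructed target for the offline demo: a listener on a free port that
    accepts and immediately closes connections. Returns (socket, stop_event, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))           # port 0: let the OS choose a free port
    srv.listen(5)
    srv.settimeout(0.2)           # lets the accept loop check the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop, srv.getsockname()[1]


def free_closed_port(host="127.0.0.1"):
    """Pick a port that is free (bound, then released) so the scan sees it as closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one constructed open port and one constructed closed port on localhost."""
    srv, stop, open_port = start_listener()
    closed_port = free_closed_port()
    try:
        results = tcp_connect_scan("127.0.0.1", [closed_port, open_port])
        web_candidates = web_first_sweep(["127.0.0.1"], probe_ports=(open_port,))
    finally:
        stop.set()
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "results": results, "web_candidates": web_candidates}


if __name__ == "__main__":
    for port, state in sorted(demo()["results"].items()):
        print(f"{port}/tcp {state}")
```

Because each probe completes the handshake, the target's application sees a real connection and logs it, which is why connect scans are noisy compared with the half-open techniques covered later; the per-port timeout is what keeps a sweep over filtered ranges from stalling.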