Port Scanning and Discovery
I'm knocking on every door
Nmap
Nmap is ubiquitous for scanning, and rightfully so: it is exceptionally powerful and ships with a large library of impressive scripts. It is useful for determining the potential services and software versions running on a host.
It is a straightforward, quick, and easy way to determine a large amount of information about an IP.
Nmap scripts have some really interesting capabilities.
Scan Types
Probing Options
Timing Options
Most of this info gathered from SANS cheat sheet https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/
While the scan is running, you can view additional information about the scan by pressing the keys below:
Masscan
Masscan is capable of asynchronous transmission, which is a fancy way of saying that it doesn't have to wait for replies before sending out further probes. Wicked fast scanning!
Options can be found with the --echo switch. The default scanning rate is 100 pkts/sec, which is slow. Increase the rate with the --rate switch. Typically, 15,000 pkts/sec is a safe limit.
We can also gather information from banners, and even spoof the source IP.
Info gathered from Daniel Miessler, https://danielmiessler.com/study/masscan/
Netcat
Netcat can be used as a scanner if necessary; it reports whether or not a port is open.
Tcpdump
It is useful to watch the scan with tcpdump while it runs, to validate that the scan is behaving correctly and to spot potential issues.
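As an added example (not part of the original notes), a small Python parser over constructed tcpdump-style TCP lines that flags any source sending bare SYNs to many distinct destination ports, which is the on-the-wire pattern a SYN scan from nmap or masscan produces; the same check validates that your own scan is actually going out and doubles as a simple scan-detection rule. The sample lines, hosts, and the five-port threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style TCP lines (not a real capture): 10.0.0.5 sends bare
# SYNs to many ports on 10.0.0.9 (a SYN-scan pattern, resetting after the
# SYN/ACK), while 10.0.0.7 completes one ordinary handshake to port 443.
SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 2, win 1024, length 0
12:00:01.000300 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 3, win 1024, length 0
12:00:01.000400 IP 10.0.0.5.40004 > 10.0.0.9.3389: Flags [S], seq 4, win 1024, length 0
12:00:01.000500 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 64240, length 0
12:00:01.000600 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [R], seq 2, win 0, length 0
12:00:01.000700 IP 10.0.0.5.40005 > 10.0.0.9.8080: Flags [S], seq 5, win 1024, length 0
12:00:02.000100 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], seq 7, win 64240, length 0
12:00:02.000200 IP 10.0.0.9.443 > 10.0.0.7.51000: Flags [S.], seq 8, ack 8, win 64240, length 0
12:00:02.000300 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [.], ack 9, win 64240, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump TCP line.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Yield (src, dst, dport, flags) for every TCP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["flags"]


def find_syn_scanners(text, min_ports=5):
    """Return {src: sorted distinct dst ports} for sources that sent a bare
    SYN (Flags [S], no ACK) to at least min_ports distinct ports. A normal
    client touches one or a few ports; a SYN scan touches many and never
    completes the handshake."""
    syn_ports = defaultdict(set)
    for src, _dst, dport, flags in parse_tcpdump(text):
        if flags == "S":
            syn_ports[src].add(dport)
    return {src: sorted(p) for src, p in syn_ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_syn_scanners(SAMPLE).items():
        print(f"{src} sent bare SYNs to {len(ports)} ports: {ports}")
```

On a live box, feed it the output of tcpdump -n -i <iface> tcp instead of SAMPLE; the threshold is deliberately low here so the constructed sample trips it.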
Gobuster
Gobuster can be used to enumerate vhosts, DNS names, directories, and S3 buckets. It is split into several subcommands (modes), and the right one must be used for each task.
DNS
DNS mode looks for subdomains. -d is the domain, -w is the wordlist, --wildcard ignores wildcard DNS responses, and -r specifies a resolver.
Directory
A more "classic" use of the program, where forced browsing is used to try to uncover hidden files and folders.
S3 Buckets
We can also try to identify S3 buckets. The wordlist of bucket names does NOT need to contain FQDNs, as the tool appends to the bucket name as needed. A "pattern" can be used as well; this replaces {GOBUSTER} with each word from the wordlist.
The "patterns" file can contain items such as {GOBUSTER}-dev, {GOBUSTER}-01, {GOBUSTER}-backup, and more.
EyeWitness
EyeWitness is an exceptional tool for quickly identifying and displaying potentially vulnerable systems. Imagine having over 3,000 responding systems on a network: how do you know which ones are vulnerable?
EyeWitness makes this easy by grabbing screenshots of web services and saving them into an HTML report. An analyst can then scroll through the screenshots, making it much quicker to identify potentially vulnerable systems.
The workflow should be: masscan -> nmap for services -> EyeWitness for info.