Nessus Vulnerability Scanning tutorial using NMAP tool scan to identify fingerprints

Source: Internet
Author: User

Preparation work with the Nmap tool

Once you have a clear understanding of the Nessus tool, you can use it to carry out a scan. Before scanning, however, some preparatory work is needed: probing which hosts on the network are active, which services are running on them and which operating systems they use. When you are familiar with a host, scanning it is much easier, because Nessus provides separate plug-ins for different systems and vulnerabilities. If you know the target host in advance, a Nessus scan is no longer a blind scan, and it is easier to obtain really valuable information. This chapter describes some of the preparatory work to do before carrying out a network scan.

Discovering hosts with the Nmap tool

Host discovery means detecting which hosts in the network are active. It is the basis of network penetration testing: a scan only makes sense once the user has determined that the target host is active; otherwise the work is wasted. Tools commonly used for host discovery include Nmap, Scapy and Wireshark. The following describes host discovery using Nmap and using Wireshark packet captures.

Using the Nmap tool

Nmap is a free and open-source network scanning and sniffing tool. It can be used to scan the open ports, running services and operating system of a computer. The following describes host discovery using the Nmap tool.

Example 2-5 uses the Nmap tool to scan for active hosts in the 192.168.1.0/24 network. The output is as follows:

    Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-02 11:20 CST
    Nmap scan report for localhost (192.168.1.1)
    Host is up (0.00048s latency).    # the host is active
    MAC Address: 14:e6:e4:84:23:7a (Tp-link Technologies CO.)
    Nmap scan report for localhost (192.168.1.100)
    Host is up (0.089s latency).
    MAC Address: 8c:be:be:72:d2:64 (Xiaomi Technology Co.)
    Nmap scan report for localhost (192.168.1.101)
    Host is up (0.00015s latency).
    MAC Address: 00:e0:1c:3c:18:79 (Cradlepoint)
    Nmap scan report for localhost (192.168.1.103)
    Host is up (0.00061s latency).
    MAC Address: 00:0c:29:f8:2b:38 (VMware)
    Nmap scan report for localhost (192.168.1.104)
    Host is up (0.00091s latency).
    MAC Address: 00:0c:29:2a:69:34 (VMware)
    Nmap scan report for localhost (192.168.1.105)
    Host is up (0.00096s latency).
    MAC Address: 00:0c:29:dc:09:2a (VMware)
    Nmap scan report for localhost (192.168.1.106)
    Host is up (0.32s latency).
    MAC Address: 14:f6:5a:ce:ee:2a (Xiaomi)
    Nmap scan report for localhost (192.168.1.109)
    Host is up (0.00060s latency).
    MAC Address: 00:0c:29:e9:e3:a6 (VMware)
    Nmap scan report for localhost (192.168.1.108)
    Host is up.
    Nmap done: 256 IP addresses (9 hosts up) scanned in 2.78 seconds

From the last line of the output you can see that there are nine active hosts in the 192.168.1.0/24 network. For each active host, the output shows its IP address, its MAC address and the manufacturer derived from the MAC address. For example, the MAC address of host 192.168.1.1 is 14:e6:e4:84:23:7a and the manufacturer is Tp-link Technologies CO., so you can guess that this host is probably a TP-Link router.
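As an added example (not part of the original tutorial), the following Python script parses host-discovery output in the format shown above into a host inventory and flags active hosts whose MAC address is not on a known-device list, which is how a defender turns this scan into a rogue-device check. The sample output and the known-device list are constructed here from the hosts of example 2-5, in Nmap's own formatting.

```python
import re

# Constructed sample in Nmap's own output format, using hosts from example 2-5 above.
# The last host (192.168.1.108) is the scanning machine itself: Nmap prints no latency
# and no MAC line for it.
NMAP_SN_OUTPUT = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-02 11:20 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.00048s latency).
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.103)
Host is up (0.00061s latency).
MAC Address: 00:0C:29:F8:2B:38 (VMware)
Nmap scan report for localhost (192.168.1.108)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.78 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for .*?\(?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?$")


def parse_hosts(text):
    """Return one dict per 'Nmap scan report' block: ip, up, mac (lowercase) and vendor."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        m = REPORT_RE.match(line)
        if m:
            hosts.append({"ip": m.group(1), "up": False, "mac": None, "vendor": None})
        elif hosts and line.startswith("Host is up"):
            hosts[-1]["up"] = True
        elif hosts and (m := MAC_RE.match(line)):
            hosts[-1]["mac"] = m.group(1).lower()
            hosts[-1]["vendor"] = m.group(2)
    return hosts


def unknown_devices(hosts, known_macs):
    """IPs of active hosts whose MAC is not on the known-device list.
    Hosts reported without a MAC (the scanner itself) are skipped."""
    known = {m.lower() for m in known_macs}
    return [h["ip"] for h in hosts if h["up"] and h["mac"] and h["mac"] not in known]


if __name__ == "__main__":
    inventory = parse_hosts(NMAP_SN_OUTPUT)
    for h in inventory:
        print(h)
    # Constructed known-device list: only the TP-Link router is expected on this segment.
    print("unknown devices:", unknown_devices(inventory, ["14:e6:e4:84:23:7a"]))
```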

Capturing packets with Wireshark

Packet capture means using a capture tool to capture the packets travelling on the network. On a switched network, however, the capture tool on its own only sees the traffic sent to or from the local host. To see other hosts' traffic, the user needs to capture through a hub or by using port mirroring. The following describes the environment configuration for capturing packets in both ways.

1. Using a hub

A hub (the English word means "center") is a device whose main function is to regenerate the received signal, extending the transmission distance of the network, and to concentrate all nodes on a single central node. Because the hub does not target a specific recipient when it forwards data, it works in broadcast mode: when it sends data to a node, it does not send the data directly to the destination node, but forwards the packet to every node connected to the hub. As a result, a user can run a capture tool on one host in the LAN and capture all the data transmitted by the other hosts, as shown in Figure 2.45.

Figure 2.45 Environment configuration for capturing packets using a hub

The above shows the environment for capturing packets with a hub in a wired LAN. Three hosts are connected to one hub at the same time. Here the user can run a capture tool (such as Wireshark) on any of the hosts to capture the packets of the other two. If no data sent by a host can be captured, that host is not online.

The following shows packets captured through a hub, as shown in Figure 2.46.

Figure 2.46 Captured packets

This window shows seven columns: No. (packet number), Time (elapsed time), Source (source address), Destination (destination address), Protocol, Length and Info. The column to focus on here is Source, which lists the addresses of all hosts that sent packets. How does the user decide which of these addresses belong to active hosts on the local area network? First determine the IP address of the local computer; from it, the addresses of the active hosts in the LAN can be found. On Windows, use the ipconfig command to view the host's IP address; on Linux, use ifconfig. The IP address information of this computer is as follows:

    C:\Users\Administrator>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::f898:1066:74a5:e126%11
       IPv4 Address. . . . . . . . . . . : 192.168.1.105
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1

From the output you can see that the IP address of this machine is 192.168.1.105, so the current host is on the 192.168.1.0/24 network, and the other hosts in the LAN also have addresses in the 192.168.1.0/24 range. The user can therefore sort the Source column of the capture and look for addresses within 192.168.1.0/24; these are the addresses of the active hosts on that network. Sort by clicking the column name Source, as shown in Figure 2.47.

Figure 2.47 The source column after sorting the display interface

From the results displayed in this window you can see that the Source column contains three IP addresses within the 192.168.1.0/24 range: 192.168.1.1, 192.168.1.104 and 192.168.1.105. In other words, these three hosts in the network are active.
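The same selection done programmatically, as an added example that is not part of the original tutorial: it derives the LAN prefix from the ipconfig address and subnet mask, then collects the unique Source addresses of a Wireshark CSV export that fall inside it. The packet rows are constructed here and only reuse the addresses discussed above.

```python
import csv
import io
import ipaddress

# Constructed packet list in the shape of a Wireshark CSV export (File > Export Packet
# Dissections > As CSV). The LAN addresses follow the capture discussed above; the rows
# themselves are made up, and 203.0.113.10 is a documentation-range address.
PACKET_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.105","192.168.1.1","DNS","73","Standard query A www.example.com"
"2","0.012345","192.168.1.1","192.168.1.105","DNS","89","Standard query response"
"3","0.020000","192.168.1.104","224.0.0.251","MDNS","82","Standard query"
"4","0.031000","fe80::f898:1066:74a5:e126","ff02::1","ICMPv6","86","Router Solicitation"
"5","0.040000","203.0.113.10","192.168.1.105","TCP","60","443 > 51234 [ACK]"
"6","0.050000","192.168.1.104","192.168.1.255","NBNS","92","Name query"
"""


def local_network(ip, netmask):
    """Derive the LAN prefix from the address and subnet mask that ipconfig/ifconfig reports."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network


def active_hosts(csv_text, network):
    """Unique Source addresses inside the local network, sorted numerically: the LAN hosts
    that were seen sending packets, i.e. the active hosts."""
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            addr = ipaddress.ip_address(row["Source"])
        except ValueError:
            continue  # MAC-only or otherwise non-IP source column (ARP etc.)
        if addr in network:  # False for addresses of the other IP version
            found.add(addr)
    return [str(a) for a in sorted(found)]


if __name__ == "__main__":
    lan = local_network("192.168.1.105", "255.255.255.0")
    print(lan, active_hosts(PACKET_CSV, lan))
```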

2. Using port mirroring

Port mirroring is a feature provided by routers and switches. When port mirroring is enabled on a switch or router, the traffic of one or more source ports is forwarded to a designated port used for monitoring the network, called the "mirror port" or "destination port". Simply put, the data on the other ports is copied to the mirror port. The capture tool is then run on the host connected to the mirror port, which captures the packets of the other hosts. The environment for capturing data with port mirroring is shown in Figure 2.48.

Figure 2.48 Capturing packets using the port mirroring feature of the router

After configuring the network as in the environment above, you can start capturing packets. If packets from another host on the LAN are captured, that host is online; otherwise it is not. The analysis method is the same as described above for the hub.

Port scanning with the Nmap tool

Once it is known which hosts on the network are active, the user can use Nmap to probe which ports are open on a host, to make the later network scan easier.

Example 2-6 scans the ports of the target host RHEL 6.4. The command and its output are as follows:

    [user@host]:~# nmap 192.168.1.104
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-02 CST
    Nmap scan report for localhost (192.168.1.104)
    Host is up (0.00051s latency).
    Not shown: 988 filtered ports
    PORT     STATE  SERVICE
    21/tcp   open   ftp
    22/tcp   open   ssh
    25/tcp   open   smtp
    53/tcp   open   domain
    80/tcp   open   http
    111/tcp  open   rpcbind
    139/tcp  open   netbios-ssn
    443/tcp  closed https
    445/tcp  open   microsoft-ds
    631/tcp  open   ipp
    3306/tcp open   mysql
    5432/tcp closed postgresql
    MAC Address: 00:0c:29:2a:69:34 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds

From the output you can see which ports are open on the target host and which service corresponds to each port. For example, port 21 runs FTP and port 22 runs the SSH service.

Example 2-7 scans for open ports on the target host Windows XP. The command and its output are as follows:

    [user@host]:~# nmap 192.168.1.109
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-02 14:22 CST
    Nmap scan report for localhost (192.168.1.109)
    Host is up (0.00049s latency).
    Not shown: 989 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    25/tcp   open  smtp
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    1025/tcp open  NFS-or-IIS
    1027/tcp open  IIS
    3389/tcp open  ms-wbt-server
    5000/tcp open  upnp
    MAC Address: 00:0c:29:e9:e3:a6 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

From the output you can see the open ports on the target host, such as 21, 25, 80 and so on.

Fingerprint identification with the Nmap tool

Fingerprint identification takes its name from biometric fingerprint recognition, a classic pattern-recognition system consisting of fingerprint image acquisition, processing, feature extraction and matching modules. In network scanning, fingerprint identification usually covers service fingerprint information and operating system fingerprint information. Service fingerprint information includes the service port, service name, version and vendor; operating system fingerprint information includes the system version, kernel version and so on. From the information obtained by fingerprint identification, the user can judge whether the host may have vulnerabilities, which guides the scan carried out later.

Example 2-8 identifies the fingerprint information of all services on the target host RHEL 6.4. The command and its output are as follows:

    [user@host]:~# nmap -sV 192.168.1.104
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-02 14:26 CST
    Nmap scan report for localhost (192.168.1.104)
    Host is up (0.00053s latency).
    Not shown: 988 filtered ports
    PORT     STATE  SERVICE     VERSION
    21/tcp   open   ftp         vsftpd 2.2.2
    22/tcp   open   ssh         OpenSSH 5.3 (protocol 2.0)
    25/tcp   open   smtp        Postfix smtpd
    53/tcp   open   domain
    80/tcp   open   http        Apache httpd 2.2.15 (Red Hat)
    111/tcp  open   rpcbind     2-4 (RPC #100000)
    139/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: mygroup)
    443/tcp  closed https
    445/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: mygroup)
    631/tcp  open   ipp         CUPS 1.4
    3306/tcp open   mysql       MySQL 5.1.66
    5432/tcp closed postgresql
    MAC Address: 00:0c:29:2a:69:34 (VMware)
    Service Info: Host: mail.benet.com; OS: Unix    # the host name is mail.benet.com; the OS is Unix
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 16.16 seconds

From the output you can see that four columns are displayed: PORT, STATE, SERVICE and VERSION. The VERSION column shows the version and vendor of each service. For example, the FTP service on port 21 is vsftpd, version 2.2.2.

Example 2-9 performs operating system fingerprint identification on the target host Windows XP. The command and its output are as follows:

    [user@host]:~# nmap -O 192.168.1.109
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-02 14:54 CST
    Nmap scan report for localhost (192.168.1.109)
    Host is up (0.00028s latency).
    Not shown: 989 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    25/tcp   open  smtp
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    1025/tcp open  NFS-or-IIS
    1027/tcp open  IIS
    3389/tcp open  ms-wbt-server
    5000/tcp open  upnp
    MAC Address: 00:0c:29:e9:e3:a6 (VMware)
    Device type: general purpose    # device type
    Running: Microsoft Windows 2000|XP    # operating system running on the host
    OS CPE: cpe:/o:microsoft:windows_2000::- cpe:/o:microsoft:windows_2000::sp1 cpe:/o:microsoft:windows_2000::sp2 cpe:/o:microsoft:windows_2000::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::- cpe:/o:microsoft:windows_xp::sp1    # operating system CPE (Common Platform Enumeration) identifiers
    OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1    # operating system details
    Network Distance: 1 hop    # network distance
    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 1.91 seconds

The above output shows information about the operating system: the open ports, device type, operating system type, OS CPE identifiers and network distance. For example, the device type is general purpose and the operating system is Microsoft Windows 2000/XP. From the OS details line you can see that the service pack level is probably Windows 2000 SP0-SP4 or Windows XP SP0-SP1.
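As an added example (not from the tutorial), the following Python code parses Nmap port tables like those in examples 2-6 to 2-8, including the VERSION column of an -sV scan, and the OS CPE line of an -O scan like example 2-9, and lists the open ports for which no version was identified, which are the ones to check by hand before trusting the plug-in selection for the host. The samples are constructed here from the output above in Nmap's own formatting.

```python
import re

# Constructed sample in Nmap's own formatting, built from the -sV output of example 2-8 above.
SV_OUTPUT = """\
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.2.2
22/tcp   open   ssh         OpenSSH 5.3 (protocol 2.0)
53/tcp   open   domain
443/tcp  closed https
3306/tcp open   mysql       MySQL 5.1.66
Service Info: Host: mail.benet.com; OS: Unix
"""

# Constructed sample built from the -O output of example 2-9 above.
OS_OUTPUT = """\
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::- cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::-
OS details: Microsoft Windows 2000 SP0 - SP4 or Windows XP SP0 - SP1
"""

# port/proto, state, service, then the optional free-text VERSION column
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_services(text):
    """Map 'port/proto' -> {state, service, version}; version is None when the column
    is absent (plain scan) or -sV could not identify the product."""
    services = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            services[f"{port}/{proto}"] = {"state": state, "service": service, "version": version}
    return services


def parse_os_cpes(text):
    """CPE identifiers listed on the 'OS CPE:' line of an -O scan (empty list if none)."""
    for line in text.splitlines():
        if line.startswith("OS CPE:"):
            return [tok for tok in line.split()[2:] if tok.startswith("cpe:/")]
    return []


def unversioned_open(services):
    """Open ports for which no version was identified: check these by hand before
    trusting that the Nessus plug-ins chosen for the host cover them."""
    return sorted(p for p, s in services.items() if s["state"] == "open" and s["version"] is None)


if __name__ == "__main__":
    svc = parse_services(SV_OUTPUT)
    print(unversioned_open(svc), parse_os_cpes(OS_OUTPUT))
```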

(Assessment settings), Report settings, Advanced settings, Credentials and Plugins. These settings are the same as the policy configuration items described earlier, so they are not repeated here. The Schedule and Email Notifications options are described below. The Schedule option is shown in Figure 2.49.

Figure 2.49 Schedule Configuration

This screen is used to set whether the Schedule feature is enabled; it is disabled by default. To enable it, click the icon. When enabled, the screen looks like Figure 2.50.

Figure 2.50 Setting Schedule

From this screen you can see that after enabling Schedule there are three configuration items to set. Their meanings are as follows:

    • Launch: sets how often the schedule runs. The default is Once, which runs the scan a single time. The user can also choose Daily, Weekly, Monthly or Yearly.
    • Starts on: the date and time at which the scheduled scan starts.
    • Timezone: sets the time zone.
    • Summary: displays a summary of the above configuration.

After configuring the above, click the Save button. The Email Notifications option is shown in Figure 2.51.

Figure 2.51 Email Notifications Settings

This screen is used to set whether mail notifications are enabled. To use this option, however, an SMTP server must be configured; otherwise no notification is sent to the recipient.

This article is excerpted from the Nessus Vulnerability Scanning Basic Tutorial (Daxueba internal material). Please indicate the source when reproducing it; respect technology and respect its people.

