How to Use Nmap to scan and identify fingerprints in the Nessus vulnerability scan tutorial
Once you have a clear understanding of the Nessus tool, you can use it to scan. Some preparation is required before scanning, however: finding the active hosts on the network, the services running on those hosts, and the operating systems of those hosts. Scanning is far easier once you are familiar with a host, because Nessus provides plug-ins for different systems and vulnerabilities; if you know the target, a Nessus scan is no longer blind, and valuable information is easier to obtain. This chapter describes the preparation needed before network scanning.
Nmap tool discovers hosts
A discovered host is an active host on the network. Host discovery is the basis of a network penetration test, because a scan is only meaningful when the target host is active; otherwise the effort is wasted. Many tools can discover hosts, such as Nmap, Scapy, and Wireshark. The following describes how to discover hosts with Nmap and by capturing packets with Wireshark.
Use Nmap Tool
Nmap is a free and open-source network scanner and sniffer. It can be used to find the open ports, running services, and operating system of a computer. The following describes how to use Nmap to discover hosts.
[Example 2-5] Use Nmap to scan active hosts on the 192.168.1.0/24 network. Run the following command:
Starting Nmap 6.47 (http://nmap.org) at CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.00048s latency).        # the host is active
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.100)
Host is up (0.089s latency).
MAC Address: 8C:BE:72:D2:64 (Xiaomi Technology Co.)
Nmap scan report for localhost (192.168.1.101)
Host is up (0.00015s latency).
MAC Address: 00:E0:1C:3C:18:79 (Cradlepoint)
Nmap scan report for localhost (192.168.1.103)
Host is up (0.00061s latency).
MAC Address: 00:0C:29:F8:2B:38 (VMware)
Nmap scan report for localhost (192.168.1.104)
Host is up (0.00091s latency).
MAC Address: 00:0C:29:2A:69:34 (VMware)
Nmap scan report for localhost (192.168.1.105)
Host is up (0.00096s latency).
MAC Address: 00:0C:29:DC:09:2A (VMware)
Nmap scan report for localhost (192.168.1.106)
Host is up (0.32s latency).
MAC Address: 14:F6:5A:CE:EE:2A (Xiaomi)
Nmap scan report for localhost (192.168.1.109)
Host is up (0.00060s latency).
MAC Address: 00:0C:29:E9:E3:A6 (VMware)
Nmap scan report for localhost (192.168.1.108)
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 2.78 seconds
The last line of the output shows that there are nine active hosts in the 192.168.1.0/24 network. For each active host the output shows its IP address, its MAC address, and the vendor that the MAC address belongs to. For example, the MAC address of host 192.168.1.1 is 14:E6:E4:84:23:7A and the vendor is Tp-link Technologies CO., from which we can guess that the host is probably a Tp-link router.
Wireshark packet capture
Packet capture means using a packet capture tool to capture all data packets on the network. However, a capture tool running on a single host on a switched network only sees traffic to and from that host. To see the traffic of other hosts, you need to capture through a hub or through port mirroring. The following describes the environment configuration for these two methods of capturing data packets.
1. Use a hub
A hub's main function is to regenerate and amplify the signal it receives in order to extend the transmission distance of the network; at the same time, all nodes are concentrated in a star centered on it. A hub sends data by broadcasting rather than to a specific target: when it wants to deliver data to one node, it does not send it to that node alone but forwards the packet to every node connected to the hub. Therefore, running a packet capture tool on one host in the LAN lets you capture all the data exchanged by the other hosts, as shown in figure 2.1.
Figure 2.45 environment configuration for using a hub capture package
The above is the configuration for capturing data packets in a wired LAN using a hub. The figure shows three hosts connected to one hub at the same time. In this case, you can run a packet capture tool (such as Wireshark) on any of the hosts to capture the data packets of the other two. If no data sent by the other hosts can be captured, those hosts are not online.
Figure 2.2 shows the packets captured through the hub.
Figure 2.46 captured data packets
The window shows seven columns: No. (packet number), Time, Source (source address), Destination (destination address), Protocol, Length, and Info. The column to pay attention to here is Source, which lists the addresses of all hosts that sent packets. How do you determine which of these addresses belong to active hosts in the local LAN? First, identify the IP address range of the LAN. On Windows, run the ipconfig command to view the host's IP address; on Linux, run ifconfig. The IP address information of the local machine is as follows:
C:\Users\Administrator> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::f898:1066:74a5:e126%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.105
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
The output shows that the local IP address is 192.168.1.105 and the subnet mask is 255.255.255.0, so the network of the current host is 192.168.1.0/24. The IP addresses of the other hosts in the LAN therefore fall within 192.168.1.0/24. You can sort the Source column of the capture and look for addresses in that range; those are the active hosts on the network. Click the column name Source to sort, as shown in Figure 2.3.
Figure 2.47 page displayed after sorting the Source column
The sorted view shows three source IP addresses in the range 192.168.1.0/24, namely 192.168.1.1, 192.168.1.104, and 192.168.1.105. That is, three hosts on the network are active.
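The Source-column check described above can be automated. The following script (an added example, not code from the book) derives the LAN prefix from the ipconfig values in the text and keeps only the IPv4 sources that fall inside it; the list of captured source addresses is constructed for illustration.

```python
import ipaddress
from collections import Counter

# The local host's ipconfig values from the text, and a constructed sample of
# the Source column of a capture taken on the hub (not a real capture).
LOCAL_IP, LOCAL_MASK = "192.168.1.105", "255.255.255.0"
CAPTURED_SOURCES = [
    "192.168.1.1", "192.168.1.104", "192.168.1.105", "192.168.1.1",
    "8.8.8.8",                     # Internet host replying through the router
    "fe80::f898:1066:74a5:e126",   # IPv6 link-local, not part of the /24
    "Tp-LinkT_84:23:7a",           # ARP frames show a MAC-level source
    "192.168.1.255", "192.168.1.104",
]

def local_network(ip, mask):
    """Derive the LAN prefix (192.168.1.0/24) from the ipconfig IP and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def active_hosts(sources, network):
    """Sorted (address, packet count) for every IPv4 source inside the LAN.
    Non-IP sources, other address families and the network/broadcast
    addresses are skipped; the capturing host itself is counted too."""
    seen = Counter()
    for src in sources:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:       # MAC names and other non-IP text
            continue
        if addr.version != network.version or addr not in network:
            continue
        if addr in (network.network_address, network.broadcast_address):
            continue
        seen[addr] += 1
    return [(str(a), n) for a, n in sorted(seen.items())]

if __name__ == "__main__":
    net = local_network(LOCAL_IP, LOCAL_MASK)
    for host, count in active_hosts(CAPTURED_SOURCES, net):
        print(f"{host:<16} {count} packet(s)")
```

With a real capture, export the Source column from Wireshark (File > Export Packet Dissections > As CSV) and feed those values in place of the constructed list.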
2. Use port mirroring
Port mirroring is a function provided by routers and switches. When port mirroring is enabled on a switch or router, the traffic of one or more source ports is copied to a designated port for network monitoring; that designated port is called the "mirror port" or "destination port". Simply put, data from the other ports is forwarded to the mirror port. Running a packet capture tool on the host connected to the mirror port then captures the data packets of the other hosts. The environment for capturing data through port mirroring is shown in figure 2.4.
Figure 2.48 capture data packets using the port mirroring function of the vro
Configure the network as in the preceding environment and capture data packets. If packets from another host in the LAN are captured, that host is online; otherwise it is not. The analysis is the same as with the hub.
Nmap tool Port Scan
After determining the active hosts on the network, you can use Nmap to detect which ports are open on each host, which makes the later network scan easier.
[Example 2-6] Scan the ports of the target host RHEL 6.4. Run the following command:
root@localhost:~# nmap 192.168.1.104

Starting Nmap 6.47 (http://nmap.org) at CST
Nmap scan report for localhost (192.168.1.104)
Host is up (0.00051s latency).
Not shown: 988 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
111/tcp  open   rpcbind
139/tcp  open   netbios-ssn
443/tcp  closed https
445/tcp  open   microsoft-ds
631/tcp  open   ipp
3306/tcp open   mysql
5432/tcp closed postgresql
MAC Address: 00:0C:29:2A:69:34 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds
The output shows the open ports on the target host and the service that corresponds to each port. For example, port 21 serves FTP and port 22 serves SSH.
[Example 2-7] Scan the open ports of the Windows XP target host. Run the following command:
root@localhost:~# nmap 192.168.1.109

Starting Nmap 6.47 (http://nmap.org) at CST
Nmap scan report for localhost (192.168.1.109)
Host is up (0.00049s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
3389/tcp open  ms-wbt-server
5000/tcp open  upnp
MAC Address: 00:0C:29:E9:E3:A6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
The output shows the ports open on the target host, such as 21, 25, and 80.
Nmap tool Fingerprint Recognition
Fingerprinting is a typical pattern-recognition process: a fingerprint is acquired, processed, its features are extracted, and they are compared against known signatures. In network scanning, fingerprint information is divided into service fingerprints and operating system fingerprints. A service fingerprint includes the service port, service name, version, and vendor; an operating system fingerprint includes the system version and kernel version. With this information you can judge whether a host is likely to have a vulnerability, which guides the scan that follows.
[Example 2-8] Identify the fingerprint information of all services on the target host RHEL 6.4. Run the following command:
root@localhost:~# nmap 192.168.1.104 -sV

Starting Nmap 6.47 (http://nmap.org) at CST
Nmap scan report for localhost (192.168.1.104)
Host is up (0.00053s latency).
Not shown: 988 filtered ports
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.2.2
22/tcp   open   ssh         OpenSSH 5.3 (protocol 2.0)
25/tcp   open   smtp        Postfix smtpd
53/tcp   open   domain
80/tcp   open   http        Apache httpd 2.2.15 ((Red Hat))
111/tcp  open   rpcbind     2-4 (RPC #100000)
139/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
443/tcp  closed https
445/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
631/tcp  open   ipp         CUPS 1.4
3306/tcp open   mysql       MySQL 5.1.66
5432/tcp closed postgresql
MAC Address: 00:0C:29:2A:69:34 (VMware)
Service Info: Host: mail.benet.com; OS: Unix   # the host name is mail.benet.com and the operating system is Unix

Service detection performed. Please report any incorrect results at http://nmap.org/submit .
Nmap done: 1 IP address (1 host up) scanned in 16.16 seconds
The output has four columns: PORT, STATE, SERVICE, and VERSION. The VERSION column shows the version and vendor of the service. For example, the FTP service runs on port 21, its version is 2.2.2, and the vendor is vsftpd.
[Example 2-9] Perform operating system fingerprinting on the Windows XP target host. Run the following command:
root@localhost:~# nmap -O 192.168.1.109

Starting Nmap 6.47 (http://nmap.org) at CST
Nmap scan report for localhost (192.168.1.109)
Host is up (0.00028s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
3389/tcp open  ms-wbt-server
5000/tcp open  upnp
MAC Address: 00:0C:29:E9:E3:A6 (VMware)
Device type: general purpose                   # device type
Running: Microsoft Windows 2000|XP             # operating system family
OS CPE: cpe:/o:microsoft:windows_2000:- cpe:/o:microsoft:windows_2000::sp1 cpe:/o:microsoft:windows_2000::sp2 cpe:/o:microsoft:windows_2000::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp:- cpe:/o:microsoft:windows_xp::sp1   # OS CPE identifiers
OS details: Microsoft Windows 2000 SP0-SP4 or Windows XP SP0-SP1   # OS details
Network Distance: 1 hop                        # network distance

OS detection performed. Please report any incorrect results at http://nmap.org/submit .
Nmap done: 1 IP address (1 host up) scanned in 1.91 seconds
The output above shows information about the operating system: the open ports, the device type, the operating system family, the OS CPE identifiers, the OS details, and the network distance. For example, the device type is general purpose and the operating system is Microsoft Windows 2000 or XP. The OS details line shows that the service pack level is likely Windows 2000 SP0-SP4 or Windows XP SP0-SP1.
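To turn the fingerprint output of Examples 2-8 and 2-9 into an inventory that can drive the later Nessus scan, the port table and the OS CPE line can be parsed. The following script is an added example (not code from the book); its sample input is a handful of lines copied from the two outputs above, and the CPE field names follow the CPE 2.2 URI layout.

```python
import re

# Constructed sample: lines copied from the -sV and -O outputs in Examples 2-8
# and 2-9 (nmap's normal output format, which is what the text shows).
NMAP_OUTPUT = """\
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.2.2
22/tcp   open   ssh         OpenSSH 5.3 (protocol 2.0)
443/tcp  closed https
3306/tcp open   mysql       MySQL 5.1.66
OS CPE: cpe:/o:microsoft:windows_2000:- cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp1
OS details: Microsoft Windows 2000 SP0-SP4 or Windows XP SP0-SP1
"""
# port/proto  state  service  [version text]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition", "language"]

def parse_ports(text):
    """One dict per port line; version is None when nmap printed none."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service,
                          "version": version.strip() if version else None})
    return ports

def open_services(text):
    """Map open port -> (service, version): the inventory used to choose plug-ins."""
    return {p["port"]: (p["service"], p["version"])
            for p in parse_ports(text) if p["state"] == "open"}

def parse_cpe(cpe):
    """Split a CPE 2.2 URI (cpe:/o:microsoft:windows_2000::sp4) into named fields.
    Empty fields become None; '-' (windows_2000:-) means 'no version' and is kept."""
    comps = cpe[len("cpe:/"):].split(":") if cpe.startswith("cpe:/") else []
    comps += [""] * (len(CPE_FIELDS) - len(comps))
    return {k: (v or None) for k, v in zip(CPE_FIELDS, comps)}

def os_candidates(text):
    """Every OS CPE listed by nmap -O, as (product, update) pairs."""
    out = []
    for line in text.splitlines():
        if line.startswith("OS CPE:"):
            for cpe in line.split()[2:]:
                c = parse_cpe(cpe)
                out.append((c["product"], c["update"]))
    return out
```

For a full scan, pass the saved normal output (nmap -oN) to these functions; the CPE fields are what the later vulnerability lookup keys on.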
(Evaluation settings), REPORT (report settings), ADVANCED (advanced settings), Credentials, and Plugins. These policy configuration items are the same as those described earlier, so they are not repeated here. The following describes the Schedule and Email notification options. The Schedule settings page is shown in Figure 4.33.
Figure 2.49 Schedule Configuration
This page sets whether Schedule is enabled; it is disabled by default. To enable it, click the icon, and the page shown in Figure 4.34 is displayed.
Figure 2.50 set Schedule
After Schedule is enabled, three configuration items become available. Their meanings are as follows:
- Launch: sets how often the schedule runs. The default is Once; Daily, Weekly, Monthly, or Yearly can also be selected.
- Starts On: the start time of the schedule.
- Timezone: the time zone used for the schedule.
- Summary: displays a summary of the preceding configuration.
After configuring these options, click Save. The Email notification configuration page is shown in Figure 4.35.
Figure 2.51 Email notification settings
This page sets whether email notification is enabled. To use this option, the SMTP service must be configured first; otherwise no notification will be sent to the email recipient.