II. Scanning
Establishes the mapping between IP addresses and their open ports and services.
Three phases of scanning: 1) verify whether the system is up; 2) scan the system's ports; 3) scan the system for vulnerabilities.
Ping: send an ICMP packet to check whether the host is alive. Under BT5 use fping, for example: fping -a -g 192.168.0.2 192.168.0.3 > hosts.txt
1. Port scan: Nmap.
TCP (Transmission Control Protocol) communication: the three-way handshake, SYN -- SYN/ACK -- ACK.
TCP connect scan: the most basic and most stable.
nmap -sT -p- -PN 192.168.0.1 (-sT: TCP connect scan; -p-: all ports; -PN: disable host discovery and assume every host is up)
SYN scan: the most common method and Nmap's default; faster and safer.
nmap -sS -p- -PN 192.168.0.1
UDP (User Datagram Protocol) scan: covers services such as DHCP, DNS, SNMP and TFTP. The scan is very slow, so use it with caution against multiple targets.
nmap -sU 192.168.0.1
To add a version scan and obtain service version information, append V directly after -sU:
nmap -sUV 192.168.0.1
Xmas scan: for operating systems running Unix and Linux.
nmap -sX -p- -PN 192.168.0.1
With -sV, Nmap analyses the banner information to work out which service the other side is running on the port.
-O: operating system detection.
-T: changes the scan speed; the range is 0 to 5. Slow down to avoid being detected; too fast gives inaccurate results.
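Added example, not from these notes or the book they summarise: the handshake difference between a SYN scan (-sS, the final ACK is never sent) and a connect scan (-sT, the handshake completes) is exactly what a defender can see in connection logs. The Python below runs a port-scan check over constructed connection records; the record shape, IP addresses, thresholds and window are assumptions. It also shows why the -T speed matters for detection: the slow scanner at the end of the sample is missed with a 10-second window and only caught once the window is widened.

```python
"""Detect port-scan patterns in constructed connection records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records, not real logs. Hypothetical shape:
# (timestamp_seconds, src_ip, dst_ip, dst_port, client_flags)
# client_flags summarises the TCP flags the client sent over the flow, as a
# firewall or NetFlow exporter would report them:
#   "S"  -> only a SYN was sent; the handshake never completed (half-open, -sS)
#   "SA" -> SYN followed by ACK; the three-way handshake completed (-sT style)
SAMPLE_EVENTS = [
    # 192.168.0.50: six ports in half a second, SYN only -> looks like a SYN scan
    (1.0, "192.168.0.50", "192.168.0.1", 21, "S"),
    (1.1, "192.168.0.50", "192.168.0.1", 22, "S"),
    (1.2, "192.168.0.50", "192.168.0.1", 23, "S"),
    (1.3, "192.168.0.50", "192.168.0.1", 25, "S"),
    (1.4, "192.168.0.50", "192.168.0.1", 80, "S"),
    (1.5, "192.168.0.50", "192.168.0.1", 443, "S"),
    # 192.168.0.60: ordinary client, two services, completed handshakes
    (2.0, "192.168.0.60", "192.168.0.1", 80, "SA"),
    (3.0, "192.168.0.60", "192.168.0.1", 80, "SA"),
    (4.0, "192.168.0.60", "192.168.0.1", 22, "SA"),
    # 192.168.0.70: five ports, full handshakes -> looks like a connect scan
    (5.0, "192.168.0.70", "192.168.0.1", 135, "SA"),
    (5.2, "192.168.0.70", "192.168.0.1", 139, "SA"),
    (5.4, "192.168.0.70", "192.168.0.1", 445, "SA"),
    (5.6, "192.168.0.70", "192.168.0.1", 3389, "SA"),
    (5.8, "192.168.0.70", "192.168.0.1", 8080, "SA"),
    # 192.168.0.80: the same probing spread 40 s apart (a slow, low -T scan)
    (100.0, "192.168.0.80", "192.168.0.1", 21, "S"),
    (140.0, "192.168.0.80", "192.168.0.1", 22, "S"),
    (180.0, "192.168.0.80", "192.168.0.1", 23, "S"),
    (220.0, "192.168.0.80", "192.168.0.1", 25, "S"),
    (260.0, "192.168.0.80", "192.168.0.1", 80, "S"),
]


@dataclass
class ScanAlert:
    src_ip: str
    distinct_ports: int   # most distinct destination ports seen in one window
    kind: str             # "syn" (half-open) or "connect" (handshake completed)


def detect_port_scans(events, window=10.0, port_threshold=5):
    """Flag sources that touch >= port_threshold distinct destination ports
    within any `window` seconds. Sources whose flows never carried an ACK are
    reported as half-open SYN scans; the rest as connect scans."""
    per_src = defaultdict(list)
    for ts, src, _dst, port, flags in sorted(events):
        per_src[src].append((ts, port, flags))

    alerts = []
    for src, flows in per_src.items():
        # Sliding window ending at each flow: distinct ports in [ts-window, ts]
        peak = 0
        for ts, _, _ in flows:
            ports_in_window = {p for t, p, _ in flows if ts - window <= t <= ts}
            peak = max(peak, len(ports_in_window))
        if peak >= port_threshold:
            completed = any("A" in f for _, _, f in flows)
            alerts.append(ScanAlert(src, peak, "connect" if completed else "syn"))
    return sorted(alerts, key=lambda a: a.src_ip)


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS):
        print(alert)
    # The slow scanner only shows up once the window covers its spacing.
    print([a.src_ip for a in detect_port_scans(SAMPLE_EVENTS, window=200.0)])
```

With the default 10-second window the check reports 192.168.0.50 as a SYN scan and 192.168.0.70 as a connect scan while the normal client stays quiet; 192.168.0.80 is only reported with a 200-second window, which is the trade-off between a wide window (catches slow scans) and the memory and false positives it costs.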
Common remote login ports:
21: FTP, telnet target_ip
22: SSH, ssh username@target_ip
2. Vulnerability scanning
Nessus
OpenVAS
III. Exploitation of vulnerabilities
Password cracking
Medusa
medusa -h target_ip -u username -P path_to_password_dictionary -M service_module (-h: a single target host; -u: user name; -P: password dictionary file; -M: the authentication service module to test)
Metasploit: a superb tool.
Vulnerability scan.
Bind (forward connection): the target opens a port and passively waits for the connection.
Reverse: the target actively establishes a connection back.
Meterpreter (meta-interpreter): runs entirely in memory; its privileges at runtime are those of the exploited program.
John the Ripper: the king of password cracking.
Privilege escalation.
Sniffing network traffic
Macof: MAC flooding attack on a switch: forges a large number of MAC address table entries to overflow the switch's address table, so the switch can no longer look up entries and is forced to broadcast traffic out of every port, like a hub.
Wireshark
Fast-Track: brute force, suitable for beginners.
Penetration test practice guide d02
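Added example, not from these notes: the countermeasure to the flood described above is a per-port limit on learned source MAC addresses (what switch port security enforces), and the same rule can be applied to exported switch records to raise an alert. The Python below does that over constructed records; the record shape, port names, time window and limit are assumptions.

```python
"""Detect MAC flooding (address-table overflow) in constructed switch records (added example)."""
from collections import defaultdict

# Constructed sample records, not real switch logs. Hypothetical shape:
# (timestamp_seconds, switch_port, source_mac) for each frame the switch learned from.
SAMPLE_FRAMES = [
    # Gi0/1: a single workstation
    (0.0, "Gi0/1", "aa:bb:cc:00:00:01"),
    (1.0, "Gi0/1", "aa:bb:cc:00:00:01"),
    (2.0, "Gi0/1", "aa:bb:cc:00:00:01"),
    # Gi0/2: a VM host with three guests, still a normal number of addresses
    (0.5, "Gi0/2", "aa:bb:cc:00:00:10"),
    (1.5, "Gi0/2", "aa:bb:cc:00:00:11"),
    (2.5, "Gi0/2", "aa:bb:cc:00:00:12"),
]
# Gi0/3: fifty different forged source MACs in half a second, the pattern a
# flood leaves behind as it fills the switch's address table.
SAMPLE_FRAMES += [
    (10.0 + i * 0.01, "Gi0/3", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
    for i in range(50)
]


def peak_source_macs(frames, window=5.0):
    """For each port, the largest number of distinct source MACs seen within
    any `window` seconds."""
    per_port = defaultdict(list)
    for ts, port, mac in sorted(frames):
        per_port[port].append((ts, mac))
    peaks = {}
    for port, seen in per_port.items():
        peak = 0
        for ts, _ in seen:
            # Sliding window ending at this frame: distinct MACs in [ts-window, ts]
            macs = {m for t, m in seen if ts - window <= t <= ts}
            peak = max(peak, len(macs))
        peaks[port] = peak
    return peaks


def detect_mac_flooding(frames, window=5.0, max_macs_per_port=8):
    """Ports whose distinct-source-MAC count exceeds the per-port limit.
    A switch with port security applies this limit in hardware (and shuts or
    restricts the port); applied to exported records it gives a log-side alert."""
    peaks = peak_source_macs(frames, window)
    return sorted((port, n) for port, n in peaks.items() if n > max_macs_per_port)


if __name__ == "__main__":
    print(peak_source_macs(SAMPLE_FRAMES))
    print(detect_mac_flooding(SAMPLE_FRAMES))
```

The limit has to leave room for legitimate multi-address ports (virtualisation hosts, IP phones with a PC behind them), which is why the sample keeps Gi0/2 under the threshold while the flooded port stands out by more than an order of magnitude.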