Penetration test practice guide d02

Source: Internet
Author: User

II. Scanning

Establishes the mapping between IP addresses and their open ports and services.


Three phases of scanning: 1) verifying whether the system is up; 2) scanning the system's ports; 3) scanning the system for vulnerabilities.


Ping: send an ICMP echo request to check whether a host is alive. On BT5 use fping, for example: fping -a -g 192.168.0.2 192.168.0.3 > hosts.txt (-a lists only hosts that answer; -g takes the start and end of the address range).


1. Port scanning: Nmap.

TCP (Transmission Control Protocol) communication uses a three-way handshake: SYN -> SYN/ACK -> ACK.

TCP connect scan: the most basic and most stable method.

nmap -sT -p- -PN 192.168.0.1 (-sT: TCP connect scan; -p-: all ports; -PN: disable host discovery and assume every target is up.)


SYN scan: the most common method and Nmap's default; it is faster and considered safer than a full connect scan.

nmap -sS -p- -PN 192.168.0.1


UDP (User Datagram Protocol) scan: covers services such as DHCP, DNS, SNMP and TFTP. It is very slow, so use it with caution against many targets.

nmap -sU 192.168.0.1

Add a version scan to obtain version information: append V directly after -sU:

nmap -sUV 192.168.0.1


Xmas scan: for systems running Unix and Linux.

nmap -sX -p- -PN 192.168.0.1


With -sV, Nmap analyzes the banner returned by each port to determine which service is actually running behind it.


The -O option reports information about the target's operating system.

The -T option changes the scan speed; its range is 0 to 5. Reduce the speed to avoid detection; scanning too fast leads to inaccurate results.
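From the defender's side, the connect scan, SYN scan and -T timing notes above can be checked against connection records. The following added example (not from the original guide) runs over constructed connection summaries: a burst of half-open SYNs to many ports is flagged as a SYN scan, completed handshakes to many ports as a connect scan, and a probe-per-minute source slips under a 60-second window, which is exactly what the slower -T settings exploit. Line format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict

# Constructed connection-summary lines (not a real capture), one TCP attempt per line:
# "<timestamp_s> <src_ip> <dst_ip> <dst_port> <state>", where state is
# "half_open" (SYN seen, handshake never completed) or "complete" (three-way handshake done).
SAMPLE_LOG = "\n".join(
    # 12 half-open probes from one source within 6 seconds: typical of nmap -sS
    [f"{100 + i // 2} 10.0.0.5 192.168.0.1 {p} half_open" for i, p in enumerate(range(20, 32))]
    # a normal client completing a handful of handshakes to two ports
    + [f"{100 + i} 10.0.0.7 192.168.0.1 {p} complete" for i, p in enumerate([80, 443, 80, 80, 443])]
    # the same 12 probes, but one port per minute (a slowed-down -T setting)
    + [f"{200 + 60 * i} 10.0.0.9 192.168.0.1 {p} half_open" for i, p in enumerate(range(20, 32))]
)


def parse_log(text):
    """Parse the assumed summary format into (ts, src, dst, dport, state) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, dport, state = line.split()
        records.append((int(ts), src, dst, int(dport), state))
    return records


def detect_scans(records, port_threshold=10, window_s=60):
    """Return {src: (label, distinct_ports)} for every source that touches at least
    port_threshold distinct ports on one host inside some window_s-second window.
    Half-open attempts point to a SYN scan, completed handshakes to a connect scan."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, state in records:
        by_pair[(src, dst)].append((ts, dport, state))
    findings = {}
    for (src, dst), events in by_pair.items():
        events.sort()
        best_half = best_full = 0
        for ts_i, _, _ in events:  # sliding window ending at each event
            in_window = [e for e in events if ts_i - window_s <= e[0] <= ts_i]
            best_half = max(best_half, len({p for _, p, s in in_window if s == "half_open"}))
            best_full = max(best_full, len({p for _, p, s in in_window if s == "complete"}))
        if best_half >= port_threshold:
            findings[src] = ("syn_scan", best_half)
        elif best_full >= port_threshold:
            findings[src] = ("connect_scan", best_full)
    return findings


if __name__ == "__main__":
    for src, (label, n) in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {label} ({n} distinct ports)")
```

Widening the window (for example window_s=1000) catches the slow source too, at the cost of more false positives from busy legitimate clients.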


Common remote login ports:

21: FTP, telnet target_ip

22: SSH, ssh username@target_ip


2. Vulnerability scanning

Nessus

OpenVAS


III. Exploitation of vulnerabilities


Password cracking

Medusa

medusa -h target_ip -u username -P path_to_password_dictionary -M service_module (-h: single target host; -u: username; -P: password list; -M: the authentication module to test, e.g. the service name.)


Metasploit: the indispensable tool.

Vulnerability scan.

Forward connection (bind): the payload on the target opens a listener and passively waits for the incoming connection.

Reverse connection: the target actively connects back to the waiting handler.

Meterpreter (meta-interpreter): runs entirely in memory; it executes with the privileges of the exploited process.


John the Ripper: The king of password cracking.

Privilege escalation.


Sniffing network traffic

Macof: MAC flooding against a switch. It forges a large number of source MAC addresses so that the switch's CAM table fills up and it can no longer look up entries; the switch then falls back to broadcasting traffic to every port, behaving like a hub.

Wireshark


Fast-Track: automated brute-force exploitation, suitable for beginners.


