Table of Contents Scan a network Advanced Scans Basic Network Scans Launch A Scan Results Exports Executive Report Technical Report Scan a network Target: 192.168.1.0/24 Nessus provides a set of ready-to-use templates. For general scans, the (1) Advanced Scan and (2) Basic Network Scan would work. The differences are the Advanced Scan supports the Compliance and Plugins which can be used to fine-tune the compliance checks (credentials are required) and plugins.
Table of Contents Scan large IP block Exclude IP blocks of sensitive part of the Internet Include IP blocks for targeted IP blocks Transmission Rates Specify ports and ranges Pull the services and banners Output formats Manage config for different scanning strategies The base system used to perform the scans:
root@192.168.1.11:~# uname -a Linux kali 4.9.0-kali3-amd64 #1 SMP Debian 4.9.13-1kali2 (2017-03-07) x86_64 GNU/Linux Scan large IP block Scan the entire 175.
Table of Contents Introduction Enabling knockd Port-knocking Open the port Close the port Using Hping3 / Nmap Open the port Close the port Alternatives Introduction Port-knocking is a stealth method to open ports that the firewall keeps closed by default. A port-knock server listens to all traffic on an ethernet (or PPP) interface, looking for a special “knock” sequences of port-hits.
In the Nmap Network Scanning book, chapter 15 , section Port Specification and Scan Order , to quote “By default, Nmap scans the most common 1,000 ports for each protocol.” [1]
However, the documentation did not mention the list of 1000 ports.
So, how to identify and show those 1000 ports ?
--top-ports n: the n highest-ratio ports found in nmap-services. n must be 1 or greater -v: verbose level, to print the -oG: grepable output - : output to stdout $ nmap --top-ports 1000 -v -oG - localhost Note: refer to /usr/share/nmap/nmap-services file for the service name and protocol.
Table of Contents Nmap Ndiff Scan and interpret the results/diffs Automation Nmap Ndiff Ndiff is a tool to aid in the comparison of Nmap scans. Ndiff, like the standard diff utility, compares two scans at a time. It takes two Nmap XML output files and prints the differences between them. The differences observed are:
Host states (e.g. up to down) Port states (e.
Table of Contents Scan a Network/Subnet Host Discovery Scan a large public network Scan a private network: 192.168.1.0/24 Scan a Single Target Remote OS and Service Detection Host and Port State Reason List of Examples Scan a Network/Subnet Host Discovery HOST DISCOVERY: -sL: List Scan - simply list targets to scan, without sending any packets to the target hosts, useful to generate list of target hosts and dns resolution.
Table of Contents Scan for vulnerability Create a HTTP request file Scan the target Explore the vulnerable target’s databases and system Dictionary attack against password hashes and dump full credentials OS Shell Access Behind the scene Speedup the process and specify custom injection payloads Capture and decode the payload with Ngrep with Wireshark Decode the payload Scan for vulnerability Create a HTTP request file Use -r option instead of passing long parameters of --url, --user-agent, etc.
Table of Contents Nettop Google Transparency Report: Safe Browsing Tool Netstat Flowtop Nettop Assuming an unknown/suspicious output (i.e., no chat client is being used, but random chat domain appeared: vmp.boldchat.com) is spotted from a DNS monitoring such as in previous post titled - Sniff DNS queries:
Under macOS, the nettop util provides list of sockets and routes in details that help to trace down the process that established the connection to the unknown domain:
mtr Often times, troublesome networks won’t show up in the results of a few packets. mtr combines the functionality of the traceroute and ping utils and enables user to constantly poll a remote server to see the latency and performance changes over time. It’s not installed by default on most linux systems, simply get it from the distribution and package manager of choice:
$ sudo apt-get install mtr To debug remotely over ssh where no GUI is available, use the --curses or -t option:
This post extends the discussion on traceroute in previous post Traceroute, Firewalls & Geo-IP, and focused on intepreting the traceroute report.
Output format explanation: v--- the router/ip-addr traversed by the packet [Hop] [Hostname/(IP-addr)] [RTT1] [RTT2] [RTT3] ^--- transit no. of the route ^---- round-trip time The round-trip time (RTT) is the latency (delay between sending the packet and getting the response).
By default, traceroute sends 3 packets per TTL increment.
Table of Contents Traceroute ICMP mode UDP mode TCP mode Output format explanation Hping3 InTrace Nmap: traceroute-geolocation script Traceroute Traceroute is useful for diagnosing networking problems, e.g., end-to-end connectivty, complement with ping. It can also be used to pinpoint the location of devices, routers and firewalls. The tracerouting tools fundamentally rely on the IP packet’s field - TTL (Time-To-Live, decremented at each hop, dies at 0), they send short-life IP packets and wait for Time Exceeded ICMP packets reporting the death of these packets from a router, consequently reveal the route.
Table of Contents List of online and web-based tools Text-mode based Utility VirusTotalApi List of online and web-based tools https://www.virustotal.com: by VirusTotal, a subsidiary of Google https://exchange.xforce.ibmcloud.com: by IBM http://safeweb.norton.com: by Norton, Symantec http://www.avgthreatlabs.com/ww-en/website-safety-reports: by AVG ThreatLabs https://cymon.io: by https://eSentire.com http://www.reputationauthority.org: by WatchGuard Technologies http://isitphishing.org: by https://vadesecure.com Text-mode based Utility VirusTotalApi $ git clone https://github.com/doomedraven/VirusTotalApi.git It is an utility to search on VirusTotal databases [1] for malicious URLs and hashes of known malware.
Table of Contents hping3 and the firewall ICMP mode TCP mode UDP mode SCAN mode hping3 and the firewall Mode default mode TCP -0 --rawip RAW IP mode -1 --icmp ICMP mode -2 --udp UDP mode -8 --scan SCAN mode. Example: hping --scan 1-30,70-90 -S www.target.host -9 --listen listen mode ICMP mode The typical ping utility and the hping3 equivalent, sending ICMP-echo and receiving ICMP-reply:
My examples are in JS, on PhantomJS headless browser, it could be easily adapted to other languages. The script traverses a webpage and harvests all the URLs therein to check for malware/malicious sites through the Google Safe Browsing API.
192.168.1.9:~$ phantomjs chk-malinks.js http://some.malware.site 1: hshd.io 2: sourceforge.net 3: popup.taboola.com 4: www.geeksvip.com 5: my.hear.com ... 159: nba1001.net 160: www.pressroomvip.com 161: tracking.lifestylejournal.com 162: dsct2.com 163: www.historynut.com 164: www.buro247.my gsafe response json:{ "matches": [ { "threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threat": { "url": "nba1001.