Passive vs Active Scanning: Examining Various Methods
There are two ways to obtain data about networks and systems: actively and passively. An attacker can engage in active scanning, which sends traffic to the target and observes the responses, or passive scanning, in which the attacker only monitors traffic.
Active scanning is more intrusive because, if done carelessly, it can cause systems to freeze or crash. Passive scanning is less intrusive but can take longer to collect information.
The situation determines the best course of action. Passive scanning may be the better choice if time is not an issue; active scanning may be the better choice if time is short or a large amount of data needs to be gathered.
Mapping Your Target Environment Using Network Scanning Techniques
Network scanning is the process of finding active hosts on a network and detecting their network services. This data can be used to inventory a network and identify potential attack points. The most effective network scanning method depends on the kind of network and the information you’re looking for. This article covers two popular network scanning methods: port scanning and ping sweeping.
Port scanning is the procedure of sending packets to a host on a specific port to check whether the host is listening on it. If the port is open, the host responds with a SYN/ACK packet. The responses can also be used to fingerprint the services a host is running.
A simple Nmap command can be used to scan every TCP port (the target is given as a placeholder here):
nmap -p 1-65535 <target>
Ping sweeping is the process of checking the status of many IP addresses by sending an ICMP echo request (ping) to each of them. A host is considered alive if it replies. It can be used to locate network hosts that a firewall might protect.
A simple ping command sends one echo request to a single address (a placeholder here); a sweep repeats it for every address in the range:
ping -c 1 <address>
Either method teaches you about a network. Port scanning, however, is more intrusive and more likely to be detected by intrusion detection systems (IDS); ping sweeping is less invasive and more likely to go unnoticed.
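The IDS detection mentioned above can be illustrated with a small detector. The following is an added example (not code from the original article): it reads constructed firewall-style connection records and raises an alert when one source touches many distinct ports on one host within a minute (port scan) or sends ICMP echo requests to many hosts (ping sweep). The log format, the thresholds and all addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PORT_SCAN_THRESHOLD = 10   # distinct ports probed on one host by one source
PING_SWEEP_THRESHOLD = 5   # distinct hosts sent ICMP echo by one source
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one constructed log line: '<iso-time> <src> <dst> <proto> <dport|-> <action>'."""
    ts, src, dst, proto, dport, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "proto": proto,
        "dport": None if dport == "-" else int(dport),
        "action": action,
    }


def detect_scans(lines, port_threshold=PORT_SCAN_THRESHOLD,
                 sweep_threshold=PING_SWEEP_THRESHOLD, window=WINDOW):
    """Return alerts for sources whose recent activity looks like a port scan or ping sweep."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(list)   # src -> events inside the sliding window
    fired = set()                # alerts already raised, so each is reported once
    alerts = []
    for ev in events:
        bucket = recent[ev["src"]]
        bucket.append(ev)
        cutoff = ev["ts"] - window
        while bucket and bucket[0]["ts"] < cutoff:
            bucket.pop(0)
        tcp_ports = defaultdict(set)   # dst -> distinct ports touched
        icmp_hosts = set()             # hosts sent an echo request
        for e in bucket:
            if e["proto"] == "tcp":
                tcp_ports[e["dst"]].add(e["dport"])
            elif e["proto"] == "icmp":
                icmp_hosts.add(e["dst"])
        for dst, ports in tcp_ports.items():
            key = ("portscan", ev["src"], dst)
            if len(ports) >= port_threshold and key not in fired:
                fired.add(key)
                alerts.append({"type": "portscan", "src": ev["src"], "dst": dst,
                               "ports": len(ports), "at": ev["ts"].isoformat()})
        key = ("pingsweep", ev["src"])
        if len(icmp_hosts) >= sweep_threshold and key not in fired:
            fired.add(key)
            alerts.append({"type": "pingsweep", "src": ev["src"],
                           "hosts": len(icmp_hosts), "at": ev["ts"].isoformat()})
    return alerts


def constructed_log():
    """Constructed sample traffic; none of these addresses are real."""
    base = datetime(2024, 3, 10, 12, 0, 0)
    lines = []
    # Benign: a workstation talking to the web server on 443 every 10 s
    for i in range(3):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.0.0.9 192.168.1.1 tcp 443 allow")
    # Port scan: one source touching 12 ports on one host, one per second
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5 192.168.1.1 tcp {port} deny")
    # Ping sweep: ICMP echo requests to six consecutive hosts
    for i in range(6):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.7 192.168.1.{10 + i} icmp - allow")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

The benign workstation never trips either rule because it only ever touches one port; the scanner is reported once, at the moment it crosses the threshold, rather than once per packet, which keeps alert volume manageable on a real sensor.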
Port Scanning: Locating Available Services and Ports
There are several ways to learn which services are active on a server and which ports they use. It can be done manually by going through the server’s configuration files, or by using a port scanner, a tool that tries to connect to every port on a server to determine which ones are open.
A port is open when a service is listening for connections on it. For instance, if port 80 is open, a web server is active on that port; if port 22 is open, an SSH server is.
Knowing which ports are open is helpful to attackers because it tells them which services they may target. For instance, if they observe that port 80 is open, they may attempt to attack the web server.
Although there are other port scanners, we’ll use Nmap, a well-known, free and readily available port scanner.
Nmap needs only the IP address or hostname of the server we want to scan. We can also specify which ports to check; if we don’t, Nmap scans the most common ports by default.
Here is an illustration of how to check a server for open ports using Nmap:
nmap 192.168.1.1
This checks the most common ports on the server with the IP address 192.168.1.1.
When it has finished scanning, Nmap prints a list of all the open ports it found and tells us which service is active on each.
Now that we know which ports are open, we can begin enumerating the services active on them. Enumeration is the process of compiling data about a system; here, it means learning more about the services running on the open ports.
One approach to enumerating a service is simply connecting to it and observing what happens. For instance
System Weakness Assessment Using Vulnerability Scanning
The methods by which we can defend our systems from attack advance along with technology. In the past, having a firewall in place was frequently sufficient to stop the majority of attackers. As attackers have become more skilled, however, it has become apparent that relying solely on a firewall is no longer adequate to keep our systems secure.
Vulnerability scanning is one of the best techniques for evaluating the security of our systems. It is an approach to finding potential security gaps in a system. By conducting frequent vulnerability scans, we can ensure that our systems are as secure as possible and that any potential flaws are found and fixed before attackers can exploit them.
There are numerous vulnerability scanners available, both open-source and commercial. QualysGuard, Nessus, and OpenVAS are a few of the most popular.
It’s crucial to pick a vulnerability scanner that will work effectively with the systems you seek to examine. Not all scanners are created equal, and some are more adept than others at spotting specific kinds of vulnerabilities. Once you have chosen a scanner, it’s time to get started.
The first stage in the vulnerability scanning process is identifying the targets you wish to scan, which can range from a single server to a whole network. Once you have determined your targets, the next step is selecting the kinds of scans to run.
Numerous types of scans may be performed, and the ideal strategy frequently involves combining several scan types.
Some of the most common scan types include:
- Port scans: A port scan is used to determine whether the ports on a system are open and accessible. An attacker can better understand the system and how it functions by locating open ports, and this knowledge can be utilized to find and exploit flaws.
- Service scans: A service scan is used to identify which services are running on open ports and their versions. These details can be used to exploit known vulnerabilities in those services.
- Vulnerability scans: A vulnerability scan finds systems with known security flaws. These scans can frequently be tailored to look for particular sorts
Counting Systems and Services and Extracting Useful Data
Enumeration is essential for security purposes. Enumerating systems and services yields helpful information that can be used to attack vulnerabilities and gain access to systems and data.
There are various active and passive approaches for enumerating systems and services. Passive techniques rely on observing systems and services to gather data, while active techniques involve interacting with them to elicit a response.
Systems and services can be enumerated using either active or passive approaches, and each has its own benefits and drawbacks. Active methods can offer more precise information but are more likely to be noticed. Passive techniques are less likely to be detected, but extracting information with them can be more challenging.
Enumeration can be used to compile data on:
- Systems: hostnames, operating systems, software versions, IP addresses, etc.
- Services: open ports, service names, service versions, etc.
- Users: usernames, email addresses, etc.
- Groups: group names, group memberships, etc.
- Shares: shared folders, permissions, etc.
- Printers: printer names, locations, etc.
- Databases: database names, database versions, etc.
Enumeration can be used to acquire data on systems and services for a variety of reasons, such as:
- Locating possible attack targets
- Determining which systems and services are susceptible to attack
- Recognizing systems and services that have already been compromised
- Gathering information for social engineering attacks
Active enumeration techniques involve interacting with systems and services to elicit a response.
Several popular active enumeration techniques are as follows:
- Ping sweeps: A ping sweep is a form of active reconnaissance in which ICMP echo requests are sent to a range of IP addresses, and the responses are analyzed to determine which hosts are active and which are not.
- Port scans: A port scan is a form of active reconnaissance that involves connecting to several ports on a host to identify which ports are open and which services are using them.
OS Fingerprinting: Identifying the Used Operating Systems
Operating system fingerprinting is the method of finding out which operating system a given system is running. It can be helpful for various reasons, such as locating computers that are running unsupported or vulnerable operating system versions.
An operating system can be fingerprinted in a few distinct ways. One method is to fingerprint the machine using its TCP/IP stack. This strategy rests on the idea that different operating systems implement the TCP/IP stack in different ways, producing distinct characteristics that can be used to identify them.
Another approach is to examine how the operating system responds to different kinds of network traffic. This strategy rests on the idea that different operating systems treat certain types of network traffic differently.
The application layer can also be used to fingerprint an operating system. This strategy rests on the idea that different operating systems run different programs and, as a result, show different traits that can be used to distinguish them.
The objective of operating system fingerprinting is to identify the operating system currently running on a given system, regardless of the method utilized.
Service Enumeration: Identifying Network Services’ Specifications
As we all know, network services are the programs that enable a computer to communicate with other networked devices. Each service running on a computer uses a particular port number to communicate with other systems. Network service enumeration lets us locate the active services on a remote system and their corresponding port numbers, which is useful when evaluating a system’s vulnerabilities and conducting penetration tests.
Network services can be enumerated in a variety of ways. Three of them will be covered in this blog.
1. Netstat Command
Netstat is a command-line program that displays open network connections and the ports on which the system is listening. It can be used to list the active network services on a system.
The following command can be used to list all currently active network connections along with their corresponding port numbers:
The output of the command will resemble this:
Proto  Local Address      Foreign Address    State
TCP    0.0.0.0:80         XYZ:0              LISTENING
TCP    0.0.0.0:135        XYZ:0              LISTENING
TCP    0.0.0.0:445        XYZ:0              LISTENING
TCP    0.0.0.0:3389       XYZ:0              LISTENING
TCP    10.0.0.1:139       XYZ:0              LISTENING
This output shows that the system is running several services, including HTTP (port 80), RPC (port 135), SMB (port 445), and RDP (port 3389).
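As an added example (not from the original article), here is how listener output like the above can be turned into a service inventory and checked against the list of ports that are supposed to be open. The sample output is constructed in the column layout of Windows netstat -an; the 139/NetBIOS and 161/SNMP names and the approved-port list are my additions, not the article’s.

```python
import re

# Port-to-service names the article uses, plus 139 (NetBIOS session service)
# and 161 (SNMP), which are my additions.
KNOWN_SERVICES = {80: "HTTP", 135: "RPC", 139: "NetBIOS", 161: "SNMP",
                  445: "SMB", 3389: "RDP"}

# Constructed sample in the column layout of Windows "netstat -an"; the XYZ:0
# foreign address is the same placeholder the article's output uses.
CONSTRUCTED_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             XYZ:0                  LISTENING
  TCP    0.0.0.0:135            XYZ:0                  LISTENING
  TCP    0.0.0.0:445            XYZ:0                  LISTENING
  TCP    0.0.0.0:3389           XYZ:0                  LISTENING
  TCP    10.0.0.1:139           XYZ:0                  LISTENING
  TCP    10.0.0.1:49712         203.0.113.8:443        ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_listeners(text):
    """Return the sockets that accept inbound traffic (TCP in LISTENING, or any UDP)."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        port = int(port)
        listeners.append({
            "proto": proto,
            "addr": addr,
            "port": port,
            "service": KNOWN_SERVICES.get(port, "unknown"),
            # bound to every interface, so reachable from any network the host is on
            "all_interfaces": addr in ("0.0.0.0", "[::]"),
        })
    return listeners


def audit(listeners, approved_ports):
    """Listeners not on the approved list, most exposed (all interfaces) first."""
    unexpected = [l for l in listeners if l["port"] not in approved_ports]
    return sorted(unexpected, key=lambda l: (not l["all_interfaces"], l["port"]))


if __name__ == "__main__":
    found = parse_listeners(CONSTRUCTED_NETSTAT)
    for l in audit(found, approved_ports={80}):
        where = "all interfaces" if l["all_interfaces"] else l["addr"]
        print(f"{l['proto']}/{l['port']} ({l['service']}) listening on {where}")
```

Run against a real host’s netstat output, the approved-port set is the system’s documented role (a web server should expose 80 and perhaps 443, not RDP or SMB to every interface), and anything the audit returns is a listener that either needs a firewall rule, a bind-address change, or removal.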
2. Tasklist Command
The tasklist command is a Windows tool that lists every process currently running, along with its PID. It can be used to identify the active network services on a system.
The following command can be used to list all running processes and their PIDs:
tasklist
The output of the command will resemble this:
Info: No tasks are currently executing that meet the given criteria.
Domain Name System (DNS) Enumeration: Information Extraction
The Domain Name System (DNS) is an essential part of the Internet: a distributed database that associates human-readable domain names (like www.example.com) with the IP addresses of the servers that host them. Because it is so important to how the Internet functions, DNS is a top target for attackers. DNS enumeration is the process of finding all the DNS servers and the accompanying records for a specific domain.
An attacker can learn a great deal about a target company through DNS enumeration. DNS records can reveal the IP addresses of servers within the target company, the email servers in use, and even the locations of significant servers such as Active Directory servers. The fact that many DNS servers permit recursive queries also lets an attacker use them to resolve DNS queries for any Internet domain, which can be used to find more DNS servers that might be vulnerable to attack or to learn about other domains hosted on the same DNS servers.
Nmap, dig, and nslookup are a few examples of programs that can automate the straightforward process of DNS enumeration. Many attackers also try to grab the complete DNS database for a target domain using zone transfers. Most DNS servers forbid zone transfers, but if an attacker can locate one that permits them, they can obtain a comprehensive list of all DNS records for the domain.
DNS enumeration is a crucial reconnaissance technique for attackers and can provide various details about a target company. Organizations can defend themselves against it by configuring their DNS servers to refuse zone transfers and by monitoring their DNS servers closely for suspicious activity.
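The monitoring recommended above can be done from the name server’s own logs. The following is an added example (not code from the original article): it scans constructed lines written in the style of BIND 9’s xfer-out and security log messages, flags any zone transfer that was actually served to a host that is not a known secondary, and records refused attempts as a lower-severity signal. The addresses, the zone and the list of secondaries are assumptions made for the example.

```python
import re

# Constructed log lines approximating the messages BIND 9 writes for outbound
# zone transfers ("xfer-out") and refused transfers ("security"); the
# addresses, zone and serial are invented.
CONSTRUCTED_LOG = """\
10-Mar-2024 12:00:01.001 xfer-out: info: client 192.0.2.10#40000 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031001)
10-Mar-2024 12:00:01.250 xfer-out: info: client 192.0.2.10#40000 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 12:05:17.410 xfer-out: info: client 203.0.113.77#51000 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031001)
10-Mar-2024 12:05:17.900 xfer-out: info: client 203.0.113.77#51000 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 12:09:03.120 security: error: client 198.51.100.7#5353 (example.com): zone transfer 'example.com/IN' denied
"""

# Newer BIND versions insert a "@0x..." client handle after "client"; accept both forms.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \(\S+\): "
XFER_RE = re.compile(CLIENT + r"transfer of '(?P<zone>\S+)/IN': (?P<kind>AXFR|IXFR) started")
DENY_RE = re.compile(CLIENT + r"zone transfer '(?P<zone>\S+)/IN' denied")


def audit_zone_transfers(lines, allowed_secondaries):
    """Findings: transfers served to hosts that are not known secondaries, plus refused attempts."""
    findings = []
    for line in lines:
        ts = line[:24]   # "dd-Mon-yyyy hh:mm:ss.mmm" prefix of each line
        m = XFER_RE.search(line)
        if m:
            # A transfer that started for an unknown client means the zone's
            # full contents left the server: the serious case.
            if m["ip"] not in allowed_secondaries:
                findings.append({"ts": ts, "severity": "high", "type": "unauthorised_transfer",
                                 "client": m["ip"], "zone": m["zone"], "kind": m["kind"]})
            continue
        m = DENY_RE.search(line)
        if m:
            # Refused attempts show someone probing for an open transfer.
            findings.append({"ts": ts, "severity": "medium", "type": "denied_attempt",
                             "client": m["ip"], "zone": m["zone"]})
    return findings


if __name__ == "__main__":
    secondaries = {"192.0.2.10"}   # assumed list of this zone's legitimate secondaries
    for f in audit_zone_transfers(CONSTRUCTED_LOG.splitlines(), secondaries):
        print(f)
```

In BIND the matching control is the allow-transfer option, which limits transfers to the listed secondaries; the audit above catches the case where that option is missing or too broad, because it reports on transfers that completed rather than only on the ones the server refused.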
SNMP Enumeration: Providing Information about Network Devices
Several network enumeration methods can be used to get details about the devices on a target network. SNMP enumeration is one method that can gather a wealth of data about network devices.
In this post, we’ll examine five methods for using SNMP enumeration to extract information from network devices. By the end, you’ll know more about how SNMP enumeration works and the data it can supply.
1. Basic Device Details
Basic device information is one of the first things SNMP enumeration can gather: the device’s hostname, model, and operating system.
This data is obtained by querying the device’s SNMP agent for the system.sysDescr OID, which holds a string containing the information above.
2. Device Location
The device’s location is another detail SNMP enumeration can discover. It can help locate devices spread across several buildings or floors.
This data is obtained by querying the device’s SNMP agent for the system.sysLocation OID, which holds a string indicating the device’s location.
3. Contact Details for the Device
SNMP enumeration can also obtain the device’s contact details, which can help you reach the device’s administrator.
This data is obtained by querying the device’s SNMP agent for the system.sysContact OID, which holds a string with the device’s contact information.
4. Device Uptime
The device’s uptime is a further detail SNMP enumeration can discover. It can help determine how long the device has been operational.
This data is obtained by querying the device’s SNMP agent for the system.sysUpTime OID, which holds a value indicating how long the device has been running.
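The four system-group objects above are what a walk of the device’s SNMP agent returns first. As an added example (not code from the original article), the following parses constructed snmpwalk-style output for that group, converts sysUpTime from TimeTicks to seconds, and lists which of the descriptive fields the device exposes to anyone able to query it. The device name, contact and location are invented; the numeric OIDs are the standard MIB-II values.

```python
import re

# MIB-II system group: the objects the article discusses and their standard
# numeric OIDs (instance .0 is the scalar value).
SYSTEM_GROUP_OIDS = {
    "sysDescr": "1.3.6.1.2.1.1.1.0",
    "sysUpTime": "1.3.6.1.2.1.1.3.0",
    "sysContact": "1.3.6.1.2.1.1.4.0",
    "sysName": "1.3.6.1.2.1.1.5.0",
    "sysLocation": "1.3.6.1.2.1.1.6.0",
}

# Constructed sample in the line format net-snmp's snmpwalk prints; the device,
# contact and location are invented.
CONSTRUCTED_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: ExampleOS 4.2 on Example Router 9000
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8640000) 1 day, 0:00:00.00
SNMPv2-MIB::sysContact.0 = STRING: netops@example.com
SNMPv2-MIB::sysName.0 = STRING: core-rtr-01
SNMPv2-MIB::sysLocation.0 = STRING: Building 2, floor 3, rack 14
"""

LINE_RE = re.compile(r"^SNMPv2-MIB::(\w+)\.0 = (STRING|Timeticks): (.*)$")
TICKS_RE = re.compile(r"\((\d+)\)")   # the raw tick count in "Timeticks: (N) ..."


def parse_system_group(text):
    """Map object name -> value. sysUpTime is kept as raw TimeTicks (1/100 s)."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, kind, value = m.groups()
        if kind == "Timeticks":
            info[name] = int(TICKS_RE.search(value).group(1))
        else:
            info[name] = value.strip()
    return info


def uptime_seconds(info):
    """sysUpTime counts hundredths of a second since the agent was last re-initialised."""
    return info["sysUpTime"] / 100


def disclosed_fields(info):
    """Objects that tell any reader what the device is, who runs it and where it sits."""
    return [n for n in ("sysDescr", "sysContact", "sysLocation")
            if isinstance(info.get(n), str) and info[n].strip()]


if __name__ == "__main__":
    info = parse_system_group(CONSTRUCTED_WALK)
    print(f"{info['sysName']}: up {uptime_seconds(info) / 3600:.1f} h")
    print("disclosed:", ", ".join(disclosed_fields(info)))
```

Running this over your own devices’ walks shows at a glance which of them hand out an administrator’s e-mail address and a rack location to any client that can reach the SNMP agent, which is the inventory you need before deciding where to restrict SNMP access.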