Penetration Testing - Active Information Gathering
Active information gathering
Resources: a PC with a working VM setup (VirtualBox or VMware), plus Windows 2000 and Kali Linux 1.0.3 virtual machine images (.vbox files).
What is active information gathering?
Active information gathering means interacting directly with a target system (sending it packets, probes and requests) to discover hosts, open ports, running services and potential vulnerabilities, as opposed to passive gathering, which relies only on third-party sources and never touches the target. The aim is to learn as much as possible about the target without disrupting it.
Active information gathering methods
01) Nmap
02) Netcat
03) theHarvester
04) dnsenum
First of all, VirtualBox must be installed on the PC. Next, Kali Linux 1.0.3 and Windows 2000 must both be running as virtual machines in VirtualBox, attached to the same host-only or internal network so that they can reach each other.
Why Windows 2000?
Windows 2000 is long out of support (Microsoft ended extended support in July 2010), so it no longer receives patches or updates. An unpatched Windows 2000 install therefore carries many well-known vulnerabilities, which makes it a convenient practice target.
After that we have to check the connectivity between Kali Linux and Windows 2000. Open a command terminal on both virtual machines and find each one's IP address (on Kali the command is "ifconfig", on Windows it is "ipconfig").
Then ping each machine from the other. If all packets reach the destination without loss, the two VMs can talk to each other and the scans below will work. If the pings fail, check that both VMs are attached to the same VirtualBox network.
'ifconfig' and 'ping' commands for Kali
'ipconfig' and 'ping' commands for Windows
1) Nmap
Nmap is a free and open source network discovery and security auditing tool. It is used to discover hosts and services on a network and to build an accurate picture of a host or network: which machines are up, which ports are open, what services and versions are listening, and what operating system is likely running.
nmap -h = prints the built-in option summary (the full manual is "man nmap")
'nmap -h'
'nmap -h' results
01) nmap -sS 192.168.56.99 = TCP SYN ("half-open") scan: Nmap sends a SYN to each port and reports the port as open when a SYN/ACK comes back, without completing the handshake. This is Nmap's default scan type when run as root.
From this command it will output the TCP ports, their state (open, closed or filtered) and the service usually associated with each port number.
'Nmap -sS'
02) nmap -sU 192.168.56.99 = UDP scan.
From this command it will output the UDP ports and their details. UDP scans are much slower than TCP scans, because a closed port is inferred from an ICMP port-unreachable reply and an open port often sends no reply at all.
'Nmap -sU'
03) nmap -sO 192.168.56.99/24 = IP protocol scan of the target range 192.168.56.99/24.
From this command it will output which IP protocols (ICMP, TCP, UDP and others, listed by protocol number) each host responds to. Note that this is a protocol scan, not a port scan. Note also that the /24 suffix makes Nmap scan the whole 192.168.56.0/24 network rather than just the Windows 2000 VM; drop the suffix to scan a single host.
'Nmap -sO'
04) nmap -A 192.168.56.99/24 = aggressive scan: enables OS detection, version detection, default script scanning and traceroute in one run.
'Nmap -A'
nmap -O 192.168.56.99/24 = OS detection only.
From this command it will output Nmap's guess at the operating system (and, where it can tell, the version) for each host in 192.168.56.99/24 that is up. OS detection is most reliable when the target has at least one open and one closed TCP port.
'Nmap -O'
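Scanning by hand is fine for one VM, but the open-port list is more useful once it is parsed out of Nmap's grepable output (-oG) and turned into follow-up commands for the next tool. The following is an added example, not code from the original post or from the Nmap project; the scan output it parses is constructed for illustration, and the host address and ports in it are assumptions, not real results.

```python
"""Parse Nmap grepable output (-oG) into a per-host map of open ports.

Added example, not code from the original post or from the Nmap project.
The scan output below is constructed for illustration; the host address
and the ports it lists are assumptions, not real scan results."""
from typing import Dict, List, Tuple

# Constructed sample in the format `nmap -sS -oG - 192.168.56.99` prints.
# Each port entry is port/state/protocol/owner/service/rpc info/version/
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -oG - 192.168.56.99\n"
    "Host: 192.168.56.99 ()\tStatus: Up\n"
    "Host: 192.168.56.99 ()\tPorts: 80/open/tcp//http///, "
    "135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 1025/closed/tcp//NFS-or-IIS///"
    "\tIgnored State: filtered (995)\n"
    "Host: 192.168.56.100 ()\tStatus: Down\n"
    "# Nmap done -- 2 IP addresses (1 host up) scanned\n"
)

PortInfo = Tuple[int, str, str]  # (port, protocol, service name)


def parse_gnmap(text: str) -> Dict[str, List[PortInfo]]:
    """Return {host: [(port, proto, service), ...]} for open ports only."""
    open_ports: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment lines and blank lines
        fields = line.split("\t")          # Host / Status|Ports / Ignored State
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue               # malformed entry, skip it
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    open_ports.setdefault(host, []).append(
                        (int(port), proto, service))
    return open_ports


def targets_for_netcat(open_ports: Dict[str, List[PortInfo]]) -> List[str]:
    """Turn the open-port map into `nc host port` commands for follow-up."""
    return [f"nc {host} {port}"
            for host, ports in open_ports.items()
            for port, proto, _service in ports
            if proto == "tcp"]


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in found.items():
        for port, proto, service in ports:
            print(f"{host}:{port}/{proto}  {service}")
    print("\n".join(targets_for_netcat(found)))
```

Only entries whose state is "open" are kept, so closed and filtered ports never reach the follow-up list; hosts reported as Down produce no entry at all. To use it on a real scan, run nmap with -oG and pass the file's contents to parse_gnmap.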
2) Netcat
Netcat reads and writes raw data across TCP or UDP connections. Once Nmap has shown which ports are open, Netcat is the simplest way to connect to one of them and see what the service says.
nc [options] [target_system] [remote port]
These are the main options in Netcat:
· -l: tells Netcat to listen for an incoming connection instead of connecting out
· -u: switches Netcat from TCP (the default) to UDP
· -p: for a listener, the local port to listen on; for a client, the source port to connect from
· -e: executes the given program once a connection is made (for example -e /bin/sh or -e cmd.exe), which turns Netcat into a remote shell. Traditional netcat and the Windows nc.exe support it; many modern builds (such as the OpenBSD nc) leave it out for exactly that reason
· -L: makes a persistent listener that listens again after each client disconnects. Windows nc.exe only
· -w N: sets the timeout in seconds; for example, -w 5 waits 5 seconds for a connection or for data before giving up
· -v: verbose mode (-vv for even more detail)
nc 192.168.56.99 80
192.168.56.99 = target host IP address
80 = open port number identified from the Nmap scan
This connects to the web server, but Netcat itself sends nothing, so the screen stays blank until you type an HTTP request, for example HEAD / HTTP/1.0 followed by an empty line. The response headers that come back (in particular the Server: header) identify the web server software and version.
'nc 192.168.56.99 80'
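The same banner grab can be scripted so that the request is sent automatically and the Server header is pulled out of the reply. This is an added example, not code from the original post; it stands in for "nc 192.168.56.99 80" plus a typed HEAD request. Because it has to run offline, it includes a constructed local HTTP server with a made-up Server banner to talk to; the target address, port and banner are assumptions.

```python
"""Grab a web server banner the way `nc 192.168.56.99 80` does, scripted.

Added example, not code from the original post. Netcat sends nothing on its
own, so this sends a HEAD request and returns the headers. The local server
and its banner below are constructed so the example runs offline."""
import socket
import threading


def grab_http_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send HEAD / HTTP/1.0, return the raw response as text."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break                 # server kept the connection open
            if not data:
                break                 # server closed: response complete
            chunks.append(data)
    # latin-1 never fails, so odd bytes in a banner cannot crash the grab
    return b"".join(chunks).decode("latin-1")


def server_header(banner: str) -> str:
    """Return the value of the Server: header, or '' if there is none."""
    for line in banner.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


# --- constructed stand-in for the Windows 2000 VM's web server ---
FAKE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Example-HTTPD/1.0 (constructed)\r\n"
                 b"Content-Length: 0\r\n\r\n")


def start_fake_server() -> int:
    """Serve one connection on 127.0.0.1 and return the chosen port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)           # read the request line and headers
            conn.sendall(FAKE_RESPONSE)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_server()
    banner = grab_http_banner("127.0.0.1", port)
    print(banner)
    print("Server:", server_header(banner))
```

Against the lab VM, call grab_http_banner("192.168.56.99", 80) instead of starting the fake server. The timeout matters in practice: some servers leave the connection open after answering a HTTP/1.0 request, and without it the read would hang just as an interactive nc session does.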
3) theHarvester
theHarvester collects e-mail addresses, host names and subdomains for a domain from public sources such as search engines.
-d = domain to search for
-l = limit the number of search results to process
-b = data source to query (for example google)
theharvester -d gmail.com -l 10 -b google
Note that theHarvester talks to the search engine, not to the target, so strictly speaking it is passive reconnaissance; it is listed here because the addresses and host names it finds feed the active scans above.
'theharvester -d gmail.com -l 10 -b google'
'theharvester -d gmail.com -l 10 -b google' result
4) dnsenum
dnsenum is used to collect DNS information about a domain:
- get the host's address (A record)
- get the name servers (NS records) and mail servers (MX records)
- get extra names and subdomains via Google scraping
- brute force subdomains from a word-list file, optionally recursing into subdomains that have their own NS records
dnsenum -enum ikman.lk
This outputs the host addresses, name servers and mail servers of ikman.lk. The -enum shortcut also turns on multi-threading, Google scraping and whois lookups, so the run takes longer and generates search-engine traffic. dnsenum also attempts a zone transfer (AXFR) against each name server it finds; a properly configured server refuses it, but when it succeeds the whole zone is listed in one go.
'dnsenum -enum ikman.lk' result
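The brute-force step is the part of dnsenum worth understanding in detail, because a zone with a wildcard record makes every word in the list "resolve" and floods the results with false hits. The following is an added example, not code from the original post or from dnsenum itself, showing the word-list brute force with that wildcard check. The resolver is passed in as a parameter so the logic can run offline; the example.test zone, its records, the wild.test catch-all and the word list are all constructed for illustration.

```python
"""Brute-force subdomains from a word list, as dnsenum's -f option does,
with a wildcard check so a catch-all record does not turn every word
into a hit.

Added example, not code from the original post or from dnsenum. The
resolver is a parameter so the logic runs offline; the example.test and
wild.test zones and the word list below are constructed for illustration."""
import secrets
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# A resolver maps a host name to an IPv4 address and raises socket.gaierror
# when the name does not exist, exactly like socket.gethostbyname.
Resolver = Callable[[str], str]


def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label; if it answers, the zone has a wildcard."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        return resolve(probe)
    except socket.gaierror:
        return None


def brute_force_subdomains(domain: str, words: Iterable[str],
                           resolve: Resolver = socket.gethostbyname
                           ) -> List[Tuple[str, str]]:
    """Return (name, address) for every word.domain that really resolves."""
    wildcard = wildcard_address(domain, resolve)
    found: List[Tuple[str, str]] = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue                      # blank lines and comments in the list
        name = f"{word}.{domain}"
        try:
            addr = resolve(name)
        except socket.gaierror:
            continue                      # NXDOMAIN: not a subdomain
        if wildcard is not None and addr == wildcard:
            continue                      # answered only by the wildcard record
        found.append((name, addr))
    return found


# --- constructed zone used in place of real DNS ---
FAKE_ZONE = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.25",
    "ns1.example.test": "192.0.2.53",
}


def fake_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname backed by FAKE_ZONE."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


def wildcard_resolve(name: str) -> str:
    """Like fake_resolve, but *.wild.test answers with one catch-all address."""
    if name.endswith(".wild.test"):
        return "192.0.2.99"
    return fake_resolve(name)


# Constructed word list; a real run would read one from a file.
WORDLIST = ["www", "ftp", "mail", "# common names", "", "ns1", "vpn"]

if __name__ == "__main__":
    for name, addr in brute_force_subdomains("example.test", WORDLIST,
                                             fake_resolve):
        print(f"{name:<25} {addr}")
    # Against a real domain, drop the resolver argument to use the system
    # resolver, e.g. brute_force_subdomains("ikman.lk", open("words.txt")),
    # where words.txt is a word-list file of your own.
```

Without the wildcard check, every word in the list would come back as a "found" subdomain for a zone like wild.test; with it, only names whose address differs from the catch-all are reported. Using the system resolver against a real domain sends one query per word, which is itself active traffic the target's name servers will log.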