This is a continuation of my previous post, NMAP and fping deep dive. In that post I talked about fping and NMAP and how they work at a basic level; NMAP, in particular, has many more parameters you can use depending on the task at hand.
In this post I want to cover more of NMAP's capabilities and which commands we can use to discover more about the network and which potential vulnerabilities these hosts might have that could be used to exploit them.
In the last post we found out which hosts were alive on the network and which ports were open on those hosts. The next step is to find out what OS they are running, or at least get the best guess as to what it might be.
I am going to use the -sV (version detection) option and the -O (OS fingerprinting) option to get more detail on the hosts. You don't want to blindly attack a network without gathering all the information you can about your target, or you run the risk of crashing the target because you ran the wrong tool against it. Information gathering is one of the most important parts of penetration testing.
As Abraham Lincoln once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
The first option to run is -sV, which gives us more information on the open ports: which service is listening on each one and what version of that service is running.
The administrator might have moved a service to a non-standard port, as is the case for the host at 10.142.111.213. You can see the port is 81, but the service using that port is HTTP, which is usually on port 80. Also, if you remember, this is the host that did not respond to the ping sweep when we used fping.
To build on this we can now run nmap with the -O option. This sends special probes to the host to try to figure out what OS is running (for example, is it running IIS, or Apache?).
The command is: $ nmap -O 10.142.111.1,6,48,96,99,100,213
Here, instead of using /24, I am only running the OS scan against the hosts we already know are alive on the network. This saves a lot of time because the scan is concentrated on specific hosts.
From the output you can see that the host at 10.142.111.48 is a Windows XP machine. From this we could start to look for vulnerabilities in Windows XP and in the services it is running.
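To make the -sV and -O results easier to review across many hosts, here is a small parser I added for this post (it is not part of nmap and not code from the original post). It reads nmap's grepable output (nmap -sV -O -oG -), lists each host's OS guess and open services, and flags services that nmap identifies on a non-default port, like the HTTP-on-81 case above. The scan output below is constructed to mirror the post's scenario; the version strings and OS guesses are made up.

```python
# Constructed sample of `nmap -sV -O -oG -` output (invented data, not a real scan).
# Fields on a "Host:" line are tab-separated; each Ports entry is
# port/state/protocol/owner/service/rpcinfo/version/ (nmap replaces "/" in
# version strings with "|", so splitting on "/" is safe).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -O -oG - 10.142.111.48,213
Host: 10.142.111.48 ()\tStatus: Up
Host: 10.142.111.48 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tOS: Microsoft Windows XP SP2\tSeq Index: 12345
Host: 10.142.111.213 ()\tStatus: Up
Host: 10.142.111.213 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 81/open/tcp//http//Apache httpd 2.2.3/\tOS: Linux 2.6.X
"""

# Ports on which each service is conventionally expected (assumed short list).
EXPECTED_PORTS = {"http": {80, 8080}, "https": {443}, "ssh": {22}, "ftp": {21}, "smtp": {25}}

def parse_gnmap(text):
    """Return {ip: {"os": str or None, "ports": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entry = hosts.setdefault(ip, {"os": None, "ports": []})
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for p in fields.get("Ports", "").split(", "):
            if not p:
                continue
            parts = p.split("/")  # port, state, proto, owner, service, rpcinfo, version, ""
            if parts[1] == "open":
                entry["ports"].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts

def unusual_services(hosts):
    """Flag open ports whose identified service sits on a non-default port (e.g. http on 81)."""
    return [(ip, port, svc, ver)
            for ip, entry in hosts.items()
            for port, _proto, svc, ver in entry["ports"]
            if svc in EXPECTED_PORTS and port not in EXPECTED_PORTS[svc]]

def report(text):
    hosts = parse_gnmap(text)
    for ip, entry in hosts.items():
        print(f"{ip}: OS guess = {entry['os'] or 'unknown'}")
        for port, proto, svc, ver in entry["ports"]:
            print(f"  {port}/{proto} {svc} {ver}".rstrip())
    for ip, port, svc, ver in unusual_services(hosts):
        print(f"NOTE: {ip} runs {svc} on non-default port {port} ({ver})")
    return hosts

if __name__ == "__main__":
    report(SAMPLE_GNMAP)
```

Point the same parser at a saved file from a real scan (nmap -sV -O -oG scan.gnmap ...) and the flagged entries are the ones worth a second look before moving on to vulnerability research.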
To summarise: we started off not knowing which IP addresses were alive, and for this we used the fping tool and the nmap -sn command. We then ran more nmap commands to find which ports were open and which versions of the services were listening on those ports. Lastly, we ran the OS fingerprint scan to try to figure out which OS each host was running.
I hope this was useful.