SlideShare ist ein Scribd-Unternehmen logo

Hacking With Nmap - Scanning Techniques

A
amiable_indian
Technologie
1 von 28
Downloaden Sie, um offline zu lesen
Nmap Scanning Techniques Maniac
Nmap Scanning Before we dive in... Port states that Nmap Identifies. Types of port scanning.
Nmap Scanning [open] [closed] [filtered] [unfiltered] [open|filtered] [closed|filtered]
Nmap Scanning Syn Scans PRO: Very fast, most common scan used. CON: Funky stuff happens when a firewall, packet filter, or packet shaper is in- between you and the target.
Nmap Scanning FIN Scans PRO: FIN Scans can sneak around non- stateful firewalls and packet filters. CON: Because of the way the scan is conducted, ports respond as either closed, or open|filtered. Many major OS’ sent a RST reguardless of open or closed. NOTE: Variations of this are NULL and Xmas Scans
Nmap Scanning ACK Scan PRO: Determines filtered from unfiltered ports. CON: Won’t tell if the port is open or closed.
Nmap Scanning Window Scan PRO: Can tell if a port is open or closed, whereas the ACK scan cannot. CON: Works on only a few OS’s, and sometimes acts flaky.
Nmap Scanning Ok, so this is all fine and dandy, but what do I do with this?
Scanning Techniques Mission Penetrate SCO's Firewall to discern all the open TCP ports on Docsrv.Caldera.Com.
Hitting SCO Insecure.Org Performing the initial SYN Scan. SYN Scan against DocSRV # nmap -sS -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo ( http://www.insecure.org/nmap/ ) Interesting ports on docsrv.caldera.com (216.250.128.247): (The 1669 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 80/tcp open http 113/tcp closed auth 507/tcp open crs Nmap finished: 1 IP address (1 host up) scanned in 24.490 seconds
Hitting SCO Insecure.Org FIN Scan FIN Scan against DocSRV # nmap -sF -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo ( http://www.insecure.org/nmap/ ) Interesting ports on docsrv.caldera.com (216.250.128.247): (The 1632 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 7/tcp open|filtered echo 9/tcp open|filtered discard 11/tcp open|filtered systat 13/tcp open|filtered daytime 15/tcp open|filtered netstat 19/tcp open|filtered chargen 21/tcp open|filtered ftp 22/tcp open|filtered ssh 23/tcp open|filtered telnet 25/tcp open|filtered smtp 37/tcp open|filtered time 79/tcp open|filtered finger 80/tcp open|filtered http [many ports cut] 135/tcp open|filtered auth
Hitting SCO Insecure.Org ACK Scan ACK Scan against DocSRV # nmap -sA -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo Interesting ports on docsrv.caldera.com (216.250.128.247): (The 1669 ports scanned but not shown below are in state: UNfiltered) PORT STATE SERVICE 135/tcp filtered msrpc 1434/tcp filtered ms-sql-m 32777/tcp filtered sometimes-rpc17 Nmap finished: 1 IP address (1 host up) scanned in 3.134 seconds
Hitting SCO Insecure.Org Window Scan Scan against DocSRV Window # nmap -sW -p- -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo ( http://www.insecure.org/nmap/ ) Interesting ports on docsrv.caldera.com (216.250.128.247): (The 65479 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 7/tcp open echo 9/tcp open discard 11/tcp open systat 13/tcp open daytime 15/tcp open netstat 19/tcp open chargen 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 37/tcp open time 79/tcp open finger 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 135/tcp filtered msrpc 143/tcp open imap
Scanning Techniques Mission 2 Locate webserver(s) on the Playboy.Com network offering free images
Hitting Playboy Insecure.Org Step 1: Find Network to Scan Step one, finding the network. Step 1: Find the network to scan core~> whois -h whois.arin.net n playboy [...] OrgName: Playboy OrgID: PLAYBO Address: 680 N. Lake Shore Drive City: Chicago StateProv: IL PostalCode: 60611 Country: US NetRange: 216.163.128.0 - 216.163.143.255 CIDR: 216.163.128.0/20 [...]
Hitting Playboy Running the initial scan. Insecure.Org Initial Try nmap -P0 -p80 -oG pb.gnmap 216.163.128.0/20 Starting nmap 3.81 [...] Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 1236.309 seconds
Hitting Playboy Now wait a second! That took just under 21 minutes! Is there a way to cut that time down?
Hitting Playboy First we need to get hosts to figure out the timing. Insecure.Org Help Nmap Out with Timing Information > host www.playboy.com www.playboy.com has address 209.247.228.201 Mail servers (host -t mx playboy.com): mx.la.playboy.com. 10 216.163.128.15 mx.chi.playboy.com. 5 216.163.143.4
Hitting Playboy Now we need to ping them to get a round Insecure.Org trip time. Perhaps TCP Ping Will Work Better # hping2 --syn -p 25 -c 5 mx.chi.playboy.com HPING mx.chi.playboy.com (eth0 216.163.143.4) 46 bytes from 216.163.143.4: flags=SA 46 bytes from 216.163.143.4: flags=SA [cut] --- mx.chi.playboy.com hping statistic --- 5 packets transmitted, 5 packets received round-trip min/avg/max = 56.8/58.0/61.8 ms # hping2 --syn -p 25 -c 5 mx.la.playboy.com HPING mx.la.playboy.com (eth0 216.163.128.15) 46 bytes from 216.163.128.15: flags=SA 46 bytes from 216.163.128.15: flags=SA [cut] --- mx.la.playboy.com hping statistic --- 5 packets transmitted, 5 packets received round-trip min/avg/max = 15.4/15.8/16.4 ms
Hitting Playboy Ok, I think we can write a better scan now. Insecure.Org Designing a Faster Scan nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 -P0 -p80 -oG pb2.gnmap 216.163.128.0/20
Hitting Playboy Insecure.Org OMGWTFLOL! 3.97Shmoo + --max_retries Upgrade to That scanned a lot faster! # nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 -- min_hostgroup 512 --max_retries 0 -P0 -p80 -oG pb3.gnmap 216.163.128.0/20 Starting nmap 3.97Shmoo [...] Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 289.579 seconds Under 5 Minutes!
Hitting Playboy 5 minutes. Thats pretty good! Can we cut it down more though?
Hitting Playboy Insecure.Org Turning off DNS (-n) in the scan... Skip DNS # nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 -- min_hostgroup 512 –max_retries 0 -n -P0 -p80 -oG pb3.gnmap 216.163.128.0/20 Starting nmap 3.97Shmoo [...] Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 46.052 seconds 46 seconds!
Hitting Playboy Mmmm...pretty webservers! Insecure.Org Time for the Results! > grep 80/open pb3.gnmap | awk '{print $2}' 216.163.129.20 216.163.136.21 216.163.136.22 216.163.136.27 216.163.136.29 216.163.136.30 216.163.136.31 216.163.137.3 216.163.137.4 216.163.137.5 216.163.137.6 216.163.137.7 216.163.137.8 216.163.137.9 216.163.137.10 216.163.137.11 216.163.137.12 216.163.137.13 216.163.137.14 216.163.137.15 216.163.137.16 216.163.137.17 216.163.137.18 216.163.137.19 216.163.137.20 216.163.137.21 216.163.137.22 216.163.137.23 216.163.137.25 216.163.137.26 216.163.137.27 216.163.140.20 216.163.143.11
Hitting Playboy Well what does that first IP hand out? Interesting....but not what we are looking for.
Hitting Playboy Well what about the 3rd entry? Eureka! We have images!
Scanning Techniques Questions?
Scanning Techniques The vast majority of mission data was provided by Fyodor. Thank him fellas!

Empfohlen

Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
NMAP
NMAPNMAP
NMAPPrateekAryan1
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
Scanning with nmap
Scanning with nmapScanning with nmap
Scanning with nmapcommiebstrd
 
NMap
NMapNMap
NMapPritesh Raka
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)shwetha mk
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 

Empfohlen

Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
NMAP
NMAPNMAP
NMAPPrateekAryan1
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
Scanning with nmap
Scanning with nmapScanning with nmap
Scanning with nmapcommiebstrd
 
NMap
NMapNMap
NMapPritesh Raka
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)shwetha mk
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Nmap Basics
Nmap BasicsNmap Basics
Nmap Basicsamiable_indian
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scannern|u - The Open Security Community
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Nmap
NmapNmap
NmapFat-Thing Gabriel-Culley
 
Nmap commands
Nmap commandsNmap commands
Nmap commandsKailash Kumar
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)KHNOG
 
Nmap
NmapNmap
NmapSreekanth Narendran
 
N map presentation
N map presentationN map presentation
N map presentationulirraptor
 
Nmap
NmapNmap
NmapMegha Sahu
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorialVarun Kakumani
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitableMohammed Akbar Shariff
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Port Scanning
Port ScanningPort Scanning
Port Scanningamiable_indian
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting enginen|u - The Open Security Community
 
Nmap
NmapNmap
NmapCristian Alejandro Rojas Quintero
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"abend_cve_9999_0001
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 
Tcpdump
TcpdumpTcpdump
TcpdumpSourav Roy
 
Port scanning
Port scanningPort scanning
Port scanningHemanth Pasumarthi
 
Wireshark
WiresharkWireshark
WiresharkKasun Madusanke
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Cmsms, open source & business model
Cmsms, open source & business modelCmsms, open source & business model
Cmsms, open source & business modelJean-Christophe Cuvelier
 

Weitere ähnliche Inhalte

Was ist angesagt?

Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)KHNOG
 
N map presentation
N map presentationN map presentation
N map presentationulirraptor
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"abend_cve_9999_0001
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 

Was ist angesagt? (20)

Nmap Basics
Nmap BasicsNmap Basics
Nmap Basics
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Nmap
NmapNmap
Nmap
 
Nmap commands
Nmap commandsNmap commands
Nmap commands
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
Nmap
NmapNmap
Nmap
 
N map presentation
N map presentationN map presentation
N map presentation
 
Nmap
NmapNmap
Nmap
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Nmap
NmapNmap
Nmap
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say any more"
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
Tcpdump
TcpdumpTcpdump
Tcpdump
 
Port scanning
Port scanningPort scanning
Port scanning
 
Wireshark
WiresharkWireshark
Wireshark
 

Andere mochten auch

Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Geek Moot '09 -- Smarty 101
Geek Moot '09 -- Smarty 101Geek Moot '09 -- Smarty 101
Geek Moot '09 -- Smarty 101Ted Kulp
 
Web Cookies
Web CookiesWeb Cookies
Web Cookiesapwebco
 
세션 하이재킹
세션 하이재킹세션 하이재킹
세션 하이재킹Yu Yongwoo
 
Web Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedWeb Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedPort80 Software
 
Web (HTTP) request to response life cycle
Web (HTTP) request to response life cycleWeb (HTTP) request to response life cycle
Web (HTTP) request to response life cycleGopakumar Kunduveetil
 
Apache Web Server Architecture Chaitanya Kulkarni
Apache Web Server Architecture Chaitanya KulkarniApache Web Server Architecture Chaitanya Kulkarni
Apache Web Server Architecture Chaitanya Kulkarniwebhostingguy
 
Testing RESTful web services with REST Assured
Testing RESTful web services with REST AssuredTesting RESTful web services with REST Assured
Testing RESTful web services with REST AssuredBas Dijkstra
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Telecommunication system
Telecommunication systemTelecommunication system
Telecommunication systemJamilah Abbas
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Basics of telecommunication and networking
Basics of telecommunication and networkingBasics of telecommunication and networking
Basics of telecommunication and networkingMilan Padariya
 

Andere mochten auch (20)

Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
 
Cmsms, open source & business model
Cmsms, open source & business modelCmsms, open source & business model
Cmsms, open source & business model
 
Smarty sharing-2
Smarty sharing-2Smarty sharing-2
Smarty sharing-2
 
Geek Moot '09 -- Smarty 101
Geek Moot '09 -- Smarty 101Geek Moot '09 -- Smarty 101
Geek Moot '09 -- Smarty 101
 
Web Cookies
Web CookiesWeb Cookies
Web Cookies
 
세션 하이재킹
세션 하이재킹세션 하이재킹
세션 하이재킹
 
Web Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedWeb Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting Started
 
Web (HTTP) request to response life cycle
Web (HTTP) request to response life cycleWeb (HTTP) request to response life cycle
Web (HTTP) request to response life cycle
 
Apache Web Server Architecture Chaitanya Kulkarni
Apache Web Server Architecture Chaitanya KulkarniApache Web Server Architecture Chaitanya Kulkarni
Apache Web Server Architecture Chaitanya Kulkarni
 
Testing RESTful web services with REST Assured
Testing RESTful web services with REST AssuredTesting RESTful web services with REST Assured
Testing RESTful web services with REST Assured
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
Telecommunication system
Telecommunication systemTelecommunication system
Telecommunication system
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Cookie and session
Cookie and sessionCookie and session
Cookie and session
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardening
 
Mvc architecture
Mvc architectureMvc architecture
Mvc architecture
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
Basics of telecommunication and networking
Basics of telecommunication and networkingBasics of telecommunication and networking
Basics of telecommunication and networking
 

Ähnlich wie Hacking With Nmap - Scanning Techniques

3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Nikhil Raj
 
How to dominate a country
How to dominate a countryHow to dominate a country
How to dominate a countryTiago Henriques
 
Nmap Discovery
Nmap DiscoveryNmap Discovery
Nmap DiscoveryTai Pan
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmSimone Onofri
 
Practical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPractical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPRISMA CSI
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemSneha Inguva
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academycyberforgeacademy
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 

Ähnlich wie Hacking With Nmap - Scanning Techniques (20)

3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019
 
How to dominate a country
How to dominate a countryHow to dominate a country
How to dominate a country
 
Nmap Discovery
Nmap DiscoveryNmap Discovery
Nmap Discovery
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...
 
Preso fcul
Preso fculPreso fcul
Preso fcul
 
Enei
EneiEnei
Enei
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmm
 
Zen map
Zen mapZen map
Zen map
 
Practical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPractical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information Gathering
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
 
Ethical hacking with Python tools
Ethical hacking with Python toolsEthical hacking with Python tools
Ethical hacking with Python tools
 
NMAP1.ppt
NMAP1.pptNMAP1.ppt
NMAP1.ppt
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academy
 
Day2
Day2Day2
Day2
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 

Mehr von amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 

Mehr von amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 

Kürzlich hochgeladen

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Kürzlich hochgeladen (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Hacking With Nmap - Scanning Techniques

  • 2. Nmap Scanning Before we dive in... Port states that Nmap Identifies. Types of port scanning.
  • 3. Nmap Scanning [open] [closed] [filtered] [unfiltered] [open|filtered] [closed|filtered]
  • 4. Nmap Scanning Syn Scans PRO: Very fast, most common scan used. CON: Funky stuff happens when a firewall, packet filter, or packet shaper is in- between you and the target.
  • 5. Nmap Scanning FIN Scans PRO: FIN Scans can sneak around non- stateful firewalls and packet filters. CON: Because of the way the scan is conducted, ports respond as either closed, or open|filtered. Many major OS’ sent a RST reguardless of open or closed. NOTE: Variations of this are NULL and Xmas Scans
  • 6. Nmap Scanning ACK Scan PRO: Determines filtered from unfiltered ports. CON: Won’t tell if the port is open or closed.
  • 7. Nmap Scanning Window Scan PRO: Can tell if a port is open or closed, whereas the ACK scan cannot. CON: Works on only a few OS’s, and sometimes acts flaky.
  • 8. Nmap Scanning Ok, so this is all fine and dandy, but what do I do with this?
  • 9. Scanning Techniques Mission Penetrate SCO's Firewall to discern all the open TCP ports on Docsrv.Caldera.Com.
  • 10. Hitting SCO Insecure.Org Performing the initial SYN Scan. SYN Scan against DocSRV # nmap -sS -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo ( http://www.insecure.org/nmap/ ) Interesting ports on docsrv.caldera.com (216.250.128.247): (The 1669 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 80/tcp open http 113/tcp closed auth 507/tcp open crs Nmap finished: 1 IP address (1 host up) scanned in 24.490 seconds
  • 11. Hitting SCO Insecure.Org FIN Scan FIN Scan against DocSRV # nmap -sF -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo ( http://www.insecure.org/nmap/ ) Interesting ports on docsrv.caldera.com (216.250.128.247): (The 1632 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 7/tcp open|filtered echo 9/tcp open|filtered discard 11/tcp open|filtered systat 13/tcp open|filtered daytime 15/tcp open|filtered netstat 19/tcp open|filtered chargen 21/tcp open|filtered ftp 22/tcp open|filtered ssh 23/tcp open|filtered telnet 25/tcp open|filtered smtp 37/tcp open|filtered time 79/tcp open|filtered finger 80/tcp open|filtered http [many ports cut] 135/tcp open|filtered auth
  • 12. Hitting SCO Insecure.Org ACK Scan ACK Scan against DocSRV # nmap -sA -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo Interesting ports on docsrv.caldera.com (216.250.128.247): (The 1669 ports scanned but not shown below are in state: UNfiltered) PORT STATE SERVICE 135/tcp filtered msrpc 1434/tcp filtered ms-sql-m 32777/tcp filtered sometimes-rpc17 Nmap finished: 1 IP address (1 host up) scanned in 3.134 seconds
  • 13. Hitting SCO Insecure.Org Window Scan Scan against DocSRV Window # nmap -sW -p- -T4 docsrv.caldera.com Starting Nmap 3.97Shmoo ( http://www.insecure.org/nmap/ ) Interesting ports on docsrv.caldera.com (216.250.128.247): (The 65479 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 7/tcp open echo 9/tcp open discard 11/tcp open systat 13/tcp open daytime 15/tcp open netstat 19/tcp open chargen 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 37/tcp open time 79/tcp open finger 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 135/tcp filtered msrpc 143/tcp open imap
  • 14. Scanning Techniques Mission 2 Locate webserver(s) on the Playboy.Com network offering free images
  • 15. Hitting Playboy Insecure.Org Step 1: Find Network to Scan Step one, finding the network. Step 1: Find the network to scan core~> whois -h whois.arin.net n playboy [...] OrgName: Playboy OrgID: PLAYBO Address: 680 N. Lake Shore Drive City: Chicago StateProv: IL PostalCode: 60611 Country: US NetRange: 216.163.128.0 - 216.163.143.255 CIDR: 216.163.128.0/20 [...]
  • 16. Hitting Playboy Running the initial scan. Insecure.Org Initial Try nmap -P0 -p80 -oG pb.gnmap 216.163.128.0/20 Starting nmap 3.81 [...] Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 1236.309 seconds
  • 17. Hitting Playboy Now wait a second! That took just under 21 minutes! Is there a way to cut that time down?
  • 18. Hitting Playboy First we need to get hosts to figure out the timing. Insecure.Org Help Nmap Out with Timing Information > host www.playboy.com www.playboy.com has address 209.247.228.201 Mail servers (host -t mx playboy.com): mx.la.playboy.com. 10 216.163.128.15 mx.chi.playboy.com. 5 216.163.143.4
  • 19. Hitting Playboy Now we need to ping them to get a round Insecure.Org trip time. Perhaps TCP Ping Will Work Better # hping2 --syn -p 25 -c 5 mx.chi.playboy.com HPING mx.chi.playboy.com (eth0 216.163.143.4) 46 bytes from 216.163.143.4: flags=SA 46 bytes from 216.163.143.4: flags=SA [cut] --- mx.chi.playboy.com hping statistic --- 5 packets transmitted, 5 packets received round-trip min/avg/max = 56.8/58.0/61.8 ms # hping2 --syn -p 25 -c 5 mx.la.playboy.com HPING mx.la.playboy.com (eth0 216.163.128.15) 46 bytes from 216.163.128.15: flags=SA 46 bytes from 216.163.128.15: flags=SA [cut] --- mx.la.playboy.com hping statistic --- 5 packets transmitted, 5 packets received round-trip min/avg/max = 15.4/15.8/16.4 ms
  • 20. Hitting Playboy Ok, I think we can write a better scan now. Insecure.Org Designing a Faster Scan nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 -P0 -p80 -oG pb2.gnmap 216.163.128.0/20
  • 21. Hitting Playboy Insecure.Org OMGWTFLOL! 3.97Shmoo + --max_retries Upgrade to That scanned a lot faster! # nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 -- min_hostgroup 512 --max_retries 0 -P0 -p80 -oG pb3.gnmap 216.163.128.0/20 Starting nmap 3.97Shmoo [...] Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 289.579 seconds Under 5 Minutes!
  • 22. Hitting Playboy 5 minutes. Thats pretty good! Can we cut it down more though?
  • 23. Hitting Playboy Insecure.Org Turning off DNS (-n) in the scan... Skip DNS # nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 -- min_hostgroup 512 –max_retries 0 -n -P0 -p80 -oG pb3.gnmap 216.163.128.0/20 Starting nmap 3.97Shmoo [...] Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 46.052 seconds 46 seconds!
  • 24. Hitting Playboy Mmmm...pretty webservers! Insecure.Org Time for the Results! > grep 80/open pb3.gnmap | awk '{print $2}' 216.163.129.20 216.163.136.21 216.163.136.22 216.163.136.27 216.163.136.29 216.163.136.30 216.163.136.31 216.163.137.3 216.163.137.4 216.163.137.5 216.163.137.6 216.163.137.7 216.163.137.8 216.163.137.9 216.163.137.10 216.163.137.11 216.163.137.12 216.163.137.13 216.163.137.14 216.163.137.15 216.163.137.16 216.163.137.17 216.163.137.18 216.163.137.19 216.163.137.20 216.163.137.21 216.163.137.22 216.163.137.23 216.163.137.25 216.163.137.26 216.163.137.27 216.163.140.20 216.163.143.11
  • 25. Hitting Playboy Well what does that first IP hand out? Interesting....but not what we are looking for.
  • 26. Hitting Playboy Well what about the 3rd entry? Eureka! We have images!
  • 28. Scanning Techniques The vast majority of mission data was provided by Fyodor. Thank him fellas!