The second phase of ethical hacking and penetration testing consists of two steps: port scanning and enumeration. We will discuss these two steps separately. If you do not know about the first phase of penetration testing, click here.
So the first question that pops into mind is: what is scanning, and how is it done?
Scanning takes the knowledge discovered during reconnaissance and uses it to look at the network. Once the attacker has enough information to know how the business works and what useful information could be available, he or she begins the process of scanning perimeter and internal network devices looking for weaknesses.
The key aspects to look for in scanning are:
- Open ports and network services in the target environment.
- Open services.
- Openly accessible shared drives.
- Openly accessible FTP servers.
- Vulnerable or outdated applications, including operating systems.
- Weak protection of data in transit.
- Make and model of every piece of LAN/WAN equipment.
The most commonly used port-scanning tool is Nmap. It comes pre-installed in Kali Linux and offers many options for the type of scan a hacker wants to perform. For example:
- To scan a specific port range: nmap -p 0-100 10.10.10.1
- To identify the OS: nmap -O 10.10.10.1
- To run a more detailed scan: nmap -sS -sV -sC 10.10.10.1 (-sS is a TCP SYN scan, -sV is service/version detection that reads data from the service banner, -sC runs the default script scan).
- To check for a specific vulnerability on the victim's machine: nmap -sV --script=rdp-vuln-ms12-020 10.10.10.1 (rdp-vuln-ms12-020 is the script that checks for the MS12-020 vulnerability).
There is another tool called Zenmap, a GUI front-end for Nmap, where there is no need to type any command; you simply select the type of scan you want.
Enumeration in information security is the process of extracting user names, machine names, network resources, and other services from a system. All the gathered information is used to spot the vulnerabilities or weak points in the system's security, which the attacker then tries to take advantage of. The key aspects to follow while doing enumeration:
- Enumerating Windows Active Directory for this information.
- NetBIOS name enumeration with NBTscan.
- Establishing null sessions and connections. Null-session tools such as DumpSec, Winfo and Sid2User can be used to perform this attack.
Techniques for Enumeration
There are several ways to gather data such as network users, routing tables, and Simple Network Management Protocol (SNMP) information. Let us see how to get this valuable information.
- Extracting Information Using Default Passwords: Many online wordlists of commonly used passwords are available for password cracking. The wordlist generally used is rockyou.txt, and the usual tools are fcrackzip for ZIP files and John the Ripper, a password cracker that takes password hashes and tries to crack them.
- Brute Force Active Directory: If there is a weakness in the software's validation, you could enumerate valid usernames and passwords by brute force. Active Directory can help you discover when these attacks are happening and where they are coming from.
- Extract Username Using SNMP: Using the SNMP APIs, attackers can guess the community strings through which they then extract the required usernames.
So this covers the scanning and enumeration part of the second phase of penetration testing. Now the question remains: how do you know if a hacker is scanning your machine? Let's find out.
A utility like an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) comes in handy in these types of situations, as an Nmap scan usually gets detected unless it uses IDS evasion methods. Even without one, you can generally track down these activities by looking at the log files on the target machine.
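As an added example (not part of the original post), here is the kind of check a defender can run over firewall or connection logs to spot the scanning described above: one source hitting many distinct destination ports on one host in a short window. The log format and the sample lines are constructed for this example, not taken from any real device.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified firewall-log format assumed for this example (constructed, not a real vendor format).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Constructed sample: one source probing 13 ports in 13 seconds, one normal client, one junk line.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389]
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} DENY src=203.0.113.5 dst=10.10.10.1 dport={p} proto=tcp"
    for i, p in enumerate(SCAN_PORTS)
] + [
    "2024-05-01T10:00:05 ACCEPT src=198.51.100.7 dst=10.10.10.1 dport=443 proto=tcp",
    "2024-05-01T10:03:00 ACCEPT src=198.51.100.7 dst=10.10.10.1 dport=443 proto=tcp",
    "2024-05-01T10:09:00 ACCEPT src=198.51.100.7 dst=10.10.10.1 dport=80 proto=tcp",
    "unrelated syslog line that the parser must skip",
]

def parse_line(line):
    """Return a dict for a matching log line, or None for anything the regex does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec

def detect_port_scans(lines, min_ports=10, window_seconds=60):
    """Map (src, dst) -> max distinct ports hit inside any window, for pairs reaching min_ports.
    A sliding window over time-sorted events catches a burst even if the scan runs for longer."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:  # both ACCEPT and DENY count: a scan touches open and closed ports alike
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1  # drop events that fell out of the window
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts
```

On a real network, tune min_ports and window_seconds to the host's normal traffic; the SYN scan shown earlier appears as a burst of DENY entries across many ports from a single source.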
But veteran black-hat hackers know all the tricks and typically go undetected. Knowledge at that level comes only with experience, so be sure to keep practising and give your best without looking for any payouts.