![]() Put that in your notes, finding a credential could lead to later exfiltrating some interesting data. There's a web server running, definitely note that so we can do some further file and directory enumeration with Gobuster. Dnsmasq and its version are worth checking for exploits. SSH is open and we get a public key, nothing too useful yet, but maybe we'll find some credentials later or get desperate and try to brute force a login. Note those so you can check for known exploits. There's also the FTP server application's name and version. ![]() Definitely make a note of that as something to check out later. For example, the FTP server allows for anonymous connections, meaning you can connect without needing to login. The complete output from Stapler is much longer, we just wanted to highlight a few juicy things it found. |_Can't get directory listing: PASV failed: 550 Permission denied. | ftp-anon: Anonymous FTP login allowed (FTP code 230) The basic Nmap is just running it with no flags, just the IP of the machine you are nmap 10.211.55.6 -sC ![]() You must explore every open port first, understanding the services running on each before forming a plan of attack. You cannot simply start beating down the door on the first interesting looking service you come across, many hours have been wasted with insufficient enumeration. With any pentest engagement or exercise, enumeration is key. Stapler has lots of open ports, so therefore lots of services that we can enumerate with Nmap. Follow the same flow as the last article to find Stapler's IP on your virtual network with (suprise suprise) Nmap and the -sn flag to ping the entire subnet for live hosts. They are intentionally vulnerable to hacking in some way though the machine acts as an exercise for your pentest skills in a safe, legal, controlled environment.įor this article and Stapler, go ahead and download the image and fire it up in your favorite virtualization platform along with Kali to follow along. If you recall from a recent article, boot-to-root images are virtual machines that are prebuilt with system services and other software installed and configured to look like a real-world server. To help explore some of the usage of Nmap, we're going to play with a boot-to-root image called Stapler. Using Kali & Stapler to Enumerate Targets with Nmap But let's dig into how you can and will daily use Nmap in your slightly less exciting pentesting operations. You probably won't be taking down power plants in a simulation of humanity anytime soon. Add some dramatic music and a flashing "ACCESS GRANTED" for the benefit of any non-hax0r viewers, all that's left is to connect via SSH, login as root, and the power system is pwned. Sshnuke then connects to 10.2.2.2 via SSH, exploits the vuln to get remote code execution, and runs the passwd command to change the root password to Z10N0101 (nice leet touch there with that password). Presumably, she used an Nmap to find machines with both port 22 open running a vulnerable version of the SSH server. The following "sshnuke" exploit is Hollywood shenanigans, but it is completely based on real pentesting methodology! That one line saying "Attempting to exploit SSHv1 CRC32" is based on a real buffer overflow that can provide remote command execution. Pause at four seconds in and you can see the end of Nmap's output showing a machine with SSH running on open port 22. Heck, even Trinity used it in this scene from The Matrix Reloaded. Vulnerable SMB equals the lowest hanging of fruit for getting SYSTEM access to a Windows server, and domain admin won't be far off for a capable pentester. Getting a list of these machines back by running a single command is gold. Tie these things together and it's super easy to script scanning a LAN for, say, Windows servers running unpatched versions of SMB. It's also completely extensible, meaning anyone can write add ons using the Nmap Scripting Engine. This open-source network scanner can do it all, from host discovery to port poking to OS detection. Today we're going to deep dive into the tippy top of those top tools, the pentester's Swiss Army knife, Nmap. We covered these top tools in a previous post and you can find these tools all over these cybersecurity courses. Learning all of them can be overwhelming, but a handful you'll keep coming back to day in and day out as you pursue pentesting savviness. The Linux pentesting distro is preloaded with hundreds of tools for exploration, enumeration, and exploitation.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |