Kali Linux – Scanning: Comprehensive Network Exploration

Delve into the intricacies of network scanning with Kali Linux, using advanced tools and techniques for cybersecurity analysis.

Preparing Vulnerable Machines for Scanning

Set up your lab environment with these vulnerable machines to practice your scanning skills.

Essential Tools for Network Scanning

Explore a range of tools designed for effective network scanning in Kali Linux.

Executing Advanced Scanning Commands

Master network scanning with a series of Nmap commands tailored to different scanning objectives.

Utilizing Nmap Scripts for Targeted Scanning

Learn how to leverage Nmap's scripting engine (NSE) for targeted and efficient scanning operations.

Concluding Notes and Resources

A summary of the key takeaways from the article, with additional resources for further learning.


Vulnerable Machines for your Lab:

1. Metasploitable (default login msfadmin / msfadmin)
2. UltimateLAMP
3. Web Security Dojo
4. OWASP Hackademic
5. DVWA (Damn Vulnerable Web Application)
6. Mutillidae
7. De-ICE
8. OWASP WebGoat
9. Google Gruyere
10. old Ubuntu releases

            Tools:


Commands:

• use sudo netdiscover to list the active hosts on your local network (ARP-based discovery)
• use netstat -nr (or ip route) to find the router/gateway
• use nmap 192.168.1.1/24 to scan the entire subnet for open ports (by default the 1,000 most common TCP ports on each host)
• use sudo nmap -sS 192.168.1.2 for a TCP SYN scan: Kali sends the SYN, reads the SYN/ACK (open) or RST (closed) and then resets instead of completing the three-way handshake; root is needed because Nmap crafts raw packets
• use sudo nmap -sU 192.168.1.2 for a UDP scan
• use sudo nmap -O 192.168.1.2 to fingerprint the operating system running on the target machine
• use sudo nmap -sV --version-intensity 9 192.168.1.2 to identify the software version behind each open port with the most aggressive probing (intensity ranges from 0 to 9, default 7)
• use sudo nmap -sV 192.168.222.127 -p- to scan all 65,535 TCP ports on a target machine (port 0 is excluded unless requested explicitly)
• use sudo nmap -A 192.168.1.2 (aggressive) to enable OS detection, version detection, default script scanning and traceroute in one run
• use nmap -sn 192.168.1.1/24 to check which hosts are up without port-scanning them
• use nmap -p 80,22 192.168.1.1 to check specific ports on the target host, in this case ports 22 and 80
• use nmap -p 1-65535 192.168.1.1 to check a range of ports
• use nmap -F 192.168.1.1 to scan the top 100 ports (the most commonly used ones, not ports 1 to 100)
• use sudo nmap -f 192.168.1.1 to split each probe into tiny fragments of at most 8 bytes after the IP header, so a 20-byte TCP header travels as three fragments; this can slip past firewalls or IDS sensors that do not reassemble fragments before inspecting them
• use sudo nmap -f -f 192.168.1.1 (or -ff) to use 16 bytes per fragment instead
• use sudo nmap -D 192.168.1.2,192.168.1.3,192.168.1.5,ME <target IP> to send the scan from several spoofed decoy source addresses in addition to your own (ME marks where your real address appears in the sequence), so the target's logs cannot tell which address is the real scanner
• use sudo nmap -sS 192.168.1.1 >> outputofscan.txt to append the scan output to a file instead of printing it to the terminal (Nmap's own -oN outputofscan.txt writes the file while still showing the output on screen)
• use sudo nmap --script auth -sS 192.168.1.1 to run an entire category of scripts (here auth) against the target; on Metasploitable this found tomcat:tomcat on port 8180
• use sudo nmap --script malware -sS 192.168.1.1 to check whether the target machine shows signs of a malware infection
• use sudo nmap --script banner -sS 192.168.1.1 to collect the banner each open port sends on connection (usually an information disclosure: the exact version of the software running on that port)
• use sudo nmap --script exploit -sS 192.168.1.1 to run the scripts that actively exploit known vulnerabilities (port 21 ftp user: root pass: root)
• use nmap --script-help firewall-bypass to read what a given script is able to do
• use sudo nmap --script firewall-bypass 192.168.1.1 to execute the script mentioned above
• the scripts themselves live in /usr/share/nmap/scripts/, so a script can be named with or without the .nse extension
• use ftp 192.168.1.1 to connect to the target's FTP service (anonymous | password123; type help for the command list and exit to leave)
• use sudo nmap -sV 192.168.1.2 to discover the software version running on an open port (default intensity is 7) and then simply search the web for the software and version plus "exploit" (example: VSFTPD v2.3.4 Backdoor Command Execution – https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/) or (apache httpd 2.2.8 exploit – https://charlesreid1.com/wiki/Metasploitable/Apache | https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=66&version_id=416233)
• use searchsploit UnrealIRCd to search Kali's local copy of Exploit-DB for exploits that could be used against that software
• use locate 49757.py to find the path of a script listed by searchsploit for the vulnerability identified above (searchsploit -m 49757 copies it into the current directory)
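The commands above leave you reading Nmap's output by eye and typing each version string into searchsploit by hand. As an added example, not from the original article, the POSIX shell script below parses Nmap's grepable output (-oG) into one line per open service and extracts the distinct version strings to look up. The sample scan output embedded in it is constructed to resemble a Metasploitable host and is not real scan data; when given a target argument the script runs nmap -sV itself.

```shell
#!/bin/sh
# Added example (not from the original article): parse Nmap grepable output
# (-oG) into one line per open service, ready for searchsploit lookups.
# In -oG "Ports:" entries the fields are port/state/proto/owner/service/rpc/version/
# and any "/" inside a version string is replaced by "|" so the fields stay splittable.

# sample_og prints a constructed -oG result modelled on a Metasploitable host.
# It is embedded here so the script runs offline; it is not real scan data.
sample_og() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.2\n'
  printf 'Host: 192.168.1.2 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, '
  printf '22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, '
  printf '25/filtered/tcp//smtp///, '
  printf '8180/open/tcp//http//Apache Tomcat|Coyote JSP engine 1.1/\tIgnored State: closed (996)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n'
}

# parse_open_services reads -oG text on stdin and prints
# "<ip> <port>/<proto> <service> <version>" for every port in state "open".
# Closed and filtered ports are dropped; a missing version is shown as "-".
parse_open_services() {
  awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); ip = h[2]
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entries, ", ")
      for (j = 1; j <= n; j++) {
        split(entries[j], f, "/")
        if (f[2] != "open") continue
        v = f[7]; if (v == "") v = "-"
        gsub(/\|/, "/", v)                     # restore the "/" Nmap escaped
        printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], v
      }
    }'
}

# search_terms prints the distinct version strings, one per line, which is
# what you would hand to searchsploit (e.g. "vsftpd 2.3.4").
search_terms() {
  parse_open_services | awk '$4 != "-" { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }' | sort -u
}

# With a target argument, run the real scan (-sV does not need root; Nmap
# falls back to a connect scan when unprivileged). Without one, parse the sample.
if [ $# -gt 0 ]; then
  command -v nmap >/dev/null 2>&1 || { echo "nmap is not installed" >&2; exit 1; }
  nmap -sV -oG - "$1" | parse_open_services
else
  sample_og | parse_open_services
fi
```

Run it as sh scan_services.sh 192.168.1.2 against a lab host, or with no argument to see the parser work on the embedded sample. If you save the scan as XML instead (-oX scan.xml), searchsploit --nmap scan.xml performs the same version lookup directly.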

            Notes:

• prefer sudo nmap -sS 192.168.1.2 over nmap -sT 192.168.1.2: -sT completes the TCP handshake, so the listening application sees a real connection and usually logs it; -sS resets the connection after the SYN/ACK, which the application never sees, so it leaves fewer traces on the target (an IDS watching the wire can still see both kinds of scan)

            Resources:

• use ls /usr/share/nmap/scripts/ for a full list of the installed Nmap scripts that could help with target scanning; the scripting engine is described here: https://nmap.org/book/nse-usage.html

Cogeanu Marius (https://cogeanu.com)

Marius Cogeanu is a distinguished IT consultant and cybersecurity virtuoso based in Prague, Czechia. With a rich 20-year journey in the IT realm, Marius has carved a niche in network security and technological solutions, adeptly harmonizing tech with business requirements. His experience spans from Kyndryl to IBM, and as a valued independent consultant, where he's renowned for his innovative approaches in enhancing business operations with cutting-edge tech. Marius's forte lies in demystifying complex IT concepts, ensuring clarity and alignment for stakeholders at all levels. His commitment to staying at the forefront of industry trends and seeking innovative solutions cements his status as a go-to expert in cybersecurity. Driven by a fervent passion for technology and its potential to revolutionize businesses, Marius thrives on tackling challenging ventures, applying his prowess in network design, IT service management, and strategic planning. Currently, Marius is focused on leading-edge IT project management, infrastructure design, and fortifying cybersecurity, guiding clients through the intricate digital landscape with unmatched expertise and insight. Discover more on https://cogeanu.com
