Nmap

PORT SCANNING WRAP UP

Techie Talks December 5, 2017

1 2,770 2 minutes read

Port Scanning Wrap Up: Now that we have covered the basics of port scanning, there are a few additional switches that need to be covered. These switches provide extended functionality that may be useful to you as you progress in your penetration testing career.

PORT SCANNING WRAP UP

As mentioned earlier, the “sV” switch is used to version scanning. When conducting version scanning, Nmap sends probes to the open port in an attempt to determine specific information about the service that is listening.

When possible, Nmap will provide details about the service including version numbers and other banner information. This information should be recorded in your notes.

It is recommended that you use the “-sV” switch whenever possible, especially on unusual or unexpected ports, because a wily administrator may have moved his web server to port 34567 in an attempt to obscure the service.

Nmap includes an option to change the speed of your port scan. This is done with the “-T” switch.

The timing switch ranges on a numeric scale from 0 to 5, with 0 being the slowest scan and 5, the fastest. Timing options can be extremely useful depending on the situation.

Slow scans are great for avoiding detection while fast scan can be helpful when you have a limited amount of time or large number of hosts to scan.

NOTE:- Please be aware that by using the fastest scan possible, Nmap may provide less accurate results.

Last, the “-0” switch can be useful for fingerprinting the operating system. This is handy for determining if the target you are attacking is a Windows, Linux, or other type of machine.

Knowing the operating system of your target will save you time by allowing you to focus your attack to know weaknesses of that system. There is no use in exploring exploits for a Linux machine if your target is running windows.

Once we have completed port scanning our target, we should have a list of open ports and services. This information needs to be documented and reviewed closely.

While reviewing the Nmap output, you should take a few moments to attempt to log into any remote access service that were discovered in your port scan. The next chapter will address running a brute force tool to attempt to login.

For the time being, you can attempt to login using default user names and passwords. You could also try logging in using any information, user names, or a penetration test by simply discovering an open remote connection and logging into the box with a default user name and password.

Telnet and SSH are great remote services that you should always try to connect to. You can do this from the command line by typing.

telnet target_ip

ssh root@target_ip

In this example, the “target_ip” is the IP address of your victim, most likely these will fail, but on the rare occasion when you are successful, they are an absolute home run.