
Tuesday, March 1, 2022

Nmap For Network Reconnaissance

Most of the time, especially as a hacker, you need a way to identify and investigate the target network, whether a company has assigned it to you or you operate in the shadows (which I recommend you don't lol). Aside from passively collecting information that is publicly accessible on the internet, a method called passive reconnaissance, it is also possible to actively gather quite useful information about a specific target or target network, which is called active reconnaissance.

Nmap, a network auditing and reconnaissance tool used by network engineers and system administrators, can also be used by hackers to find and gain access to uncontrolled parts of a system. Nmap can identify the active hosts on a target network, their open TCP ports and the services running on those ports, and it can even run the NSE scripts shipped with the suite to do a more detailed analysis of the target network. Nmap can be installed on Windows and on the majority of Linux distributions, and comes pre-installed in Kali Linux, a penetration testing and information security Linux distribution. To follow along, you can download Nmap here.

Basics of Networking (enough to get the point across)

A network is essentially a bunch of devices connected together with the ability to transfer information and/or data between them. For this to work, the devices need a way to be identified, and this is done using IP addresses. Every device, including the one you are using to view this, has been assigned an IP address by your Internet Service Provider. That IP address is essentially your identifier on the internet. The Internet itself, which in full is 'International Network', is a plethora of computers, servers and devices connected with each other, with the ability to transfer all this information. There is much more to networking, but this is the surface-level information you need to understand how useful Nmap is.

Consider the following:

[Screenshot: Nmap "Aggressive Scan"]

Above is an Nmap scan: an "Aggressive" scan (indicated by the "-A" flag) was conducted against the target domain "scanme.nmap.org". This scan has uncovered a lot of information about the remote target, such as its IP address (45.33.32.156) as well as the open ports found on that IP address/domain. Within a target host, various services are open in order to process information. For example, the file transfer service (FTP) is usually configured on port 21, and SSH, which provides encrypted remote access to a server or computer, is usually configured on port 22. So for every open port there is a respective service, provided by software of some sort, that runs on that port.

Above, we found the following:

PORT 22, which is SSH and the software version running on this port is OpenSSH 6.6.1p1 Ubuntu

PORT 80, which is HTTP and the software version running on this port is Apache httpd 2.4.7 (Ubuntu Web Server)

As well as other ports that would need more extensive research. From this one Nmap scan we have already enumerated the open ports, the services running on them, the versions of those services, and even the operating system of the web server. This information can be VERY useful, as a hacker can search for vulnerabilities in these services, exploit them and gain remote access to the host or the network. Aside from performing recon on a local network, you can also conduct recon on a remote network.
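As an added example (not code from the original post), here is a small Python parser for the normal output of an `nmap -A` scan like the one above. It turns the PORT/STATE/SERVICE/VERSION table into an inventory a defender can review, and separates the ports that got a version string from the ones that still need more research. The sample output is constructed to mirror the post's findings; it is not a real capture, and the extra ports and version suffixes are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -A` normal output, modelled on the post's findings.
# Not a real capture: the extra ports and version suffixes are illustrative.
SAMPLE_OUTPUT = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
PORT      STATE  SERVICE    VERSION
22/tcp    open   ssh        OpenSSH 6.6.1p1 Ubuntu (Ubuntu Linux; protocol 2.0)
80/tcp    open   http       Apache httpd 2.4.7 ((Ubuntu))
9929/tcp  open   nping-echo Nping echo
31337/tcp open   tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when -A could not fingerprint the software

def parse_nmap_report(text):
    """Return (hostname, ip, [PortRecord, ...]) from normal output for one host."""
    hostname = ip = None
    ports = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # "Nmap scan report for host (ip)"; no "(ip)" part when a bare IP was scanned
            hostname, ip = m.group(1), m.group(2) or m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:  # one row of the PORT/STATE/SERVICE/VERSION table; the header row does not match
            ports.append(PortRecord(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), (m.group(5) or "").strip()))
    return hostname, ip, ports

def open_services(text):
    """'port/proto' -> version string for every open port: the exposure inventory."""
    _, _, ports = parse_nmap_report(text)
    return {f"{p.port}/{p.proto}": p.version for p in ports if p.state == "open"}

def unfingerprinted(text):
    """Open ports with no version string, the post's 'needs more research' cases."""
    _, _, ports = parse_nmap_report(text)
    return [f"{p.port}/{p.proto}" for p in ports if p.state == "open" and not p.version]
```

Feed it the saved output of a real scan (`nmap -A target > scan.txt`) and `open_services` gives you the list of exposed software versions to check against vendor advisories.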

NSE scripts can perform more advanced reconnaissance, automate brute-force attacks, detect CVEs, detect Web Application Firewalls that block malicious network traffic to and from the web server they protect, and many other useful tasks. Nmap has proven itself within the security industry, from malicious attackers, security researchers, system administrators and network engineers to ethical hackers, as a tool that provides effectiveness and accuracy in its auditing and fingerprinting of systems and networks. This post has outlined the basic functionality of Nmap. In future posts, I will show how NSE scripts can detect vulnerabilities, automate brute-force attacks and perform other useful reconnaissance techniques.


