Pentesting Tutorial 1 - Information Gathering Part 1: Nmap


All tutorials will need: Backtrack 5, Pentesting Lab, and Patience

This will be the first tutorial on a series that will give a basic walkthrough of a penetration test. There are many tools on the backtrack distro that will not be covered in these, but if any readers have any questions about other tools, message me. This is part one of information gathering, it will focus on finding live hosts on the network, port scanning and versions of software that is running on those ports.
Let's begin..

For this tutorial, you will need to have knowledge of google hacking, and the concept of information gathering. We are going to jump right in and skip the rest of the introduction. If this were a true pentest we would start by using google to gather as much information as we can about our target organization. Queries that are usefull can be found in Johnny Long's GHDB, you task is to perform research of the GHDB and practice the queries on your own. Since we already know our target we are going to start gathering as much information as we can about target machines on the network.
For this exercise we will use the following tools: Nmap
Over the years Nmap has had many different features added, one of the more recent is the vulnerability checking modules. If you do not know about these, go to google and research them. One thing about this tutorial is to get you to learn to use google to perform your own research so there will be some steps that I will tell you to research on your own.
The first thing we want to do is find live hosts on the network, this can be achieved through the use of Nmap. With this command we will also check the service version of each open port. There are many other commands that are built into Nmap, which can be found using the Nmap -h command or just typing Nmap. Ok here we go..
We are on the 192.168 network.
nmap -sV
This command will scan all 254 hosts on the network and enumerate open ports along with the version of the software running on that port. The network I am using only has 2 machines on it, I did this to shorten the tutorials. Here are the results:

Nmap scan report for
Host is up (0.0080s latency).
Not shown: 995 filtered ports
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 00:25:22:12:C7:7F (ASRock Incorporation)
Service Info: OS: Windows

Nmap scan report for
Host is up (0.022s latency).
Not shown: 996 filtered ports
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or earlier
22/tcp open ssh OpenSSH 4.7 or earlier
80/tcp open http Apache httpd 2.2.4 ((Fedora))
MAC Address: 00:21:2F:36:D2:E2 (Phoebe Micro)

If we had a larger network, the switch -p could be used to specify which ports to look for like so:
nmap -sV -p 21,80,445

One thing that I recommend is to always, I mean always scan the network in UDP mode and look for open SNMP ports. Older versions of SNMP are vulnerable to attack since they use the strings public and private for logins. If you do not know what SNMP or the SNMP ports are, google is your friend.
To perform this kind of information gathering you would use the -sU switch to tell nmap to scan the udp ports. So the command would look like so:
nmap -sU -p161, 162
We specify ports 161 and 162 since these are the ports that snmp runs on.
Nmap scan report for
Host is up (0.022s latency).
Not shown: 996 filtered ports
161/udp open snmp snmp (protocol 1.0)
MAC Address: 00:21:2F:36:D2:E2 (Phoebe Micro)

When runnin udp scans remember that the udp protocol does not verify the connection so it is a good idea to verify the port is actually open by connecting with netcat.

Lets jump into some of the scripts that can be used to check for vulnerabilities. To get help with a specific script you would just type:
nmap --script-help script name
This will give you output about the script and what it does.

The first scripts we will use is the smb scripts since we have a server reporting an smb port 445 open.
nmap -sS --script smb-os-discovery
nmap -sS --script smb-check-vulns
nmap -sS --script smb-enum-users
nmap -sS --script smb-enum-shares
As you can see I added a -sS to the command, this will cause nmap to run in stealth mode. Also I would like to note that in a way i'm starting to set up for the second part with the enumeration scripts. Since this server is not a microsoft server, there are no smb shares running, only samba. The above example was to give you a good idea of the syntax and how the commands work. Let's jump to a microsoft machine so you can see some output.
nmap -sS --script smb-enum-shares
Host script results:
| smb-enum-shares:
| Anonymous access:
| Current user ('guest') access:
| C$
| Anonymous access:
| Current user ('guest') access:
| E$
| Anonymous access:
| Current user ('guest') access:
| IPC$
| Anonymous access: READ
| Current user ('guest') access: READ
| Current user ('guest') access: READ
| movies
| Anonymous access:
| Current user ('guest') access: READ
| print$
| Anonymous access:
|_ Current user ('guest') access: READ

Nmap done: 1 IP address (1 host up) scanned in 8.37 seconds

nmap -sS --script smb-check-vulns
Host script results:
| smb-check-vulns:
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to r
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

nmap -sS --script smb-os-discovery
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| Name: MSHOME\gh0s7
|_ System time: 2012-06-25 19:41:16 UTC-7

As you can see these scripts are pretty useful, especially when you dont want to make a lot of noise on the network. Other scripts that are not covered in this tutorial can be located on the nmap website located here:
Let's see what else there is, ah yes, one of my favorites! Anonymous ftp!
This command will check for anoymous ftp logins on the target machine. Since none of our target machines have anonymous logins enabled there will be no output from the scan, but here is the code.
nmap -sS --script ftp-anon
Last but not least there is a switch that will allow you to run all scripts and many other options, here is the description from the help menu: Enable OS detection, version detection, script scanning, and traceroute
So to run this will be the following command: nmap -A
You can also add different scan types to the beggining of the line like so:
nmap -sS -A

There are also ways to add other arguments to the scripts, and even create your own. Refer to the above website for techniques to perform these tasks.
So now that we have gathered a list of machines on the network and the open ports, lets move on to Next we want to verify that the ports are actually open. The reason for this is that sometimes machines give false results, especially UDP ports.
The next tool we will use is one of my favorite tools, netcat. If we open a terminal and type nc. We will see the netcat help menu. Next we will run through the ports and try to connect with basic netcat commands: nc -v 445. This will launch netcat and connect to port 445. You may have to hit enter a couple times to get it to respond. You shouldn't see port closed by remote host. If it is then there are many things that could be closing the port. Be sure to document all open ports that have been verified. In up coming tutorials we will be using netcat to perform reverse connections back to our attack machine from the linux server. This will conclude the first tutorial, I will be posting the next tutorial in a few days.

Quick Bash Ping Sweep Script:

for $endIp in $(seq 1 254); do
ping -c 1 192.168.1.$endIp |grep "bytes from" | cut -d " " -f 4 | cut -d -f 1 &