Hacking Tony

Cyber security tutorials


How to scan computers/network with Nmap

In this tutorial we are going to see different ways to discover computers in a network and how to scan their ports to get some extra information about them. To do that we will use Nmap, a very powerful tool.

First of all, we are going to discover some computers in our network (192.168.0.0):

santi@kalibook:$ nmap -sn 192.168.1.0/24
 
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:05 CEST
Nmap scan report for 192.168.1.1
Host is up (0.017s latency).
Nmap scan report for 192.168.1.3
Host is up (0.013s latency).
Nmap scan report for 192.168.1.29
Host is up (0.00040s latency).
Nmap scan report for 192.168.1.32
Host is up (0.074s latency).
Nmap scan report for 192.168.1.254
Host is up (0.010s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 9.61 seconds
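The host discovery above is the kind of output a defender wants to turn into an asset check rather than read by eye. The following is an added example, not code from the original page: it parses the `nmap -sn` output shown above into a map of live hosts and compares it with a constructed inventory (the host roles are hypothetical; the page does not name them). Whatever answered the sweep but is missing from the inventory is a device to investigate.

```python
import ipaddress
import re

# Output of "nmap -sn 192.168.1.0/24" as shown above on this page.
PING_SWEEP_OUTPUT = """\
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:05 CEST
Nmap scan report for 192.168.1.1
Host is up (0.017s latency).
Nmap scan report for 192.168.1.3
Host is up (0.013s latency).
Nmap scan report for 192.168.1.29
Host is up (0.00040s latency).
Nmap scan report for 192.168.1.32
Host is up (0.074s latency).
Nmap scan report for 192.168.1.254
Host is up (0.010s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 9.61 seconds
"""

# Constructed asset inventory for the segment (hypothetical; the page names none of these roles).
KNOWN_HOSTS = {
    "192.168.1.1": "router",
    "192.168.1.3": "printer",
    "192.168.1.29": "kalibook (the scanning machine)",
    "192.168.1.254": "access point",
}

# "Nmap scan report for 192.168.1.1" or, with reverse DNS, "... for name (192.168.1.1)".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
UP_RE = re.compile(r"^Host is up \((?P<latency>[\d.]+)s latency\)\.$")
DONE_RE = re.compile(r"^Nmap done: \d+ IP address(?:es)? \((?P<up>\d+) hosts? up\)")


def parse_ping_sweep(text):
    """Return ({ip: latency_seconds}, hosts_up_as_reported_by_nmap).

    Raises ValueError if the per-host lines disagree with Nmap's own summary,
    which usually means the captured output was truncated.
    """
    hosts = {}
    reported_up = None
    current_ip = None
    for line in text.splitlines():
        line = line.strip()
        m = REPORT_RE.match(line)
        if m:
            current_ip = m.group("ip")
            continue
        m = UP_RE.match(line)
        if m and current_ip:
            hosts[current_ip] = float(m.group("latency"))
            current_ip = None
            continue
        m = DONE_RE.match(line)
        if m:
            reported_up = int(m.group("up"))
    if reported_up is not None and reported_up != len(hosts):
        raise ValueError(f"parsed {len(hosts)} hosts but Nmap reported {reported_up} up")
    return hosts, reported_up


def unknown_hosts(hosts, inventory):
    """IPs that answered the sweep but are not in the inventory: devices to investigate."""
    unknown = [ip for ip in hosts if ip not in inventory]
    return sorted(unknown, key=ipaddress.ip_address)


if __name__ == "__main__":
    live, reported = parse_ping_sweep(PING_SWEEP_OUTPUT)
    print(f"{len(live)} hosts answered (Nmap counted {reported})")
    for ip in unknown_hosts(live, KNOWN_HOSTS):
        print(f"  not in inventory: {ip} ({live[ip] * 1000:.1f} ms)")
```

With the inventory above, 192.168.1.32 is reported as unknown. Note the limitation the tutorial itself demonstrates next: a host whose firewall drops the probes (192.168.1.40 here) never appears in the sweep, so a ping sweep is a lower bound on what is live, not a complete inventory.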

Imagine that you want to guess which operating system is running on some of the computers you have scanned. In this case we will do it with a computer that is running Windows 7. We know the IP address of this computer because it is a virtual machine that is running at this moment. It does not appear in the list of discovered computers because its firewall is enabled. If we disable the firewall and scan our network again, this computer will appear in the list of connected computers.

Now we are going to scan this computer to try to guess which OS it is running and to get some extra information. First, we will try with the firewall enabled (the IP address is 192.168.1.40):

santi@kalibook:$ sudo nmap -O 192.168.1.40
 
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:05 CEST
Nmap scan report for 192.168.1.40
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.1.40 are filtered
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
 
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.73 seconds

We can see that we did not obtain any information about the remote computer. Next, we will disable the default firewall and try again with the same nmap options:

santi@kalibook:$ nmap -O 192.168.1.40
 
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:07 CEST
Nmap scan report for 192.168.1.40
Host is up (0.00016s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows 2008|10|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
 
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.30 seconds

Because the firewall was disabled we have obtained a lot of information about the remote computer: open ports, services running, MAC address and some extra information about which version of Windows is running and an approximation of how up to date it is (Service Packs installed on the remote computer). Now we can see how important it is to enable the firewall on our computer. If an attacker knows nothing about our computer, it will be more difficult for anyone to attack it.

We can also perform an intensive scan to get more information about the remote computer, such as which versions of some services are installed, the computer name, and more. To see an example of discovering services on the remote computer, we have installed FileZilla FTP Server on the Windows 7 machine.

santi@kalibook:$ nmap -A -T4 192.168.1.40
 
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 21:11 CEST
Nmap scan report for 192.168.1.40
Host is up (0.00024s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp   open  microsoft-ds (primary domain: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port445-TCP:V=6.49BETA4%I=7%D=9/10%Time=59B58E9A%P=x86_64-pc-linux-gnu%
SF:r(SMBProgNeg,7B,"\0\0\0w\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\x04\x11\0\0\0\0\x01\0\0\0\
SF:0\0\xfc\xe3\x01\0\xc4\x85&\xbah\*\xd3\x01\x88\xff\x082\0\x1a\xe8{\xd6y\
SF:xe3\xfc\xd3W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0U\0S\0U\0A\0R\0I\0O\0-\0P\0C\
SF:0\0\0");
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows 2008|10|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: USUARIO-PC; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98
 
Host script results:
|_nbstat: NetBIOS name: USUARIO-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5c:0e:94 (Cadmus Computer Systems)
| smb-os-discovery: 
|   OS: Windows 7 Enterprise N 7600 (Windows 7 Enterprise N 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::-
|   Computer name: Usuario-PC
|   NetBIOS computer name: USUARIO-PC
|   Workgroup: WORKGROUP
|_  System time: 2017-09-10T21:13:16+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms 192.168.1.40
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.23 seconds
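The two scans of 192.168.1.40 above (firewall on, where every port came back filtered, and firewall off, where the port table, OS guess and SMB script results appeared) share one text format. The following is an added example, not code from the original page or from the Nmap project: a parser for Nmap's per-host output (port table, `OS details`, and NSE `|`/`|_` script lines) plus an exposure check against a constructed workstation policy. The policy and the list of services it treats as risky are assumptions for the example; the page only shows the scan output.

```python
import re
from dataclasses import dataclass, field

# The -O scan with the firewall enabled (copied from this page).
FILTERED_SCAN = """\
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.1.40 are filtered
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
"""

# The -A scan with the firewall disabled, shortened to the lines the parser needs (copied from this page).
OPEN_SCAN = """\
Not shown: 989 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp   open  microsoft-ds (primary domain: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Enterprise N 7600 (Windows 7 Enterprise N 6.1)
|   Computer name: Usuario-PC
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# "21/tcp    open  ftp          FileZilla ftpd"; the VERSION column is optional.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")
FILTERED_RE = re.compile(r"^All \d+ scanned ports on \S+ are (?:filtered|closed)")
# NSE lines look like "|_key: value" or "|   key: value"; keys may contain spaces.
SCRIPT_RE = re.compile(r"^\|[_ ]\s*(?P<key>[\w -]+?): (?P<value>.*)$")


@dataclass
class ScanSummary:
    ports: list = field(default_factory=list)        # (port, proto, state, service, version)
    all_filtered: bool = False                       # the firewall answered nothing
    os_details: str = ""
    script_results: dict = field(default_factory=dict)

    def open_ports(self):
        return [p for p, _, state, _, _ in self.ports if state == "open"]


def parse_port_scan(text):
    """Build a ScanSummary from the text Nmap prints for one host."""
    summary = ScanSummary()
    for raw in text.splitlines():
        line = raw.rstrip()
        if FILTERED_RE.match(line):
            summary.all_filtered = True
            continue
        m = PORT_RE.match(line)
        if m:
            summary.ports.append((int(m.group("port")), m.group("proto"), m.group("state"),
                                  m.group("service"), (m.group("version") or "").strip()))
            continue
        if line.startswith("OS details: "):
            summary.os_details = line[len("OS details: "):]
            continue
        m = SCRIPT_RE.match(line)
        if m:
            summary.script_results[m.group("key")] = m.group("value")
    return summary


# Constructed exposure policy for a workstation (hypothetical, not from the page):
# services that should not be reachable from the LAN, with the reason a defender would give.
RISKY_SERVICES = {
    21: "FTP sends credentials in cleartext",
    135: "MSRPC endpoint mapper reachable",
    139: "NetBIOS session service reachable",
    445: "SMB file sharing reachable",
}


def exposure_findings(summary):
    """Findings a defender would raise from the scan; empty when the firewall filtered everything."""
    findings = []
    if summary.all_filtered:
        return findings
    for port, proto, state, service, _ in summary.ports:
        if state == "open" and port in RISKY_SERVICES:
            findings.append(f"{port}/{proto} {service}: {RISKY_SERVICES[port]}")
    if summary.script_results.get("message_signing", "").startswith("disabled"):
        findings.append("SMB message signing disabled (Nmap itself marks this as dangerous)")
    return findings


if __name__ == "__main__":
    for label, text in (("firewall on", FILTERED_SCAN), ("firewall off", OPEN_SCAN)):
        s = parse_port_scan(text)
        print(f"{label}: open={s.open_ports()} findings={len(exposure_findings(s))}")
```

Run against the two captures, the firewall-on scan yields no open ports and no findings, while the firewall-off scan yields six open ports and five findings (four exposed services plus the disabled SMB signing that Nmap already labels dangerous). That difference is the tutorial's point expressed as data: the same host, the same scanner, and the only change is whether the firewall answers.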

From now on we will have to choose a more specific tool depending on the service that we want to test. In this case, because we have found that the remote machine has an FTP service running, we could try to discover some vulnerability in it to check that our system is completely protected.

How to prevent this kind of attack

Maybe scanning ports cannot be considered a kind of attack, but sometimes it is the very first step in preparing an imminent one. That's why we must protect our computers from being scanned, and the best way to do that is to enable our firewall: with it enabled, Nmap reported every scanned port as filtered and could not identify the OS. Notice that this simple action can protect your computer against more sophisticated attacks, because if the attacker knows nothing about your computer, maybe he will never attack.
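The firewall recommended above does two things for a defender: it hides the host (the filtered result earlier in the tutorial) and, when logging is turned on, it records the dropped probes. The following is an added example, not code from the original page, showing how such drop records become a port-scan alert. The log format is hypothetical and constructed for the example, as are the sample lines; the detector flags a source that reaches many distinct ports on one destination inside a short window, while a chatty but legitimate client that keeps hitting a single port is left alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical host-firewall log format (constructed for this example, not from the page):
# "<ISO timestamp> <ACTION> src=<ip> dst=<ip> proto=<proto> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+)$")


def constructed_log():
    """Sample log lines built in code: one fast sweep plus ordinary file-share traffic."""
    base = datetime(2017, 9, 10, 20, 7, 0)
    lines = []
    # 20 different ports on 192.168.1.40 within 4 seconds, all dropped by its firewall.
    sweep_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                   443, 445, 993, 995, 1723, 3306, 3389, 5357, 5900, 8080]
    for i, port in enumerate(sweep_ports):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} DROP src=192.168.1.29 dst=192.168.1.40 proto=tcp dport={port}")
    # A neighbour talking to one port many times: many lines, but a single destination port.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} ALLOW src=192.168.1.3 dst=192.168.1.40 proto=tcp dport=445")
    return lines


def parse_events(lines):
    """(timestamp, action, src, dst, dport) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("action"),
                           m.group("src"), m.group("dst"), int(m.group("dport"))))
    events.sort()
    return events


def detect_port_scans(events, window_seconds=10, min_distinct_ports=15):
    """Flag (src, dst) pairs that reached >= min_distinct_ports different ports inside the window.

    Returns {(src, dst): (first_seen, last_seen, distinct_ports)} with the largest count observed.
    Counting distinct ports rather than packets keeps a chatty single-port client out of the result.
    """
    recent = defaultdict(deque)   # (src, dst) -> (timestamp, dport) entries inside the sliding window
    alerts = {}
    for ts, _action, src, dst, dport in events:
        key = (src, dst)
        window = recent[key]
        window.append((ts, dport))
        cutoff = ts - timedelta(seconds=window_seconds)
        while window and window[0][0] < cutoff:
            window.popleft()
        distinct = len({p for _, p in window})
        if distinct >= min_distinct_ports and (key not in alerts or distinct > alerts[key][2]):
            alerts[key] = (window[0][0], ts, distinct)
    return alerts


if __name__ == "__main__":
    for (src, dst), (first, last, n) in detect_port_scans(parse_events(constructed_log())).items():
        print(f"possible port scan: {src} -> {dst}, {n} ports between {first.time()} and {last.time()}")
```

On the constructed log the sweep from 192.168.1.29 is reported with 20 distinct ports, and the 30 connections from 192.168.1.3 to port 445 produce nothing, because they never exceed one distinct port. The threshold and window are tuning knobs: a slow scanner spreading probes over minutes needs a longer window, at the cost of more noise from legitimate multi-port clients.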


© 2017 Hacking Tony

scan_nmap.txt · Last modified: 2019/01/04 13:06 by 127.0.0.1