1、 Banner grabbing with Netcat
Netcat is multipurpose networking tool that can be used to perform multiple information gathering an d scanning tasks with kali linux ,this specific recipe will demonstrate how to use Netcat to acquire service banners in order to identify the service banners eto indetify the service association with open ports on a target system .
To use the Netcat to grab service banners , on must establish a socket connection to the intended port on the remote system .to quickly understand the usage of the Netcat an how it can be used for thhis purpose ,one can call upon the usage output, we can use the command nc -h option :
2、the -v opton was used to provide verbose output and the the -n option was used to connnect with the the ip address without DNS resolution , we can see the banner returned by the remote host identifies the service as SSH ,the vendor as openSSH,besides , we can use the siminal scan on port 21 of the same the system ,we can easily acqurie service and the version information ot the running TFP service .
2、Banner grabbing with Python sockets
the sockets mouule in python can be used to connect to network services running on remote ports . Once can interact directly with remote network service using the python interactive interpreter ,you can begin use the python interpreter by calling it driectly m in this here ,we can import any specific modules tha you wish to use , the specific is as follows :
the AF_INET arguments is used to indicate that the socket will employed an IPV4 address and the SOCK_STREAM argument is used to indicate that TCP transport will be used ,if an attempt is made to connect to TCP port 443 on the Metasploitable2 system ,an error will be returned indiciate taht the connection was refused , because there is no service running on this remote system
3、 use the python script to connect
the python script what just i note by utilizing the socket library ,the script loops through each of the specified target port address an attempts to initialize a TCP connection with that pratical port ,if a connection is established and a banner is recived from the target service , the banner will then be printed in the output of the script ,of course ,if a connection cannot be established with the remote port ,the script will then move to the next port address value in the loop.
4、Banner grabbing with Dmitry
Dmitry is a simple yet streamlined tool that can be used to connect to network services running on remote ports .Dmitry can be used to run a quick TCP ports scan on 150 of the remote commonly used services , this can be done using the -p option:
Dmitry is a simple command-line tool that can perform the task of banner grabbing with minimal overhead .Dmitry can streanline the process by only attempting banner grabbing on a small selection of predefined an dcommonly used ports, banners recived from services running on those port address are then returned in the terminal output of the script
5、Banner grabbing with Nmap NES
nmap has an intergateed Nmap Script Engrine script that can be used to read banners from network services running on remote ports , we can use the script ,use command --script option in Nmap and then specifiying the name of the descried script , for this particular script a -sT full-connect scan shjould be used as service banners can only be collected when a full TCP conection is established , the script will be applied to the same ports that are scanned by te fellows requests:
Nmap used the banner script to collect the service banner associated with the port , this same technical can be replied to a sequential range of the ports suing the --notation
the example command : nmap -sT 192.168.142.182 -p 1-100 --script=banner
6、Banner grabbing with Amap
Amap is an application-mapping tool that can be used read banners from network services running on remote ports , The -B option in Amap can be used to run the application in banner mode , this will have it collect banners for the specific IP address and service ports ,Amap can be used to collect the banner from a single service by specifying the remote IP address and service number :
to remove the scan metadata ,we can use grep the optput for a phrase that is unique to specific output entries and does not exist in the scan's metadata . we can use the command : amap -B 192.168.142.182 1-65535 | grep "on"
7、service identification with Nmap
first we can connect with the Metasploitable2 system by TCP : nc -nv 192.168.142.182 80 then to execute an Nmap service scan on the same port ,we can use the -sV option in conjunction eith the IP and Port specification : nmap 192.168.142.182 -p 80 -sV
this service identification function can also be used against a specific sequential series of ports ,if no port specificed ,the 1000 common ports will be scanned and identification attempts will be made for all listening services that are identified .
8、Service identification with Amap
to perform service identification on a single port , run Amap, with the ip address and port number specifications : amap 192.168.142.182 80
amap can also be used to scan a senquential servies of port numbers using dash notation . amap 192.168.142.182 20-90 To supress the information about unidentified ports , the -q option can be used : amap 192.168.142.182 1-100 -q and the banners can be appended to the output associated with each port using -n option :
amap 192.168.142.182 1-100 -qb
but amap is not updated and well-maintained in the same way that Nmap is ,as such, Aamp is less likely to produce reliable results
9、Operating system identification with Scapy
we know windows and linux/Unix operating systems have different TTL starting values that are used by default ,this factor can be used to attempt to fingerprint the type of operating system:
generally speaking the Windows TTL=128 and the Linux/Unix OS TTL=64 but TTL valus can modify .
and then we create both IP and ICMP layer , we need to construct the request by stacking those layse:
first construct the IP layer : linux= "192.168.142.182"
windows= "192.168.1.101"
i=IP()
i.dst=linux
ping=ICMP()
request=(i/ping)
ans=sr1(request)
the follow figure is Linux TTL
the follow figure is Windows TTL
addination , we can use the python test the TTL values
note the Scapy must use Python Version is 2.7
10、Operating system identification with Nmap
to perform an Nmap operating system identificatio scan , Nmap should be called with the IP adddress specificatio adn the -O option : nmap 192.168.142.182 -O
the Nmap operating system identification sends a comprehensive series of probing requests and analyzes the responses to those quests in attempt to identify the undering operating system based on Os-specific signature and expected behavior,
11、Operating System identificatio with xProbe2
the progrm needs to be passed a single argument that consists of the IP address of the system to be scanned
11、Passive operating system identificatio with p0f
the tool perform operating system identification passively and without drectly intercacting with the target system
12、Snmp analysis with Onesixtyone
Onesixtyone is an Snmap tool that is named for the UDP port upon with SNMP operate it is a very simple SNMP scanner that only requests the system description value for any specific IP address , SNMP is a protocol that can be used to manage netwoeked device and facilitate the sharing of information across those device , the usage of this protocol is often necessary in enterprise network environment.
additional we can use the SNMPwalk analysis the remote system device . SNmpwalk cycle througha series of request to gather as much informationas possible from the service .
13、 Firewall identification with Scapy
to perform an Nmap SCK scan ,Nmap shjould be called with the ip address sepcification , the destination port ,and the -sA option :
nmap -sA 192.168.142.182 -p 22
notice that when we scanning a range of ports , the output only includes unfiltered ports:
nmap -sA 83.166.169.228
13、 to use Metasploit ACK scan module to perform firewall and filtering identification. for more systems , 25 threads is a fast and reasonably safe number of concurrent processes .
Metasploit offers auxiliary module that perform firewall identification through many of teh some techniques that have been discussed in the previous recipe ,however, metasploit also offers the capbility to perform this analysis with the context of a farmework that can be used for other information gathering and even exploitation ,as well .