Scanning and Enumeration Tutorial

Jason Dion • 200,000+ Students Worldwide

Lecture description

In this demonstration, you will learn how a simple tool like Zenmap (the GUI for Nmap) can be used to perform scanning and enumeration of a network.

Learn more from the full course

CompTIA Pentest+ (Ethical Hacking) Course & Practice Exam

Pass the CompTIA Pentest+ (PT0-001) exam on your 1st attempt, includes a Pentest+ practice exam!

08:12:53 of on-demand video • Updated September 2020

  • Take and pass the CompTIA Pentest+ (PT0-001) certification exam
  • Understand the penetration testing methodology
  • Understand how to plan and scope a penetration test
  • Understand how to conduct information gathering and enumeration
  • Understand how to exploit networks and systems during a pentest
  • Understand how to prepare a report and communicate your findings
Jason: So the first thing we want to do is we want to learn what the IP address of our Kali machine is, since we've just plugged it into our victim network. So let's go to Terminal. And because this is a Linux machine we're going to use ifconfig. And you can see here that we got the IP address of 192.168.56.102. Now the network mask is 255.255.255.0, which tells me that the scope on this network is a class C with 254 IP addresses. So it goes from 192.168.56.1 through 192.168.56.254, with the broadcast being reserved at 255. That's good information to know as we move forward. So the next thing we want to do is we want to bring up Zenmap, and to do that you're simply going to type zenmap from the command prompt, and to make sure my command prompt is still available for me to use afterwards I'm going to hit the & sign, which just means it's going to run it in the background. So now Zenmap pops up and we can start doing our scans. The first scan we want to do is the least intrusive, so we can figure out what machines are on this network. To do that we're going to do a ping scan. Our target for this network is going to be the entire network. So I'm going to use 192.168.56.0/24. That will tell me that I want that entire subnet. Now, another way you could write this is we can actually say 0-254, which would be all of those addresses as well. But in our case I would like to use the CIDR notation of /24. Now you'll notice here in Zenmap that we actually get the command line syntax for Nmap right here, shown for us. So Zenmap is going to use Nmap to do the work for us. But then it's going to take that detail and bring it back to us in a graphical format. Now right now the profile selected is the intense scan, and that's going to be way too intensive for what we're trying to do. So we're going to go down and select a ping scan instead. Notice that the ping scan is just -sn and the IP address range that you want. And now I'm going to click scan.
Now, here in this main tab, what you'll notice is you're going to see the results that Nmap would provide you. In our case all we did was a ping scan, so it searched 256 IP addresses and it found four of them that were up. Those four are the server, the DHCP server we set up, one of our virtual machines, our second virtual machine, and then our Kali Linux box ourselves. Now we don't necessarily know what these two machines are at this point, we just know that they're up and taking requests. But since we do know that 102 is our own machine, we don't need to scan that one anymore because we don't need to attack it. We want to attack these other two machines. So what we're going to do is we're going to take it a step further, and we're going to start doing different scans so we can gather different information. Now if you notice, if I click on the Ports/Hosts tab, there are no ports yet because we haven't scanned any ports. All we've done is ask: is this machine up or down? Here we can see in the Topology our network. And we can see that there are four hosts connected. And we can also do a fisheye, which makes it a little bit easier to see. You can see that we do have four hosts on the network. We have the three machines, plus the one DHCP server. Now if we look at Host Details, all we know is the status, that it's up. The only reason we know that is because I did a ping. We haven't scanned any ports yet. This is important to realize. So, let's go ahead and go back to our Nmap output and let's try a more intensive scan, but only targeting it to the two machines that we want to look at. Which were 101, excuse me, 100 and 101. And from here we're going to do what is called a quick scan. Now if you notice here, the quick scan is going to do some of the most common ports for us and find what information we can about this. So let's go ahead and do a quick scan. So here's what Nmap would've given you if you were doing this in the command prompt.
The scan report from 101, and if we look at 101 you'll see all of these ports are open. That is a lot of open holes that may be vulnerable for us to do exploitation later. And if you notice that 192.168.56.100, all the ports were filtered. And that's interesting to note because that one was actually our Windows machine. So we're going to have to take a look at that machine later as we go forward. But with the quick scan, we have identified that this 101 is a very vulnerable box. And that was a Metasploitable virtual machine. Now if we look through it we're going to see some port numbers, and those ports are going to be important to help us identify what this machine is. So as I look through it I see that we have FTP and SSH and Telnet. Those are common to Windows and Linux. But the ones that aren't are things like rpcbind 111. This 139 and 445. Those are common to Microsoft and Windows machines. Notice though that there's not a 135, which is another NetBIOS port that's commonly seen on Microsoft. So what this is telling me is that this machine, which I think is Linux, is running some Microsoft services, and they're probably running Samba to do file sharing with Microsoft. If it had 139, 135 and 445, I would assume it's a Windows machine. But we're going to be able to determine that later when we do our enumeration. As we keep going on we'll see the login and then shell again. Very common Linux things. We also have MySQL. We have a VNC player and X11. X11 is an extremely common Linux thing. So that again is one of those things that tells us it's probably Linux. Now if we click on the Ports/Hosts tab, there's actually an easier way to see all this information. So if I click on the host I want to look at, and I click on the port and host, 101, you'll see that I have open and closed states. In this case all these were open ports we're looking at. The port number and the FTP. So it makes it a very easy to see graphical representation.
Now if I click on Host Details, it doesn't know what type of host this is yet. But it did find that there were 82 closed ports and 18 open ports, and we did look at 100 ports, which was pretty noisy of us. You can see under Scans this is the history of the scans we've done before. We did our ping scan and now we've done our quick scan. Now if we want to get a little more intrusive, we can do what's called an intense scan. And what we're going to do is do an intense scan, and then we're going to hit scan. Now, the intense scan is going to look at the open ports and closed ports, and it's going to try to do some basic enumeration for us and try to figure out what this machine is or isn't. So in our case we're looking at it. We're doing a stealth scan right now. You can see that. And this scan will take us a little bit longer because it's going through a lot of information. One of the things it does try to do is it tries to do an OS detection. It was unable to get an OS detection of the .100 system. Again, with the text-based information it's going to give you a lot of information, and we can go through each of these individually if we want, but all of this is going to be shown in a much more graphical format for us to use as we move forward. So let's go ahead and go over here to the ports. And then click on the host. If you notice over here, our OS changed on the .101 machine, that Metasploitable machine. If you'll notice, we have a little Linux icon here. We now see all of the open ports again, but notice the difference here from before. Not only is it FTP, but we know that it's vsftpd version 2.3.4. This is that enumeration piece. You'll see that our Apache is version 2.2.8. You'll see that they were running Samba, which again, Samba Debian is a Linux version of file sharing to allow it to share with Windows workgroup users. So our guess of this being a Linux machine did pan out to be right.
In this case we have MySQL version 5.0.51, and again these are all important to know because we can take this information and search the CVE database and be able to find out what known exploits there are for these particular services. So this is all part of that information gathering stage for us to plan our attack. And then we're going to move further down. You'll see here we have a Metasploitable root shell. We have an IRC channel, an Unreal IRC daemon. And again HTTP with a Tomcat Coyote JSP engine on Apache. So, we also have another FTP up here on port 2121. So lots of different things that we can go after as we start attacking this machine later on. Now let's take a look at that Windows machine we had. And you can see here no ports were identified. We'll click on Host Details. It was unable to identify the fact that this was Windows. If we go to Linux you'll see that this not only was able to figure out that it was Linux, but that it's most likely Linux 2.6, somewhere between version 9 and version 33. And it gives us an accuracy based on the ports that it saw. So based on what ports it had and the responses it received from those, it's able to tell us with 100% accuracy that this is Linux 2.6. So based on the ports you used and the way that it responds, it understood that this was Linux with 100% accuracy. So it did a lot of that enumeration for us. Now, Windows has not been responding. Let's go take a look at our Windows machine and see why that is. Let's go into our Control Panel. We'll go to our Security Center. See now, notice the Windows Firewall was on. We're going to go take a look at the Windows Firewall and see if that's the reason why it's not responding to us. So, in this case we have the firewall on and the only exceptions are the ones in the Exceptions tab. If we look here, there weren't a whole lot of exceptions. You notice File and Printer Sharing was not an exception.
Let's go ahead and let that be an exception right now, because most home networks normally use file and print sharing to be able to share files and printers across their network. And then let's hit OK. Now let's go back and try our scan again. So now that we've set the exception on the firewall, we're going to scan the Windows machine again using that quick scan. That's going to do the 100 most common ports. So we'll scan that machine. And you can see now, because we've opened the Windows file sharing and allowed that exception, that we can now identify port 139 and port 445 as part of that machine. Now if we go to the Host Details, let's see if we can figure that out. We still can't figure that out yet. So we're going to have to do a more intensive scan. We'll go back here and do an intense scan on 100. Just the one machine, and we'll scan again. Now, it's discovering the open ports on 139 and 445. It's going to do a SYN stealth scan to try to be a little bit sneaky for us as it goes through 1,000 commonly looked at ports. Now if they happen to be looking at this network traffic, they're probably going to see this, because going port 1, port 2, port 3, port 4, going all the way down, you're going to end up seeing something. The other thing, because this is an intensive scan, is it's actually using 138 specific scripts as it goes through and does this. This is how it's able to do things like enumeration for us. Figuring out what ports were open is fairly easy with a scan, but now this actually needs those different scripts. It's going to see those open ports, and based on the way it responded from each of those ports, we're going to be able to determine what version of the operating system it's using. So as we scroll up here in our text, we can see some information that was found from the scripts. Again, port 135 and 445. We believe it's Windows XP based on the way it responded. We also get the MAC address, and based on that MAC address we know it's a VirtualBox.
In this case we also can see the operating system scan was unreliable because they couldn't find at least one open and one closed port. They only found those open ports. The firewall blocked the rest of the ports from us, but they believe that's Microsoft 2000 or XP. Now why would it be 2000 or XP? Well, Microsoft XP and Microsoft 2000 share a common code base. Just like Windows Vista and 2003 share a common code base, Windows 7 and 2008 both share a common code base. 2012 and Windows 8 also share a common code base. So as they move forward in these, you can start seeing this overlap, and you'll a lot of times get one where it thinks it's one or the other or both. Now in this case it did a fairly good job. It realized it's either Windows XP Service Pack 2 or Service Pack 3, or Windows 2000 Service Pack 4. In this case it wasn't able to do the prediction through TCP sequence, but it can do it based on the information we see from the port scans. Now as we scroll down we had some enumerations run as well; in this case it did a NetBIOS check. It found the name of the computer, and the name of the computer is JOHNSPC. It also gave us the fact that he's in a workgroup, not in a domain. We also know the fact again that we're still using Windows XP based on SMB that we found. SMB being the file sharing. And then it did a traceroute. In our case the traceroute goes immediately there because we're on the same network. After it did all the scanning it runs through a couple of other different reports and scripts. Tries to find as much information as it can, and it did all that scanning in about 50 seconds for one host. This is important to know, because if you're doing an intensive scan it does take some time. This was on a network that was on the same network on the same machine, meaning it was very quick. If I had to go all the way across the internet to another host, and I was scanning numerous hosts, that time goes up.
The more time you're spending, the more packets you're sending, the more likely you are to get caught. In our case we sent out 2,035 packets. But we only received 15 back. So the chances of us getting seen was 2,035 times that we sent information to them. There are ways we can be a little bit more sneaky with these tools; it just depends on the profiles we use and the way we configure them. Now as we go into Ports/Hosts and we click on our Windows tab here, the .100 machine, you'll see the fact again, based on that text output we had, in a nice graphical format that we can see. We then go into Topology, and we now see that there is some sort of a lock on this, meaning that there was a firewall of some sort. And then we're going to go here to the host, and here we can see that we scanned 1,000 ports and of those only two were open and 998 were filtered. Filtered means that there was some sort of firewall there blocking us. Again the accuracy, the fact that we are again Windows 2000, is very accurate in this case, and they do that based on the port that they saw. The one they made their decision on was 139, which was the NetBIOS file sharing. And the class is Windows 2000, and as I said before, Windows 2000 and Windows XP share a common code base. They answer up the same way, so they look very similar in traffic. So, as you can see we can be very invasive or very quiet in our scanning techniques. It really depends on the level of information that we're trying to gather. The question now becomes how quiet do you want to be in your hack? Well, that's going to depend on why you were hired in the organization in the first place. Are they looking for a realistic hack to challenge their defenders and find their weaknesses? If so, then you would want to be very, very quiet to get their realistic threat.
But if you were tasked to provide the defenders a simple emulation of an adversary, of a script kiddie, you'd want to be really noisy, and that way they could find you quickly and take you down. It really depends on the intent of the assessment. Again, these tools can be used very sneakily through the customization, or very loudly. It all depends on how well you understand your tool set, your intent and your method during the hack.
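The lecture ends on how noisy the ping sweep and port scans are to anyone watching the traffic. As an added example (not part of the lecture, and not Nmap or Zenmap code), here is the defender's side of that point: a small detector that flags, in constructed firewall-style log lines, the ping sweep across the whole /24 and the multi-port probing of a single host. The log format, the 60-second window and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log, one line per packet: "<epoch> <proto> <src> <dst> <dport>".
# dport 0 marks an ICMP echo request. Mirrors the lecture: the Kali box (.102) pings
# the whole /24, then probes a set of ports on the Metasploitable box (.101);
# .1 is ordinary client traffic that must not be flagged.
SAMPLE_LOG = "\n".join(
    [f"100 icmp 192.168.56.102 192.168.56.{h} 0" for h in range(1, 255)]
    + [f"160 tcp 192.168.56.102 192.168.56.101 {p}"
       for p in (21, 22, 23, 25, 80, 111, 139, 445, 3306, 5900, 6000)]
    + ["170 tcp 192.168.56.1 192.168.56.101 80",
       "171 tcp 192.168.56.1 192.168.56.101 443"]
)


def parse_log(text):
    """Turn log lines into (ts, proto, src, dst, dport) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, proto, src, dst, dport = line.split()
        events.append((int(ts), proto, src, dst, int(dport)))
    return sorted(events)


def detect_scans(events, window=60, host_threshold=20, port_threshold=10):
    """Return {src: set(labels)}.  'ping_sweep': ICMP echo to >= host_threshold
    hosts within `window` seconds (the lecture's -sn scan).  'port_scan:<dst>':
    >= port_threshold distinct TCP ports on one host within `window` seconds.
    Thresholds are assumptions; tune them to the network's normal traffic."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        for i, (t0, _, _, _, _) in enumerate(evs):   # window starting at each event
            hosts, ports = set(), defaultdict(set)
            for ts, proto, _, dst, dport in evs[i:]:
                if ts - t0 > window:
                    break
                if proto == "icmp":
                    hosts.add(dst)
                else:
                    ports[dst].add(dport)
            if len(hosts) >= host_threshold:
                findings[src].add("ping_sweep")
            for dst, dports in ports.items():
                if len(dports) >= port_threshold:
                    findings[src].add(f"port_scan:{dst}")
    return dict(findings)
```

Run `detect_scans(parse_log(SAMPLE_LOG))` to see only the scanning host reported, with one label per pattern it exhibited.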