Show page

Differences

This shows you the differences between two versions of the page.

--- cns:laboratoare:laborator-01 [2012/10/15 09:17]
traian.popeea
+++ — (current)
@@ Line 1: / Line 1: @@
-====== Lab 1 - Collecting Information and Scanning ======
-The lab will be run on Linux, using the BackTrack image available [[http://swarm.cs.pub.ro/~tpopeea/VM/BT5R1-KDE-32.iso | here]].
-===== Collecting Information =====
-  * Passive activity - no interaction with the target
-  * Useful information:
-    * External IP addresses
-    * Employee phone numbers and e-mails
-    * Employee profiles (Facebook, Google+, LinkedIn, ...)
-    * Active hosts and services (internal penetration testing)
-  * Techniques:
-    * Google hacking
-    * Whois and DNS queries
-    * Using public databases: Netcraft.com , zone-h.com
-    * Web site inspection
-    * Network sniffing
-==== Google Hacking ====
-  * ''site:'' restricts the results of the query to the specified site: ''site:pub.ro "error in your SQL syntax"''
-  * ''intitle:'' / ''allintitle:'' - the keywords cand be found in the page title: ''intitle:"index of" intext:"parent directory"''
-  * ''filetype:'' specifies the file extension: ''filetype:doc site:pub.ro''
-  * Explicit Inclusion: ''+'': ''+123456 "yahoo.com" site:pastebin.com''
-  * Explicit Exclusion: ''-'': ''+virus –biology''
-  * More at: [[http://www.google.com/help/operators.html]] and [[http://www.hackersforcharity.org/ghdb/]]
-==== Google Hacking - Tasks ====
-Choose a site: xyz
-  * Search for all xls files that can be accesed on the xyz site
-  * Check if directory browsing is possible on the xyz site
-  * Search for subdomains of xyz
-  * Search for ''mysql dump filetype:sql''. What is the result?
-  * Search for live webcams: ''inurl:/view/index.shtml'' ''inurl:viewerFrame?Mode=''
-==== Whois Queries ====
-Useful information:
-  * DNS servers
-  * IP addresses
-  * Location and address
-  * Contact persons (name, phone, e-mail)
-  * Examples:
-    * ''whois cisco.com''
-    * ''whois 128.107.241.185''
-==== Whois Queries - Tasks ====
-  * Identify the IP addresses and location of xyz.
-==== DNS Queries ====
-  * Tools: dig, host, nslookup
-  * Query types: A, NS, MX, PTR, AXFR
-  * Examples:
-    * E-mail servers:
-      * ''dig pub.ro mx''
-      * ''host –t mx pub.ro''
-    * Reverse DNS:
-      * ''dig @ns1.roedu.net ptr 60.166.85.141.in-addr.arpa''
-      * ''host 141.85.166.60''
-==== DNS Queries - Tasks ====
-  * What are the DNS servers for xyz?
-  * For each of the previous servers, request a zone transfer (type=axfr)
-===== Scanning =====
-<hidden>
-Partea 2: Scanare si enumerare
- Activitati care implica interactiune cu tinta
- Cereri repetate pentru obtinerea a diverse informatii:
- Statii pornite in retea (live hosts)
- Porturi deschise
- Versiuni ale serviciilor care ruleaza
- Sistemul de operare
- Network shares
- Local users
-…
-Descoperirea statiilor din retea
- Tehnica de a descoperi daca o statie/server este
-pornita si conectata la retea.
- ARP Ping
- ICMP Ping
- TCP SYN Ping
- UDP Ping
-Scanarea porturilor
- Tipuri de scanari
-SYN scan
-Connect scan
-ACK scan
-UDP scan
-SYN scan / Connect scan
- Connect scan (complete 3-way
-handshake)
- nmap -sT -p 445 192.168.1.1
- telnet 192.168.1.1 445
- netcat 192.168.1.1 445
-(nu necesita drepturi de root)
- SYN scan (half-connect)
- nmap -sS -p 445 192.168.1.1
- hping -S -p 445 192.168.1.1
-ACK scan
- Verifica daca un port este
-filtrat de catre un firewall
-stateless sau ACL
- Nu ofera nici o informatie
-despre starea portului
-(inchis/deschis)
- Exemplu:
-nmap –sA –p 445 192.168.1.1
-UDP scan
- Acelasi principiu ca la UDP Ping
- Exemplu:
-nmap –sU –p 53 192.168.1.1
-Nmap – optiuni (1)
- Specificarea target-ului:
-nmap 192.168.1-254.1-254
-nmap 192.168.0.0/16
-nmap –iL iplist.txt
- Specificarea porturilor:
-nmap –p21,22,80,445 192.168.1.1
-nmap –p1-65535 192.168.1.1
-(implicit nmap scaneaza 1660 porturi)
- Scrierea rezultatului scanarii intr-un fisier:
-nmap –oN output.txt 192.168.1.1
- Viteza de scanare:
-nmap –T<0-5> 192.168.1.1
-(mai mare inseamna mai rapid)
- Fara rezolvare DNS:
-nmap –n 192.168.1.1
-(mai rapida si mai putin ‘zgomot’)
-Detectarea versiunii serviciilor:
-nmap –sV 192.168.1.1
- Detectarea sistemului de operare:
-nmap –O 192.168.1.1
-Enumerare
- Interogarea serviciilor descoperite pentru a obtine informatii disponibile
- Vom folosi scripturi nmap (.nse):
-dpkg –L nmap
-=> /usr/share/nmap/scripts
- Categorii de scripturi:
- default, discovery, auth, safe, intrusive, exploit, dos, vuln
- Exemple:
- nmap --script smb-enum-shares.nse -p 445 –n 192.168.1.1
- nmap --script smb-enum-users.nse -p 445 –n 192.168.1.1
- nmap --script discovery 192.168.1.1
- nmap --script dns-zone-transfer.nse --script-args
-dnszonetransfer.domain=abc.xyz.com -p 53 ns.xyz.com
-Exercitiu
- Folosind o singura comanda nmap scanati intreg
-subnetul la care este conectata placa de retea
-vmnet8.
- Obtineti urmatoarele informatii:
- Statiile active
- Porturile deschise
- Versiunile serviciilor care ruleaza
- Sistemul de operare
- Rezultatele scripturilor de discovery (--script discovery)
- Scrieti rezultatele intr-un fisier
-</hidden>

Resources

Labs

Lectures

Assignments

Extra

cns/laboratoare/laborator-01.1350281835.txt.gz · Last modified: 2012/10/15 09:17 by traian.popeea

Show page Old revisions

Media Manager Back to top