Show page

Differences

This shows you the differences between two versions of the page.

--- cns:laboratoare:laborator-01 [2012/10/15 09:48]
traian.popeea
+++ — (current)
@@ Line 1: / Line 1: @@
-====== Lab 1 - Collecting Information and Scanning ======
-The lab will be run on Linux, using the BackTrack image available [[http://swarm.cs.pub.ro/~tpopeea/VM/BT5R1-KDE-32.iso | here]].
-===== Collecting Information =====
-  * Passive activity - no interaction with the target
-  * Useful information:
-    * External IP addresses
-    * Employee phone numbers and e-mails
-    * Employee profiles (Facebook, Google+, LinkedIn, ...)
-    * Active hosts and services (internal penetration testing)
-  * Techniques:
-    * Google hacking
-    * Whois and DNS queries
-    * Using public databases: Netcraft.com , zone-h.com
-    * Web site inspection
-    * Network sniffing
-==== Google Hacking ====
-  * ''site:'' restricts the results of the query to the specified site: ''site:pub.ro "error in your SQL syntax"''
-  * ''intitle:'' / ''allintitle:'' - the keywords cand be found in the page title: ''intitle:"index of" intext:"parent directory"''
-  * ''filetype:'' specifies the file extension: ''filetype:doc site:pub.ro''
-  * Explicit Inclusion: ''+'': ''+123456 "yahoo.com" site:pastebin.com''
-  * Explicit Exclusion: ''-'': ''+virus –biology''
-  * More at: [[http://www.google.com/help/operators.html]] and [[http://www.hackersforcharity.org/ghdb/]]
-==== Google Hacking - Tasks ====
-Choose a site: xyz
-  * Search for all xls files that can be accesed on the xyz site
-  * Check if directory browsing is possible on the xyz site
-  * Search for subdomains of xyz
-  * Search for ''mysql dump filetype:sql''. What is the result?
-  * Search for live webcams: ''inurl:/view/index.shtml'' ''inurl:viewerFrame?Mode=''
-==== Whois Queries ====
-Useful information:
-  * DNS servers
-  * IP addresses
-  * Location and address
-  * Contact persons (name, phone, e-mail)
-  * Examples:
-    * ''whois cisco.com''
-    * ''whois 128.107.241.185''
-==== Whois Queries - Tasks ====
-  * Identify the IP addresses and location of xyz.
-==== DNS Queries ====
-  * Tools: dig, host, nslookup
-  * Query types: A, NS, MX, PTR, AXFR
-  * Examples:
-    * E-mail servers:
-      * ''dig pub.ro mx''
-      * ''host –t mx pub.ro''
-    * Reverse DNS:
-      * ''dig @ns1.roedu.net ptr 60.166.85.141.in-addr.arpa''
-      * ''host 141.85.166.60''
-==== DNS Queries - Tasks ====
-  * What are the DNS servers for xyz?
-  * For each of the previous servers, request a zone transfer (type=axfr)
-===== Scanning =====
-  * Activities involving interaction with the target
-  * Repeated queries in order to obtain different information:
-    * Live hosts
-    * Open ports
-    * Service versions
-    * Operating systems
-    * Network shares
-    * Local users
-==== Host Discovery ====
-  * ARP Ping
-  * ICMP Ping
-  * TCP SYN Ping
-  * UDP Ping
-==== Port Scanning ====
-  * SYN scan (half-connect)
-    * nmap -sS -p 445 192.168.1.1
-    * hping -S -p 445 192.168.1.1
-  * Connect scan (complete 3-way handshake)
-    * nmap -sT -p 445 192.168.1.1
-    * telnet 192.168.1.1 445
-    * netcat 192.168.1.1 445
-  * ACK scan (checks if a port is filtered by a firewall, does not offer any information regarding the port (open/closed))
-    * nmap –sA –p 445 192.168.1.1
-  * UDP scan
-    * nmap –sU –p 53 192.168.1.1
-<hidden>Nmap – optiuni (1)
- Specificarea target-ului:
-nmap 192.168.1-254.1-254
-nmap 192.168.0.0/16
-nmap –iL iplist.txt
- Specificarea porturilor:
-nmap –p21,22,80,445 192.168.1.1
-nmap –p1-65535 192.168.1.1
-(implicit nmap scaneaza 1660 porturi)
- Scrierea rezultatului scanarii intr-un fisier:
-nmap –oN output.txt 192.168.1.1
- Viteza de scanare:
-nmap –T<0-5> 192.168.1.1
-(mai mare inseamna mai rapid)
- Fara rezolvare DNS:
-nmap –n 192.168.1.1
-(mai rapida si mai putin ‘zgomot’)
-Detectarea versiunii serviciilor:
-nmap –sV 192.168.1.1
- Detectarea sistemului de operare:
-nmap –O 192.168.1.1
-Enumerare
- Interogarea serviciilor descoperite pentru a obtine informatii disponibile
- Vom folosi scripturi nmap (.nse):
-dpkg –L nmap
-=> /usr/share/nmap/scripts
- Categorii de scripturi:
- default, discovery, auth, safe, intrusive, exploit, dos, vuln
- Exemple:
- nmap --script smb-enum-shares.nse -p 445 –n 192.168.1.1
- nmap --script smb-enum-users.nse -p 445 –n 192.168.1.1
- nmap --script discovery 192.168.1.1
- nmap --script dns-zone-transfer.nse --script-args
-dnszonetransfer.domain=abc.xyz.com -p 53 ns.xyz.com
-Exercitiu
- Folosind o singura comanda nmap scanati intreg
-subnetul la care este conectata placa de retea
-vmnet8.
- Obtineti urmatoarele informatii:
- Statiile active
- Porturile deschise
- Versiunile serviciilor care ruleaza
- Sistemul de operare
- Rezultatele scripturilor de discovery (--script discovery)
- Scrieti rezultatele intr-un fisier
-</hidden>

Resources

Labs

Lectures

Assignments

Extra

cns/laboratoare/laborator-01.1350283726.txt.gz · Last modified: 2012/10/15 09:48 by traian.popeea

Show page Old revisions

Media Manager Back to top