Passive Information Gathering

Let us quickly perform a whois lookup on www.packtpub.com and analyze the output.
The full output can be long, so here we focus only on the relevant parts.

   root@bt:~# whois www.packtpub.com	
   Domain Name: PACKTPUB.COM
   Registrar: EASYDNS TECHNOLOGIES, INC.
   Whois Server: whois.easydns.com
   Referral URL: http://www.easydns.com
   Name Server: NS1.EASYDNS.COM
   Name Server: NS2.EASYDNS.COM
   Name Server: NS3.EASYDNS.ORG
   Name Server: NS6.EASYDNS.NET
   Name Server: REMOTE1.EASYDNS.COM
   Name Server: REMOTE2.EASYDNS.COM
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 09-feb-2011
   Creation Date: 09-may-2003
   Expiration Date: 09-may-2016

Let us analyze a dig query on www.packtpub.com.

root@bt:~# dig www.packtpub.com
; <<>> DiG 9.7.0-P1 <<>> www.packtpub.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1583
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

;; QUESTION SECTION:
;www.packtpub.com.   	 IN    A

;; ANSWER SECTION:
www.packtpub.com.    1200    IN    CNAME    packtpub.com.
packtpub.com.   	 1200    IN    A    83.166.169.228

;; AUTHORITY SECTION:
packtpub.com.   	 1200    IN    NS    remote1.easydns.com.
packtpub.com.   	 1200    IN    NS    ns2.easydns.com.
packtpub.com.   	 1200    IN    NS    ns6.easydns.net.
packtpub.com.   	 1200    IN    NS    ns3.easydns.org.
packtpub.com.   	 1200    IN    NS    ns1.easydns.com.
packtpub.com.   	 1200    IN    NS    remote2.easydns.com.

;; ADDITIONAL SECTION:
ns3.easydns.org.    5951    IN    A    64.68.192.10


Nslookup is almost as flexible as dig, but provides a simpler default way of identifying primary hosts such as mail and DNS servers.

root@bt:~# nslookup www.packtpub.com
Server:   	 220.226.6.104
Address:    220.226.6.104#53

Non-authoritative answer:
www.packtpub.com    canonical name = packtpub.com.
Name:    packtpub.com
Address: 83.166.169.228
=====================================================================

Port scanning: the nmap way

Let us perform a TCP connect scan (-sT) of ports 1 to 10000 on our target:
msf > nmap -sT -p1-10000 192.168.56.102
[*] exec: nmap -sT -p1-10000 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:03 IST
Nmap scan report for 192.168.56.102
Host is up (0.0058s latency).

Not shown: 9997 closed ports

PORT	STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:34:A8:87

Let us analyze a SYN scan (-sS) on the target:
msf > nmap -sS 192.168.56.102
[*] exec: nmap -sS 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:17 IST
Nmap scan report for 192.168.56.102
Host is up (0.0019s latency).

Not shown: 997 closed ports

PORT	STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:34:A8:87 

UDP scan

msf > nmap -sU -p9001 192.168.56.102

ACK scan (-sA): if the target returns an RST packet (connection reset), the port is considered unfiltered. This only tells us that the port is reachable through any filtering device in between; it does not tell us whether the port is open.

msf > nmap -sA 192.168.56.102
[*] exec: nmap -sA 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:19 IST
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).

Not shown: 999 filtered ports

PORT     STATE      SERVICE
9001/tcp unfiltered tor-orport

MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)

Operating system and version detection:

msf > nmap -O 192.168.56.102
[*] exec: nmap -O 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 02:25 IST
Nmap scan report for 192.168.56.102
Host is up (0.0014s latency).

MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Device type: general purpose

Running: Microsoft Windows XP|2003

The other widely used Nmap option is version detection (-sV) of the open ports on the target. It can be combined with any of the scan types we saw previously to add information about which version of each service is running on the target's open ports.
msf > nmap -sT -sV 192.168.56.102
[*] exec: nmap -sV 192.168.56.102

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 02:27 IST
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Service Info: OS: Windows

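As an added example (not part of the original notes), here is a small Python parser for the normal nmap output shown above, together with a defender-side check that compares the open ports of a host against an approved baseline. The sample text and the baseline are constructed for this example; the 9001/tcp line from the ACK scan is included to show that an "unfiltered" result is not counted as an open port.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the -sT -sV output above, plus the 9001/tcp line from the -sA scan.
SAMPLE_NMAP = """\
Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 02:27 IST
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT    STATE  SERVICE      VERSION
135/tcp open   msrpc        Microsoft Windows RPC
139/tcp open   netbios-ssn
445/tcp open   microsoft-ds Microsoft Windows XP
9001/tcp unfiltered tor-orport
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Service Info: OS: Windows
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class HostReport:
    address: str = ""
    mac: str = ""
    ports: list = field(default_factory=list)  # (port, proto, state, service, version)


def parse_nmap_normal(text):
    """Parse nmap's normal (console / -oN) output into one HostReport per host."""
    reports, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            current = HostReport(address=m.group(1))
            reports.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host
        m = re.match(r"^MAC Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            current.mac = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current.ports.append((int(port), proto, state, service, version or ""))
    return reports


def open_ports(report):
    """Only state 'open' counts; 'unfiltered' (ACK scan) is not evidence of a listener."""
    return [p for p in report.ports if p[2] == "open"]


def diff_against_baseline(report, allowed):
    """Defender check: open (port, proto) pairs that are not in the approved baseline."""
    return sorted(p[0] for p in open_ports(report) if (p[0], p[1]) not in allowed)


if __name__ == "__main__":
    for r in parse_nmap_normal(SAMPLE_NMAP):
        print(r.address, r.mac, open_ports(r))
        print("unexpected:", diff_against_baseline(r, {(445, "tcp")}))
```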

======================================================================

Port scanning: the dnmap way

Use the following command to enter the dnmap directory:

root@bt:~# cd /pentest/scanners/dnmap
root@bt:/pentest/scanners/dnmap#

Let us say we have a file commands.txt containing all the nmap commands to be executed, one per line:
	nmap -A -Pn -v -p1-1024 192.168.56.103
	nmap -A -Pn -v -p1024-10000 192.168.56.103

Running the dnmap server:

root@bt:/pentest/scanners/dnmap# python dnmap_server.py -f ~/commands.txt
+----------------------------------------------------------------------+
| dnmap_server Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

=| MET:0:00:30.015147 | Amount of Online clients: 0 |=

Now, move on to dnmap_client.py usage. To list the client's options, use the following command:
root@bt:/pentest/scanners/dnmap# python dnmap_client.py -h
+----------------------------------------------------------------------+
| dnmap Client Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

usage: dnmap_client.py <options>
options:
  -s, --server-ip        IP address of dnmap server.
  -p, --server-port      Port of dnmap server. Dnmap port defaults to 46001
  -a, --alias      Your name alias so we can give credit to you for your help. Optional
  -d, --debug      Debuging.
  -m, --max-rate      Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.

Now all we need to provide is the server address, the server port (if it differs from the default) and an alias for our client, say client1:
root@bt:/pentest/scanners/dnmap# python dnmap_client.py -s 192.168.56.101 -a client1
+----------------------------------------------------------------------+
| dnmap Client Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added -oA 5807742
        Command Executed: nmap -A -Pn -v -p1-1024 192.168.56.103 -oA 5807742                                                                                    
        Sending output to the server...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added -oA 71264162
        Command Executed: nmap -A -Pn -v -p1024-10000 192.168.56.103 -oA 71264162
        Sending output to the server...
Waiting for more commands....
^CConnection lost. Reason: Connection to the other side was lost in a non-clean fashion: Connection lost.
Trying to reconnect in 10 secs. Please wait...

Back on the server, we will get the following output:
+ Client ID connected: 192.168.56.102:49747 (client1)
=| MET:0:00:55.011100 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         1               May 23 18:26:27 ( 0' 1")         0h 0m      0.6      True           0.0            0.0       Executing

=| MET:0:01:00.015067 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         1               May 23 18:26:27 ( 0' 6")         0h 0m      0.6      True           0.0            0.0       Executing

=| MET:0:01:05.014816 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         1               May 23 18:26:27 ( 0'11")         0h 0m      0.6      True           0.0            0.0       Executing

=| MET:0:01:10.010916 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1        2               May 23 18:26:43 ( 0' 0")         0h 0m          0.6     True           3.8            1.9       Executing

=| MET:0:01:20.014574 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         2               May 23 18:26:43 ( 0'10")         0h 0m          0.6     True           3.8            1.9       Executing

=| MET:0:01:30.010685 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         2               May 23 18:27:00 ( 0' 4")         0h 0m          0.6     True           3.6            2.5       Online

+ Connection lost for client1 (192.168.56.102:49747).
=| MET:0:01:35.011836 | Amount of Online clients: 0 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status

^Croot@bt:/pentest/scanners/dnmap# ls
dnmap_client.py  dnmap_server.py  nmap_results  README  server.pem
root@bt:/pentest/scanners/dnmap# cd nmap_results/
root@bt:/pentest/scanners/dnmap/nmap_results# ls
5807742.nmap  71264162.nmap
====================================================================================

SMB scanning

nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

Output of the script will look like:

Host script results:
|  smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:
|  smb-enum-users:
|  |  RON-WIN2K-TEST\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
|  |  |  Full name:   Internet Guest Account
|  |  |  Description: Built-in account for anonymous access to Internet Information Services
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
|  |  |  Full name:   Launch IIS Process Account
|  |  |  Description: Built-in account for Internet Information Services to start out of process applications
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\test1234 (RID: 1005)
|  |  |_ Flags:       Normal user account
|  |  RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|  |  |  Full name:   TsInternetUser
|  |  |  Description: This user account is used by Terminal Services.
|_ |_ |_ Flags:       Password not required, Password does not expire, Normal user account

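An added example, not from the original notes: a Python parser for the smb-enum-users output above that pulls out each account's domain, RID and flags, and reports the accounts a hardening review would want to look at (those flagged "Password not required" or "Password does not expire"). The sample input is an abridged copy of the script output above, re-typed here.

```python
import re

# Constructed sample: abridged copy of the smb-enum-users output shown above.
SAMPLE_SMB_USERS = """\
Host script results:
|  smb-enum-users:
|  |  RON-WIN2K-TEST\\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\\test1234 (RID: 1005)
|_ |_ |_ Flags:       Normal user account
"""

# "|  |  DOMAIN\user (RID: n)" and "|  |  |_ Flags: a, b, c" lines of the NSE tree output.
USER_RE = re.compile(r"^\|[\s|]*(\S+)\\(\S+) \(RID: (\d+)\)$")
FLAGS_RE = re.compile(r"^\|[\s|_]*Flags:\s+(.*)$")

# Account flags a defender would want cleaned up on a reviewed host.
WEAK_FLAGS = {"Password not required", "Password does not expire"}


def parse_smb_enum_users(text):
    """Return a list of dicts with keys domain, user, rid (int) and flags (set of str)."""
    users, current = [], None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = {"domain": m.group(1), "user": m.group(2),
                       "rid": int(m.group(3)), "flags": set()}
            users.append(current)
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            current["flags"] = {f.strip() for f in m.group(1).split(",")}
    return users


def weak_accounts(users):
    """Map user name -> sorted list of the weak flags set on that account."""
    return {u["user"]: sorted(u["flags"] & WEAK_FLAGS)
            for u in users if u["flags"] & WEAK_FLAGS}


if __name__ == "__main__":
    for name, flags in weak_accounts(parse_smb_enum_users(SAMPLE_SMB_USERS)).items():
        print(f"{name}: {', '.join(flags)}")
```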

smb-enum-shares

nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>

Output of the script will look like:

Host script results:
|  smb-enum-shares:
|  |  ADMIN$
|  |  |  Type: STYPE_DISKTREE_HIDDEN
|  |  |  Comment: Remote Admin
|  |  |  Users: 0, Max: <unlimited>
|  |  |  Path: C:\WINNT
|  |  |  Anonymous access: <none>
|  |  |_ Current user ('administrator') access: READ/WRITE
|  |  C$
|  |  |  Type: STYPE_DISKTREE_HIDDEN
|  |  |  Comment: Default share
|  |  |  Users: 0, Max: <unlimited>
|  |  |  Path: C:\
|  |  |  Anonymous access: <none>
|  |  |_ Current user ('administrator') access: READ
|  |  IPC$
|  |  |  Type: STYPE_IPC_HIDDEN
|  |  |  Comment: Remote IPC
|  |  |  Users: 1, Max: <unlimited>
|  |  |  Path:
|  |  |  Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
=========================================================================================


FTP scanning

nmap -p 21 -v -oN results.txt --open --script ftp-anon 192.169.1.0/24
========================================================================================

SNMP sweeping

msf  auxiliary(snmp_enum) > run
[+] 172.16.194.172, Connected.
[*] System information:
Host IP                       : 172.16.194.172
Hostname                      : metasploitable
Description                   : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Contact                       : msfdev@metasploit.com
Location                      : Metasploit Lab
Uptime snmp                   : 02:35:38.71
Uptime system                 : 00:20:13.21
System date                   : 2012-7-9 18:11:11.0
[*] Network information:
IP forwarding enabled         : no
Default TTL                   : 64
TCP segments received         : 19
TCP segments sent         : 21
TCP segments retrans          : 0
Input datagrams               : 5055
Delivered datagrams           : 5050
Output datagrams              : 4527
...snip...
[*] Device information:
Id                  Type                Status              Descr               
768                 Processor           unknown             GenuineIntel: Intel(R) Core(TM) i7-2860QM CPU @ 2.50GHz
1025                Network             unknown             network interface lo
1026                Network             unknown             network interface eth0
1552                Disk Storage        unknown             SCSI disk (/dev/sda)
3072                Coprocessor         unknown             Guessing that there's a floating point co-processor
[*] Processes:
Id                  Status              Name                Path                Parameters          
1                   runnable            init                /sbin/init                              
2                   runnable            kthreadd            kthreadd                                
3                   runnable            migration/0         migration/0                             
4                   runnable            ksoftirqd/0         ksoftirqd/0                             
5                   runnable            watchdog/0          watchdog/0                              
6                   runnable            events/0            events/0                                
7                   runnable            khelper             khelper                                 
41                  runnable            kblockd/0           kblockd/0                               
68                  runnable            kseriod             kseriod       
...snip...
5696                runnable            su                  su                                      
5697                runnable            bash                bash                                    
5747                running             snmpd               snmpd                                   
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
==================================================================================

Vulnerability scanning with Nessus

To connect to the database and load Nessus in Metasploit, we will execute the following commands:

msf > db_connect msf3:8b826ac0@127.0.0.1:7175/msf3 
msf > load nessus

[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus


After successfully loading it, we will have to connect to the Nessus server. The following command is used to connect to the server:

msf > nessus_connect root:toor@localhost ok
[*] Connecting to https://127.0.0.1:8834/ as root
[*] Authenticated


To start the scan, we will have to pass the following command:
msf > nessus_scan_new 1 testscan 192.168.56.102
[*] Creating scan from policy number 1, called "testscan" and scanning 192.168.56.102
[*] Scan started.  uid is 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f

Once the scanning process is complete, our next step is to import the report generated by Nessus. Let us check out the available reports:
msf > nessus_report_list
[+] Nessus Report List

ID                                                    Name      Status
--                                                    ----      ------
9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f  testscan  completed

Let us import this report now.

msf > nessus_report_get 9d337e9b-82c7-89a1-a1944ef154b82f624de2444e6ad18a1f
[*] importing 9d337e9b-82c7-89a1-a1944ef154b82f624de2444e6ad18a1f
===========================================================================

Scanning with NeXpose

msf > db_connect msf3:8b826ac0@127.0.0.1:7175/msf3 

msf > load nexpose

msf > nexpose_connect darklord:toor@localhost ok

[*] Connecting to NeXpose instance at 127.0.0.1:3780 with username darklord...


Let us perform a quick scan on our target using NeXpose.

msf > nexpose_discover 192.168.56.102

[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses

Let us see what scan results have been produced by NeXpose:

msf > hosts -c address,os_name,os_flavor
Hosts
=====
address         os_name            os_flavor
-------         -------            ---------
192.168.56.102  Microsoft Windows     XP
msf >

So, in order to import the scan results exported by NeXpose, we will use the db_import command, whose syntax is db_import <filename>:
msf > db_import nexposelist.xml

[*] Importing 'Nexpose XML (v2)' data
[*] Importing host 192.168.56.102
[*] Successfully imported /root/nexposelist.xml
====================================================================