It is really important to use security layers on protocols so that traffic cannot be sniffed.
From a security perspective, it is really important to respect the CIA triad (Confidentiality, Integrity, and Availability) and to avoid the DAD triad (Disclosure, Alteration, and Destruction).
Enumerate
When we want to pentest a system, we first need to identify which attack vectors we can exploit; this step is called enumeration.
https://resources.infosecinstitute.com/topics/penetration-testing/what-is-enumeration/
Metasploit
Metasploit is a very good tool for enumerating a system, and different modules can be used. To scan the target, we can use the module auxiliary/scanner/portscan/tcp:
msfconsole
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        8000             yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       10.10.154.214    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.154.214
msf6 auxiliary(scanner/portscan/tcp) > exploit
[+] 10.10.154.214: - 10.10.154.214:21 - TCP OPEN
[+] 10.10.154.214: - 10.10.154.214:22 - TCP OPEN
[+] 10.10.154.214: - 10.10.154.214:139 - TCP OPEN
[+] 10.10.154.214: - 10.10.154.214:445 - TCP OPEN
[+] 10.10.154.214: - 10.10.154.214:8000 - TCP OPEN
[*] 10.10.154.214: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Nmap
Nmap (Network Mapper) is a powerful tool for identifying all open ports and the services behind them.
For instance, to identify all open TCP ports:
# -sT performs a full TCP connect (three-way handshake) on each port
nmap -sT <ip> -p-          # -p- scans all 65535 ports
# -sV probes open ports to identify the service and its version
nmap -sV <ip> -p1-1024
# XMAS TCP scan (FIN, PSH and URG flags set)
nmap -sX <ip>
A TCP XMAS scan can be useful for firewall evasion, because some non-stateful firewalls only drop incoming TCP connection requests (SYN packets) and let other flag combinations through.
NFS
We can list all the exports with the showmount command, which enumerates every directory the remote server shares, and then mount one of them:
# /usr/sbin/showmount -e 10.10.238.251
Export list for 10.10.238.251:
/home *
# mkdir /tmp/mount
# mount 10.10.238.251:/home /tmp/mount
# ls /tmp/mount/
This tool is very useful for checking whether NFS gives us a way into the target.
IDS/Firewall evasion
When you scan your target, you need to protect yourself and avoid being caught by the firewall or an IDS. There are different solutions for this. The first one is to fragment your packets with the -f option:
nmap -sS -f <target>
To send decoys, use the -D option:
nmap -sS -D RND,<my ip address> <target>
All this information is in the official Nmap documentation:
https://nmap.org/book/man-bypass-firewalls-ids.html
Another tip is to send TCP NULL packets:
nmap -sN <target>
A NULL packet is one with no flag set in the TCP header. If the target port is open, the server does not send any reply; if it is closed, the server sends back a RST/ACK packet.
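As an added example (not part of the original notes), here is the defender's side of the NULL and XMAS scans described above: a small Python classifier that labels TCP flag combinations and counts, per source address, the probes that can never begin a legitimate connection. The record format and the sample addresses are constructed for this example.

```python
from collections import Counter

# TCP flag bits as laid out in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the combination an XMAS probe carries

def classify_flags(flags: int) -> str:
    """Label a TCP segment by its flag byte; NULL/XMAS/FIN probes never
    start a legitimate conversation, so they are worth alerting on."""
    if flags == 0:
        return "null-scan"
    if (flags & XMAS) == XMAS and not flags & (SYN | ACK | RST):
        return "xmas-scan"
    if flags == FIN:
        return "fin-scan"
    if flags & SYN and not flags & ACK:
        return "syn"  # ordinary connection attempt (or a SYN scan)
    return "other"

def parse_record(line: str) -> dict:
    """Parse one 'src=.. dst=.. dport=.. flags=0x..' record (constructed format)."""
    fields = dict(item.split("=", 1) for item in line.split())
    return {"src": fields["src"], "dport": int(fields["dport"]),
            "flags": int(fields["flags"], 16)}

def suspicious_sources(lines, threshold: int = 3) -> dict:
    """Return {src: count} for sources that sent >= threshold malformed probes.
    Counting per source still works when the scanner fragments packets or
    adds decoys: each decoy address simply shows up as its own noisy source."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if classify_flags(rec["flags"]) in ("null-scan", "xmas-scan", "fin-scan"):
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE = [
    "src=192.0.2.10 dst=198.51.100.5 dport=22 flags=0x02",
    "src=203.0.113.7 dst=198.51.100.5 dport=21 flags=0x00",
    "src=203.0.113.7 dst=198.51.100.5 dport=22 flags=0x00",
    "src=203.0.113.7 dst=198.51.100.5 dport=139 flags=0x29",
    "src=203.0.113.7 dst=198.51.100.5 dport=445 flags=0x29",
    "src=203.0.113.7 dst=198.51.100.5 dport=8000 flags=0x01",
]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))  # {'203.0.113.7': 5}
```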