Hacking For Dummies, by Kevin Beaver
VMware Workstation Pro (www.vmware.com/products/workstation-pro.html)
VirtualBox, an open-source virtual-machine alternative (www.virtualbox.org)
Hosts
Scan and document specific hosts that are accessible from the Internet and your internal network. Start by pinging specific host names or IP addresses with one of these tools:
The basic ping utility that’s built into your operating system (OS).
A third-party utility that allows you to ping multiple addresses at the same time, such as NetScanTools Pro (www.netscantools.com) for Windows and fping (http://fping.sourceforge.net) for Linux.
The site WhatIsMyIP.com (www.whatismyip.com) shows how your gateway IP address appears on the Internet. Just browse to that site and the public IP address of your firewall or router appears. This information gives you an idea of the outermost IP address that the world sees.
Open ports
Scan for open ports by using network scanning and analysis tools such as the following:
Scan network ports with NetScanTools Pro or Nmap (https://nmap.org). See Chapter 9 for details.
Monitor network traffic with a network analyzer, such as Omnipeek (www.liveaction.com/products/omnipeek-network-protocol-analyzer/) or Wireshark (www.wireshark.org). I cover this topic in various chapters of this book.
Scanning internally is easy. Simply connect your PC to the network, load the software, and fire away. Just be aware of network segmentation and internal IPSes that may impede your work.
Scanning from outside your network takes a few more steps. The easiest way to connect and get an outside-in perspective is to assign your computer a public IP address and plug that system into a switch on the public side of your firewall or router. Physically, the computer isn’t on the Internet looking in, but this type of connection works the same way as long as it’s outside your network perimeter. You can also do an outside-in scan from home, from a remote office, or even via a laptop connected to your cellphone hotspot.
Determining What’s Running on Open Ports
As a security professional, you need to gather the things that count when scanning your systems. You can often identify the following information:
Protocols in use, such as Domain Name System and NetBIOS
Services running on the hosts, such as email, web, and database systems
Available remote access services, such as Remote Desktop Protocol, telnet, and Secure Shell (SSH)
Encrypted network services such as SSL/TLS and IPsec
Permissions and authentication requirements for network shares
You can look for the following sample open ports (which your network scanner reports as accessible or open):
Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host.
TCP port 21, showing that FTP could be running.
TCP port 23, showing that Telnet could be running.
TCP ports 25 or 465 (SMTP and SMTPS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an email server could be running.
TCP/UDP port 53, showing that a DNS server could be running.
TCP ports 80, 443, and 8080, showing that a web server or web proxy could be running.
TCP/UDP ports 135, 137, 138, 139, and, especially, 445, showing that a Windows host could be running.
Thousands of ports can be open — 65,534 each for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to be exact. I cover many popular port numbers when describing security checks throughout this book. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
If you detect a web server running on the system that you test, you might be able to check the software version by using one of the following methods:
Type the site’s name followed by a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.
Use Netcraft’s What’s That Site Running? search utility (https://sitereport.netcraft.com/), which connects to your server from the Internet and displays the web-server version and operating system, as shown in Figure 4-1.
FIGURE 4-1: Netcraft’s web server version utility.
You can dig deeper for more specific information on your hosts by using these tools:
NMapWin (https://sourceforge.net/projects/nmapwin) can determine the system OS version.
A scanning and enumeration tool such as SoftPerfect Network Scanner (www.softperfect.com/products/networkscanner) can extract users, groups, and file and share permissions directly from Windows.
Many systems return useful banner information when you connect to a service or application running on a port. If you Telnet to an email server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this:
220 mail.your_domain.com ESMTP all_the_version_info_you_need_to_hack Ready
Most email servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system from some of the websites listed in the next section.
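The port list above and the telnet banner check can be combined into one small inventory script. The following is an added example, not code from the book: it performs a TCP connect scan, reads whatever banner each open port volunteers, names the service (trusting the banner over the port number), and flags banners that disclose a dotted version number. So that it runs offline, it starts a constructed listener on 127.0.0.1 that plays the mail server; the host name mail.example.test, the product name ConstructedMail and its version are invented for the demonstration.

```python
"""Added example (not code from the book): a small TCP connect scan that grabs
service banners, the way the chapter describes doing by hand with telnet, and
flags banners that volunteer a version number. It runs against a constructed
listener on 127.0.0.1, so it works offline; the host name mail.example.test and
the banner text are invented for the demonstration."""
import re
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Service hints keyed by port number, taken from the chapter's list of sample open ports.
PORT_HINTS = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 465: "SMTPS", 110: "POP3", 995: "POP3S",
    143: "IMAP", 993: "IMAPS", 53: "DNS", 80: "HTTP", 443: "HTTPS", 8080: "HTTP proxy",
    135: "MS RPC", 137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
    445: "SMB",
}

VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def start_fake_smtp(banner: bytes) -> Tuple[int, socket.socket]:
    """Constructed stand-in for a mail server: listens on an ephemeral port on
    127.0.0.1, sends one banner line to each client and closes. Returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                conn.sendall(banner + b"\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect to host:port. Returns the first line the service volunteers,
    "" if the port is open but silent, or None if the connection is refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return ""
    except OSError:
        return None
    return data.decode("ascii", errors="replace").splitlines()[0].strip() if data else ""


def identify(port: int, banner: str) -> str:
    """Name the service, trusting the banner over the port number because
    services are often moved to non-standard ports."""
    if re.match(r"220\b.*\bE?SMTP\b", banner):
        return "SMTP"
    if re.match(r"220\b.*\bFTP\b", banner, re.IGNORECASE):
        return "FTP"
    if banner.startswith("SSH-"):
        return "SSH"
    if banner.startswith("+OK"):
        return "POP3"
    if banner.startswith("* OK"):
        return "IMAP"
    return PORT_HINTS.get(port, "unknown")


def leaks_version(banner: str) -> bool:
    """True if the banner carries a dotted version number, the detail the chapter
    warns attackers use to look up known vulnerabilities."""
    return bool(VERSION_RE.search(banner))


def scan(host: str, ports: Iterable[int]) -> Dict[int, Dict[str, object]]:
    """Return {port: {"service": ..., "banner": ..., "leaks_version": ...}} for open ports."""
    findings: Dict[int, Dict[str, object]] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue  # closed or filtered
        findings[port] = {
            "service": identify(port, banner),
            "banner": banner,
            "leaks_version": leaks_version(banner),
        }
    return findings


if __name__ == "__main__":
    port, srv = start_fake_smtp(b"220 mail.example.test ESMTP ConstructedMail 4.2.1 Ready")
    for p, info in scan("127.0.0.1", [port]).items():
        print(p, info["service"], repr(info["banner"]), "version leaked:", info["leaks_version"])
    srv.close()
```

Against your own hosts, replace the constructed listener with the address and port list you want to inventory; a banner that reports `leaks_version` as true is the same disclosure the telnet example shows, and the fix is to configure the service to present a generic greeting.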
An email to an invalid address may return with detailed email header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives. I cover these issues
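To see what a bounce from your own mail system gives away, the headers can be checked mechanically for the two disclosures named above, internal addresses and software versions. This is an added example, not code from the book: it parses a constructed non-delivery report with Python's standard email module, lists RFC 1918 addresses found in any header, and lists dotted version tokens together with the header that carried them. The host names, addresses and product names in the sample are invented for the demonstration.

```python
"""Added example (not code from the book): inspect a bounced message for the
disclosures the chapter describes, internal IP addresses and software version
strings in the headers, so you can see what your own mail system hands out.
The bounce below is constructed; its host names, addresses and product names
are invented for the demonstration."""
import email
import ipaddress
import re
from email import policy
from typing import Dict, List, Optional, Tuple

# Constructed non-delivery report. An internal relay leaks its RFC 1918
# address and build number through a Received header added on the way out.
SAMPLE_BOUNCE = b"""\
Return-Path: <>
Received: from mailgw.example.test (mailgw.example.test [192.0.2.10])
\tby mx.example.test (ConstructedMTA) with ESMTP id C0FFEE12
\tfor <nobody@example.test>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from relay01.corp.example.test (10.20.30.40) by
 mailgw.example.test (10.20.30.5) with ConstructedMail SMTP Server id 15.1.2507.6
X-Mailer: ConstructedMailer 2.4.1
Subject: Undeliverable: status report
From: postmaster@example.test
To: sender@example.test

Delivery has failed to these recipients: nobody@example.test
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")  # matches IPv4 addresses and version numbers alike


def header_fields(raw: bytes) -> List[Tuple[str, str]]:
    """Parse the message and return (name, unfolded value) pairs in header order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(name, str(value)) for name, value in msg.items()]


def _as_ipv4(token: str) -> Optional[ipaddress.IPv4Address]:
    """Return the token as an IPv4 address, or None if it is not one (e.g. a version)."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None
    return ip if ip.version == 4 else None


def find_internal_ips(fields: List[Tuple[str, str]]) -> List[str]:
    """RFC 1918 addresses found in any header, in first-occurrence order, without duplicates."""
    found: List[str] = []
    for _, value in fields:
        for token in DOTTED_RE.findall(value):
            ip = _as_ipv4(token)
            if ip is not None and any(ip in net for net in RFC1918) and token not in found:
                found.append(token)
    return found


def find_versions(fields: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Dotted tokens that are not IPv4 addresses, reported with the header that carried them."""
    found: List[Tuple[str, str]] = []
    for name, value in fields:
        for token in DOTTED_RE.findall(value):
            if _as_ipv4(token) is None and (name, token) not in found:
                found.append((name, token))
    return found


def assess_bounce(raw: bytes) -> Dict[str, object]:
    """Summarise what a bounce reveals to whoever sent the probing message."""
    fields = header_fields(raw)
    return {
        "internal_ips": find_internal_ips(fields),
        "versions": find_versions(fields),
        "relays": [v for n, v in fields if n.lower() == "received"],
    }


if __name__ == "__main__":
    report = assess_bounce(SAMPLE_BOUNCE)
    print("internal addresses:", report["internal_ips"])
    print("version strings:", report["versions"])
    for hop in report["relays"]:
        print("relay:", hop)
```

Feed it a real bounce captured from your own gateway (read from a file as bytes) in place of SAMPLE_BOUNCE; anything in `internal_ips` or `versions` is a header your edge mail relay should be stripping or rewriting before the message leaves.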