|
ping sweep
. A
ping sweep is a useful way to identify active machines on a given subnet. If you
aren’t familiar with a ping operation, let’s take a moment to explain this concept.
A ping is a command from ICMP (Internet Control Message Protocol), and it is
frequently used to determine if two hosts have an end-to-end connection. The
host that initiates the ping sends small packets of information via what’s called
an ICMP echo request. If the target host is online and has a connection, it will
reply to the host who initiated the ping. This will show you that the host is online
and that it isn’t suffering from connection problems over the network between
the two hosts.
If you really wanted to, you could manually go through each IP address on your
network and ping it from your computer to see what IP addresses other hosts on
the network are using. In reality though, this simply isn’t feasible. It would be
very tedious and time consuming trying to ping hundreds of individual IP
addresses to see if any hosts are online. This is why ping sweeps are so useful –
they allow you to ping every valid IP address on a subnet automatically. After
the sweep has been completed, NMAP will return a list of all the addresses that
replied to the ping and allow you to see the IP addresses of other active hosts on
the scanned network.
However, there are a couple caveats to ping sweeps. They don’t always show
you every single host attached to a network. There are a few reasons why a host
might not respond to a ping sweep. Firstly, it could be possible that a host’s
network card is faulty or broken in some way. Secondly, there could be
problems on the network between your host and the target subnet that prevent
the ping from completing successfully. Lastly (and most importantly), network
admins choose to configure hosts to not respond to pings for the sole purpose of
protecting them from being identified by a ping sweep. In some instances, your
ping might pass through a firewall that doesn’t allow ICMP traffic, too.
These are the exceptions, though, and not the rule. It is rare that a host would not
respond to a ping, and the vast majority of active hosts will show up in a ping
sweep. This is especially true if you are performing a ping sweep on the subnet
that your computer is directly connected to.
Operating System Identification
Yet another useful feature of the NMAP utility is the ability to identify the
operating systems that active hosts are using. Though you may not think so at
first, this is actually some critical information. After you know what operating
system and code version a host is using, you can then search databases using
tools such as Metasploit to identify weaknesses and vulnerabilities. Furthermore,
NMAP will be able to tell you the model of device a host is using. This is also
critical because it will help you discern what type of devices are present such as
host computers, tablets, phones, infrastructure devices, hardware appliances,
printers, routers, switches, and even firewalls.
Port Scanning
Port scanning is a little different from a ping sweep. With port scanning, the goal
is to find what port(s) are open on a whole subnet or a single host. For example,
you could perform a port scan on your local subnet to see if any hosts are
accepting connections on port 80 (HTTP). This is a great way to see if you can
access any networking devices such as a wireless router, printer, or a firewall.
Because these types of devices typically have web configuration interfaces, any
hosts that are accepting connections on port 80 (HTTP) will show you a login
prompt if you type their IP address into a web browser. For example, if your port
scan revealed that the host 192.168.1.1 (this is most likely the default address of
your wireless router) is accepting connections on port 80, you could reach its
login interface by typing
http://192.168.1.1
in your web browser. This will
initiate a connection on port 80 for the host 192.168.1.1 (see chapter 5 for
networking fundamentals, IP addresses, and ports).
It is likely that the administrator changed the default username and password for
that device, but you would be surprised how frequently people fail to do this
because they are inexperienced, lazy, or just plain ignorant of the massive
security risk they encounter by leaving the username and password set to default
values. If you wanted to, you could even use NMAP to find what type of
firmware the networking device is running as well as the model number. Then
all you need to do is perform a quick Google search to find the default values
and attempt to login to the device. But this is just one simple example of port
scanning. You could even scan a single host to see
all
of the ports that are
accepting connections. And port scanning goes well outside the realm of
scanning port 80 to see if you can pull up a web interface. Some ports can be
used to deliver types of code that will take advantage of a flaw in a protocol or
system to escalate an attacker’s privileges or even deny that target from using
network services.
NMAP Footprinting Procedures: Installing NMAP
Before we begin, there is one last thing we need to do to configure VMWare
connectivity. VMWare uses the idea of virtualized network adapters, and the
default setting won’t put your virtual machine in the same subnet as your host
operating system. Simply click on the ‘settings’ tab of the VMWare application
and find the configuration option for your ‘network interface.’ Now select the
option to put it in
Do'stlaringiz bilan baham: |
