This is an active phase of your attack. When the fourth step is
reached, you should have gathered a large amount of helpful data that makes
penetrating wireless peers, gateways, and sniffable wired-side hosts an easy
task. Perhaps no penetration is needed, because you have already collected or
cracked user passwords flowing across the network. Using the data gathered, you can select the most suitable hosts
for a further attack aimed at obtaining administrator or root privileges on
these hosts. At this stage you can perform active OS fingerprinting, port
scanning, and banner grabbing to determine vulnerable services for further
exploitation. Remember the golden rule of fingerprinting: Use several available
techniques and analyze the results. The options include the following:
- nmap -O
- thcrut discover (uses improved nmap fingerprinting methodology)
- Ettercap (press f/F over a host)
- xprobe
- xprobe2 (yes, this is a different tool)
- induce-arp.pl (ARP-based OS fingerprinting)
- sing (basic ICMP fingerprinting)
- sprint and sprint-lite
- tools that do fingerprinting via specific services if present (ldistfp, lpdfp, telnetfp)
- other tools available in the vast scope of the Internet
As to port scanning itself, nmap is everyone's all-time
favorite. What kind of "hacking book" does not describe how to run nmap? Without
going into the port scanning depths, here are our recommendations:
- First try the zombie/idle scan with -sI. It might not work.
- Check out the protocol scan (-sO). Try to do fingerprinting with -sO.
- Proceed with -sN (null). Many firewalls and IDSs would not detect it (e.g., ipchains logging).
- You can follow with -sF to be sure, but avoid Xmas (-sX).
- If you haven't captured any useful data from these scans, the host is likely to be some form of Microsoft Windows. Use the half-connect scan (-sS).
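The null, FIN and Xmas scans listed above are the ones the text says many firewalls and IDSs miss, yet their flag combinations never occur in a legitimate TCP handshake and are simple to match in a packet log. As an added example (not from the book), here is a small Python detector that classifies each packet's TCP flags against those signatures and alerts when one source touches several distinct ports with the same signature; the packet lines, addresses and the min_ports threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample, one packet per line: "src dst dport flags"; flags lists
# the TCP flags that are set (S, A, F, R, P, U) and "-" means none are set.
SAMPLE_PACKETS = """
10.0.0.5 10.0.0.20 22 -
10.0.0.5 10.0.0.20 23 -
10.0.0.5 10.0.0.20 80 -
10.0.0.7 10.0.0.20 21 F
10.0.0.7 10.0.0.20 25 F
10.0.0.7 10.0.0.20 80 F
10.0.0.9 10.0.0.20 139 FPU
10.0.0.9 10.0.0.20 445 FPU
10.0.0.9 10.0.0.20 3389 FPU
10.0.0.11 10.0.0.20 443 S
10.0.0.11 10.0.0.20 443 S
"""

# Flag combinations a real TCP handshake never produces, keyed to the nmap
# scan type that sends them; a bare SYN is matched separately below.
SCAN_SIGNATURES = {
    frozenset(): "null (-sN)",
    frozenset("F"): "fin (-sF)",
    frozenset("FPU"): "xmas (-sX)",
}

def classify(flags):
    """Map a flag string to a scan type, or None for ordinary traffic."""
    flagset = frozenset(flags.replace("-", ""))
    if flagset in SCAN_SIGNATURES:
        return SCAN_SIGNATURES[flagset]
    return "syn (-sS)" if flagset == frozenset("S") else None

def detect_scans(packet_text, min_ports=3):
    """Report (src, scan type) pairs that touched >= min_ports distinct ports.
    Counting distinct ports keeps a client retrying one service out of the
    alert list; min_ports is an assumed threshold to tune per network."""
    targets = defaultdict(set)
    for line in packet_text.strip().splitlines():
        src, dst, dport, flags = line.split()
        kind = classify(flags)
        if kind is not None:
            targets[(src, kind)].add((dst, int(dport)))
    return {key: len(ports) for key, ports in targets.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for (src, kind), n in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} scan against {n} ports")
```

On the sample, the three stealth scanners are reported while the host that retried one SYN to port 443 is not, which is the distinction a flag-only logging rule such as the ipchains example cannot make.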
Because we
are on (W)LAN, there is another tool to consider: the Ghost Port Scan. Ghost
Port Scan uses ARP poisoning to spoof both IP and MAC addresses of the scanning
host on the LAN. The scanner is able to find IP addresses not in use on the LAN
the attacker's host is connected to. Such a feature is used when no source IPs
have been specified. The aim of this function is to avoid a potential DoS that
could be caused by ARP poisoning. The scanner is quite flexible:
arhontus:~# ./gps
Ghost Port Scan version 0.9.0 by whitehat@altern.org (gps.sourceforge.net)
Usage: ./gps -d target [-s host1[,host2/host3..]] [-t scan_type] [-v] [-r scan_speed] [-p first_port-last_port] [-k 0 | 1] [-e ping_port] [-f t | o] [-i interface] [-S mac | ip] [-w window_size]
-d target              :target host's IP/name
-s host1[,host2/host3] :list of hosts we pretend to be (use '/' to specify IP ranges)
-t scan_type           :stealth scan mode (default: syn) (syn | xmas | null | fin | ack | rand | fwrd)
-r scan_speed          :packet rate (default: insane) (insane | aggressive | normal | polite | paranoid)
-p first-last ports    :port range to scan (default: 1-1024)
-k 0 | 1               :scan well-known ports (default: 1)
-e ping_port           :target port for a TCP ping (default: 80)
-v                     :verbose (use twice for more verbose)
-f t | o               :fragment IP datagrams (default: no frag) (t: tiny frags | o: frag overlapping)
-i interface           :network interface to use
-S mac | ip            :spoofing level (IP or ethernet/MAC; default: mac)
-w window_size         :size of the emission window (default: 256 packets)
To grab banners the old-fashioned way, you can use telnet or
netcat. However, your time (important on wireless) and effort can be saved if
you use the following:
- amap
- THCrut
- arb-scan
- banshee (features command execution against the IP addresses scanned)
- grabbb (very fast)
- A variety of banner grabbers from the Men in Grey (MIG) group (very fast, but not necessarily accurate)
- "Script kiddie" banner grabbers for the "hole of the month" (usually fast; probably started from banner grabbers for wu-ftpd versions)
As a security consultant, you can always use automated
multipurpose security evaluation tools such as Nessus, but a real Black Hat is
unlikely to employ these tools for stealth preservation reasons. Choose the
tools you like for time-saving and personal reasons. Keep a large collection of
exploit code and a long list of default passwords and dictionaries on your
penetration testing laptop to save more time by avoiding browsing SecurityFocus,
Packetstorm, and similar sites from the WLAN. Use Hydra and similar tools for
remote password dictionary attacks and brute-forcing.