02.SERVICES

It is recommended to run a fast scan of all ports first, without version detection, to get an overview of which ports are open. This sends far fewer packets than a full version/script scan, which is advantageous to the red team because it reduces the chance of being flagged by detection mechanisms; the version and script scan is then run only against the ports identified in the first pass.

root@oco:~$ sudo nmap -sS -T4 {targetIP} -p- -oA targetIP.Result
 ...
root@oco:~$ sudo nmap -sV -sC -T4 {targetIP} -p {identifiedPorts}
 PORT     STATE SERVICE       VERSION
 22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
 |   256 65:0c:f7:db:42:03:46:07:f2:12:89:fe:11:20:2c:53 (ECDSA)
 |_  256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
 80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Welcome to Base
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 * this cmd defaults to -sS (SYN scan) when run w/ sudo or root privileges
    - if elevated privileges aren't used, the cmd will default to a TCP connect scan (-sT), which completes the full handshake and is noisier

 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
    - adding -sC is another good way to determine service versions
       - the -sC option runs the "safe" category of scripts, which are designed to provide useful
         information without being too intrusive or causing harm to the target systems
 * -sC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks
 * -oA writes the results in all three formats at once (.nmap, .gnmap and .xml), so the
   identified ports can be pulled from the .gnmap file for the second scan

 * use the -Pn option of Nmap when ICMP packets are blocked (e.g. by the Windows firewall)
    - the -Pn option treats all hosts as online and skips host discovery, so a host that drops ping probes is still scanned
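The two-phase workflow above (full-port SYN scan with -oA, then -sV -sC on the identified ports) leaves the list of open ports in the .gnmap file. The following script is an added example, not part of the original notes: it parses the greppable output format into per-host lists of open TCP ports and builds the -p value for the follow-up scan. The host address, ports and timestamps in SAMPLE_GNMAP are constructed for this example and do not come from a real scan.

```python
from typing import Dict, List

# Constructed sample of nmap greppable output (the .gnmap file that -oA writes).
# Host, ports and timestamps are invented for this example.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -T4 -p- -oA targetIP.Result 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (65531)
# Nmap done at Mon Jan  1 10:00:30 2024 -- 1 IP address (1 host up) scanned in 30.00 seconds
"""


def parse_open_ports(gnmap_text: str) -> Dict[str, List[int]]:
    """Return {host: [open TCP ports]} from greppable nmap output.

    Each 'Ports:' field is a comma-separated list of entries shaped
    port/state/protocol/owner/service/rpc/version/ ; only entries whose
    state is 'open' and whose protocol is 'tcp' are kept.
    """
    result: Dict[str, List[int]] = {}
    for line in gnmap_text.splitlines():
        # Status-only host lines and the '# Nmap ...' comment lines carry no port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        # The 'Ignored State' summary follows the port list after a tab; drop it.
        ports_field = ports_field.split("\tIgnored State", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto == "tcp":
                result.setdefault(host, []).append(int(port))
    for host in result:
        result[host].sort()
    return result


def port_spec(ports: List[int]) -> str:
    """Format a port list as the comma-separated value nmap's -p option expects."""
    return ",".join(str(p) for p in ports)


def followup_command(gnmap_text: str) -> Dict[str, str]:
    """Build the -sV -sC follow-up command (as used in the notes) for every host with open ports."""
    return {
        host: f"sudo nmap -sV -sC -T4 {host} -p {port_spec(ports)}"
        for host, ports in parse_open_ports(gnmap_text).items()
    }


if __name__ == "__main__":
    # Replace SAMPLE_GNMAP with open("targetIP.Result.gnmap").read() for a real file.
    for cmd in followup_command(SAMPLE_GNMAP).values():
        print(cmd)
```

Filtered and closed entries are deliberately left out of the -p list, so the second, noisier scan only touches ports the first pass confirmed as open.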
