Hacking into the Vulnerable Machine (preps) — Ethical Hacking as a Beginner [05]
Let’s first ensure our setup is ready. By now, we’ve accomplished two critical tasks:
- Setting up our Hacking Lab: We’ve installed Kali Linux, the go-to operating system for ethical hackers.
- Configuring our Vulnerable Machine: We’ve set up Metasploitable, a purposely vulnerable virtual machine, for practice.
Since we have the permission to break into our vulnerable machine, LET’S DO IT!
Let’s frame it the formal way: I am an ethical hacker who has been asked to break into this machine to test it for vulnerabilities and report on its security. I will follow this procedure:
Step1: Scan the network to see all machines.
Tools used: netdiscover, nmap (zenmap for GUI)
Step2: Perform Vulnerability Analysis
Tools used: nmap, searchsploit, nessus
Introduction to nmap
nmap (Network Mapper) is going to be a must-use tool for us:
- It is free and open source
- It discovers hosts and services on a network by sending packets and analysing the responses
- By default it scans the 1000 most commonly used TCP ports on each host (the most common ones, not simply 1-1000)
To scan all devices on our network:
- Find the IP range of your network, using ip addr (or the older ifconfig) on Linux and ipconfig on Windows, then:
nmap 192.168.1.1-255
or
nmap 192.168.1.1/24 #/24 = a 24-bit subnet mask: the first 24 bits are the network part, so this covers 192.168.1.0 to 192.168.1.255
Some common nmap scans:
- TCP SYN scan (-sS flag): the most popular, it never completes the three-way handshake; it needs root because it sends raw packets
- TCP connect scan (-sT flag): a regular full three-way handshake, so it leaves far more footprints in application logs; this is what nmap falls back to when not run as root
- UDP scan (-sU): slow, but the only way to find UDP-only services such as DNS and SNMP
Use command man nmap for details
Understanding nmap scans
We have scanned the network, and obtained the list of available devices on our network we will try breaking into, let’s say we are moving ahead with an ip we found on the network: 192.168.43.201
So what information can nmap provide to us about it?
- The OS on the target: nmap compares the target’s TCP/IP stack behaviour against a database of thousands of OS fingerprints; for a reliable match it needs at least one open and one closed TCP port
sudo nmap -O 192.168.43.201
It even tells us the target is running in a VM, inferred from the vendor part of the MAC address (VMware and VirtualBox each have their own prefixes)
Network distance of 1 hop: the host is on our own network segment
- Detecting the versions of the services running on open ports:
(Press Enter during the scan to print its progress)
sudo nmap -sV 192.168.43.201
Now that we have the versions of the services running on open ports, we can google those versions to find known vulnerabilities in them.
The default intensity of a -sV scan is 7; it can be made more aggressive with --version-intensity 9 (or the equivalent --version-all), which tries every probe against every port at the cost of a slower scan
Running nmap aggressively
sudo nmap -A 192.168.43.201
This scan enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) in one go
More useful nmap flags:
- -sn: host discovery only (ping scan, no port scan); on a local network it works much like netdiscover
- -p: for specifying ports, e.g. -p 22,80,443, or -p- for all 65535 TCP ports
- -f: fragment packets into tiny pieces, sometimes useful for slipping past firewalls and IDS
- -D: decoy IPs, e.g. -D RND:5, so your real address is hidden among fake sources
- -S: spoof your source IP; the replies go to the spoofed address, so you normally get no results back (usually needs -e to pick the interface)
- -sS blocked? -sF (FIN scan) can be tried; it gets past some stateless packet filters, but Windows answers every FIN with a RST, so there every port shows as closed
Outputting nmap scans
sudo nmap -sS 192.168.43.201 >> outscan.txt #>> appends to the file, > overwrites it
or
sudo nmap -oN output -sS 192.168.43.201 #normal output; cat output to view the result (-oG gives grepable, -oX XML, -oA all three)
In this post we saw how powerful nmap is for Scanning, the second pillar of Penetration Testing. We are almost ready to attack our target, just one last thing before that: Vulnerability Analysis
Vulnerability Analysis
Let’s see three ways to go about it:
- nmap scripts (NSE): cd into /usr/share/nmap/scripts to see all the scripts, pick the one(s) that fit the services we found (descriptions are on nmap.org), and run them with --script
- Manually searching for vulnerabilities in the versions that -sV reported: tools like searchsploit (an offline copy of Exploit-DB) or a plain web search
- Nessus: a comprehensive vulnerability scanner, for a thorough automated analysis
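To tie the scanning and vulnerability-analysis steps together, here is an added example (my script, not the author’s or nmap’s code): it runs the -sS/-sV scan from the earlier section, saves grepable output with -oG, reduces it to one line per open port, and turns the version strings into searchsploit lookups. Run with no argument it parses a constructed sample (every IP, port and version below is made up for illustration) so you can see what the parser does before pointing it at a real target; the 192.168.43.0/24 range and the scan.gnmap file name are assumptions.

```shell
#!/bin/sh
# Added example for this post (not the author's or nmap's code): run the scan
# the post describes, save grepable output with -oG, reduce it to one line per
# open port, and turn the version strings into searchsploit lookups.
# With no argument it parses a CONSTRUCTED sample (all IPs, ports and versions
# below are made up for illustration); pass a range such as 192.168.43.0/24 to
# run the real scan, which needs root because -sS sends raw packets.
set -eu

# Write constructed nmap -oG output to the file named in $1. Real output uses
# tabs between the Host/Ports/Ignored State fields; the parser accepts either.
write_sample() {
  cat >"$1" <<'EOF'
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.168.43.201 ()  Status: Up
Host: 192.168.43.201 ()  Ports: 22/open/tcp//ssh//OpenSSH 4.7p1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8/, 139/filtered/tcp//netbios-ssn///  Ignored State: closed (997)
Host: 192.168.43.1 ()  Status: Up
Host: 192.168.43.1 ()  Ports: 53/open/tcp//domain//dnsmasq 2.80/  Ignored State: closed (999)
# Nmap done (constructed sample)
EOF
}

# Print "host port proto service version" for every open port in a -oG file.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/ and nmap
# writes '|' instead of '/' inside version strings, so splitting on '/' is safe.
parse_open_ports() {
  awk '/Ports:/ {
    host = $2
    line = $0
    sub(/.*Ports: /, "", line)
    sub(/[ \t]*Ignored State:.*/, "", line)
    n = split(line, entry, "/, ")
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open")
        printf "%s %s %s %s %s\n", host, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
    }
  }' "$1"
}

# Read parser output on stdin and print one searchsploit command per product,
# keeping only product name + major.minor: Exploit-DB titles rarely carry the
# full banner, so "OpenSSH 4.7" finds what "OpenSSH 4.7p1 (protocol 2.0)" misses.
searchsploit_queries() {
  awk '$5 != "-" {
    v = $5
    for (i = 6; i <= NF; i++) v = v " " $i
    if (match(v, /[0-9]+(\.[0-9]+)?/))
      print "searchsploit " substr(v, 1, RSTART - 1) substr(v, RSTART, RLENGTH)
  }' | sort -u
}

main() {
  out="${2:-scan.gnmap}"
  if [ -n "${1:-}" ]; then
    # -sS SYN scan (needs root), -sV service/version detection, -oG grepable
    # output for the parser; add -oN as well for the human-readable copy you keep.
    sudo nmap -sS -sV -oG "$out" "$1"
  else
    echo "no target given, parsing constructed sample output" >&2
    write_sample "$out"
  fi
  parse_open_ports "$out" | tee "$out.ports"
  echo "--- suggested lookups (run them, or refine the strings by hand) ---" >&2
  searchsploit_queries <"$out.ports"
}

main "$@"
```

Usage: `sh scan_parse.sh` shows the parser on the sample; `sh scan_parse.sh 192.168.43.0/24` runs the real scan (it calls sudo for -sS). The filtered port 139 in the sample is deliberately dropped, since only open ports carry a version worth looking up; the searchsploit commands are printed rather than executed so you can shorten or widen a query before running it.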
All right
By now we have gone through the information gathering phase, then scanned the ports and the software running on them, and finally done vulnerability analysis: 3 out of the 5 stages of penetration testing covered.
What lies ahead?
Exploitation, coming up next.
Stay protected!