Mizugori

after an nmap scan, what's next?

17 posts in this topic

So you got an IP address, even figured out what OS it's running, and then did a couple of nmap scans, tried it with the -P0 flag as it seemed they were blocking pings, and ended up with a list of "interesting ports" that are open.

What might you do next, now that you possess this information?

Nothing. Going further is illegal... leave product security analysis to the professionals and let grandma download her mp3s in peace.. ;)

I'm sure that's exactly what everyone on here wants to read :roll:

For entertainment purposes only, what *might* be a next step?

Nothing. Going further is illegal... leave product security analysis to the professionals and let grandma download her mp3s in peace.. ;)

Scanning it in the first place is illegal, so if you have already performed this, you might as well go all the way.

Hi,

I'm not so sure that "entertainment" would be the right reason to do anything further, not even to do the nmap scan itself. If you want to do something useful with the information you've got from nmap, you could try to contact the person to let him/her know that the system is open to an attack; you could also tell him/her how to improve the system security....

Things are entertaining as long as those things don't happen to you, aren't they?

The point in checking a system's security isn't to have fun or be entertained by it; one point would be to improve that security, and yes, breaking it would be another...

But even breaking it shouldn't be something you do for fun, and that's because it has consequences.

Regards

What you wanna do now is work out what kind of OS is running; it's a good start to figure out what system it is that you are looking at and possibly what release.

Then you might want to look at what kind of services are sitting behind those ports and their version numbers ...

Nothing. Going further is illegal... leave product security analysis to the professionals and let grandma download her mp3s in peace.. ;)

Scanning it in the first place is illegal, so if you have already performed this, you might as well go all the way.

Perhaps we should encourage him to play around on his own network: set up a machine and run all the scans and exploits you want.

Nothing. Going further is illegal... leave product security analysis to the professionals and let grandma download her mp3s in peace.. ;)

Scanning it in the first place is illegal, so if you have already performed this, you might as well go all the way.

Depends on what country you are in; in my country it's legal to scan but you're not allowed to take action upon it.

Now that you know which ports are open, try to see which program is listening on the other end. Try and see which versions of these programs the computer is running, and if they have known flaws. Having a port open does not mean the computer is insecure.

Edited by Aghaster
Is the best way to "test" what's listening on the other end (of your own network of course) by using old school telnet to see if anything comes up, like a mail server? Otherwise I suppose you could look up what those ports are and see if there is a program that uses it and devise a way to connect to it from there.

Of course if you are attacking someone else's network, things like an IPS/IDS could come into play, and the only tool I've heard of to fool them (but which will still set off false positives) is fragroute.

Somebody pick apart my post! Learning is good!

Is the best way to "test" what's listening on the other end (of your own network of course) by using old school telnet to see if anything comes up, like a mail server? Otherwise I suppose you could look up what those ports are and see if there is a program that uses it and devise a way to connect to it from there.

Recent versions of nmap have the ability to probe the port to determine what service/protocol is listening on that port. It can send different sets of data to the open port to test for various things, and matches responses using a set of regular expressions (I've actually used this set of rules to generate responses to fool nmap service detection).

This is a bit nicer for most circumstances than telnetting in, as you may have no idea what to send, or it may be awkward to send the data interactively (for binary protocols). Typing in some junk or sending some carriage returns might get you somewhere, but if it just sits there, there's no way of knowing whether or not you're talking the protocol correctly. If it sends back binary data that can't be represented by printable characters easily, then you're losing information there too.

Of course if you are attacking someone else's network, things like an IPS/IDS could come into play, and the only tool I've heard of to fool them (but which will still set off false positives) is fragroute.

The best way to fool an IDS is to try to figure out which one, through information gathering or possibly fingerprinting, and install it yourself to see how your attacks are going to work. When you have some insight into the signatures being used and how it alerts, you'll have an idea of what you need to modify to get by. If it's based on heuristics or is some kind of anomaly-based detection, you're just going to have to figure out what sort of thresholds you have to vary from normal traffic.
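The probe-and-match approach described in the reply above (listen for a greeting, send a known probe if the service is silent, match the reply against per-probe regular expressions, keep unrecognised binary replies as hex), as an added example that is not nmap's code or the poster's. The rule list and the local stand-in services are constructed for the demo; they are not nmap's real service-probes data.

```python
import re
import socket
import threading

# Constructed nmap-style rules (not nmap's data): (probe that elicited the reply, regex, service); group 1 = version.
MATCH_RULES = [
    ("NULL", rb"^SSH-2\.0-OpenSSH_([\w.]+)", "ssh"),
    ("GetRequest", rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: ([^\r\n]+)", "http"),
]

def match_banner(probe, data):
    """(service, version) from the first rule for this probe that matches, else None."""
    for name, pattern, service in MATCH_RULES:
        if name == probe and (m := re.search(pattern, data, re.DOTALL)):
            return service, m.group(1).decode(errors="replace")
    return None

def recv_quiet(sock, size):
    try:                      # a silent service is a result, not an error
        return sock.recv(size)
    except socket.timeout:
        return b""

def probe_service(host, port, timeout=1.0):
    """Mimic nmap -sV: wait for a greeting (NULL probe), then send a GET if silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        hit = match_banner("NULL", recv_quiet(s, 1024))
        if hit:
            return hit
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")          # the GetRequest probe
        reply = recv_quiet(s, 4096)
        # an unknown binary reply is kept as hex rather than lost on a terminal
        return match_banner("GetRequest", reply) or ("unknown", reply.hex())

def fake_service(greeting, reply):
    """Local stand-in service: send greeting on connect, answer any input with reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(greeting)
            if conn.recv(4096):
                conn.sendall(reply)
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    ssh = fake_service(b"SSH-2.0-OpenSSH_9.6p1 Debian-5\r\n", b"")
    web = fake_service(b"", b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n")
    return probe_service("127.0.0.1", ssh), probe_service("127.0.0.1", web)
```

Run `demo()` to see the two cases side by side: the SSH stand-in is identified from its greeting alone, while the web stand-in says nothing until the GET probe is sent.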

I'm sure that's exactly what everyone on here wants to read :roll:

For entertainment purposes only, what *might* be a next step?

For "entertainment purposes"? Rent a movie... 1995's Hackers should suffice :roll:

I'm sure that's exactly what everyone on here wants to read :roll:

For entertainment purposes only, what *might* be a next step?

For "entertainment purposes"? Rent a movie... 1995's Hackers should suffice :roll:

lol... don't forget to copy the garbage file!

I read some of the posts on here... I think what you need to do is scan a computer on your own network. You need to be very careful about what kind of computer you're scanning.

Good admins will watch their logs and see what kind of scan you are doing. If you're going to scan, then again, do a slow scan. There is a way of doing that in nmap.

Just remember you are doing something that you should do on your own network first before going out into the real world trying it.

Is the best way to "test" what's listening on the other end (of your own network of course) by using old school telnet to see if anything comes up, like a mail server? Otherwise I suppose you could look up what those ports are and see if there is a program that uses it and devise a way to connect to it from there.

Of course if you are attacking someone else's network, things like an IPS/IDS could come into play, and the only tool I've heard of to fool them (but which will still set off false positives) is fragroute.

Somebody pick apart my post! Learning is good!

IDSs look for patterns.... Nmap has lots of options to slow down a scan and switch up the pattern... A lot can be done to fool it. But really, if you're not a paid pentester and you're worried about IDS during scans, you should probably be aware of potential legal issues that arise. I would be wary of any tool claiming it can fool an IDS... Powerful meatware is key when worrying about this sort of thing...

As far as the original question... Google those services, try to enumerate the version, learn about the software hosting that service and its history... You should only be doing this on networks you have permission to mess around on. I would advise against poking around any production boxes on the internet unless you have a very good relationship with the admin... Even then, be careful. Read up on the protocol... check the RFC, learn how it works... Check out Damn Vulnerable Linux and play in your own sandbox... Then work your way up to other live CDs at home. Check your local laws because even using some security tools at home is illegal in some places.

Is the best way to "test" what's listening on the other end (of your own network of course) by using old school telnet to see if anything comes up, like a mail server? Otherwise I suppose you could look up what those ports are and see if there is a program that uses it and devise a way to connect to it from there.

Of course if you are attacking someone else's network, things like an IPS/IDS could come into play, and the only tool I've heard of to fool them (but which will still set off false positives) is fragroute.

Somebody pick apart my post! Learning is good!

IDSs look for patterns.... Nmap has lots of options to slow down a scan and switch up the pattern... A lot can be done to fool it. But really, if you're not a paid pentester and you're worried about IDS during scans, you should probably be aware of potential legal issues that arise. I would be wary of any tool claiming it can fool an IDS... Powerful meatware is key when worrying about this sort of thing...

As far as the original question... Google those services, try to enumerate the version, learn about the software hosting that service and its history... You should only be doing this on networks you have permission to mess around on. I would advise against poking around any production boxes on the internet unless you have a very good relationship with the admin... Even then, be careful. Read up on the protocol... check the RFC, learn how it works... Check out Damn Vulnerable Linux and play in your own sandbox... Then work your way up to other live CDs at home. Check your local laws because even using some security tools at home is illegal in some places.

See, he has a good point: play with your own box first. Right now I'm building a Server 03 and a Windows 2000 machine... Need to check out a new tutorial I found from one of the Defcon speakers a few months back.

Have fun, but be very careful when you're on the net trying these things.
