- In-scope devices: always remember that some auditees may not want you to scan everything on their network. To avoid problems, ask your auditee whether there are specific devices that need to be excluded. These machines may be critical to their operation, or they may simply not want them scanned. If your auditee has exclusions, explain the possible consequences if a machine does not undergo vulnerability assessment. If scanning public servers, verify that the server host (web company, cloud provider, etc.) has approved the scan, and that remote scanning is legal both in the jurisdiction you are performing it from and in the location of the remote server.
Using zenmap/nmap, identify all of the devices currently active on the network. It is worth repeating a quick scan at different times of the day and on different days to get a more complete view of the network.
- Discover network-connected devices, including servers and workstations, but also smartphones, printers, security cameras, voip phones, and other devices.
- Record the version and patch levels of software on the device (see: identifying-software-versions).
For the active, in-scope devices, the next step is to gather additional details including hostnames, MAC addresses (useful for tracking devices over multiple days, as their IP addresses may change), operating systems and versions, port numbers, and any running services such as shared drives, remote management services and old or legacy services. Host enumeration sometimes takes time, as not all devices respond to your scans in the same way. To overcome this, there are variants of the tools and steps for performing an efficient network scan.
- Run OS detection options
- Scan for open ports and service banners (not all ports correctly map to their "expected" services, also provides service version information)
- Select additional nmap scripts and more exhaustive port scanning as needed. Filter for safe scripts!
- Categorize the devices that you discover. This makes it more efficient later when running vulnerability scans, enabling you to target them effectively. For devices which are not easily categorized, see the IoT section below.
Port/Service research, and how to decide if an open port is suspicious
If a port is open on a personal computer or mobile device, this should be immediately considered suspicious and investigated.
- Inspect all systems providing internal services to the host organization.
- Identify weak ports or services available under the current device's firewall configuration (see: examining-firewalls-across-os).
- Identify and investigate any open ports that should not be open (e.g.: almost no ports should be open in personal computers, see below)
- Identify all odd/obscure/one-off services (see: identifying-oddone-off-services).
- Using the list of software versions and patches, identify attacks and, if possible, known malware that devices in the office are vulnerable to.
- Shared Folders
- Password Sniffing
- On Windows, run `netstat -ab` from a command prompt opened as an administrator; this will show you the name of the process running on the open port.
- To identify the process on the open port more in-depth, run the official Microsoft Process Explorer (right-click a process to see the Properties - the port will be visible in the TCP/IP tab and you will find more information on the path of the process in the "Image" tab).
- You can investigate the process on VirusTotal directly from Process Explorer, by right-clicking on the process and then clicking "Check VirusTotal".
- On Mac, run `netstat` or `lsof`; this will show you the path of the process running on the open port.
- On Linux, follow these instructions.
- Web servers
- DNS servers
- Mail servers
- Gateway devices
- FTP Servers
- Cloud servers
- Discover network-connected devices, including servers and workstations, but also smartphones, voip phones, and other devices.
- Open ports
- OS detection
- Capture banners (not all ports correctly map to their "expected" services, also provides service version information)
- Additional scripts and more exhaustive port scanning as needed (see the different variants)
- Basic Nmap Commands
- Advanced Nmap Host Discovery and Port Scanning
- Nmap Version Detection and Service enumeration
- Scanning using Nmap Scripting Engine
- Scanning using Nmap Firewall/IDS Evasion & Spoofing Options
- Nmap Scan Output Results
Local networks often have a variety of devices connected to them - servers, laptops, printers, and user devices such as cellphones and tablets. Scanning the connected devices can reveal potential areas for further research such as odd ports being open, out-of-date devices/services, forgotten servers/services, etc. This information is then reviewed in the vulnerability research exercise and, if required, validated in the penetration testing exercise.
Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, and explore further information such as services, service banners, and operating systems. More intense scans can be too time-consuming to run across the entire network, so target those to higher value systems. As always, be aware of the scans and additional scripts you choose, and focus your exploration (in nmap) on scripts categorized as "safe".
Custom instructions per type of device
An open port in a server or IoT device should be investigated if it doesn't correspond to a known service. For example, if the open port is 80, 8080, or 443, it's supposed to be open for a web server, so you can try to browse it by pasting the IP address in your browser address bar.
If it's for SSH (port 22), try to log into it through SSH. If the service isn't supposed to be running on the identified device, you can run a scan of the open ports and request service banners, and/or try to telnet directly to the IP:port to identify what service they are connected to. To identify what a port might be used for, look at the complete list at IANA.org. Using nmap's banner scripts will also reveal what the service reports itself as (for example, you can run ssh, usually port 22, on port 443, usually https). Once you have identified what service that port might be used for, always check that the service is actually running on the machine and that the user or sysadmin is aware of it.
In general, these are ports that might be open on a server:
| Port(s) | Service |
|---|---|
| 6881 to 6889 | Torrent |
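The categorization step from the host-enumeration walkthrough and the suspicious-port reasoning of this section, as an added example that is not part of the original guide: a small Python triage of an nmap XML report (`nmap -oX`). The report is constructed, the "expected" port and service lists and the OS-name heuristic are assumptions, and the flags it raises are starting points for the manual checks described above, not verdicts.

```python
import xml.etree.ElementTree as ET

# Assumed "expected" server ports (web, mail, dns, ssh) and the service nmap
# should report on them; a mismatch (ssh answering on 443) deserves a closer look.
SERVER_PORTS = {22, 25, 53, 80, 443, 8080}
EXPECTED_SERVICE = {22: "ssh", 53: "domain", 80: "http", 443: "http", 8080: "http"}

# Constructed nmap -oX output (not a real scan): one Linux box answering ssh on 443,
# one Windows workstation with SMB and a torrent port open, and one host that is down.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
 <os><osmatch name="Linux 5.4" accuracy="96"/></os><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="443"><state state="open"/><service name="ssh"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.23" addrtype="ipv4"/>
 <os><osmatch name="Microsoft Windows 10" accuracy="98"/></os><ports>
 <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 <port protocol="tcp" portid="6881"><state state="open"/><service name="bittorrent-tracker"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.50" addrtype="ipv4"/></host>
</nmaprun>"""

def categorize(osname, ports):
    """Rough bucket used to pick the right checks; anything else is an IoT candidate."""
    if "Windows 10" in osname or "Mac OS" in osname:
        return "workstation"
    return "server" if ports & SERVER_PORTS else "unknown"

def triage(xml_text=SAMPLE_XML):
    """Return {ip: (category, {port: service}, [flags])} for every host reported up."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue                      # nmap still lists down hosts; skip them
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        osm = host.find("os/osmatch")
        osname = osm.get("name") if osm is not None else "unknown"
        open_ports = {int(p.get("portid")): p.find("service").get("name")
                      for p in host.iter("port") if p.find("state").get("state") == "open"}
        kind = categorize(osname, set(open_ports))
        flags = []
        for port, svc in sorted(open_ports.items()):
            if kind == "workstation":     # almost nothing should listen on a personal computer
                flags.append(f"{port}/{svc} open on a workstation")
            elif port in EXPECTED_SERVICE and EXPECTED_SERVICE[port] != svc:
                flags.append(f"{port}/{svc} does not match expected {EXPECTED_SERVICE[port]}")
            elif kind == "server" and port not in SERVER_PORTS:
                flags.append(f"{port}/{svc} unexpected on a server")
        findings[ip] = (kind, open_ports, flags)
    return findings
```

Call `triage(open("scan.xml").read())` on a real `-oX` report to get the same per-host flags for your own scope.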
IoT (Internet of Things) is becoming popular because of its ease of use and ability to address certain needs (e.g. use of an IP camera instead of CCTV). As classes of network appliances become common, additional exercises (such as the VOIP assessment) can be created. For others, it is still worth conducting a basic assessment to determine what security implications network-connected devices may have.
In the course of network scanning, watch for devices without clear operating system identification (from nmap/zenmap), and/or devices registering as Linux or unknown (particularly if there are no Linux users or servers), and use hostnames and MAC address lookups (Wireshark, MACVendors) for "hints".
Follow up on these devices with more intensive, specific scans to positively identify them, and/or follow up with staff to help physically locate the devices. Some devices, such as Smart TVs, may not even be normally thought of as devices worth considering, but if they are connected to the work network, they can add vulnerabilities.
Once any IoT devices have been identified, follow up with research as to their current and possible patch level/software update, what vulnerabilities they may have even if fully updated, and if there have been any known attacks against the platform. Check their configuration to see if they are accessible from the Internet (directly, via UPnP, or via an external service that the device connects out to). Check to see that default passwords have been updated, and any service-connected devices have strong, unique and not-previously-breached passwords.
If there are vulnerabilities that cannot be mitigated, consider suggesting removing the IoT device from the network or creating a separate network, disconnected from organizational resources, for non-work devices.
Windows / SMB Networks
You can use `smbtree` to request a list of all SMB network device names and `nmblookup` to connect them to their IP addresses.
Unsigned NTLM authentication messages leave SMB file servers vulnerable to man-in-the-middle attacks. This also allows an attacker on the LAN to add, remove or copy files to and from the organization's file servers (and workstations with file sharing enabled).
External Network Scanning
Selected scanning of external network devices (websites, webmail, extranet services) may also reveal vulnerabilities or other areas of concern. However, it is important that you obtain approval, or a written document that proves you have the authority, to scan your target organization along with its web resources and services.
External network scans are different from local network scans. This is because you are scanning devices that are publicly available, which can be done remotely from outside the organization's premises. If your auditee has agreed to have their public-facing machines scanned, keep in mind that you may need to ask your auditee to whitelist your scanning source so that IDS/IPS, firewalls and other blocking mechanisms do not shun it during your scan. Also make sure that you have verified that the target is in scope. This is to avoid scanning out-of-scope targets, which may lead to other problems.
Most of the machines you'll encounter in external network scans are:
Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, and explore further information such as services, service banners, and operating systems. More intense scans can be too time-consuming to run across the entire network, so target those to higher value systems. As always, be aware of the scans and additional scripts you choose, and focus your exploration (in nmap) on scripts categorized as safe or "non-disruptive".
According to nmap's website:
"Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts". It is considered the most popular network mapping tool available.
Below are commands to perform network scanning using Nmap.
| Option | Example command | Description |
|---|---|---|
| | | Scan a single specific IP/target |
| | | Scan a specific domain |
| | | Scan the IP range from 192.168.1.1 to 192.168.1.35 |
| | | Scan a network subnet |
| | | Scan a list of IPs from a list file |
| | `nmap -p 80` | Scan specific port/s on a target, IP range or list file |
| | `nmap -p 21-80` | Scan a target, IP range or list file with a specific port range |
| | | Scan a target with the 100 most common ports (FAST) |
| | | Scan all 65,535 ports on a target |
| | | TCP connect port scan (with root privilege by default) |
| | | Scan using TCP SYN port scan |
| | | Scan UDP ports |
| | | Scan using TCP ACK port scan |
| | | Host discovery scan of an IP subnet range - port scanning disabled |
| | | Port scan of an IP subnet range - host discovery disabled |
| | | Scan target without DNS resolution |
| | | Perform ARP discovery on the local network |
| | | Perform version detection of services running on ports |
| | | Remote OS detection using the TCP/IP stack fingerprinting method |
| | | Enable OS detection, version detection and traceroute |
| | | PARANOID scan - evade IDS |
| | | SNEAKY scan - evade IDS |
| | | POLITE scan - slow scan for less bandwidth and less target machine resource use |
| | | NORMAL scan - default speed |
| | | AGGRESSIVE scan - fast scan assuming you're on a fast and reliable network |
| | | INSANE scan - extraordinarily fast; trades off accuracy |
| `-sV -sC` | `nmap -sV -sC` | Scan using default safe scripts |
| | | Scan target with a set of scripts (for this example, smb scripts) |
| | `nmap -sV -p 443 --script=ssl-heartbleed.nse` | Scan using a specific script (for this example, we used the |
| | | Scan using multiple different scripts combined |
| | | Scan using small fragmented IP packets for evading packet filtering |
| | `nmap -mtu 64` | Scan using a custom MTU size |
| | `nmap -D 172.16.1.200, 172.16.100` | Scan using a set of spoofed IP addresses |
| | `nmap -S fakesource.com` | |
| | `nmap -g 53` | Scan using port |
| | `nmap --proxies http://18.104.22.168:8080,` | Relay nmap scans through HTTP/SOCKS4 proxies |
| | | Generate normal output to file |
| | | XML output to file |
| | | Generate grep-pable output to file |
| | | Generate output in the 3 major formats |
Working with GUI using Zenmap
While Nmap may seem intimidating to some, especially with all those commands and options, you can use a GUI-based Nmap called Zenmap. You can download Zenmap from this link.
Zenmap has features that help you manage scans and import and export results.
It comes with preset scan profiles that you can choose from. Depending on your target environment and your agreement with the client, you can select from:
- Intense Scan + UDP
- Intense Scan + all TCP ports
- Intense Scan - No ping
- Quick Scan Plus
- Slow Comprehensive Scan
While office networks are often treated as "trusted" spaces, measures should be in place to reduce the potential harm of an attacker who gains access. In addition, devices that "travel" -- such as laptops and mobile phones -- should have adequate security settings (generally, firewalls) to protect them on other networks.
A policy should be in place for connecting personal devices to work networks, as well as work devices to non-work networks.