If you are a hacker or a security researcher, it is important to analyze different types of vulnerabilities and bugs and to work out how they could be used to gain access to a server. In the process, you learn how an exploit actually works.
Gaining access is not the only goal, though. As an ethical hacker, you also have to understand how to fix the vulnerability or bug you found.
There are multiple ways to enumerate a server.
What is Enumeration?
Enumeration is a process of extracting machine information like usernames, machine names, network resources, port information, shares, and services of a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target.
Some of the best tools for this purpose are:
- Nikto
- Nmap
- Zenmap
- Maltego
- Gobuster
- WPScan
- dnsenum
- Netdiscover, and many more.
Scan the Network using Nmap
Nmap is one of the most widely used and most popular tools among cybersecurity professionals, security researchers, hackers, network engineers, and learners alike. It is an open-source tool mainly used for network discovery (live hosts, open ports, operating systems, etc.) and for security auditing over the network.
Follow the steps below to scan the machine.
Step 1: Find a Real one
In my previous post, we found two IP addresses with Netdiscover, but we don't yet know which one is our target:
 Currently scanning: 192.168.156.0/16   |   Screen View: Unique Hosts

 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 84
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.2    08:00:27:a8:6e:59      1      42  PCS Systemtechnik GmbH
 192.168.56.3    08:00:27:52:1e:51      1      42  PCS Systemtechnik GmbH
The best way to tell which one is our target is to scan both. The scan will give us OS information and details about the services on the network. Let's see how.
Open your terminal and run the following commands:
┌─[✗]─[mrdev@mr-dev]─[~]
└──╼ $nmap -sV 192.168.56.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-12 18:37 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.99 seconds
┌─[mrdev@mr-dev]─[~]
└──╼ $
From the output above we get no useful information at all: Nmap reports the host as down (it did not answer the ping probes), so we learn nothing about its services or its OS. This means it is not our target.
Let's try the second one:
┌─[mrdev@mr-dev]─[~]
└──╼ $nmap -sV 192.168.56.3
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-12 18:38 IST
Nmap scan report for 192.168.56.3
Host is up (0.050s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.55 seconds
┌─[mrdev@mr-dev]─[~]
└──╼ $
From this scan, we can see that the running operating system is UNIX or Linux-based, and that the host identifies itself as metasploitable.localdomain.
We have successfully found our target!
Step 2: Note Down the Vulnerabilities and Open Ports
From Step 1, we now have the target's information: its open ports, the services running on them, and their versions.
You can Google each service version to find out whether any known vulnerabilities exist for it.
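As an added example that is not part of the original post, the following Python script turns the Nmap -sV output above into the inventory that Step 2 asks for: every open port with its service and version string (the search terms for your vulnerability look-ups), plus a short list of legacy services that send credentials in cleartext and so belong at the top of the remediation list. The CLEARTEXT_SERVICES set and the SAMPLE text (a subset of the scan lines shown above) are constructed for this example.

```python
import re

# One line of Nmap "normal" output, e.g. "21/tcp open ftp vsftpd 2.3.4"
# -> port, protocol, state, service, version (version may be empty).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Nmap service names that typically carry logins in cleartext (assumption:
# adjust to your environment). These are the names Nmap printed above.
CLEARTEXT_SERVICES = {"ftp", "telnet", "exec", "login", "shell"}


def parse_nmap_output(text: str) -> list:
    """Parse the PORT/STATE/SERVICE/VERSION table from `nmap -sV` normal output."""
    entries, in_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("PORT"):
            in_table = True          # header row starts the table
            continue
        if not in_table:
            continue
        m = PORT_LINE.match(line)
        if not m:
            break                    # first non-port line ends the table
        entries.append({"port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                        "service": m["service"], "version": m["version"].strip()})
    return entries


def inventory(text: str) -> dict:
    """Return the Step 2 notes: open ports with versions, and cleartext services found."""
    open_ports = [e for e in parse_nmap_output(text) if e["state"] == "open"]
    return {
        "open": {f'{e["port"]}/{e["proto"]}': {"service": e["service"], "version": e["version"]}
                 for e in open_ports},
        "cleartext": sorted(e["service"] for e in open_ports if e["service"] in CLEARTEXT_SERVICES),
    }


# Constructed sample: a subset of the scan output shown above.
SAMPLE = """\
Nmap scan report for 192.168.56.3
Host is up (0.050s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
512/tcp open exec netkit-rsh rexecd
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
6000/tcp open X11 (access denied)
Service Info: Hosts: metasploitable.localdomain
"""

if __name__ == "__main__":
    for key, value in inventory(SAMPLE).items():
        print(key, value)
```

To run it on your own scan, save the Nmap output to a file and pass its contents to inventory() instead of SAMPLE.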