Target Enumeration

Created On 26. Jan 2020

Updated: 2021-05-01 23:44:24.521182000 +0000

Created By: acidghost

Target Enumeration is the process of discovering the specifications of the underlying systems in the target zone. Once this step has been evaluated, the systems' vulnerabilities are assessed.
These specifications are identified from the services running on accessible ports. Let's scan some ports with Nmap and see what it shows us.
Start off in terminal towards an IP in your lab:
$ nmap 192.168.120.130
You will get a result listing the state of each port and, for the open ones, the service running on it.
If you want to scan a range of IPs you can indicate it like this:
$ nmap 192.168.120.130-255
or like this to get the full range
$ nmap 192.168.120.0/24

Nmap
Nmap is one of the most used tools in a hacker's toolbelt, and it has many more capabilities in its arsenal. It can fingerprint operating systems by identifying the services running on them and detect the versions of the discoverable services. Further, you can specify the scan options in depth, and if that is not enough, it offers its own scripting engine. By default Nmap executes a forward TCP scan.
You can scan specific ports with the -p option.
Scan port 22 like this:
$ nmap 192.168.120.0/24 -p 22

Zenmap
To better learn Nmap, you can use its graphical interface Zenmap. It's a great interactive tool that can compare scans, draw topological maps of discovered networks and offers nice scanning profiles for a quick job.
In the newer versions of Kali there is no Zenmap, so you can install it like this:
$ sudo apt-get install zenmap
Then launch it like this:
$ zenmap
After this, check the scan types in the Profile menu or create a new one. After the scan finishes, save the result; only then can you compare it with a second scan. You will see that it highlights with colour and with "-" and "+" markers the differences that occurred on the host in between.
In a later section we will cover in more detail how to create scripts, zombie scans and profiles, dive deeper into analysis with Nmap and check some patterns with Zenmap as well.

Amap
This tool helps identify the application running on a port. Run:
$ amap
and check the displayed options.
Run a scan against a target port:
$ amap -bqv 192.168.120.130 23
This will scan port 23 of our target. You can add more ports, separated by spaces.
In this case amap sends a trigger packet and compares the banner it gets back against a list of signatures in its database. A match outputs the running service. On a Debian based machine without any specific configuration, you might see that the service running on port 23 is telnet.
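As an added example (not part of the original page and not amap's own code), here is the banner-matching idea in Python: read the first bytes a service sends, compare them against a small constructed signature list, and report the service, or None when nothing matches. The signature regexes and sample banners are constructed for illustration.

```python
import re
import socket

# Constructed mini signature database standing in for amap's appdefs files:
# (service name, regex tested against the first bytes the server sends back).
SIGNATURES = [
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe]")),  # IAC option negotiation
    ("ssh",    re.compile(rb"^SSH-\d+\.\d+-")),
    ("smtp",   re.compile(rb"^220[ -].*SMTP", re.I)),
    ("ftp",    re.compile(rb"^220[ -].*FTP", re.I)),
    ("http",   re.compile(rb"^HTTP/1\.[01] \d{3}")),
]

# Triggers a scanner must send before some services say anything at all;
# telnet, ssh, smtp and ftp announce themselves unprompted.
TRIGGERS = {"http": b"GET / HTTP/1.0\r\n\r\n"}

def identify_service(banner: bytes):
    """Return the first signature whose regex matches the banner, or None
    when the banner is empty or unknown (amap reports 'unidentified')."""
    if not banner:
        return None
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return None

def grab_banner(host: str, port: int, trigger: bytes = b"", timeout: float = 3.0) -> bytes:
    """Connect, optionally send a trigger, read up to 512 response bytes.
    Needs network access; the demo below uses constructed banners instead."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if trigger:
            sock.sendall(trigger)
        try:
            return sock.recv(512)
        except socket.timeout:
            return b""

if __name__ == "__main__":
    # Constructed banners, roughly as a Debian host might return them.
    samples = {
        23: b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",
        22: b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n",
        25: b"220 mail.example.test ESMTP Postfix\r\n",
        80: b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
        8000: b"",
    }
    for port, banner in samples.items():
        print(port, identify_service(banner) or "unidentified")
```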

Unicornscan
The difference between unicornscan and other tools is that it is more scalable. You can define how many packets per second you want to send, and thereby tune the speed and accuracy of the scan. Packets per second is also known as PPS, and the default is 300.
Run:
$ unicornscan
to see a list of all the options. Run this command to scan ports 1 to 23 with a PPS of 1:
$ unicornscan -r 1 -m U -Iv 10.0.2.0/24:1-23
Oops, it looks like with the default setting this might take about 2 hours on my VM.
Above we specify the option -m U for a UDP scan of ports 1 to 23 and verbose output through -Iv.
Then let's try to set the packet sending rate to 100,000.
$ unicornscan -r 100000 -m U -Iv 10.0.2.0/24:1-23
Timewise, this looks much better and the scan should finish in about 10 seconds.
