[Lesson 9] Network Vulnerability and Scanning: Input and Output Management
In the last few lessons, we learned how to specify which ports are scanned 📚 Now let’s dive into input management, where we will see how to specify which systems are scanned.
Input Management (various examples):
First, we will prepare the Nmap query and play with the destination IPs, which are the last parameter in the query:
This is how we scan a single IP ☝️
This is how to scan an entire class C block of IP addresses (.0/24) ☝️
You can select a range for any part of the IP address. For example, the third and fourth octets can both be given as ranges, which lets you scan a lot of IP addresses with one command line ☝️
You can also scan more than one IP block in a single Nmap query ☝️
Note: if you have two networks in your virtual machine, then this query will be more useful.
This is a combination of a range and a single number in the IP address ☝️
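To see how many addresses such a target specification covers before you launch a scan, here is an added POSIX shell example (my own code, not part of the lesson) that expands Nmap-style octet ranges into individual addresses and counts them. It covers the forms above, a plain address, a range in any octet, and a comma-separated list of ranges inside an octet, which Nmap also accepts (e.g. 192.168.3-5,7.1); CIDR notation like .0/24 is deliberately not handled. The function names and the sample specs are my own.

```shell
#!/bin/sh
# Added example: expand an Nmap-style octet range spec (e.g. 192.168.3-5,7.1)
# into one address per line. CIDR (/24) specs are not handled here.
expand_targets() {
    awk -v spec="$1" 'BEGIN {
        n = split(spec, oct, /\./)
        if (n != 4) { print "expected four octets: " spec > "/dev/stderr"; exit 1 }
        for (i = 1; i <= 4; i++) {
            cnt[i] = 0
            m = split(oct[i], parts, ",")          # an octet may list several ranges
            for (j = 1; j <= m; j++) {
                if (parts[j] ~ /^[0-9]+-[0-9]+$/) { split(parts[j], r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
                else if (parts[j] ~ /^[0-9]+$/)   { lo = parts[j] + 0; hi = lo }
                else { print "bad octet: " oct[i] > "/dev/stderr"; exit 1 }
                if (lo > hi || hi > 255) { print "bad range: " parts[j] > "/dev/stderr"; exit 1 }
                for (v = lo; v <= hi; v++) vals[i, ++cnt[i]] = v
            }
        }
        # nested loops: the first octet varies slowest
        for (a = 1; a <= cnt[1]; a++)
            for (b = 1; b <= cnt[2]; b++)
                for (c = 1; c <= cnt[3]; c++)
                    for (d = 1; d <= cnt[4]; d++)
                        print vals[1, a] "." vals[2, b] "." vals[3, c] "." vals[4, d]
    }'
}

# Number of addresses a spec covers: a cheap check before deciding whether a
# full rescan of a large block is really worth the time.
count_targets() {
    expand_targets "$1" | wc -l | tr -d ' '
}

# Usage with sample specs constructed for this example:
expand_targets 192.168.3-5,7.1
count_targets 192.168.56.0-255
```

Running the block prints the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1 and 192.168.7.1 for the first spec and 256 for the second.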
Steps to collect a list of live hosts:
- Ping scan (-sn)
- Narrow the output down to only the IP addresses of live hosts with the grep command and the cut command
- Redirect the output into a text file to reuse the list
- Remove the first two IP addresses, which we are not interested in (the default gateway), with nano
In a typical penetration test or ethical hacking engagement, the network is scanned many times. Once you have found the live hosts, it doesn’t make sense to scan the entire network again and again; most of the time this involves a huge network, so scanning all of it each time makes the pen-test take far longer than expected.
Another method to define the target systems is to give Nmap the IP addresses in a file ☝️
Note: the -iL option in the Nmap query is used to scan a list of IP addresses read from a file; you can add other options before or after it.
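The live-host procedure above and the -iL follow-up, as an added shell example (my own code, not the lesson’s). The ping-scan result is a constructed sample in Nmap’s grepable (-oG) format, so the block runs offline; in a real run you would produce it with nmap -sn -oG pingscan.gnmap 192.168.56.0/24. The addresses to drop (the gateway in the lesson) are passed as arguments instead of being removed by hand in nano, and the final nmap -iL query is printed rather than executed. Function names and the 192.168.56.x addresses are my assumptions.

```shell
#!/bin/sh
# Added example: build a reusable target list from a ping scan, then feed it back with -iL.
# Constructed sample of "nmap -sn -oG -" output (not a real scan result).
SAMPLE_PING_SCAN=$(mktemp)
printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.56.0/24' > "$SAMPLE_PING_SCAN"
printf 'Host: 192.168.56.1 ()\tStatus: Up\n'             >> "$SAMPLE_PING_SCAN"
printf 'Host: 192.168.56.100 ()\tStatus: Up\n'           >> "$SAMPLE_PING_SCAN"
printf 'Host: 192.168.56.101 (target.lab)\tStatus: Up\n' >> "$SAMPLE_PING_SCAN"
printf '%s\n' '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 1.23 seconds' >> "$SAMPLE_PING_SCAN"

# live_hosts <grepable ping-scan file> [address to drop ...]
# Keeps only "Status: Up" lines, cuts out the address (second space-separated field)
# and drops any addresses given as extra arguments, e.g. the default gateway.
live_hosts() {
    scan_file=$1; shift
    hosts=$(grep 'Status: Up' "$scan_file" | cut -d ' ' -f 2)
    for skip in "$@"; do
        hosts=$(printf '%s\n' "$hosts" | grep -v -x -F "$skip" || true)
    done
    [ -n "$hosts" ] && printf '%s\n' "$hosts"
    return 0
}

# build_target_list <ping-scan file> <output list> [address to drop ...]
# Writes the list once so later, more expensive scans read it with -iL
# instead of sweeping the whole block again. Prints the number of targets.
build_target_list() {
    scan_file=$1; list_file=$2; shift 2
    live_hosts "$scan_file" "$@" > "$list_file"
    wc -l < "$list_file" | tr -d ' '
}

# Usage with the constructed sample; the follow-up query is only printed here.
TARGETS=$(mktemp)
build_target_list "$SAMPLE_PING_SCAN" "$TARGETS" 192.168.56.1
cat "$TARGETS"
echo "next step: nmap -iL $TARGETS -oA hosts_scan"
```

With the sample, the list contains 192.168.56.100 and 192.168.56.101 and the printed count is 2; the -oA base name in the final query is arbitrary and only shows where the output options from the next section fit.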
Output Management (various examples):
Let’s talk about the nmap output management in the second part of this lesson:
Till now we have run tons of Nmap queries and got the results on the terminal screen. This is the default output behavior, known as interactive output, and it is sent to standard output (stdout). In a pen-test, we should save the results of the queries to be able to analyze them later on. Fortunately, Nmap has its own output management capabilities.
There are 3+1 major output saving formats in Nmap:
- Normal output (-oN) is similar to the interactive output you have seen on the terminal screen up till now, except that it displays less runtime information and fewer warnings, since it is expected to be analyzed after the scan completes rather than interactively.
- Grepable output (-oG) puts most of the information for a target host on a single line, so you can collect the information you need with the grep command. We have already seen a few examples of the grep command in the lessons.
- XML output (-oX) is one of the most important output types, as it can be converted to HTML, easily parsed by programs such as Nmap graphical user interfaces, or imported into databases.
- All formats (-oA) generates the output in all of the formats above at once.
Now, let’s see the Nmap output management in action:
Generate the XML output by adding the -oX parameter and providing the output file. You can give the file name with a full path; if you don’t specify a path, as in this example, the file is created in the current folder.
Note that all the output saving formats (the -oX, -oG and -oN parameters) require the full filename. Remember to give the file an extension and then specify it in the Nmap query, as shown in the figure above. In addition, “ls res*” is used to check whether the specified file was created.
Use the “less res.xml” command to see the content of the file. This is a typical XML file with tags. The host tag is where all the results about a host are listed between the start tag and the end tag: it contains the IP address, the scanned ports and of course the scan results. Press q to quit the less command.
Generate all types of output with the -oA parameter, which requires the base name of the files. Be careful: the -oA parameter takes a base file name, not a full file name with an extension. Then 3 files, one per saving format, are produced.
Let’s look at the content of the .nmap file with the less command. Press q to quit the less command.
Now, let’s look at the grepable output. Here there are two lines for each host: the first shows the status of the host, and the second displays the port scan results.
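To show why the grepable format is convenient, here is an added shell example (my own code, not the lesson’s) that pulls the open ports out of the second line of each host. The scan result is a constructed sample in the -oG layout, where every entry in the Ports: field is port/state/protocol/owner/service/rpc/version, so the state is the second "/"-separated field. Function names, the 192.168.56.x addresses and the port states are my assumptions.

```shell
#!/bin/sh
# Added example: extract open ports per host from grepable (-oG) output.
# Constructed sample of an "nmap -p 22,80,443 -oG -" run (not a real scan result).
SAMPLE_PORT_SCAN=$(mktemp)
{
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -p 22,80,443 -oG - -iL targets.txt'
    printf 'Host: 192.168.56.100 ()\tStatus: Up\n'
    printf 'Host: 192.168.56.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n'
    printf 'Host: 192.168.56.101 (target.lab)\tStatus: Up\n'
    printf 'Host: 192.168.56.101 (target.lab)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1)\n'
    printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 0.42 seconds'
} > "$SAMPLE_PORT_SCAN"

# open_ports <grepable file> <address>: open port numbers for one host, one per line.
# Field 2 of the line is the address; only the "Ports:" line (not the "Status:" line) is used.
open_ports() {
    awk -v host="$2" '$2 == host && /Ports:/' "$1" \
      | sed 's/.*Ports: //' | tr ',' '\n' \
      | awk -F/ '$2 == "open" { sub(/^[ \t]*/, "", $1); print $1 }'
}

# open_port_summary <grepable file>: one line per host, "<address> <open ports>" or "none".
open_port_summary() {
    grep 'Ports:' "$1" | cut -d ' ' -f 2 | while IFS= read -r ip; do
        ports=$(open_ports "$1" "$ip" | tr '\n' ',' | sed 's/,$//')
        printf '%s %s\n' "$ip" "${ports:-none}"
    done
}

# Usage with the constructed sample:
open_port_summary "$SAMPLE_PORT_SCAN"
```

Against the sample this prints "192.168.56.100 22,80" and "192.168.56.101 80"; closed and filtered entries are left out because the state field is compared against the literal word open.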