Nmap - Port States



Nmap is the most used port scanning tool on the Internet, and reasonably so: it is extremely powerful, and one reason is the way it divides up port states. Generally, a port scanner classifies a port as only open or closed, but Nmap did a really good job here and divides them into six different states.
  • open: An application is actively accepting TCP connections, UDP datagrams, or SCTP associations on the port. An open port is like a portal for an attack, so attackers and pen-testers want to exploit it, while security officials try to close or protect the port using firewall rules.
  • closed: The port is accessible; it receives and responds to Nmap probe packets, but there is no application listening on it. This shows the host is up and can be scanned later. Security officials might want to block these ports with a firewall rule.
  • filtered: Nmap cannot determine whether the port is open because some form of packet filtering prevents its probes from reaching the port. The filtering could be a firewall rule or a firewall device on the network. If security officials block the attacker from reaching even closed ports, the attacker ends up getting this result, which eventually frustrates the attack. It also forces Nmap to retry several times in case the probe was dropped due to network congestion rather than filtering, which in turn slows the scan drastically.
  • unfiltered: The port is accessible, but Nmap is unable to determine whether it is open or closed. Scanning unfiltered ports with other scan types, such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
  • open|filtered: Nmap is not able to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
  • closed|filtered: Nmap is not able to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
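To show how these states are used in practice, here is an added example (not from the original post) that parses Nmap grepable output (-oG) and maps each state to the defensive follow-up described above; the scan text is a constructed sample, and the advice strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable (-oG) output, not a real scan.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 25/filtered/tcp//smtp///, 53/open|filtered/udp//domain///, 80/closed/tcp//http///\tIgnored State: filtered (996)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https//nginx/, 3389/unfiltered/tcp//ms-wbt-server///
"""

# Each entry in the Ports field is port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Defensive follow-up per state (this example's own wording of the points above).
FOLLOW_UP = {
    "open": "exposed listener: confirm it is intended, patched and firewalled",
    "closed": "host reachable, nothing listening: consider dropping it at the firewall",
    "filtered": "probes blocked: the expected result for a firewalled port",
    "unfiltered": "reachable but undetermined: re-scan with -sS, -sW or -sF",
    "open|filtered": "no response at all: re-scan with version detection (-sV)",
    "closed|filtered": "idle-scan ambiguity: re-scan directly to resolve",
}

def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]} from -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts[host].append((int(port), state, proto, service, version))
    return dict(hosts)

def triage(text):
    """Return one (host, port/proto, state, advice) tuple per reported port."""
    rows = []
    for host, entries in parse_gnmap(text).items():
        for port, state, proto, _service, _version in entries:
            rows.append((host, f"{port}/{proto}", state, FOLLOW_UP.get(state, "unknown state")))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_GNMAP):
        print(*row, sep="  ")
```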


We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.


Nmap - Cautionary Notes


Nmap is the most used port scanning tool on the Internet, and reasonably so, as it is very capable. So before digging in deep, you should know some cautionary points.

  • Unlike passive tools, Nmap actually interacts with the target servers most of the time, which can be a problem as the scan may end up in their logs.
  • In some countries, basic network or even port scanning may be against the law, so you need to check the laws before scanning someone's network.
  • Nmap can perform more discovery techniques with scripts than just port scanning, which could be considered hacking or, in simple words, trespassing.
  • Scripting could be illegal in some jurisdictions, so you may need to check that too for your region.

Consider that port scanning is analogous to visiting a bank before robbing it to see what sort of cameras, desks, and security staff it has. Just visiting the bank and noticing things around could not be considered a crime, but if someone gets suspicious because of the way you are looking around, then it could be a problem.



Hack Hiccups

A hiccup is an involuntary contraction of the diaphragm that may repeat several times per minute and results in the "hic" sound.

Most hiccups stop on their own, but in some cases they go on for a while. Try the methods below, which might stop your hiccups. There is no proof that they will, but there is a high chance.
 
  • Breathe into a paper bag.
  • Drink a glass of water quickly.
  • Gargle with water.
  • Press an ice cube against your tongue.
 

Footprinting


One way to begin planning an ethical hack on your business is through a process often called footprinting, information gathering, or recon. Footprinting means gathering information about a target system that can be used to execute a successful cyber-attack. An ethical hacker must spend most of their time profiling the organization, gathering information about the hosts, network, and people related to it.

Information that can be collected includes:

  • IP address
  • Domain name info
  • Technologies used
  • Other websites on the same server
  • DNS records
  • Unlisted files, sub-domains, and directories

Two types of footprinting:

  1. Passive Footprinting: collecting information about a system from a remote distance, without touching the target directly.
  2. Active Footprinting: performing footprinting by getting in direct touch with the target machine.

Possible ways:

  • Whois: The best starting point is to perform a Whois lookup using any of the Whois tools available on the Internet. Whois databases and servers are operated by the Regional Internet Registries (RIRs). A lookup queries details such as IP address block, domain name, location, email id, phone numbers, domain owner, etc. Website for Whois lookup query: Whois Lookup
  • Google Hacking: refers to collecting information using Google dorks, search keywords that let you query a target in an optimized way. These searches can help find sensitive information like leaked passwords, default credentials, competitor information, information related to a topic, etc. Website for commands or keywords: Google Hacking Database.
  • Organization's Website: This can also be the best place to begin. You can find open-source information that is freely provided to clients, customers, or the public.
  • DNS Lookup: DNS is the Internet's system for converting alphabetic names into numeric IP addresses. For example, when a URL is typed into a browser, DNS servers return the IP address of the web server associated with that name. A DNS lookup retrieves the information, or resource records, associated with a domain. Websites for DNS lookup:
    • Robtex (shows comprehensive info about the target website)
    • DNS Dumpster (enumerates a domain and pulls back up to 40K subdomains; results are available as an XLS for easy reference)
  • Job Websites: Organizations can unknowingly share confidential data on many job websites. For example, a company posts "Job Opening for Apache 2.0 Server Administrator". From this we can gather that the organization uses the Apache 2.0 web server.
  • Social Engineering: Social media such as Twitter and Facebook are searched to collect personal details, user credentials, and other sensitive information. Most people tend to release a lot of their information online, and attackers make heavy use of it.
  • Competitive Intelligence: Competitive intelligence gathering is the process of gathering information about competitors from resources such as the Internet. Examples: company website, search engines, online databases, press releases, annual reports, trade journals.
  • Useful Websites:
    • Netcraft Site Report: tells which server-side or client-side technologies are in use.
    • Archive.org: It is like a time machine for any website. An archived version is an older version of the website as it existed at some point in time. The site collects snapshots of websites at regular intervals.
    • WhatWeb: A tool available in Kali Linux. WhatWeb identifies websites; its goal is to answer the question "What is that website?". WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb can be stealthy and fast, or thorough but slow.
    • HTTrack: It allows you to download a website from the Internet to a local directory, recursively building all directories and fetching HTML, images, and other files from the server to your computer.
    • BuiltWith: It displays information like widgets, analytics, frameworks, content management systems, advertisers, content delivery networks, web standards, and web servers.
  • Subdomains: One server can serve several websites, and gaining access to one can help gain access to others. For example, google.com is the main domain, while mail.google.com, smtp.google.com, etc. are subdomains of google.com. Tools useful for finding subdomains:
    • KNOCK
      • Clone the repository
      • Change into the knockpy directory
      • Run the program using python knockpy.py <target_website>
    • DIRB: DIRB is a web content scanner. Its main purpose is to help in professional web application auditing, especially in security-related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners cannot look for. It does not search for vulnerabilities, nor does it look for web content that can be vulnerable. It basically works by launching a dictionary-based attack against a web server and analyzing the response.
    • VirusTotal is also an easy and fast way to get the subdomains of a website.
  • Geolocation: IP geolocation and domain information can also be helpful. Website for getting the geolocation: ipinfo.io

Wireless Network Sniffing


Wireless Network Sniffing or Packet Sniffing can be done using a tool called airodump-ng, which is part of Aircrack-ng and comes preinstalled in Kali Linux. Airodump-ng is a packet sniffer used to capture all the packets within range of the wireless adapter.

Requirements:

How to scan nearby wireless networks:

  • In Terminal, type:
    • Syntax: airodump-ng <network_adapter>
    • Example: airodump-ng wlan0
  • This will start scanning all nearby wireless access points and display the details about each of them.
  • Description of every field:
    • BSSID: MAC address of the access point.
    • PWR: Signal level reported by the card. Its meaning depends on the driver, but the higher the signal, the closer you are to the AP or the station. If the BSSID PWR is -1, the driver doesn't support signal level reporting. If the PWR is -1 for a limited number of stations, then a packet came from the AP to the client but the client's transmissions are out of range for your card, meaning you are hearing only half of the communication. If all clients have PWR as -1, the driver doesn't support signal level reporting.
    • RXQ: Receive quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds.
    • Beacons: Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far away.
    • # Data: The number of captured data packets (if WEP, the unique IV count), including data broadcast packets.
    • #/s: Number of data packets per second measured over the last 10 seconds.
    • CH: Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference or overlapping channels.
    • MB: Maximum speed supported by the AP. If MB = 11, it's 802.11b; if MB = 22, it's 802.11b+; up to 54 is 802.11g. Anything higher is 802.11n or 802.11ac. A dot (after 54 above) indicates that short preamble is supported. Displays "e" following the MB speed value if the network has QoS enabled.
    • ENC: Encryption algorithm in use. OPN = no encryption; "WEP?" = WEP or higher (not enough data to choose between WEP and WPA/WPA2); WEP (without the question mark) indicates static or dynamic WEP; WPA, WPA2 or WPA3 if TKIP or CCMP is present (WPA3 with TKIP allows WPA or WPA2 association, pure WPA3 only allows CCMP). OWE is Opportunistic Wireless Encryption, aka Enhanced Open.
    • CIPHER: The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP with WPA2. WEP40 is displayed when the key index is greater than 0. The standard states that the index can be 0-3 for 40-bit keys and should be 0 for 104-bit keys.
    • AUTH: The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
    • ESSID: Shows the wireless network name, the so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests.
    • STATION: MAC address of each associated station, or of stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".
    • Rate: Station's receive rate, followed by the transmit rate. Displays "e" following each rate if the network has QoS enabled.
    • Lost: The number of data packets lost over the last 10 seconds, based on the sequence number.
    • Packets: The number of data packets sent by the client.
    • Notes: Additional information about the client, such as captured EAPOL or PMKID.
    • Probes: The ESSIDs probed by the client. These are the networks the client is trying to connect to if it is not currently connected.

How to scan a specific network:

  • In terminal, type:
    • Syntax: airodump-ng --bssid <mac> --channel <ch_number> <network_adapter>
    • Example: airodump-ng --bssid e2:33:44:55:66:77 --channel 2 wlan0
  • This will start scanning one particular network. To get the MAC address and channel number of a particular network, use the method defined above to scan all networks and read off its BSSID and CH.
  • Additionally, if you want to write the scan data to a file, add one option:
    • Syntax: airodump-ng --bssid <mac> --channel <ch_number> --write <file_name> <network_adapter>
    • Example: airodump-ng --bssid e2:33:44:55:66:77 --channel 2 --write test wlan0
  • This writes all the captured data to files in your current directory, which can later be used to extract passwords and other important data.
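As an added example (not part of the original post), the following Python reads the <file_name>-01.csv summary that airodump-ng --write produces and flags access points whose ENC value is OPN, WEP or WPA, the networks a defender would want to remediate first; the CSV content is a constructed sample in that layout, and the column names are assumed to match the airodump-ng header.

```python
import csv

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an access-point section, a blank line, then a station section.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
E2:33:44:55:66:77, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  2,  54, WPA2, CCMP, PSK, -41,  120,  0,   0.  0.  0.  0,   6, Office,
E2:33:44:55:66:88, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  11, WEP, WEP, SKA, -70,   80,  15,   0.  0.  0.  0,   8, LegacyAP,
E2:33:44:55:66:99, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN, , , -60,   40,  0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,  300, E2:33:44:55:66:77, Office
AA:BB:CC:DD:EE:02, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -65,   12, (not associated), Guest,Office
"""

# ENC values a defender should treat as findings (this example's own mapping).
WEAK = {"OPN": "no encryption: traffic readable by anyone in range",
        "WEP": "WEP is broken: keys recoverable from captured IVs",
        "WPA": "WPA/TKIP is deprecated: move to WPA2-CCMP or WPA3"}

def _section_rows(section):
    """Yield one dict per data row of a CSV section whose first line is the header."""
    lines = [ln for ln in section.strip().splitlines() if ln.strip()]
    if not lines:
        return
    reader = csv.reader(lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    for row in reader:
        row = [c.strip() for c in row]
        if len(row) < len(header):
            continue
        rec = dict(zip(header, row[: len(header) - 1]))
        # The last column (Key / Probed ESSIDs) may itself contain commas; rejoin it.
        rec[header[-1]] = ",".join(row[len(header) - 1 :]).strip(",")
        yield rec

def parse_airodump_csv(text):
    """Split the file into (access_points, stations), each a list of dicts."""
    ap_part, marker, sta_part = text.partition("Station MAC")
    return list(_section_rows(ap_part)), list(_section_rows(marker + sta_part))

def weak_networks(aps):
    """Return (ESSID, BSSID, ENC, reason) for every AP advertising a weak ENC value."""
    findings = []
    for ap in aps:
        for enc in ap["Privacy"].split():
            if enc in WEAK:
                findings.append((ap["ESSID"], ap["BSSID"], enc, WEAK[enc]))
    return findings

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for finding in weak_networks(aps):
        print(*finding, sep=" | ")
```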


Concept of De-authentication Attack

What is a De-authentication Attack?

  • A de-authentication attack is a type of denial-of-service attack that targets communication between a user (or all users) and a wireless access point. The attack sends deauthentication (disassociate) packets to one or more clients currently associated with a particular access point.
  • The notable thing about this attack is that it still works when the network uses WPA2 encryption, and any device can be deauthenticated without the attacker even being part of the network.

How does deauth work on WPA2 despite encryption?

  • The IEEE 802.11 (Wi-Fi) protocol does not encrypt management frames or their headers. Therefore these frames can be easily spoofed: the attacker only needs to know the victim's MAC address, which is available in the clear through wireless network sniffing, to succeed.


What can be the reason to attack the network?

  • Evil Twin Access Point: The attacker conducts a de-authentication attack on the target client, disconnecting it from its current network and letting it automatically connect to the evil twin access point, which can then be used to capture the network packets transferred between the client and the Rogue Access Point (RAP).
  • Password Attacks: The attacker conducts a de-authentication attack on the target client, disconnecting it from its network. When the client reconnects, it exchanges the WPA/WPA2 4-way handshake packets with the access point; the attacker sniffs and captures this handshake. The captured packets can later be used to mount a brute-force or dictionary attack to guess or crack the password.
  • Mess with others (pranks): De-authenticating a person from the network makes them think there is a problem with their device and restart or troubleshoot it several times.
  • Kicking someone off the network just because that person is slowing down the Internet speed.

How to perform a deauth attack?

The attack disconnects any client from any network:
  • Works on encrypted networks (WEP, WPA, WPA2)
  • No need to know the network key/password/passphrase
  • No need to connect to the network
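As an added example, not from the original post, here is a defender-side check that parses raw 802.11 management frames (whose header and body are unencrypted, as explained above) and flags a burst of deauthentication or disassociation frames aimed at one BSSID/destination pair; the capture bytes are constructed, and the alert threshold is an assumption.

```python
import struct
from collections import Counter

DEAUTH, DISASSOC = 0xC, 0xA   # 802.11 management-frame subtypes (frame type 0)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]          # Frame Control, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:                                       # data/control frames: ignore
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]  # body starts after 24-byte header
    return subtype, mac(dst), mac(src), mac(bssid), reason

def detect_deauth_flood(frames, threshold=5):
    """Count deauth/disassoc frames per (bssid, destination); flag pairs at or above threshold."""
    counts = Counter()
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed and parsed[0] in (DEAUTH, DISASSOC):
            _, dst, _src, bssid, _reason = parsed
            counts[(bssid, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed capture (hex, not from a real network): a beacon, a data frame,
# then a burst of broadcast deauthentication frames carrying reason code 7.
AP, STA, BCAST = "e23344556677", "aabbccddee01", "ffffffffffff"
CAPTURE = (
    [bytes.fromhex("8000" + "0000" + BCAST + AP + AP + "1000")]        # beacon (subtype 8)
    + [bytes.fromhex("0800" + "2c00" + AP + STA + AP + "2000")]         # data frame (type 2)
    + [bytes.fromhex("c000" + "3a01" + BCAST + AP + AP + f"{i:02x}00" + "0700")
       for i in range(6)]                                              # deauth burst
)

if __name__ == "__main__":
    for (bssid, dst), n in detect_deauth_flood(CAPTURE).items():
        print(f"possible deauth flood: bssid={bssid} dst={dst} frames={n}")
```

Where the access point and clients support 802.11w Protected Management Frames, forged deauthentication frames are rejected outright; where that is not available, a monitor-mode sensor running this kind of count is the practical way to notice the attack.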
