Service Scanning | Chapter 3: Reconnaissance
    108 | Chapter 3: Reconnaissance


    example, to just wait one microsecond. The u prefix to the value indicates that it is being provided in microseconds. The second way to do high-speed message sending with hping3 is to use the --flood switch on the command line. This tells hping3 to send messages as fast as it is possible to send them without bothering to wait for a response.
    Service Scanning
    Ultimately, what you want to get is the service that's running on the open ports. The ports themselves will likely tell you a lot, but they may not. Sometimes services are run on nonstandard ports, although less commonly. For example, you would normally expect to see SSH on TCP port 22. If nmap found port 22 to be open, it would indicate that SSH had been found. If nmap found port 2222 open, it wouldn't know what to think unless you had specified that you wanted to do a version scan in order to get the application version by grabbing banners from the protocols. amap doesn't make assumptions about the service behind the port. Instead, it includes a database of how protocols are supposed to respond, and so in order to determine the actual application listening on the port, it sends triggers to the port and then looks up the responses in the database.
    In Example 3-21, you can see two runs of amap. The first is a run of amap against a web server using the default port. Unsurprisingly, amap tells us that the protocol matches HTTP. In the second run, we're probing port 2222. This port number doesn't have a single well-known protocol that it's used for. As a result, we need to do a little more work to determine which protocol is actually listening there. amap tells us that the protocol is ssh or ssh-openssh.
    Example 3-21. Getting application information from amap
    root@rosebud:~# amap 192.168.86.1 80
    amap v5.4 (www.thc.org/thc-amap) started at 2017-12-31 20:11:31 - APPLICATION MAPPING mode
    Protocol on 192.168.86.1:80/tcp matches http
    Unidentified ports: none.
    amap v5.4 finished at 2017-12-31 20:11:37
    root@rosebud:~# amap 192.168.86.238 2222
    amap v5.4 (www.thc.org/thc-amap) started at 2017-12-31 20:13:28 - APPLICATION MAPPING mode
    Protocol on 192.168.86.238:2222/tcp matches ssh
    Protocol on 192.168.86.238:2222/tcp matches ssh-openssh
    Unidentified ports: none.
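The trigger-and-lookup approach amap uses, as an added illustration that is not from the book and not amap's own code: a tiny constructed signature database (one trigger and one response pattern per protocol) plus an `identify` function that returns every protocol whose pattern matches, which is why a single OpenSSH banner yields both ssh and ssh-openssh, just as in the second run above. The `probe` helper and the signature entries are assumptions written for this example.

```python
import re
import socket

# Constructed, deliberately small signature database in the spirit of amap's:
# (protocol name, trigger to send, regex expected in the response).
# A None trigger means the service is expected to speak first (banner on connect).
SIGNATURES = [
    ("http", b"GET / HTTP/1.0\r\n\r\n", rb"^HTTP/\d\.\d \d{3}"),
    ("ssh", None, rb"^SSH-\d\.\d-"),
    ("ssh-openssh", None, rb"^SSH-\d\.\d-OpenSSH"),
    ("smtp", None, rb"^220 .*(SMTP|ESMTP)"),
    ("ftp", None, rb"^220 .*FTP"),
]


def identify(response: bytes) -> list[str]:
    """Return every protocol whose signature matches the captured response.
    More than one entry may match, e.g. a generic ssh signature and the
    more specific ssh-openssh one; an unknown blob yields an empty list."""
    return [name for name, _trigger, pattern in SIGNATURES
            if re.search(pattern, response)]


def _recv_quiet(sock: socket.socket) -> bytes:
    """Read up to 1 KiB, treating a timeout or reset as 'no data'."""
    try:
        return sock.recv(1024)
    except (TimeoutError, OSError):
        return b""


def probe(host: str, port: int, timeout: float = 3.0) -> list[str]:
    """Hypothetical helper (not amap): connect, take whatever banner the
    service volunteers, and if it stays silent send each trigger in turn
    until something comes back, then look the response up in SIGNATURES."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = _recv_quiet(sock)
        for _name, trigger, _pattern in SIGNATURES:
            if data or trigger is None:
                continue
            sock.sendall(trigger)
            data = _recv_quiet(sock)
    return identify(data)


# Constructed sample responses, used offline instead of a live probe.
OPENSSH_BANNER = b"SSH-2.0-OpenSSH_7.4p1 Debian-10\r\n"
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
```

Run against the constructed banners, `identify(OPENSSH_BANNER)` returns `['ssh', 'ssh-openssh']` and `identify(HTTP_RESPONSE)` returns `['http']`.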