Penetration Test – Active Discovery – All things in moderation

Penetration Test – Active Discovery

In the previous post we covered what external scanning is in a penetration test: we take the network ranges that are in scope and scan them. Active Discovery is the process of identifying systems, services, and potential vulnerabilities on those ranges. I am not going to discuss how to use a scanner in detail, because that is the easiest thing in the world. :D We will only focus on the types of findings, and on the traffic generated on a network when we run one (e.g. in a home network or your company’s network).

1. Network Vulnerability Scanning
For this first step I prefer Nexpose or Nessus, once I have them configured properly. If time is short, run the scan with the default profile first, then run a second scan restricted to known exploitable vulnerabilities. That way it finishes in time, at the cost of reporting only the critical findings.

Let us discuss the commercial and free versions here. There is always a huge debate about which one is better. From my point of view it depends on the situation, because every tool finds something the others miss and vice versa. But if you can purchase one, I suggest Nessus, because its price is reasonable ($2190), while Nexpose is about triple the price (Nexpose Express + Metasploit Express) and is limited in the number of IPs you can scan.

Here is a quick example. For the first scan I used Nexpose against my website with a standard vulnerability scan, without the intensive web checks.

A quick tutorial to install and run it:

– Download it from the above link, provide your email to get the 14-day trial, then install it with these commands:

chmod +x ./NeXposeSetup-Linux64.bin
./NeXposeSetup-Linux64.bin -c

Just remember that the Nexpose installation includes a PostgreSQL database that stores scan data, reports, and other important information. It listens on port 5432 by default. Kali Linux also ships its own PostgreSQL instance on port 5432 (Metasploit uses it). If you intend to keep the Kali database for other security tools, change the Nexpose database port to any free port, such as 54231, during the Nexpose installation; otherwise the two will conflict.

– To run it:

cd /opt/rapid7/nexpose/nsc/
./nsc.sh    # start the Security Console (Rapid7's documented start script)

Then open https://localhost:3780 to use the product.
Only one finding came back, “TCP timestamp response” (an informational finding that leaks system uptime, not an exploitable vulnerability), shown in the image below.


[Screenshot: Nexpose scan result showing the “TCP timestamp response” finding]


In the second test I ran the Nessus Professional scanner with the same profile and found several other vulnerabilities.

– Download Nessus Professional from the above link; again provide your email and you get a 7-day trial. To install and start it:

dpkg -i Nessus-6.8.1-debian6_amd64.deb
/etc/init.d/nessusd start

– Use: open your browser and go to https://master:8834/ to use the tool (“master” is the hostname of my scanner; use https://localhost:8834/ if Nessus runs on the same machine).

[Screenshot: Nessus scan results]

Just from these two small examples we already have different results. A scanner is very helpful when running a network penetration test, but every scanner has its pros and cons, so do not rely on a single one.

2. Banner grabbing
For this section I use Nmap to scan all 65,535 TCP ports if I have enough time. The problem is that full vulnerability scanners are highly time consuming, so I first run Nmap with a quick script to scan the ports and grab basic information, then organise my attack plan from that. The most useful part is that it tells me which ports are open and grabs their banners.

You can also rerun the same scan on a schedule (say twice a week) and compare the results; that is a quick way to identify changes in a system. I also use HD Moore’s banner-plus.nse script to identify the banner of each open port. The command looks like:

nmap --script /usr/share/nmap/scripts/banner-plus.nse --min-rate=400 --min-parallelism=512 -p1-65535 -n -Pn -PS -oA /opt/peepingtom/report <IP CIDR>

In this command:
--script = path to the banner-plus.nse script we downloaded in the setup area
--min-rate=400 = send at least 400 packets per second, which bounds how long the scan can take
--min-parallelism=512 = keep at least 512 probes outstanding at once, to speed up the scan
-p1-65535 = scan all 65,535 TCP ports
-n = disable DNS resolution (improves scan speed)
-Pn = skip host discovery and treat every host as up (many externally facing servers do not answer ping)
-PS = TCP SYN ping; it is redundant here because -Pn already skips host discovery, so it can be dropped
-oA = write all three report formats (normal .nmap, XML .xml and grepable .gnmap) with the given basename

Note that such aggressive rate settings can make Nmap miss ports on congested links or behind rate-limiting firewalls, so rerun with the defaults on any host that looks suspiciously empty.

Nmap writes the output in all formats into the /opt/peepingtom/ folder as report.nmap, report.xml and report.gnmap. In the next section, I will show you how to use this data.
In this example, we ran it with <IP CIDR> = reddit.com.
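Nmap and banner-plus.nse do the real work above; to make the mechanism concrete, here is an added example of the same banner-grabbing logic in Python. It is not code from this post, from Nmap or from HD Moore’s script. It assumes the two-step approach that makes the “plus” in banner-plus useful: wait briefly for a service that speaks first (SSH, SMTP, FTP), and if nothing arrives send an HTTP request so silent services such as web servers identify themselves through their Server header. The three services it runs against (fake_ssh, fake_http, fake_silent) are constructed localhost listeners, not real hosts, so it runs offline; all function names are mine.

```python
"""Tiny TCP banner grabber, in the spirit of what banner-plus.nse does for Nmap.

Added example for this post; not code from the original page, from Nmap or
from HD Moore's script. Assumed design: connect, give the service a moment to
speak first, and if it stays silent send an HTTP request. The listeners
below are constructed stand-ins for real services so the script runs offline.
"""
import socket
import threading

HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"


def _recv(sock, size=1024):
    """recv() that treats a timeout or reset as 'the service said nothing'."""
    try:
        return sock.recv(size)
    except OSError:  # socket.timeout is a subclass of OSError
        return b""


def grab_banner(host, port, timeout=2.0):
    """Return the first bytes a TCP service sends.

    None  -> the port refused or never completed the TCP handshake (not open)
    ""    -> open, but silent even after the HTTP probe
    text  -> the banner (SSH/SMTP/FTP speak first; HTTP answers the probe)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        sock.settimeout(timeout)          # never let one dead service stall the scan
        data = _recv(sock)                # step 1: wait for an unsolicited banner
        if not data:
            try:
                sock.sendall(HTTP_PROBE % host.encode())   # step 2: poke it
            except OSError:
                return ""                 # peer closed before we could probe
            data = _recv(sock)
    return data.decode("utf-8", errors="replace").strip()


def scan(host, ports, timeout=2.0):
    """Return {port: banner} for every port that accepted the connection."""
    found = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            found[port] = banner
    return found


# ---- constructed local services so the example runs offline -----------------

def serve_once(handler):
    """Start a throwaway 127.0.0.1 listener that handles one connection; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def fake_ssh(conn):
    conn.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")          # speaks first, like sshd


def fake_http(conn):
    conn.settimeout(5)
    if conn.recv(1024).startswith(b"HEAD"):           # silent until asked, like httpd
        conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\n\r\n")


def fake_silent(conn):
    conn.settimeout(5)
    conn.recv(1024)                                   # swallow the probe ...
    conn.recv(1024)                                   # ... and say nothing until the client gives up


def unused_port():
    """A localhost port nothing listens on, for the closed-port case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ports = [serve_once(fake_ssh), serve_once(fake_http), serve_once(fake_silent), unused_port()]
    for port, banner in scan("127.0.0.1", ports, timeout=1.0).items():
        print(f"{port}/tcp  {banner.splitlines()[0] if banner else '(open, no banner)'}")
```

Run it directly to get one line per open port. The timeout is the knob worth tuning: every open-but-silent port costs two timeouts, which is exactly the slowness the post avoids by letting Nmap run hundreds of probes in parallel.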

[Screenshot: Nmap output]

3. Screen Capture
As a penetration tester, the problem when scanning a large range is deciding which findings deserve your attention. Visiting them all manually is a waste of time, because most of them are useless.

PeepingTom is a tool that takes a list of IPs and ports, screenshots every HTTP(S) service, and presents the results in an easy to read format. That means you get an HTML page you can skim to decide where to spend more time. First, pull the HTTP services out of the Nmap grepable output, using the gnmap.pl helper that sits next to peepingtom.py:

cat report.gnmap | ./gnmap.pl | grep http | cut -f 1,2 -d "," | tr "," ":" > http_ips.txt

The output is a file called http_ips.txt with the full list of IP:port pairs running HTTP services. Now we can use PeepingTom to start screen grabbing. To run PeepingTom:

python ./peepingtom.py -l http_ips.txt

Keep in mind that some HTTP services cannot be captured and you will have to visit them manually.
More options for PeepingTom:

[Screenshot: peepingtom.py options]
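The gnmap.pl pipeline above works, but it is worth seeing what it actually parses, because the .gnmap file written by -oA in the Nmap step is the hand-off to PeepingTom. Below is an added Python example of that step; it is not the gnmap.pl helper from the PeepingTom repository and not code from this post. It also handles two cases a plain `grep http` gets wrong: ports Nmap reports as filtered rather than open, and TLS services whose service name is “ssl|http” or “ssl|https-alt”. SAMPLE_GNMAP is constructed, not real scan output, laid out the way Nmap writes the grepable format (tab-separated Host / Ports / Ignored State fields, comma-separated port/state/protocol/owner/service/rpc/version entries); the function names are mine.

```python
"""Turn Nmap grepable output (.gnmap) into the ip:port list PeepingTom wants.

Added example for this post; not the gnmap.pl helper shipped with PeepingTom.
SAMPLE_GNMAP is constructed sample data, not a real scan.
"""
import re

SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -oA /opt/peepingtom/report -p1-65535 -n -Pn 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/open/tcp//ssl|http//nginx/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.22/, 8443/open/tcp//ssl|https-alt///\tIgnored State: closed (65533)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# One port entry is port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/"
    r"(?P<service>[^/]*)/[^/]*/(?P<version>[^/]*)/"
)


def parse_gnmap(text):
    """Yield (host, port, state, service, version) for every port Nmap listed."""
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                        # comment lines, "Nmap done", etc.
        fields = line.split("\t")           # Host / Ports / Ignored State are tab separated
        host = fields[0].split()[1]         # "Host: 10.0.0.5 ()" -> "10.0.0.5"
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                    # "Status: Up" lines carry no ports
            for entry in field[len("Ports: "):].split(", "):
                m = PORT_RE.match(entry.strip())
                if m:
                    yield host, int(m["port"]), m["state"], m["service"], m["version"]


def is_web(state, service):
    """Open ports whose Nmap service name mentions http, including ssl|http."""
    return state == "open" and "http" in service


def http_targets(text):
    """The ip:port lines the post feeds to peepingtom.py -l."""
    return [f"{h}:{p}" for h, p, state, svc, _ in parse_gnmap(text) if is_web(state, svc)]


def http_urls(text):
    """Same services as URLs, using https where Nmap saw TLS (the cut/tr pipeline loses this)."""
    urls = []
    for host, port, state, service, _ in parse_gnmap(text):
        if is_web(state, service):
            scheme = "https" if service.startswith(("ssl|", "https")) else "http"
            urls.append(f"{scheme}://{host}:{port}/")
    return urls


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    print("\n".join(http_targets(text)))       # pipe into http_ips.txt
```

Pass report.gnmap as the argument to process a real scan; without an argument it runs on the constructed sample. The filtered 8080 port is dropped on purpose: a screenshot attempt against it would only add a blank entry to peepingtom.html.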

And our result.

[Screenshot: PeepingTom running]

Once the tool has finished, a new folder named with the timestamp has been created. Open the peepingtom.html file in that folder to see which pages are interesting and which ones did not render.

[Screenshot: peepingtom.html report]

Inside it we see a lot of different screenshots. Each shows a snapshot of the webpage together with the server, date, and HTTP response headers. That is your life saver, because you can review all of them in a few minutes. But where should you look? Here is my advice.

– Apache Tomcat, WordPress, Joomla and other Content Management Systems
– Beta/DEV sites
– Pages that require authentication
– Default networking device pages
– Wikis
– Pages with copyright messages earlier than 2012
– VoIP pages

These are the pages through which systems most often get compromised or data gets accessed: default credentials, old unpatched software, and forgotten test deployments.

I think this article gives you a practical way to identify vulnerabilities and gather information about the network you are testing. In the next part I will show you how to complete it with Web Application Scanning.
