Introduction
So now that you have seen some of the enumeration techniques, it’s time to introduce a plan of attack. Seeing these issues in isolation is useful of course, and I can’t give a general attack plan that will work in every setting, but you usually end up following a very similar strategy. It all comes down to enumeration, enumeration, and more enumeration. You will notice I keep talking about HTTP, but also check HTTPS and any web app not running on the default ports (80, 443). Anything can live on a non-default port, but OffSec in particular seems to like hosting web apps on non-default ports, so a scan that only covers the common ports will miss them.
Nmap
Running Nmap is no black magic. You type “nmap host” and your scan is running, but that is not all this magnificent tool can do. I usually follow a strategy that looks like this (after installing the tool with “sudo apt-get install nmap”; note that SYN scans and UDP scans need root, so prefix the commands with sudo):
- I start all my scans with the -sC and -sV flags. They slow the scan down, but they give me vital information: “-sC” runs the default NSE scripts, “-sV” probes each open port to identify the service and its version.
- Scan all 65535 TCP ports with -p-. Without it nmap only checks the 1000 most common ports, which is exactly how you miss a web app on a non-default port.
- Add a UDP scan with -sU. UDP scanning is slow (closed ports often simply never answer), so run it as a separate scan and consider limiting it with --top-ports, e.g. “--top-ports 100”, before committing to all ports. Treat “open|filtered” UDP results as worth a closer look rather than as confirmed open.
- Full-on, all-out scan on every port: the final pass combines the above, e.g. “nmap -sC -sV -p- <host>”. A quick -p- scan without -sC -sV finishes much faster, and you can then re-run -sC -sV only on the ports that came back open.
- -oA <basename> to output in normal, grepable (.gnmap) and XML (.xml) format at once, so you can grep the results later and feed the XML to other tools.
- Optionally, add a timing template such as -T4 to control how aggressively nmap scans. It speeds things up on lab networks, but on a slow or fragile target it can cause probes to time out and ports to be reported incorrectly.
By the time these scans are finished, you should be able to see at least something…
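The workflow above naturally splits into two phases: a fast all-port scan, then a targeted -sC -sV pass on whatever came back open, plus a note of any web service on a non-default port. The script below is an added example (not from the original post) that automates the hand-off between the two phases: it parses nmap’s grepable (-oG) output and builds the follow-up commands. The target address, the scan output and the port/service assignments in SAMPLE_GNMAP are constructed for the example, not captured from a real host.

```python
#!/usr/bin/env python3
"""Parse nmap grepable output (-oG / -oA) and build the follow-up scans.

Added example, not part of the original post. It assumes the two-phase
workflow described above: a fast "-p-" scan first, then "-sC -sV" only on
the ports that came back open. SAMPLE_GNMAP is constructed for the example.
"""
import re

# Constructed -oG output for a hypothetical target 10.10.10.10.
# Real nmap separates the fields with tabs; the parser does not rely on that.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p- -T4 -oG full 10.10.10.10\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8080/open/tcp//http-proxy///, "
    "8443/open/tcp//https-alt///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (65530)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 300.00 seconds\n"
)

# -oG port entries look like port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/([^/]*)/([^/]*)/")
# Service names nmap commonly assigns to web listeners on any port.
WEB_SERVICE_RE = re.compile(r"https?|http-proxy|https?-alt")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and the "Status: Up" line carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        entries = results.setdefault(host, [])
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service = m.groups()
            entries.append((int(port), state, proto, service))
    return results


def open_ports(entries, proto="tcp", include_filtered=False):
    """Ports nmap reported open for a protocol; UDP usually needs open|filtered too."""
    wanted = {"open"}
    if include_filtered:
        wanted.add("open|filtered")
    return sorted(p for p, state, pr, _ in entries if pr == proto and state in wanted)


def followup_command(host, ports, prefix, udp=False):
    """Build the targeted -sC -sV command for the ports that came back open."""
    if not ports:
        return None  # nothing open, nothing to re-scan
    cmd = ["nmap", "-sC", "-sV"]
    if udp:
        cmd.append("-sU")
    cmd += ["-p", ",".join(map(str, ports)), "-oA", prefix, host]
    return " ".join(cmd)


def web_ports(entries):
    """Open TCP ports that look like web services, flagged if not 80/443."""
    found = []
    for port, state, proto, service in entries:
        if proto == "tcp" and state == "open" and WEB_SERVICE_RE.fullmatch(service):
            found.append((port, port not in (80, 443)))
    return sorted(found)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, entries in scan.items():
        tcp = open_ports(entries, "tcp")
        udp = open_ports(entries, "udp", include_filtered=True)
        print(followup_command(host, tcp, f"{host}_tcp_targeted"))
        print(followup_command(host, udp, f"{host}_udp_targeted", udp=True))
        for port, non_default in web_ports(entries):
            flag = " (non-default port, enumerate it)" if non_default else ""
            print(f"web service on {host}:{port}{flag}")
```

In practice you would read the .gnmap file written by -oA instead of SAMPLE_GNMAP; the parsing is the same. The UDP pass deliberately includes open|filtered results, because a UDP port that never answers is indistinguishable from one that is filtered until a version probe talks to it.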