Before we “hack” we first need to do the first step in every hack, reconnaissance. Reconnaissance (Recon), is a important aspect in hacking. Recon is so important that the recon phase can last from a few hours to months. A simple recon tool is a port scanner, which in simpler terms scans for open ports. One port scanner that all hackers know is Nmap.
Nmap is pre-installed into Kali Linux and Parrot, but if for some reason it isn’t, to install type:
apt-get install nmap
Apt-get, installs nmap for you. Once nmap is done installing, type:
A bunch of seemingly gibberish shows up, but don’t fret over it. What should show up is the help screen which tells you all the flags that are available, but for this tutorial we’re only concentrating on the -sS flag, the -A flag, the -o flag, and the -T flag. A simple scan for Nmap would look something like this:
nmap -sS (Ip)
The -sS flag is the type of scan that we’re performing. The types of scans range from Windows scan all the way to Fin scan, but for now we’re only gonna concentrate on the TCP SYN scan, that is the flag -sS.
Nmap -sS (Ip) doesn’t reveal much detail, but what if we want to know the type of Operating System our target is running? There are two flags that can detect the os, the -o flag and the -A flag. The scan for -o would look something like this:
nmap -sS -o (Ip)
Upon enter and a bit of waiting, the results should now tell you the OS. Ok so now we know the OS, but the other flag, -A not only reveals the os, but the fingerprint, services, etc. A nmap scan with the -A flag would look something like this:
nmap -sS -A (Ip)
Notice that I didn’t put in the -o flag because there is already a flag that does what -o does.
Now that we know a few basic scans, what happens if there’s a firewall or some sort of security blocking our probes? Sometimes there is a limit to how many packets per a certain period of time can be sent. That threshold can be easily bypassed with the -T command. The -T command allows us to adjust the speed of our scan. There are five speeds, but for now we’re only going to work with two, sneaky and polite. A simple nmap scan with the -T flag would look something like this:
nmap -sS -A -T sneaky (Ip)
These flags are just some of many. Try to combine different flags to see what you get.
Now that we know a few Nmap scans, what to do next once we scan a system? Either one we could exploit the system or two we could connect to the open ports with Telnet. We’re not gonna exploit the system just yet, but instead try to connect to the system via Telnet. Why? Sometimes there are holes in the system where you can exploit without metasploit or any exploits, but instead just simply connect to the ports and gain access to the computer like that.
In your terminal, type:
Upon enter you should be greeted with a terminal with Telnet then a > at the end of it. Type:
A list of all the options available should “magically” show up. For now we’re only concerned with the connect option. Type:
connect (ip) (port)
And if you succeeded you should now have access to at least the service that’s running on the port, but if not and an error occurs then that’s when we try a different approach.
Of course Telnet isn’t the only option that allows us to connect to the system. Ncat is a simple tool that allows us to connect to a system and its ports. The syntax looks something like this:
nc (ip) (port) -e /bin/sh/
This is just one syntax.
I kinda rambled toward the end (actually all of it), but I hope I at least gave a introduction to the many tools available. My next “tutorial” is gonna be a challenge, so please stay tuned. Cheers.