From the course: CompTIA PenTest (PT0-002) Cert Prep
Scanning and enumeration
So after investing so much time and effort in developing a comprehensive plan, it's time for us to move ahead in the process. And the next step of the process is to survey our environment and determine where the weak spots are. So the next objective is 2.0, and you'll remember that it is worth 22% of the overall question weight. In other words, that means that 22% of the questions that you'll get on the exam will be from this one domain. It's not the biggest domain, but it's the second biggest, so it's really, really important. So let's talk about how we assess our environment, our target environment, and determine where we want to poke it to look for vulnerabilities.

So the first strategy in determining what's out there and what we might want to attack is basically scanning. So scanning is a first step in information gathering. It is a process of looking at a bunch of things out there to determine their characteristics. So we're basically surveying our network environment to see what's there and what we can attack. And now scanning can actually include more than just network resources, but we're going to focus primarily on just automated scanning. It's commonly used in the pen testing process to uncover target vulnerabilities. Before we can really uncover the vulnerabilities, we've got to find out what the targets are to start with. And there are many different types of scan targets: there are networks, there are network devices, which may or may not be computers, but then there are computers themselves, and then there can be applications and services. Now those are the sub-areas of scanning that you'll encounter most frequently on the exam and in pen testing in general. But don't forget that you could be "scanning" for physical vulnerabilities as well. So part of your scanning may actually include walking up and looking for gates that are just open and not locked. But we're going to focus right now on the technical aspect of scanning.
Once you have scanned your environment, you have an idea of what's out there, and then you move to the next phase, which is called enumeration. Enumeration is counting the detected instances of some target class. What that basically means is that if you have a bunch of servers, you can't really attack a bunch of servers; you need to know how many servers are out there and what types they are. So you want to start creating a list of assets that may contain vulnerabilities. And there are different types of target classes out there: there are hosts or nodes on the network, which could include networks themselves, actually, domains, users, or groups. So each of these is a different class of target we may want to attack. There are also network shares. So don't forget that, even though we're looking across a network, we're not necessarily looking for specific devices or hosts; it could be network shares, which refer to linked resources that live on some other network host, perhaps. We also could be looking for webpages or applications or services or tokens or even social networking sites. These are all potential targets, and each type of target may have different vulnerabilities. So when we are enumerating, we want to also classify the targets that we encounter so that we can then explore further and determine whether each one of these guys has vulnerabilities, 'cause clearly if you run into a Windows server, that's going to be completely different from a web server running Apache under Linux. They're going to have different vulnerabilities, and we may want to bring that together with an attack on a user's Facebook page, perhaps. So we're looking at totally different types of entities and different types of potential vulnerabilities. So let's take a look at how we might scan and enumerate some of our targets.
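The distinction the narration draws, scanning producing raw observations and enumeration turning them into a counted, classified list of target classes (Windows hosts, Apache web servers, SMB shares, and so on), is easy to show in code. The following is an added example written for this page, not code from the course or from any scanning tool: the scan results are a constructed sample in an invented "host; port/service/product; ..." line format, the addresses and product names are made up, and the classification rules are a simple illustration of the idea rather than any tool's logic. The same routine is what a defender would use to turn a scan of their own network into an asset inventory and spot services that should not be there.

```python
"""Turn raw scan observations into a counted, classified asset list.

Added example (not from the course). Each input line is one host followed
by "port/service/product" entries separated by semicolons; this line format
is an assumption made for the example, not any scanner's real output.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample scan results; the addresses and products are invented.
SCAN_RESULTS = """\
10.0.0.10; 445/microsoft-ds/Windows Server 2019; 3389/ms-wbt-server/Microsoft Terminal Services
10.0.0.11; 22/ssh/OpenSSH; 80/http/Apache httpd; 443/https/Apache httpd
10.0.0.12; 22/ssh/OpenSSH; 8080/http/Jetty
10.0.0.13; 139/netbios-ssn/Samba smbd; 445/microsoft-ds/Samba smbd
10.0.0.14
"""


@dataclass
class Host:
    address: str
    services: list = field(default_factory=list)  # (port, name, product) tuples


def parse_scan(text: str) -> list:
    """Scanning step: raw scan lines -> Host records.

    Malformed service entries are skipped rather than aborting the parse,
    since real scan output is often partial or noisy.
    """
    hosts = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";") if f.strip()]
        if not fields:
            continue
        host = Host(fields[0])
        for entry in fields[1:]:
            parts = entry.split("/", 2)
            if len(parts) != 3 or not parts[0].isdigit():
                continue
            host.services.append((int(parts[0]), parts[1].lower(), parts[2]))
        hosts.append(host)
    return hosts


def classify(host: Host) -> set:
    """Assign target classes to a host; a host may belong to several.

    The rules are deliberately simple and are an assumption of this example.
    """
    classes = set()
    for _port, name, product in host.services:
        lowered = product.lower()
        if name in ("microsoft-ds", "netbios-ssn"):
            classes.add("smb share host")
        if name in ("http", "https"):
            classes.add("web service")
            if "apache" in lowered:
                classes.add("apache web server")
        if name == "ssh":
            classes.add("ssh host")
        if "windows" in lowered or "microsoft" in lowered:
            classes.add("windows host")
    if not host.services:
        classes.add("no open services")
    return classes


def enumerate_targets(hosts: list) -> Counter:
    """Enumeration step: count the detected instances of each target class."""
    counts = Counter()
    for host in hosts:
        counts.update(classify(host))
    return counts


def inventory(hosts: list) -> dict:
    """Class -> sorted host addresses: the asset list the narration describes."""
    by_class = defaultdict(list)
    for host in hosts:
        for label in classify(host):
            by_class[label].append(host.address)
    return {label: sorted(addrs) for label, addrs in by_class.items()}


if __name__ == "__main__":
    found = parse_scan(SCAN_RESULTS)
    print(f"{len(found)} hosts scanned")
    for label, count in sorted(enumerate_targets(found).items()):
        print(f"{count:2d}  {label}")
```

Running it lists five scanned hosts and, per class, how many were found (two SMB share hosts, two SSH hosts, one Apache web server, and so on); a host with no responding services still counts as a discovered asset, which matters for an inventory even though it offers nothing to assess yet. In practice the parser would be pointed at a real scanner's machine-readable output instead of the constructed lines, and the class rules would be extended to whatever target classes the engagement or the asset register cares about.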
Contents

- Scanning and enumeration (4m 16s)
- Scanning and demo (10m 46s)
- Packet investigation (7m 57s)
- Packet inspection demo (5m 48s)
- Labtainers setup (12m 9s)
- Labtainers lab: Wireshark (8m 54s)
- Application and open-source resources (11m 38s)
- Passive reconnaissance (10m 7s)
- Active reconnaissance (7m 50s)
- Vulnerability scanning (8m 41s)
- Vulnerability scanning demo (16m 20s)
- Labtainers lab: Network basics (2m 50s)
- Labtainers lab: Nmap discovery (3m 12s)
- Target considerations (15m 36s)
- Analyzing scan output (5m 1s)
- Nmap scoping and output options (21m 4s)
- Nmap timing and performance options (6m 31s)
- Prioritization of vulnerabilities (9m 7s)
- Common attack techniques (12m 5s)
- Automating vulnerability scans (3m 35s)
- Credential attacks (14m 31s)
- Labtainers lab: Password cracking (2m 23s)
- Labtainers lab: Secure Sockets Layer (2m 30s)
- Labtainers lab: Routing basics (1m 37s)