Ok, from what I understand, this really isn’t the first step in hacking. I mean – I don’t know, I’m pretty much a newbie. I think reconnaissance is the first step, since it goes more into finding out the architecture of the organization or system network. Well, there’s not really a network that I’m hacking right now – so enumeration would be my first step, since it’s within the reconnaissance step.
What is Enumeration?
From Hack The Box Academy, “Enumeration is the most critical part of all. The art, the difficulty, and the goal are not to gain access to our target computer. Instead, it is identifying all of the ways we could attack a target we must find.”
Um – cool.
Hack The Box Academy goes over NMAP, which I’ve used in school, and which I’ve used for finding an IP in my home local network – because I totally remember what IP address I use for everything….
Anyways – NMAP, or Network Mapper, is a Linux tool that basically scans your network. From what I know it can find operating systems, version numbers, open ports, and obviously IP addresses. I know you can tweak it to get the results you’re looking for – like with open ports, sometimes you’re looking for something specific to respond, or for ephemeral ports (port numbers that are higher than 1024, 1024 – 65535 to be exact). NMAP doesn’t scan all of that with just the vanilla command (which is nmap -sS I believe). For instance:
This will only scan, I think, 254 IPs (minus .255 I think), and only the common ports. It would take too long to scan every port on 255 IPs, or worse if you have a larger CIDR.
Ok, NMAP has A LOT of options. I’m not going to list them here. Prior Linux experience tells me that man nmap or nmap --help will usually print out what I need. If I’m not looking for something exact, but for something specific, I can do this:
man nmap | less
That prints out the options in a scrollable screen. Nice, then I could use / to search for what I want.
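Since the point of running NMAP here is to find out which hosts are up and which ports are open, here is an added example (my own code, not from the post, Hack The Box Academy or the NMAP project) that reads NMAP’s grepable output format (what you get from nmap -oG -) into a per-host list of open ports and then flags anything outside a baseline of ports you expect to be exposed, which is the useful thing to do when enumerating your own home network. The scan text is a constructed sample, not a real scan, and the {22, 80, 443} baseline is just an assumed example.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -oG -` (grepable) output. Not a real scan;
# the hosts, ports and version strings are made up for the example.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# "Host: <ip> (<hostname>)<TAB><rest>"; the fields in <rest> are tab-separated.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"status": "Up"/"Down", "ports": [(port, proto, service, version), ...]}}.

    Each entry in the Ports field is port/state/proto/owner/service/rpcinfo/version/.
    Only ports in state "open" are kept.
    """
    hosts = defaultdict(lambda: {"status": None, "ports": []})
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # "Nmap ... initiated/done" comment lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    if state == "open":
                        hosts[ip]["ports"].append((int(port), proto, service, version))
    return dict(hosts)


def unexpected_open_ports(hosts, allowed_ports):
    """Defender's check: list (ip, port, service) for open ports outside the baseline."""
    findings = []
    for ip, info in sorted(hosts.items()):
        for port, _proto, service, _version in info["ports"]:
            if port not in allowed_ports:
                findings.append((ip, port, service))
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, info in sorted(scan.items()):
        print(ip, info["status"], info["ports"])
    # Assumed baseline: only SSH and web are supposed to be reachable.
    for ip, port, service in unexpected_open_ports(scan, {22, 80, 443}):
        print(f"REVIEW: {ip} exposes {port}/{service}")
```

With the sample above the script lists both SMB (445) and RDP (3389) on 192.168.1.10 for review, which is exactly the kind of thing you want an inventory of before anyone else builds one for you.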
More about NMAP…
Ok – I found this YouTube channel called HackerSploit – he covered a lot of NMAP, and holy cow – it seems like NMAP can take care of about 70-80% of enumeration (he didn’t say that, it’s what I’m assuming). There’s so much that it can do – especially with the NMAP Scripting Engine.
Did I learn anything new?
Yes – absolutely. I learned the following:
[x] More NMAP options
[x] nc basics
[x] TCPDump basics
[x] Learned about Banner Grabbing
[x] How Crucial NMAP is to enumeration
So I knew about banner grabbing, but I didn’t really understand what it did for hackers. From what I understand banner grabbing helps hackers manipulate pushing data or masquerade as services in order to send malicious payloads.
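To make banner grabbing concrete, here is an added example (my own code, not from the post or from HackerSploit’s videos) in Python. It starts a throwaway local service on 127.0.0.1 that sends a made-up SSH identification string, connects to it the way nc would, reads whatever the service volunteers before the client says anything, and splits that banner into protocol and software version. The banner text is constructed, and the port is whatever the OS hands out. The reason this matters on the defending side is that this version string is exactly what your own exposed services hand to anyone who connects, so it is worth knowing what yours say.

```python
import socket
import threading

# Constructed banner for the local stand-in service; not from any real host.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on 127.0.0.1 on an OS-chosen port and send `banner` to every client.

    Returns (port, server_socket); close the server socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _addr = srv.accept()
            except OSError:  # server socket was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect, send nothing, and return the first line the service sends (bytes).

    Returns b"" if the service stays silent: some protocols (HTTP, for one)
    wait for the client to speak first, so an empty banner is itself a data point.
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while len(data) < max_bytes and not data.endswith(b"\n"):
            try:
                chunk = s.recv(max_bytes - len(data))
            except socket.timeout:
                break
            if not chunk:
                break  # peer closed
            data += chunk
    return data


def parse_ssh_banner(banner):
    """Split an RFC 4253 identification string 'SSH-proto-software [comments]'.

    Returns None for anything that is not an SSH banner.
    """
    line = banner.decode("ascii", errors="replace").strip()
    if not line.startswith("SSH-"):
        return None
    ident, _, comments = line.partition(" ")
    _, proto, software = ident.split("-", 2)
    return {"protocol": proto, "software": software, "comments": comments}


if __name__ == "__main__":
    port, srv = start_fake_service()
    raw = grab_banner("127.0.0.1", port)
    print("raw banner:", raw)
    print("parsed:", parse_ssh_banner(raw))
    srv.close()
```

Point this at a real service of your own and the parsed software field is what you compare against your patch baseline; the same loop with a different parser covers SMTP’s 220 greeting or an FTP welcome line.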