arp-scan

Hi! 🙂 Today we are going to learn about tools on Kali Linux to perform scanning to detect potential vulnerable hosts and ports in the network. The assumption here is that the hacker has access to the network of the vulnerable host. Further, the technique we use here is an exploiting of the Address Resolution Protocol (ARP) which is used by hosts to find other hosts/devices in the same network when joining a new network.

Disclaimer: Ethical Hacking should be always performed on services that provide permissions on doing so, otherwise it cause legal issues and cost you. Generally, ethical hacking is performed to find vulnerabilities of a service by its owner or an authorized party.

Setup:

I’m using VMware Workstation Pro on my Windows machine, to run two VMware (vulnerable Linux machine and Kali Linux host). The advantage of the Pro version is that it allows to play both VMwares and interact with both at the same time. Both hosts are in the same network. The network adapter setting is setup as NAT for both VMware.

Objectives:

In Ethical Hacking, the next step after passive reconnaissance of target is scanning & enumeration. The scanning is done to detect vulnerable hosts in the network and information about those hosts. The information may include host IP, open ports, OS version, fingerprinting, and etc.

Vulnerable Host:

We are using a Kioptrix VMware as the vulnerable host. In this analysis, we know the actual vulnerable host in the network. Therefore, for the verification purpose, let’s first check what is the actual IP on vulnerable host. Since, this host do not run all the commands, we use ping to check the host IP.

ping 8.8.8.8

Press Ctrl+ C to stop pinging. In the results we can observe that the PING is from host 192.168.5.129, which is the IP of this machine.

Scanning using Network ARP-SCAN:

ARP stands for Address Resolution Protocol. The discovery is done by broadcasting ARP packets to the hosts in the local network. Accordingly, this is what done by ARP-SCAN command to find hosts in the network.

Command: arp-scan -l or arp-scan --localnet (generate network addresses from network interface configuration)

The IP (192.168.5.129) and MAC address of the vulnerable host are detected in the results

Scanning using Netdiscover:

The netdiscover is another tool on Kali Linux that can be used for scanning the network to find live vulnerable hosts. The methodology used by this tool is also broadcasting ARP packets to the local network. The command netdiscover has option -r to specify the range of IP addresses that we are going to scan. To detect all the hosts in a network we can specify the range in CIDR notation (network ID e.g., 192.168.5.0 / subnet length).

Command: netdiscover -r 192.168.5.0/24

Now we have detected the IP address of the vulnerable host. Next, we can gather more information about the this host by using Nmap tool.

Scanning with Nmap:

With Nmap scanning, we can obtain information about the hosts in the same network such as open ports, service/version info, OS detection. The command is specified as nmap <speed – default is 4 , 5 could be too fast hence miss some info> <port range> <what information we scan><target IP>

Command: nmap -T4 -p- -A 192.168.5.129 
(-p- means scan all the ports from 0 to 65535, -A means scan everything)

Command: nmap -T4 -A 192.168.5.129 
(not specifying port range results in scanning for the top 1000 ports including all )

Command: nmap -T4 -p 80 -A 192.168.5.129 
(specify a specific port or few ports)

The results for the first command which scan for all ports and all information:

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -p- -A 192.168.5.129
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-21 15:28 EDT
Nmap scan report for 192.168.5.129 (192.168.5.129)
Host is up (0.0043s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b) | http-methods: | Potentially risky methods: TRACE
|http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 32768/tcp status | 100024 1 32768/udp status

139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)

443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |_http-title: 400 Bad Request | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=– | Not valid before: 2009-09-26T09:32:06 |_Not valid after: 2010-09-26T09:32:06 |_ssl-date: 2021-03-22T08:29:50+00:00; +13h00m15s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_DES_64_CBC_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_RC4_128_WITH_MD5 | SSL2_RC4_64_WITH_MD5

32768/tcp open status 1 (RPC #100024)
Host script results:
|_clock-skew: 13h00m14s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.13 seconds