###### tags: `information security ethical hacker ZTM`

# Scanning and vulnerability analysis

## Theory

Much like the first HTB challenge: send TCP and UDP scans at the server, find all **open ports**, find the oldest **system vulnerability**, then attack.

## Setting up a vulnerable PC

### Metasploitable

Can be downloaded from SourceForge.

## Nmap tool

### `nmap -sS ip`

TCP SYN scan (needs sudo). The S stands for SYN (three-way handshake), but it only performs the **first step of the handshake**, so it never completes the connection; it only collects the response.

### `nmap -sT ip`

Normal full TCP three-way handshake (no sudo needed), but it is **easily detected, so it is not recommended**.

### `nmap -sU ip`

UDP scan.

### `nmap -O ip`

Scans ports and detects the OS (if the OS looks like a virtual machine, it may be a trap).

### `nmap -sV ip`

Service version of each port.

### `nmap -A ip`

Aggressive scan.

### `nmap -f ip`

Fragmented packets (e.g. a 24-byte header is split into 8-byte fragments).

### `nmap -D RND:5 ip`

!!! (hides the IP) Decoy IPs: the scan appears to come from many IPs at once, so the target cannot tell which one is the attacker.

## Nmap scripts for vulnerabilities

https://nmap.org/book/nse-usage.html

### Script categories

#### auth

Find ways to bypass system authentication.

#### brute

Brute-force attack.

#### banner

Simple description of the system (service banner).

#### exploit

Find service vulnerabilities and try to attack them.

### `nmap --script auth ip -sS`

`--script` takes a script category. `auth` means checking whether system authentication can be bypassed, e.g. FTP or SSH; we then get many different scripts of that type.

### `nmap --script exploit ip -sS`

Exploit service vulnerabilities.

### `nmap --script ftp-anon.nse ip`

Gets the FTP login information (anonymous login check).

## Nmap doc by ZTM

https://zerotomastery.io/cheatsheets/nmap-cheat-sheet/?utm_source=udemy&utm_medium=coursecontent

## scanPortScript.py (session 52)

Just for sharing... Python???
It uses **socket**; actually it only has a function that connects to a port and checks whether it is open or closed. I think this session is for people who have never coded.

## Exploit via web search

When the port scan shows a service version, Google **"<version> exploit"**.

### Exploit from the terminal

#### `searchsploit version`

You will see backdoor files (exploit entries).

#### `locate target.file`

Gets the file path.

## Nessus

The biggest tool for service vulnerability analysis and web scanning, but it needs a login account, and the free licence only covers 16 IPs for 90 days.

## Pipeline: gathering -> port scan -> vulnerability analysis
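The note above that `-sT` is "easily detected" while `-sS` is quieter is worth seeing from the blue-team side. The following is an added example, not code from the course or from ZTM: it runs a simple port-scan heuristic over constructed, Zeek-style flow records (the `conn_state` labels `S0`, `REJ`, `RSTO`, `SF` follow Zeek's conn.log meanings; the IPs, ports and threshold are made up). A full-connect scan shows up as many `SF` flows to distinct ports, while a half-open SYN scan still leaves `REJ`/`RSTO` flows even though no application ever logs a completed connection.

```python
"""Port-scan detection over constructed, Zeek-style flow records (added example)."""
from collections import Counter, defaultdict

# Constructed sample records: (source_ip, dest_ip, dest_port, conn_state).
# conn_state uses Zeek's conn.log labels:
#   S0   - SYN seen, no reply (filtered or dropped)
#   REJ  - SYN answered with RST (closed port)
#   RSTO - responder sent SYN-ACK, then originator sent RST (typical of -sS on an open port)
#   SF   - normal handshake and close (typical of -sT or of a real client)
SAMPLE_FLOWS = [
    # 10.0.0.5 sweeps many ports and never completes a handshake: SYN-scan-like
    *[("10.0.0.5", "10.0.0.20", p, "REJ") for p in range(30, 50)],
    ("10.0.0.5", "10.0.0.20", 22, "RSTO"),
    ("10.0.0.5", "10.0.0.20", 80, "RSTO"),
    # 10.0.0.7 sweeps many ports with full connects: connect-scan-like
    *[("10.0.0.7", "10.0.0.20", p, "REJ") for p in range(1000, 1015)],
    ("10.0.0.7", "10.0.0.20", 22, "SF"),
    ("10.0.0.7", "10.0.0.20", 80, "SF"),
    # 10.0.0.9 is an ordinary client talking to two services
    ("10.0.0.9", "10.0.0.20", 80, "SF"),
    ("10.0.0.9", "10.0.0.20", 443, "SF"),
    ("10.0.0.9", "10.0.0.20", 443, "SF"),
]


def detect_scanners(flows, min_ports=10):
    """Return {source_ip: (distinct_ports, label)} for every (source, destination)
    pair that touched at least `min_ports` distinct destination ports.

    The label tells the analyst which scan style the open-port flows look like:
    open ports answered with SYN-ACK, so they end either in SF (full connect) or
    RSTO (originator tore the half-open connection down with a RST).
    """
    ports_seen = defaultdict(set)
    open_port_states = defaultdict(Counter)
    for src, dst, dport, state in flows:
        key = (src, dst)
        ports_seen[key].add(dport)
        if state in ("RSTO", "SF"):  # the responder sent SYN-ACK, i.e. the port was open
            open_port_states[key][state] += 1

    findings = {}
    for (src, dst), seen in ports_seen.items():
        if len(seen) < min_ports:
            continue  # too few ports for this heuristic; ordinary client traffic
        states = open_port_states[(src, dst)]
        if states["SF"] > states["RSTO"]:
            label = "full-connect scan (-sT-like)"
        else:
            label = "half-open SYN scan (-sS-like)"
        findings[src] = (len(seen), label)
    return findings


if __name__ == "__main__":
    for src, (count, label) in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct ports, {label}")
```

The threshold and the "majority of open-port flows" rule are deliberately crude; in practice you would window by time and combine this with the application-level logs that only the full-connect scan ever reaches.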
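The pipeline gathering -> port scan -> vulnerability analysis also describes what a defender does against their own hosts. The following is an added example, not the course's scanPortScript.py: it parses the XML that `nmap -sV -oX` writes (the `host`, `address`, `port`, `state` and `service` elements and their attributes are nmap's real output format) into a service inventory, then diffs that inventory against an approved baseline so that unexpected services, missing services, and version drift stand out before anyone goes looking up exploits. The host address, product names, versions and baseline are constructed sample data, not a real scan.

```python
"""Service inventory from nmap -oX output, diffed against a baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for one host (sample data, not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="ExampleFTPd" version="1.0"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline of approved services: (host, port) -> (product, version).
BASELINE = {
    ("192.0.2.10", 22): ("OpenSSH", "9.6"),
    ("192.0.2.10", 80): ("nginx", "1.26.0"),
    ("192.0.2.10", 443): ("nginx", "1.26.0"),
}


def parse_inventory(xml_text):
    """Return {(host, port): (product, version)} for every open TCP/UDP port."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to track
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            inventory[(addr, int(port.get("portid")))] = (product, version)
    return inventory


def diff_against_baseline(inventory, baseline):
    """Return a list of (finding, (host, port), (product, version)) tuples.

    'unexpected'    - open service not in the baseline (new exposure to investigate)
    'version-drift' - approved service running a different product/version
    'missing'       - approved service that is no longer reachable
    """
    findings = []
    for key, observed in sorted(inventory.items()):
        if key not in baseline:
            findings.append(("unexpected", key, observed))
        elif observed != baseline[key]:
            findings.append(("version-drift", key, observed))
    for key in sorted(baseline):
        if key not in inventory:
            findings.append(("missing", key, baseline[key]))
    return findings


if __name__ == "__main__":
    for finding, (host, port), (product, version) in diff_against_baseline(
        parse_inventory(SAMPLE_NMAP_XML), BASELINE
    ):
        print(f"{finding:14} {host}:{port} {product} {version}".rstrip())
```

Only the "unexpected" and "version-drift" entries need a trip to searchsploit or the vendor advisories; the baseline keeps that list short and repeatable across scans.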