My pentesting knowledge, built up over the years of pentesting. This is updated often and I hope it helps you understand!
Services listen on network ports. A machine has doors, aka ports. Each port has a number and a service assigned to it. If a port is open, it can be accessed remotely; if it is filtered, there is a firewall/IDS in the way; if it is closed, it cannot be used by the client or host. TCP and UDP are two different sides, meaning that if port 22 is open on TCP, it does not mean port 22 is open on UDP: they are two different neighbourhoods.
Transmission Control Protocol (TCP, often written TCP/IP) is a connection-oriented protocol. TCP is slower than UDP because it creates a connection between the sender and receiver with a 3-Way-Handshake, but it guarantees delivery of the data, in the order it was sent, and reports errors. The max TCP port number is 65535.
The 3-Way-Handshake is simple but very good to know and understand. When a client establishes a 3-Way-Handshake, a few things happen. The client first sends a SYN packet from a source port (often a high port like 36557, chosen from a big range so it does not interfere with other services) to create the socket (connection) on. The server then answers with SYN-ACK if it accepts. The client responds with ACK to finally establish the connection, OR the client responds with RST to close the connection.
CLIENT: flag: SYN, port: 25, socket port: 35567
SERVER: flag: SYN-ACK, socket port: 35567
CLIENT: flag: ACK, connecting to port 35567...
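The exchange above as a small model, added here and not part of the original notes: no packets are sent, each segment is a dict. It also shows how a SYN scan (nmap -sS) reads the server's second step into the open/closed/filtered states described earlier. Sequence numbers and the EPHEMERAL port range are assumptions added for illustration.

```python
import random

# Typical Linux client (ephemeral) port range; an assumption, not from the notes.
EPHEMERAL = (32768, 60999)

def client_syn(dst_port, isn=None):
    """Step 1: client picks a high source port and sends SYN with its
    initial sequence number (ISN)."""
    isn = random.randrange(2**32) if isn is None else isn
    return {"flags": "SYN", "sport": random.randint(*EPHEMERAL),
            "dport": dst_port, "seq": isn, "ack": 0}

def server_reply(syn, listening, firewalled=False):
    """Step 2: SYN-ACK if a service listens, RST if nothing listens,
    and no answer at all if a firewall silently drops the SYN."""
    if firewalled:
        return None
    return {"flags": "SYN-ACK" if listening else "RST",
            "sport": syn["dport"], "dport": syn["sport"],
            "seq": random.randrange(2**32), "ack": syn["seq"] + 1}

def client_final(syn, reply):
    """Step 3: ACK completes the connection. The client answers RST instead
    when the reply does not acknowledge its SYN (ack must be seq + 1)."""
    if reply["flags"] != "SYN-ACK" or reply["ack"] != syn["seq"] + 1:
        return {"flags": "RST", "sport": syn["sport"], "dport": syn["dport"],
                "seq": syn["seq"] + 1, "ack": 0}
    return {"flags": "ACK", "sport": syn["sport"], "dport": syn["dport"],
            "seq": syn["seq"] + 1, "ack": reply["seq"] + 1}

def port_state(reply):
    """How a SYN scan (nmap -sS) reads step 2: SYN-ACK = open,
    RST = closed, silence = filtered."""
    if reply is None:
        return "filtered"
    return "open" if reply["flags"] == "SYN-ACK" else "closed"

def handshake(dst_port, listening=True, firewalled=False):
    """Run the whole exchange; return (port state, flags in the order seen)."""
    syn = client_syn(dst_port)
    reply = server_reply(syn, listening, firewalled)
    flags = [syn["flags"]]
    if reply is not None:
        flags.append(reply["flags"])
        if reply["flags"] == "SYN-ACK":
            flags.append(client_final(syn, reply)["flags"])
    return port_state(reply), flags
```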
User Datagram Protocol (UDP) is a connectionless protocol, meaning UDP is a lot faster than TCP because it does not create a connection between the sender and receiver, but it does not guarantee delivery of the data or its order, and it does not report errors. The max UDP port number is 65535.
UDP is a lot faster but less stable and efficient. The reason is that UDP is a connectionless protocol: it does not establish a connection/session between the sender and receiver. Therefore UDP has no error feedback and no guarantee of delivering the packets or sending them in order. TCP is slower but more trustworthy. TCP establishes a 3-Way-Handshake to have stable communication between the sender and receiver, meaning TCP can give error feedback (timeouts and so on) and send data correctly, in the correct order.
TCP is often used for services/applications that require a long-lasting connection like HTTP, FTP, SSH and so on. UDP is used instead for services/applications that do not require a constant connection but more of a quick exchange.
File Transfer Protocol (FTP) runs on port TCP/21 and is used to upload, download and view files. It is also often known as SFTP (Secure File Transfer Protocol).
Anonymous Login (AL) is a login mechanism that allows any user to log in without a username or password. Normally this does not allow uploading files, but you can still download and view files.
Username: anonymous
Password: anonymous@domain.com OR anonymous OR nothing
root@linux: ftp <host>
Connected to <host>.
Name: anonymous
331 Please specify the password.
Password: anonymous@domain.com
...
Same as AL, but change the username and password to your credentials.
root@linux: ftp <host>
Connected to <host>.
Name: user
331 Please specify the password.
Password: password
...
Secure Shell (SSH) runs on port TCP/22 and is used to remotely execute commands. SSH is purely command-line and does not provide a GUI/UI, unlike RDP. It is a very dangerous protocol, so it should be well secured.
You can log in to SSH using the ssh tool installed on many systems. There are two authentication methods:
- Password: a simple username+password system.
- Key-Based: uses a private key file, mostly RSA, which is a lot more secure.
Sadly I am not familiar with Key-Based Authentication, so I will only cover Password authentication.
root@linux: ssh <username>@<host>
<username>@<host>’s password:
...
Telnet runs on port TCP/23 and is used to remotely execute commands. It is very similar to SSH; in fact, it is the older SSH. It works pretty much the same way, but the traffic is not encrypted, unlike SSH, which makes it very easy to capture the credentials and data being sent. That is why SSH stands for Secure Shell.
You can log in to Telnet using the telnet tool installed on many systems.
root@linux: telnet <host>
Login Username: user
Login Password: Password
...
Simple Mail Transfer Protocol (SMTP) runs on port TCP/25 and is used to send emails. SMTP works with other e-mail related services such as IMAP and POP3.
SMTP is very particular when it comes to logging in. You can use Telnet to log in. EHLO greets the server and is needed before you can authenticate.
root@linux: telnet <host.smtp.server> 25
EHLO <host.smtp.server>
To authenticate, there are two ways: the AUTH LOGIN or AUTH PLAIN commands.
AUTH LOGIN: encode your email and password into base64 separately.
root@linux: echo -ne "user@host.smtp.server"|base64
dXNlckBob3N0LnNtdHAuc2VydmVy
root@linux: echo -ne "password"|base64
cGFzc3dvcmQ=
Then login.
AUTH LOGIN
334 VXNlcm5hbWU6 # Asking for the email
dXNlckBob3N0LnNtdHAuc2VydmVy # Encoded email
334 UGFzc3dvcmQ6 # Asking for the password
cGFzc3dvcmQ= # Encoded password
235 Authentication succeeded
AUTH PLAIN: encode your email and password into ONE base64 string, with a NUL byte (\0) before the email and another between the email and the password.
root@Linux: echo -ne "\0user@smtp.com\0password"|base64
AHVzZXJAc210cC5jb20AcGFzc3dvcmQ=
Then login.
AUTH PLAIN AHVzZXJAc210cC5jb20AcGFzc3dvcmQ=
235 Authentication succeeded
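The two AUTH methods above in code, added here and not part of the original notes: it builds the AUTH LOGIN answers and the AUTH PLAIN blob from the same sample values as the telnet session, decodes the server's 334 challenges, and shows that a captured blob decodes straight back to the plaintext credentials (the RFC 4616 authzid field is the empty string before the first \0).

```python
import base64

def b64(text: str) -> str:
    """Same as `echo -ne "<text>" | base64` in the session above."""
    return base64.b64encode(text.encode()).decode()

def auth_login_steps(user: str, password: str) -> list:
    """AUTH LOGIN: the server sends two 334 challenges (Username:, Password:)
    and the client answers each one with a single base64 line."""
    return [b64(user), b64(password)]

def auth_plain(user: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN (RFC 4616): one base64 blob of authzid NUL user NUL password.
    The leading \\0 in the echo command above is the empty authzid."""
    return b64(f"{authzid}\0{user}\0{password}")

def decode_challenge(line: str) -> str:
    """Turn a '334 <base64>' server line back into its prompt text."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {line!r}")
    return base64.b64decode(payload).decode()

def recover_plain(blob: str) -> tuple:
    """What anyone capturing the unencrypted port-25 session gets: base64 is
    an encoding, not encryption, so an AUTH PLAIN blob decodes straight back
    to (authzid, user, password). That is the reason to STARTTLS before AUTH.
    Missing '=' padding (as in a hand-typed blob) is repaired first."""
    padded = blob + "=" * (-len(blob) % 4)
    parts = base64.b64decode(padded).decode().split("\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload needs exactly two NUL separators")
    return tuple(parts)
```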
Domain Name System (DNS) runs on port UDP/TCP/53 and is used to translate domains to IPs. It's that simple!
Dynamic Host Configuration Protocol (DHCP) runs on ports UDP 67/68 and is used to configure IPs automatically on all connected hosts.
See also: LLMNR/NBT-NS
Network Mapper (NMAP) is a powerful network and host mapping tool. It provides a lot of scanning techniques and results. It's the first tool you'll use in Pentesting.
NMAP has a built-in script engine called NSE (NMAP Scripting Engine), which allows loading and using scripts to take your enumeration and scanning further. NSE scripts can be found on the internet or among the default NSE scripts shipped with NMAP.
--script : Allows loading NSE scripts.
NMAP can be used to scan the target's TCP ports, also known as Port Scanning.
root@linux: nmap <host>
Host is up (0.0025s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
113/tcp closed ident
135/tcp closed msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 4.68 seconds
Tip: You can also put -p0-65535 OR -p- instead to scan the entire range.
-p : Tells NMAP which port(s) to scan.
root@linux: nmap -p0-65535 <host>
NMAP can also be used to scan the target's UDP ports.
-sU : UDP scan, scans UDP ports instead of TCP.
root@linux: nmap -sU <host>
Tip: You can also put -p0-65535 OR -p- instead to scan the entire range.
-p : Tells NMAP which port(s) to scan.
root@linux: nmap -p0-65535 -sU <host>
NMAP can discover the service, version and common information for each open port.
-sV : Enables service and version detection.
root@linux: nmap -sV <host>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 07:29 EDT
Stats: 0:01:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 07:31 (0:00:40 remaining)
Nmap scan report for lan.home (XXX.XXX.XXX.XXX)
Host is up (0.0031s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq gen_X.XX_vX.X.X
80/tcp open http
113/tcp closed ident
135/tcp closed msrpc
139/tcp open netbios-ssn Samba smbd X.X - X.X (workgroup: WORKGROUP)
443/tcp open ssl/https
445/tcp open netbios-ssn Samba smbd X.X - X.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS X.X
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.32 seconds
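A parser for the port table that the TCP scan and the -sV scan above print, added here as an example (it is not part of NMAP or of the original notes). It handles rows with and without the VERSION column, skips the banner and timing lines, and picks up the "Not shown" summary; the SAMPLE is a constructed copy of a few rows from the scan above.

```python
import re

# One "PORT STATE SERVICE [VERSION]" row, e.g. "445/tcp open netbios-ssn Samba smbd X.X"
PORT_ROW = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\w+) ports")

def parse_nmap(text: str) -> dict:
    """Return {'not_shown': (count, state) or None, 'ports': [row dicts]}.
    Lines that are not port rows (banner, timing, script output) are skipped."""
    result = {"not_shown": None, "ports": []}
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            result["not_shown"] = (int(m["count"]), m["state"])
            continue
        m = PORT_ROW.match(line)
        if m:
            row = m.groupdict()          # version is None when -sV was not used
            row["port"] = int(row["port"])
            result["ports"].append(row)
    return result

def open_ports(text: str, proto: str = "tcp") -> list:
    """Only the open port numbers, handy for diffing two scans of one host."""
    return sorted(r["port"] for r in parse_nmap(text)["ports"]
                  if r["state"] == "open" and r["proto"] == proto)

# Constructed sample: a few rows copied from the -sV run above.
SAMPLE = """\
Host is up (0.0031s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq gen_X.XX_vX.X.X
80/tcp open http
113/tcp closed ident
139/tcp open netbios-ssn Samba smbd X.X - X.X (workgroup: WORKGROUP)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""
```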
NMAP can discover what OS is running on the target. However, this scan can be wrong.
-O : Enables OS scanning.
root@linux: nmap -O <host>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 08:09 EDT
Nmap scan report for lan.home (XX.XX.XX.XX)
Host is up (0.0029s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
113/tcp closed ident
135/tcp closed msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
MAC Address: XX:XX:XX:XX:XX (X)
Device type: general purpose|storage-misc|media device|firewall
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X|5.X (96%), Synology DiskStation Manager 5.X (88%), Dish embedded (88%), WatchGuard Fireware 11.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.1 cpe:/o:linux:linux_kernel:4.4 cpe:/h:dish:hopper cpe:/o:watchguard:fireware:11.8 cpe:/o:linux:linux_kernel:5
Aggressive OS guesses: Linux 2.6.32 or 3.10 (96%), Linux 2.6.32 (94%), Linux 2.6.32 - 2.6.39 (93%), Linux 3.2 - 3.8 (91%), Linux 2.6.32 - 3.10 (90%), Linux 2.6.32 - 3.0 (90%), Linux 3.0 (90%), Synology DiskStation Manager 5.1 (88%), Linux 2.6.32 - 2.6.35 (88%), Linux 4.4 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.87 seconds
NMAP can scan for vulnerabilities using the NSE script engine. You can look up different scripts for it, but the default one to try is the vuln category.
--script : Allows loading the NSE scripts to use.
root@linux: nmap --script=vuln <host>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 08:40 EDT
Stats: 0:02:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.30% done; ETC: 08:43 (0:00:01 remaining)
Nmap scan report for lan.home (XXX.XXX.XXX.XXX)
Host is up (0.0034s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
113/tcp closed ident
135/tcp closed msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 186.27 seconds