Collecting Information by Active Scanning

Berkay Şen
5 min read · Nov 25, 2021

What Is Active Scanning?

Active scanning is the collection of information by interacting directly with the system to be infiltrated. Because every probe touches the target, the scan must be done carefully and in a controlled manner. Otherwise devices such as firewalls and intrusion prevention systems can recognise our scan traffic and take measures accordingly: dropping our packets, banning our IP address, or even feeding us misleading results.

Since we interact with the system while scanning, it is worth knowing that our scans can have side effects such as slowing the system down or even bringing a server offline (a flood of connection attempts against a fragile service, for example). It is very important to scan with this in mind: stay within the agreed scope and prefer slower timing on production systems.

Most Used Tools in Active Scanning

  • Nmap

Nmap is an open source tool that is widely used in cyber security. Thanks to its scripting engine (NSE) it covers everything from network discovery and port scanning to basic vulnerability scanning, and it is the standard tool for port scans. Only basic usage is explained here, not Nmap in detail; Nmap definitely deserves to be covered as a separate topic…

Basic Nmap Usage

Detailed information about the tool is available through its help output.

nmap --help

The simplest use is to give only an IP address or domain name with no parameters; Nmap then scans the 1,000 most common TCP ports. When run as root it uses a SYN (half-open) scan by default, which never completes the TCP handshake with the system unless you specify otherwise with parameters. Without root privileges it falls back to a connect scan, which does complete the handshake and is therefore more visible in the target's logs.

nmap domain.com

To learn the OS of a system with Nmap, add the -O parameter (OS detection needs raw socket access, so run it with sudo). Nmap compares the target's TCP/IP stack behaviour against its fingerprint database and reports the best matches.

We learned that this system runs Linux.

We use the following command to find the services running on the open ports of a system and the version numbers of those services.

nmap -sV domain.com

As you can see, port 1433 on my target is open and an MSSQL (Microsoft SQL Server) instance is running on it; Nmap shows us everything from the service name to its exact version number. Why does version information matter to us? If a system runs old versions, there is a higher probability of known security vulnerabilities (published CVEs, often with public exploits) in that system. If the system owner does not apply updates and keeps running old versions of his services, our job becomes easier.
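The triage step the paragraph above describes, automated: read Nmap's XML output (`nmap -sV -oX scan.xml target`), list the open ports with their service and version, and flag products older than a baseline. This is an added example, not code from the original article or from Nmap; the XML is a constructed sample shaped like real Nmap output, and the version baselines are illustrative assumptions, not a vulnerability database.

```python
"""Triage Nmap -sV results: pull open ports and service versions out of the
XML output (nmap -sV -oX scan.xml target) and flag versions below a baseline.

Added example; not from the original article. The XML below is a constructed
sample shaped like real Nmap output, and the version baselines are
illustrative assumptions, not a vulnerability database.
"""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (trimmed to the relevant nodes).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - domain.com">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="0"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="0"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack" reason_ttl="0"/>
        <service name="ms-sql-s" product="Microsoft SQL Server 2008 R2" version="10.50.1600" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Illustrative "anything older than this deserves a closer look" baselines,
# keyed by the product string Nmap reports. Assumed values for the demo only.
MIN_VERSIONS = {
    "OpenSSH": (8, 0),
    "nginx": (1, 18),
    "Microsoft SQL Server 2008 R2": None,  # end-of-life product: flag regardless of build
}

def parse_version(text):
    """Turn '10.50.1600' into (10, 50, 1600); stop at non-numeric suffixes like the 'p1' in '7.4p1'."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def open_services(xml_text):
    """Return [(port, protocol, service name, product, version)] for open ports only."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports carry no service banner
        svc = port.find("service")
        found.append((
            int(port.get("portid")),
            port.get("protocol"),
            svc.get("name", "") if svc is not None else "",
            svc.get("product", "") if svc is not None else "",
            svc.get("version", "") if svc is not None else "",
        ))
    return found

def outdated(services, baselines=MIN_VERSIONS):
    """Return [(port, product, version)] for services whose product is in the baseline table and below it."""
    flagged = []
    for port, proto, name, product, version in services:
        if product not in baselines:
            continue
        floor = baselines[product]
        if floor is None or parse_version(version) < floor:
            flagged.append((port, product, version))
    return flagged

if __name__ == "__main__":
    services = open_services(SAMPLE_XML)
    for row in services:
        print("%5d/%s  %-9s %s %s" % row)
    for port, product, version in outdated(services):
        print("REVIEW: port %d runs %s %s" % (port, product, version))
```

Run it against a real scan by replacing `SAMPLE_XML` with the contents of the `-oX` file; the filtered 3389/tcp entry is deliberately included to show that only ports in state `open` are reported.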

Even if you apply updates constantly, you cannot ensure 100% security, because there is no such thing as 100% security :) No system is safe!

The -p parameter restricts the scan to the specified port or ports: a single port, a comma-separated list, a range such as 1-1024, or -p- for all 65,535 ports.

Parameters can be combined. For example, we can run OS detection and version detection in the same scan, limited to port 80:

nmap domain.com -p 80 -O -sV

  • Dirb

Dirb brute-forces directories and files on a web server: it requests candidate paths and prints the ones that exist to the terminal. When folders or files containing sensitive information (backups, admin panels, configuration files) are left reachable from the public internet, it lets the penetration tester find them and collect information from them.

Strategy

Dirb combines each guessed directory name from a wordlist with the target domain, sends an HTTP request to the resulting URL, and decides from the response code whether such a directory exists: a 404 means no, while a 200, 301/302 or 403 means the path is there (a 403 still confirms existence, even though access is forbidden). Like most other tools, it is simple to use.

dirb https://domain.com

I interrupted the scan because it would take a long time. By default Dirb uses the wordlist /usr/share/dirb/wordlists/common.txt; you can pass the path of a different wordlist as the second argument if you want.
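The strategy described above, written out: join each wordlist entry to the base URL, request it, and keep every path whose answer is not a 404. This is an added example, not Dirb's code or the article's. The wordlist is a short constructed one, the default fetcher is Python's stdlib urllib, and the offline demo at the bottom swaps in a fake responder so the logic can be exercised without a live target.

```python
"""Directory brute forcing, the way Dirb does it: join each wordlist entry to
the base URL, request it, and decide from the response whether the path exists.

Added example; not Dirb's code or the article's. The wordlist is a short
constructed one and the default fetcher is stdlib urllib; the offline demo
below swaps in a fake fetcher so the logic can be exercised without a target.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed mini wordlist standing in for /usr/share/dirb/wordlists/common.txt
WORDLIST = ["admin", "backup", "images", "robots.txt", ".git/HEAD", "uploads"]

def http_fetch(url, timeout=5):
    """Return the HTTP status for url (HEAD request, redirects not followed)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surfaces the 30x as an HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def probe_paths(base_url, words, fetch=http_fetch, not_found=(404,)):
    """Return {path: status} for every word whose response is not a plain 404.

    Like Dirb, a 403 still counts as a hit: the path exists, you just cannot read it.
    A 301/302 usually means a directory (server redirects to the trailing-slash form).
    """
    if not base_url.endswith("/"):
        base_url += "/"
    hits = {}
    for word in words:
        url = urljoin(base_url, word)
        status = fetch(url)
        if status not in not_found:
            hits[word] = status
    return hits

def calibrate(base_url, fetch=http_fetch):
    """Ask for a path that cannot exist. If the server answers anything but 404,
    404-based filtering is useless (catch-all site) and every word would 'hit'."""
    return fetch(urljoin(base_url.rstrip("/") + "/", "dirb-calibration-should-not-exist"))

# --- offline demo with a constructed fake server -----------------------------
FAKE_SITE = {
    "https://domain.com/admin": 301,      # exists, redirects to /admin/
    "https://domain.com/backup": 403,     # exists, access forbidden
    "https://domain.com/robots.txt": 200,
    "https://domain.com/.git/HEAD": 200,  # leaked repository metadata
}

def fake_fetch(url):
    """Constructed responder: anything not in FAKE_SITE is a 404."""
    return FAKE_SITE.get(url, 404)

if __name__ == "__main__":
    if calibrate("https://domain.com", fake_fetch) != 404:
        print("warning: target answers non-404 to random paths; results unreliable")
    for path, status in probe_paths("https://domain.com", WORDLIST, fake_fetch).items():
        print("+ https://domain.com/%s (CODE:%d)" % (path, status))
```

Against a real target, call `probe_paths` with the default fetcher and a real wordlist; the calibration request is the check you want before trusting any result, because a site that returns 200 for every path makes the whole wordlist look like hits.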

  • Dmitry

DMitry (Deepmagic Information Gathering Tool) is a fast and handy tool that scans both actively and passively. In one run it collects WHOIS and Netcraft information, possible subdomains and e-mail addresses from the internet, and performs a TCP port scan of the target.

It is quite simple to use:

dmitry domain.com

  • Nikto

Nikto is a web server scanner. Using its plugin database it checks for dangerous or default files and folders, outdated server software and insecure server configuration, and reports known vulnerable scripts (including some with cross-site scripting issues), showing us folders and files on the system that are useful to us. It is run against a host with the -h parameter.

  • Subfinder

Subfinder is a tool for discovering the subdomains of a target domain, mostly by querying passive sources such as certificate transparency logs and search engines, so it generates little or no traffic to the target itself. It is a very useful and widely used tool in the subdomain-finder category.

subfinder -d domain.com

With the -d parameter we give the domain to enumerate.

  • Wafw00f

This tool detects whether a web application firewall (WAF) sits in front of a system and, where possible, identifies which one. It is very simple to use.

wafw00f domain.com

Strategy

First, it sends a normal HTTP request to the target and analyses the response (status code and headers such as Server and Set-Cookie) against its fingerprint database. If that is not conclusive, it sends deliberately malicious-looking requests and checks whether the response changes (a 403 block page or a stripped Server header, for example), which reveals whether a firewall exists and, when possible, which one.
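The two-stage approach described above, written out: fingerprint the normal response first, and only when that is inconclusive send an attack-looking request and compare the server's behaviour. This is an added example, not wafw00f's code or the article's. Responses are constructed dicts of status and headers rather than live traffic, and the fingerprint table is a small assumed one for the demo, not wafw00f's real signature database.

```python
"""Two-stage WAF detection in the style of wafw00f: fingerprint the normal
response first, and only if that is inconclusive send an attack-looking
request and see whether the server's behaviour changes.

Added example; not wafw00f's code or the article's. Responses are constructed
dicts (status, headers) rather than live traffic; the fingerprints below are a
small assumed table for the demo, not wafw00f's real signature database.
"""
import re

# Assumed fingerprint table: (vendor, header name, regex over the header value).
FINGERPRINTS = [
    ("Cloudflare", "server", r"cloudflare"),
    ("Cloudflare", "cf-ray", r".+"),
    ("Akamai", "server", r"akamaighost"),
    ("Imperva Incapsula", "set-cookie", r"incap_ses_|visid_incap_"),
    ("Sucuri", "x-sucuri-id", r".+"),
]

# A request a WAF is expected to dislike; a plain server just sees a query string.
ATTACK_PATH = "/?id=1' OR '1'='1 <script>alert(1)</script>"

# Status codes commonly returned by a WAF block page.
BLOCK_CODES = {403, 406, 429, 501}

def passive_match(response):
    """Stage 1: look for vendor headers in a normal response. Returns vendor or None."""
    headers = {k.lower(): v for k, v in response["headers"].items()}
    for vendor, header, pattern in FINGERPRINTS:
        value = headers.get(header)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            return vendor
    return None

def active_match(normal, attacked):
    """Stage 2: compare the normal response with the one to ATTACK_PATH.
    A status flip into BLOCK_CODES or a Server header that disappears is the
    usual tell of a generic (unbranded) WAF."""
    if normal["status"] not in BLOCK_CODES and attacked["status"] in BLOCK_CODES:
        return "generic WAF (blocks malicious request)"
    normal_hdrs = {k.lower() for k in normal["headers"]}
    attacked_hdrs = {k.lower() for k in attacked["headers"]}
    if "server" in normal_hdrs and "server" not in attacked_hdrs:
        return "generic WAF (server header removed on attack)"
    return None

def detect_waf(fetch, host):
    """fetch(host, path) -> {"status": int, "headers": dict}. Returns a verdict string."""
    normal = fetch(host, "/")
    vendor = passive_match(normal)
    if vendor:
        return vendor
    attacked = fetch(host, ATTACK_PATH)
    return active_match(normal, attacked) or "no WAF detected"

# --- constructed offline targets (hypothetical responders, not real hosts) ---
def cloudflare_site(host, path):
    return {"status": 200, "headers": {"Server": "cloudflare", "CF-RAY": "constructed-ray-id"}}

def generic_waf_site(host, path):
    if "<script>" in path or "'" in path:
        return {"status": 403, "headers": {}}          # block page, branding stripped
    return {"status": 200, "headers": {"Server": "Apache"}}

def plain_site(host, path):
    return {"status": 200, "headers": {"Server": "nginx/1.18.0"}}

if __name__ == "__main__":
    for name, site in [("cdn", cloudflare_site), ("shop", generic_waf_site), ("blog", plain_site)]:
        print("%-5s -> %s" % (name, detect_waf(site, name)))
```

The ordering matters for stealth as well as accuracy: the passive stage costs one ordinary request, and the attack-looking request, which is what gets a scanner's IP logged or banned, is only sent when the headers alone do not settle the question.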
