3 Discovering network services


This chapter covers

  • Understanding network services from an attacker’s perspective
  • Network service discovery using Nmap
  • Organizing and sorting Nmap scan output
  • Creating protocol-specific target lists for vulnerability discovery

In the last chapter, you learned that the information-gathering phase is broken into three separate sub-phases:

  1. Host discovery
  2. Service discovery
  3. Vulnerability discovery

You should be finished with the first sub-phase already. If you haven’t done host discovery against your target environment yet, go back and complete chapter 2 before continuing. In this chapter, you learn how to execute the second sub-phase: service discovery. During service discovery, your goal is to identify any available network services listening on the hosts you discovered during sub-phase 1 (host discovery) that might potentially be vulnerable to an attack.

3.1 Network services from an attacker’s perspective

3.1.1 Understanding network service communication

3.1.2 Identifying listening network services

3.1.3 Network service banners

3.2 Port scanning with Nmap

3.2.1 Commonly used ports

3.2.2 Scanning all 65,536 TCP ports

3.2.3 Sorting through NSE script output

3.3 Parsing XML output with Ruby

3.3.1 Creating protocol-specific target lists

Summary