Chapter 4

4 Discovering network services

This chapter covers

  • Explanation of network services from an attacker’s perspective
  • Network service discovery using nmap
  • Organizing and sorting through nmap scan output
  • Creating protocol-specific target lists for vulnerability discovery

In the last chapter you learned that the information-gathering phase is broken into three separate sub-phases:

  • A. Host discovery
  • B. Service discovery
  • C. Vulnerability discovery

You should already have completed the first sub-phase. If you haven’t run host discovery against your target environment yet, go back and finish that chapter before continuing with this one. In this chapter you are going to learn how to execute the second sub-phase, B. Service discovery. During service discovery, your goal is to identify any network services listening on the hosts you discovered during sub-phase A that might potentially be vulnerable to attack. It is important to emphasize my use of the words “might potentially be vulnerable”.
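Sections 4.3 and 4.3.1 of this chapter turn nmap’s XML output into protocol-specific target lists. The following Ruby script is an added example, not the book’s own code: it parses a constructed, inline sample of `nmap -oX` output with the standard-library REXML parser, keeps only hosts that are up and ports nmap reports as open (filtered and closed ports are not attack surface), and groups the results into ip:port target lists per protocol. The sample hosts and ports, the PROTOCOLS map and the “other” bucket are assumptions made for the illustration; the service names in the map (ssh, http, netbios-ssn, microsoft-ds, ms-sql-s) are the names nmap uses in its nmap-services table.

```ruby
require 'rexml/document'

# Constructed sample of nmap's XML output (what `nmap -sV -oX scan.xml ...` writes).
# Hosts, addresses and ports are made up for this example.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <nmaprun scanner="nmap" args="nmap -sV -p- -oX scan.xml 10.0.10.0/24" version="7.94">
    <host>
      <status state="up" reason="echo-reply"/>
      <address addr="10.0.10.1" addrtype="ipv4"/>
      <address addr="00:11:22:33:44:55" addrtype="mac"/>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
        <port protocol="tcp" portid="2222"><state state="open"/><service name="ssh" product="Dropbear sshd"/></port>
      </ports>
    </host>
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="10.0.10.25" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
        <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
        <port protocol="tcp" portid="1433"><state state="filtered"/><service name="ms-sql-s"/></port>
        <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      </ports>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="10.0.10.99" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# Protocol buckets (assumed for this example): nmap's service names from its
# nmap-services table, plus well-known ports used as a fallback when nmap did
# not name the service at all.
PROTOCOLS = {
  'ssh'   => { services: %w[ssh],                      ports: [22] },
  'http'  => { services: %w[http http-proxy https],    ports: [80, 443, 8080] },
  'smb'   => { services: %w[netbios-ssn microsoft-ds], ports: [139, 445] },
  'mssql' => { services: %w[ms-sql-s],                 ports: [1433] },
}.freeze

# Parse nmap XML into { ip => [ { port:, proto:, service: }, ... ] }, keeping only
# hosts whose status is "up" and ports whose state is "open".
def open_ports_by_host(xml)
  doc = REXML::Document.new(xml)
  hosts = {}
  doc.elements.each('nmaprun/host') do |host|
    status = host.elements['status']
    next unless status && status.attributes['state'] == 'up'
    # A host may carry several <address> elements (IPv4, IPv6, MAC); key on IPv4.
    ip_el = host.elements["address[@addrtype='ipv4']"]
    next unless ip_el
    ip = ip_el.attributes['addr']
    hosts[ip] = []
    host.elements.each('ports/port') do |port|
      state = port.elements['state']
      next unless state && state.attributes['state'] == 'open'
      svc = port.elements['service']
      hosts[ip] << {
        port:    port.attributes['portid'].to_i,
        proto:   port.attributes['protocol'],
        service: svc && svc.attributes['name'],
      }
    end
  end
  hosts
end

# Pick the protocol bucket for one open port. The service name wins over the
# port number so that SSH on 2222 lands in the ssh list; the port-number
# fallback only applies when nmap gave no service name. Everything else goes
# to "other" so no open port silently disappears from the target lists.
def classify(port)
  PROTOCOLS.each { |name, rule| return name if rule[:services].include?(port[:service]) }
  PROTOCOLS.each do |name, rule|
    return name if port[:service].nil? && rule[:ports].include?(port[:port])
  end
  'other'
end

# Build protocol-specific target lists as sorted, de-duplicated "ip:port" lines,
# one list per protocol, ready to be written to ssh.txt, smb.txt and so on.
def target_lists(hosts)
  lists = Hash.new { |h, k| h[k] = [] }
  hosts.each do |ip, ports|
    ports.each do |p|
      next unless p[:proto] == 'tcp'
      lists[classify(p)] << "#{ip}:#{p[:port]}"
    end
  end
  lists.transform_values do |targets|
    targets.uniq.sort_by { |t| ip, port = t.split(':'); ip.split('.').map(&:to_i) + [port.to_i] }
  end
end

if $PROGRAM_NAME == __FILE__
  target_lists(open_ports_by_host(SAMPLE_NMAP_XML)).each do |proto, targets|
    puts "#{proto}.txt"
    targets.each { |t| puts "  #{t}" }
  end
end
```

Run against a real scan by replacing SAMPLE_NMAP_XML with `File.read('scan.xml')`; the down host and the filtered 1433/tcp port never reach the lists, while 3389/tcp, which the map does not know, is kept under "other" for manual review rather than dropped.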

4.1 Network services from an attacker’s perspective
4.1.1 Understanding network service communication
4.1.2 Identifying listening network services
4.1.3 Network service banners
4.2 Port scanning with nmap
4.2.1 Commonly used ports
4.2.2 Scanning all 65,536 TCP ports
4.2.3 Sorting through NSE script output
4.3 Parsing XML output with Ruby
4.3.1 Creating protocol-specific target lists
4.4 Summary