Scanning & Enumeration – Practical Ethical Hacking by TCM

by Kal Bartal

Installing Kioptrix

Scanning with Nmap

Finding vulnerable machine’s IP address:

Use the ping command to find the IP address of an older machine.

Alternatively run an arp-scan from kali.

arp-scan -l

Alternatively run netdiscover from kali.

netdiscover -r

Nmap stands for network mapper; it scans for open ports and services.
Nmap's TCP port scans are built on the three-way handshake (SYN, SYN/ACK, ACK).

Stealth scanning (-sS) used to be undetectable but is very detectable nowadays. A stealth scan answers the SYN/ACK with a reset flag (RST) instead of the final ACK, so it never establishes the connection.

A SYN answered with SYN/ACK reveals that the port or service is open for connection, while the RST abandons it. Because the connection was never established, the scan is technically stealthy.

A typical nmap scan:

nmap -T4 -p- -A

Scanning UDP is slow, so use the command below to scan the top 1000 ports:

nmap -sU -T4 -p

Ports commonly found with exploits:
80 http
443 https
139 smbd (Samba)

Typically there is no remote code execution for SSH (port 22), so it is not a common point of attack.

Enumerating HTTP and HTTPS

The plan:
  1. port 80 and 443
  2. port 139

Start by opening the website (the IP address) in a browser, over both http and https.

View the page source for hidden comments, passwords etc.

Default webpages are automatic findings for the report. They potentially reveal architecture and hygiene.


Nikto is a web vulnerability scanner. A well-defended website can automatically block Nikto.

nikto -h
  • Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
  • mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
  • OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
  • OSVDB-838: Apache/1.3.20 – Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
  • OSVDB-2733: Apache/1.3.20 – Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
  • mod_ssl/2.8.4 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell., OSVDB-756.
  • OSVDB-3092: /manual/: Web server manual found.
  • OSVDB-3268: /icons/: Directory indexing found.
  • OSVDB-3233: /icons/README: Apache default file found.
  • OSVDB-3092: /test.php: This might be interesting…

Directory busting

Dirbuster, dirb and gobuster are directory-busting tools built into Kali.

List of HTTP status codes:

  1. Informational responses (100–199)
  2. Successful responses (200–299)
  3. Redirection messages (300–399)
  4. Client error responses (400–499)
  5. Server error responses (500–599)

Enumerating SMB

SMB is a file-sharing protocol, and it is commonly used in workplace and internal environments.

Host script results:
|_clock-skew: 5h00m35s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)


Metasploit is an exploitation framework.

search smb version

9 auxiliary/scanner/smb/smb_version

use 9

SMB – Unix (Samba 2.2.1a)


smbclient -L \\\\\\

smbclient attempts to connect to the file share (SMB).

smbclient \\\\\\ADMIN$
smbclient \\\\\\IPC$

help – to see the list of commands

Access denied.


Enumerating SSH

22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)


Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Unable to connect. The point of trying, though, is that sometimes the banner exposes SSH version information.

Researching Potential Vulnerabilities

Potential order of attack:

  1. 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
  2. mod_ssl/2.8.4 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell., OSVDB-756.
  3. SMB – Unix (Samba 2.2.1a)
  4. Webalizer Version 2.01 –
  5. SSH – OpenSSH 2.9p2 (protocol 1.99)
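As an added example (not from the course or these notes), a small Python helper that parses nmap -A service lines like those quoted above into structured records, pulls out the "name/version" components that need researching (mod_ssl/2.8.4, OpenSSL/0.9.6b), and sorts the open services into the enumeration order the notes prescribe: web first, SMB next, SSH last. The port 80 and 22 lines in the sample are the ones from this page; the 139 and 443 lines are constructed.

```python
import re

# Constructed sample of nmap -A service lines. The 22 and 80 lines are the
# ones quoted in the notes; the 139 and 443 lines are constructed examples.
SAMPLE_NMAP = """\
22/tcp  open  ssh          OpenSSH 2.9p2 (protocol 1.99)
80/tcp  open  http         Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp open  netbios-ssn  Samba smbd (workgroup: MYGROUP)
443/tcp open  ssl/https    Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
"""

# Enumeration order from the notes: web (80/443) first, SMB (139) next,
# SSH (22) last because it rarely offers remote code execution.
PRIORITY = {80: 1, 443: 1, 139: 2, 22: 9}

# "<port>/<proto> <state> <service> <version text>"
SERVICE_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "name/version" tokens such as mod_ssl/2.8.4 or OpenSSL/0.9.6b
COMPONENT = re.compile(r"\b([A-Za-z][\w-]*)/(\d[\w.]*)")


def parse_services(nmap_text):
    """Turn nmap service lines into dicts; lines that do not match are skipped."""
    services = []
    for line in nmap_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        services.append({
            "port": int(port), "proto": proto, "state": state,
            "service": name, "version": version.strip(),
            # versioned components are what gets looked up in searchsploit
            "components": dict(COMPONENT.findall(version)),
        })
    return services


def triage(nmap_text):
    """Open services in the notes' order; ports not in PRIORITY land between SMB and SSH."""
    open_services = [s for s in parse_services(nmap_text) if s["state"] == "open"]
    return sorted(open_services, key=lambda s: (PRIORITY.get(s["port"], 5), s["port"]))


if __name__ == "__main__":
    for svc in triage(SAMPLE_NMAP):
        print(f'{svc["port"]}/{svc["proto"]} {svc["service"]:12} {svc["version"]}')
        for comp, ver in svc["components"].items():
            print(f"    research: {comp} {ver}")
```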

mod_ssl/2.8.4 exploit

80/443 – Potentially vulnerable to OpenLuck

Samba 2.2.1a exploit

139 Potentially vulnerable to trans2open


Searchsploit searches the exploit database built into Kali for potential exploits. The search term cannot be too specific, because searchsploit matches the exact term given.

searchsploit Samba 2
