Scanning open ports for Web Servers (Advanced Penetration Testing Course forum)

This topic contains 24 replies, has 11 voices, and was last updated by  Ketil 4 years, 8 months ago.

Viewing 20 posts - 1 through 20 (of 25 total)
    #23725

    ksanchez
    Participant

    Hi guys, I’m auditing some web servers and this is the filter I’m using. Could you post yours, to compare what the best option is to find vulnerabilities?

    nmap -sV -p 80,81,8081,8082,443,2082,2083,2087,2095,2096,21,990,22,2222,2077,2078,3306,1433,8880,8443,9998,4643,9001,3938,1158,5560 -O -A -PU <IP ADDRESS>

    Suggestions on what the best option is are welcome. 🙂

    #23786

    Nilesh Soni
    Participant

    Nmap is a good command.

    #23791

    ksanchez
    Participant

    Nmap is a good command??? -_- meee!

    #23830

    Anonymous

    @ksanchez take a look at https://www.cybrary.it/video/scanning-nmap-lab-screen-capture/ . Leo goes into detail about the priority of nmap scans to run and the flags for each.

    #23833

    MidGe
    Participant

    Hiya @ksanchez,

    I take your question to be whether the ports you target are the ones you ought to target.

    It depends on what you are after. You can scan the usual ports to get the usual web portal targets. Some entities will run home-grown web sites on totally unusual ports for internal and sometimes external sites, and those may very well be more vulnerable/have more vulnerabilities than standard portals as well!

    #23913

    ksanchez
    Participant

    Sorry, I think I couldn’t express my idea clearly. I have advanced knowledge of nmap use. The question is about the standard ports for some strange web services (commonly embedded) that run on a server. The filter I used encloses a range of these ports and other services supposed to be used on a web server.

    I would like to know if you know of some port that I missed in the filter.

    Thanks for reply, guys.

    #25128

    Anonymous

    Hello

    Nikto is a great tool.

    #25135

    ksanchez
    Participant

    Hi cruzhams, the best tool for network mapping and port scanning is nmap (for me), because it has a lot of scripts that help in the finding. I use Nikto frequently, and it is a great tool, but it’s based on a white list of known vulnerabilities, and sometimes we need to look deeper.

    Regards

    #25155

    iUnknown
    Participant

    ^ but Nikto is much better when it comes to saving time, since it’s automatic!

    #25711

    ksanchez
    Participant

    Nikto is for web analysis, and there are other tools in the same scenario (web app) to compare…

    • This reply was modified 4 years, 9 months ago by ksanchez.
    #27887

    g00ey
    Participant

    I don’t have any additional ports for you, but a suggestion for your command that you may like. You could put your ports into a text file, e.g. “ports.txt”, and put all of your ports on one line within the file, such as 53,69,80,139 etc.

    Then (on a Linux system) you won’t have to type out all of your ports every time; you can simply do:

    nmap -sV -O -A <IP-ADDRESS> -p $(cat ports.txt)

    Which looks much cleaner in my opinion 🙂

    #30822

    Anonymous

    @ksanchez The tool is deprecated, but I believe Amap, which is in Kali Linux, will scan for services running on non-standard or default ports.

    #30853

    Ketil
    Participant

    Hi, What is your objective?
    Are you trying to find any possible web-servers installed on your host? The most used ports for web-servers?

    About your nmap options.
    -sV and -A => isn’t this the same option?

    :)K

    #30890

    Syn/Ack
    Participant

    @Ketil: actually -A (Aggressive scan) is a combination of -sV, -sC and -O (version, script and OS).

    As far as the web ports go, I usually take the super standard road (80, 443, 8080, 8443) to start if stealth is required. Once you start looking into the non-standard ports and you want to be sure not to miss anything, it can literally run on any port, and I just do a -p- and scan all ports.

    I guess it depends on how stealthy and / or how thorough you would like to be…

    #30897

    Ketil
    Participant

    That’s a good way to do it :).
    If you just want answers from the open ports you could do --open. Then only open hosts/ports will be in your answer.

    🙂 K

    #31078

    Syn/Ack
    Participant

    I had never heard of the --open flag. I’ll check that out. thx!

    #31284

    ksanchez
    Participant

    -A: Enable OS detection, version detection, script scanning, and traceroute
    -sV: Version detection, can be used to help differentiate the truly open ports from the filtered ones.

    the --open flag is a good choice to get cleaner results.

    for more info about nmap consult: http://linux.die.net/man/1/nmap or your local man pages.

    #31285

    Ketil
    Participant

    When doing internal scans of several C-nets or even B-nets, and you only scan a few ports, then the --open option is GREAT.
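
A small POSIX shell helper, added here as an example and not part of any post in this thread, that ties together g00ey’s ports-file suggestion and the --open discussion: it normalises the port list before it reaches nmap -p (a file with one port per line breaks the plain $(cat ports.txt) trick, because the shell word-splits it and nmap reads everything after the first word as a target), and it filters grepable -oG output down to open ports, which is what --open gives you at scan time when you only have an existing result file. The ports file contents, the host 192.0.2.10 and the grepable result line are constructed sample input, not real scan output.

```shell
#!/bin/sh
# Added example (not from the thread): build a clean nmap -p argument from a
# ports file and list only the open ports from nmap -oG (grepable) output.

# normalize_ports: stdin -> one comma-joined, numerically sorted, de-duplicated
# list of valid port numbers (1-65535). Commas, spaces, tabs, CRs and newlines
# are all accepted as separators; anything non-numeric or out of range is dropped.
normalize_ports() {
    tr ',' '\n' \
      | tr -s ' \t\r' '\n' \
      | grep -E '^[0-9]+$' \
      | awk '$1 >= 1 && $1 <= 65535' \
      | sort -n -u \
      | paste -s -d, -
}

# port_arg_from_file FILE: print the single argument to hand to "nmap -p".
port_arg_from_file() {
    normalize_ports < "$1"
}

# open_ports_from_gnmap: stdin is nmap -oG output; prints
# "<host> <port>/<proto> <service>" for every port in state "open".
# In -oG, fields of a line are tab-separated, and each "Ports:" entry is
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
open_ports_from_gnmap() {
    awk -F'\t' '
        /Ports:/ {
            host = $1
            sub(/^Host: /, "", host)
            sub(/ .*/, "", host)
            ports = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = $i
            sub(/^Ports: /, "", ports)
            n = split(ports, p, /, /)
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }'
}

# demo: constructed sample input only. The ports file mixes separators and
# contains a duplicate, which is exactly what the normaliser has to absorb;
# the grepable line mimics what "nmap -oG -" writes for one host.
demo() {
    tmp=$(mktemp -d)
    printf '80\n81,8081,8082\n443 2082\n80\n3306\n\n' > "$tmp/ports.txt"
    # Prints the command you would run; <IP-ADDRESS> is a placeholder as in the thread.
    echo "nmap -sV -O --open -p $(port_arg_from_file "$tmp/ports.txt") <IP-ADDRESS>"
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (990)\n' \
      | open_ports_from_gnmap
    rm -rf "$tmp"
}

demo
```

Running it prints the assembled command with -p 80,81,443,2082,3306,8081,8082 (sorted and de-duplicated) and then only the two open entries of the sample result, 22/tcp ssh and 80/tcp http; the closed and filtered ones are dropped, mirroring what --open would have left out of the report.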

    #31286

    ksanchez
    Participant

    for sure 😉

    #31287

    ksanchez
    Participant

    Thanks D0jo, I think in this case Amap is the choice. 😉
