
Step 4: Scan and Exploit Vulnerable Hosts on WLAN

This is an active phase of your attack. When the fourth step is reached, you should have gathered a large amount of helpful data that makes penetrating wireless peers, gateways, and sniffable wired-side hosts an easy task. Perhaps no penetration is needed, because you have already collected or cracked user passwords flowing across the network. Using the data gathered, you can select the most suitable hosts for a further attack aimed at obtaining administrator or root privileges on these hosts. At this stage you can perform active OS fingerprinting, port scanning, and banner grabbing to determine vulnerable services for further exploitation. Remember the golden rule of fingerprinting: Use several available techniques and analyze the results. The options include the following:

  • nmap -O

  • thcrut discover (uses improved nmap fingerprinting methodology)

  • Ettercap (press f/F over a host)

  • xprobe

  • xprobe2 (yes, this is a different tool)

  • (ARP-based OS fingerprinting)

  • sing (basic ICMP fingerprinting)

  • sprint and sprint-lite

  • tools that do fingerprinting via specific services if present (ldistfp, lpdfp, telnetfp)

  • other tools available in the vast scope of the Internet

As to port scanning itself, nmap is everyone's all-time favorite. What kind of "hacking book" does not describe how to run nmap? Without going into the port scanning depths, here are our recommendations:

  • First try the zombie/idle scan with -sI. It might not work.

  • Check out the protocol scan (-sO). Try to do fingerprinting with -sO.

  • Proceed with -sN (null). Many firewalls and IDSs (e.g., ipchains logging) do not detect it.

  • You can follow with -sF to be sure, but avoid Xmas (-sX).

  • If you haven't captured any useful data from these scans, the host is likely to be some form of Microsoft Windows. Use the half-connect scan (-sS).
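The reason the null and FIN scans above slip past simple packet filters is that those filters key on SYN; a defender who logs TCP flags can catch them with a few lines of logic. The following Python is an added example for the network operator's side, not code from the book or from nmap. It reads simplified packet summaries in a constructed record format (one TCP segment per line, "src:sport > dst:dport flags=<letters>") that is an assumption of this example rather than any tool's real output, and it goes slightly beyond the list by also handling the SYN (-sS) case: null, FIN-only and Xmas segments are protocol-invalid outside a scan, so each one is reported, while bare SYNs are only reported when one source probes many distinct ports on a host.

```python
"""Flag stealth-scan probe types (null, FIN, Xmas, SYN) in simplified TCP
packet summaries. Added example; the record format is an assumption."""
import re
from collections import defaultdict
from typing import Optional

# One record per TCP segment: "src:sport > dst:dport flags=<letters>"
# (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST). Constructed sample, not captured traffic.
SAMPLE_LINES = [
    # 192.168.1.77 sends segments with no flags at all to 12 ports: null scan (-sN)
    *[f"192.168.1.77:{40000 + i} > 192.168.1.10:{p} flags="
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 445, 3389, 8080, 8443, 9000])],
    # 192.168.1.88 sends bare SYNs to 15 ports and never completes a handshake: SYN scan (-sS)
    *[f"192.168.1.88:{50000 + i} > 192.168.1.10:{p} flags=S" for i, p in enumerate(range(1, 16))],
    # 192.168.1.55 performs a normal three-way handshake and a clean close on port 80
    "192.168.1.55:51000 > 192.168.1.10:80 flags=S",
    "192.168.1.10:80 > 192.168.1.55:51000 flags=SA",
    "192.168.1.55:51000 > 192.168.1.10:80 flags=A",
    "192.168.1.55:51000 > 192.168.1.10:80 flags=PA",
    "192.168.1.55:51000 > 192.168.1.10:80 flags=FA",
    "192.168.1.10:80 > 192.168.1.55:51000 flags=FA",
    # 192.168.1.99 sends a single FIN+PSH+URG segment: Xmas probe (-sX)
    "192.168.1.99:1 > 192.168.1.10:21 flags=FPU",
]

RECORD_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[A-Z]*)$"
)


def classify_flags(flags: str) -> Optional[str]:
    """Map a TCP flag string to a probe type, or None for ordinary traffic."""
    f = set(flags)
    if not f:
        return "null"   # no flags at all: never produced by a real TCP stack
    if f == {"F"}:
        return "fin"    # FIN without ACK never occurs inside an established connection
    if f == {"F", "P", "U"}:
        return "xmas"   # FIN+PSH+URG together is meaningless for real traffic
    if f == {"S"}:
        return "syn"    # legitimate connection start; only the pattern is suspicious
    return None


def detect_scans(lines, syn_port_threshold: int = 10):
    """Return a sorted list of (src, dst, probe_type, distinct_ports) alerts.

    Null, FIN and Xmas probes are reported from a single segment. A SYN alert
    requires the same source to hit at least `syn_port_threshold` distinct
    ports on one destination, so a normal client is not reported.
    """
    ports = defaultdict(set)   # (src, dst, probe_type) -> destination ports seen
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue           # skip malformed records rather than abort the sweep
        kind = classify_flags(m["flags"])
        if kind is None:
            continue
        ports[(m["src"], m["dst"], kind)].add(int(m["dport"]))

    alerts = []
    for (src, dst, kind), dports in sorted(ports.items()):
        if kind == "syn" and len(dports) < syn_port_threshold:
            continue
        alerts.append((src, dst, kind, len(dports)))
    return alerts


if __name__ == "__main__":
    for src, dst, kind, n in detect_scans(SAMPLE_LINES):
        print(f"{src} -> {dst}: {kind} scan, {n} distinct port(s)")
```

The handshake from 192.168.1.55 produces no alert because every segment after its SYN carries ACK, which is exactly the property the null and FIN checks rely on: a segment without ACK that is not a SYN has no place in a real connection. In production the same logic would be fed from a flow exporter or tcpdump rather than the constructed list, and the SYN threshold would be tuned per network.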

Because we are on (W)LAN, there is another tool to consider: the Ghost Port Scan. Ghost Port Scan uses ARP poisoning to spoof both IP and MAC addresses of the scanning host on the LAN. The scanner is able to find IP addresses not in use on the LAN the attacker's host is connected to. Such a feature is used when no source IPs have been specified. The aim of this function is to avoid a potential DoS that could be caused by ARP poisoning. The scanner is quite flexible:

arhontus:~# ./gps
Ghost Port Scan version 0.9.0 by

Usage: ./gps -d target [-s host1[,host2/host3..]] [-t scan_type]
     [-v] [-r scan_speed] [-p first_port-last_port] [-k 0 | 1]
     [-e ping_port]  [-f t | o] [-i interface] [-S mac | ip]
     [-w window_size]
 -d target             :target host's IP/name
 -s host1[,host2/host3]:list of hosts we pretend to be
                       (use '/' to specify IP ranges)
 -t scan_type          :stealth scan mode (default: syn)
                       (syn | xmas | null | fin | ack | rand | fwrd)
 -r scan_speed         :packet rate (default: insane)
                       (insane | aggressive | normal | polite |
 -p first-last ports   :port range to scan (default: 1-1024)
 -k 0 | 1              :scan well-known ports (default: 1)
 -e ping_port          :target port for a TCP ping (default: 80)
 -v                    :verbose (use twice for more verbose)
 -f t | o              :fragment IP datagrams (default: no frag)
                       (t: tiny frags | o: frag overlapping)
 -i interface          :network interface to use
 -S mac | ip           :spoofing level (IP or ethernet/MAC;
                       default: mac)
 -w window_size        :size of the emission window (default: 256
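The ARP poisoning that lets this scanner answer for unused addresses also leaves a signature on the LAN: one hardware address suddenly claims several IP addresses, and an existing IP-to-MAC binding (typically the gateway's) changes underneath the hosts. The following Python is an added example of an ARP audit a network operator could run over a capture; it is not code from the book or from Ghost Port Scan. Its input is a constructed record format ("ts ip=<sender ip> mac=<sender mac>", one ARP reply per line) assumed for this example, and the threshold of three IPs per MAC is likewise an assumption to tune per segment.

```python
"""Audit ARP replies for impersonation: one MAC answering for many IPs and
IP-to-MAC bindings that change. Added example; record format is assumed."""
import re
from collections import defaultdict

# Constructed ARP reply records (sender fields of each reply), not a real capture.
SAMPLE_ARP = [
    "1 ip=192.168.1.1 mac=00:11:22:33:44:01",     # gateway
    "2 ip=192.168.1.10 mac=00:11:22:33:44:10",
    "3 ip=192.168.1.20 mac=00:11:22:33:44:20",
    "4 ip=192.168.1.200 mac=de:ad:be:ef:00:01",   # one MAC begins answering for
    "5 ip=192.168.1.201 mac=de:ad:be:ef:00:01",   # a run of otherwise unused IPs
    "6 ip=192.168.1.202 mac=de:ad:be:ef:00:01",
    "7 ip=192.168.1.203 mac=de:ad:be:ef:00:01",
    "8 ip=192.168.1.1 mac=de:ad:be:ef:00:01",     # same MAC now claims the gateway IP
    "9 ip=192.168.1.10 mac=00:11:22:33:44:10",    # unchanged binding, no alert
]

ARP_RE = re.compile(r"^(?P<ts>\d+) ip=(?P<ip>[\d.]+) mac=(?P<mac>[0-9A-Fa-f:]{17})$")


def audit_arp(lines, max_ips_per_mac: int = 3):
    """Return (binding_changes, multi_ip_macs).

    binding_changes: list of (ts, ip, previous_mac, new_mac), in record order.
    multi_ip_macs:   {mac: sorted list of IPs} for MACs claiming more IPs than
                     `max_ips_per_mac`. A binding change on its own can be a
                     legitimate DHCP reassignment; combined with a multi-IP MAC
                     it is the pattern a spoofing LAN scanner produces.
    """
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
    changes = []
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue               # ignore malformed records
        ts, ip, mac = int(m["ts"]), m["ip"], m["mac"].lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            changes.append((ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {mac: sorted(ips) for mac, ips in mac_to_ips.items()
             if len(ips) > max_ips_per_mac}
    return changes, multi


if __name__ == "__main__":
    changes, multi = audit_arp(SAMPLE_ARP)
    for ts, ip, old, new in changes:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Static ARP entries for the gateway and switch-level dynamic ARP inspection remove the attack surface outright; this audit is the detection fallback where those controls are not available, which is common on the wireless segments this chapter describes.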


To grab banners the old-fashioned way, you can use telnet or netcat. However, your time (important on wireless) and effort can be saved if you use the following:

  • nmap+V (nmap patched by Saurik; try the -sVVV flag) or the latest version of nmap with novel banner fingerprinting -sV or -A flags

  • amap

  • THCrut

  • arb-scan

  • banshee (features command execution against the IP addresses scanned)

  • grabbb (very fast)

  • A variety of banner grabbers from the Men in Grey (MIG) group (very fast, but not necessarily accurate)

  • "Script kiddie" banner grabbers for the "hole of the month" (usually fast; probably started from banner grabbers for wu-ftpd versions)

As a security consultant, you can always use automated multipurpose security evaluation tools such as Nessus, but a real Black Hat is unlikely to employ these tools for stealth preservation reasons. Choose the tools you like for time-saving and personal reasons. Keep a large collection of exploit code and a long list of default passwords and dictionaries on your penetration testing laptop to save more time by avoiding browsing SecurityFocus, Packetstorm, and similar sites from the WLAN. Use Hydra and similar tools for remote password dictionary attacks and brute-forcing.
