Transparency Myanmar

transparency.myanmar@gmail.com


Scanning is an important step of the CEH methodology, i.e. scanning for open ports over a network. Port scanning is the technique used to scan for open ports. This methodology is performed to observe the open and closed ports on the targeted machine. Port scanning gathers more valuable information about the host and the weaknesses of the system than a ping sweep does.

Network Mapping (NMAP)

Basically, NMAP stands for Network Mapping. It is a free, open source tool used for port scanning, service detection, operating system detection and IP address detection of the targeted machine. Moreover, it performs quick and efficient scanning of a large number of machines in a single session to gather information about the ports and systems connected to the network. It can be used on UNIX, Linux and Windows.

There are some terms which we should understand directly whenever we hear them, like open ports, filtered ports and unfiltered ports.

Open ports means the target machine accepts incoming requests on that port, because these ports are configured to accept TCP or UDP packets.

Filtered ports means the ports are usually open, but due to a firewall or network filtering nmap doesn't detect them as open.

Unfiltered means nmap is unable to determine whether the port is open or filtered, while the port is accessible.

Types Of NMAP Scan


Scan Type         Description
Null Scan         This scan is performed by both ethical hackers and black hat hackers. It is used to identify whether a TCP port is open or closed. Moreover, it only works against UNIX-based systems.
TCP connect       The attacker makes a full TCP connection to the target system. There is the option to connect to the specific port you want. A SYN/ACK signal is observed for open ports, while RST/ACK is observed for closed ports.
ACK scan          Discovers the state of a firewall, whether it is stateful or stateless, with the help of ACK probes. This scan is typically used to detect filtered ports, if ports are filtered. Moreover, it only works against UNIX-based systems.
Window scan       This type of scan is similar to the ACK scan but has the ability to detect open ports as well as filtered ports.
SYN stealth scan  This malicious scan is mostly performed by attackers to detect the communication ports without making a full connection. It is also known as half-open scanning.

 

All NMAP Commands 


Command        Scan Performed
-sT            TCP connect scan
-sS            SYN scan
-sF            FIN scan
-sX            XMAS tree scan
-sN            Null scan
-sP            Ping scan
-sU            UDP scan
-sO            Protocol scan
-sA            ACK scan
-sW            Window scan
-sR            RPC scan
-sL            List/DNS scan
-sI            Idle scan
-P0            Don't ping
-PT            TCP ping
-PS            SYN ping
-PI            ICMP ping
-PB            ICMP and TCP ping
-PP            ICMP timestamp
-PM            ICMP netmask
-oN            Normal output
-oX            XML output
-oG            Greppable output
-oA            All output
-T Paranoid    Serial scan; 300 sec between scans
-T Sneaky      Serial scan; 15 sec between scans
-T Polite      Serial scan; .4 sec between scans
-T Normal      Parallel scan
-T Aggressive  Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane      Parallel scan, 75 sec timeout, and .3 sec/probe

 

How to Scan

You can perform nmap scanning from the Windows command prompt using the syntax below. For example, if you want to scan the host with the IP address 192.168.2.1 using a TCP connect scan, enter this command:

nmap 192.168.2.1 -sT

or, equivalently:

nmap -sT 192.168.2.1
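The command table lists -oG (greppable output) but says nothing about what to do with the results once a scan has run. The following parser is an added example, not code from the original page or from nmap itself: it reads nmap's greppable format (one "Host:" line per host, tab-separated fields, and a "Ports:" field whose entries are port/state/protocol/owner/service/rpcinfo/version) into per-port records, so an administrator can diff a scan of their own hosts against the exposure they expect. The sample lines in kSampleScan are constructed for the example and are not real scan results.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One port entry recovered from the "Ports:" field of an nmap -oG line.
struct PortRecord {
    std::string host;
    int port;
    std::string state;     // open, closed, filtered, open|filtered, ...
    std::string protocol;  // tcp or udp
    std::string service;   // service name nmap guessed, may be empty
};

// Constructed sample of a -oG file (not real scan output).
const std::vector<std::string> kSampleScan = {
    "# Nmap scan initiated as: nmap -sT -oG scan.gnmap 192.168.2.1",
    "Host: 192.168.2.1 ()\tStatus: Up",
    "Host: 192.168.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///\tIgnored State: closed (997)",
    "# Nmap done: 1 IP address (1 host up) scanned",
};

// Split on a single delimiter, keeping empty fields (the format has many).
static std::vector<std::string> split(const std::string& s, char delim) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : s) {
        if (c == delim) { out.push_back(cur); cur.clear(); }
        else cur += c;
    }
    out.push_back(cur);
    return out;
}

static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

static bool all_digits(const std::string& s) {
    if (s.empty()) return false;
    for (char c : s) if (c < '0' || c > '9') return false;
    return true;
}

// Parse one greppable-output line. Comment lines and "Status:" lines
// (from ping scans) carry no port data and yield no records.
std::vector<PortRecord> parse_grepable_line(const std::string& line) {
    std::vector<PortRecord> records;
    if (line.rfind("Host:", 0) != 0) return records;
    std::string host, ports;
    for (const std::string& f : split(line, '\t')) {
        std::string t = trim(f);
        if (t.rfind("Host:", 0) == 0) {
            std::istringstream iss(t.substr(5));
            iss >> host;                       // first token is the address
        } else if (t.rfind("Ports:", 0) == 0) {
            ports = trim(t.substr(6));
        }
    }
    if (host.empty() || ports.empty()) return records;
    for (const std::string& entry : split(ports, ',')) {
        std::vector<std::string> p = split(trim(entry), '/');
        // Malformed entries are skipped rather than guessed at.
        if (p.size() < 5 || !all_digits(p[0])) continue;
        records.push_back({host, std::stoi(p[0]), p[1], p[2], p[4]});
    }
    return records;
}

// Count ports in a given state across all lines of a -oG file.
int count_state(const std::vector<std::string>& lines, const std::string& state) {
    int n = 0;
    for (const std::string& l : lines)
        for (const PortRecord& r : parse_grepable_line(l))
            if (r.state == state) ++n;
    return n;
}

int main() {
    for (const std::string& l : kSampleScan)
        for (const PortRecord& r : parse_grepable_line(l))
            std::cout << r.host << ' ' << r.port << '/' << r.protocol
                      << ' ' << r.state << ' ' << r.service << '\n';
    std::cout << "open ports: " << count_state(kSampleScan, "open") << '\n';
    return 0;
}
```

Feeding the real scan.gnmap written by -oG through the same parser and comparing the open set against an approved service list is the usual way to turn a scan into a detection of unexpected exposure.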


How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that the hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups on a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others, so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and use them to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.


Iterators are usually implemented using signed integers, like the typical "for (int i=0; ..." loop, and int is in fact the type used when indexing "cstr[i]"; most methods use a signed int, since int is signed by default.
Nevertheless, the "std::string::operator[]" index is size_t, which is unsigned, and so is the return type of size(); the same happens with vectors.
Besides that, operator[] lacks negative-index control, which I will explain later.

Don't the compilers warn about this?


If his code got a large input it would index a negative number; let's see the g++ and clang++ warnings:



No warnings, so there are many bugs out there...

In order to reproduce the crash we can load a big string or vector from a file, for example:


I've implemented a loading function that gets the file size with tellg() and allocates the buffer with malloc; in this case the buffer is then used as a string.
Let's see how the compiler writes asm code from this C++ code.



So the string constructor, getting the size and adding -2, is clear. Then comes operator<< to concatenate the strings.
Then we see operator[], where it will crash with the negative index.
In assembly it is clearer: it calls operator[] to get the value, and that is where the invalid dereference happens. operator[] will end up returning an invalid address that crashes at [RAX].



In gdb the call to operator[] is a callq 0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implementation of the operator is in the functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[]?
It's exploitable!

In a C char array it is known that, having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of the string plus 10, and yes, we can do arbitrary writes.



Note that gdb displays by default in AT&T asm format, in which the operands are in the opposite order:


And having a string that is on the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm gonna do 3 writes:


See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Writing at -10 writes before the string, at 0x7fffffffde46.
And writing at -100 segfaults because it is writing to a non-paged address.



So, C++ std::string is probably not vulnerable to buffer overflows based on concatenation, but std::string::operator[] lacks negative-index control, and this can create vulnerable and exploitable situations, sometimes caused by a signed use of the unsigned std::string.size().
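The post's screenshots of the offending code are not reproduced here, so the following is an added example, not the author's program: it isolates the three things the post describes, the size_t-to-int narrowing of "size() - 2", the conversion of the negative int back to size_t when it reaches operator[], and the wrapped offset that makes index -10 land 10 bytes before the buffer. Beside it is the hardened form a reviewer would ask for: length checked before subtracting, arithmetic kept in size_t, and at() instead of operator[] so a remaining mistake throws std::out_of_range rather than dereferencing. The functions buggy_index, index_seen_by_operator, effective_offset, ByteResult and penultimate_byte are names chosen for this example; no out-of-bounds access is performed.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>

// The bug as the post describes it: "size() - 2" is computed in size_t
// (unsigned) and then narrowed into a signed int loop variable.
int buggy_index(std::size_t len) {
    // If len < 2 the subtraction wraps to near SIZE_MAX; if len exceeds
    // INT_MAX + 2 the narrowing alone produces a negative int.
    return static_cast<int>(len - 2);
}

// What std::string::operator[](size_t) actually receives when the caller
// passes a negative int: the usual conversion back to size_t.
std::size_t index_seen_by_operator(int i) {
    return static_cast<std::size_t>(i);
}

// The byte offset the returned reference would have relative to data().
// The huge size_t wraps in pointer arithmetic, so an index of -10 resolves
// to 10 bytes before the buffer, matching the "write -10" in the post.
std::ptrdiff_t effective_offset(int i) {
    return static_cast<std::ptrdiff_t>(index_seen_by_operator(i));
}

// Hardened version: check the length first, keep the arithmetic unsigned,
// and use at(), which range-checks and throws instead of dereferencing.
struct ByteResult {
    bool ok;     // false when the string is too short to have a penultimate byte
    char value;  // valid only when ok is true
};

ByteResult penultimate_byte(const std::string& s) {
    if (s.size() < 2) return {false, '\0'};
    return {true, s.at(s.size() - 2)};
}

int main() {
    std::string s = "x";  // constructed input: shorter than the 2 bytes assumed
    int i = buggy_index(s.size());
    std::cout << "buggy index: " << i
              << " -> operator[] sees " << index_seen_by_operator(i)
              << " (offset " << effective_offset(i) << ")\n";
    ByteResult r = penultimate_byte(s);
    std::cout << "hardened: " << (r.ok ? "ok" : "refused, string too short") << '\n';
    return 0;
}
```

With -Wall alone neither g++ nor clang++ reports the narrowing, which is the point of the post; -Wconversion (or -Wsign-conversion) does flag the implicit form, and the explicit static_cast above is what keeps the buggy path compiling silently in this example.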
