Quick Contact

    Post-Connection Attacks

    All the attacks that we performed in the pre-connection and gaining access section, we weren’t connected to a network. In this section, we are going to be talking about post-connection attack that means the attacks that we can do after connecting to the network. Now, it doesn’t matter that the network is a wireless or a wired network and it doesn’t matter that the target was using the WEP or WPA key, we can launch all of the attacks that we’re going to talk about in this section.

    In all the previous attacks, we kept our wireless card in monitor mode, so that we could capture any packet that goes in the air. In this section, we’re going to use our wireless card in managed mode because we have access to the network, so we really don’t need to capture everything, we only want to capture packets that are directed to us.

    In this section, we’re going to look at the attacks that can perform when we break through the network. Firstly, we’re going to use a tool netdiscover to gather all the important information about the network, and that information will help us to launch attacks. It is used to explore all the clients that are connected to a system. After this, we will learn a tool called Zenmap. This tool has a better interface and is more powerful than netdiscover. This tool is used to gather detailed information about all of the clients connected to the same network.


    The netdiscover is a tool which is used to gather all the important information about the network. It gathers information about the connected clients and the router. As for the connected clients, we’ll be able to know their IP, MAC address and the operating system, as well as the ports that they have open in their devices. As for the router, it will help us to know the manufacturer of the router. Then we’ll be able to look for vulnerabilities that we can use against the clients or against the router if we are trying to hack them.

    In the Network penetration testing, we used airodump-ng to discover all the connected clients to the network. In the second part of the airodump-ng output, we learned how we could see the associated clients and their MAC addresses. All these details we can get before we connect to the target access point. Now, after connecting to the network, we can gather much more detailed information about these devices. To do this task, there are a lot of programs, but we’re going to talk about two programs. Now start with the simplest and quickest one, netdiscover.

    The netdiscover is a quicker and simplest program to use, but it doesn’t show very detailed information about the target clients. It’ll only show us their IP address, their MAC address, and sometimes the hardware manufacturer. We’re going to use it by typing netdiscover, then we are going to use -r, and then we are going to specify the range, which can be any range we want. Looking at the IP (which is tells us which network we are in. We want to discover all the clients that are in this network, so we’re going to try and see if there is a device in Then we’re going to try 12, 13, 14, 15, 16, up to 254, that’s the end of the range. So, to specify a whole range, we can write /24. That means we want, and then this IP is just going to increase up to, which is the end of the IP range in the network. The command for this is as follows:

    Now hit Enter. It will return the output very fast, producing the result shown in the following screenshot:

    In the above screenshot, we can see that we have four devices connected to the network. We have their IP address, MAC address, and the MAC Vendor. This method was very quick, and it just shows simple information.


    Nmap(Network Mapper) is the second program that we’re going to look. It is a huge tool and has many uses. Nmap is used to gather information about any device. Using the Nmap, we can gather information about any client that is within our network or outside our network, and we can gather information about clients just by knowing their IP. Nmap can be used to bypass firewalls, as well as all kinds of protection and security measures. In this section, we’re going to learn some of the basic Nmap commands that can be used to discover clients that are connected to our network, and also discover the open ports on these clients.

    We’re going to use Zenmap, which is the graphical user interface for Nmap. If we type zenmap on the Terminal, we’ll bring up the application like this:

    In the Target field, we’re going to put our IP address. In the Profile drop-down menu, we can have various profiles:

    In the Target filed, if you want to gather information of only one IP address, we can just enter that address. We can also enter a range like we did with netdiscover. We’re going to enter Then we are going to select the Ping scan from the Profile drop-down menu and hit the Scan button:

    The preceding scan is kind of a quick scan, but it doesn’t show too much information, as we can see in the preceding screenshot. It only shows the connected devices. This scan is very quick. We are able to see the connected devices on the left-hand panel, and we can see their IP addresses, their MAC addresses, and their vendors.

    The next scan we’re going to learn is the Quick Scan. Now, the Quick scan is going to be slightly slower than the Ping scan. But in Quick scan, we will get more information than the Ping scan. We’re going to be able to identify the open ports on each device:

    In the above screenshot, we can see that it shows the open ports on each one of them discovering devices. The main router has an open port called 53/tcp. 80/tcp is the port used at the router setting page because it runs on a web server.

    Now, let’s take a look at the Quick scan plus, which take the Quick scan one step further. It’s going to be slower than the Quick scan, but it will show us the programs that are running on the opened ports. So, in Quick scan, we saw that port 80 is open, but we didn’t know what was running on port 80, and we saw that port 22 was running, but we didn’t know what was running. We knew it was SSH, but we don’t know what SSH server was running on that port.

    So again, Quick scan plus will take longer than Quick scan, but it will gather more information, as shown in the following screenshot:

    In the preceding screenshot, we can see that we have a Linux device connected. We can see that the operating system of the device is connected and that it also got us the version for the programs. In Quick scan, we only knew that port 22 was open but now we know that it’s running, and the server is OpenSSH 4.7. Now we know that it was Apache HTTP server 2.2.8 and it was a Linux device. We can go ahead and look for exploits and vulnerabilities.

    Copyright 1999- Ducat Creative, All rights reserved.