Ethical Hacking – Lab-01
The main purpose of this lab is to collect information about a specific target using passive information gathering.
Information Gathering and getting to know the target systems is the first process in ethical hacking. Reconnaissance is a set of processes and techniques (Footprinting, Scanning & Enumeration) used to covertly discover and collect information about a target system.
During reconnaissance, an ethical hacker attempts to gather as much information about a target system as possible, following the seven steps listed below −
• Gather initial information
• Determine the network range
• Identify active machines
• Discover open ports and access points
• Fingerprint the operating system
• Uncover services on ports
• Map the network
Reconnaissance takes place in two parts − Active Reconnaissance and Passive Reconnaissance.
Active Reconnaissance
In this process, you directly interact with the computer system to gain information. This information can be relevant and accurate, but there is a risk of being detected if you carry out active reconnaissance without permission. If you are detected, the system administrator can take severe action against you and track your subsequent activities.
Passive Reconnaissance
In this process, you will not be directly connected to a computer system. This process is used to gather essential information without ever interacting with the target systems.
Footprinting is the part of the reconnaissance process used to gather as much information as possible about a target computer system or network. Footprinting can be both passive and active. Reviewing a company’s website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.
Footprinting is basically the first step, where a hacker gathers as much information as possible to find ways to intrude into a target system, or at least to decide what type of attacks will be more suitable for the target.
During this phase, a hacker can collect the following information −
• Domain name
• IP Addresses
• Namespaces
• Employee information
• Phone numbers
• E-mails
• Job Information
Nmap
The many uses of Nmap
Although port scanning is obviously very important for security professionals—after all, without understanding what network ports are open, it would be impossible to assess the security of a system—Nmap is also very valuable for other types of information technology professionals.
System administrators use Nmap to determine which of their systems are online, so they can understand if there are problems or inconsistencies on their network. Similarly, using OS detection and service detection, these administrators are able to easily verify that all systems are running the same (hopefully current) versions of operating systems and network-enabled software.
Because of its ability to change timing, as well as set specific flags on different packets (for example, the Xmas Tree scan), developers can turn to Nmap for help in testing embedded network stacks, in order to verify that the aggressive network traffic won’t have unintended outcomes that may crash a system.
Port scanning
Nmap is a port scanner, but we haven’t yet covered what a port actually is. As the name somewhat implies, a port is a way to access a networked service on a computer. Each computer has 65,535 ports that can be either open or closed at any time. Some services, such as HTTP (which serves web pages) or FTP (which allows file transfer), have ports associated with them by default. HTTP runs on port 80, FTP runs on port 21, and so on. There are huge lists of commonly used ports that we can reference later—fortunately for us, Nmap includes these lists in its distribution package.
One way to conceptualize a port is to think about an apartment building. In this analogy, one apartment building would be an IP address—each apartment within the building would be a different port. In this case, the building would have to have 65,535 apartments—quite a big property!
When you visit an IP address, it’s just like delivering a pizza to the apartment building; you know where it is in the world, but you don’t know exactly where you need to be. That’s where ports come in! A port is analogous to an apartment number; using a port number, we will know that we’re going to 5505 Internet St, Apartment 443, to deliver HTTPS traffic!
Tasks
Open Firefox on your Kali Linux machine and begin these exercises:
• Conduct a search engine query about nmap and its creator:
• Info about nmap
• Its creator
• Find 3 web sites associated with nmap/creator.
• Find the name of the person behind nmap.
• Find some info which is no longer available on their web site (internet caches and archives)
• Remember: we are not connecting to the target network, so don’t click on the links!
• Find some subdomains from insecure.org, hence new potential targets!
• Using Netcraft.com what info can you gather about:
• Network
• Servers
• OS’s
• Query the insecure.org domain registration.
• Google
• nmap fyodor Sunnyvale (Use different operators to gather more info)
Enough of web-based information gathering, let’s try some Linux commands. Open a terminal and begin these exercises:
• Escalate your privileges to superuser to have unrestricted access to all commands, files, directories and resources.
kali@kali: ~$ sudo su
[sudo] password for kali: kali
root@kali:/home/kali#
• Try a whois query on the ‘nmap.org’ domain. Make note of the type of information you can gather.
root@kali:/home/kali# whois nmap.org
• Try a name server lookup for the ‘nmap.org’ domain. How does this differ from the type of information you could gather with the previous query?
root@kali:/home/kali# nslookup nmap.org
• What are some options for the nslookup command? Have you tried any of them on the ‘nmap.org’ domain?
• Another useful tool is dnsenum, which can be used to enumerate DNS information, discover non-contiguous IP blocks and attempt zone transfers on all related domain name servers.
root@kali:/home/kali# dnsenum nmap.org
• Another useful tool is theHarvester, which gathers email addresses for a specific target by querying several search engines for any email address associated with the target.
root@kali:/home/kali# theHarvester
• Use the -h option for more options associated with this tool.
• What are we specifying with the options in the command below?
root@kali:/home/kali# theHarvester -d nmap.org -b google -l 100
• How many IPs, Emails and Hosts did you find?
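As an added example (not part of the lab handout), the following Python parses constructed whois and nslookup output for a placeholder domain, not real records for nmap.org, to make the contrast asked about above explicit: whois tells you who registered the domain, when, and which name servers are authoritative, while nslookup tells you where the name currently resolves.

```python
# Constructed sample whois output for a placeholder domain; not real registration data.
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Creation Date: 2001-03-15T00:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: signedDelegation
"""

# Constructed nslookup output. The first Server/Address pair is the resolver we
# asked, not the target, so it must be skipped when collecting answers.
NSLOOKUP_SAMPLE = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\texample.org
Address: 198.51.100.10
Name:\texample.org
Address: 198.51.100.11
"""


def parse_whois(text):
    """Return whois fields as lower-cased key -> list of values (keys can repeat)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_nslookup(text):
    """Return resolved IPs from the answer section, ignoring the resolver header."""
    ips, in_answer = [], False
    for line in text.splitlines():
        if line.startswith("Name:"):  # first answer record marks the answer section
            in_answer = True
        elif in_answer and line.startswith("Address:"):
            ips.append(line.split(":", 1)[1].strip())
    return ips


def footprint(whois_text, nslookup_text):
    """Summarise registration facts (whois) beside current resolution (nslookup)."""
    w = parse_whois(whois_text)
    return {
        "registrar": w.get("registrar", [None])[0],
        "created": w.get("creation date", [None])[0],
        "registrant_redacted": any("REDACTED" in v.upper() for v in w.get("registrant organization", [])),
        "name_servers": [ns.lower() for ns in w.get("name server", [])],
        "dnssec": w.get("dnssec", ["unsigned"])[0] != "unsigned",
        "resolved_ips": parse_nslookup(nslookup_text),
    }
```

Feeding real `whois` and `nslookup` output into `footprint()` instead of the constructed samples shows at a glance which fields a registrar has redacted and whether the name servers match the hosting you expect.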