Ethical Hacking – Lab-02
The main purpose of this lab is to gather information about the network, connected hosts and running services.
Target Discovery:
In the previous lab we learned various ways of gathering information from third-party sources. In this lab we are going to gather information directly from our target machine. This will help us during the vulnerability mapping process.
In your first lab, you made a note of the target machine's IP address. We are going to utilise some command line tools to identify the target machine. (Make sure the metasploitable2 VM is live before attempting this.)
• The ping tool works by sending an Internet Control Message Protocol (ICMP) echo request packet to the target host. If the target host is available and the firewall is not blocking the ICMP echo request packet, it will reply with the ICMP echo reply packet.
root@kali:/home/kali# ping ###.###.###.###
What are some of the additional options for the ping command? Attempt them and make a note of the output.
• The arping tool is used to ping a host in the Local Area Network (LAN) using the Address Resolution Protocol (ARP) request.
root@kali:/home/kali# arping ###.###.###.### -c 4
• The hping3 tool is a command-line network packet generator and analyser tool. Uses of hping3 include:
• Creating custom network packets.
• Security testing and network performance testing.
• Exploiting vulnerabilities in the TCP/IP stack.
root@kali:/home/kali# hping3
Make a note of the hping3 options available for use.
root@kali:/home/kali# hping3 -1 ###.###.###.### -c 4
What is the output of this command?
• The nping tool allows users to generate network packets for a wide range of protocols (TCP, UDP, ICMP and ARP).
root@kali:/home/kali# nping
Make a note of the nping options available for use.
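The ping command above (and hping3 in its ICMP mode, -1) work by sending an ICMP echo request and matching the echo reply that comes back. The following Python is an added example, not part of the lab handout: it builds the request exactly as the ICMP header lays it out, computes the RFC 1071 checksum, and checks a reply against the request the way ping does (same id, sequence number and payload, intact checksum). It only constructs and parses the bytes; it does not send anything.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type 8, code 0: what ping (and hping3 -1) sends
ICMP_ECHO_REPLY = 0     # type 0: what a reachable, non-filtered host answers with

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:                      # odd length: pad with one zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Header (type, code, checksum, id, seq) + payload, with the checksum filled in."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, ident, seq, payload)

def parse_icmp(packet: bytes) -> dict:
    """Decode a message; checksum_ok is True only if the bytes arrived intact."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:],
            # summing a message that includes its own checksum yields 0 when intact
            "checksum_ok": icmp_checksum(packet) == 0}

def build_echo_reply(request: bytes) -> bytes:
    """What the target host sends back: type 0 with the request's id, seq and payload."""
    rq = parse_icmp(request)
    return build_icmp(ICMP_ECHO_REPLY, rq["id"], rq["seq"], rq["payload"])

def is_reply_to(reply: bytes, request: bytes) -> bool:
    """Match a reply to its request the way ping does: intact, type 0, same id/seq/payload."""
    rq, rp = parse_icmp(request), parse_icmp(reply)
    return (rp["checksum_ok"] and rp["type"] == ICMP_ECHO_REPLY
            and (rp["id"], rp["seq"], rp["payload"]) == (rq["id"], rq["seq"], rq["payload"]))
```

If the target's firewall drops ICMP echo requests, no reply ever arrives and ping reports the host as down even though it is up, which is why the lab also uses ARP-based (arping) and TCP-based (nmap) discovery.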
Port Scanning:
In this lab we will learn how to scan target hosts for open TCP and UDP ports. Host discovery is the process of finding live hosts on a network and is one of the first steps in network reconnaissance. Nmap offers many different scanning methods to determine open, filtered and closed ports and to fingerprint services and operating systems. We will start with a simple TCP connect scan, followed by the TCP SYN scan and the UDP port scan. Then we will look at how to scan custom port ranges and enumerate services and operating systems, and finally we will cover the basics of the Nmap Scripting Engine (NSE).
• Identify some of the open network services on Metasploitable from your Kali Linux.
• Replace the hash values with the IP address of Metasploitable you obtained earlier.
root@kali:/home/kali# nmap -sn ###.###.###.###
root@kali:/home/kali# nmap -p0-65535 ###.###.###.###
• What are we specifying with the option in the command above?
root@kali:/home/kali# nmap -sV ###.###.###.###
• What specific kind of software is running on those ports?
root@kali:/home/kali# nmap -O ###.###.###.###
• What additional information do we obtain with the new option in the command above?
• Attempt to try some of the additional options on nmap.
• Before we establish a connection with any of the open network services, spend a bit of time reading about the TCP three-way handshake. Following this we will establish a full TCP and UDP connection on each of the scanned ports.
root@kali:/home/kali# nmap -sS ###.###.###.###
root@kali:/home/kali# nmap -sU ###.###.###.###
• Nmap has a special option for activating aggressive detection. This sends more probes to provide more valuable information; however, it takes a long time to scan and may crash unstable services on the target host due to the high volume of network traffic. Only try this command in your free time: make yourself a cup of tea, watch an episode of GOT and come back to it to see what results you get.
root@kali:/home/kali# nmap -A ###.###.###.###
• The Nmap Scripting Engine (NSE) was developed as an extension to Nmap and works with scripts written in the Lua programming language. In Kali Linux, Nmap scripts are located in the /usr/share/nmap/scripts directory, which currently contains more than 430 scripts.
This command will utilise the default script category and scan the host's ports.
root@kali:/home/kali# nmap -sC ###.###.###.###
• What type of information can we gather from this nmap script command?
root@kali:/home/kali# nmap --script http-enum,http-headers,http-methods,http-php-version -p 80 ###.###.###.###
• An alternative way of comprehensive port scanning is by using Zenmap, which is the GUI version of Nmap. It can have advantages over Nmap such as:
• It is interactive.
• It arranges scan results in a convenient way.
• Allows comparison of two scans.
• Keeps track of scan results.
• Allows reuse of scan configurations through Zenmap profiles.
• Displays executed command.
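The -sV and -O scans above answer "what software is running on those ports" and "what operating system is this", but the answers are easier to record and compare if you save the scan with -oX and parse it rather than reading the screen. The following Python is an added example, not part of the lab or of Nmap itself; the XML is a constructed sample in Nmap's output format, not a capture from the Metasploitable2 VM. It separates services Nmap actually probed (method="probed") from names that are only a port-number table lookup (method="table"), a distinction worth checking before you trust a service name.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -O -oX -` output, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.0.2.10">
<host><status state="up" reason="echo-reply"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
  <service name="telnet" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
  <service name="snmp" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
</host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """One dict per host: address, OS guess and a record per scanned port."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        osm = host.find("os/osmatch")
        ports = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k: None)
            ports.append({"proto": port.get("protocol"), "port": int(port.get("portid")),
                          "state": port.find("state").get("state"),
                          "service": get("name"), "product": get("product"),
                          "version": get("version"),
                          # method="probed": -sV matched a banner/probe response;
                          # method="table": only a port-number lookup, i.e. a guess
                          "probed": get("method") == "probed"})
        hosts.append({"addr": host.find("address").get("addr"),
                      "os": osm.get("name") if osm is not None else None,
                      "ports": ports})
    return hosts

def open_services(host):
    """Ports confirmed open, as 'proto/port name product version' strings."""
    return [" ".join(filter(None, [f"{p['proto']}/{p['port']}", p["service"],
                                   p["product"], p["version"]]))
            for p in host["ports"] if p["state"] == "open"]

def unverified_services(host):
    """Open or open|filtered ports whose service name rests on the port table alone."""
    return [(p["proto"], p["port"]) for p in host["ports"]
            if p["state"].startswith("open") and not p["probed"]]
```

Run it against a real scan with `nmap -sV -O -oX scan.xml <target>` and `parse_nmap_xml(open("scan.xml").read())`; the UDP "open|filtered" state means Nmap got no answer at all, so that port needs a protocol-specific check (for SNMP, the onesixtyone and snmpcheck steps later in this lab).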
SNMP Enumeration:
The Simple Network Management Protocol (SNMP) is a protocol used in TCP/IP networks to collect and manage information about networked devices. Misconfiguration by system administrators, weak authentication schemes and unencrypted traffic can all result in information leakage.
• We will use onesixtyone, another Kali tool, for brute forcing SNMP community strings. It sends all SNMP requests as fast as it can (10 milliseconds apart), then waits for the responses and logs them. If the device is available, it will send responses containing the SNMP string.
root@kali:/home/kali# onesixtyone ###.###.###.###
The SNMP community strings found are public and private. Please note that not all vulnerable machines have the Simple Network Management Protocol (SNMP) configured.
• We can gather additional information about the SNMP device with the snmpcheck command.
root@kali:/home/kali# snmpcheck -t ###.###.###.###
• We will use nbtscan to collect additional information about the environment by enumerating the Server Message Block (SMB) for the NetBIOS name information. SMB is a network file sharing protocol that provides access to shared files and printers on a local network.
root@kali:/home/kali# nbtscan ###.###.###.1-254
What additional information can you collect with this scan?
root@kali:/home/kali# nbtscan -hv ###.###.###.###