Objective
Lab is designed to provide you with hands-on, practical experience with information gathering tools and methodologies. Upon completion of lab 2, you will have an understanding of the following:
1. Scanning and Enumeration- detecting an organization's resources through a series of probes
1. Network Scanning - identifies live systems on a network
2. Port Scanning - identifies open ports and services on live systems
3. Vulnerability Scanning - identifies vulnerable services on live systems
2. Tools - as we investigate these footprinting techniques, we will explore the tools necessary to gather information
Materials
For the purposes of lab 2, you will need the following:
- A lab reservation for one to two hours
- Also, don't forget the following table for reference (DL students only):
- Reminder of the IP addresses for in-class students using the CDM lab:
Procedures
1. Network Scanning
1. The first step in identifying a vulnerable system is to understand what IP addresses are active on a given network. This is an easy task given the array of tools provided to us in BackTrack.
2. Connect to the lab systems as detailed in lab 0 and open a Terminal session in the BackTrack/Kali 5 VM and launch the Win 2000 Server VM(remote DL students only)
3. Launch the Backtrack 5/Kali VM and the Windows 2000 VM for the first part of the lab (in-class and local DL students using the CDM labs on 6th floor). We will power down the BackTrack 5VM in section 5 when we get into the Windows-specific tools section.
4. fping
1. Type man fping and press enter. If you recall from lab 1, the man command is used to display a manual page for any given application. Keep this in mind as you bounce between different tools; you can always return back to the man page for specific options or flags. Press q to return to the terminal prompt
IMPORTANT: for the following commands, make sure you replace the names of virtual machines with the actual IP address from the table above. For example, if you have a reservation for Hacking VM#1, your command in step 2 below would be fping 10.0.0.14 (remote DL students only). For in-class and local DL student you should use the table above for the CDM lab systems.
2. Type fping Win2000 Server and press enter. The result is rather anti-climatic and you may be wondering "how is this any different than ping?"
3. Type fping -C 5 -q Win2000 Server and press enter. The output shows the target IP address followed by the time in milliseconds for each of the 5 packets that were sent. fping's output is clean which makes it a great tool when scripting
4. Q1. Using the options from the man page, how would you ping sweep the 10.0.0.0/24 range using 5 second intervals between packets.
5. Using your answer from Q1 above, ping sweep the 10.0.0.0/24 range. Q2. Include a screenshot of your output in your submission.
6. Q3. What systems show as being live? Is it possible to run this same sweep using the built-in "ping" command on your BackTrack 5 VM?
5. hping2
1. Type man hping2 (replace hping 2 with hping 3 if you're using Kali 1.1 or 2) and press enter. Hping2 builds upon the options in fping and gives us even more flexibility when scanning. Most importantly, gives us the option of using TCP, UDP, ICMP or RAW-IP. Press q to return to the terminal prompt
2. Q4. Using the man page, what would you enter to ICMP ping the Windows 200 Server VM? Run this command and include a screenshot of your output in your submission.
3. Type hping2 -S Win2000 Server and press enter. Q5. What is the difference between the option you used in Q4 above and the -S switch? Use Wireshark to examine the difference between the types, include a screenshot of Wireshark in your submission.
4. Q6. How would we do the same as above, but use UDP instead? Run the command and include a screenshot of both the output and Wireshark in your submission.
5. Typically scans are conducted using normal ICMP scans. However, imagine a situation where ICMP is blocked at a gateway and you need to scan for hosts beyond that point. Hping2 may come in handy for this purpose
6. nmap
1. Type nmap and press return. Nmap is by far the most commonly used scanning tool. It contains everything from simple ping sweeps to complex scanning techniques
2. Type nmap -sP Win2000 Server and press return. The -sP flag performs a simple ping sweep of the IP address or range of IP addresses that you specify
3. Type nmap -sP -v Win2000 Server and press return. The -v flag can be added to increase the verbosity of the output
2. Port Scanning
1. Up to this point we have been concerned with identifying hosts that are alive and responding on the network. It is time to switch gears and begin identifying what ports and services are listening on these hosts. Luckily the tool we left off on above, nmap, contains port scanning functionality
2. Before we start using the various port scanning tools, power on the Win 2003 Server VM. There is no need to login -- powering it on is sufficient. At this point you should have the BackTrack5 VM, Win2000 Server VM, and Windows 2003 Server VMs running.
3. nmap
1. Type nmap -sS Win 2000 Server and press return. Q7. What does the -sS flag mean?
2. Type nmap -sT Win 2000 Server and press return. The -sT flag tells nmap to complete the TCP 3-way handshake. While this type of scan will give you the most accurate results (in terms of what services are alive), it's also the least stealthy. Q8. How many ports did nmap scan for in the above two runs? Why did it choose these ports and/or where did it get the information to limit the ports it is scanning from?
3. Type nmap -sX Win 2000 Server and press return. The -sX flag tells nmap to "light the packet up like a Christmas tree" by setting the FIN, PSH, and URG flags. This scan uses a loophole in RFC 793 to determine if a port is open or closed
4. Up to this point we have been asking nmap to blindly scan hundreds of ports on a given target. While this may yield the most comprehensive results, it also is easily detectable by IDS/IPS solutions due to the sudden chatter coming from your machine
5. Type nmap -p 21,80,135,3389 Win 2000 Server and press return. The -p flag allows us to specify individual ports separated by comma. Alternatively, we can specify ranges by using a dash. For example, -p 21-80
6. As mentioned in the slides, it may be beneficial to use packet fragmentation in order to evade detection from IDS/IPS. Type nmap -f Win 2000 Server and press return. The -f flag splits up the TCP header over several packets to try and disguise what you are doing. You also have the option to set the MTU size. For example, -mtu 64
7. Now that we have a list of open ports on the Win 2000 Server, let's dig for more information on the services running by using nmap's service detection flag
8. Q9. Nmap also have an option to enumerate running services on the systems we are scanning. What is this option and how does it work? How could you verify if the nmap service enumeration is correct? Include a screenshot of your work here.
9. Nmap also has flag that attempts to detect the operating system being used on the system we are investigating. Q10. What is this flag and explain how it works. Include a screenshot of your results of scanning the Windows 2000 and 2003 servers, including Wireshark. Make sure you explain this one well...
4. Netcat
1. To continue our probing of specific services, let's use the netcat tool to grab banners for a few open services
2. Type nc -v Win 2000 Server 21 and press enter. The output shows the banner that is presented on behalf of the service running on port 21. While we are connected, type help and press enter. The output is a list of commands accepted by the service. Not only can netcat grab banners, it can also be used to interact with these services. Type quit and press enter
3. Type nc -v Win 2000 Server 80 and press enter. This time we aren't presented with a banner but we still connected to the service. Knowing that web servers typically run on port 80, type GET / HTTP/1.1 and press enter twice. This command makes it possible to manually make HTTP requests from web servers
5. Enum
1. Let's change gears and focus on pulling information from Windows machines through null sessions. If you recall from the presentation, null sessions allows attackers to gather user accounts, groups, shares, and domain information
2. Power off the Backtrack5/Kali VM and power on the XP Security/Win 7-8 VM
3. Start and RDP connection to the XP Security/Win 7-8 VM (Remote DL students only)
4. Browse to Start / Programs / Security Tools / Enumeration and open Enum on the XP Security VM.
5. Type enum -U Win 2000 Server and press enter. That was easy, wasn't it? Because this server accepts null sessions we were able to pull down a list of local usernames
6. Type enum -P Win 2000 Server and press enter. As you can see from the password policy there is no lockout threshold. With this information we could attempt to crack the users password with brute force without having to worry about locking the account out
7. Type enum and press enter to see what other functionality this application has
6. Nbtenum
1. On the desktop, double click cmd.exe to spawn a new command prompt. Type cd nbtenum and press enter
2. Type nbtenum -a Win 2000 Server dict.txt and press enter. The results of the command are saved to a .html file in the E:\tools\nbtenum\ directory as pictured below:
3. Double-click on 10.0.0.x.html (where x is the IP of your particular machine) to open the output. The passwords that were cracked will be near the bottom
4. Perform the command again but this time against Win 2003 Server and have a look at the resulting .html document. Do you recall why we aren't able to pull the same amount of information? (Hint: the reasoning is printed on the .html page)
7. Winfingerprint
1. Browse to Start / Programs / Security Tools / Enumeration and open Winfingerprint on the XP Security VM.
2. Winfingerprint has similar functionality to enum, but with a simple-to-use GUI. Let's run winfingerprint on our Win 2000 Server
3. Select the Single Host radio button in the upper left
4. For the IP address, type Win 2000 Server (don't forget to translate this to an IP)
5. For now we will leave the default options checked. Click Scan to begin the enumeration process
6. Have a look through the resulting output. We have now gathered all types of information including NetBIOS shares and services
7. Check a few more of the options (including Users) in the ‘Scan Options' section and rerun the scan. Scroll down through the output and take note of the usernames followed by a SID number. This will be useful in later labs
3. Vulnerability Scanning
1. To complete this section you will need the XP Security/Win 7-8 VM and the Windows 2000 Server VMs powered on. Make sure that the Backtrack5/Kali and Win 2003 Server VMs are powered down.
2. On the desktop of the XP Security/Win 7-8 VM, double-click the icon labeled Nessus Client and when the login page appears use administrator / student for the username and password
3. The first step in performing a vulnerability scan with Nessus is to create a policy. Policies dictate the settings that will be used for a particular scan and allow you to configure safe policies and more aggressive policies. Click Policies at the top menu bar
4. To add a new policy click Add. When the Add Policy interface appears, use the default settings except for the following:
1. General:
1. Give the policy a name (e.g., CNS488 Policy) and check the box titled ‘TCP Scan'
2. Click Next twice to proceed to the Plugins section
2. Plugins:
1. Under Families, scroll down and select Windows : Microsoft Bulletins. This will populate the individual plugins in the right column
2. Click Next to proceed to the Preferences section
3. Click Submit to finalize our new policy
5. Now that a policy has been created, let's create a scan. Click Scans at the top menu bar
6. To add a new scan click Add. Give the scan a name and in the policy drop-down select CNS488 Policy (or whatever you named your policy). Lastly, enter our scan target by typing Win 2000 Server (don't forget to translate this to the appropriate IP address). Your scan should look similar to the one pictured below:
7. As the final step, click Launch Scan. You will automatically be taken back to the Scans section where our scan has been initiated
8. When the scan is complete it will disappear from the Scans section. Click Reports at the top menu bar to return to the reports section
9. Double-click our newly created report to open the report info. Highlight and click the host IP address and it will automatically drill down into specific findings. Feel free to look around and interpret these vulnerabilities -- there's way too many items to explain them in great detail. Look through the list and do some research on the vulnerabilities (focus on the critical risk ones) to see what you can find out about the vulnerability and how it is possibly exploited.
What You Need to Submit:
Submit the following to get credit for this lab assignment:
- A single file (please use zip not rar) with screenshots of the following:
- Your output from fping, hping2(or 3), netcat, and nmap from the sections above including the answers to all of the questions in red/bld above (Q1-Q10).
- A copy of your Nessus scan output (not a screenshot)...figure out how to export the results
- Research at least one vulnerability from your Nessus report. When was it initially discovered? What Windows service does it affect (and what does that service do)? Is there an exploit that is publicly available (hint: Google and securityfocus.net/bid are your friends)? Don't simply copy and paste a bunch of stuff from the CVE or MS page! This should be a fairly well written-up answer in terms of explaining the vuln, exploit, and the service or application.
Additional Exercises
The following items are additional exercises related to the lab. Feel free to explore these topics on your own.
- Perform some of the scans we went over in lab 2 again but setup WireShark or tcpdump on the system being scanned. Make sure you have a good understanding of scans that take place using ICMP vs. TCP. Also understand how flags can affect the timing, size, and various other options that can be manipulated.
- On the XP Security VM, browse to Start / Programs / Security Tools / Scanning Tools and check out SuperScan4 and Angry IP Scanner. Both of these provide graphical interfaces for scanning that may come in handy.
- On the XP Security VM, browse to Start / Programs / Security Tools / Misc Tools and check out GetAcct. It's a fairly simple tool but provides a ton of great information. (Hint: you only need to enter the IP address of the remote computer)