If you can see this check that

Main Page

Week 4A - Advanced Scanning


Scanning and Enumeration

User:
Password:
This practical covers an more in-depth network discovery, enumeration, and active scanning. Remember if you try these in your own machine make sure you have permission, as running these on or over system you have no permissions for is likely illegal.

Question 1: Target 1

Press this button to ready your machine for running the virtual machine targets. If your machine is reset or you reboot then you may have to press this button again.

Note that this target can take (quite) a few minutes to boot, as it has many processes running many services.

Tests - not attempted
Script ready UNTESTED
Target network UNTESTED
Target 1 UNTESTED

The machine can take 5 minutes to warm up. Press the test button to see if it is running fully. So long as the network of the target is running, you can continue for a few questions until OpenVas is ready to scan.

Tests - not attempted
Target 1 network running UNTESTED
Target 1 all services running UNTESTED

Question 2: Network Device

Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" and find out the device name on your machine which would be used to handle packets going to target 1. You can identify it by looking at the output, finding the line involved with the target subnet, and looking for the "dev".

Target network device:

Tests - not attempted
Gateway IP UNTESTED

What is your machine's IP number on the target network?

Your IP:

Tests - not attempted
Local IP UNTESTED

Question 3: Network scanning with nmap

Use nmap to sweep the target network, and identify the IP address of target 1. Use the appropriate flag so that no port scanning is done and no name resolution is performed.

What flag specifies no port scan is performed (include the "-" character)

What flag specifies no name resolution (include the "-" character)

Target IP:

Tests - not attempted
target ip UNTESTED
Flag 1 is right UNTESTED
Flag 2 is right UNTESTED

Question 4: OpenVas scanning

We would like you to try a scan on the target using OpenVAS. However note that this can take about 15 minutes, so we will interleave this with the target booting process. Do not start the scan until told...

Start openvas in applications>Kali Linux>OpenVAS>openvas start.

Dont worry if the manager appears to fail to start. It has probably started and it is openvas which is mistaken...

Tests - not attempted
Openvas running: scanner UNTESTED
Openvas running: manager UNTESTED
Openvas running: admin UNTESTED

In OpenVAS, create the following:

  • A port called "port ssh" which scans only port 22
  • A target called "target1" which targets the IP identified above and scanns only the port "port ssh".
  • A task "ssh scan" which scans "target1". Make the Maximum concurrently executed NVTs per host 20.
  • ONCE ALL CHECKS PASSED you can start the task "ssh scan". PASS THE CHECKS FIRST
  • The scan takes about 15 minutes. While waiting for the answers go onto the next question in the meantime.

The username is "admin" and the password is "kali".

Tests - not attempted
Target 1 all services running UNTESTED
task target1 UNTESTED
ssh scan UNTESTED
port ssh UNTESTED

Question 5: Network port scanning with nmap

How many tcp ports are open on the target?

Open Ports:

Tests - not attempted
Target 1 all services running UNTESTED
Open tcp ports UNTESTED

Question 6: Service Signature

Switch to using netcat and get the banner announcment for the target vnc server. You might want to use "-t 1", which will close the connection after 1 second (more than enough time to see the banner). This test is space and case sensitive.

vnc banner:

Tests - not attempted
Target 1 all services running UNTESTED
Banner announcement UNTESTED

Use the same technique to isentify the OpenSSH version of the target. Get this from its banner, where the version lies in the characters immediately after "OpenSSH_" but before the next space character.

ssh version:

Tests - not attempted
Target 1 all services running UNTESTED
Banner announcement UNTESTED

Use that version number for ssh and locate an CVE exploit which affects that version which was published in November 2008. Specify it in its full name, e.g. CVE-1999-1234. Case sensitive.

CVE 2008:

Tests - not attempted
CVE 2008 for ssh UNTESTED

Use netcat as a client to connect to the target on a range of services, to fingerprint the ports which are open:

echo "" | nc -v -n -w1 target_IP 20-100
Remember to replace target_IP with the target's IP number. Note you will probably have to use "nc.traditional" to do this question in linuxzoo.

What version of FTP Server is reported?
FTP Server name:
FTP Server version:

Tests - not attempted
Banner announcement UNTESTED

Question 7: OS Fingerprinting

Use xprobe2 to identify what sort of machine target 1 is. Save that information to /root/info1. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").

Linux major version:

Tests - not attempted
Target 1 all services running UNTESTED
info1 looks ok UNTESTED
Version ok UNTESTED

Use nmap with "-O" to identify what sort of machine target 1 is. Save that information to /root/info2. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").

Linux major version:

Tests - not attempted
Target 1 all services running UNTESTED
info1 looks ok UNTESTED
Version ok UNTESTED

Compare the major version information and evaluate the results.

What is the reason for the result?

Tests - not attempted
Reason UNTESTED

From Kali, in a terminal window perform two tcpdumps to capture the nmap OS fingerprint packets sent, filtering on the target host address (e.g using the HOST filter), and not doing name resolution. Remember the interface is br0.

First capture with tcpdump the packets generated when using xprobe to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump1 using standard redirection.

Secondly capture with tcpdump the packets generated when using nmap to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump2 using standard redirection.

Look at the number of packets generated by each tool:

Tests - not attempted
dump1 valid UNTESTED
dump2 valid UNTESTED
Reasoning sound UNTESTED

Question 8: openvas result

At this point hopefully your ssh scan has completed. It tends to sit at 1% for a while, then again pause at 98%. You should never rush openvas...

From the report from this task, read the report and look at the "High" security risks. One problem identified is that there is a "default Credentials" problem. Look at that NVT and enter below the username and password that it is worried about.

Username: Password:

Tests - not attempted
User correct UNTESTED
Password correct UNTESTED
Task complete - port ssh UNTESTED

Question 9: nmap scripting engine (NSE)

One of the most powerful features of nmap is its scripting engine which permits nmap to execute scripts against a target to gather more interesting information. Some of these scripts can also be used to launch simple exploits such as a Telnet brute force attack. This section will demonstrate how to use the scripts and will also point to some issues that you may encounter when using scripts. The complete list of scripts is available on the nmap web site.

A complete list of Nmap Scripts is available on the nmap web site:
http://nmap.org/nsedoc/scripts/

Locate the nmap script directory using:

	locate ".nse" 

What directory are the NSE script stored in:

Tests - not attempted
Location correct UNTESTED

Look at the script.db file in this scripts directory. Open it with less and look for the categories that the dns-zone-transfer script is in.

Categories (no spaces, list seperated by commas):

Tests - not attempted
Categories correct UNTESTED

Use the script "smb-os-discovery" in nmap, targeting the target 1 machine, and limiting the scan to ports 137-139 (netbios).

What is the workgroup name discovered for target 1? Remember this is case sensitive.

worgroup name:

Tests - not attempted
Target 1 all services running UNTESTED
workgroup correct UNTESTED

You can run all non invasive nmap script on all ports on the target. See what you can discover. This uses the "-sC" flag.

What version of dns bind did you identify during this.

bind version:

Tests - not attempted
Target 1 all services running UNTESTED
workgroup correct UNTESTED


Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net fwall DNS diag Apache1 Apache2
Caine 6.0: Essentials | Basic | Search | SysIntro | 5a | 5b | 5c | 6 | 7a | 7b | 8a | 8b | WebBrowserA | WebBrowserB | Registry | Browser
Digital Investigation: Editing | Email | Logs | Strength
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions
Site Links:XMLZoo ActiveSQL ProgZoo SQLZoo

Copyright @ 2004-2017 Gordon Russell. All rights reserved.