Active Scan

What is the primary IP address of your virtual machine network connection? If you have multiple connections for some reason this is the ethernet device related to eth0. You should use the "ip" command for this (not ifconfig as this is very old and weak). You can use "ip help" to discover the options. The "addr" option is what we want here, and again you can discover more with "ip addr help". If you want to jump to the answer, try "ip addr show".

Machine ip :

This time use "ip link help" and "ip link show" and find out the mac address of eth0.

Machine mac:

This time use "ip route help" and "ip route show" and find out the IP address of your machine's gateway. The gateway is where your packets would be sent if it is destined for an IP address which is not in the local subnet.

Machine gateway:

Look into /proc/net/arp. What is the mac address of the gateway?

Gateway mac:

Run Wireshark in Kali.
Applications > Internet > Wireshark
Start a live capture, and in a kali terminal "ping" the machine 10.200.0.1 with 5 pings (you can use the "-c" option of ping for this, or press CTRL C to stop the ping). This ping should send a number of ping request packets, and if the network is operating correctly, you should receive a corresponding number of ping response packets.

What does wireshark say:
is the length of a ping packet:
is the ICMP type number of a ping request packet:

In this set of questions you will learn how to run a command multiple times by looping over a numerical range. This is particularly useful when you are using a network command which normally only targets a single machine but you want to target a range of IP numbers.

Firstly, ping 10.200.0.1 using "-c 1" (so only send a single packet exchange). What is the TTL of the response to this ping packet?
TTL:

It is possible to use bash variables in commands. One way is to set a variable using a for loop construct. Look at the following example:

for i in {1..10}; do mkdir /home/kali/newdir$i; done;

In this example, "newdir$i" becomes "newdir1","newdir2", etc, up to "newdir10".

Consider another example:

for i in {1..10}; do echo 10.200.0.$i; done;

In this question you will use the for loop and ping to investigate traffic. Wireshark is very graphical, and sometimes it is hard to see all the options. So this time use tcpdump to capture a pink sweep. The tcpdump command allows us to capture all or some of the network traffic on a particular network device.

Make sure you have two terminal windows (either vnc or via ssh or telnet). In one window, which will deal with the monitoring of the network, run this command:

tcpdump -vni eth0 icmp > /root/dump1

In the other terminal window, which in turn will generate the packets during the experiment, do the following REPLACING ?????? with suitable parameters to make the loop go from 1 to 30, and for the ping to send packets to 10.200.0.1 up to 10.200.0.30, depending on i.

for i in {?????}; do ping -c 2 ????? ; done;

Once complete stop the tcpdump capture.

Use cat or less to examine the packet capture, and locate the echo reply packets. The ICMP packet is contained within an IP packet, and the related IP packet information is on the line just before the ICMP information. From that information, discover the IP packet id for the last received echo reply.

Packet sequence number:

Use grep and wc. How many echo requests were sent?

Number of echo requests:

Use grep, looking for packets with "echo reply", and use the '-B 1' to also show the line immediately before the line which matches (which contains the packet header information of the reply). Sometimes the ttl is 64, but sometimes the ttl is something else.

What is the other ttl:
Why? The response was sent slower in this case The response was changed by a firewall The response was damaged The response came from a machine with a different default ttl The ttl is smaller as the machine in question is nearer in terms of network hops The ttl is smaller as the machine in question is further away in terms of network hops Switches use one ttl, routers use another Compression was used in one case The TTL only indicates the number of milliseconds it takes to process the icmp packet

Use tcpdump again, but this time capture only traffic you dont expect. So in our case ignore ssh and telnet traffic using a simple filter.

tcpdump -vni eth0 not port ssh and not port telnet

What is the packet length of the is-at reply from your gateway?
packet length:

Use the "ip route show" command and identify the start and end address (not including the network number and broadcast address) of your virtual machine's network. Use the network number and netmask to make this calculation from the "ip route show" command output.

Start IP:
End IP:

#!/bin/bash
for i in {0..150}; do
	arping -c 2 192.168.100.$i | grep 'bytes from' | awk '{print " possible target up at: " $4 " " $5}' | sort -u
done

In the "for" loop, which currently goes from 0 to 150, change this to be the last octet of the start and end ip you identified in the previous question. Where it says "192.168.100." change this to the first three octets of the start ip you found in the previous question.

Run the command using ./arpbash, but save the output to dump3 in /root.

Look at the file and identify the first IP number it has found.
IP:

In order for your virtual machine to reach the internet, it's packets travels through a number of virtual networks. The final network node is 10.200.0.1.

Using traceroute, investigate the route to reach 10.200.0.1. Note you must use ICMP ECHO in traceroute, rather than the default. Find the right flag in the manual.

Num of hops:
Hostname of last hop:

Run nmap as a network scanner, but save the data as a grepable data file.

nmap -PE -oG /root/out1 -sn 10.200.0.1-20

This saves the search information as a file called /root/out1 in a "grepable" format. Look at the file contents once you have created it.

Process this output file out1, and generate a file "out2" with only the IP addresses of machines which are up.

grep Up /root/out1 | cut -d" " -f 2 > /root/out2

Use nmap to analyse the ports open on 10.200.0.1. As the nmap command can take quite a while to run, restrict your scan to the open tcp ports between port numbers 50 to 80 inclusive. List the open port numbers you find with commas between them in the box below (e.g. if ports 50 and 60 are open, the answer is "50,60"). The numbers in your list must be sorted (smallest number first). Remember the box is space sensitive so dont have extra spaces!

IMPORTANT. Linuxzoo security may shut you down if you produce too many packets too quickly! Use the following options for nmap or you may be kicked off the system. Even with these options the scan may take quite a few seconds.

nmap 10.200.0.1 -p 50-80 --max-retries 3

Open ports:

Use tcpdump to only capture traffic involving port 80.

tcpdump -vni eth0 port 80

Capture the port 80 traffic generated when nmap scanning 10.200.0.1 using a fully connected scan, i.e. -sT. Store this information in /root/nmapfull. Note you should also use -Pn with nmap, as otherwise it will generate 2 extra packets when performing host discover, making the data more complex to understand.

Using 'S' for SYN, '.' for ACK, and 'R' for RST (which is how tcpdump shows the "Flags" in the tcpdump), state the handshake involved in the full scan captured in the previous question. Seperate each packet with a comma. For instance, if the handshake on port 80 was SYN, then ACK, then SYN+ACK, then the answer would be "S,.,S.".

Handshake in nmapfull:

Use tcpdump to only capture traffic involving port 80.

tcpdump -vni eth0 port 80

Capture the port 80 traffic generated when nmap scanning 10.200.0.1 using a SYN connected scan, i.e. -sS. Store this information in /root/nmapsyn. Note you should also use -Pn with nmap, as otherwise it will generate 2 extra packets when performing host discover, making the data more complex to understand.

Using 'S' for SYN, '.' for ACK, and 'R' for RST (which is how tcpdump shows the "Flags" in the tcpdump), state the handshake involved in the full scan captured in the previous question. Seperate each packet with a comma. For instance, if the handshake on port 80 was SYN, then ACK, then SYN+ACK, then the answer would be "S,.,S.".

Handshake in nmapsyn:

Use nmap, limiting yourself to port 80, and perform application version identification of 10.200.0.1 (-sV). Enter the version NUMBER returned by nmap, ignoring all other information. So if it returns "Apache httpd 3.0.0 ((Redhat) OpenSSL))" the answer is "3.0.0".

Port 80 version:

Repeat the above scan, but introduce "--version-trace". What is the GetRequest line number shown in the trace for the Service Scan Match which produced the application version information from nmap?

Line of nmap-service-probe:

Use "locate" to locate the nmap-service-probe definition file, and then do

head -LINE FILE | tail -1

First 2 words of the line:

Use nmap, limiting yourself to port 80, and perform OS fingerprinting of 10.200.0.1. Save the output of running this command to /root/finger. Have a look at the file too, and see what nmap thinks 10.200.0.1 is.

Switch to using netcat, and perform a similar portscan.

nc -vv -n -z -w2 10.200.0.1 50-80

What message do you get for port 50? Connection refused Connection timed out Open Closed Ready Active Firewalled Port not recognised Scan could not be completed due to ARP error

USe wireshark or tcpdump, and monitor the netcan scan of the previous question. What sort of scan does this command do by default?

What type of scan? Stealth Inverse Scan ACK Scan Invertive Scan Reflective Scan Half-Open Scan Full-Connect Scan 25%-Open Scan Njerix Scan