

Active Recon - Network Scanning, Enumeration and Vulnerability Scanning


Authors: Rich Macfarlane, Gordon Russell

This practical covers more in-depth network discovery, system enumeration, and active vulnerability scanning. Remember, if you try these on your own machine, make sure you have permission, as running these on or over systems you have no permission for is likely illegal.


Question 1: Power On Target 1

Press this button to boot the virtual machine target system used in this practical lab. If your machine is reset or you reboot, then you may have to launch the target system again with this button.

Note that this target can take a few minutes to boot, as it has many processes running many services.

Tests - not attempted
Script ready UNTESTED
Target network UNTESTED
Target 1 UNTESTED

The machine can take a few minutes to warm up. Press the test button to see if it is running fully. So long as the network of the target is running, you can continue for a few questions until OpenVAS is ready to scan.

Tests - not attempted
Target 1 network running UNTESTED
Target 1 started UNTESTED
Target 1 all services running UNTESTED

Question 2: Target Network

Target 1 lies somewhere in the 192.168.1.1 - 192.168.1.254 host range. Use "ip route show" to check which network interface on your Kali Linux VM is connected to the target network (the network which target 1 is running on). You can identify it by looking at the output, finding the line involved with the target subnet, and looking for the "dev".

Target network device:

Tests - not attempted
Gateway network device UNTESTED

What is your machine's IP number on the target network?

Your IP:

Tests - not attempted
Local IP UNTESTED
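The two lookups in this question (the "dev" of the route to the target subnet, and your own address on it) can both be read off the same line of "ip route show". The script below is an added example, not part of the Linuxzoo lab page: it parses a constructed sample of "ip route show" output (the interface name br0 and the addresses in it are placeholders), picking the "dev" and "src" words from the connected route for 192.168.1.0/24. On Kali you would feed it the real output, for example target_dev "$(ip route show)".

```shell
#!/bin/sh
# Added example (not part of the Linuxzoo lab page): pick the interface and
# local address for a subnet out of "ip route show" text. SAMPLE_ROUTES is a
# constructed sample; on Kali use the real output of `ip route show`.

SAMPLE_ROUTES='default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.200'

# route_field <routes> <subnet-prefix> <keyword>: print the word that follows
# <keyword> (e.g. "dev" or "src") on the route line for <subnet-prefix>.
route_field() {
    printf '%s\n' "$1" | awk -v net="$2" -v key="$3" '
        $1 == net {                       # only the connected route for our subnet
            for (i = 1; i < NF; i++)
                if ($i == key) { print $(i + 1); exit }
        }'
}

# Interface that leads to target 1's network (the answer to "target network device").
target_dev() { route_field "$1" 192.168.1.0/24 dev; }

# Our own address on that network (the answer to "Your IP").
target_ip()  { route_field "$1" 192.168.1.0/24 src; }

# Usage with the constructed sample; on Kali: target_dev "$(ip route show)"
echo "target network device: $(target_dev "$SAMPLE_ROUTES")"
echo "local IP on target network: $(target_ip "$SAMPLE_ROUTES")"
```

The "src" field is only present on the kernel's connected route (the line whose first word is the subnet itself), which is why the function matches on that line rather than on the default route.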

Question 3: Network scanning - Target Host Discovery with nmap

Use nmap to sweep the target network for live hosts, and identify the IP address of target 1. Use the appropriate flags so that no port scanning is done and no name resolution is performed.

What flag specifies no port scanning is performed (include the "-" character)

What flag specifies no name resolution (include the "-" character)

Target IP:

Tests - not attempted
Target IP UNTESTED
Flag 1 is right UNTESTED
Flag 2 is right UNTESTED

Question 4: Target Port Scanning with nmap

Now we have identified the target system, let's port scan for services it may be running. How many of the top 1000 most common TCP ports are open on the target?

Open TCP Ports:

Let's also check for UDP services running. Scan for the top 10 most common UDP ports on the target. Warning: a top 1000 UDP scan takes about 15 minutes.

Open UDP Ports:

Tests - not attempted
Target 1 all services running UNTESTED
Open TCP ports UNTESTED
Open UDP ports UNTESTED

Question 5: OpenVAS Vulnerability Scanning

We would like you to try a scan on the target system using the OpenVAS Vulnerability Scanner. We need to start the OpenVAS system, which can take a minute to run the first time. You can check the services it runs using ss -at before and after starting OpenVAS, including the web application we will use to run our scans. Also review the output displayed in the terminal window when OpenVAS starts. Start OpenVAS and set up the scan we will perform, but do not start the scan itself until told to below.

From Kali Linux, start openvas from the menu 02 - Vulnerability Analysis -> gvm start

OpenVAS Web Application Port Number:

Tests - not attempted
gvm - security assistant UNTESTED
gvm - manager UNTESTED
gvm - scanner UNTESTED
OpenVAS Web App Port UNTESTED

In the OpenVAS web client, connect to the local host and web app port number, log in and from the OpenVAS Dashboard create the following:

  • Configure a List of Ports to scan for vulnerabilities called "port ssh" which is set to port 22
  • Create a Target called "target1" with the target system's IP Address we found previously and add the Port List we created for port 22 only "port ssh", and skip the host discovery (Alive Test).
  • Create a new Scan Task "ssh scan target1" which scans "target1". Set the Maximum concurrently executed NVTs per host to 20.
  • ONCE ALL OPENVAS SERVICE CHECKS ARE PASSED you can start the task "ssh scan target1".
  • The scan can take a few minutes. While waiting for the scan to complete you can open another terminal window and check the traffic being created with tcpdump -nv on the correct target network interface (identified previously), and then go on to the next question.

The username is "admin" and the password is "kali".

Tests - not attempted
Target 1 all services running UNTESTED
task target1 UNTESTED
ssh scan UNTESTED
port ssh UNTESTED

Question 6: Target Enumeration - Service Versions

While OpenVAS is running the vulnerability scan, let's enumerate the target for other services.

We can use netcat to connect and get the banner announcement from the target's VNC server. Experiment with the flags "-n -v" and "-w 1", rather than "-z" which does port scanning only. The "-w 1" closes the connection after 1 second, giving enough of a timeout to get a banner if the service is running.

VNC Banner:

Tests - not attempted
Target 1 all services running UNTESTED
Banner announcement UNTESTED

Use the same technique to identify the OpenSSH version of the target. Get this from its banner, where the version lies in the characters immediately after "OpenSSH_" but before the next space character.

ssh version:

Tests - not attempted
Target 1 all services running UNTESTED
Banner announcement UNTESTED

Use that version number for ssh and locate a CVE which affects that version and was published in November 2008. Specify it in its full name, e.g. CVE-1999-1234. Case sensitive.

CVE 2008:

Tests - not attempted
CVE 2008 for ssh UNTESTED

Use netcat as a client to connect to the target on a range of services, to fingerprint the ports which are open:

	echo "" | nc -v -n -w1 target_IP 20-100

Remember to replace target_IP with the target's IP number.

What version of FTP Server is reported?
FTP Server name:
FTP Server version:

Tests - not attempted
Banner announcement UNTESTED
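The banner questions in this section (the OpenSSH version after "OpenSSH_", and the FTP server name and version from the range sweep) all come down to picking fields out of netcat's output. The script below is an added example and not part of the lab page: it parses a constructed transcript of the "echo "" | nc -v -n -w1 target_IP 20-100" command with stderr merged into stdout. The IP, the banner strings and the server names in the sample are placeholders, not the lab target's real banners, and the "(UNKNOWN) [ip] port (service) open" line format assumes the traditional netcat on Kali.

```shell
#!/bin/sh
# Added example (not from the lab page): pull the answers out of a saved
# netcat run. SAMPLE is a constructed transcript of
#   echo "" | nc -v -n -w1 target_IP 20-100 2>&1 | tee nc_out.txt
# with placeholder banners; real output differs per target and netcat build.

SAMPLE='(UNKNOWN) [192.168.1.10] 21 (ftp) open
220 (ExampleFTPd 1.2.3)
(UNKNOWN) [192.168.1.10] 22 (ssh) open
SSH-2.0-OpenSSH_9.9p9 Debian-0
Protocol mismatch.
(UNKNOWN) [192.168.1.10] 23 (telnet) : Connection refused
(UNKNOWN) [192.168.1.10] 80 (http) open'

# Ports netcat reported as open, one per line, in the order scanned.
# The "Connection refused" lines for closed ports are left out.
open_ports() {
    printf '%s\n' "$1" | awk '/ open$/ { print $3 }'
}

# OpenSSH version: the characters right after "OpenSSH_" up to the next space.
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([^ ]*\).*/\1/p' | head -n 1
}

# FTP greeting of the form "220 (Name Version)": $2 selects the name (1)
# or the version (2). Other FTP daemons word their greeting differently,
# so check the raw 220 line before trusting the split.
ftp_field() {
    printf '%s\n' "$1" | sed -n 's/^220 (\(.*\))$/\1/p' | head -n 1 |
        awk -v f="$2" '{ print $f }'
}

echo "open ports: $(open_ports "$SAMPLE" | tr '\n' ' ')"
echo "ssh version: $(ssh_version "$SAMPLE")"
echo "ftp server: $(ftp_field "$SAMPLE" 1) $(ftp_field "$SAMPLE" 2)"
```

Because netcat writes the "open" status lines to stderr and the banners to stdout, save the run with "2>&1" so both end up in the same file; otherwise the port and the banner that belongs to it cannot be paired up.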

Question 7: OS Fingerprinting

Use xprobe2 to identify what sort of machine target 1 is. Save that information to /root/info1. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").

Linux major version:

Tests - not attempted
Target 1 all services running UNTESTED
info1 looks ok UNTESTED
Version ok UNTESTED

Use nmap with "-O" to identify what sort of machine target 1 is. Save that information to /root/info2. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").

Linux major version:

Tests - not attempted
Target 1 all services running UNTESTED
info2 looks ok UNTESTED
Version ok UNTESTED

Compare the major version information and evaluate the results.

What is the reason for the result?

Tests - not attempted
Reason UNTESTED

From Kali, in a terminal window perform two tcpdump captures of the OS fingerprint packets sent, filtering on the target host address (e.g. using the host filter), and not doing name resolution. Remember the interface is br0.

First capture with tcpdump the packets generated when using xprobe to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump1 using standard redirection.

Secondly capture with tcpdump the packets generated when using nmap to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump2 using standard redirection.

Look at the number of packets generated by each tool:

Tests - not attempted
dump1 valid UNTESTED
dump2 valid UNTESTED
Reasoning sound UNTESTED
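Comparing the two captures means more than counting lines: how many probes each tool sends, and over which transport (TCP, UDP or ICMP), is what explains the difference. The script below is an added example, not part of the lab page: it counts packets in "tcpdump -n" style text and breaks down the probes sent by one host per protocol. DUMP1 and DUMP2 are short constructed samples in that format, not real captures of xprobe2 or nmap, and the addresses in them are placeholders; in the lab you would run the functions over "$(cat /root/dump1)" and "$(cat /root/dump2)".

```shell
#!/bin/sh
# Added example (not from the lab page): count and classify packets in the
# two tcpdump captures from this question. DUMP1/DUMP2 are constructed
# sample lines in "tcpdump -n" format, not real captures of either tool.

DUMP1='12:00:01.000001 IP 192.168.1.200 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000200 IP 192.168.1.10 > 192.168.1.200: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000300 IP 192.168.1.200.40000 > 192.168.1.10.65534: UDP, length 70
12:00:01.000400 IP 192.168.1.10 > 192.168.1.200: ICMP 192.168.1.10 udp port 65534 unreachable, length 106'

DUMP2='12:00:05.000001 IP 192.168.1.200.50001 > 192.168.1.10.22: Flags [S], seq 1, win 1, length 0
12:00:05.000100 IP 192.168.1.10.22 > 192.168.1.200.50001: Flags [S.], seq 2, ack 2, win 5840, length 0
12:00:05.000200 IP 192.168.1.200.50002 > 192.168.1.10.1: Flags [S], seq 3, win 1, length 0
12:00:05.000300 IP 192.168.1.10.1 > 192.168.1.200.50002: Flags [R.], seq 0, ack 4, win 0, length 0
12:00:05.000400 IP 192.168.1.200 > 192.168.1.10: ICMP echo request, id 2, seq 1, length 120
12:00:05.000500 IP 192.168.1.200.50003 > 192.168.1.10.40125: UDP, length 300'

# Total packets: tcpdump prints one "IP" line per packet in its default output.
packet_count() { printf '%s\n' "$1" | grep -c ' IP '; }

# Packets sent by <host>, counted for one transport ("tcp", "udp" or "icmp").
# The source field ($3) is "host" for ICMP and "host.port" for TCP/UDP.
sent_by() {   # $1 = dump text, $2 = host, $3 = protocol
    printf '%s\n' "$1" | awk -v host="$2" -v proto="$3" '
        $2 != "IP" { next }
        $3 != host && index($3, host ".") != 1 { next }   # not sent by host
        / Flags \[/ { p = "tcp" }
        / UDP,/     { p = "udp" }
        / ICMP /    { p = "icmp" }
        p == proto  { n++ }
        { p = "" }
        END { print n + 0 }'
}

for proto in tcp udp icmp; do
    echo "dump1 $proto probes: $(sent_by "$DUMP1" 192.168.1.200 "$proto")" \
         "  dump2 $proto probes: $(sent_by "$DUMP2" 192.168.1.200 "$proto")"
done
echo "dump1 total: $(packet_count "$DUMP1")   dump2 total: $(packet_count "$DUMP2")"
```

Filtering on the scanning host's address separates the probes the tool sent from the target's replies, so the per-protocol counts describe the tool's fingerprinting technique rather than the target's behaviour.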

Question 8: OpenVAS Report for SSH Scan

At this point hopefully your ssh scan has completed. It tends to sit at 1% for a while, then pause again at 98%. You should never rush OpenVAS.

Open the report for this task and look at the "High" security risks. One problem identified is a "default Credentials" problem. Look at that NVT and enter below the username and password that it is worried about. If it finds multiple ones, look for one with a username starting with a 'u'.

Username: Password:

Tests - not attempted
User correct UNTESTED
Password correct UNTESTED
Task complete - port ssh UNTESTED

We can try another targeted vulnerability scan against the target system using OpenVAS, to assess the FTP service identified previously.

In the OpenVAS web client, carry out a scan on the FTP port:

  • Create a new Port List for only the FTP port called "port ftp"
  • Create a Target called "target1 ftp" for our target system, but with the FTP Port List.
  • Create a new Scan Task "ftp scan target1" which scans "target1 ftp". Again set the Maximum concurrently executed NVTs per host to 20.
  • Start your new scan task "ftp scan target1".
  • The scan will again take a few minutes. You can again monitor the traffic being created with tcpdump, and then go on to the next question.

Tests - not attempted
Target 1 FTP services running UNTESTED
Port List for FTP UNTESTED
Target target1 ftp UNTESTED
Task ftp scan target1 UNTESTED

Question 9: Nmap Scripting Engine (NSE)

One of the most powerful features of nmap is its scripting engine, which permits nmap to execute scripts against a target to gather more interesting information. Some of these scripts can also be used to launch simple exploits such as a Telnet brute force attack. This section will demonstrate how to use the scripts and will also point to some issues that you may encounter when using scripts.

A complete list of Nmap scripts is available on the nmap web site:
http://nmap.org/nsedoc/scripts/

Locate the nmap script directory using:

	locate ".nse" 

What directory are the NSE script stored in:

Tests - not attempted
Location correct UNTESTED

Look at the script.db file in this scripts directory. Open it with less or vi and look for the categories that the dns-zone-transfer script is in.

Categories (no spaces, list separated by commas):

Can you use grep on the file contents and pipe to wc, to find how many NSE 'discovery' category scripts are available in total? To answer this question, just count how many times 'discovery' appears in the script.db file.

Tests - not attempted
Categories correct UNTESTED
Number of discovery scripts UNTESTED
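Both script.db questions are grep exercises over the same file, and the counting one has a trap: a bare grep for "discovery" also matches script file names such as smb-os-discovery.nse, so the number of lines, the number of occurrences and the number of scripts in the category can all differ. The script below is an added example, not part of the lab page: it answers both questions over a constructed six-entry sample written in script.db's "Entry { ... }" layout (the entries are a small made-up subset, not the real file), and prints the category count next to the bare-word occurrence count so the difference is visible. Point the functions at the real script.db in the NSE scripts directory you located above to get the lab's answers.

```shell
#!/bin/sh
# Added example (not from the lab page): answer the script.db questions with
# grep/sed/awk over a constructed sample in script.db's "Entry { ... }"
# format. SAMPLE_DB is a made-up subset; the real file is script.db in the
# NSE scripts directory found with locate.

SAMPLE_DB='Entry { filename = "dns-brute.nse", categories = { "intrusive", "discovery", } }
Entry { filename = "dns-zone-transfer.nse", categories = { "intrusive", "discovery", } }
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery", } }
Entry { filename = "telnet-brute.nse", categories = { "brute", "intrusive", } }'

# Categories of one script, comma separated with no spaces (the lab's
# answer format). $1 = script.db text, $2 = script file name.
script_categories() {
    printf '%s\n' "$1" | grep "filename = \"$2\"" |
        sed -n 's/.*categories = { \(.*\), }.*/\1/p' |
        tr -d '" '
}

# Number of scripts in a category. Quoting the word matches the category
# field only; a bare "discovery" would also hit file names like
# smb-os-discovery.nse. $1 = script.db text, $2 = category.
count_category() {
    printf '%s\n' "$1" | grep -c "\"$2\""
}

# Bare-word occurrences of $2 (the "grep | wc" count the question asks for),
# shown for comparison with count_category.
count_word() {
    printf '%s\n' "$1" | grep -o "$2" | awk 'END { print NR }'
}

echo "dns-zone-transfer categories: $(script_categories "$SAMPLE_DB" dns-zone-transfer.nse)"
echo "scripts in discovery category: $(count_category "$SAMPLE_DB" discovery)"
echo "occurrences of the word discovery: $(count_word "$SAMPLE_DB" discovery)"
```

In the sample the category count is 4 but the word appears 5 times, because smb-os-discovery.nse carries it in its file name as well as in its category list; the real script.db has several such scripts, so state which count you mean when you report a number.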

Let's try another 'discovery' NSE script. Use the script "smb-os-discovery" in nmap, which tries to identify the OS, and details about the target such as computer name and domain name, via SMB services on the target. Run the script against the target 1 machine, limiting the scan to ports 137-139 (netbios).

Which ports may be running a TCP netbios service? (separate with a comma if more than one)

Open netbios TCP ports:

We may have to consider different transport protocols. Try the following to run both TCP and UDP SMB scans with a command similar to:

	nmap -n -sU -sS -p U:137-139,T:137-139 192.168.1.1 --script=smb-os-discovery

Which ports may be running a UDP netbios service? (separate with a comma if more than one)

Open netbios UDP ports:

What is the FQDN (Fully Qualified Domain Name) discovered for target 1? Remember this is case sensitive.

FQDN:

Tests - not attempted
Target 1 all services running UNTESTED
netbios TCP ports UNTESTED
netbios UDP ports UNTESTED
workgroup correct UNTESTED

You can run all the non-invasive nmap scripts on all ports on the target. See what you can discover. This uses the "-sC" flag.

What version of DNS BIND did you identify during this?

bind version:

Tests - not attempted
Target 1 all services running UNTESTED
Bind version correct UNTESTED

From your non-invasive nmap scripts output, review the FTP scripts output before moving on to the OpenVAS FTP scan results in the next question.

Question 10: OpenVAS Report for Target1 FTP Scan

Once your OpenVAS FTP vulnerability scan has completed, review the scan report, looking at the range of issues, the rating the tool has given each and mitigations suggested.

Total Vulnerabilities reported:

Highest Severity Reported:

Tests - not attempted
Task complete - port ftp UNTESTED
FTP Vulnerabilities Reported UNTESTED
Highest Severity UNTESTED

In the report from the FTP scan task, review the 'Backdoor Vulnerability'. Upon exploitation, this causes the server to listen on another TCP port for the attacker to connect to an interactive shell on the server. Which port number is used for the backdoor? Can you review the details of the vulnerability and find the Vulnerability Test Object ID number (VT OID)?

Backdoor port:

Last 6 digits of the VT OID:

Tests - not attempted
Backdoor port UNTESTED
VT OID last 6 digits UNTESTED

In a terminal window navigate to the OpenVAS plugin Vulnerability Test (VT) modules directory /var/lib/openvas/plugins. List the files and directories, piping into less, and ordering directories first with -g. Note how the more recent plugin modules are organised. Use grep to find the module associated with the FTP Backdoor vulnerability. Tip: use the VT Object ID and perhaps grep's recursion flag to search all sub directories.

OpenVAS Backdoor Vuln VT Script name:

Tests - not attempted
OpenVAS plugin script name UNTESTED
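Every VT module declares its OID in a script_oid() call, so the reliable way to map the OID from the report to a file is to grep recursively for that exact call. The script below is an added example, not part of the lab page: it builds a small throwaway plugin tree laid out like /var/lib/openvas/plugins and finds a module from the last six digits of its OID. The directory names, the two .nasl file names and the OIDs ending 999001 and 999002 are constructed placeholders; only the 1.3.6.1.4.1.25623.1.0. prefix is the real OpenVAS OID base. In the lab you would call vt_by_oid /var/lib/openvas/plugins with the digits from the report.

```shell
#!/bin/sh
# Added example (not from the lab page): locate a VT module by its OID in a
# plugin tree laid out like /var/lib/openvas/plugins. The tree, file names
# and OIDs below are constructed placeholders; only the prefix
# 1.3.6.1.4.1.25623.1.0. is the real OpenVAS OID base.

PLUGINS=$(mktemp -d)
trap 'rm -rf "$PLUGINS"' EXIT
mkdir -p "$PLUGINS/2011/example" "$PLUGINS/gb"
cat > "$PLUGINS/2011/example/example_ftp_backdoor.nasl" <<'EOF'
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999001");
  script_name("Example FTP Backdoor (placeholder)");
  exit(0);
}
EOF
cat > "$PLUGINS/gb/example_ssh_banner.nasl" <<'EOF'
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999002");
  script_name("Example SSH banner check (placeholder)");
  exit(0);
}
EOF

# vt_by_oid <plugins dir> <last 6 digits>: file name of the module whose
# script_oid() ends in those digits. Anchoring on the full prefix and the
# closing quote avoids matching the digits inside CVE references, other
# OIDs or version strings elsewhere in the modules.
vt_by_oid() {
    grep -rl "script_oid(\"1.3.6.1.4.1.25623.1.0.$2\")" "$1" | sed 's|.*/||'
}

echo "backdoor VT script: $(vt_by_oid "$PLUGINS" 999001)"
```

The grep -l flag prints only the matching file names, which is what the question asks for; drop it if you also want to see the matching script_oid() line for confirmation.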



Linuxzoo created by Gordon Russell.
© Copyright 2004-2023 Edinburgh Napier University