If you can see this check that

Main Page


Active Recon - Network Scanning, Enumeration and Vulnerability Scanning

User:
Password:

Authors: Rich Macfarlane, Gordon Russell

This practical covers an more in-depth network discovery, system enumeration, and active vulnerability scanning. Remember if you try these in your own machine make sure you have permission, as running these on or over system you have no permissions for is likely illegal.

To reset all the check buttons from a previous attempt click here

Question 1: Power On Target 1

Press this button to boot the virtual machine target system used in this praactical lab. If your machine is reset or you reboot then you may have to launch the target system again with this button.

Note that this target can take a few minutes to boot, as it has many processes running many services.

Tests - not attempted
Script ready UNTESTED
Target network UNTESTED
Target 1 UNTESTED

The machine can take a few minutes to warm up. Press the test button to see if it is running fully. So long as the network of the target is running, you can continue for a few questions until OpenVas is ready to scan.

Tests - not attempted
Target 1 network running UNTESTED
Target 1 started UNTESTED
Target 1 all services running UNTESTED

Question 2: Target Network

Target 1 lies somewhere in the 192.168.1.1 - 192.168.1.254 host range. Use "ip route show" to check which network interface on your Kali Linux VM is connected to the target network (the network which target 1 is running on). You can identify it by looking at the output, finding the line involved with the target subnet, and looking for the "dev".

Target network device:

Tests - not attempted
Gateway network device UNTESTED

What is your machine's IP number on the target network?

Your IP:

Tests - not attempted
Local IP UNTESTED

Question 3: Network scanning - Target Host Discovery with nmap

Use nmap to sweep the target network for live hosts, and identify the IP address of target 1. Use the appropriate flags so that no port scanning is done and no name resolution is performed.

What flag specifies no port scanning is performed (include the "-" character)

What flag specifies no name resolution (include the "-" character)

Target IP:

Tests - not attempted
Target IP UNTESTED
Flag 1 is right UNTESTED
Flag 2 is right UNTESTED

Question 4: Target Port Scanning with nmap

Now we have identified the target system, lets port scan for services it may be running. How many or the top 1000 most common tcp ports are open on the target?

Open TCP Ports:

Lets also check for UDP services running. Scan for the top 10 most common UDP ports on the target? Warning... a top 1000 scan takes about 15 minutes...

Open UDP Ports:

Tests - not attempted
Target 1 all services running UNTESTED
Open TCP ports UNTESTED
Open UDP ports UNTESTED

Question 5: OpenVas Vulnerabiltiy Scanning

We would like you to try a scan on the target system using the OpenVAS Vulnerability Scanner. We need to start the OpenVAS system, which can take a minute to run the first time. You can check the services it runs using ss -at before and after starting OpenVAS, including the web application we will use to run our scans. Also review the output displayed in the terminal window when OpenVAS starts. Start OpenVAS, and set up the scan we will perform, but do not start the scan itself until told... see below

From Kali Linux, start openvas from the menu 02 - Vulnerability Analysis -> gvm start

OpenVAS Web Application Port Number:

Tests - not attempted
gvm - security assistant UNTESTED
gvm - manager UNTESTED
gvm - scanner UNTESTED
OpenVAS Web App Port UNTESTED

In the OpenVAS web client, connect to the local host and web app port number, log in and from the OpenVAS Dashboard create the following:

  • Configure a List of Ports to scan for vulnerabilities called "port ssh" which is set to port 22
  • Create a Target called "target1" with the target system's IP Address we found previously and add the Port List we created for port 22 only "port ssh", and skip the host discovery (Alive Test).
  • Create a new Scan Task "ssh scan target1" which scans "target1". Make the Maximum concurrently executed NVTs per host 20.
  • ONCE ALL OPENVAS SERVICE CHECKS ARE PASSED you can start the task "ssh scan target1".
  • The scan can take a few minutes. While waiting for the scan to complete you can run another Terminal window and check the traffic being created with tcpdump -nv on the correct target network interface (identified previously), and then go onto the next question.

The username is "admin" and the password is "kali".

Tests - not attempted
Target 1 all services running UNTESTED
task target1 UNTESTED
ssh scan UNTESTED
port ssh UNTESTED

Question 6: Target Enumeration - Service Versions

While OpenVAS is running the vulnerability scan lets enumerate the target for other services.

We can use netcat and connect and get the banner announcment for the target vnc server. Experiment with the flags "-n -v" and "-w 1", rather than "-z" for port scanning only. This will close the connection after 1 second, gicing enough timeout to get a banner if the service is running.

VNC Banner:

Tests - not attempted
Target 1 all services running UNTESTED
Banner announcement UNTESTED

Use the same technique to isentify the OpenSSH version of the target. Get this from its banner, where the version lies in the characters immediately after "OpenSSH_" but before the next space character.

ssh version:

Tests - not attempted
Target 1 all services running UNTESTED
Banner announcement UNTESTED

Use that version number for ssh and locate an CVE exploit which affects that version which was published in November 2008. Specify it in its full name, e.g. CVE-1999-1234. Case sensitive.

CVE 2008:

Tests - not attempted
CVE 2008 for ssh UNTESTED

Use netcat as a client to connect to the target on a range of services, to fingerprint the ports which are open:

echo "" | nc -v -n -w1 target_IP 20-100
Remember to replace target_IP with the target's IP number.

What version of FTP Server is reported?
FTP Server name:
FTP Server version:

Tests - not attempted
Banner announcement UNTESTED

Question 7: OS Fingerprinting

Use xprobe2 to identify what sort of machine target 1 is. Save that information to /root/info1. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").

Linux major version:

Tests - not attempted
Target 1 all services running UNTESTED
info1 looks ok UNTESTED
Version ok UNTESTED

Use nmap with "-O" to identify what sort of machine target 1 is. Save that information to /root/info2. Ignoring the final version number, what version of Linux is this (so if the version is "2.1.16", just enter "2.1").

Linux major version:

Tests - not attempted
Target 1 all services running UNTESTED
info2 looks ok UNTESTED
Version ok UNTESTED

Compare the major version information and evaluate the results.

What is the reason for the result?

Tests - not attempted
Reason UNTESTED

From Kali, in a terminal window perform two tcpdumps to capture the nmap OS fingerprint packets sent, filtering on the target host address (e.g using the HOST filter), and not doing name resolution. Remember the interface is br0.

First capture with tcpdump the packets generated when using xprobe to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump1 using standard redirection.

Secondly capture with tcpdump the packets generated when using nmap to fingerprint the target using the same procedure as earlier. Save the output of tcpdump to a file /root/dump2 using standard redirection.

Look at the number of packets generated by each tool:

Tests - not attempted
dump1 valid UNTESTED
dump2 valid UNTESTED
Reasoning sound UNTESTED

Question 8: OpenVAS Report for SSH Scan

At this point hopefully your ssh scan has completed. It tends to sit at 1% for a while, then again pause at 98%. You should never rush openvas...

From the report from this task, read the report and look at the "High" security risks. One problem identified is that there is a "default Credentials" problem. Look at that NVT and enter below the username and password that it is worried about. If it finds multiple ones, look for one with a username starting with a 'u'.

Username: Password:

Tests - not attempted
User correct UNTESTED
Password correct UNTESTED
Task complete - port ssh UNTESTED

We can try another targeted vulnerability scan agsint the target system using OpenVAS, to assess the FTP service identified previously.

In the OpenVAS web client, carry out a scan on the FTP port:

  • Create a new Port List for only the FTP port called "port ftp"
  • Create a Target called "target1 ftp" for our target system, but with the FTP Port List.
  • Create a new Scan Task "ftp scan target1" which scans "target1". Again set the Maximum concurrently executed NVTs per host 20.
  • Start your new scan task "ftp scan target1".
  • The scan will again take a few minutes. You can again monitor the traffic being created with tcpdump, and then go onto the next question.
Tests - not attempted
Target 1 FTP services running UNTESTED
Port List for FTP UNTESTED
Target target1 ftp UNTESTED
Task ftp scan target1 UNTESTED

Question 9: Nmap Scripting Engine (NSE)

One of the most powerful features of nmap is its scripting engine which permits nmap to execute scripts against a target to gather more interesting information. Some of these scripts can also be used to launch simple exploits such as a Telnet brute force attack. This section will demonstrate how to use the scripts and will also point to some issues that you may encounter when using scripts. The complete list of scripts is available on the nmap web site.

A complete list of Nmap Scripts is available on the nmap web site:
http://nmap.org/nsedoc/scripts/

Locate the nmap script directory using:

	locate ".nse" 

What directory are the NSE script stored in:

Tests - not attempted
Location correct UNTESTED

Look at the script.db file in this scripts directory. Open it with less or vi and look for the categories that the dns-zone-transfer script is in.

Categories (no spaces, list seperated by commas):

Can you use grep on the file contents and pipe to wc, to find how many NSE 'discovery' category scripts there are available in total. To answer this question, just count how many times 'discovery' appears in the script.

Tests - not attempted
Categories correct UNTESTED
Number of discovery scripts UNTESTED

Lets try another 'discovery' NSE script. Use the script "smb-os-discovery" in nmap, which tries to identify the OS, and details about the target such as computer name and domain name, via SMB services on the target. Run the script against the target 1 machine, and limiting the scan to ports 137-139 (netbios).

Which ports may be running a TCP netbios service? (separate with a comma if more than one)

Open netbios TCP ports:

We may have to consider different transport protocols. Try the following to run both TCP and UDP SMB scans with a command similar to:

	nmap -n -sU -sS -p U:137-139,T:137-139 192.168.1.1 --script=smb-os-discovery

Which ports may running a UDP netbios service? (separate with a comma if more than one)

Open netbios UDP ports:

What is the FQDN (Fully Qualified Domain Name) discovered for target 1? Remember this is case sensitive.

FQDN:

Tests - not attempted
Target 1 all services running UNTESTED
netbios TCP ports UNTESTED
netbios UDP ports UNTESTED
workgroup correct UNTESTED

You can run all non invasive nmap script on all ports on the target. See what you can discover. This uses the "-sC" flag.

What version of dns bind did you identify during this.

bind version:

Tests - not attempted
Target 1 all services running UNTESTED
Bind version correct UNTESTED

From your non invasive nmap scripts output review the FTP scripts output before moving onto the OpenVAS FTP scan results in the next question.

Question 10: OpenVAS Report for Target1 FTP Scan

Once your OpenVAS FTP vulnerability scan has completed, review the scan report, looking at the range of issues, the rating the tool has given each and mitigations suggested.

Total Vulnerabilities reported:

Highest Severity Reported:

Tests - not attempted
Task complete - port ftp UNTESTED
FTP Vulnerabilities Reported UNTESTED
Highest Severity UNTESTED

From the report from the FTP scan task, review the report for the 'Backdoor Vulnerability'. Upon exploitation, this causes the server to listen on another TCP port for the attacker to connect to an interactive shell on the server. Which port number is used for the backdoor? Can you review the details of the vulnerability and find the Vulnerability Test Object ID number (VT OID)?

Backdoor port:

Last 6 digits of the VT OID:

Tests - not attempted
Backdoor port UNTESTED
VT OID last 6 digits UNTESTED

In a terminal window navigate to the OpenVAS plugin Vulnerabilty Test (VT) modules directory /var/lib/openvas/plugins. List the files and directories, piping into less, and ordering directories first with -g. Note how the more recent plugin modules are organised. use grep to find the module associated with the FTD Backdoor vulnerability. Tip: use the VT Object ID and perhaps grep's recursion flag to search all sub directories.

OpenVAS Backdoor Vuln VT Script name:

Tests - not attempted
OpenVAS plugin script name UNTESTED


Centos 7 intro: Paths | BasicShell | Search
Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net SELinux1 SELinux2 fwall DNS diag Apache1 Apache2 log Mail
Caine 10.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Mock Exam |
Caine 13.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Registry | Mock Exam |
CPD: Cygwin | Paths | Files and head/tail | Find and regex | Sort | Log Analysis
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Kali 2020-4: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7 | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2024 Edinburgh Napier University