Active Recon - Network Scanning and Enumeration

What is the primary IP address of your virtual machine network connection? If you have multiple connections for some reason this is the ethernet device related to eth0. You should use the "ip" command for this (not ifconfig as this is very old and weak). You can use "ip help" to discover the options. The "addr" option is what we want here, and again you can discover more with "ip addr help". If you want to jump to the answer, try "ip addr show".

Machine ip :

This time use "ip link help" and "ip link show" and find out the mac address of eth0. Enter it in the format 00:00:00:00:00:00 using lowercase.

Machine mac:

This time use "ip route help" and "ip route show" and find out the IP address of your machine's gateway. The gateway is where your packets would be sent if it is destined for an IP address which is not in the local subnet.

Machine gateway:

Look into /proc/net/arp. What is the mac address of the gateway? Enter it in the format 00:00:00:00:00:00 using lowercase.

Gateway mac:

Run Wireshark in Kali. It can be found in the graphical menu.
9. Sniffing & Spoofing -> Wireshark
Start a live capture, and in a kali terminal "ping" the machine at 10.200.0.1 with 5 pings (you can use the "-c" option of ping for this, or press CTRL C to stop the ping). This ping should send a number of ping request packets, and if the network is operating correctly and the a target is up, you should receive a corresponding number of ping response packets.

What does wireshark report:
is the length of a ping packet:
is the ICMP type number of a ping request packet:

Now, open another terminal window, and use tcpdump to check its options using -h. Which tcpdump flag:
is used to display the list of network interfaces: -
is used to display numerical port numbers and not perform DNS host resolution: -

Now start a tcpdump capture on eth0, using numerical output for hosts and ports and displaying the contents of sniffed packets in Hex and ASCII. In your other kali terminal use ping again to send just a few packets to 10.200.0.1. It may not be obvious where the ICMP type is in the tcp dump output. Try clicking on it in Wireshark, and comparing the data pane (pane 3 in Wireshark) with the tcpdump Hex and ASCII output!

As tcpdump on eth0 requires administrator privilages, run it using sudo tcpdump.

What does the tcpdump output show:
What is the protocol of the ping packets:
What are the last 8 charcters in the content of each ICMP packet's data:

In this set of questions you will learn how to script the ping tool to for a range of IP addresses. This is particularly useful when you are using a network command which normally only targets a single machine but you want to target a range of IP numbers, such as with network sweeping.

Firstly, ping 10.200.0.1 using "-c 1" (so only send a single packet exchange). What is the TTL of the response to this ping packet?
TTL:

It is possible to use bash variables in commands. One way is to set a variable using a for loop construct. Look at the following example:

for i in {1..10}; do mkdir /home/kali/newdir$i; done;

Consider another example:

for i in {1..10}; do echo 10.200.0.$i; done;

In this question you will use a bash for loop and ping to investigate automation of network scanning for hosts. Wireshark is excellent for packet analysis, but sometimes it can be resource hungry, so this time use tcpdump to capture a ping sweep. The tcpdump tool allows us to capture network traffic on a particular network device from the cmd line.

Make sure you have two terminal windows open. In one window, which will deal with the monitoring of the network, we will use tcpdump to sniff for ICMP traffic and redirect the output to a file:

tcpdump -vn -ieth0 icmp > /home/kali/dump1

In the other terminal window, which in turn will generate the packets during the experiment, do the following REPLACING ?????? with suitable parameters to make the loop go from 1 to 30, and for the ping to send packets to 10.200.0.1 up to 10.200.0.30, depending on i.

for i in {?????}; do ping -W1 -c1 ?????; done;

How many live hosts has the ping sweep found:

Once complete stop the tcpdump capture.

Use cat or less to examine the packet capture, and locate the ICMP echo reply packets. The ICMP packet is contained within an IP packet, and the related IP header information is on the line just before the ICMP information. From that information, discover the IP packet id number for the last received echo reply.

ICMP Packet - IP Header Id number:

Use grep and wc. How many echo requests were sent?

Number of echo requests:

Use grep, looking for packets with "echo reply", and use the '-B1' to also show the line immediately before the line which matches (which contains the packet header information of the reply). Sometimes the ttl is 64, but sometimes the ttl is something else.

What is the other ttl:
Why? The response was sent slower in this case The response was changed by a firewall The response was scoially engineered The response came from a machine with a different default ttl The ttl is smaller as the machine in question is nearer in terms of network hops The ttl is smaller as the machine in question is further away in terms of network hops Switches use one ttl, routers use another Compression was used in one case The TTL only indicates the number of milliseconds it takes to process the icmp packet

Sometimes it's useful to be able to filter out traffic we aren't interested in. Use tcpdump again, but this time capture only traffic which is not LinuxZoo remote administation traffic. So, ignore ssh and telnet traffic using a filter.

tcpdump -ieth0 -vn not port ssh and not port telnet

We can use the arping tool to check if a host on a local network is up. Try: "arping -ieth0 -c2 10.200.0.1", replacing the IP "10.200.0.1" with the IP of your virtual machine gateway address.

What is the protocol arping has used to sent the host discovery packets?
arping protocol:

What is the packet length of the reply to the arping from your gateway?
packet length:

Use the "ip route show" command and identify the start and end address (not including the network number and broadcast address) of your virtual machine's network. Use the network number and netmask to make this calculation from the "ip route show" command output.

Start IP:
End IP:

#!/bin/bash
for i in {0..150}; do
	arping -c 2 192.168.100.$i | grep 'bytes from' | awk '{print " possible target up at: " $4 " " $5}' | sort -u
done

In the "for" loop, which currently pings 0 to 150 IPs, change this to be the last octet of the start and end ip you identified in the previous question so we can find all the hosts on our network. Where the script has "192.168.100." change this to the first three octets of your network IP from the previous question.

Run the command using "sudo ./arpbash", but save the output to dump3 in /home/kali.

Look at the file and identify the first IP number it has found.
IP:

Gathering information on a target network topology, including network devices and other infrastructure, could be useful during a test. Attackers may also check Internet connectivity from machines inside an organisations network, such as to test if communications to a Cmd and Ctrl Server could be extablished.

In order for your virtual machine to reach the internet, it's packets travels through a number of virtual networks. The final network gateway node is 10.200.0.1.

Using traceroute, investigate the route to reach 10.200.0.1. Try traceroute using its default settings with traceroute -n 10.200.0.1, while in another terminal window monitoring the traffic using tcpdump, including the ASCII packet content.

What is the protocol traceroute has used to sent the network tracing packets?
traceroute protocol:

In the contents of the packets what are the first 4 characters after the @ symbol?
traceroute packet content:

Num of hops:
Use dig to perform a reverse DNS lookup to find the Hostname of last hop:

In the contents of the packets what are the 4 characters before the [ symbol in the ICMP packet payload?
traceroute packet content:

The nmap network scanning tool can be used for a variety of different types of recon and info gathering. We will learn how to configure and use various different types of scans, starting with host discovery, and then port scanning.

Review the help for the nmap network scanning tool using the -h option. Check the section on host dicscovery. The online documentation is good also: https://nmap.org/book/man-host-discovery.html

nmap -h | less

nmap -sn -n 10.200.0.1

How many different network packets/methods are sent by nmap for host discovery:

To compare to host discovery on a local network, run nmap, to perform only host discovery on a single host again, but this time against the host which was found by your arping scan, which should be in your dump3 output file. In your 2nd terminal window again have tcpdump running to monitor the network traffic generated.

What is the type of packets nmap has used for host discovery on the directly connected network - which protocol?
nmap packet type (use upper case):

Now lets run nmap, to perform host discovery on a section of a remote network, and save the output as a grepable data file.

nmap -PE -oG /home/kali/out1 -sn 10.200.0.1-20

This saves the search information as a file called /home/kali/out1 in a "grepable" format. Review the file contents once you have created it, taking note of the traffic and protcols used, and the configuration option -PE for host discovery.

How many live hosts has the host discovery scan found:

Which protocol have we configured nmap to use for host discovery? (use upper case):

Process this output file out1, and generate a file "out2" with only the IP addresses of machines which are up; our target machines.

grep Up /home/kali/out1 | cut -d" " -f 2 > /home/kali/out2

Now that our Host Discovery has found some live hosts/target machines, we can focus on the services running on these targets.

While port scanning, always have another terminal window open, and tcpdump running to monitor the scanning packets being created by the tools. Typically tcpdump with -vn is sufficient and add -X if you want to see the content of the packets.

Use nmap to analyse the ports open on 10.200.0.1. As large scale scanning can take a long time to run, restrict your port scan to TCP ports between port numbers 50 to 100 inclusive. List the open port numbers you find with commas between them in the box below (e.g. if ports 50 and 60 are open, the answer would be "50,60"). The numbers in your list must be sorted (smallest number first), and the box is space sensitive so dont have extra spaces!

IMPORTANT. Linuxzoo security may shut you down if you produce too many packets too quickly! Use the following options for nmap to control the scanning traffic generated, or you may be shunned or exited from LinuxZoo. Even with these controlled scanning options, scans can take quite a few seconds to complete.

nmap 10.200.0.1 -n -p50-80 --max-retries 3

Open ports:

Stop the tcpdump monitoring. Review the first 4 packets sent by nmap. Review the help, and identify the flag to stop these from being sent: -

Use a tcpdump filter to only capture traffic to or from port 80.

sudo tcpdump -vni eth0 port 80

Capture the port 80 traffic generated, while using nmap to carry out a port scan of the target at 10.200.0.1 using a fully connect scan, with -sT. Store this information in /home/kali/nmapfull.

Now you have identified the nmap 'no host discovery' flag -Pn, always use this if the live host is known, to save extra packets being generated.

nmap full connect port scanning

Using 'S' for SYN, '.' for ACK, and 'R' for RST (which is how tcpdump shows the "Flags" in the tcpdump), state the handshake involved in the 'full connect' scan captured in the previous question. Seperate each packet with a comma. For instance, if the handshake on port 80 was SYN, then ACK, then SYN+ACK, then the answer would be "S,.,S.".

Handshake in nmapfull:

Use tcpdump to only capture traffic involving port 80.

tcpdump -vni eth0 port 80

Capture the port 80 traffic generated, while using nmap to carry out a port scan of 10.200.0.1 using a SYN/half open scan. Store this information in /home/kali/nmapsyn. Remember to continue to use the nmap 'no host discovery' flag!

nmap half open port scanning

Using 'S' for SYN, '.' for ACK, and 'R' for RST (which is how tcpdump shows the "Flags" in the tcpdump), state the handshake involved in the full scan captured in the previous question. Seperate each packet with a comma. For instance, if the handshake on port 80 was SYN, then ACK, then SYN+ACK, then the answer would be "S,.,S.".

Handshake in nmapsyn:

Continue using tcpdump to capture all traffic using flags -nnv

Carry out a port scan of 10.200.0.1 for the top 30 ports defined in nmap's services file, using a SYN/half open scan. Remember to continue to use the nmap 'no host discovery' flag, and the numeric/no DNS lookup flags!

Consider the first port found using this approach. Review nmap's services file. What is the frequency value of the first port found to be running on the target, which is least often seen running on the Internet (to 3 dec places):

From the nmap services file, the protocol is more frequently run on a different transport protocol. Run an appropriate nmap scan on this port to check if it running on the target. Then run a port scan for the top 5 ports for that transport protocol. What is the service found running with the highest frequency in the nmap-services file:

nmap Port Scanning with Version Fingerprinting

Port 80 version:

Repeat the above scan, but introduce "--version-trace". This flag means nmap will output detailed trace information about the version fingerprinting/matching it is carrying out. It will highlight the fingerprint it matches on for the each service it identifies, or if it does not have a match it will direct the user to report the new service fingerprint. Look in the nmap trace information for the 'Service Scan Match', where it details the GetRequest fingerprint it has matched on. It should display the line number of the specific service fingerprint it matched on from nmap's services probes file.

Line of nmap-service-probes:

Use "locate" to find the nmap-service-probes definition file, and then do

head -LINE FILE | tail -1

First 2 words of the line:

Use nmap, limiting yourself to port 80, and perform OS fingerprinting of 10.200.0.1. Save the output of running this command to /home/kali/finger. Have a look at the file too, and see what nmap thinks 10.200.0.1 is.

Switch to using netcat, and perform a similar portscan. Review the help for the flags used inour scan below. Note "-z" which means no data is sent. We don't want to comminucate with the service yet, and only check the port is open. When we move onto Service Fingerprinting/Version Scanning we will want to send data.

nc -vv -n -z -w2 10.200.0.1 50-80

What message do you get for port 50? Connection refused Connection timed out Open Closed Ready Active Firewalled Port not recognised Scan could not be completed due to ARP error

Use wireshark or tcpdump, and monitor the netcan scan of the previous question. What sort of scan does this command do by default?

What type of scan? Stealth Inverse Scan ACK Scan Invertive Scan Reflective Scan Half-Open Scan Full-Connect Scan 25%-Open Scan Njerix Scan