Lesson 3: Passive and Active Reconnaissance


Passive Reconnaissance

Exercise 3.1

  1. Using your own system (e.g., desktop, laptop, or Kali Linux VM), find your public IP address and look up all the information you can about it.
  2. Try whatsmyip.org or ipchicken.com
  3. Pick a random company or institution that is not a Fortune 500 company or a big Internet service provider (ISP), so that it is harder for you to find information about it. Do NOT launch any active recon against such an organization.
    1. You can use Maltego for this. Watch this video if you are not familiar with Maltego.
  4. Also use recon-ng and theHarvester. If you want a refresher on how to use these tools, watch this video and this one.
    1. Find any information you can about the network infrastructure:
    2. Registered domain names
    3. IP Address allocations
    4. Open services and banners

Leverage the tools listed at: theartofhacking.org/recon


Active Reconnaissance

Exercise 3.2

  1. Review the Active Recon videos part of the Security Penetration Testing The Art of Hacking Series LiveLessons.
  2. Launch nmap from your Kali Linux box.
  3. Only scan devices that are in your lab! As we discussed in the class, the best way to do this is to build a local lab with virtual machines on a segregated network. Using nmap, try to learn which hosts are active in your network and all the "victims" you can find.
  4. Once you find all the active hosts, try to find all the open TCP and UDP ports on those machines. nmap doesn't scan all ports by default; it limits itself to the 1000 or so most common ports. Figure out how to overcome this limitation.
  5. Add Server Version checks (nmap -sV) to gain more information.

NMAP Cheat Sheets

Exercise 3.3

  • You can add the results from nmap to the Metasploit database. In order to do so, start the postgresql service:
root@kali:~#  systemctl start postgresql.service
root@kali:~# systemctl status postgresql.service
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: active (exited) since Wed 2018-02-21 22:59:18 EST; 7s ago
  Process: 3432 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 3432 (code=exited, status=0/SUCCESS)

Feb 21 22:59:18 kali systemd[1]: Starting PostgreSQL RDBMS...
Feb 21 22:59:18 kali systemd[1]: Started PostgreSQL RDBMS.
root@kali:~#
  • Initialize the msf database:
root@kali:~# msfdb init
Creating database user 'msf'
Enter password for new role: 
Enter it again: 
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
root@kali:~#
  • Launch msfconsole.

    root@kali:~# msfconsole 
    msf > db_status
    [*] postgresql connected to msf
    msf >
    
  • Use db_nmap instead of nmap. For example:

    msf > db_nmap -sV 192.168.78.8
    [*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-21 23:02 EST
    [*] Nmap: Nmap scan report for 192.168.78.8
    [*] Nmap: Host is up (1.1s latency).
    [*] Nmap: Not shown: 994 closed ports
    [*] Nmap: PORT     STATE    SERVICE     VERSION
    [*] Nmap: 22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
    [*] Nmap: 80/tcp   open     http        Apache httpd 2.4.10 ((Debian))
    [*] Nmap: 139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    [*] Nmap: 445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    [*] Nmap: 514/tcp  filtered shell
    [*] Nmap: 8080/tcp open     http-proxy
    [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 27.10 seconds
    msf >
    
msf > services

Services
========

host          port  proto  name         state     info
----          ----  -----  ----         -----     ----
192.168.78.8  22    tcp    ssh          open      OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 Ubuntu Linux; protocol 2.0
192.168.78.8  80    tcp    http         open      Apache httpd 2.4.10 (Debian)
192.168.78.8  139   tcp    netbios-ssn  open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.78.8  445   tcp    netbios-ssn  open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.78.8  514   tcp    shell        filtered  
192.168.78.8  8080  tcp    http-proxy   open      

msf >
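As an added example (not part of the course material or of Metasploit), the same inventory that db_nmap stores in the services table can be built from nmap's -oX XML output; the XML below is constructed by hand to mirror the scan of 192.168.78.8 above, and BASELINE is a hypothetical list of the services this lab host is expected to expose, so the script also flags open ports that drift from it (here 8080).

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output mirroring the db_nmap -sV scan of 192.168.78.8 above
# (not real scan data; ports and banners copied from the page, XML skeleton hand-written).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.60">
  <host>
    <status state="up"/>
    <address addr="192.168.78.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.10"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="514"><state state="filtered"/>
        <service name="shell"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

def parse_services(xml_text):
    """Return one dict per port, in the same shape as Metasploit's `services` table."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            # Version info is only present when -sV identified a product/version.
            info = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            rows.append({"host": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                         "name": svc.get("name", "") if svc is not None else "",
                         "state": port.find("state").get("state"), "info": info})
    return rows

def unexpected_open(rows, baseline):
    """Open services not in the per-host baseline of (port, proto) pairs: changes worth investigating."""
    return [r for r in rows if r["state"] == "open" and (r["port"], r["proto"]) not in baseline.get(r["host"], set())]

# Hypothetical baseline of what this lab host is expected to expose (8080 is deliberately absent).
BASELINE = {"192.168.78.8": {(22, "tcp"), (80, "tcp"), (139, "tcp"), (445, "tcp")}}

if __name__ == "__main__":
    rows = parse_services(NMAP_XML)
    for r in rows:
        print(f"{r['host']:14} {r['port']:<5} {r['proto']:5} {r['name']:12} {r['state']:9} {r['info']}")
    for r in unexpected_open(rows, BASELINE):
        print("UNEXPECTED:", r["host"], r["port"], r["proto"], r["name"])
```

Rerunning the scan and diffing against a saved baseline is a simple way to notice new services appearing on lab hosts between exercises.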

Exercise 3.4

  1. Open Wireshark and listen to the traffic on the interface that you have connected to the network.
    1. What protocols are present?
    2. Filter for:
      • arp
      • netbios
      • rip
      • udp.port == 53
      • etc.
      

Exercise 3.5


go to lesson 4...
