SI110: Network Reconnaissance Lab

This lab focuses on the practical application of techniques discusses in the Cyber-Recon lecture. Your class will be split up into a Gold team and a Blue team, where each team will gather as much information as possible about the security posture of the opposite team. The purpose of this task is, of course, to prepare you all for the inevitable cyber attack against your opponent that will follow next week.

Just as Marines and Sailors train for combat in controlled environments for reasons of safety and security, we will conduct our cyber operations in a controlled virtual environment. This lab and the next two labs take place in a virtual computer network, which your instructor will explain in lab.

Useful Linux Commands
Linux Command	Windows Equivalent
ls	dir
pwd	cd
cd path	cd path
cat	type
ping	ping
ifconfig	ipconfig
nslookup	nslookup
traceroute	tracert
nmap	n/a
nc	nc

A more complete reference can be found here.

Basic Reconnaissance Using Backtrack

Like the Windows command prompt, the Linux shell is your interface to the operating system. Some commands are the same, some are very similar, and some are very different. A list of useful commands and their Windows command equivalent (if applicable) is provided in the adjacent note. Keep in mind: UNIX commands are case sensitive!

To get you started, I'm going to step you through the reconnaissance of the instructor station, www.red.net. Let's begin with defining the outermost barrier to the target.

The Network Barrier

Use traceroute to determine all of the routers between you and your target, www.red.net. Enter the following command in the terminal:

traceroute -n www.red.net     NOTE: the -n option means no name resolution,
                                    just IP's.  It's faster that way.

The router that is one hop away from the target is typically the target host's gateway router, which controls access to the target network with a firewall.

Your traceroute output should look like this:

From Blue     From Gold
1.1.1.1       2.2.2.1          NOTE: If you see a
191.23.24.2   191.23.24.17           bunch of *'s,
191.23.24.6   191.23.24.9            try running the
3.3.3.3       3.3.3.3                command again!

      Equivalent Map for both options:

      [You]-----(R)-----(R)-----(R)-----[target]

Note: www.red.net resolves to 3.3.3.3. Additional information about traceroute is located here.

Use ping to verify that www.red.net is alive (which we know it is since it is hosting this web page). This is a very important verification used to determine the ACL rules of the firewall, if present. If you receive a reply from the target, then you now know echo (ping) requests and replies are not filtered by the firewall.
```
ping www.red.net
```

The Host Barrier

We know www.red.net is running http service because we were able to open a webpage from it. This tells us that port 80 is open on the target host and destination port 80 is not filtered by the firewall, if present. Port 80 should go on a list of potential entry points. To gain some clue as to which web server is running on www.red.net (so we can research its vulnerabilities later), connect to it using netcat.
```
nc -v 3.3.3.3 80
```
Once connected, request an http document by typing the following:
```
GET / HTTP/1.0 ⇦ enter
⇦ enter
```
Search the response near the top for the line beginning with "Server" to see the http service family name and version. This is known as "banner grabbing" and it can be attempted on any port to gain information of a service. Though it will not always yield any useful information, it is always worth trying.
Probe other ports to determine other potential infiltration points on the target host and to further determine firewall rules, if present. Below are two examples:
If a connection was made, typing help usually gets some sort of response from a target.
- Test for ssh:
```
nc -v 3.3.3.3 22
```
  The connection was refused and now you know that the target is not listening on port 22.
- Test for smtp (e-mail):
```
nc -v 3.3.3.3 25
```
  Once connected, you should see the following message:
```
220 mail.red.net ESMTP Postfix (Ubuntu)
```
  Enter quit to terminate the connection as shown below.
```
220 mail.red.net ESMTP Postfix (Ubuntu)
quit ⇦ enter
```
There is nothing prepared for you to find about user account login information for the www.red.net target, but typical targets will have an organization website to scour for clues. Visit the website of the target organization and peruse every page, taking note of anything you think may help you gain access to or escalate privileges on a host on the target network.

The Network Mapper

Using the methods described above to gather information about an enemy network could take a very long time. You would have to continue probing ports using netcat to systematically attempt a connection to the all 65,535 ports to determine which other ones were open. When you were done with that, you could then ping the remaining 252 IP addresses on the red network to determine which other hosts exist and then use netcat to get their open ports... but we do not have that kind of time to waste. Instead, you will use nmap to do all that for you.

Now, to help familiarize you with nmap, I will step you through the collection of data on the instructor's red network before you scan your opponent's network:

Some of the nmap scans may take several minutes to complete. It is recommended that you open up a separate terminal dedicated to scans.

Ping scan the red network with the -sn option:
```
nmap -sn 3.3.3.1-255
```
You now have a list of hosts that are up (powered on) and responding to echo requests (pings) on the red network.
Note: you should see 3.3.3.1, 3.3.3.2, and 3.3.3.3
On to port scanning of those hosts using the -sS option:
```
nmap -sS 3.3.3.1,2,3
```
The -sS option performs a port scan of 1000 commonly used ports of each target host and reports a list of open ports. Notice that the protocols are given for each open port. Nmap is only reporting the protocol that is registered for each port with IANA.
Note: you should see ports 25, 53, 80, and 110 open on 3.3.3.2 and 3.3.3.3 and all 1000 ports closed on 3.3.3.1.
Nmap can try to get the actual service names and version numbers of the services running on a target's open ports. The commandline option for this is -sV,. The following example will probe the open ports on the targets for service names and versions.
```
nmap -sV 3.3.3.1,2,3
```
nmap reports specifics about the programs providing the services on each host.

Note: The program version for the http (web) service not only indicates that it is Apache (well known program), but also indicates the operating system on which it was compiled on. Ubuntu is a widely used Linux distribution.
Now, you should have names and version data for several services on your targets. Next, you will use nmap to probe each target for information about its operating system. This is done with the -O option (that is a capital letter oh, not zero).
```
nmap -O 3.3.3.1,2,3
```
nmap is able to determine that 3.3.3.2 and 3.3.3.3 are both running Linux, but unable to determine what 3.3.3.1 is running.

Note: OS detection will not always possible for various reasons, but even when OS detection is possible, the guess may not be accurate. Take note of OS detection results to compare with other indications you find, but never accept them alone as fact.

Some additional information about using the nmap command can be found here.

Target Diagram

From our reconnaissance of the instructor station's network, we know that there seems to be no firewall. We know this because all of the ports reported by our nmap scans were either open or closed. If there were an active firewall, some ports would have been reported as filtered. So, the network barrier is like a sieve - full of holes. We also know that there are 3 hosts sharing the instructor's network and the ports that are open on each. The diagram to the right is a visual representation of what I just described. At the end of this lab, you will create a diagram of your target network.

Your Objective

You are provided the following information:

Publicly Available Information
	blue.net	gold.net
IP block:	1.1.1.1-255	2.2.2.1-255
DNS Server:	1.1.1.64	2.2.2.187

You will be trying to obtain the following information:

Your host IP address and its domain name A list of IP addresses and hostnames for key hosts on your network. A list of target host IP addresses and their domain names For each target host: a list of open ports and the service running on them name and version information for each running service operating system name and version	⇦ Fill in front of worksheet
A network map showing all routers between you and your opponent. A list of usernames and potential passwords A concentric circle diagram of the target network	⇦ Draw on back of worksheet

Recon Your Opponent's Network

Using the guidance below, gather as much information as possible about your opponent's network, in the given time.

Some of the nmap scans may take several minutes to complete. It is recommended that you open up a separate terminal dedicated to scans.

Use nmap to gather information about your opponent's network. Use the following technique to maximize your scanning efficiency:

Use traceroute to determine all of the routers between your host and a host on your opponent's network.
Ping scan your opponents network to get a list of active hosts.
Perform a cursory TCP port scan on all of those hosts. The following example should help, but you need to replace the letters (A,C,M-Z) with actual numbers you see.
```
nmap -sS 2.2.2.A,C,M-Z
```
You should see several targets with only port 22 open. Those hosts are your classmates' virtual machines and are not intended targets. Take note of their IP addresses and do not scan those IPs in subsequent steps.

Service	Protocol	Port	TCP/UDP	Tools
World Wide Web	HTTP	80	TCP	browsers
Name Resolution	DNS	53	UDP	nslookup
File Transfer	FTP	21	TCP	ftp
Secure Remote Shell	SSH	22	TCP	ssh
Simple Mail Transfer Protocol	SMTP	25	TCP	email clients
Post Office Protocol Version 3	POP3	110	TCP	email clients
Secure Web	HTTPS	443	TCP	browsers
Remote Desktop (`microsoft-rdp`)	RDP	3389	TCP	rdesktop
File/Print Sharing (`microsoft-ds`)	SMB	445	TCP	map net- work drive
Internet Relay Chat	IRC	6667	TCP	xchat

Perform a full scan of the remaining non-student targets using the -A option to nmap (-A = -sS, -sV, and -O). Example (where X,Y,Z are replaced with actual numbers you see):
```
nmap -A 1.1.1.X,Y,Z
```

Use nslookup to make DNS queries using your opponent's DNS server. Try all of the IP addresses found in your nmap search. Typically, hosts are given names that match the service they provide to make it easy to remember (e.g. www.red.net provides web service via http).
```
Gold Team should use: nslookup IPaddress 1.1.1.64
Blue Team should use: nslookup IPaddress 2.2.2.187
```
Pull up your opponent's web site and look around for usernames and potential passwords!

Putting Things Together

After gathering all this information, you need to analyze it wisely. Draw a "concentric circles" target diagram of your opponent's network like the one shown in the Phases of a Cyber-Attack lecture.