This lab focuses on the practical application of techniques discussed in the Cyber Reconnaissance lecture. Your class will be split up into a Blue team and a Gold team, where each team will gather as much information as possible about the security posture of the opposite team. The purpose of this task is, of course, to prepare you all for the inevitable cyber attack against your opponent that will follow next week.
Virtual Machine OS. The virtual machines you will use in the next three labs run an operating system called Backtrack Linux, a Linux distribution built for security testing. Backtrack, and its successor Kali Linux, are used both by the good guys, called "penetration testers" (or "pen-testers" for short), and by the bad guys. Backtrack and Kali contain an arsenal of cyber reconnaissance and attack tools. You should only use them on controlled systems where you have permission, and never against a real-world system without legal authority.
You have permission to conduct active and passive reconnaissance within the course virtual environment.
Using a web browser on your virtual machine, open http://www.red.net. If you do not reach http://www.red.net, make sure you are in the virtual environment.
Using the guidance below, gather as much information as possible about your opponent's network, in the given time. In general you will be:
Record what you find on your worksheet!
Fill in the front of the worksheet; draw on the back of the worksheet.
Note: Be sure you have used ifconfig to get your own host IP address (look for "inet addr" in the eth0 output) and nslookup to determine your host's domain name and your team's web server and name server domain names and IP addresses. Record this information at the top of your worksheet, where your name and alpha are located.
Use nslookup to find the IP address of your target's web server:
nslookup www.blue.net
Put this information in the table on your worksheet for www.blue.net (or www.gold.net).
Use traceroute to determine all of the routers between you and the web server for your target, blue.net. Enter the following command in the terminal:
traceroute -n www.blue.net
The -n option prints each router's IP address without looking up its name, so the output is faster and does not depend on reverse DNS working.
Use ping to check whether www.blue.net is alive and responds to ping requests. This is an important verification for inferring the ACL rules of the firewall, if one is present: if you receive a reply from the target, you now know that echo (ping) requests and replies are not filtered by the firewall. The converse does not hold: no reply could mean the host is down, that it ignores ICMP echo requests, or that a firewall drops them, so do not conclude from ping alone that a host is absent.
Next, use nmap to discover which hosts on your target's network are up (-sn is a ping sweep with no port scan), where x.x.x is the first three octets of the address you got for the web server:
nmap -sn x.x.x.1-255
Take a look at the output. For our reconnaissance lab, we're going to disregard the addresses in the range x.x.x.101-111, since those are the student workstations.
Now port-scan the hosts you found with a TCP SYN scan:
nmap -sS x.x.x.a,b,c
where a, b, and c are the last portions of the IP addresses of the hosts you found. By default nmap probes only its list of the 1000 most common ports; add -p- if you want all 65535. What open ports are there? What services appear to be running? Write these down on your worksheet. You can use the following table of familiar services for those that have a more common protocol/name you have seen before, instead of the obscure name nmap reports.
|Service|Protocol|Port|Transport|Typical client|
|---|---|---|---|---|
|World Wide Web|HTTP|80|TCP|browsers|
|Secure Remote Shell|SSH|22|TCP|ssh|
|Simple Mail Transfer Protocol|SMTP|25|TCP|email clients|
|Post Office Protocol Version 3|POP3|110|TCP|email clients|
|Internet Relay Chat|IRC|6667|TCP|xchat|
To find the names of the hosts you found, do a reverse lookup of each IP address, giving your opponent's name server as the second argument:
nslookup x.x.x.a x.x.x.n
This looks up the IP address x.x.x.a using the name server with IP address x.x.x.n.
Next, have nmap identify the service software and version on each open port:
nmap -sV x.x.x.a,b,c
Note: The program version for the http (web) service not only indicates that it is Apache (a well-known program), but also indicates the general operating system it was built for. Ubuntu is a widely used Linux distribution, Win32 indicates a 32-bit Microsoft Windows build, and Microsoft IIS is the Internet Information Services web server that Microsoft ships with Windows Server (and as an optional component of desktop Windows).
Finally, try nmap's operating system detection:
nmap -O x.x.x.a,b,c
Note: OS detection will not always be possible, for various reasons, and even when it is possible the guess may not be accurate. Take note of OS detection results to compare with the other indications you find (such as the versions of the service software in the -sV scan), but never accept them alone as fact. If given multiple OS versions, use the software running on the host as a clue to narrow down which operating system the host is actually running.
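The scan steps above (host discovery, the -sS port scan, the -sV version scan and the familiar-name table) all end with "write it down on your worksheet". The script below is an added example, not part of the lab handout: it parses nmap's grepable output (what nmap prints with -oG -) into the worksheet rows, skipping the student workstation range and pulling the OS clues out of the version strings. SAMPLE_OG is a constructed stand-in for a real -sS -sV scan; its addresses, host names and versions are made up, and the mapping of nmap's "ms-wbt-server" to Remote Desktop is an assumption added for the 3389 probe later in the lab.

```python
"""Turn nmap's grepable (-oG) output into the worksheet inventory.

Added example, not part of the lab handout.  SAMPLE_OG below is a
constructed stand-in for what `nmap -sS -sV -oG - x.x.x.a,b,c` prints
(the addresses, host names and version strings are made up); on the lab
network you would feed the real output in instead.
"""
import re
from collections import namedtuple

# Familiar names for the services nmap reports, from the lab's table.
# The 3389 entry is an assumption: nmap calls that port "ms-wbt-server".
FAMILIAR = {
    "http": "World Wide Web (HTTP)",
    "ssh": "Secure Remote Shell (SSH)",
    "smtp": "Simple Mail Transfer Protocol (SMTP)",
    "pop3": "Post Office Protocol Version 3 (POP3)",
    "irc": "Internet Relay Chat (IRC)",
    "ms-wbt-server": "Remote Desktop (RDP)",
}

# Student workstations live at x.x.x.101-111 and are disregarded, as the lab says.
WORKSTATIONS = range(101, 112)

Port = namedtuple("Port", "number proto state service version")

# Constructed sample of grepable output (tab-separated "Key: value" fields per line).
SAMPLE_OG = """\
# Nmap 6.01 scan initiated Mon Feb  4 09:12:01 2013 as: nmap -sS -sV -oG - 10.0.0.5,6,7,105
Host: 10.0.0.5 (www.blue.net)\tStatus: Up
Host: 10.0.0.5 (www.blue.net)\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.22 ((Ubuntu))/\tIgnored State: closed (998)
Host: 10.0.0.6 (mail.blue.net)\tStatus: Up
Host: 10.0.0.6 (mail.blue.net)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 110/open/tcp//pop3//Dovecot pop3d/, 6667/filtered/tcp//irc///\tIgnored State: closed (997)
Host: 10.0.0.7 ()\tStatus: Down
Host: 10.0.0.105 ()\tStatus: Up
Host: 10.0.0.105 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
# Nmap done at Mon Feb  4 09:12:40 2013 -- 4 IP addresses (3 hosts up) scanned in 39.12 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")


def parse_grepable(text):
    """Return {ip: {"name": hostname, "status": "Up"/"Down", "ports": [Port, ...]}}.

    A port entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc/version
    (nmap swaps any '/' inside a version string for '|', so splitting is safe).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' comment lines
        fields = line.split("\t")
        ip, name = HOST_RE.match(fields[0]).groups()
        entry = hosts.setdefault(ip, {"name": name, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    number, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                    entry["ports"].append(Port(int(number), proto, state, service, version))
    return hosts


def open_ports(hosts, ip):
    """Only 'open' is a potential entry point; 'filtered' means something dropped the probe."""
    return [p for p in hosts[ip]["ports"] if p.state == "open"]


def worksheet_rows(hosts):
    """(ip, hostname, port, familiar service name, version) for every open port
    on every live host, skipping the student workstations."""
    rows = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        last_octet = int(ip.rsplit(".", 1)[1])
        if last_octet in WORKSTATIONS or hosts[ip]["status"] != "Up":
            continue
        for p in open_ports(hosts, ip):
            rows.append((ip, hosts[ip]["name"], p.number, FAMILIAR.get(p.service, p.service), p.version))
    return rows


def os_hints(hosts):
    """OS clues hiding in version strings, as the lab's Apache/Ubuntu/Win32 note describes."""
    hints = {}
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            for clue in ("Ubuntu", "Debian", "Win32", "Windows", "Microsoft"):
                if clue in p.version:
                    hints.setdefault(ip, set()).add(clue)
    return hints


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for row in worksheet_rows(inventory):
        print("%-10s %-14s %5d  %-36s %s" % row)
    for ip, clues in sorted(os_hints(inventory).items()):
        print("OS clues for %s: %s" % (ip, ", ".join(sorted(clues))))
```

To use it on the lab network, run the scan with grepable output (for example nmap -sS -sV -oG scan.txt x.x.x.a,b,c) and pass the file's contents to parse_grepable(). Note that the filtered IRC port on the second host does not appear in the rows: a filtered port tells you a firewall is in the way, which is worth recording, but it is not an open service.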
We already know www.blue.net is running an http service, because we were able to open a web page from it. This tells us that port 80 is open on the target host and that destination port 80 is not filtered by the firewall, if one is present. Port 80 should go on a list of potential entry points. To gain some clue as to which web server software is running on www.blue.net (so we can research its vulnerabilities later), connect to it using netcat:
nc -v <IP Address here> 80
Once connected, request an http document by typing the following:
GET / HTTP/1.0 ⇦ enter ⇦ enter
The second enter sends the blank line that ends the request headers; without it the server keeps waiting for more headers. You have to be quick with your GET request, since the server may time out and close the connection. Search the response near the top for the line beginning with "Server" to see the http service family name and version. This is known as "banner grabbing", and it can be attempted on any port to gain information about a service. It will not always yield useful information, but it is always worth trying. You can also look through the raw HTML to see if there is anything of interest on that web page. Make a note of it in the box on the back of your worksheet for recording web page clues.
On other ports, if nothing comes back after you connect, typing help usually gets some sort of response from a target.
Try the mail server next:
nc -v x.x.x.x 25
If you get connected, you should see a greeting like the following:
220 mail.xxx.net ESMTP Postfix (Ubuntu)
Notice that the greeting names both the mail software (Postfix) and the distribution it came from (Ubuntu), just as the Apache banner did. Enter quit to terminate the connection, as shown below:
220 mail.xxx.net ESMTP Postfix (Ubuntu)
quit ⇦ enter
Try FTP (port 21) with either
nc -v x.x.x.x 21
or
ftp x.x.x.x
('exit' to quit). Try Remote Desktop (port 3389) with
nc -v x.x.x.x 3389
RDP is a binary protocol, so you will not see a readable banner, but a successful connection still tells you the port is open and unfiltered.
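The netcat steps above (the GET request on port 80, the help trick on unknown ports, the SMTP greeting on 25, and the FTP and RDP probes) are all the same technique with three variations: services that speak first, services that wait to be asked, and services that say nothing readable at all. The following is an added example, not part of the lab handout, doing the same banner grabbing with a Python socket. So that it runs offline it starts throw-away servers on 127.0.0.1 that answer with constructed banners (a fake Apache header, a fake Postfix greeting, and a port that accepts the connection but stays silent, like RDP); on the lab network you would call grab_banner() with the target's IP address and port instead.

```python
"""Banner grabbing with a socket, the way the lab does it with nc.

Added example, not part of the lab handout.  The stand-in servers and their
banners are constructed for the demo; nothing here talks to a real target.
"""
import socket
import threading

# HTTP servers stay silent until asked: request line, then the blank line that ends the headers.
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"

# Constructed responses for the local stand-in servers.
FAKE_HTTP_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
                      b"Server: Apache/2.2.22 (Ubuntu)\r\n"
                      b"Content-Type: text/html\r\n"
                      b"\r\n"
                      b"<html><body>Welcome to blue.net</body></html>\r\n")
FAKE_SMTP_GREETING = b"220 mail.blue.net ESMTP Postfix (Ubuntu)\r\n"


def grab_banner(host, port, probe=None, timeout=2.0):
    """Connect, optionally send a probe, and return whatever the service says.

    SMTP, FTP and SSH speak first, so probe=None just waits for the greeting.
    HTTP waits to be asked, so pass HTTP_PROBE; for an unknown port try b"help\\r\\n".
    The timeout is the lab's "be quick" warning in code: a server that sends
    nothing (or hangs up on us) must not stall the scan, it just yields "".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break          # server closed (HTTP/1.0 does this after the response)
                chunks.append(data)
                if probe is None and data.endswith(b"\n"):
                    break          # greeting-first service: one full line is the banner
        except socket.timeout:
            pass                   # silent or slow service: return what we have
    return b"".join(chunks).decode("latin-1", "replace")


def server_header(response):
    """The 'Server:' line the lab tells you to look for, or None if the server hides it."""
    for line in response.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def smtp_greeting_info(greeting):
    """Split '220 mail.xxx.net ESMTP Postfix (Ubuntu)' into (code, hostname, software)."""
    code, _, rest = greeting.strip().partition(" ")
    hostname, _, software = rest.partition(" ")
    return code, hostname, software


def _serve_once(response, speaks_first):
    """One-shot loopback server standing in for the target; returns its port.

    speaks_first=True sends the banner on connect (SMTP style); False waits for
    the client's request first (HTTP style).  An empty response with
    speaks_first=False is the silent, RDP-like case.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            if not speaks_first:
                conn.recv(4096)            # wait for the client's request (or its close)
            conn.sendall(response)
            if speaks_first:
                conn.recv(4096)            # wait for 'quit' or the client hanging up
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Grab from all three stand-ins; returns (server header, smtp info, silent banner)."""
    http_port = _serve_once(FAKE_HTTP_RESPONSE, speaks_first=False)
    smtp_port = _serve_once(FAKE_SMTP_GREETING, speaks_first=True)
    silent_port = _serve_once(b"", speaks_first=False)
    http = server_header(grab_banner("127.0.0.1", http_port, probe=HTTP_PROBE))
    smtp = smtp_greeting_info(grab_banner("127.0.0.1", smtp_port))
    silent = grab_banner("127.0.0.1", silent_port, timeout=1.0)
    return http, smtp, silent


if __name__ == "__main__":
    print(demo())
```

The empty string from the silent port is the RDP case: the connect succeeded, so the port is open and unfiltered, but there is no text to read. Treat "" as "open, protocol unknown" on your worksheet rather than as a failure, and try the help probe before giving up on a port.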
Some additional information about using the nmap command can be found in the nmap manual page (man nmap on your virtual machine).