Lab 6: Perform Network Scanning using Various Scanning Tools

 

Lab 6: Perform Network Scanning using Various Scanning Tools

Lab Scenario

The information obtained in the previous steps might be insufficient to reveal potential vulnerabilities in the target network: there may be more information available that could help in finding loopholes in the target network. As an ethical hacker and pen tester, you should look for as much information as possible about systems in the target network using various network scanning tools when needed. This lab will demonstrate other techniques/commands/methods that can assist you in extracting information about the systems in the target network using various scanning tools.

Lab Objectives

  • Scan a target network using Metasploit

Overview of Network Scanning Tools

Scanning tools are used to scan and identify live hosts, open ports, running services on a target network, location-info, NetBIOS info, and information about all TCP/IP and UDP open ports. Information obtained from these tools will assist an ethical hacker in creating the profile of the target organization and to scan the network for open ports of the devices connected.

Task 1: Scan a Target Network using Metasploit

Metasploit Framework is a tool that provides information about security vulnerabilities in the target organization’s system, and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploit writers, and payload writers. A major advantage of the framework is the modular approach, that is, allowing the combination of any exploit with any payload.

Here, we will use Metasploit to discover active hosts, open ports, services running, and OS details of systems present in the target network.

  1. Click Parrot Security to switch to the Parrot Security machine.

  2. Click the MATE Terminal icon in the top of the Desktop window to open a Terminal window.

    2222.jpg

  3. Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

  4. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

  5. Now, type cd and press Enter to jump to the root directory.

    Screenshot

  6. In the Parrot Terminal window, type service postgresql start and hit Enter.

    Screenshot

  7. Now, type msfconsole and hit Enter to launch Metasploit.

    Screenshot

  8. An msf command line appears. Type db_status and hit Enter to check if Metasploit has connected to the database successfully. If you receive the message “postgersql selected, no connection,” then the database did not connect to msf.

    Screenshot

  9. Exit the Metasploit framework by typing exit and press Enter. Then, to initiate the database, type msfdb init, and press Enter.

    Screenshot

  10. To restart the postgresql service, type service postgresql restart and press Enter. Now, start the Metasploit Framework again by typing msfconsole and pressing Enter.

    Screenshot

  11. Check the database status by typing db_status and press Enter. This time, the database should successfully connect to msf, as shown in the screenshot.

    Screenshot

  12. Type nmap -Pn -sS -A -oX Test 10.10.10.0/24 and hit Enter to scan the subnet, as shown in the screenshot.

    Here, we are scanning the whole subnet 10.10.10.0/24 for active hosts.

  13. Nmap begins scanning the subnet and displays the results. It takes approximately 5 minutes for the scan to complete.

    Screenshot

  14. After the scan completes, Nmap displays the number of active hosts in the target network (here, 7).

  15. Now, type db_import Test and hit Enter to import the Nmap results from the database.

    Screenshot

  16. Type hosts and hit Enter to view the list of active hosts along with their MAC addresses, OS names, etc. as shown in the screenshot.

    Screenshot

  17. Type services or db_services and hit Enter to receive a list of the services running on the active hosts, as shown in the screenshot.

    In addition to running Nmap, there are a variety of other port scanners that are available within the Metasploit framework to scan the target systems.

    Screenshot

  18. Type search portscan and hit Enter. The Metasploit port scanning modules appear, as shown in the screenshot.

    Screenshot

  19. Here, we will use the auxiliary/scanner/portscan/syn module to perform an SYN scan on the target systems. To do so, type use auxiliary/scanner/portscan/syn and press Enter.

  20. We will use this module to perform an SYN scan against the target IP address range (10.10.10.5-20) to look for open port 80 through the eth0 interface.

    To do so, issue the below commands:

    • set INTERFACE eth0
    • set PORTS 80
    • set RHOSTS 10.10.10.5-20
    • set THREADS 50

    PORTS: specifies the ports to scan (e.g., 22-25, 80, 110-900), RHOSTS: specifies the target address range or CIDR identifier, and THREADS: specifies the number of concurrent threads (default 1).

    Screenshot

  21. After specifying the above values, type run, and press Enter to initiate the scan against the target IP address range.

    Similarly, you can also specify a range of ports to be scanned against the target IP address range.

  22. The result appears, displaying open port 80 in active hosts, as shown in the screenshot.

    Screenshot

  23. Now, we will perform a TCP scan for open ports on the target systems. To do so, first type back, and then press Enter to revert to the msf command line.

  24. To load the auxiliary/scanner/portscan/tcp module, type use auxiliary/scanner/portscan/tcp and press Enter.

  25. Type hosts -R and press Enter to automatically set this option with the discovered hosts present in our database.

    OR

    Type set RHOSTS [Target IP Address] and press Enter.

    Here, we will perform a TCP scan for open ports on a single IP address (10.10.10.16), as scanning multiple IP addresses consumes much time.

    Screenshot

  26. Type run and press Enter to discover open TCP ports in the target system.

  27. The results appear, displaying all open TCP ports in the target IP address (10.10.10.16).

    Screenshot

  28. Now that we have determined the active hosts on the target network, we can further attempt to determine the OSes running on the target systems. As there are systems in our scan that have port 445 open, we will use the module scanner/smb/version to determine which version of Windows is running on a target and which Samba version is on a Linux host.

  29. To do so, first type back, and then press Enter to revert to the msf command line. Then, type use auxiliary/scanner/smb/smb_version and press Enter.

  30. We will use this module to run a SMB version scan against the target IP address range (10.10.10.5-20). To do so, issue the below commands:

    • set RHOSTS 10.10.10.5-20

    • set THREADS 11

    Screenshot

  31. Type run and press Enter to discover SMB version in the target systems.

  32. The result appears, displaying the OS details of the target hosts.

    Screenshot

  33. While performing a scan using Nmap, we discovered that the FTP port 21 is open on the host 10.10.10.10 in the target network. Now, we will scan the target host to identify the FTP version.

  34. Type back and press Enter. To load an FTP module, type use auxiliary/scanner/ftp/ftp_version and press Enter.

  35. Type set RHOSTS 10.10.10.10 and press Enter to specify the target host.

    Screenshot

  36. Type run and press Enter to initiate the FTP version identification scan.

  37. The result appears, displaying the FTP version details of the target host, as shown in the screenshot.

    Screenshot

  38. Type hosts and press Enter to view detailed information on active hosts in the target network.

    Screenshot

  39. You can further export this information to a CSV file. To do so, first type back, and then press Enter. Now, type hosts -o /root/Desktop/Metasploit_Scan_Results.csv and press Enter.

    Screenshot

  40. Click Places from the top-section of Desktop and click Home Folder from the drop-down options.

    Screenshot

  41. The attacker window appears, click File System and double-click root folder.

    2020-08-20_13-25-21.jpg

  42. The root window appears, double-click Desktop folder.

    Screenshot

  43. You can observe Metasploit_Scan_Results.csv file. This CSV file, contains detailed information on the active hosts in the target IP range.ss

    Screenshot

  44. This information can further be used to perform vulnerability analysis on the open services discovered in the target hosts.

  45. This concludes the demonstration of gathering information on open ports, a list of services running on active hosts, and information related to OSes, amongst others.

  46. Close all open windows and document all the acquired information.

Comments

Post a Comment

Popular posts from this blog

Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools

Image
Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools Lab Scenario As an ethical hacker, you must try to obtain as much information as possible about the target cloud environment using various enumeration tools. This lab will demonstrate various S3 bucket enumeration tools that can help you in extracting the list of publicly available S3 buckets. Lab Objectives Enumerate S3 buckets using lazys3 Enumerate S3 buckets using S3Scanner Overview of Enumeration Tools Enumeration tools are used to collect detailed information about target systems to exploit them. Information collected by S3 enumeration tools consists of a list of misconfigured S3 buckets that are available publicly. Attackers can exploit these buckets to gain unauthorized access to them. Moreover, they can modify, delete, and exfiltrate the bucket content. Task 1: Enumerate S3 Buckets using lazys3 lazys3 is a Ruby script tool that is used to brute-force AWS S3 buckets using different permutations. This...
Read more

Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools

Image
Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Module 20: Cryptography Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Task 1: Perform Cryptanalysis using CrypTool CrypTool is a freeware program that enables you to apply and analyze cryptographic mechanisms, and has the typical look and  feel of a modern Windows application. CrypTool includes a multitude of state-of-the-art cryptographic functions and allows you  to both learn and use cryptography within the same environment. CrypTool is a free, open-source e-learning application used in  the implementation and analysis of cryptographic algorithms. Here, we will use the CrypTool tool to perform cryptanalysis. refer to blog  little long --------------------------------------------------------------------------------------------------------------------------------------- Module 20: Cryptography Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Task 2: Perform Cryptanalysis us...
Read more

Task 2: Perform OS Discovery using Nmap Script Engine (NSE)

Image
  Task 2: Perform OS Discovery using Nmap Script Engine (NSE) Module 03: Scanning Networks Lab 3: Perform OS Discovery Task 2: Perform OS Discovery using Nmap Script Engine (NSE) open zenmap nmap -A [Target IP Address]   = -A: to perform an aggressive scan. nmap -O [Target IP Address]   = -O: performs the OS discovery. nmap --script smb-os-discovery.nse [Target IP Address]   = --script: specifies the customized script and smb-os-discovery.nse: attempts to determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). end Nmap, along with Nmap Script Engine (NSE), can extract considerable valuable information from the target system. In addition to Nmap commands, NSE provides scripts that reveal all sorts of useful information from the target system. Using NSE, you may obtain information such as OS, computer name, domain name, forest name, NetBIOS computer name, NetBIOS domain name, workgroup, system time o...
Read more