Et Lab1 2021600035

Department of Computer Science and Engineering

IT321-Ethical Hacking
AY:2023-2024
Lab1 A- Internet Foot-printing
Lab1 B- Network Scanning

Name of Student: Sandesh Kharchan    UCID: 2021600035


Class : T.E. AIML

Objectives:
[1] Introduce the anatomy of ethical hacking
[2] To perform network reconnaissance using command-line tools
[3] To perform DNS interrogation
[4] To perform web reconnaissance

Outcomes: After completing the lab, you will be able to:


[1] Identify and demonstrate the ethical hacking phases.
[2] Define footprinting and how it is accomplished.
[3] Identify many resources that can be used to footprint an organization
[4] Search an organization’s public Web pages and identify internal components
[5] Determine the IP address range assigned to a particular organization
[6] Identify host machines that are active within an organization
System Requirements:
[1] Kali Linux- Offensive
[2] Windows 7/ Windows XP- Client or victim

[3] Tools: ping, fping, nslookup, traceroute, arp, host, dig, tcpdump/Wireshark, nmap, etherape, etc.

Lab1 A- Internet Foot-printing


1A- Foot-printing
Footprinting is the reconnaissance phase of an engagement, in which the tester (or
attacker) gathers information about a target organisation, system or network before
touching it in any intrusive way. It is the first step in the hacking process and
involves collecting as much data as possible about the target: IP address ranges,
domain names and subdomains, network topology, employee names and e-mail addresses,
technologies in use, and more. This information is then used to identify potential
vulnerabilities and to plan the later phases (scanning, enumeration, exploitation).

There are two main types of footprinting:

1. Passive Footprinting: gathering information without sending any traffic to the
target's own systems. It relies on third parties: search engines, WHOIS and DNS
registries, social media, public records, job postings, code repositories and
archived copies of the company's websites. The target has no way of detecting it.

2. Active Footprinting: interacting directly with the target's systems, for example
querying its authoritative name servers, pinging or tracerouting its hosts,
fetching its web pages, or performing port scanning, banner grabbing and
vulnerability scanning. This yields more precise data but leaves traces in the
target's logs, so it must only be done within the agreed scope of the engagement.

1A.1 Google Hacking Database


The Google Hacking Database (GHDB) is a collection of Google search queries
(also known as Google dorks) that can be used to find vulnerable or exposed
information on the internet. These queries are crafted to reveal sensitive data,
misconfigurations, and vulnerabilities that might not be readily apparent through
typical web browsing.

The GHDB was created by Johnny Long, a security researcher, and is now maintained by
Offensive Security alongside Exploit-DB. It has been widely used by both security
professionals and malicious actors for reconnaissance, penetration testing and
information gathering; because the queries go to Google rather than to the target,
using them is passive footprinting.

The queries combine Google search operators such as site:, inurl:, intitle:,
filetype: and ext: to find a wide range of information, including:

1. Exposed network devices (such as webcams, printers, routers).
2. Confidential or sensitive documents (such as password files, financial records,
and proprietary information).
3. Vulnerable websites or web applications (such as sites with SQL injection
vulnerabilities, exposed login pages, or misconfigured servers).

Restrict queries with site: to the target's own domains so that only in-scope
results are examined.

1A.2 WHOIS Database

WHOIS is the protocol and directory service that exposes domain-name (and IP
address block) registration data. When someone registers a domain name, the
registrar collects contact details for the registrant, administrative and technical
contacts (name, organisation, postal address, e-mail address, phone number) together
with the registrar, the registration and expiry dates and the authoritative name
servers. There is no single centralised database: each TLD registry and each
registrar runs its own WHOIS server, queried over TCP port 43 (RFC 3912) by the
`whois` command or through web front ends, and the registry record usually refers
the client on to the registrar's server for the full record. The regional Internet
registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) provide the same service for IP
address allocations, which is how the address range assigned to an organisation is
found. RDAP is the JSON-based successor protocol and returns the same data in
structured form.

The WHOIS record lets anyone look up who registered a domain name and who is
responsible for managing it. During footprinting this confirms scope (which domains
and address blocks belong to the target), reveals name servers and the registrar
account, and identifies people who may be targeted by social engineering; outside of
testing it is used for contacting domain owners about business inquiries,
investigating potential trademark infringement, or attributing abuse and cybercrime.

However, due to privacy concerns, many registrars offer privacy or proxy services
that replace the registrant's details with the registrar's own contact information,
and since 2018 (GDPR) most registrars redact personal data by default, so a record
often shows only "REDACTED FOR PRIVACY" and a contact web form. Expect a recent
registration to reveal the registrar, dates and name servers but little about the
people behind it.
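The lookup described above, as an added example that is not part of the lab handout: a minimal WHOIS client in Python that speaks RFC 3912 (`whois_query` opens TCP port 43, sends the query followed by CRLF and reads until the server closes the connection; it needs network access and is not exercised here), and a parser that pulls the fields a footprinter cares about out of a registrar record and flags privacy-protected registrants. The record it parses is constructed for the example; the domain, registrar and server names in it are placeholders.

```python
"""Added example: a minimal RFC 3912 WHOIS client and a parser for the
key: value record format that gTLD registrars return. Not code from the
lab handout. The parser runs on a constructed record so it works offline."""
import re
import socket


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """Send one RFC 3912 query to `server` (TCP/43) and return the raw text."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:                     # server closes the connection when done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Fields worth extracting during footprinting, keyed by the label most gTLD
# registrars print (compared case-insensitively).
FIELDS = {
    "registrar": "Registrar",
    "whois_server": "Registrar WHOIS Server",
    "created": "Creation Date",
    "expires": "Registry Expiry Date",
    "registrant_org": "Registrant Organization",
    "registrant_email": "Registrant Email",
}

# Markers that a privacy/proxy service or GDPR redaction replaced the registrant.
REDACTED = re.compile(r"redacted|privacy|proxy|withheld|query the rdds", re.I)


def parse_whois(text: str) -> dict:
    """Parse `key: value` lines, collect name servers, flag privacy protection."""
    result = {"name_servers": [], "privacy_protected": False}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue                    # comments and the "Last update" trailer
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the FIRST colon only,
        key, value = key.strip().lower(), value.strip()  # timestamps contain ':'
        if key == "name server" and value:
            result["name_servers"].append(value.lower())
            continue
        for out_name, label in FIELDS.items():
            if key == label.lower() and out_name not in result:
                result[out_name] = value
    # If the registrant fields are a redaction notice, the "owner" shown is the
    # registrar or proxy service, not the organisation that uses the domain.
    contact = " ".join(result.get(k, "") for k in ("registrant_org", "registrant_email"))
    result["privacy_protected"] = bool(REDACTED.search(contact))
    return result


# Constructed sample record (no real lookup was made); it mirrors the layout
# of a typical gTLD registrar response after GDPR-style redaction.
SAMPLE_RESPONSE = """\
   Domain Name: EXAMPLE-TARGET.COM
   Registrar WHOIS Server: whois.registrar.example
   Registrar: Example Registrar, Inc.
   Creation Date: 2015-03-02T18:24:11Z
   Registry Expiry Date: 2026-03-02T18:24:11Z
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar
   Name Server: NS1.EXAMPLE-TARGET.COM
   Name Server: NS2.EXAMPLE-TARGET.COM
   DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-01-15T10:00:00Z <<<
"""

if __name__ == "__main__":
    for k, v in parse_whois(SAMPLE_RESPONSE).items():
        print(f"{k:18} {v}")
```

Even with the registrant redacted, the name servers, registrar and dates survive; those are what you carry into DNS interrogation (1B.2) and into the registrar-account and expiry checks of a scoping exercise.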
1A.3 Other available resources
In addition to the Google Hacking Database, there are several other resources and
techniques available for conducting internet footprinting and reconnaissance:

1. Publicly Available Information: Explore social media platforms, online forums,
blogs, and websites related to the target organization or individual. Information
shared by employees, partners, or customers can provide valuable insights into the
target's infrastructure, technologies, organizational structure, and potential
vulnerabilities.

2. Search Engines: Besides Google, consider using alternative search engines such as
Bing, DuckDuckGo, and Yahoo to gather information. Each search engine may yield
different results, so it's beneficial to use multiple search engines during the
reconnaissance phase.

3. Archive.org: The Wayback Machine, provided by the Internet Archive, allows you to
access archived versions of websites. This can be useful for identifying changes in
the target's online presence over time and uncovering outdated or removed content
that may still be relevant.

4. DNS Reconnaissance: Perform DNS (Domain Name System) reconnaissance to gather
information about the target's domain names, subdomains, and DNS records. Tools like
`nslookup`, `dig`, and `host` can be used to query DNS servers directly for
information.

5. Reverse IP Lookup: Use reverse IP lookup services to identify other websites
hosted on the same IP address. This can help uncover additional domains and
subdomains associated with the target organization.

6. WHOIS Lookup: While the WHOIS database provides contact information for domain
owners, some registrars offer limited information or privacy protection services.
Nevertheless, WHOIS lookup tools can still provide valuable insights into domain
registration details.

7. Shodan: Shodan is a search engine that allows users to find internet-connected
devices and services. It can be used to discover exposed network devices, such as
webcams, servers, and routers, as well as identify potential vulnerabilities.

8. Social Engineering: Social engineering techniques, such as phishing attacks or
pretexting, can be employed to gather information directly from individuals within
the target organization. This may involve contacting employees or stakeholders under
false pretenses to elicit sensitive information.

9. Open Source Intelligence (OSINT) Tools: There are various OSINT tools and
frameworks available, such as Maltego, Recon-ng, and theHarvester, designed
specifically for gathering information from publicly available sources across the
internet.
1B Network Footprinting

1B.1 Network Reconnaissance using command-line tools

1. ifconfig/ipconfig

Displays the local interface configuration: IP address, netmask, MAC address and
default gateway (`ifconfig` or `ip addr` on Linux, `ipconfig /all` on Windows). Run
it first so you know which subnet you are scanning from.

2. ping

Sends ICMP Echo Requests to determine whether a host is reachable and to measure
its round-trip time (latency). Hosts or firewalls that drop ICMP appear down even
when they are up.
ping [hostname or IP address]

3. route

The route command-line tool displays and manages the IP routing table (`route -n`
or `ip route` on Linux, `route print` on Windows), which shows the gateways through
which remote networks are reached.

4. arp

Network reconnaissance using the Address Resolution Protocol (ARP) can provide
valuable information about devices within a local network. ARP maps IP addresses to
MAC addresses; inspecting the ARP cache (`arp -a`) after a ping sweep, or performing
an ARP scan, reveals every device on the same network segment, including hosts that
filter ICMP, because a host cannot refuse ARP without losing connectivity. ARP does
not cross routers, so this covers only the local segment.

5. traceroute

Traceroute determines the path that packets take from your computer to a
destination IP address or domain by sending probes with increasing TTL values; each
router that expires a probe replies with an ICMP Time Exceeded message. It
identifies the network hops (routers) between source and destination and measures
the latency to each hop. Linux sends UDP probes by default (`traceroute -I` uses
ICMP, `-T` uses TCP SYN); the Windows equivalent is `tracert`, which uses ICMP.

6. fping

Like ping, but sends echo requests to many hosts in parallel
(`fping -a -g 192.168.1.0/24` lists the ones that reply), which makes it practical
for sweeping a whole subnet.

7. arp-scan

Sends ARP requests to every address in the local subnet
(`sudo arp-scan --localnet`) and lists the responding IP/MAC pairs together with
the vendor derived from the MAC prefix.
1B.2 DNS Interrogation

1. nslookup
Interactive or one-shot resolver queries (`nslookup -type=MX target.example`);
available on both Linux and Windows.
2. host
Simple lookups: `host target.example` prints the A, AAAA and MX records,
`host -t NS target.example` the name servers, and `host 192.0.2.10` performs a
reverse (PTR) lookup.
3. dig
The most detailed client, showing the full response sections and flags.
`dig @ns1.target.example target.example AXFR` attempts a zone transfer, which, on
a name server misconfigured to allow it, hands over the entire zone in one query.
4. whois
`whois target.example` prints the registration record described in 1A.2;
`whois 192.0.2.10` queries the regional Internet registry for the address block
and its owner.
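What these clients do on the wire, as an added example that is not from the lab handout: the Python below builds an RFC 1035 DNS query, parses the reply including name-compression pointers, and checks that the transaction ID matches. `resolve` sends the query over UDP port 53 to a resolver that is assumed reachable (the default address is an assumption); the parser is exercised on a reply constructed inline so the example runs offline. Domain names and addresses in it are placeholders.

```python
"""Added example (not lab code): build a DNS query and parse the answer at the
wire level, the way dig/nslookup/host do. `resolve` needs a reachable resolver;
`parse_response` runs here on a constructed reply."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name: str) -> bytes:
    """'example.com' -> 07 'example' 03 'com' 00 (length-prefixed labels)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    # Header: ID, flags (RD=1 asks for recursion), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, offset: int):
    """Read a name at `offset`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer: 14-bit offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # a pointer ends the name
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:
            value = socket.inet_ntoa(rdata)
        elif rtype in (2, 5):                           # NS / CNAME carry a name
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": TYPE_NAME.get(rtype, rtype),
                        "ttl": ttl, "value": value})
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def resolve(name: str, qtype: str = "A", server: str = "8.8.8.8") -> dict:
    """Send the query to `server` (assumed reachable) and parse the reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != txid:            # mismatched ID: stray or spoofed reply
        raise ValueError("transaction ID mismatch")
    return reply


# Constructed reply (no real lookup) to the query for www.example-target.com:
# a CNAME whose target reuses the "example-target.com" labels via a pointer to
# offset 0x10, then an A record whose owner points at that CNAME target (0x34).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)          # QR=1 RD=1 RA=1
    + encode_name("www.example-target.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03web\xc0\x10"
    + b"\xc0\x34" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.10")
)

if __name__ == "__main__":
    for rr in parse_response(SAMPLE_RESPONSE)["answers"]:
        print(rr)
```

The compression pointers are why hand-written parsers so often break: a name in the answer section is frequently just two bytes pointing back into the question. The ID check is the (weak) anti-spoofing measure that cache-poisoning attacks aim to beat, which is why real resolvers also randomise the source port.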

1B.3 Web Reconnaissance

1. whois
Besides the registration record itself, compare the registrar, name servers and
creation dates of the target's domains to find related domains registered by the
same organisation, and look up the web server's IP address in the RIR record to
see whether the site is self-hosted or sits behind a hosting provider or CDN.

Lab1 B- Network Scanning

Objective: Scan the network to identify open ports, OS detection, service scanning and
vulnerability scanning.

Outcomes:
1. To install and use network scanner (nmap) and web server scanner (nikto)
2. To explore various scanning mechanisms.
3. To enumerate the open ports and identify vulnerable services.
4. To detect the operating system and associated vulnerability
5. To identify the exploit with respect to vulnerable services.
System Requirements:
3 workstations installed with Kali Linux/Fedora Linux Core/Ubuntu and Windows XP
Nmap, nmapfe, zenmap etc

Background: ISO-OSI Layered Architecture of Computer Communication Network

OSI Model   Layer         Description                                        Protocols
Layer No.   Name
Layer 7     Application   The application software that is sending and       HTTP, FTP, and Telnet
                          receiving data
Layer 6     Presentation  Defines how data is formatted or organized         ASCII, JPEG, PDF, PNG, and DOCX
Layer 5     Session       Application session control, management,           NetBIOS, PPTP, RPC, and SOCKS
                          synchronization, and termination
Layer 4     Transport     End-to-end communication services                  TCP and UDP
Layer 3     Network       Logical system addressing                          IPv4, IPv6, ICMP, and IPSec
Layer 2     Data link     Physical system addressing                         ARP
Layer 1     Physical      The data stream that is passed over the wire
Discovery scanning:
Discovery scanning is the process of identifying live hosts on a network. In a
penetration test it is performed to build the target list: the objective is not to
exhaust resources gathering information about each host but to find out where the
targets are logically located. The final product of discovery is a list of IP
addresses that feeds the later port, service and vulnerability scans. In this
laboratory we will see how to discover hosts using protocols operating at layer 2,
layer 3 and layer 4 of the OSI model. Layer 2 (ARP) discovery only works on the
local segment but cannot be blocked by host firewalls; layer 3 (ICMP) reaches across
routers but is often filtered; layer 4 (TCP/UDP probes to common ports) finds hosts
that drop ICMP. This will include each of the following steps using:
● Scapy to perform layer 2 discovery
● ARPing to perform layer 2 discovery
● Nmap to perform layer 2 discovery
● NetDiscover to perform layer 2 discovery
● Metasploit to perform layer 2 discovery
● ICMP ping to perform layer 3 discovery
● Scapy to perform layer 3 discovery
● Nmap to perform layer 3 discovery
● fping to perform layer 3 discovery
● hping3 to perform layer 3 discovery
● Scapy to perform layer 4 discovery
● Nmap to perform layer 4 discovery
● hping3 to perform layer 4 discovery

Procedure: Let's explore nmap: network host scanner, port scanner, OS fingerprinting,
service scanner and vulnerability scanner (the last via NSE scripts).
NMAP: Network exploration tool and security/port scanner
Description:
Nmap is short for Network Mapper. It is an open-source security tool for network exploration,
security scanning, and auditing.

1: Scan a single host or an IP address (IPv4)


$sudo nmap 192.168.1.1

Scan a host name with more info


$sudo nmap -v servername

Short analysis:
With no options, nmap first checks that the host is up (host discovery) and then
scans its 1000 most common TCP ports; run as root it uses a SYN (half-open) scan,
otherwise a full TCP connect scan. Each port is reported as open, closed or
filtered, with the service name taken from nmap's port table rather than from the
service itself. A default scan does not detect the operating system or service
versions; that requires -O, -sV or -A (step 5). The "-v" option increases
verbosity, showing the scan phases and hosts as they are found.
2. Scan multiple IP address or subnet (IPv4)
$sudo nmap 192.168.1.1 192.168.1.2 192.168.1.3

Comma-separated values in the last octet address hosts in the same subnet, i.e. 192.168.1.0/24:


$sudo nmap 192.168.1.1,2,3

You can scan a range of IP address too:


$sudo nmap 192.168.1.1-20
You can scan a range of IP address using a wildcard:
$sudo nmap 192.168.1.*
Finally, you scan an entire subnet:
$sudo nmap 192.168.1.0/24
Short analysis:
nmap accepts several target notations in one command: separate addresses, a
comma-separated list of values in an octet, a dash range, a wildcard for a whole
octet, and CIDR notation. A /24 covers 256 addresses, network and broadcast
addresses included, and a full default scan takes correspondingly longer; choose the
narrowest expression that covers the agreed scope, because a slip such as
192.168.1.0/16 would sweep 65,536 addresses, most of them outside it.
3: Read list of hosts/networks from a file (IPv4)
The -iL option allows you to read the list of target systems using a text file. This is useful to
scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
File contents (one target expression per line; 192.168.1.1/24 denotes the same
block as 192.168.1.0/24, since nmap ignores the host bits):
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
The syntax is:
$sudo nmap -iL /tmp/test.txt
Short analysis:
The -iL option reads target expressions from a file, one or more per line, in any
of the notations above. Keeping the scope in a file makes it reviewable and reusable
across scans, and avoids retyping long target lists. Hostnames such as localhost are
resolved by nmap before scanning.
4: Excluding hosts/networks (IPv4)
When scanning a large number of hosts/networks you can exclude hosts from a scan:
$sudo nmap 192.168.1.0/24 --exclude 192.168.1.5
$sudo nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
OR exclude list from a file called /tmp/exclude.txt
$sudo nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

Short analysis:
--exclude and --excludefile remove hosts or networks from the scope even when a
broader expression includes them. Put out-of-scope production systems and fragile
devices (printers, industrial controllers) that may crash under a scan in the
exclude file, so that a broad /24 sweep never touches them.
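The target notations of steps 2 to 4 (address lists, dash ranges, wildcards, CIDR, -iL files and exclusions), implemented as an added example that is not nmap's own code: a Python expander that enumerates exactly which addresses an expression covers, so the size of a scan can be checked before it runs. Each comma-separated item of --exclude is passed as its own string; hostnames are passed through unexpanded, since nmap resolves those; de-duplicating an address named twice is a choice of this example.

```python
"""Added example (not nmap's code): expand nmap-style target expressions and
exclusions. Supports single addresses, comma lists and dash ranges inside an
octet, the `*` wildcard, CIDR blocks, and -iL/--excludefile style files."""
import ipaddress
from typing import Iterable, Iterator, List, Set


def _octet_values(spec: str) -> List[int]:
    """'1,2,3' -> [1,2,3]; '1-20' -> 1..20; '*' -> 0..255; '5' -> [5]."""
    values: List[int] = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range {part!r}")
            values.extend(range(lo, hi + 1))
        else:
            n = int(part)
            if not 0 <= n <= 255:
                raise ValueError(f"bad octet {part!r}")
            values.append(n)
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address (as a string) covered by one target expression."""
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return                                   # blank or comment line in a list file
    if "/" in spec:
        # CIDR: the whole block, network and broadcast addresses included; the
        # host bits are ignored, so 192.168.1.1/24 equals 192.168.1.0/24.
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4 or any(c.isalpha() for c in spec):
        yield spec                               # hostname: left for the resolver
        return

    def walk(i: int, prefix: List[int]) -> Iterator[str]:
        if i == 4:
            yield ".".join(map(str, prefix))
            return
        for v in _octet_values(octets[i]):       # ranges may appear in any octet
            yield from walk(i + 1, prefix + [v])

    yield from walk(0, [])


def expand_targets(specs: Iterable[str], excludes: Iterable[str] = ()) -> List[str]:
    """All addresses named by `specs`, in order, minus those named by `excludes`.
    An address named twice is returned once (a choice of this example)."""
    excluded: Set[str] = {ip for e in excludes for ip in expand_target(e)}
    seen: Set[str] = set()
    out: List[str] = []
    for spec in specs:
        for ip in expand_target(spec):
            if ip not in seen and ip not in excluded:
                seen.add(ip)
                out.append(ip)
    return out


def load_list(path: str) -> List[str]:
    """Read an -iL / --excludefile style file: one or more targets per line."""
    with open(path) as f:
        return [tok for line in f for tok in line.split()]


if __name__ == "__main__":
    # Mirrors /tmp/test.txt from step 3 (constructed here; no file is read).
    targets = ["192.168.1.0/24", "192.168.1.1/24", "10.1.2.3", "localhost"]
    print(len(expand_targets(targets, excludes=["192.168.1.5", "192.168.1.254"])))
```

Running this over a scan list before launching nmap is a cheap scope check: if the count is far above what the engagement letter covers, a typo in a prefix length is the usual cause.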

5: Turn on OS and version detection scanning script (IPv4)


$sudo nmap -A 192.168.1.254

$sudo nmap -v -A 192.168.1.1

$sudo nmap -A -iL /tmp/scanlist.txt


Short analysis:
-A is an aggressive scan that combines OS detection (-O), service/version
detection (-sV), the default NSE script set (-sC) and traceroute (--traceroute).
Version detection connects to each open port and sends protocol probes, and the
default scripts query the services further, so -A is far noisier and slower than a
plain port scan and must only be run against hosts in scope. The second command adds
verbosity, and the third applies -A to every host in the list.
6: Find out if a host/network is protected by a firewall
$sudo nmap -sA 192.168.1.254

$sudo nmap -sA server1

Short analysis:
An ACK scan (-sA) never determines whether a port is open. It sends TCP packets
with only the ACK flag set; a host that is not firewalled answers every one with
RST, so nmap reports the port as unfiltered, while packets that are dropped or
answered with ICMP errors are reported as filtered. Comparing the ACK-scan result
with a SYN scan therefore shows whether a stateful firewall sits in front of the
host and which ports it lets through.
7: Scan a host when protected by the firewall
$sudo nmap -PN 192.168.1.1

$sudo nmap -PN server1

Short analysis:
-PN (spelled -Pn in current nmap releases; the old form is still accepted) disables
host discovery and treats every target as up. Without it, nmap skips any host that
ignores its discovery probes (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP
timestamp), which is exactly what a firewalled host does, so the port scan would
never run. With -Pn the port scan proceeds regardless of the firewall. The price is
that every address in a range is scanned whether or not anything is there, so -Pn
over a large network is slow; reserve it for specific hosts you know exist.
8: Scan a network and find out which servers and devices are up and running
This is known as host discovery or ping scan:
$sudo nmap -sP 192.168.1.0/24
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 seconds

Short analysis:
-sP (now spelled -sn) performs host discovery only and skips the port scan. On the
local subnet, run as root, nmap uses ARP requests, which every host must answer, so
the result is complete; for remote networks it sends the ICMP echo, TCP SYN/ACK and
ICMP timestamp probes, and hosts that filter all of them are reported as down. The
last line of output summarises how many of the 256 addresses responded.
9: How do I perform a fast scan?
$sudo nmap -F 192.168.1.1

Short analysis:
-F scans only the 100 most common ports (from nmap's services table) instead of the
default 1000, so it finishes roughly ten times faster. It is useful for a first look
at a host or a large range, but a service on an unusual port will be missed; follow
up with -p- (all 65535 ports) on hosts of interest.

10: Display the reason a port is in a particular state


$sudo nmap --reason 192.168.1.1
$sudo nmap --reason server1

Short analysis:
--reason shows the packet that led nmap to each conclusion: syn-ack for an open
port, reset for a closed one, no-response or an ICMP error (such as
host-prohibited) for a filtered one, and so on. This matters when interpreting
firewalled hosts, since a port can be reported filtered for several different
reasons, and it is the evidence to record when documenting results.
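The layer-4 discovery listed in the Discovery scanning section and the state/reason reporting of --reason, as an added example that is not nmap's code: a Python TCP connect probe (the equivalent of a non-root `nmap -sT --reason`) that classifies each port from the handshake outcome. A connect scan completes the three-way handshake, so it needs no raw-socket privilege, but it is noisier than a SYN scan and appears in the service's logs. To run offline, the demo starts its own throwaway listener on 127.0.0.1 and scans the ports around it; the host, ports and timeouts are assumptions for the example.

```python
"""Added example (not nmap's code): a TCP connect probe that records the
reason behind each port state, as `nmap --reason` does for a connect scan."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 1.0) -> Tuple[str, str]:
    """Return (state, reason) for one port, using nmap's reason vocabulary."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open", "syn-ack"            # handshake completed
        except ConnectionRefusedError:
            return "closed", "conn-refused"     # host answered with RST
        except socket.timeout:
            return "filtered", "no-response"    # dropped, most likely by a firewall
        except OSError as e:                    # e.g. host unreachable (ICMP error)
            return "filtered", e.strerror or "error"


def scan(host: str, ports: Iterable[int], workers: int = 50,
         timeout: float = 1.0) -> Dict[int, Tuple[str, str]]:
    """Probe `ports` concurrently; returns {port: (state, reason)}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, results))


def open_ports(results: Dict[int, Tuple[str, str]]) -> List[int]:
    """The --open view: only ports whose handshake completed."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


class LocalListener:
    """A throwaway TCP service on 127.0.0.1 so the demo scan has something to find."""

    def __enter__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free one
        self.sock.listen(16)
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self._stop = False
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()
        return self

    def _serve(self):
        while not self._stop:
            try:
                conn, _ = self.sock.accept()
                conn.close()                     # accept and drop, like a silent service
            except socket.timeout:
                continue
            except OSError:
                break

    def __exit__(self, *exc):
        self._stop = True
        self.sock.close()
        self.thread.join()


def demo() -> Tuple[int, Dict[int, Tuple[str, str]]]:
    """Scan a five-port window around the listener; returns (listener port, results)."""
    with LocalListener() as svc:
        return svc.port, scan("127.0.0.1", range(svc.port - 2, svc.port + 3), timeout=0.5)


if __name__ == "__main__":
    port, results = demo()
    for p, (state, reason) in sorted(results.items()):
        print(f"{p}/tcp {state:9} {reason}")
    print("open:", open_ports(results))
```

Against a real target the "filtered / no-response" branch is the one to study: it fires both for a firewall silently dropping SYNs and for plain packet loss, which is why nmap retransmits before committing to that state and why --reason is worth keeping in every report.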
11: Only show open (or possibly open) ports
$sudo nmap --open 192.168.1.1
$sudo nmap --open server1

Short analysis:
Utilizing the "--open" option in these nmap commands streamlines the scan output by displaying
only the information related to open (or possibly open) ports on the target host.
12: Show all packets sent and received
$sudo nmap --packet-trace 192.168.1.1
$sudo nmap --packet-trace server1

Short analysis:
--packet-trace prints every packet nmap sends and receives, with flags and timing,
which is the quickest way to see what a given scan type actually does on the wire
and to debug results that make no sense (for example when a firewall answers on the
target's behalf). The output is very long; restrict it to a few ports with -p.

Conclusion:
● In this practical, we learnt network reconnaissance using Nmap: host discovery,
port scanning, and the options that control scan scope and output.
● We explored various Nmap commands, covering important techniques like host
discovery, scanning multiple hosts, excluding specific targets, enabling OS and
version detection, and interpreting port states.
● The commands demonstrated how Nmap identifies live hosts and open ports, and how
-A and --reason provide the service and state information needed to move on to
vulnerability assessment.
