Network Recon Summary
Nmap is a fundamental tool that most people will use to conduct network reconnaissance against targets. In addition to its networking capabilities, Nmap has a large library of scripts for enumeration, password attacks and more.
Breaking down the default scan (no options)
$ nmap 192.168.1.1
Note: We will break down the nmap scan one option at a time. After describing each option we will add it to the command and move on. The aim is that you understand your tools better.
An nmap scan with no options defaults to a TCP SYN scan, also known as a half-open scan, which is the -sS option (nmap -sS <ip>). The scan is said to be stealthier because a completed three-way handshake never occurs ( https://www.techopedia.com/definition/10339/three-way-handshake ). Note that SYN scanning needs raw-packet privileges (root); run as an unprivileged user, nmap falls back to a TCP connect scan (-sT) instead. This is what the command would look like:
$ nmap -sS 192.168.1.1
In addition, according to the man page, “If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request… These defaults are equivalent to the -PE -PS443 -PA80 -PP options.” The interpreted command, with the implicit options spelled out so far, would look like:
$ nmap -sS -PE -PS443 -PA80 -PP 192.168.1.1
As far as port scanning goes, nmap defaults to the top 1,000 most common ports, making the command now as follows:
$ nmap -sS -PE -PS443 -PA80 -PP --top-ports 1000 192.168.1.1
Scanning ports
Networking can be summed up with two types of traffic: TCP (stateful) and UDP (stateless). To read about the differences, check out the following link: http://www.diffen.com/difference/TCP_vs_UDP . One thing to remember when running UDP scans is that they take much longer to run than TCP scans, so we don’t want to scan all UDP ports. However, feel free to scan all 65,535 TCP ports. Both can be scanned at the same time using the following syntax, where “T:” is for TCP ports and “U:” is for UDP ports:
$ nmap -p T:1-65535,U:161,162 192.168.1.1
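The “T:” and “U:” qualifiers follow a simple rule that is worth checking before a scan: a qualifier applies to every item after it until another qualifier appears, and items before any qualifier apply to every protocol being scanned. The parser below is an added example (not part of the original post and not Nmap’s own code) that expands a port specification the way nmap’s documented -p grammar does, so you can see how many TCP and UDP ports a given string will actually produce; the function names are my own.

```python
"""Expand an Nmap -p style port specification such as "T:1-65535,U:161,162".

Added example mirroring Nmap's documented -p grammar: comma-separated ports or
low-high ranges, with an optional "T:" (TCP) or "U:" (UDP) qualifier that
applies to every following item until another qualifier appears. Items before
any qualifier apply to all protocols being scanned (both, in a combined
TCP+UDP scan). The SCTP/IP-protocol qualifiers are deliberately not handled.
"""
from __future__ import annotations


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {"tcp": {...}, "udp": {...}} for an Nmap -p style string."""
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    # No qualifier seen yet: items apply to every protocol, as with "-p 22,80".
    current: tuple[str, ...] = ("tcp", "udp")
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty item in port specification")
        if ":" in item:
            qualifier, item = item.split(":", 1)
            qualifier = qualifier.strip().upper()
            if qualifier == "T":
                current = ("tcp",)
            elif qualifier == "U":
                current = ("udp",)
            else:
                raise ValueError(f"unsupported protocol qualifier {qualifier!r}")
        if "-" in item:
            # "1-1024", or open-ended "-" / "1000-" as Nmap allows.
            low_s, high_s = item.split("-", 1)
            low = int(low_s) if low_s else 1
            high = int(high_s) if high_s else 65535
        else:
            low = high = int(item)
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"port range out of bounds: {item!r}")
        for proto in current:
            ports[proto].update(range(low, high + 1))
    return ports


def summarize(spec: str) -> dict[str, int]:
    """Count how many TCP and UDP ports a specification expands to."""
    return {proto: len(p) for proto, p in parse_port_spec(spec).items()}


if __name__ == "__main__":
    for spec in ("T:1-65535,U:161,162", "22,80,443", "T:22,U:53,161"):
        print(f"{spec:24} -> {summarize(spec)}")
```

Running it shows why the post’s advice matters: the full TCP range expands to 65,535 ports while the UDP part stays at two, and a string like “T:22,U:53,161” puts 161 under UDP because the “U:” qualifier is still in effect.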
Service and OS Detection
Two additional options that are needed for good initial reconnaissance are service detection (including the service version) and operating system detection. These bits of information will guide which other attacks and recon methods you choose to use. One thing to note is that OS detection will not always be accurate, but the information is great if you can get it.
$ nmap -sV -O 192.168.1.1
Starter Syntax
Below is a good start for your Nmap network scan command:
nmap -O -sV -p T:1-65535,U:161,162 192.168.1.1
Conclusion
Hopefully, this has helped you better understand Nmap and how powerful the tool is. Please visit https://nmap.org to learn more and really dig into the great documentation that Fyodor Vaskovich and his team have put together. After you have conquered the basics, don’t forget to check out the NSE scripts.
Often, I hear the question above from folks in college or just graduating; somehow their journey in life took them through a hacker/pen testing/offensive experience and it changed their life. Who wouldn’t want to do this for a living? I mean, it is amazing to be able to hang out with brilliant people who are insanely passionate, just like you! Below is a list of a few steps you can take to get a better foundation in hackery. In addition to this blog, I will release a few others to coincide with this information and go into more depth in these areas.
1. Play with Kali
The easiest way that I find to work with Kali is to download the VMware image from Offensive Security and run it. If you are of the VirtualBox inclination, they also have a version compatible with that virtualization product. Once you have Kali up and working, play with the tools, look up the tools, and get a feel for Linux if you are new to that type of operating system. OverTheWire is a great site to start picking up these skills, as the challenges begin with simple Linux familiarity and move up to CTF-style challenges.
2. Learn the basics
You can’t just start “hacking” into systems without learning the basics first. This knowledge base includes networking, operating systems, command line fu, web, and common protocols. Some of this information can be gained through certifications such as the Security+, Certified Ethical Hacker (CEH), and eLearnSecurity, as well as just googling and looking on YouTube. If you are the broke college student type, there are plenty of free resources out there; check out the last one below to get a start.
3. Capture the Flag!
CTFs are a great way to meet people and practice some of the skills you have learned. Although some of these are rather “gamey” experiences, you will get more comfortable with your tools and the command line, and learn some interesting things from your fellow hackers.
4. Meet other hackers
What better way to gain experience, techniques, and a network than to hang out with others of the same ilk? CTF events are great for this, but they happen irregularly; there are significantly more opportunities to expand socially. Meetups, conferences and other organization events are fantastic ways to expand your horizons. If there aren’t any in your area and you aren’t willing to travel, then make your own meetup and get the ball rolling!
Now that you have decided to start learning some offensive skills, where should you start? This is the most asked question from folks just climbing into the arena. Luckily there are loads of free tools and guides out there. This post is meant to get you up and running with an Operating System and the tools you need as well as a machine to test against.
Download and Install VMware Player
I am partial to VMware because that is what I use; however, VirtualBox is out there as well. VMware Player can be downloaded from here:
Download and Install Kali
Kali can be found on the Offensive Security website as they are the ones that maintain the project now (https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/). In order to get the operating system going:
NOTE: Some people have issues here related to Intel VT-x not being enabled. Simply enable and you are good to go. Follow the section "Turn Intel VT-x On in Your BIOS or UEFI Firmware" on this page.
Find a Victim Test Machine
Now that we have Kali up and running, let’s find a victim to start practicing on. Vulnhub is a great place to find vulnerable virtual machines and has a lot of user-driven content. At the link https://www.vulnhub.com/faq/ Vulnhub recommends De-ICE: S1.100, De-ICE: S1.110 & De-ICE: S2.100, Metasploitable 1.0, and pWnOS 1.0 as starter VMs. I will use Metasploitable as an example and I highly recommend starting with this one. Perhaps I am a little biased, as I started here myself, but it has many vulnerabilities and great walkthroughs.
Download and Install Metasploitable
Choose Download (Mirror)
Setting Up The Lab
The installation of the virtual machine is the same as above, except we now need to set up our lab network. After you have downloaded the VM and opened the .vmx file in VMware, click the Network Adapter link on the left-hand side.
Make sure that host-only is selected in the configuration. This puts the vulnerable system on an isolated virtual network, so it cannot reach, or be reached from, your real network.
Also take the same steps with Kali, so that the two hosts can communicate.
A good walkthrough is found at https://tehaurum.wordpress.com/2015/06/13/metasploitable-walkthrough-an-exploitation-guide/. Unfortunately, these guides start with a service scan and not a discovery scan, but at this point we do not know the IP address of the target, so we would not be able to follow the examples directly.
Next, run ifconfig to determine the subnet Kali is on.
Looking at the subnet mask, I am on a Class C subnet (255.255.255.0). This means that the only numbers that vary are in the last octet, where the zero is located. The addresses available are 192.168.206.0 to 192.168.206.255. I won’t get into networking theory, as that is something you should be looking up yourself. We can represent this range in two simple forms for nmap consumption: CIDR (192.168.206.0/24) or octet ranges (192.168.206.0-255). Our nmap command is then:
# nmap 192.168.206.0/24
Four hosts were found with the nmap scan, so how do we determine which one is the target? In this case, it is a process of elimination. We know what our own host address is, we know the target and our host should have IP addresses that are numerically close, and we know the target should have open ports. Using that information, we can see that our target is x.x.x.129.
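The two steps above (turning the ifconfig address and mask into an nmap target, then eliminating hosts in the discovery scan) can be automated once you save the scan with -oX. The script below is an added example, not part of the original post and not Nmap’s own code; it uses only the Python standard library, and the XML embedded in it is a constructed sample in the shape nmap -oX writes (four hosts, made-up addresses and ports, one of which is the lab target at .129). It also reads the service names that -sV fills in, so the same parser works on the post’s starter syntax scan. The function names are my own.

```python
"""Derive nmap target forms from an interface address and pick the lab target
out of a discovery scan's XML output. Added example; uses only the stdlib."""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX - 192.168.206.0/24` output (abridged):
# .1 is the virtual gateway, .2 is filtered, .128 is our Kali box with nothing
# listening, and .129 is the Metasploitable-style target with open services.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX - 192.168.206.0/24">
  <host><status state="up"/><address addr="192.168.206.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port></ports>
  </host>
  <host><status state="up"/><address addr="192.168.206.2" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="1000"/></ports>
  </host>
  <host><status state="up"/><address addr="192.168.206.128" addrtype="ipv4"/>
    <ports><extraports state="closed" count="1000"/></ports>
  </host>
  <host><status state="up"/><address addr="192.168.206.129" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def nmap_target_forms(ip: str, netmask: str) -> tuple[str, str]:
    """Return (CIDR form, per-octet range form) of the network ip/netmask is on.

    For 192.168.206.128 / 255.255.255.0 this yields
    ("192.168.206.0/24", "192.168.206.0-255"), the two forms used in the post.
    Because a CIDR block is aligned, its addresses are exactly the product of
    per-octet ranges, so the octet form is valid for any prefix length.
    """
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    first, last = net.network_address.packed, net.broadcast_address.packed
    octets = [str(a) if a == b else f"{a}-{b}" for a, b in zip(first, last)]
    return str(net), ".".join(octets)


def live_hosts(xml_text: str) -> list[dict]:
    """List every host nmap reported up, with its open (port, proto, service)."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports.append((int(port.get("portid")), port.get("protocol"),
                                   svc.get("name") if svc is not None else ""))
        hosts.append({"addr": addr.get("addr"), "open": open_ports})
    return hosts


def pick_target(hosts: list[dict], my_ip: str) -> dict | None:
    """The post's process of elimination: not our own box, has open ports,
    and numerically closest to our own address. Returns None if nothing fits."""
    mine = int(ipaddress.ip_address(my_ip))
    candidates = [h for h in hosts if h["addr"] != my_ip and h["open"]]
    if not candidates:
        return None
    return min(candidates,
               key=lambda h: abs(int(ipaddress.ip_address(h["addr"])) - mine))


if __name__ == "__main__":
    my_ip = "192.168.206.128"  # what ifconfig showed on Kali (constructed)
    cidr, octets = nmap_target_forms(my_ip, "255.255.255.0")
    print(f"scan with: nmap -oX scan.xml {cidr}   (or {octets})")
    target = pick_target(live_hosts(SAMPLE_XML), my_ip)
    print("likely target:", target["addr"] if target else "none found")
    for port, proto, svc in (target["open"] if target else []):
        print(f"  {port}/{proto} {svc}")
```

If pick_target returns None you are in the situation the next section describes: the only live host is your own, which means the two VMs are not on the same virtual network.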
I had the error listed below and had to change networks so the IP addresses are different in the last picture. Also note, this is the scan for Mr.Robot not Metasploitable.
Can’t find victim on network
If for some reason you did not detect any live hosts other than your Kali box, you have a networking issue. Below you can see that the only IP listed is mine, the same one from the ifconfig command.
The easiest way I have found is to create a custom network and restart the victim VM.
1. At the top of VMware go to edit -> Virtual Network Editor
2. Click “Change Settings” in the lower right
3. Click “yes” and then “Add Network”. Select a VMnet name that is not in use and then OK.
4. Ensure that it is “host only” and note the subnet.
5. Using my example, we should see an IP in the 192.168.186.0/24 subnet when we run ifconfig on Kali. Hit Apply.
6. Now we must change the network for each host to the new network.
7. VM ->Settings->Network Adapter.
8. Select “Custom:” and the network we added. Go ahead and hit ok to apply changes.
9. In Kali run “ifconfig”; if you do not see a change, run “dhclient eth0” followed by “ifconfig” again to verify the change.
10. Now do the same to the victim VM but instead of using “ifconfig” and “dhclient” just restart the box.
11. VM -> Power -> Restart Guest
Could not get vmci driver version: The handle is invalid, You have an incorrect version of driver ‘vmci.sys’