Latest Posts

Pen Test Lab - 3.Active Information Gathering

Unlike passive information gathering, which involves an intermediate system for gathering information, active information gathering involves a direct connection with the target.The client probes for information directly with the target with no intermediate system in between. While this technique may reveal much more information than passive information gathering, there's always a chance of security alarms going off on the target system. Since there's a direct connection with the target system, all the information requests would be logged and can later be traced back to the source. The following diagram depicts active information gathering where the client is directly probing the target system:

Read this article to find out if  Unauthorized Port Scanning is a Crime?

    OSI Model / TCP/IP Model

    The Open Systems Interconnection model (OSI model) is a conceptual model that characterises and standardises the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols.

    The TCP/IP model is a concise version of the OSI model. It contains four layers, unlike seven layers in the OSI model. The layers are:
    1. Process/Application Layer
    2. Host-to-Host/Transport Layer
    3. Internet Layer
    4. Network Access/Link Layer

    Mapping between OSI Model and TCP/IP Model:

    Difference between TCP/IP and OSI Model:

    OSI(Open System Interconnection)

    TCP/IP(Transmission Control Protocol / Internet Protocol)

    1. OSI is a generic, protocol independent standard, acting as a communication gateway between the network and end user.

    1. TCP/IP model is based on standard protocols around which the Internet has developed. It is a communication protocol, which allows connection of hosts over a network.

    2. In OSI model the transport layer guarantees the delivery of packets.

    2. In TCP/IP model the transport layer does not guarantees delivery of packets. Still the TCP/IP model is more reliable.

    3. Follows vertical approach.

    3. Follows horizontal approach.

    4. OSI model has a separate Presentation layer and Session layer.

    4. TCP/IP does not have a separate Presentation layer or Session layer.

    5. Transport Layer is Connection Oriented.

    5. Transport Layer is both Connection Oriented and Connection less.

    6. Network Layer is both Connection Oriented and Connection less.

    6. Network Layer is Connection less.

    7. OSI is a reference model around which the networks are built. Generally it is used as a guidance tool.

    7. TCP/IP model is, in a way implementation of the OSI model.

    8. Network layer of OSI model provides both connection oriented and connectionless service.

    8. The Network layer in TCP/IP model provides connectionless service.

    9. OSI model has a problem of fitting the protocols into the model.

    9. TCP/IP model does not fit any protocol

    10. Protocols are hidden in OSI model and are easily replaced as the technology changes.

    10. In TCP/IP replacing protocol is not easy.

    11. OSI model defines services, interfaces and protocols very clearly and makes clear distinction between them. It is protocol independent.

    11. In TCP/IP, services, interfaces and protocols are not clearly separated. It is also protocol dependent.

    12. It has 7 layers

    12. It has 4 layers

    Layer 2 Discovery - Arping / netdiscover

    Layer 2 tools can act faster than layer 3 but it can not go to another network. The packets stays in the same network.

    └─# arping -c 3                                                                                                      1 ⨯
    60 bytes from 00:78:cd:00:fd:f4 ( index=0 time=4.034 msec
    60 bytes from 00:78:cd:00:fd:f4 ( index=1 time=2.622 msec
    60 bytes from 00:78:cd:00:fd:f4 ( index=2 time=3.788 msec
    --- statistics ---
    3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
    rtt min/avg/max/std-dev = 2.622/3.481/4.034/0.616 ms
    Mac Address Look Up:

    Active discover:

    └─# netdiscover -i eth0 -r    
     Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                      
     172 Captured ARP Req/Rep packets, from 30 hosts.   Total size: 10320                                                               
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
     -----------------------------------------------------------------------------         08:ea:40:f8:48:a2     48    2880  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                                  08:ea:40:fc:48:f3     46    2760  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                                  08:ea:40:f8:44:63     36    2160  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                              00:78:cd:00:fd:f4      1      60  Ignition Design Labs                                                              08:cc:68:40:71:c1      1      60  Cisco Systems, Inc                                                                00:0c:29:1b:b7:e1      1      60  VMware, Inc.      

    Passive discover: 

    └─# netdiscover -p   
     Currently scanning: (passive)   |   Screen View: Unique Hosts                                                                      
     307 Captured ARP Req/Rep packets, from 12 hosts.   Total size: 18420                                                               
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
     -----------------------------------------------------------------------------         08:ea:40:f8:44:63     94    5640  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                            24:be:05:e2:40:8f     13     780  Hewlett Packard                                                                       08:ea:40:f8:48:a2     82    4920  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                                  08:ea:40:fc:48:f3     82    4920  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                                  00:78:cd:03:d3:00      6     360  Ignition Design Labs                                                            00:78:cd:03:d3:00      2     120  Ignition Design Labs                                                            5c:cf:7f:73:26:55     13     780  Espressif Inc.                                                                        00:78:cd:01:05:b8      6     360  Ignition Design Labs                                                                  00:78:cd:03:d7:40      4     240  Ignition Design Labs

    Layer 3 Discovery - Ping

    Layer 3 tools can be used to discover different networks. 
    • Ping
      • ping 
    • Traceroute
      • tracertout
    • hping
      • Use traceroute mode (–traceroute), be verbose (-V) in ICMP mode (-1) against the target (
      • -q: brief output. -c: packets numbers. -d:packet site. -S:SYN packets.  -p:Port Number. -w:tcp window size. --flood: shoot at discretion, replies will be ignored. --rand-source: hide source ip using a fake random ip. 
        • hping3 -q -c 10 -d 120 -S -w 64 -p 80 --flood --rand-source 
    • Fping
      • fping -g -c 1 | grep ms > results.txt
      • fping -g -q -a

    [email protected]:~# cat fping.txt   : [0], 84 bytes, 0.12 ms (0.12 avg, 0% loss) : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
    [email protected]:~# awk '//{printf "%s\n",$1}' fping.txt

    Layer 4 Discovery - Nmap

    According to the official Nmap website –

    "Nmap  is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. "

    Nmap Target Selection

    Scan a single IPnmap
    Scan a hostnmap
    Scan a range of IPsnmap
    Scan a subnetnmap
    Scan targets from a text filenmap -iL list-of-ips.txt

    Nmap Port Selection

    Scan a single Portnmap -p 22
    Scan a range of portsnmap -p 1-100
    Scan 100 most common ports (Fast)nmap -F
    Scan all 65535 portsnmap -p-

    Nmap Port Scan types

    Scan using TCP connectnmap -sT
    Scan using TCP SYN scan (default)nmap -sS
    Scan UDP portsnmap -sU -p 123,161,162
    Scan selected ports - ignore discoverynmap -Pn -F

    Service and OS Detection

    Detect OS and Servicesnmap -A
    Standard service detectionnmap -sV
    More aggressive Service Detectionnmap -sV --version-intensity 5
    Lighter banner grabbing detectionnmap -sV --version-intensity 0

    Nmap Output Formats

    Save default output to filenmap -oN outputfile.txt
    Save results as XMLnmap -oX outputfile.xml
    Save results in a format for grepnmap -oG outputfile.txt
    Save in all formatsnmap -oA outputfile

    Digging deeper with NSE Scripts

    Scan using default safe scriptsnmap -sV -sC
    Get help for a scriptnmap --script-help=ssl-heartbleed
    Scan using a specific NSE scriptnmap -sV -p 443 –script=ssl-heartbleed.nse
    Scan with a set of scriptsnmap -sV --script=smb*

    A scan to search for DDOS reflection UDP services

    Scan for UDP DDOS reflectorsnmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr

    HTTP Service Information

    Gather page titles from HTTP servicesnmap --script=http-title
    Get HTTP headers of web servicesnmap --script=http-headers
    Find web apps from known pathsnmap --script=http-enum

    Detect Heartbleed SSL Vulnerability

    Heartbleed Testingnmap -sV -p 443 --script=ssl-heartbleed

    IP Address information

    Find Information about IP addressnmap --script=asn-query,whois,ip-geolocation-maxmind

    Layer 4 Discovery - Scapy 

    Default arp packet header configuration:
    >>> ARP().display()
    ###[ ARP ]### 
      hwtype= 0x1
      ptype= IPv4
      hwlen= None
      plen= None
      op= who-has
      hwsrc= 00:0c:29:fc:11:ce
      hwdst= 00:00:00:00:00:00
    >>> sr1(ARP(pdst=""))
    Begin emission:
    Finished sending 1 packets.
    Received 1 packets, got 1 answers, remaining 0 packets
    <ARP  hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=is-at hwsrc=00:78:cd:00:fd:f4 psrc= hwdst=00:0c:29:fc:11:ce pdst= |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>                                     

    Default IP / ICMP header configuration: 

    >> IP().display()
    ###[ IP ]### 
      version= 4
      ihl= None
      tos= 0x0
      len= None
      id= 1
      frag= 0
      ttl= 64
      proto= hopopt
      chksum= None
    >>> ICMP().display()
    ###[ ICMP ]### 
      type= echo-request
      code= 0
      chksum= None
      id= 0x0
      seq= 0x0
    >>> sr1(IP(dst="")/ICMP(),timeout=1)
    Begin emission:
    Finished sending 1 packets.
    Received 1 packets, got 1 answers, remaining 0 packets
    <IP  version=4 ihl=5 tos=0x0 len=28 id=50232 flags= frag=0 ttl=64 proto=icmp chksum=0x3143 src= dst= |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>                                                                                                                        
    Half open port scanning

    >>> TCP().display()
    ###[ TCP ]### 
      sport= ftp_data
      dport= http
      seq= 0
      ack= 0
      dataofs= None
      reserved= 0
      flags= S
      window= 8192
      chksum= None
      urgptr= 0
      options= []
    >>> sr1(IP(dst="")/TCP(flags="S",dport=80),timeout=1)
    Begin emission:
    Finished sending 1 packets.
    Received 2 packets, got 1 answers, remaining 0 packets
    <IP  version=4 ihl=5 tos=0x0 len=44 id=0 flags=DF frag=0 ttl=64 proto=tcp chksum=0xb566 src= dst= |<TCP  sport=http dport=ftp_data seq=3654116272 ack=1 dataofs=6 reserved=0 flags=SA window=29200 chksum=0x62bd urgptr=0 options=[('MSS', 1460)] |<Padding  load='\x00\x00' |>>>

    No comments