Pen Test Lab - 3.Active Information Gathering - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Sunday, May 23, 2021

Pen Test Lab - 3.Active Information Gathering

Unlike passive information gathering, which involves an intermediate system for gathering information, active information gathering involves a direct connection with the target.The client probes for information directly with the target with no intermediate system in between. While this technique may reveal much more information than passive information gathering, there's always a chance of security alarms going off on the target system. Since there's a direct connection with the target system, all the information requests would be logged and can later be traced back to the source. The following diagram depicts active information gathering where the client is directly probing the target system:

Read this article to find out if  Unauthorized Port Scanning is a Crime?

OSI Model / TCP/IP Model

The Open Systems Interconnection model (OSI model) is a conceptual model that characterises and standardises the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols.

The TCP/IP model is a concise version of the OSI model. It contains four layers, unlike seven layers in the OSI model. The layers are:
  1. Process/Application Layer
  2. Host-to-Host/Transport Layer
  3. Internet Layer
  4. Network Access/Link Layer

Mapping between OSI Model and TCP/IP Model:

Difference between TCP/IP and OSI Model:

OSI(Open System Interconnection)

TCP/IP(Transmission Control Protocol / Internet Protocol)

1. OSI is a generic, protocol independent standard, acting as a communication gateway between the network and end user.

1. TCP/IP model is based on standard protocols around which the Internet has developed. It is a communication protocol, which allows connection of hosts over a network.

2. In OSI model the transport layer guarantees the delivery of packets.

2. In TCP/IP model the transport layer does not guarantees delivery of packets. Still the TCP/IP model is more reliable.

3. Follows vertical approach.

3. Follows horizontal approach.

4. OSI model has a separate Presentation layer and Session layer.

4. TCP/IP does not have a separate Presentation layer or Session layer.

5. Transport Layer is Connection Oriented.

5. Transport Layer is both Connection Oriented and Connection less.

6. Network Layer is both Connection Oriented and Connection less.

6. Network Layer is Connection less.

7. OSI is a reference model around which the networks are built. Generally it is used as a guidance tool.

7. TCP/IP model is, in a way implementation of the OSI model.

8. Network layer of OSI model provides both connection oriented and connectionless service.

8. The Network layer in TCP/IP model provides connectionless service.

9. OSI model has a problem of fitting the protocols into the model.

9. TCP/IP model does not fit any protocol

10. Protocols are hidden in OSI model and are easily replaced as the technology changes.

10. In TCP/IP replacing protocol is not easy.

11. OSI model defines services, interfaces and protocols very clearly and makes clear distinction between them. It is protocol independent.

11. In TCP/IP, services, interfaces and protocols are not clearly separated. It is also protocol dependent.

12. It has 7 layers

12. It has 4 layers

Layer 2 Discovery - Arping / netdiscover

Layer 2 tools can act faster than layer 3 but it can not go to another network. The packets stays in the same network.

└─# arping -c 3                                                                                                      1 ⨯
60 bytes from 00:78:cd:00:fd:f4 ( index=0 time=4.034 msec
60 bytes from 00:78:cd:00:fd:f4 ( index=1 time=2.622 msec
60 bytes from 00:78:cd:00:fd:f4 ( index=2 time=3.788 msec

--- statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 2.622/3.481/4.034/0.616 ms
Mac Address Look Up:

Active discover:

└─# netdiscover -i eth0 -r    

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                      
 172 Captured ARP Req/Rep packets, from 30 hosts.   Total size: 10320                                                               
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------         08:ea:40:f8:48:a2     48    2880  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                              08:ea:40:fc:48:f3     46    2760  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                              08:ea:40:f8:44:63     36    2160  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                          00:78:cd:00:fd:f4      1      60  Ignition Design Labs                                                          08:cc:68:40:71:c1      1      60  Cisco Systems, Inc                                                            00:0c:29:1b:b7:e1      1      60  VMware, Inc.      

Passive discover: 

└─# netdiscover -p   

 Currently scanning: (passive)   |   Screen View: Unique Hosts                                                                      
 307 Captured ARP Req/Rep packets, from 12 hosts.   Total size: 18420                                                               
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------         08:ea:40:f8:44:63     94    5640  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                        24:be:05:e2:40:8f     13     780  Hewlett Packard                                                                   08:ea:40:f8:48:a2     82    4920  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                              08:ea:40:fc:48:f3     82    4920  SHENZHEN BILIAN ELECTRONIC CO.,LTD                                              00:78:cd:03:d3:00      6     360  Ignition Design Labs                                                        00:78:cd:03:d3:00      2     120  Ignition Design Labs                                                        5c:cf:7f:73:26:55     13     780  Espressif Inc.                                                                    00:78:cd:01:05:b8      6     360  Ignition Design Labs                                                              00:78:cd:03:d7:40      4     240  Ignition Design Labs

Layer 3 Discovery - Ping

Layer 3 tools can be used to discover different networks. 
  • Ping
    • ping 
  • Traceroute
    • tracertout
  • hping
    • Use traceroute mode (–traceroute), be verbose (-V) in ICMP mode (-1) against the target (
      • root@kali:~# hping3 --traceroute -V -1
    • -q: brief output. -c: packets numbers. -d:packet site. -S:SYN packets.  -p:Port Number. -w:tcp window size. --flood: shoot at discretion, replies will be ignored. --rand-source: hide source ip using a fake random ip. 
      • hping3 -q -c 10 -d 120 -S -w 64 -p 80 --flood --rand-source 
  • Fping
    • fping -g -c 1 | grep ms > results.txt
    • fping -g -q -a

root@ubuntu20-04:~# cat fping.txt   : [0], 84 bytes, 0.12 ms (0.12 avg, 0% loss) : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)

root@ubuntu20-04:~# awk '//{printf "%s\n",$1}' fping.txt

Layer 4 Discovery - Nmap

According to the official Nmap website –

"Nmap  is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. "

Nmap Target Selection

Scan a single IPnmap
Scan a hostnmap
Scan a range of IPsnmap
Scan a subnetnmap
Scan targets from a text filenmap -iL list-of-ips.txt

Nmap Port Selection

Scan a single Portnmap -p 22
Scan a range of portsnmap -p 1-100
Scan 100 most common ports (Fast)nmap -F
Scan all 65535 portsnmap -p-

Nmap Port Scan types

Scan using TCP connectnmap -sT
Scan using TCP SYN scan (default)nmap -sS
Scan UDP portsnmap -sU -p 123,161,162
Scan selected ports - ignore discoverynmap -Pn -F

Service and OS Detection

Detect OS and Servicesnmap -A
Standard service detectionnmap -sV
More aggressive Service Detectionnmap -sV --version-intensity 5
Lighter banner grabbing detectionnmap -sV --version-intensity 0

Nmap Output Formats

Save default output to filenmap -oN outputfile.txt
Save results as XMLnmap -oX outputfile.xml
Save results in a format for grepnmap -oG outputfile.txt
Save in all formatsnmap -oA outputfile

Digging deeper with NSE Scripts

Scan using default safe scriptsnmap -sV -sC
Get help for a scriptnmap --script-help=ssl-heartbleed
Scan using a specific NSE scriptnmap -sV -p 443 –script=ssl-heartbleed.nse
Scan with a set of scriptsnmap -sV --script=smb*

A scan to search for DDOS reflection UDP services

Scan for UDP DDOS reflectorsnmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr

HTTP Service Information

Gather page titles from HTTP servicesnmap --script=http-title
Get HTTP headers of web servicesnmap --script=http-headers
Find web apps from known pathsnmap --script=http-enum

Detect Heartbleed SSL Vulnerability

Heartbleed Testingnmap -sV -p 443 --script=ssl-heartbleed

IP Address information

Find Information about IP addressnmap --script=asn-query,whois,ip-geolocation-maxmind

Layer 4 Discovery - Scapy 

Default arp packet header configuration:
>>> ARP().display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:fc:11:ce
  hwdst= 00:00:00:00:00:00
>>> sr1(ARP(pdst=""))
Begin emission:
Finished sending 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=is-at hwsrc=00:78:cd:00:fd:f4 psrc= hwdst=00:0c:29:fc:11:ce pdst= |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>                                     

Default IP / ICMP header configuration: 

>> IP().display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  frag= 0
  ttl= 64
  proto= hopopt
  chksum= None

>>> ICMP().display()
###[ ICMP ]### 
  type= echo-request
  code= 0
  chksum= None
  id= 0x0
  seq= 0x0

>>> sr1(IP(dst="")/ICMP(),timeout=1)
Begin emission:
Finished sending 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
<IP  version=4 ihl=5 tos=0x0 len=28 id=50232 flags= frag=0 ttl=64 proto=icmp chksum=0x3143 src= dst= |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>                                                                                                                        

Half open port scanning

>>> TCP().display()
###[ TCP ]### 
  sport= ftp_data
  dport= http
  seq= 0
  ack= 0
  dataofs= None
  reserved= 0
  flags= S
  window= 8192
  chksum= None
  urgptr= 0
  options= []

>>> sr1(IP(dst="")/TCP(flags="S",dport=80),timeout=1)
Begin emission:
Finished sending 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4 ihl=5 tos=0x0 len=44 id=0 flags=DF frag=0 ttl=64 proto=tcp chksum=0xb566 src= dst= |<TCP  sport=http dport=ftp_data seq=3654116272 ack=1 dataofs=6 reserved=0 flags=SA window=29200 chksum=0x62bd urgptr=0 options=[('MSS', 1460)] |<Padding  load='\x00\x00' |>>>

No comments:

Post a Comment