
Blueprinting The Target Part - 3



Information Gathering


Introduction

     Welcome to module 3 of the workshop. We have been talking about the 90/10 principle and learned that 90 percent of ethical hacking or penetration testing work goes into gathering information about the target network. We have also covered the activities usually performed in the information-gathering phase. In this module, we go hands-on in the virtual hacking lab we built in the previous module.

Prerequisite

  Newcomers are strongly recommended to complete the previous modules first and get the concepts clear. Follow the steps to build the virtual hacking lab explained in the previous two modules.

Quick walkthrough

   In the information gathering phase, you collect as much information about the target network as you can. The phase comprises the four (4) activities listed below.

• Identify live hosts
• Discovering operating systems
• Discovering open ports & services
• Discovering vulnerabilities

Identifying live hosts: The information gathering phase starts by identifying the live hosts in the targeted network. This step has its own importance, because every later activity works only on the hosts found here; if you leave any node undetected, imagine the gap that leaves in your results.

Discovering operating systems: The second step is identifying the operating system of the hosts you detected in the previous step. This activity opens the door to the next one, in which you focus on finding the open ports on those operating systems.

Discovering ports and services: Once you have discovered the operating system type, the next step is to find the open ports and the services hosted on these hosts' operating systems.

Discovering vulnerabilities: This is the point at which you actually discover potential vulnerabilities in the hosts running the different operating systems and services found above.

   In this module we focus on the first three activities in order to perform the information gathering. The fourth activity will be covered separately in the upcoming module.

Virtual hacking lab environment

What we have in our lab is outlined as follows:

1. Ubuntu Box equipped with Nessus, NeXpose, Nmap and Metasploit
2. Vulnerable Operating System

   We have set up two vulnerable machines in our lab environment, as per the guidelines explained in the previous modules. You can install as many copies as you like, depending on the memory available on your real machine. Let's first give the lab network details so that you fully understand the layout before we start performing the information gathering activities in the lab environment.

• Ubuntu Box
• Victim Box One
• Victim Box Two
• Host Machine

Identifying live hosts

    Identifying live hosts is the first step of the information gathering phase in any network security test or ethical hacking engagement. This is how it happens. Let's first log in to the Ubuntu Box (we chose Ubuntu as our operating system because it easily supports all the required hacking tools).

    Our first step in looking for live hosts in the virtual lab environment is to have the network mapper find the live machines for us. We will run a quick ICMP-type host discovery scan to find the live hosts. To achieve this, we use the nmap tool we installed in the previous module.

   Next, follow the command shown in the snapshot below to quickly run the ICMP-type scan with nmap and find the live hosts in the lab environment.



 Command used: nmap -sn 192.168.56.0/24 -v

  The above command performs only the ICMP-type host discovery scan (-sn, no port scan) to find live hosts, and the -v switch turns on verbose mode so that we can see on screen what is happening in the background. You can see that it has found one live host so far. The scan finishes quickly. We ran it against the complete address range of the network the Ubuntu Box is connected to.


   Okay, here you go: it has picked up two more live hosts, and our result is now as follows.

  Four hosts were detected as live in the network, with the following network addresses:

192.168.56.1
192.168.56.101
192.168.56.102
192.168.56.103

  Okay, that's good, but we don't know much about these live hosts yet, such as what is running at these addresses. Any of them could be a network router or a network printer. Confirming that and giving you more information is not the job of this activity.

Discovering Operating Systems

Now, the best way to find out what is running at a network address is to check which operating system is running there. But how can we achieve this? It amounts to remotely identifying which OS version is installed on the machine. Well, this is an extremely easy job, and that is what this activity focuses on. We will again use nmap to do the job for us.

   Next, follow the command shown in the snapshots below and grab the information about the operating systems running at these addresses. While you run an OS scan on these addresses, it will also grab open-port information; however, we will cross-check this with a separate scan type, which we cover in the next activity. To save time and avoid generating much traffic, we will simply run an OS scan on one network address with one port.


  Great, we have found that the host at 192.168.56.102 is running a Linux operating system. Similarly, you should perform more scans to grab more information in your home lab.

Discovering ports and services

   Next we will run quick scans to perform thorough information gathering about the operating systems, the open ports, and the applications or services running on them. Follow the scan types shown in the snapshots below to complete gathering the information about these network addresses.

Command to be used: sudo nmap -A -v 192.168.56.101-103 (nmap's range syntax covers 192.168.56.101 through 192.168.56.103).

 
  We have run the said scan, and nmap has initialized its scan engine to do the job for us.


   It is now discovering open ports on the IP address range we provided to the scan.


   You can also notice that it has detected workgroup-level information on these addresses.

    What you have from information gathering so far: operating system information, services, open ports, workgroup-level information and much more. The blueprinting of the network has already started, and you need to put it all together to draw the blueprint of the target. This we will learn in the upcoming module. One tool did the job for us, and it is the de-facto standard for network scanning in the field of ethical hacking and penetration testing. So why did we ask you to install the other couple of tools in the virtual lab? This you will realize in the upcoming module.
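Each of the three scans above can be saved as a machine-readable report with nmap's -oX option, and parsing that report is where the blueprint of the target starts to take shape. The following Python script is an added example for this module, not code from the original post: it reads a constructed nmap-style XML sample (addresses taken from the lab range; the service names, versions and OS matches are made up for illustration) and produces an inventory of live hosts (activity 1), the best OS match per host (activity 2) and the open ports with their services (activity 3). It also lists live hosts whose OS fingerprint is missing or weak, which tells you where to rescan before drawing the blueprint. To use it on your own lab, replace SAMPLE_NMAP_XML with the contents of a real -oX file.

```python
"""Turn an nmap XML report (written with -oX) into a host inventory.
Added example for this module, not the blog's own code. SAMPLE_NMAP_XML is a
constructed report in nmap's XML shape (lab addresses, made-up services/OS)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two hosts up, one down, one filtered port that must be ignored.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -v -oX lab.xml 192.168.56.101-103">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/>
        <service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="93"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str = ""
    version: str = ""

    def label(self) -> str:
        """e.g. 'ssh OpenSSH 4.7p1'; empty fields are skipped."""
        return " ".join(p for p in (self.name, self.product, self.version) if p)


@dataclass
class Host:
    ip: str
    state: str                       # activity 1: "up" or "down"
    os_guess: Optional[str] = None   # activity 2: best osmatch name
    os_accuracy: int = 0
    open_services: List[Service] = field(default_factory=list)  # activity 3


def parse_nmap_xml(xml_text: str) -> List[Host]:
    hosts: List[Host] = []
    for h in ET.fromstring(xml_text).iter("host"):
        status, addr = h.find("status"), h.find("address[@addrtype='ipv4']")
        if status is None or addr is None:
            continue
        host = Host(ip=addr.get("addr"), state=status.get("state", "unknown"))
        # Keep only the highest-accuracy OS match nmap offered.
        for m in h.iterfind("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if host.os_guess is None or acc > host.os_accuracy:
                host.os_guess, host.os_accuracy = m.get("name"), acc
        # Record open ports only; filtered/closed ports are not hosted services.
        for p in h.iterfind("ports/port"):
            st, svc = p.find("state"), p.find("service")
            if st is None or st.get("state") != "open":
                continue
            attrs = svc.attrib if svc is not None else {}
            host.open_services.append(Service(
                port=int(p.get("portid")), proto=p.get("protocol", "tcp"),
                name=attrs.get("name", ""), product=attrs.get("product", ""),
                version=attrs.get("version", "")))
        hosts.append(host)
    return hosts


def live_hosts(hosts: List[Host]) -> List[str]:
    return [h.ip for h in hosts if h.state == "up"]


def blueprint(hosts: List[Host]) -> Dict[str, dict]:
    """Per live host: OS guess plus 'port/proto' -> service label."""
    return {h.ip: {"os": h.os_guess or "unknown",
                   "ports": {f"{s.port}/{s.proto}": s.label() for s in h.open_services}}
            for h in hosts if h.state == "up"}


def weak_os_fingerprint(hosts: List[Host], min_accuracy: int = 90) -> List[str]:
    """Live hosts with no or low-confidence OS match: candidates for a rescan."""
    return [h.ip for h in hosts if h.state == "up" and h.os_accuracy < min_accuracy]


if __name__ == "__main__":
    for ip, info in blueprint(parse_nmap_xml(SAMPLE_NMAP_XML)).items():
        print(f"{ip}  os={info['os']}")
        for port, label in info["ports"].items():
            print(f"    {port:<10} {label}")
```

Only ports in state "open" become services in the inventory; a filtered port (such as the constructed 8080/tcp entry) tells you a firewall is in the path but not what is listening, so it is left out of the blueprint rather than guessed at.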
