Sunday, November 2, 2014

Network Recon Lab


From the SANS Institute:

This lab focuses on the practical application of the techniques discussed in the Cyber-Recon lecture. Your class will be split into a Gold team and a Blue team, and each team will gather as much information as possible about the security posture of the opposite team. The purpose of this task is, of course, to prepare you for the inevitable cyber attack against your opponent that follows next week.

Reconnaissance Intro

  • Virtual OS. The virtual machines you will use in the next three labs run an operating system called BackTrack Linux, a variant of the Linux family of operating systems. BackTrack, and its successor Kali Linux, are used both by the good guys, called "penetration testers" or "pen-testers" for short, and by the bad guys. They contain an arsenal of cyber recon and attack tools. Use them only on controlled systems where you have permission, and never to attack a real-world system.
  • Shell Commands. Like the Windows command prompt, the UNIX shell is your interface to the operating system. Some commands are the same, some are very similar, and some are very different. A list of useful commands and their Windows command equivalent (if applicable) is provided in the adjacent note. Keep in mind: UNIX commands are case sensitive!
    Useful UNIX Commands
    UNIX Command    Windows Equivalent
    ls              dir
    pwd             cd (with no arguments)
    cd path         cd path
    cat             type
    ping            ping
    ifconfig        ipconfig
    nslookup        nslookup
    traceroute      tracert
    nmap            n/a
    nc              nc
    A more complete reference can be found here.

Reconnaissance Activity

Using the guidance below, gather as much information as possible about your opponent's network, in the given time. Record what you find on your worksheet!

Your Objective


You are provided the following information (some of it you should record on your worksheet!):
Publicly Available Information
                 blue.net        gold.net
    IP block:    1.1.1.1-255     2.2.2.1-255
    DNS Server:  1.1.1.64        2.2.2.187
You will be trying to obtain the following information:
  • Your host IP Address and its domain name
  • A list of IP Addresses and hostnames for key hosts on your network.
  • A list of target host IP Addresses and their domain names
  • For each target host:
    • a list of open ports and the service running on them
    • name and version information for each running service
    • operating system name and version
⇦ Fill in front of worksheet
  • A network map showing all routers between you and your opponent.
  • A list of usernames and potential passwords
  • A concentric circle diagram of the target network
⇦ Draw on back of worksheet

Note: Be sure you have used ifconfig to get your own host IP Address (look for "inet addr" next to the eth0 output) and use nslookup to determine your host domain name and your team's web server and name server domain names/IP Addresses. Record the information on the top of your worksheet where your name and alpha are located.

Network Barrier Exploration


  • Note: if you are on the Blue team, you will recon the Gold network. In the examples below, substitute "gold" where you see "blue". Do not include the < and > symbols in your commands!
  • Obtain an IP Address on the target network.
    nslookup www.blue.net
    Put this information in the table on your worksheet for www.blue.net (or www.gold.net).
  • Find a route to the target network. Use traceroute to determine all of the routers between you and your target's web server, www.blue.net. Enter the following command in the terminal:
    traceroute -n www.blue.net
    The router one hop before the target is typically the target network's gateway router; if there is a firewall controlling access to the target network, this is usually where it sits. If the final hops show only "* * *", the target (or its gateway) is not answering traceroute probes, and you will have to infer the gateway from the last hop that did respond.
    Record the IP Address of all the routers along your route, including the one that appears to be the target's gateway in the circles on the circle diagram side of your worksheet ("Label with router IP Addresses" section).
    NOTE 1: the -n option means no name resolution, just IP's. It's faster that way.
    NOTE 2: Additional information about traceroute is located here.
  • Ping the web server. Use ping to verify that www.blue.net is alive and responds to ping requests. This is an important check on the ACL rules of the firewall, if one is present. If you receive a reply from the target, you know that ICMP echo requests and replies are not filtered by the firewall. If you receive no reply, do not conclude that the host is down: a firewall can drop ICMP while still allowing TCP connections to ports such as 80 or 22, which is why the port scans in the next section matter.
    ping www.blue.net

Map the Target Network


  • Scan for Hosts. Now that you have an IP Address on the target network, take a guess at the range of IP Addresses that share the network. A common subnet mask is 255.255.255.0, which gives host addresses in the range x.x.x.1-255, where x.x.x (the "network prefix") is common to all hosts.
    nmap -sn x.x.x.1-255
    Take a look at the output. For our reconnaissance lab, we're going to disregard the addresses in the range x.x.x.101-111, since those are the student workstations.
  • Note the Hosts. Jot down the IP Addresses of all the hosts, other than those ending in .101 - .111, as noted above. You can also omit the .1 address for this lab, since the x.x.x.1 address is often the IP Address of the gateway router, by convention. You should see three other hosts; write their IP Addresses on your worksheet.
  • Do a Port Scan. To get an initial take on what type of services might be running, scan the commonly-used ports on each of the hosts (by default nmap probes its 1,000 most common TCP ports; -sS is a SYN scan, which requires root, and on BackTrack you are root).
    nmap -sS x.x.x.a,b,c
    where a, b, and c are the last portions of the IP Addresses for the hosts you found. What open ports are there? What services appear to be running? Write these down on your worksheet. You can use this table of familiar services for those services that have a more common protocol/name you have seen before, instead of giving the obscure name nmap reports.

    Service                              Protocol  Port  TCP/UDP   Tools
    World Wide Web                       HTTP      80    TCP       browsers
    Name Resolution                      DNS       53    UDP/TCP   nslookup
    File Transfer                        FTP       21    TCP       ftp
    Secure Remote Shell                  SSH       22    TCP       ssh
    Simple Mail Transfer Protocol        SMTP      25    TCP       email clients
    Post Office Protocol Version 3       POP3      110   TCP       email clients
    Secure Web                           HTTPS     443   TCP       browsers
    Remote Desktop (microsoft-rdp)       RDP       3389  TCP       rdesktop
    File/Print Sharing (microsoft-ds)    SMB       445   TCP       map network drive
    Internet Relay Chat                  IRC       6667  TCP       xchat

    (DNS normally answers over UDP, but also listens on TCP 53 for zone transfers and large replies, which is why a TCP SYN scan can still reveal a name server.)


  • Find Some Names. Since one of the hosts appears to be a name server (running the DNS service on port 53!), and we actually already knew that name server's IP Address (given at the start of the lab in the publicly available information), let's take advantage of that by sending it some queries! Recall that we can specify the IP Address we want to look up, and the IP Address of the name server to query, as follows:
    nslookup <IP Address to look up> <name server IP Address>
    For example:
    nslookup 5.5.5.22 5.5.5.17
    This will lookup the IP Address 5.5.5.22 using the name server with IP 5.5.5.17.
    For each of the three IP Addresses you found, perform this type of query. In one instance, of course, you'll be asking the name server for its own name! Record the domain names.
  • Find Service Names and Versions.
    nmap -sV x.x.x.a,b,c
    Note: the version string nmap reports for the http (web) service not only names the server program (Apache is the well-known one) but often also hints at the operating system it was built for. Ubuntu is a widely used Linux distribution, Win32 marks a 32-bit Windows build, and Microsoft IIS is the Internet Information Services web server that ships with Windows Server (and as an optional component of desktop Windows).
  • Attempt to Determine OS Versions. Note the command option is the letter O, not the number zero.
    nmap -O x.x.x.a,b,c
    Note: OS detection will not always be possible (nmap needs at least one open and one closed TCP port on the target to fingerprint it reliably), and even when it is, the guess may be wrong. Record the OS detection results to compare with the other indications you find (the versions of the service software from the -sV scan), but never accept them alone as fact. If given multiple candidate OS versions, use the software running on the host as a clue to narrow down which operating system it is likely to be running.
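    The host sweep, the host filtering, the reverse lookups and the three follow-up scans above are one pipeline, and the part that is easiest to get wrong is copying the right addresses from one step into the next. The following is an added example, not part of the original lab, that reads nmap's grepable (`-oG -`) ping-sweep output, drops the .1 and .101-.111 addresses as the lab instructs, and builds nmap's `x.x.x.a,b,c` target shorthand for the -sS, -sV and -O scans and the reverse lookups. The sweep output and every address in it are constructed for the example; the 1.1.1.64 name server is the value from the lab hand-out.

```shell
#!/bin/sh
# Added example: from an nmap ping sweep to the list of hosts to port-scan.

# Constructed sample of `nmap -sn -oG - 1.1.1.1-255` grepable output, not a
# capture from the lab network. .101 and .105 stand in for student workstations.
SAMPLE_SWEEP='# Nmap 6.47 scan initiated as: nmap -sn -oG - 1.1.1.1-255
Host: 1.1.1.1 ()    Status: Up
Host: 1.1.1.64 ()   Status: Up
Host: 1.1.1.80 ()   Status: Up
Host: 1.1.1.101 ()  Status: Up
Host: 1.1.1.105 ()  Status: Up
Host: 1.1.1.150 ()  Status: Up
# Nmap done -- 255 IP addresses (6 hosts up) scanned in 3.21 seconds'

# Live hosts worth recording: drop .1 (conventionally the gateway) and
# .101-.111 (the student workstations), as the lab instructs.
candidate_hosts() {
    printf '%s\n' "$1" | awk '
        $1 == "Host:" && /Status: Up/ {
            split($2, o, ".")
            last = o[4] + 0
            if (last != 1 && (last < 101 || last > 111)) print $2
        }'
}

# Collapse the host list into the x.x.x.a,b,c shorthand that nmap accepts.
nmap_target_list() {
    candidate_hosts "$1" | awk -F. '
        NR == 1 { prefix = $1 "." $2 "." $3; list = $4; next }
        { list = list "," $4 }
        END { if (NR) print prefix "." list }'
}

# The three follow-up scans from the lab against that list. Needs network
# and root: the SYN scan and OS detection use raw sockets.
scan_targets() {
    targets=$(nmap_target_list "$1")
    nmap -sS "$targets"   # which of the default top ports are open
    nmap -sV "$targets"   # probe open ports for service name and version
    nmap -O  "$targets"   # OS fingerprint (letter O); wants an open and a closed port
}

# Reverse lookups against the target network's own name server
# (1.1.1.64 for blue.net per the hand-out). Needs network.
reverse_lookups() {
    candidate_hosts "$1" | while read -r ip; do
        nslookup "$ip" "$2"
    done
}

# Demo on the constructed sample (no network needed):
candidate_hosts "$SAMPLE_SWEEP"
echo "nmap targets: $(nmap_target_list "$SAMPLE_SWEEP")"
# Live use: sweep=$(nmap -sn -oG - 1.1.1.1-255); scan_targets "$sweep"; reverse_lookups "$sweep" 1.1.1.64
```

    Keep the raw sweep output rather than retyping addresses; the filter rules live in one place (candidate_hosts), so if the lab's "ignore" ranges change you edit one line and every later step follows.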

Host Barrier Exploration


  • Web Server Host.
    • Explore a Known Service. We know www.blue.net is running http service because we were able to open a web page from it. This tells us that port 80 is open on the target host and destination port 80 is not filtered by the firewall, if present. Port 80 should go on a list of potential entry points. To gain some clue as to which web server is running on www.blue.net (so we can research its vulnerabilities later), connect to it using netcat.
      nc -v <IP Address here> 80
      Once connected, request an http document by typing the following:
      GET / HTTP/1.0 ⇦ enter
      ⇦ enter
      
      You have to be quick with your GET request, because the server will close an idle connection. Search the response near the top for the line beginning with "Server:" to see the web server family name and version. This is known as "banner grabbing", and it can be attempted on any port to gain information about a service. It will not always yield anything useful, but it is always worth trying. You can also read through the raw HTML to see if there is anything of interest on that page. Make a note of it in the box on the back of your worksheet for recording web page clues.
  • All Three Hosts (Web Server, Name Server, and "Workstation"): Probe for Other Common Services. Probe other ports to find further potential infiltration points on each target host and to learn more about the firewall rules, if a firewall is present. Some examples follow.
    If a connection is made, typing help usually gets some sort of response from the service.
    • Test for ssh:
      ssh x.x.x.x

      Note: when you ssh to a host without giving a username, ssh uses your current local username. On BackTrack you are working as root, so that means you are trying to log in as root on the target, and you would need root's password. Use user@x.x.x.x to try a different account.
    • Test for smtp (e-mail):
      nc -v x.x.x.x 25
      If you get connected, you should see the following message:
      220 mail.xxx.net ESMTP Postfix (Ubuntu)
      Enter quit to terminate the connection as shown below.
      220 mail.xxx.net ESMTP Postfix (Ubuntu)
      quit ⇦ enter
    • Test for FTP (file transfer protocol):
      nc -v x.x.x.x 21
      or
      ftp x.x.x.x
      ('exit' to quit)
    • Test for RDP (remote desktop):
      nc -v x.x.x.x 3389
      or
      rdesktop x.x.x.x
    • On your worksheet, note all the services that appear to be running, and how you accessed them.
    Some additional information about using the nmap command can be found here.
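    The netcat steps above (the HTTP GET that has to be typed before the server gives up, and the greeting-style probes for SMTP, FTP and RDP) are easier to repeat if the request is piped in and a timeout is set. The following is an added example, not part of the original lab: shell functions that grab an HTTP banner in one shot, collect the greeting from services that speak first, check the lab's familiar ports, and pull the Server header out of a response. The `-v`, `-w` and `-z` options are standard netcat options; the HTTP response used for the demo is constructed and is not a capture from blue.net.

```shell
#!/bin/sh
# Added example: banner grabbing with nc, plus extracting the Server header.

# Send the whole request over the pipe so there is no race against the
# server's idle timeout; -w 5 caps connect and idle-read time so a silent
# port cannot hang the shell. HTTP/1.0 needs no Host header, but sending one
# selects the right site on a shared web server. Needs network.
http_banner() {
    # $1 host or IP, $2 port (80 if omitted)
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" | nc -v -w 5 "$1" "${2:-80}" 2>&1
}

# Services that speak first (FTP 21, SSH 22, SMTP 25, POP3 110) identify
# themselves in their greeting; QUIT just closes the session. Needs network.
greeting_banner() {
    printf 'QUIT\r\n' | nc -v -w 5 "$1" "$2" 2>&1
}

# Quick open/closed check of the ports from the lab's table (-z: connect only,
# send nothing). Needs network.
probe_common_ports() {
    for port in 21 22 25 53 80 110 443 445 3389 6667; do
        nc -z -v -w 2 "$1" "$port" 2>&1
    done
}

# Extract the Server header from an HTTP response read on stdin. Header
# names are case-insensitive, and parsing stops at the blank line that ends
# the headers, so a "Server:" string in the HTML body is never mistaken for
# the header. Prints "none" if the header is absent.
server_header() {
    awk '
        { sub(/\r$/, "") }
        NF == 0 { exit }
        tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) print "none" }'
}

# Constructed HTTP response (not captured from the lab) for the demo.
SAMPLE_HTTP='HTTP/1.1 200 OK
Date: Sun, 02 Nov 2014 15:04:05 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Type: text/html

<html><body>Server: not the header</body></html>'

# Demo (no network needed):
printf '%s\n' "$SAMPLE_HTTP" | server_header
# Live use: http_banner www.blue.net | server_header
#           greeting_banner x.x.x.x 25
#           probe_common_ports x.x.x.x
```

    Note that an absent or generic Server header is itself a clue: a server that has been hardened to hide its version is a different target from one that advertises it, and the -sV scan above may still identify it from other behaviour.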

Website Reconnaissance

  • Visit your opponent's website (two pages)! Recall that passive reconnaissance includes browsing your target's network as a normal user would. Information on your target's website can be used to identify potential vulnerabilities to further explore during the infiltration phase. Don't forget to view each page's source code for hidden nuggets!
  • Look for personal info. Personal information about users can be gathered from public web pages and is vital information for a variety of attacks (password attacks, social engineering).
  • Test input forms for proper filtering, by trying HTML and Javascript input.
  • Versions on the "non-Virtual" Web Site. In case you do not complete the website reconnaissance in class, links to mirrors of the websites for blue.net and gold.net are provided below. Note: the mirrors are static pages only. You will be unable to access the virtual machine environment outside of class.
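    Viewing a page's source for hidden nuggets, collecting personal information, and finding the input forms to test are the three things the list above asks for. The following is an added example, not part of the original lab, that does those three things against a saved copy of a page with grep and sed. The page it runs on is constructed for the example (the comments, names, addresses and form paths in it are invented and are not taken from blue.net or gold.net); to use it for real, fetch the target's page and pass the result to the same functions.

```shell
#!/bin/sh
# Added example: mine a saved web page for the clues the lab asks about.

# Constructed page, not a mirror of either team's site.
SAMPLE_PAGE='<html><head><title>Blue Team Home</title></head>
<body>
<!-- staging copy lives on dev.blue.net, ask jsmith before editing -->
<p>Contact: webmaster@blue.net or J. Smith (jsmith@blue.net)</p>
<form action="/guestbook.php" method="post"><input name="comment"></form>
<form action="/login.php" method="post"><input name="user"><input name="pass"></form>
<!-- TODO: re-enable input filtering on guestbook -->
</body></html>'

# Single-line HTML comments: developers leave hostnames, names and TODOs here.
html_comments() {
    printf '%s\n' "$1" | grep -o '<!--.*-->'
}

# E-mail addresses, deduplicated: the local part is usually a login name,
# which is exactly what the "usernames and potential passwords" list needs.
email_addresses() {
    printf '%s\n' "$1" | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | sort -u
}

# Form targets: the URLs user input is posted to, i.e. where to test whether
# HTML and JavaScript input is filtered.
form_targets() {
    printf '%s\n' "$1" | grep -o '<form[^>]*action="[^"]*"' | sed 's/.*action="\([^"]*\)".*/\1/'
}

# Live use (needs network): page=$(fetch_page http://www.blue.net/) and then
# pass "$page" to the three functions above.
fetch_page() {
    curl -sL "$1"
}

# Demo on the constructed page:
html_comments "$SAMPLE_PAGE"
email_addresses "$SAMPLE_PAGE"
form_targets "$SAMPLE_PAGE"
```

    Comments that span several lines are not caught by the single-line grep; for a real page, open the source in a browser as well, which is what the lab already asks you to do.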

Summary

By the end of the lab, you should have drawn a "concentric circles" target diagram of your opponent's network, like the one shown in the Cyber Reconnaissance lecture.


Ref: http://www.usna.edu/CS/si110/lec/l38/lec.html
