Lab-5: Scanning and Enumeration
The reconnaissance and information gathering methods of the previous lab were passive, meaning that they did not cause any alarm, alert, or log entry on the target systems (the franklin.edu computers). In Lab-5, you will actively scan and enumerate target systems. Active scanning sends packets to the targets, so it leaves entries in their logs and would probably trigger alerts if the targets belonged to a sensitive organization, such as a military or financial institution.
You will perform Lab-5 in the Netlab environment provided by Franklin University. Netlab is an isolated environment with no Internet connection, so none of your actions can harm you, the target systems, or anyone outside the lab.
Section-1: Scan the Network Using the nbtscan Tool
nbtscan scans a network for NetBIOS name information. It sends a NetBIOS node-status query to UDP port 137 of every address in the range and, for each host that answers, reports its NetBIOS names, whether the host runs the file server (server) service, the logged-on user name, and the MAC address. nbtscan comes with Kali Linux and is a quick way to find the active NetBIOS-capable computers on a network.
Windows machines have NetBIOS names by default. Linux/Unix computers may also have NetBIOS names if the Samba interoperability suite is installed and running. Hosts without NetBIOS or Samba do not answer the query and therefore do not appear in the nbtscan output, even if they are up.
Before scanning the network from Kali Linux, you need to know the network address.
1) Enter the Netlab environment
2) Open Kali Linux and enter the password (password: toor)
3) Open a terminal window
4) Type this command:
ifconfig
The IP address of your computer is 192.168.2.10 and the netmask is 255.255.255.0, so the network address is 192.168.2.0/24. You will use this range in your nbtscan command.
5) Run nbtscan by typing
nbtscan 192.168.2.0/24 in the terminal window. You will see the active NetBIOS-capable computers along with their IP addresses, NetBIOS names, and MAC addresses. That is an essential piece of information for a pentester and can be regarded as your initial attack surface. Keep in mind that a host that does not answer NetBIOS queries can still be alive; the Nmap host discovery in Section-2 covers that case.
Take a screenshot of the terminal window.
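To see what nbtscan actually puts on the wire, here is an added example in Python (it is not part of the lab handout and not nbtscan's own code). It builds the NetBIOS node-status query that nbtscan sends to UDP port 137, parses the reply's name table and unit ID into the columns nbtscan prints, and can be pointed at hosts of your choice. The transaction ID, the host name WIN7-PC, the workgroup, and the MAC address in the embedded sample reply are constructed for an offline demonstration, not captured from the Netlab network.

```python
"""NetBIOS node-status (NBSTAT) query: the packet nbtscan sends to UDP/137.
Added example for this lab, not nbtscan's own code or part of the handout.
Layout follows RFC 1001/1002. The sample reply is constructed by hand."""
import socket
import struct

NBNS_PORT = 137
QTYPE_NBSTAT = 0x0021      # NODE STATUS request/response
QCLASS_IN = 0x0001
# Common NetBIOS suffix bytes (the <xx> that nbtscan prints after a name).
SUFFIXES = {0x00: "Workstation/Workgroup", 0x03: "Messenger (user)",
            0x1B: "Domain Master Browser", 0x1C: "Domain Controller",
            0x1D: "Master Browser", 0x1E: "Browser Election", 0x20: "File Server"}

def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the suffix
    byte, then write each byte as two nibbles offset by 'A' (0x41).
    Returns the wire form: length byte 32, the 32 characters, a zero byte."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(encoded) + b"\x00"

def build_nbstat_query(txid: int = 0x1337) -> bytes:
    """50-byte NBSTAT request: DNS-style header plus one question for the
    wildcard name '*' (NUL padded), type NBSTAT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name("*", suffix=0x00, pad=b"\x00")
    return header + question + struct.pack(">HH", QTYPE_NBSTAT, QCLASS_IN)

def parse_nbstat_response(data: bytes) -> dict:
    """Parse a NODE STATUS RESPONSE into its name table and the unit ID
    (the MAC address that nbtscan shows in its last column)."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not (flags & 0x8000) or an < 1:
        raise ValueError("not a NetBIOS response carrying an answer")
    off = 12
    while data[off] != 0:           # skip the answer name (length-prefixed labels)
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != QTYPE_NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):      # 18-byte entries: 15 name, 1 suffix, 2 flags
        raw, suffix = data[off:off + 15], data[off + 15]
        (name_flags,) = struct.unpack_from(">H", data, off + 16)
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "service": SUFFIXES.get(suffix, "unknown"),
                      "group": bool(name_flags & 0x8000)})   # G bit: group name
        off += 18
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])    # STATISTICS.UNIT_ID
    return {"names": names, "mac": mac}

def summarize(ip: str, parsed: dict) -> dict:
    """Reduce a name table to the columns nbtscan prints."""
    names = parsed["names"]
    unique00 = [n["name"] for n in names if n["suffix"] == 0x00 and not n["group"]]
    group00 = [n["name"] for n in names if n["suffix"] == 0x00 and n["group"]]
    return {"ip": ip, "netbios_name": unique00[0] if unique00 else None,
            "workgroup": group00[0] if group00 else None,
            "file_server": any(n["suffix"] == 0x20 and not n["group"] for n in names),
            "mac": parsed["mac"]}

def nbstat_query(ip: str, timeout: float = 1.0):
    """Query one host. None means no answer: no NetBIOS/Samba, or filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_nbstat_query(), (ip, NBNS_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return summarize(ip, parse_nbstat_response(data))

def constructed_sample_response(txid: int = 0x1337) -> bytes:
    """Hand-built reply (constructed, not captured): workstation WIN7-PC in
    workgroup WORKGROUP, server service running, MAC 08:00:27:1a:2b:3c."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    entries = [(b"WIN7-PC", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"WIN7-PC", 0x20, 0x0400), (b"WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, name_flags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", name_flags)
    rdata += bytes.fromhex("0800271a2b3c") + b"\x00" * 40       # unit ID + statistics
    rr = encode_netbios_name("*", pad=b"\x00")
    rr += struct.pack(">HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata))
    return header + rr + rdata

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:       # e.g. python3 nbstat.py 192.168.2.13 192.168.2.14
        print(nbstat_query(host))
    if len(sys.argv) == 1:          # offline demo on the constructed packet
        print(summarize("192.168.2.13", parse_nbstat_response(constructed_sample_response())))
```

Run it with no arguments to see the constructed reply decoded; run it with the Netlab addresses as arguments to query the real hosts. Hosts that return None are exactly the ones nbtscan would not list, which is why a second discovery method is needed before you call the host list complete.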
Section-2: Scan the Network by Using Nmap
You will perform another network scan using a more versatile tool called Nmap. Nmap is one of the Swiss Army knives of pen-testers. It is a free and open-source tool and comes with Kali Linux. Nmap has many scanning options; through its scripting engine (NSE) it can even perform vulnerability checks in addition to network and host scanning. In this lab, you will first use Nmap's network/host scanning features, and then you will perform vulnerability scanning with Nmap.
1) Type in
nmap 192.168.2.0/24 -n -sn in the terminal window.
Take a screenshot of the terminal window.
2) Type in
man nmap in the terminal window to see the manual page of the Nmap tool. Find out why you used the -n and -sn options.
Section-3: Perform a Port Scan Against a Host
In the previous section, you scanned the network using Nmap to find live hosts. In this section, you will scan a specific host for open ports.
1) Type in
nmap 192.168.2.14 -n in the terminal window. Without a -p option, Nmap scans its default list of the 1000 most common TCP ports.
Take a screenshot of the terminal window.
192.168.2.14 is the Metasploitable machine, an intentionally vulnerable Linux machine used for training purposes, and it has many open ports. As the pentester, you determined your initial attack surface using the nbtscan and nmap tools: the active computers on the network. The list of open ports on the Metasploitable computer is a second attack surface, specific to that host. An open port is one of the most valuable attack surfaces, because an attacker can attack a computer through an open port in many ways, such as:
a) by flooding the port, such as a SYN flood against port 80,
b) by exploiting the service behind the port, such as an SQL injection attack against a web application listening on port 443,
c) by brute-forcing the login forms the service exposes,
d) by using default usernames and passwords, such as logging in to a wireless modem's management interface with the default credentials admin/admin.
Section-4: Scanning for Top 1000 Ports
The top 1000 ports are the 1000 ports that Nmap's frequency data (its nmap-services file) lists as the most commonly open on networked applications and services. They are also what Nmap scans when you give no port option, so the scan below covers the same ports as Section-3. In this section, you will scan the same target (Metasploitable) for the top 1000 ports, this time showing only the open ones and then identifying the services behind them.
1) Type in
nmap 192.168.2.14 -n --top-ports 1000 --open in the terminal window.
The --open switch shows only the open ports on the target machine.
2) Now, type in the command with an extra switch, -sV:
nmap 192.168.2.14 -n --top-ports 1000 --open -sV
The -sV switch fingerprints the service running on each open port: Nmap connects to the port, sends probes, and matches the replies (banners) against its signature database to report the product and version. This takes longer than a plain port scan and is noisier, because Nmap talks to every open service.
Take a screenshot of the terminal window.
Section-5: OS (Operating System) Detection by Using Nmap
One of Nmap's features is remote OS detection using TCP/IP stack fingerprinting: Nmap sends a series of crafted packets to open and closed ports and compares the responses (TCP options, window sizes, IP ID behaviour, and so on) with its fingerprint database. It needs raw packet access, so run it as root. In this lab, you will detect the operating systems of the live hosts in the 192.168.2.0/24 network.
1) Type in
nmap 192.168.2.0/24 -n -O --osscan-guess
Note that the "O" must be uppercase. The --osscan-guess option makes Nmap print its best guess even when no fingerprint matches perfectly, so treat the result as an estimate; the accuracy percentage tells you how close the match was.
Notice the operating system info in the command output.
Find the command output showing the operating system of 192.168.2.12 and
Take a screenshot of the terminal window.
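As an added example for Sections 3 to 5 (not part of the handout and not Nmap's own code), the following Python script reads Nmap's XML output, written with the -oX option, and reduces it to the per-host attack surface discussed above: live hosts, their MAC addresses, the best OS match with its accuracy, and the open ports with the service versions that -sV identified. The XML embedded in it is constructed to match the shape Nmap emits; the addresses, product names, and OS match in it are placeholders, not the Netlab results.

```python
"""Turn Nmap XML output (-oX) into a per-host attack surface list.
Added example for Sections 3-5 of this lab; not part of Nmap or the handout.
SAMPLE_XML is constructed by hand in Nmap's format; its values are placeholders."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -sV -O -oX scan.xml 192.168.2.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.2.14" addrtype="ipv4"/>
    <address addr="08:00:27:aa:bb:cc" addrtype="mac"/>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered" reason="no-response"/>
        <service name="smtp" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.9 - 2.6.33" accuracy="96"/>
      <osmatch name="Linux 2.6.17 - 2.6.36" accuracy="90"/>
    </os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.2.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per live host: ip, mac, best OS guess, open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                        # down hosts carry no attack surface
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                    # same filter as --open
            svc = port.find("service")
            product = [svc.get("product"), svc.get("version")] if svc is not None else []
            ports.append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "version": " ".join(p for p in product if p),
                # method="probed": -sV really talked to the service;
                # method="table": only the nmap-services port-number guess
                "probed": svc is not None and svc.get("method") == "probed",
            })
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", 0)), default=None)
        hosts.append({
            "ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
            "os": best.get("name") if best is not None else None,
            "os_accuracy": int(best.get("accuracy")) if best is not None else None,
            "open_ports": ports,
        })
    return hosts

def attack_surface(hosts: list) -> list:
    """One line per host: OS guess, open-port count, and versioned services."""
    lines = []
    for h in hosts:
        svcs = ", ".join(f"{p['port']}/{p['proto']} {p['service']} {p['version']}".strip()
                         for p in h["open_ports"])
        lines.append(f"{h['ip']} ({h['os'] or 'OS unknown'}): "
                     f"{len(h['open_ports'])} open: {svcs}")
    return lines

if __name__ == "__main__":
    import sys                              # python3 surface.py scan.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(attack_surface(parse_nmap_xml(text))))
```

Re-run the Section-4 and Section-5 scans with -oX scan.xml added and feed the file to the script to get the same summary for the real hosts. The probed flag is worth keeping: a version that came from Nmap's port-number table rather than an actual probe is only a guess about what usually listens there.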
Section-6: Vulnerability Scanning by Using Nmap
Now it is time to perform vulnerability scanning using Nmap. The first vulnerability to check for is an FTP service with anonymous login enabled.
In Sections 3 and 4, you found that 192.168.2.14 (Metasploitable) has an FTP service enabled. Let's check whether it allows anonymous login. Anonymous login is a common feature of FTP services, and when it is enabled anyone can read (and sometimes write) the files the server shares.
1) Type in
nmap 192.168.2.14 -n --script ftp-anon -p 21 in the terminal window.
In this command, you use Nmap scripts, a powerful and flexible feature of Nmap. The Nmap Scripting Engine (NSE) lets security researchers write scripts that perform particular tasks, such as detecting FTP services (port 21) with anonymous login enabled. Here you used the anonymous FTP login detection script, ftp-anon, which logs in as "anonymous" and reports whether the server accepts it.
Now you will use another set of Nmap scripts to detect SMB vulnerabilities. SMB is a standard protocol used by the Windows operating system to share files and printers among computers. You will check another host (192.168.2.13) for SMB protocol vulnerabilities. 192.168.2.13 is a Windows computer; in Section-5, you detected the operating system of this host remotely as Windows 7.
2) Type in
nmap 192.168.2.13 -n --script smb-vuln* -p 445
In this example, you used a wildcard: smb-vuln* selects every script whose name starts with "smb-vuln". If a file in your current directory happens to match the pattern, the shell expands the * before Nmap sees it, so the safe habit is to quote it (--script "smb-vuln*"). Some of the smb-vuln scripts are in the intrusive category and can crash the target's SMB service; that is acceptable in the isolated Netlab, but on a real engagement check each script's category before running it.
Take a screenshot of the terminal window.
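The ftp-anon check is a short FTP conversation. As an added example (not Nmap's NSE code and not part of the handout), the Python below performs that conversation itself: it reads the banner, sends USER anonymous and a PASS with an e-mail-style password, and reports whether the server answers 230. It handles multi-line replies, which is where naive checks break, and includes a constructed fake server (FakeFtpServer, with made-up banner text) so the exchange can be run offline; check_host at the end is the network version you would point at 192.168.2.14.

```python
"""Anonymous-FTP login check, the conversation behind Nmap's ftp-anon script.
Added example for this lab; not Nmap's NSE code and not part of the handout.
FakeFtpServer is constructed so the exchange can be run offline."""
import socket

def read_reply(rfile) -> tuple:
    """Read one FTP reply (RFC 959), including multi-line replies that start
    with "nnn-" and end with a line starting "nnn ". Returns (code, text)."""
    line = rfile.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    line = line.decode("ascii", "replace").rstrip("\r\n")
    code = line[:3]
    if not code.isdigit():
        raise ValueError(f"malformed reply: {line!r}")
    text = [line[4:]]
    if line[3:4] == "-":
        while True:                     # keep reading until the "nnn " terminator
            nxt = rfile.readline()
            if not nxt:
                raise ConnectionError("EOF inside a multi-line reply")
            nxt = nxt.decode("ascii", "replace").rstrip("\r\n")
            text.append(nxt)
            if nxt.startswith(code + " "):
                break
    return int(code), "\n".join(text)

def send(wfile, command: bytes) -> None:
    wfile.write(command + b"\r\n")
    wfile.flush()

def ftp_anonymous_login(rfile, wfile, user=b"anonymous", password=b"IEUser@") -> dict:
    """Drive USER/PASS over an open connection. 'anonymous' is True only if
    the server replies 230 (logged in); every other path is a refusal."""
    code, banner = read_reply(rfile)
    if code != 220:
        return {"banner": banner, "anonymous": False, "reason": f"banner code {code}"}
    send(wfile, b"USER " + user)
    code, text = read_reply(rfile)
    if code == 230:                     # some servers need no password at all
        return {"banner": banner, "anonymous": True, "reason": text}
    if code != 331:                     # 530 here means anonymous is disabled
        return {"banner": banner, "anonymous": False, "reason": text}
    send(wfile, b"PASS " + password)    # RFC 1635 convention: an e-mail address
    code, text = read_reply(rfile)
    send(wfile, b"QUIT")
    return {"banner": banner, "anonymous": code == 230, "reason": text}

def check_host(ip: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Network version, e.g. check_host("192.168.2.14") from the Kali box."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        with s.makefile("rb") as rfile, s.makefile("wb") as wfile:
            return ftp_anonymous_login(rfile, wfile)

class FakeFtpServer:
    """Constructed stand-in for a server (not a real FTP implementation).
    Acts as both rfile and wfile; allow_anon picks the 230 or 530 path."""

    def __init__(self, allow_anon: bool):
        self.allow_anon = allow_anon
        self.sent = []                  # commands the client wrote, in order
        self.pending = b"220-Welcome to the lab FTP server.\r\n220 Ready.\r\n"

    def readline(self) -> bytes:
        line, sep, self.pending = self.pending.partition(b"\n")
        return line + sep               # b"" when nothing is left, like a closed socket

    def write(self, data: bytes) -> None:
        self.sent.append(data)
        if data.startswith(b"USER"):
            self.pending += b"331 Please specify the password.\r\n"
        elif data.startswith(b"PASS"):
            self.pending += (b"230 Login successful.\r\n" if self.allow_anon
                             else b"530 Login incorrect.\r\n")
        elif data.startswith(b"QUIT"):
            self.pending += b"221 Goodbye.\r\n"

    def flush(self) -> None:
        pass

if __name__ == "__main__":
    import sys                          # python3 ftpanon.py 192.168.2.14
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:
        srv = FakeFtpServer(allow_anon=True)
        print(ftp_anonymous_login(srv, srv))
```

Compare the result with the ftp-anon output from step 1: the script reports the same 230 decision, plus a directory listing if the server allows it. When you write your own checks, keep the multi-line reply handling; servers with long welcome banners are exactly the ones where a line-by-line check reads the wrong code.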
Weekly Learning and Reflection
In two to three paragraphs (i.e., sentences, not bullet lists), using APA style citations if needed, summarize and interact with the content covered in this lab. Summarize what you did as an attacker, which vulnerabilities you found or exploited, and what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, or graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also about what you learned through the session. You can ask questions about the things you are confused about. Questions asked here will be summarized and answered anonymously in the next class.