CYBER THREAT RESPONSE CLINIC
MODULE: CORE 03 – Target Reconnaissance: Gathering Information about Vulnerabilities for a Future Attack
Lab Guide: Module 3
Discovery, also called reconnaissance, is the first step of almost every cyber-attack you will experience. This is when the attacker learns everything they can about a target so they can develop the quickest and most effective method of achieving their goal. It is important to understand that the easier it is for an attacker to learn about you, the more likely they are to identify a method to breach your defenses. This is why it is highly recommended to implement controls that obscure which resources you are using, so that you do not expose too much information to potential threats.
This module sets the stage for all other modules, since information obtained from reconnaissance can lead to various forms of attack depending on how the target is found to be vulnerable. Students will perform a simple port scan and vulnerability scan to represent one of the many methods by which real target research is performed. Real-world research would take much more time and involve various methods to learn as much as the attacker can obtain about the potential target.
Other methods used in the real world to gather data on a target include researching social media to learn about the employees, corporate websites to learn about the business, hiring sites to identify technology and people, scanning technology to find vulnerabilities, and so on.
Outcome
At the end of this module, you will have a basic understanding of how attackers research
targets to prepare for future attacks. You will have an introduction to how to scan a target for
open ports using the Nmap port scanner as well as how to evaluate a target for vulnerabilities
using the Nexpose vulnerability scanner.
This is your first lab as the attacker!
©Cisco Systems 2017 Cyber Threat Response 2.0 Clinic 3-2
Lab Resources
Resource 1: Kali Linux 2.0 (includes Nmap with default installation)
Resource 2: Ubuntu Server hosting Rapid7 Nexpose
Reconnaissance using NMAP
Nmap is an open source network mapping and auditing tool.
Example syntax for a TCP connect scan of a single host over IPv4:
$ nmap -sT <IP address>
Nmap features include:
• Host discovery – Identifying hosts on a network.
• Port scanning – Enumerating the open ports on target hosts.
• Version detection – Interrogating network services on remote devices to determine
application name and version number.
• OS detection – Determining the operating system and hardware characteristics of
network devices.
• Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua
programming language.
Different scan techniques are available in Nmap; the option selects the technique:
• -sS TCP SYN
• -sT Connect()
• -sA ACK
• -sW Window
• -sM Maimon
• -sU UDP scan
• -sN TCP Null
• -sF FIN
• -sX Xmas
• -sO IP protocol scan
SYN scanning (-sS, Nmap's default when run as root) determines the state of a TCP port without completing a full connection: Nmap sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST. Because it crafts raw packets it requires root (raw-socket) privileges. The connect scan (-sT) used in this lab needs no special privileges, but it completes a full three-way handshake on every open port, so the target application sees, and can log, each probe.
For more information on NMAP scans see https://nmap.org/book/man-port-scanning-techniques.html
NMAP cheat sheet: https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.0.pdf
Note: See the NMAP cheat sheet link above for less noisy methods to perform similar scans while helping to avoid detection.
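To make the difference between a connect scan and a SYN scan concrete, the following Python script is an added example for this guide (it is not Cisco's lab code and not part of Nmap). It implements a bare-bones TCP connect scan with the same connect() call that nmap -sT uses, classifies each port as open, closed or filtered from the result, and runs it against a throwaway listener on 127.0.0.1 that logs every accepted connection, which is exactly why a connect scan is visible to the target service. The listener, the port numbers (chosen by the OS at run time) and the demo() wrapper are all constructed for the demonstration.

```python
"""Bare-bones TCP connect scan, the mechanism behind `nmap -sT`.

Added example for this lab guide (not Cisco's or Nmap's code). Everything
here runs against a throwaway listener on 127.0.0.1, so no lab network is
needed. Port numbers are assigned by the OS when the script runs.
"""
import errno
import socket
import threading
import time
from typing import Dict, Iterable, List, Tuple


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port with a full connect() and return {port: state}.

    open     - connect() succeeded: the target answered SYN/ACK and the
               three-way handshake completed (the service sees a connection)
    closed   - connection refused: the target answered with RST
    filtered - no usable answer within the timeout (typically a firewall
               silently dropping the probe), or another network error
    """
    states: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))  # returns errno instead of raising
            if rc == 0:
                states[port] = "open"
            elif rc == errno.ECONNREFUSED:
                states[port] = "closed"
            else:
                states[port] = "filtered"
    return states


class LoggingListener:
    """Stand-in for the target service (constructed for the demo).

    Accepts connections on an OS-chosen port and records every peer address,
    which is what a defender would see in the service or firewall log.
    """

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))              # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)              # lets the accept loop notice shutdown
        self.port: int = self.sock.getsockname()[1]
        self.seen: List[Tuple[str, int]] = []  # one entry per completed handshake
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                    # socket closed underneath us
                return
            self.seen.append(peer)
            conn.close()

    def close(self) -> None:
        self._stop = True
        self._thread.join()
        self.sock.close()


def free_port(host: str = "127.0.0.1") -> int:
    """Bind port 0, read the assigned number, release it: almost certainly closed now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo(host: str = "127.0.0.1") -> dict:
    """Scan one open and one closed port on the local listener and report what it logged."""
    target = LoggingListener(host)
    try:
        closed = free_port(host)
        states = connect_scan(host, [target.port, closed], timeout=0.5)
        # The kernel completes the handshake before accept() runs, so give the
        # listener thread a moment to record the connection it received.
        for _ in range(50):
            if target.seen:
                break
            time.sleep(0.02)
        logged = len(target.seen)
    finally:
        target.close()
    return {"open_port": target.port, "closed_port": closed, "states": states,
            "open_state": states[target.port], "closed_state": states[closed],
            "connections_logged": logged}


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["states"].items()):
        print(f"{port}/tcp {state}")
    print(f"target logged {result['connections_logged']} connection(s) from the scanner")
```

Run it with python3 and compare the two states with the single log entry on the listener side: the open port produced a completed connection the "service" recorded, the closed port produced only a RST that no application ever sees. A SYN scan never reaches accept() on the target, which is the noise difference the cheat sheet note refers to.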
Lab Scenario
In this lab, you will access the attacker server running Kali Linux at 192.168.1.5 to run all reconnaissance activity. Nmap is installed directly on the Kali server and will be run from the command line. The Nexpose vulnerability scanner is installed on an Ubuntu attacker server at 192.168.1.6 that will be accessed using a web browser on the Kali Linux attack server. The target will be the HackMDs DMZ server found at 192.168.1.107.
• The user name for access to the Kali Linux attack server is root and the password is CTRLab123!
• The username for Rapid7 Nexpose is root and the password is CTRLab123!
Linux Cheat Sheet
pwd             Show your current directory. Lost at the command line? Type this to find out where you are.
uptime          Show how long the system has been running.
cd <dir>        Change to a directory. Example: cd Desktop. "cd .." moves up one level to the parent directory.
ls              List the files in a directory. What is in your folder? Type ls in that directory.
ls -a           List all files, including hidden (dot) files.
whoami          Show your username. Wondering who you are logged in as? Type this.
man <command>   Show the manual page for any command. What is ls? Type "man ls".
date            Show the current date and time.
grep <pattern>  Keep only the lines you are looking for. Example: nmap -sT 192.168.1.107 | grep open
ps              Show a quick snapshot of running processes.
head <file>     Show the first 10 lines of a file. Example: head scan.txt
tail <file>     Show the last 10 lines of a file. Example: tail scan.txt
Exercise 1: Reconnaissance using NMAP
Note: NoMachine is a graphical remote access tool similar to VNC. You can find the tool on the desktop of your Jumpbox.
Step 1. Connect to the Jump Box.
Step 2. Login as user name admin and password CTRLab123!
Step 4. Once the NoMachine program starts, double click the
Step 5. When prompted, login to the Kali Attack host with the username: root and password: CTRLab123!
Step 6. If needed, you can resize the Kali Attack Linux desktop session. Start a Linux terminal session and then enter the following at the command prompt: xrandr -s 1024x768
Step 7. Now open the Nmap application by clicking on the magnifying glass at the bottom of the screen. Then type "nmap" in the search window to see the 3 available Nmap program options.
Note: This can also be done by opening a terminal and typing nmap. Some people prefer Zenmap, which is a GUI version of Nmap.
Step 9. Run the following command against the target web server hosted by HackMDs.com. This command performs a connect scan of the host:
nmap -sT 192.168.1.107
Note: Nmap connects with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.
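Reading results off the terminal works for one host but not for a subnet, and the vulnerability scan that follows needs a list of what is actually listening. The following Python is an added example for this guide (not Cisco's lab code and not part of Nmap): it parses Nmap's XML output, which nmap writes when you add -oX <file> to the command (the service and version fields are only filled in when you also add -sV for version detection), and extracts every open port with the service, product and version Nmap reported, skipping closed and filtered ports. The embedded XML is a constructed sample for a fictitious host 192.0.2.10 and a file name scan.xml; it is not output from the lab target. Element and attribute names are those of Nmap's XML format.

```python
"""Turn Nmap XML output (nmap -sT -sV -oX scan.xml <target>) into a table of
open services.

Added example for this lab guide (not Cisco's or Nmap's code). SAMPLE_XML is
a constructed scan of a fictitious host and is not output from the lab.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in Nmap's XML schema (only the elements we read are kept).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sT -sV -oX scan.xml 192.0.2.10" version="7.40">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="dmz.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache Tomcat" method="probed"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_services(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per open port: host, port, proto, service, product, version.

    Ports in any other state (closed, filtered, open|filtered) are skipped. A
    service with no product or version yields the empty string instead of
    failing, since an unprobed port only carries a name looked up from the
    nmap-services table.
    """
    root = ET.fromstring(xml_text)
    records: List[Dict[str, str]] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")       # IPv6-only host
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": port.get("portid", ""),
                "proto": port.get("protocol", ""),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    records.sort(key=lambda r: (r["host"], r["proto"], int(r["port"])))
    return records


def format_table(records: List[Dict[str, str]]) -> str:
    """Render the records as fixed-width text, one line per open port."""
    lines = [f"{'HOST':<15} {'PORT':<9} {'SERVICE':<8} PRODUCT / VERSION"]
    for r in records:
        banner = " ".join(x for x in (r["product"], r["version"]) if x) or "-"
        port = r["port"] + "/" + r["proto"]
        lines.append(f"{r['host']:<15} {port:<9} {r['service']:<8} {banner}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(open_services(SAMPLE_XML)))
```

Against a real scan, replace SAMPLE_XML with the contents of the file written by -oX (for example open("scan.xml").read()). The product and version strings are what you would carry into the Nexpose site definition or compare against vendor advisories; the filtered 443/tcp entry is deliberately dropped because nothing answered there and no service can be asserted.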
Exercise 2: Discovery using Rapid7 Nexpose
Now that you have scanned the HackMDs DMZ with a port scanner, next you will look for potential vulnerabilities using the Nexpose tool from Rapid7. This is installed on a separate Ubuntu server that will be accessed using a web browser from the Kali attack server. Just like with port scanning, our goal is only to identify potential weaknesses, versus executing an actual attack. The first 4 steps of exercise 2 might not be needed if you are directly continuing from exercise 1.
Step 11. If needed, reconnect to the Jump Box and login with the username admin and password CTRLab123!
Step 14. If needed, you can resize the Kali Attack Linux desktop session. Start a Linux terminal session and then enter the following at the command prompt: xrandr -s 1024x768
Step 15. From the Application Finder menu, search for the keyword iceweasel, then select the iceweasel icon to launch the Iceweasel web browser.
Note: If you cannot find the bookmark link, you can manually type the URL: https://192.168.1.6:3780
Step 17. Login with the username "root" and password "CTRLab123!"
Step 18. In the top bar on the Nexpose home screen select "Create" then "Site". The Site creation screen should come up.
Step 19. Use the following parameters for the General configuration section.
a. For name use "HackMDs.com"
b. Importance: "Normal"
c. Description: "Target HackMDs.com website"
d. User-added Tags: "None"
Note: The system may already have a site named HackMDs. If so, use a different name, such as by adding a -1 or -2 at the end of the site name.
Step 20. Next, click the "Assets" tab and under "INCLUDE", in the text box that says "enter name, address, or range", type the IP address of the HackMDs.com target server (192.168.1.107).
Step 22. Click the "SAVE & SCAN" button at the top right of the application window.
Note: If you clicked "Save" rather than "Save & Scan" during the previous configuration, you will need to click the magnifying glass at the top to search for your site (HackMDs), select the site, and select to run the scan.
Step 23. Now you need to wait a minute or two for the scan to complete.
Step 24. Once the scan has completed, click on the IP address of the target box under "COMPLETED ASSETS" that you want to examine. This will bring up the results of the scan for us to examine. The following example selects 192.168.1.107 due to the number of potential vulnerabilities.
Step 25. Scroll through the report and examine the results of the vulnerability scan that we ran. In the "Vulnerabilities" section, find the vulnerability that was identified by Nexpose for the version of "Apache Struts" that is installed on the target DMZ server.
Step 26. Click on the link in the report to see additional details for this vulnerability.
Note: Real world systems will have vulnerabilities. It is close to impossible to keep a system functional and useful without exposing it to some form of risk. This is why practices such as patch management are critical to reducing the chances of being compromised.
Step 2. Scan for specific ports using the -p option, as in the example below. The option accepts a single port, a comma-separated list (-p 22,80,443) or a range (-p 1-1024).
nmap -p 80 192.168.1.107
Step 3. Scan for the open ports on a specific target IP address that you found in bonus lab step 1 above.