
 

CYBER THREAT RESPONSE CLINIC
MODULE: CORE 03 – Target Reconnaissance: Gathering Information about Vulnerabilities for a Future Attack

Module Level: Core

© CISCO SYSTEMS, 2017

 
Lab Guide: Module 3
 
Discovery, also called Reconnaissance, is the first step of almost every cyber-attack you will experience. This is when the attacker learns everything they can about a target so they can develop the quickest and most effective method to achieve their goal. It's important to understand that the easier it is for an attacker to learn about you, the more likely they are to succeed at identifying a method to breach your defenses. This is why it is highly recommended to implement security that obscures what resources you are utilizing, to avoid exposing too much information to potential threats.
 
This module sets the stage for all other modules, since information obtained from reconnaissance can lead to various forms of attack depending on how the target is identified as vulnerable. Students will perform a simple port and vulnerability scan to represent one of the many methods by which real target research is performed. Real-world research would take much more time and involve various methods to learn as much as the attacker could obtain about the potential target.

Other methods used in the real world to gather data on a target are researching social media sources to learn about the employees, corporate websites to learn about the business, hiring sources to identify technology and people, scanning technology to find vulnerabilities, and so on.

Outcome
 
At the end of this module, you will have a basic understanding of how attackers research targets to prepare for future attacks. You will have an introduction to how to scan a target for open ports using the Nmap port scanner, as well as how to evaluate a target for vulnerabilities using the Nexpose vulnerability scanner.

This is your first lab as the attacker!
 
 

 
 
 
 
 
 
 
©Cisco Systems 2017 Cyber Threat Response 2.0 Clinic 3-2

Lab Resources

Resource 1: Kali Linux 2.0 (includes Nmap with default installation)
Resource 2: Ubuntu Server hosting Rapid 7 Nexpose
 
 
Reconnaissance using NMAP

Nmap is an open source network mapping and auditing tool.

Example syntax for scanning a single host over IPv4:

$ nmap -sT <IP address>

Nmap features include:
• Host discovery – Identifying hosts on a network.
• Port scanning – Enumerating the open ports on target hosts.
• Version detection – Interrogating network services on remote devices to determine application name and version number.
• OS detection – Determining the operating system and hardware characteristics of network devices.
• Scriptable interaction with the target – using the Nmap Scripting Engine (NSE) and the Lua programming language.
 
Different scan techniques are available in Nmap:
• -sS  TCP SYN
• -sT  Connect()
• -sA  ACK
• -sW  Window
• -sM  Maimon
• -sU  UDP scan
• -sN  TCP Null
• -sF  FIN
• -sX  Xmas scan
• -sO  IP protocol scan
 
SYN scanning is used to determine the state of a TCP port without establishing a full connection.

For more information on NMAP scans see – https://nmap.org/book/man-port-scanning-techniques.html

NMAP cheat sheet – https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.0.pdf

Note: See the NMAP cheat sheet link above for less noisy methods to perform similar scans while helping to avoid detection.
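As an added defender-side illustration (not part of the Cisco lab), the following Python script flags the trace a connect, SYN or UDP scan leaves in connection logs: one source touching many distinct ports on one host within a short window. The log format, addresses and events are constructed for the example.

```python
from collections import defaultdict, Counter

# Constructed sample log, one line per connection attempt, in the made-up
# format "<epoch> <proto> <src> -> <dst>:<port> <flag>": the Kali host probes
# six TCP ports and the lab's three UDP ports on the DMZ server within a few
# seconds, while a normal client (10.0.0.9) makes two requests 40 s apart.
SAMPLE_LOG = """\
1500000000 TCP 10.0.0.9 -> 192.168.1.107:443 SYN
1500000001 TCP 192.168.1.5 -> 192.168.1.107:21 SYN
1500000001 TCP 192.168.1.5 -> 192.168.1.107:22 SYN
1500000001 TCP 192.168.1.5 -> 192.168.1.107:23 SYN
1500000001 TCP 192.168.1.5 -> 192.168.1.107:25 SYN
1500000002 TCP 192.168.1.5 -> 192.168.1.107:80 SYN
1500000002 TCP 192.168.1.5 -> 192.168.1.107:443 SYN
1500000003 UDP 192.168.1.5 -> 192.168.1.107:123 PKT
1500000003 UDP 192.168.1.5 -> 192.168.1.107:161 PKT
1500000003 UDP 192.168.1.5 -> 192.168.1.107:162 PKT
1500000040 TCP 10.0.0.9 -> 192.168.1.107:80 SYN
"""

def parse(log):
    """Return (timestamp, proto, src, dst, port) tuples from the sample format."""
    events = []
    for line in log.splitlines():
        ts, proto, src, _, dst_port, _ = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((int(ts), proto, src, dst, int(port)))
    return events

def detect_scans(events, window=10, min_ports=6):
    """Return {(src, dst, proto): n} for flows that touch at least min_ports
    distinct destination ports within any window-second span."""
    flows = defaultdict(list)
    for ts, proto, src, dst, port in events:
        flows[(src, dst, proto)].append((ts, port))
    alerts = {}
    for key, hits in flows.items():
        hits.sort()
        counts, left, best = Counter(), 0, 0
        for ts, port in hits:  # slide a window over the time-ordered hits
            counts[port] += 1
            while ts - hits[left][0] > window:  # expire hits older than window
                counts[hits[left][1]] -= 1
                left += 1
            best = max(best, len(+counts))  # +counts keeps positive entries only
        if best >= min_ports:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    for (src, dst, proto), n in detect_scans(parse(SAMPLE_LOG)).items():
        print(f"possible {proto} port scan: {src} -> {dst} ({n} distinct ports)")
```

Lowering min_ports catches the three-port UDP probe as well, at the cost of more false positives from busy legitimate clients.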
   
Lab Scenario

In this lab, you will access the attacker server running Kali Linux at 192.168.1.5 to run all reconnaissance activity. Nmap is installed directly on the Kali server and will be run from the command line. The Nexpose vulnerability scanner is installed on an Ubuntu attacker server, 192.168.1.6, that will be accessed using a web browser on the Kali Linux attack server. The target will be the HackMDs DMZ server found at 192.168.1.107.

• User name for access to the Kali Linux attack server is root and password is CTRLab123!

• Username for Rapid7 Nexpose is root and password is CTRLab123!
 
 
 
Linux Cheat Sheet

pwd              Show your current directory. Lost in command line? Type this to find your directory.
uptime           Show uptime.
cd               Go to a directory. Example: cd /Desktop (cd .. goes up one directory).
ls               List the files in a directory. What's in your folder? Type ls in that directory.
whoami           Show your username. Wonder who you are logged in as? Type this.
man              Manual for any command. What is ls? Type "man ls".
date             Shows the date.
ls -a            Show all files including hidden files.
grep             Narrow on what you are looking for. Example: "grep 192.168.1.1".
ps               Show a quick snapshot of processes.
head "filename"  Show the first 10 lines of a file. Example: head joey.pdf
tail "filename"  Show the last 10 lines of a file. Example: tail joey.pdf
Lab 3

Exercise 1: Reconnaissance using NMAP

Step 1. Connect to the Jump Box.

Step 2. Login as user name admin and password CTRLab123!

Step 3. From the Jumpbox PC desktop, double click on the "Kali_Attacker" shortcut icon to start the NoMachine remote desktop application.

Note: NoMachine is a graphical remote access tool similar to VNC. You can find the tool on the desktop of your Jumpbox.

Step 4. Once the NoMachine program starts, double click the "Connection to 192.168.1.5" icon to connect to the Kali Attack host.

Step 5. When prompted, login to the Kali Attack host with the username: root and password: CTRLab123!

Step 6. If needed, you can resize the Kali Attack Linux desktop session. Start a Linux terminal session and then enter the following on the command line: xrandr -s 1024x768

Step 7. Now open the Nmap application by clicking on the magnifying glass at the bottom of the screen. Then type "nmap" in the search window to see the 3 available Nmap program options.

Note: This can also be done by opening a terminal and typing nmap. Some people prefer Zenmap. Zenmap is a GUI version of Nmap.
 
 



Step 8. Select the Nmap program from the search option list shown above.

Step 9. Run the following command against the target web server hosted by HackMDs.com. This command performs a connect scan of the host.

nmap -sT 192.168.1.107

Note: Nmap connects with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.

Step 10. Run this command against the target web server hosted by HackMDs.com. This command performs a UDP scan of the host.

nmap -sU -p 123,161,162 192.168.1.107

Note: UDP scan works by sending a UDP packet to every targeted port. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common ports.

Note: We selected these scans since they are quick to execute. See the advanced section for more detailed scans. Those scan options will also take longer to complete.

Note: For a better understanding of the "STATE" reported for each port, please reference the following link: https://nmap.org/book/man-port-scanning-basics.html
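An added example, not from the lab, of what a defender does with the output of the two scans above: parse Nmap's grepable (-oG) format and compare the open ports against an approved exposure baseline. The scan output, the services shown and the baseline are constructed for the illustration.

```python
# Added example (not from the Cisco lab): parse Nmap grepable (-oG) output of
# the two Exercise 1 scans and compare it with an approved exposure baseline.
# SAMPLE_GREPABLE is constructed to resemble what
#   nmap -oG - -sT 192.168.1.107  and  nmap -oG - -sU -p 123,161,162 192.168.1.107
# print; the ports and services listed are made up for the illustration.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -oG - -sT 192.168.1.107
Host: 192.168.1.107 ()\tStatus: Up
Host: 192.168.1.107 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap scan initiated as: nmap -oG - -sU -p 123,161,162 192.168.1.107
Host: 192.168.1.107 ()\tPorts: 123/open|filtered/udp//ntp///, 161/open/udp//snmp///, 162/closed/udp//snmptrap///
"""

# Constructed baseline: what the DMZ server is approved to expose.
APPROVED = {("192.168.1.107", "tcp", 80), ("192.168.1.107", "tcp", 443)}

def parse_grepable(text):
    """Return {(host, proto, port): (state, service)} from nmap -oG lines."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            port, state, proto, _, service = entry.split("/")[:5]
            results[(host, proto, int(port))] = (state, service)
    return results

def compare_exposure(observed, approved):
    """Flag open ports outside the baseline and baseline ports not seen open.
    UDP 'open|filtered' means no reply was seen, so it is tagged CHECK."""
    findings = []
    for key, (state, service) in sorted(observed.items()):
        if key not in approved and state.startswith("open"):
            tag = "UNEXPECTED" if state == "open" else "CHECK"
            findings.append((tag, key, state, service))
    seen_open = {k for k, (s, _) in observed.items() if s == "open"}
    for key in sorted(approved - seen_open):
        findings.append(("MISSING", key, "not open", ""))
    return findings

if __name__ == "__main__":
    for tag, (host, proto, port), state, service in compare_exposure(
            parse_grepable(SAMPLE_GREPABLE), APPROVED):
        print(f"{tag:10} {host} {proto}/{port} {state} {service}")
```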

 
 
 
 
 
 
Exercise 2: Discovery using Rapid 7 Nexpose

Now that you have scanned the HackMDs DMZ with a port scanner, next you will look for potential vulnerabilities using the Nexpose tool from Rapid 7. This is installed on a separate Ubuntu server that will be accessed using a web browser from the Kali attack server. Just like with port scanning, our goal is just to identify potential weaknesses versus executing an actual attack. The first 4 steps of exercise 2 might not be needed if you are directly continuing from exercise 1.
 
Step 11. If needed, reconnect to the Jump Box and login with the username admin and password CTRLab123!

Step 12. If needed, double click on the "Kali_Attacker" shortcut icon to start the NoMachine remote desktop application. Once the NoMachine program starts, double click the "Connection to 192.168.1.5" icon to connect to the Kali Attack host.

Step 13. If needed, when prompted, login to the Kali Attack host with the username: root and password: CTRLab123!

Step 14. If needed, you can resize the Kali Attack Linux desktop session. Start a Linux terminal session and then enter the following on the command prompt: xrandr -s 1024x768

Step 15. From the Application Finder menu, search for the keyword iceweasel then select the iceweasel icon to launch the iceweasel web browser.



Step 16. Next, click the Rapid7-Nexpose bookmark link to access this application.

Note: If you cannot find the bookmark link, then you can manually type the URL IP address: https://192.168.1.6:3780

Step 17. Login with the username "root" and password "CTRLab123!"

Step 18. In the top bar on the Nexpose home screen select "Create" then "Site". The Site creation screen should come up.

Step 19. Use the following parameters for the General configuration section.
a. For name use "HackMDs.com"
b. Importance "Normal"
c. Description "Target HackMDs.com website"
d. User-added Tags "None"

Note: The system may already have a site named HackMDs. If so, use a different name, such as by adding a -1 or -2 at the end of the site name.

Step 20. Next, click the "Assets" tab and under "INCLUDE", in the text box that says "enter name, address, or range", type the IP address of the Hackmds.com target server (192.168.1.107)



Step 21. Click the "TEMPLATES" tab and select "Full audit"

Step 22. Click the "SAVE & SCAN" button at the top right of the application window.

Note: If you just clicked save and not save and scan during the previous configuration, you will need to click the magnifying glass at the top to search for your site (HackMDs), select the site and select to run the scan.

Step 23. Now you need to wait a minute or two for the scan to complete.
Step 24. Once the scan has completed, click on the IP address of the target box under "COMPLETED ASSETS" that you want to examine. This will bring up the results of the scan for us to examine. The following example is selecting 192.168.1.107 due to the number of potential vulnerabilities.

Step 25. Scroll through the report and examine the results of the vulnerability scan that we ran. In the "Vulnerabilities" section, find the vulnerability that was identified by Nexpose for the version of "Apache Struts" that is installed on the target DMZ server.

Note: Real world systems will have vulnerabilities. It is close to impossible to keep a system functional and useful without exposing it to some form of risk. This is why practices such as patch management are critical to reducing the chances of being compromised.

Note: There are many real-world vulnerabilities attackers can find by just searching the internet using Google. An example is the jboss vulnerability associated with the SamSam ransomware. You will find thousands of systems by searching /status&full=true

Note: If you do not see the Apache Struts vulnerability, it's likely that the Cisco Firepower IPS policy is already enabled and blocking Nexpose from having access to the Apache Struts vulnerability. This is actually a good thing, because that means the Cisco Firepower prevented the attack already. However, we want to turn off this policy action for our vulnerability example to actually work. If you do not see this vulnerability after your scan is complete, then see your lab instructor for instructions on how to change the Firepower IPS policy.

Step 26. Click on the link in the report to see additional details for this vulnerability.



Note: In the report details above for this vulnerability, you can see under the "Description" section that this vulnerability is "remotely exploitable". This is key to you exploiting access to your target. You need a vulnerability that can be exploited remotely and unauthenticated. This exploit will fit the bill nicely.

This now completes the main lab portion of module 3.


Lab 3 Summary

This lab showed you that you need to perform your initial research, reconnaissance, along with other research, on your target(s) to identify all the possible vulnerabilities and then the methods to exploit these vulnerabilities for those targets.

The additional modules that follow will show you examples of attacks that would be able to deliver these exploits based on the results of your reconnaissance.

Feel free to explore additional Nmap and Nexpose tools and options, such as shown in the Lab 3 - Bonus Section on the next page, if time permits.

Note: It is important to be aware that there really is not a 100% guaranteed way to defend against an attacker researching you. You can limit your exposure with technology, such as content filtering, firewalls, etc. However, there will always be some level of exposure as you open up your systems for external use.
Lab 3 - Bonus Section (if time permits)

Nmap Advanced Options

Step 1. Scan a network to find which hosts are up and running.

nmap -sP 192.168.1.0/24

Step 2. Scan for specific ports using the -p option, as in the following two examples.

nmap -p 80 192.168.1.107



nmap -p U:53,137,T:21-25,80,443 192.168.1.105

Step 3. Scan for the open ports on a specific target IP address that you found from the bonus lab step 1 above.

nmap -sS -p U:53,111,137,T:1-65535 --open 192.168.1.105

The above documentation of IP addresses, open TCP/UDP ports, along with additional information you can find (ex. Social Engineering), will help you create your attack profile for your target(s). Your next step would be to start looking for known vulnerabilities for your target list, which we will look at in the next module.
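An added example (not part of the lab) that expands the -p port specifications used in steps 2 and 3 into explicit port sets, so you can see exactly what a scan covers before running or authorising it. The prefix semantics are assumed to follow Nmap's documented -p syntax: a "T:" or "U:" prefix applies to every following item until another prefix appears, and unprefixed items apply to all protocols being scanned.

```python
# Added illustration (not part of the Cisco lab): expand an Nmap -p port
# specification such as "U:53,137,T:21-25,80,443" into explicit port sets.
# Assumed semantics (matching Nmap's documented -p syntax): a "T:" or "U:"
# prefix applies to every following item until another prefix appears, items
# are single ports or "low-high" ranges, and items before any prefix apply to
# all protocols being scanned (kept here under the key "any").

def expand_port_spec(spec):
    """Return {"tcp": set, "udp": set, "any": set} for an Nmap -p string."""
    prefixes = {"T": "tcp", "U": "udp"}
    ports = {"tcp": set(), "udp": set(), "any": set()}
    proto = "any"
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        if len(item) > 1 and item[1] == ":" and item[0] in prefixes:
            proto, item = prefixes[item[0]], item[2:]
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
        else:
            low = high = int(item)
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"bad port or range: {item}")
        ports[proto].update(range(low, high + 1))
    return ports

def summarize(spec):
    """Count how many ports per protocol a scan with this -p value touches."""
    ports = expand_port_spec(spec)
    return {proto: len(p) for proto, p in ports.items() if p}

if __name__ == "__main__":
    for spec in ("U:53,137,T:21-25,80,443", "U:53,111,137,T:1-65535"):
        print(spec, "->", summarize(spec))
```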
 
 
 
Please let your instructor know when you have successfully completed Lab 3.
