Reconnaissance and information gathering methods were passive methods, meaning that they did not cause any alarm, alerts, and log file creation on the target systems: franklin.edu computers. In Lab-5, you will actively scan and enumerate target systems. These actions would cause some log files and probably trigger alerts if the target systems were used by a sensitive organization, such as a military or financial institution.

You will perform Lab-5 by using the Netlab environment provided by Franklin University. Netlab environment is an isolated environment with no Internet connection so that none of your actions will cause anything harmful for you or the target system.

nbtscan is used for scanning networks to obtain NetBIOS names, file shares, and other information. It is one of the tools that come with Kali Linux. Nbtscan is a convenient tool to scan the active computers on the network quickly.

Windows machines have NetBIOS names by default. Linux/Unix computer may also have NetBIOS names if the Samba interoperability suite is installed.

Before starting scanning the network from Kali Linux, you have to learn the network address first.

1) Enter the Netlab environment

2) Open Kali Linux and enter the password (password: toor)

3) Open a terminal window

4) Type this command:
ifconfig

5) Run a nbtscan by typing
nbtscan 192.168.2.0/24 to the terminal window. You will see all active computers along with IP addresses, NetBIOS names, and MAC addresses. That is an essential piece of information for a pentester and can be regarded as your initial attack surface.

Take a screenshot of the terminal window.

Section-2: Scan the Network by Using Nmap

You will perform another network scan by using a more versatile tool called Nmap. Nmap is one of the swiss knives of the pen-testers. It is a free and open-source tool and comes with Kali Linux. Nmap has many different scanning options; it can even perform vulnerability scanning in addition to network and host scanning. In this lab, you will first use Nmap’s network/host scanning features, and then you will perform vulnerability scanning with Nmap.

1) Type in
nmap 192.168.2.0/24 -n -sn in the terminal window.

Take a screenshot of the terminal window.

Type in
man
nmap in the terminal window to see the help page of the Nmap tool. Find why you used n and sn options.

In the previous section, you scanned the network by using Nmap. In this section, you will scan a specific host for open ports.

1) Type in
nmap 192.168.2.14 -n in the terminal window.

Take a screenshot of the terminal window.

192.168.2.14 is the Metasploitable machine. There are many open ports on this machine. It is an intentionally vulnerable Linux machine used for training purposes. As the pentester, you determined your initial attack surface using nbtscan and nmap tools, which can be thought of as the active computers on the network. The list of open ports of the Metasploitable computer is also an attack surface specific to a host. An open port can be considered one of the most valuable attack surfaces. Because an attacker can attack computers by using open ports in many ways, such as:

a) By flooding the port, such as SYN flood to port 80,

b) By exploiting the service using the port, such as an SQL injection attack against web application using Port 443

c) By brute-forcing the login forms,

d) By using default usernames or passwords, such as accessing to wireless modem management interface by default username: admin/password: admin credentials

Top 1000 ports are a list of statistically most popular 1000 ports used by the network-enabled applications and services. In this lab, you will scan the same target (Metasploitable) to check for the top 1000 ports.

1) Type in
nmap 192.168.2.14 -n –top-ports 1000 –open in the terminal window.

–open switch only shows the open ports on the target machine.

2) Now, type in the command with an extra switch -sV:
nmap 192.168.2.14 -n –top-ports 1000 –open -sV

sV switch fingerprints the service running on the port.

Take a screenshot of the terminal window.

Section-5: OS (Operating System) Detection by using Nmap

One of Nmap’s features is remote OS detection by using TCP/IP stack fingerprinting.  In this lab, you will detect the operating systems of the live hosts in the 192.168.2.0/24 network.

1) Type in
nmap 192.168.2.0/24 -n -O –osscan-guess

Note that you have to make the “O” letter uppercase.

Notice the operating system info at the command output.

Find the command output showing the operating system of 192.168.2.12 and
Take a screenshot of the terminal window.

Section-6: Vulnerability Scanning by Using Nmap

Now, it is time to perform vulnerability scanning by using Nmap. The first vulnerability will be the use of an FTP service with anonymous login is enabled.

In the previous lab, you found that 192.168.2.14 (Metasploitable) has the FTP service enable. Let’s check whether it has anonymous login enabled. Anonymous login is a common feature among FTP services.

1) Type in
nmap 192.168.2.14 -n –script ftp-anon -p 21 in the terminal window.

2) Type in
nmap 192.168.2.13 -n –script smb-vuln* -p 445

In this example, you used a wild chart. smb-vuln* use all scripts which start with “smb-vuln.”

Take a screenshot of the terminal window.

Weekly Learning and Reflection 

In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you’re confused about. Questions asked here will be summarized and answered anonymously in the next class.

Sniffing is an essential method of collecting information. If a hacker gains access to a computer network somehow, one of the first actions will be to sniff the network to capture sensitive data such as usernames and passwords. Internal threats such as disgruntled employees may also attempt to sniff their company networks to collect sensitive information.

The most effective countermeasure against sniffing is encryption. Today, most of the web traffic is encrypted by TLS protocol so that your webmail, social media passwords cannot be sniffed.

However, there are legacy protocols such as FTP and Telnet. Because these protocols do not have encryption features, both credentials and data can be intercepted using sniffers.

1) Enter the Netlab environment and open the Kali Linux computer.

2) Type in password as toor

3) Click on the Kali icon on the bottom left corner, and type wireshark on the search box to open Wireshark sniffer

4) Ensure that the eth0 network interface has been selected (1) and then click the capture icon (2).

5) Open a terminal window

6) Type in
ftp 192.168.2.14 to open a connection to FTP server hosted on 192.168.2.14 (Metasploitable)

7) Type anonymous as the user name and anything you want as the password. You will see that Wireshark is capturing the FTP traffic you are creating.

8) Stop the packet capture by clicking the stop button and type
ftp as the filter and press enter.

9) The Wireshark’s info column shows the username (Anonymous) and the password you typed in cleartext.

Take a screenshot of Wireshark windows showing the password you typed.

In this section, you will sniff the telnet password.

1) Click the capture icon once again on the top left corner of the Wireshark window.

2) When prompted to save the previous capture, click
Continue without Saving

Note that if you closed the Wireshark window follow the steps you did in the previous section to open Wireshark

3) Open a new terminal window or use the previous terminal windows you opened in Section-1.

4) Type in
telnet 192.168.2.13 to
open a telnet connection to Windows 7.

5) Type in admin as the username and admin as the password

6) Stop the packet capture by clicking the stop button and type
telnet as the filter and press enter.

7) Click on one of the captured packet (1), right-click (2), click in the Follow > TCP Stream (3). You will see the captured traffic and credentials in cleartext (4).

In Section-1 and Section-2, you performed packet sniffing on the computer that opens the connection to the remote computer; therefore, you could sniff the network traffic.

In a switched network like the one you are using in the Netlab, you cannot sniff the traffic between two computers as switches create virtual dedicated channels between computers.

Man-in-the-middle (MITM) attack enables attackers to sniff in a switched network. It is also known as ARP cache poisoning attack. In this lab, you will launch a MITM attack and capture the RDP (Remote Desktop Password). The visualization of the attack is given below.

After launching the MITM attack using the Cain tool, RDP traffic between Windows 7 Target and Windows 2008 will be directed to Windows 7 Attacker; and Windows 7 Attacker will relay this traffic.

1) Open Windows 7 Attacker on Netlab environment

2) Run the Cain tool by clicking the Cain icon on the desktop, start Sniffer (1) and click the Sniffer tab (2). You will be on the hosts section by default (3).

3) Open the MAC address scan menu by right-clicking anywhere on the spreadsheet and clicking on the
Scan MAC Addresses

4) Choose the range as shown below and click the OK button. (This is the range for IP addresses for 192.168.2.0/24 network.)

5) You will see a result screen like below.

6) Now, it is time to leverage the MITM attack. In order to do this, Cain tool will poison the ARP caches of Window 7 Target and Windows 2008 machines, so that the traffic will pass over the Windows 7 Attacker machine. Complete the steps below to set everything ready for ARP cache poisoning.

a. Click the APR tab (1)

b. Click APR icon (2)

c. Click on the empty spreadsheet on the workspace (3)

d. Click on the “+” icon to add hosts for ARP cache poisoning (4)

f. Select IP Address 192.168.2.11 from the right section (6)

g. Click OK

7) Start poisoning by clicking the poisoning button (1)

Now, it is time to create an RDP traffic between Windows 7 Target and Windows 2008. This traffic will not be solely between these two computers.

8) Switch to Windows 7 Target on the Netlab environment.

9) Click the start button, and
click on the Remote Desktop Connection icon.

10) Type 192.168.2.11 in the computer section, which is the IP address of Windows 2008. Click connect.

11) Type administrator as username and aA12345 as password. Click OK.

12) Click Yes at the certificate warning window

13) You will log into Windows 2003 over the RDP connection.

14) Switch to Windows 7 Attacker. Open the captured traffic by clicking APR-RDP on the tree (1) and then right-clicking the second row, and then click on
view.

15) Captured traffic will be opened on the Notepad. Search within the Notepad for the “key pressed” keyword. You will be able to see every key pressed by the user while connecting to the remote computer over the RDP protocol.

Take a screen capture of the Notepad showing the first two characters of the password.

Weekly Learning and Reflection 

In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you’re confused about. Questions asked here will be summarized and answered anonymously in the next class.

There are many different kinds of cyberattacks, such as exploitation of a vulnerability by using a piece of malicious code, launching denial of service attack, password cracking, and social engineering attacks.

In this lab, you will launch three brute force password cracking attacks against three different protocols, 1) SMB, 2) HTTP, 3) Telnet.

In this section, you will crack the password of the Administrator account of the Windows 7 Target computer (192.168.2.13) by using the Hydra tool on Kali Linux. Hydra is a brute force password cracker. You will use another tool named crunch to create a dictionary to be used by Hydra.

Assume that you did shoulder surfing and learned that the Administrator account on Windows 7 Target has “a”, “1”, “2”, “3”, “4”, and “5” characters. However, you couldn’t find the password with manual tries; you decided to use a brute force password cracker.

1) Log in to Kali Linux on the Netlab environment. Remember that the password of the root account was toor.

2) Open a terminal window.

3) You want to create a wordlist from the letters you learned in shoulder surfing. Use the crunch tool and type
crunch 6 7 aA12345 > my_word_list.txt in the terminal window. You included both lower and uppercase versions of “a” as you are not sure of which one is included in the password. You also indicated the minimum password length as 6 and the maximum length as 7. Crunch tool will generate a wordlist consisting of 941192 different possibilities of passwords that match the condition.

4) Now open the generated wordlist file by typing
vi my_word_list.txt in the terminal window.

5) Press the page down button to see the list. Press Shift-gg to go to the end of the file.

6) Type colon character in vi and then type “set nu”. This command will show the line numbers at the beginning of each line.

7) Now search for aA12345, which is the password of the Windows 7 Administrator account. To search for aA12345, type
/aA12345

Note the line number of aA12345, which is 140525.

SMB protocol does not like parallel connections; therefore, the Hydra tool does not perform parallel processing and tries one password at a given time. On average, Hydra will check for 5800 passwords per minute. Therefore, it will take 24 minutes to find the password of the Administrator account. At this point, you will perform a trick and insert the password to the 6000th line.

8) In order to do that, press
the Esc key and then type
6000 in vi, and then press
Shift-g.

9) Press
i and then press
the Enter key. An empty line will be opened for you to type the password. Type in aA12345 here. Press
Esc. Type
:wq to save and quit.

10) Now, it is time to use Hydra to launch a brute force attack against the SMB service on Windows 7 Target computer. Type in
hydra -l administrator -P my_word_list.txt smb://192.168.2.13

Take a screenshot of the brute force attack result screen once Hydra completed processing. (It should take no more than 5 minutes to complete)

Section-2: Brute Force Password Attack against a Remote Windows SMB Service (By using Metasploit Framework)

Metasploit Framework is a must-have tool for every pentester. You will use Metasploit frequently in the ISEC670 labs. Metasploit is included in Kali Linux.

1) Open a terminal window on Kali Linux on the Netlab environment.

2) Type in
msfconsole to open Metasploit Framework

3) Type in
search smb_login to find the path of the smb_login module.

4) Select the smb_login module by typing
use auxiliary/scanner/smb/smb_login (This is the path you learned in the previous step)

5) Type in
show options command to see the required parameters for the module.

Note: You can use view>shrink font to decrease the font size in the terminal window.

6) Set the target by typing
set RHOSTS 192.168.2.13

7) Set the username by typing
set SMBUSER administrator

8) Set the wordlist by typing
set PASS_FILE /root/my_word_list.txt

9) Discard showing the detailed results by typing
set VERBOSE false

10) Set the number of parallel process to 8 by typing
set THREADS 8

Note: Do not set it to numbers higher than 8 as it may cause SMB service to crash

11) Run the brute force attack. It will take 1-2 minutes for Metasploit Framework to try the correct password in the wordlist.

Take a screenshot of the Metasploit result showing the username/password pair.

Section-3: Brute Force Password Attack against a Web Login Form

In this section, you will use the Burp Suite to perform a brute force attack against a web login form. Burp Suite has been used by application security testers to automate and control the web application security testing.

1) Stay in the Kali Linux on the Netlab environment.

2) Click on the Kali icon on the bottom left corner and type Firefox.

3) Click on the Firefox ESR icon on the start menu.

4) Configure the Proxy Settings of Firefox to have the web traffic directed to the Burp Suite.

Click the Firefox menu and then click Preferences

Scroll down to the bottom of the page and click the Settings button in the Network Settings section.

Select the Manual proxy configuration and type in the IP address as 127.0.0.1 and port number as 8080. (Burp Suite listens on 127.0.0.1:8080 by default). Click OK.

5) Open Burp Suite by clicking the Kali Linux icon at the bottom left corner, typing burp, and clicking the burp suite icon on the start menu.

6) Click Next while Temporary Project was selected.

7) Click Start Burp while Use Burp defaults was selected.

4)
Take a screenshot of the terminal window.

Weekly Learning and Reflection 

In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you’re confused about. Questions asked here will be summarized and answered anonymously in the next class.