Workshop 0x04: Scanning

Overview and Objectives

In this workshop, we will proceed to the next phase in an ethical hacking assignment: network
scanning and vulnerability discovery. After the previous phase (reconnaissance and OSINT), we
gained an understanding about the "attack surface" of an organisation, including network ranges,
hosts and services using passive techniques.

The network scanning phase is "active" as we try to identify running hosts, services, OS and
application versions and known vulnerabilities. Make sure you gain explicit authorisation from the
target organisation. For those companies participating in bug bounty programs, read the terms
carefully to understand what you can and cannot do.

On the previous page, Bradley Morgan demonstrated Network scanning using Wireshark and
NMap. In this activity, you will proceed to the next phase in an ethical hacking exercise: network
scanning and vulnerability discovery. After the previous phase (reconnaissance and OSINT), you
gained an understanding about the "attack surface" of an organisation, including network ranges,
hosts, and services using passive techniques.

 Wireshark and TCP 3-Way Handshake

In order to concretely understand what network and port scanners do, you will use Wireshark to
observe the packets flowing between the client (your Kali Linux) and server (the Hacklab VM you
setup in Module 1).
1. Make sure both Kali and Hacklab VM are running under VirtualBox.

2. Check the IP address of your Kali instance using the "ip addr" command:
$ ip addr

3. Similarly, logon to Hacklab VM (username: student, password: hacklab) and this time
perform the command "ip addr | grep en". This just shows the IP address of the main
ethernet adapter.
ip addr | grep en

4. Start Wireshark from the command line or from the start menu. Note that you’ll need to
run as root.
$ sudo wireshark
 Figure 2.19: A screenshot of the start menu of Wireshark.
5. Double-click on "eth0" (this is the Virtual Box private network where both your Kali and
Hacklab VM are connected to) to start capturing packets on that interface.
6. To facilitate analysis, add the following "filter' to show only traffic to and from your Kali linux
(IP address may be different for you)
ip.addr == 192.168.183.130

7. From another command shell, (1) ping to the IP address of your Hacklab VM
(192.168.183.133 in example below) and then (2) run dig command to query for
adelaide.edu.au.
$ ping -c 1 192.168.183.133
$ dig adelaide.edu.au
 Figure 2.20: A screenshot of the Wireshark eth0 capture (on the left) and the terminal (on
the right).

Note (1) the ICMP ECHO REQUEST (ICMP Type 8) being sent from your tun0 IP address to
the server, and response of ICMP ECHO REPLY (ICMP Type 0) being returned from the
server. (2) Similarly, note the DNS request and response via UDP 53.
8. Next, perform an NMap TCP scan against Hacklab VM, just targeting port 80 for now
(remember to replace the IP with that of your own instance).
$ sudo nmap -sT -Pn -n -p 80 192.168.183.133

Note the meaning of the flags:

-sT= perform TCP scan

-Pn= don't ping (assume host is up)
-n (don't do reverse IP lookup)
-p 80 = just scan port 80 (without this NMap will scan all 1000 ports)
9. Go to Wireshark and look for initial SYN packet from your 10.8.0.X host to 10.0.0.29. Right-
click on that row and choose [Conversation Filter - TCP].
 Figure 2.21: A screenshot of Wireshark with the initial SYN packet.

This will create a filter ((ip.addr eq 10.8.0.X and ip.addr eq 10.0.0.29) and (tcp.port eq 34390
and tcp.port eq 80)) and show the 3-way handshake taking place.

Figure 2.22: The 3-way handshake on Wireshark

10. Select the first [SYN] packet and expand the details of the packet on the bottom pane. Note
under the [Transmission Control Protocol] section under the [Flags] subsection, only the
SYN bit is turned on. Also note the relative sequence number is 0.
 Figure 2.23: A screenshot of the Wireshark tun0 capture when the packet details are
expanded.

The actual sequence number (0x88acc228) is shown in the data pane.

11. Similarly, examine the details of the second packet [SYN, ACK] sent back from the server,
and confirm that the bits corresponding to the flags (SYN and ACK) are now set to 1, and a
new sequence number is created by the server for the Server=>Client packets.
12. Finally, examine the details of the 3rd packet [ACK] sent from the client to the server. This
completes the 3-way handshake, confirming that the server runs a service on port 80.

 Half-open or SYN scan

In this activity, you will continue to use Wireshark to explore a different type of scanning; namely,
SYN, XMas, NULL and FIN scans. Finally, you will experiment with zenmap to find out information
(e.g., OS, version) about particular hosts. You will repeat the packet capture analysis of a stealthy
SYN scan using NMap and Wireshark. With the SYN scan, the scanner ignores the SYN, ACK
response from the server. This document (https://nmap.org/book/synscan.html)
(https://nmap.org/book/synscan.html) explains a SYN scan in more detail.

1. Execute SYN scan with Wireshark listening on eth0.

$ sudo nmap -sS -Pn -n -p 80 192.168.183.133 (replace IP with your own instance of HacklabVM)

Again, note the options:

-sS specifies SYN scan

-Pn = no ping
 -n = no reverse IP lookup,
-p port
2. Capture and filter for the relevant packets in Wireshark. Note the sequence ([SYN] then
[SYN, ACK], but no [ACK] from the client back to the server (poor server, who is kept waiting
for the acknowledgement that will never come).

Figure 2.25: The sequence of packets in the Wireshark window.

Note that the final RST packet is actually not sent by NMap, but by the operating system
(Linux). If this is not sent, the server will keep the connection open for up to 60 seconds and
try to send the [SYN, ACK] packet every 5 seconds, which will lead to a SYN flooding
situation.

 XMas Scan, NULL Scan, FIN Scan

NMap can be used with the following options to perform XMas, NULL and FIN scans.

# nmap -sX 192.168.183.133

# nmap -sN 192.168.183.133
# nmap -sF 192.168.183.133

However, the success of these scans depends a lot on the target platform, and results are often
inconsistent. You don't have to execute these, but you need to know that these types of scans
exist. This document (https://nmap.org/book/scan-methods-null-fin-xmas-scan.html) explains
these scans in more detail.

 OS Fingerprinting

NMap can also be used to inference the operating system of the target computer using various
characteristic signatures.

1. Attempt to identify everything about the Hacklab VM using "-O" OS fingerpring switch.
 Figure 2.26: This shows what the output might look like for the command "nmap -O
10.0.0.106’".

2. The -A switch is similar to -O option, but also tries to guess the version of software running
behind each port.

 Scoping out the whole network

Now, try scanning the entire VirtualBox bridged network of 192.168.183.0/24 using NMap.
1. First, do a ping sweep of the whole range using the -sn switch. Besides your Kali Linux and
the Hacklab VM, you will find a few other hosts on that network including your host computer
and two Virtualbox virtual servers (DNS and DHCP).

Figure 2.27: This shows what the output might look like for the command "nmap -sn
192.168.183.0/24".

2. Do another sweep using half-open or SYN scan, using the -sS switch AND -Pn so that PING
will not be used. You will notice that your host computer (192.168.183.1) may be running
some default network services, and the VirtualBox DNS virtual server (192.168.183.2) runs
the DNS service on UDP port 53.
3. Try running a scan over your home network. Depending on your broadband router, this could
be something like 10.1.0.0/24 or 192.168.1.1/24. You will find everything connected to your
home network. This may take a few minutes. Use the "-n" (no revers DNS lookup) and "-PE"
(use PING to determine if a host is up) to speed things up. Use the "ipconfig /all" command
on cmd.exe on your host computer to find out details on your home network. Note: Do NOT
run any scans on the network of your work or your school without explicit permission of your
IT administrator!
 Figure 2.28: An example of scan of a home network
4. Experiment with various scan options, referring to the cheat sheet
(https://www.stationx.net/nmap-cheat-sheet/) or the documentation. Note that in actual
practice, something like the below will achieve most things you need, but it will take a long
time to run and it will be extremely noisy:
nmap -T4 -A -v 10.0.0.0/24

This command does the ping sweep, SYN scan of open ports, OS fingerprint, and service
identification of open ports, as well as run the default set of scripts. This document
(https://nmap.org/book/performance-timing-templates.html) explains the Timing Templates (-
T) in more detail.

 NMap and NSE scripts

NMap is designed to be extensible to run plugin scripts (NSE = Nmap Scripting Engine). See this
page (https://nmap.org/book/nse.html) for a further description and this page
(https://nmap.org/nsedoc/) for list of available standard scripts. The "-A" option is configured to run
a set of base NSE scripts.

Try running the "smb-os-discovery" to find machines running the SMB service on your home
network.

$ sudo nmap -n -PE -p 445 --script smb-os-discovery 192.168.1.0/24