In the first lesson of the Network Security Module, we focused on passive reconnaissance. In this one, we will focus on active reconnaissance.
Let’s scan what we can learn today in our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What have I learnt today?
- Stats
- Resources
Introduction to Active Reconnaissance
In the first lesson of the Network Security Module, we focused on passive reconnaissance. In this one, we will focus on active reconnaissance. First, we will use a web browser to collect even more information about our target. Then, we will try simple tools such as ping, traceroute, telnet and nc to gather information about the network, system and services.
Passive reconnaissance lets you gather information about your target without directly engaging it, as if you were watching from afar by checking publicly available information.
Active reconnaissance requires you to make contact with the target, anything from a phone call or a visit to the target’s company (social engineering) up to visiting their website or trying to connect to their SSH port. Think of it like trying the locks on a window or a door.
In this lesson, we will focus on the second part: Active reconnaissance.
Active recon may start with a direct connection to the target, and such connections may leave traces in the target’s logs: your IP address, the time of the connection, its duration, etc. But not all connections are suspicious, and it is possible to disguise your active reconnaissance as regular client activity. Web browsing, for example: no one suspects a browser connected to the target website among hundreds or thousands of other legitimate users. We can use this to pretend we are regular users.
We will also use tools such as ping, traceroute, and telnet.
This is the second lesson of the Network Security module:
- Passive Reconnaissance
- Active Reconnaissance
- Nmap Live Host Discovery
- Nmap Basic Port Scans
- Nmap Advanced Port Scans
- Nmap Post Port Scans
- Protocols and Servers
- Protocols and Servers 2
- Network Security Challenge
What have I learnt today?
Web Browser
We can use our web browser in several ways to gather information about a target.
By pressing Control + Shift + I or right-clicking the browser and selecting Inspect, we can open Developer Tools in our browser. Dev tools let you inspect many things that your browser receives and exchanges with the server: We can view and modify JavaScript files, inspect the cookies and discover the folder structure of the site content.
We can also use add-ons for Firefox and Chrome that can help us during pentesting:
- FoxyProxy, to change the proxy server we are using. We use it a lot along with Burp Suite.
- User-Agent Switcher and Manager to spoof our operating system or web browser.
- Wappalyzer provides insights about the technologies used on the visited websites.
Ping
The purpose of ping is to check whether you can reach the remote system and whether the remote system can reach you back (like a game of ping-pong). In simpler terms, the ping command sends a packet to a remote system and the remote system replies.
In less simple terms, the ping command sends an ICMP Echo Request to the remote system. If it is online, the remote system sends back an ICMP Echo Reply.
To use it, run ping <TARGET_IP> or ping <TARGET_HOSTNAME>. It will ping endlessly until you hit Control + C to stop it. Alternatively, you can use -c <NUMBER> to set the number of packets to send.
But what happens when the machine is turned off?
4 packets sent, 0 received.
Generally, when we don’t get a reply, it is because:
- The target is not responsive: Either turned off, booting up or the OS has crashed.
- It is unplugged from the network.
- A firewall is set up to block such packets.
- You have no internet.
Traceroute
This could be a lengthy explanation, but let’s keep it simple: traceroute traces the route taken by packets from your system to another host. It reveals the number of routers (or hops) between the two systems.
Beware, as many routers use dynamic routing protocols, so the route can change.
The command is traceroute <TARGET_IP> (or tracert <TARGET_IP> if you are doing cybersecurity on Windows).
Each packet carries a Time To Live (TTL) value in its IP header, and each time the packet passes through a router (hop), that value is decreased by one.
If the TTL reaches 0, the packet is dropped and an ICMP Time-to-Live Exceeded message is sent back to the original sender.
On Linux, traceroute sends UDP datagrams with the TTL set to 1, so the packet is dropped at the first router it meets, revealing that router’s IP address. Then it sends another packet with a TTL of 2, which is dropped at the second router and reveals its IP. This goes on until no more routers are found.
We have 14 numbered lines, each one representing one router or hop. For each hop, traceroute sends 3 packets. For example, on the first numbered line it has found two routers, while just one on the third line.
So:
- The number of routers/hops between your system and the target depends on when you run traceroute. Your packets will not always follow the same route.
- Some routers return a public IP address.
- Some routers don’t even reply.
Telnet
Telnet (TELetype NETwork) is a protocol designed for remote administration, using port 23. As it was developed in 1969, all the data, including usernames and passwords, is sent in clear text, making it easy to steal login credentials. Nowadays we use the SSH (Secure SHell) protocol instead.
Despite its weaknesses, Telnet is still used, but for other purposes. Using telnet <TARGET_IP> <PORT> we can connect to any service running on TCP, and we can discover information about the host by doing so:
Netcat
Netcat, or nc, is a great tool for pentesters. It supports both TCP and UDP protocols, and it can act as a client that connects to a listening port or as a server that listens on a port of our choice.
To connect to a server and collect its banner, we use nc <TARGET_IP> <PORT>:
We used Netcat to connect to the target machine with its IP and port 80. Then we issue a GET for the default page with GET / HTTP/1.1, followed by host: netcat to give a name to our host, and an empty line to end the request. The server then responds with its banner, revealing information about itself.
We can use Netcat to listen on a TCP port and connect to a listening port to get a shell.
On the server system, we open a port and listen on it with nc -lvnp <PORT>. On the client side, we connect to the listener with nc <TARGET_IP> <TARGET_PORT>.
Summary
In this lesson, we have covered the following:
- The difference between Passive and Active recon
- How to use whois, nslookup and dig
- How to find extra information in DNSDumpster
- How to find interesting information about your target and more in Shodan.io
Stats
From 97.156th to 93.124th. Now in the top 100.000!
Here is also the Skill Matrix:
Resources
Module: Network Security
TryHackMe: Passive Reconnaissance