Day 046 #FromZeroToHacker – Active Reconnaissance

In the first lesson of the Network Security Module, we focused on passive reconnaissance. In this one, we will focus on active reconnaissance.

Let’s scan what we can learn today in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Active Reconnaissance

In the first lesson of the Network Security Module, we focused on passive reconnaissance. In this one, we will focus on active reconnaissance. First, we will use a web browser to collect even more information about our target. Then, we will try simple tools such as ping, traceroute, telnet and nc to gather information about the network, system and services.

Passive reconnaissance lets you gather information about your target without direct engagement, as if you were watching from afar, by checking publicly available information.

Passive reconnaissance


Active reconnaissance requires you to make contact with the target: anything from a phone call or a visit to the target’s company (social engineering) up to visiting their website or trying to connect to their SSH port. Think of it as trying the locks on the windows and doors.

Active reconnaissance

In this lesson, we will focus on the second part: Active reconnaissance.

Active recon may start with a direct connection to the target, and such connections may leave traces in the target’s logs: your IP address, the time of the connection, its duration, etc. But not all connections are suspicious, and it is possible to disguise your active reconnaissance as regular client activity. Web browsing is the obvious example: no one suspects one browser connecting to a target website among hundreds or thousands of other legitimate users. We can use this to pass as regular users.

We will also use tools such as ping, traceroute, and telnet.

This is the second lesson of the Network Security module:

  1. Passive Reconnaissance
  2. Active Reconnaissance
  3. Nmap Live Host Discovery
  4. Nmap Basic Port Scans
  5. Nmap Advanced Port Scans
  6. Nmap Post Port Scans
  7. Protocols and Servers
  8. Protocols and Servers 2
  9. Network Security Challenge

What have I learnt today?

Web Browser

We can use our web browser in several ways to gather information about a target.

By pressing Control + Shift + I, or right-clicking the page and selecting Inspect, we can open the browser’s Developer Tools. Dev tools let you inspect much of what your browser receives from and exchanges with the server: we can view and modify JavaScript files, inspect the cookies and discover the folder structure of the site content.

Active reconnaissance Web browser dev tools

We can also use add-ons for Firefox and Chrome that can help us during pentesting:

  • FoxyProxy, to change the proxy server we are using. We use it a lot along with Burp Suite.
  • User-Agent Switcher and Manager to spoof our operating system or web browser.
  • Wappalyzer provides insights about the technologies used on the visited websites.
Active reconnaissance Wappalyzer

Ping

The purpose of ping is to check whether you can reach the remote system and whether the remote system can reach you back (like a game of ping-pong). In simpler terms, the ping command sends a packet to a remote system and the remote system replies.

More precisely, the ping command sends an ICMP Echo Request packet to a remote system. If it is online, the remote system sends back an ICMP Echo Reply.

To use it, run ping <TARGET_IP> or ping <TARGET_HOSTNAME>. It keeps pinging until you press Control + C to stop it. Alternatively, you can use the -c <NUMBER> option to set the number of packets to send.

Ping test

But what happens when the machine is turned off?

Ping off

4 packets sent, 0 received.

Generally, when we don’t get a reply, it is because:

  • The target is not responsive: it is turned off, still booting up, or its OS has crashed.
  • It is unplugged from the network.
  • A firewall is set up to block such packets.
  • Your own system has no Internet connection.
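To make the ICMP exchange concrete, here is an added example that is not part of the original lesson: it builds an ICMP Echo Request byte by byte, computes the RFC 1071 checksum, and produces and parses the Echo Reply an online host would send back, including the identifier/sequence matching that ping relies on. It only constructs and parses packets in memory; actually transmitting them needs a raw socket (CAP_NET_RAW or root), which is why the real ping binary runs with elevated privileges. The identifier 0x1234, the sequence numbers and the payload are constructed sample values.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words.
    Run over a packet whose checksum field is already correct, it returns 0."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload.
    The checksum is computed with the checksum field zeroed, then written in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"abcdefghijklmnop") -> bytes:
    # Sending this on the wire needs socket.socket(AF_INET, SOCK_RAW, IPPROTO_ICMP).
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte header and verify the checksum over the whole packet."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "ident": ident,
        "seq": seq,
        "payload": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def echo_reply_for(request: bytes):
    """What an online host does with a valid Echo Request: answer with an Echo Reply
    carrying the same identifier, sequence number and payload."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or not req["checksum_ok"]:
        return None  # malformed or not an echo request: no reply
    return build_echo(ICMP_ECHO_REPLY, req["ident"], req["seq"], req["payload"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """ping pairs replies with its own requests by identifier and sequence number."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["checksum_ok"]
            and rep["ident"] == req["ident"] and rep["seq"] == req["seq"])


if __name__ == "__main__":
    # Constructed sample: identifier 0x1234, sequence 1 (the first probe ping sends).
    request = build_echo_request(0x1234, 1)
    reply = echo_reply_for(request)
    print(parse_icmp(request))
    print(parse_icmp(reply))
    print("matched:", reply_matches(request, reply))
```

A reply that fails the checksum, or arrives with a different identifier, is ignored by ping exactly as reply_matches ignores it here; that is also why a firewall dropping Echo Requests shows up as "0 received" rather than as an error.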

Traceroute

This could be a lengthy explanation, but let’s keep it simple: traceroute traces the route taken by packets from your system to another host. It reveals the number of routers (or hops) between the two systems.

Beware that many routers use dynamic routing protocols, so the route can change from one run to the next.

The command to use it is traceroute <TARGET_IP> (or tracert <TARGET_IP> if you are doing cybersecurity on a Windows OS).

Every IP packet carries a Time To Live (TTL) field in its header, and each router (hop) the packet passes through decreases it by one.

traceroute graph

If the TTL reaches 0, the router drops the packet and sends an ICMP Time Exceeded message back to the original sender.

On Linux, traceroute sends UDP datagrams, starting with the TTL set to 1, so the first router encountered drops the packet and reveals its IP address. Then it sends another packet with a TTL of 2, which is dropped by the second router, revealing its IP, and so on until the packets reach the target and no more routers are found.

Traceroute scan

The output has 14 numbered lines, each one representing one router or hop. For every TTL value, traceroute sends three packets, so one line can show more than one router when the probes are routed differently: the first numbered line shows two routers, while the third shows just one.

So:

  • The number of routers/hops between your system and the target depends on when you run traceroute: your packets will not always follow the same route.
  • Some routers reply with a public IP address.
  • Some routers don’t reply at all.
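The TTL mechanism is easy to misread, so here is an added example that is not part of the original lesson: it models traceroute against a constructed path of routers. Each router decrements the TTL, the one that takes it to 0 answers with ICMP Time Exceeded, and the destination answers the UDP probe with Port Unreachable. The constructed path includes one hop shared by two load-balanced routers and one hop that never answers, which reproduces both the two-routers-on-one-line case and the `* * *` lines of real output. The addresses are RFC 5737 documentation ranges and 10.0.0.1, not real targets.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Hop:
    """One position on the path. Several routers means the hop is load-balanced;
    silent=True models a router that drops the probe without answering."""
    routers: List[str] = field(default_factory=list)
    silent: bool = False


def send_probe(path: List[Hop], target: str, ttl: int, probe_no: int) -> Optional[Tuple[str, str]]:
    """Forward one UDP probe with the given TTL. Each router decrements the TTL;
    the one that brings it to 0 drops the probe and replies with Time Exceeded."""
    for hop in path:
        ttl -= 1
        if ttl == 0:
            if hop.silent:
                return None  # no reply within the timeout: traceroute prints '*'
            # a load-balanced hop hands successive probes to different routers
            return hop.routers[probe_no % len(hop.routers)], "time-exceeded"
    # the TTL survived every router: the target itself answers the UDP probe
    return target, "port-unreachable"


def traceroute(path: List[Hop], target: str, probes: int = 3, max_hops: int = 30):
    """Return [(ttl, [address or '*' per probe]), ...], one entry per output line."""
    lines = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, target, ttl, i) for i in range(probes)]
        lines.append((ttl, [r[0] if r else "*" for r in replies]))
        if any(r is not None and r[1] == "port-unreachable" for r in replies):
            break  # destination reached, stop increasing the TTL
    return lines


def format_output(lines) -> str:
    """Render the lines the way the traceroute command prints them."""
    return "\n".join(f"{ttl:2d}  " + "  ".join(addrs) for ttl, addrs in lines)


# Constructed network (documentation addresses), not a real route.
SAMPLE_PATH = [
    Hop(["10.0.0.1"]),                  # home router
    Hop(["192.0.2.1", "192.0.2.2"]),    # ISP hop with two load-balanced routers
    Hop(silent=True),                   # router that never answers
    Hop(["198.51.100.1"]),
]
SAMPLE_TARGET = "203.0.113.10"


if __name__ == "__main__":
    print(format_output(traceroute(SAMPLE_PATH, SAMPLE_TARGET)))
```

Running it prints five lines: line 2 alternates between the two ISP routers, line 3 is all stars, and line 5 is the target. A path of only silent routers stops at max_hops, which is what a real run against a filtering target looks like.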

Telnet

Telnet (TELetype NETwork) is a protocol designed for remote administration over port 23. It was developed in 1969, and all the data, including usernames and passwords, is sent in clear text, which makes stealing login credentials easy. Nowadays we use the SSH (Secure SHell) protocol instead.

Despite its weaknesses, Telnet is still used, but for other purposes. With telnet <TARGET_IP> <PORT> we can connect to any service running on TCP, and by doing so we can discover information about the host:

Telnet

Netcat

Netcat, or nc, is a great tool for pentesters. It supports both TCP and UDP, and we can use it either as a client that connects to a port or as a server that listens on one.

To grab a server’s banner, we connect to it with nc <TARGET_IP> <PORT>:

Netcat scan

We used Netcat to connect to the target machine on port 80. Then we request the default page with GET / HTTP/1.1, followed by a Host header, host: netcat, and an empty line. The response comes back with the server’s information.
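The same exchange as a small script, added here as an example that is not part of the lesson: it starts a throwaway HTTP server on 127.0.0.1 so that it runs offline, opens a plain TCP socket the way nc does, sends exactly what was typed into netcat (the GET line, a Host header, a blank line) and pulls the status line and the Server header out of the reply. DemoHandler and the host name netcat are constructed; against a real target, grab_http_banner would be pointed at its IP and port instead.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a real web server; Python fills in the Server header."""

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server() -> HTTPServer:
    """Listen on a free localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0 = pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def grab_http_banner(host: str, port: int, timeout: float = 5.0):
    """Send the request typed into netcat and return (status line, headers dict).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    request = b"GET / HTTP/1.1\r\nHost: netcat\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:  # the server closes the connection after an HTTP/1.0 reply
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def demo():
    """Run the banner grab against the local demo server and tear it down."""
    server = start_demo_server()
    try:
        return grab_http_banner("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, headers = demo()
    print(status)
    print("Server:", headers.get("server", "<none>"))
```

The Server header is what identifies the software (here Python’s own BaseHTTP string); production servers often trim or remove it for exactly this reason, so an empty result is itself a data point.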

We can use Netcat to listen on a TCP port and connect to a listening port to get a shell.

On the server system, we open a port and listen to it with nc -lvnp <PORT>. On the client side, we connect to the listener with nc <TARGET_IP> <TARGET_PORT>.

Summary

In this lesson, we have covered the following:

  • The difference between Passive and Active recon
  • How to use whois, nslookup and dig
  • How to find extra information in DNSDumpster
  • How to find interesting information about your target and more in Shodan.io

Stats

From 97.156th to 93.124th. Now in the top 100.000!

Here is also the Skill Matrix:

Skills matrix

Resources

Module: Network Security

TryHackMe: Passive Reconnaissance

Other resources

Network Fundamentals
Linux Fundamentals
DNSDumpster
Shodan.io