CYBE231 Lab 2 - Network Scanning
In this lab we moved away from passive information gathering and moved to active information gathering by performing scans on networks. Starting from here and through the rest of the course we did everything in the ISEAGE environment which is a simulated internet environment that allows students to have their “public” facing network, and keeps attacks off the internet.
I was given the IP range 15.218.53.0/24 for this class. To start off the lab, I finished set up of the Ubuntu desktop machine by adding proxy information, and updating. To start out, The thing we did was ping the gateway so that we could see a normal response of what ping looks like. Typing in IP addresses by hand is time-consuming though, so we had a quick script to write all our IP range to a file. After creating the file, we installed fping as it better automates the process of pinging. Running this we saw that there were 4 IP addresses that responded 15.218.53.100, 15.218.53.102, 15.218.53.108, 15.218.53.110.
fping uses ICMP echo requests by default, while most systems automatically reply, that can be turned off making it not respond to echo requests. The next tool we used was nmap, sending ICMP time requests instead of echo requests. When running this against all of the targets, we found one more host that responded 15.218.53.104. This is not a guarantee that we found all the systems on our network as ICMP requests can be turned off.
The next tool we looked at was hping3. We used this tool to send TCP, and UDP packets to commonly known ports. If there is a service running on one of these ports, it should respond to these packets, and can not be turned off since it is a real service. Running this against all of our targets, we found one more host that responded 15.218.53.106, it responded on requests to ports 445, 80, 135, and 139.
Scanning the network for open ports, or pinging the network creates a lot of traffic, and is very noisy. Taking a look at wireshark we saw how when a scan was running, our system would create lots of noise very quickly. One of the potential ways to be stealthier, is to slow down the speed of the scan to not trigger detection. Or do things that would mimic real traffic and be less likely to be detected.
Scanning is an important skill to know, but just knowing if something exists at a certain IP address does get you very far. When scanning you can gather other information about the systems, and what is running on them. To do this we used first started with a basic nmap port scan that found the open ports on the machine, and what services run on those ports. Using this information we had to take a guess at the Operating System. I ended up guessing a lot of Windows XP on this first round, and it was talked about in class with being used to exploit in lab.
| Host | Ports | Services | OS Guess |
|---|---|---|---|
| 15.218.53.100 | 135, 139, 445 | msrpc, netbios-ssn, microsoft-ds | Windows XP |
| 15.218.53.102 | 7, 9, 13, 17, 19, 25, 53, 80, 135, 139, 443, 445, 515, 1025, 1027, 1030, 1033, 1034, 1755, 3372, 3389, 6666, 7007, 7778 | echo, discard, daytime, qotd, chargen, smtp, domain, http, msrpc, netbios-ssn, https, microsoft-ds, printer, NFS-or-IIS, IIS, iad1, netinfo, zincite-a, wms, msdtc, ms-webt-server, irc, afs3-bos, interwise | Windows XP |
| 15.218.53.104 | 22, 80, 443 | ssh, http, https | Linux of some variety |
| 15.218.53.106 | 80, 135, 139, 445 | http, msrpc, netbios-ssn, microsoft-ds | Windows XP |
| 15.218.53.108 | 135, 139, 445 | msrpc, netbios-ssn, microsoft-ds | Windows XP |
| 15.218.53.110 | 135, 139 | msrpc, netbios-ssn | Windows XP |
That scan only guesses at services running on the machine, and does not actually get the service banner, so if something is running on a non-standard port it would be mis-represented. To get this service banner, we added the -sV flag to nmap, which return the banner of the service at each port. We then had to update our guess with the new information.
| Host | Changes | Updated OS Guess |
|---|---|---|
| 15.218.53.100 | None | Windows XP |
| 15.218.53.102 | microsoft-ds is reporting with 2000 identifier meaning it’s older than XP |
Windows 2000 |
| 15.218.53.104 | SSH reports with a Debian-Ubuntu service banner | Ubuntu Linux |
| 15.218.53.106 | SSH reports with FreeBSD service banner, and an apache web service banner | FreeBSD |
| 15.218.53.108 | None | Windows XP |
| 15.218.53.110 | None | Windows XP |
While we are looking what is open, and taking a guess at what the system is based on the open ports and what is running on them. This still leaves a lot of room for error and requires personal knowledge on what is running. Another way to verify, or the thoughts, or on a machine with hard to guess services is the nmap -O flag. This scan from nmap attempts to guess the operating system of the machine. Running this against our systems showed that some guesses were right, and some were wrong.
| Host | nmap Guess |
|---|---|
| 15.218.53.100 | Windows XP |
| 15.218.53.102 | Windows 2000 |
| 15.218.53.104 | Linux with Kernel 2.6.32-3.10 |
| 15.218.53.106 | Juniper Firewall |
| 15.218.53.108 | Windows 10 |
| 15.218.53.110 | Windows NT |
To finish off this lab we had to take some time looking at the information we gathered and attempt to find some vulnerabilities in these systems to exploit later in the semester. The two vulnerabilites that I found that would be interesting to look at were CVE-2001-0572 where older versions of OpenSSH leaked information about password lengths, and the type of authentication being used. Which would make brute forcing the password significantly easier. The other interesting vulnerability was CVE-2010-2550 which was a vulnerability in Microsoft SMB server software that allowed for remote code execution with crafted payloads.