Week 2 Active Recon (SEC 335) - Chromosom3/TechNotes GitHub Wiki

Reflection

Working on active recon this week was fun. Seeing how you can use simple tools to get information from hosts was nice. Additionally, I enjoyed working on scripts/"one-liners" to automate some of the processes. I think scripting is very beneficial and I'm glad this class is encouraging the use of scripting. I was also surprised by how many flags nmap has. I guess that just speaks to how powerful the tool is.

Host Discovery

This week we began working on active recon; specifically, we looked at scanning a range of addresses to determine which hosts are up. We looked at three command line utilities for this: ping, fping, and nmap. For each utility, we worked on scripting the discovery of multiple hosts in the environment and sending the results to a text file. Below are the scripts I made.

Ping

The following code was used to sweep 10.0.5.2 through 10.0.5.50 using ping. The for loop pings each host once (-c 1) and gives up after 2 seconds if no reply arrives (-W 2). Each ping run ends with a statistics header ("--- 10.0.5.X ping statistics ---") followed by a summary line, so grep selects the summary lines that report a reply ("1 received") together with the line before them (-B 1). awk then matches the header line (it contains "--") and prints its second field, which is the IP address. The results are appended to a text file for later use. Note that this depends on the exact wording of the Linux ping summary; the BSD/macOS ping prints "1 packets received" instead, and the grep would match nothing.

for ip in $(seq 2 50); do ping -W 2 -c 1 10.0.5.$ip | grep -B 1 "1 received" | awk '/--/{print $2}' >> sweep.txt; done

Fping

The following command does the same job as the one above, but with the fping utility instead of ping. Using fping is nice because, unlike ping, it accepts a range directly (-g START END), so no for loop is required. The -a flag prints only hosts that are alive; hosts that do not answer produce no output, while error messages (for example ICMP Host Unreachable replies from a router) go to stderr. To keep the list clean, stdout is sent to sweep2.txt and stderr to /dev/null. Note that 1> and 2> redirect stdout and stderr respectively. fping needs a raw socket to send ICMP, which is why it is run with sudo.

sudo fping -g 10.0.5.2 10.0.5.50 -a 1> sweep2.txt 2> /dev/null

Nmap

The final utility that was used was nmap. Nmap was the clear choice for this as it is purpose-built for scanning. The following command sweeps a range and writes the live hosts to a file. -sn disables port scanning so only host discovery is performed, -n disables reverse DNS lookups so the "Nmap scan report" line contains just the IP address (with DNS enabled, the fifth field would be a hostname), and -vv makes nmap print a report line for down hosts as well, which is why the output has to be filtered. grep selects each "Host is up" line together with the line before it (-B 1), and awk prints the fifth field of the "Nmap scan report" line, the IP address, which is appended to sweep3.txt.

nmap -sn -n -vv 10.0.5.2-50 | grep -B 1 "Host is up" | awk '/Nmap scan report/{print $5}' >> sweep3.txt
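As an added example (not from the original wiki page), the script below does the extraction step of the nmap sweep in two ways that do not depend on field positions: a regex over normal output, which still works when -n is left off and a hostname appears in the report line, and nmap's grepable output format (-oG -), which nmap provides for exactly this kind of post-processing. Both sample outputs are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# Extract live hosts from nmap -sn output. Two parsers:
#   up_hosts_from_normal   - parses normal output, as in the sweep above
#   up_hosts_from_grepable - parses grepable output (nmap -oG -)
#
# The "Nmap scan report" line changes shape depending on the flags used:
#   Nmap scan report for 10.0.5.3                (with -n)
#   Nmap scan report for web01.lab (10.0.5.4)    (without -n, name resolved)
#   Nmap scan report for 10.0.5.5 [host down]    (only printed with -vv)
# so `awk '{print $5}'` returns a hostname when reverse DNS succeeds.
# Matching the dotted quad with a regex avoids that dependency.

# Print the IPv4 address of every host reported as up.
# Input: normal nmap output (e.g. `nmap -sn -vv 10.0.5.2-50`) on stdin.
up_hosts_from_normal() {
  grep -B 1 'Host is up' \
    | grep 'Nmap scan report' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Same result from grepable output (`nmap -sn -oG - 10.0.5.2-50`), where
# every host is one "Host: <ip> (<name>)  Status: Up" line.
up_hosts_from_grepable() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of `nmap -sn -vv` output (not a real capture).
# 10.0.5.4 has a reverse DNS name to show the case that -n would have hidden.
SAMPLE_NORMAL='Starting Nmap ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 10.0.5.2 [host down]
Nmap scan report for 10.0.5.3
Host is up (0.00031s latency).
Nmap scan report for web01.lab (10.0.5.4)
Host is up (0.00040s latency).
Nmap scan report for 10.0.5.5 [host down]
Nmap done: 4 IP addresses (2 hosts up) scanned in 0.21 seconds'

# Constructed sample of `nmap -sn -oG -` output for the same range.
# (Real grepable output separates fields with tabs; whitespace is enough here.)
SAMPLE_GREPABLE='# Nmap scan initiated as: nmap -sn -oG - 10.0.5.2-5
Host: 10.0.5.3 ()  Status: Up
Host: 10.0.5.4 (web01.lab)  Status: Up
# Nmap done -- 4 IP addresses (2 hosts up) scanned in 0.21 seconds'

# Demo: both parsers list 10.0.5.3 and 10.0.5.4 and nothing else.
printf '%s\n' "$SAMPLE_NORMAL"   | up_hosts_from_normal
printf '%s\n' "$SAMPLE_GREPABLE" | up_hosts_from_grepable
```

In practice the grepable form is the one to script against: `nmap -sn -oG - 10.0.5.2-50 | up_hosts_from_grepable >> sweep3.txt` needs no -vv, no -n and no grep -B, and its line format is stable across nmap versions, while normal output is written for humans and may change.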

Port Scanning

Nmap

Nmap was also used for Lab 2.2. In this additional lab, we dove deeper into nmap and its capabilities. After doing some research, I compiled the list of helpful nmap commands below.

Specifying Target(s):

# Single IP
nmap 10.0.17.107
# IP Range
nmap 10.0.17.100-107
# Multiple IPs
nmap 10.0.17.107 10.0.17.108
# Whole Subnet
nmap 10.0.17.0/24
# Exclude a host
nmap 10.0.17.0/24 --exclude 10.0.17.107

Specifying Port(s):

# Single Port
nmap 10.0.17.107 -p 3389
# Port Range
nmap 10.0.17.107 -p 1-6000
# Specify UDP and TCP ports (U: ports are only scanned if a UDP scan, -sU, is also requested; -sU needs root)
sudo nmap 10.0.17.107 -sU -sT -p U:53,T:21

Service/OS Detection:

# Determine the version of the service on each open port
nmap 10.0.17.107 -sV
# Enable OS detection, version detection, script scanning, and traceroute (OS detection needs root)
sudo nmap 10.0.17.107 -A
# Enable OS detection (needs root)
sudo nmap 10.0.17.107 -O
# Enable script scanning with the default NSE script set
nmap 10.0.17.107 -sC
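The commands above print reports meant to be read, not processed. As an added example (not part of the original page), the script below feeds the grepable output (-oG -) of a version scan into awk and prints one line per open port with its protocol, service and version, skipping closed and filtered ports. The sample scan output is constructed for the example, and the version strings in it are made up.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# Turn `nmap -sV -oG -` output into one line per OPEN port:
#   <host> <port>/<proto> <service> <version>
#
# In grepable output each host is one line with tab-separated fields
# ("Host: ...", "Ports: ...", "Ignored State: ...") and every Ports:
# entry has seven slash-separated fields:
#   port/state/protocol/owner/service/rpc-info/version
# Entries are separated by ", ". Closed or filtered ports can appear in the
# list too, so the state field is checked instead of assumed.
open_services() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)          # drop the label
      sub(/ .*/, "", host)              # drop " (hostname)"
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open")
            printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# Constructed sample of `nmap -sV -oG - 10.0.17.107-108` output (not a real
# scan; the version strings are made up). TAB holds a literal tab because the
# real format is tab-separated. 10.0.17.108 answered the ping but has no
# Ports: field, which is what a host with nothing open looks like.
TAB="$(printf '\t')"
SAMPLE_SV="$(printf '%s\n' \
  '# Nmap scan initiated as: nmap -sV -oG - 10.0.17.107-108' \
  "Host: 10.0.17.107 (win01.lab)${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3389/closed/tcp//ms-wbt-server///${TAB}Ignored State: filtered (997)" \
  "Host: 10.0.17.108 ()${TAB}Status: Up" \
  '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.3 seconds')"

# Demo: prints the two open ports on 10.0.17.107 and nothing for 10.0.17.108.
printf '%s\n' "$SAMPLE_SV" | open_services
```

Used against a live scan this becomes `nmap -sV -oG - 10.0.17.0/24 | open_services`, which gives a flat host/port/service list that is easy to diff between scans or sort by service when deciding what to look at next.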