Reconnaissance: Tools - Paiet/Tech-Journal-for-Everything GitHub Wiki

Reconnaissance: Tools Pt.1

  • Tools

  • NMAP

    • Host scanning
      • Scans hosts for open ports/services
        • DEMO: sudo nmap -n -p- localhost
      • Can check open services for vulnerabilities
        • NMAP Scripting Engine (NSE)
        • DEMO: sudo nmap -A -p- localhost
          • sudo nmap --script
    • Network mapping
      • Looks for live hosts on a given network
      • Can exclude hosts from scan
        • DEMO: sudo nmap -sn 192.168.55.0/24
  • NETSTAT

    • Shows network connections
    • TCP and UDP
    • Established connections are most interesting
    • Great for tracking down malware connections you may not be aware of
    • DEMO: netstat -a
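Added example, not part of the original notes: a small triage script for the "established connections are most interesting" point above. It parses netstat -an style output (the sample lines are constructed, not a real capture), keeps only ESTABLISHED rows and flags the ones whose peer lies outside RFC 1918, loopback and link-local space, which is where an unexpected malware connection would show up. The address list in LOCAL_NETS and the sample hosts are assumptions for the demo.

```python
# Added example, not from the original notes: triage "netstat -an" style output
# and keep only ESTABLISHED connections whose peer is outside the local
# networks, the rows that matter when tracking down a malware connection.
# SAMPLE_NETSTAT is a constructed sample shaped like Linux netstat output.
import ipaddress
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.55.10:49152     192.168.55.20:22        ESTABLISHED
tcp        0      0 192.168.55.10:49153     203.0.113.77:4444       ESTABLISHED
tcp        0      0 192.168.55.10:49154     198.51.100.9:443        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Address ranges treated as "local" for this demo: RFC 1918, loopback and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str  # empty for UDP rows, which carry no state column


def parse_netstat(text):
    """Turn netstat -an lines into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        state = fields[5] if len(fields) > 5 else ""
        conns.append(Conn(fields[0], fields[3], fields[4], state))
    return conns


def split_addr(addr):
    """'192.168.55.10:49152' -> ('192.168.55.10', 49152); the '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_local(host):
    """True when the address falls inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def suspicious_established(conns):
    """ESTABLISHED connections to peers outside LOCAL_NETS, to be checked against known services."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and not is_local(split_addr(c.foreign)[0])]


if __name__ == "__main__":
    for c in suspicious_established(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c.proto} {c.local} -> {c.foreign} ({c.state})")
```

Run netstat with -n so addresses stay numeric and parseable, and with -p (as root) to see which process owns each connection; on current Linux systems ss -tanp gives the same information with a different column order.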

Reconnaissance: Tools Pt.2

  • Packet analyzer
    • Wireshark
    • TCPDUMP
    • Can grab any interesting clear-text information
      • Telnet/FTP traffic
    • Sometimes you see apps/services looking for a connection
      • Kind of a "reverse" connection
    • tcpdump -i eth1 -XX -s 0 -w test.pcap tcp port 23
      • The capture filter (tcp port 23) goes last, after the options; -s 0 captures whole packets and -w writes them to a pcap file that Wireshark can open
    • Demo wireshark reading topsecret.txt on Metasploitable
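Added example, not from the original notes or the Metasploitable demo: what a pcap written by tcpdump -w looks like, and how the clear-text of the telnet (port 23) traffic is recovered from it. The script builds a few Ethernet/IPv4/TCP frames by hand (constructed sample traffic, with checksums left at zero), writes them in pcap format, reads the file back and extracts the payloads that tcpdump's "tcp port 23" filter would select, which is the same view Wireshark's Follow TCP Stream gives. Hosts, ports and message text are assumptions for the demo.

```python
# Added example, not from the original notes: build a tiny pcap file the way
# "tcpdump -w test.pcap" would, read it back and extract the clear-text
# payload of the TCP port 23 (telnet) segments, which is what the Wireshark
# demo shows. All frames are constructed here; no capture tools are required.
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left at zero; nothing below validates them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# Constructed traffic: a telnet login prompt exchange plus one TLS segment that must be ignored.
SAMPLE_FRAMES = [
    build_frame("192.168.55.10", "192.168.55.20", 49200, 23, b"login: alice\r\n"),
    build_frame("192.168.55.20", "192.168.55.10", 23, 49200, b"Password: "),
    build_frame("192.168.55.10", "198.51.100.9", 49201, 443, b"\x16\x03\x01\x00\x05hello"),
]


def write_pcap(frames):
    """Serialise frames as pcap bytes: 24-byte global header, then a 16-byte record header per frame."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield the raw frames from pcap bytes; the magic number tells us the writer's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    order = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payloads(frames, port):
    """(src, dst, payload) for TCP segments where either end uses `port`, like tcpdump's 'tcp port N'."""
    found = []
    for f in frames:
        if struct.unpack("!H", f[12:14])[0] != 0x0800:  # IPv4 only
            continue
        ihl = (f[14] & 0x0F) * 4
        ip = f[14:14 + ihl]
        if ip[9] != 6:  # protocol field: 6 = TCP
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        if port in (sport, dport):
            found.append((src, dst, tcp[data_off:]))
    return found


def telnet_cleartext(pcap_bytes):
    """Everything sent on port 23 decoded as text: the same view as Wireshark's Follow TCP Stream."""
    return [(s, d, p.decode("ascii", "replace")) for s, d, p in tcp_payloads(read_pcap(pcap_bytes), 23)]


if __name__ == "__main__":
    pcap = write_pcap(SAMPLE_FRAMES)
    with open("test.pcap", "wb") as fh:  # open this one in Wireshark
        fh.write(pcap)
    for src, dst, text in telnet_cleartext(pcap):
        print(f"{src} -> {dst}: {text!r}")
```

The point of the exercise: the login prompt and whatever is typed after it are sitting in the packet payload as plain bytes, so anyone with a tap on the path reads them; the port 443 segment carries a TLS record and yields nothing useful, which is why telnet and FTP are the protocols to retire first.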

Reconnaissance: Tools Pt.3

  • IDS/IPS
    • Snort (p.418-420)

      • DEMO:
      sudo snort -A console -i [adapter] -u snort -g snort -c /etc/snort/snort.conf
      Run nmap -sS and -sX from another PC
      CTRL+C to stop snort
      sudo snort -r /var/log/snort/snort.log.xxxxxxxx

    • Bro

    • Cisco Firepower

  • HIDS/NIDS
  • Firewall rule-based and logs
    • IPtables
      • Create rule to Block ICMP traffic coming in on eth1
      • Create a rule to log packets with the iptables LOG target
      • iptables -I INPUT -j LOG
        • Rule order matters: LOG does not stop rule traversal, so the LOG rule has to sit before the DROP rule that blocks the traffic, otherwise the dropped packets are never logged
        • Check /var/log/kern.log
    • Cisco (use practicelabs)
      • ACLs

        ip access-list extended BLOCKPING
         deny icmp any host 10.1.1.1 echo-reply
         permit ip any any
        int fa0/0
         ip access-group BLOCKPING in

      • Logging
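Added example, not from the original notes: a parser for the lines that the iptables LOG rule under IPtables above writes to /var/log/kern.log, so the "check kern.log" step becomes a quick summary of who is sending what on which interface. The log lines in SAMPLE_KERN_LOG are constructed samples in the netfilter LOG format; the "IPT-IN: " tag assumes the rule was created with --log-prefix "IPT-IN: " (a real iptables LOG option), and the regex also accepts lines written without a prefix.

```python
# Added example, not from the original notes: parse what the iptables LOG rule
# writes to /var/log/kern.log and summarise it. The lines in SAMPLE_KERN_LOG
# are constructed samples in the netfilter LOG format; the "IPT-IN: " prefix
# assumes the rule was given --log-prefix "IPT-IN: " (without it the IN= field
# follows the timestamp directly, which the regex also accepts).
import re
from collections import Counter

SAMPLE_KERN_LOG = """\
Mar  7 10:15:02 fw kernel: [ 1234.567890] IPT-IN: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.55.20 DST=192.168.55.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  7 10:15:03 fw kernel: [ 1235.567890] IPT-IN: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.55.20 DST=192.168.55.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar  7 10:15:09 fw kernel: [ 1241.001122] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.55.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  7 10:15:10 fw kernel: [ 1242.000000] usb 1-1: new high-speed USB device number 3
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<body>.*)$")


def parse_kern_log(text):
    """One dict per netfilter LOG line: KEY=value tokens become keys, bare tokens (DF, SYN...) go to 'flags'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated kernel message
        entry = {"timestamp": m.group("ts"), "host": m.group("host"),
                 "prefix": m.group("prefix").strip(), "flags": []}
        for tok in ("IN=" + m.group("body")).split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry.setdefault(key, value)  # ICMP lines carry ID= twice; keep the IP-header one
            else:
                entry["flags"].append(tok)
        entries.append(entry)
    return entries


def summarize(entries):
    """Count hits per (interface, protocol, source): the quick answer to 'who is hitting eth1?'."""
    return Counter((e.get("IN"), e.get("PROTO"), e.get("SRC")) for e in entries)


def icmp_echo_sources(entries, iface):
    """Hosts sending ICMP echo requests (TYPE=8) in on `iface`, i.e. the pings the eth1 rule blocks."""
    return sorted({e["SRC"] for e in entries
                   if e.get("IN") == iface and e.get("PROTO") == "ICMP" and e.get("TYPE") == "8"})


if __name__ == "__main__":
    entries = parse_kern_log(SAMPLE_KERN_LOG)
    for key, n in summarize(entries).most_common():
        print(n, key)
    print("pinging eth1:", icmp_echo_sources(entries, "eth1"))
```

Lines like the samples come out of a pair of rules in this order: a LOG rule for the traffic of interest (for example iptables -A INPUT -i eth1 -p icmp -j LOG --log-prefix "IPT-IN: ") followed by the matching DROP rule. Note that -I inserts at the top of the chain and -A appends at the bottom, so adding the LOG rule with -I after the DROP rule already exists still puts it first.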

Reconnaissance: Tools Pt.4

  • Syslog
    • Log aggregation
      • Multiple systems can send logs to a Syslog Server
      • Centralized log management
      • Linux
        • /etc/rsyslog.conf
        • Set up the server to accept incoming connections
        • Set up the client to push its logs to the server
        • Restart rsyslog on both client and server
      • Can be set up on Windows with 3rd-party software
        • Kiwi Syslog
  • Vulnerability scanner
    • Nikto
    • NMAP
    • Burp Pro
    • ZAP
    • OpenVAS
    • Nessus
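Back to the Syslog section above: an added example, not part of the original notes, showing what actually travels from client to server once rsyslog is configured to push logs. It builds and parses one RFC 3164 line by hand (PRI = facility * 8 + severity, then timestamp, host, tag and message) and includes the UDP/514 send that the client side performs. Hostname, tag and message text are constructed, and SERVER is a placeholder.

```python
# Added example, not from the original notes: the wire format rsyslog uses when
# a client pushes a line to the syslog server (RFC 3164 over UDP/514), built
# and parsed by hand so the PRI/facility/severity arithmetic is visible.
# Hostname, tag and message text are constructed; SERVER is a placeholder.
import socket
from datetime import datetime

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_FAC_BY_NUM = {v: k for k, v in FACILITIES.items()}
_SEV_BY_NUM = {v: k for k, v in SEVERITIES.items()}


def pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. auth.info -> 38, sent as <38>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, msg, when=None):
    """One RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (the day is space padded)."""
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {msg}"


def parse_message(line):
    """Split a received line back into its parts; raises ValueError when the PRI is missing."""
    if not line.startswith("<") or ">" not in line[:6]:
        raise ValueError("missing PRI")
    end = line.index(">")
    p = int(line[1:end])
    rest = line[end + 1:]
    ts, remainder = rest[:15], rest[16:]          # timestamp is a fixed 15 characters
    host, _, tagmsg = remainder.partition(" ")
    tag, _, msg = tagmsg.partition(": ")
    return {"facility": _FAC_BY_NUM.get(p // 8, p // 8), "severity": _SEV_BY_NUM[p % 8],
            "timestamp": ts, "host": host, "tag": tag, "msg": msg}


def send_udp(line, server, port=514):
    """What the client does for each line after '*.* @server:514' in rsyslog.conf: one datagram per line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))


if __name__ == "__main__":
    SERVER = "syslog.example.internal"  # placeholder for the aggregation server
    line = build_message("auth", "info", "web01", "sshd[1234]",
                         "Accepted publickey for alice from 192.168.55.20")
    print(line)
    print(parse_message(line))
    # send_udp(line, SERVER)  # enable on a network where SERVER resolves
```

On the rsyslog side this corresponds to enabling the UDP listener in the server's /etc/rsyslog.conf (module(load="imudp") and input(type="imudp" port="514")), adding *.* @server:514 on the client (@@ selects TCP, which needs imtcp on the server instead), and restarting rsyslog on both. Because the transport is plain UDP with no authentication, anything on the network can inject lines that look like these, which is one reason to keep the listener on a management network or move to TCP with TLS.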