Reconnaissance: Know Your Target
This is part of a series of posts that walk through an attack. To start from the beginning, click here.
In the last post, we got a brief overview of Kali Linux and some of its capabilities. In this part, we’ll start to use some of Kali’s tools to perform reconnaissance on our intended target.
In our scenario, we’ll assume we’ve set up a “free wireless network” that we have full control over. On this network, there are two machines: our Kali instance (“Attacker”) and a machine that has decided to join our wireless network (“Victim”).
At this point, we don’t know much about Victim, other than its IP address. This is where reconnaissance comes in. The more time we spend performing reconnaissance to gather intelligence and better understand our target, the better our chances of a successful attack. One of the most popular ways to gather information is the art of port scanning.
Port Scanning: Nmap
When security professionals talk about port scanning, they’re really talking about Nmap. From Nmap’s website:
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.
Sounds like just the tool for the job. Kali, of course, conveniently comes preconfigured with Nmap, ready for use. Be warned: Nmap is typically not very stealthy, and any good security analyst with a decent monitoring system should be able to detect it with relative ease. That said, most home or public wireless networks are not monitored, and the average user is likely unaware of Nmap, so it can be used without raising too much concern.
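The paragraph above says a scan like this is easy to spot with decent monitoring. As an added example (not from the original post), here is the simplest form of that detection in Python: a sliding-window rule over a flow log that flags any source hitting many distinct ports on one host within a short time. The log format, the attacker address 10.0.1.10 and the sample traffic are all constructed for the example; only the Victim address 10.0.1.11 comes from the post.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical flow-log line format: "<ISO timestamp> <src ip> <dst ip> <dst port> <tcp flags>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, flags = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_port_scans(lines, distinct_ports=20, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs where one source touches many distinct ports on one host
    inside a sliding time window. Returns {(src, dst): peak distinct ports seen}."""
    events = sorted(filter(None, map(parse_line, lines)))
    per_pair = defaultdict(list)
    for ts, src, dst, dport, _flags in events:
        per_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in per_pair.items():
        in_window = deque()
        port_counts = Counter()
        for ts, port in hits:
            in_window.append((ts, port))
            port_counts[port] += 1
            # Expire events that have fallen out of the window.
            while ts - in_window[0][0] > window:
                _old_ts, old_port = in_window.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= distinct_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(port_counts))
    return alerts


def build_sample_log():
    """Constructed sample: Victim's (10.0.1.11) routine DNS and SMB traffic, plus a
    1000-port SYN sweep from a hypothetical attacker address 10.0.1.10."""
    base = datetime(2014, 11, 2, 21, 49, 0)
    lines = []
    for i in range(40):  # one DNS lookup and one file-server connection every 15 s
        t = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{t} 10.0.1.11 10.0.1.1 53 S")
        lines.append(f"{t} 10.0.1.11 10.0.1.20 445 S")
    for i in range(1000):  # the sweep: a thousand ports in about three seconds
        t = (base + timedelta(milliseconds=3 * i)).isoformat()
        lines.append(f"{t} 10.0.1.10 10.0.1.11 {i + 1} S")
    return lines


if __name__ == "__main__":
    for (src, dst), peak in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan: {src} -> {dst}, {peak} distinct ports in window")
```

The routine traffic never exceeds one port per destination, so only the sweep is reported; the threshold and window are the knobs to tune against your own baseline, and the same rule works on any connection log once `parse_line` is adapted to its format.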
Now, using Attacker, we’ll perform a basic port scan on Victim to determine what operating system it is running and what services/applications may be vulnerable to attack. To do this, we’ll run Nmap on Kali with the following command (-sS requests a TCP SYN scan; -A enables OS detection, version detection, script scanning, and traceroute):
nmap -sS -A 10.0.1.11
After about a minute, we find some interesting results:
root@kali:~# nmap -sS -A 10.0.1.11

Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-02 21:49 CST
Nmap scan report for 10.0.1.11
Host is up (0.0019s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
49157/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 00:0C:29:75:44:FE (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-FDN9DNVQ5IR, NetBIOS user: , NetBIOS MAC: 00:0c:29:75:44:fe (VMware)
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-FDN9DNVQ5IR
|   NetBIOS computer name: WIN-FDN9DNVQ5IR
|   Workgroup: WORKGROUP
|_  System time: 2014-11-02T21:50:47-06:00
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   1.94 ms 10.0.1.11

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.58 seconds
From this simple network scan, we’ve learned that Victim is running Windows 7 Ultimate SP1 with the typical file and printer sharing services running (MSRPC on 135/tcp and NetBIOS/SMB on 139/tcp and 445/tcp), and that SMB message signing is disabled. Interestingly, we can even see the computer name, the workgroup, and the current system time. Ultimately, this tells us to focus on Windows 7-specific exploits.
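The same output is what a defender reads after scanning their own network, and the useful habit is to turn it into a short list of exposures to fix rather than a list of targets. The following Python is an added example, not code from the post: a small parser for Nmap's human-readable output (fed the scan above, trimmed to the lines it uses) and an assessment step that pulls out the points a practitioner would act on. The finding texts and the remediation hints are my own; the parser handles only the line shapes that appear in this scan.

```python
import re

# The Nmap output from the post, trimmed to the lines this parser uses.
NMAP_OUTPUT = """\
Nmap scan report for 10.0.1.11
Host is up (0.0019s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
49157/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 00:0C:29:75:44:FE (VMware)
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   Computer name: WIN-FDN9DNVQ5IR
|   Workgroup: WORKGROUP
| smb-security-mode:
|   Account that was used for smb scripts: guest
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
"""

# "<port>/<proto>  <state>  <service>  [<version>]" rows of the port table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")


def parse_nmap_normal(text):
    """Turn Nmap's normal output into a dict of facts about the host."""
    report = {"host": None, "mac": None, "os_details": None,
              "ports": [], "script_lines": [], "script_fields": {}}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version or ""})
        elif line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
        elif line.startswith("MAC Address: "):
            report["mac"] = line.split()[2]
        elif line.startswith("OS details: "):
            report["os_details"] = line[len("OS details: "):]
        elif line.startswith("|"):
            # NSE script output: strip the "| " / "|_ " gutter, keep "key: value" pairs.
            body = line[1:].lstrip("_ ")
            report["script_lines"].append(body)
            key, sep, value = body.partition(":")
            if sep and value.strip():
                report["script_fields"][key.strip()] = value.strip()
    return report


def assess(report):
    """Defender's reading of the scan: the exposures on this host that need attention."""
    findings = []
    open_ports = {p["port"] for p in report["ports"] if p["state"] == "open"}
    smb = sorted(open_ports & {139, 445})
    if smb:
        findings.append("SMB/NetBIOS reachable on %s: restrict with the host firewall unless "
                        "this host is meant to share files" % ", ".join("%d/tcp" % p for p in smb))
    if 135 in open_ports:
        findings.append("MSRPC endpoint mapper reachable on 135/tcp: should not face untrusted networks")
    if any(b.startswith("Message signing disabled") for b in report["script_lines"]):
        findings.append("SMB message signing disabled: enable 'Digitally sign communications (always)'")
    if report["script_fields"].get("Account that was used for smb scripts") == "guest":
        findings.append("SMB scripts ran as guest: the host accepted an unauthenticated session")
    os_name = report["script_fields"].get("OS", report["os_details"])
    if os_name:
        findings.append("OS identified as %r: confirm it is supported and fully patched" % os_name)
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap_normal(NMAP_OUTPUT)):
        print("-", finding)
```

For real use, `nmap -oX` gives XML that is far easier to parse reliably than the normal output; the point here is that each line of the scan maps to a concrete configuration decision on the host.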
We can take it even further and sniff the network (we control it, after all!) to see what else we can learn about Victim. Running a tool like tcpdump, we observe Victim browsing the web over plain HTTP and note the User-Agent string in the request headers:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Now we know Victim is running Windows 7 SP1 (Windows NT 6.1) with Internet Explorer 8 (MSIE 8.0, Trident/4.0), an old browser version. It’s highly likely that Victim hasn’t been patched lately and is susceptible to a number of Windows-based exploits.
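The User-Agent string tells the same story to anyone reading the proxy or web-server logs, which makes it a cheap way for a defender to inventory out-of-date clients before an attacker does. The Python below is an added example, not code from the post: it pulls the browser, the Windows NT version and the installed .NET CLR versions out of a User-Agent, maps the NT version to its product name (a standard mapping, not from the post) and flags clients whose browser or OS is out of support. The proxy-log format and the two extra User-Agent strings are constructed; the first one is the string captured above.

```python
import re

# Windows NT kernel version -> product name (standard mapping, not from the post).
NT_VERSIONS = {
    "5.1": "Windows XP", "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008", "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012", "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 / 11",
}
MSIE_RE = re.compile(r"MSIE (\d+)(?:\.\d+)?")
IE11_RE = re.compile(r"Trident/\d+\.\d+.*?rv:(\d+)")   # IE 11 dropped the MSIE token
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
CLR_RE = re.compile(r"\.NET CLR (\d+\.\d+\.\d+)")


def parse_user_agent(ua):
    """Extract browser, OS and .NET CLR versions from a Windows/IE-style User-Agent."""
    info = {"browser": None, "browser_major": None, "os": None, "nt_version": None, "clr": []}
    m = MSIE_RE.search(ua) or IE11_RE.search(ua)
    if m:
        info["browser"] = "Internet Explorer"
        info["browser_major"] = int(m.group(1))
    m = NT_RE.search(ua)
    if m:
        info["nt_version"] = m.group(1)
        info["os"] = NT_VERSIONS.get(m.group(1), "Windows (NT %s)" % m.group(1))
    info["clr"] = CLR_RE.findall(ua)
    return info


def legacy_reasons(info):
    """Why a client with this fingerprint should be queued for upgrade or isolation."""
    reasons = []
    if info["browser"] == "Internet Explorer" and info["browser_major"] < 11:
        reasons.append("Internet Explorer %d is out of support" % info["browser_major"])
    if info["nt_version"] is not None:
        major, minor = (int(x) for x in info["nt_version"].split("."))
        if (major, minor) < (10, 0):
            reasons.append("%s is out of support" % info["os"])
    return reasons


# Constructed proxy-log sample, one "client_ip<TAB>user_agent" line per request.
# The first User-Agent is the one captured in the post; the other two are made up.
SAMPLE_PROXY_LOG = [
    "10.0.1.11\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)",
    "10.0.1.12\tMozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "10.0.1.13\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
]


def inventory_legacy_clients(lines):
    """Map each client IP with an out-of-support browser or OS to the reasons."""
    flagged = {}
    for line in lines:
        ip, _, ua = line.partition("\t")
        reasons = legacy_reasons(parse_user_agent(ua))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in inventory_legacy_clients(SAMPLE_PROXY_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The Victim string is flagged twice (IE 8 and Windows 7), the IE 11 client only for its OS, and the Windows 10 client not at all. User-Agents are client-controlled and easily spoofed, so this is an inventory aid for finding machines that need patching, not an authentication signal.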
What’s Next
So far, we’ve familiarized ourselves with Kali Linux and performed basic reconnaissance. In the next part, we’ll use the intelligence we gathered to execute a client-side exploit on our target machine.