Seeing Red: Reconnaissance

Reconnaissance: Know Your Target

This is part of a series of posts that walk through an attack.  To start from the beginning, click here.

In the last post, we got a brief overview of Kali Linux and some of its capabilities.  In this part, we’ll start to use some of Kali’s tools to perform reconnaissance on our intended target.

In our scenario, we’ll assume we’ve set up a “free wireless network” that we have full control over.  On this network, there are two machines: our Kali instance (“Attacker”) and a machine that has decided to join our wireless network (“Victim”).


At this point, we don’t know much about Victim, other than its IP address.  This is where reconnaissance comes in.  The more time we spend performing reconnaissance to gather intelligence and better understand our target, the better our chances of a successful attack.  One of the most popular ways to gather information is the art of port scanning.

Port Scanning: Nmap

When security professionals talk about port scanning, they’re really talking about Nmap.  From Nmap’s website:

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.

Sounds like just the tool for the job.  Kali, of course, conveniently comes preconfigured with Nmap, ready for use.  Be warned: Nmap is not stealthy by default, and any competent security analyst with a decent monitoring system should be able to detect it with relative ease.  That said, most home or public wireless networks are not monitored, and the average user is unlikely to notice Nmap, so it can be used without raising too much concern.

Now, using Attacker, we’ll perform a basic port scan on Victim to determine what operating system is running and what services/applications may be vulnerable to an attack.  To do this, we’ll execute Nmap on Kali with the following command:

nmap -sS -A

After about a minute, we find some interesting results:

root@kali:~# nmap -sS -A
Starting Nmap 6.47 ( ) at 2014-11-02 21:49 CST
Nmap scan report for
Host is up (0.0019s latency).
Not shown: 991 closed ports
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
49157/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 00:0C:29:75:44:FE (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN-FDN9DNVQ5IR, NetBIOS user: , NetBIOS MAC: 00:0c:29:75:44:fe (VMware)
| smb-os-discovery: 
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-FDN9DNVQ5IR
|   NetBIOS computer name: WIN-FDN9DNVQ5IR
|   Workgroup: WORKGROUP
|_  System time: 2014-11-02T21:50:47-06:00
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
1   1.94 ms
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 64.58 seconds

From this simple network scan, we’ve learned that Victim is running Windows 7 Ultimate SP1 with the typical file and printing services running.  Interestingly, we can even see the computer name, the workgroup, and current system time.  Ultimately, this tells us to focus on Windows 7-specific exploits.

We can take it even further and sniff the network (we control it after all!) and see what else we can learn about Victim.  Running a tool like tcpdump, we observe Victim browsing the web and note the user agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Now we know Victim is running Windows 7 SP1 and using an old version of Internet Explorer.  It’s highly likely that Victim hasn’t been patched lately and is susceptible to a number of Windows-based exploits.
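To turn the scan output and the sniffed user agent above into a concrete list of exposures (the same reading the post does by hand), here is an added Python example that is not part of the original post: it parses an excerpt of the Nmap output and the IE user-agent string with regular expressions, corroborates the Windows version from both sources, and flags what a defender would remediate on a host like Victim (SMB reachable from an untrusted network, SMB signing disabled, an outdated browser). The excerpt and user agent are embedded as constructed input so it runs offline.

```python
import re

# Excerpt of the Nmap output and the sniffed User-Agent from the post,
# embedded as constructed input so the script runs offline.
NMAP_OUTPUT = """\
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|_  Message signing disabled (dangerous, but default)
"""
USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; "
              "Trident/4.0; SLCC2; .NET CLR 2.0.50727)")

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
SMB_OS_RE = re.compile(r"^\|\s+OS: (.+?) \((?:.+?) (\d+\.\d+)\)", re.M)
UA_RE = re.compile(r"MSIE (\d+\.\d+); Windows NT (\d+\.\d+)")

def parse_nmap(text):
    """Pull open ports, the SMB-reported OS and NT version, and the SMB signing state."""
    ports = [(int(p), svc) for p, _, svc in PORT_RE.findall(text)]
    m = SMB_OS_RE.search(text)
    smb_os, nt_version = (m.group(1), m.group(2)) if m else (None, None)
    return {"open_ports": ports, "smb_os": smb_os, "nt_version": nt_version,
            "smb_signing_disabled": "Message signing disabled" in text}

def parse_user_agent(ua):
    """Extract the IE version and the Windows NT kernel version from an MSIE UA string."""
    m = UA_RE.search(ua)
    return {"ie_version": m.group(1), "nt_version": m.group(2)} if m else {}

def assess(nmap_text, ua):
    """Cross-check both sources and list the exposures a defender would fix."""
    scan, browser = parse_nmap(nmap_text), parse_user_agent(ua)
    findings = []
    if scan["nt_version"] and scan["nt_version"] == browser.get("nt_version"):
        findings.append(f"OS corroborated by SMB and browser: Windows NT {scan['nt_version']} ({scan['smb_os']})")
    if any(port == 445 for port, _ in scan["open_ports"]):
        findings.append("SMB (445/tcp) reachable from the untrusted network")
    if scan["smb_signing_disabled"]:
        findings.append("SMB message signing disabled")
    if browser.get("ie_version") and float(browser["ie_version"]) < 11:
        findings.append(f"Outdated browser: Internet Explorer {browser['ie_version']}")
    return findings

if __name__ == "__main__":
    for finding in assess(NMAP_OUTPUT, USER_AGENT):
        print("-", finding)
```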

What’s Next

So far, we’ve familiarized ourselves with Kali Linux and performed basic reconnaissance.  In the next part, we’ll use the intelligence we gathered to execute a client-side exploit on our target machine.
