Information Gathering Lab
For this lab, my tasks were: find live hosts on the netblock 10.50.96.0/23 using ICMP packets and then other means (TCP half-open SYN scans for example); find DNS servers; locate name servers and mail exchange servers; find other hosts on the netblock and create a map of the network.
I started by checking the network information using a Python program I have written to help with such tasks.
This was useful as it allowed me to see the entire scope of the engagement more easily. It became clear that the /23 covered two /24 networks: 10.50.96.0/24 and 10.50.97.0/24.
I used the ip command to check this out further:
My next job was to get started identifying live hosts. I began by using ICMP packets (echo and timestamp requests, -PE and -PP combined as -PEP). I used the -sn flag because I did not want nmap to do any kind of port scanning.
This was quick and returned some results, but since ICMP traffic is often dropped by firewalls, I went on to try half-open SYN scans. I used the -F flag (nmap's 100 most common ports) because I wanted to keep this quick and only identify live hosts. I found the same hosts as with the ICMP scan, but this time I discovered one more machine at 10.50.97.17. The fact that it could be discovered using the SYN scan but not the ICMP ones suggested to me that it was behind a firewall.
The next task was to discover the DNS servers for the campus. I had already discovered two of them with the nmap SYN scan (port 53 open on two machines). DNS queries normally travel over UDP, though (TCP is used for zone transfers and large responses), and a SYN scan only sees the TCP side, so I set up a UDP scan on port 53.
I then combined the results of the SYN and UDP scans to create a list of DNS servers. Two DNS servers were identified:
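The host-discovery comparison and the DNS-server list above can be produced directly from nmap's grepable output (-oG) instead of by eye. The script below is an added example and not the author's own commands or scan data: the three .gnmap files are constructed to look like -oG output, and every address in them except 10.50.97.17 and 10.50.96.15 is invented. It shows which hosts the SYN scan found that the ICMP sweep missed, and merges the TCP/53 and UDP/53 results, counting only ports reported as open (a UDP port that simply never answers comes back as open|filtered and is not confirmed).

```shell
#!/bin/sh
# Added example (not from the original write-up): compare ICMP and SYN host
# discovery, then pull the DNS servers out of the TCP and UDP port-53 scans,
# all from nmap -oG files. Sample files are constructed; only 10.50.97.17 and
# 10.50.96.15 come from the write-up, the rest of the addresses are invented.
#
# The scans that would produce the real files (root needed for -sS/-sU):
#   nmap -sn -PEP  10.50.96.0/23 -oG icmp.gnmap
#   nmap -sS -F    10.50.96.0/23 -oG syn.gnmap
#   nmap -sU -p 53 10.50.96.0/23 -oG udp53.gnmap

WORK=$(mktemp -d)
ICMP=$WORK/icmp.gnmap
SYN=$WORK/syn.gnmap
UDP=$WORK/udp53.gnmap

cat > "$ICMP" <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -sn -PEP -oG icmp.gnmap 10.50.96.0/23
Host: 10.50.96.1 ()  Status: Up
Host: 10.50.96.15 ()  Status: Up
Host: 10.50.96.20 ()  Status: Up
# Nmap done: 512 IP addresses (3 hosts up)
EOF

cat > "$SYN" <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -sS -F -oG syn.gnmap 10.50.96.0/23
Host: 10.50.96.1 ()  Status: Up
Host: 10.50.96.1 ()  Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///  Ignored State: closed (98)
Host: 10.50.96.15 ()  Status: Up
Host: 10.50.96.15 ()  Ports: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///  Ignored State: closed (98)
Host: 10.50.96.20 ()  Status: Up
Host: 10.50.96.20 ()  Ports: 25/open/tcp//smtp///, 53/open/tcp//domain///  Ignored State: closed (98)
Host: 10.50.97.17 ()  Status: Up
Host: 10.50.97.17 ()  Ports: 445/open/tcp//microsoft-ds///  Ignored State: filtered (99)
# Nmap done: 512 IP addresses (4 hosts up)
EOF

cat > "$UDP" <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -sU -p 53 -oG udp53.gnmap 10.50.96.0/23
Host: 10.50.96.1 ()  Status: Up
Host: 10.50.96.1 ()  Ports: 53/open/udp//domain///
Host: 10.50.96.15 ()  Status: Up
Host: 10.50.96.15 ()  Ports: 53/open|filtered/udp//domain///
Host: 10.50.96.20 ()  Status: Up
Host: 10.50.96.20 ()  Ports: 53/open/udp//domain///
EOF

# Hosts nmap reported as up in one .gnmap file, sorted, one per line.
hosts_up() {
    awk '/Status: Up/ { print $2 }' "$1" | LC_ALL=C sort -u
}

# Hosts up in the second scan that the first scan did not see.
# Usage: hosts_missed_by baseline.gnmap second.gnmap
hosts_missed_by() {
    awk 'FILENAME == ARGV[1] { if (/Status: Up/) seen[$2] = 1; next }
         /Status: Up/ && !($2 in seen) && !dup[$2]++ { print $2 }' "$1" "$2" |
        LC_ALL=C sort -u
}

# Hosts with <port>/<proto> reported as open (open|filtered does not count).
# Usage: hosts_with_open 53 tcp syn.gnmap [more.gnmap ...]
hosts_with_open() {
    port=$1; proto=$2; shift 2
    # Each port entry in a Ports: line is preceded by a space, so " 53/open/tcp/"
    # cannot match 153 or 530.
    awk -v needle=" $port/open/$proto/" 'index($0, needle) { print $2 }' "$@" |
        LC_ALL=C sort -u
}

# Candidate DNS servers: TCP/53 open in the SYN scan or UDP/53 open in the UDP scan.
dns_servers() {
    { hosts_with_open 53 tcp "$1"; hosts_with_open 53 udp "$2"; } | LC_ALL=C sort -u
}

echo "Up via ICMP:";                                 hosts_up "$ICMP"
echo "Missed by ICMP, found by SYN (firewalled?):";  hosts_missed_by "$ICMP" "$SYN"
echo "DNS servers (TCP/53 or UDP/53 open):";         dns_servers "$SYN" "$UDP"
```

On the sample data the script reports 10.50.97.17 as the host only the SYN scan found and lists 10.50.96.1 and 10.50.96.20 as DNS servers; 10.50.96.15 is left out because its UDP/53 result is open|filtered, which a real DNS query (or nmap -sV) would need to settle.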
The task actually specified that the scans needed to be quiet because the campus IT team had not been informed of them. To make my scans more stealthy, I could have used a different nmap command:
Still, I now had a good start on my map of the network. The next step was to find name servers. In order to do this, I used the dig tool. I checked with both DNS servers:
I then moved on to find mail exchange servers, and after finding one, I continued to use dig to find the IP addresses of the name servers and the mail exchange server:
My next move was to attempt a zone transfer to see if I could find any more hosts on the network. The zone transfer worked, and I found one more host which appeared to be an FTP server. The records also showed me that there was a web server operating from the machine at 10.50.96.15, so I checked this in a web browser:
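The name-server, mail-exchanger and zone-transfer steps above all end in the same place: a list of hostnames and addresses to put on the map. The script below is an added example and not the author's own commands or output. It reads a zone as dig axfr prints it, checks first whether the transfer actually succeeded (a server that refuses prints "; Transfer failed." and no records), then resolves every NS and MX target against the zone's own A records and dumps the full address list. The zone text is constructed to resemble foocampus.com; apart from the web server at 10.50.96.15 every name and address in it is invented, and the dig commands in the comments assume 10.50.96.1 is one of the DNS servers found earlier.

```shell
#!/bin/sh
# Added example (not from the original write-up): turn a zone transfer into
# a host map. The zone below is constructed; only 10.50.96.15 (the web server)
# comes from the write-up, and 10.50.96.1 as a DNS server is an assumption.
#
# The dig queries behind the steps in the write-up:
#   dig @10.50.96.1 foocampus.com NS              # name servers
#   dig @10.50.96.1 foocampus.com MX              # mail exchangers
#   dig @10.50.96.1 ns1.foocampus.com A           # address of a name server
#   dig @10.50.96.1 foocampus.com AXFR > zone.txt # try every NS; some refuse

WORK=$(mktemp -d)
ZONE=$WORK/zone.txt
REFUSED=$WORK/refused.txt

cat > "$ZONE" <<'EOF'
; <<>> DiG <<>> @10.50.96.1 foocampus.com AXFR   (constructed sample)
foocampus.com.       3600  IN  SOA  ns1.foocampus.com. hostmaster.foocampus.com. 2024010101 3600 900 604800 86400
foocampus.com.       3600  IN  NS   ns1.foocampus.com.
foocampus.com.       3600  IN  NS   ns2.foocampus.com.
foocampus.com.       3600  IN  MX   10 mail.foocampus.com.
ftp.foocampus.com.   3600  IN  A    10.50.96.30
mail.foocampus.com.  3600  IN  A    10.50.96.20
ns1.foocampus.com.   3600  IN  A    10.50.96.1
ns2.foocampus.com.   3600  IN  A    10.50.96.20
www.foocampus.com.   3600  IN  A    10.50.96.15
foocampus.com.       3600  IN  SOA  ns1.foocampus.com. hostmaster.foocampus.com. 2024010101 3600 900 604800 86400
EOF

cat > "$REFUSED" <<'EOF'
; <<>> DiG <<>> @10.50.96.20 foocampus.com AXFR   (constructed sample)
; Transfer failed.
EOF

# A transfer that worked carries the SOA record (dig prints it first and last);
# a refused one says "Transfer failed." and holds no records at all.
axfr_succeeded() {
    grep -q 'Transfer failed' "$1" && return 1
    grep -q '[[:space:]]SOA[[:space:]]' "$1"
}

# "owner target" for every record of one type; target is the last field
# (the NS host, the MX host after its priority, or the A address).
records() {
    awk -v t="$2" '$3 == "IN" && $4 == t { print $1, $NF }' "$1"
}

# In-zone A record for a fully qualified name (keep the trailing dot).
resolve() {
    awk -v n="$2" '$1 == n && $3 == "IN" && $4 == "A" { print $5 }' "$1"
}

# Name servers and mail exchangers with their in-zone addresses, e.g.
# "NS ns1.foocampus.com. 10.50.96.1". A target with no A record in the zone
# (an off-site MX, say) is marked unresolved and needs its own lookup.
infra_hosts() {
    awk '$3 == "IN" && $4 == "A" { addr[$1] = $5 }
         $3 == "IN" && ($4 == "NS" || $4 == "MX") { kind[$NF] = $4 }
         END { for (h in kind) print kind[h], h, ((h in addr) ? addr[h] : "unresolved") }' "$1" |
        LC_ALL=C sort
}

# Every address the zone names, with its hostname: raw material for the map.
zone_hosts() {
    awk '$3 == "IN" && $4 == "A" { print $5, $1 }' "$1" | LC_ALL=C sort -u
}

if axfr_succeeded "$ZONE"; then
    echo "Name servers and mail exchangers:"; infra_hosts "$ZONE"
    echo "Hosts in the zone:";                zone_hosts "$ZONE"
fi
axfr_succeeded "$REFUSED" || echo "Transfer from 10.50.96.20 refused; nothing to parse there."
```

Only the dig output for a successful transfer should be parsed: the refusal text contains no records, so feeding it to the same awk silently yields an empty map, which is why the success check runs first. The zone-file format is the same one dig prints for single NS, MX and A queries, so records and resolve work on those answers too.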
Even though it was not required for this lab, I felt like having a quick look at a couple of the services (FTP and SMB), so I tried to connect to the FTP server. This did not work, so I tried to connect to a null SMB session using smbclient with an anonymous username, but this did not work either. I then had a look at the NetBIOS name table using nmblookup. I found a few servers (the <20> suffix, the file server service) along with further information about the operating systems being used:
I also fired up enum4linux to find out more about the machines running SMB:
Considering that Windows Server 2003 and Windows XP were being used on the machines, the first potential exploit which popped into my mind was MS17-010 (EternalBlue), so I quickly checked using msfconsole:
I did not go further, as for this lab I only needed to map the network. I did this using a mind-mapping application called VYM. The machines highlighted in green are the ones which were discovered via DNS server enumeration rather than nmap scans.
If I were to carry on and attack this network, I would more than likely explore the possibility of using a 32-bit EternalBlue exploit. I would also consider setting up Responder to listen for SMB events and attempt to steal and/or relay credentials. Of course, attacks could also be performed against the web server and any web applications being served on it.
I like how this lab showed me the importance of finding and enumerating DNS servers, since they widen the attack surface.
I could have enumerated the DNS records further by brute-forcing subdomains for foocampus.com or looking for machines which only responded to reverse DNS lookups (in the reverse zone). I will soon write up another lab in which I tried both of these techniques so as to find more machines to target.
Here is the next lab on DNS... :-)