Reconnaissance: Do it

We perform reconnaissance in order to learn about the environment. This is a pretty simple concept, but important to keep in mind. Yes, you’re running nmap, but why are you running it? To identify system attributes. Why? Each action must be considered in context of the ultimate goal. The ultimate goal in our case is access to data on a target machine. How do we get there? Let’s break it down.

We do scans in order to identify attack surface and possible vulnerabilities. Easy enough, but important to consider when planning. Each tool may have strengths and weaknesses, but understanding what the tool is telling you is more important.

In my lab, keep these names in mind: Morgoth is our attacker (Kali rolling release, whatever they’re up to), Lorien is an XP machine running SP2, and Ulmo is a Win7 machine running SP1 with no updates.

To suit up, first we need to add a couple of things to Morgoth. Kali comes with a ton of tools, but I want a couple of non-standard ones just to have a comparison. Nmap is great and I know Nessus well, but if we’re going to do this I want to see what results look like from multiple sources, compare them, and then try to figure out why they might give different results. So I chose to install Angry IP Scanner and OpenVAS. Neither is a tool I have any experience with, but they give that alternative for comparison.

Installing ipscan is simple: open a browser on Morgoth, navigate to http://angryip.org/download/ and download the .deb file. Then open a terminal and install it:

sudo dpkg -i ipscan_(versionnum)_(cpu).deb

Easy. Now for OpenVAS: the Open Security folks have kindly packaged it up and put it in the Kali repo, so simply run:

sudo apt-get install openvas

And there we go. At this point, I ran out of space on my hard drive and had to take a brief detour. So it goes. So, a reminder: make sure the basics of your system are good, or at least take a snapshot of your VM so you don’t end up like me, spending a day rebuilding. After downloading and installing OpenVAS, run the initial setup script:

sudo openvas-setup

This will set up the OpenVAS database and download the plugins. It takes a bit of time. Once it is done, it will give you the admin password. Navigate to the web console at 127.0.0.1:9392 and log in with admin as the username and the password generated during setup. It’s now ready to scan.

First we start off with nmap. I’m sticking with results on Lorien just to save time. Results are being recorded in KeepNote, an open source reporting tool included in the Kali build. I’m not going to waste time going through every option with nmap; for the purposes of this test I ran SYN, UDP, and version scans. The SYN scan results are below:

[Screenshot: nmap SYN scan results against Lorien]

We should run ipscan at this point to compare the results. Type ipscan at the command prompt to launch the ipscan interface. The tool is pretty intuitive: you input the IP of the target and run it. You do need to expand the port range if you are looking to do a port scan. Below is an example of a port scan with Angry IP Scanner:

[Screenshot: Angry IP Scanner port scan results against Lorien]

The takeaway when comparing results between these tools is that they seem to be geared toward different purposes. Angry IP Scanner is much quicker than nmap, especially on multiple targets. Nmap can provide more detailed information in a format that is easier to work with, so I think your choice really boils down to your goals. In each case ask the question: what is the tool telling me? We are seeing externally available IP and port information for the target system. This points to the services the system is running: the attackable surface. Knowledge of vulnerabilities in those services can come through independent research, or from a vulnerability scanner.
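One way to make the "what is the tool telling me?" comparison concrete is to diff the open-port view each scanner gives of the same host. This is an added example, not code from the original post: the nmap XML sample follows nmap's real -oX layout, while the Angry IP Scanner line mimics its CSV export (the column layout is assumed here; check it against your own export). A port only one tool reports is the one worth re-checking by hand before you count it as attack surface.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: nmap -oX style output for Lorien (IP is made up).
# 3389 is open to nmap; 5357 is filtered and must not count as attack surface.
NMAP_XML = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="192.168.56.101" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="5357"><state state="filtered"/><service name="wsdapi"/></port>
</ports></host></nmaprun>"""

# Constructed sample in an assumed ipscan CSV layout; the default port
# range was left narrow, so 3389 was never probed.
IPSCAN_CSV = "IP,Ping,Hostname,Ports\n192.168.56.101,1 ms,lorien,135;139;445\n"


def nmap_open_ports(xml_text):
    """Return {ip: {port: service_name}} for ports nmap reports as open."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not reachable services
            svc = port.find("service")
            ports[int(port.get("portid"))] = svc.get("name") if svc is not None else "?"
        hosts[ip] = ports
    return hosts


def ipscan_ports(csv_text):
    """Return {ip: set_of_ports} from the assumed ipscan CSV layout."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts[row["IP"]] = {int(p) for p in row["Ports"].split(";") if p.strip().isdigit()}
    return hosts


def compare(nmap_hosts, ipscan_hosts):
    """Per IP: ports both tools agree on, and ports only one of them saw."""
    report = {}
    for ip in sorted(set(nmap_hosts) | set(ipscan_hosts)):
        n, i = set(nmap_hosts.get(ip, {})), ipscan_hosts.get(ip, set())
        report[ip] = {"both": sorted(n & i), "nmap_only": sorted(n - i),
                      "ipscan_only": sorted(i - n)}
    return report
```

Running `compare(nmap_open_ports(NMAP_XML), ipscan_ports(IPSCAN_CSV))` on the samples flags 3389 as nmap-only, which in this case is explained by ipscan's port range rather than by the target.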

OpenVAS and Nessus provide very similar results. Here are the Nessus results:

[Screenshot: Nessus scan results for Lorien]

And the OpenVAS results:

[Screenshot: OpenVAS scan results for Lorien]

The results are similar, but there are some differences. OpenVAS was apparently forked from Nessus back when Nessus was open source, so there are bound to be similarities. Nessus has the familiar plugins with easy-to-remember plugin numbers; OpenVAS has Network Vulnerability Tests (NVTs) listed by a complicated OID. The default report in OpenVAS lists findings by CVSS score and provides some context that Nessus doesn’t, for instance listing Lorien as running on an outdated OS. That is a simple finding that is also readily apparent from the Nessus results, but the distinctions are important. It is worth running both tools to see what, if any, differences come up. Nessus Home edition is not nearly as intuitive and easy to use as the Enterprise edition; learning to use the API may help with that.

Now we’re at the point with the lab where we have identified services and vulnerabilities. Moving forward, I have a list of projects now. I plan on doing the next chapter, which I am fairly excited about for its focus on ARP/DNS poisoning. I am also interested in recreating the Poisontap device. It does not look like I will make my December 1st deadline for wrapping this book up, but I think there is value in trying to take the lessons a bit further and learn something.