SEC602 – LAB 4 / Using Network Scanning Tools

In this lab we will test a few software tools and utilities to show our understanding of using appropriate software tools to assess the security posture of an organization.

In this lab we will be utilising the RT-LAN, WIN2016-DC, Kali Linux, WIN2016-MS, WIN10-MS and WIN7-WS operating systems.

EXERCISE 1 – Scanning the local subnets

First of all we will work on Kali Linux and do a few things; let's have a look:

The lab mentions doing the IP configuration as we did in our previous labs, so I won't repeat it. To find out how I did the network changes, have a look at the second lab.

After that it mentions opening a terminal in Linux and running the following commands.

  • Run ifconfig to verify our IP address:

  • Then run the ip a command to show the same info using the newer “ip” tool (mentioned in the lab).

Now we are advised to run the arp -a command to check whether there are any other hosts local to this subnet.

Run ip neighbor to show similar information using the newer “ip” tool:

Now run netdiscover -h to view the help page (just for our own understanding of the different options available in the netdiscover utility).

After that we ran netdiscover -i eth0 -r 10.1.0.0/24, where the scan results showed us a number of other hosts connected to the LAN switch.

That's all good; now press Q to quit the Netdiscover report.
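The arp -a and ip neighbor commands above read the same kernel ARP cache, just in two output formats. The following script is an added example (not part of the lab or this write-up) that parses both formats into one host inventory and adds the check a defender would want on top of a plain host list: MAC addresses claimed by more than one IP. Both listings inside it are constructed sample output modelled on the lab's 10.1.0.0/24 subnet, not captures from the real VMs.

```python
"""Normalise the ARP cache as shown by `arp -a` (net-tools) and by
`ip neighbor` (iproute2) into one host inventory, then flag entries a
defender would want to look at.

Added example; both listings below are CONSTRUCTED sample output, not
captures from the lab network."""
import re

# Constructed `arp -a` output (Linux net-tools format).
ARP_A_SAMPLE = """\
? (10.1.0.254) at 52:54:00:aa:bb:01 [ether] on eth0
? (10.1.0.1) at 52:54:00:aa:bb:02 [ether] on eth0
? (10.1.0.2) at 52:54:00:aa:bb:03 [ether] on eth0
? (10.1.0.105) at 52:54:00:aa:bb:01 [ether] on eth0
? (10.1.0.77) at <incomplete> on eth0
"""

# Constructed `ip neighbor` output for the same cache.
IP_NEIGH_SAMPLE = """\
10.1.0.254 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
10.1.0.1 dev eth0 lladdr 52:54:00:aa:bb:02 STALE
10.1.0.2 dev eth0 lladdr 52:54:00:aa:bb:03 STALE
10.1.0.105 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
10.1.0.77 dev eth0  FAILED
"""

# `? (ip) at mac [ether] on dev` -- the MAC field is `<incomplete>` when
# the neighbour never answered.
ARP_A_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>\S+) .*?on (?P<dev>\S+)")
# `ip dev iface [lladdr mac] STATE` -- lladdr is absent for FAILED entries.
IP_NEIGH_RE = re.compile(
    r"^(?P<ip>[\d.]+) dev (?P<dev>\S+)(?: lladdr (?P<mac>\S+))?\s+(?P<state>\S+)$")


def parse_arp_a(text):
    """Return {ip: {"mac": mac_or_None, "dev": iface}} from `arp -a` output."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_A_RE.search(line)
        if m:
            mac = m.group("mac")
            hosts[m.group("ip")] = {
                "mac": None if mac == "<incomplete>" else mac.lower(),
                "dev": m.group("dev"),
            }
    return hosts


def parse_ip_neigh(text):
    """Return the same shape from `ip neighbor` output; FAILED entries carry no MAC."""
    hosts = {}
    for line in text.splitlines():
        m = IP_NEIGH_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            hosts[m.group("ip")] = {"mac": mac.lower() if mac else None,
                                    "dev": m.group("dev")}
    return hosts


def resolved_hosts(hosts):
    """IPs that actually answered ARP (have a MAC), sorted numerically."""
    return sorted((ip for ip, h in hosts.items() if h["mac"]),
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


def shared_macs(hosts):
    """MACs claimed by more than one IP.

    Legitimate causes include a router doing proxy ARP or one VM host
    bridging several guests; anything unexplained should be checked
    against the DHCP leases, because ARP spoofing looks exactly like
    this from the victim's cache."""
    by_mac = {}
    for ip, h in hosts.items():
        if h["mac"]:
            by_mac.setdefault(h["mac"], []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def tools_agree(arp_hosts, neigh_hosts):
    """True when both tools report the same IP -> MAC mapping."""
    return ({ip: h["mac"] for ip, h in arp_hosts.items()}
            == {ip: h["mac"] for ip, h in neigh_hosts.items()})


if __name__ == "__main__":
    neigh = parse_ip_neigh(IP_NEIGH_SAMPLE)
    print("hosts answering ARP:", resolved_hosts(neigh))
    print("MACs shared by several IPs:", shared_macs(neigh))
    print("arp -a and ip neighbor agree:",
          tools_agree(parse_arp_a(ARP_A_SAMPLE), neigh))
```

On a live Kali box the same parsers can be fed with `subprocess.run(["ip", "neigh"], capture_output=True, text=True).stdout`; the constructed samples are only there so the script runs offline.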

EXERCISE 2 – Scanning a Host

Our next step is to find out more about other tools and hosts on the subnet. We are aiming to discover the default gateway, the DNS server, whether any network directory / authentication and application servers are present, whether any host / client access devices are present, and whether any other types of device (embedded systems or appliances) are present.

Now we will run the following commands in the terminal where we were before:

Run ip route show:

Because the network uses DHCP to provide client addresses, the local machine has been configured with a default gateway address automatically.

Now the lab mentions typing and running nmap -sS 10.1.0.254

So, what happened in the screenshot above is that when we ran that command, instead of showing the alive hosts (the expected answer), we got that the hosts are down and to try another command: instead of -sS, try -Pn. I tried that as well but got the same result (which can be viewed above). So I tried to reset the network connections, reset the VMs and do the whole process again, but it still gave me the same error. Then I thought to move on with the next steps in the lab; maybe later on I will find out what I have really missed, or whether it was the intended answer.

After doing a bit of counselling with mighty Robin, he mentioned to make sure all of the VMs are turned on and connected to the same LAN network, and I found that they were turned off, and then my WINMS machine wasn't turning on for some reason, so Mark had to clone a new system.

After that I got the exact same result.

Now the next step is to run nmap -A 10.1.0.254

EXERCISE 3 – DNS Harvesting

An organization needs to make some information about its network – such as the identity of web and email servers – public. Misconfigured DNS services can allow an adversary to discover a huge amount of information about a private network, however.

This performs a reverse lookup on the default gateway. No record is found (there is no reverse lookup zone configured), but note that the server answering your queries is 10.1.0.1.

EXERCISE 4 – Zenmap

In this exercise we will explore Zenmap, which provides a graphical interface to Nmap and makes it easier to view reports and visualize the network topology.

Open Zenmap and enter the network address 10.1.0.0/24.

Click on the Topology tab to view the network.

The Topology tab shows each host on a certain ring, representing the number of hops distance from localhost (the scanning host). For this scan, all the hosts are local to one another so there is only one ring.

Now click on Ports / Hosts to view the ports.

If we have a careful look: 10.1.0.1 is a domain controller! As well as HTTP and DNS, the TCP ports are for directory queries (LDAP), authentication (Kerberos), and file / printer sharing plus remote monitoring and administration.

Also, 10.1.0.2 was identified as a mail server in the zone records, and Nmap has identified the hMailServer application listening on the SMTP (25 / 587) and IMAP (143) ports. It is also running Microsoft's IIS web server, which Nmap has correctly identified as version 10.

The 10.1.0.10x hosts are the Windows clients with DHCP-assigned addresses. The ports for file / printer sharing are open. You might see port 5357 open (if Network Discovery is enabled); this port runs a service called Web Services on Devices. Finally, 10.1.0.254 is the router which we identified earlier.

Now click on the Host Details tab; it shows a summary of the OS detection results for each host.
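The reading of the Ports / Hosts tab above (Kerberos and LDAP mean a domain controller, SMTP/IMAP mean the mail server, SMB and WSD mean a Windows client) is exactly the kind of logic a defender automates when turning scan output into an asset inventory. The script below is an added example, not code from the lab or this write-up: it parses Nmap's greppable output format (-oG), applies those role rules, and then flags any host exposing a service outside the baseline assumed for its role. The SAMPLE_OG text is constructed to mirror the lab's hosts (with one extra client, 10.1.0.102, carrying an unexpected service so the check has something to find), and the EXPECTED port baselines are assumptions for this lab network rather than anything the lab states.

```python
"""Classify hosts from Nmap greppable output (-oG) the way Exercise 4
reads the Zenmap Ports / Hosts tab, then flag services that fall outside
the expected profile for each role.

Added example; SAMPLE_OG is CONSTRUCTED nmap -oG output, not a capture
from the lab network, and EXPECTED is an assumed baseline."""

SAMPLE_OG = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.1.0.1 ()\tStatus: Up
Host: 10.1.0.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (994)
Host: 10.1.0.2 ()\tStatus: Up
Host: 10.1.0.2 ()\tPorts: 25/open/tcp//smtp//hMailServer smtpd/, 80/open/tcp//http//Microsoft IIS httpd 10.0/, 143/open/tcp//imap//hMailServer imapd/, 587/open/tcp//smtp//hMailServer smtpd/\tIgnored State: closed (996)
Host: 10.1.0.101 ()\tStatus: Up
Host: 10.1.0.101 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 5357/open/tcp//wsdapi///\tIgnored State: closed (996)
Host: 10.1.0.102 ()\tStatus: Up
Host: 10.1.0.102 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 10.1.0.254 ()\tStatus: Up
Host: 10.1.0.254 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Assumed per-role baselines for this lab network; tune to your own.
EXPECTED = {
    "domain controller": {53, 80, 88, 135, 139, 389, 445, 464, 636, 3268, 3269},
    "mail server": {25, 80, 110, 143, 443, 587, 993, 995},
    "windows client": {135, 139, 445, 5357},
    "router / other": {53, 80, 443},
}


def parse_greppable(text):
    """Return {ip: {port: service}} for open TCP ports.

    Each -oG port entry has seven slash-separated fields:
    port/state/proto/owner/service/rpcinfo/version."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto, _owner, service, _rpc, _ver = entry.split("/")[:7]
                if state == "open" and proto == "tcp":
                    hosts[ip][int(port)] = service
    return hosts


def classify(ports):
    """Apply the lab's reading of the scan: Kerberos+LDAP -> DC,
    SMTP with IMAP or submission -> mail server, SMB -> Windows client."""
    open_ports = set(ports)
    if {88, 389} <= open_ports:
        return "domain controller"
    if 25 in open_ports and (143 in open_ports or 587 in open_ports):
        return "mail server"
    if 445 in open_ports:  # file / printer sharing, optionally 5357 WSD
        return "windows client"
    return "router / other"


def inventory(text):
    """Map every scanned host to its inferred role."""
    return {ip: classify(ports) for ip, ports in parse_greppable(text).items()}


def unexpected_services(hosts):
    """Return {ip: sorted ports} for hosts exposing ports outside their role baseline."""
    findings = {}
    for ip, ports in hosts.items():
        extra = sorted(set(ports) - EXPECTED[classify(ports)])
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    hosts = parse_greppable(SAMPLE_OG)
    for ip, role in inventory(SAMPLE_OG).items():
        print(f"{ip:12} {role:18} {sorted(hosts[ip])}")
    print("outside baseline:", unexpected_services(hosts))
```

Zenmap keeps the underlying Nmap output, so the same parser can be pointed at a file saved with `nmap -oG scan.gnmap ...`; the role rules are deliberately the lab's own, and the point of the baseline check is that a workstation suddenly exposing a server-class port stands out even when the scan itself looks unremarkable.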

#Done
