$25
Scanning and Reconnaissance
Introduction
The key to successfully exploit or intrude a remote system is about the information you have. The first step for penetration is the scanning and reconnaissance. In this lab, you will learn how to use tools to scan and retrieve information from a targeting system. You will be using nmap and OpenVAS to scan a vulnerable machine and identify exploits that can be used to attack it. We will use two Linux virtual machines: One is a Kali Linux with nmap and OpenVAS; and the other one is intentionally vulnerable Linux. We will use the nmap and OpenVAS on Kali Linux to scan the vulnerable Linux machine.
Software Requirements
- VirtualBox https://www.virtualbox.org/wiki/Downloads
- The Kali Linux, Penetration Testing Distribution from LAB 1
- Metasploitable2: Vulnerable Linux Platform https://s2.smu.edu/~rtumac/cs3339/Lab3/Metasploitable2-Linux.ova http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
- nmap: the Network Mapper - Free Security Scanner https://nmap.org/
- OpenVAS: Open Vulnerability Assessment System http://www.openvas.org/index.htm
Starting the Lab 3 Virtual Machines
We need to use two VMs for this lab: the Kali Linux and the Metasploitable2-Linux. First, import the new Kali Linux VM and start the machine.
Login the Kali Linux with username root, and password CS3339. Below is the screen snapshot after login
Then, import and start up the Metasploitble2-Linux virtual machine. This is an intentionally vulnerable Linux VM that you will attack against.
Log into the virtual machine with username, msfadmin, and password msfperunaadmin.
After you log into the VM, you will see the screen below.
Finding the IP Address of the Attacking Target
For the purpose of this lab, it uses Metasploitable2-Linux as the attacking target. First, we need to find the host IP address of the target to launch a scan. You can use the command “ifconfig” (ipconfig is the windows equivalent). This command allows you to find all the connected interfaces and network cards.
Go to the Metasploitable2-Linux VM, and execute the following command
$ ifconfig
From the screenshot above, we can see that the IP address of the network interface, eth0, is 172.16.108.172. This is the IP address for the target that you will use later in this lab. When you work on the lab in the classroom, you will get a different IP address for your Metaploitable2-Linux VM. Note that this is not a public IP but we can access it within the subset.
Scanning the Target Using nmap
nmap ("Network Mapper") is an open source tool for network exploration and security auditing. Though it was designed to rapidly scan large networks, we use it for scanning the target host in this lab.
Since nmap has been installed on the Kali Linux, we can just launch the scanning in the terminal by typing the following command:
$ nmap -T4 172.16.108.172 nmap is the execution command; option -T4 means faster execution; and
172.16.108.172 is the IP address of the target. As mentioned, you will have a different
IP address when working on this with the VMs in the classroom.
The screenshot above shows a quick scan of the target machine using nmap. We can see that there are many open ports and services on the target system including FTP, SSH, HTTP, and MySQL. These services may contain vulnerabilities that you can exploit.
nmap provides many useful functions that we can use. You can find more information from the man page of nmap
From this link: http://linux.die.net/man/1/nmap
Or execute the following command in a terminal:
$ man nmap
The screenshot above shows the man page of nmap.
Vulnerability Scanning Using OpenVAS
OpenVAS is an open-source framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. If OpenVAS is not already installed, you can follow these steps:
root@kali:~# apt update root@kali:~# apt install openvas root@kali:~# openvas-setup
REMEMBER THE PASSWORD given to you when you run openvas-setup. If you don’t remember the password, you can reset it by running the following command:
root@kali:~# openvasmd --user=admin --new-password=new-super-secure-pass
You can run the following command to check if the OpenVAS manager, scanner, and GSAD services are listening:
root@kali:~# netstat –antp
Otherwise, just start the services by executing the following command root@kali:~# openvas-start
Connecting to the OpenVAS Web Interface
Go to the Kali Linux, and open the browser
Then, go to https://127.0.0.1:9392 and accept the self-signed SSL certificate.
Input the username as admin, and the password given to you when you ran openvassetup
The following screenshot is the homepage of OpenVAS. Navigate to Scans -> Tasks. Then, open the Task Wizard (screenshot on next page). Type the IP address of the target in the Task Wizard, and press “Start Scan”. It will do the following for you:
1. Create a new Target with default Port List
2. Create a new Task using this target with default Scan Configuration
3. Start this scan task right away
4. Switch the view to reload every 30 seconds so you can lean back and watch the scan progress
After finishing the scanning, you can look at the reports (Scans -> Reports) as shown in the screenshot below.
Assignments for the Lab 3
1. Read the lab instructions above and finish all the tasks.
2. Use nmap to scan the target and find the software version of the OS and the running services (post a screenshot).
3. Use OpenVAS to find two vulnerabilities of the target, and briefly describe them. Post a screenshot with the list of vulnerabilities found by OpenVAS.
Happy Scanning