
Module 05: Network Penetration Testing Methodology-External (Ex 1)

Written By AKADEMY on Wednesday, July 3, 2019 | 11:08 AM

Objective

The objective of this lab is to help students in conducting network scanning, network vulnerability analysis, and network security maintenance.
You need to perform network scans to:
  • Check live systems and open ports
  • Perform banner grabbing and OS fingerprinting
  • Identify network vulnerabilities
  • Draw network diagrams of vulnerable hosts
  • Pentest vulnerabilities to gain unauthorized access

Scenario

External Penetration Testing determines the possibility of network security attacks from outside of the network perimeter. It evaluates the organization’s systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption.
An attacker uses vulnerabilities to disrupt the confidentiality, availability or integrity of the network; finding them first allows the organization to address each weakness. Vulnerability scanning is a critical component of any penetration testing assignment. As an expert Penetration Tester or a Security Administrator, you need to conduct penetration testing and list the threats and vulnerabilities found in an organization’s network, and perform port scanning, network scanning, and vulnerability scanning to identify IP/hostname, live hosts, and vulnerabilities. Then, you need to take specific preventive countermeasures to overcome them.

Exercise 1: Exploring and Auditing a Machine Using Nmap

Scenario

A network scan plays a crucial role in identifying the hosts that are up and running in a network. It also helps a pentester pull out additional information associated with a machine, such as the services running on the machine, the ports used by each service, and the operating system details.
As a penetration tester, you need to have extensive knowledge of network mapping tools, top ports running different services, etc.
Lab Duration: 30 Minutes
  1. Click Windows Server 2012 (External Network). Click Ctrl+Alt+Delete.
  2. In the password field click Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
  3. In this lab, you are given the assignment to audit the server hosting the website http://www.luxurytreats.com.
    So, before beginning this lab, we shall identify the IP Address of the website using the ping utility.
    Launch a command prompt, type ping www.luxurytreats.com and press Enter.
    This returns the IP Address of the server as 172.19.19.11 in the response.
    We will be scanning this IP address using Nmap in the forthcoming tasks.
  4. To install Nmap, navigate to E:\ECSAv10 Module 05 Network Penetration Testing Methodology-External\Nmap, and double-click nmap-7.60-setup.exe. If an Open File - Security Warning pop-up appears, click Run and follow the steps to install the Nmap (Zenmap) scanner.
    While installing Nmap, if a WinPcap Setup dialog box appears, click No, and follow the installation steps.
  5. To launch Nmap, double-click the Nmap - Zenmap GUI icon on the desktop.
  6. The Zenmap (Nmap) main window appears.
  7. To perform an Intense Scan, enter the IP address in the Target field, choose Intense Scan from the Profile drop-down list, and click Scan.
    In this lab, we are performing an Intense Scan on the Web Server Subnet C machine (which is hosting www.luxurytreats.com), whose IP address, 172.19.19.11, was identified in the earlier steps.
    The scan will take a few minutes to complete.
  8. Nmap scans the provided IP address with the Intense Scan profile, and the scan results are shown in the Nmap Output tab.
    Scan results may vary in your lab environment.
  9. Click the Ports/Hosts tab to check the Port, Protocol, State, Service, and Version of services discovered during the scan.
  10. Click the Topology tab to view network topology of the target system.
  11. Click the Host Details tab to see the details of the hosts discovered during the intense scan.
  12. Click the Scans tab to view the status of the scan, and command used.
  13. Now, click the Services tab in the left pane. This tab displays the list of services running on the machine.
  14. Now, click msrpc service under Services section to view the ports on which the services are running.
    This way, you can access information about each service.
  15. To save the scanned result, navigate to Scan and click Save Scan from the menu bar.
  16. The Save Scan window appears. Specify the scan name in the Name: text field as Intense Scan.xml, the destination location in the Save in folder: field, and the file type in the Select File Type: field, then click Save.
    In this lab, the default file location and default file type have been chosen.
    You can even choose your desired location to save the result.
  17. To view the result, navigate to C:\Program Files (x86)\Nmap and double-click Intense Scan.xml.
    Here, the saved file location is C:\Program Files (x86)\Nmap.
  18. Once you double-click the file, the How do you want to open this type of file (.xml)? prompt appears; choose the program in which you want to view the result. In this lab, we are selecting Internet Explorer to view it.
  19. Now, you can view the Intense Scan report in the browser.
  20. Now, close all the windows.
    If Errors Occurred pop-up appears, click OK.
  21. To launch Nmap, double-click the Nmap - Zenmap GUI icon on the desktop.
  22. To perform an Xmas Scan, choose Regular Scan from the Profile drop-down list.
    An Xmas scan sends a TCP frame to a remote device with the PSH, URG, and FIN flags set. FIN scans work only against operating systems whose TCP/IP stack was developed according to RFC 793.
  23. To create a new profile, navigate to Profile -> New Profile or Command from the menu bar.
  24. The Profile Editor wizard appears. Type Xmas Scan in the Profile name field under the Profile Information section.
  25. Click the Scan tab.
    Choose Xmas Tree scan (-sX) from the TCP scans: drop-down list under Scan Options, in the Scan tab of the Profile Editor wizard.
  26. Select None from the Non-TCP scans: drop-down list, Aggressive (-T4) from the Timing template: list, check the Enable all advanced/aggressive options (-A) option, and click Save Changes.
  27. To perform the Xmas Scan, type the IP address of the Web Server Subnet C machine, i.e., 172.19.19.11, in the Target: field, choose Xmas Scan from the Profile: drop-down list, and click Scan.
    Nmap takes about 20 minutes to complete the scan.
    Once the scan is initiated, ping the Web Server Subnet C machine.
  28. Nmap scans the specific target IP address and displays the results in the Nmap Output tab.
    The output might vary in your lab environment.
  29. Analyze the scan results by checking all the tabs.
  30. Click the Services tab in the left pane. It displays all the services for that host.
  31. To save the scanned result, navigate to Scan, and click Save Scan from the menu bar.
  32. Choose a scan to save pop-up window appears.
    Select nmap -sX -T4 -A 172.19.19.11 from the drop-down list and click Save button.
  33. The Save Scan window appears. Specify the scan name in the Name: text field as Xmas Scan.xml, the destination location in the Save in folder: field, and the file type in the Select File Type: field, then click Save.
    Close the Nmap window.
    In this lab, the default file location and default file type have been chosen.
    You can even choose your desired location to save the result.
  34. To view the result, navigate to C:\Program Files (x86)\Nmap and double-click the Xmas Scan.xml file.
    If you are asked How do you want to open this type of file (.xml)?, choose the program in which you want to view the result. In this lab, we are selecting Internet Explorer Browser to view the scan results.
  35. The Xmas Scan report can be seen in the browser.
    Ignore the warning pop-ups at the bottom of the windows explorer.
  36. Now, close all the windows.
  37. Double-click Nmap - Zenmap GUI icon on the desktop.
  38. To create a new profile, navigate to Profile and click New Profile or Command.
  39. In the Profile tab, enter Null Scan in the Profile name text field.
  40. Click the Scan tab in the Profile Editor window. Now, select the Null Scan (-sN) option from the TCP scan: drop-down list, and click Save Changes.
  41. To perform Null Scan, enter the IP address 172.19.19.11 of Web Server Subnet C machine in the Target field, choose Null Scan from the Profile drop-down list and click Scan.
    Once the scan is initiated, ping the Web Server Subnet C Machine. The command you need to issue is ping 172.19.19.11 -t.
    The reason to ping the machine is that, when you ping the target and receive an ICMP Echo reply, Nmap, which is already running on the pentesting machine, recognizes that the target machine is active and detects the open ports on the machine.
  42. Nmap scans the provided target IP address and displays results in the Nmap Output tab.
    The output might vary in your lab environment.
    Once the output is obtained, close the command prompt.
  43. To analyze the scan results, navigate through all the tabs beside the Nmap Output tab, i.e., the Ports/Hosts, Topology, Host Details, and Scans tabs, to retrieve more information about the Null Scan on the specified host.
  44. To save the scanned result, navigate to Scan and click Save Scan from the menu bar.
  45. The Save Scan window appears. Specify the scan name in the Name: text field as Null Scan.xml, the destination location in the Save in folder: field, and the file type in the Select File Type: field, then click Save.
    Close the Nmap window.
    In this lab, the default file location and default file type have been chosen.
    You can even choose your desired location to save the result.
  46. To view the result, navigate to C:\Program Files (x86)\Nmap and double-click the Null Scan.xml file.
    If you are asked How do you want to open this type of file (.xml)?, choose the program in which you want to view the result. In this lab, we are selecting Internet Explorer Browser to view the scan results.
  47. Now, the Null Scan report can be seen in the browser.
    Ignore the warning pop-ups at the bottom of the windows explorer window.
    Similarly, ACK Flag Scan can be performed by creating a new scan profile for ACK Flag Scan.
  48. After analyzing the results in the report, close all the windows and the Nmap GUI.
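The Xmas and Null probes used in this exercise stand out on the wire, because their flag combinations do not occur in ordinary TCP sessions. The following added example (not part of the original lab) parses raw TCP headers and reports sources that send such probes to several ports; the addresses, the three-port threshold, and the function names are assumptions made for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Name the probe type implied by a TCP flag byte; None means ordinary traffic."""
    flags &= 0x3F                       # keep the six RFC 793 flag bits
    if flags == 0:
        return "null"                   # no flags at all (nmap -sN)
    if flags == FIN | PSH | URG:
        return "xmas"                   # FIN+PSH+URG (nmap -sX)
    if flags == FIN:
        return "fin"                    # bare FIN; a normal close carries FIN+ACK
    return None

def parse_tcp(header):
    """Return (source port, destination port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", header[:20])
    return sport, dport, flags

def detect_flag_scans(packets, min_ports=3):
    """Map (source IP, probe type) to probed ports once min_ports distinct ports are hit."""
    seen = defaultdict(set)
    for src_ip, header in packets:
        _, dport, flags = parse_tcp(header)
        kind = classify_flags(flags)
        if kind:
            seen[(src_ip, kind)].add(dport)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= min_ports}

def make_tcp(dport, flags, sport=40000):
    """Build a constructed 20-byte TCP header for the sample below."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample traffic (documentation addresses), not captured from the lab.
SAMPLE = (
    [("192.0.2.5", make_tcp(p, FIN | PSH | URG)) for p in (80, 135, 445)]   # Xmas sweep
    + [("192.0.2.7", make_tcp(p, 0)) for p in (21, 22, 23)]                 # Null sweep
    + [("192.0.2.9", make_tcp(443, f)) for f in (SYN, ACK, PSH | ACK, FIN | ACK)]  # normal session
)

if __name__ == "__main__":
    for (src, kind), ports in detect_flag_scans(SAMPLE).items():
        print(f"{src}: {kind} probes against ports {ports}")
```

An ACK scan cannot be caught this way, since a lone ACK is normal inside an established connection; detecting it requires tracking connection state.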
In this lab you have analyzed all the IP addresses, open and closed ports, services, and protocols you discovered during the scan.
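The reports saved in this exercise are plain XML, so they can be audited with a script instead of a browser. The following added example (not part of the original lab) lists the open ports in a report, groups them by service as the Services tab does, and flags ports missing from an allowlist; the sample report, product name, and allowlist are constructed, not the lab's real output.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in Nmap's XML report layout; not the lab's real scan output.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="172.19.19.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="ExampleHTTPd" version="1.0"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""

def open_ports(xml_text):
    """Return (address, protocol, port, service, version) for every open port."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            version = " ".join(p for p in parts if p)
            rows.append((addr, port.get("protocol"), int(port.get("portid")), name, version))
    return rows

def ports_by_service(rows):
    """Group open ports per service name, like Zenmap's Services pane."""
    grouped = defaultdict(list)
    for _, _, port, name, _ in rows:
        grouped[name].append(port)
    return dict(grouped)

def unexpected(rows, allowed):
    """Open ports absent from the allowlist of (protocol, port) the host should expose."""
    return [row for row in rows if (row[1], row[2]) not in allowed]

if __name__ == "__main__":
    found = open_ports(SAMPLE_XML)
    print(ports_by_service(found))
    for row in unexpected(found, {("tcp", 80)}):   # assumed policy: web traffic only
        print("review:", row)
```

Parse only reports you generated yourself; the standard-library XML parser is not hardened against maliciously crafted documents.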