
US Cyber Range: Port Scanning Lesson

Written by - R. Eric Kiser

Laboratory Exercise X — Advanced Port Scanning

[This lesson was designed for the U.S. Cyber Range located at https://www.uscyberrange.org/courseware/cyber-security-advanced-ethical-hacking]

Due Date: Date

1. Overview

In this lab, students will learn how Metasploit and Nmap can be used in combination to streamline the scanning process. Students will learn how to find open ports, how to find the services running on those ports, how to further enumerate discovered ports, and how to save the results for reporting. For this lab, students will use the Cyber Range environment "Kali Linux with Metasploitable (2020.09)" to perform port scanning and enumeration.

2. Resources Required

This exercise requires a Kali Linux VM running in the Cyber Range.

[Note to instructors: This lab exercise requires an account on the Cyber Range. To sign up for an account on The Range, please visit our Sign-Up page. Your students will also require an account on the Cyber Range; this will be explained in the setup of your course.]

3. Initial Setup

For this exercise, you will log in to your Cyber Range account and select the Environment: Kali Linux with Metasploitable (2020.09), then click “start” to start your environment and “join” to get to your Linux desktop login. Log in using these credentials:

Username: student

Password: student

4. Tasks

[Note to instructors: This is an advanced course. Students should have experience with the basics of Nmap from previous courses. If this is not the case, it may be beneficial to search the Cyber Range repository for lessons on scanning with Nmap. Students should also be knowledgeable about Networking Protocols such as UDP and TCP.]

Task 1: Advanced command line scanning with Nmap and Metasploit

Review and refer to the following Nmap cheat sheets during this lab:

cheatsheet from SANS

StationX

Complete the following:

  1. Open a terminal window.

If the database does not have connectivity, or you accidentally started the framework before starting the database, exit the terminal and repeat steps 1, 2, 5, and 6. This should do the trick. If for some reason it does not, exit the terminal and complete steps 1–6 again.

Before we start scanning, we want to create a workspace for our scans. This will make it easier to find the scans at a later time when we complete our reports. It will also prevent the issue of polluting the database when we need to work on more than one project.

Complete the following:

  1. Type workspace --add metasploitable and press enter.

We have now created our very own workspace. Our scans will be saved automatically in the workspace. To check the Database Backend Commands, type help.

Take notice of the hosts, services, and notes. We will be calling on these when we write reports or when we pick up where we left off. This way we do not have to complete the scans again. They are all saved in the workspace database.

Now we are ready to start scanning the system. There are several ways to discover hosts. Different tactics are used if ports are filtered. We are trying to find a specific target that is holding the Metasploitable 3 content. Below are several ways to complete the task. I encourage you to try them all, if time permits. We will start with a few simple commands and scans first as a brief refresher.

Complete the following:

  1. Type ip addr show to discover your current network configurations.

This is our machine, but we have also discovered the subnet with this tactic. In future scans we don’t really want to scan ourselves. We can exclude this machine with --exclude <ip address> in our scans. It is a good idea to remember this, as in many situations your own host will have many ports and services that can be found, thus polluting the results. Take a screenshot and name it 1ipaddrshow. Save it in a folder named scanning.

The following commands will help you find the target Metasploitable machine. Open a new terminal window and become root. Type the following:

  1. nmap -sS -Pn -v -p 22 <your IP/20> | grep 'open'

This works because we disable ping (-Pn) and know that port 22 is open only on a few machines. The /20 scans the whole subnet, but it is much faster if we only scan port 22. The first command enables verbosity (the amount that is printed to the display while the command is running), pipes that into grep, and searches for lines containing "open". The second command drops verbose output and adds -B4, which shows the 4 lines before the regex match (enough to include the "Nmap scan report for" line that names the host). Scanning every port on the entire subnet with -p- will take about 20 minutes, whereas the other scans take about 10 seconds. You can streamline your pentesting processes by knowing more about powerful Linux tools like grep and Nmap.

Answer the following questions:

  1. What is the host IP on the Metasploitable machine (every student will have a different IP)?

Task 2: Discovering open ports and services with Metasploit and Nmap

Return to the terminal window with the Metasploit Framework running. At the msf5 > prompt, complete the following:

[IMPORTANT: My Metasploitable IP is 10.1.163.125; everywhere you see this replace it with your Metasploitable IP.]

  1. Type db_nmap 10.1.163.125 and press enter.

Command breakdown:

-F is a fast scan of the top 100 ports

-sS is a SYN scan (a half-open TCP port scan)

-n skips DNS resolution of discovered hosts

-v increases the verbosity level (how much is printed to your display); use -vv for greater effect

--reason outputs the reason a port is in its current state (for example syn-ack or reset)

--open shows only open ports

To view current host results stored in your workspace type hosts.

To view the current services stored in your workspace type services.

We could scan all ports on the host instead of only the top 100 by using -p- instead of -F; however, this would take some time. Note that the environment in the Cyber Range is always changing.
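As an added example (not part of the original lesson), the shell below reads ordinary Nmap output, the same text Task 1 pipes through grep and Task 2 summarises with --reason and --open, and extracts one line per open port plus the list of hosts answering on a given port. The sample output, host IPs, hostname and timings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original lesson): turn the normal Nmap output that
# Task 1 and Task 2 pipe through grep into one line per open port:
#   host<TAB>port/proto<TAB>service<TAB>reason
# Tracking the current "Nmap scan report for" line in awk is more robust than
# `grep -B4`, which breaks when Nmap prints a different number of lines above
# the port line (e.g. a "Not shown:" line or a resolved hostname).
# Constructed sample of what `nmap -sS -Pn -p 22,80 --reason 10.1.160.0/20`
# could print for three hosts (placeholder IPs, not output of a real scan).
SAMPLE_NMAP_OUTPUT='Nmap scan report for 10.1.163.125
Host is up, received arp-response (0.00045s latency).

PORT   STATE  SERVICE REASON
22/tcp open   ssh     syn-ack ttl 64
80/tcp open   http    syn-ack ttl 64

Nmap scan report for kali.local (10.1.163.130)
Host is up, received user-set (0.00012s latency).
PORT   STATE  SERVICE REASON
22/tcp closed ssh     reset ttl 64

Nmap scan report for 10.1.163.200
Host is up, received user-set.

PORT   STATE    SERVICE REASON
22/tcp filtered ssh     no-response'

# open_ports: read Nmap normal output on stdin; print host, port/proto,
# service and reason for every port whose STATE column is exactly "open".
open_ports() {
    awk '
        /^Nmap scan report for / {
            host = $NF                  # last field is the IP or "(IP)"
            gsub(/[()]/, "", host)      # strip parens from "name (IP)"
        }
        $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            reason = $4
            for (i = 5; i <= NF; i++) reason = reason " " $i
            printf "%s\t%s\t%s\t%s\n", host, $1, $3, reason
        }'
}

# hosts_with_open_port PORT: the Task 1 question, which hosts answer on 22?
hosts_with_open_port() {
    open_ports | awk -F'\t' -v want="$1/tcp" '$2 == want { print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | hosts_with_open_port 22
```

The same functions work on real output saved with nmap -oN, so the hosts and services you enter into the workspace can be cross-checked against the raw scan.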

If this scan is taking too long, it can be terminated early with CTRL+c. If this is the case, you may not be able to answer the questions.

Open a new terminal window and complete the following:

  1. Type sudo su and press enter.

Now we can continue with other scans while this one scans in the background.

Answer the following questions:

  1. What services did you find and what ports were running?

Task 3: Run a UDP scan using Metasploit and Nmap

If there were an SNMP (Simple Network Management Protocol), NetBIOS, or ISAKMP/IKE service running, performing a UDP scan can discover this. The switch -sU is a UDP scan.

Complete the following:

  1. Type db_nmap -sU -n -v --open --reason <target IP> and press enter.

Answer the following questions:

  1. What services did you find?

Task 4: Service Version Scanning

Before we continue, we want to get more information on the services that are running. The switch -sV will search for service versions, and the -sC will use default scripts (OS detection, service, fragmentation) and is considered invasive. You can view the default scripts here.

Complete the following:

  1. Type db_nmap -sS -sV -sC -v -n -p <list of ports found> <target IP> and press enter.

Answer the following questions:

  1. What new information was discovered?

Task 5: Cleaning up your hosts list

Now that we have completed several scans, we may want to clean up our hosts list. If you do not have any extra hosts, this part of the lesson is for information purposes only. The only host we want in the list is the Metasploitable machine. To check, type hosts in the msfconsole to view our hosts. If we have any hosts other than our Metasploitable target, they need to be deleted: type hosts -d <host IP we want deleted>. Once we have deleted the hosts that are out of scope, we should be left with only the Metasploitable host; in my case, that is 10.1.163.125. The screenshots below are examples of how to delete out-of-scope hosts. For the first two screenshots, the only IP in scope is the Linux Server. The last screenshot is of the Metasploit services database, shown by typing services and pressing enter in the msfconsole.

[Screenshot: services]

5. References:

https://www.aelius.com/njh/subnet_sheet.html

https://nmap.org/book/nse-usage.html

https://nmap.org/nsedoc/categories/default.html

[This portion of the lesson plan is provided for instructors that will be using this lesson plan and associated material in their class.]

KSAs Addressed

From (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf)

Knowledge:

K0177: Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

K0398: Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).

Skills:

S0153: Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.

S0264: Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).

Abilities:

A0160: Ability to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise.

Knowledge Units (KUs) Addressed (from https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf):

(you may need to accept an invalid iad.gov SSL certificate to reach this PDF)

● Basic Cyber Operations (BCO)

● Basic Networking (BNW)
