
   Write this reflection for the lab:

In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you're confused about. Questions asked here will be summarized and answered anonymously in the next class.

Lab-5: Scanning and Enumeration

The reconnaissance and information-gathering methods were passive, meaning that they did not cause any alarms, alerts, or log file creation on the target systems (franklin.edu computers). In Lab-5, you will actively scan and enumerate target systems. These actions would create log entries and probably trigger alerts if the target systems were used by a sensitive organization, such as a military or financial institution.
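The log footprint of an active port scan, seen from the defender's side, as an added example that is not part of the original lab handout: the Python sketch below flags any source that sends SYNs to many distinct host/port pairs within a short window. The log line format, the thresholds and the function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed log: one source sweeping 30 ports in ~3 s, one normal web client.
    Assumed line format: "<ISO time> <src> <dst> <dport> <flags>"."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(20, 50)):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 192.168.2.10 192.168.2.14 {port} SYN")
    for i in range(5):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 192.168.2.12 192.168.2.14 80 SYN")
    lines.append("garbage line that must be ignored")
    return lines

def detect_scanners(lines, window=timedelta(seconds=5), min_targets=15):
    """Return {src: max distinct (dst, port) pairs seen inside any window}."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] != "SYN":
            continue  # skip malformed lines and non-SYN records
        try:
            ts = datetime.fromisoformat(parts[0])
            port = int(parts[3])
        except ValueError:
            continue
        events[parts[1]].append((ts, parts[2], port))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(dst, port) for _, dst, port in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, count in detect_scanners(build_sample()).items():
        print(f"possible port scan from {src}: {count} distinct targets in 5 s")
```

The normal client repeats the same destination and port, so it counts as a single target and stays below the threshold.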

You will perform Lab-5 by using the Netlab environment provided by Franklin University. The Netlab environment is isolated, with no Internet connection, so that none of your actions will cause anything harmful for you or the target system.

Section-1: Scan the Network Using nbtscan Tool

nbtscan is used for scanning networks to obtain NetBIOS names, file shares, and other information. It is one of the tools that come with Kali Linux. Nbtscan is a convenient tool to scan the active computers on the network quickly.

Windows machines have NetBIOS names by default. Linux/Unix computers may also have NetBIOS names if the Samba interoperability suite is installed.

Before scanning the network from Kali Linux, you first have to find out the network address.

1) Enter the Netlab environment

2) Open Kali Linux and enter the password (password: toor)

3) Open a terminal window

4) Type this command: ifconfig

The IP address of your computer is 192.168.2.10, and the netmask is 255.255.255.0. That means the network address is 192.168.2.0/24. You will use this in your nbtscan.

5) Run an nbtscan by typing nbtscan 192.168.2.0/24 in the terminal window. You will see all active computers along with their IP addresses, NetBIOS names, and MAC addresses. That is an essential piece of information for a pentester and can be regarded as your initial attack surface.

Take a screenshot of the terminal window.

Section-2: Scan the Network by Using Nmap

You will perform another network scan by using a more versatile tool called Nmap. Nmap is one of the Swiss Army knives of pentesters. It is a free and open-source tool and comes with Kali Linux. Nmap has many different scanning options; it can even perform vulnerability scanning in addition to network and host scanning. In this lab, you will first use Nmap's network/host scanning features, and then you will perform vulnerability scanning with Nmap.

1) Type in nmap 192.168.2.0/24 -n -sn in the terminal window.

Take a screenshot of the terminal window.

Type in man nmap in the terminal window to see the help page of the Nmap tool. Find out why you used the -n and -sn options.

Section-3: Perform a Port Scan Against a Host

In the previous section, you scanned the network by using Nmap. In this section, you will scan a specific host for open ports.

1) Type in nmap 192.168.2.14 -n in the terminal window.

Take a screenshot of the terminal window.

192.168.2.14 is the Metasploitable machine, an intentionally vulnerable Linux machine used for training purposes. There are many open ports on this machine. As the pentester, you determined your initial attack surface, the active computers on the network, using the nbtscan and nmap tools. The list of open ports on the Metasploitable computer is a host-specific attack surface. An open port can be considered one of the most valuable attack surfaces, because an attacker can attack computers through open ports in many ways, such as:

a) By flooding the port, such as SYN flood to port 80,

b) By exploiting the service using the port, such as an SQL injection attack against a web application on port 443,

c) By brute-forcing the login forms,

d) By using default usernames or passwords, such as accessing a wireless modem's management interface with the default credentials username: admin/password: admin
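The defender's use of the same open-port list, as an added example that is not part of the original lab handout: the Python sketch below parses scan results saved in Nmap's grepable format (the -oG output option, which the lab itself does not use) and reports every open port that is not in an approved baseline. The sample output is constructed, and the baseline and function names are hypothetical.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; ports are illustrative.
SAMPLE_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.2.14 ()\tStatus: Up\n"
    "Host: 192.168.2.14 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 80/open/tcp//http///, 8080/closed/tcp//http-proxy///\n"
    "Host: 192.168.2.13 ()\tPorts: 445/open/tcp//microsoft-ds///\n"
)

# Hypothetical baseline: ports each host is approved to expose.
APPROVED = {"192.168.2.14": {22, 80}, "192.168.2.13": set()}

def parse_open_ports(text):
    """Return {host: {port: service}} for every port reported as open."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports = m.groups()
        for entry in ports.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                result.setdefault(host, {})[int(fields[0])] = fields[4]
    return result

def unexpected_exposure(text, approved):
    """List (host, port, service) for open ports missing from the baseline."""
    findings = []
    for host, ports in sorted(parse_open_ports(text).items()):
        for port in sorted(set(ports) - approved.get(host, set())):
            findings.append((host, port, ports[port]))
    return findings

if __name__ == "__main__":
    for host, port, service in unexpected_exposure(SAMPLE_OG, APPROVED):
        print(f"{host}: port {port} ({service}) is open but not approved")
```

Each finding is a candidate for closing the port, filtering it at the firewall, or adding it to the baseline with a documented owner.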

Section-4: Scanning for Top 1000 Ports

The top 1000 ports are the 1000 statistically most popular ports used by network-enabled applications and services. In this lab, you will scan the same target (Metasploitable) to check for the top 1000 ports.

1) Type in nmap 192.168.2.14 -n --top-ports 1000 --open in the terminal window.

The --open switch shows only the open ports on the target machine.

2) Now, type in the command with an extra switch -sV: nmap 192.168.2.14 -n --top-ports 1000 --open -sV

The -sV switch fingerprints the service running on the port.

Take a screenshot of the terminal window.

Section-5: OS (Operating System) Detection by using Nmap

One of Nmap's features is remote OS detection by using TCP/IP stack fingerprinting.  In this lab, you will detect the operating systems of the live hosts in the 192.168.2.0/24 network.

1) Type in nmap 192.168.2.0/24 -n -O --osscan-guess

Note that you have to make the "O" letter uppercase.

Notice the operating system info in the command output.

Find the command output showing the operating system of 192.168.2.12 and take a screenshot of the terminal window.

Section-6: Vulnerability Scanning by Using Nmap

Now, it is time to perform vulnerability scanning by using Nmap. The first vulnerability is an FTP service with anonymous login enabled.

In the previous lab, you found that 192.168.2.14 (Metasploitable) has the FTP service enabled. Let's check whether it has anonymous login enabled. Anonymous login is a common feature among FTP services.

1) Type in nmap 192.168.2.14 -n --script ftp-anon -p 21 in the terminal window.

This command uses the Nmap Scripting Engine, a powerful and flexible feature of Nmap. It allows security researchers to write scripts that perform particular tasks, such as finding FTP services (port 21) with anonymous login enabled. In this section, you used the script that detects anonymous FTP logins (ftp-anon).

Now, you will use another Nmap script to detect an SMB vulnerability. SMB is a standard protocol used by the Windows operating system to share files and printers among computers. You will check another host (192.168.2.13) for any SMB protocol vulnerability. 192.168.2.13 is a Windows computer. In Section-5, you remotely detected the operating system of this host as Windows 7.

2) Type in nmap 192.168.2.13 -n --script smb-vuln* -p 445

In this example, you used a wildcard: smb-vuln* runs all scripts whose names start with "smb-vuln".

Take a screenshot of the terminal window.

Weekly Learning and Reflection 

In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you're confused about. Questions asked here will be summarized and answered anonymously in the next class.
