CompTIA Pentest+ PT0-002 – Section 5: Active Reconnaissance Part 1

37. Active Reconnaissance (OBJ 2.2 and 2.3)

In this section of the course, we’re going to discuss Active Reconnaissance. Now, as we continue to move forward with information gathering and vulnerability scanning, we’re going to find that we’re going to move from being passive to active in our information gathering. Active reconnaissance is a type of information gathering where a penetration tester or attacker engages with the targeted systems or networks to gather information about the vulnerabilities they contain. This process involves scanning, enumeration and fingerprinting to identify the number and types of hosts on a given network, as well as the open ports and services that they may be running.

A penetration tester may also begin to directly connect to the target organization’s website and conduct crawling, scraping and manual inspection of its pages, files and contents. Some attackers may try to conduct an on-path attack against the organization as well. This way, they can capture API requests and responses that are going to and from the server, or they’ll try to eavesdrop on the local area network traffic to gain additional information.

While conducting active reconnaissance, it’s always important to understand how to detect network defenses that may be used to try to capture you, and this way you can avoid detection. Also, you need to understand which cloud and third-party hosted assets are available and within the scope of your future attacks. Finally, if the target organization uses a wireless network, you can also conduct wardriving or warwalking as a way to identify locations, coverage and security of their wireless networks because this can be an easy way for you to gain access to their network during the attack and exploitation phase of the engagement.

So in this section of the course, we’re going to focus on active reconnaissance, which is another part of our larger set of objectives in Domain 2, Information Gathering and Vulnerability Scanning. In this section, we’re only going to focus on two objectives. First, we have objective 2.2. This states that given a scenario, you must perform active reconnaissance. And we’re also going to focus on objective 2.3, which states given a scenario, you must analyze the results of a reconnaissance exercise. While these objectives seem short, there’s actually a lot of information for us to cover here in active reconnaissance that you need to know for the exam. So let’s continue our coverage of Domain 2 Information Gathering and Vulnerability Scanning with active reconnaissance in this section of the course.

38. Scanning and Enumeration (OBJ 2.2 and 2.3)

After conducting our initial footprinting and passive reconnaissance, we need to begin scanning at a new rating the target organization systems using more active reconnaissance methods. Scanning involves actively connecting to an organization systems and getting a response in order for us to identify hosts, open ports, services, users, domain names, and URLs. There are many different types of scans that we can perform depending on the specific type of target that we’re assessing. Now, there are different tools and different scripts that can be used for each of these different target types. But for right now, we’re going to focus on the concepts involved in conducting the scanning and enumeration instead of the specific tools themselves. The first type of scan we can use is called a discovery scan.

This might involve doing a ping scan to identify what host are online in a given network or a port scan to identify what ports and services might be open on a given host. Once identified, we then want to enumerate those hosts and their open ports. This allows us to actively connect to a system to determine the available open shares, user accounts, software versions, and other detailed information that could provide us with some clues as to what vulnerabilities might exist on those systems. The most common tool used for that purpose is Nmap, which is a command line tool that we’re going to cover in depth over several videos later on in the course. There’s a related tool from the makers of Nmap called Zenmap, which is a graphical user interface front end for the Nmap tool. With Nmap, you need to know the exact syntax that you want to use to be able to set up different types of scans.

But with Zenmap, you can simply use a dropdown menu next to the profile to be able to select a port scan, an intense scan, or some other kind of scan, and then enter the domain name or IP range and click scan for that tool to conduct that type of scan for you. Using something like Zenmap or Nmap, you can first conduct a ping scan to see what hosts are online and available. Then you can conduct a quick scan to identify what ports are open on those given hosts, and which ones are closed. And finally, you can take it further by conducting an intensive scan. This will identify what services are running on those ports and what versions they are. For example, if I first did a ping scan of an internal network like 192.168.560.0/24, I might find that there are three hosts that are currently online while the other 251 usable IPs are not providing any responses. And this indicates that there’s no servers or hosts available at those IPs. Next, I might do a quick scan of one or two of these hosts. And then I can find that there may be 18 open ports on one of those hosts, and see the basic services that are being run. Things like FTP, SSH, Telnet, SMTP, and others based on those ports that are open. Now, if I want to dive deeper into that host, I can run an intense scan against it. And this is going to enumerate each of those open ports and try to identify the exact version of the service that’s running on that given host and that given port. For example, I can find out that not only is the host running FTP over port 21, but it’s actually running vsftpd version 2.3.4.

Now, by knowing this exact software version that’s in use, I can go out and research what known vulnerabilities there are against that software. For example, if you google vsftp 2.3.4 vulnerabilities, you’re going to find out that there’s a known vulnerability where there’s a malicious backdoor embedded in that version of the software. So I could use a known exploit to gain access to this host through that vulnerability in the FTP daemon as a penetration tester. Now, we’re going to spend more time on how to use these tools and analyze the results in a different lesson. But for now, I want you to remember that we can conduct active reconnaissance by first conducting a discovery scan, then narrowing our focus on a specific target that we identify, and finally, going down to the specific services found on those hosts by moving from ping scans to port scans, to port enumeration and fingerprinting with a more intense scan. Now, in addition to finding specific versions of services running on a host, we can also use our scanning and enumeration tools to identify the exact operating system that’s being used on that asset.

Our scanners can actually analyze the way the system responds to our queries, and then they can make educated guesses about what type of operating system is being utilized on that target machine. For example, are they running Windows or Linux? And if so, what version? In this scan, for example, you can see that Zenmap has identified the target as a Windows XP system running either Service Pack 2 or Service Pack 3. Now, I know that’s an older and very vulnerable operating system. So as a penetration tester, I now know that I have found a great target for all of my future attacks. Now, this is the power of enumeration. By digging deeper into a particular system, I can identify its components, software, and versions, and then link those to known vulnerabilities for future exploitation and attack by knowing what versions of the services and operating systems are being used by my target.

When talking about enumeration, there are different types of enumeration as well. In this lesson, I’ve been focused on enumerating a specific host, as well as enumerating the ports that were open on that host, the services running over those ports, as well as the operating system in use on that host. But we can really enumerate anything on a given network including the hosts, the services, the networks, users and groups, network shares, domains, URLs, tokens, and more. Another term you’ll often hear use when we’re talking about scanning and enumeration is the term fingerprinting. Now, fingerprinting is the identification of an operating system, a service, or specific software version that’s in use by a host, a system, or a network. When we conduct fingerprinting of a particular host, we can determine exactly what is running on a given system and start to figure out the exact version for use in later targeting. This process can be conducted automatically using programs like Zenmap or Nmap. However, we can also conduct this process manually through a process known as banner grabbing. Banner grabbing involves using a program like Netcat, wget, or telnet to connect to a given port on an asset and determine what service is running.

When we connect to that port, the service is going to respond in a particular way such as providing what service is running on the port, what version of the service is being run, and other key pieces of information. By connecting to it using Netcat, we can observe these responses as plain text and even interact with the given service. For example, if I connect to port 21 that’s running an FTP server or if I connect to port 80 that’s running a web server using HTTP, I can get a response back from that server which can then be analyzed for details about the service that’s running. If I open up a Linux terminal or a Windows command line, I can run Netcat by entering nc diontraining.com 80 and pressing Enter. Next, you’re going to see a blank line and you’re going to enter the command, GET/HTTP/1.1, Enter, and you’re going to see some data come back to you including a line that says Server: and the name of the server and version. Now, in this response, for example, I can determine the version of Apache web server that was being run on this server.

In this case, it was version 2.2.16 on a Debian Linux system. This information can now help me identify the vulnerabilities that this particular web server might be vulnerable to during my upcoming attacks and exploit phase. To do this using wget, you’re going to use the syntax, wget, the domain name or IP address, -S because the -S option tells the command to print the HGTP headers set by the target server to the screen so you can review them. However, if we had to do this manual banner grabbing process on every single target, it could take us a really long time. Thankfully, we have automated tools to do that for us. Things like Zenmap, Nmap, and Metasploit all have the ability to conduct packet crafting or packet manipulation, and then read the responses. Now, instead of setting a packet that’s expected by a service, it can send one that’s just a little bit off.

For example, during a normal three-way TCP handshake, we send a SYN packet, we expect to get back a SYN-ACK packet, and then we send back an ACK packet. Now, with packet crafting, we can actually manipulate the headers of each of those packets to get different responses back. Now, when I send a SYN packet with a modified packet header, I’m going to get back a SYN-ACK from that server, look at that response, and then use that to uniquely identify the server because both Windows and Linux are going to respond differently. And even different versions of each operating system are going to respond differently to these queries. We can then use that information to fingerprint or identify what versions of the software are being run on a given host. Now, there are many tools for doing this including Nmap, Zenmap, hping, Netcat, and Ncat. For example, if you’re using Nmap, you can enter Nmap -sV, the target domain or IP, p, and the port number to receive the version of a particular service being analyzed by Nmap on that server at that port. However, if you want to do the analysis in a more manual mode, you can use the hping tool to send crafted SYN packets to an IP address or domain, receive those responses, and then attempt to identify the server that sent them by analyzing the responses received in a packet analysis program, something like Wireshark.

Using a tool like Wireshark, we can capture network packets that are being sent and received by a target server at a client, which in this case would be our attacking machine. For example, here, you can see a packet capture between a client and a server. Based on the packet captures, we can determine that the server is a Microsoft ESMTP server, which is a type of outbound mail server. We can further identify that this outbound mail server is actually running version 6.0.2600.5512 of the software. If we then google around the information for that specific version of Microsoft exchange, we’re going to identify vulnerabilities within it.

And ultimately, we can exploit those vulnerabilities during our attacks and exploits phase. So remember, when you hear the term fingerprinting, you should remember that it is to capture very detailed information about a given host or service during your reconnaissance efforts. Now, when we talk about scanning, this is more generic in nature. Enumeration goes a bit more in depth. And finally, fingerprinting is the most detailed of all three.

• Category: Uncategorized