CS 231: Computer Security

Pen testing #1: host detection & port scanning

Partner or alone, but working with a partner is good...more than one set of eyes on the wireshark output.

Hand in to pentesting/portscanning.pdf in your CS231 repository.

0. Background discussion

This exercise is our first foray into the field known variously as penetration testing (or pen testing), white-hat hacking, and ethical hacking. There are, as you might imagine, arguments about fine distinctions between these terms, but ultimately, they all concern the discovery, exploitation, and repair of vulnerabilities in computer systems.

Regardless of our goals, before performing ethical hacking we need permission of the owners of the target systems, as well as a clearly defined scope of action (e.g. what we're allowed to do, and when). In an educational context, our goals are to learn about the techniques of hacking and the corresponding techniques of securing systems. In a typical penetration testing context, a pen-tester will be hired by the system's owners to search for vulnerabilities and make recommendations for improving the system's security. In both situations, permission to hack is needed.

In our case, I have cleared our classroom activities ahead of time with the ITS and Math/CS staff responsible for the security of the systems we'll be working with. Most of our activities will involve the two VirtualBox virtual machines (VMs) installed on each of the computers in Weitz 138. We'll be attacking the Metasploitable VM from the Kali VM, in which context we can approach the task with no holds barred. But occasionally (including today), we'll also reach out to external machines, in which case explicit and specific permission is essential. If you want to take your experiments significantly beyond these lab exercises, talk to me, and we'll figure out a way to get the right setups and permission.

Regardless of the context of our hacking, we will often talk about our work in terms that sound like we're sneaking around. For example, we'll talk about doing "stealth scans" to avoid having our actions show up in log files or get noticed by system administrators. That kind of language is natural and appropriate, but we can't forget that the reason we're trying to avoid detection is to demonstrate to the sysadmins how their systems could be compromised, and to work with them to fix the vulnerabilities.

As you work on this stuff, you will have lots of questions. Write them down. Follow them up. Bring them up on Slack. Ask me when I ask "any questions?" at the start of class. Be curious. Pay attention to details. And definitely, definitely don't expect to understand it all quickly. There's an enormous amount of detail in this material. I'll expect you to understand a layer or two, but there's always more to know.

Today, we'll take a look at a few of the essential first steps in the search for vulnerabilities in a target computer system. To get started:

• Fire up and login to the Metasploitable VM (user=msfadmin, pw=msfadmin).
• Fire up and login to the Kali VM (user=root, pw=toor).
• Open a terminal in Kali.
• Do a "mkdir yourname" to create a convenient place to save files on Kali. Files you save here will get trashed after you logout from the lab machine, so if you want to save any of them, you should email them to yourself or use sftp or scp to copy them somewhere like your Math/CS account.
• Launch Wireshark in Kali, either via a "wireshark&" command or via the Applications menu.

1. Passive information gathering

Suppose you already know the domain name or IP address of the host whose security you're trying to evaluate. There are many online data sources that can help you learn important information about your target. Using these sorts of tools is referred to as passive information gathering because it doesn't involve communicating with the target system itself. Active techniques run the risk of showing up on the target system's log files, alerting the system administrators, etc., so if you can learn something using passive techniques, it's best to do so.

• Pick a domain you're interested in, and execute:
  whois [domain-name]
  This consults an online DNS database and presents you with a summary. Read through the full output and write down things you don't understand.
• Do the same thing, but this time with
  nslookup [domain-name]
  You can also try getting more info with:
  nslookup -query=any [domain-name]
• Repeat the whois and nslookup commands, but use the IP address you discovered in the previous steps instead of a domain name. Do you get any new information, or is it the same as what you got from the domain names?
• There are many tools online for consolidating passive information gathering. Here's one from Netcraft, for example. It's a little inconsistent, but when it works, it generates interesting reports. No need to mess with it now, but I thought I'd mention this kind of thing here in context. If you find similar tools that you think are interesting, please post them on Slack.
• Special task recommended by ITS system guru Dave Flynn. Do a whois on carletonsucks.info. Who has it registered, and why?

What to hand in:

• What domain did you investigate?
• What is its IP address?
• When does the domain's registration expire?
• What information did you learn about the people or corporation responsible for the domain in question?

2. Host detection

Sometimes you know the network you're interested in targeting, but not the specific IP addresses. Host detection is the process of finding active hosts on the network.

• Scanning our local network
  • Get the IP address for your Kali instance's network interface. (Remember ifconfig?)
  • Fire up Wireshark and start capturing packets (no filter).
  • Using Kali's IP address, execute the command:
    nmap -sn [ip-address]/24
    What does the "/24" mean here? (Maybe you can get me to talk about it so you don't have to try to find a sensible explanation online.)
  • Once nmap is done, stop the capture session in Wireshark.
  • Save this capture session in your directory, in case you want to look at it later.
  • Look at the nmap output in your terminal. How many hosts did you find? What are their IP addresses? What else, if anything, did nmap tell you about them?
  • Look at the captured packets in Wireshark. What steps did nmap go through to do its host discovery? What questions do you have about how the host discovery worked?
• Scanning a remote network (this is one of those spots where I needed to get permission). Go through the same steps as above, but this time, do it on the Math/CS network (137.22.4.0/24).
  • Start a new instance of Wireshark so you can compare the previous capture session with this new one. You can do this by executing "wireshark&" in a terminal.
  • nmap -sn 137.22.4.0/24
  • Wait until nmap is done, then stop capturing, save, and look at the nmap output.
  • Compare the two Wireshark sessions. How are they different? How are they the same?

If you're interested in learning more details about host discovery, here is a handy summary of host discovery techniques, all executable using nmap.

What to hand in:

• List the IP addresses for all the active hosts you found on the local network (i.e. the hosts whose IP addresses have the same first 24 bits--i.e. the same W.X.Y of the IP address W.X.Y.Z--as Kali's IP address).
• What entities do those IP addresses represent?
• For each possible candidate IP address it was searching in the local network, what steps did nmap take? (You can answer this question by examining the Wireshark captured packets. If you want to make it easier to read the relevant packets, try doing "nmap -sn [just-one-ip-address]" instead of the /24 thing.)
• Same question, but for the 137.22.4.0/24 network.

3. Port scanning

Once you know the IP address of the host you want to target, it's time to learn more about it. One of the most important things to learn is which ports on your target system have servers listening on them. For example, at this writing, mirage.mathcs.carleton.edu has exactly one port open: port 22, for SSH logins. (SSH access is the entire purpose of mirage in Mike Tie's world. Because Mike is cautious and smart, he has made sure there are no other ports open, so as to reduce the likelihood of anybody exploiting bugs associated with the services on other ports.)

Technically, any server process can listen on any port. That said, there are many ports that are conventionally associated with specific services. SSH is normally on port 22, HTTP is on 80, HTTPS on 443, etc. These port/service combos are called well-known ports. You can see a list of them at the Wikipedia link I just gave you, or by running "cat /etc/services" on a Unix system like Kali.

The process of learning about the available services on a host is called port scanning, so let's scan some ports!

(Want to know how nmap performs a port scan? Go ahead and capture the packets in Wireshark and see what you can learn. That's not mandatory in this part of our exercise, and it's rare that a hacker would worry about the specific packets contained in a port scan, but it's pretty illuminating when you're learning.)

• In your local network scan from section 2 above, you probably identified 3 or 4 active hosts. For each of those hosts, try this command:
  nmap [ip-address]
  You should be able to tell which IP address is Metasploitable's just by the large number of ports left open. Unlike the ever-careful mtie and dflynn, the fictional sysadmin in charge of Metasploitable is a bit on the sloppy side, security-wise.
• For the Metasploitable IP address, try
  nmap -A [ip-address]
  This gives you a lot more information about each of the open ports.
• Take a spin through the "nmap -A" output. Does the target host have a web server running? How about a web server listening for HTTPS queries? An SSH server? A mail server? A database server (and if so, which one)? etc.

What to hand in:

• Which ports does Metasploitable have open, and what services do they correspond to (e.g. port 22 and SSH)?
• What database server(s) is/are available on Metasploitable?
• What is the value of the RSA SSH host key? What is the host key for?
• Pick one of the open ports that has a service you have never heard of, and explain what the service does.