In the Reconnaissance lesson, I will delve into the essential techniques and tools used in the critical phase of reconnaissance in ethical hacking. This lesson covers both passive reconnaissance, which includes passive enumeration, and active scanning methods. I will gain hands-on experience with a range of powerful tools, including theHarvest, Recon-ng, Nmap, and Legion (Sparta), specifically designed for reconnaissance purposes. By the end of this lesson, I will have a comprehensive understanding of reconnaissance techniques and the practical skills needed to gather critical information in ethical hacking scenarios.
Environment Used
Kali Linux, Windows, and Metasploitable2 VMs
Network Attached to: NAT Network
Name: PublicNAT
IP Address = 10.0.9 Network
Tool Used: theHarvest, Recon-ng, Nmap, and Legion(Sparta)
Enumerating Email Accounts - Kali Linux: theHarvest
Enumerating hosts/services/devices - Kali Linux: Recon-ng
Active Scanning:
Nmap - the network mapper
Legion(Sparta) - GUI multi-purpose scanner
Passive Enumeration: theHarvester
Open up Kali Linux on the Oracle VM Application
Click on the top left corner of the VM for application > Scroll down to 1. Information Gathering > OSINT Analysis > theHarvester
theHarvester Navigation
Using theHarvester on my Security Bootcamp: [Springboard](https://www.springboard.com/) Website
3. on the Terminal for Kali Linux
- Type in: theHarvester -d springboard.com -b all -f report.html
- -d = domain for search; -d springboard.com = domain for search is springboard
- -b = source for searching; -b all = use all source available to search
- -f = save it in a file with filename; -f report.html = save it in report.html
4. [Report](https://drive.google.com/file/d/1uj1ZkiOXBtuG9rmnZowaQxmjkcIgopdW/view?usp=sharing) will look something like this.
Passive Enumeration: Recon-ng
1. Open up Kali Linux on the Oracle VM Application
2. Click on the top left corner of the VM for application > Scroll down to 1. Information Gathering > Scroll down to recon-ng
Recon-ng Navigation
3. Install some modules ourselves by typing in the terminal:
- > marketplace install recon
4. Check if hackertarget is installed by typing in the terminal:
- > marketplace search hackertarget
5. If hackertarget is installed load the hackertarget module by typing in the terminal:
- > modules load recon/domains-hosts/hackertarget
6. Set a source for the target search for the hackertarget module by typing in the terminal:
- > options set SOURCE springboard.com
7. Run the module by typing in the terminal:
- > run
- Found 31 servers listed in the hackertarget open source free database
Recon-ng Hackertarget in Action
8. Can show the list in a better readable format by typing in the terminal:
- > show hosts
- This is a quick way to find out:
- If you have more servers than you realized are publicly available
- If you want to find a specific Server within your own organization
Recon-ng Hackertarget in Show Host Command
Active Scanning: Nmap
- Using Kali Linux with Nmap to scan networks
- Need to open up the Window VM and the Metasploitable2 VM
- Need to switch Metasploitable2 VM's network to NAT Network/ PublicNAT
1. Open up Kali Linux, Windows, and Metasploitable2 on the Oracle VM Application
2. Check if all our VMs are in the same network [10.0.9.0/24]
- Window VM - In Cmd type: ipconfig; result: [10.0.9.5]
- Metasploitable2 VM - login with msfadmin/msfadmin then type: sudo ifdown eth0 && ifup eth0; result: [10.0.9.6]
- Kali Linux VM - Terminal type: ip a; result: [10.0.9.4]
3. Using Nmap in Kali Linux
- Type in terminal: nmap 10.0.9.0/24
- This will scan for all the 10.0.9 servers in the network
Nmap in Action
4. Nmap showed only:
- 10.0.9.1 = Network Gateway
- 10.0.9.4 = Kali Linux VM
- 10.0.9.6 = Metasploitable2 VM
- We are missing Windows VM because of Windows' firewall
5. Using the -sV command in Nmap to scan the version of services in 10.0.9.6
- Type in terminal: nmap 10.0.9.6 -sV
- We can see that 1524/tcp port can be a very crucial vulnerability
Nmap -sV Command in Action
6. Turning off Windows's firewall so Nmap can detect it
- on Windows' Administrator cmd type in: netsh advfirewall set allprofiles state off
Turning Off Firewall on Windows VM
7. Go back to Kali and redo the Nmap Scan
- nmap 10.0.9.0/24
Nmap Scanning: Windows's IP Address Showed Up This Time
8. Version Scan Windows's IP address with Nmap
- nmap 10.0.9.5 -sV
Nmap -sV on Windows VM
Action Scanning: Legion(Sparta)
1. Open up Kali Linux on the Oracle VM Application
2. Click on the top left corner of the VM for application > Scroll down to 1. Information Gathering > Scroll down to legion
legion Navigation
3. Once the legion GUI application opens up, click on the green + sign
- Add our network IP [10.0.9.0/24] in the box for IP(s), Range(s), and Host(s)
- Change the Timing and Performance Options from: Aggressive to Normal
- Aggressive is going to be too noisy for the network
- Click submit
legion IP Address Configuration
4. All the networks are found and each tab after notes can state a vulnerability
legion Scan for Device and Vulnerability found
Conclusion:
In conclusion, the Reconnaissance lesson has provided me with valuable insights into the essential techniques and tools used in the critical phase of reconnaissance in ethical hacking. I have explored both passive enumeration and active scanning methods. Through hands-on experience with powerful tools like theHarvest, Recon-ng, Nmap, and Legion (Sparta), designed for reconnaissance purposes, I have developed practical skills in gathering critical information. As a result of this lesson, I now possess a comprehensive understanding of reconnaissance techniques, making me well-prepared to execute effective reconnaissance strategies in ethical hacking scenarios.
- Employing tools such as theHarvester and Recon Hackertarget enables us to conduct passive reconnaissance on our designated target website.
- Nmap proves to be a valuable asset for comprehensive device scanning
- It is imperative to exercise caution when employing Legion for network scans, particularly within corporate settings, as prior authorization is a prerequisite.
- This precaution is essential due to potential restrictions imposed by Internet Service Providers on scanning activities.
- Also considering network environments characterized by multiple users, such as those found in large buildings or apartment complexes.
- Legion serves as a proficient tool for conducting scans aimed at identifying both devices and vulnerabilities.
Ethical Hacking 2 - Reconnaissance
Description:
In the Reconnaissance lesson, I will delve into the essential techniques and tools used in the critical phase of reconnaissance in ethical hacking. This lesson covers both passive reconnaissance, which includes passive enumeration, and active scanning methods. I will gain hands-on experience with a range of powerful tools, including theHarvest, Recon-ng, Nmap, and Legion (Sparta), specifically designed for reconnaissance purposes. By the end of this lesson, I will have a comprehensive understanding of reconnaissance techniques and the practical skills needed to gather critical information in ethical hacking scenarios.
Environment Used
Kali Linux, Windows, and Metasploitable2 VMs
Tool Used: theHarvest, Recon-ng, Nmap, and Legion(Sparta)
Passive Recon and OSINT:
Passive Enumeration:
Active Scanning:
Passive Enumeration: theHarvester
Open up Kali Linux on the Oracle VM Application
Click on the top left corner of the VM for application > Scroll down to 1. Information Gathering > OSINT Analysis > theHarvester
theHarvester Navigation
Using theHarvester on my Security Bootcamp: [Springboard](https://www.springboard.com/) Website 3. on the Terminal for Kali Linux - Type in: theHarvester -d springboard.com -b all -f report.html - -d = domain for search; -d springboard.com = domain for search is springboard - -b = source for searching; -b all = use all source available to search - -f = save it in a file with filename; -f report.html = save it in report.html 4. [Report](https://drive.google.com/file/d/1uj1ZkiOXBtuG9rmnZowaQxmjkcIgopdW/view?usp=sharing) will look something like this.
Passive Enumeration: Recon-ng
1. Open up Kali Linux on the Oracle VM Application 2. Click on the top left corner of the VM for application > Scroll down to 1. Information Gathering > Scroll down to recon-ngRecon-ng Navigation
3. Install some modules ourselves by typing in the terminal: - > marketplace install recon 4. Check if hackertarget is installed by typing in the terminal: - > marketplace search hackertarget 5. If hackertarget is installed load the hackertarget module by typing in the terminal: - > modules load recon/domains-hosts/hackertarget 6. Set a source for the target search for the hackertarget module by typing in the terminal: - > options set SOURCE springboard.com 7. Run the module by typing in the terminal: - > run - Found 31 servers listed in the hackertarget open source free database
Recon-ng Hackertarget in Action
8. Can show the list in a better readable format by typing in the terminal: - > show hosts - This is a quick way to find out: - If you have more servers than you realized are publicly available - If you want to find a specific Server within your own organization
Recon-ng Hackertarget in Show Host Command
Active Scanning: Nmap
- Using Kali Linux with Nmap to scan networks - Need to open up the Window VM and the Metasploitable2 VM - Need to switch Metasploitable2 VM's network to NAT Network/ PublicNAT 1. Open up Kali Linux, Windows, and Metasploitable2 on the Oracle VM Application 2. Check if all our VMs are in the same network [10.0.9.0/24] - Window VM - In Cmd type: ipconfig; result: [10.0.9.5] - Metasploitable2 VM - login with msfadmin/msfadmin then type: sudo ifdown eth0 && ifup eth0; result: [10.0.9.6] - Kali Linux VM - Terminal type: ip a; result: [10.0.9.4] 3. Using Nmap in Kali Linux - Type in terminal: nmap 10.0.9.0/24 - This will scan for all the 10.0.9 servers in the networkNmap in Action
4. Nmap showed only: - 10.0.9.1 = Network Gateway - 10.0.9.4 = Kali Linux VM - 10.0.9.6 = Metasploitable2 VM - We are missing Windows VM because of Windows' firewall 5. Using the -sV command in Nmap to scan the version of services in 10.0.9.6 - Type in terminal: nmap 10.0.9.6 -sV - We can see that 1524/tcp port can be a very crucial vulnerability
Nmap -sV Command in Action
6. Turning off Windows's firewall so Nmap can detect it - on Windows' Administrator cmd type in: netsh advfirewall set allprofiles state off
Turning Off Firewall on Windows VM
7. Go back to Kali and redo the Nmap Scan - nmap 10.0.9.0/24
Nmap Scanning: Windows's IP Address Showed Up This Time
8. Version Scan Windows's IP address with Nmap - nmap 10.0.9.5 -sV
Nmap -sV on Windows VM
Action Scanning: Legion(Sparta)
1. Open up Kali Linux on the Oracle VM Application 2. Click on the top left corner of the VM for application > Scroll down to 1. Information Gathering > Scroll down to legionlegion Navigation
3. Once the legion GUI application opens up, click on the green + sign - Add our network IP [10.0.9.0/24] in the box for IP(s), Range(s), and Host(s) - Change the Timing and Performance Options from: Aggressive to Normal - Aggressive is going to be too noisy for the network - Click submit
legion IP Address Configuration
4. All the networks are found and each tab after notes can state a vulnerability
legion Scan for Device and Vulnerability found
Conclusion:
In conclusion, the Reconnaissance lesson has provided me with valuable insights into the essential techniques and tools used in the critical phase of reconnaissance in ethical hacking. I have explored both passive enumeration and active scanning methods. Through hands-on experience with powerful tools like theHarvest, Recon-ng, Nmap, and Legion (Sparta), designed for reconnaissance purposes, I have developed practical skills in gathering critical information. As a result of this lesson, I now possess a comprehensive understanding of reconnaissance techniques, making me well-prepared to execute effective reconnaissance strategies in ethical hacking scenarios. - Employing tools such as theHarvester and Recon Hackertarget enables us to conduct passive reconnaissance on our designated target website. - Nmap proves to be a valuable asset for comprehensive device scanning - It is imperative to exercise caution when employing Legion for network scans, particularly within corporate settings, as prior authorization is a prerequisite. - This precaution is essential due to potential restrictions imposed by Internet Service Providers on scanning activities. - Also considering network environments characterized by multiple users, such as those found in large buildings or apartment complexes. - Legion serves as a proficient tool for conducting scans aimed at identifying both devices and vulnerabilities.