## Lab 5 - Scapy recon

I generally read through the exercise before digging in to see what the exercise is designed to teach; the most interesting thing, already, is to see that we run into problems with determining if ports are open--or simply filtered--when we use scapy and nmap.

Some academic reading first on stealth port-scanning attacks and defence: Network Forensics: Detection and Analysis of Stealth Port Scanning Attack (Rajni Ranjan Singh and Deepak Singh Tomar, 2015) [1]

It seemed that the machines on the network simply needed to be in the same subnet, have no greater internet access, and had to be administered by m0n0wall as the gateway. I had tried to set up the machines to talk to each other on the vboxnet0 network but to no avail--even the machines on the same subnet refused to communicate. So I took this route as I think it simplifies the setup, and it doesn't get bogged down in dealing with em0 and em1 in m0n0wall. In fact, I disabled adapter 2 in m0n0wall, so its watchdog complains.

[screenshot: both Ubuntu machines on the internal network]

m0n0wall is also on the internal network 'intnet': Edit: Removed unnecessary image--we know what m0n0wall GUI looks like.

I had to reset m0n0wall to factory defaults with the IP 192.168.1.1. Next, I added that default gateway to both Ubuntu machines and rebooted. They have IPs of 192.168.1.104 and 192.168.1.105. Please note: for at least one of the machines I have to do the following to get the correct IP (could be an artifact from the last lab):

```shell
dhclient -r       # release the current lease
dhclient eth1     # request a fresh lease on eth1 from m0n0wall's DHCP
```

m0n0wall's GUI is accessible and giving out IPs via DHCP.

[screenshot: m0n0wall GUI is accessible]

Next, to setup pyenv and start sending packets!

I did a whoami to see which home to reference in root's .bashrc. I did sudo su to make sure I was exploring the directory as root to edit .bashrc.

[screenshot: root's .bashrc edited]

As these machines are on an internal network, I momentarily gave my ubuntu-LAN machine a bridged network to download pyenv. I also had to install scapy, python-netifaces, and nmap as this is a new VM. After installing pyenv and the other things below, I remembered to shut down and remove the adapter because I want everything to be in this internal network.

I then installed pyenv using this resource: http://opencafe.readthedocs.io/en/latest/getting_started/pyenv/ (thanks Orit!!). I found that I needed to install curl. Once cloned and placed in my home directory from Git, to run pyenv I needed to navigate to /home/d4cs-student/.pyenv/bin where I could then ./pyenv install 2.7.6 and ./pyenv global 2.7.6.

It appears I did do the editing to root's .bashrc out-of-order, but the config should still work given that now it knows where the python environment is.

Edit: no, upon installation of pyenv, something overwrote root's .bashrc. Which is crazy to think that a program can overwrite that without a normal keep-or-replace dialog!

To find it again, I need to remember to ls -a to see the hidden files.

[screenshot: ls -a]

I went through and again edited it, but I still had permission errors when using scapy (probably because I didn't log out or reboot).

I decided to simply sudo python (as you would be running as root in Kali or most pen-testing OSes anyway) and scapy worked great! (And I will go back after I finish and get pyenv working, I promise.)

To suppress the many "WARNING: Mac address to reach destination not found. Using broadcast" messages, I added the following to the imports [2]:

```python
import logging
# Raise scapy's runtime logger to ERROR so its WARNING-level notices are hidden
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
```

This cleans up the output greatly--at least for ease of reading screencaps.

Firstly, we'll send along an ICMP packet and see how the other Ubuntu VM responds:

[screenshot: python shell, scapy, and an ICMP packet]

Next, we'll send a TCP packet and see the response:

[screenshot: python shell, scapy, and a TCP packet]

To do: find out why it sends "ftp_data"--is it sending this data to each IP in the scan via TCP?
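On the ftp_data question, and on the open-versus-filtered problem mentioned at the top: scapy's TCP() layer defaults to sport=20 and dport=80, and scapy prints port 20 by its service name, ftp_data, so no FTP data is being sent; it is just the source port of the probe. The block below is an added example, not the lab's own code. It writes down the response table a SYN scan uses (SYN/ACK means open, RST means closed, no answer or an ICMP unreachable means filtered) as plain Python that runs without scapy, and adds a scapy wrapper that needs root. The target address 192.168.1.105 in the usage part is assumed from this write-up, and source port 40000 is an arbitrary choice.

```python
"""SYN-scan response classification, with a scapy wrapper.

Added example for this lab; not the author's code. The decision table is the
one nmap's -sS scan uses. classify() needs no scapy, so it runs anywhere;
syn_scan() needs scapy, root, and a reachable target (192.168.1.105 below is
the lab's own address, assumed still valid).
"""
from collections import namedtuple

# What came back for one probe, independent of scapy.
#   proto: None (no answer), "tcp", "icmp" or "other"
#   flags: TCP flag letters as scapy prints them, e.g. "SA" or "RA"
#   icmp_type / icmp_code: set only when proto == "icmp"
Probe = namedtuple("Probe", "proto flags icmp_type icmp_code")
NO_ANSWER = Probe(None, "", None, None)

# ICMP type 3 (destination unreachable) codes that a SYN scan reports as
# "filtered": 1 host, 2 protocol, 3 port, 9 net admin-prohibited,
# 10 host admin-prohibited, 13 communication admin-prohibited.
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


def classify(resp):
    """Return 'open', 'closed' or 'filtered' for one SYN probe's response."""
    if resp.proto is None:
        return "filtered"        # silently dropped: a filter, or the host is down
    if resp.proto == "tcp":
        if "S" in resp.flags and "A" in resp.flags:
            return "open"        # SYN/ACK: something is listening
        if "R" in resp.flags:
            return "closed"      # RST: host reachable, nothing on that port
    if resp.proto == "icmp" and resp.icmp_type == 3 and resp.icmp_code in FILTERED_UNREACH_CODES:
        return "filtered"        # a device told us explicitly that it blocks the port
    return "filtered"            # anything else is not a handshake answer; treat as filtered


def answer_to_probe(pkt):
    """Translate a scapy answer (or None from a timeout) into a Probe."""
    if pkt is None:
        return NO_ANSWER
    from scapy.all import TCP, ICMP   # imported here so classify() works without scapy
    if pkt.haslayer(TCP):
        # sprintf gives the flag letters on every scapy version, unlike .flags itself
        return Probe("tcp", pkt.sprintf("%TCP.flags%"), None, None)
    if pkt.haslayer(ICMP):
        return Probe("icmp", "", int(pkt[ICMP].type), int(pkt[ICMP].code))
    return Probe("other", "", None, None)


def syn_scan(target, ports, sport=40000, timeout=2):
    """SYN-scan `ports` on `target` (run as root). Scapy's TCP() defaults to
    sport=20, which it prints as ftp_data; a high port is used here instead."""
    from scapy.all import IP, TCP, sr1, conf
    conf.verb = 0
    results = {}
    for port in ports:
        ans = sr1(IP(dst=target) / TCP(sport=sport, dport=port, flags="S"), timeout=timeout)
        results[port] = classify(answer_to_probe(ans))
    return results


if __name__ == "__main__":
    # Lab target address assumed from the write-up; adjust as needed.
    for port, state in sorted(syn_scan("192.168.1.105", [22, 80, 27017]).items()):
        print("%5d  %s" % (port, state))
```

Because the scanning host's kernel never opened the connection, it answers any SYN/ACK it sees with a RST of its own, which is what keeps this a half-open scan; that is expected, not a bug. Note also that "filtered" covers two very different situations (a firewall dropping the probe, and a host that is simply down), which is exactly why nmap cannot tell them apart either without extra probes.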

I decided to run nmap to see if it could find any open ports:

[screenshot: using nmap on the remote Ubuntu VM]

I will want to open some ports--for example add a mongodb, ssh, or ftp server to open up ports. Or I can use Metasploitable (as Dave suggested) as a target machine. I added mongodb and its service runs on the default port 3306.

Lastly, the scan results:

[screenshot: unfiltered]

[screenshot: unfiltered]

[screenshot: filtered]

To do: Get the zombie reporting working properly--figure out .id
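For the zombie to-do: the field to watch is the IP ID, `IP().id` in scapy, on the packets the zombie sends back. An idle scan samples the zombie's ID, sends the target a SYN spoofed from the zombie's address, and samples the zombie again; whether the zombie's counter moved by one or by two says what the target did. The block below is an added example, not the lab's code. It assumes a zombie whose IP ID goes up by exactly one for every packet it sends; the host addresses under `__main__` are placeholders, and the source ports are arbitrary.

```python
"""IP-ID (idle / zombie) scan bookkeeping.

Added example, not the lab author's code. It assumes a zombie host whose IP
ID counter increments by one per packet it sends (step=1); without that the
verdicts are meaningless. idle_verdict() and ids_are_sequential() are pure
logic; the scapy helpers need root, a zombie, and a target, and the addresses
in __main__ are placeholders.
"""


def idle_verdict(id_before, id_after, step=1):
    """Interpret the change in the zombie's IP ID across one spoofed SYN probe.

    Each sample itself costs the zombie one packet (its RST to us), so a quiet
    zombie advances by `step` on its own between the two samples.
      +1*step -> target sent nothing (filtered) or a RST the zombie ignored (closed)
      +2*step -> target sent SYN/ACK, zombie answered it with a RST: port open
      else    -> zombie was busy or its IDs are not sequential: unreliable
    """
    delta = (id_after - id_before) % 65536   # IP ID is a 16-bit counter
    if delta == step:
        return "closed|filtered"
    if delta == 2 * step:
        return "open"
    return "unreliable"


def ids_are_sequential(samples, step=1):
    """True if consecutive zombie samples differ by exactly `step` (mod 2**16).
    Run this on a few back-to-back samples before trusting any verdict."""
    return all((b - a) % 65536 == step for a, b in zip(samples, samples[1:]))


def sample_zombie_id(zombie, timeout=2):
    """Elicit a RST from the zombie and return the IP ID it carried (scapy, root)."""
    from scapy.all import IP, TCP, sr1, conf
    conf.verb = 0
    # An unsolicited SYN/ACK makes any TCP stack reply with a RST.
    ans = sr1(IP(dst=zombie) / TCP(sport=40001, dport=80, flags="SA"), timeout=timeout)
    return None if ans is None else ans[IP].id


def idle_scan_port(zombie, target, port):
    """One idle-scan probe of target:port via the zombie."""
    from scapy.all import IP, TCP, send, conf
    conf.verb = 0
    before = sample_zombie_id(zombie)
    # Spoofed SYN: the target's reply, if any, goes to the zombie, not to us.
    send(IP(src=zombie, dst=target) / TCP(sport=40001, dport=port, flags="S"))
    after = sample_zombie_id(zombie)
    if before is None or after is None:
        return "unreliable"
    return idle_verdict(before, after)


if __name__ == "__main__":
    # Placeholder addresses; pick a genuinely idle zombie on the lab subnet.
    zombie, target = "192.168.1.104", "192.168.1.105"
    print(idle_scan_port(zombie, target, 22))
```

Two practical caveats: a modern Linux host (such as the other Ubuntu VM) is a poor zombie, because it does not keep one global incrementing IP ID counter, so `ids_are_sequential` will usually fail on it and a device such as an old printer or embedded box is the usual choice; and the spoofed SYN only reaches the target if nothing between you and it filters forged source addresses, which on this flat intnet setup is not a problem.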

Citations for Lab5 issue:

Allen, J. M. (2008). OS and Application Fingerprinting Techniques. Retrieved May 9, 2016, from https://www.sans.org/reading-room/whitepapers/authentication/os-application-fingerprinting-techniques-32923

Singh, R. R., & Tomar, D. S. (2015). Network Forensics: Detection and Analysis of Stealth Port Scanning Attack. International Journal of Computer Networks and Communications Security, 3(2), 33-42. Retrieved May 9, 2016, from http://www.ijcncs.org/published/volume3/issue2/p2_3-2.pdf