SEC560 Lab Workbook

Copyright © 2019, Tim Medin, Ed Skoudis, and Erik Van Buggenhout. All rights reserved to Tim Medin, Ed Skoudis, and Erik Van Buggenhout and/or SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE "USER") AND SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.

With the CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by SANS Institute to User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

BY ACCEPTING THIS COURSEWARE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO SANS INSTITUTE, AND THAT SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF. If you do not agree, you may return the Courseware to SANS Institute for a full refund, if applicable.

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of SANS Institute. If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware.

SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this Courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There's an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc. PMP and PMBOK are registered marks of PMI. SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission. SIFT® is a registered trademark of Harbingers, LLC. Used with permission.

Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.

SEC560_W_E01_04

Welcome to the SANS SEC560 Lab Wiki!
This wiki is your guide to the lab exercises in SANS SEC560. In order to keep labs current, to make them more accessible (cut and paste!), and to present the steps in color with rich context, we present the material here in HTML format. You will also get a hard copy of the printed materials to keep as an heirloom (and to bring into an exam center when you take the GIAC exam).

This lab wiki is a work in progress and is frequently revised by the course authors. This is beneficial to all, since you continue to get updates to lab material as we improve the quality of the exercises, correct typos, and add new exercises.

Accessing the Digital Edition of the Lab Wiki

To access the digital edition of the lab wiki from the Slingshot Linux VM, open the Firefox browser. The home page will display this text and allow you to navigate to the course lab exercises.

Similarly, you can access the digital edition of the lab wiki from the class Windows 10 VM as well. Open the Chrome browser and the home page will display this text.

Updating the Lab Wiki - Linux

To update the lab wiki on the Linux VM, make sure your Slingshot Linux VM … update-nilsi .pst

Note: You must open a PowerShell prompt to update the wiki content, not a Command Prompt!

That's it! With this one step, you will always have the most current lab materials.

Conventions

The following typographical conventions are used throughout the labs:

+ Italic: indicates new terms and items of emphasis.
+ Monospace: used for terminal output and within paragraphs to refer to tools or other elements such as variables, function names, statements, keywords, etc.
+ | (vertical bar): indicates the steps necessary for navigating through menus (Edit | Paste).

Code blocks are used to denote output from tools. Content that is bold represents commands you type.
For example:

    sec560@slingshot:~$ run_this_command
    output from the tool

In some cases, the commands you type will call for information that you supply (e.g., information that we don't know). In these cases, the content that you supply is noted in italics: yourinput. Replace yourinput with the information you supply as described in the exercise.

This icon signifies a tip, suggestion, warning, or a general note.

Course and Lab Feedback

We are always excited to hear your feedback on the course materials. Is there a bug we need to squash? Do you have a suggestion for a new awesome tool that we just have to see? Please let us know: https://www.sec560.org/feedback

You can also reach out to Tim directly:

+ Tim Medin - tim@redsiege.com

Thank you!

Update: 20191016-001

Getting Started

Follow these steps to get started with the virtual machine systems you will use for class exercises. If you have already copied the lab VMs to your computer, decompressed them, and booted the systems following the course lecture introductory material, you don't have to do it again here!

Brief Intro

Using VMware, you will boot and run two virtual machine (VM) systems for the class lab exercises. The VM systems are supplied on your class USB drive. In this getting started guide, you will copy the compressed VMs to your local hard drive, decompress them, and boot the two systems.

Walkthrough

VMware Required

All of the class lab exercises will use VMware as the hypervisor to boot and run the lab VMs. Please ensure you have already downloaded and installed VMware on your laptop. If you have not already installed VMware, download and install it now for your platform:

+ VMware Workstation Player for Windows systems
+ VMware Fusion for macOS systems

You may be eligible for a free trial period of VMware Workstation Player or VMware Fusion.
We do not support the use of other virtualization products such as VirtualBox or Hyper-V in this class. You are welcome to experiment and try to use these platforms, but we cannot support any problems that may arise.

Copy the VM Files

Insert the USB drive into your laptop. Using Windows Explorer or Finder (macOS), copy the contents of the USB to your desktop or another convenient location. This will take several minutes to complete.

Setting up the VMs

The Windows 10 and Slingshot Linux VMs are in .ova format, allowing you to more easily import the images. See Lab 1.1 for detailed VM configuration instructions.

Log in to the Windows 10 VM

After the Windows 10 VM finishes booting, log in with the following username and password:

+ Username: sec560
+ Password: sec560

That's the last step for Windows! You can keep the Windows 10 VM running and continue to experiment or shut it down until you need it for a lab exercise.

Next, we will repeat these steps for the Slingshot Linux VM. Again, for detailed information on setting up the VM, see Lab 1.1.

Log in to the Slingshot Linux VM

After the Slingshot Linux VM finishes booting, log in with the following username and password:

+ Username: sec560
+ Password: sec560

That's the last step! You can keep the Slingshot Linux VM running and continue to experiment or shut it down until you need it for a lab exercise.

Lab 1.1: Setting Up the Virtual Machine Images

This document outlines the steps for setting up your Slingshot Linux and Windows 10 VMs and connecting them to the class network.

Objectives

+ Extract the Slingshot and Windows VMs
+ Configure VMware and connect VMs to the network
+ VPN Connection - SANS OnDemand, vLive, or Simulcast students only!
+ Confirm network connectivity

Overview

SEC560 includes over 30 hands-on labs integrated into the course. Each lab teaches multiple lessons that are directly useful in conducting real-world penetration tests and Red Team engagements. The course USB includes all the tools needed for every lab in the class. Many of the labs rely on the Slingshot Linux distribution and the Windows VM included on the course USB. This lab provides detailed information for networking the student's Windows machine as well as the course Slingshot Linux image.

Virtual Machine Extraction and Configuration

The USB contains two Virtual Machines (VMs): a Windows 10 VM and a Linux VM (Slingshot). Both of these VMs will be used every day in this class, so getting them networked is important. For students in the live classroom environment, you'll need to connect to an Ethernet switch in the classroom. For students taking the class via SANS OnDemand, vLive, or Simulcast, you'll need to set up a VPN connection from your Windows and Slingshot Linux systems to access the targets. The VMs will take up approximately 50 GB of space on your hard drive when extracted.

1. Open VMware Fusion, VMware Workstation, or VMware Workstation Player.
2. Click on File.
3. Click on Import or Open Virtual Machine (depending on your VMware product).
4. Find the .ova file for Slingshot on the USB and open the VM. If VMware prompts you about whether you "moved" or "copied" this virtual machine, select "I copied it." If it doesn't prompt you, that's okay.
5. Repeat the above steps for the Windows .ova file.
Credentials

The default credentials for both the Windows and Slingshot VMs are the same:

+ Username: sec560
+ Password: sec560

Change the password for this account to a value you'll remember but that isn't easily guessed or cracked. We'll be connected to a network with other students in this course, and you do not want them to know the password for your Linux or Windows image.

Linux

1. Change the password for the sec560 user using the passwd command:

    sec560@slingshot:~$ passwd

   Enter your chosen password once and then again to set it.

2. Change the password for root:

    sec560@slingshot:~$ sudo passwd

Windows

1. Click the menu in VMware and select VM | Send Ctrl+Alt+Del.

   [Screenshot: VMware VM menu with "Send Ctrl+Alt+Del" highlighted]

2. Click "Change a password".
3. Change the password for the sec560 user. First enter the original password of sec560, then enter your chosen password twice.

Network Configuration

For most of the exercises in SEC560, your VMs will be configured to use VMware's Bridged network setting. This allows you to connect to the Windows VM and the target systems.

Bridged Mode vs Host-only Mode

We will use Bridged mode for most exercises as well as the entire capstone CTF. Use Bridged mode unless otherwise instructed. The instructions below describe how to configure your VM for Bridged mode. If you have been instructed to use Host-only mode, follow the same instructions except select Host-only instead of Bridged.

Host OS and VMware Version

The method to change networking modes depends on your host operating system. The steps in this lab cover the configuration needed to connect Slingshot Linux and Windows 10 to the network.
You can skip to the pertinent configuration section by clicking one of the links below. Refer to the example below that matches your operating system environment.

+ VMware Fusion (macOS)
+ VMware Workstation
+ VMware Workstation Player
+ SANS OnDemand, vLive, or Simulcast Students Only

Special Note for Remote Students (SANS OnDemand, vLive, or Simulcast Students)

If you are taking this course remotely via SANS OnDemand, vLive, or Simulcast, click on the "My Lab" link in your Account Dashboard for instructions on connecting to the lab environment.

IMPORTANT NOTE: For all labs that use the tcpdump sniffer, specify the tap0 network interface at the command line using the -i option as follows:

    sec560@slingshot:~$ sudo tcpdump -i tap0 -nn

When replacing YOUR_LINUX_IP_ADDRESS in exercises that use Metasploit, use your tap0 10.10.76.X IP address.

VMware Configuration

macOS VMware Fusion - Configuring Bridged Networking

To configure bridged networking in macOS VMware Fusion, complete the following steps.

1. Select the Slingshot VM (click anywhere inside the VM).
2. Next, click Virtual Machine | Network Adapter | Network Adapter Settings..., as shown below.

   [Screenshot: Fusion Virtual Machine menu showing Network Adapter options: NAT, Bridged (Autodetect), Bridged (Thunderbolt Ethernet), Host-only]

3. Make sure that "Connect Network Adapter" is checked.

   [Screenshot: Fusion Network Adapter settings dialog. "This network adapter is configured to use:" with "Share with my Mac" and "Bridged Networking" (the virtual machine appears as an additional computer on the physical Ethernet network).]
   [Screenshot: Bridged Networking list (Autodetect, Wi-Fi, Belkin USB-C LAN, USB 10/100/1000 LAN, Thunderbolt Ethernet Slot 1, iPhone USB, iPad USB, Bluetooth PAN) with the wired adapter selected. Select your wired interface, not Wi-Fi!]

4. Near the middle-left part of your screen, in the section under "Bridged Networking", click the radio button corresponding to your Ethernet adapter.
5. Perform the same steps again but in Step 1, use your Windows 10 VM instead.

VMware Workstation - Configuring Bridged Networking

Note: This section describes the configuration for Workstation, which is a paid product. This section does not describe configuration settings for the free Workstation Player tool. Follow the link to go to configuration settings for Workstation Player.

To configure bridged networking in VMware Workstation, complete the following steps. If you are using Linux as your host OS, you may have to run VMware Workstation as root to complete the steps below.

1. Click Edit | Virtual Network Editor, as shown below.

   [Screenshot: Workstation Edit menu with "Virtual Network Editor..." highlighted]

2. Click on the "Change Settings" button (bottom right). A UAC dialog box may prompt you to accept the change. Click "Yes" to do so.

   [Screenshot: Virtual Network Editor listing VMnet1 (Host-only) and VMnet8 (NAT), with the Bridged / NAT / Host-only radio buttons and the note "Administrator privileges are required to modify the network configuration."]

3. Make sure that your VMnet0 interface is highlighted at the top of the screen. Near the center of the screen, make sure that the radio button is set for "Bridged", and click on the dropdown menu where it says "Automatic" and change it to choose your Ethernet interface. Different computers will have different names for the Ethernet interface, so select the one that most likely matches your Ethernet interface. In particular, for in-classroom SANS training where there is a live Ethernet network, do not select the wireless interface.

   [Screenshot: Virtual Network Editor "Bridged to:" dropdown listing the host's adapters (USB Gigabit Ethernet adapter, Bluetooth, Wi-Fi Direct, wireless). Select your wired interface, not your Wi-Fi interface!]

4. Click on "Apply" and then on "OK" to close the configuration screen.
5. Select the Slingshot VM (click anywhere inside the VM).
6. Click on VM | Removable Devices | Network Adapter | Settings.

   [Screenshot: Workstation VM menu showing Removable Devices | Network Adapter | Settings]

7. Click on the "Network Adapter" and then click on "Bridged" and check the box next to "Replicate physical network connection state".

   [Screenshot: Virtual Machine Settings dialog, Hardware tab, Network Adapter selected]
   [Screenshot: Network connection options: Bridged (connected directly to the physical network) with "Replicate physical network connection state", NAT (used to share the host's IP address), Host-only (a private network shared with the host), Custom (specific virtual network), LAN segment]

8. Perform Steps 6 and 7 again, but select the Windows 10 VM first instead.

VMware Workstation Player - Configuring Bridged Networking

This section covers Windows VMware Workstation Player (not VMware Workstation; see the prior section for those directions).

To configure bridged networking in VMware Workstation Player, complete the following steps. If you are using Linux as your host OS, you may have to run VMware Workstation Player as root to complete the steps below.

1. Select the Slingshot VM (click anywhere inside the VM).
2. Click Player | Manage | Virtual Machine Settings.

   [Screenshot: Player menu showing Removable Devices, Send Ctrl+Alt+Del, Full Screen (Ctrl+Alt+Enter), Message Log, Manage]

3. Click on the following:
   A. Select "Network Adapter" near the middle of the screen.
   B. Make sure that "Connected" and "Connect at power on" are selected.
   C. Make sure the radio button for "Bridged" is selected and that "Replicate physical network connection state" is checked.
   D. Click on the "Configure Adapters" button.

   [Screenshot: Virtual Machine Settings dialog with Network Adapter selected, Bridged chosen, and the "Configure Adapters" button]

4. Deselect all network adapters except your Ethernet interface. Make sure that only your Ethernet adapter is checked and that all other interfaces are unchecked. Different computers will have different names for the Ethernet interface, so select the one that most likely matches your Ethernet interface. In particular, your wireless adapter should be deselected, as well as all other interfaces, to force VMware to use your Ethernet adapter.

   [Screenshot: Automatic Bridging Settings dialog, "Select the host network adapter(s) you want to automatically bridge", with only the Ethernet adapter checked (Loopback adapter and TAP-Windows adapter unchecked)]

Confirm Network Connectivity

Windows

Open a command prompt and ping 10.10.10.10.

   [Screenshot: Command Prompt showing `ping 10.10.10.10` answered with "Reply from 10.10.10.10: bytes=32 ... TTL=128" lines]

If the command is unsuccessful, ensure your network interface is properly configured.

Confirm the firewall is disabled by running the command below, making sure all the output lines say OFF:

    C:\> netsh advfirewall show allprofiles | find /i "state"

If the firewall is not off:

1. Launch an elevated prompt. To do this, click on the "Command Prompt - Run as Administrator" icon on the desktop. Note: The icon text may be truncated.
2. Type the command below to disable the firewall:

    C:\> netsh advfirewall set allprofiles state off

3. Confirm the firewall is indeed off by running the command:

    C:\> netsh advfirewall show allprofiles | find /i "state"

Linux

Open the Mate Terminal and ping 10.10.10.10.
   [Screenshot: Mate Terminal showing `ping 10.10.10.10` with "64 bytes from 10.10.10.10: icmp_seq=1 ttl=128" replies and "5 packets transmitted, 5 received, 0% packet loss"]

If the command is unsuccessful, ensure your network interface is properly configured. To terminate the command, press Ctrl+C.

Confirm Connectivity between your VMs

1. Find your Linux IP address by running ifconfig eth0 from the terminal.
2. In Windows, ping your Linux IP address.
3. Find your Windows IP address by running ipconfig from the command prompt.
4. Ping your Linux IP address.

Conclusion

In this lab, we've seen how to extract and configure the Slingshot Linux and Windows 10 images for the 560 course. These images include all of the tools we'll be using for the class.

+ Linux - The tools needed for the class are installed in the /opt directory.
+ Windows - The tools needed for the class are installed in the C:\… directory. There is a link to this directory on the desktop.

This completes the configuration of your Windows 10 VM and your Slingshot Linux VM for access to networked resources.
Lab 1.2: Scope and RoE Role Play

Objectives

+ To analyze a penetration test Request for Proposal (RFP)
+ To create a scope for a sample penetration test
+ To create Rules of Engagement for that penetration test

Overview

For this interactive, role-playing lab, we will build Rules of Engagement and a scope for a sample penetration test by doing some interactive role playing. Your instructor will divide the class into teams of approximately two people. (If you are taking the class via SANS vLive, your instructor will play the part of the client during the lab; if you are taking the class via SANS OnDemand, you'll receive both the client and the pen tester mystery sheets, for which you can formulate the appropriate questions and answers for the scope and Rules of Engagement.)

The pen test client group is an organization that has issued an ambiguous RFP for a penetration testing project. The pen tester will ask the client to get more information about the project for scoping. Furthermore, both sides need to agree on the Rules of Engagement. The testers should also describe the risks and recommended approach for the project to the client.

You could view this lab as an external penetration testing company getting information to prepare a bid for a client, or you could view it as a set of internal testers preparing for a test of their own organization by discussing the test with the target business unit. Either approach is acceptable.

The clients and testers will work separately for about three to five minutes, reviewing the details of a mystery sheet that each person will receive. The client sheet will describe the client's business with information that the testers should ask about. The tester sheet will describe the background of the testers to help them plan their approach.
The RFP

The RFP issued by the client company provides rather limited details about the test. Quite often, in the penetration testing business, testers are presented with limited information about a potential project up front, making the scoping task vitally important so that both the client and the testers are on the same page for the test.

The RFP includes the following facts:

+ The test will be performed for Target Widgets, a manufacturing company with 5,000 employees and offices in three countries.
+ The company wants a penetration test (either from an outside penetration testing company or from a technical group within the company; either is a valid approach for our purposes here).
+ The goal of the project is to find security flaws that may have resulted from improper policies, practices, implementation, patch management, and so on.
+ That's it. The RFP includes no further information.

For the lab, the testers will receive a tester's sheet, whereas the clients will receive a client's sheet. The instructions on the sheet will provide more detail about the given organization, as well as certain items to cover during the scoping and Rules of Engagement meeting. Make sure you take notes in your books and/or on the sheet because you must prepare for this meeting. If you have any further questions, please feel free to ask the instructor.

Important Notes

For this lab, keep in mind that we are focusing exclusively on scoping and setting the Rules of Engagement. The meeting is not meant to be adversarial. Engage in a positive discussion to determine the proper scope and Rules of Engagement, improvising where necessary. The clients are NOT evaluating the skills or background of the penetration testers. Furthermore, the penetration testers are not trying to evaluate whether they want to engage in the project. The project has been awarded to the testing team, and both sides are delighted with the decision.
The point here is to devise an appropriate scope and Rules of Engagement. Do not discuss price, level of effort, or qualifications during this meeting because we need to focus on scope and Rules of Engagement.

The Scope and Rules of Engagement Meeting

To begin the meeting between clients and testers, run through the slides earlier in this session to devise a set of questions for scoping and setting Rules of Engagement. Work your way point by point through the book to make sure you've covered each issue.

In addition, you could work through this lab by filling out the templates for Scope and Rules of Engagement. They are included on the course USB drive in the cheat sheets directory (Rules_of_Engagement_Worksheet.rtf and Scope_Worksheet.rtf). Please open those files and use them to guide your conversation. They are also linked here:

+ Rules of Engagement Worksheet.rtf
+ Scope Worksheet.rtf

To get ready for the debriefing, record your answers to the mystery sheet questions on the worksheets.

The Debriefing

After finishing the meeting, we will conduct a debriefing session for the lab. The course instructor will lead a discussion, choosing people from each group to present the results of their scoping discussion during the lab. In particular, you will be asked whether the issues on the mystery sheet were properly addressed during the scoping discussion. Also, did the clients ask any unexpected questions? How did the testers answer? Did the testers ask anything out of the ordinary, and how did the clients respond?
Unfortunately, there may not be time for every team to present every aspect of their results. Your instructor will help keep the conversation focused so that the most salient points will be addressed while keeping the class on schedule.

Lab 1.3: Metadata Treasure Hunt

Objectives

+ To use ExifTool to analyze .xls, .doc, and .pdf files for information that will be useful in a penetration test
+ To gather recon information about usernames, email addresses, file system paths, and other sensitive data associated with a target organization

Table of Contents

+ Lab Setup
+ Questions to be answered
+ Walkthrough
+ Conclusion

Lab Setup

The files you will examine in this lab are located in /home/sec560/coursefiles/metadata/. The files are:

+ WidgetStatisticalAnalysis.xls
+ WidgetStatisticalWhitepaper.doc
+ WidgetStatisticalWhitepaper.pdf

Please use the copy in your Linux VM. The links are provided here so they can be accessed in Windows.

The goal of this lab is to run exiftool and strings on each of these files, trying to answer the specific questions posed below.

A copy of each of these files is also included on the course USB drive in the coursefiles\metadata directory. You can open them in Windows and look at them if you'd like, but the lab should be performed in Linux, which has exiftool and strings installed.

ExifTool can be invoked on the VMware Linux image to analyze a file by running:

    sec560@slingshot:~$ exiftool filename

To run strings against a file, you could simply use:

    sec560@slingshot:~$ strings filename

Try this for each of the files, and enter the data you discover that answers the questions on the next page. Also, remember that you can peek ahead at the answers and the approach used to determine them.
Questions:

+ What is the full name of user Bob? What is Bob's nickname?
+ What is Bob's email address?
+ What Personally Identifiable Information is located in the spreadsheet (.xls) file?
+ What information is associated with the organization's firewall ruleset?

Hint: The command below shows lines of output with the word "firewall" in a case-insensitive fashion.

    sec560@slingshot:~$ strings filename | grep -i firewall

If you have some extra time, also look through the files to find all file system paths and URLs.

Hint 1: You should consider looking for forward slashes by piping your output through grep to search for a / character using the command below.

    sec560@slingshot:~$ strings filename | grep /

Hint 2: To find lines with a single backslash in them, you could pipe your data through grep '\\'. That syntax will make your shell send a single \ into the grep command.

    sec560@slingshot:~$ strings filename | grep '\\'

Also, remember that you can peek ahead to the answers.

Walkthrough - Step-by-Step Instructions and Answers

Bob's Full Name, Nickname, and Email Address

Bob created the .doc and .xls files in Microsoft Word and Microsoft Excel, respectively, so we can analyze the metadata of either file to determine Bob's full name and nickname. Microsoft Office inserts usernames and author information in specific fields of the files it generates, so we can look for this structured metadata with ExifTool.
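Before the walkthrough, an added example (not part of the course materials) that automates the strings-and-grep triage from the hints above in Python. It reimplements the `strings -n` idea so you can see the cut-off at work, adds a UTF-16LE pass (Office binaries store many property values that way, and GNU strings only shows them with `-e l`), and applies the lab's filters for email addresses, \\UNC paths, ..\relative paths, URLs and the keyword "firewall". The byte layout of SAMPLE is constructed here; Bob's name, email and hyperlink paths are the lab's own values, and the intranet URL is made up.

```python
"""Offline triage of a document's bytes for leaked metadata (added example)."""
import re
import sys
from typing import Dict, List

MIN_LEN = 8  # like `strings -n 8`: skip the short junk runs binary files are full of

# The lab's grep filters, tightened so the hit is the address/path itself.
FILTERS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "unc_path": re.compile(r"\\\\[^\\]+(?:\\[^\\]+)+"),   # \\server\share\file
    "relative_path": re.compile(r"\.\.(?:\\[^\\]+)+"),     # ..\My Pictures\x.png
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}
KEYWORDS = ("firewall",)  # matched case-insensitively, like `grep -i firewall`


def extract_strings(data: bytes, min_len: int = MIN_LEN, utf16: bool = True) -> List[str]:
    """Return printable runs of at least min_len characters, in file order.

    The ASCII pass is what `strings` does by default. The UTF-16LE pass picks up
    the two-bytes-per-character strings that legacy Office files use for many
    property values; plain `strings` misses those unless run with `-e l`.
    """
    runs = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        runs.append((m.start(), m.group().decode("ascii")))
    if utf16:
        for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
            runs.append((m.start(), m.group().decode("utf-16-le")))
    runs.sort()
    return [text for _, text in runs]


def triage(strings: List[str]) -> Dict[str, List[str]]:
    """Group the interesting strings by category; each hit listed once, in order."""
    report: Dict[str, List[str]] = {name: [] for name in FILTERS}
    report["keyword"] = []
    for text in strings:
        for name, pattern in FILTERS.items():
            for hit in pattern.findall(text):
                if hit not in report[name]:
                    report[name].append(hit)
        # For keywords the whole line is the useful context, as with grep.
        if any(k in text.lower() for k in KEYWORDS) and text not in report["keyword"]:
            report["keyword"].append(text)
    return report


def audit_bytes(data: bytes) -> Dict[str, List[str]]:
    """strings -n MIN_LEN, both encodings, then the grep filters: one call."""
    return triage(extract_strings(data))


# Constructed stand-in for a fragment of an OLE2 .doc/.xls file. Bob's values
# are the lab's; the intranet URL is invented for this example.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24            # OLE2 magic + padding
    + b"Bob the Awesome\x00\x01\x02\x03"                            # Author (ASCII)
    + b"Bob Boberson\x00\x00"                                       # Last Modified By
    + "bob.boberson@560gc.tgt".encode("utf-16-le") + b"\x00\x00"    # E-Mail (UTF-16LE)
    + b"\\\\webserver\\wwwroot\\images\\560gc_logo.jpg\x00"         # UNC hyperlink
    + b"..\\My Pictures\\chart.png\x00"                             # relative hyperlink
    + b"ab\x07cd\x00"                                               # too short: dropped
    + b"See Firewall ruleset v2 in Appendix\x00\x00"                # keyword hit
    + "http://intranet.560gc.tgt/wiki".encode("utf-16-le")           # URL (UTF-16LE)
)

if __name__ == "__main__":
    # Pass a real file path to audit it; with no argument the constructed sample runs.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for category, hits in audit_bytes(data).items():
        print(f"{category:14s} {hits}")
```

Run against your own published documents before release, the same two passes show what an outside party would recover from them.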
You can run ExifTool against either the .doc or the .xls file.

    sec560@slingshot:~/coursefiles/metadata$ exiftool WidgetStatisticalWhitepaper.doc
    ExifTool Version Number         : 10.10
    File Name                       : WidgetStatisticalWhitepaper.doc
    Directory                       : .
    File Size                       : 35 kB
    File Modification Date/Time     : 2018:08:29 18:06:06+00:00
    File Access Date/Time           : 2019:06:29 17:24:23+00:00
    File Inode Change Date/Time     : 2019:06:29 17:28:35+00:00
    File Type                       : DOC
    File Type Extension             : doc
    MIME Type                       : application/msword
    Title                           : Statistical Analysis Whitepaper
    Author                          : Bob the Awesome
    Template                        : Normal
    Last Modified By                : Bob Boberson
    Revision Number                 : 23
    Software                        : Microsoft Word 9.0
    Total Edit Time                 : 22.0 minutes
    Company                         : 560 Global Conglomerate
    Lines                           : 10
    Paragraphs                      : 2
    Char Count With Spaces          : 1538
    App Version                     : 9.8968
    Scale Crop                      : No
    Links Up To Date                : No
    Shared Doc                      : No
    Hyperlinks Changed              : No
    Title Of Parts                  : Statistical Analysis Whitepaper
    Heading Pairs                   : Title, 2
    Code Page                       : Windows Latin 1 (Western European)
    Hyperlinks                      : \\webserver\wwwroot\images\560gc_logo.jpg, ..\My Pictures\chart.png
    Comp Obj User Type Len          : 24
    Comp Obj User Type              : Microsoft Word Document
    ... (remaining fields omitted)

The interesting data from the above command:

    Author                          : Bob the Awesome
    Last Modified By                : Bob Boberson
    Hyperlinks                      : \\webserver\wwwroot\images\560gc_logo.jpg, ..\My Pictures\chart.png

We can see the Author and his name as well as file paths.

Next, examine WidgetStatisticalAnalysis.xls using ExifTool:

    sec560@slingshot:~/coursefiles/metadata$ exiftool WidgetStatisticalAnalysis.xls
    ExifTool Version Number         : 10.10
    File Name                       : WidgetStatisticalAnalysis.xls
    Directory                       : .
    File Size                       : 22 kB
    File Modification Date/Time     : 2018:08:29 18:06:06+00:00
    File Access Date/Time           : 2019:06:29 17:34:33+00:00
    File Inode Change Date/Time     : 2019:06:29 17:28:35+00:00
    File Type                       : XLS
    File Type Extension             : xls
    MIME Type                       : application/vnd.ms-excel
    Title                           : Intense Statistical Analysis of Color Preferences in 560 Global Conglomerate Customers
    Author                          : Bob the Awesome
    Last Modified By                : Bob Boberson
    Software                        : Microsoft Excel
    Create Date                     : 2009:12:30 14:37:52
    Security                        : None
    Company                         : 560 Global Conglomerate
    App Version                     : 9.8968
    Scale Crop                      : No
    Links Up To Date                : No
    Shared Doc                      : No
    Hyperlinks Changed              : No
    Heading Pairs                   : Worksheets, 1
    Code Page                       : Windows Latin 1 (Western European)
    E-Mail                          : bob.boberson@560gc.tgt
    Comp Obj User Type Len          : 26
    Comp Obj User Type              : Microsoft Excel Worksheet
    ... (remaining fields omitted)

The interesting data from the above command is:

    Author                          : Bob the Awesome
    Last Modified By                : Bob Boberson
    E-Mail                          : bob.boberson@560gc.tgt

Bob's full name is Bob Boberson (from the Last Modified By field). Bob's nickname appears to be Bob the Awesome, as indicated in the Author field. Bob's email address appears to be bob.boberson@560gc.tgt, as indicated in the E-Mail field.

Personally Identifiable Information (PII)

To find PII in the .xls file, we can look for strings of consecutive printable characters. However, many files are littered with meaningless small strings, so we'll focus our search on longer strings, such as eight characters or more in length. When we do this using the strings command with the -n option, we find some interesting strings in the .xls file, as shown below (output truncated for brevity).

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 WidgetStatisticalAnalysis.xls
    Daniel Pendelino
    ThisWorkbook
    ... (Excel number-format strings omitted)
    Customer Color Preferences
    Number of Customers
    Customer
    Color Preference
    Mrs. Boberson
    ... (identification-number-like strings omitted)
    Sally Southers
    ...

In the output, you'll see strings with the full names of various people (Mrs. Boberson, Sally Southers, and more) along with data that appears to be Social Security numbers or some government-related identification numbers. This is likely PII that has leaked out of the target organization.

Firewall Information

Next, we'll look for information about the firewall of the target organization by running strings and grepping its output for the string "firewall" in a case-insensitive fashion.

    sec560@slingshot:~/coursefiles/metadata$ strings WidgetStatisticalAnalysis.xls | grep -i firewall

There's no output, which implies that there are no such ASCII strings in this document.

    sec560@slingshot:~/coursefiles/metadata$ strings WidgetStatisticalWhitepaper.pdf | grep -i firewall

Again, we see no output.

    sec560@slingshot:~/coursefiles/metadata$ strings WidgetStatisticalWhitepaper.doc | grep -i firewall
    Note to self. Sandra asked to open port 8000 on the Windows Web server firewall for something called IceCast. Do this before lunch.

Here we see output that mentions opening up port 8000 on the Windows Web server firewall for IceCast, which is a streaming audio service.
Bob apparently made this comment to remind himself to take this action before lunch.

Path and URL Information

If you have extra time, you can look for additional information, specifically URLs and file system paths, in the files. These might be useful to a penetration tester who is looking to target specific valuable information assets in a target organization. File system paths may be structured or unstructured metadata, so we'll look for them using both ExifTool and strings.

We'll start with ExifTool. To make our analysis more efficient, we'll rely on a feature of ExifTool that lets us specify multiple files on the command line, one after another, and the tool will retrieve metadata from all files we specify. First, let's run ExifTool to look through each of our three files, grepping our output to find slashes (/):

    sec560@slingshot:~/coursefiles/metadata$ exiftool WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep /

Next, let's look for backslashes. (Sending grep '\\' makes grep look for a single backslash only.)

    sec560@slingshot:~/coursefiles/metadata$ exiftool WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep '\\'

Here we see file system paths of \\webserver\wwwroot\images\560gc_logo.jpg and ..\My Pictures\chart.png.

The output of the two commands follows (abbreviated):

    sec560@slingshot:~/coursefiles/metadata$ exiftool WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep /
    File Modification Date/Time     : 2018:08:29 18:06:06+00:00
    File Access Date/Time           : 2019:06:29 17:24:23+00:00
    File Inode Change Date/Time     : 2019:06:29 17:28:35+00:00
    MIME Type                       : application/msword
    File Modification Date/Time     : 2019:06:29 18:03:35+00:00
    File Access Date/Time           : 2019:06:29 14:17:10+00:00
    File Inode Change Date/Time     : 2019:06:29 18:17:04+00:00
    MIME Type                       : application/vnd.ms-excel
    File Modification Date/Time     : 2018:08:29 18:06:06+00:00
    File Access Date/Time           : 2019:06:29 18:27:29+00:00
    File Inode Change Date/Time     : 2019:06:29 18:17:06+00:00
    MIME Type                       : application/pdf
    Producer                        : \376\377\000B\000u\000l\000l\000z\000i\000p\000 \000P\000D\000F\000 \000P\000r\000i\000n\000t\000e\000r\000 \000/\000 \000w\000w\000w\000.\000b\000u\000l\000l\000z\000i\000p\000.\000c\000o\000m\000 \000/\000 \000F\000r\000e\000e\000w\000a\000r\000e\000 \000E\000d\000i\000t\000i\000o\000n
    Format                          : application/pdf

    sec560@slingshot:~/coursefiles/metadata$ exiftool WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep '\\'
    Hyperlinks                      : \\webserver\wwwroot\images\560gc_logo.jpg, ..\My Pictures\chart.png
    Producer                        : \376\377\000B\000u\000l\000l\000z\000i\000p\000 \000P\000D\000F\000 \000P\000r\000i\000n\000t\000e\000r\000 \000/\000 \000w\000w\000w\000.\000b\000u\000l\000l\000z\000i\000p\000.\000c\000o\000m\000 \000/\000 \000F\000r\000e\000e\000w\000a\000r\000e\000 \000E\000d\000i\000t\000i\000o\000n
    Title                           : \376\377\000W\000i\000d\000g\000e\000t\000 \000S\000t\000a\000t\000i\000s\000t\000i\000c\000a\000l\000 \000W\000h\000i\000t\000e\000p\000a\000p\000e\000r
    Creator                         : \376\377\000B\000o\000b\000 \000B\000o\000b\000e\000r\000s\000o\000n

The PDF's Producer, Title, and Creator values are UTF-16 text with a leading byte-order mark (\376\377), which is why ExifTool prints them as octal escapes and why they match both greps. Decoded, they read "Bullzip PDF Printer / www.bullzip.com / Freeware Edition", "Widget Statistical Whitepaper", and "Bob Boberson", so the PDF also names Bob as its creator.

The grep / command didn't reveal any interesting information.
However, the grep '\\' command did reveal file paths:

    Hyperlinks                      : \\webserver\wwwroot\images\560gc_logo.jpg, ..\My Pictures\chart.png

Next, we'll look for ASCII strings in our files using the strings command, also taking advantage of the fact that strings supports multiple files on the command line. We'll start by searching for strings of at least eight characters (-n 8), looking through the output for the / character:

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep /

Here, we see a lot of strings in the output, which include several URLs: http://www.w3.org/1999/02/22-rdf-syntax-ns# , http://purl.org/dc/elements/1.1/ , and http://ns.adobe.com/xap/1.0/mm/ . These URLs are just the RDF and XMP namespace declarations embedded in the PDF's metadata and point to items outside of our target scope.

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep '\\'
    "$"#,##0_);\("$"#,##0\)
    "$"#,##0_);[Red]\("$"#,##0\)
    "$"#,##0.00_);\("$"#,##0.00\)
    "$"#,##0.00_);[Red]\("$"#,##0.00\)
    ... (more Excel number-format strings omitted)
    <rdf:Description rdf:about="..." xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="\376\377\000B\000u\000l\000l\000z\000i\000p ..."/>
    <rdf:Description rdf:about="..." xmlns:dc="http://purl.org/dc/elements/1.1/" dc:format="application/pdf"> ... (truncated for brevity)
So our analysis looking for standard ASCII strings didn't prove too useful. Let's look for big-endian and little-endian Unicode strings to see if we get any more useful information that way.

We'll start by looking for big-endian strings eight characters or more in length that include a slash (/):

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e b WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep /

Our output is empty. Let's look for little-endian Unicode strings with forward slashes:

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e l WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep /

Note: The character after -e is a lowercase L, not a one.

Again, nothing. Let's look for big-endian Unicode strings with backslashes:

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e b WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep '\\'

This gives us some useful information. Here, we found a potentially interesting piece of information: a file system path to the original file on Bob's machine, C:\Users\Bob Boberson\My Documents\WidgetStatisticalWhitepaper.doc.
Finally, let's look for strings with little-endian Unicode backslashes:

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e l WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep '\\'

Note: Again, the above command uses a lowercase L, not a number one.

With this one, we've found numerous file system paths, including paths to a file on a web server, a Visual Basic for Applications DLL, the file system path to Office on the machine, and much more.

The output of the four Unicode searches follows:

    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e b WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep /
    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e l WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep /
    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e b WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep '\\'
    \My Pictures\chart.png
    \\webserver\wwwroot\images\560gc_logo.jpg
    \My Pictures\chart.png
    Bob BobersonBC:\Users\Bob Boberson\My Documents\WidgetStatisticalWhitepaper.doc
    ... (the previous line repeats several times)
    C:\Users\Bob Boberson\My Pictures\560gc_logo.jpg
    sec560@slingshot:~/coursefiles/metadata$ strings -n 8 -e l WidgetStatisticalWhitepaper.doc WidgetStatisticalAnalysis.xls WidgetStatisticalWhitepaper.pdf | grep '\\'
    webserver\wwwroot\images\560gc_logo.jpg
    *\G{000204EF-0000-0000-C000-000000000046}#4.0#9#C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL#Visual Basic For Applications
    *\G{00020813-0000-0000-C000-000000000046}#1.3#0#C:\Program Files\Microsoft Office\Office\EXCEL9.OLB#Microsoft Excel 9.0 Object Library
    *\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\WINDOWS\system32\STDOLE2.TLB#OLE Automation

Conclusion

In this lab, we've seen how we can use ExifTool and the strings command to pull data from files that may be useful to us in our penetration test. We've seen the advantages of structured data and ExifTool in pinpointing useful information. We've also seen the advantages of looking for unstructured data with the strings command to find something that ExifTool isn't designed to show: obscured fields and comments.

We've also seen how to transcend the default limitation of ASCII strings on Linux with the -e option to look for Unicode strings, both big endian and little endian.
Lab 1.4: Recon-ng for DNS Analysis

Objectives

* To use the Recon-ng tool to retrieve and analyze DNS records
* To iterate through an IP address block, sending DNS Reverse Record (PTR) lookups for each address to find potential target machines
* To query for a series of domain names associated with antivirus update servers so that the penetration tester can determine which antivirus tools are likely in use by a target organization, for more focus on AV evasion tactics

Table of Contents

* Lab Setup
* Step-by-Step Instructions
* Conclusion

Lab Setup

In this lab, you'll gain familiarity with the user interface of Recon-ng and use it to gather useful information from the target organization's DNS infrastructure.

In particular, you'll run a Recon-ng module called "reverse_resolve", which takes a netblock of IP addresses and sends PTR (reverse record) lookups to a DNS server to determine which of those IP addresses resolve into names. That's a useful feature for a penetration tester because it can help you identify hosts that could be included in your scope, provided that these hosts have PTR records in their DNS. Many organizations provide PTR records for important hosts on the internet, so this technique can be helpful during the reconnaissance phase.

Next, you'll use a Recon-ng module called "cache_snoop" that performs DNS cache snooping against a target DNS server. This module looks for cached DNS records that are associated with the signature update sites of a couple dozen antivirus firms. If the target organization relies on any of those AV products, it likely will perform regular updates of its AV signatures, which will leave residual records associated with the AV company cached in the organization's DNS servers.
By identifying those cached entries, a penetration tester can determine which AV products the target organization is using, a helpful piece of information for evading the organization's AV product.

For this lab, you need to be connected to the 560 target network environment. Make sure you can ping 10.10.10.60 (where there is a DNS server) before you begin the lab:

    sec560@slingshot:~$ ping 10.10.10.60

If your ping doesn't work, that means your Linux guest machine isn't properly connected to the 560 target network. Consult the network configuration section earlier in this book or reach out to an instructor or TA for assistance.

Step-by-Step Instructions

1. Launch Recon-ng

Start the lab by running recon-ng with root privileges using sudo:

    sec560@slingshot:~$ sudo recon-ng --no-check

On the screen, you should see ASCII art announcing RECON-NG. You'll also see an inventory of the types of modules, including Recon, Reporting, Import, Exploitation, and Discovery.

Note: You may see error messages mentioning key not set . You can safely ignore those messages.

    [Recon-ng banner: ASCII art logo, "Sponsored by... www.blackhillsinfosec.com", and the module inventory]

2. Explore the Interface

To become familiar with Recon-ng's user interface, let's explore its help feature. Below you can see all the commands supported by Recon-ng.
    [recon-ng][default] > help

    Commands (type [help|?] <topic>):
    ---------------------------------
    add             Adds records to the database
    back            Exits the current context
    delete          Deletes records from the database
    exit            Exits the framework
    help            Displays this menu
    keys            Manages framework API keys
    load            Loads specified module
    pdb             Starts a Python Debugger session
    query           Queries the database
    record          Records commands to a resource file
    reload          Reloads all modules
    resource        Executes commands from a resource file
    search          Searches available modules
    set             Sets module options
    shell           Executes shell commands
    show            Shows various framework items
    snapshots       Manages workspace snapshots
    spool           Spools output to a file
    unset           Unsets module options
    use             Loads specified module
    workspaces      Manages workspaces

3. The show Command

One of the most important commands is the show command because it lets you look at Recon-ng's options, configuration, and variable settings. Let's run show by itself to see the various items we can explore using show.

    [recon-ng][default] > show
    Shows various framework items

    Usage: show [banner|companies|contacts|credentials|dashboard|domains|hosts|keys|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|repositories|schema|vulnerabilities|workspaces]

Here we can see that we can run show banner to get version information. We can likewise run show followed by an item type in Recon-ng's database, such as show hosts or show domains . We'll do that later in the lab.
4. Show Options

To see the variables set in Recon-ng, run show options:

    [recon-ng][default] > show options

      Name        Current Value  Required  Description
      ----------  -------------  --------  -----------
      NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
      PROXY                      no        proxy server (address:port)
      THREADS     10             yes       number of threads (where applicable)
      TIMEOUT     10             yes       socket timeout (seconds)
      USER-AGENT  Recon-ng/v4    yes       user-agent string
      VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

Here you can see that by default, Recon-ng resolves information using the 8.8.8.8 name server provided by Google. We'll change that shortly to our target organization's DNS server.

Before we do that, though, let's take a quick look at Recon-ng's database structure so you can see the tables and their columns where Recon-ng will store data. Type the command below:

    [recon-ng][default] > show schema

Your output will look similar to this:

    [recon-ng][default] > show schema

      +---------------+
      |    domains    |
      +---------------+
      | domain | TEXT |
      | module | TEXT |
      +---------------+

      +---------------------+
      |      companies      |
      +---------------------+
      | company     | TEXT |
      | description | TEXT |
      | module      | TEXT |
      +---------------------+

    ... truncated for brevity ...

Note that there is a domains table, a hosts table, and several other tables that are automatically populated as we run various Recon-ng modules.

5. External Commands

The Recon-ng prompt handles a variety of Recon-ng commands. But when it receives a command it doesn't recognize, Recon-ng passes that command to the underlying operating system shell for execution. This is handy because it means we can run general-purpose commands at the Recon-ng prompt. Let's try it by running a ping command to ping 10.10.10.60 four times (-c 4 for a count of four):

    [recon-ng][default] > ping -c 4 10.10.10.60
    [*] Command: ping -c 4 10.10.10.60
    PING 10.10.10.60 (10.10.10.60) 56(84) bytes of data.
    64 bytes from 10.10.10.60: icmp_seq=1 ttl=64 time=0.705 ms
    64 bytes from 10.10.10.60: icmp_seq=2 ttl=64 time=0.341 ms
    64 bytes from 10.10.10.60: icmp_seq=3 ttl=64 time=0.344 ms
    64 bytes from 10.10.10.60: icmp_seq=4 ttl=64 time=0.475 ms

    --- 10.10.10.60 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.341/0.466/0.705/0.148 ms

Your ping should work, and you should see its output. It's important to note that Recon-ng does NOT have a ping command. Instead, Recon-ng is simply taking our ping command and handing it to the underlying shell for execution.

To start performing recon against the target organization's DNS server, let's configure Recon-ng to use that nameserver, as follows:

    [recon-ng][default] > set NAMESERVER 10.10.10.60
    NAMESERVER => 10.10.10.60

Now when we run show options , we can see that the original 8.8.8.8 nameserver has been altered to 10.10.10.60.

    [recon-ng][default] > show options

      Name        Current Value  Required  Description
      ----------  -------------  --------  -----------
      NAMESERVER  10.10.10.60    yes       nameserver for DNS interrogation
      PROXY                      no        proxy server (address:port)
      THREADS     10             yes       number of threads (where applicable)
      TIMEOUT     10             yes       socket timeout (seconds)
      USER-AGENT  Recon-ng/v4    yes       user-agent string
      VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

6. Modules
Let's now explore the various modules Recon-ng has:

    [recon-ng][default] > show modules

      Discovery
      ---------
        discovery/info_disclosure/cache_snoop
        discovery/info_disclosure/interesting_files

      Exploitation
      ------------
        exploitation/injection/command_injector
        exploitation/injection/xpath_bruter

      Import
      ------
        import/csv_file
        import/list

      Recon
      -----
        recon/companies-contacts/bing_linkedin_cache
        recon/companies-contacts/jigsaw/point_usage
        recon/companies-contacts/jigsaw/purchase_contact
        recon/companies-contacts/jigsaw/search_contacts
        recon/companies-multi/github_miner
        recon/companies-multi/whois_miner
        recon/contacts-contacts/mailtester
        ... truncated for brevity ...

Here you'll see different groups of modules, including Discovery, Exploitation, Import, Recon, and more. Under each module group, you can see the individual modules, totaling several dozen.

7. Search

Often, a penetration tester has a sense of the type of module he would like to use but doesn't know the full module name or its path to access it in Recon-ng. If that's the case, we can use the search command to find specific modules based on strings in the module's name or path. Suppose, for example, we wanted to find modules that would resolve names (via either a forward or a reverse DNS lookup). We could simply run search resolve . Do that now:

    [recon-ng][default] > search resolve
    [*] Searching for 'resolve'...

      Recon
      -----
        recon/hosts-hosts/resolve
        recon/hosts-hosts/reverse_resolve
        recon/netblocks-hosts/reverse_resolve

Here we can see several modules associated with resolving names. Notice that their paths all start with recon, as they are in the recon module group.

8. The reverse_resolve Module

For this lab, we would like to iterate through a given target netblock (10.10.10.0/24) to see which host IP addresses have an associated PTR record.
This is a useful way to find hosts and explore our scope in a penetration test. Of course, not every host on the internet has a PTR record, but many DMZ systems do, and we can use this module to help identify them.

To achieve this, we'll use the recon/netblocks-hosts/reverse_resolve module. There is also a recon/hosts-hosts/reverse_resolve module, which takes as its input individual IP addresses. We'll use the netblocks module, though, as we've been given the full 10.10.10.0/24 network as our target scope.

Let's select that recon/netblocks-hosts/reverse_resolve module with the use command, followed by the full path to the module:

    [recon-ng][default] > use recon/netblocks-hosts/reverse_resolve

Now to get the details of that module, we can run show info:

    [recon-ng][default][reverse_resolve] > show info

         Name: Reverse Resolver
         Path: modules/recon/netblocks-hosts/reverse_resolve.py
       Author: John Babio (@3vi1john)

    Description:
      Conducts a reverse lookup for each of a netblock's IP addresses to resolve the hostname. Updates the 'hosts' table with the results.

    Options:
      Name    Current Value  Required  Description
      ------  -------------  --------  -----------
      SOURCE  default        yes       source of input (see 'show info' for details)

    Source Options:
      default        SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL
      <string>       string representing a single input
      <path>         path to a file containing a list of inputs
      query <sql>    database query returning one column of inputs

Here we see a brief description of the module, plus the different variables it supports. For this module, the SOURCE variable specifies where the information about our target netblock comes from. By default, Recon-ng simply looks in the netblocks table. We can specify other places, including a string that contains a single netblock or a path to a file that contains a list of netblocks, one per line. For this lab, we'll leave it as its default and place a netblock in the netblocks table next.
9. Add a Netblock

Let's add a netblock to the netblocks table using the add command:

    [recon-ng][default][reverse_resolve] > add netblocks 10.10.10.0/24

We can now look at the netblocks table to see our information there:

    [recon-ng][default][reverse_resolve] > show netblocks

      +------------------------------------------+
      | rowid |   netblock    |      module      |
      +------------------------------------------+
      | 1     | 10.10.10.0/24 | user_defined     |
      +------------------------------------------+

    [*] 1 rows returned

Because we left the SOURCE for the reverse_resolve module as the default, Recon-ng will pull this information from the database to do the PTR lookups.

10. Running the Module

With our module configured, we can now run it as follows:

    [recon-ng][default][reverse_resolve] > run

    10.10.10.0/24
    -------------
    [*] 10.10.10.0 => No record found.
    [*] 10.10.10.1 => No record found.
    [*] 10.10.10.2 => No record found.
    [*] 10.10.10.3 => No record found.
    [*] 10.10.10.4 => No record found.
    [*] 10.10.10.5 => No record found.
    [*] 10.10.10.6 => No record found.
    [*] 10.10.10.7 => No record found.
    [*] 10.10.10.8 => No record found.
    [*] 10.10.10.9 => No record found.
    [*] [host] trinity.target.tgt (10.10.10.10)
    [*] 10.10.10.11 => No record found.
    [*] 10.10.10.12 => No record found.
    ... snipped for brevity ...
    [*] 10.10.10.18 => No record found.
    [*] 10.10.10.19 => No record found.
    [*] [host] morpheus.target.tgt (10.10.10.20)
    [*] 10.10.10.21 => No record found.
    ... snipped for brevity ...
    [*] 10.10.10.49 => No record found.
    [*] [host] neo.target.tgt (10.10.10.50)
    [*] 10.10.10.51 => No record found.
    [*] 10.10.10.52 => No record found.
    ... snipped for brevity ...
    [*] 10.10.10.59 => No record found.
    [*] [host] smith.target.tgt (10.10.10.60)
    [*] 10.10.10.61 => No record found.
    ... snipped for brevity ...
    [*] 10.10.10.254 => No record found.
    [*] 10.10.10.255 => No record found.
In the output, we can see it sending a PTR query for each IP address in 10.10.10.0/24, looking for a response. For most of the IP addresses, no record will be found. But for 10.10.10.10, 10.10.10.20, 10.10.10.50, and 10.10.10.60, it should get a PTR record response, displaying that information on the screen.

When the module is finished running, it will show us how many hosts it found. It should find four.

11. Examining the Results

In addition to scrolling back on the screen to see what Recon-ng found, we can also look at the hosts table because the reverse_resolve module automatically populates it. Let's look at our newly discovered hosts:

    [recon-ng][default][reverse_resolve] > show hosts

      +-----------------------------------------------------------------------------------------------------+
      | rowid |         host        | ip_address  | region | country | latitude | longitude |     module      |
      +-----------------------------------------------------------------------------------------------------+
      | 1     | trinity.target.tgt  | 10.10.10.10 |        |         |          |           | reverse_resolve |
      | 2     | morpheus.target.tgt | 10.10.10.20 |        |         |          |           | reverse_resolve |
      | 3     | neo.target.tgt      | 10.10.10.50 |        |         |          |           | reverse_resolve |
      | 4     | smith.target.tgt    | 10.10.10.60 |        |         |          |           | reverse_resolve |
      +-----------------------------------------------------------------------------------------------------+

    [*] 4 rows returned

Note that we have a domain name and IP address for each of the hosts based on the returned PTR record. The hostnames are all associated with the target.tgt domain (which we can check against our target scope) and include names such as trinity, morpheus, neo, and smith, a naming scheme based on a movie.

12. The cache_snoop Module

Now that we've gathered some hosts associated with the target environment, let's use another Recon-ng module to determine the most likely antivirus tool or tools the target organization is using. We can do that with the cache_snoop module in Recon-ng's discovery group. We can back out of our current module to the general Recon-ng prompt using the back command:
    [recon-ng][default][reverse_resolve] > back
    [recon-ng][default] >

We'll now use the discovery/info_disclosure/cache_snoop module:

    [recon-ng][default] > use discovery/info_disclosure/cache_snoop
    [recon-ng][default][cache_snoop] >

Let's look at the options for this module:

    [recon-ng][default][cache_snoop] > show options

      Name        Current Value                              Required  Description
      ----        -------------                              --------  -----------
      DOMAINS     /opt/recon-ng-v4.9.3/data/av_domains.lst   yes       file containing the list of domains to snoop for
      NAMESERVER                                             yes       IP address of authoritative nameserver

Here we see that this module needs a NAMESERVER. (Unfortunately, the module doesn't automatically populate the NAMESERVER value with the one configured overall for Recon-ng.) This module also needs a list of names that it should look for in the target DNS server's cache. By default, it searches for the names stored in the av_domains.lst file that comes with Recon-ng. Let's look at the contents of that file:

    [recon-ng][default][cache_snoop] > cat /opt/recon-ng-v4.9.3/data/av_domains.lst
    [*] Command: cat /opt/recon-ng-v4.9.3/data/av_domains.lst
    www.es-latest-3.sophos.com/update
    www.es-web.sophos.com
    www.es-web.sophos.com.edgesuite.net
    www.es-web-2.sophos.com
    www.es-web-2.sophos.com.edgesuite.net
    www.dnl-01.geo.kaspersky.com
    www.downloads2.kaspersky-labs.com
    www.liveupdate.symantecliveupdate.com
    www.liveupdate.symantec.com
    www.update.symantec.com
    ... truncated for brevity ...

Here we can see the names of update servers for numerous different AV product firms. You could expand this list or even create your own in future penetration tests, based on different sites you'd like to snoop for in a target organization's DNS cache. For this lab, we'll keep this default list, which is quite good.

13. Running cache_snoop

We now set NAMESERVER.
(Remember that this module does NOT use the name server configured overall for Recon-ng, so we must set it now in the context of the cache_snoop module.)

    [recon-ng][default][cache_snoop] > set NAMESERVER 10.10.10.60
    NAMESERVER => 10.10.10.60

With all our settings now in place, we can run the module:

    [recon-ng][default][cache_snoop] > run
    [*] www.es-latest-3.sophos.com/update => Not Found.
    [*] www.es-web.sophos.com => Not Found.
    [*] www.es-web.sophos.com.edgesuite.net => Not Found.
    [*] www.es-web-2.sophos.com => Not Found.
    [*] www.es-web-2.sophos.com.edgesuite.net => Not Found.
    [*] www.dnl-01.geo.kaspersky.com => Not Found.
    [*] www.downloads2.kaspersky-labs.com => Not Found.
    [*] www.liveupdate.symantecliveupdate.com => Not Found.
    [*] www.liveupdate.symantec.com => Not Found.
    [*] www.update.symantec.com => Not Found.
    [*] www.update.nai.com => Not Found.
    [*] www.download797.avast.com => Not Found.
    [*] www.guru.avg.com => Not Found.
    [*] www.osce8-p.activeupdate.trendmicro.com => Not Found.
    [*] www.forefrontdl.microsoft.com => Not Found.
    [*] es-latest-3.sophos.com/update => Not Found.
    [*] es-web.sophos.com => Not Found.
    [*] es-web.sophos.com.edgesuite.net => Not Found.
    [*] es-web-2.sophos.com => Not Found.
    [*] es-web-2.sophos.com.edgesuite.net => Not Found.
    [*] dnl-01.geo.kaspersky.com => Not Found.
    [*] downloads2.kaspersky-labs.com => Not Found.
    [*] liveupdate.symantecliveupdate.com => Not Found.
    [*] liveupdate.symantec.com => Not Found.
    [*] update.symantec.com => Snooped!
    [*] update.nai.com => Not Found.
    [*] guru.avg.com => Snooped!
    [*] osce8-p.activeupdate.trendmicro.com => Not Found.
    [*] download797.avast.com => Not Found.
    [*] forefrontdl.microsoft.com => Not Found.

As the module runs, look carefully at its output. You'll note that it says "Not Found" for the majority of the domain names.
But for two of them (update.symantec.com and guru.avg.com), it does show that it "Snooped!" a name (that is, it found the name in the target DNS server's cache). Look specifically at the lines below.

    [*] update.symantec.com => Snooped!
    [*] guru.avg.com => Snooped!

Thus, it is likely that the target organization is utilizing Symantec and/or AVG as its antivirus product, given that the target's DNS server was used to resolve those names recently (and the DNS Time to Live for those records has not expired, so they remain in the cache). Of course, once that TTL expires, the cached entries will be dropped.

This information about the target's AV vendor is tremendously useful in our penetration test, especially if we are going to create any malware for the target organization to send via spear phishing or other means.

14. Wrapping Up

To finish the lab, we can exit the Recon-ng tool:

    [recon-ng][default][cache_snoop] > exit
    sec560@slingshot:~$

We should also clean up the Recon-ng configuration file and database, which are automatically created in our home directory (~):

    sec560@slingshot:~$ sudo rm -rf .recon-ng/

This will remove all the information in the database, as well as the custom name server configuration we set for Recon-ng.

Conclusion

In this lab, we have used Recon-ng to get familiar with its user interface and look at its database. More importantly, though, we ran Recon-ng to pull some highly useful information about the target organization. In particular, we iterated through a target netblock given to us in our scope to identify individual target host IP addresses. This information will be useful as we move into the Scanning phase of our penetration test, to be covered later in this course. And, perhaps even more important, we determined the likely antivirus products in use by the target organization.
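The same cache-snooping activity leaves a clear trace on the name server, and that trace is what a defender can alert on. The following is an added example, not part of the lab and not Recon-ng's code: it parses query-log lines in the shape BIND 9 writes them (the first flag character is "+" when the client requested recursion and "-" when it did not; cache_snoop's probes are of the "-" kind, because only an answer already in the cache can satisfy a non-recursive query) and flags any client that sends non-recursive queries for many distinct names inside a short window. The log lines, the one-minute window and the five-name threshold are all constructed or assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed query-log lines in the shape BIND 9 writes them:
#   <date> <time> client <ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<server>)
# The first flag character is '+' (recursion requested) or '-' (not requested).
# 10.10.75.102 probes five AV update names without recursion in two seconds;
# the other clients are ordinary resolver traffic.
SAMPLE_LOG = """\
29-Jun-2019 21:05:29.001 client 10.10.10.23#51002 (www.sans.org): query: www.sans.org IN A +E (10.10.10.60)
29-Jun-2019 21:05:30.100 client 10.10.75.102#41000 (update.symantec.com): query: update.symantec.com IN A - (10.10.10.60)
29-Jun-2019 21:05:30.120 client 10.10.75.102#41000 (guru.avg.com): query: guru.avg.com IN A - (10.10.10.60)
29-Jun-2019 21:05:30.140 client 10.10.75.102#41000 (download797.avast.com): query: download797.avast.com IN A - (10.10.10.60)
29-Jun-2019 21:05:30.160 client 10.10.75.102#41000 (dnl-01.geo.kaspersky.com): query: dnl-01.geo.kaspersky.com IN A - (10.10.10.60)
29-Jun-2019 21:05:30.180 client 10.10.75.102#41000 (update.nai.com): query: update.nai.com IN A - (10.10.10.60)
29-Jun-2019 21:05:31.000 client 10.10.10.23#51003 (guru.avg.com): query: guru.avg.com IN A + (10.10.10.60)
29-Jun-2019 21:09:00.000 client 10.10.10.40#50001 (ntp.example.org): query: ntp.example.org IN A - (10.10.10.60)
"""

LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<client>[\d.]+)#\d+ "
    r"\(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \("
)


def parse_query_log(text):
    """Return (timestamp, client_ip, qname, recursion_desired) for each query line."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m.group("client"), m.group("qname").lower(),
                        m.group("flags")[0] == "+"))
    return records


def find_cache_snooping(records, window=timedelta(seconds=60), min_names=5):
    """Flag clients that issue non-recursive (RD=0) queries for at least
    min_names distinct names within one window. Returns {client: sorted names}."""
    by_client = defaultdict(list)
    for ts, client, qname, rd in records:
        if not rd:
            by_client[client].append((ts, qname))
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {q for t, q in events[i:] if t - start <= window}
            if len(names) >= min_names:
                alerts[client] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for client, names in find_cache_snooping(parse_query_log(SAMPLE_LOG)).items():
        print(f"possible cache snooping from {client}: {', '.join(names)}")
```

A single non-recursive query (10.10.10.40 above) is normal resolver behaviour and is not flagged; it is the burst of distinct names without recursion that matches the module's pattern. On the server side, the fix for the lab's finding is to stop serving cache contents to untrusted clients: in BIND that means restricting the allow-recursion and allow-query-cache ACLs to internal address ranges, so non-recursive probes from anywhere else are refused rather than answered from cache.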
That information will be extremely useful as we move into the Exploitation phase of the penetration test.

Lab 2.1: Nmap

Objectives

  • To use Nmap to identify target machines by sweeping through a network range
  • To specify port ranges in Nmap and analyze the nmap-services file for determining more popular ports
  • To conduct TCP and UDP port scanning and analyze the differences between the two

Table of Contents

  • Step-by-Step Instructions
  • Conclusion

Lab Setup

For this lab, please connect to the 560 network (for live students: the in-class network; for OnDemand, vLive, and Simulcast students: the 560A VPN). You should be able to ping 10.10.10.10 from the Slingshot Linux image:

    sec560@slingshot:~$ ping 10.10.10.10

Lab - Step-by-Step Instructions

1. Initial Scan

Let's run a scan of the target subnet:

    sec560@slingshot:~$ sudo nmap -n -sP --packet-trace 10.10.10.1-255
    Starting Nmap 7.70 ( https://nmap.org )
    SENT (0.0401s) ARP who-has 10.10.10.2 tell 10.10.75.102
    SENT (0.0405s) ARP who-has 10.10.10.3 tell 10.10.75.102
    SENT (0.0408s) ARP who-has 10.10.10.4 tell 10.10.75.102
    SENT (0.0412s) ARP who-has 10.10.10.5 tell 10.10.75.102
    SENT (0.0415s) ARP who-has 10.10.10.6 tell 10.10.75.102
    SENT (0.0418s) ARP who-has 10.10.10.7 tell 10.10.75.102
    SENT (0.0421s) ARP who-has 10.10.10.8 tell 10.10.75.102
    SENT (0.0424s) ARP who-has 10.10.10.9 tell 10.10.75.102
    SENT (0.0426s) ARP who-has 10.10.10.10 tell 10.10.75.102
    ... truncated for brevity ...

The -n means that Nmap should not resolve domain names. The -sP means do a ping sweep, but watch what happens ... no ICMP (or TCP packets, for that matter) will be sent for the ping sweep. Also, the --packet-trace option tells Nmap to display a summary of each packet before it sends it.
While it runs, pressing Shift-P turns this off, whereas pressing the p key toggles it back on. Also, try hitting the v and d keys multiple times each for verbosity and debug information, respectively. If you can't type that fast enough, try relaunching the scan and then pressing them. Note that you are sending only ARPs, no ICMP or HTTP, despite the fact that you kicked off Nmap with a -sP for a "ping" sweep. Nmap did this because you are on the same subnet as the targets, so an ARP reply implies that the address is in use; no follow-up ICMP or TCP packets are required.

2. Scanning 10.10.10.50

Next, let's conduct a TCP port scan of target machine 10.10.10.50.

Start tcpdump, configured to show traffic associated with host 10.10.10.50 (not resolving names). LAUNCH A NEW TERMINAL WINDOW SO YOU CAN RUN A SNIFFER IN IT TO OBSERVE YOUR PACKETS:

    $ sudo tcpdump -nn host 10.10.10.50

NOTE: IF YOU ARE TAKING THIS CLASS ACROSS THE INTERNET THROUGH SANS vLive or OnDemand, you need to specify the VPN interface in all the tcpdump commands for the class. Connect through the VPN, and then run the ifconfig command to list interfaces, looking for an interface called tapX, where X is an integer (typically zero). Then add -i tapX (with the appropriate X) to all tcpdump commands.

[Screenshot: tcpdump running on the Slingshot image, with the callout: If you are taking this class across the Internet (through SANS OnDemand, Simulcast, or vLive), you'll need to add a "-i tapX" to all tcpdump commands to specify the VPN interface. Connect to the VPN and then run ifconfig to list the interfaces to determine the value for X (it is typically zero).]
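Before the scan runs, it helps to know what the sniffer window is going to show. The following is an added example, not from the lab and not Nmap's or tcpdump's code: it parses tcpdump -nn lines of the kind that window prints, reports any source that ARPs for many distinct addresses (the ping-sweep pattern from step 1, where an ARP reply alone marks a host as up), and rebuilds, from the SYN / SYN-ACK / RST exchanges alone, which target ports a TCP connect scan found open, closed, or unanswered. The capture lines are constructed; the scanner address 10.10.75.102 and the target 10.10.10.50 follow the lab's addresses.

```python
import re
from collections import defaultdict

# Constructed tcpdump -nn lines: an ARP sweep from 10.10.75.102, then a connect
# scan of 10.10.10.50 with one open port (22: SYN, SYN-ACK, ACK), two closed
# ports (23 and 25: SYN answered by RST) and one SYN that gets no reply (135).
SAMPLE_CAPTURE = """\
21:05:29.040100 ARP, Request who-has 10.10.10.2 tell 10.10.75.102, length 28
21:05:29.040500 ARP, Request who-has 10.10.10.3 tell 10.10.75.102, length 28
21:05:29.040800 ARP, Request who-has 10.10.10.4 tell 10.10.75.102, length 28
21:05:29.041200 ARP, Request who-has 10.10.10.50 tell 10.10.75.102, length 28
21:05:29.041900 ARP, Reply 10.10.10.50 is-at 00:0c:29:15:17:06, length 46
21:05:30.100001 IP 10.10.75.102.45678 > 10.10.10.50.22: Flags [S], seq 1000, win 29200, length 0
21:05:30.100200 IP 10.10.10.50.22 > 10.10.75.102.45678: Flags [S.], seq 2000, ack 1001, win 28960, length 0
21:05:30.100300 IP 10.10.75.102.45678 > 10.10.10.50.22: Flags [.], ack 1, win 229, length 0
21:05:30.100400 IP 10.10.75.102.45679 > 10.10.10.50.23: Flags [S], seq 1000, win 29200, length 0
21:05:30.100500 IP 10.10.10.50.23 > 10.10.75.102.45679: Flags [R.], seq 0, ack 1001, win 0, length 0
21:05:30.100600 IP 10.10.75.102.45680 > 10.10.10.50.25: Flags [S], seq 1000, win 29200, length 0
21:05:30.100700 IP 10.10.10.50.25 > 10.10.75.102.45680: Flags [R.], seq 0, ack 1001, win 0, length 0
21:05:30.100800 IP 10.10.75.102.45681 > 10.10.10.50.135: Flags [S], seq 1000, win 29200, length 0
"""

ARP_REQ = re.compile(r"ARP, Request who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)")
TCP = re.compile(
    r"IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def arp_sweep_sources(text, min_targets=3):
    """Return {source_ip: number of distinct addresses asked about} for sources
    that ARP for at least min_targets different addresses (sweep pattern)."""
    targets = defaultdict(set)
    for line in text.splitlines():
        m = ARP_REQ.search(line)
        if m:
            targets[m.group("src")].add(m.group("target"))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def connect_scan_view(text, scanner, target):
    """Rebuild what the scanner learned about each target port from the wire:
    'open' if the target answered the SYN with SYN-ACK, 'closed' if it answered
    with RST, 'no-response' if the SYN went unanswered (Nmap reports filtered)."""
    state = {}
    for line in text.splitlines():
        m = TCP.search(line)
        if not m:
            continue
        flags = m.group("flags")
        if m.group("sip") == scanner and m.group("dip") == target and flags == "S":
            state.setdefault(int(m.group("dport")), "no-response")
        elif m.group("sip") == target and m.group("dip") == scanner:
            port = int(m.group("sport"))
            if "S" in flags and "." in flags:
                state[port] = "open"
            elif "R" in flags:
                state[port] = "closed"
    return dict(sorted(state.items()))


if __name__ == "__main__":
    print("ARP sweep sources:", arp_sweep_sources(SAMPLE_CAPTURE))
    for port, st in connect_scan_view(SAMPLE_CAPTURE, "10.10.75.102", "10.10.10.50").items():
        print(f"{port}/tcp {st}")
```

The ratio is the thing to notice when you watch the real capture: a connect scan of the top 1,000 ports produces about a thousand SYNs and, against this target, nine SYN-ACK/ACK handshakes, with RSTs for everything else, which is exactly the signature a network sensor keys on.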
Next, back in your original Nmap terminal window, invoke Nmap to scan that host, doing a TCP connect scan (full three-way handshake):

    sec560@slingshot:~$ sudo nmap -n -sT 10.10.10.50
    Starting Nmap 7.70 ( https://nmap.org )
    Nmap scan report for 10.10.10.50
    Host is up (0.00032s latency).
    Not shown: 991 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    23/tcp  open  telnet
    80/tcp  open  http
    111/tcp open  rpcbind
    443/tcp open  https
    512/tcp open  exec
    513/tcp open  login
    514/tcp open  shell
    MAC Address: 00:0C:29:15:17:06 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds

Nmap displays the total time it takes to complete the scan. Record how long it took for the scan here: ______________

Nmap did not scan all TCP ports with that invocation, however. It scanned only the top 1,000 most frequently used ports, as indicated in the nmap-services file. Let's see how much longer it takes to scan all TCP ports:

    sec560@slingshot:~$ sudo nmap -n -sT 10.10.10.50 -p 1-65535

It may take somewhat longer, given the higher number of ports it's scanning.

Also, look at the output of your sniffer. You should see a lot of SYN packets ( S ) going from your machine to the target, as well as a lot of RESETs ( R ) coming back. There will be a relatively smaller number of SYN-ACKs coming back, as well as ACKs going from your machine, to complete the three-way handshake.

3. Output Formats

Next, look at the output format files that Nmap can create via the -o option. Rerun your -sT scan with the default ports, storing your results in all the major format styles (-oA to indicate Normal, Greppable, and XML output).
Store your results in files in the /tmp directory with a base name of 10.10.10.50_connect_scan, which indicates the scan type and the IP address of the target:

    sec560@slingshot:~$ sudo nmap -n -sT -oA /tmp/10.10.10.50_connect_scan 10.10.10.50

You should see the same number of open ports as the original scan.

Then get a list of the files associated with 10.10.10.50 inside of /tmp:

    sec560@slingshot:~$ ls /tmp/10.10.10.50*
    /tmp/10.10.10.50_connect_scan.gnmap
    /tmp/10.10.10.50_connect_scan.nmap
    /tmp/10.10.10.50_connect_scan.xml

You should see three files with the same base name but with a different extension:

  • Greppable form with a .gnmap suffix
  • Normal form with a .nmap suffix
  • XML form with a .xml suffix

Use the gedit tool to review these files, especially the greppable format:

    sec560@slingshot:~$ gedit /tmp/10.10.10.50_connect_scan.gnmap

[Screenshot: gedit showing 10.10.10.50_connect_scan.gnmap]

    # Nmap 7.70 scan initiated Sat Jun 29 21:05:29 2019 as: nmap -n -sT -oA /tmp/10.10.10.50_connect_scan 10.10.10.50
    Host: 10.10.10.50 ()    Status: Up
    Host: 10.10.10.50 ()    Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 443/open/tcp//https///, 512/open/tcp//exec///, 513/open/tcp//login///, 514/open/tcp//shell///    Ignored State: closed (991)
    # Nmap done at Sat Jun 29 21:05:29 2019 -- 1 IP address (1 host up) scanned in 0.34 seconds

Note that all the results for a given host are stored on one line, with each open port and associated service identified.
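As an added example that is not part of the lab and not Nmap's own code, here is a small Python parser for that greppable format: it turns each Host line into a per-port table and answers questions such as "which hosts have port 80 open" by exact port number, so 8080 can never match a search for 80. The first lines are the scan result shown above; the second host (10.10.10.51, with 8080 open but not 80) is constructed to show the distinction.

```python
import re

# The greppable output from the lab's scan, plus a constructed second host
# (10.10.10.51) that has 8080 open but not 80. Fields in a gnmap file are
# tab-separated; the Ports field lists port/state/proto/owner/service/rpc/version.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Sat Jun 29 21:05:29 2019 as: nmap -n -sT -oA /tmp/10.10.10.50_connect_scan 10.10.10.50
Host: 10.10.10.50 ()\tStatus: Up
Host: 10.10.10.50 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 443/open/tcp//https///, 512/open/tcp//exec///, 513/open/tcp//login///, 514/open/tcp//shell///\tIgnored State: closed (991)
Host: 10.10.10.51 ()\tStatus: Up
Host: 10.10.10.51 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done at Sat Jun 29 21:05:29 2019 -- 2 IP addresses (2 hosts up) scanned in 0.50 seconds
"""

# One entry of the Ports field: port/state/proto//service/// (owner, rpc and version empty).
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {ip: {port: (state, proto, service)}} from greppable Nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        table = hosts.setdefault(ip, {})
        for port, state, proto, service in PORT_FIELD.findall(ports_field):
            table[int(port)] = (state, proto, service)
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Hosts with exactly this port open: 80 matches only 80, never 8080."""
    return sorted(
        ip for ip, table in hosts.items()
        if port in table and table[port][0] == "open" and table[port][1] == proto
    )


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, table in parsed.items():
        print(ip, "open:", [p for p, (st, _, _) in table.items() if st == "open"])
    print("port 80 open on:", hosts_with_open_port(parsed, 80))
    print("port 8080 open on:", hosts_with_open_port(parsed, 8080))
```

Parsing by field rather than by substring is what makes the result safe to feed into later steps: a substring search for 80/open would also pull in 8080 and 1800, which is why the lab's grep puts a space in front of the port number.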
This format is easy to search using grep. If there were multiple hosts in the file, you could search for hosts listening on port 80 by running the command below:

    grep ' 80/open/' file.gnmap

The quotes are necessary because there is a space before the port number, and that space lets you match only 80, but not 8080.

4. Port Zero

By the way, in the TCP scans we just conducted, we omitted TCP port 0. Let's test that one port with:

    sec560@slingshot:~$ sudo nmap -n -sT 10.10.10.50 -p 0

Your output should look like the following:
