“Unlocking the Cyber Frontier: Active Reconnaissance Tactics”

Hyunalesca
7 min read · Aug 31, 2024


In the realm of cybersecurity, obtaining information on potential targets is crucial. Active reconnaissance is a key strategy that goes beyond basic observation to engage with systems and uncover vital insights. It’s akin to knocking on doors and checking locks — creating a lasting impression while yielding crucial information.

This session will delve into the foundations of active reconnaissance and how to utilize standard tools to connect with target systems. From web browsers to command-line programs, we will explore how common applications can be transformed into effective investigative tools. Whether you’re gearing up for red-team operations or expanding your cybersecurity toolkit, this exercise will provide hands-on experience with real-world techniques.

Definition:

Active Reconnaissance in cybersecurity involves direct interaction with a target system to gather specific information. In contrast to passive methods that simply observe, active reconnaissance uses tools and techniques like port scanning and network queries to interact with the system. This approach actively investigates the target to reveal important network data and potential security vulnerabilities.

Web Browsers as Reconnaissance Tools

Web browsers, commonly used for general web browsing, can also serve as valuable reconnaissance tools. They reveal a good deal about a target website while communicating over the standard ports (80 for HTTP and 443 for HTTPS) or custom ones. Developer Tools and extensions like FoxyProxy, User-Agent Switcher, and Wappalyzer extend the browser's ability to analyze website content, handle cookies, and identify the technologies a site is built on, making it an indispensable resource for penetration testing.

TRYHACKME QUESTION:

Q. Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions.

A. 8

Verifying Network Connectivity with Ping

The “ping” command is a useful tool for testing network connectivity. It works by sending an ICMP Echo Request packet to the target system and waiting for a reply, which helps determine whether the system is online and reachable. By entering a command like “ping MACHINE_IP” in your terminal, you can quickly check whether a target responds. If there is no response, the system may be down or unavailable, or something in between, such as a network failure or a firewall, may be blocking the traffic.

Key Points:

1. The -s option of ping sets the size of the data carried by the ICMP echo request.

2. The ICMP header size is 8 bytes.

3. MS Windows Firewall blocks ping by default.

But before starting the main activity, I first tried to ping myself because it's the first time that I will complete a TryHackMe activity.

After pinging myself, I also pinged the machine to check its connectivity.

TRYHACKME QUESTIONS:

Q1. Which option would you use to set the size of the data carried by the ICMP echo request?

A1. -s

Q2. What is the size of the ICMP header in bytes?

A2. 8

Q3. Does MS Windows Firewall block ping by default? (Y/N)

A3. Y

Q4. Deploy the VM for this task and using the AttackBox terminal, issue the command ping -c 10 MACHINE_IP. How many ping replies did you get back?

A4. 10
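To make the relationship between the -s option and the 8-byte header concrete, the following added example (not part of the original write-up or the TryHackMe room) builds an ICMP Echo Request in memory and parses it back without sending anything. The function names and the identifier/sequence values are illustrative assumptions.

```python
import struct

ICMP_ECHO_REQUEST = 8  # ICMP type of an Echo Request (an Echo Reply is type 0)
ICMP_HEADER_LEN = 8    # type(1) + code(1) + checksum(2) + identifier(2) + sequence(2)


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:   # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, data_size: int) -> bytes:
    """Build the ICMP message that `ping -s data_size` would place inside IP."""
    payload = bytes(i & 0xFF for i in range(data_size))  # constructed filler data
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    checksum = inet_checksum(header + payload)  # computed with the field zeroed
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum, ident, seq)
    return header + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP echo message into header fields and verify its checksum."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "data_len": len(packet) - ICMP_HEADER_LEN,
        # A valid message checksums to zero when the checksum field is included.
        "checksum_ok": inet_checksum(packet) == 0,
    }


if __name__ == "__main__":
    packet = build_echo_request(ident=0x1234, seq=1, data_size=56)
    print(len(packet), parse_echo(packet))
```

With 56 data bytes, the default on Linux ping, the ICMP message is 64 bytes long, which is the "64 bytes from ..." figure printed for each reply.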

The Traceroute Command

The traceroute program determines the path packets follow from your system to a destination host by reporting the IP addresses of the intermediary routers, or hops, along the way. On Linux and macOS, use traceroute MACHINE_IP; on Windows, use tracert MACHINE_IP. The command sends packets with increasing Time To Live (TTL) values. Each router decrements the TTL, and the router at which it reaches zero drops the packet and reports back, which discloses that router's IP address. Routes can change owing to dynamic routing, and certain routers may not respond. As a result, the number of hops and the precise path may vary from one run of the command to the next.

Key Points:

1. The number of hops between systems may change with each traceroute execution; routes are not guaranteed to remain constant over time.

2. Some routers return public IP addresses, which might be useful during penetration testing.

3. Not all routers respond to traceroute requests.

Example of Traceroute Execution.

TRYHACKME QUESTIONS:

Q1. In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com?

A1. 172.67.69.208

Q2. In Traceroute B, what is the IP address of the last router/hop before reaching tryhackme.com?

A2. 104.26.11.229

Q3. In Traceroute B, how many routers are between the two systems?

A3. 26

Q4. Start the attached VM from Task 3 if it is not already started. On the AttackBox, run traceroute MACHINE_IP. Check how many routers/hops are there between the AttackBox and the target VM.

A4. 2
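The questions above come down to reading traceroute output: counting the routers between the two systems, finding the last router before the destination, and coping with hops that never answer. The following added example (not from the original write-up) does this on a constructed transcript. It assumes the default Linux `host (ip)` output form, and all hostnames and addresses are made up from documentation ranges.

```python
import re

_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                     # "<ttl>  <rest of line>"
_ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")        # "(a.b.c.d)"

# Constructed sample output; not captured from a real network.
SAMPLE = """\
traceroute to target.example (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example (192.0.2.1)  1.103 ms  1.021 ms  0.998 ms
 2  * * *
 3  core.example (198.51.100.7)  9.412 ms  9.377 ms  9.301 ms
 4  target.example (203.0.113.10)  12.004 ms  11.950 ms  11.912 ms
"""


def parse_traceroute(output: str) -> list:
    """Return [(ttl, ip_or_None), ...]; None marks a hop that never replied."""
    hops = []
    for line in output.splitlines():
        match = _HOP.match(line)
        if not match:
            continue  # skips the "traceroute to ..." header line
        addr = _ADDR.search(match.group(2))
        hops.append((int(match.group(1)), addr.group(1) if addr else None))
    return hops


def summarize(output: str, destination: str) -> dict:
    """Count routers between source and destination and find the last one."""
    hops = parse_traceroute(output)
    reached = bool(hops) and hops[-1][1] == destination
    routers = hops[:-1] if reached else hops  # the final line is the target itself
    return {
        "reached": reached,
        "routers_between": len(routers),
        "silent_hops": [ttl for ttl, ip in routers if ip is None],
        "last_router": next((ip for _, ip in reversed(routers) if ip), None),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE, "203.0.113.10"))
```

A silent hop still counts as a router on the path; it simply did not send the ICMP reply that would reveal its address.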

Telnet Overview

The TELNET protocol, which was developed in 1969, provides remote access to a system through a command-line interface (CLI), using port 23 by default. TELNET transmits all data, including passwords, in cleartext, which is a security risk; SSH is a more secure alternative. However, because the protocol is so simple, a TELNET client can connect to any TCP-based service, retrieve its banner, and interact with it. For instance, TELNET can establish a connection to a web server on port 80 and issue HTTP commands to fetch server information and read the server's responses. This principle also extends to other services, such as mail servers, provided you use the commands of the protocol in question.

Example of Telnet Execution.

TRYHACKME QUESTIONS:

Q1. Start the attached VM from Task 3 if it is not already started. On the AttackBox, open the terminal and use the telnet client to connect to the VM on port 80. What is the name of the running server?

A1. Apache

Q2. What is the version of the running server (on port 80 of the VM)?

A2. 2.4.61

Netcat: Versatile Network Utility Tool

Netcat (nc) is a versatile networking tool designed to handle both TCP and UDP protocols. It can operate as either a client, connecting to a specific port, or as a server, listening on a designated port. For instance, Netcat can be utilized to retrieve a server banner by establishing a connection to a port and executing Telnet-style commands. By using commands such as nc MACHINE_IP PORT, you can establish connections with various services and gather details such as server banners, which can be helpful in identifying server types and versions.

Netcat also supports basic client-server communication. To set up the server, use nc -lp PORT to listen for incoming connections. On the client side, use nc MACHINE_IP PORT to connect to the server. Once connected, text typed on one side is transmitted to the other. Netcat's support for both TCP and UDP connections makes it a valuable tool for network testing and troubleshooting.

Activity’s Example Execution.

Key Points:

1. The -p option must be placed immediately before the port number you wish to listen on.

2. The -n option disables DNS lookups and associated warnings.

3. Port numbers below 1024 require root privileges to listen on.

Example of Netcat Execution.

Note: Remember to check that you're using the correct machine, and always terminate it after using it! The commands will not work properly if you're not using the right machine.

TRYHACKME QUESTION:

Q. Start the VM and open the AttackBox. Once the AttackBox loads, use Netcat to connect to the VM port 21. What is the version of the running server?

A. 0.17
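Both the Telnet and the Netcat tasks end with reading a product name and version out of whatever the service sends back. The following added example (not from the original write-up) parses such banners so you can check what your own servers disclose. The sample banners are constructed, and `ExampleFTPd`, the hostname and the `(Debian)` suffix are placeholders rather than values from the room.

```python
import re

# "Product/1.2.3" or "Product 1.2.3": the form most service banners use.
_PRODUCT_VERSION = re.compile(r"\b([A-Za-z][\w.+-]*)[/ ]v?(\d+(?:\.\d+)+)")

# Constructed samples: an HTTP reply as seen over telnet, the same server with
# version tokens suppressed, and an FTP-style greeting as seen over nc.
SAMPLE_HTTP = (b"HTTP/1.1 400 Bad Request\r\nDate: Sat, 31 Aug 2024 10:00:00 GMT\r\n"
               b"Server: Apache/2.4.61 (Debian)\r\nContent-Length: 0\r\n\r\n")
SAMPLE_HARDENED = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
SAMPLE_FTP = b"220 ftp.example.test FTP server (ExampleFTPd 0.17) ready.\r\n"


def parse_banner(raw: bytes) -> dict:
    """Extract protocol family, product and version from a service banner."""
    lines = raw.decode("latin-1").splitlines()
    result = {"protocol": "unknown", "product": None, "version": None}
    if not lines:
        return result
    if lines[0].startswith("HTTP/"):
        result["protocol"] = "http"
        for line in lines[1:]:
            if not line:  # a blank line ends the header block
                break
            name, _, value = line.partition(":")
            if name.strip().lower() != "server":
                continue
            match = _PRODUCT_VERSION.search(value)
            if match:
                result["product"], result["version"] = match.groups()
            elif value.split():  # product only, e.g. "Server: Apache"
                result["product"] = value.split()[0]
    elif re.match(r"\d{3}[ -]", lines[0]):  # FTP/SMTP-style "220 ..." greeting
        result["protocol"] = "greeting"
        match = _PRODUCT_VERSION.search(lines[0][4:])
        if match:
            result["product"], result["version"] = match.groups()
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_HARDENED, SAMPLE_FTP):
        print(parse_banner(sample))
```

A banner that parses with `version` set to `None`, as the second sample does, is what a server configured to hide its version string returns.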

What have we learned?

Gathering information through direct interaction with systems is a key aspect of active reconnaissance. By utilizing Developer Tools and extensions, web browsers can aid in cybersecurity investigations. The ping program is used to test network connectivity, while traceroute displays the path and intermediate hops to a destination, although paths may vary. While TELNET allows for basic interactions with TCP-based services, it is considered unsafe due to its clear text communication. Netcat (nc) is a versatile program that supports TCP and UDP connections, enabling users to connect to or listen on ports, retrieve banners, and facilitate client-server communication. Each of these methods is essential for effective penetration testing and network analysis.

THE END.
