Week 2 – Scanning, Enumeration, and Back to Basics
The second week in my quest to become an ethical hacker is complete! With 11 hours of study time logged, this was a very productive week that touched a lot of different areas.
If you’re not sure why I’m posting this, take a look back at my original post, Investing a Year in Ethical Hacking where I detail my plan to invest 416 hours in 2017 to learn ethical hacking. Current progress: 20 / 416.
The hours are starting to add up and this is only week 2 of 52. I can’t wait to keep going and I hope you will join me!
As you know by now, I am a big fan of going SLOWLY through this content to really understand it. That is why I am still working on scanning here in week 2.
Some of the scans like the Null scan and Xmas scan don’t work against Windows systems. I tried scanning my Kali Linux system but since it is a locked-down OS for penetration testing, it doesn’t respond to anything. I don’t want to just skip this part and memorize the information without ever using it!
So I researched different Linux distributions and decided to download and build a CentOS 7 system since it is basically the same OS as Red Hat, only CentOS is free. After getting it installed, I got to run some scans against it and watch the magic happen. An interesting result I found is the difference in default ports that are open for Windows (firewall off) vs. Linux. Linux only has SSH open while Windows has ports for SMB and NetBIOS open.
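The Null and Xmas scans mentioned above are easy to spot from the receiving side, because their TCP flag combinations never occur in a normal connection. As an added example, written for this post rather than taken from it or from any scanning tool, here is a small Python classifier that runs over constructed firewall-style log lines (the `key=value` format is an assumption, not any product's real output) and counts NULL, Xmas and FIN probes per source address. The comments also record why these probes tell a scanner nothing about a Windows host.

```python
"""Classify TCP probe types from firewall-style log lines (added example)."""
from collections import Counter
import re

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed sample lines in a simplified "key=value" log format.
# The addresses and format are made up for this example.
SAMPLE_LOG = """\
src=10.0.0.5 dst=10.0.0.20 dport=22 flags=0x00
src=10.0.0.5 dst=10.0.0.20 dport=80 flags=0x00
src=10.0.0.5 dst=10.0.0.20 dport=139 flags=0x29
src=10.0.0.7 dst=10.0.0.20 dport=443 flags=0x02
src=10.0.0.7 dst=10.0.0.20 dport=443 flags=0x10
src=10.0.0.5 dst=10.0.0.20 dport=445 flags=0x29
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(0x[0-9a-fA-F]+)")


def classify_flags(flags):
    """Name the probe type implied by a TCP flag byte.

    On an RFC 793 stack a closed port answers NULL/Xmas/FIN probes with RST
    and an open port stays silent, which is what makes the scan informative.
    Windows answers RST for every port regardless of state, so the same
    probes reveal nothing there; the log entries still look identical.
    """
    if flags == 0:
        return "NULL"            # no flags set at all
    if flags == FIN | PSH | URG:
        return "XMAS"            # FIN + PSH + URG, "lit up like a tree"
    if flags == FIN:
        return "FIN"             # lone FIN with no prior handshake
    if flags == SYN:
        return "SYN"             # ordinary connection attempt
    return "OTHER"


def count_probes(log_text):
    """Return {(src, probe_type): count} for the abnormal probe types only."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines in another format
        src, _dst, _dport, flags = m.groups()
        kind = classify_flags(int(flags, 16))
        if kind in ("NULL", "XMAS", "FIN"):
            counts[(src, kind)] += 1
    return counts


if __name__ == "__main__":
    for (src, kind), n in sorted(count_probes(SAMPLE_LOG).items()):
        print(f"{src} sent {n} {kind} probe(s)")
```

Ordinary SYN/ACK traffic is deliberately left out of the count, so a single source showing any NULL or Xmas entries is already a strong signal rather than something to threshold.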
I also ventured outside my isolated lab to do some careful testing on the real internet. HackThisSite.org is a wonderful resource which gives anybody a free pass to try basically anything as long as it is non-destructive. Keep reading to see what I found this week…
The first step was to get the IP address(es) associated with the site using NSLookup.
This is pretty basic but I did find some interesting IPv6 info that was new to me. From Cisco, “IPv4-compatible IPv6 address—Used to establish an automatic tunnel to carry IPv6 packets over IPv4 networks.” Check it out here: https://t.co/d2KvdLyfF8
Another really interesting learning experience this week was finding the difference between tracert (the Windows native trace route tool) and traceroute (the Linux native trace route tool).
When tracing the route to hackthissite.org, the response was... nothing. Just * * * for every hop. I guess none of the hops along the way are configured to respond to the ICMP echo requests that are used by Windows tracert.
Traceroute uses TCP though, not ICMP, and the difference is HUGE! As you can see below, 16 out of 18 hops were successfully identified! I have a new favorite scanning tool! And I’m starting to see why everyone loves Linux so much. The screenshot below is actually from Nmap though.
But wait, there’s more!
After using NSLookup to find out what addresses are associated with HackThisSite.org, I used http://arin.net to look up the IP address range. What I found was actually pretty interesting. The addresses listed in DNS do not include all of the addresses shown in the range by arin.net. Some of this is because the range is used by other websites. But there were also quite a few other HackThisSite.org servers (identified using ping <ip> -a to reverse lookup the name) not listed in the A records shown above.
In a real-world scenario, I can see how this could potentially lead to finding test servers or systems that weren’t supposed to be connected to the internet with a public IP.
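The same comparison is just as useful from the owner's side: walking your own allocated range and reverse-resolving every address that is not in your published A records is a quick way to find a forgotten test box before someone else does. Here is an added Python example (not code from the original post) that does exactly that. The range, A records and PTR answers are constructed sample data, not HackThisSite.org's real addresses, and the reverse lookup is a fake table so the script runs offline; `real_reverse_lookup` shows the drop-in replacement using the standard library.

```python
"""Reconcile an allocated IP range against DNS A records (added example)."""
import ipaddress
import socket

# Constructed sample data: a /28 as a registry lookup might report it, the
# A records published for the site, and a fake PTR table standing in for
# reverse lookups. None of these are real addresses or hostnames.
ALLOCATED_RANGE = "198.51.100.0/28"
DNS_A_RECORDS = {"198.51.100.2", "198.51.100.3"}
FAKE_PTR_TABLE = {
    "198.51.100.2": "www.example-site.test",
    "198.51.100.3": "www.example-site.test",
    "198.51.100.5": "staging.example-site.test",   # not in the A records
    "198.51.100.9": "unrelated-host.other.test",   # another tenant of the range
    "198.51.100.11": "dev.example-site.test",      # not in the A records
}


def fake_reverse_lookup(ip):
    """Offline stand-in for a PTR query; returns None when no name exists."""
    return FAKE_PTR_TABLE.get(ip)


def real_reverse_lookup(ip):
    """What you would pass instead of fake_reverse_lookup on a live network."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # covers socket.herror / socket.gaierror
        return None


def unlisted_hosts(cidr, a_records, reverse_lookup, domain_suffix):
    """Return {ip: name} for every host address in cidr that reverse-resolves
    into domain_suffix but is absent from the published A records.

    Addresses that belong to other tenants of the range (different suffix)
    or have no PTR record at all are ignored.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    found = {}
    for addr in net.hosts():                 # skips network/broadcast addresses
        ip = str(addr)
        if ip in a_records:
            continue                         # already known, nothing to report
        name = reverse_lookup(ip)
        if name and name.endswith(domain_suffix):
            found[ip] = name
    return found


if __name__ == "__main__":
    report = unlisted_hosts(ALLOCATED_RANGE, DNS_A_RECORDS,
                            fake_reverse_lookup, "example-site.test")
    for ip, name in sorted(report.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:<16} {name}   (not in A records)")
```

Matching on the domain suffix is what separates "our servers that DNS forgot" from the unrelated tenants the post mentions sharing the same block; on a real range you would expect a few of each.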
After scanning a target, it is time to dig deeper and enumerate its services.
Here is the result of a basic NetBIOS enumeration from the local machine. I’m really not sure why MSBrowse has emoticons…
I just scratched the surface here before I got stuck in the PluralSight video series because I skipped steps during setup...whoops! I will certainly build onto the lab and explore on my own but, to get the most out of the videos, I'm trying to follow the rules...for now. So I finished my week by going back and building a new system and re-configuring a couple of others.
I can’t stress enough how cool it is to explore and play with learning material that is really interesting. Whether it is hacking, email, or networking…do what you love.
Are you preparing for the CEH exam? If so, I’d love to hear about any scanning or enumeration “gems” you have found. Anything unexpected? Post in comments below.