Information Gathering Penetration Testing


Introduction

In a penetration testing process, the information gathering stage is one of the most crucial phases. This lab focuses on introducing the usage of tools for obtaining information. The more information you gather about the target host, the higher the success rate of the penetration test. In the Kali system, some penetration tools are pre-installed. By using these tools, you will gradually become familiar with the basic steps of gathering information.

This course is a hands-on lab tutorial. To help understand some operations in the lab, some information security theory content will be added, and the most worthwhile articles will be recommended for you to read while practicing.



Scan Open Ports on the Target Host

In this step, we will introduce how to use tools to scan the open ports on the target host.

In the penetration testing process, it is necessary to understand the open ports on the target host. In Kali Linux, two default port scanning tools are provided: Nmap and Zenmap. We will mainly introduce the usage of these two tools.

First, let's start the lab environment. The host machine is Ubuntu (the desktop you are currently connected to), with Docker and QEMU virtual environments installed. They provide platform support for the Kali Linux container and the Metasploitable2 target machine, respectively.

On the LabEx host machine, double-click the xfce terminal on the desktop and start Metasploitable2 by entering the following command in the terminal:

sudo virsh start Metasploitable2

Ping the target machine to ensure it's running (press Ctrl-C to exit ping):

ping 192.168.122.102

Now, let's start the Kali container and enter its bash interface:

docker run -ti --network host b5b709a49cd5 bash

Inside the container, execute the ping operation to verify network connectivity (press Ctrl-C to exit ping):

ping 192.168.122.102

Now both lab environments are started, and we can begin the penetration testing.

Note: If you accidentally exit the current bash, the Kali container will automatically stop. You can execute the docker run -ti --network host b5b709a49cd5 bash command again on the host machine to start a new Kali container and enter bash to continue with the lab operations.

TCP Port Scanning Tool: Nmap

Nmap is a network exploration and security scanning program. System administrators and individuals can use this software to scan large networks and obtain information about which hosts are running and what services they are providing.

Nmap supports many scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open scanning), FTP proxy (bounce attack), idle scan, ICMP, FIN, ACK scan, Xmas Tree, and Null scan.

Nmap includes four basic functions:

  • Host Discovery
  • Port Scanning
  • Version Detection
  • Operating System Detection

Use the nmap tool and enter the following command to perform a port scan and obtain information about the open ports on the target machine:

nmap 192.168.122.102

Zenmap: A Graphical User Interface for Nmap

Zenmap is an official graphical user interface based on Nmap, developed by the Nmap project. Zenmap is an open-source and free graphical interface written in Python, which can run on different operating system platforms (Windows/Linux/Unix/Mac OS, etc.). Zenmap aims to provide a simpler operation method for Nmap. Common operations can be saved as profiles, and users can select a profile during scanning, making it convenient to compare different scan results. It also provides a graphical display of the network topology.

Note: The LabEx environment uses the Kali container, so the graphical interface cannot be used at the moment.

Obtain Basic Information About the Target Host

In this step, we will practice how to use tools to obtain basic information about the target host, such as the operating system.

At this stage, we need to collect as much basic information as possible about the target host's operating system. This will increase the success rate of the penetration test. Information gathering here means fingerprinting, and active fingerprinting uses tools such as nmap with the -O and -sV parameters. Fingerprinting, although it sounds advanced, is simply identifying the target host's operating system version and application version to help us further detect vulnerabilities at the operating system and application levels.

Active Fingerprinting Tools

In the Kali terminal, execute the following command to obtain the operating system of the target host. The target machine's IP address is 192.168.122.102:

nmap -O 192.168.122.102

To obtain the port service information of the target host, use the following command:

nmap -sV 192.168.122.102

Passive Fingerprinting Tools

Passive fingerprinting tools, such as p0f, do not send specific probing data to the target but passively receive and analyze data. Because they send no probes of their own, they are generally undetectable.

p0f is powerful in network analysis and can be used to analyze NAT, load balancing, application proxies, and more.

The main information identified by p0f includes:

  • Operating system type, port
  • Whether running in NAT mode
  • Whether running behind a firewall
  • Whether running in load balancing mode

In the Kali terminal, execute the command to use p0f to view the target host:

p0f 192.168.122.102

Stealthy Scan (TCP Half-Open Scan)

In the Kali terminal, execute the command to perform a stealthy scan:

nmap -sS 192.168.122.102

The advantage of this method is that it is difficult to detect: the TCP handshake is never completed, so it generally does not leave a record on the target computer.

TCP Connect Scan

In the Kali terminal, execute the command to perform a TCP connect scan:

nmap -sT 192.168.122.102

This type of scan will be recorded by most systems, but it can provide more information than a stealthy scan.
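
The difference between the two scan types as seen from the defender's side, as an added example that is not part of the original lab: the code labels each connection attempt captured at the target's interface and reports sources that probe several ports, together with the scan style. The packet tuples, the function names and the sample traffic generator are assumptions made for illustration.

```python
from collections import defaultdict

# Added example: packet tuples and function names are illustrative assumptions.
TARGET = "192.168.122.102"  # lab target address used on this page

def classify_handshakes(packets, target=TARGET):
    """Label each connection attempt seen at the target's interface.
    packets: (src, sport, dst, dport, flags), flags in S, SA, A, R, RA."""
    flows = defaultdict(lambda: {"c": [], "s": []})
    for src, sport, dst, dport, flags in packets:
        if dst == target:    # client -> target
            flows[(src, sport, dport)]["c"].append(flags)
        elif src == target:  # target -> client, keyed the same way
            flows[(dst, dport, sport)]["s"].append(flags)
    labels = {}
    for key, f in flows.items():
        if "S" not in f["c"]:
            continue                        # not a new connection attempt
        if "SA" not in f["s"]:
            labels[key] = "closed"          # refused or no answer
        elif "A" in f["c"]:
            labels[key] = "completed"       # handshake finished: service sees it
        else:
            labels[key] = "half_open"       # SYN/ACK never acknowledged
    return labels

def detect_scans(packets, min_ports=3):
    """Return {source: (style, ports)} for sources probing >= min_ports ports."""
    seen = defaultdict(lambda: {"ports": set(), "half_open": 0, "completed": 0, "closed": 0})
    for (src, _sport, dport), label in classify_handshakes(packets).items():
        seen[src]["ports"].add(dport)
        seen[src][label] += 1
    report = {}
    for src, s in seen.items():
        if len(s["ports"]) >= min_ports:
            style = ("syn_half_open" if s["half_open"] > s["completed"]
                     else "tcp_connect" if s["completed"] else "undetermined")
            report[src] = (style, sorted(s["ports"]))
    return report

def sample_scan(src, ports_open, ports_closed, finish):
    """Constructed traffic: finish=["R"] mimics -sS, ["A", "RA"] mimics -sT."""
    pk = []
    for i, port in enumerate(ports_open + ports_closed):
        up = port in ports_open
        pk.append((src, 40000 + i, TARGET, port, "S"))
        pk.append((TARGET, port, src, 40000 + i, "SA" if up else "RA"))
        pk += [(src, 40000 + i, TARGET, port, fl) for fl in finish if up]
    return pk
```

A half-open attempt never reaches the listening service, so service logs stay empty, but the unanswered SYN/ACK is still visible to a packet-level monitor such as this one.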

Obtain Network Service Information of the Target Site

In this step, we will obtain the network service information provided by the target site.

Obtain Network Service Information

Collecting more information about the target host's network services will help increase the success rate of the penetration test.

Open the Firefox browser and enter http://192.168.122.102 in the address bar. If everything goes well, the web page served by the target host will load.

Scan Specific Ports on the Target Host with amap

amap is used to scan specific ports on a host. In the LabEx Kali terminal, enter the command to scan port 21 on the target host:

amap -bqv 192.168.122.102 21

User Enumeration with smtp-user-enum

The smtp-user-enum tool is mainly used for SMTP user enumeration. In the LabEx Kali terminal, enter the command to enumerate SMTP users:

smtp-user-enum -M VRFY -u root -t 192.168.122.102

Summary

In this lab, we have practiced using various common security tools to gather information about the target host, covering the following knowledge points:

  • Using tools to scan the open ports on the target host
  • Obtaining basic information about the target host, such as the operating system
  • Obtaining network service information provided by the target site
  • Analyzing the collected information to identify potential attack vectors

Throughout the lab, we have learned how to use different tools for gathering information, which is a crucial step in the penetration testing process. By mastering these tools and techniques, we can increase the success rate of the penetration test by collecting more valuable information about the target host.
