Active Reconnaissance | TryHackMe (THM)

Aircon
12 min read · May 21, 2022


Lab Access: https://tryhackme.com/room/activerecon

Active Recon — Active reconnaissance is the polar opposite of passive reconnaissance: it requires some form of direct “contact” with the target.

  • Example #1: It can be a phone call or a visit to the target organization under the guise of gathering further information, which is frequently done as part of social engineering.
  • Example #2: It can be a direct connection to the target system, such as visiting their website or checking whether their firewall has an open SSH port.

It’s comparable to carefully examining windows and door locks. As a result, it is critical to remember not to engage in active reconnaissance operations until the client has given legal authorisation.

However, active recon may leave some form of “footprint” behind in the target’s logs, such as:

- your IP address
- the time of the connection
- the duration of the connection

Even so, not every connection looks suspicious, because it is feasible to disguise your active reconnaissance as ordinary client activity.

Here’s why:

  • Nobody would suspect a browser connected to a target web server amid hundreds of other genuine users, and we can use this to our benefit when operating as part of the red team (attackers) and do not want to alert the blue team (defenders).

Active Recon Tools in Terminal:

- ping
- traceroute
- telnet

[Question 1.1] Ensure that you understand why these tools fall under active reconnaissance. Launch your AttackBox and ensure that it is ready. You will need it to answer the questions, especially in later tasks.

Answer: No answer is needed.

A “Web Browser” can be used to obtain information about a target in a range of ways.

On the transport level, the browser connects to:

1) TCP port 80 by default when the website is accessed over HTTP
2) TCP port 443 by default when the website is accessed over HTTPS

Because 80 and 443 are HTTP and HTTPS default ports, the web browser does not display them in the address bar.

However, custom ports can be used to access a service.

Example: https://127.0.0.1:8834/ will establish an HTTPS connection to 127.0.0.1 (localhost) at port 8834. We will receive a web page if an HTTPS server is listening on that port.

If you are using Firefox or Google Chrome, one of the best tools within the web browser is undoubtedly “Inspect” (the Developer Tools).

1st - Right-click on the web page
2nd - Select "Inspect"

There are also numerous Firefox and Chrome add-ons that can aid with penetration testing.

Here are several examples:

  • FoxyProxy: Lets you quickly change the proxy server you use to reach the target website. This browser plugin is useful if you use a tool like Burp Suite or need to swap proxy servers frequently.
  • User-Agent Switcher and Manager: Lets you pretend to be visiting the webpage from a different operating system or web browser. In other words, you can pretend to be surfing a website on an iPhone while actually accessing it through Mozilla Firefox.
  • Wappalyzer: Provides information on the technologies employed on the websites you visit. This type of plugin is useful, especially because it collects all of this information while you browse the website like any other user.

[Question 2.1] Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions.

Answer: 8

Ping — Similar to “ping-pong (table tennis),” the primary objective is to see whether you can reach the remote system and if the remote system can reach you back. Although the immediate intention is to check “network connectivity,” the ultimate objective is to confirm that the “target machine” is online before we spend time performing more extensive scans to determine its operating system and the services it is running.

Technical Perspective: The ping command transmits an ICMP Echo Request to a remote system. If the remote system is online and the packet was properly routed and not blocked by a firewall, it responds with an ICMP Echo Reply. Likewise, the reply must itself be properly routed and not blocked by a firewall before it reaches the first system.

In terminal, use the following method:

ping <domain_name>
example: ping tryhackme.com

If you need to ping a specified number of times (a “count”), use the option below:

  • -c (Linux/macOS) or -n (Windows) = count

Linux or macOS: ping -c 10 <domain_name>
Windows: ping -n 10 <domain_name>

The picture below displays the “average” response time after five attempts to ping the target machine.

ping -c 5 <domain_name / IP address>

Here’s an example after I’ve shut down the “target” virtual machine provided by TryHackMe.

In general, if we do not receive a ping response, there are a few possibilities, such as:

  1. The destination machine is not responding; it is either still booting, has been turned off, or its operating system has crashed.
  2. It has been disconnected from the network, or there is a defective network device on its route.
  3. Such packets are blocked by a firewall. The firewall could be software running on the machine or a standalone network device. It should be noted that the Microsoft Windows firewall blocks ping by default.
  4. Your machine has been disconnected from the network.
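To make the ICMP layout behind ping’s -s option and the 8-byte header concrete, here is an added Python example (not part of the room or this write-up) that builds an Echo Request with a correct RFC 1071 checksum and reports the sizes ping prints; it only constructs the packet bytes and does not send anything.

```python
import struct

ICMP_ECHO_REQUEST = 8  # ICMP type 8 (Echo Request), code 0
ICMP_HEADER_LEN = 8    # type(1) + code(1) + checksum(2) + identifier(2) + sequence(2)
IP_HEADER_LEN = 20     # minimal IPv4 header (no options)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, data_size: int = 56) -> bytes:
    """Build an ICMP Echo Request; data_size plays the role of ping's -s option (56 is Linux's default)."""
    payload = bytes(i & 0xFF for i in range(data_size))   # constructed filler bytes
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)  # checksum field zeroed first
    checksum = icmp_checksum(header + payload)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum, ident, seq)
    return header + payload


def verify_checksum(packet: bytes) -> bool:
    """A correctly checksummed ICMP message sums to zero under the same algorithm."""
    return icmp_checksum(packet) == 0


def wire_sizes(data_size: int) -> dict:
    """Sizes you see in ping output: ICMP message length and full IPv4 packet length."""
    icmp_len = ICMP_HEADER_LEN + data_size
    return {"icmp": icmp_len, "ip": IP_HEADER_LEN + icmp_len}


if __name__ == "__main__":
    pkt = build_echo_request(ident=0x1234, seq=1)
    print(len(pkt), verify_checksum(pkt), wire_sizes(56))
```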

[Question 3.1] Which option would you use to set the size of the data carried by the ICMP echo request?

Answer: -s

[Question 3.2] What is the size of the ICMP header in bytes?

Answer: 8

[Question 3.3] Does MS Windows Firewall block ping by default? (Y/N)

Answer: Y

[Question 3.4] Deploy the VM for this task and, using the AttackBox terminal, issue the command ping -c 10 MACHINE_IP. How many ping replies did you get back?

  • Because the option “-c” is set to a count of “10,” the answer is 10 based on the configuration.

Answer: 10

Traceroute — The intention is to practically “trace” the “route” that packets take from your machine to another host. Its purpose is to determine the IP addresses of the routers or hops that a packet passes through on its way from your machine to a target host.

  • It shows the number of routers that connect the two systems.
  • It tells how many hops (routers) there are between your system and the target host.

Note: Because many routers employ dynamic routing protocols that react to network changes, the packets’ path may change.

Use the following terminal command:

Linux and macOS: traceroute <domain_name>
Windows: tracert <domain_name>

There is no direct way to discover the path from your machine to a target system; instead, traceroute uses ICMP to “trick” routers into exposing their IP addresses.

It works by setting a small Time To Live (TTL) in the IP header; each router that receives the packet decrements the TTL by one before forwarding it to the next router.

TTL (the T stands for Time) indicates the maximum number of routers/hops that a packet can pass through before being dropped.

As you can see in the graphic below, each hop causes the TTL to decrease by 1.

If the TTL hits zero, the communication is dropped, and an ICMP Time-to-Live exceeded message is issued to the original sender.

The system in the image below set TTL to 1 before sending it to the router. The TTL is subtracted by 1 at the first router on the path, resulting in a TTL of 0.

As a result, the packet will be discarded and an ICMP time exceeded in-transit error message will be sent by this router.

On Linux, traceroute will begin by transmitting UDP datagrams within IP packets with TTL=1, causing the first router to meet a TTL=0 and respond with an ICMP Time-to-Live exceeded.

So a packet with TTL=1 reveals the IP address of the first router, a packet with TTL=2 is dropped at the second router (revealing that one), and so on.

Note: We may see that different runs may result in distinct packet pathways.

In the illustration above:

  • Each line corresponds to one router/hop.
  • Three packets are sent for each hop, which is why each line shows three “ms” values.
  • Each “ms” value is the time in milliseconds it took that response to reach our machine.
  • Depending on the network topology and the path each packet takes, a single line may show responses from up to three different routers.

The above graphic shows two stars (* *), indicating that our system did not receive two of the expected ICMP time exceeded in-transit messages.

To summarize, we can notice the following:

  1. The number of hops/routers between your machine and the target system depends on the time at which you run traceroute.
  2. Even if you are on the same network or repeat the traceroute command in a short period of time, there is no guarantee that your packets will always take the same route.
  3. Some routers will respond with a public IP address. Depending on the complexity of the intended penetration testing, you might explore a couple of these routers.
  4. Some routers do not respond.
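As an added example that is not part of the room, the following Python parser reads traceroute output (a constructed sample using documentation IP ranges) and answers the kinds of questions this section asks: which router answered last before the target, how many routers sit in between, which probes were lost, and where several routers answered on one line.

```python
import re

# Constructed traceroute output using documentation IP ranges; not a real capture.
TRACEROUTE_SAMPLE = """\
traceroute to example.com (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.204 ms  1.100 ms  1.050 ms
 2  10.0.0.1 (10.0.0.1)  8.512 ms  8.301 ms  8.745 ms
 3  * * *
 4  r1.isp.example (198.51.100.7)  20.110 ms r2.isp.example (198.51.100.8)  19.870 ms  20.005 ms
 5  203.0.113.10 (203.0.113.10)  25.310 ms * 25.400 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                       # "<hop number>  <rest>"
RESPONDER_RE = re.compile(r"(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")   # "hostname (ip)"
RTT_RE = re.compile(r"([\d.]+)\s+ms")


def parse_traceroute(text):
    """One dict per hop: hop number, responding router IPs (can be several), RTTs, lost probes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                                  # the "traceroute to ..." header line
            continue
        rest = m.group(2)
        ips = []
        for _host, ip in RESPONDER_RE.findall(rest):
            if ip not in ips:
                ips.append(ip)
        hops.append({"hop": int(m.group(1)), "ips": ips,
                     "rtts": [float(x) for x in RTT_RE.findall(rest)],
                     "lost": rest.count("*")})     # probes with no Time Exceeded reply
    return hops


def routers_before_target(hops, target_ip):
    """Hops preceding the line where the target itself answered (what a Q4.3-style count wants)."""
    for i, h in enumerate(hops):
        if target_ip in h["ips"]:
            return hops[:i]
    return hops                                    # target never answered: every hop is a router


def last_router_before_target(hops, target_ip):
    """IP of the last router that answered ahead of the target (the Q4.1/Q4.2-style question)."""
    answered = [h for h in routers_before_target(hops, target_ip) if h["ips"]]
    return answered[-1]["ips"][-1] if answered else None   # last responder on that line
```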

[Question 4.1] In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com?

Answer: 172.67.69.208

[Question 4.2] In Traceroute B, what is the IP address of the last router/hop before reaching tryhackme.com?

Answer: 104.26.11.229

[Question 4.3] In Traceroute B, how many routers are between the two systems?

Answer: 26

[Question 4.4] Start the attached VM from Task 3 if it is not already started. On the AttackBox, run traceroute MACHINE_IP. Check how many routers/hops are there between the AttackBox and the target VM.

Even though it does not require an answer, it is worthwhile to experiment and discover that the answer is 2.

Answer: No answer is needed

TELNET (Teletype Network) — A protocol for communicating with a remote system through a command-line interface (CLI); hence, the TELNET protocol was traditionally used for remote administration.

Default Port: 23

In terms of security, telnet transmits all data, including users and passwords, in cleartext.

  • “Cleartext” means anybody can read it, so anyone with access to the communication channel can steal the login credentials.

Secure Alternative: SSH (Secure Shell) Protocol

Although telnet is no longer a “great” choice for remote administration, it is still useful for other purposes because it is based on the “TCP” protocol (3-way handshake): we can use Telnet to connect to any TCP-based service and retrieve its banner. That is, unless the service uses encryption, we can connect to it and exchange a few messages.

Scenario:

  • Suppose we want to learn more about a web server that is listening on port 80.
  • We connect to the server via port 80 and then use the HTTP protocol to interact.
  • You don’t need to understand the HTTP protocol in depth; simply issue GET / HTTP/1.1.
  • To request a page other than the default index page, use GET /page.html HTTP/1.1, which will fetch page.html.
  • The HTTP/1.1 part tells the remote web server that we want to communicate using HTTP version 1.1.
  • To get a valid response rather than an error, provide some value for the Host header (host: example) and press Enter twice. Following these steps will return the intended index page.

[Question 5.1] Start the attached VM from Task 3 if it is not already started. On the AttackBox, open the terminal and use the telnet client to connect to the VM on port 80. What is the name of the running server?

Answer: Apache

[Question 5.2] What is the version of the running server (on port 80 of the VM)?

  • Refer to the image above.

Answer: 2.4.10

In practice, “netcat” may be one of the most regularly utilized, as we may want to use it to gain a “reverse shell” from the target.

Netcat “nc” — It can function as a client that connects to a listening port or as a server that listens on a port of your choice.

  • It supports both “TCP” and “UDP” protocols.

Connect to a server: nc <domain_name or IP address> <port>

Method:

1st — nc <IP address> <Port>
2nd — Paste GET / HTTP/1.1
3rd — Paste host: netcat
4th — Press SHIFT+ENTER

The graphic above illustrates the exact steps taken in accordance with the instructions above.
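The telnet scenario and the netcat steps above are the same exchange over a raw TCP socket; this added Python example (not code from the room or this write-up) sends that exact request, pulls the Server header out of the response, and runs it against a constructed loopback server standing in for the lab VM (the DemoHTTPD/0.1 banner is made up).

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_request(path="/", host="example"):
    """The bytes you type into telnet/nc: request line, Host header, then an empty line."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def parse_server_header(response):
    """Server header value (e.g. 'Apache/2.4.10') from a raw HTTP response, or None if absent."""
    head = response.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode(errors="replace")
    return None


def grab_banner(host, port, timeout=5.0):
    """Plain TCP connect (what telnet/nc do), send the request, read the headers, extract Server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host=host))
        data = b""
        while b"\r\n\r\n" not in data:            # stop once the header block is complete
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_header(data)


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the lab VM: announces a made-up Server banner."""
    server_version = "DemoHTTPD/0.1"
    sys_version = ""
    def do_GET(self):
        self.send_response(200)                    # send_response also emits the Server header
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):
        pass


def demo():
    """Run the stand-in server on a loopback port and grab its banner the telnet way."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return grab_banner("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
```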

On the server system, you can use nc -lp 1234 or, better yet, nc -vnlp 1234, which is similar to nc -v -l -n -p 1234.

Personal Preference: nc -lvnp 1234

Notes:

  • The option -p should appear just before the port number you want to listen on.
  • The option -n avoids DNS lookups and warnings.
  • Port numbers less than 1024 require root privileges to listen on.

On the client side, you would issue nc <ip address> <port>. Here is an example of using nc to echo. After you successfully establish a connection to the server, whatever you type on the client side will be echoed on the server side and vice versa.

Consider the following scenario:

We will listen on port 1234 on the server. This can be accomplished using the command nc -vnlp 1234 (same as nc -lvnp 1234).

  • Because the listening server in our example has the IP address 10.10.154.179, we may connect to it from the client by running nc 10.10.154.179 1234.
  • This configuration will echo whatever you type on one side of the TCP connection to the other.

Client side (we initiate the connection): nc <ip address> <port>
Server side (we listen and the other party connects to us): nc -lvnp <port>

[Question 6.1] Start the VM and open the AttackBox. Once the AttackBox loads, use Netcat to connect to the VM port 21. What is the version of the running server?

nc <IP address> 21

Answer: 0.17

The images below summarize the items covered throughout the room; these are the “tools” that can be utilized for “Active Recon.”

[Question 7.1] Ensure that you gain mastery over the different basic yet essential tools we presented in this room before moving on to more sophisticated tools.

Answer: No answer is needed.

CONCLUSION

There is no doubt that this room is filled with information about “Active Recon,” named for the idea that we must actively “connect” to the target. It also proves a point: doing so may tip off the “victim,” but if we camouflage ourselves among ordinary “guest” traffic, we are somewhat “safe.”

However, we can never be completely safe. Nonetheless, the information given is rich with practical understanding of how we might obtain particular information, such as by using “traceroute” and “ping” to determine whether the victim is online, and “netcat” to connect to a service or act as a “server” in order to receive information.

Cheers! ◡̈
