Practicing Active Reconnaissance using various Techniques
In this story we explore the main techniques of active reconnaissance, including how to use tools such as traceroute, ping, telnet, netcat, and a web browser to gather information about a network, system, or service.
Active reconnaissance means connecting directly to the target to gather information. At its simplest this could be making a phone call, or connecting to the target's systems to check for weaknesses such as open ports. Because you touch the target directly, your activity can be logged and noticed. The safer alternative is passive reconnaissance, where you gather information about a target without connecting to its systems at all: reviewing public records, examining social media, or analyzing network traffic that is already openly available. (This activity can be done safely on TryHackMe through this link: https://tryhackme.com/r/room/activerecon)
Setup Requirements:
The activity requires a VM: either use the AttackBox, or, if you have a VM of your own, connect it to the TryHackMe network with OpenVPN. Follow the instructions below:
Start your VM, open a terminal, and run `sudo openvpn NameOfYourFile.ovpn`, where the .ovpn file is the configuration downloaded from your TryHackMe access page.
To check that the tunnel is up, run `ifconfig` (or `ip addr`) in your terminal. The VPN interface is usually named tun0, but the number varies if you already have other tunnels configured. The Access machine box at the top of the room page also lets you confirm that you are connected to the room, using the IP 10.10.10.10.
Exploring the different Tools Available for Active Reconnaissance
Method 1: Using Web Browser
Web browsers are handy tools for gathering information about a target system, especially through their Developer Tools. These tools let you:
- Monitor Network Activity: Check how the site communicates with its servers by looking at network requests and responses, including HTTP headers and data.
- Examine JavaScript: View and modify JavaScript files to find out how the site works and spot potential security issues.
- Inspect Cookies: Look at cookies to see how the site tracks users and manages sessions, which might reveal sensitive information or security gaps.
- Analyze Site Structure: Use the Elements tab to explore the HTML and CSS of a webpage, showing you the site’s layout and content.
The shortcut to open Developer Tools is Ctrl+Shift+I on Windows and Linux, and Option+Command+I on macOS. Because these tools only inspect what the browser has already loaded, they let you gather useful information without sending additional requests to the server or setting off security alerts, making them a safer and less intrusive way to learn about a target.
Here are some handy browser extensions for FireFox:
- FoxyProxy: Easily switch between proxy servers. Great for tools like Burp Suite.
- User-Agent Switcher and Manager: Change your browser's user-agent to appear as a different device or browser.
- Wappalyzer: Identifies technologies used by websites. Useful for tech insights.
Question: Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions.
Open Developer Tools (Ctrl+Shift+I), find the page's JavaScript file under the Debugger/Sources tab, and read the number of questions from it.
As you can see, there are 8 in total.
Method 2: Using Ping command
The `ping` command checks whether a remote system is online and reachable over the network. It sends an ICMP echo request to the target and waits for an ICMP echo reply. If the target system is up, the network path is working, and nothing in between filters ICMP, the target sends a reply back. This confirms that the system is available before you start more detailed checks to find out which operating system and services it is running.
In the following example, we set the packet count to 5 with `-c 5`. From the VM's terminal, we pinged MACHINE_IP and confirmed that the system is online and accepting ICMP echo requests. It also tells us that no firewall or router in the path is blocking these requests.
If we shut down the target virtual machine, the same command gets 0 replies. Note that the converse does not hold: a host that returns no replies may simply be dropping ICMP, as Windows Firewall does by default, so "no reply" is not proof that a host is down.
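The point above (zero replies does not prove a host is down) is worth scripting. The following is an added example written for this write-up in Python, not code from the TryHackMe room: it runs `ping -c` with a chosen `-s` data size, parses ping's closing summary (Linux and macOS word the line differently), and falls back to a TCP connect on a few common ports when ICMP gets nothing back. The sample ping output embedded at the bottom is constructed for testing the parser, not captured from the room, and the IP 10.10.133.147 is taken from the command list later in this story.

```python
"""Scripted host-liveness check built on ping, with a TCP fallback.

Added example for this write-up, not part of the TryHackMe room. It assumes
a Linux/macOS `ping` binary; the TCP fallback is for hosts that drop ICMP
(for example a default Windows Firewall), where ping alone says nothing.
"""
import re
import shutil
import socket
import subprocess

# Linux prints "5 packets transmitted, 5 received, 0% packet loss";
# macOS prints "5 packets transmitted, 5 packets received, 0.0% packet loss".
_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping_summary(output: str):
    """Return (sent, received) from ping's closing summary, or None if ping
    printed no summary at all (unknown host, bad option)."""
    m = _SUMMARY.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def ping(host: str, count: int = 5, size: int = 56, timeout: int = 30):
    """Run `ping -c count -s size host` and return (sent, received).

    size is the ICMP data length (-s); on the wire each request is
    size + 8 bytes of ICMP header + 20 bytes of IPv4 header.
    """
    if shutil.which("ping") is None:
        raise RuntimeError("ping binary not found")
    proc = subprocess.run(
        ["ping", "-c", str(count), "-s", str(size), host],
        capture_output=True, text=True, timeout=timeout,
    )
    # ping exits non-zero when replies are missing; the summary is still printed.
    return parse_ping_summary(proc.stdout)


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Fallback liveness test: a completed TCP handshake proves the host is up
    even when ICMP echo is filtered. A refused or timed-out connection only
    says that this particular port is not open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def host_is_up(host: str, fallback_ports=(80, 443, 22)) -> bool:
    """ICMP first; if ping cannot run or gets zero replies, try TCP."""
    try:
        result = ping(host, count=3)
    except (RuntimeError, subprocess.TimeoutExpired):
        result = None
    if result and result[1] > 0:
        return True
    return any(tcp_reachable(host, p) for p in fallback_ports)


# Constructed sample output (not captured from the room) to exercise the parser.
SAMPLE_LINUX = """PING 10.10.133.147 (10.10.133.147) 56(84) bytes of data.
64 bytes from 10.10.133.147: icmp_seq=1 ttl=63 time=10.2 ms
64 bytes from 10.10.133.147: icmp_seq=2 ttl=63 time=9.8 ms

--- 10.10.133.147 ping statistics ---
5 packets transmitted, 2 received, 60% packet loss, time 4052ms
"""
SAMPLE_MACOS = """--- 10.10.133.147 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
"""

if __name__ == "__main__":
    print(parse_ping_summary(SAMPLE_LINUX))   # (5, 2)
    print(host_is_up("10.10.133.147"))
```

The fallback ports are an assumption; pick ones you expect the target to expose. A successful TCP connect answers "is it up" but not "does it filter ICMP", which is why the two checks are kept separate.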
Questions:
Which option would you use to set the size of the data carried by the ICMP echo request? `-s`: `-s packetsize` specifies the number of data bytes to be sent (the default is 56, which becomes 64 ICMP bytes once the 8-byte header is added).
What is the size of the ICMP header in bytes? 8.
Does MS Windows Firewall block ping by default? (Y/N) Y.
Deploy the VM for this task and, using the AttackBox terminal, issue the command
`ping -c 10 MACHINE_IP`
How many ping replies did you get back? `-c` sets the count, so 10 echo requests are sent, and a reachable VM answers every one: 10.
Method 3: Using Traceroute
The `traceroute` command is designed to trace the path taken by packets from your system to a specified host. Its main purpose is to identify the IP addresses of the routers or hops that the packets pass through on their journey. By revealing the number of routers or hops between your system and the target host, `traceroute` helps in understanding the network path. However, it’s important to note that the route can vary because many routers use dynamic routing protocols that adjust to changes in the network.
`traceroute` works by sending packets with increasing TTL (Time-to-Live) values.
- Initially, it sends packets with TTL set to 1. When the packet reaches the first router, the TTL is decremented to 0, so the router discards it and sends back an ICMP "Time-to-Live exceeded" message. This lets `traceroute` identify the first router's IP address.
- The tool then sends packets with TTL set to 2, which are handled in the same way by the second router. Each router along the path sends an ICMP message back to `traceroute` when the TTL expires, revealing its IP address.
- This process continues with each packet having a higher TTL, allowing `traceroute` to map the entire route. It stops when the reply comes from the destination itself: on Linux the probes are UDP datagrams to an unlikely high port by default, so the destination answers with ICMP "port unreachable" rather than "TTL exceeded", which is how `traceroute` knows it has arrived.
Questions:
In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com?
In Traceroute B, what is the IP address of the last router/hop before reaching tryhackme.com?
In Traceroute B, how many routers are between the two systems?
Start the attached VM from Task 3 if it is not already started. On the AttackBox, run `traceroute MACHINE_IP` and check how many routers/hops there are between the AttackBox and the target VM. Remember that the final line of the output is the target itself, not a router.
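To make the TTL mechanism concrete, and to avoid the off-by-one in the "how many routers are between the two systems" questions, here is an added example in Python written for this write-up. It is not the traceroute binary's own code and not part of the room: `probe` and `traceroute` implement the classic recipe (UDP probes to port 33434 with an increasing TTL, a raw ICMP socket to catch the replies), which needs root for the raw socket; `summarize_route` is a pure helper that separates the routers in between from the endpoint. The route in `SAMPLE_ROUTE` is constructed, not a real trace.

```python
"""A minimal traceroute plus a helper that answers "how many routers sit
between me and the target" from a completed route.

Added example for this write-up, not part of the TryHackMe room and not the
traceroute binary's own code. It uses the classic approach: UDP probes to a
high port with increasing TTL, and a raw ICMP socket to catch the
"Time-to-Live exceeded" replies. The raw socket needs root (sudo)."""
import socket


def probe(dest_ip: str, ttl: int, port: int = 33434, timeout: float = 2.0):
    """Send one UDP probe with the given TTL and return the address of whoever
    answered with ICMP, or None on timeout (a silent hop, shown as * by traceroute)."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        recv.settimeout(timeout)
        send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        send.sendto(b"", (dest_ip, port))
        try:
            # The ICMP error comes from the router that dropped the probe. A real
            # tool would also match the quoted UDP header inside the ICMP payload
            # to ignore unrelated ICMP traffic; this teaching version does not.
            _, (addr, _) = recv.recvfrom(512)
            return addr
        except socket.timeout:
            return None
    finally:
        recv.close()
        send.close()


def traceroute(host: str, max_hops: int = 30):
    """Return a list of hop addresses (None for a silent hop). The list ends
    when the destination itself answers: its reply is ICMP "port unreachable"
    rather than "TTL exceeded", and its source address is the target."""
    dest_ip = socket.gethostbyname(host)
    hops = []
    for ttl in range(1, max_hops + 1):
        addr = probe(dest_ip, ttl)
        hops.append(addr)
        if addr == dest_ip:
            break
    return hops


def summarize_route(hops, dest_ip):
    """Split a completed route into the routers in between and the endpoint.

    Returns (router_count, last_router). The hop list's last entry is the
    destination itself, so it does not count as a router. Silent hops (None)
    are still routers; they just did not answer, so if the last router before
    the target was silent, last_router is None rather than an earlier hop."""
    if not hops or hops[-1] != dest_ip:
        raise ValueError("route did not reach the destination")
    routers = hops[:-1]
    return len(routers), (routers[-1] if routers else None)


# Constructed route (documentation-range addresses), not a real trace.
SAMPLE_DEST = "198.51.100.7"
SAMPLE_ROUTE = ["192.168.1.1", "10.0.0.1", None, "203.0.113.9", SAMPLE_DEST]

if __name__ == "__main__":
    print(summarize_route(SAMPLE_ROUTE, SAMPLE_DEST))   # (4, '203.0.113.9')
    # Needs root: sudo python3 this_file.py
    # route = traceroute("tryhackme.com"); print(summarize_route(route, socket.gethostbyname("tryhackme.com")))
```

Reading the constructed route the way the room's questions do: five lines of output, the last of which is the target, so four routers sit between the two systems, and the last router before the target is 203.0.113.9.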
Method 4: Using Telnet
TELNET (Teletype Network), developed in 1969, provides remote command-line access and listens on TCP port 23. It transmits everything, including usernames and passwords, in plain text, which makes it insecure as a remote-login tool; SSH (Secure SHell) is the secure alternative, as it encrypts the whole session. The telnet client remains useful, though, as a generic TCP client for talking to any plain-text service by hand.
To gather information from a web server listening on port 80, connect to it with telnet and speak HTTP yourself. For basic interaction, you can send a request using the following format:
- To request the default page, use: `GET / HTTP/1.1`
- To request a specific page, such as `page.html`, use: `GET /page.html HTTP/1.1`
In both cases you must include a `Host:` header with a value, like `Host: example`, since HTTP/1.1 requires it, and then press Enter twice: the empty line ends the request headers. The server then responds with the requested page (and its own headers, including `Server:`) instead of a `400 Bad Request` error.
Questions:
Start the attached VM from Task 3 if it is not already started. On the AttackBox, open the terminal and use the telnet client to connect to the VM on port 80. What is the name of the running server?
What is the version of the running server (on port 80 of the VM)?
To answer both questions I used the command `telnet IP_target 80`, and from there located the server.
Method 5: Netcat
Netcat, often abbreviated as `nc`, is a versatile tool useful for penetration testing. It supports both TCP and UDP protocols and can operate as either a client or a server. As a client, it connects to a specified port, while as a server, it listens on a chosen port. This makes Netcat a handy tool for simple network communication tasks.
Questions:
Start the VM and open the AttackBox. Once the AttackBox loads, use Netcat to connect to the VM port 21. What is the version of the running server?
It would be 0.17
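The telnet exchange (Task 5) and the netcat banner grab (Task 6) are the same technique: open a TCP connection, send raw bytes, read raw bytes. The following added example in Python, written for this write-up and not code from the room, does both from a script. `http_request` sends exactly what you would type into telnet, with or without the `Host:` header, and parses the status line and headers; `server_name_and_version` splits the `Server:` value; `grab_banner` reads whatever the service says first, as `nc host 21` shows. To run offline it starts two tiny constructed servers on loopback: the HTTP one returns 400 when `Host:` is missing, as a real HTTP/1.1 server does, and the `Server:` value and FTP greeting they send are made up, not the room's.

```python
"""Talking to plain-text services by hand, the way telnet and netcat do:
send raw bytes, read raw bytes.

Added example for this write-up, not the room's own code. The two probes are
generic; the tiny local servers are constructed so the script runs offline,
and the banner/header strings they return are made up, not the room's."""
import re
import socket
import threading


def recv_until_close(sock: socket.socket, limit: int = 65536) -> bytes:
    """Read until the peer closes (we ask for that with Connection: close)."""
    chunks, total = [], 0
    while total < limit:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)


def http_request(host: str, port: int, path: str = "/", send_host_header: bool = True):
    """Replay what you type into telnet: request line, optional Host header,
    then the blank line that ends the headers. Returns (status, headers)."""
    lines = [f"GET {path} HTTP/1.1"]
    if send_host_header:
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    raw = ("\r\n".join(lines) + "\r\n\r\n").encode()   # the empty line = Enter twice
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(raw)
        reply = recv_until_close(s).decode(errors="replace")
    head, _, _body = reply.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def server_name_and_version(server_header: str):
    """'Apache/2.4.41 (Ubuntu)' -> ('Apache', '2.4.41'); version None if absent."""
    m = re.match(r"([^/\s]+)/(\S+)", server_header)
    return (m.group(1), m.group(2)) if m else (server_header, None)


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """What `nc host 21` shows: connect and read the service's greeting."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode(errors="replace").strip()


# --- constructed local targets so the probes can be exercised offline --------

def _serve(handler):
    """Start a loopback TCP server on a free port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                handler(conn)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def fake_http(conn):
    """Mimics a real HTTP/1.1 server on the one point made above:
    no Host header means 400 Bad Request instead of the page."""
    request = b""
    while b"\r\n\r\n" not in request:
        data = conn.recv(4096)
        if not data:
            return
        request += data
    has_host = any(l.lower().startswith(b"host:") for l in request.split(b"\r\n"))
    status = b"200 OK" if has_host else b"400 Bad Request"
    body = b"<html>hello</html>" if has_host else b""
    conn.sendall(b"HTTP/1.1 " + status + b"\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                 b"Content-Length: " + str(len(body)).encode() + b"\r\nConnection: close\r\n\r\n" + body)


def fake_ftp(conn):
    conn.sendall(b"220 (vsFTPd 3.0.3)\r\n")   # constructed greeting, not the room's


if __name__ == "__main__":
    hp = _serve(fake_http)
    print(http_request("127.0.0.1", hp, send_host_header=False)[0])   # 400
    status, headers = http_request("127.0.0.1", hp)
    print(status, server_name_and_version(headers["server"]))          # 200 ('Apache', '2.4.41')
    print(grab_banner("127.0.0.1", _serve(fake_ftp)))                  # 220 (vsFTPd 3.0.3)
```

Against the room's VM you would call `http_request("MACHINE_IP", 80)` and `grab_banner("MACHINE_IP", 21)` instead of the loopback servers. The `Connection: close` header is there so the server hangs up after one response and the client knows the reply is complete; without it an HTTP/1.1 server may keep the connection open, which is also what makes a bare telnet session appear to "hang" after the page is printed.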
Summary of the tools we have tackled
In this story, we've explored various tools that can be combined into a basic network and system scanner using a shell script. For example:
traceroute: Maps the route to the target.
ping: Checks if the target system responds to ICMP Echo requests.
telnet: Tests if specific ports are open and reachable, and lets you talk to plain-text services such as HTTP.
netcat: Connects to or listens on arbitrary TCP/UDP ports, for example to read a service banner.
Here are the commands used:
Ping:
- Linux/macOS: `ping -c 10 10.10.133.147`
- Windows: `ping -n 10 10.10.133.147`
Traceroute:
- Linux/macOS: `traceroute 10.10.133.147`
- Windows: `tracert 10.10.133.147`
Telnet:
- `telnet 10.10.133.147 PORT_NUMBER`
Netcat:
- As a client: `nc 10.10.133.147 PORT_NUMBER`
- As a server: `nc -lvnp PORT_NUMBER`
These basic tools are widely available and useful for various tasks. Additionally, a web browser, present on nearly all computers and smartphones, can be a valuable reconnaissance tool. To delve deeper into Developer Tools, check out Walking An Application.
Developer Tools Shortcut:
- Linux/Windows: `Ctrl+Shift+I`
- macOS: `Option + Command + I`
In this practice of active reconnaissance, we’ve learned to use tools like web browsers for monitoring network activity, ping for checking system reachability, traceroute for mapping packet paths, telnet for port connectivity, and netcat for simple TCP/UDP communication. These basic tools are essential for gathering information and assessing network configurations, with more advanced techniques covered in future lessons. Utilizing browser Developer Tools and extensions also offers a valuable, non-intrusive method for reconnaissance.