Step 3 — Log into Kali & Enumerate
Now that you have your Cyber Range up, you need to start using the tools to enumerate the network, collect data, and understand the targets…
Don’t have the range up? Review Steps 1 & 2…
Accessing the Pentester Desktop w/ RDP
Start with an RDP client into the Kali box. The default credentials for the RDP session are root/root. The Commando desktop is also accessed through RDP but uses the credentials terraform/terraform.
If you need a quick introduction to RDP, the article below is appropriate. Just note that user interfaces, software, and login screens change over time. There are many ways to perform a remote desktop login into a computer; it is a fundamental capability required in the professional world.
Kali
Kali is the most popular penetration testing operating system and is a core component of the Cyber Range. If you don’t know much about Kali, start by reviewing its documentation. Then research Metasploit and msfconsole.
Commando
Kali’s Windows-based counterpart, CommandoVM, is a project from the FireEye team. They also provide a reverse engineering system called FlareVM (also another component of the CyberRange).
Understanding the Desktop Environments
Kali
When you first get into the Kali box, you are presented with a desktop environment with a number of icons on the desktop. Those icons are web page shortcuts to vulnerable systems and applications that are available immediately via Docker. I’ve included a
If you don’t know about Kali then this is the time to explore all of the menus and become more familiar with the desktop environment.
Enumeration
The CyberRange Kali asset is slightly customized: there are two sets of bulk/automated enumeration tools, Reconnoitre and AutoRecon, available for this first step.
These tools execute other programs and perform a lot of analysis. Have you ever considered the footprint of traffic the honeypot will receive if we scan it? I have, and it’s quite interesting. Honeypots can greatly help you capture potentially malicious, unexpected behavior, as well as help you understand the footprint of traffic that your enumeration is sending into the network.
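To make the “footprint” point concrete, here is an added example (not code from the CyberRange project or from any honeypot product) that measures what an enumeration run looks like from the listener’s side. The log format is constructed for this example: one key=value line per accepted connection. A real honeypot logs in its own format, so only parse_line() would need adapting. The sample lines are constructed and labelled as such; the source and destination addresses are made up.

```python
"""Summarise the network footprint an enumeration run leaves on a listener.

Added example, not part of the CyberRange project. The log format below is
constructed for this example (one line per accepted connection, key=value
fields); adapt parse_line() to whatever your honeypot actually writes.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real capture data): one host sweeps many ports in
# a few seconds, a second host makes two ordinary requests to port 80.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=22
2024-03-01T10:00:00Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=80
2024-03-01T10:00:01Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=443
2024-03-01T10:00:01Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=8080
2024-03-01T10:00:02Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=3306
2024-03-01T10:00:02Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=5432
2024-03-01T10:00:03Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=21
2024-03-01T10:00:03Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=25
2024-03-01T10:00:04Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=53
2024-03-01T10:00:04Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=110
2024-03-01T10:00:05Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=139
2024-03-01T10:00:05Z src=192.168.38.5 dst=192.168.38.50 proto=tcp dport=445
2024-03-01T10:05:00Z src=192.168.38.7 dst=192.168.38.50 proto=tcp dport=80
2024-03-01T10:05:30Z src=192.168.38.7 dst=192.168.38.50 proto=tcp dport=80
"""


def parse_line(line):
    """Parse one constructed log line into a dict (timestamp, src, proto, dport)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "proto": fields["proto"],
        "dport": int(fields["dport"]),
    }


def footprint(lines):
    """Per source address: connection count, distinct ports touched, time span."""
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        by_src[ev["src"]].append(ev)

    out = {}
    for src, evs in by_src.items():
        ports = sorted({e["dport"] for e in evs})
        first = min(e["ts"] for e in evs)
        last = max(e["ts"] for e in evs)
        out[src] = {
            "connections": len(evs),
            "distinct_ports": len(ports),
            "seconds": (last - first).total_seconds(),
            "ports": ports,
        }
    return out


def likely_scanners(fp, min_ports=10, max_seconds=60):
    """Sources that hit many distinct ports inside a short window: the
    signature a port sweep leaves, as opposed to normal client traffic."""
    return sorted(
        src for src, v in fp.items()
        if v["distinct_ports"] >= min_ports and v["seconds"] <= max_seconds
    )


if __name__ == "__main__":
    fp = footprint(SAMPLE_LOG.splitlines())
    for src, v in fp.items():
        print(f"{src}: {v['connections']} connections, "
              f"{v['distinct_ports']} distinct ports in {v['seconds']:.0f}s")
    print("likely scanners:", likely_scanners(fp))
```

Run it against the listener’s own log instead of SAMPLE_LOG and the numbers tell you exactly how noisy a given AutoRecon or Reconnoitre profile is: how many ports it touched, how fast, and whether a simple rate threshold like the one in likely_scanners() would have flagged it.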
These two projects, AutoRecon and Reconnoitre, focus on automating key steps of specific processes. The benefit is that someone can ramp up quickly and learn the nuances and nitty-gritty details later on. I prefer to call this approach experience-based education.
Navigating Around Kali
Start navigating around and become familiar with it. There are a few notable steps to start any number of the tools within the system, so I will focus on a few key ones here and likely cross-reference this in other articles.
The /root directory has a couple of helper scripts to help you get going.
There are also two scripts in the git directory. Go ahead and run updaterepos.sh to resync all the GitHub repos in the git folder.
Starting the Containers
Simply execute the run-containers script and wait a couple of minutes. Once it finishes, click the web page shortcut icons on the desktop; each one is configured to open the web page of one of the containers that script launched, so you can navigate around a set of vulnerable systems.
This provides the independent researcher with an opportunity to research, analyze, and exploit vulnerabilities within their own Kali environment.
I’ll save the core content of launching and exploring each container for another time. The purpose of mentioning these was to provide insight into the technologies available within the Kali asset of the Cyber Range.
Nessus highlights that there are many exposures on these Docker assets:
Especially PHP ones.
You can boot up the Nessus service and take a look at this scan; it exists on every CyberRange Kali AMI.
Friendly reminder: the license is a Nessus Essentials license. If you have an issue accessing the Nessus application, just click the link above and grab a new Essentials license. They are good for a single user, and I suspect they are deactivated quickly; I had to reactivate mine as well.
Enumeration with Auto-Recon
I’m going to outline how to use AutoRecon with Kali, but first note that it is currently not on the Kali AMI instance. I have some updates that I am working on, and I have not yet baselined the next version of the Cyber Range Kali asset.
That said, launch your terminal, cd /root/git, and clone the latest copy of AutoRecon using git clone https://github.com/Tib3rius/AutoRecon.git
Once you have that on your system you will need to install the Python 3 dependencies. This can be done with cd AutoRecon; pip3 install -r requirements.txt
Now you should be ready to start performing Enumeration.
Completely new to Enumeration?
I’m CISSP certified, so let me share (ISC)2’s guide for scanning and enumeration to help you get going…
Launching AutoRecon
python3 autorecon.py -vvv -o /root/Desktop/autorecon-output 192.168.38.0/24
This will scan all 255 addresses within the CyberRange. The Cloudcraft AWS-Live tool generates the following visual:
Diving into the Data
This is where we look at the data we’ve obtained. Understanding how the data provides critical insight into the services on the ports is important. Learning how to interpret the data is outside the scope of this initial entry.
Using the command above, the output data from the AutoRecon tool is located on root’s desktop in the folder /root/Desktop/autorecon-output.
Then we see that each address has multiple folders. Now spend some time exploring the scan folder under all or some of the IPs that you scanned, and start to piece together what is in that folder by researching the things you come across.
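A good first pass over that output folder is to pull the open ports and service banners out of the nmap results for every host into one table, so you know where to start reading. The script below is an added example, not AutoRecon’s own code or part of the CyberRange. It assumes the layout AutoRecon writes under the -o directory: one folder per target IP containing a scans folder with nmap XML output; because the XML file names differ between AutoRecon versions, every *.xml under scans/ is read and merged. The sample nmap XML and the IP address in it are constructed for the example.

```python
"""Summarise AutoRecon output: open ports and services per host from nmap XML.

Added example, not part of AutoRecon or the CyberRange. Assumed layout:
<output_dir>/<ip>/scans/*.xml, where each XML file is nmap's -oX output
(AutoRecon's quick and full TCP scans both produce one).
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample nmap XML for one host (not real scan data). Only the
# elements this script reads are included.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.38.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(path):
    """Return one dict per open port found in an nmap XML file."""
    results = []
    root = ET.parse(path).getroot()
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports are not interesting here
        svc = port.find("service")
        attr = svc.get if svc is not None else (lambda k, d="": d)
        results.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "service": attr("name", ""),
            "product": attr("product", ""),
            "version": attr("version", ""),
        })
    return results


def summarise_output_dir(output_dir):
    """Walk <output_dir>/<ip>/scans/*.xml and merge open ports per host."""
    summary = {}
    for host_dir in sorted(Path(output_dir).iterdir()):
        scans = host_dir / "scans"
        if not scans.is_dir():
            continue
        seen = {}
        for xml_file in sorted(scans.glob("*.xml")):
            try:
                entries = parse_nmap_xml(xml_file)
            except ET.ParseError:
                continue  # a scan that was interrupted leaves truncated XML
            for e in entries:
                seen[(e["proto"], e["port"])] = e  # same port in quick+full scan
        summary[host_dir.name] = [seen[k] for k in sorted(seen)]
    return summary


def build_sample_output_dir():
    """Create a throwaway directory in AutoRecon's layout holding the sample XML."""
    base = Path(tempfile.mkdtemp(prefix="autorecon-sample-"))
    scans = base / "192.168.38.10" / "scans"
    scans.mkdir(parents=True)
    (scans / "_quick_tcp_nmap.xml").write_text(SAMPLE_NMAP_XML)
    (scans / "_full_tcp_nmap.xml").write_text(SAMPLE_NMAP_XML)
    return base


if __name__ == "__main__":
    # Pass /root/Desktop/autorecon-output to run on a real AutoRecon folder;
    # with no argument the constructed sample directory is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_output_dir()
    for ip, ports in summarise_output_dir(target).items():
        print(ip)
        for p in ports:
            line = f"  {p['port']}/{p['proto']:<4} {p['service']:<8} {p['product']} {p['version']}"
            print(line.rstrip())
```

The deduplication on (protocol, port) matters because AutoRecon runs a quick scan and a full scan against the same host, and both report the common ports; merging them gives one row per service. From the summary you can pick which of the per-IP folders to open first, which is exactly the exploration the paragraph above asks you to do.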