Difference between revisions of "SEC520/labs/Lab 2"

From CDOT Wiki
(Created page with "<a name="Installation Requirements" id="Fedora_16_Installation_.28on_Main_Host_-_f16host.29"></a><h1> <span class="mw-headline">Information Gathering</span></h1> <a name="Intr...")
 
Line 1: Line 1:
<a name="Installation Requirements" id="Fedora_16_Installation_.28on_Main_Host_-_f16host.29"></a><h1> <span class="mw-headline">Information Gathering</span></h1>
+
<h1> <span class="mw-headline">Information Gathering</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
+
<h2> <span class="mw-headline">Introduction</span></h2>
 
<dl><dd><ul><li>This lab teaches various methods of <b>gathering information</b> from a <b>targeted computer system</b>. Normally, an individual or a company can be hired to perform <b>Penetration Testing</b> in order to detect weaknesses in an organization's computer system. The first phase (called the <b>"reconnaissance phase"</b>
 
<dl><dd><ul><li>This lab teaches various methods of <b>gathering information</b> from a <b>targeted computer system</b>. Normally, an individual or a company can be hired to perform <b>Penetration Testing</b> in order to detect weaknesses in an organization's computer system. The first phase (called the <b>"reconnaissance phase"</b>
 
  is considered to be a "harmless activity", where a person can simply  
 
  is considered to be a "harmless activity", where a person can simply  
Line 27: Line 27:
  
 
<br><br>
 
<br><br>
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
+
<h2> <span class="mw-headline">Objectives</span></h2>
 
<ol><li>Use the <b>search engine website (google.ca)</b> to obtain computer system information (including IP address).
 
<ol><li>Use the <b>search engine website (google.ca)</b> to obtain computer system information (including IP address).
 
</li><li>Use various open-source applications to perform IP address associations with IP address (<b>Link Analysis</b>).
 
</li><li>Use various open-source applications to perform IP address associations with IP address (<b>Link Analysis</b>).
Line 44: Line 44:
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
+
<h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
 
<ul>
 
<ul>
 
<li> <b>SATA Hard Disk</b> (in removable disk tray).
 
<li> <b>SATA Hard Disk</b> (in removable disk tray).
Line 51: Line 51:
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
+
<h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://scs.senecac.on.ca/%7Efac/sec520/labs/SEC520_Lab_1.html">SEC520 Lab 1</a>
+
<ul><li> [https://scs.senecac.on.ca/%7Efac/sec520/labs/SEC520_Lab_1.html SEC520 Lab 1]
 
</li></ul>
 
</li></ul>
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>
+
<h2> <span class="mw-headline">Online Tools and References</span></h2>
  
  
Line 71: Line 71:
 
   <td>
 
   <td>
 
<ul>
 
<ul>
  <li><a href="http://www.google.ca/" target="_new">Google Search Engine</a> (site, filetype, link)</li>
+
  <li>[http://www.google.ca/ Google Search Engine] (site, filetype, link)</li>
  <li><a href="http://news.netcraft.com/" target="_new">Netcraft</a></li>
+
  <li>[http://news.netcraft.com/ Netcraft]</li>
  <li><a href="http://github.com/sensepost/BiLE-suite" target="_new">BiLE Utilities</a></li>
+
  <li>[http://github.com/sensepost/BiLE-suite BiLE Utilities]</li>
 
</ul>
 
</ul>
 
   </td>
 
   </td>
 
   <td>
 
   <td>
 
<ul>
 
<ul>
  <li><a href="http://linuxmanpages.com/man1/whois.1.php" target="_new">whois</a></li>
+
  <li>[http://linuxmanpages.com/man1/whois.1.php whois]</li>
 
  <li>WHOIS Online Proxies:<br>
 
  <li>WHOIS Online Proxies:<br>
     (<a href="http://whois.domaintools.com/" target="_new">whois.domaintools.com</a>)
+
     ([http://whois.domaintools.com/ whois.domaintools.com])
 
  </li>
 
  </li>
  <li><a href="http://linuxmanpages.com/man1/host.1.php" target="_new">host</a></li>
+
  <li>[http://linuxmanpages.com/man1/host.1.php host]</li>
 
   </ul></td>
 
   </ul></td>
 
   <td>
 
   <td>
 
   <ul>
 
   <ul>
  <li><a href="http://www.ehacking.net/2011/08/theharvester-backtrack-5-information.html" target="_new">theHarvester.py</a></li>
+
  <li>[http://www.ehacking.net/2011/08/theharvester-backtrack-5-information.html theHarvester.py]</li>
  <li><a href="http://www.ehacking.net/2011/12/metagoofil-backtrack-5-tutorial.html" target="_new">Metagoofil.py</a></li>
+
  <li>[http://www.ehacking.net/2011/12/metagoofil-backtrack-5-tutorial.html Metagoofil.py]</li>
 
   </ul>
 
   </ul>
 
   </td>
 
   </td>
 
   <td>
 
   <td>
 
<ul>
 
<ul>
  <li><a href="http://www.bing.com/" target="_new">www.bing.com</a></li>
+
  <li>[http://www.bing.com/ www.bing.com]</li>
  <li><a href="http://www.computerhope.com/unix/unslooku.htm" target="_new">nslookup</a></li>
+
  <li>[http://www.computerhope.com/unix/unslooku.htm nslookup]</li>
  <li><a href="http://www.ehacking.net/2011/02/dnsmap-dns-network-mapper.html" target="_new">dnsmap</a></li>
+
  <li>[http://www.ehacking.net/2011/02/dnsmap-dns-network-mapper.html dnsmap]</li>
 
</ul>
 
</ul>
 
   </td>
 
   </td>
 
   <td>
 
   <td>
 
     <ul>
 
     <ul>
       <li><a href="http://linuxmanpages.com/" target="_new">Online Linux Manpages</a></li>
+
       <li>[http://linuxmanpages.com/ Online Linux Manpages]</li>
 
     </ul>
 
     </ul>
 
   </td>
 
   </td>
Line 106: Line 106:
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
+
<h2> <span class="mw-headline">Course Notes</span></h2>
 
<ul>
 
<ul>
  <li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.odp" class="external text" title="http://cs.senecac.on.ca/~fac/sec520/slides/sec520_w1_l2.odp" rel="nofollow">odp</a>| <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.pdf" class="external text" title="http://cs.senecac.on.ca/~fac/sec520/slides/sec520_w1_l2.pdf" rel="nofollow">pdf</a>| <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.ppt" class="external text" title="http://cs.senecac.on.ca/~fac/sec520/slides/sec520_w1_l2.ppt" rel="nofollow">ppt</a>(Slides: Reconnaissance)</li>
+
  <li>[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.odp odp]| [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.pdf pdf]| [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.ppt ppt](Slides: Reconnaissance)</li>
  <li><a href="http://www.youtube.com/watch?v=AHEt0mUZH_0" target="_new">Reconnaissance</a> (YouTube Video)</li>
+
  <li>[http://www.youtube.com/watch?v=AHEt0mUZH_0 Reconnaissance] (YouTube Video)</li>
  <li><a href="http://libcat.senecac.on.ca/vwebv/holdingsInfo?searchId=89542&amp;recCount=50&amp;recPointer=0&amp;bibId=315433" target="_new">Penetration Tester's Open Source Toolkit (E-book)</a> (Chapter 2: Reconnaissance)</li>
+
  <li>[http://libcat.senecac.on.ca/vwebv/holdingsInfo?searchId=89542&amp;recCount=50&amp;recPointer=0&amp;bibId=315433 Penetration Tester's Open Source Toolkit (E-book)] (Chapter 2: Reconnaissance)</li>
 
</ul>
 
</ul>
  
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 2</span></h1>
+
<h1> <span class="mw-headline">Performing Lab 2</span></h1>
<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Using Search Engines to Obtain Target Server Information </span></h2>
+
<h2> <span class="mw-headline">Task #1: Using Search Engines to Obtain Target Server Information </span></h2>
 
<p>With the "information gathering" phase of penetration testing, it is  
 
<p>With the "information gathering" phase of penetration testing, it is  
 
recommended to obtain as much data regarding a targeted organization.  
 
recommended to obtain as much data regarding a targeted organization.  
Line 123: Line 123:
 
the above-mentioned techniques, there are other techniques and tools to  
 
the above-mentioned techniques, there are other techniques and tools to  
 
help gather useful server information of a targeted organization.</p>
 
help gather useful server information of a targeted organization.</p>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"> <div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Idea.png" height="35" border="0" width="35"></a></div> <div><b>sensepost.com</b><br>This
+
{{Admon/tip|sensepost.com|This
 
  is a website that is dedicated to internet security, and provides a  
 
  is a website that is dedicated to internet security, and provides a  
 
platform to help gather information regarding a server. In fact,  
 
platform to help gather information regarding a server. In fact,  
examples from the textbook: <b>Penetration Tester's Open Source Toolkit</b> use examples from this website. We will be using this site for the majority of lab2...</div> </div>
+
examples from the textbook: <b>Penetration Tester's Open Source Toolkit</b> use examples from this website. We will be using this site for the majority of lab2...}}
 
<br>
 
<br>
 
INSTRUCTIONS:
 
INSTRUCTIONS:
Line 136: Line 136:
 
search (i.e total number of links at the top of the search results), and record the total number of links for this type of search in  
 
search (i.e total number of links at the top of the search results), and record the total number of links for this type of search in  
 
your lab logbook.</li>
 
your lab logbook.</li>
  <li>Now, enter the following directive in the Google search box: <b>site:sensepost.com</b><br><div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"> <div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div> <div><b>Enter Site Directive in Google Search Textbox</b><br>Don't
+
  <li>Now, enter the following directive in the Google search box: <b>site:sensepost.com</b><br>{{Admon/important|Enter Site Directive in Google Search Textbox|Don't
 
  enter the "site" directive in the URL textbox at the top of the  
 
  enter the "site" directive in the URL textbox at the top of the  
 
web-browser - enter this directive in the Google SEARCH text; otherwise,
 
web-browser - enter this directive in the Google SEARCH text; otherwise,
 
  the directive will not work. Also make certain remain in the google  
 
  the directive will not work. Also make certain remain in the google  
web-page when performing this operation...</div> </div></li>
+
web-page when performing this operation...}}</li>
 
  <li>You should notice a change in the display of links. How does this  
 
  <li>You should notice a change in the display of links. How does this  
 
search method differ from the previous search method using only the  
 
search method differ from the previous search method using only the  
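Review bot: the rewritten `{{Admon/important|Enter Site Directive in Google Search Textbox|Don't` line still carries the missing word from the old markup in "Also make certain remain in the google web-page"; since this line is being rewritten anyway, change it to "make certain you remain in the Google web page". The closing `}}` lands inside the `<li>`, so the list item stays balanced.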
Line 155: Line 155:
 
just collected during this lab for penetration testing? (Record your  
 
just collected during this lab for penetration testing? (Record your  
 
answer in your lab log-book)</li>
 
answer in your lab log-book)</li>
  <li>Repeat the information-gathering process for the following URL: <b>linux.senecac.on.ca</b> for practice.<br><div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"> <div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Idea.png" height="35" border="0" width="35"></a></div> <div><b>Gathering Information in your Own Server at Home</b><br>Just
+
  <li>Repeat the information-gathering process for the following URL: <b>linux.senecac.on.ca</b> for practice.<br>{{Admon/tip|Gathering Information in your Own Server at Home|Just
 
  for Interest, it is not that difficult to obtain SOME information  
 
  for Interest, it is not that difficult to obtain SOME information  
 
regarding your own computer system at home. First, determine your IP  
 
regarding your own computer system at home. First, determine your IP  
 
address by using the <b>ifconfig</b> command for Linux, or the <b>ipconfig</b>
 
address by using the <b>ifconfig</b> command for Linux, or the <b>ipconfig</b>
 
  command in windows. One very quick way to determine your IP Address is  
 
  command in windows. One very quick way to determine your IP Address is  
to simply type <b>IP Address</b> in the URL Window of your web-browser. Knowing your own IP Address at home is useful during the <b>link analysis</b> and <b>domain name expansion</b> steps in the next task...</div> </div></li>
+
to simply type <b>IP Address</b> in the URL Window of your web-browser. Knowing your own IP Address at home is useful during the <b>link analysis</b> and <b>domain name expansion</b> steps in the next task...}}</li>
 
  <li>Proceed to Task #2<br><br></li>
 
  <li>Proceed to Task #2<br><br></li>
 
  </ol>
 
  </ol>
Line 166: Line 166:
 
</p>
 
</p>
 
<br><br>
 
<br><br>
<a name="Task2" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #2: Server Detection, Link Analysis &amp; Domain Name Expansion</span></h2>
+
<h2> <span class="mw-headline">Task #2: Server Detection, Link Analysis &amp; Domain Name Expansion</span></h2>
  
 
<p>In this section, we will use the site information (obtained from <i>Task #1</i>)
 
<p>In this section, we will use the site information (obtained from <i>Task #1</i>)
Line 176: Line 176:
 
INSTRUCTIONS:
 
INSTRUCTIONS:
 
<ol>
 
<ol>
  <li>Assuming that your web-browser is still running, click on the following link (which should open in another browser window): <b><a href="http://www.netcraft.com" target="_blank">http://www.netcraft.com</a></b>.<br /><b>NOTE:</b>  Do not worry if you are redirected to another URL (eg. news.netcraft.com) - it will provides the same information we require.<br /><br /></li>
+
  <li>Assuming that your web-browser is still running, click on the following link (which should open in another browser window): <b>[http://www.netcraft.com http://www.netcraft.com]</b>.<br /><b>NOTE:</b>  Do not worry if you are redirected to another URL (eg. news.netcraft.com) - it will provides the same information we require.<br /><br /></li>
 
  <li>Let's find out additional information regarding the <b>sensepost.com</b> website. In the <b>What's that site running?</b> box, enter the following:<br><b>sensepost.com</b></li>
 
  <li>Let's find out additional information regarding the <b>sensepost.com</b> website. In the <b>What's that site running?</b> box, enter the following:<br><b>sensepost.com</b></li>
 
  <li>Record the following server information for "sensepost.com" (and record in your lab log-book):<ul><li>IP Address</li><li>Type of Operating System</li><li>Name Server</li><li>Country Origin</li><li>Date First Noticed (Tracked)</li><li>Frequency of Uptimes</li></ul></li>
 
  <li>Record the following server information for "sensepost.com" (and record in your lab log-book):<ul><li>IP Address</li><li>Type of Operating System</li><li>Name Server</li><li>Country Origin</li><li>Date First Noticed (Tracked)</li><li>Frequency of Uptimes</li></ul></li>
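Review bot: "it will provides the same information we require" in the converted netcraft `<li>` line is a grammar slip carried over from the HTML version; drop the "s" while rewriting this line. The same line mixes `<br />` with the `<br>` used elsewhere in the page; pick one form.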
Line 184: Line 184:
 
called <b>"sensepost.com"</b>. You will be downloading, installing and running  
 
called <b>"sensepost.com"</b>. You will be downloading, installing and running  
 
serveral open-source tools (a series of packages packaged as <b>BiLE</b> (which stands for: <i>"Bi-directional Link Extraction"</i> tools) to asssist in obtaining this information.<br><br></p>
 
serveral open-source tools (a series of packages packaged as <b>BiLE</b> (which stands for: <i>"Bi-directional Link Extraction"</i> tools) to asssist in obtaining this information.<br><br></p>
  <div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"> <div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div> <div><b>Installing Dependencies for BiLE.pl, BiLE-Weigh.pl</b><br>You may need to download the <b>BiLE</b>
+
  {{Admon/important|Installing Dependencies for BiLE.pl, BiLE-Weigh.pl|You may need to download the <b>BiLE</b>
 
  Utilities, consisting of useful Perl Scripts. Your Kali Linux  
 
  Utilities, consisting of useful Perl Scripts. Your Kali Linux  
 
distribution most likely comes with Perl already loaded. On the other  
 
distribution most likely comes with Perl already loaded. On the other  
 
hand, prior to running these Perl Scripts, you may be required to first  
 
hand, prior to running these Perl Scripts, you may be required to first  
 
install the application called <b>HTTrack</b>. You can do this by  
 
install the application called <b>HTTrack</b>. You can do this by  
installing "httrack" via "apt-get" or use a graphical application (such as <b>Synaptic Package Manager</b>)</div></div>
+
installing "httrack" via "apt-get" or use a graphical application (such as <b>Synaptic Package Manager</b>)}}
 
<br /></li>
 
<br /></li>
 
  <li>Issue the command: <b>which httrack</b> to confirm that this dependent application has been installed (refer to warning message above).</li>
 
  <li>Issue the command: <b>which httrack</b> to confirm that this dependent application has been installed (refer to warning message above).</li>
  <li>In a web-browser, go to the following website (which will open in a separate browser window): <b><a href="http://github.com/sensepost/BiLE-suite" target="_blank">http://github.com/sensepost/BiLE-suite</a></b></li>
+
  <li>In a web-browser, go to the following website (which will open in a separate browser window): <b>[http://github.com/sensepost/BiLE-suite http://github.com/sensepost/BiLE-suite]</b></li>
  <li>Download the <i>Perl Scripts</i> called <b>BiLE.pl</b>, <b>BiLE-Weigh.pl</b>, and <b>tld-expand.pl</b> to your Kali Linux system.<br><br><div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"> <div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div> <div><b>Perl Scripts Containing Errors When Executed</b><br>If errors occur, <b>check to see if that Perl Scripts were  
+
  <li>Download the <i>Perl Scripts</i> called <b>BiLE.pl</b>, <b>BiLE-Weigh.pl</b>, and <b>tld-expand.pl</b> to your Kali Linux system.<br><br>{{Admon/important|Perl Scripts Containing Errors When Executed|If errors occur, <b>check to see if that Perl Scripts were  
 
properly downloaded. If they contain HTML code, an alternative to  
 
properly downloaded. If they contain HTML code, an alternative to  
downloading is to display the Perl Script in the web-browser, copying and pasting the code to the file on your computer</b> (<i>as opposed to right-clicking link and saving to your computer</i>). </div> </div><br></li>
+
downloading is to display the Perl Script in the web-browser, copying and pasting the code to the file on your computer</b> (<i>as opposed to right-clicking link and saving to your computer</i>). }}<br></li>
 
  <li>Run the following command: <b>perl  BiLE.pl  sensepost.com  output.sensepost.com</b>  (assuming BiLE.pl is located in the current directory).<br><br>Note: This process may take serveral minutes to complete.<br><br></li>
 
  <li>Run the following command: <b>perl  BiLE.pl  sensepost.com  output.sensepost.com</b>  (assuming BiLE.pl is located in the current directory).<br><br>Note: This process may take serveral minutes to complete.<br><br></li>
 
  <li>When the process has completed, a report called "<b>output.sensepost.com.mine</b>"
 
  <li>When the process has completed, a report called "<b>output.sensepost.com.mine</b>"
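Review bot: the unchanged context above the `{{Admon/important|Installing Dependencies for BiLE.pl, BiLE-Weigh.pl|` block keeps "serveral open-source tools" and "to asssist in obtaining this information"; fix both spellings in the same edit. Also check the nesting here: that `<p>` is closed inside an `<li>` which is then closed by the `<br /></li>` after the template, so confirm the list renders correctly once the `<div>` wrappers are gone.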
Line 208: Line 208:
 
target website, as well as the output-file (generated by the BiLE.pl  
 
target website, as well as the output-file (generated by the BiLE.pl  
 
Perl Script.</li>
 
Perl Script.</li>
  <li>Issue the following command: <b> perl BiLE-weigh.pl sensepost.com output.sensepost.com.mine</b> (Assuming BiLE.pl Script and "output.sensepost.com" are contained in the current directory).<br><br> <div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"> <div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div> <div><b>Error: Sort: open failed: +1: No such file or directory</b><br>If you run the <b>BiLE-Weigh.pl</b> command, and encounter the above error, then make the following editing changes for this script:<br><br><b>change following line:</b> 'cat temp | sort -r -t ";" +1 -n &gt; @ARGV[1].sorted';<br><br><b>to read:</b> `cat temp | sort -r -t ":" -k 2 -n > @ARGV[1].sorted`;<br><br>(Note: ` in this case is "Left-Tick" representing command substitution - not to be confused with a single-quote.<br /><br /></div> </div><br><br></li>
+
  <li>Issue the following command: <b> perl BiLE-weigh.pl sensepost.com output.sensepost.com.mine</b> (Assuming BiLE.pl Script and "output.sensepost.com" are contained in the current directory).<br><br> {{Admon/important|Error: Sort: open failed: +1: No such file or directory|If you run the <b>BiLE-Weigh.pl</b> command, and encounter the above error, then make the following editing changes for this script:<br><br><b>change following line:</b> 'cat temp | sort -r -t ";" +1 -n &gt; @ARGV[1].sorted';<br><br><b>to read:</b> `cat temp | sort -r -t ":" -k 2 -n > @ARGV[1].sorted`;<br><br>(Note: ` in this case is "Left-Tick" representing command substitution - not to be confused with a single-quote.<br /><br />}}<br><br></li>
 
  <li>View the contents of the file "output.sensepost.com.sorted" in your
 
  <li>View the contents of the file "output.sensepost.com.sorted" in your
 
  current directory. Notice the ranking of the relavance of links  
 
  current directory. Notice the ranking of the relavance of links  
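Review bot: the fix quoted in the `{{Admon/important|Error: Sort: open failed: +1: No such file or directory|` block silently changes the field separator: the "change following line" text shows `sort -r -t ";" +1 -n` while the "to read" text shows `sort -r -t ":" -k 2 -n`. Replacing the obsolete `+1` key with `-k 2` is the real fix; if the temp file is `;`-delimited, the replacement must keep `-t ";"`, otherwise sort will not find field 2 and the ranking in `output.sorted` will be wrong. Either state that `:` is intentional or restore `;`. The before line is also shown in single quotes and the after line in backticks, so say whether the quote change is part of the fix. Two smaller points on the same line: the parenthetical "(Note: ` in this case is "Left-Tick"..." never closes, and the step says "Assuming BiLE.pl Script and "output.sensepost.com" are contained in the current directory" while the command actually runs `BiLE-weigh.pl` on `output.sensepost.com.mine`.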
Line 226: Line 226:
 
</p>
 
</p>
  
<a name="Task3" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #3: Foot-printing</span></h2>
+
<h2> <span class="mw-headline">Task #3: Foot-printing</span></h2>
 
<br>
 
<br>
 
As opposed to the Information Gathering phase (that collects information
 
As opposed to the Information Gathering phase (that collects information
Line 255: Line 255:
  
 
<br />
 
<br />
<a name="Task4" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #4: Obtaining User Information</span></h2>
+
<h2> <span class="mw-headline">Task #4: Obtaining User Information</span></h2>
 
<br>
 
<br>
 
You will be using the information collected in Task #1 to assist with obtaining User information in this task.
 
You will be using the information collected in Task #1 to assist with obtaining User information in this task.
 
<br>
 
<br>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
+
{{Admon/important|Install metagoofil program|<br><br> The harvester program is already installed in your Kali system, but you will need to install the program metagoofil. Issue the command (as root):<br><br><b>apt-get install metagoofil</b><br><br>}}<br><br></li>
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div>
 
<div><b>Install metagoofil program</b><br><br><br> The harvester program is already installed in your Kali system, but you will need to install the program metagoofil. Issue the command (as root):<br><br><b>apt-get install metagoofil</b><br><br></div> </div><br><br></li>
 
  
 
<p>
 
<p>
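Review bot: the new `{{Admon/important|Install metagoofil program|...}}` line ends with `</li>` but no opening `<li>` appears in this hunk (the `<div>` lines it replaces had the same dangling close); check the surrounding list so the template does not land outside an `<ol>`. Also, "The harvester program" should use the name the tools table gives, theHarvester.py, so students know which command to look for.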
Line 283: Line 281:
 
</p>
 
</p>
  
<a name="Task5" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #5: Verification / The "Tank" Server</span></h2>
+
<h2> <span class="mw-headline">Task #5: Verification / The "Tank" Server</span></h2>
 
<br>
 
<br>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
+
{{Admon/important|Location of dnsmap Utility in Kali Linux|The <b>dnsmap</b>
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div>
 
<div><b>Location of dnsmap Utility in Kali Linux</b><br>The <b>dnsmap</b>
 
 
  utility is a time-saving method of determining reverse dns lookups in a
 
  utility is a time-saving method of determining reverse dns lookups in a
  batch mode involving an input file of collected dns entries.<br><br>This utility is contained in your Kali Linux boot media under the file pathname: <b>/pentest/enumeration/dns/dnsmap</b></div>
+
  batch mode involving an input file of collected dns entries.<br><br>This utility is contained in your Kali Linux boot media under the file pathname: <b>/pentest/enumeration/dns/dnsmap</b>}}
</div>
 
 
<br>
 
<br>
 
It is important to "double-check" the validity of your collected  
 
It is important to "double-check" the validity of your collected  
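Review bot: the `{{Admon/important|Location of dnsmap Utility in Kali Linux|` block keeps the hard-coded path `/pentest/enumeration/dns/dnsmap`, yet the dnsmap reference in the tools table is a BackTrack 5 tutorial, so verify that this path still applies to Kali. Safer to have students confirm the location with `which dnsmap`, the same check the lab already uses for httrack, instead of stating a fixed path.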
Line 319: Line 314:
 
<br><br>
 
<br><br>
  
<a name="Completing_the_Lab" id="Completing_the_Lab"></a></p><h1> <span class="mw-headline"> Completing the Lab </span></h1>
+
</p><h1> <span class="mw-headline"> Completing the Lab </span></h1>
 
<p><b>Arrange evidence for each of these items on your screen, then ask  
 
<p><b>Arrange evidence for each of these items on your screen, then ask  
 
your instructor to review them and sign off on the lab's completion:</b>
 
your instructor to review them and sign off on the lab's completion:</b>
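Review bot: the converted heading line keeps a stray `</p>` before `<h1>`: the old line's `<a name>` anchor was dropped but the closing tag next to it was not, and nothing in this hunk opens that paragraph. Check whether it is matched further up; if not, remove it so the heading is not preceded by an unmatched close.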
Line 337: Line 332:
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a><h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>
+
<h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>
  
 
<ol>
 
<ol>

Revision as of 11:01, 31 January 2018

Information Gathering

Introduction

  • This lab teaches various methods of gathering information from a targeted computer system. Normally, an individual or a company can be hired to perform Penetration Testing in order to detect weaknesses in an organization's computer system. The first phase (called the "reconnaissance phase") is considered to be a "harmless activity", where a person simply gathers information to be used later in other aspects of penetration testing (network scanning and enumeration).
  • Students will first learn how to gather various documents / information via a web-browser in order to obtain information regarding the structure, relationships and policies of a target company, as well as partners or servers that are associated with that target company (with emphasis on IP addresses). Once the relevant information has been collected, the student will then utilize open-source applications in order to perform link analysis to make connections between various IP addresses.
  • Students will then learn how to use Internet-based tools and technologies to mine data that pertains more to the internal structure of the targeted organization's server(s), as well as its specific IP address ranges (subnets).
  • Students will also learn how to use tools to gather information about the users of a targeted server, as well as verifying the targeted IP addresses immediately prior to the scanning and enumeration phases.




Objectives

  1. Use the search engine website (google.ca) to obtain computer system information (including IP address).
  2. Use various open-source applications to find associations between IP addresses (Link Analysis).
  3. Understand the basic concepts of "footprinting" a targeted server with respect to the following open-source technologies:
    • DNS Lookup
    • WHOIS (Website Service)
    • Domain Name Expansion
    • HOST
    • SMTP
  4. Use open-source tools to focus on the technical aspects of the server, in order to be more successful in the scanning and enumeration phase.
  5. Use tools to gather user information such as e-mail addresses or other information via social networking sites.
  6. Verify (confirm and narrow down) valid IP addresses (and ranges) to help reduce the time spent during the scanning and enumeration phases.
  7. Practice the skills learned in this lab to gather information on an educational penetration-testing server at Seneca College (tank.senecac.on.ca).




Required Materials (Bring to All Labs)

  • SATA Hard Disk (in removable disk tray).
  • Lab Logbook (Lab2 Reference Sheet) (to make notes and observations).


Prerequisites


Online Tools and References


Tools table columns: Information Gathering | Foot-printing | User Information | Verification | Other


Course Notes


Performing Lab 2

Task #1: Using Search Engines to Obtain Target Server Information

With the "information gathering" phase of penetration testing, it is recommended to obtain as much data as possible regarding a targeted organization. This would include viewing the website, noting contacts, and following up information from social media sites (e.g. Facebook). In addition to the above-mentioned techniques, there are other techniques and tools to help gather useful server information about a targeted organization.

Tip: sensepost.com
This is a website that is dedicated to internet security, and provides a platform to help gather information regarding a server. In fact, examples from the textbook Penetration Tester's Open Source Toolkit use examples from this website. We will be using this site for the majority of Lab 2...


INSTRUCTIONS:

  1. Boot your Kali Linux (host) system, and start a graphical session.
  2. Open a web-browser and go to the Google website ( http://www.google.ca/ )
  3. Type in the following URL in the Google search box: sensepost.com
  4. Note the type of links that are associated with this type of search (i.e total number of links at the top of the search results), and record the total number of links for this type of search in your lab logbook.
  5. Now, enter the following directive in the Google search box: site:sensepost.com
    Enter Site Directive in Google Search Textbox
    Don't enter the "site" directive in the URL textbox at the top of the web-browser; enter it in the Google SEARCH text box, otherwise the directive will not work. Also make certain that you remain on the Google web-page when performing this operation.
  6. You should notice a change in the display of links. How does this search method differ from the previous search method using only the text: "sensepost.com"? Record your findings (including the new total number of links) in your lab log-book.
  7. We will now narrow our search of the sensepost.com website to PDF files containing the keyword hacking.
    Enter the following directive in the Google search box: site:sensepost.com filetype:pdf hacking
  8. What is the total number of links? Are all of the links contained in sensepost.com? Record your findings in your lab log-book.
  9. Issue directives to search for links in the sensepost.com website that contain MS Word documents (doc) and MS PowerPoint presentations (ppt) matching the pattern hacking. Record these findings in your lab log-book.
  10. Finally, the link directive is used to display links that are associated with a target website. In order to display all websites that link to the sensepost.com website, issue the following directive in the Google searchbox: link:sensepost.com
  11. Record the total number of links in your lab log-book. Are there any other links outside the sensepost.com domain that are associated? How do you think this is useful in terms of penetration testing?
  12. How do you think that you could use this information that you have just collected during this lab for penetration testing? (Record your answer in your lab log-book)
  13. Repeat the information-gathering process for the following URL: linux.senecac.on.ca for practice.
    Gathering Information on your Own Server at Home
    Just for interest, it is not that difficult to obtain SOME information regarding your own computer system at home. First, determine your IP address by using the ifconfig command in Linux, or the ipconfig command in Windows. One very quick way to determine your IP address is to simply type IP Address in the URL window of your web-browser. Knowing your own IP address at home is useful during the link analysis and domain name expansion steps in the next task.
  14. Proceed to Task #2

Answer the Task #1 observations / questions in your lab log book.



Task #2: Server Detection, Link Analysis & Domain Name Expansion

In this section, we will use the site information (obtained from Task #1) to gain more detailed information regarding the targeted organization's server (e.g. IP address, type of operating system, history of uptimes, name server information, related IP addresses of other servers).


INSTRUCTIONS:

  1. Assuming that your web-browser is still running, click on the following link (which should open in another browser window): http://www.netcraft.com.
    NOTE: Do not worry if you are redirected to another URL (e.g. news.netcraft.com); it will provide the same information we require.

  2. Let's find out additional information regarding the sensepost.com website. In the What's that site running? box, enter the following:
    sensepost.com
  3. Record the following server information for "sensepost.com" (and record in your lab log-book):
    • IP Address
    • Type of Operating System
    • Name Server
    • Country Origin
    • Date First Noticed (Tracked)
    • Frequency of Uptimes

  4. The next step in the reconnaissance phase involves Link Analysis, which will list and categorize relationships between other websites and the "target" website called "sensepost.com". You will be downloading, installing and running several open-source tools (a series of Perl scripts packaged as BiLE, which stands for "Bi-directional Link Extraction") to assist in obtaining this information.

    Installing Dependencies for BiLE.pl, BiLE-Weigh.pl
    You may need to download the BiLE utilities, consisting of useful Perl scripts. Your Kali Linux distribution most likely comes with Perl already loaded. On the other hand, prior to running these Perl scripts, you may be required to first install the application called HTTrack. You can do this by installing "httrack" via "apt-get" or by using a graphical application (such as Synaptic Package Manager).

  5. Issue the command: which httrack to confirm that this dependent application has been installed (refer to warning message above).
  6. In a web-browser, go to the following website (which will open in a separate browser window): http://github.com/sensepost/BiLE-suite
  7. Download the Perl Scripts called BiLE.pl, BiLE-Weigh.pl, and tld-expand.pl to your Kali Linux system.

    Perl Scripts Containing Errors When Executed
    If errors occur, check to see whether the Perl scripts were properly downloaded. If they contain HTML code, an alternative to downloading is to display the Perl script in the web-browser and copy and paste the code into the file on your computer (as opposed to right-clicking the link and saving it to your computer).

  8. Run the following command: perl BiLE.pl sensepost.com output.sensepost.com (assuming BiLE.pl is located in the current directory).

    Note: This process may take several minutes to complete.

  9. When the process has completed, a report called "output.sensepost.com.mine" (contained in the current directory) will be created that displays the links associated with the sensepost.com website. Using a text editor, view the contents of that file. Write in your lab log-book the number of lines in the file "output.sensepost.com.mine".
  10. If there is not enough information in this file, run the BiLE.pl script for the URL linux.senecac.on.ca, to be stored in the file called output.linux.senecac.on.ca
  11. Another Perl script called BiLE-weigh.pl is used to rank the significance (relevance) of the related links, with higher-ranking links near the bottom of the file. This Perl script requires the URL of the target website, as well as the output file generated by the BiLE.pl Perl script.
  12. Issue the following command: perl BiLE-weigh.pl sensepost.com output.sensepost.com.mine (assuming the BiLE-weigh.pl script and "output.sensepost.com.mine" are contained in the current directory).

    Error: Sort: open failed: +1: No such file or directory
    If you run the BiLE-Weigh.pl command and encounter the above error, then make the following editing changes for this script:

    change following line: 'cat temp


  13. View the contents of the file "output.sensepost.com.sorted" in your current directory. Notice the ranking of the relevance of links associated with the "sensepost.com" website. Record the number of lines in this file in your lab log-book. What conclusions can you draw in terms of link analysis? Write this information down in your lab log-book.
  14. Run the BiLE-weigh.pl Perl script for the URL linux.senecac.on.ca, using the file output.linux.senecac.on.ca.mine
  15. The final step in the information gathering process is to perform Domain Name Expansion. There are two parts to this process:

    • Variations in the DNS Name (use host command)
    • Variations in the Top Level Domain (use tld-expand.pl Perl Script)

  16. Open a shell terminal, and type the following command: host -t ns sensepost.com (If there is a long list of variations, you can redirect stdout to a text file).
  17. Record the various name servers that are listed in your lab log-book.
  18. Create an input file called sensepost.com.domains.txt, and place any domain names that you have discovered, and then save and exit editing session.
  19. Issue the command: perl tld-expand.pl sensepost.com.domains.txt sensepost.com.domains.variations.txt. What do these variations represent in terms of reconnaissance? Record your findings in your lab log-book.
  20. Proceed to Task #3

Answer Task #2 observations / questions in your lab log book.
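The link-analysis and domain-name-expansion steps of this task can be studied offline with the following Python script. It is an added example, not the BiLE-suite code from github.com/sensepost/BiLE-suite: the hostnames and HTML pages in it are constructed, and the weighting formula in weigh_links is this example's own simplification (a link to the target counts twice a link from it, divided by the linking site's number of outgoing links), not the formula used by BiLE-weigh.pl.

```python
"""Bidirectional link extraction (the BiLE idea) and top-level-domain expansion.

Added example: this is NOT the BiLE-suite code.  It re-creates the steps of
BiLE.pl (extract cross-site links), BiLE-weigh.pl (rank related sites) and
tld-expand.pl (domain variations) on a few constructed HTML pages so the
link-analysis step can be studied offline.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed "mirror" of pages a crawler would have saved: URL -> HTML.
# All hostnames below are made up for this example.
SAMPLE_PAGES = {
    "http://target.example/index.html": """
        <a href="/about.html">About</a>
        <a href="http://partner.example/">Partner</a>
        <a href="http://blog.example/post/1">Blog</a>
        <a href="http://cdn.example/lib.js">CDN</a>""",
    "http://target.example/about.html": """
        <a href="http://partner.example/team">Team</a>""",
    "http://partner.example/": """
        <a href="http://target.example/">Target</a>
        <a href="http://unrelated.example/">Other</a>""",
    "http://blog.example/post/1": """
        <a href="http://target.example/about.html">Target</a>
        <a href="http://news.example/">News</a>
        <a href="http://shop.example/">Shop</a>""",
}


class LinkExtractor(HTMLParser):
    """Collect every href value of an <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_links(pages):
    """The 'mine' step: {source_host: {destination_host, ...}} for
    cross-site links only (relative links stay on the same site)."""
    graph = defaultdict(set)
    for url, html in pages.items():
        src = urlparse(url).hostname
        parser = LinkExtractor()
        parser.feed(html)
        for href in parser.hrefs:
            dst = urlparse(href).hostname
            if dst and dst != src:
                graph[src].add(dst)
    return graph


def weigh_links(graph, target):
    """The 'weigh' step: rank sites related to `target`.

    Weighting is an assumption of this example (not BiLE-weigh's formula):
    a link TO the target is worth 2 points, a link FROM the target 1 point,
    each divided by the linking site's number of outgoing links, so a site
    that links to everything says little.  Sorted ascending, so the most
    relevant site ends up at the bottom, as in the lab's .sorted file.
    """
    score = defaultdict(float)
    for src, dsts in graph.items():
        for dst in dsts:
            if dst == target:
                score[src] += 2.0 / len(dsts)
            elif src == target:
                score[dst] += 1.0 / len(dsts)
    return sorted(score.items(), key=lambda item: item[1])


def tld_expand(domains, tlds=("com", "net", "org", "ca", "co.za")):
    """The 'expand' step: registrable-name variations across TLDs."""
    seen, out = set(), []
    for domain in domains:
        label = domain.split(".")[0]
        for tld in tlds:
            candidate = f"{label}.{tld}"
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    graph = extract_links(SAMPLE_PAGES)
    for host, weight in weigh_links(graph, "target.example"):
        print(f"{weight:.2f}  {host}")
    print("\n".join(tld_expand(["target.example"])))
```

Run as-is, it prints the ranked list (most relevant site at the bottom, like the .sorted file) followed by the TLD variations; to analyse a real mirror, replace SAMPLE_PAGES with the pages HTTrack saved. Note that sites which neither link to the target nor are linked from it (news.example, shop.example, unrelated.example) receive no score at all, which is exactly why a one-hop link graph is only a starting point for link analysis.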


Task #3: Foot-printing


As opposed to the Information Gathering phase (which collects information such as IP addresses), the Foot-printing phase tends to gain a “clearer picture” of the structure of the organization's computer system. This can include relationships among servers, as well as noting IP address ranges.

Footprinting (in simpler terms) means Network Mapping.

Note: You will be using information that you gathered from the server sensepost.com in order to assist you with this lab.

INSTRUCTIONS:

  1. In a shell window, issue the following command: host sensepost.com
  2. Record the results in your lab log-book.
  3. Issue the same command with the following options: host -t ns sensepost.com
  4. Record the results in your lab log-book.
  5. Issue the following command: nslookup sensepost.com
  6. How does this information differ from the other 2 commands previously issued?
  7. Issue the following command: whois sensepost.com
  8. List the additional general information that is provided from all three previous commands.
  9. How do you think that this recently collected information can help you "map" the target computer's network?
  10. Proceed to Task #4


Answer the Task #3 observations / questions in your lab log book.


Task #4: Obtaining User Information


You will be using the information collected in Task #1 to assist with obtaining user information in this task.

Install metagoofil program
The harvester program is already installed in your Kali system, but you will need to install the program metagoofil. Issue the command (as root):

apt-get install metagoofil


INSTRUCTIONS:

  1. Issue the command theharvester --help to learn how to run this script with the following options:
    • Domain: sensepost.com
    • Number of limited results: 100
    • Data Source: google
    • Output filename: ~/sensepost.user

  2. Record any user information that you consider relevant (for penetration testing) in your lab log-book.
  3. Using the user information collected so far, see if you can access their profiles or other information on social media sites (e.g. Facebook, Classmates, MySpace, Twitter, etc.).
  4. Finally, we will be obtaining documents from the targeted network (via Google) that may help provide more information regarding the users.
  5. Issue the following command: metagoofil --help to learn how to run this script with the following options:
    • Domain: sensepost.com
    • Number of limited results: 10
    • Number of files to download (-n option): 10
    • Filetype: pdf,ppt
    • Output directory: sensepost.docs
  6. Check to see if any files were downloaded. If so, write the filenames in your lab log-book.
  7. Proceed to Task #5


Answer Task #4 observations / questions in your lab log book.


Task #5: Verification / The "Tank" Server


Location of dnsmap Utility in Kali Linux
The dnsmap utility is a time-saving method of performing reverse DNS lookups in batch mode, using an input file of collected DNS entries.

This utility is contained in your Kali Linux boot media under the file pathname: /pentest/enumeration/dns/dnsmap


It is important to "double-check" the validity of your collected information, in particular your IP addresses. If any servers are no longer running, this can waste a tremendous amount of time during the scanning process. Remember: the longer a scan takes to execute, the more vulnerable you are, as the penetration tester, to detection.


INSTRUCTIONS:

  1. Open a web-browser and go to the website: www.bing.com
  2. Enter the IP addresses that you have gathered during your reconnaissance phase for sensepost.com. Verify that each IP address is valid and currently operational.
  3. For each of the related IP addresses you have gathered regarding sensepost.com, use the nslookup command to verify its existence.
  4. Change to the directory that contains the dnsmap utility.
  5. Run the dnsmap utility with an input file containing your collected IP_ADDRESSES.
  6. Seneca College has a special server (called tank) that is used for penetration testing. Not only is this server intended for educational purposes only, but students are NOT allowed to perform penetration testing unless they have completed a form (distributed and collected by your instructor) that permits students to perform testing on that server for the semester!

    Once you have signed and given the tank server consent form to your instructor, try gathering information regarding this server called "tank", and record your findings in your lab log-book.

  7. Proceed to "Completing the Lab"


Answer Task #5 observations / questions in your lab log book.
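The host output recorded in Task #3 and the address verification of Task #5 can be practised offline with the following Python script. It is an added example rather than one of the lab's tools (dnsmap, nslookup): the host output and the collected-address list are constructed and use documentation addresses, and the rejection rules (loopback, link-local and RFC 1918 space are out of scope) are this example's own assumption about what an external scan list should never contain.

```python
"""Footprinting and verification helpers.

Added example, not one of the lab's tools: it parses `host`-style output
into a small network map (Task #3), then validates the collected addresses
and collapses them into the smallest set of ranges before any scanning
(Task #5).  The output below is constructed to look like `host` output and
uses RFC 5737 / RFC 3849 documentation addresses, not real servers.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed output of `host`, `host -t ns` and `host -t mx` for a made-up name.
HOST_OUTPUT = """\
target.example has address 192.0.2.10
target.example has address 192.0.2.11
target.example has IPv6 address 2001:db8::10
target.example mail is handled by 10 mail.target.example.
target.example name server ns1.target.example.
target.example name server ns2.hosting.example.
mail.target.example has address 192.0.2.25
ns1.target.example has address 192.0.2.53
ns2.hosting.example has address 198.51.100.53
"""

# Constructed log-book list of "collected IPs", including the usual mistakes:
# an internal address, loopback, a typo and a hostname instead of an address.
COLLECTED = [
    "192.0.2.10", "192.0.2.11", "192.0.2.8/29", "192.0.2.25", "192.0.2.53",
    "198.51.100.53", "2001:db8::10", "10.0.0.5", "127.0.0.1", "192.0.2.999",
    "ns1.target.example",
]

_PATTERNS = (
    (re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$"), "address"),
    (re.compile(r"^(\S+) name server (\S+)$"), "ns"),
    (re.compile(r"^(\S+) mail is handled by \d+ (\S+)$"), "mx"),
)

# Assumption of this example: RFC 1918 space is never part of an external scan.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_host_output(text):
    """Return {"address": {name: [ip, ...]}, "ns": {...}, "mx": {...}}."""
    footprint = {kind: defaultdict(list) for _, kind in _PATTERNS}
    for line in text.splitlines():
        for pattern, kind in _PATTERNS:
            match = pattern.match(line.strip())
            if match:
                footprint[kind][match.group(1)].append(match.group(2).rstrip("."))
                break
    return footprint


def all_addresses(footprint):
    """Every address in the map, deduplicated, ready for verification."""
    return sorted({ip for ips in footprint["address"].values() for ip in ips})


def _is_internal(net):
    """Loopback, link-local and RFC 1918 space never belong in an external scan list."""
    if net.is_loopback or net.is_link_local:
        return True
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def verify_targets(entries):
    """Validate collected IPs/CIDRs and return (collapsed networks, rejected).

    Collapsing adjacent or overlapping entries into the fewest covering
    networks is what keeps the later scanning phase short."""
    nets, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or network"))
            continue
        if _is_internal(net):
            rejected.append((raw, "internal address, out of scope"))
            continue
        nets.append(net)
    collapsed = []
    for version in (4, 6):  # collapse_addresses refuses mixed IPv4/IPv6 input
        collapsed.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return [str(n) for n in collapsed], rejected


if __name__ == "__main__":
    fp = parse_host_output(HOST_OUTPUT)
    print("name servers:", fp["ns"]["target.example"])
    print("addresses   :", all_addresses(fp))
    nets, rejected = verify_targets(COLLECTED)
    print("scan list   :", nets)
    for raw, reason in rejected:
        print(f"rejected {raw!r}: {reason}")
```

Feeding all_addresses(fp) plus the rest of a log-book list into verify_targets gives the narrowed list the objectives ask for: the two single hosts 192.0.2.10 and .11 disappear into the /29 that already covers them, the typo and the hostname are reported instead of silently dropped, and internal addresses are flagged so they are not scanned by mistake.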

Completing the Lab

Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

  1. Reconnaissance Information from sensepost.com:
    • Basic information from sensepost.com website via the Netcraft utility site.
    • Reports from running BiLE.pl and BiLE-Weigh.pl for sensepost.com
    • Main DNS information (Footprint) for sensepost.com
    • User information (e-mail addresses) for the sensepost.com site.
    • Verification of DNS information for sensepost.com site.

  2. Completed Lab 2 notes (including common commands, etc).


Preparing for Quizzes

  1. List the major phases contained in penetration testing.
  2. Explain the difference between reconnaissance and footprinting.
  3. List 3 open-source tools to assist in the Footprinting phase of penetration testing.
  4. Briefly describe the process to obtain key documents from a server using google.ca
  5. Briefly describe the steps to obtain IP and operating system information from a website called linux.senecac.on.ca. Indicate how this information might be useful in future stages of penetration testing.
  6. Define the term link analysis. What open-source tools can be used to perform link analysis?
  7. Define the term Footprinting as it relates to penetration testing.
  8. List the steps (using open source tools) to obtain user account information of a targeted server. Indicate how this information might be useful in future stages of penetration testing.
  9. Why do you think that verification of gathered information (such as IP addresses and IP address ranges) is critical prior to proceeding to the scanning and enumeration phases?