Reconnaissance Tools – Part 2 – SY0-601 CompTIA Security+ : 4.1

Third-party reconnaissance tools can provide extensive information about users, networks, and devices. In this video, you’ll learn about hping, Nmap, theHarvester, sn1per, scanless, and more.


In this video, we’ll look at some reconnaissance tools that may require you to install some additional software. Some of these are available in Linux or macOS, or you may be able to find a pre-configured Linux distribution like Kali, where a number of these tools are pre-installed and ready to run.

The first tool we’ll look at is curl, which stands for client URL, or uniform resource locator. This is referring to the URL that you could use to access web pages, perform FTP transfers, retrieve emails, and many other functions as well. curl allows you to grab the raw data from these sites and display it on a terminal screen.

If you’re displaying a web page in a browser, it’s usually a very graphical view. But with curl, you’re viewing the raw HTML that’s being transferred from that web server. This is very useful for being able to see the source code and search through it. You might be able to parse information out of the website, and it makes it very easy to begin automating based on the information you’re receiving from a website.

Let’s perform a curl on my website and see what results we get. We’ll run a curl to www.professormesser.com, and if we look at these results, it shows that this site has a 301 Moved Permanently message, and it shows that it has been moved to a secure website with HTTPS. So let’s run the same command again.

This is curl again, but in this case, we’ll use https://www.professormesser.com. What we get back is a much larger amount of data, because this is the source code for the site written out as HTML, which we’re viewing in our terminal screen, thanks to curl.
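The two curl runs above show a 301 to the HTTPS site followed by the raw HTML of the site. The Python below is an added example, not part of the course or of curl itself: it parses a raw HTTP response the way curl prints one (status line, headers, body) and checks whether a plain-HTTP request is redirected to HTTPS on the same host, which is the check a defender makes when verifying a site. The two responses are constructed for illustration, not captured from professormesser.com.

```python
"""Parse a raw HTTP response the way curl prints it, and check whether the
plain-HTTP site redirects to HTTPS. Added example; the responses below are
constructed for illustration, not captured from professormesser.com."""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_http_response(raw: bytes) -> dict:
    """Split a raw response into status line, headers and body.

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Only the first value of a repeated header is kept.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return {
        "version": version,
        "status": int(status),
        "reason": reason[0] if reason else "",
        "headers": headers,
        "body": body,
    }


def redirect_target(resp: dict, requested_url: str):
    """Absolute URL the server wants us to go to, or None if no redirect."""
    if resp["status"] not in REDIRECT_CODES:
        return None
    location = resp["headers"].get("location")
    if location is None:
        return None
    return urljoin(requested_url, location)  # Location may be relative


def upgrades_to_https(resp: dict, requested_url: str) -> bool:
    """True when an http:// request is redirected to https:// on the same host.

    A plain-HTTP request should bounce straight to TLS rather than serve
    content or send the user to a different site.
    """
    target = redirect_target(resp, requested_url)
    if target is None:
        return False
    req, tgt = urlparse(requested_url), urlparse(target)
    return tgt.scheme == "https" and tgt.hostname == req.hostname


# Constructed sample responses (not real captures).
REDIRECT_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: nginx\r\n"
    b"Location: https://www.professormesser.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><head><title>Example</title></head><body>hello</body></html>"
)
OFFSITE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://example.com/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    url = "http://www.professormesser.com/"
    r = parse_http_response(REDIRECT_RESPONSE)
    print(r["status"], r["reason"], "->", redirect_target(r, url))
    print("upgrades to https:", upgrades_to_https(r, url))
```

The same parser works on the second, much larger response: the body is the HTML you would search through, and the headers (server banner, cookies, security headers) are often the more interesting reconnaissance data.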

There are many different tools you can use to perform IP scanning. This is simply scanning the network to try to locate IP addresses or identify what port numbers might be open on an IP address. This usually uses a number of different techniques to be able to identify and then display these devices and the port numbers on your system.

These scanners might use ARP to find devices on your local subnet, but if you’re trying to scan outside of your local subnet, you may be using ICMP, TCP acknowledgments, ICMP timestamp requests, and other techniques that can help you identify and then scan devices on the network.

If these tools identify a device that happens to be active on the network, you can then choose another tool to perform even more reconnaissance after the fact. We’ll be looking at a number of different tools, but some of the most popular are tools like Nmap, hping, and others.

hping takes the idea of a ping command and takes it to the next level. We’re able to gather a lot more information than by simply performing a ping. We may want to gather information about what ports might be open on a device, or we could even craft our own packets and send those to a device across the network.

This is a relatively easy command to run. We just run the hping command, we can choose destination ports like I’ve done here to send it to destination port 80, and you can choose the IP address or IP address range of the device you’d like to scan.

Unlike a simple ping command, the hping command allows you to modify almost everything about the packet. You can modify IP information, TCP details, UDP information, ICMP values, and much more. If you use any of these tools to scan devices on your network, there’s always the potential for a denial of service. So make sure you have permission to perform these scans and that you’re running a scan that’s not going to create problems for other devices on your network.

Let’s run a ping to my local router. I’m going to use the sudo command to run this with elevated rights and permissions, we’ll run the hping3 command, and I’m going to choose the IP address of my local router. You can see this performs a relatively simple ping to the device, and we can see that this device has a time to live of 64. We’ve got the flags, the sequence numbers, and the round trip times, very similar to the ping command.

Let’s run the hping command again, but this time with the port queries, so that we can see what ports may be open and what ports might be closed. We’ll run the hping command with the scan option, and I’m going to choose to scan ports 80 through 443.

We’ll then also specify the destination IP address for this scan, and I’m also going to choose the capital V option for verbose, so we can see exactly what’s happening behind the scenes when we perform the scan.

When I hit Enter, you can see it scanning through many different ports all at once, and you can see all of the different ports that are responding on this device and which ones may be closed. You can see that the only two ports that returned any information from the scan were port 80 and, if we scroll all the way to the bottom, port 443, which is open on that device as well.

If you’re going to do anything serious with port scanning, though, you’ll probably want to become familiar with Nmap. Nmap stands for Network Mapper, and it is one of the most popular scanners and mapping tools, available in almost any operating system.

It can identify open ports on a device, and it can identify what operating system might be running on that device without actually logging in to the operating system. It can also perform a service scan to determine more information about the specific services running on that particular remote device.

Nmap also includes the ability to run additional scripts, which greatly extend the functionality of the tool. This comes from the Nmap Scripting Engine, or NSE, and it allows you to use Nmap to run vulnerability scans and other tests against the device.

Let’s run a very simple Nmap scan of my router. I’ll run sudo nmap, choose the IP address of the router, and I’m going to choose the verbose option, actually two verbose options here, to give us more information about what’s happening behind the scenes.

It’s now finished the scan of 1,000 different ports on that device, and it shows us information about what ports did not respond, what ports did respond and how they responded, and what ports may end up being unreachable on that device. We can then take this information and decide what our next steps might be to gather additional intel from that particular IP address.

There is an amazing amount of information that can be obtained for free from public websites. We refer to this information as open source intelligence, or OSINT. And there are many tools available that allow you to gather that information from those open sources, and do it in a way that’s relatively automated.

A good example of one of those tools is theHarvester. theHarvester allows you to gather many different kinds of information from many different kinds of sites. You can go to Google or Bing, you can gather information from LinkedIn, and many other resources as well.

For instance, if you wanted to find everybody on LinkedIn that matched a particular domain, you can have theHarvester automatically find that information and present it to you on the screen. theHarvester can also perform things like a DNS brute force, so it can identify not only DNS services that may be publicly available, but it can find hosts that may not be automatically identified from a DNS server. For example, you may be able to find a VPN server or an email server by running some of the brute force tasks within theHarvester.

Here’s theHarvester running on my Kali Linux distribution, and you can see it is used to gather open source intelligence on a company or domain. You can also see the services available, and there are a lot of different services, everything from Google to Yahoo to Twitter, and I can even run LinkedIn queries from here as well.

Let’s run theHarvester to see if we can find any emails that might be in a search engine. So I’m going to run sudo and theHarvester, and let’s choose the domain as example.com. I’ll tell theHarvester that I’d like a maximum of a hundred results, and we’ll choose Bing as the search engine that we would like to query.

theHarvester will go out to that source and see what is available. It didn’t find any IP addresses, but it did find two emails associated with that domain, email@example.com and mail@example.com. And it found one host IP address, and it listed that as well.

Doing this automated process can help us identify other types of information, especially if we include searches that go out to LinkedIn, to Google and to other services. As we’re going through these reconnaissance tools, you may notice that the different tools are providing different kinds of information.

Wouldn’t it be nice if we could bring all of this information back to a single query, and see all of those tools running at one time? We can do this with a reconnaissance tool called sn1per. sn1per combines all of these tools together to give you one set of queries and one set of output for all of these different functions.

There are many different ways to configure the way sn1per runs. Some of these options are very intrusive, and others are specifically built to run in a stealth mode. This is another one of those reconnaissance tools that can really create problems and denial of service situations. So make sure that you have permission to scan the device that you’re accessing, and that you know exactly what options you’re using in sn1per.

Let’s run a sn1per query against example.com, and I’m going to choose to only run a request to web services on that particular domain. When we hit Enter, it will begin the scan, and a lot of information is going to start flying by as it performs information queries against different port numbers, runs its checks, does some HTTP information gathering, runs Nmap scripts, and puts all of this into a single set of output. We can let this run through its entire process to gather everything we can about example.com, and then we can evaluate the results.

I’ve scrolled to the top of the results of this scan that we did against example.com, and you can see that it gathered DNS information and checked for subdomain hijacking. It then pinged the host and did a TCP port scan using Nmap, and we can see the results for port 80 and port 443.

It ran some intrusive scans against some port numbers that were apparently closed, it scanned HTTP ports to see if there was any information it could gather from the web server, then it began running a spider, ran a TCP port scan, and looked for HTTP headers. The entire set of results continues to flow through as it goes from tool to tool, and provides the results for all of these in a single sn1per query.

One of the problems you may find when you’re performing a port scan is that your device is easily identified as the source of the scan. So one of the things you might want to do is run the scan from a different host. This would effectively be a proxy for port scanning, and the utility that does this is called scanless. scanless includes support for many different services, you can choose exactly which proxy you’d like to use, and you can have that service perform the port scan for you.
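The paragraph above makes the defender’s point in passing: a port scan from hping or Nmap is easy to spot, because one source touches many destination ports in a short time. The Python below is an added example (not part of the course or of any of these tools) of that detection logic run over constructed firewall log lines in a made-up key=value format. It counts distinct destination ports per source/destination pair inside a sliding time window, so a busy but legitimate client that only ever talks to ports 80 and 443 is not flagged, while a fast scan is. The third traffic source shows the limitation of any window-based rule: a scan spread out over minutes stays under the threshold unless the window is widened.

```python
"""Flag port-scan sources in connection logs. Added example, not part of the
course; the log lines are constructed in a made-up firewall format."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert on any (src, dst) pair that touches >= threshold distinct
    destination ports within a sliding time window.

    Counting distinct ports rather than packets is what separates a scan
    (hping --scan, nmap) from a busy but legitimate client that hammers one
    or two ports. The window is what a slow scan tries to slip under.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> hits currently inside the window
        left = 0
        peak = 0
        for ts, port in evs:
            in_window[port] += 1
            # Evict events that fell out of the window ending at ts.
            while evs[left][0] < ts - window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append({"src": src, "dst": dst, "distinct_ports": peak})
    return alerts


def _build_sample_log():
    """Constructed traffic: one fast scanner, one normal client, one slow scanner."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # Fast scan: 20 distinct ports in under four seconds, all denied.
    for i, port in enumerate(range(80, 100)):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} src=10.1.10.50 dst=10.1.10.1 dport={port} proto=tcp action=deny")
    # Normal client: many connections, but only to ports 80 and 443.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.1.10.77 dst=10.1.10.1 dport={443 if i % 2 else 80} proto=tcp action=allow")
    # Slow scan: 15 distinct ports, two minutes apart, so never 10 in one window.
    for i in range(15):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} src=10.1.10.99 dst=10.1.10.1 dport={8000 + i} proto=tcp action=deny")
    lines.append("this line is malformed and must be skipped")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"port scan: {a['src']} -> {a['dst']} ({a['distinct_ports']} distinct ports)")
```

With the default 60-second window only the fast scanner is reported; widening the window to 30 minutes also catches the slow one. When a scan is relayed through a service like scanless, the source address in these logs is the proxy, not the person running it, which is exactly why the paragraph describes it as hiding the origin.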

Let’s perform a port scan through a proxy to the public Nmap scanning server that’s available for you to access with Nmap or other scanning tools. Let’s use scanless to do this. I’m going to specify the destination as scanme.nmap.org, and I’m going to choose the service spiderip to provide the proxy for me.

So instead of this port scan occurring from my local workstation, it’s actually going to be performed from the spiderip service. I’ll hit Enter, it will go out to spiderip, run the scan against scanme.nmap.org, and the results of this scan are coming directly from spiderip. It shows me exactly what ports are open and closed on that particular destination of scanme.nmap.org.

There’s a lot of information that you can gather from a DNS server, and one of the tools to be able to see that is the dnsenum command. This will enumerate DNS information from a DNS server. There is a great deal of information you can gather and many hosts you can identify from that DNS server.

But there are also other hosts that you may be able to find using a number of different techniques, and dnsenum allows you to do that. And of course, there’s other DNS information that could be obtained from sources outside of a DNS server. For example, you could go to the Google index to see if you can identify any hosts there, and dnsenum will search through Google, find any host names, and begin to perform queries for those host names against a DNS server.

Let’s run a very simple dnsenum query. I’m going to choose the option to show this in verbose mode so that we can see what’s happening behind the scenes, and we’ll do this for example.com. When I perform this search, it’s going to find information on existing DNS servers, and then it’s going to perform a brute force against the DNS server, changing the name at the beginning of the query to try to find subdomains inside of example.com. This brute force will go through a predefined set of names that’s in a dictionary to see what it can find in that DNS server.

If I scroll back up to the beginning of the query, you can see that it did find example.com and an IP address, and it found the name servers that were associated with that domain. It didn’t find anything else associated with that domain, and that’s why it began running through the brute force using the dns.txt file included with dnsenum.

If you’re planning to perform vulnerability scanning against a remote IP address, then you want to use a scanner such as Nessus. This is one of the most popular vulnerability scanners, probably because of its very large database, which can identify many, many known vulnerabilities.

This is a scanning tool that has a lot of support in the industry and you’ll find as we step through the results that there is extensive reporting and information that will help you identify vulnerabilities and help you resolve and fix the vulnerabilities on those systems.

Before making this video, I ran this Nessus scanner against a single IP address on my network, 10.1.10.13, and it found a number of vulnerabilities. It found 71 informational vulnerabilities, three low priority vulnerabilities, nine medium, two high, and two critical.

If we click on this, we can drill down into what these vulnerabilities were. Two of the critical vulnerabilities were for a Debian OpenSSH/OpenSSL package random number generator weakness, which allowed people to gain a shell remotely on this device. If you click and drill down into that, it will explain why that particular vulnerability was identified and what the solution is to resolve this problem on that host.

If we go back to our vulnerability list, let’s look at the other critical vulnerability, which is Unix Operating System Unsupported Version Detection. If we click on that, we can see that this is an old version of Linux that is no longer supported. It shows you that it was running Ubuntu 8.04, and support ended in 2011. And the obvious solution for this is to upgrade to a version that is currently supported.

Nessus can be configured to scan many different IP addresses or ranges of IP addresses on your network, create this database of vulnerabilities, and then you, as the security professional, can begin identifying where you need to start to make these systems much safer.

One of the challenges we have when receiving an executable, or wanting to run a program that we’ve never run before, is that we’re always concerned there might be something malicious, or perhaps malware, inside of that executable. And running the executable to test it on your production machine is probably not the most secure way to identify problems.

That’s why we would want to use Cuckoo. Cuckoo is a sandbox that is specifically written to run programs inside of it and identify any malware. This virtualized environment can consist of many different operating systems, including Windows, Linux, macOS, and Android.

It can track API calls, it can identify what network traffic is being sent by this application, it can perform a memory analysis, and much more. If you’re in a position where you need to evaluate different executables and confirm that they are safe before deploying them in your environment, then you might want to use Cuckoo.

This takes a little bit of time to get set up and have all of the correct VMs in place, but once you have this running, you now have a method to be able to run these executables safely without worrying about them infecting anything else in your environment.
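A sandbox run produces a behavior report (API calls, files and registry keys written, network connections), and the analyst’s job is to turn that report into a verdict. The Python below is an added example, not Cuckoo’s own code or report format: it triages a constructed, simplified report dictionary by looking for a few classic indicators (the write-memory/create-thread API trio used for process injection, a Run-key write for persistence, an outbound connection to an external address on a non-web port, and a dropped file that is then executed) and rolls them up into a verdict. Both sample reports, the file paths, the registry key, and the 203.0.113.x addresses are constructed.

```python
"""Triage a sandbox behavior report. Added example, not Cuckoo's own code or
report format: the report dicts below are constructed and simplified."""
import ipaddress

# API trio commonly seen together when one process writes code into another.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
# Autostart locations; compared case-insensitively against written key paths.
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
WEB_PORTS = {80, 443}


def is_internal(ip: str) -> bool:
    """True for RFC1918, loopback and link-local addresses; everything else
    (including the constructed 203.0.113.x samples) counts as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage_report(report: dict) -> dict:
    """Return a verdict plus the (name, severity, evidence) indicators behind it."""
    indicators = []
    processes = report.get("processes", [])

    # 1. Process injection: all three APIs observed somewhere in the run.
    apis = {c["api"] for p in processes for c in p.get("calls", [])}
    if INJECTION_APIS <= apis:
        indicators.append(("process_injection", "high", sorted(INJECTION_APIS)))

    # 2. Persistence via a Run/RunOnce key.
    for key in report.get("registry", {}).get("written", []):
        if any(marker in key.lower() for marker in RUN_KEY_MARKERS):
            indicators.append(("run_key_persistence", "medium", key))

    # 3. Outbound traffic to an external host on a port that is not plain web.
    for conn in report.get("network", {}).get("tcp", []):
        if not is_internal(conn["dst"]) and conn["dport"] not in WEB_PORTS:
            indicators.append(("unusual_outbound_port", "medium", f"{conn['dst']}:{conn['dport']}"))

    # 4. A file the sample wrote was later run as a process (dropper behavior).
    dropped = {path.lower() for path in report.get("files", {}).get("written", [])}
    for p in processes:
        if p.get("image", "").lower() in dropped:
            indicators.append(("dropped_and_executed", "high", p["image"]))

    severities = {sev for _, sev, _ in indicators}
    verdict = "malicious" if "high" in severities else "suspicious" if indicators else "clean"
    return {"verdict": verdict, "indicators": indicators}


# Constructed reports, loosely shaped like a sandbox behavior summary.
MALICIOUS_REPORT = {
    "processes": [
        {"pid": 1200, "image": r"C:\Users\analyst\Desktop\invoice.exe",
         "calls": [{"api": "CreateFileW"}, {"api": "WriteFile"}, {"api": "CreateProcessW"}]},
        {"pid": 1340, "image": r"C:\Users\analyst\AppData\Local\Temp\svc.exe",
         "calls": [{"api": "OpenProcess"}, {"api": "VirtualAllocEx"},
                   {"api": "WriteProcessMemory"}, {"api": "CreateRemoteThread"}]},
    ],
    "files": {"written": [r"C:\Users\analyst\AppData\Local\Temp\svc.exe"]},
    "registry": {"written": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"]},
    "network": {"tcp": [{"dst": "203.0.113.10", "dport": 4444}]},  # TEST-NET-3, constructed
}
BENIGN_REPORT = {
    "processes": [{"pid": 900, "image": r"C:\Program Files\Tool\tool.exe",
                   "calls": [{"api": "CreateFileW"}, {"api": "ReadFile"}]}],
    "files": {"written": [r"C:\Users\analyst\Documents\report.txt"]},
    "registry": {"written": [r"HKCU\Software\Tool\Settings"]},
    "network": {"tcp": [{"dst": "203.0.113.20", "dport": 443}]},
}

if __name__ == "__main__":
    for name, rep in (("invoice.exe", MALICIOUS_REPORT), ("tool.exe", BENIGN_REPORT)):
        result = triage_report(rep)
        print(name, result["verdict"], [i[0] for i in result["indicators"]])
```

The rules are deliberately simple; a real sandbox ships hundreds of behavioral signatures. The value of running the sample in an isolated VM, as the text describes, is that all of this evidence is collected without the executable ever touching a production host.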