jramos/seclab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
seclab/MOD2_Recon_and_NTA.md

799 lines
22 KiB
Markdown
Raw Permalink Normal View History

initial commit
2026-05-28 18:27:41 -06:00
# FILE: MOD2_Recon_and_NTA.md
# MODULE 2: RECONNAISSANCE & NETWORK TRAFFIC ANALYSIS
## Learning Objectives
By completing this module, you will:
- Perform active reconnaissance using Nmap to identify open ports and services
- Understand TCP/UDP scanning techniques and their network signatures
- Capture and analyze network traffic using Wireshark and tcpdump
- Enumerate service versions and detect operating systems
- Recognize the difference between stealth and noisy scanning techniques
- Document findings for exploitation planning
---
## Key Concepts
### Active Reconnaissance
**Active Recon** involves directly interacting with target systems to gather information. Unlike passive recon (Google searches, WHOIS lookups), active techniques send packets to the target and are **detectable** by IDS/IPS systems.
### Network Traffic Analysis (NTA)
**NTA** is the process of capturing and dissecting raw network packets to:
- Establish baseline "normal" traffic patterns
- Detect anomalous scanning behavior
- Investigate security incidents
- Validate exploit success
### The TCP Three-Way Handshake
```
Client Server
| |
|-------- SYN ---------> | (Client initiates)
|<----- SYN-ACK -------- | (Server acknowledges)
|-------- ACK ---------> | (Client confirms - connection established)
```
### Stealth Scanning (SYN Scan)
```
Client Server
| |
|-------- SYN ---------> | (Probe port)
|<----- SYN-ACK -------- | (Port is OPEN)
|-------- RST ---------> | (Client aborts - never completes handshake)
```
**Why stealth?** Never fully establishes connection, harder to log, faster.
---
## LAB 2.1: DEPLOY TARGET INFRASTRUCTURE
### Deploy Metasploitable 2 (Vulnerable Linux Target)
```
1. Download Metasploitable 2:
- Source: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
- File: metasploitable-linux-2.0.0.zip
- Extract to get .vmdk file
2. Upload to Proxmox:
- SSH to Proxmox or use Shell
- Navigate to: cd /var/lib/vz/images/
- Create directory: mkdir 401
- Upload .vmdk file to this directory
3. Create Proxmox VM:
- VM ID: 401
- Name: Metasploitable2
- OS: Linux 5.x - 2.6 Kernel
- CPU: 1 core
- RAM: 512 MB
- Do NOT add disk yet (we'll import existing)
4. Import Existing Disk:
- SSH to Proxmox
- Run: qm importdisk 401 /var/lib/vz/images/401/Metasploitable.vmdk local-lvm
- Wait for import to complete
5. Attach Disk to VM:
- Proxmox GUI > VM 401 > Hardware
- Select "Unused Disk 0"
- Click "Edit"
- Bus/Device: IDE / 0
- Click "Add"
6. Configure Network:
- Hardware > Network Device > Edit
- Bridge: vmbr0
- VLAN Tag: 400 (VICTIM_NET)
- Model: Intel E1000
- Click "OK"
7. Set Boot Order:
- Options > Boot Order
- Enable only: ide0
- Click "OK"
8. Start VM:
- Console > Start
- Login: msfadmin / msfadmin
9. Get IP Address:
- Command: ifconfig
- Note eth0 IP address (should be 10.10.4.x from DHCP)
- Or set static: sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address 10.10.4.10
netmask 255.255.255.0
gateway 10.10.4.1
- Restart networking: sudo /etc/init.d/networking restart
```
### Deploy Kali Linux (Attacker Platform)
```
1. Download Kali Linux:
- Source: https://www.kali.org/get-kali/#kali-virtual-machines
- Choose: 64-bit Proxmox/QEMU image (.qcow2)
2. Import to Proxmox:
- Upload .qcow2 to Proxmox storage
- Or use qm importdisk method (similar to Metasploitable)
3. Create Kali VM:
- VM ID: 201
- Name: Kali-RedTeam
- OS: Linux 6.x
- CPU: 2 cores
- RAM: 4096 MB (4 GB recommended for tools)
- Disk: Import existing .qcow2
- Network: vmbr0, VLAN Tag: 200 (RED_TEAM)
4. Start and Login:
- Default credentials: kali / kali
- Change password on first login: passwd
5. Verify Network:
- Command: ip addr show eth0
- Should have: 10.10.2.x
- Test gateway: ping 10.10.2.1
- Test target reach: ping 10.10.4.10
```
---
## LAB 2.2: NMAP FUNDAMENTALS
### Understanding Nmap Scan Types
| Scan Type | Flag | Description | Requires Root | Stealthy |
|-----------|------|-------------|---------------|----------|
| TCP SYN | -sS | Half-open scan, doesn't complete handshake | Yes | High |
| TCP Connect | -sT | Full connection, uses OS TCP stack | No | Low |
| UDP | -sU | Scans UDP ports (slow) | Yes | Medium |
| ACK | -sA | Tests firewall rules | Yes | Medium |
| NULL/FIN/Xmas | -sN/-sF/-sX | Advanced evasion techniques | Yes | High |
### LAB 2.2.1: Basic Port Scanning
**From Kali Linux terminal:**
```bash
# PREREQUISITE: Verify target reachability
ping -c 4 10.10.4.10
# Expected: 4 packets transmitted, 4 received
# SCAN 1: Quick scan of common ports
nmap 10.10.4.10
# Default: Scans top 1000 ports using TCP SYN scan
# Expected output: List of open ports (21, 22, 23, 25, 80, 139, 445, 3306, etc.)
# SCAN 2: Scan specific ports
nmap -p 80,443,22 10.10.4.10
# -p = specify ports (can be range: 1-100 or list: 80,443)
# SCAN 3: Scan all 65,535 ports (SLOW - 5-10 minutes)
sudo nmap -p- 10.10.4.10
# -p- = all ports (1-65535)
# Requires sudo for SYN scan
# SCAN 4: Fast scan (top 100 ports only)
nmap -F 10.10.4.10
# -F = fast mode
# SCAN 5: Scan port range
nmap -p 1-1024 10.10.4.10
# Scans well-known ports (1-1024)
```
**Deliverable:** Save full port scan output to file:
```bash
sudo nmap -p- 10.10.4.10 -oN metasploitable_fullscan.txt
# -oN = output normal format
```
---
### LAB 2.2.2: Service Version Detection
```bash
# SCAN 6: Detect service versions
sudo nmap -sV 10.10.4.10
# -sV = Version detection
# Expected: Shows specific software versions (e.g., "vsftpd 2.3.4", "Apache httpd 2.2.8")
# SCAN 7: Aggressive scan (OS + version + scripts + traceroute)
sudo nmap -A 10.10.4.10
# -A = Aggressive mode (combines -sV, -O, -sC, --traceroute)
# Takes longer but provides comprehensive info
# SCAN 8: OS detection only
sudo nmap -O 10.10.4.10
# -O = OS detection (analyzes TCP/IP stack fingerprint)
# Expected: "Linux 2.6.X"
# SCAN 9: Script scanning
sudo nmap -sC 10.10.4.10
# -sC = Run default NSE scripts (safe scripts for enumeration)
# Example scripts: http-title, ssh-hostkey, smb-os-discovery
# SCAN 10: Specific script
nmap --script=http-enum -p 80 10.10.4.10
# Enumerates directories on web server
```
**Understanding Version Detection Output:**
```
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4 <-- Vulnerable version!
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1
23/tcp open telnet Linux telnetd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
```
**Deliverable:** Save version scan with aggressive mode:
```bash
sudo nmap -A 10.10.4.10 -oA metasploitable_aggressive
# -oA = output all formats (normal, XML, grepable)
# Creates: metasploitable_aggressive.nmap, .xml, .gnmap
```
---
### LAB 2.2.3: Scan Timing and Evasion
```bash
# TIMING TEMPLATES:
# -T0 (Paranoid): Extremely slow, for IDS evasion (5 min/port)
# -T1 (Sneaky): Very slow
# -T2 (Polite): Slows down to reduce bandwidth
# -T3 (Normal): Default
# -T4 (Aggressive): Faster, assumes reliable network
# -T5 (Insane): Very fast, may miss ports
# SCAN 11: Aggressive timing (use in labs only!)
sudo nmap -T4 -p- 10.10.4.10
# Faster than default, good for CTFs/labs
# SCAN 12: Stealthy timing (IDS evasion)
sudo nmap -T1 -sS -p 80,443 10.10.4.10
# Slow scan to avoid detection thresholds
# SCAN 13: Fragmented packets (firewall evasion)
sudo nmap -f 10.10.4.10
# -f = fragment packets (split into tiny pieces)
# SCAN 14: Decoy scan (hide among fake sources)
sudo nmap -D RND:10 10.10.4.10
# -D RND:10 = Use 10 random decoy IPs
# Target sees scans from multiple sources (harder to identify real attacker)
# SCAN 15: Spoof source port (bypass firewall rules)
sudo nmap --source-port 53 10.10.4.10
# Appear to come from DNS port 53 (often allowed outbound)
```
**Real-World Scenario:**
```bash
# Penetration test scenario: Enumerate without triggering alarms
sudo nmap -sS -T2 -p 1-1000 --max-rate 10 10.10.4.10
# -sS = SYN scan (stealth)
# -T2 = Polite timing
# --max-rate 10 = Max 10 packets/second (very slow)
```
---
## LAB 2.3: NETWORK TRAFFIC ANALYSIS WITH WIRESHARK
### Understanding Packet Capture
**Wireshark** is a GUI packet analyzer. **tcpdump** is command-line equivalent.
### LAB 2.3.1: Capturing Nmap Scan Traffic
**Step-by-Step:**
```bash
# TERMINAL 1: Start packet capture
sudo tcpdump -i eth0 -w nmap_scan.pcap
# -i eth0 = capture on interface eth0
# -w = write to file
# Leave running...
# TERMINAL 2: Perform nmap scan
sudo nmap -sS -p 80,443,22 10.10.4.10
# TERMINAL 1: Stop capture (Ctrl+C after scan completes)
# Press Ctrl+C
# Verify capture file
ls -lh nmap_scan.pcap
# Should show file size (>0 bytes)
```
### LAB 2.3.2: Analyzing with Wireshark GUI
```bash
# Open Wireshark
sudo wireshark nmap_scan.pcap &
# & = run in background
```
**Wireshark Analysis Steps:**
```
1. FILTER FOR TCP SYN PACKETS:
- Display filter: tcp.flags.syn == 1 && tcp.flags.ack == 0
- Shows only SYN packets (scan probes)
2. OBSERVE STEALTH SCAN BEHAVIOR:
- Find a packet to open port (e.g., port 80)
- Click on SYN packet from Kali
- Look at packet list:
* Packet 1: SYN (from Kali to target port 80)
* Packet 2: SYN-ACK (target responds - port is OPEN)
* Packet 3: RST (Kali aborts - never completes connection)
3. FILTER FOR CLOSED PORT RESPONSE:
- Display filter: tcp.port == 443 (if 443 is closed)
- Observe:
* SYN from Kali
* RST-ACK from target (port CLOSED)
4. ANALYZE PACKET TIMING:
- View > Time Display Format > Seconds Since Previous Displayed Packet
- Note delay between probes (T4 timing = minimal delay)
5. FOLLOW TCP STREAM (for completed connections):
- Right-click any packet > Follow > TCP Stream
- See full conversation in ASCII
- Won't work for SYN scans (no data exchanged)
6. EXPORT PACKET DETAILS:
- File > Export Specified Packets
- Save as: syn_scan_analysis.pcap
```
**Key Wireshark Filters:**
```
tcp.flags.syn == 1 && tcp.flags.ack == 0 → Only SYN packets
tcp.flags.reset == 1 → RST packets
ip.src == 10.10.2.x → Traffic from Kali
ip.dst == 10.10.4.10 → Traffic to target
tcp.port == 80 → Port 80 traffic
http → HTTP protocol
```
---
### LAB 2.3.3: Identifying Scan Types in PCAPs
**Exercise:** Capture different scan types and compare signatures
```bash
# Capture 1: SYN scan
sudo tcpdump -i eth0 -w syn_scan.pcap &
sudo nmap -sS -p 80 10.10.4.10
sudo pkill tcpdump
# Capture 2: TCP Connect scan
sudo tcpdump -i eth0 -w connect_scan.pcap &
nmap -sT -p 80 10.10.4.10 # No sudo (uses full connection)
sudo pkill tcpdump
# Capture 3: UDP scan
sudo tcpdump -i eth0 -w udp_scan.pcap &
sudo nmap -sU -p 53,161 10.10.4.10
sudo pkill tcpdump
# Capture 4: NULL scan
sudo tcpdump -i eth0 -w null_scan.pcap &
sudo nmap -sN -p 80 10.10.4.10
sudo pkill tcpdump
```
**Compare in Wireshark:**
```
SYN Scan: SYN → SYN-ACK → RST (never completes)
Connect Scan: SYN → SYN-ACK → ACK → RST-ACK (full connection, then close)
UDP Scan: UDP packet → ICMP "port unreachable" (if closed)
NULL Scan: Packet with NO flags set → RST (if closed), no response (if open)
```
**Deliverable:** Screenshot showing SYN scan packet sequence in Wireshark with annotations.
---
## LAB 2.4: SERVICE ENUMERATION
### Enumerating Common Services
**Goal:** Gather detailed information about discovered services for exploitation planning.
### LAB 2.4.1: FTP Enumeration (Port 21)
```bash
# Check if anonymous login allowed
nmap --script=ftp-anon -p 21 10.10.4.10
# If anonymous allowed: Shows "Anonymous FTP login allowed"
# Manual FTP check
ftp 10.10.4.10
# Username: anonymous
# Password: (just press Enter)
# Commands:
# ls - list files
# cd - change directory
# get file - download file
# bye - exit
# Brute-force FTP credentials (ethical use only!)
nmap --script=ftp-brute -p 21 10.10.4.10
# Uses common username/password combinations
```
### LAB 2.4.2: SSH Enumeration (Port 22)
```bash
# Get SSH banner and supported algorithms
nmap --script=ssh2-enum-algos -p 22 10.10.4.10
# Check for known SSH vulnerabilities
nmap --script=ssh-* -p 22 10.10.4.10
# Manual banner grab
nc 10.10.4.10 22
# Shows: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
# Press Ctrl+C to exit
# Attempt SSH login (if you have credentials)
ssh msfadmin@10.10.4.10
# Password: msfadmin (on Metasploitable)
```
### LAB 2.4.3: HTTP/HTTPS Enumeration (Port 80/443)
```bash
# Enumerate web directories
nmap --script=http-enum -p 80 10.10.4.10
# Finds: /phpMyAdmin/, /test/, /twiki/, etc.
# Get HTTP headers
curl -I http://10.10.4.10
# Shows server version: Apache/2.2.8 (Ubuntu)
# Web vulnerability scanning
nikto -h http://10.10.4.10
# Comprehensive web server scanner (takes 5-10 minutes)
# Identifies: Outdated software, misconfigurations, known vulnerabilities
# Directory brute-forcing
gobuster dir -u http://10.10.4.10 -w /usr/share/wordlists/dirb/common.txt
# -u = URL
# -w = wordlist
# Finds hidden directories
```
### LAB 2.4.4: SMB Enumeration (Port 139/445)
```bash
# Enumerate SMB shares
nmap --script=smb-enum-shares -p 445 10.10.4.10
# Lists available network shares
# Enumerate SMB users
nmap --script=smb-enum-users -p 445 10.10.4.10
# Lists local user accounts
# OS discovery via SMB
nmap --script=smb-os-discovery -p 445 10.10.4.10
# Shows: OS, Computer name, Domain
# Check for SMB vulnerabilities (EternalBlue, etc.)
nmap --script=smb-vuln* -p 445 10.10.4.10
# Scans for known SMB exploits
# Manual SMB enumeration
smbclient -L //10.10.4.10 -N
# -L = list shares
# -N = no password
```
### LAB 2.4.5: MySQL Enumeration (Port 3306)
```bash
# Check for default credentials
nmap --script=mysql-empty-password -p 3306 10.10.4.10
# Enumerate MySQL users
nmap --script=mysql-users -p 3306 10.10.4.10
# Get MySQL info
nmap --script=mysql-info -p 3306 10.10.4.10
# Manual connection (if credentials known)
mysql -h 10.10.4.10 -u root
# Try common passwords: root, toor, admin, password
```
---
## LAB 2.5: COMPREHENSIVE TARGET ASSESSMENT
### Create Full Reconnaissance Report
**Step-by-Step Workflow:**
```bash
# 1. CREATE WORKING DIRECTORY
mkdir -p ~/recon/metasploitable
cd ~/recon/metasploitable
# 2. COMPREHENSIVE NMAP SCAN
sudo nmap -sS -sV -sC -A -p- -T4 10.10.4.10 -oA full_scan
# Saves: full_scan.nmap, full_scan.xml, full_scan.gnmap
# 3. VULNERABILITY SCAN
nmap --script=vuln -p- 10.10.4.10 -oN vulnerability_scan.txt
# 4. UDP SCAN (top ports only - UDP is slow)
sudo nmap -sU --top-ports 100 10.10.4.10 -oN udp_scan.txt
# 5. WEB ENUMERATION
nikto -h http://10.10.4.10 -o nikto_scan.txt
# 6. SMB ENUMERATION
enum4linux -a 10.10.4.10 > smb_enum.txt
# -a = all enumeration (users, shares, groups, etc.)
# 7. ORGANIZE FINDINGS
cat full_scan.nmap | grep "open" > open_ports.txt
# Extract only open ports
# 8. CREATE SUMMARY
cat << EOF > RECONNAISSANCE_SUMMARY.txt
TARGET: Metasploitable 2 (10.10.4.10)
SCAN DATE: $(date)
SCANNER: Kali Linux (10.10.2.x)
OPEN PORTS:
$(cat open_ports.txt)
HIGH-RISK SERVICES IDENTIFIED:
- vsftpd 2.3.4 (Port 21) - Known backdoor vulnerability
- SSH 4.7p1 (Port 22) - Outdated, weak key exchange
- Samba 3.x (Port 139/445) - Multiple known exploits
- MySQL (Port 3306) - Empty root password
NEXT STEPS:
1. Research CVEs for identified service versions
2. Prepare exploit modules in Metasploit (Module 3)
3. Document attack vectors for reporting
EOF
cat RECONNAISSANCE_SUMMARY.txt
```
**Deliverable:** Full reconnaissance directory with all scan outputs and summary report.
---
## NETWORK TRAFFIC ANALYSIS EXERCISES
### Exercise 1: Baseline vs Anomalous Traffic
```bash
# CAPTURE NORMAL TRAFFIC
sudo tcpdump -i eth0 -w normal_traffic.pcap -c 1000
# -c 1000 = capture 1000 packets
# Let normal background traffic capture for 1 minute
# Then Ctrl+C
# CAPTURE SCAN TRAFFIC
sudo tcpdump -i eth0 -w scan_traffic.pcap &
sudo nmap -T4 -p- 10.10.4.10
sudo pkill tcpdump
# COMPARE IN WIRESHARK
wireshark normal_traffic.pcap &
wireshark scan_traffic.pcap &
# What to look for in scan traffic:
# - High packet rate (thousands of SYNs per second)
# - Sequential destination ports (80, 81, 82, 83...)
# - Many RST packets (aborted connections)
# - Single source IP targeting single destination
```
### Exercise 2: Protocol Distribution Analysis
```
1. Open scan_traffic.pcap in Wireshark
2. Statistics > Protocol Hierarchy
- Shows % of each protocol (TCP, UDP, ICMP)
- Scan traffic = 99% TCP SYN
3. Statistics > Conversations
- Shows IP pairs and packet counts
- Scan = One conversation with thousands of packets
4. Statistics > I/O Graph
- Visualize packet rate over time
- Scan = Sharp spike during scan period
```
**Deliverable:** Screenshot of Wireshark Protocol Hierarchy showing scan traffic composition.
---
## TROUBLESHOOTING GUIDE
### Issue: Nmap shows "Host seems down"
```bash
# Check connectivity first
ping 10.10.4.10
# If ping works but nmap doesn't:
sudo nmap -Pn 10.10.4.10
# -Pn = Skip host discovery (assume host is up)
# Check firewall rules in pfSense
# Ensure RED_TEAM → VICTIM_NET is allowed
```
### Issue: Wireshark shows "Permission denied"
```bash
# Run with sudo
sudo wireshark
# Or add user to wireshark group (better practice)
sudo usermod -aG wireshark $USER
# Logout and login for changes to take effect
```
### Issue: tcpdump captures no packets
```bash
# Verify correct interface
ip addr show
# Use correct interface name (eth0, ens18, etc.)
# Check if interface is up
sudo ip link set eth0 up
# Verify you're capturing right traffic
sudo tcpdump -i eth0 -n
# -n = Don't resolve hostnames (faster)
# Should see packets scrolling
```
### Issue: Nmap scan is extremely slow
```bash
# Use faster timing
sudo nmap -T4 10.10.4.10
# Scan fewer ports initially
nmap -F 10.10.4.10 # Fast mode (100 ports)
# Disable ping check
sudo nmap -Pn -T4 -p 1-1000 10.10.4.10
```
---
## PROFESSOR'S GUIDANCE
### Understanding Reconnaissance in Real Engagements
**Lab environment vs Production:**
- **Lab:** Aggressive scans (T4, T5) are fine - you own the network
- **Production:** Use T2-T3, rate limiting, blend with normal traffic
- **Legal requirement:** Always have written authorization before scanning
### Reconnaissance is Not Just Tool Execution
**Poor approach:** "I ran nmap -A and got results"
**Professional approach:**
1. **Scope definition:** What am I allowed to scan?
2. **Passive recon first:** OSINT, DNS lookups, public records
3. **Strategic scanning:** Scan incrementally (common ports → all ports)
4. **Service enumeration:** Deep dive into discovered services
5. **Vulnerability mapping:** Match versions to CVE databases
6. **Documentation:** Detailed notes for exploitation phase
7. **Traffic analysis:** Understand what your tools do on the wire
### Common Student Mistakes
**1. Running scans without capturing traffic:**
- You learn HOW attacks work by seeing packets
- Future you (as defender) needs to recognize these patterns
**2. Not saving scan outputs:**
- Use `-oA` to save all formats
- XML output can be imported into tools like Metasploit
**3. Ignoring UDP services:**
- UDP is stateless, harder to scan, but critical (DNS, SNMP, TFTP)
- Always include UDP scans in assessments
**4. Over-relying on automated tools:**
- Nikto finds 100 issues → 95 are false positives
- Manual verification is essential
### Time Investment
- Initial VM deployment: 1-2 hours
- Nmap fundamentals: 2-3 hours
- Wireshark packet analysis: 2-4 hours (most important!)
- Service enumeration: 2-3 hours
- Comprehensive assessment: 1-2 hours
**Total: 8-14 hours**
### Real-World Skills Developed
By mastering this module, you can:
- Perform network reconnaissance in penetration tests
- Analyze packet captures for incident response
- Identify suspicious scanning in SOC role
- Understand attacker methodology (kill chain Phase 1: Reconnaissance)
---
## KNOWLEDGE CHECK
Before proceeding to MOD3, you should be able to:
1. **Explain the difference between -sS and -sT scans**
- Answer: -sS (SYN scan) doesn't complete handshake (stealth), -sT (Connect) uses full connection
2. **What does a SYN-ACK response indicate?**
- Answer: Port is OPEN and accepting connections
3. **Why do attackers use decoy scans (-D)?**
- Answer: To hide their real IP among fake sources, making attribution harder
4. **In Wireshark, how do you filter for only SYN packets?**
- Answer: `tcp.flags.syn == 1 && tcp.flags.ack == 0`
5. **Name 3 high-risk services found on Metasploitable**
- Answer: vsftpd 2.3.4 (backdoor), Samba 3.x (exploitable), MySQL (empty password)
6. **What tool enumerates SMB shares?**
- Answer: `enum4linux`, `smbclient`, or `nmap --script=smb-enum-shares`
7. **Why should UDP scans use --top-ports?**
- Answer: UDP scans are slow (no handshake confirmation), limiting to top ports is practical
---
## DELIVERABLES CHECKLIST
Before proceeding to Module 3, submit/complete:
- [ ] Full nmap scan output (-oA format)
- [ ] Wireshark PCAP of SYN scan with annotations
- [ ] Nikto web scan results
- [ ] SMB enumeration output (enum4linux)
- [ ] Reconnaissance summary report
- [ ] Screenshots showing:
- [ ] TCP three-way handshake in Wireshark
- [ ] SYN scan RST behavior
- [ ] Wireshark protocol hierarchy of scan traffic
- [ ] Nmap version detection output
---
**END OF MODULE 2**
**Next Steps:**
1. Review all captured PCAPs - understand what each scan looks like
2. Save all scan outputs to `~/recon/metasploitable/` directory
3. Take snapshot of Kali VM: "Post-MOD2-Reconnaissance"
4. Proceed to **MOD3: Exploitation & Post-Exploitation**
**Remember:** Every offensive technique you learn has a defensive counter. When you configure Security Onion in MOD4, you will create rules to detect these exact scans!
Reference in New Issue Copy Permalink