# FILE: MOD2_Recon_and_NTA.md

# MODULE 2: RECONNAISSANCE & NETWORK TRAFFIC ANALYSIS

## Learning Objectives

By completing this module, you will:

- Perform active reconnaissance using Nmap to identify open ports and services
- Understand TCP/UDP scanning techniques and their network signatures
- Capture and analyze network traffic using Wireshark and tcpdump
- Enumerate service versions and detect operating systems
- Recognize the difference between stealth and noisy scanning techniques
- Document findings for exploitation planning

---

## Key Concepts

### Active Reconnaissance

**Active Recon** involves directly interacting with target systems to gather information. Unlike passive recon (Google searches, WHOIS lookups), active techniques send packets to the target and are **detectable** by IDS/IPS systems.

### Network Traffic Analysis (NTA)

**NTA** is the process of capturing and dissecting raw network packets to:

- Establish baseline "normal" traffic patterns
- Detect anomalous scanning behavior
- Investigate security incidents
- Validate exploit success

### The TCP Three-Way Handshake

```
Client                         Server
  |                              |
  |-------- SYN --------->       |   (Client initiates)
  |<----- SYN-ACK --------       |   (Server acknowledges)
  |-------- ACK --------->       |   (Client confirms - connection established)
```

### Stealth Scanning (SYN Scan)

```
Client                         Server
  |                              |
  |-------- SYN --------->       |   (Probe port)
  |<----- SYN-ACK --------       |   (Port is OPEN)
  |-------- RST --------->       |   (Client aborts - never completes handshake)
```

**Why "stealth"?** The handshake is never completed, so the application listening on the port never sees a connection and never logs one (a full connect scan shows up in the service's own logs, e.g. sshd or Apache). It is also faster, because Nmap never waits for the OS to finish and tear down a connection per port. It is not invisible: the SYN / SYN-ACK / RST pattern repeated across many ports is exactly what an IDS port-scan signature matches, as you will see in Lab 2.3.

---

## LAB 2.1: DEPLOY TARGET INFRASTRUCTURE

### Deploy Metasploitable 2 (Vulnerable Linux Target)

```
1. Download Metasploitable 2:
   - Source: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
   - File: metasploitable-linux-2.0.0.zip
   - Extract to get .vmdk file

2. Upload to Proxmox:
   - SSH to Proxmox or use Shell
   - Navigate to: cd /var/lib/vz/images/
   - Create directory: mkdir 401
   - Upload .vmdk file to this directory

3. Create Proxmox VM:
   - VM ID: 401
   - Name: Metasploitable2
   - OS: Linux (2.6 - 6.x Kernel)
   - CPU: 1 core
   - RAM: 512 MB
   - Do NOT add disk yet (we'll import existing)

4. Import Existing Disk:
   - SSH to Proxmox
   - Run: qm importdisk 401 /var/lib/vz/images/401/Metasploitable.vmdk local-lvm
   - Wait for import to complete

5. Attach Disk to VM:
   - Proxmox GUI > VM 401 > Hardware
   - Select "Unused Disk 0"
   - Click "Edit"
   - Bus/Device: IDE / 0
   - Click "Add"

6. Configure Network:
   - Hardware > Network Device > Edit
   - Bridge: vmbr0
   - VLAN Tag: 400 (VICTIM_NET)
   - Model: Intel E1000
   - Click "OK"

7. Set Boot Order:
   - Options > Boot Order
   - Enable only: ide0
   - Click "OK"

8. Start VM:
   - Console > Start
   - Login: msfadmin / msfadmin

9. Get IP Address:
   - Command: ifconfig
   - Note eth0 IP address (should be 10.10.4.x from DHCP)
   - Or set static: sudo nano /etc/network/interfaces
       auto eth0
       iface eth0 inet static
           address 10.10.4.10
           netmask 255.255.255.0
           gateway 10.10.4.1
   - Restart networking: sudo /etc/init.d/networking restart
```

### Deploy Kali Linux (Attacker Platform)

```
1. Download Kali Linux:
   - Source: https://www.kali.org/get-kali/#kali-virtual-machines
   - Choose: 64-bit Proxmox/QEMU image (.qcow2)

2. Import to Proxmox:
   - Upload .qcow2 to Proxmox storage
   - Or use qm importdisk method (similar to Metasploitable)

3. Create Kali VM:
   - VM ID: 201
   - Name: Kali-RedTeam
   - OS: Linux 6.x
   - CPU: 2 cores
   - RAM: 4096 MB (4 GB recommended for tools)
   - Disk: Import existing .qcow2
   - Network: vmbr0, VLAN Tag: 200 (RED_TEAM)

4. Start and Login:
   - Default credentials: kali / kali
   - Change password on first login: passwd

5. Verify Network:
   - Command: ip addr show
   - The interface is eth0 or ens18 depending on the image; the rest of this module
     writes eth0, substitute your interface name where needed
   - Should have: 10.10.2.x
   - Test gateway: ping 10.10.2.1
   - Test target reach: ping 10.10.4.10
```

---

## LAB 2.2: NMAP FUNDAMENTALS

### Understanding Nmap Scan Types

| Scan Type     | Flag           | Description                                              | Requires Root | Stealthy |
|---------------|----------------|----------------------------------------------------------|---------------|----------|
| TCP SYN       | -sS            | Half-open scan, doesn't complete handshake               | Yes           | High     |
| TCP Connect   | -sT            | Full connection, uses OS TCP stack                       | No            | Low      |
| UDP           | -sU            | Scans UDP ports (slow)                                   | Yes           | Medium   |
| ACK           | -sA            | Tests firewall rules (filtered vs unfiltered, not open)  | Yes           | Medium   |
| NULL/FIN/Xmas | -sN/-sF/-sX    | Advanced evasion techniques                              | Yes           | High     |

Two caveats on the "Stealthy" column: "high" means the probe is unlikely to be logged by the service, not that it is invisible to a packet-level IDS. The NULL/FIN/Xmas scans also only work against stacks that follow RFC 793 (Linux, BSD); Windows and many network devices answer every such probe with RST, so all ports appear closed.

### LAB 2.2.1: Basic Port Scanning

**From Kali Linux terminal:**

```bash
# PREREQUISITE: Verify target reachability
ping -c 4 10.10.4.10
# Expected: 4 packets transmitted, 4 received

# SCAN 1: Quick scan of common ports
nmap 10.10.4.10
# Default: scans the top 1000 TCP ports. Run as root (sudo) this is a SYN scan (-sS);
# as an unprivileged user Nmap silently falls back to a TCP connect scan (-sT).
# Expected output: List of open ports (21, 22, 23, 25, 80, 139, 445, 3306, etc.)

# SCAN 2: Scan specific ports
nmap -p 80,443,22 10.10.4.10
# -p = specify ports (can be range: 1-100 or list: 80,443)

# SCAN 3: Scan all 65,535 ports (SLOW - 5-10 minutes)
sudo nmap -p- 10.10.4.10
# -p- = all ports (1-65535)
# Requires sudo for SYN scan

# SCAN 4: Fast scan (top 100 ports only)
nmap -F 10.10.4.10
# -F = fast mode

# SCAN 5: Scan port range
nmap -p 1-1024 10.10.4.10
# Scans well-known ports (1-1024)
```

**Deliverable:** Save full port scan output to file:

```bash
sudo nmap -p- 10.10.4.10 -oN metasploitable_fullscan.txt
# -oN = output normal format
```

---

### LAB 2.2.2: Service Version Detection

```bash
# SCAN 6: Detect service versions
sudo nmap -sV 10.10.4.10
# -sV = Version detection (connects to each open port and matches the banner/probe
#       responses against nmap-service-probes)
# Expected: Shows specific software versions (e.g., "vsftpd 2.3.4", "Apache httpd 2.2.8")

# SCAN 7: Aggressive scan (OS + version + scripts + traceroute)
sudo nmap -A 10.10.4.10
# -A = Aggressive mode (combines -sV, -O, -sC, --traceroute)
# Takes longer but provides comprehensive info

# SCAN 8: OS detection only
sudo nmap -O 10.10.4.10
# -O = OS detection (analyzes TCP/IP stack fingerprint; needs at least one open and
#      one closed TCP port to be reliable)
# Expected: "Linux 2.6.X"

# SCAN 9: Script scanning
sudo nmap -sC 10.10.4.10
# -sC = Run default NSE scripts (safe scripts for enumeration)
# Example scripts: http-title, ssh-hostkey, smb-os-discovery

# SCAN 10: Specific script
nmap --script=http-enum -p 80 10.10.4.10
# Enumerates directories on web server
```

**Understanding Version Detection Output:**

```
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4                    <-- Vulnerable version!
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
```

**Deliverable:** Save version scan with aggressive mode:

```bash
sudo nmap -A 10.10.4.10 -oA metasploitable_aggressive
# -oA = output all formats (normal, XML, grepable)
# Creates: metasploitable_aggressive.nmap, .xml, .gnmap
```

---

### LAB 2.2.3: Scan Timing and Evasion

```bash
# TIMING TEMPLATES:
# -T0 (Paranoid): Extremely slow, for IDS evasion (waits 5 minutes between probes)
# -T1 (Sneaky): Very slow (15 seconds between probes)
# -T2 (Polite): Slows down to reduce bandwidth
# -T3 (Normal): Default
# -T4 (Aggressive): Faster, assumes reliable network
# -T5 (Insane): Very fast, may miss ports

# SCAN 11: Aggressive timing (use in labs only!)
sudo nmap -T4 -p- 10.10.4.10
# Faster than default, good for CTFs/labs

# SCAN 12: Stealthy timing (IDS evasion)
sudo nmap -T1 -sS -p 80,443 10.10.4.10
# Slow scan to stay under "N ports in M seconds" detection thresholds

# SCAN 13: Fragmented packets (firewall evasion)
sudo nmap -f 10.10.4.10
# -f = split the TCP header across 8-byte IP fragments
# Only defeats filters and sensors that do not reassemble fragments before inspection

# SCAN 14: Decoy scan (hide among fake sources)
sudo nmap -D RND:10 10.10.4.10
# -D RND:10 = Use 10 random decoy IPs
# Target sees probes from multiple sources (harder to identify real attacker)
# Your real address is still among them; decoys are not used for version detection (-sV)
# or connect scans (-sT), because those need real two-way connections

# SCAN 15: Spoof source port (bypass firewall rules)
sudo nmap --source-port 53 10.10.4.10
# Send every probe from source port 53. Stateless packet filters that allow inbound
# traffic from DNS servers (sport 53) let the probes through; a stateful firewall is not fooled
```

**Real-World Scenario:**

```bash
# Penetration test scenario: Enumerate without triggering alarms
sudo nmap -sS -T2 -p 1-1000 --max-rate 10 10.10.4.10
# -sS = SYN scan (stealth)
# -T2 = Polite timing
# --max-rate 10 = Max 10 packets/second (very slow)
```

---

## LAB 2.3: NETWORK TRAFFIC ANALYSIS WITH WIRESHARK

### Understanding Packet Capture

**Wireshark** is a GUI packet analyzer; **tcpdump** is its command-line equivalent. Both read and write the same pcap files, so you can capture headless with tcpdump and analyze later in Wireshark.
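To make concrete what `tcpdump -w` writes and what Wireshark's `tcp.flags` filters read, here is a minimal libpcap reader and writer. It is an added example, not code from the original module: the capture it parses is constructed in memory (a SYN scan of one open and one closed port on the lab target), only Ethernet/IPv4/TCP is decoded, and the MAC addresses and the zeroed TCP checksum are placeholders. The `syn_probes` function applies the same selection as the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` used in Lab 2.3.2.

```python
"""Minimal libpcap reader and writer: the format tcpdump -w produces and Wireshark opens.
Added example for this module, not code from the original page. Only Ethernet/IPv4/TCP is
decoded, and the capture parsed below is constructed in memory, so no network access is
needed. MAC addresses and TCP checksums (left 0) are placeholders."""
import struct
from typing import Dict, List

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet + IPv4 + TCP header with no payload, which is all a scan probe carries."""
    eth = bytes.fromhex("525400000002") + bytes.fromhex("525400000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum field
    return eth + ip + tcp


def build_pcap(frames: List[bytes], start_ts: float = 1_700_000_000.0, gap: float = 0.0005) -> bytes:
    """Serialize frames as a pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        ts = start_ts + i * gap
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def flag_names(flags: int) -> str:
    """Render the flags byte the way Wireshark's Info column does, e.g. 'SYN, ACK'."""
    return ", ".join(name for name, bit in TCP_FLAG_BITS.items() if flags & bit) or "none"


def parse_pcap(data: bytes) -> List[Dict]:
    """Walk the record headers and decode IPv4/TCP fields; other records are skipped."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng or nanosecond variant)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are decoded")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4, or not TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4         # honor IPv4 options if present
        if len(frame) < tcp_off + 14:
            continue                                  # truncated by snaplen
        sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        flags = frame[tcp_off + 13]
        records.append({"ts": sec + usec / 1_000_000,
                        "src": ".".join(map(str, frame[26:30])),
                        "dst": ".".join(map(str, frame[30:34])),
                        "sport": sport, "dport": dport,
                        "flags": flags, "info": flag_names(flags)})
    return records


def syn_probes(records: List[Dict]) -> List[Dict]:
    """The same selection as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return [r for r in records
            if r["flags"] & TCP_FLAG_BITS["SYN"] and not r["flags"] & TCP_FLAG_BITS["ACK"]]


def sample_capture() -> bytes:
    """Constructed capture: SYN scan of port 80 (open) and 443 (closed) on the lab target."""
    kali, target = "10.10.2.5", "10.10.4.10"
    syn, ack, rst = TCP_FLAG_BITS["SYN"], TCP_FLAG_BITS["ACK"], TCP_FLAG_BITS["RST"]
    return build_pcap([
        build_tcp_frame(kali, target, 40001, 80, syn),
        build_tcp_frame(target, kali, 80, 40001, syn | ack),   # open port answers SYN-ACK
        build_tcp_frame(kali, target, 40001, 80, rst),         # Kali's kernel tears it down
        build_tcp_frame(kali, target, 40001, 443, syn),
        build_tcp_frame(target, kali, 443, 40001, rst | ack),  # closed port answers RST-ACK
    ])


if __name__ == "__main__":
    for r in parse_pcap(sample_capture()):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}  [{r['info']}]")
```

Write `sample_capture()` to a file and open it in Wireshark to confirm the decode matches; the same `parse_pcap` reads any classic pcap that tcpdump writes on the lab network, which is how the later exercises' packet lists are produced without a GUI.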
### LAB 2.3.1: Capturing Nmap Scan Traffic

**Step-by-Step:**

```bash
# TERMINAL 1: Start packet capture
sudo tcpdump -i eth0 -w nmap_scan.pcap
# -i eth0 = capture on interface eth0 (use ens18 if that is your Kali interface name)
# -w = write to file
# Leave running...

# TERMINAL 2: Perform nmap scan
sudo nmap -sS -p 80,443,22 10.10.4.10

# TERMINAL 1: Stop capture (Ctrl+C after scan completes)
# Press Ctrl+C

# Verify capture file
ls -lh nmap_scan.pcap
# Should show file size (>0 bytes)
```

### LAB 2.3.2: Analyzing with Wireshark GUI

```bash
# Open Wireshark
sudo wireshark nmap_scan.pcap &
# & = run in background
# The capture file is owned by root, hence sudo. Running the GUI as root is discouraged;
# see the Troubleshooting section for opening captures as your normal user.
```

**Wireshark Analysis Steps:**

```
1. FILTER FOR TCP SYN PACKETS:
   - Display filter: tcp.flags.syn == 1 && tcp.flags.ack == 0
   - Shows only SYN packets (scan probes)

2. OBSERVE STEALTH SCAN BEHAVIOR:
   - Find a packet to open port (e.g., port 80)
   - Click on SYN packet from Kali
   - Look at packet list:
     * Packet 1: SYN (from Kali to target port 80)
     * Packet 2: SYN-ACK (target responds - port is OPEN)
     * Packet 3: RST (sent by Kali's kernel, which has no socket for this connection -
       the handshake is never completed)

3. FILTER FOR CLOSED PORT RESPONSE:
   - Display filter: tcp.port == 443 (443 is closed on Metasploitable 2)
   - Observe:
     * SYN from Kali
     * RST-ACK from target (port CLOSED)

4. ANALYZE PACKET TIMING:
   - View > Time Display Format > Seconds Since Previous Displayed Packet
   - Note delay between probes (T4 timing = minimal delay)

5. FOLLOW TCP STREAM (for completed connections):
   - Right-click any packet > Follow > TCP Stream
   - See full conversation in ASCII
   - Won't work for SYN scans (no data exchanged)

6. EXPORT PACKET DETAILS:
   - File > Export Specified Packets
   - Save as: syn_scan_analysis.pcap
```

**Key Wireshark Filters:**

```
tcp.flags.syn == 1 && tcp.flags.ack == 0   → Only SYN packets
tcp.flags.reset == 1                       → RST packets
ip.src == 10.10.2.0/24                     → Traffic from the RED_TEAM network (Kali)
ip.dst == 10.10.4.10                       → Traffic to target
tcp.port == 80                             → Port 80 traffic
http                                       → HTTP protocol
```

---

### LAB 2.3.3: Identifying Scan Types in PCAPs

**Exercise:** Capture different scan types and compare signatures

```bash
# Capture 1: SYN scan
sudo tcpdump -i eth0 -w syn_scan.pcap &
sleep 1   # give tcpdump a moment to open the interface before the first probe leaves
sudo nmap -sS -p 80 10.10.4.10
sudo pkill tcpdump

# Capture 2: TCP Connect scan
sudo tcpdump -i eth0 -w connect_scan.pcap &
sleep 1
nmap -sT -p 80 10.10.4.10
# No sudo (uses full connection)
sudo pkill tcpdump

# Capture 3: UDP scan
sudo tcpdump -i eth0 -w udp_scan.pcap &
sleep 1
sudo nmap -sU -p 53,161 10.10.4.10
sudo pkill tcpdump

# Capture 4: NULL scan
sudo tcpdump -i eth0 -w null_scan.pcap &
sleep 1
sudo nmap -sN -p 80 10.10.4.10
sudo pkill tcpdump
```

**Compare in Wireshark:**

```
SYN Scan:     SYN → SYN-ACK → RST (never completes)
Connect Scan: SYN → SYN-ACK → ACK → close (RST-ACK, or FIN-ACK if the stack closes
              cleanly; full connection either way, then torn down without data)
UDP Scan:     UDP packet → ICMP "port unreachable" (if closed); no reply means open|filtered
NULL Scan:    Packet with NO flags set → RST-ACK (if closed), no response (if open|filtered);
              only meaningful against RFC 793 stacks such as Linux, Windows answers RST for every port
Closed port:  SYN → RST-ACK is the same for SYN and connect scans, so a closed port alone
              cannot tell you which scan type was used
```

**Deliverable:** Screenshot showing SYN scan packet sequence in Wireshark with annotations.

---

## LAB 2.4: SERVICE ENUMERATION

### Enumerating Common Services

**Goal:** Gather detailed information about discovered services for exploitation planning.

### LAB 2.4.1: FTP Enumeration (Port 21)

```bash
# Check if anonymous login allowed
nmap --script=ftp-anon -p 21 10.10.4.10
# If anonymous allowed: Shows "Anonymous FTP login allowed"

# Manual FTP check
ftp 10.10.4.10
# Username: anonymous
# Password: (just press Enter)
# Commands:
#   ls       - list files
#   cd       - change directory
#   get file - download file
#   bye      - exit

# Brute-force FTP credentials (ethical use only! noisy, and can lock accounts)
nmap --script=ftp-brute -p 21 10.10.4.10
# Uses common username/password combinations
```

### LAB 2.4.2: SSH Enumeration (Port 22)

```bash
# Get SSH banner and supported algorithms
nmap --script=ssh2-enum-algos -p 22 10.10.4.10

# Check for known SSH vulnerabilities
nmap --script='ssh-*' -p 22 10.10.4.10
# Quote the wildcard so the shell does not expand it against files in the current directory

# Manual banner grab
nc 10.10.4.10 22
# Shows: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
# Press Ctrl+C to exit

# Attempt SSH login (if you have credentials)
ssh msfadmin@10.10.4.10
# Password: msfadmin (on Metasploitable)
# A current OpenSSH client may refuse the server's legacy algorithms; if so, add
# -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1
```

### LAB 2.4.3: HTTP/HTTPS Enumeration (Port 80/443)

```bash
# Enumerate web directories
nmap --script=http-enum -p 80 10.10.4.10
# Finds: /phpMyAdmin/, /test/, /twiki/, etc.

# Get HTTP headers
curl -I http://10.10.4.10
# Shows server version: Apache/2.2.8 (Ubuntu)

# Web vulnerability scanning
nikto -h http://10.10.4.10
# Comprehensive web server scanner (takes 5-10 minutes)
# Identifies: Outdated software, misconfigurations, known vulnerabilities

# Directory brute-forcing
gobuster dir -u http://10.10.4.10 -w /usr/share/wordlists/dirb/common.txt
# -u = URL
# -w = wordlist
# Finds hidden directories
```

### LAB 2.4.4: SMB Enumeration (Port 139/445)

```bash
# Enumerate SMB shares
nmap --script=smb-enum-shares -p 445 10.10.4.10
# Lists available network shares

# Enumerate SMB users
nmap --script=smb-enum-users -p 445 10.10.4.10
# Lists local user accounts

# OS discovery via SMB
nmap --script=smb-os-discovery -p 445 10.10.4.10
# Shows: OS, Computer name, Domain

# Check for SMB vulnerabilities (EternalBlue, etc.)
nmap --script='smb-vuln*' -p 445 10.10.4.10
# Scans for known SMB exploits (wildcard quoted for the same reason as above)

# Manual SMB enumeration
smbclient -L //10.10.4.10 -N
# -L = list shares
# -N = no password
# Metasploitable 2's Samba only speaks SMB1. If smbclient fails to negotiate a protocol,
# add: --option='client min protocol=NT1'
```

### LAB 2.4.5: MySQL Enumeration (Port 3306)

```bash
# Check for default credentials
nmap --script=mysql-empty-password -p 3306 10.10.4.10

# Enumerate MySQL users
nmap --script=mysql-users -p 3306 10.10.4.10

# Get MySQL info
nmap --script=mysql-info -p 3306 10.10.4.10

# Manual connection (if credentials known)
mysql -h 10.10.4.10 -u root
# Try common passwords: root, toor, admin, password
```

---

## LAB 2.5: COMPREHENSIVE TARGET ASSESSMENT

### Create Full Reconnaissance Report

**Step-by-Step Workflow:**

```bash
# 1. CREATE WORKING DIRECTORY
mkdir -p ~/recon/metasploitable
cd ~/recon/metasploitable

# 2. COMPREHENSIVE NMAP SCAN
sudo nmap -sS -sV -sC -A -p- -T4 10.10.4.10 -oA full_scan
# -A already implies -sV and -sC, so repeating them is harmless but redundant
# Saves: full_scan.nmap, full_scan.xml, full_scan.gnmap

# 3. VULNERABILITY SCAN
sudo nmap -sV --script=vuln -p- 10.10.4.10 -oN vulnerability_scan.txt
# Most vuln scripts key off the detected version, so run with -sV (and as root for a SYN scan).
# The vuln category over -p- is slow; restrict -p to the open ports from step 2 if needed

# 4. UDP SCAN (top ports only - UDP is slow)
sudo nmap -sU --top-ports 100 10.10.4.10 -oN udp_scan.txt

# 5. WEB ENUMERATION
nikto -h http://10.10.4.10 -o nikto_scan.txt

# 6. SMB ENUMERATION
enum4linux -a 10.10.4.10 > smb_enum.txt
# -a = all enumeration (users, shares, groups, etc.)
# enum4linux drives smbclient/rpcclient underneath, so the SMB1 note from Lab 2.4.4 applies

# 7. ORGANIZE FINDINGS
grep "open" full_scan.nmap > open_ports.txt
# Extract only open ports (note this also matches "open|filtered" lines)

# 8. CREATE SUMMARY
cat << EOF > RECONNAISSANCE_SUMMARY.txt
TARGET: Metasploitable 2 (10.10.4.10)
SCAN DATE: $(date)
SCANNER: Kali Linux (10.10.2.x)

OPEN PORTS:
$(cat open_ports.txt)

HIGH-RISK SERVICES IDENTIFIED:
- vsftpd 2.3.4 (Port 21) - Known backdoor vulnerability
- OpenSSH 4.7p1 (Port 22) - Outdated, legacy (SHA-1) key exchange algorithms only
- Samba 3.x (Port 139/445) - Multiple known exploits
- MySQL (Port 3306) - Empty root password

NEXT STEPS:
1. Research CVEs for identified service versions
2. Prepare exploit modules in Metasploit (Module 3)
3. Document attack vectors for reporting
EOF

cat RECONNAISSANCE_SUMMARY.txt
```

**Deliverable:** Full reconnaissance directory with all scan outputs and summary report.

---

## NETWORK TRAFFIC ANALYSIS EXERCISES

### Exercise 1: Baseline vs Anomalous Traffic

```bash
# CAPTURE NORMAL TRAFFIC
sudo tcpdump -i eth0 -w normal_traffic.pcap -c 1000
# -c 1000 = stop automatically after 1000 packets
# On a quiet lab segment this can take well over a minute; browse to http://10.10.4.10
# or run a ping to generate traffic, or press Ctrl+C early to stop with fewer packets

# CAPTURE SCAN TRAFFIC
sudo tcpdump -i eth0 -w scan_traffic.pcap &
sleep 1
sudo nmap -T4 -p- 10.10.4.10
sudo pkill tcpdump

# COMPARE IN WIRESHARK
wireshark normal_traffic.pcap &
wireshark scan_traffic.pcap &

# What to look for in scan traffic:
# - High packet rate (hundreds to thousands of SYNs per second at -T4 on a LAN)
# - Many distinct destination ports in a short window (Nmap randomizes port order by
#   default, so do not expect a neat 80, 81, 82, 83... sequence unless -r was used)
# - Many RST packets (aborted half-open connections, RST-ACKs from closed ports)
# - Single source IP targeting single destination, one SYN per port, no payload
```

### Exercise 2: Protocol Distribution Analysis

```
1. Open scan_traffic.pcap in Wireshark

2. Statistics > Protocol Hierarchy
   - Shows % of each protocol (TCP, UDP, ICMP)
   - Scan traffic = almost entirely TCP with no application-layer protocol beneath it
     (a SYN scan exchanges no data, so nothing dissects as HTTP, SSH, etc.)

3. Statistics > Conversations
   - Shows IP pairs and packet counts
   - Scan = One IPv4 conversation with tens of thousands of packets, and under the
     TCP tab one conversation per probed port

4. Statistics > I/O Graph
   - Visualize packet rate over time
   - Scan = Sharp spike during scan period
```

**Deliverable:** Screenshot of Wireshark Protocol Hierarchy showing scan traffic composition.
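The flag sequences compared in Lab 2.3.3 and the "what to look for" list in Exercise 1 are both things a detector can evaluate mechanically. The following is an added example, not code from the original module: given decoded packet records (the same fields Wireshark's packet list shows: time, addresses, ports, flags, payload length), `classify` names the scan technique from one conversation's flag sequence, and `detect_scans` raises an alert when one source probes many distinct ports on one target within a short window. The packet list is constructed below (two normal HTTP connections from a hypothetical workstation at 10.10.2.20, then a SYN sweep, NULL probes and a connect scan from Kali) and is not a real capture; the window and threshold values are illustrative.

```python
"""Scan-type classification and port-scan detection over decoded packet records.
Added example for this module, not code from the original page. The packet list is
constructed below to mirror the flag sequences Lab 2.3.3 compares and the traffic
features Exercise 1 lists; it is not a real capture."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Pkt(NamedTuple):
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "RST", "FIN", "PSH"}
    payload: int = 0        # TCP payload bytes; scan probes carry none


def conversations(packets: List[Pkt]) -> Dict[tuple, List[Pkt]]:
    """Group packets by socket pair regardless of direction, oldest first, so the first
    packet's sender is the initiator (Wireshark's 'Follow TCP Stream' does the same)."""
    convs: Dict[tuple, List[Pkt]] = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        convs[tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))].append(p)
    return convs


def classify(conv: List[Pkt]) -> str:
    """Name the technique from one conversation's flag sequence (C = initiator, S = target)."""
    client = (conv[0].src, conv[0].sport)
    seq = [("C" if (p.src, p.sport) == client else "S", p.flags) for p in conv]
    first = seq[0][1]
    if not first:                                    # NULL scan: probe has no flags at all
        return "null-scan open|filtered" if len(seq) == 1 else "null-scan closed"
    if first == {"SYN"}:
        if len(seq) == 1:
            return "filtered (no reply)"
        reply = seq[1][1]
        if reply == {"RST", "ACK"}:
            return "closed (SYN and connect scans look identical here)"
        if reply == {"SYN", "ACK"}:
            followups = [f for d, f in seq[2:] if d == "C"]
            if not followups or followups[0] == {"RST"}:
                return "syn-scan open"               # SYN, SYN-ACK, RST: never completes
            if followups[0] == {"ACK"} and any(p.payload for p in conv):
                return "normal connection"           # handshake completed and data flowed
            return "connect-scan open"               # completed, then closed, no data
    return "other"


def classify_all(packets: List[Pkt]) -> Counter:
    return Counter(classify(conv) for conv in conversations(packets).values())


def detect_scans(packets: List[Pkt], window: float = 2.0, min_ports: int = 15) -> List[Dict]:
    """Alert on a (src, dst) pair whose initial probes touch min_ports distinct target ports
    within `window` seconds. Only the first packet of each conversation counts, so replies
    and the scanner's own RSTs never inflate the count."""
    probes: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for conv in conversations(packets).values():
        probes[(conv[0].src, conv[0].dst)].append((conv[0].ts, conv[0].dport))
    alerts = []
    for (src, dst), events in probes.items():
        events.sort()
        in_window: Counter = Counter()               # port -> probes inside the window
        lo = 0
        for ts, port in events:
            in_window[port] += 1
            while events[lo][0] < ts - window:       # drop probes that left the window
                in_window[events[lo][1]] -= 1
                if in_window[events[lo][1]] == 0:
                    del in_window[events[lo][1]]
                lo += 1
            if len(in_window) >= min_ports:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(in_window),
                               "seconds": round(ts - events[lo][0], 3)})
                break                                 # one alert per pair is enough here
    return alerts


def constructed_capture() -> List[Pkt]:
    """Two normal HTTP connections from a workstation, then from Kali: a SYN sweep of
    ports 1-30 (21, 22, 25 open), a NULL probe to an open and a closed port, one connect scan."""
    S, SA, A, R, RA, NONE = (frozenset(f) for f in
                             ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}, {"RST", "ACK"}, set()))
    PA = frozenset({"PSH", "ACK"})
    ws, kali, tgt = "10.10.2.20", "10.10.2.5", "10.10.4.10"
    pk: List[Pkt] = []
    for i, sp in enumerate((50001, 50002)):
        t = i * 0.5
        pk += [Pkt(t, ws, tgt, sp, 80, S), Pkt(t + .001, tgt, ws, 80, sp, SA),
               Pkt(t + .002, ws, tgt, sp, 80, A), Pkt(t + .003, ws, tgt, sp, 80, PA, 120),
               Pkt(t + .010, tgt, ws, 80, sp, PA, 900)]
    for port in range(1, 31):                        # nmap -sS -p 1-30 style sweep, 1 ms apart
        t, sp = 10.0 + port / 1000, 40000 + port
        pk.append(Pkt(t, kali, tgt, sp, port, S))
        if port in (21, 22, 25):
            pk += [Pkt(t + .0004, tgt, kali, port, sp, SA), Pkt(t + .0005, kali, tgt, sp, port, R)]
        else:
            pk.append(Pkt(t + .0004, tgt, kali, port, sp, RA))
    pk += [Pkt(20.0, kali, tgt, 41080, 22, NONE),                                       # open: silence
           Pkt(20.1, kali, tgt, 41081, 81, NONE), Pkt(20.1004, tgt, kali, 81, 41081, RA)]  # closed: RST
    pk += [Pkt(30.0, kali, tgt, 42022, 22, S), Pkt(30.0004, tgt, kali, 22, 42022, SA),
           Pkt(30.0005, kali, tgt, 42022, 22, A), Pkt(30.0006, kali, tgt, 42022, 22, RA)]  # connect scan
    return pk
```

Two design points carry over to real detection rules: count only initial probes per (source, target) pair, otherwise a busy web server's own replies trip the threshold; and treat a closed-port exchange as ambiguous, since SYN and connect scans produce the identical SYN / RST-ACK pair there. Slowing the scan below the window (the `-T1` and `--max-rate` options from Lab 2.2.3) is exactly what defeats the threshold, which is why production rules use longer windows and correlate across time.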
---

## TROUBLESHOOTING GUIDE

### Issue: Nmap shows "Host seems down"

```bash
# Check connectivity first
ping 10.10.4.10

# If ping works but nmap doesn't:
sudo nmap -Pn 10.10.4.10
# -Pn = Skip host discovery (assume host is up)

# Check firewall rules in pfSense
# Ensure RED_TEAM → VICTIM_NET is allowed
```

### Issue: Wireshark shows "Permission denied"

```bash
# Run with sudo
sudo wireshark

# Or add user to wireshark group (better practice)
sudo usermod -aG wireshark $USER
# On Kali/Debian also answer "Yes" to: sudo dpkg-reconfigure wireshark-common
# (this grants dumpcap the capture capabilities so the GUI never runs as root)
# Logout and login for changes to take effect
```

### Issue: tcpdump captures no packets

```bash
# Verify correct interface
ip addr show
# Use correct interface name (eth0, ens18, etc.)

# Check if interface is up
sudo ip link set eth0 up

# Verify you're capturing right traffic
sudo tcpdump -i eth0 -n
# -n = Don't resolve hostnames (faster)
# Should see packets scrolling
```

### Issue: Nmap scan is extremely slow

```bash
# Use faster timing
sudo nmap -T4 10.10.4.10

# Scan fewer ports initially
nmap -F 10.10.4.10
# Fast mode (100 ports)

# Disable ping check
sudo nmap -Pn -T4 -p 1-1000 10.10.4.10
```

---

## PROFESSOR'S GUIDANCE

### Understanding Reconnaissance in Real Engagements

**Lab environment vs Production:**

- **Lab:** Aggressive scans (T4, T5) are fine - you own the network
- **Production:** Use T2-T3, rate limiting, blend with normal traffic
- **Legal requirement:** Always have written authorization before scanning

### Reconnaissance is Not Just Tool Execution

**Poor approach:** "I ran nmap -A and got results"

**Professional approach:**

1. **Scope definition:** What am I allowed to scan?
2. **Passive recon first:** OSINT, DNS lookups, public records
3. **Strategic scanning:** Scan incrementally (common ports → all ports)
4. **Service enumeration:** Deep dive into discovered services
5. **Vulnerability mapping:** Match versions to CVE databases
6. **Documentation:** Detailed notes for exploitation phase
7. **Traffic analysis:** Understand what your tools do on the wire

### Common Student Mistakes

**1. Running scans without capturing traffic:**

- You learn HOW attacks work by seeing packets
- Future you (as defender) needs to recognize these patterns

**2. Not saving scan outputs:**

- Use `-oA` to save all formats
- XML output can be imported into tools like Metasploit

**3. Ignoring UDP services:**

- UDP is stateless, harder to scan, but critical (DNS, SNMP, TFTP)
- Always include UDP scans in assessments

**4. Over-relying on automated tools:**

- Nikto reports many findings, and a large share are false positives or informational
- Manual verification is essential

### Time Investment

- Initial VM deployment: 1-2 hours
- Nmap fundamentals: 2-3 hours
- Wireshark packet analysis: 2-4 hours (most important!)
- Service enumeration: 2-3 hours
- Comprehensive assessment: 1-2 hours

**Total: 8-14 hours**

### Real-World Skills Developed

By mastering this module, you can:

- Perform network reconnaissance in penetration tests
- Analyze packet captures for incident response
- Identify suspicious scanning in SOC role
- Understand attacker methodology (kill chain Phase 1: Reconnaissance)

---

## KNOWLEDGE CHECK

Before proceeding to MOD3, you should be able to:

1. **Explain the difference between -sS and -sT scans**
   - Answer: -sS (SYN scan) doesn't complete the handshake (stealth, needs raw sockets, so root), -sT (Connect) uses the OS to make a full connection and is logged by the service

2. **What does a SYN-ACK response indicate?**
   - Answer: Port is OPEN and accepting connections

3. **Why do attackers use decoy scans (-D)?**
   - Answer: To hide their real IP among fake sources, making attribution harder

4. **In Wireshark, how do you filter for only SYN packets?**
   - Answer: `tcp.flags.syn == 1 && tcp.flags.ack == 0`

5. **Name 3 high-risk services found on Metasploitable**
   - Answer: vsftpd 2.3.4 (backdoor), Samba 3.x (exploitable), MySQL (empty password)

6. **What tool enumerates SMB shares?**
   - Answer: `enum4linux`, `smbclient`, or `nmap --script=smb-enum-shares`

7. **Why should UDP scans use --top-ports?**
   - Answer: UDP has no handshake, so an open port usually sends nothing back and Nmap must wait out a timeout (and retransmit) before calling it open|filtered, while Linux rate-limits the ICMP port-unreachable replies that identify closed ports. Scanning all 65,535 UDP ports therefore takes hours; limiting to the top ports is practical

---

## DELIVERABLES CHECKLIST

Before proceeding to Module 3, submit/complete:

- [ ] Full nmap scan output (-oA format)
- [ ] Wireshark PCAP of SYN scan with annotations
- [ ] Nikto web scan results
- [ ] SMB enumeration output (enum4linux)
- [ ] Reconnaissance summary report
- [ ] Screenshots showing:
  - [ ] TCP three-way handshake in Wireshark
  - [ ] SYN scan RST behavior
  - [ ] Wireshark protocol hierarchy of scan traffic
  - [ ] Nmap version detection output

---

**END OF MODULE 2**

**Next Steps:**

1. Review all captured PCAPs - understand what each scan looks like
2. Save all scan outputs to `~/recon/metasploitable/` directory
3. Take snapshot of Kali VM: "Post-MOD2-Reconnaissance"
4. Proceed to **MOD3: Exploitation & Post-Exploitation**

**Remember:** Every offensive technique you learn has a defensive counter. When you configure Security Onion in MOD4, you will create rules to detect these exact scans!
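Next Steps item 2 and the `-oA` deliverables leave you with `.gnmap` files, and Lab 2.5 step 7 extracts open ports from the normal output with `grep "open"`. The grepable format is meant to be parsed, so here is an added example (not code from the original module) that turns a `.gnmap` file into structured findings: a per-host port list keyed on the real state (so `open|filtered` is not mistaken for `open`), the service table the reconnaissance summary wants, and a match of detected version strings against a watchlist you maintain from your own CVE research. The sample file is constructed to match the services this module expects on Metasploitable 2; the field layout `port/state/protocol/owner/service/rpcinfo/version/` and the `\/` escaping of slashes inside version strings follow Nmap's grepable output, and the one-entry watchlist is illustrative.

```python
"""Parse Nmap grepable output (-oG, or the .gnmap file that -oA writes) into structured
findings. Added example for this module, not code from the original page. The sample file
below is constructed to match the services this module expects on Metasploitable 2.
Field layout per port entry: port/state/protocol/owner/service/rpcinfo/version/ with '/'
inside the version string escaped as '\\/'; other escapes are not handled."""
import re
from typing import Dict, List, Tuple

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -p- -oA full_scan 10.10.4.10\n"
    "Host: 10.10.4.10 ()\tStatus: Up\n"
    "Host: 10.10.4.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV\\/2)/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "3306/open/tcp//mysql//MySQL 5.0.51a-3ubuntu5/, "
    "8180/closed/tcp//unknown///\tIgnored State: closed (65528)\n"
    "# Nmap done at Mon Jan  1 10:09:00 2024 -- 1 IP address (1 host up) scanned in 540.00 seconds\n"
)

# port / state / proto / owner / service / rpcinfo / version /  (version may contain "\/")
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/((?:\\/|[^/])*)/")


def parse_gnmap(text: str) -> Dict[str, Dict]:
    """Return {ip: {"status": str, "ports": [dict, ...], "ignored": str}} per Host: line."""
    hosts: Dict[str, Dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comments and the final summary line
        fields = line.split("\t")                     # tab-separated "Label: value" fields
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, {"status": None, "ports": [], "ignored": ""})
        for field in fields[1:]:
            label, _, value = field.partition(": ")
            if label == "Status":
                host["status"] = value
            elif label == "Ignored State":
                host["ignored"] = value
            elif label == "Ports":
                for m in PORT_ENTRY.finditer(value):
                    host["ports"].append({
                        "port": int(m.group(1)), "state": m.group(2), "proto": m.group(3),
                        "service": m.group(5), "version": m.group(7).replace("\\/", "/"),
                    })
    return hosts


def open_ports(hosts: Dict[str, Dict], ip: str) -> List[int]:
    """Only state 'open'; grep "open" on the .nmap file would also match open|filtered."""
    return [p["port"] for p in hosts[ip]["ports"] if p["state"] == "open"]


def service_table(hosts: Dict[str, Dict], ip: str) -> List[str]:
    """One line per open port in the shape the Lab 2.5 summary wants."""
    return [f"{p['port']}/{p['proto']} {p['service']:<12} {p['version']}"
            for p in hosts[ip]["ports"] if p["state"] == "open"]


def flag_versions(hosts: Dict[str, Dict], watchlist: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Match detected version strings against a watchlist maintained from CVE research."""
    hits = []
    for ip, host in hosts.items():
        for p in host["ports"]:
            for needle, note in watchlist.items():
                if p["state"] == "open" and needle in p["version"]:
                    hits.append((ip, p["port"], note))
    return hits


if __name__ == "__main__":
    findings = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(service_table(findings, "10.10.4.10")))
    # Constructed watchlist entry; the vsftpd 2.3.4 backdoor is the one named in Lab 2.5
    print(flag_versions(findings, {"vsftpd 2.3.4": "backdoored release, see Lab 2.5 summary"}))
```

Point `parse_gnmap` at `open("full_scan.gnmap").read()` inside `~/recon/metasploitable/` to replace the `grep` step; for anything beyond a quick table, the XML output from `-oA` is the richer source and is what Metasploit's `db_import` consumes.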