FILE: MOD2_Recon_and_NTA.md
# MODULE 2: RECONNAISSANCE & NETWORK TRAFFIC ANALYSIS

## Learning Objectives

By completing this module, you will:
- Perform active reconnaissance using Nmap to identify open ports and services
- Understand TCP/UDP scanning techniques and their network signatures
- Capture and analyze network traffic using Wireshark and tcpdump
- Enumerate service versions and detect operating systems
- Recognize the difference between stealth and noisy scanning techniques
- Document findings for exploitation planning
## Key Concepts

### Active Reconnaissance

Active reconnaissance involves directly interacting with target systems to gather information. Unlike passive recon (Google searches, WHOIS lookups), active techniques send packets to the target and are therefore detectable by IDS/IPS systems.

### Network Traffic Analysis (NTA)

NTA is the process of capturing and dissecting raw network packets to:
- Establish baseline "normal" traffic patterns
- Detect anomalous scanning behavior
- Investigate security incidents
- Validate exploit success
### The TCP Three-Way Handshake

```text
Client                            Server
  |                                 |
  |---------- SYN ----------------->|  (Client initiates)
  |<-------- SYN-ACK ---------------|  (Server acknowledges)
  |---------- ACK ----------------->|  (Client confirms - connection established)
```

### Stealth Scanning (SYN Scan)

```text
Client                            Server
  |                                 |
  |---------- SYN ----------------->|  (Probe port)
  |<-------- SYN-ACK ---------------|  (Port is OPEN)
  |---------- RST ----------------->|  (Client aborts - never completes handshake)
```

Why "stealth"? The connection is never fully established, so the listening service never sees it and application logs stay empty, and the scan is faster. The SYN / SYN-ACK / RST pattern is still fully visible on the wire, which is exactly what an IDS signature keys on (see Lab 2.3).
## LAB 2.1: DEPLOY TARGET INFRASTRUCTURE

### Deploy Metasploitable 2 (Vulnerable Linux Target)

1. Download Metasploitable 2:
   - Source: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
   - File: metasploitable-linux-2.0.0.zip
   - Extract to get the .vmdk file
2. Upload to Proxmox:
   - SSH to Proxmox or use the web Shell
   - Navigate to: `cd /var/lib/vz/images/`
   - Create directory: `mkdir 401`
   - Upload the .vmdk file to this directory
3. Create Proxmox VM:
   - VM ID: 401
   - Name: Metasploitable2
   - OS: Linux 5.x - 2.6 Kernel
   - CPU: 1 core
   - RAM: 512 MB
   - Do NOT add a disk yet (we'll import the existing one)
4. Import Existing Disk:
   - SSH to Proxmox
   - Run: `qm importdisk 401 /var/lib/vz/images/401/Metasploitable.vmdk local-lvm`
   - Wait for the import to complete
5. Attach Disk to VM:
   - Proxmox GUI > VM 401 > Hardware
   - Select "Unused Disk 0"
   - Click "Edit"
   - Bus/Device: IDE / 0
   - Click "Add"
6. Configure Network:
   - Hardware > Network Device > Edit
   - Bridge: vmbr0
   - VLAN Tag: 400 (VICTIM_NET)
   - Model: Intel E1000
   - Click "OK"
7. Set Boot Order:
   - Options > Boot Order
   - Enable only: ide0
   - Click "OK"
8. Start VM:
   - Console > Start
   - Login: msfadmin / msfadmin
9. Get IP Address:
   - Command: `ifconfig`
   - Note the eth0 IP address (should be 10.10.4.x from DHCP)
   - Or set a static address: `sudo nano /etc/network/interfaces`

     ```text
     auto eth0
     iface eth0 inet static
     address 10.10.4.10
     netmask 255.255.255.0
     gateway 10.10.4.1
     ```

   - Restart networking: `sudo /etc/init.d/networking restart`
### Deploy Kali Linux (Attacker Platform)

1. Download Kali Linux:
   - Source: https://www.kali.org/get-kali/#kali-virtual-machines
   - Choose: 64-bit Proxmox/QEMU image (.qcow2)
2. Import to Proxmox:
   - Upload the .qcow2 to Proxmox storage
   - Or use the `qm importdisk` method (as for Metasploitable)
3. Create Kali VM:
   - VM ID: 201
   - Name: Kali-RedTeam
   - OS: Linux 6.x
   - CPU: 2 cores
   - RAM: 4096 MB (4 GB recommended for tools)
   - Disk: Import the existing .qcow2
   - Network: vmbr0, VLAN Tag: 200 (RED_TEAM)
4. Start and Login:
   - Default credentials: kali / kali
   - Change the password on first login: `passwd`
5. Verify Network:
   - Command: `ip addr show eth0`
   - Should have: 10.10.2.x
   - Test gateway: `ping 10.10.2.1`
   - Test target reach: `ping 10.10.4.10`
## LAB 2.2: NMAP FUNDAMENTALS

### Understanding Nmap Scan Types

| Scan Type | Flag | Description | Requires Root | Stealthy |
|---|---|---|---|---|
| TCP SYN | -sS | Half-open scan, doesn't complete handshake | Yes | High |
| TCP Connect | -sT | Full connection, uses OS TCP stack | No | Low |
| UDP | -sU | Scans UDP ports (slow) | Yes | Medium |
| ACK | -sA | Tests firewall rules | Yes | Medium |
| NULL/FIN/Xmas | -sN/-sF/-sX | Advanced evasion techniques | Yes | High |
### LAB 2.2.1: Basic Port Scanning

From the Kali Linux terminal:

```bash
# PREREQUISITE: Verify target reachability
ping -c 4 10.10.4.10
# Expected: 4 packets transmitted, 4 received

# SCAN 1: Quick scan of common ports
nmap 10.10.4.10
# Default: scans the top 1000 TCP ports. As root this is a SYN scan (-sS);
# unprivileged, nmap silently falls back to a TCP connect scan (-sT)
# Expected output: list of open ports (21, 22, 23, 25, 80, 139, 445, 3306, etc.)

# SCAN 2: Scan specific ports
nmap -p 80,443,22 10.10.4.10
# -p = specify ports (range: 1-100, or list: 80,443)

# SCAN 3: Scan all 65,535 ports (SLOW - 5-10 minutes)
sudo nmap -p- 10.10.4.10
# -p- = all ports (1-65535)
# Requires sudo for a SYN scan

# SCAN 4: Fast scan (top 100 ports only)
nmap -F 10.10.4.10
# -F = fast mode

# SCAN 5: Scan a port range
nmap -p 1-1024 10.10.4.10
# Scans the well-known ports (1-1024)
```

Deliverable: Save the full port scan output to a file:

```bash
sudo nmap -p- 10.10.4.10 -oN metasploitable_fullscan.txt
# -oN = output in normal format
```
### LAB 2.2.2: Service Version Detection

```bash
# SCAN 6: Detect service versions
sudo nmap -sV 10.10.4.10
# -sV = version detection
# Expected: shows specific software versions (e.g., "vsftpd 2.3.4", "Apache httpd 2.2.8")

# SCAN 7: Aggressive scan (OS + version + scripts + traceroute)
sudo nmap -A 10.10.4.10
# -A = aggressive mode (combines -sV, -O, -sC, --traceroute)
# Takes longer but provides comprehensive info

# SCAN 8: OS detection only
sudo nmap -O 10.10.4.10
# -O = OS detection (analyzes the TCP/IP stack fingerprint)
# Expected: "Linux 2.6.X"

# SCAN 9: Script scanning
sudo nmap -sC 10.10.4.10
# -sC = run the default NSE scripts (safe scripts for enumeration)
# Example scripts: http-title, ssh-hostkey, smb-os-discovery

# SCAN 10: Specific script
nmap --script=http-enum -p 80 10.10.4.10
# Enumerates directories on the web server
```

Understanding Version Detection Output:

```text
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4                          <-- Vulnerable version!
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1
23/tcp open  telnet  Linux telnetd
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
```

Deliverable: Save the version scan with aggressive mode:

```bash
sudo nmap -A 10.10.4.10 -oA metasploitable_aggressive
# -oA = output in all formats (normal, XML, grepable)
# Creates: metasploitable_aggressive.nmap, .xml, .gnmap
```
### LAB 2.2.3: Scan Timing and Evasion

```bash
# TIMING TEMPLATES:
# -T0 (Paranoid): Extremely slow, for IDS evasion (5 min/port)
# -T1 (Sneaky): Very slow
# -T2 (Polite): Slows down to reduce bandwidth
# -T3 (Normal): Default
# -T4 (Aggressive): Faster, assumes a reliable network
# -T5 (Insane): Very fast, may miss ports

# SCAN 11: Aggressive timing (use in labs only!)
sudo nmap -T4 -p- 10.10.4.10
# Faster than default, good for CTFs/labs

# SCAN 12: Stealthy timing (IDS evasion)
sudo nmap -T1 -sS -p 80,443 10.10.4.10
# Slow scan to stay under detection thresholds

# SCAN 13: Fragmented packets (firewall evasion)
sudo nmap -f 10.10.4.10
# -f = fragment packets (split into tiny pieces)

# SCAN 14: Decoy scan (hide among fake sources)
sudo nmap -D RND:10 10.10.4.10
# -D RND:10 = use 10 random decoy IPs
# Target sees scans from multiple sources (harder to identify the real attacker)

# SCAN 15: Spoof source port (bypass firewall rules)
sudo nmap --source-port 53 10.10.4.10
# Appear to come from DNS port 53 (often allowed outbound)
```

Real-World Scenario:

```bash
# Penetration test scenario: enumerate without triggering alarms
sudo nmap -sS -T2 -p 1-1000 --max-rate 10 10.10.4.10
# -sS = SYN scan (stealth)
# -T2 = Polite timing
# --max-rate 10 = max 10 packets/second (very slow)
```
## LAB 2.3: NETWORK TRAFFIC ANALYSIS WITH WIRESHARK

### Understanding Packet Capture

Wireshark is a GUI packet analyzer; tcpdump is its command-line equivalent.

### LAB 2.3.1: Capturing Nmap Scan Traffic

Step-by-Step:

```bash
# TERMINAL 1: Start packet capture
sudo tcpdump -i eth0 -w nmap_scan.pcap
# -i eth0 = capture on interface eth0
# -w = write to file
# Leave running...

# TERMINAL 2: Perform the nmap scan
sudo nmap -sS -p 80,443,22 10.10.4.10

# TERMINAL 1: Stop the capture (press Ctrl+C after the scan completes)

# Verify the capture file
ls -lh nmap_scan.pcap
# Should show a file size > 0 bytes
```
### LAB 2.3.2: Analyzing with Wireshark GUI

```bash
# Open Wireshark
sudo wireshark nmap_scan.pcap &
# & = run in background
```

Wireshark Analysis Steps:

1. FILTER FOR TCP SYN PACKETS:
   - Display filter: `tcp.flags.syn == 1 && tcp.flags.ack == 0`
   - Shows only SYN packets (scan probes)
2. OBSERVE STEALTH SCAN BEHAVIOR:
   - Find a packet to an open port (e.g., port 80)
   - Click on the SYN packet from Kali
   - Look at the packet list:
     * Packet 1: SYN (from Kali to target port 80)
     * Packet 2: SYN-ACK (target responds - port is OPEN)
     * Packet 3: RST (Kali aborts - never completes the connection)
3. FILTER FOR CLOSED PORT RESPONSE:
   - Display filter: `tcp.port == 443` (if 443 is closed)
   - Observe:
     * SYN from Kali
     * RST-ACK from target (port CLOSED)
4. ANALYZE PACKET TIMING:
   - View > Time Display Format > Seconds Since Previous Displayed Packet
   - Note the delay between probes (T4 timing = minimal delay)
5. FOLLOW TCP STREAM (for completed connections):
   - Right-click any packet > Follow > TCP Stream
   - See the full conversation in ASCII
   - Won't work for SYN scans (no data exchanged)
6. EXPORT PACKET DETAILS:
   - File > Export Specified Packets
   - Save as: syn_scan_analysis.pcap

Key Wireshark Filters:

| Filter | Matches |
|---|---|
| `tcp.flags.syn == 1 && tcp.flags.ack == 0` | Only SYN packets |
| `tcp.flags.reset == 1` | RST packets |
| `ip.src == 10.10.2.0/24` | Traffic from the RED_TEAM subnet (Kali); substitute your Kali address for a single host |
| `ip.dst == 10.10.4.10` | Traffic to the target |
| `tcp.port == 80` | Port 80 traffic |
| `http` | HTTP protocol |
### LAB 2.3.3: Identifying Scan Types in PCAPs

Exercise: Capture different scan types and compare their signatures.

```bash
# Capture 1: SYN scan
sudo tcpdump -i eth0 -w syn_scan.pcap &
sleep 1   # give tcpdump a moment to open the interface before scanning
sudo nmap -sS -p 80 10.10.4.10
sudo pkill tcpdump

# Capture 2: TCP Connect scan
sudo tcpdump -i eth0 -w connect_scan.pcap &
sleep 1
nmap -sT -p 80 10.10.4.10   # No sudo (uses a full connection)
sudo pkill tcpdump

# Capture 3: UDP scan
sudo tcpdump -i eth0 -w udp_scan.pcap &
sleep 1
sudo nmap -sU -p 53,161 10.10.4.10
sudo pkill tcpdump

# Capture 4: NULL scan
sudo tcpdump -i eth0 -w null_scan.pcap &
sleep 1
sudo nmap -sN -p 80 10.10.4.10
sudo pkill tcpdump
```

Compare in Wireshark:

- SYN Scan: SYN → SYN-ACK → RST (never completes)
- Connect Scan: SYN → SYN-ACK → ACK → RST-ACK (full connection, then close)
- UDP Scan: UDP packet → ICMP "port unreachable" (if closed)
- NULL Scan: packet with NO flags set → RST (if closed), no response (if open)

Deliverable: Screenshot showing the SYN scan packet sequence in Wireshark with annotations.
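The four signatures just compared, written as per-flow classification logic a defender can run over one exported conversation. This is an added example, not course material; a flow is a constructed list of (direction, flags) records in wire order, and the `ICMP3` label for an ICMP port-unreachable reply is my own convention.

```python
"""Classify one probe/response exchange using the scan signatures from Lab 2.3.3.

Added example, not from the course material. A flow is the packet sequence
Wireshark shows for one (scanner, target, port) conversation, as constructed
(direction, flags) pairs in wire order.
"""
from typing import List, Tuple

# direction: "out" = scanner -> target, "in" = target -> scanner
# flags: TCP flags as letters ("S", "SA", "A", "R", "RA"), "" for a NULL probe,
#        "UDP" for a datagram, "ICMP3" (own label) for ICMP port unreachable
Packet = Tuple[str, str]


def _is_reset(flags: str) -> bool:
    return "R" in flags          # RST or RST-ACK both abort the connection


def classify_probe(flow: List[Packet]) -> str:
    """Return the scan type and port state implied by one probe/response sequence."""
    if not flow or flow[0][0] != "out":
        return "no probe seen"
    first, replies = flow[0][1], flow[1:]
    # TCP SYN probe: an open port answers SYN-ACK; the scanner then either aborts with
    # RST (half-open SYN scan) or completes the handshake with ACK (connect scan).
    if first == "S":
        if replies[:1] == [("in", "SA")]:
            if replies[1:2] == [("out", "A")]:
                return "connect scan, port open"
            if len(replies) > 1 and replies[1][0] == "out" and _is_reset(replies[1][1]):
                return "SYN scan, port open"
            return "SYN-ACK seen, handshake incomplete"
        if replies and replies[0][0] == "in" and _is_reset(replies[0][1]):
            return "SYN/connect scan, port closed"
        return "SYN probe, port filtered (no reply)"
    # NULL probe (no flags): closed ports reply RST, open ports stay silent
    if first == "":
        if replies and replies[0][0] == "in" and _is_reset(replies[0][1]):
            return "NULL scan, port closed"
        return "NULL scan, port open|filtered"
    # UDP probe: ICMP port unreachable means closed; silence is open|filtered
    if first == "UDP":
        if replies[:1] == [("in", "ICMP3")]:
            return "UDP scan, port closed"
        return "UDP scan, port open|filtered"
    return "unrecognised probe"


if __name__ == "__main__":
    # Constructed flows matching the four captures in this lab
    print(classify_probe([("out", "S"), ("in", "SA"), ("out", "R")]))
    print(classify_probe([("out", "S"), ("in", "SA"), ("out", "A"), ("out", "RA")]))
    print(classify_probe([("out", "UDP"), ("in", "ICMP3")]))
    print(classify_probe([("out", "")]))
```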
## LAB 2.4: SERVICE ENUMERATION

### Enumerating Common Services

Goal: Gather detailed information about discovered services for exploitation planning.

### LAB 2.4.1: FTP Enumeration (Port 21)

```bash
# Check whether anonymous login is allowed
nmap --script=ftp-anon -p 21 10.10.4.10
# If allowed, the output shows "Anonymous FTP login allowed"

# Manual FTP check
ftp 10.10.4.10
# Username: anonymous
# Password: (just press Enter)
# Commands:
#   ls       - list files
#   cd       - change directory
#   get file - download file
#   bye      - exit

# Brute-force FTP credentials (ethical use only!)
nmap --script=ftp-brute -p 21 10.10.4.10
# Uses common username/password combinations
```
### LAB 2.4.2: SSH Enumeration (Port 22)

```bash
# Get the SSH banner and supported algorithms
nmap --script=ssh2-enum-algos -p 22 10.10.4.10

# Check for known SSH weaknesses
# (quote the glob so the shell doesn't expand it against files in the current directory)
nmap --script="ssh-*" -p 22 10.10.4.10

# Manual banner grab
nc 10.10.4.10 22
# Shows: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
# Press Ctrl+C to exit

# Attempt SSH login (if you have credentials)
ssh msfadmin@10.10.4.10
# Password: msfadmin (on Metasploitable)
```
### LAB 2.4.3: HTTP/HTTPS Enumeration (Port 80/443)

```bash
# Enumerate web directories
nmap --script=http-enum -p 80 10.10.4.10
# Finds: /phpMyAdmin/, /test/, /twiki/, etc.

# Get HTTP headers
curl -I http://10.10.4.10
# Shows the server version: Apache/2.2.8 (Ubuntu)

# Web vulnerability scanning
nikto -h http://10.10.4.10
# Comprehensive web server scanner (takes 5-10 minutes)
# Identifies: outdated software, misconfigurations, known vulnerabilities

# Directory brute-forcing
gobuster dir -u http://10.10.4.10 -w /usr/share/wordlists/dirb/common.txt
# -u = URL
# -w = wordlist
# Finds hidden directories
```
### LAB 2.4.4: SMB Enumeration (Port 139/445)

```bash
# Enumerate SMB shares
nmap --script=smb-enum-shares -p 445 10.10.4.10
# Lists available network shares

# Enumerate SMB users
nmap --script=smb-enum-users -p 445 10.10.4.10
# Lists local user accounts

# OS discovery via SMB
nmap --script=smb-os-discovery -p 445 10.10.4.10
# Shows: OS, computer name, domain

# Check for SMB vulnerabilities (EternalBlue, etc.)
# (quote the glob so the shell doesn't expand it against files in the current directory)
nmap --script="smb-vuln*" -p 445 10.10.4.10
# Scans for known SMB exploits

# Manual SMB enumeration
smbclient -L //10.10.4.10 -N
# -L = list shares
# -N = no password
```
### LAB 2.4.5: MySQL Enumeration (Port 3306)

```bash
# Check for default credentials (empty root password)
nmap --script=mysql-empty-password -p 3306 10.10.4.10

# Enumerate MySQL users
nmap --script=mysql-users -p 3306 10.10.4.10

# Get MySQL info
nmap --script=mysql-info -p 3306 10.10.4.10

# Manual connection (if credentials known)
mysql -h 10.10.4.10 -u root
# Try common passwords: root, toor, admin, password
```
## LAB 2.5: COMPREHENSIVE TARGET ASSESSMENT

### Create Full Reconnaissance Report

Step-by-Step Workflow:

```bash
# 1. CREATE WORKING DIRECTORY
mkdir -p ~/recon/metasploitable
cd ~/recon/metasploitable

# 2. COMPREHENSIVE NMAP SCAN (-A already implies -sV and -sC; listing them is harmless)
sudo nmap -sS -sV -sC -A -p- -T4 10.10.4.10 -oA full_scan
# Saves: full_scan.nmap, full_scan.xml, full_scan.gnmap

# 3. VULNERABILITY SCAN
nmap --script=vuln -p- 10.10.4.10 -oN vulnerability_scan.txt

# 4. UDP SCAN (top ports only - UDP is slow)
sudo nmap -sU --top-ports 100 10.10.4.10 -oN udp_scan.txt

# 5. WEB ENUMERATION
nikto -h http://10.10.4.10 -o nikto_scan.txt

# 6. SMB ENUMERATION
enum4linux -a 10.10.4.10 > smb_enum.txt
# -a = all enumeration (users, shares, groups, etc.)

# 7. ORGANIZE FINDINGS
# Match only port lines ("21/tcp open ..."), not every line that happens to contain "open"
grep -E '^[0-9]+/(tcp|udp) +open' full_scan.nmap > open_ports.txt

# 8. CREATE SUMMARY
cat << EOF > RECONNAISSANCE_SUMMARY.txt
TARGET: Metasploitable 2 (10.10.4.10)
SCAN DATE: $(date)
SCANNER: Kali Linux (10.10.2.x)

OPEN PORTS:
$(cat open_ports.txt)

HIGH-RISK SERVICES IDENTIFIED:
- vsftpd 2.3.4 (Port 21) - Known backdoor vulnerability
- SSH 4.7p1 (Port 22) - Outdated, weak key exchange
- Samba 3.x (Port 139/445) - Multiple known exploits
- MySQL (Port 3306) - Empty root password

NEXT STEPS:
1. Research CVEs for identified service versions
2. Prepare exploit modules in Metasploit (Module 3)
3. Document attack vectors for reporting
EOF
cat RECONNAISSANCE_SUMMARY.txt
```

Deliverable: Full reconnaissance directory with all scan outputs and summary report.
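Step 7 above pulls open ports out of the human-readable .nmap file with grep; the .gnmap file that `-oA` also writes is the format meant for this. An added example, not course material: a small parser for that grepable format over a constructed .gnmap sample mirroring the Metasploitable 2 services shown in this module.

```python
"""Parse nmap grepable output (.gnmap, written by -oA/-oG) into structured port
records for the reconnaissance summary, instead of grepping the .nmap file.

Added example, not from the course material. SAMPLE_GNMAP is constructed to mirror
the Metasploitable 2 services in this module; use your own full_scan.gnmap in practice.
"""
from typing import Dict, List

# Constructed sample. Each port entry has seven '/'-separated fields:
# port/state/protocol/owner/service/rpc-info/version/ (nmap writes a '/' that
# occurs inside a field as '|', which is why the Apache entry reads "DAV|2").
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sV -p- -oA full_scan 10.10.4.10
Host: 10.10.4.10 ()\tStatus: Up
Host: 10.10.4.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 3306/open/tcp//mysql//MySQL 5.0.51a-3ubuntu5/\tIgnored State: closed (65528)
# Nmap done at Mon Jan  1 12:05:00 2024 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {host_ip: [port records]} for every 'Host: ... Ports: ...' line."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                          # skip '# Nmap ...' comment lines
        # Tab-separated "Key: value" sections; only the first ': ' splits a section
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]  # "10.10.4.10 ()" -> "10.10.4.10"
        if "Ports" not in fields:
            continue                          # "Status: Up" lines carry no port data
        for entry in fields["Ports"].split(", "):
            p = entry.split("/")
            hosts.setdefault(ip, []).append({
                "port": int(p[0]), "state": p[1], "proto": p[2],
                "service": p[4], "version": p[6].replace("|", "/"),
            })
    return hosts


def open_ports(hosts: Dict[str, List[dict]], ip: str) -> List[dict]:
    """Only 'open' ports; 'filtered' and 'closed' stay out of the summary."""
    return [p for p in hosts.get(ip, []) if p["state"] == "open"]


def summary_lines(hosts: Dict[str, List[dict]], ip: str) -> List[str]:
    """Lines for the OPEN PORTS section of RECONNAISSANCE_SUMMARY.txt."""
    return [f"{p['port']}/{p['proto']:<3} {p['service']:<12} {p['version']}".rstrip()
            for p in open_ports(hosts, ip)]


if __name__ == "__main__":
    print("\n".join(summary_lines(parse_gnmap(SAMPLE_GNMAP), "10.10.4.10")))
```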
## NETWORK TRAFFIC ANALYSIS EXERCISES

### Exercise 1: Baseline vs Anomalous Traffic

```bash
# CAPTURE NORMAL TRAFFIC
sudo tcpdump -i eth0 -w normal_traffic.pcap -c 1000
# -c 1000 = stop automatically after 1000 packets
# Let normal background traffic accumulate for about a minute;
# press Ctrl+C if you want to stop before 1000 packets are reached

# CAPTURE SCAN TRAFFIC
sudo tcpdump -i eth0 -w scan_traffic.pcap &
sleep 1   # give tcpdump a moment to open the interface before scanning
sudo nmap -T4 -p- 10.10.4.10
sudo pkill tcpdump

# COMPARE IN WIRESHARK
wireshark normal_traffic.pcap &
wireshark scan_traffic.pcap &

# What to look for in scan traffic:
# - High packet rate (thousands of SYNs per second)
# - Sequential destination ports (80, 81, 82, 83...)
# - Many RST packets (aborted connections)
# - Single source IP targeting single destination
```
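The four indicators listed above as detection logic, an added example that is not course material: it aggregates constructed per-packet records of the kind `tshark` can export from scan_traffic.pcap (timestamp, source, destination, destination port, TCP flags) and flags a source that probes many ports at a high SYN rate. The thresholds are assumptions to tune against your own baseline capture.

```python
"""Detection logic for the Exercise 1 scan indicators: SYN rate, distinct and
sequential destination ports, RST count, one source hammering one destination.

Added example, not part of the course material. Records are constructed
(timestamp_s, src_ip, dst_ip, dst_port, tcp_flags) tuples; flags use letters
as tcpdump prints them ("S" = SYN, "SA" = SYN-ACK, "R"/"RA" = RST/RST-ACK).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[float, str, str, int, str]
Pair = Tuple[str, str]                          # (initiator, responder)


def scan_indicators(records: Iterable[Record]) -> Dict[Pair, dict]:
    """Aggregate per (initiator, responder) pair and compute the indicators."""
    agg: Dict[Pair, dict] = defaultdict(lambda: {"syn_times": [], "ports": set(), "rst": 0})
    for ts, src, dst, dport, flags in records:
        if flags == "S":                        # bare SYN = new connection attempt / probe
            agg[(src, dst)]["syn_times"].append(ts)
            agg[(src, dst)]["ports"].add(dport)
        elif "R" in flags:                      # RST-ACK comes back from the responder;
            pair = (dst, src) if "A" in flags else (src, dst)   # bare RST from the initiator
            agg[pair]["rst"] += 1
    out: Dict[Pair, dict] = {}
    for pair, a in agg.items():
        times, ports = sorted(a["syn_times"]), sorted(a["ports"])
        run = best = 1 if ports else 0          # longest run of consecutive ports (80,81,82,...)
        for lo, hi in zip(ports, ports[1:]):
            run = run + 1 if hi == lo + 1 else 1
            best = max(best, run)
        span = (times[-1] - times[0]) if times else 0.0
        out[pair] = {
            "syn_count": len(times),
            "syn_rate": len(times) / max(span, 1.0),   # SYNs per second, 1 s floor
            "distinct_ports": len(ports),
            "longest_sequential_run": best,
            "rst_count": a["rst"],
        }
    return out


def is_port_scan(ind: dict, min_ports: int = 20, min_rate: float = 5.0) -> bool:
    """Decision rule (assumed thresholds): many distinct ports at a high SYN rate."""
    return ind["distinct_ports"] >= min_ports and ind["syn_rate"] >= min_rate


def build_sample() -> List[Record]:
    """Constructed sample: normal browsing to port 80, then a SYN scan of ports 1-100."""
    recs: List[Record] = []
    for i in range(5):                          # 5 real connections spread over 40 s
        t = float(i * 10)
        recs += [(t, "10.10.2.5", "10.10.4.10", 80, "S"),
                 (t + 0.01, "10.10.4.10", "10.10.2.5", 80, "SA"),
                 (t + 0.02, "10.10.2.5", "10.10.4.10", 80, "A")]
    for port in range(1, 101):                  # 100 probes in ~2 s; closed ports answer RST-ACK
        t = 100.0 + port * 0.02
        recs.append((t, "10.10.2.7", "10.10.4.10", port, "S"))
        recs.append((t + 0.001, "10.10.4.10", "10.10.2.7", port, "RA"))
    return recs


if __name__ == "__main__":
    for pair, ind in scan_indicators(build_sample()).items():
        print(pair, "SCAN" if is_port_scan(ind) else "normal", ind)
```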
### Exercise 2: Protocol Distribution Analysis

1. Open scan_traffic.pcap in Wireshark
2. Statistics > Protocol Hierarchy
   - Shows the % of each protocol (TCP, UDP, ICMP)
   - Scan traffic = 99% TCP SYN
3. Statistics > Conversations
   - Shows IP pairs and packet counts
   - Scan = one conversation with thousands of packets
4. Statistics > I/O Graph
   - Visualize packet rate over time
   - Scan = sharp spike during the scan period

Deliverable: Screenshot of the Wireshark Protocol Hierarchy showing the scan traffic composition.
## TROUBLESHOOTING GUIDE

### Issue: Nmap shows "Host seems down"

```bash
# Check connectivity first
ping 10.10.4.10
# If ping works but nmap doesn't:
sudo nmap -Pn 10.10.4.10
# -Pn = skip host discovery (assume the host is up)
# Check the firewall rules in pfSense
# Ensure RED_TEAM → VICTIM_NET is allowed
```

### Issue: Wireshark shows "Permission denied"

```bash
# Run with sudo
sudo wireshark
# Or add your user to the wireshark group (better practice)
sudo usermod -aG wireshark $USER
# Log out and back in for the change to take effect
```

### Issue: tcpdump captures no packets

```bash
# Verify the correct interface
ip addr show
# Use the correct interface name (eth0, ens18, etc.)
# Check that the interface is up
sudo ip link set eth0 up
# Verify you're capturing the right traffic
sudo tcpdump -i eth0 -n
# -n = don't resolve hostnames (faster)
# Should see packets scrolling
```

### Issue: Nmap scan is extremely slow

```bash
# Use faster timing
sudo nmap -T4 10.10.4.10
# Scan fewer ports initially
nmap -F 10.10.4.10   # Fast mode (100 ports)
# Disable the ping check
sudo nmap -Pn -T4 -p 1-1000 10.10.4.10
```
## PROFESSOR'S GUIDANCE

### Understanding Reconnaissance in Real Engagements

Lab environment vs Production:

- Lab: Aggressive scans (T4, T5) are fine - you own the network
- Production: Use T2-T3, rate limiting, blend with normal traffic
- Legal requirement: Always have written authorization before scanning

### Reconnaissance is Not Just Tool Execution

Poor approach: "I ran nmap -A and got results"

Professional approach:

- Scope definition: What am I allowed to scan?
- Passive recon first: OSINT, DNS lookups, public records
- Strategic scanning: Scan incrementally (common ports → all ports)
- Service enumeration: Deep dive into discovered services
- Vulnerability mapping: Match versions to CVE databases
- Documentation: Detailed notes for the exploitation phase
- Traffic analysis: Understand what your tools do on the wire

### Common Student Mistakes

1. Running scans without capturing traffic:
   - You learn HOW attacks work by seeing the packets
   - Future you (as a defender) needs to recognize these patterns
2. Not saving scan outputs:
   - Use `-oA` to save all formats - the XML output can be imported into tools like Metasploit
3. Ignoring UDP services:
   - UDP is stateless and harder to scan, but critical (DNS, SNMP, TFTP)
   - Always include UDP scans in assessments
4. Over-relying on automated tools:
   - Nikto finds 100 issues → 95 are false positives
   - Manual verification is essential

### Time Investment

- Initial VM deployment: 1-2 hours
- Nmap fundamentals: 2-3 hours
- Wireshark packet analysis: 2-4 hours (most important!)
- Service enumeration: 2-3 hours
- Comprehensive assessment: 1-2 hours

Total: 8-14 hours

### Real-World Skills Developed

By mastering this module, you can:

- Perform network reconnaissance in penetration tests
- Analyze packet captures for incident response
- Identify suspicious scanning in a SOC role
- Understand attacker methodology (kill chain Phase 1: Reconnaissance)
## KNOWLEDGE CHECK

Before proceeding to MOD3, you should be able to:

- Explain the difference between -sS and -sT scans
  - Answer: -sS (SYN scan) doesn't complete the handshake (stealth); -sT (Connect) uses a full connection
- What does a SYN-ACK response indicate?
  - Answer: The port is OPEN and accepting connections
- Why do attackers use decoy scans (-D)?
  - Answer: To hide their real IP among fake sources, making attribution harder
- In Wireshark, how do you filter for only SYN packets?
  - Answer: `tcp.flags.syn == 1 && tcp.flags.ack == 0`
- Name 3 high-risk services found on Metasploitable
  - Answer: vsftpd 2.3.4 (backdoor), Samba 3.x (exploitable), MySQL (empty password)
- What tool enumerates SMB shares?
  - Answer: `enum4linux`, `smbclient`, or `nmap --script=smb-enum-shares`
- Why should UDP scans use --top-ports?
  - Answer: UDP scans are slow (no handshake confirmation), so limiting them to the top ports is practical
## DELIVERABLES CHECKLIST

Before proceeding to Module 3, submit/complete:

- Full nmap scan output (-oA format)
- Wireshark PCAP of SYN scan with annotations
- Nikto web scan results
- SMB enumeration output (enum4linux)
- Reconnaissance summary report
- Screenshots showing:
  - TCP three-way handshake in Wireshark
  - SYN scan RST behavior
  - Wireshark protocol hierarchy of scan traffic
  - Nmap version detection output

## END OF MODULE 2

Next Steps:

- Review all captured PCAPs - understand what each scan looks like
- Save all scan outputs to the `~/recon/metasploitable/` directory
- Take a snapshot of the Kali VM: "Post-MOD2-Reconnaissance"
- Proceed to MOD3: Exploitation & Post-Exploitation

Remember: Every offensive technique you learn has a defensive counter. When you configure Security Onion in MOD4, you will create rules to detect these exact scans!