seclab/MOD2_Recon_and_NTA.md
2026-05-28 18:27:41 -06:00


MODULE 2: RECONNAISSANCE & NETWORK TRAFFIC ANALYSIS

Learning Objectives

By completing this module, you will:

  • Perform active reconnaissance using Nmap to identify open ports and services
  • Understand TCP/UDP scanning techniques and their network signatures
  • Capture and analyze network traffic using Wireshark and tcpdump
  • Enumerate service versions and detect operating systems
  • Recognize the difference between stealth and noisy scanning techniques
  • Document findings for exploitation planning

Key Concepts

Active Reconnaissance

Active reconnaissance involves interacting directly with target systems to gather information. Unlike passive recon (search-engine queries, WHOIS lookups), active techniques send packets to the target and are therefore detectable by IDS/IPS systems.

Network Traffic Analysis (NTA)

NTA is the process of capturing and dissecting raw network packets to:

  • Establish baseline "normal" traffic patterns
  • Detect anomalous scanning behavior
  • Investigate security incidents
  • Validate exploit success

The TCP Three-Way Handshake

Client                    Server
  |                         |
  |-------- SYN --------->  |  (Client initiates)
  |<----- SYN-ACK --------  |  (Server acknowledges)
  |-------- ACK --------->  |  (Client confirms - connection established)

Stealth Scanning (SYN Scan)

Client                    Server
  |                         |
  |-------- SYN --------->  |  (Probe port)
  |<----- SYN-ACK --------  |  (Port is OPEN)
  |-------- RST --------->  |  (Client aborts - never completes handshake)

Why is this called a stealth scan? The handshake is never completed, so the service on the port never sees a connection and application logs usually record nothing; it is also faster than a full connect scan. The SYN probes are still visible on the wire, which is exactly what the Wireshark labs below rely on.


LAB 2.1: DEPLOY TARGET INFRASTRUCTURE

Deploy Metasploitable 2 (Vulnerable Linux Target)

1. Download Metasploitable 2:
   - Source: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
   - File: metasploitable-linux-2.0.0.zip
   - Extract to get .vmdk file

2. Upload to Proxmox:
   - SSH to Proxmox or use Shell
   - Navigate to: cd /var/lib/vz/images/
   - Create directory: mkdir 401
   - Upload .vmdk file to this directory

3. Create Proxmox VM:
   - VM ID: 401
   - Name: Metasploitable2
   - OS: Linux 5.x - 2.6 Kernel
   - CPU: 1 core
   - RAM: 512 MB
   - Do NOT add disk yet (we'll import existing)

4. Import Existing Disk:
   - SSH to Proxmox
   - Run: qm importdisk 401 /var/lib/vz/images/401/Metasploitable.vmdk local-lvm
   - Wait for import to complete

5. Attach Disk to VM:
   - Proxmox GUI > VM 401 > Hardware
   - Select "Unused Disk 0"
   - Click "Edit"
   - Bus/Device: IDE / 0
   - Click "Add"

6. Configure Network:
   - Hardware > Network Device > Edit
   - Bridge: vmbr0
   - VLAN Tag: 400 (VICTIM_NET)
   - Model: Intel E1000
   - Click "OK"

7. Set Boot Order:
   - Options > Boot Order
   - Enable only: ide0
   - Click "OK"

8. Start VM:
   - Console > Start
   - Login: msfadmin / msfadmin

9. Get IP Address:
   - Command: ifconfig
   - Note eth0 IP address (should be 10.10.4.x from DHCP)
   - Or set static: sudo nano /etc/network/interfaces
     auto eth0
     iface eth0 inet static
     address 10.10.4.10
     netmask 255.255.255.0
     gateway 10.10.4.1
   - Restart networking: sudo /etc/init.d/networking restart

Deploy Kali Linux (Attacker Platform)

1. Download Kali Linux:
   - Source: https://www.kali.org/get-kali/#kali-virtual-machines
   - Choose: 64-bit Proxmox/QEMU image (.qcow2)

2. Import to Proxmox:
   - Upload .qcow2 to Proxmox storage
   - Or use qm importdisk method (similar to Metasploitable)

3. Create Kali VM:
   - VM ID: 201
   - Name: Kali-RedTeam
   - OS: Linux 6.x
   - CPU: 2 cores
   - RAM: 4096 MB (4 GB recommended for tools)
   - Disk: Import existing .qcow2
   - Network: vmbr0, VLAN Tag: 200 (RED_TEAM)

4. Start and Login:
   - Default credentials: kali / kali
   - Change password on first login: passwd

5. Verify Network:
   - Command: ip addr show eth0
   - Should have: 10.10.2.x
   - Test gateway: ping 10.10.2.1
   - Test target reach: ping 10.10.4.10

LAB 2.2: NMAP FUNDAMENTALS

Understanding Nmap Scan Types

Scan Type      Flag          Description                                   Requires Root  Stealthy
TCP SYN        -sS           Half-open scan, doesn't complete handshake    Yes            High
TCP Connect    -sT           Full connection, uses OS TCP stack            No             Low
UDP            -sU           Scans UDP ports (slow)                        Yes            Medium
ACK            -sA           Tests firewall rules                          Yes            Medium
NULL/FIN/Xmas  -sN/-sF/-sX   Advanced evasion techniques                   Yes            High

LAB 2.2.1: Basic Port Scanning

From Kali Linux terminal:

# PREREQUISITE: Verify target reachability
ping -c 4 10.10.4.10
# Expected: 4 packets transmitted, 4 received

# SCAN 1: Quick scan of common ports
nmap 10.10.4.10
# Default: scans the top 1000 TCP ports. As root this is a SYN scan (-sS);
# unprivileged (as here, without sudo) nmap falls back to a TCP connect scan (-sT)
# Expected output: List of open ports (21, 22, 23, 25, 80, 139, 445, 3306, etc.)

# SCAN 2: Scan specific ports
nmap -p 80,443,22 10.10.4.10
# -p = specify ports (can be range: 1-100 or list: 80,443)

# SCAN 3: Scan all 65,535 ports (SLOW - 5-10 minutes)
sudo nmap -p- 10.10.4.10
# -p- = all ports (1-65535)
# Requires sudo for SYN scan

# SCAN 4: Fast scan (top 100 ports only)
nmap -F 10.10.4.10
# -F = fast mode

# SCAN 5: Scan port range
nmap -p 1-1024 10.10.4.10
# Scans well-known ports (1-1024)

Deliverable: Save full port scan output to file:

sudo nmap -p- 10.10.4.10 -oN metasploitable_fullscan.txt
# -oN = output normal format

LAB 2.2.2: Service Version Detection

# SCAN 6: Detect service versions
sudo nmap -sV 10.10.4.10
# -sV = Version detection
# Expected: Shows specific software versions (e.g., "vsftpd 2.3.4", "Apache httpd 2.2.8")

# SCAN 7: Aggressive scan (OS + version + scripts + traceroute)
sudo nmap -A 10.10.4.10
# -A = Aggressive mode (combines -sV, -O, -sC, --traceroute)
# Takes longer but provides comprehensive info

# SCAN 8: OS detection only
sudo nmap -O 10.10.4.10
# -O = OS detection (analyzes TCP/IP stack fingerprint)
# Expected: "Linux 2.6.X"

# SCAN 9: Script scanning
sudo nmap -sC 10.10.4.10
# -sC = Run default NSE scripts (safe scripts for enumeration)
# Example scripts: http-title, ssh-hostkey, smb-os-discovery

# SCAN 10: Specific script
nmap --script=http-enum -p 80 10.10.4.10
# Enumerates directories on web server

Understanding Version Detection Output:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4  <-- Vulnerable version!
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1
23/tcp open  telnet  Linux telnetd
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)

Deliverable: Save version scan with aggressive mode:

sudo nmap -A 10.10.4.10 -oA metasploitable_aggressive
# -oA = output all formats (normal, XML, grepable)
# Creates: metasploitable_aggressive.nmap, .xml, .gnmap

LAB 2.2.3: Scan Timing and Evasion

# TIMING TEMPLATES:
# -T0 (Paranoid): Extremely slow, for IDS evasion (waits about 5 min between probes)
# -T1 (Sneaky): Very slow
# -T2 (Polite): Slows down to reduce bandwidth
# -T3 (Normal): Default
# -T4 (Aggressive): Faster, assumes reliable network
# -T5 (Insane): Very fast, may miss ports

# SCAN 11: Aggressive timing (use in labs only!)
sudo nmap -T4 -p- 10.10.4.10
# Faster than default, good for CTFs/labs

# SCAN 12: Stealthy timing (IDS evasion)
sudo nmap -T1 -sS -p 80,443 10.10.4.10
# Slow scan to avoid detection thresholds

# SCAN 13: Fragmented packets (firewall evasion)
sudo nmap -f 10.10.4.10
# -f = fragment packets (split into tiny pieces)

# SCAN 14: Decoy scan (hide among fake sources)
sudo nmap -D RND:10 10.10.4.10
# -D RND:10 = Use 10 random decoy IPs
# Target sees scans from multiple sources (harder to identify real attacker)

# SCAN 15: Spoof source port (bypass firewall rules)
sudo nmap --source-port 53 10.10.4.10
# Appear to come from DNS port 53 (often allowed outbound)

Real-World Scenario:

# Penetration test scenario: Enumerate without triggering alarms
sudo nmap -sS -T2 -p 1-1000 --max-rate 10 10.10.4.10
# -sS = SYN scan (stealth)
# -T2 = Polite timing
# --max-rate 10 = Max 10 packets/second (very slow)

LAB 2.3: NETWORK TRAFFIC ANALYSIS WITH WIRESHARK

Understanding Packet Capture

Wireshark is a GUI packet analyzer; tcpdump is its command-line equivalent, and both read and write the same pcap files.

LAB 2.3.1: Capturing Nmap Scan Traffic

Step-by-Step:

# TERMINAL 1: Start packet capture
sudo tcpdump -i eth0 -w nmap_scan.pcap
# -i eth0 = capture on interface eth0
# -w = write to file
# Leave running...

# TERMINAL 2: Perform nmap scan
sudo nmap -sS -p 80,443,22 10.10.4.10

# TERMINAL 1: Stop capture (Ctrl+C after scan completes)
# Press Ctrl+C

# Verify capture file
ls -lh nmap_scan.pcap
# Should show file size (>0 bytes)

LAB 2.3.2: Analyzing with Wireshark GUI

# Open Wireshark
sudo wireshark nmap_scan.pcap &
# & = run in background

Wireshark Analysis Steps:

1. FILTER FOR TCP SYN PACKETS:
   - Display filter: tcp.flags.syn == 1 && tcp.flags.ack == 0
   - Shows only SYN packets (scan probes)

2. OBSERVE STEALTH SCAN BEHAVIOR:
   - Find a packet to open port (e.g., port 80)
   - Click on SYN packet from Kali
   - Look at packet list:
     * Packet 1: SYN (from Kali to target port 80)
     * Packet 2: SYN-ACK (target responds - port is OPEN)
     * Packet 3: RST (Kali aborts - never completes connection)

3. FILTER FOR CLOSED PORT RESPONSE:
   - Display filter: tcp.port == 443 (if 443 is closed)
   - Observe:
     * SYN from Kali
     * RST-ACK from target (port CLOSED)

4. ANALYZE PACKET TIMING:
   - View > Time Display Format > Seconds Since Previous Displayed Packet
   - Note delay between probes (T4 timing = minimal delay)

5. FOLLOW TCP STREAM (for completed connections):
   - Right-click any packet > Follow > TCP Stream
   - See full conversation in ASCII
   - Won't work for SYN scans (no data exchanged)

6. EXPORT PACKET DETAILS:
   - File > Export Specified Packets
   - Save as: syn_scan_analysis.pcap

Key Wireshark Filters:

tcp.flags.syn == 1 && tcp.flags.ack == 0   → Only SYN packets
tcp.flags.reset == 1                        → RST packets
ip.src == 10.10.2.x                         → Traffic from Kali (substitute Kali's actual address)
ip.dst == 10.10.4.10                        → Traffic to target
tcp.port == 80                              → Port 80 traffic
http                                        → HTTP protocol

LAB 2.3.3: Identifying Scan Types in PCAPs

Exercise: Capture different scan types and compare signatures

# Capture 1: SYN scan
sudo tcpdump -i eth0 -w syn_scan.pcap &
sleep 1   # give tcpdump a moment to open the interface before the scan starts
sudo nmap -sS -p 80 10.10.4.10
sudo pkill tcpdump

# Capture 2: TCP Connect scan
sudo tcpdump -i eth0 -w connect_scan.pcap &
sleep 1
nmap -sT -p 80 10.10.4.10  # No sudo (uses full connection)
sudo pkill tcpdump

# Capture 3: UDP scan
sudo tcpdump -i eth0 -w udp_scan.pcap &
sleep 1
sudo nmap -sU -p 53,161 10.10.4.10
sudo pkill tcpdump

# Capture 4: NULL scan
sudo tcpdump -i eth0 -w null_scan.pcap &
sleep 1
sudo nmap -sN -p 80 10.10.4.10
sudo pkill tcpdump

Compare in Wireshark:

SYN Scan:      SYN → SYN-ACK → RST (never completes)
Connect Scan:  SYN → SYN-ACK → ACK → RST-ACK (full connection, then close)
UDP Scan:      UDP packet → ICMP "port unreachable" (if closed)
NULL Scan:     Packet with NO flags set → RST (if closed), no response (if open)
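
As an added illustration (not part of the original lab), the following Python classifies each captured flow by the flag sequence listed above, so the four signatures can be checked programmatically rather than by eye. The packet records are constructed to mimic what Wireshark shows; the Kali address 10.10.2.50 is an assumed value.

```python
from collections import defaultdict, namedtuple

# One record per frame, as tcpdump/Wireshark would show it (constructed sample, not a real capture).
# flags: TCP flag letters ("S", "SA", "A", "R", "RA"; "" for a NULL probe or a UDP datagram).
# The ICMP port-unreachable answering a UDP probe is recorded with the probe's ports swapped, as
# Wireshark shows from the quoted inner header, so probe and reply pair into one flow.
Pkt = namedtuple("Pkt", "src dst sport dport proto flags")

KALI, TARGET = "10.10.2.50", "10.10.4.10"   # Kali address is assumed; target is the module's

def flow_key(p):
    """Direction-independent key; ICMP replies are filed under the UDP flow they answer."""
    proto = "udp" if p.proto == "icmp" else p.proto
    return (proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def group_flows(packets):
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return flows

def classify(flow):
    """Map one flow's packet sequence to the scan signature from the comparison table."""
    first = flow[0]
    if first.proto == "udp":
        return "udp-closed" if any(p.proto == "icmp" for p in flow[1:]) else "udp-open|filtered"
    flags = [p.flags for p in flow]
    if flags[0] == "":   # NULL probe: RST means closed, silence means open|filtered
        return "null-scan-closed" if len(flags) > 1 and "R" in flags[1] else "null-scan-open|filtered"
    if flags[0] != "S":
        return "unknown"
    if len(flags) == 1:
        return "syn-filtered"          # no answer at all: a firewall dropped the probe
    if flags[1] == "RA":
        return "closed"                # RST-ACK straight back from the target
    if flags[1] == "SA" and len(flags) >= 3 and flow[2].src == first.src:
        if flags[2] == "R":
            return "syn-scan-open"     # scanner aborts the half-open connection
        if flags[2] == "A":
            return "connect-scan-open" # OS stack completes the handshake
    return "unknown"

def summarize(packets):
    """Classify every flow, keyed by (protocol, probed port) of its first packet."""
    return {(f[0].proto, f[0].dport): classify(f) for f in group_flows(packets).values()}

CAPTURE = [  # constructed frames for the four scan types, in the order a capture would show them
    Pkt(KALI, TARGET, 40001, 80, "tcp", "S"),        # SYN scan, port 80 open
    Pkt(TARGET, KALI, 80, 40001, "tcp", "SA"),
    Pkt(KALI, TARGET, 40001, 80, "tcp", "R"),
    Pkt(KALI, TARGET, 40002, 22, "tcp", "S"),        # connect scan, port 22 open
    Pkt(TARGET, KALI, 22, 40002, "tcp", "SA"),
    Pkt(KALI, TARGET, 40002, 22, "tcp", "A"),
    Pkt(KALI, TARGET, 40002, 22, "tcp", "RA"),
    Pkt(KALI, TARGET, 40003, 443, "tcp", "S"),       # SYN probe, port 443 closed
    Pkt(TARGET, KALI, 443, 40003, "tcp", "RA"),
    Pkt(KALI, TARGET, 40004, 8080, "tcp", ""),       # NULL probe, port 8080 closed
    Pkt(TARGET, KALI, 8080, 40004, "tcp", "RA"),
    Pkt(KALI, TARGET, 40005, 21, "tcp", ""),         # NULL probe, port 21 open: no reply
    Pkt(KALI, TARGET, 40006, 161, "udp", ""),        # UDP probe, port 161 closed
    Pkt(TARGET, KALI, 161, 40006, "icmp", "port-unreachable"),
    Pkt(KALI, TARGET, 40007, 53, "udp", ""),         # UDP probe, port 53: no reply
]
```

Run `summarize(CAPTURE)` to get one verdict per probed port; feeding it records exported from a real pcap (for example via tshark's field output) is the natural next step.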

Deliverable: Screenshot showing SYN scan packet sequence in Wireshark with annotations.


LAB 2.4: SERVICE ENUMERATION

Enumerating Common Services

Goal: Gather detailed information about discovered services for exploitation planning.

LAB 2.4.1: FTP Enumeration (Port 21)

# Check if anonymous login allowed
nmap --script=ftp-anon -p 21 10.10.4.10
# If anonymous allowed: Shows "Anonymous FTP login allowed"

# Manual FTP check
ftp 10.10.4.10
# Username: anonymous
# Password: (just press Enter)
# Commands:
#   ls       - list files
#   cd       - change directory
#   get file - download file
#   bye      - exit

# Brute-force FTP credentials (ethical use only!)
nmap --script=ftp-brute -p 21 10.10.4.10
# Uses common username/password combinations

LAB 2.4.2: SSH Enumeration (Port 22)

# Get SSH banner and supported algorithms
nmap --script=ssh2-enum-algos -p 22 10.10.4.10

# Run every ssh-* NSE script (hostkey, auth methods, etc.); quote the pattern so the shell does not expand it
nmap --script="ssh-*" -p 22 10.10.4.10
# Note: this pattern also matches ssh-brute, which attempts logins and is noisy

# Manual banner grab
nc 10.10.4.10 22
# Shows: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
# Press Ctrl+C to exit

# Attempt SSH login (if you have credentials)
ssh msfadmin@10.10.4.10
# Password: msfadmin (on Metasploitable)

LAB 2.4.3: HTTP/HTTPS Enumeration (Port 80/443)

# Enumerate web directories
nmap --script=http-enum -p 80 10.10.4.10
# Finds: /phpMyAdmin/, /test/, /twiki/, etc.

# Get HTTP headers
curl -I http://10.10.4.10
# Shows server version: Apache/2.2.8 (Ubuntu)

# Web vulnerability scanning
nikto -h http://10.10.4.10
# Comprehensive web server scanner (takes 5-10 minutes)
# Identifies: Outdated software, misconfigurations, known vulnerabilities

# Directory brute-forcing
gobuster dir -u http://10.10.4.10 -w /usr/share/wordlists/dirb/common.txt
# -u = URL
# -w = wordlist
# Finds hidden directories

LAB 2.4.4: SMB Enumeration (Port 139/445)

# Enumerate SMB shares
nmap --script=smb-enum-shares -p 445 10.10.4.10
# Lists available network shares

# Enumerate SMB users
nmap --script=smb-enum-users -p 445 10.10.4.10
# Lists local user accounts

# OS discovery via SMB
nmap --script=smb-os-discovery -p 445 10.10.4.10
# Shows: OS, Computer name, Domain

# Check for SMB vulnerabilities (EternalBlue, etc.); quote the pattern so the shell does not expand it
nmap --script="smb-vuln*" -p 445 10.10.4.10
# Scans for known SMB exploits

# Manual SMB enumeration
smbclient -L //10.10.4.10 -N
# -L = list shares
# -N = no password

LAB 2.4.5: MySQL Enumeration (Port 3306)

# Check for default credentials
nmap --script=mysql-empty-password -p 3306 10.10.4.10

# Enumerate MySQL users
nmap --script=mysql-users -p 3306 10.10.4.10

# Get MySQL info
nmap --script=mysql-info -p 3306 10.10.4.10

# Manual connection (if credentials known)
mysql -h 10.10.4.10 -u root
# Try common passwords: root, toor, admin, password

LAB 2.5: COMPREHENSIVE TARGET ASSESSMENT

Create Full Reconnaissance Report

Step-by-Step Workflow:

# 1. CREATE WORKING DIRECTORY
mkdir -p ~/recon/metasploitable
cd ~/recon/metasploitable

# 2. COMPREHENSIVE NMAP SCAN
sudo nmap -sS -sV -sC -A -p- -T4 10.10.4.10 -oA full_scan
# Saves: full_scan.nmap, full_scan.xml, full_scan.gnmap

# 3. VULNERABILITY SCAN
nmap --script=vuln -p- 10.10.4.10 -oN vulnerability_scan.txt

# 4. UDP SCAN (top ports only - UDP is slow)
sudo nmap -sU --top-ports 100 10.10.4.10 -oN udp_scan.txt

# 5. WEB ENUMERATION
nikto -h http://10.10.4.10 -o nikto_scan.txt

# 6. SMB ENUMERATION
enum4linux -a 10.10.4.10 > smb_enum.txt
# -a = all enumeration (users, shares, groups, etc.)

# 7. ORGANIZE FINDINGS
grep "open" full_scan.nmap > open_ports.txt
# Extract only open ports

# 8. CREATE SUMMARY
cat << EOF > RECONNAISSANCE_SUMMARY.txt
TARGET: Metasploitable 2 (10.10.4.10)
SCAN DATE: $(date)
SCANNER: Kali Linux (10.10.2.x)

OPEN PORTS:
$(cat open_ports.txt)

HIGH-RISK SERVICES IDENTIFIED:
- vsftpd 2.3.4 (Port 21) - Known backdoor vulnerability
- SSH 4.7p1 (Port 22) - Outdated, weak key exchange
- Samba 3.x (Port 139/445) - Multiple known exploits
- MySQL (Port 3306) - Empty root password

NEXT STEPS:
1. Research CVEs for identified service versions
2. Prepare exploit modules in Metasploit (Module 3)
3. Document attack vectors for reporting
EOF

cat RECONNAISSANCE_SUMMARY.txt
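
A complement to steps 7 and 8, added here and not part of the original module: instead of grepping the .nmap file, parse the grepable full_scan.gnmap that -oA also writes, which keeps port, state, service and version as separate fields. The sample lines are constructed in the .gnmap format, not real output from this lab.

```python
import re

# Constructed lines in the grepable (.gnmap) format that -oA writes; not real output from this lab.
# Each port entry is port/state/proto/owner/service/rpc/version/ and nmap writes any "/" inside
# a field as "|" (see the Apache DAV entry), which the parser reverses.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -sV -p- -T4 -oA full_scan 10.10.4.10\n"
    "Host: 10.10.4.10 ()\tStatus: Up\n"
    "Host: 10.10.4.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 443/closed/tcp//https///, "
    "3306/open/tcp//mysql//MySQL 5.0.51a-3ubuntu5/\tIgnored State: closed (65530)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/(?P<owner>[^/]*)/"
    r"(?P<service>[^/]*)/(?P<rpc>[^/]*)/(?P<version>[^/]*)/$"
)

def parse_gnmap(text):
    """Return {host: [port dicts]} from grepable output; lines without a Ports field are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            m = PORT_RE.match(entry.strip())
            if m is None:
                continue
            rec = {k: v.replace("|", "/") for k, v in m.groupdict().items()}
            rec["port"] = int(rec["port"])
            hosts.setdefault(host, []).append(rec)
    return hosts

def open_services(hosts, host):
    """(port, proto, service, version) for every open port on one host, sorted by port."""
    return sorted((r["port"], r["proto"], r["service"], r["version"])
                  for r in hosts.get(host, []) if r["state"] == "open")

def summary_lines(hosts, host):
    """Lines in the shape of the OPEN PORTS block of RECONNAISSANCE_SUMMARY.txt."""
    return [f"{p}/{proto} open {svc} {ver}".rstrip()
            for p, proto, svc, ver in open_services(hosts, host)]

if __name__ == "__main__":
    print("\n".join(summary_lines(parse_gnmap(SAMPLE_GNMAP), "10.10.4.10")))
```

Replace SAMPLE_GNMAP with `open("full_scan.gnmap").read()` to run it against your own scan output.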

Deliverable: Full reconnaissance directory with all scan outputs and summary report.


NETWORK TRAFFIC ANALYSIS EXERCISES

Exercise 1: Baseline vs Anomalous Traffic

# CAPTURE NORMAL TRAFFIC
sudo tcpdump -i eth0 -w normal_traffic.pcap -c 1000
# -c 1000 = stop automatically after 1000 packets
# Let normal background traffic run for about a minute (Ctrl+C to stop early)

# CAPTURE SCAN TRAFFIC
sudo tcpdump -i eth0 -w scan_traffic.pcap &
sudo nmap -T4 -p- 10.10.4.10
sudo pkill tcpdump

# COMPARE IN WIRESHARK
wireshark normal_traffic.pcap &
wireshark scan_traffic.pcap &

# What to look for in scan traffic:
# - High packet rate (thousands of SYNs per second)
# - Sequential destination ports (80, 81, 82, 83...)
# - Many RST packets (aborted connections)
# - Single source IP targeting single destination
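
The four indicators listed above, implemented as an added detection example that is not part of the original module: it scores each client-to-server pair for SYN rate, distinct and sequential destination ports, and RST count over a constructed capture that mixes baseline sessions with a scan from an assumed address 10.10.2.99.

```python
from collections import defaultdict, namedtuple

# One record per frame (constructed, not a real capture): ts in seconds, TCP flag letters.
# dport only matters for client->server packets; replies carry 0.
Pkt = namedtuple("Pkt", "ts src dst dport flags")

TARGET = "10.10.4.10"     # the module's target; the client addresses below are assumed

def make_normal():
    """Baseline: three ordinary sessions to the target spread over 50 seconds."""
    pkts = []
    for i, (client, port) in enumerate([("10.10.2.50", 80), ("10.10.2.51", 443), ("10.10.2.50", 443)]):
        t = i * 25.0
        pkts += [Pkt(t, client, TARGET, port, "S"), Pkt(t + 0.01, TARGET, client, 0, "SA"),
                 Pkt(t + 0.02, client, TARGET, port, "A"), Pkt(t + 5.0, client, TARGET, port, "FA")]
    return pkts

def make_scan(scanner="10.10.2.99", start=100.0):
    """SYN scan of ports 1-200 at 100 probes/s; 21, 22 and 80 answer SYN-ACK, the rest RST-ACK."""
    pkts, open_ports = [], {21, 22, 80}
    for i, port in enumerate(range(1, 201)):
        t = start + i * 0.01
        pkts.append(Pkt(t, scanner, TARGET, port, "S"))
        if port in open_ports:
            pkts += [Pkt(t + 0.001, TARGET, scanner, 0, "SA"), Pkt(t + 0.002, scanner, TARGET, port, "R")]
        else:
            pkts.append(Pkt(t + 0.001, TARGET, scanner, 0, "RA"))
    return pkts

def features(packets):
    """Per client->server pair: SYN count and rate, distinct/sequential destination ports, RSTs."""
    pairs = defaultdict(lambda: {"ts": [], "ports": set(), "rst": 0})
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:      # a bare SYN defines the client->server pair
            pairs[(p.src, p.dst)]["ts"].append(p.ts)
            pairs[(p.src, p.dst)]["ports"].add(p.dport)
    for p in packets:
        if "R" in p.flags:                             # RST in either direction of a known pair
            key = (p.src, p.dst) if (p.src, p.dst) in pairs else (p.dst, p.src)
            if key in pairs:
                pairs[key]["rst"] += 1
    out = {}
    for pair, f in pairs.items():
        span = max(f["ts"]) - min(f["ts"])
        ports = sorted(f["ports"])
        consecutive = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
        out[pair] = {
            "syns": len(f["ts"]),
            "syn_rate": len(f["ts"]) / span if span > 0 else float(len(f["ts"])),
            "distinct_ports": len(ports),
            "sequential_ratio": consecutive / max(len(ports) - 1, 1),
            "rst": f["rst"],
        }
    return out

def flag_scanners(packets, min_ports=20, min_rate=50.0):
    """Pairs whose port spread and SYN rate both exceed the thresholds (tune them to your baseline)."""
    return [pair for pair, f in features(packets).items()
            if f["distinct_ports"] >= min_ports and f["syn_rate"] >= min_rate]
```

A T1 scan spreads the same probes over minutes, so the rate threshold alone misses it; the distinct-port and sequential-port features are what still catch it.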

Exercise 2: Protocol Distribution Analysis

1. Open scan_traffic.pcap in Wireshark
2. Statistics > Protocol Hierarchy
   - Shows % of each protocol (TCP, UDP, ICMP)
   - Scan traffic = 99% TCP SYN
3. Statistics > Conversations
   - Shows IP pairs and packet counts
   - Scan = One conversation with thousands of packets
4. Statistics > I/O Graph
   - Visualize packet rate over time
   - Scan = Sharp spike during scan period

Deliverable: Screenshot of Wireshark Protocol Hierarchy showing scan traffic composition.


TROUBLESHOOTING GUIDE

Issue: Nmap shows "Host seems down"

# Check connectivity first
ping 10.10.4.10

# If ping works but nmap doesn't:
sudo nmap -Pn 10.10.4.10
# -Pn = Skip host discovery (assume host is up)

# Check firewall rules in pfSense
# Ensure RED_TEAM → VICTIM_NET is allowed

Issue: Wireshark shows "Permission denied"

# Run with sudo
sudo wireshark

# Or add user to wireshark group (better practice)
sudo usermod -aG wireshark $USER
# Logout and login for changes to take effect

Issue: tcpdump captures no packets

# Verify correct interface
ip addr show
# Use correct interface name (eth0, ens18, etc.)

# Check if interface is up
sudo ip link set eth0 up

# Verify you're capturing right traffic
sudo tcpdump -i eth0 -n
# -n = Don't resolve hostnames (faster)
# Should see packets scrolling

Issue: Nmap scan is extremely slow

# Use faster timing
sudo nmap -T4 10.10.4.10

# Scan fewer ports initially
nmap -F 10.10.4.10  # Fast mode (100 ports)

# Disable ping check
sudo nmap -Pn -T4 -p 1-1000 10.10.4.10

PROFESSOR'S GUIDANCE

Understanding Reconnaissance in Real Engagements

Lab environment vs Production:

  • Lab: Aggressive scans (T4, T5) are fine - you own the network
  • Production: Use T2-T3, rate limiting, blend with normal traffic
  • Legal requirement: Always have written authorization before scanning

Reconnaissance is Not Just Tool Execution

Poor approach: "I ran nmap -A and got results"

Professional approach:

  1. Scope definition: What am I allowed to scan?
  2. Passive recon first: OSINT, DNS lookups, public records
  3. Strategic scanning: Scan incrementally (common ports → all ports)
  4. Service enumeration: Deep dive into discovered services
  5. Vulnerability mapping: Match versions to CVE databases
  6. Documentation: Detailed notes for exploitation phase
  7. Traffic analysis: Understand what your tools do on the wire

Common Student Mistakes

1. Running scans without capturing traffic:

  • You learn HOW attacks work by seeing packets
  • Future you (as defender) needs to recognize these patterns

2. Not saving scan outputs:

  • Use -oA to save all formats
  • XML output can be imported into tools like Metasploit

3. Ignoring UDP services:

  • UDP is stateless, harder to scan, but critical (DNS, SNMP, TFTP)
  • Always include UDP scans in assessments

4. Over-relying on automated tools:

  • Nikto finds 100 issues → 95 are false positives
  • Manual verification is essential

Time Investment

  • Initial VM deployment: 1-2 hours
  • Nmap fundamentals: 2-3 hours
  • Wireshark packet analysis: 2-4 hours (most important!)
  • Service enumeration: 2-3 hours
  • Comprehensive assessment: 1-2 hours

Total: 8-14 hours

Real-World Skills Developed

By mastering this module, you can:

  • Perform network reconnaissance in penetration tests
  • Analyze packet captures for incident response
  • Identify suspicious scanning in SOC role
  • Understand attacker methodology (kill chain Phase 1: Reconnaissance)

KNOWLEDGE CHECK

Before proceeding to MOD3, you should be able to:

  1. Explain the difference between -sS and -sT scans

    • Answer: -sS (SYN scan) doesn't complete handshake (stealth), -sT (Connect) uses full connection
  2. What does a SYN-ACK response indicate?

    • Answer: Port is OPEN and accepting connections
  3. Why do attackers use decoy scans (-D)?

    • Answer: To hide their real IP among fake sources, making attribution harder
  4. In Wireshark, how do you filter for only SYN packets?

    • Answer: tcp.flags.syn == 1 && tcp.flags.ack == 0
  5. Name 3 high-risk services found on Metasploitable

    • Answer: vsftpd 2.3.4 (backdoor), Samba 3.x (exploitable), MySQL (empty password)
  6. What tool enumerates SMB shares?

    • Answer: enum4linux, smbclient, or nmap --script=smb-enum-shares
  7. Why should UDP scans use --top-ports?

    • Answer: UDP scans are slow (no handshake confirmation), limiting to top ports is practical

DELIVERABLES CHECKLIST

Before proceeding to Module 3, submit/complete:

  • Full nmap scan output (-oA format)
  • Wireshark PCAP of SYN scan with annotations
  • Nikto web scan results
  • SMB enumeration output (enum4linux)
  • Reconnaissance summary report
  • Screenshots showing:
    • TCP three-way handshake in Wireshark
    • SYN scan RST behavior
    • Wireshark protocol hierarchy of scan traffic
    • Nmap version detection output

END OF MODULE 2

Next Steps:

  1. Review all captured PCAPs - understand what each scan looks like
  2. Save all scan outputs to ~/recon/metasploitable/ directory
  3. Take snapshot of Kali VM: "Post-MOD2-Reconnaissance"
  4. Proceed to MOD3: Exploitation & Post-Exploitation

Remember: Every offensive technique you learn has a defensive counter. When you configure Security Onion in MOD4, you will create rules to detect these exact scans!