s0merset7's Blog

External Pen-Testing

Published on

Note: Much of the information below is summarized from Gus Khawaja's Pluralsight course "Penetration Testing and Ethical Hacking with Kali Linux". Much credit goes to Gus's expertise! Check out his blog in the sources, and see how to get started with Pluralsight

External Pen Testing is the process of testing the security of an organization's systems that are exposed to the internet. It involves the discovery and exploitation of known and unknown vulnerabilities from the perspective of an outside attacker who starts with no access.

  1. Traceroute: a diagnostic tool that lets you view the route an IP packet takes from one host to another
    1. By running the command traceroute domainName, where domainName is the domain of your choice, we can see how many hops a packet takes to reach its destination and how long each hop takes. Traceroute sends probes with an increasing Time To Live (TTL); each router that drops an expired probe replies with an ICMP Time Exceeded message, which is how the address of every hop is learned. Keep in mind that the Linux traceroute sends UDP probes by default (the Windows tracert sends ICMP Echo Requests); traceroute -I switches to ICMP probes and traceroute -T to TCP SYN probes, which is useful when a firewall drops UDP
      Example: traceroute google.com can be seen to take 9 hops to get from my computer to the Google server. We can see the IP address of each hop along the way as well as the round trip time to that hop (each hop is timed on its own, so the values are not a running total, although they usually grow with distance) Traceroute Response
    2. We can perform the same trace over Transmission Control Protocol (TCP) by running nmap -v --traceroute domainName, where -v asks for "Verbose" (more detailed) output and domainName is the domain of your choice. Nmap runs the trace after its port scan and reuses the protocol and port the scan found most likely to reach the target (typically a TCP SYN probe to an open port), which is why it often gets through where plain traceroute is blocked
      Example: nmap -v --traceroute 10.10.10.75 (10.10.10.75 is the IP address of a HackTheBox machine for this example, but any domain or IP address will work). Here we can see several pieces of information. First there is a list of scans and other tasks being initiated and completing (shown as a result of our -v flag). We then see the different ports, their state, and the service nmap associates with each. Finally we see the result of our traceroute (which shows that it took two hops), the IP address at each hop, and the Round Trip Time (RTT) to that hop, that is, the time it took for a probe to reach the given IP address AND for the reply to come back to our device. There is also a short summary at the bottom with more details of the scan itself
      Nmap Response
  2. Live Host Discovery (Ping): After running a traceroute test, we want to perform a ping sweep against our target address to look for any response that would indicate the target is live
    1. The first thing we can try is the ping domainName command. We can also add the -c integerNumber flag, where integerNumber is the number of packets we want to send (without it, Linux ping runs until interrupted). Keep in mind that by default ping uses ICMP Echo Request packets, so if a firewall in front of our host drops ICMP we may not get a response even though the host is up
      Example: ping 10.10.10.75 -c 3 (here again I am using the Hack The Box machine IP). This command sends 3 ICMP Echo Requests to the given IP address, and from the results we can see the sequence number of each reply, the size of the packet, the round trip time, as well as a summary saying all packets were answered ("0% packet loss"). However, when I try pluralsight.com with ping pluralsight.com -c 3, we can see "100% packet loss" as no replies came back. This means that our host (pluralsight.com in this case) is either down, or a firewall is dropping these packets; a failed ping on its own is not proof that a host is down, which is why we try other probe types next
      Ping Response
    2. If we need to send more specific probes, we can use hping3, a tool that allows for much more customization (it builds the packets itself, so it needs root; run it with sudo). To see all of the options, run hping3 -h for the help menu
      Example: Going back to Pluralsight, we can run hping3 -S pluralsight.com -p 80 -c 3, which sends three packets to Pluralsight, but the -S flag makes those packets TCP synchronize (SYN) packets, the first packet of a TCP handshake, as opposed to our previous ICMP packets. The -p 80 flag specifies the destination port (in this case port 80, the standard port for unencrypted HTTP; HTTPS sites answer on 443) and our -c 3 flag indicates we want to send only 3 packets. We can see in our results that this time our packets are answered: hping3 prints the flags of each reply, and flags=SA (SYN/ACK) means the port is open and the host is certainly up, while flags=RA (RST/ACK) would mean the host is up but the port is closed. The rest of the output is similar to ping, with an RTT per reply and a loss summary, plus a few details specific to TCP
      hping3 Response
    3. There is also the nmap command, which allows us to do the same kind of tests as ping and hping3 in one go and on a much larger scale (a whole address range at once). There are MANY different flags and usages for nmap; this is only one very specific usage of the command and I recommend you do your own research to find out more
      Example: nmap -T4 -sn pluralsight.com -v will run nmap with -T4 selecting timing template 4 (templates run from -T0, the slowest, to -T5, the fastest), -sn telling nmap that we only want host discovery, that is a ping scan instead of a port scan, and -v being our verbose flag. For a remote target, nmap's host discovery does not rely on ICMP alone: run as root it sends an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and a reply to any of them marks the host as up (as an unprivileged user it falls back to TCP connect attempts to ports 80 and 443). From our output, we can see how long the scan took, how many hosts were found, and a simple confirmation telling us our host is up
      Nmap Ping Scan Response
  3. Port Scan: Port scanning is the process of probing a target's TCP and User Datagram Protocol (UDP) ports to determine what services and applications are running on the system. Both TCP and UDP offer 65,535 usable port numbers. Most of the time a system only exposes services on a small subset of them, above all the well-known ports 0 through 1023, so those are the ports people mainly focus on. Nmap is the application of choice for port scanning, as it crafts special packets to send to our target and infers information about the system from the replies. As mentioned before, there are many different ways to use nmap and you should research the different options, as I will only be explaining the specific examples below
    Example: nmap -T4 -v -Pn -n -sS --top-ports 100 --max-parallelism 10 -oA nmapSYN 10.10.10.75. Let's break this down:
    -T4 tells nmap to use timing template 4 (templates run from -T0, the slowest, to -T5, the fastest)
    -v means verbose and makes our output much more detailed
    -Pn tells nmap to skip host discovery and treat the host as online; this is what you want when, as above, the host does not answer pings
    -n means that no reverse DNS resolution will be done (the process of translating an IP address back to a hostname), which saves time and avoids sending extra DNS queries
    -sS tells nmap that we want a TCP SYN scan, so each probe is a TCP SYN packet (this needs root, since nmap builds the packets itself; without it nmap falls back to a full-connect -sT scan)
    --top-ports 100 indicates we only want to scan the 100 most commonly open ports according to nmap's frequency data, as opposed to all 65,535 of them (we can change 100 to whatever number we want)
    --max-parallelism 10 limits the number of outstanding probes to 10, meaning at most 10 probes can be unanswered at any one time (the value can be changed, but the higher it is, the more load you place on the network and the target, and the likelier you are to trip rate limiting or a firewall)
    -oA nmapSYN indicates that we want the output saved under the base name nmapSYN in all three formats at once: Normal (nmapSYN.nmap), Grepable (nmapSYN.gnmap) and XML (nmapSYN.xml)
    10.10.10.75 is our host IP address (which can also be a domain name), which again is a Hack The Box machine

    These results are similar to what we saw earlier when we were performing our ping scan with nmap: we can see which ports are open, what service is expected on them, and how long the scan took. However, the port scan we just performed (a SYN scan, also known as a half-open scan) only checked whether each port would be willing to start a connection (that's what a SYN packet does, request a connection) and never completed the handshake. A SYN/ACK reply marks the port open (nmap immediately answers it with a RST so the half-open connection is torn down and no application ever sees it), a RST reply marks it closed, and no reply or an ICMP unreachable error marks it filtered
    Nmap SYN Scan
    Example2: nmap -T4 -v -Pn -n -sA --top-ports 100 --max-parallelism 10 -oA nmapACK 10.10.10.75. This is the same command as before with two differences: we replaced -sS with -sA, changing the probes from TCP SYN to TCP ACK packets, and we write the output to nmapACK so the SYN scan's files are not overwritten. Instead of trying to initiate a TCP connection, an unsolicited ACK asks only whether a port is filtered or unfiltered: an unfiltered port, open or closed alike, answers with a RST, while a filtered port gives no reply or an ICMP error. An ACK scan therefore cannot tell open from closed, but comparing it with the SYN scan maps the firewall rules: a port that is open to SYN yet filtered to ACK sits behind a stateful firewall, and a port unfiltered to ACK but filtered to SYN is protected only by a stateless rule against connection attempts
    Nmap ACK Scan
    Example3: nmap -T5 -Pn -A -oA nmapComplete 10.10.10.75. This command drops a few of the earlier flags and adds a new one, -A, which enables the aggressive option set: OS detection (-O), service version detection (-sV), the default NSE script scan (-sC) and traceroute (--traceroute). -T5, the "insane" template, is the fastest and can miss results on slow or filtered links, so fall back to -T4 if the output looks incomplete. This aggressive scan takes longer than the others to execute because it also probes every open port for banners. Looking at the results, we can see much more information, such as the service running on each port as well as details about the service itself, like its product name and version number. There are also guesses as to which operating system the host is running. We can also see the summary from the traceroute
    Nmap Aggressive Scan
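Under the hood, hping3 -S and nmap -sS both hand-build the TCP SYN segment that ping cannot send, and then read the port state off the reply. The following Python is an added example (not code from the original post, from hping3 or from nmap) that builds such a segment with a correct checksum, decodes a reply and classifies it the way those tools do. The addresses 192.0.2.10 and 192.0.2.20, the ports and the sequence numbers are made-up values; actually transmitting the segment needs a raw socket and root, so send_syn is provided but never called.

```python
"""Build, verify and interpret a raw TCP SYN probe (what hping3 -S sends).

Added example, not taken from the original post, hping3 or nmap. All
addresses, ports and sequence numbers below are made up for the demonstration.
"""
from __future__ import annotations

import socket
import struct

# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIBBHHH"
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo header the TCP checksum also covers: src, dst, zero, protocol 6, TCP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=512) -> bytes:
    """Return a 20-byte TCP header (no options, no payload) with a valid checksum."""
    fields = [sport, dport, seq, ack, 5 << 4, flags, window, 0, 0]   # data offset = 5 words
    draft = struct.pack(TCP_HDR, *fields)                            # checksum field zeroed
    fields[7] = inet_checksum(pseudo_header(src_ip, dst_ip, len(draft)) + draft)
    return struct.pack(TCP_HDR, *fields)


def build_syn(src_ip, dst_ip, sport, dport, seq) -> bytes:
    """The probe hping3 -S and nmap -sS send: only the SYN flag set, ack number 0."""
    return build_segment(src_ip, dst_ip, sport, dport, seq, 0, TCP_SYN)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header into named fields."""
    sport, dport, seq, ack, off, flags, window, cksum, _ = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off >> 4, "flags": flags, "window": window, "checksum": cksum}


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A correctly checksummed segment sums to zero once its checksum field is included."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_reply(reply: bytes | None) -> str:
    """Read the port state off the reply the way hping3 (flags=SA / flags=RA) and nmap do."""
    if reply is None:
        return "filtered: no reply, dropped by a firewall or the host is down"
    flags = parse_tcp_header(reply)["flags"]
    if flags & TCP_SYN and flags & TCP_ACK:
        return "open: SYN/ACK, host is up and the port accepts connections"
    if flags & TCP_RST:
        return "closed: RST, host is up but nothing listens on the port"
    return f"unexpected flags 0x{flags:02x}"


def send_syn(src_ip, dst_ip, sport, dport, seq) -> None:
    """Transmit the probe. Needs CAP_NET_RAW (root); the kernel adds the IP header.
    Capturing the reply needs a sniffer as well, which is left out of this example."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as raw:
        raw.sendto(build_syn(src_ip, dst_ip, sport, dport, seq), (dst_ip, 0))


if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"      # made-up addresses from TEST-NET-1
    syn = build_syn(src, dst, 40000, 80, 1000)
    print(syn.hex(), parse_tcp_header(syn), checksum_ok(src, dst, syn))
    # Simulated replies: SYN/ACK from an open port, RST/ACK from a closed one, and silence.
    for reply in (build_segment(dst, src, 80, 40000, 7, 1001, TCP_SYN | TCP_ACK),
                  build_segment(dst, src, 80, 40000, 0, 1001, TCP_RST | TCP_ACK), None):
        print(classify_reply(reply))
```

The checksum is the part people get wrong when crafting probes by hand: it covers a pseudo header with the IP addresses as well as the TCP header itself, so a segment built for one destination is silently discarded if you send it to another. checksum_ok shows the receiver-side check, and flipping a single flag bit is enough to make it fail.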
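Once -oA has written nmapSYN.xml and nmapACK.xml, reading the SYN and ACK results side by side is what turns two port lists into a picture of the firewall. The following Python is an added example, not code from the original post or from nmap, that parses nmap's XML output (it also handles the host-only output of a -sn scan), lists open ports and combines a SYN scan with an ACK scan of the same host port by port. The two XML documents embedded in it are constructed by hand in nmap's XML format to stand in for real scan files; their port states are invented for the demonstration and say nothing about the actual 10.10.10.75 machine.

```python
"""Parse nmap XML output (-oX, or the .xml file from -oA) and combine a SYN
scan with an ACK scan of the same host to read off firewall behaviour per port.

Added example, not from the original post or from nmap. SYN_XML and ACK_XML
are hand-constructed in nmap's XML format; the states in them are invented.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed stand-in for nmapSYN.xml (nmap -sS); not real scan data.
SYN_XML = """<nmaprun scanner="nmap" args="nmap -sS --top-ports 5 10.10.10.75" version="7.94">
<host><status state="up" reason="user-set"/><address addr="10.10.10.75" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

# Constructed stand-in for nmapACK.xml (nmap -sA) of the same host; not real scan data.
ACK_XML = """<nmaprun scanner="nmap" args="nmap -sA --top-ports 5 10.10.10.75" version="7.94">
<host><status state="up" reason="user-set"/><address addr="10.10.10.75" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="unfiltered" reason="reset"/><service name="ssh"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="unfiltered" reason="reset"/><service name="https"/></port>
<port protocol="tcp" portid="3389"><state state="unfiltered" reason="reset"/><service name="ms-wbt-server"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    reason: str    # why nmap chose the state: syn-ack, reset, no-response, ...
    service: str   # service name nmap guessed from its port table (or -sV)


def parse_nmap_xml(xml_text: str) -> dict[str, list[PortResult]]:
    """Map each host nmap marked 'up' to its per-port results (an empty list for -sn output).
    The stdlib parser is fine for files you generated yourself; for XML that comes from
    an untrusted party use defusedxml instead."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        ports = []
        for port in host.iter("port"):
            state, service = port.find("state"), port.find("service")
            ports.append(PortResult(
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                state=state.get("state"),
                reason=state.get("reason", ""),
                service=service.get("name", "") if service is not None else "",
            ))
        hosts[addr] = sorted(ports, key=lambda p: (p.proto, p.port))
    return hosts


def live_hosts(xml_text: str) -> list[str]:
    """Addresses reported up; for -sn output this is the whole result."""
    return sorted(parse_nmap_xml(xml_text))


def open_ports(xml_text: str) -> dict[str, list[PortResult]]:
    return {addr: [p for p in ports if p.state == "open"]
            for addr, ports in parse_nmap_xml(xml_text).items()}


def classify(syn_state: str, ack_state: str) -> str:
    """Combine the SYN-scan and ACK-scan state of one port into a firewall verdict."""
    verdicts = {
        ("open", "unfiltered"): "open, reachable with no stateful filtering seen",
        ("closed", "unfiltered"): "closed, host reachable and nothing listening",
        ("open", "filtered"): "open behind a stateful firewall (SYN allowed, bare ACK dropped)",
        ("filtered", "filtered"): "filtered, firewall drops both SYN and ACK",
        ("filtered", "unfiltered"): "SYN dropped but bare ACK answered: stateless rule against connection attempts",
    }
    return verdicts.get((syn_state, ack_state), f"unexpected combination syn={syn_state} ack={ack_state}")


def firewall_map(syn_xml: str, ack_xml: str) -> dict[tuple[str, str, int], str]:
    """Join a SYN scan and an ACK scan of the same hosts on (address, protocol, port)."""
    syn, ack = parse_nmap_xml(syn_xml), parse_nmap_xml(ack_xml)
    verdicts = {}
    for addr, syn_ports in syn.items():
        ack_states = {(p.proto, p.port): p.state for p in ack.get(addr, [])}
        for p in syn_ports:
            verdicts[(addr, p.proto, p.port)] = classify(p.state, ack_states.get((p.proto, p.port), "not scanned"))
    return verdicts


if __name__ == "__main__":
    for (addr, proto, port), verdict in firewall_map(SYN_XML, ACK_XML).items():
        print(f"{addr} {port}/{proto}: {verdict}")
```

To use it on real output, read nmapSYN.xml and nmapACK.xml from disk and pass their contents in place of the two constructed strings. The XML is the format to parse: the Normal output is meant for humans and changes between versions, and the Grepable format is officially deprecated.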

Sources