8/12/2019 CEH_LAB1
1/11
Certified Ethical Hacker Penetration Testing Rich Macfarlane 1
Lab 1: CEH Penetration Testing
3.1 Details
Aim: The aim of this lab is to investigate Reconnaissance, or Footprinting and Scanning, of an
organisation. The pre-attack phases of footprinting and scanning are typically the first steps
in the process an ethical hacker will follow when performing a Penetration Test.
Passive Reconnaissance is performed first by gathering information from outside the
target network, followed by Active Reconnaissance where packets are sent into the
network to map and enumerate targets.
[Figure: Penetration Tester, under a Written Agreement (Scope of Pen Test), performing Passive Recon and then Active Recon over the Internet against the target network (Mgt, Bob).]
One who knows the enemy and knows himself will not be in danger in a hundred battles
Sun Tzu, The Art of War 500 BC (Tzu, 500 BC)
3.2 Activities
3.2.1 Information Gathering
An organisation's web site is a good place to start when gathering information as part of a
penetration test. Search for the current Napier University Web site using the google search
engine. Navigate to postgraduate courses on offer.
Questions
Q What is the target Web domain google has returned?
Q Which postgraduate School of Computing courses with Advanced in the title are on offer?
Q Is browsing the target organisation's web site Passive or Active Reconnaissance?
A lot of data the penetration tester may want to investigate may no longer be available on
the website, but is saved in Internet caches.
The website www.archive.org can be used to view archived web pages. Go to the web site,
and use the WayBackMachine to browse archived web pages from the Napier Web Site, as
shown below.
Browse the archived web pages from 2008.
Questions
Q Which postgraduate courses with Advanced in the title have been added since Sep 2008?
To check for subdomains, go to the Netcraft.com website, and search on the napier.ac.uk
domain, as shown below.
Questions
Q Which subdomains have been returned?
Another good resource for information gathering is an organisation's staff directory. Social
engineering could be used to call these staff and get information, as shown below. Another
way would be to call the helpdesk on behalf of these staff who have forgotten their
passwords and to have them reset to the defaults!
[Figure: social engineering phone call over the Internet. Penetration Tester: "Can I have your details please?" Bob: "Yeah, no problem, hold on."]
From the current Napier web site browse to the School of Computing Staff and find the details of a couple of Lecturers from the School of Computing.
Questions
Q What information can be gathered from the staff page?
Now use google to search using the keywords napier + the name of a lecturer, such as shown
below.
Questions
Q Which new sub domain has been returned?
Q What extra information can be gathered from the IIDI people page?
Google Hacking is a term used to describe the use of advanced features of the google search
engine. This can turn google into a powerful information gathering, and vulnerability search,
tool.
Search for web pages linked to the Napier domain, using the google search link: operator, and
keywords napier.ac.uk, as shown below.
Questions
Q List some external pages linked to Napier's web site.
Use the inurl: operator with the same napier domain keywords, and perform an images
search by clicking the images menu option on the left, as shown below.
Note: The Google Hacking Database (GHDB) http://johnny.ihackstuff.com/ghdb/ is a
resource which can be used to help in penetration testing, and contains what is known as
Google Dorks. Dorks are the search queries used to gather specific useful information, such
as indications of Vulnerabilities, or Usernames and Passwords.
Use the dork "unable to jump to row" "on mysql result index" "on line" from the google
search engine, as shown below.
This identifies web applications which are susceptible to SQL Injection attacks. The dork
contains error strings which indicate web applications which have the vulnerability.
Questions
Q How many results were returned?
Add the google search operator site: and the keywords napier.ac.uk to check if the Napier
domain has any such flaws.
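The dork above keys on verbose database error strings that a web application has leaked into its pages. The site owner's counterpart to this search is to run the same signatures over their own site's responses and fix the leakage before a search engine indexes it. The following is an added example and is not part of the lab handout: the two phrases quoted in the text are taken from the dork, the remaining signatures are a generic list assumed here, and the sample page bodies and example.ac.uk URLs are constructed.

```python
"""Defensive check for the verbose database error strings the GHDB dork keys on.
Run over your own site's responses (here: constructed sample page bodies) so
error leakage is found and fixed before it is indexed. Added example, not the
handout's own code."""
import re

# Two fragments from the dork in the text, plus a few other common verbose
# database-error signatures (assumption: a generic list, not from the handout).
LEAK_SIGNATURES = [
    r"unable to jump to row",
    r"on mysql result index",
    r"you have an error in your sql syntax",
    r"warning:\s+mysql_fetch_array\(\)",
    r"supplied argument is not a valid mysql result resource",
]
_PATTERN = re.compile("|".join(LEAK_SIGNATURES), re.IGNORECASE)


def find_leaks(pages):
    """pages: dict url -> HTML body. Returns {url: [matched signatures]} for
    every page whose body contains at least one verbose database error."""
    findings = {}
    for url, body in pages.items():
        hits = sorted({m.group(0).lower() for m in _PATTERN.finditer(body)})
        if hits:
            findings[url] = hits
    return findings


# Constructed sample responses standing in for a crawl of one's own site.
SAMPLE_PAGES = {
    "https://www.example.ac.uk/courses.php?id=1":
        "<html><body><h1>Courses</h1><p>MSc Advanced Security</p></body></html>",
    "https://www.example.ac.uk/staff.php?id=99":
        "<b>Warning</b>: Unable to jump to row 0 on MySQL result index 3 "
        "in <b>/var/www/staff.php</b> on line <b>42</b>",
    "https://www.example.ac.uk/search.php":
        "You have an error in your SQL syntax; check the manual that corresponds",
}

if __name__ == "__main__":
    for url, hits in find_leaks(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(hits))
```

A page that matches is one where the application is printing raw database errors to the client; the fix is to log the error server-side and return a generic message, after which the dork no longer finds the page even if the underlying query is still unsafe, so the matching pages should also be reviewed for the injection flaw itself.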
Domain Name Information
Domain name information is now very easy to get via websites. Regional Internet Registries (RIRs)
manage public IP addresses within regions, such as ARIN for the Americas, and RIPE for Europe.
The main tool to query Domain Name Services (DNS) is Whois. It returns information about a specific
domain name, such as contact person, address, phone numbers and DNS Servers. Linux has the
whois tool built in, and it can be run from the command line. From Windows download the Sam
Spade tool from www.samspade.org or use a web based whois tool, such as at:
www.ripe.net
www.dnsstuff.com
www.whoisdomaintools.com
www.samspade.org
Use a web site tool to gather information on the napier.ac.uk domain:
Questions
Q List the Registrar Contact, Phone Number, Campus Address, and Email Address:
Q List any Server IP Addresses:
The DNS Results should look similar to the following:
The subdomains found can also be investigated further.
The contact details and other information gathered here could be used for social engineering
or for wardialing.
Questions
Q Which particular information might be used for wardialing for modems?
Q Are Social Engineering and Wardialing Active or Passive Reconnaissance?
Note: Wardialing is a reconnaissance technique where a modem automatically dials phone
numbers looking for computer systems. The term, along with others such as backdoor, is
from the film WarGames (Badham, 1983), in which a teenager hacks into the US DoD war
simulation computer system and very nearly starts WWIII.
Film Trailer: http://www.youtube.com/watch?v=tAcEzhQ7oqA
3.2.1 Determining the Network Range
DNS Enumeration
Additional information can be found from the DNS servers, using the nslookup tool. This can
provide system name and IP Address information. Open a command window and use the
following command to find the IP Address of Napier's web server.
nslookup www.napier.ac.uk
Questions
Q What is the IP Address of the Web Server?
The nslookup output should look similar to the following:
To check the Web Server IP Address is correct, run the network traffic sniffer Wireshark.
Select Capture > Interfaces, and start sniffing the traffic on the interface with packets flowing
through it (it should be the wired Ethernet interface in the lab).
Browse to the Napier Web Server (use CTRL+F5 to refresh the page from the server and not
the local cache). Stop the capture with Capture>Stop. The results should look similar to below.
Questions
Q What is the IP Address of the Web Server?
The subdomains found can be enumerated in the same way.
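The nslookup output the lab asks the reader to read by eye has two parts that are easy to confuse: the Server/Address header names the resolver that answered, and the section after "Non-authoritative answer:" holds the target's names and addresses. The parser below separates them for both the Linux (BIND-style) and the Windows output layouts. This is an added example, not code from the handout; the two sample outputs are constructed using example.org names and RFC 5737 / RFC 3849 documentation addresses, not the result of a real lookup.

```python
"""Parse nslookup output into structured data: the resolver that answered, whether
the answer was authoritative, and the (name, address) pairs for the target.
Added example, not from the handout; sample outputs are constructed."""
import ipaddress
import re

# Constructed Linux/BIND-style output, as `nslookup www.example.org` would print
# on the lab's Linux boxes: resolver 192.0.2.53, answer reached via a CNAME.
LINUX_SAMPLE = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
www.example.org\tcanonical name = web.example.org.
Name:\tweb.example.org
Address: 192.0.2.10
Name:\tweb.example.org
Address: 2001:db8::10
"""

# Constructed Windows-style output for the same name.
WINDOWS_SAMPLE = """\
Server:  resolver.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    web.example.org
Addresses:  2001:db8::10
          192.0.2.10
Aliases:  www.example.org
"""


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _add_ip(result, name, value):
    if _is_ip(value):
        result["answers"].append((name, value))


def parse_nslookup(text):
    result = {"resolver": None, "authoritative": True, "answers": [], "aliases": []}
    in_answer, current_name = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Non-authoritative answer"):
            result["authoritative"] = False
            in_answer = True
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not in_answer:
            # Header block: Server/Address describe the resolver, not the target.
            if key == "address":
                result["resolver"] = value.split("#")[0]  # drop BIND's "#53" port suffix
            elif key == "server" and result["resolver"] is None:
                result["resolver"] = value
            continue
        if key == "name":
            current_name = value
        elif key in ("address", "addresses"):
            _add_ip(result, current_name, value)
        elif key == "aliases":
            result["aliases"].append(value)
        else:
            m = re.match(r"(\S+)\s+canonical name = (\S+?)\.?$", line)
            if m:
                result["aliases"].append(m.group(1))     # Linux CNAME line
            elif _is_ip(line):
                _add_ip(result, current_name, line)      # Windows continuation under "Addresses:"
    return result


def ipv4_answers(result):
    """The IPv4 addresses of the target, which is what the lab question asks for."""
    return sorted({ip for _, ip in result["answers"] if ipaddress.ip_address(ip).version == 4})


if __name__ == "__main__":
    for sample in (LINUX_SAMPLE, WINDOWS_SAMPLE):
        parsed = parse_nslookup(sample)
        print("resolver:", parsed["resolver"], "web server IPv4:", ipv4_answers(parsed))
```

The same parser applies to the subdomain lookups the text mentions next; a "Non-authoritative answer" only means the resolver served the record from its cache rather than from the zone's own name servers, which is the normal case and is why the lab cross-checks the address with Wireshark.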
Email Server Enumeration
To find the IP Address of an organisation's mail server, an email can be sent which will
bounce. This will be returned with the IP address of the email server in the header, as
shown below.
Questions
Q From the mail above, what is the IP Address of the mail server?
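Reading the bounce by eye means walking its Received: headers: each relay prepends one, so the top header is the most recent hop and names the server that handed the bounce to the tester's own mail exchanger. The following is an added example, not code from the handout; it parses a constructed bounce message (example.org / tester.example.net domains and RFC 5737 addresses) with Python's standard email module.

```python
"""Extract the relaying mail servers from a bounce by walking its Received: headers.
Added example, not from the handout; the bounce below is constructed."""
import email
import re

# Constructed bounce, as a target's mail server would return it to the tester.
BOUNCE = """\
Return-Path: <>
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby mx.tester.example.net (Postfix) with ESMTP id 4ABC123
\tfor <bob@tester.example.net>; Mon, 12 Aug 2019 10:00:05 +0100
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.org (Postfix) with ESMTP id 9DEF456;
\tMon, 12 Aug 2019 10:00:04 +0100
From: MAILER-DAEMON@example.org (Mail Delivery System)
To: bob@tester.example.net
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mail.example.org.
<nosuchuser@example.org>: unknown user
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as written by Postfix/Sendmail-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received_chain(raw):
    """Return the hops oldest-first as [{'from', 'ip', 'by'}]. Headers are stored
    newest-first because every relay prepends its own Received: line."""
    msg = email.message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        # Collapse header folding (newline + tab) before matching.
        m = RECEIVED_RE.search(" ".join(header.split()))
        if m:
            hops.append({"from": m.group("helo"), "ip": m.group("ip"), "by": m.group("by")})
    return list(reversed(hops))


def external_mail_server(raw):
    """The organisation's outward-facing mail server is the final hop: the one
    that delivered the bounce to our own MX (the top-most Received: header)."""
    hops = parse_received_chain(raw)
    return (hops[-1]["from"], hops[-1]["ip"]) if hops else None


if __name__ == "__main__":
    for hop in parse_received_chain(BOUNCE):
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("external mail server:", external_mail_server(BOUNCE))
```

The bracketed address is the one the receiving MTA actually saw on the TCP connection, so it is the part of the header to trust; the HELO name before it is whatever the sending host chose to announce.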
To find the range of IP Addresses for the organisation take the IP Address of the web server,
and enter it into the RIPE Whois tool at www.ripe.org, as shown below.
Questions
Q What is the IP range?
Q Document the administrators and their phone numbers:
Q Which Organisations web site would you use
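The whois lookups in this lab (the Domain Name Information section above and the RIPE range query here) return plain-text "key: value" objects, and the questions ask for three things from them: the address range, confirmation that the web server sits inside it, and the administrators with their phone numbers. The following is an added example, not code from the handout: it parses a constructed RIPE-database-style response (placeholder names, RFC 5737 addresses and made-up phone numbers), converts the inetnum range to CIDR blocks with Python's ipaddress module, and resolves the admin-c/tech-c handles to person objects.

```python
"""Turn a RIPE-style whois answer into the lab's answers: CIDR range, whether the
web server IP falls inside it, and admin contacts with phone numbers.
Added example, not from the handout; the whois text below is constructed."""
import ipaddress

# Constructed RIPE-database-style response for a web server IP query.
WHOIS_TEXT = """\
% Information related to '192.0.2.0 - 192.0.2.255'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-UNI-NET
descr:          Example University campus network
country:        GB
admin-c:        EU123-RIPE
tech-c:         EU456-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT

person:         Example Admin One
address:        Example University, 10 Campus Road, Edinburgh
phone:          +44 131 555 0100
nic-hdl:        EU123-RIPE

person:         Example Admin Two
address:        Example University, 10 Campus Road, Edinburgh
phone:          +44 131 555 0101
nic-hdl:        EU456-RIPE
"""


def parse_whois_objects(text):
    """Split the response into blank-line separated objects, each a list of
    (key, value) pairs; '%' comment lines are dropped."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def inetnum_to_networks(inetnum):
    """'a.b.c.d - w.x.y.z' -> the minimal list of CIDR networks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def ip_range(objects):
    for obj in objects:
        for key, value in obj:
            if key == "inetnum":
                return inetnum_to_networks(value)
    return []


def admin_contacts(objects):
    """Resolve admin-c/tech-c handles to (name, phone) via the person objects."""
    handles = {v for obj in objects for k, v in obj if k in ("admin-c", "tech-c")}
    contacts = []
    for obj in objects:
        fields = dict(obj)
        if fields.get("nic-hdl") in handles:
            contacts.append((fields.get("person"), fields.get("phone")))
    return contacts


def in_range(ip, objects):
    """True if the given address lies inside the inetnum range of the response."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ip_range(objects))


if __name__ == "__main__":
    objs = parse_whois_objects(WHOIS_TEXT)
    print("range:", ip_range(objs))
    print("web server 192.0.2.10 in range:", in_range("192.0.2.10", objs))
    for name, phone in admin_contacts(objs):
        print("admin:", name, phone)
```

Ranges in the RIPE database are not always CIDR-aligned, which is why the conversion goes through summarize_address_range rather than assuming a single prefix; an allocation such as 192.0.2.0 - 192.0.2.100 comes back as four blocks.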
References
Badham, J. (Director). (1983). Wargames [Motion Picture]. http://www.imdb.com/title/tt0086567/
Gregg, M. (2009). Exam Prep: Certified Ethical Hacker. ExamGear.
Nitesh Dhanjani, B. R. (2010). Hacking: The Next Generation. O'Reilly.
Tzu, S. (500 BC). The Art of War - Chapter 3. Retrieved June 2009, from Sun Tzu - The Art of War:
http://www.sonshi.com/sun3.html