CEH_LAB1

Jun 03, 2018
8/12/2019 CEH_LAB1

Certified Ethical Hacker Penetration Testing, Rich Macfarlane

Lab 1: CEH Penetration Testing

3.1 Details

Aim: The aim of this lab is to investigate Reconnaissance, or Footprinting and Scanning, of an organisation. The pre-attack phases of footprinting and scanning are typically the first steps in the process an ethical hacker will follow when performing a Penetration Test.

Passive Reconnaissance is performed first by gathering information from outside the target network, followed by Active Reconnaissance, where packets are sent into the network to map and enumerate targets.

[Figure: Penetration Tester (Bob), holding a Written Agreement (Scope of Pen Test), performing Passive Recon and then Active Recon over the Internet against the target organisation's network]

"One who knows the enemy and knows himself will not be in danger in a hundred battles."
Sun Tzu, The Art of War, 500 BC (Tzu, 500 BC)

3.2 Activities

3.2.1 Information Gathering

An organisation's web site is a good place to start when gathering information as part of a penetration test. Search for the current Napier University web site using the Google search engine. Navigate to the postgraduate courses on offer.

Questions
Q What is the target web domain Google has returned?
Q Which postgraduate School of Computing courses with "Advanced" in the title are on offer?
Q Is browsing the target organisation's web site Passive or Active Reconnaissance?


A lot of the data the penetration tester may want to investigate may no longer be available on the website, but is saved in Internet caches.

The website www.archive.org can be used to view archived web pages. Go to the web site, and use the WayBackMachine to browse archived web pages from the Napier web site, as shown below.

Browse the archived web pages from 2008.

Questions
Q Which postgraduate courses with "Advanced" in the title have been added since Sep 2008?

To check for subdomains, go to the Netcraft.com website, and search on the napier.ac.uk domain, as shown below.


Questions
Q Which subdomains have been returned?

Another good resource for information gathering is an organisation's staff directories. Social engineering could be used to call these staff and get information, as shown below. Another way would be to call the helpdesk on behalf of these staff, who have forgotten their passwords, and have them reset to the defaults!

[Figure: social engineering by phone over the Internet. Penetration Tester: "Can I have your details please?" Bob: "Yeah, no problem, hold on."]

From the current Napier web site, browse to the School of Computing staff pages and find the details of a couple of Lecturers from the School of Computing.

Questions
Q What information can be gathered from the staff page?

Now use Google to search using the keywords napier + the name of a lecturer, as shown below.


Questions
Q Which new subdomain has been returned?
Q What extra information can be gathered from the IIDI people page?

Google Hacking is a term used to describe the use of advanced features of the Google search engine. This can turn Google into a powerful information gathering and vulnerability search tool.

Search for web pages linked to the Napier domain, using the Google search link: operator and the keywords napier.ac.uk, as shown below.

Questions
Q List some external pages linked to Napier's web site.

Use the inurl: operator with the same Napier domain keywords, and perform an images search by clicking the Images menu option on the left, as shown below.


Note: The Google Hacking Database (GHDB) http://johnny.ihackstuff.com/ghdb/ is a resource which can be used to help in penetration testing, and contains what are known as Google Dorks. Dorks are the search queries used to gather specific useful information, such as indications of vulnerabilities, or usernames and passwords.

Use the dork "unable to jump to row" "on mysql result index" "on line" in the Google search engine, as shown below.

This identifies web applications which are susceptible to SQL Injection attacks. The dork contains database error strings which indicate web applications which have the vulnerability.

Questions
Q How many results were returned?


Add the Google search operator site: and the keywords napier.ac.uk to check if the Napier domain has any such flaws.
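The same error strings are a useful defender-side check: before a search engine indexes them, scan your own captured HTTP response bodies for the MySQL error fragments the dork above looks for. This is an added example, not part of the lab handout; the response bodies, URLs and hostnames are constructed sample data.

```python
"""Added example (not part of the lab handout): a defender-side check that scans
captured HTTP response bodies for the verbose MySQL error strings the GHDB dork
above searches for.  If your own pages leak these strings, search engines will
index them and the dork will find you.  Responses and URLs below are constructed
sample data with placeholder hostnames."""
import re

# Fragments from the dork on the page plus common MySQL/PHP variants.
ERROR_SIGNATURES = [
    r"unable to jump to row",
    r"on mysql result index",
    r"you have an error in your sql syntax",
    r"warning:\s*mysql_",
    r"supplied argument is not a valid mysql",
]
_PATTERN = re.compile("|".join(f"({s})" for s in ERROR_SIGNATURES), re.IGNORECASE)

def find_db_error_leaks(responses):
    """responses: {url: body_text}.  Returns {url: [matched fragments]} for
    every body that leaks a database error message; clean pages are omitted."""
    leaks = {}
    for url, body in responses.items():
        hits = sorted({m.group(0).lower() for m in _PATTERN.finditer(body)})
        if hits:
            leaks[url] = hits
    return leaks

# Constructed sample responses (placeholder hosts, not real pages).
SAMPLE_RESPONSES = {
    "http://www.example.test/news.php?id=12":
        "<html><body>Latest news</body></html>",
    "http://www.example.test/staff.php?id=999":
        "<b>Warning</b>: mysql_fetch_array(): Unable to jump to row 0 on "
        "MySQL result index 3 in /var/www/staff.php on line 42",
    "http://intranet.example.test/search.php":
        "You have an error in your SQL syntax; check the manual",
}

if __name__ == "__main__":
    for url, hits in find_db_error_leaks(SAMPLE_RESPONSES).items():
        print("LEAK", url, "->", ", ".join(hits))
```

Any page reported here should be fixed to return a generic error page; the fix is in the application, not in hiding the page from search engines.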

Domain Name Information

Domain name information is now very easy to get via websites. Regional Internet Registries (RIRs) manage public IP addresses within regions, such as ARIN for the Americas, and RIPE for Europe.

The main tool to query Domain Name Services (DNS) is Whois. It returns information about a specific domain name, such as contact person, address, phone numbers and DNS Servers. Linux has the whois tool built in, and it can be run from the command line. From Windows, download the Sam Spade tool from www.samspade.org or use a web based whois tool, such as at:

www.ripe.net
www.dnsstuff.com
www.whoisdomaintools.com
www.samspade.org

Use a web site tool to gather information on the napier.ac.uk domain:

Questions
Q List the Registrar Contact, Phone Number, Campus Address, and Email Address:
Q List any Server IP Addresses:

The DNS results should look similar to the following:


The subdomains found can be investigated further also.

The contact details and other information gathered here could be used for social engineering or for wardialing.

Questions
Q Which particular information might be used for wardialing for modems?
Q Are Social Engineering and Wardialing Active or Passive Reconnaissance?

Note: Wardialing is a reconnaissance technique where a modem automatically dials phone numbers looking for computer systems. The term, along with others such as backdoor, is from the film WarGames (Badham, 1983), in which a teenager hacks into the US DoD war simulation computer system and very nearly starts WWIII.

Film Trailer: http://www.youtube.com/watch?v=tAcEzhQ7oqA

3.2.2 Determining the Network Range

DNS Enumeration

Additional information can be found from the DNS servers, using the nslookup tool. This can provide system name and IP Address information. Open a command window and use the following command to find the IP Address of Napier's web server:

nslookup www.napier.ac.uk


Questions
Q What is the IP Address of the Web Server?

The nslookup output should look similar to the following:

To check that the Web Server IP Address is correct, run the network traffic sniffer Wireshark. Select Capture > Interfaces, and start sniffing the traffic on the interface with packets flowing through it (it should be the wired Ethernet interface in the lab).

Browse to the Napier Web Server (use CTRL+F5 to refresh the page from the server and not the local cache). Stop the capture with Capture > Stop. The results should look similar to below.

Questions
Q What is the IP Address of the Web Server?

The subdomains found can be enumerated in the same way.


Email Server Enumeration

To find the IP Address of an organisation's mail server, an email can be sent which will bounce. The bounce will be returned with the IP address of the email server in its header, as shown below.

Questions
Q From the mail above, what is the IP Address of the mail server?
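Reading the IP out of the bounce header is a matter of walking its Received: lines from the top; the following is an added example, not part of the lab handout, and the bounce message, hostnames (mail.example.test, mx.pentester.test) and addresses in it are constructed sample data.

```python
"""Added example (not from the lab handout): extract the target organisation's
mail server IP from a bounce (non-delivery report) by walking its Received:
headers.  Only the Received: line written by your own MX is trustworthy;
the lines below it came from the remote side and may be forged.  Hosts,
addresses and the bounce text are constructed sample data."""
import email
import ipaddress
import re

# "from <host> (<reverse-dns> [<ip>]) by <host>" as most MTAs write it.
_HOP = re.compile(
    r"from\s+(\S+)\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\][^)]*\)\s+by\s+(\S+)",
    re.IGNORECASE)

def received_hops(raw_message):
    """Return [(from_host, from_ip, by_host), ...], most recent hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = _HOP.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append((m.group(1), m.group(2), m.group(3).rstrip(";")))
    return hops

def mail_server_ip(raw_message, own_domain):
    """IP of the remote MTA that handed the bounce to our own server: the
    first hop received 'by' one of our hosts from a non-loopback address."""
    for _from_host, ip, by_host in received_hops(raw_message):
        if by_host.lower().endswith(own_domain.lower()) and \
                not ipaddress.ip_address(ip).is_loopback:
            return ip
    return None

# Constructed sample bounce: RFC 5737 documentation address, placeholder hosts.
SAMPLE_BOUNCE = """\
Received: from mail.example.test (mail.example.test [203.0.113.25])
 by mx.pentester.test (Postfix) with ESMTP id 4ABC123
 for <tester@pentester.test>; Mon, 12 Aug 2019 10:15:02 +0100
Received: from localhost (localhost [127.0.0.1])
 by mail.example.test (Postfix) with ESMTP id 7DEF456;
 Mon, 12 Aug 2019 10:15:01 +0100
From: MAILER-DAEMON@example.test (Mail Delivery System)
To: tester@pentester.test
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mail.example.test.
"""

if __name__ == "__main__":
    print("mail server IP:", mail_server_ip(SAMPLE_BOUNCE, "pentester.test"))
```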

To find the range of IP Addresses for the organisation, take the IP Address of the web server and enter it into the RIPE Whois tool at www.ripe.org, as shown below.


Questions
Q What is the IP range?
Q Document the administrators and their phone numbers:
Q Which Organisation's web site would you use
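The RIPE answer for the web server's address can be turned into a checkable range and a contact list in code. This is an added example, not part of the lab handout; the whois text, network name, person and phone number are constructed sample data laid out the way the RIPE Database prints its objects.

```python
# Added example (not from the lab handout): parse a RIPE whois answer for the web
# server's address into a CIDR range and an administrator contact list.  The whois
# text is constructed sample data (RFC 5737 range, placeholder names) in RIPE layout.
import ipaddress

def parse_whois_objects(text):
    """Blank-line separated RPSL objects -> list of {attribute: value} dicts."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends an object
            if current:
                objects.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects

def inetnum_networks(text):
    """CIDR networks covering every 'inetnum: first - last' range found."""
    nets = []
    for obj in parse_whois_objects(text):
        if "inetnum" in obj:
            first, _, last = obj["inetnum"].partition("-")
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
    return nets

def ip_in_range(ip, text):
    """True if the address (e.g. the web server) lies in any inetnum range."""
    return any(ipaddress.ip_address(ip) in net for net in inetnum_networks(text))

def admin_phones(text):
    """(person, phone) pairs from each person object, for the contacts question."""
    return [(o["person"], o.get("phone", "")) for o in parse_whois_objects(text) if "person" in o]

# Constructed sample in RIPE Database layout, not a real query result.
SAMPLE_WHOIS = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-UNI-NET
descr:          Example University (placeholder)
country:        GB
admin-c:        EA1-RIPE

person:         Example Admin
phone:          +44 131 000 0000
nic-hdl:        EA1-RIPE
"""
```

Checking every host found by nslookup against `inetnum_networks()` tells you which of them sit inside the organisation's own allocation and which are hosted elsewhere, which matters when agreeing the scope of the test.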


References

Badham, J. (Director). (1983). WarGames [Motion Picture]. http://www.imdb.com/title/tt0086567/

Gregg, M. (2009). Exam Prep: Certified Ethical Hacker. ExamGear.

Dhanjani, N., & Rios, B. (2010). Hacking: The Next Generation. O'Reilly.

Tzu, S. (500 BC). The Art of War, Chapter 3. Retrieved June 2009, from Sun Tzu - The Art of War: http://www.sonshi.com/sun3.html