Skip to 0 minutes and 6 seconds So first things first, we want to find out what the IP address is of this Mossack Fonseca web server. So one simple way we can do this is just ping the website and see if we can get an IP address. Yes, instantly it tells us it’s active. And you can see up top here the IP address from here it gets pretty simple. Basically I want to find out what ports are open, essentially, what doorways are open to this particular web server, and ultimately I want to find out what servers are running so we can try and exploit one of those. So we use that little tool called ‘nmap’.
Skip to 0 minutes and 49 seconds And you can kind of see it’s got a wide variety of different parameters. We type in ‘nmap’, and then we put in the IP address, or the web server name, of the target we’re trying to actually attack. I think it was this from memory. Yes, OK. So we can see from here on this particular web server, there’s a range of different ports open and different services running. You can see here. Let’s say FTP in this example, port 21. And it’s operating the TCP protocol, and it’s actually in an open state. So from here, we’re going to try to find a bit more information. So we can actually see there’s other services running as well. They’ve got a web server.
Skip to 1 minute and 34 seconds You can see that here. That’s running on port 80. They’ve got what looks like an email server that’s running on port 25. And there’s a range of other ones as well. But let’s focus on FTP because that generally can be quite a weak protocol. Let’s try to find out a bit more information if we can. We’ll try a few more complicated parameters in nmap and see what else we can find out. So we’re at nmap sV, which is essentially a service and script scan. And then we’ll do this for our scripts [enters ‘sC’], and type in the web server name again.
Skip to 2 minutes and 19 seconds And I think we said port 21 for FTP. And we’ll run that server and script scan against the FTP protocol on that particular website. So what else have we gathered here? Again we’ve got confirmation that we’ve got the FTP server software. We can see here another thing is allowing anonymous FTP logins, which is not always a great thing. The main thing is we want to find from here, which is going to be beneficial for us, is that the version of the FTP software, and that it’s actually in open state, and you can connect to it.
Skip to 3 minutes and 2 seconds I think we’ve gathered enough information to push forward. We know now that FTP is running and it’s open. And we know what server software they’re actually using for that FTP. So that can be a particularly good weak point to gain access. So using this information we’ve gathered, let’s figure out how we can go ahead and move forward from here. So if we check out this particular website here, it’s a very popular one for security exploits. It’s called ‘www.exploit-db.com’. So let’s do a little search. This website basically lists all the new exploits that are out, pretty much every day if there’s a new one out, it’ll list the operating system, what server is it, what software it’s actually targeted against.
Skip to 3 minutes and 54 seconds Ok, let’s do a little search for what we’ve discovered about this particular target machine we want to get into. I think that should do it. So we’ll go to an advanced search platform, and we’ll punch that into the search. And we want to get in remotely, so let’s go remote. Anything else we can fill in here– Author– Let’s go with Metasploit, essentially our framework that contains a library of different exploits. We can pick out and target against specific weaknesses in the system. Let’s let that search for a minute. So it brings us back a range of different exploits we can potentially use.
Skip to 4 minutes and 37 seconds Let’s have a look through the list and see if anything is related to– I think we said vsftpd. Let’s see if we can find that in the list.
Skip to 4 minutes and 50 seconds There we go. Vsftpd version 2.3.4. We’ll just click on that. It tells us everything about that, when it was published. We can download it if we want. Tells us more about the actual code behind the exploit, how it works there. So now you’ve seen from a hacker’s perspective how to do some reconnaissance and discover vulnerabilities in a particular system. These are things that the hacker will look for in order to exploit your systems. Thanks for watching.
A cyber hacker's toolkit: reconnaissance
The best way to understand how a cyber attack occurs is to see one in action.
In this video, Dr Nick Patterson demonstrates the back-end mechanics of how attacks like the Panama Papers hack are accomplished.
The simulation is set up in a mock environment to mimic what might have happened in this case and shows you how hackers do their reconnaissance by searching for vulnerabilities. The use of these tools and techniques to access web servers you do not control is of course illegal and this video shows a part of the process as an educational tool to help you think more carefully about guarding your systems.
Watch the video and share your observations on how hackers can find out information about your systems.
© Deakin University