A cyber hacker’s toolkit: reconnaissance

So first things first, we want to find out what the IP address is of this Mossack Fonseca web server. So one simple way we can do this is just ping the website and see if we can get an IP address. Yes, instantly it tells us it’s active. And you can see up top here the IP address from here it gets pretty simple. Basically I want to find out what ports are open, essentially, what doorways are open to this particular web server, and ultimately I want to find out what servers are running so we can try and exploit one of those. So we use that little tool called ‘nmap’.

And you can kind of see it’s got a wide variety of different parameters. We type in ‘nmap’, and then we put in the IP address, or the web server name, of the target we’re trying to actually attack. I think it was this from memory. Yes, OK. So we can see from here on this particular web server, there’s a range of different ports open and different services running. You can see here. Let’s say FTP in this example, port 21. And it’s operating the TCP protocol, and it’s actually in an open state. So from here, we’re going to try to find a bit more information. So we can actually see there’s other services running as well. They’ve got a web server.

You can see that here. That’s running on port 80. They’ve got what looks like an email server that’s running on port 25. And there’s a range of other ones as well. But let’s focus on FTP because that generally can be quite a weak protocol. Let’s try to find out a bit more information if we can. We’ll try a few more complicated parameters in nmap and see what else we can find out. So we’re at nmap sV, which is essentially a service and script scan. And then we’ll do this for our scripts [enters ‘sC’], and type in the web server name again.

And I think we said port 21 for FTP. And we’ll run that server and script scan against the FTP protocol on that particular website. So what else have we gathered here? Again we’ve got confirmation that we’ve got the FTP server software. We can see here another thing is allowing anonymous FTP logins, which is not always a great thing. The main thing is we want to find from here, which is going to be beneficial for us, is that the version of the FTP software, and that it’s actually in open state, and you can connect to it.

I think we’ve gathered enough information to push forward. We know now that FTP is running and it’s open. And we know what server software they’re actually using for that FTP. So that can be a particularly good weak point to gain access. So using this information we’ve gathered, let’s figure out how we can go ahead and move forward from here. So if we check out this particular website here, it’s a very popular one for security exploits. It’s called ‘www.exploit-db.com’. So let’s do a little search. This website basically lists all the new exploits that are out, pretty much every day if there’s a new one out, it’ll list the operating system, what server is it, what software it’s actually targeted against.

Ok, let’s do a little search for what we’ve discovered about this particular target machine we want to get into. I think that should do it. So we’ll go to an advanced search platform, and we’ll punch that into the search. And we want to get in remotely, so let’s go remote. Anything else we can fill in here– Author– Let’s go with Metasploit, essentially our framework that contains a library of different exploits. We can pick out and target against specific weaknesses in the system. Let’s let that search for a minute. So it brings us back a range of different exploits we can potentially use.

Let’s have a look through the list and see if anything is related to– I think we said vsftpd. Let’s see if we can find that in the list.

There we go. Vsftpd version 2.3.4. We’ll just click on that. It tells us everything about that, when it was published. We can download it if we want. Tells us more about the actual code behind the exploit, how it works there. So now you’ve seen from a hacker’s perspective how to do some reconnaissance and discover vulnerabilities in a particular system. These are things that the hacker will look for in order to exploit your systems. Thanks for watching.