Sunday, October 30, 2011

Brief Update

I've not posted for a little while so just a quick update to prove I'm not dead! I've finally organised my PWB course and I'm due to start tomorrow. I've got the week off work to study and then another week in a month's time. In between I plan to study in the evenings.

I've got sixty days of lab time so I will have to complete the exam by the end of December. It's going to be a tough couple of months but I'm really looking forward to it and can't wait to get started!

Obviously I won't be able to share any details of the course on here but I will try and post some progress updates as I go.

Monday, October 10, 2011

Net Disco

I thought I would check out Netdiscover this evening as recommended in a comment on my 'Beginning' post (thanks again!). Netdiscover is an active/passive ARP reconnaissance tool written by Jaime Penalba and is included with the BackTrack 5 distribution.

I am guessing that it works by sending out ARP requests for IP addresses in the subnet/range you wish to scan as a way of determining how many live hosts there are on the network. I also suspect that the "passive" mode doesn't send any requests; it just sits there and monitors what ARP requests it sees from other hosts. I am going to use Wireshark (a tool most network engineers are familiar with!) to try and see what it actually does.

So this is the screen you see when you fire up the tool. I won't go through all the options but the main ones appear to be -r (specify the subnet/range you wish to scan), -p (passive mode), -s (time in milliseconds to sleep between each ARP request) and -c (number of times to send each ARP request). I imagine that the -s option would be useful if you are trying to avoid triggering any Intrusion Detection Systems; too many ARP requests from the same source address in a short amount of time could look suspicious!

So I've started with a normal scan using netdiscover -r 192.168.1.0/24 -s 1000
I don't have any IDS at home to avoid but I wanted the scan to proceed fairly slowly so I could watch what happened in Wireshark.

This confirms that ND is sending ARP requests to each address in order to see if there is anything alive out there. The timestamps confirm the gap between requests is 1 second.
Interestingly, ND appears to use a false IP address for its ARP requests - 192.168.1.67! The IP address of the BT5 VM is 192.168.1.17 so I am not sure where this came from. Looking back through to the start of the capture I cannot see any checks being performed to see if this address was available or not, so I wonder how this address was decided upon? Further investigation required!


The results show nine live IPs detected, which is the same number as detected by AutoScan the other day. I have an additional VM running this time but because the BT5 host is left out of the scan the total is the same. The vendors are identified automatically from the OUI of the MAC address but again, as with Nmap, the iPhone wasn't recognised. Perhaps a new version/database update is required?

At this point I wonder why all the IPs are in order apart from the Nintendo lurking at the bottom. The capture shows that ND sent an ARP request for .13 in order but no response was received:

I trawl through the capture looking for some clues when I come across this:

Bingo! ND must automatically add hosts that it sees ARP traffic from even when doing an active scan. This must be the way it detects hosts when using the -p option as it will not be sending any requests. I might try and find out if it adds hosts it sees any kind of traffic for or just ARP broadcasts.
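The two behaviours picked out above (an active scan sending one ARP request per address, and the host table being filled from any ARP frame that goes past, which is all a passive scan can do) can be shown in a few dozen lines. This is an added example written for this page, not netdiscover's own code: `build_arp`, `parse_arp`, `active_probe_frames` and `discover` are example helpers, the scanner MAC, the one-entry `OUI` table and the frames in `sample_wire` are constructed stand-ins for the Wireshark capture, and the sender IP used in the probes is a parameter rather than an explanation of where netdiscover's 192.168.1.67 came from.

```python
"""ARP host discovery the way netdiscover's active and passive modes work.

Added example, not netdiscover's own code. It builds the Ethernet/ARP
'who-has' request an active scan sends for every address in the range, then
feeds a few constructed frames (standing in for the Wireshark capture)
through a table that learns a host from the sender fields of *any* ARP
frame, not only replies to our own probes. That reproduces what was seen
above: a host that never answered our request for .13 still appears once it
sends an ARP request of its own. Whether netdiscover also learns from
non-ARP traffic is left open here; this table only looks at ARP.
"""
import struct
from ipaddress import IPv4Network, ip_address

BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# One-entry OUI table for the example; a real run would use the IEEE list.
# 00:0c:29 is a VMware OUI; every other prefix in this file is made up.
OUI = {"00:0c:29": "VMware, Inc."}

# Constructed scanner identity: a made-up MAC for the BT5 VM and its address.
SCANNER_MAC = bytes.fromhex("000c29aabbcc")
SCANNER_IP = "192.168.1.17"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, src_mac: bytes, src_ip: str, dst_mac: bytes, dst_ip: str) -> bytes:
    """Ethernet II frame carrying one ARP packet (RFC 826 layout, 42 bytes)."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else dst_mac
    ethernet = eth_dst + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,        # hardware type: Ethernet
        0x0800,   # protocol type: IPv4
        6, 4,     # hardware and protocol address lengths
        op,
        src_mac, ip_address(src_ip).packed,
        dst_mac, ip_address(dst_ip).packed,
    )
    return ethernet + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender MAC, sender IP), or None for a non-ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    op, sender_mac, sender_ip = struct.unpack("!H6s4s", frame[20:32])
    return op, mac_str(sender_mac), str(ip_address(sender_ip))


def active_probe_frames(network: str, src_mac=SCANNER_MAC, src_ip=SCANNER_IP):
    """One 'who-has X tell src_ip' request per address, as netdiscover -r sends.

    src_ip is a parameter so either the VM's real address or another one can
    be tried; which one netdiscover picks, and why, is not settled here."""
    return {
        str(host): build_arp(ARP_REQUEST, src_mac, src_ip, ZERO_MAC, str(host))
        for host in IPv4Network(network).hosts()
    }


def discover(wire_frames, probed):
    """Learn hosts from every ARP frame on the wire, in order of first sighting.

    A reply to one of our probes and an unsolicited request from a host that
    never answered us both count; passive mode (-p) is simply this function
    with an empty `probed` set and no frames of our own sent."""
    seen = {}
    for frame in wire_frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, ip = parsed
        if ip == "0.0.0.0" or ip in seen:   # RFC 5227 address probe, or already known
            continue
        how = "reply to our probe" if op == ARP_REPLY and ip in probed else "seen in passing"
        seen[ip] = {"ip": ip, "mac": mac, "vendor": OUI.get(mac[:8], "Unknown vendor"), "how": how}
    return list(seen.values())


def sample_wire():
    """Constructed frames: two replies to our probes, then the sleeping console
    waking up and asking who has the router, then something that is not ARP."""
    return [
        build_arp(ARP_REPLY, bytes.fromhex("001122334401"), "192.168.1.1", SCANNER_MAC, SCANNER_IP),
        build_arp(ARP_REPLY, bytes.fromhex("000c29123456"), "192.168.1.15", SCANNER_MAC, SCANNER_IP),
        build_arp(ARP_REQUEST, bytes.fromhex("001122334413"), "192.168.1.13", ZERO_MAC, "192.168.1.1"),
        b"\x00" * 60,
    ]


if __name__ == "__main__":
    probes = active_probe_frames("192.168.1.0/24")
    print(f"sending {len(probes)} ARP requests")
    for host in discover(sample_wire(), set(probes)):
        print(f"{host['ip']:<15} {host['mac']}  {host['vendor']:<16} {host['how']}")
```

Run as-is it prints the three hosts in the order they were seen, which is why a late riser lands at the bottom of the list rather than in IP order; sorting by IP is a presentation choice the tool does not make. The `0.0.0.0` check skips RFC 5227 address probes, whose sender IP field is deliberately empty and would otherwise be recorded as a bogus host.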

Wednesday, October 5, 2011

Back to skool...

I've been looking into some qualifications and training courses to give me a bit of a kick start. I have noticed that a lot of the job advertisements for pen testers list CREST's (Council of Registered Ethical Security Testers) Registered Tester as a desirable qualification to have so I thought I would start my investigations there.

I sent an email to CREST to ask if they provide or recommend any training courses for the Registered Tester exam. I got a fairly detailed response the next day explaining that there are currently no plans to offer training courses as they wish to ensure there is never a conflict of interest where the training provider also provides the examination. They sent links to a couple of courses that may or may not provide suitable preparation for the exam but at this time they were not officially endorsing them. They also sent me the titles of a couple of books recommended by the assessors (Hacking Exposed and Network Security Assessment) but I don't think I could learn enough from books to pass the exam - which includes a practical element.

I've seen EC Council's Certified Ethical Hacker advertised a lot but I don't think it is CESG-approved like CREST. On the plus side there is an associated training course and it seems to be widely available, but on the negative side I haven't seen any jobs that are looking for CEH people. I decided to take a punt and email the pen tester that was on site at the start of the year to see if he was able to offer any recommendations.

To be honest I wasn't expecting a reply as the guy must be quite busy and we only met the once! A few days later though I received a really detailed reply with a long list of recommendations on where to start, an overview of what the job was like and what you must be prepared to do (long hours, travelling, working alone etc.). He also highly recommended a course by Offensive Security called "Penetration Testing with Backtrack". EDIT - I have also since been recommended this course by several of the nice people on the Security Focus mailing list!

PWB is an online training course with a strong hands-on element. It is self-paced learning but you have to pay for lab time in 30 day increments. It also includes a qualification to become an Offensive Security Certified Professional. The certification process seems pretty hardcore as you are given 24 hours at the end of your allotted lab time to break into an unknown network using the skills you learnt on the course!

I have had a read through the syllabus for the course and it seems very comprehensive. There are a lot of areas that I know I'm going to be fairly weak in to begin with so I think it will prove to be quite a challenge. But it is often said that doing anything worthwhile is never easy! I've decided to go for 60 days of lab time as the average time to go through the course materials is approximately 80 hours and I don't think I will find the time to do this in just one month.

Tuesday, October 4, 2011

Beginning

Phase 1: Reconnaissance
A lot of this phase focuses on information gathering using Social Engineering and Dumpster Diving and while I don't doubt that these are useful skills to know they are difficult to practice in a home/lab environment. I'm not going to try and sweet talk myself into giving me my passwords and I don't really fancy rummaging around in the bins, the neighbours might find that odd! There are other techniques described as well like interrogating DNS servers, Whois searches etc. but they are not really relevant at the moment; I already have access to the network so I am going to concentrate on simulating an internal pen test.

Phase 2: Scanning
First I will attempt to discover what live machines there are on the network. The easiest way to do this is by sending an ICMP echo request or ping. I don't want to do this by hand so I am going to use one of the Network Scanning tools in Backtrack (BT5). The first one in the list is Autoscan, this is what I see when I fire it up:

Next I can specify the subnet I wish to scan. I have removed some of the default entries as I know what the network and subnet mask is in this case.

I skip through the next few options without changing anything. I am surprised by the results for two reasons. One, I wasn't expecting the tool to attempt to fingerprint (identify) the host systems as well as ICMP scanning them and two, I wasn't expecting to see this many hosts on my network!

I started this quite late in the evening and I'd really like to go to bed now but I just know I won't be able to sleep until I've figured out what all these hosts are and if they all belong to me or not! I skip forward a few pages in the book and come to the section describing Nmap. I decide to see if Nmap will provide any more information about the hosts than Autoscan.

Although there is a GUI for Nmap I have decided to force myself to learn the command line. If there is a choice between GUI and CLI I always try to use the CLI as it gives you more flexibility and, I believe, a better understanding of the product. So I start scanning each host in order using 'nmap -O <ip address>'.

Don't really need to go much further than the first line, 'my.router' kind of gives away what this device is. The MAC address OUI at the bottom confirms that this is my ADSL router. Interestingly though, the Aggressive OS guesses don't list Draytek at all.

192.168.1.10 has been identified correctly by AutoScan so I move onto .11. Nmap reports that the host seems down, I go back to AutoScan to check but it is reporting that it is still up. Nmap helpfully suggests using the -Pn option if you believe the host is really up, this option will treat all hosts as online and skip host discovery:

Ahhh, the iPhone! Had forgotten about that! To confirm I try to look up the OUI (the first six characters of the MAC address) on http://www.coffer.com/mac_find/ but it comes back as unknown. Mr Google, however, returns a result from hwaddress.com listing it as belonging to Apple Inc.

192.168.1.12 I know to be my Backtrack VM so I bypass that, but .13 has now gone off the network. Bit worrying. I tried a simple ping and left it running; occasionally the host responds and then goes unreachable again. I will keep the ping running and try a quick scan if it starts replying. Moving on to .14, this should be interesting as AutoScan identified this as a firewall. Nmap -O is taking a bit longer to come back this time round; eventually it reports that all 1000 scanned ports are filtered and it has no idea of the OS. I know this device to be my laptop running a personal firewall. It is good to know that it is doing its job well but I will return to this again and see if there are any other ways of identifying it with Nmap or another tool.

192.168.1.15 returns a few open ports including ftp, ssh, http, https and mysql. The OS is detected as Linux 2.6.X and the MAC address is a VMWare one. I believe this to be my DVWA (Damn Vulnerable Web Application) VM.

192.168.1.16 returns a single open port (SSH) but it is not sure which OS. From the aggressive guesses it's pretty sure it's Linux of some kind. And it is, this is a Redhat VM.

192.168.1.19 is the last one on the list which I know to be my VMWare host. Nmap picks up seven open ports but is unable to identify the operating system.

EDIT: with the Linux VMs and VMWare I need to spend some more time on trying to find out what they are using penetration testing tools and techniques rather than just utilising my knowledge of my network setup.

And just as I'm about to fall asleep on my keyboard the .13 host starts replying again. I quickly break the ping and run nmap -Pn:

Nintendo? Must be the Wii!! This has been switched off all day but it must periodically connect to the WiFi to check for updates or something. Nice and locked down though, no open ports!

Conclusions so far: Might not bother with AutoScan in the future. It has a nice GUI but from my initial findings Nmap appears to give more information. It looks like there are command line options for scanning subnets as well so I will try them next time.