Lab2 3.2,4,6.1 HOD401

The document provides instructions for performing network scanning using various scanning tools like Metasploit, Nmap, and hping3. It describes how to launch Metasploit and import Nmap scan results to view details of active hosts and running services on them. It also explains how to use the built-in Metasploit port scanning modules to perform SYN and TCP scans against target systems and IP ranges. The document further explains commands to generate custom packets using hping3 and Nmap to bypass firewalls during scanning.

Lab 3: Perform OS Discovery

3.2 Perform OS Discovery using Nmap Script Engine (NSE)


In the Windows 10 virtual machine, click on the Start menu and launch Nmap - Zenmap GUI
from the applications.
The Zenmap GUI appears. In the Command field, type the command nmap -A <Target IP
Address> (here, the target machine is Windows Server 2016 [10.10.10.16]) and click Scan.
The scan results appear, displaying the open ports and running services along with their versions
and target details such as OS, computer name, NetBIOS computer name, etc. under the Host
script results section.

In the Command field, type the command nmap -O <Target IP Address> (here, the target
machine is Windows Server 2016 [10.10.10.16]) and click Scan.
The scan results appear, displaying information about open ports, respective services running on
the open ports, and the name of the OS running on the target system.
In the Command field, type the command nmap --script smb-os-discovery.nse <Target IP
Address> (here, the target machine is Windows Server 2016 [10.10.10.16]) and click Scan.
The scan results appear, displaying the target OS, computer name, NetBIOS computer name, etc.
details under the Host script results section.
Lab 4: Scan beyond IDS and Firewall
4.1 Scan beyond IDS/Firewall using various Evasion Techniques
Navigate to Control Panel > System and Security > Windows Defender Firewall > Turn
Windows Defender Firewall on or off, enable Windows Defender Firewall and click OK, as
shown in the screenshot.

Click on the Start menu and launch Wireshark from the applications. Start capturing packets by
double-clicking the available ethernet or interface (here, Ethernet0).
Now, switch to the Parrot Security virtual machine.
In the terminal window, type nmap -f <Target IP Address> (here, the target machine is
Windows 10 [10.10.10.10]) and press Enter.

In the Parrot Terminal window, type nmap -g 80 <Target IP Address> (here, target IP address
is 10.10.10.10) and press Enter.
The results appear, displaying all open TCP ports along with the name of services running on the
ports, as shown in the screenshot.

Now, type nmap -mtu 8 <Target IP Address> (here, target IP address is 10.10.10.10) and press
Enter.
Now, type nmap -D RND:10 <Target IP Address> (here, target IP address is 10.10.10.10) and
press Enter.

Now, return to the Windows 10 virtual machine (target machine) and observe packets captured
by Wireshark, which displays the multiple IP addresses in the source section, as shown in the
screenshot.
4.2 Create Custom Packets using Colasoft Packet Builder to Scan beyond IDS/Firewall
The Colasoft Packet Builder GUI appears; click on the Adapter icon, as shown in the
screenshot.

When the Select Adapter window appears, check the Adapter settings and click OK.
To add or create a packet, click the Add icon in the Menu bar.
In the Add Packet dialog box, select the ARP Packet template, set Delta Time as 0.1 seconds,
and click OK.

You can view the added packets list on the right-hand side of the window, under Packet List.
To send the packet, click Send from the Menu bar.
In the Send Selected Packets window, select the Burst Mode (no delay between packets)
option, and then click Start.

After the Progress bar completes, click Close.


Now, when this ARP packet is broadcasted in the network, the active machines receive the
packet, and a few start responding with an ARP reply. To evaluate which machine is responding
to the ARP packet, you need to observe packets captured by the Wireshark tool.

To export the packet, click Export > Selected Packets...


4.3 Create Custom UDP and TCP Packets using Hping3 to Scan beyond IDS/Firewall
In the terminal window, type hping3 <Target IP Address> --udp --rand-source --data 500
(here, the target machine is Windows 10 [10.10.10.10]) and press Enter.

Now, switch to the Windows 10 virtual machine and observe the UDP packets captured by
Wireshark.
Expand the Data node in the Packet Details pane and observe the size of Data and its Length
(the length is the same as the size of the packet body that we specified in the hping3 command, i.e.,
500).
Switch to the Parrot Security virtual machine. In the Parrot Terminal window, first press
Control+C and type hping3 -S <Target IP Address> -p 80 -c 5 (here, target IP address is
10.10.10.10), and then press Enter.

Now, switch to the target machine (i.e., Windows 10) and observe the TCP packets captured via
Wireshark.
In the Parrot Terminal window, type hping3 <Target IP Address> --flood (here, target IP
address is 10.10.10.10) and press Enter.

Observe the Wireshark window, which displays the TCP packet flooding from the host machine.
The TCP packet stream displays the complete information of TCP packets such as the source and
destination of the captured packet, source port, destination port, etc.
4.4 Create Custom Packets using Nmap to Scan beyond IDS/Firewall
The Nmap - Zenmap GUI appears. In the Command field, type the command nmap <Target
IP Address> --data 0xdeadbeef (here, target IP address is 10.10.10.16) and click Scan.

In the Command field, type the command nmap <Target IP Address> --data-string "Ph34r
my l33t skills" (here, target IP address is 10.10.10.16) and click Scan.
In the Command field, type the command nmap --data-length 5 <Target IP Address> (here,
the target IP address is 10.10.10.16) and click Scan.

In the Command field, type the command nmap --randomize-hosts <Target IP Address>
(here, the target IP address is 10.10.10.16) and click Scan.
In the Command field, type the command nmap --badsum <Target IP Address> (here, the
target IP address is 10.10.10.16) and click Scan.
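What `--badsum` relies on, shown as an added example that is not part of the lab: the target's TCP stack verifies the Internet checksum before it replies, so a probe with a forged TCP checksum is silently discarded by the host, while a monitoring device that skips checksum validation still processes it. The block builds a constructed IPv4/TCP SYN (only the addresses come from the lab; everything else is made up) and verifies both checksums the way a receiver or an IDS should.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented.
    Over a header that already carries its correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed IPv4/TCP SYN (no options, no payload) used as input for the verifier below."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, checksum 0, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

def verify_checksums(pkt: bytes) -> tuple:
    """Return (ip_ok, tcp_ok) for a raw IPv4/TCP packet: the check a target's stack performs
    before it replies. --badsum traffic shows up here as ip_ok=True, tcp_ok=False."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = inet_checksum(pkt[:ihl]) == 0
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    # TCP pseudo-header: source and destination address, zero, protocol, TCP length
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(seg))
    tcp_ok = inet_checksum(pseudo + seg) == 0
    return ip_ok, tcp_ok
```

A capture tool that reports "bad checksum" on such probes while the host never answers them is the signature to look for in the Wireshark view.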
4.5 Browse Anonymously using Proxy Switcher
Now, launch the Firefox browser.
Click the Open menu icon in the top-right corner of the browser window and click Options.
In the Options wizard, scroll down to the end of the page and click Settings... under the
Network Settings section.

The Connection Settings window appears; under the Configure Proxy Access to the Internet
section, ensure that the Use system proxy settings radio button is selected. Click OK and close
the Firefox browser window.
Ensure that the Find New Server, Rescan Servers, Recheck Dead radio button is selected under
the Common Tasks section, and click Finish.
Proxy Switcher window appears, showing a list of proxy servers in the right pane, as shown in
the following screenshot.

Click the Basic Anonymity folder in the left-hand pane to display a list of alive proxy servers, as
shown in the screenshot.
Select one proxy server IP address in the right-hand pane. To switch to the selected proxy server,
click the Switch to Selected Proxy Server icon.

Launch the Mozilla Firefox web browser and enter the URL
http://www.proxyswitcher.com/check.php to check the selected proxy server connectivity. If
the connection is successful, the following information is displayed in the browser:
4.6 Browse Anonymously using CyberGhost VPN
Follow the installation steps to install CyberGhost.

Once the installation is complete, the CyberGhost Create account window appears.
The CyberGhost window appears, displaying VPN not connected!

The CyberGhost Settings window appears; click on All server from the left-hand pane.
CyberGhost attempts to establish a connection to the proxy server. On successfully establishing
a connection.
Minimize the CyberGhost window and launch the Mozilla Firefox web browser; type the URL
https://nordvpn.com/what-is-my-ip/ in the address bar and press Enter.

Open a new tab in the web browser and surf anonymously using this proxy.
Lab 6: Perform Network Scanning using Various Scanning Tools
6.1 Scan a Target Network using Metasploit

In the Parrot Terminal window, type service postgresql start and hit Enter.
Now, type msfconsole and hit Enter to launch Metasploit.

An msf command line appears. Type db_status and hit Enter to check if Metasploit has
connected to the database successfully. If you receive the message "postgresql selected, no
connection," then the database did not connect to msf.
Exit the Metasploit framework by typing exit and press Enter. Then, to initiate the database, type
msfdb init, and press Enter.

To restart the postgresql service, type service postgresql restart and press Enter. Now, start the
Metasploit Framework again by typing msfconsole and pressing Enter.
Check the database status by typing db_status and press Enter. This time, the database should
successfully connect to msf, as shown in the screenshot.

Type nmap -Pn -sS -A -oX Test 10.10.10.0/24 and hit Enter to scan the subnet, as shown in the
screenshot.
Now, type db_import Test and hit Enter to import the Nmap results into the database.

Type hosts and hit Enter to view the list of active hosts along with their MAC addresses, OS
names, etc. as shown in the screenshot.
Type services or db_services and hit Enter to receive a list of the services running on the active
hosts, as shown in the screenshot.

Type search portscan and hit Enter. The Metasploit port scanning modules appear, as shown in
the screenshot.
Here, we will use the auxiliary/scanner/portscan/syn module to perform a SYN scan on the
target systems. To do so, type use auxiliary/scanner/portscan/syn and press Enter.

We will use this module to perform a SYN scan against the target IP
address range (10.10.10.5-20) to look for open port 80 through the eth0 interface.
To do so, issue the below commands:
• set INTERFACE eth0
• set PORTS 80
• set RHOSTS 10.10.10.5-20
• set THREADS 50
After specifying the above values, type run, and press Enter to initiate the scan against the
target IP address range.

Now, we will perform a TCP scan for open ports on the target systems. To do so, first type back,
and then press Enter to revert to the msf command line.
To load the auxiliary/scanner/portscan/tcp module, type use auxiliary/scanner/portscan/tcp and
press Enter.
Type hosts -R and press Enter to automatically set this option with the discovered hosts present
in our database. (Or type set RHOSTS <Target IP Address> and press Enter)
Type run and press Enter to discover open TCP ports in the target system.
The results appear, displaying all open TCP ports in the target IP address (10.10.10.16).
Now that we have determined the active hosts on the target network, we can further attempt to
determine the OSes running on the target systems. As there are systems in our scan that have port
445 open, we will use the module scanner/smb/smb_version to determine which version of Windows
is running on a target and which Samba version is on a Linux host.

To do so, first type back, and then press Enter to revert to the msf command line. Then, type use
auxiliary/scanner/smb/smb_version and press Enter.
We will use this module to run an SMB version scan against the target IP address range
(10.10.10.5-20). To do so, issue the below commands:
• set RHOSTS 10.10.10.5-20
• set THREADS 11
Type run and press Enter to display the SMB versions of the target hosts.

While performing a scan using Nmap, we discovered that the FTP port 21 is open on the host
10.10.10.10 in the target network. Now, we will scan the target host to identify the FTP version.
Type back and press Enter. To load an FTP module, type use
auxiliary/scanner/ftp/ftp_version and press Enter.
Type set RHOSTS 10.10.10.10 and press Enter to specify the target host.

Type run and press Enter to initiate the FTP version identification scan.
The result appears, displaying the FTP version details of the target host, as shown in the
screenshot.
Type hosts and press Enter to view detailed information on active hosts in the target network.

You can further export this information to a CSV file. To do so, first type back, and then press
Enter. Now, type hosts -o /root/Desktop/Metasploit_Scan_Results.csv and press Enter.
Navigate to the ___location /root/Desktop and double-click the Metasploit_Scan_Results.csv file.
The CSV file appears, displaying detailed information on the active hosts in the target IP range.
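The db_import, hosts, services and hosts -o steps above amount to reading the -oX XML file and tabulating it. The following Python is an added example, not Metasploit's own code: it parses a constructed Nmap XML fragment (in the shape nmap -oX writes; hosts, MAC and OS names are made up) into the host and service tables and serialises the host table as CSV.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed, minimal Nmap XML in the shape `nmap -oX` writes (not a real scan; values are made up).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Test 10.10.10.0/24">
<host><status state="up"/><address addr="10.10.10.10" addrtype="ipv4"/>
 <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/><ports>
 <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
 <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
 <os><osmatch name="Microsoft Windows 10" accuracy="98"/></os></host>
<host><status state="up"/><address addr="10.10.10.16" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="10.0"/></port>
 <port protocol="tcp" portid="135"><state state="closed"/></port></ports>
 <os><osmatch name="Microsoft Windows Server 2016" accuracy="95"/></os></host>
<host><status state="down"/><address addr="10.10.10.12" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_hosts(xml_text):
    """One row per live host (address, MAC, best OS match), like the msf `hosts` table."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        if h.find("status").get("state") != "up":
            continue  # hosts that never answered carry no useful inventory
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        osm = h.find("os/osmatch")
        hosts.append({"address": addrs.get("ipv4"), "mac": addrs.get("mac", ""),
                      "os_name": osm.get("name") if osm is not None else ""})
    return hosts

def parse_services(xml_text):
    """One row per open port with its service banner, like the msf `services` table."""
    rows = []
    for h in ET.fromstring(xml_text).findall("host"):
        ip = next(a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4")
        for p in h.findall("ports/port"):
            svc = p.find("service")
            if p.find("state").get("state") != "open" or svc is None:
                continue  # closed/filtered ports are not services
            info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            rows.append({"host": ip, "port": int(p.get("portid")), "proto": p.get("protocol"),
                         "name": svc.get("name"), "info": info})
    return rows

def hosts_to_csv(hosts):
    """Serialise the host table as CSV text (what `hosts -o file.csv` writes to disk)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["address", "mac", "os_name"])
    w.writeheader(); w.writerows(hosts)
    return buf.getvalue()
```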
