Lab 1 - OSINT Tools
School: University of Cincinnati, Main Campus
Course: 4076
Subject: Information Systems
Date: Feb 20, 2024
IT 4076C – Penetration Testing
Name: Johnny Makris
Lab 1 – OSINT Tools
Warning: Any use of penetration testing techniques on a live network could result in expulsion and/or criminal prosecution. Techniques are to be used in lab environments, for educational use only or on networks for which you have explicit permission to test its defenses.
Introduction: In this lab we will explore using some of the various tools used in Open Source Intelligence gathering. Follow the steps below and answer all questions in your own words with as much detail as possible. Paste screenshots where requested. Upload this entire document to Blackboard. Include your username in the filename.
Virtual Environment Needed: Kali Linux with a NAT connection to the internet. (If using your own equipment, do not use a bridged connection. This will place the system directly on the network your workstation is attached to.) If you are using the Sandbox, be sure all other systems are powered off.
Part One: Passive Recon
Run a whois command on nmap.org.
1. Paste a screenshot of all the information that you received. (2 Points)
2. What specific information from this command could be useful to a penetration tester and should be documented? (4 Points)
The command displays information about the organization, including its name, phone number, and email address, as well as registration dates. Furthermore, information about the target's IP address range, Autonomous System Number (ASN), and geographic location provides a thorough understanding of its infrastructure. In particular, recording this data helps penetration testers create a target profile, estimate how long the target will be online, and find potential security holes. The gathered information boosts the overall efficacy of the penetration testing process by helping to create comprehensive reports for clients.
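To show how the fields named in the answer above are pulled out of raw whois output and written into recon notes, here is an added example that is not part of the lab or of the whois tool. The record it parses is constructed for illustration and is not nmap.org's real registration data.

```python
from datetime import datetime, timezone

# Constructed whois record for illustration only; it is NOT nmap.org's real data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Creation Date: 2001-03-15T10:22:00Z
Registry Expiry Date: 2030-03-15T10:22:00Z
Registrant Organization: Example Org Holdings
Name Server: NS1.EXAMPLE.ORG
Name Server: NS2.EXAMPLE.ORG
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-02-20T00:00:00Z <<<
"""

MULTI_VALUED = {"Name Server"}  # keys that legitimately repeat

def _iso(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in MULTI_VALUED:
            record.setdefault(key, []).append(value)
        else:
            record.setdefault(key, value)  # first occurrence wins
    return record

def recon_profile(record, today=None):
    """The subset a tester writes down: who runs the domain, where abuse reports
    go, which name servers to enumerate next, and how long the registration has
    left (a lapsed registration is a domain-takeover risk worth flagging)."""
    now = _iso(today) if today else datetime.now(timezone.utc)
    return {
        "domain": record["Domain Name"].lower(),
        "registrar": record["Registrar"],
        "abuse_contact": record.get("Registrar Abuse Contact Email"),
        "registrant_org": record.get("Registrant Organization"),
        "name_servers": [ns.lower() for ns in record.get("Name Server", [])],
        "dnssec": record.get("DNSSEC"),
        "days_to_expiry": (_iso(record["Registry Expiry Date"]) - now).days,
    }
```

The name servers in the profile are the natural next input for the DNS enumeration discussed in question 5, and the abuse contact is who a defender expects to hear from if scanning is reported.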
3. What other tools/services could you use to find similar information? (2 Points)
Some other tools and services that can display information and give an overview similar to “whoami” can be applications such as Dig. Also, reverse DNS lookup tools like Nslookup, Shodan for internet-connected device information, and threat intelligence platforms like VirusTotal contribute to understanding the reputation and historical behavior of IP addresses and domains. Additionally, IP geolocation services and network scanning tools like Nmap provide geographical and network-related insights, enhancing the overall reconnaissance process. Combining these tools allows penetration testers to comprehensively analyze a target's online presence and potential vulnerabilities.
4. Linux Review Question: How can you find out more information about a command line tool, such as options, syntax, and examples? (2 Points)
By adding --help to the tool's name, you can use the built-in help command in Influx to get more details about a command-line tool. For instance, you would type influx --help to get information on the influx command. The syntax, usage examples, and available options will all be shown by this command. Furthermore, Influx documentation and command-line tool-specific websites can provide deeper insights into the tool's features and recommended procedures.
5. List 3 additional ways a penetration tester can enumerate and find additional IP/network space given a single domain. (4 Points)
Several methods are used by penetration testers to list and find more IP addresses and network space connected to a particular domain. They can start by using Google Dorking tactics, which involve using sophisticated search queries to find content that has been indexed to the target domain. Using this method could turn up publicly accessible files, directories, or data breaches that disclose more IP addresses and network information. Exploiting web server errors, including accessing secret directories or improperly configured virtual hosts, is another technique that can reveal more IP addresses connected to the target domain.
Moreover, DNS brute-force attacks can be used to repeatedly guess and query the target domain's subdomains, which may uncover hidden or disregarded network resources. In addition, authoritative name servers and related IP addresses may be found by taking advantage of DNSSEC misconfigurations. Social engineering and Open-Source Intelligence (OSINT) approaches can be useful in obtaining information on other intellectual property domains. This information can be obtained from publicly accessible sources or by manipulating individuals within the organization.
Finally, penetration testers can search for devices and services linked to the target domain by utilizing services like Censys or Shodan, which give them a more comprehensive picture of the network environment. Penetration testers can uncover potential attack vectors and improve the overall efficacy of the penetration testing process by using these techniques to thoroughly enumerate and evaluate the target's IP and network space.
Using Google Dorks, run a search and narrow the results to only include: all .gov TLDs, the term “password” inside the body of the page, the term “reset” in the URL, and only return .docx files.
6. What was the search query that you used? (2 Points)
site:gov intext:password inurl:reset filetype:docx
7. Paste a screenshot of the results of the Google Dorks search. (2 Points)
8. Explain two ways a penetration tester could gather e-mail addresses of key employees. (4 Points)
Penetration testers may use social engineering strategies, such as pretexting or phishing campaigns, to fool important employees into disclosing their email addresses. Through the creation of believable emails or communications that seem authentic, testers can take advantage of human weaknesses and obtain private data. In order to help identify possible targets for simulated assaults, testers may also use publicly accessible data and reconnaissance tools to gather an extensive list of important employees' email addresses from a variety of web sources.
Gaining access to email servers so they can instantly retrieve important employees' email addresses from corporate databases is another way. This method requires technical expertise to locate and take advantage of security configuration flaws in order to obtain unauthorized access and retrieve private data, including email addresses, for evaluation.
9. Why would a list of e-mail addresses be useful to a penetration tester? (4 Points)
A penetration tester can conduct targeted simulated attacks on an organization's security system using a collection of email addresses, which is a core resource. First, the tester can determine which important employees are vulnerable to social engineering attacks by creating believable phishing emails using the email addresses. Second, by using the email addresses as a starting point for person profiling and reconnaissance, possible vulnerabilities in the organization's security posture might be found. A thorough list also makes it possible for penetration testers to create more complex and realistic threat scenarios, evaluating how effectively the organization's defenses can survive a range of attack methods. All things considered, penetration testers need a collection of email addresses in order to simulate actual cyberthreats.
Run a search on Shodan to return results that have an Ubuntu server running with port 22 open and based in Cincinnati, OH.
10. Paste a screenshot of your results. (2 Points)
11. What version of SSH is running on the first returned result? (2 Points)
SSH 2 OpenSSH 9.5/9.5p1 would be my guess.
Part Two: Active Recon
Run an nmap scan against scanme.nmap.org.
12. Paste a screenshot of the results. (2 Points)
13. Explain what information from this scan may be useful to a penetration tester. (4 Points)
Penetration testers scan scanme.nmap.org to obtain critical data in order to evaluate the security of the system. The results aid in understanding possible access points by identifying open ports and related services. In order to identify vulnerabilities, testers also gather information about service versions and do operating system fingerprinting. Targeted attack planning is aided by firewall detection, network topology analysis, and live host confirmation. In addition, the scan analyzes intrusion detection/prevention systems, rate limiting, and data leak risk. It's crucial that penetration testers carry out these evaluations sensibly and with express consent in order to allay moral and legal worries.
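The answer above lists what to record from a scan; the added example below (not the lab's or nmap's code) parses a constructed sample of nmap's normal output from a version (-sV) and OS (-O) scan into exactly those items: open services with their banners, filtered ports that hint at a firewall, and the OS guess. The host name, IP and banners in the sample are made up, reusing only the OpenSSH and Apache versions the lab mentions.

```python
import re

# Constructed sample of nmap -sV -O normal output; not a real scan result.
# Host name and IP (RFC 5737 documentation range) are made up.
SAMPLE_NMAP = """\
Starting Nmap ( https://nmap.org )
Nmap scan report for target.example (203.0.113.10)
Host is up (0.012s latency).
Not shown: 10 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 9.5p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.58 ((Ubuntu))
443/tcp  filtered https
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text):
    """Pull the host line, the port table and the OS guess out of normal output."""
    report = {"host": None, "ip": None, "ports": [], "os": None}
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+) \((\S+)\)", line)
        if m:
            report["host"], report["ip"] = m.group(1), m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append({"port": int(port), "proto": proto,
                                    "state": state, "service": service,
                                    "version": version or ""})
            continue
        if line.startswith("OS details:"):
            report["os"] = line.split(":", 1)[1].strip()
    return report

def findings(report):
    """What goes into the recon notes: each open service with its banner, the
    filtered ports (a firewall is dropping probes), and the fingerprinted OS."""
    open_services = [f"{p['port']}/{p['proto']} {p['service']} {p['version']}".strip()
                     for p in report["ports"] if p["state"] == "open"]
    filtered = [p["port"] for p in report["ports"] if p["state"] == "filtered"]
    return {"open_services": open_services, "filtered_ports": filtered,
            "os_guess": report["os"]}
```

The same banners are what a defender compares against the patch inventory: a service version visible on the wire is the first thing an attacker matches against known vulnerabilities.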
Run another nmap scan against scanme.nmap.org. This time include the options for version detection, the top 13 ports, and operating system detection.
14. Paste a screenshot of the results. (2 Points)
My Sandbox won't load :/ tried for three hours. But after question 11, it stopped working.
15. What OS is this system running (Best guess)? (1 Point)
My guess would be Linux or Unix OS.
16. What version of Apache is this system running? (1 Point)
The Apache version running on the system would be 2.4.58.
17. What happens if nmap itself cannot determine if a host is alive or not? (2 Points)
18. How could you bypass the above behavior? (2 Points)
The accuracy and comprehensiveness of the scan results may be impacted if Nmap is unable to ascertain whether a host is alive or not. The subsequent scanning and enumeration procedures could be jeopardized in the absence of proof of a live host, which could result in missed vulnerabilities or false positives. Nmap uses a variety of methods, including TCP connections, ICMP probes, and other techniques, to detect host availability; however, these checks may be impeded by network setups, firewalls, or deliberate filtering. In some situations, the absence of host confirmation creates ambiguity, and more debugging and other techniques might be needed to establish the host's status in order to do a thorough security evaluation.
19. Explain the difference between a -sS and -sT scan. Which is faster and why? (4 Points)
The primary distinction between an Nmap -sS and -sT scan is how they go about connecting to target hosts. During a TCP SYN scan (-sS), Nmap sends SYN packets to establish a connection; however, it does not finish the handshake, leaving the connection partially open. In a TCP connect scan (-sT), Nmap tries to establish a connection by completing the three-way handshake. A TCP SYN scan (-sS) is typically quicker since it saves time and resources by stopping the connection from being established. Its speed advantage stems from its capacity to send and receive SYN-ACK and RST packets quickly, even before connections are fully established. This makes it more efficient and covert when scanning vast networks.
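To make the handshake difference concrete, here is an added toy model (not nmap's code and not part of the lab) of the TCP flags each scan type exchanges for an open and a closed port, and of what the target's listening service gets to see. It tracks only flags, not sequence numbers, retransmissions or timing, and uses a simplified one-round close for the connect scan.

```python
# Toy model of the TCP flag exchange behind nmap -sS and -sT. Added example, not
# nmap's own code: it tracks only flags, not sequence numbers, retries or timing,
# and uses a simplified one-round close for the connect scan.

def syn_scan(port_open):
    """-sS: send SYN, read the reply, never complete the handshake."""
    pkts = [("scanner", "SYN")]
    if port_open:
        pkts.append(("target", "SYN/ACK"))
        pkts.append(("scanner", "RST"))      # tear down the half-open state
    else:
        pkts.append(("target", "RST/ACK"))   # closed port answers with a reset
    return pkts

def connect_scan(port_open):
    """-sT: the OS connect() call completes the three-way handshake."""
    pkts = [("scanner", "SYN")]
    if port_open:
        pkts.append(("target", "SYN/ACK"))
        pkts.append(("scanner", "ACK"))      # handshake done, accept() returns
        pkts.append(("scanner", "FIN"))      # close() once the port is confirmed
        pkts.append(("target", "FIN/ACK"))   # simplified teardown
    else:
        pkts.append(("target", "RST/ACK"))
    return pkts

def service_sees_connection(pkts):
    """The listening application only gets a socket from accept(), and a chance
    to log the client address, once the scanner's ACK completes the handshake."""
    return ("scanner", "ACK") in pkts

def compare(ports):
    """ports maps port number -> is_open. Returns, per scan type, the packets
    on the wire and how many connections the target's services would observe."""
    out = {}
    for flag, scan in (("-sS", syn_scan), ("-sT", connect_scan)):
        exchanges = [scan(is_open) for is_open in ports.values()]
        out[flag] = {
            "packets": sum(len(e) for e in exchanges),
            "app_visible": sum(service_sees_connection(e) for e in exchanges),
        }
    return out

if __name__ == "__main__":
    # Constructed target: 22 and 80 open, 23 closed.
    print(compare({22: True, 80: True, 23: False}))
```

On a real host -sS needs raw-socket privileges (root on Kali) while -sT runs unprivileged, and the completed handshake of -sT is what shows up in the target service's own connection logs, which is why it is the noisier of the two for a defender watching application logs.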
20. Write a brief (1-3 paragraph) summary of what you learned in this lab. Please include any difficulties you had and how you resolved them. This feedback helps me improve future lab assignments. (2 Points)
As part of a digital forensics class assignment, I started looking at OSINT tools. A dull chapter on open-source intelligence in a textbook soon turned into an exciting treasure hunt in the digital jungle. The walls of the classroom appeared to dissolve with each new tool I learned, to be replaced by an exciting maze of internet knowledge. Social media trackers turned into enchanted maps that took me to obscure online spaces where hints pointed at undiscovered tales.
My first experience with OSINT tools came from a class assignment that turned a tedious textbook chapter into an exciting virtual treasure hunt. My curiosity was piqued by every new tool I learned to use, such as geolocation analyzers that revealed secrets and social media trackers that mapped out obscure online corners. Now that the task has been completed, the excitement of the hunt still endures, and OSINT's strength, like a beacon in my digital environment, calls me to continue learning and exploring, since each click could reveal a new mystery.
When I first started using Google, it was only a whisper in the expanse of the internet, an enigmatic yet alluring doorway to undiscovered search possibilities. With my interest piqued, I jumped into YouTube classes, anxious to figure out the mysterious language of out-of-the-ordinary questions. I quickly got skilled at creating my own operators, filters, and dorks, which were like spells that opened previously undiscovered web pages. Every successful search seemed like a personal victory, a finding extracted from the vast digital ocean. Internet discussion boards became invaluable partners, kindly offering their wisdom and best-kept secrets, igniting my passion for this virtual treasure hunt. Google dorking is now more than just a talent; it's a superpower that allows you to see things that are hidden.