forked from cliffe/SecGen
-
Notifications
You must be signed in to change notification settings - Fork 0
/
5_scanning.xml
132 lines (110 loc) · 5.19 KB
/
5_scanning.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Information Gathering: Scanning</name>
<author>Z. Cliffe Schreuders</author>
<description>
# Introduction
Information gathering and network scanning are processes aimed at understanding the structure of a network and identifying potential vulnerabilities, and ensuring the overall security of the network. Scanning a critical stage for an attacker, since it can give them the information they need in order to launch an attack. By delving into this lab, you will acquire essential knowledge and practical skills necessary for both defensive and offensive security strategies
This lab provides an in-depth exploration of scanning techniques. You will learn how to perform ping sweeps to identify live hosts on a network, create your own ping sweep bash script, and use Nmap (a popular and powerful open source tool) for host discovery. You will also explore the world of port scanning, creating your own port scanner using a bash script, and conducting SYN port scans. Additionally, you will gain insights into service identification through banner grabbing and protocol analysis, and discover methods to detect the operating system of a remote system. By the end of this lab, you will be equipped with a comprehensive understanding of network scanning techniques and will have hands-on experience in executing these scans to assess the security of target systems.
# Reading
[Chapter 2 Reconnaissance and Chapter 3 Scanning. Engebretson, P. (2011), The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Elsevier Inc. (ISBN: 978-1-59749-655-1) Available online via the library](http://www.sciencedirect.com/science/book/9781597496551)
</description>
<lab_sheet_url>https://docs.google.com/document/d/1KScKw7M4Bt_FE5F_2tI6tnK1NrKNAJkyh5F2TpOh9hA/edit?usp=sharing</lab_sheet_url>
<type>ctf-lab</type>
<type>lab-sheet</type>
<difficulty>easy</difficulty>
<CyBOK KA="AB" topic="Models">
<keyword>kill chains</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Malicious Activities by Malware">
<keyword>cyber kill chain</keyword>
</CyBOK>
<CyBOK KA="NS" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - NETWORK MAPPING - FINGERPRINTING</keyword>
<keyword>PENETRATION TESTING - NETWORK MAPPING - NMAP</keyword>
<keyword>PENETRATION TESTING - NETWORK MAPPING - PING</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - NETWORK MAPPING - RECONNAISSANCE</keyword>
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
</CyBOK>
<system>
<system_name>linux_victim_server</system_name>
<base distro="Debian 12" type="desktop" name="KDE"/>
<input into_datastore="IP_addresses">
<!-- 0 linux server -->
<value>172.16.0.10</value>
<!-- 1 kali -->
<value>172.16.0.2</value>
</input>
<!-- vulnerable distcc server -->
<vulnerability cve="CVE-2004-2687">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
<input into="leaked_filenames">
<value>flag</value>
</input>
</vulnerability>
<utility module_path=".*/nc_message">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</utility>
<utility module_path=".*/nc_message">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</utility>
<utility module_path=".*/nc_message">
<input into="strings_to_leak">
<encoder module_path=".*/base64">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</utility>
<service type="httpd" module_path=".*/apache$"/>
<service type="ftp"/>
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
<input into_datastore="spoiler_admin_pass">
<generator type="strong_password_generator"/>
</input>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
<system>
<system_name>kali</system_name>
<base distro="Kali" name="MSF"/>
<utility module_path=".*/parameterised_accounts">
<input into="accounts">
<value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
</utility>
<utility module_path=".*/metasploit_framework"/>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<!-- <utility module_path=".*/zenmap"/> -->
<utility module_path=".*/amap"/>
<network type="private_network" >
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
</scenario>