LAB: nmap and gobuster

Want to start looking around? Here are some things to do: find the computers on your network (host detection), figure out what services they're offering (port scanning), and, if they have a website, try to find files and directories that aren't reachable by following links (web brute-forcing).

Don't do any of these things yet! You need permission before running any of these scans. These sections just give you syntax examples; see the questions below for specific instructions about what you are allowed to scan.

Host detection

After you figure out your IP address on the Carleton network, you can scan for other hosts with nearby IP addresses. For example, the other day my laptop was at 10.133.13.something. I could look for other 10.133.13.X's like so:

nmap -sn 10.133.13.0/24

The /24 means "vary the last 8 bits," i.e. 10.133.13.0 through 10.133.13.255. This takes a little while, and it doesn't by itself tell you anything about the devices it finds, just that they exist and answered nmap's host-discovery probes (ARP requests when you run it with sudo on the local network; otherwise ICMP echo plus TCP probes to ports 80 and 443). A machine that is up but configured to ignore those probes won't appear in the list, so "not found" is not the same as "not there."

Port scanning

To do a simple TCP port scan of the 1000 most commonly used ports, with service/version detection (-sV) on whatever turns out to be open:

nmap -sV TARGET_IP

There are lots of flags and options. For example, this will look for public web servers on all the 10.133.13.*'s (10.133.13.0-255 is the same range as 10.133.13.0/24, just written differently), checking only ports 80 and 443 on each host:

nmap -sV -p80,443 10.133.13.0-255

And here's one that gives you verbose output (-v, which includes periodic status reports about how far the scan has proceeded), skips the host discovery process if you already know the machine is up (-Pn), and goes super-fast even though that might overwhelm the server (--min-rate 10000, i.e. send at least 10,000 packets per second). Two caveats: without -Pn, nmap refuses to port-scan a host that didn't answer its discovery probes, so -Pn is also what you need when the target blocks ping; and scanning that fast on a shared network can drop packets, which nmap then reports as "filtered" ports, so if a fast scan looks odd, rerun it without --min-rate.

nmap -sV -v -Pn --min-rate 10000 TARGET_IP
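
The two stages above (find the hosts, then port-scan the hosts you found) are usually chained together, and nmap's "grepable" output format (-oG) makes that easy to script. The script below is an added example written for this page; it is not part of the lab, and not part of nmap. It runs on made-up scan output embedded in the script (the addresses, hostnames and service banners are constructed, not from a real scan), so it scans nothing and you can run it on Kali before you have permission to touch the network. The real nmap commands it is built around are shown in the comments.

```shell
#!/bin/sh
# Added example for this lab page (not part of the lab or of nmap): parse
# nmap's grepable (-oG) output so that host detection feeds the port scan.
# With permission, the real pipeline would be:
#   nmap -sn -oG hosts.gnmap 10.133.13.0/24
#   live_hosts < hosts.gnmap > targets.txt
#   nmap -sV -oG ports.gnmap -iL targets.txt
#   open_ports < ports.gnmap
# Here the scan output is CONSTRUCTED by hand (addresses and banners are
# invented) so the script runs offline without scanning anything.

TAB=$(printf '\t')   # -oG fields are tab-separated

# Constructed stand-in for `nmap -sn -oG -` output.
HOSTS_GNMAP="# Nmap 7.94 scan initiated (constructed sample)
Host: 10.133.13.1 ()${TAB}Status: Up
Host: 10.133.13.7 (printer.local)${TAB}Status: Up
Host: 10.133.13.42 ()${TAB}Status: Up
# Nmap done at (constructed sample) -- 256 IP addresses (3 hosts up) scanned"

# Constructed stand-in for `nmap -sV -oG -` output on those three hosts.
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/
PORTS_GNMAP="# Nmap 7.94 scan initiated (constructed sample)
Host: 10.133.13.1 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open/tcp//domain//dnsmasq 2.89/${TAB}Ignored State: closed (998)
Host: 10.133.13.7 (printer.local)${TAB}Ports: 80/open/tcp//http//lighttpd 1.4.71/, 631/open/tcp//ipp//CUPS 2.4/${TAB}Ignored State: filtered (998)
Host: 10.133.13.42 ()${TAB}Ports: 80/open/tcp//http//Apache httpd 2.4.57/, 443/open/tcp//ssl|http//Apache httpd 2.4.57/${TAB}Ignored State: closed (998)
# Nmap done at (constructed sample) -- 3 IP addresses (3 hosts up) scanned"

# live_hosts: read -sn grepable output on stdin and print one IP per line
# for every host reported Up. This is the target list for the next stage
# (what you'd hand to nmap with -iL).
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# open_ports: read -sV grepable output on stdin and print
#   ip port proto service version
# for every port in the open state; closed/filtered ports are dropped.
open_ports() {
    awk -F"$TAB" '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            ports = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s %s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }'
}

# web_servers: keep only the http-ish rows (plain http and ssl|http), which
# is the same question the "-p80,443" scan in the text is asking.
web_servers() {
    open_ports | awk '$4 ~ /http/'
}

echo "== live hosts (targets for the port scan) =="
printf '%s\n' "$HOSTS_GNMAP" | live_hosts
echo "== open ports and services =="
printf '%s\n' "$PORTS_GNMAP" | open_ports
echo "== web servers only =="
printf '%s\n' "$PORTS_GNMAP" | web_servers
```

On a real scan, note that hosts which ignored the discovery probes never make it into the target list, which is exactly the case where you would add -Pn and scan the address range directly instead.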

Web brute-forcing with gobuster

Suppose you want to find out what files and directories are hiding on a website even though they aren't linked from anywhere. We're going to use a tool called gobuster, which takes a wordlist of likely names, requests each one from the server, and reports the ones the server says exist. It works entirely from the outside, so it can find things even when we have no access to the server itself (for example, when we aren't able to upload a webshell).

If gobuster isn't installed on your installation of Kali, you can install it like so:

sudo apt update
sudo apt install gobuster

Here's a basic gobuster command that you can run on a default installation of Kali. The -u argument is the site to probe and -w is the wordlist of names to try; common.txt is a short list that ships with Kali's dirb package.

gobuster dir -u http://danger.jeffondich.com/ -w /usr/share/wordlists/dirb/common.txt

Sometimes gobuster has trouble contacting a site. If that happens to you (something like "unable to connect" or "Client.Timeout"), try replacing danger.jeffondich.com with its IP address. Keep in mind that this also changes the Host header gobuster sends with each request, so a server that serves several names from one address may answer differently; if that matters, put the IP in -u and keep the name with -H "Host: danger.jeffondich.com".
Your Carleton user name, lower case:

When Jeff did host detection, was it successful? Was your computer included?

Do a portscan on danger.jeffondich.com. Which ports are open, and what services are listening on those ports?

If your host OS has a Unix command line (e.g., macOS Terminal or Windows WSL), how can you tell whether you have nmap installed on your host OS?

Do a portscan of your Kali VM. Anything? (You can either do this from your host OS if you have nmap available there, or from Kali itself otherwise.)

Continuing the previous item, first launch apache2 on Kali (remember how?) and then redo the portscan. Anything now?

Install gobuster and then use it on http://danger.jeffondich.com/. What files and directories did you find?

Does gobuster search recursively? How do you know?