Saturday, 16 December 2017

Identifying the Target: Passive Reconnaissance in Kali Linux


Reconnaissance is the first step of the kill chain when conducting a penetration
test or an attack against a network or server target. An attacker will typically dedicate up to seventy-five percent of the overall work effort for a penetration test to reconnaissance, as it is this phase that allows the target to be defined, mapped, and explored for the vulnerabilities that will eventually lead to exploitation. There are two types of reconnaissance: passive reconnaissance, and active reconnaissance.

Passive reconnaissance is concerned with analyzing information that is openly available, usually from the target itself or public sources online. On accessing this information, the tester or attacker does not interact with the target in an unusual manner: requests and activities will not be logged, or will not be traced directly to the tester. Therefore, passive reconnaissance is conducted first to minimize the direct contact that may signal an impending attack or identify the attacker.

Basic principles of reconnaissance

Reconnaissance, or recon, is the first step of the kill chain when conducting a penetration test or attack against a data target. This is conducted before the actual test or attack of a target network. The findings will give a direction to where additional reconnaissance may be required, or the vulnerabilities to attack during the exploitation phase.
Reconnaissance activities are segmented on a gradient of interactivity with the target network or device:
i) Passive reconnaissance (no direct interaction)
ii) Normal interaction
iii) Active reconnaissance
Moving along this gradient yields more information, but with a greater chance of detection.

Passive reconnaissance does not involve direct interaction with the target network.
The attacker's source IP address and activities are not logged (for example, a Google
search for the target's e-mail addresses). It is difficult, if not impossible, for the target
to differentiate passive reconnaissance from normal business activities. In general, passive reconnaissance focuses on the business and regulatory environment, the company, and the employees. Information of this type is available on the Internet or other public sources, and is sometimes referred to as open source intelligence, or OSINT.

• Passive reconnaissance also involves the normal interactions that occur when an attacker interacts with the target in an expected manner. For example, an attacker will log on to the corporate website, view various pages, and download documents for further study. These interactions are expected user activities, and are rarely detected as a prelude to an attack on the target.
• Active reconnaissance involves direct queries or other interactions (for example, port scanning of the target network) that can trigger system alarms or allow the target to capture the attacker's IP address and activities. This information could be used to identify and arrest an attacker, or during legal proceedings. Active reconnaissance therefore requires additional techniques for the tester to remain undetected.

Penetration testers or attackers generally follow a process of structured information gathering, moving from a broad scope (the business and regulatory environments) to the very specific (user account data).
To be effective, testers should know exactly what they are looking for and how the data will be used before collection starts. Using passive reconnaissance and limiting the amount of data collected minimizes the risks of being detected by the target.
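The post notes that active reconnaissance such as port scanning trips alarms and records the source address, while passive and "normal interaction" activity blends in. The following is an added example (not part of the original post) of what such an alarm looks like on the defender's side: it parses constructed iptables-style log lines and flags any source that touches many distinct ports within a short window, leaving ordinary browsing unflagged.

```python
"""Flag active reconnaissance (port sweeps) in firewall logs.

Added example, not from the original post: the kind of alarm the passage says
active reconnaissance can trigger, run over constructed iptables-style lines.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: one host browsing normally (ports 80/443 over half an
# hour) and one host sweeping eight service ports in three seconds.
SAMPLE_LOG = """\
Dec 16 10:01:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
Dec 16 10:01:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
Dec 16 10:02:00 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21
Dec 16 10:02:00 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Dec 16 10:02:01 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
Dec 16 10:02:01 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25
Dec 16 10:02:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
Dec 16 10:02:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=139
Dec 16 10:02:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
Dec 16 10:02:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Dec 16 10:30:00 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*\bSRC=(\S+) .*\bDPT=(\d+)")


def parse_line(line: str) -> Optional[Tuple[datetime, str, int]]:
    """Extract (timestamp, source address, destination port), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only differences between them are used
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))


def find_port_sweeps(log: str, min_ports: int = 6, window_s: int = 60) -> Dict[str, List[int]]:
    """Return {source: sorted ports} for every source that touched at least
    min_ports distinct destination ports within some window_s-second window."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, port = parsed
            events[src].append((ts, port))
    hits: Dict[str, List[int]] = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window forward from each event
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```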

Thursday, 30 November 2017

Data Directories in Linux

DATA DIRECTORIES



Users can store personal or project data under /home. It is common (but not mandated by the Filesystem Hierarchy Standard) practice to name a user's home directory after the user name, in the format /home/$USERNAME. For example:
abc@lab0:~$ ls /home
imran farhan xyz umar
Besides giving every user (or every project or group) a location to store personal files, the home directory of a user also serves as a location to store the user profile. A typical Unix user profile contains many hidden files (files whose file name starts with a dot). The hidden files of the Unix user profiles contain settings specific for that user.
abc@lab07:~$ ls -d /home/imran/.*
/home/imran/.              /home/imran/.bash_profile  /home/imran/.ssh
/home/imran/..             /home/imran/.bashrc        /home/imran/.viminfo
/home/imran/.bash_history  /home/imran/.lesshst

/root

On many systems /root is the default location for the personal data and profile of the root user. If it does not exist by default, some administrators create it.

/srv

You may use /srv for data that is served by your system. The FILESYSTEM HIERARCHY STANDARD allows locating cvs, rsync, ftp and www data in this location. The FILESYSTEM HIERARCHY STANDARD also approves administrative naming in /srv, like /srv/project55/ftp and /srv/sales/www.
/export is used for this purpose on Sun Solaris (or Oracle Solaris).

/media

The /media directory serves as a mount point for removable media devices such as CD-ROMs, digital cameras, and various USB-attached devices. Since /media is rather new in the Unix world, you could very well encounter systems running without this directory. Solaris 9 does not have it; Solaris 10 does. Most Linux distributions today mount all removable media in /media.
imran@debian5:~$ ls /media/
cdrom cdrom0 usbdisk

/mnt

The /mnt directory should be empty and should only be used for temporary mount points (according to the FILESYSTEM HIERARCHY STANDARD). Unix and Linux administrators used to create many directories here, like /mnt/something/. You will likely encounter many systems with more than one directory created and/or mounted inside /mnt, used for various local and remote file systems.

/tmp

Applications and users should use /tmp to store temporary data when needed. Data stored in /tmp may use either disk space or RAM, both of which are managed by the operating system. Never use /tmp to store data that is important or which you wish to archive.

Wednesday, 29 November 2017

Samba Server Security Modes Red Hat Enterprise Linux 7

SAMBA SECURITY MODES

There are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels. Share-level security is deprecated and has been removed from Samba. Configurations containing this mode need to be migrated to use user-level security. User-level security can be implemented in one of three different ways. The different ways of implementing a security level are called security modes.

USER-LEVEL SECURITY

User-level security is the default and recommended setting for Samba. Even if the security = user directive is not listed in the /etc/samba/smb.conf file, it is used by Samba. If the server accepts the client's user name and password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based user name and password requests. The client maintains multiple authentication contexts by using a unique UID for each logon. In the /etc/samba/smb.conf file, the security = user directive that sets user-level security is:
[GLOBAL]
...
security = user
...

SAMBA GUEST SHARES

As mentioned above, share-level security mode is deprecated. To configure a Samba guest share without using the security = share parameter, follow the procedure below:

CONFIGURING SAMBA GUEST SHARES

1. Create a username map file, in this example /etc/samba/smbusers, and add the following line to it:
nobody = guest
2. Add the following directives to the main section in the /etc/samba/smb.conf file. Also, do not use the valid users directive:
[GLOBAL]
security = user
map to guest = Bad User
username map = /etc/samba/smbusers
...
The username map directive provides a path to the username map file specified in the previous step.
3. Add the following directive to the share section in the /etc/samba/smb.conf file. Do not use the valid users directive.
[SHARE]
...
guest ok = yes
...
The following sections describe other implementations of user-level security.

DOMAIN SECURITY MODE (USER-LEVEL SECURITY)

In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in the /etc/samba/smb.conf file:
[GLOBAL]
...
security = domain
workgroup = MARKETING
...

ACTIVE DIRECTORY SECURITY MODE (USER-LEVEL SECURITY)

If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets.
In the /etc/samba/smb.conf file, the following directives make Samba an Active Directory member server:
[GLOBAL]
...
security = ADS
realm = ABC.COM
password server = kerberos.abc.com
...

SHARE-LEVEL SECURITY

With share-level security, the server accepts only a password without an explicit user name from the client. The server expects a password for each share, independent of the user name. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. This mode is deprecated and has been removed from Samba. Configurations containing security = share should be updated to use user-level security.

SAMBA NETWORK BROWSING

Network browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood. Inside the Network Neighborhood, icons are represented as servers and if opened, the server's shares and printers that are available are displayed.
Network browsing capabilities require NetBIOS over TCP/IP. NetBIOS-based networking uses broadcast (UDP) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP/IP host name resolution, other methods such as static files (/etc/hosts) or DNS must be used. A domain master browser collates the browse lists from local master browsers on all subnets so that browsing can occur between workgroups and subnets. Also, the domain master browser should preferably be the local master browser for its own subnet.

DOMAIN BROWSING

By default, a Windows server PDC for a domain is also the domain master browser for that domain. A Samba server must not be set up as a domain master server in this type of situation. For subnets that do not include the Windows server PDC, a Samba server can be implemented as a local master browser. Configuring the /etc/samba/smb.conf file for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration.

WINS (Windows Internet Name Server)

Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows name resolution across networks. Without a WINS server, the UDP broadcast is limited to the local subnet and therefore cannot be routed to other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication. In a mixed NT/2000/2003/2008 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS.

The following is an example of the /etc/samba/smb.conf file in which the Samba server is serving as a WINS server:

EXAMPLE FOR CONFIGURATION OF WINS SERVER

[global]
wins support = yes

IMPORTANT NOTE

All servers (including Samba) should connect to a WINS server to resolve NetBIOS names. Without WINS, browsing only occurs on the local subnet. Furthermore, even if a domain-wide list is somehow obtained, hosts cannot be resolved for the client without WINS.

Monday, 27 November 2017

Configuring Samba server in Red Hat Enterprise Linux 7

CONFIGURING A SAMBA SERVER

The default configuration file (/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. You can attach a printer to the system and print to it from the Windows machines on your network.

GRAPHICAL CONFIGURATION

To configure Samba using a graphical interface, use one of the available Samba graphical user interfaces. A list of available GUIs can be found at the following address:

http://www.samba.org/samba/GUI/.

COMMAND-LINE CONFIGURATION

Samba uses /etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the following command, as root:
~]# systemctl restart smb.service
To specify the Windows workgroup and a brief description of the Samba server, edit the following lines in your /etc/samba/smb.conf file:
workgroup = WORKGROUPNAME
server string = BRIEF COMMENT ABOUT SERVER
Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.
To create a Samba share directory on your Linux system, add the following section to your /etc/samba/smb.conf file (after modifying it to reflect your needs and your system):

EXAMPLE CONFIGURATION OF A SAMBA SERVER
[sharename]
comment = Insert a comment here
path = /home/share/
valid users = abc xyz
writable = yes
create mask = 0765
The above example allows the users abc and xyz to read and write to the directory /home/share/, on the Samba server, from a Samba client.
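The share definition above, together with the security modes and guest-share procedure from the "Samba Server Security Modes" post, are all plain key = value lines in /etc/samba/smb.conf, so they can be checked mechanically before the daemon is restarted. The following is an added example, not Samba's own code or tooling: a minimal smb.conf parser plus an audit that flags the removed security = share mode, a guest share that still carries valid users or lacks map to guest in [global], and a writable share with no valid users restriction. The sample configuration is constructed for the example.

```python
"""Lint an smb.conf for the settings discussed in the posts above.

Added example, not Samba's own code: a minimal parser plus checks for the
removed share-level mode, guest-share prerequisites and writable shares.
"""
import re
from typing import Dict, List

# Constructed sample: a [global] still on the removed share-level mode, a guest
# share that wrongly sets 'valid users', and the two-user share from the post.
SAMPLE_SMB_CONF = """
[global]
   workgroup = MARKETING
   security = share
   map to guest = Bad User
   username map = /etc/samba/smbusers

[public]
   path = /srv/public
   guest ok = yes
   valid users = abc

[sharename]
   comment = Insert a comment here
   path = /home/share/
   valid users = abc xyz
   writable = yes
   create mask = 0765
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like smb.conf into {section: {key: value}}.

    Section names and keys are lower-cased; lines starting with '#' or ';'
    are comments. Synonyms such as 'writeable'/'read only' are not folded."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per deprecated or inconsistent setting."""
    findings: List[str] = []
    g = sections.get("global", {})
    shares = {n: s for n, s in sections.items() if n != "global"}
    # user-level security is Samba's default when the directive is absent
    if g.get("security", "user").lower() == "share":
        findings.append("global: 'security = share' has been removed; use 'security = user'")
    guest_shares = [n for n, s in shares.items() if s.get("guest ok", "no").lower() == "yes"]
    if guest_shares and "valid users" in g:
        findings.append("global: 'valid users' must not be set when offering guest shares")
    for name, sec in shares.items():
        if name in guest_shares:
            if "valid users" in sec:
                findings.append(f"{name}: guest share must not set 'valid users'")
            # 'map to guest' defaults to Never, which turns guest logons away
            if g.get("map to guest", "Never").lower() == "never":
                findings.append(f"{name}: guest share needs 'map to guest = Bad User' in [global]")
        if sec.get("writable", "no").lower() == "yes" and "valid users" not in sec:
            findings.append(f"{name}: writable share with no 'valid users' restriction")
    return findings
```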

ENCRYPTED PASSWORDS

Encrypted passwords are enabled by default because it is more secure to use them. To create a user with an encrypted password, use the smbpasswd utility:
smbpasswd -a username

STARTING AND STOPPING SAMBA

To start a Samba server, type the following command in a shell prompt, as root:
~]# systemctl start smb.service

IMPORTANT

To set up a domain member server, you must first join the domain or Active Directory using the net join command before starting the smb service. Also, it is recommended to run winbind before smbd.
To stop the server, type the following command in a shell prompt, as root:
~]# systemctl stop smb.service
The restart option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally. To restart the server, type the following command in a shell prompt, as root:
~]# systemctl restart smb.service
The condrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.

IMPORTANT NOTE

When the /etc/samba/smb.conf file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart or reload is just as effective.
To conditionally restart the server, type the following command, as root:
~]# systemctl try-restart smb.service
A manual reload of the /etc/samba/smb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command, as root:
~]# systemctl reload smb.service
By default, the smb service does not start automatically at boot time. To configure Samba to start at boot time, type the following at a shell prompt as root:

~]# systemctl enable smb.service

Saturday, 25 November 2017

Introduction to Samba Red Hat Enterprise Linux 7

SAMBA

Samba is the standard open source Windows interoperability suite of programs for Linux. It implements the server message block (SMB) protocol. SMB allows Microsoft Windows®, Linux, UNIX, and other operating systems to access files and printers shared from servers that support this protocol. Samba's use of SMB allows it to appear as a Windows server to Windows clients.

SAMBA PACKAGE CHECK ON SYSTEM

In order to use Samba, first ensure the samba package is installed on your system by running, as root:
~]# yum install samba

INTRODUCTION TO SAMBA

Samba is an important component to seamlessly integrate Linux Servers and Desktops into Active Directory (AD) environments. It can function both as a domain controller (NT4-style) or as a regular domain member (AD or NT4-style).

WHAT SAMBA CAN DO

Serve directory trees and printers to Linux, UNIX, and Windows clients
Assist in network browsing (with NetBIOS)
Authenticate Windows domain logins
Provide Windows Internet Name Service (WINS) name server resolution
Act as a Windows NT®-style Primary Domain Controller (PDC)
Act as a Backup Domain Controller (BDC) for a Samba-based PDC
Act as an Active Directory domain member server
Join a Windows NT/2000/2003/2008 PDC/Windows Server 2012

WHAT SAMBA CANNOT DO

Act as a BDC for a Windows PDC (and vice versa)
Act as an Active Directory domain controller

SAMBA DAEMONS AND RELATED SERVICES

Samba is comprised of three daemons (smbd, nmbd, and winbindd). Three services (smb, nmb, and winbind) control how the daemons are started, stopped, and other service-related features. These services act as different init scripts. Each daemon is listed in detail below, as well as which specific service has control over it.

smbd

The smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445. The smbd daemon is controlled by the smb service.

nmbd

The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137.
The nmbd daemon is controlled by the nmb service.

winbindd

The winbind service resolves user and group information received from a server running Windows NT, 2000, 2003, Windows Server 2008, or Windows Server 2012. This makes Windows user and group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain and Active Directory users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service.
The winbind daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. winbind is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and interdomain trust). winbind is a client-side service used to connect to Windows NT-based servers.

CONNECTING TO AN SMB SHARE

CONNECTING TO AN SMB SHARE USING THE NAUTILUS FILE MANAGER

The GNOME Nautilus file manager can be used to manually browse the network or to connect directly to a server message block (SMB) share.

BROWSING THE SMB NETWORK NEIGHBORHOOD

To browse the network and connect to an SMB share:
1. Select Places → Browse Network from the GNOME panel.
2. Double-click Windows Network to display the available domains and work groups.
3. Double-click the domain or work group name to display the hosts within this domain or workgroup.
4. Double-click a host entry to display the SMB shares.
If the server requires authentication, Nautilus displays a dialog to enter the user name and password.

DIRECTLY CONNECTING TO AN SMB HOST OR SHARE

If the host name of the SMB server is known and optionally the share name, you can enter it directly to connect to the share:
1. Open a Nautilus window. For example, select Places → Browse Network from the GNOME panel.
2. Press the Ctrl+L combination to enable the editable URL bar.
3. Enter smb://host_name into the URL bar and press Enter to list all SMB shares on this host.
Alternatively, enter smb://host_name/share_name to directly access a share.

CONNECTING TO AN SMB SHARE USING smbclient

The smbclient utility enables you to connect to an SMB share and perform operations, similar to an FTP client.
1. For example, to connect to Demo_Share share on the SMB-Server host and authenticate using the administrator user name, enter:
# smbclient //SMB-Server/Demo_Share -Uadministrator
2. After you have successfully logged in, enter help to display a list of available commands:
smb:\> help
For example, to change into the Example directory, enter:
smb:\> cd Example
3. To disconnect, enter:
smb:\> exit

MOUNTING THE SHARE

Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system. To mount a Samba share to a directory, create a directory to mount it to (if it does not already exist), and execute the following command as root:
mount -t cifs //servername/sharename /mnt/point/ -o username=username,password=password
This command mounts sharename from servername in the local directory /mnt/point/.
The mount.cifs utility is a separate RPM (independent from Samba). In order to use mount.cifs, first ensure the cifs-utils package is installed on your system by running, as root:
~]# yum install cifs-utils
The cifs-utils package also contains the cifs.upcall binary, which is called by the kernel in order to perform Kerberized CIFS mounts.

CAUTIONS
Some CIFS servers require plain text passwords for authentication. Support for plain text password authentication can be enabled using the following command as root:
~]# echo 0x37 > /proc/fs/cifs/SecurityFlags

IMPORTANT TO NOTE: This operation can expose passwords by removing password encryption.