Chapter 7 – Utilizing VMWare
One of the easiest ways for you to build different environments that you can
learn to hack in is by using VMWare. But what does this software actually do?
VMWare allows you to run what are called ‘virtual machines.’ Essentially it has the
power to virtualize entire operating systems so you don’t have to wipe the
operating system off your host computer and install a completely new one to get
started hacking. Sometimes newbies who want to get started hacking may try to
install an operating system such as Kali Linux in addition to their host operating
system such as Windows. The only problem is that one configuration mistake
with the installation could cause a user to lock themselves out of their Windows
operating system completely.
Other times they may even accidentally repartition their hard drive and wipe out
all of their old files. This is a huge headache, but installing VMWare will solve
these problems and allow you to run multiple operating systems simultaneously.
The good news is that VMWare Player is free to use and easy to install. You can
find the release notes and download link for VMWare Player on VMWare’s
website, and you will want to download and install this program for some of the
demos later in this book.
It is assumed that you have the ability to install basic software, so we won’t get
into the VMWare installation process. It’s pretty darn simple, and all you need to
do is follow the installation wizard. Also, you could be installing this software on
different platforms, and the installation steps would change. If you need help
installing this software, you can find help on the VMWare website for your
given operating system.
After you have downloaded and installed VMWare, you need to download
operating system images to run in VMWare. More specifically, you should go
ahead and download Ubuntu Linux and Kali Linux images. You can find VMWare
images of both distributions for free online.
After you have downloaded an image, to install it you need to run VMWare Player.
Then click Player => File => New Virtual Machine and browse to the image you
downloaded. Alternatively, you can just hit Ctrl + N after you have opened
VMware. When you first install a new image in VMWare, it will ask you to
name it. Personally, I just name the virtual machine the same name as the
operating system to keep things straight.
Once the image has been successfully downloaded and you install it in
VMWare, the VMWare application will go through the installation procedure
exactly as if you were trying to install that operating system on your computer,
but it will install it within your host environment. As you proceed through the
installation process, portions of the procedure will ask you if you want to install
a variety of packages. Make sure that you select all of the packages that are
described as ‘security’ or ‘penetration testing’ packages. If you fail to install
these packages, you will need to go through the installation processes
individually for the demonstrations that I walk you through later, such as NMAP.
If you have any trouble installing your operating system in VMWare, all you
need to do is follow the guide on the Kali Linux or Ubuntu sites.
You should also have an idea of the intended uses for each operating system.
Ubuntu is designed to be an easy-to-use replacement for other desktop operating
systems such as Windows. It is well-suited for everyday use, and you don’t need
to be a Linux expert to use it. As such, it is a great environment to expand your
Linux skills and it offers plenty of different penetration testing tools, scanners,
and hacking programs. However, you should also know about Kali Linux. Kali
was specifically designed with hacking in mind, and the security packages
contained in the VMWare image are mostly geared towards providing users with
tools that facilitate hacking. However, it is a little more challenging to use if you
haven’t been exposed to Linux already, and much of its power is found at the
command line.
Each different VMWare image and Linux distribution has different default
usernames and passwords. You can check the defaults on the website where you
downloaded the image, but they are most typically ‘root’ and ‘toor’ or
‘username’ and ‘password.’ If you wish, you can create additional user accounts
but this isn’t necessary as we will only be using these operating systems to run
some demos.
Though I would personally recommend that you take full advantage of VMWare
to virtualize Linux operating systems to provide you with hacking tools, you do
have an alternative. Many Linux distributions can be downloaded and burned to
a CD or DVD. These are called ‘live boot’ images because all you need to do is
pop the disk in your computer, reboot it, and voila. Your computer will boot to
the Linux operating system contained on the disc. Some versions of Linux are so
small and lightweight that you can even boot from a flash drive. However, there
is one caveat with these live boot images. Your computer may or may not be
configured to boot from the hard drive before the disc drive or USB port. If this
is the case for your computer, you would first need to change the boot order of
these devices. It is a little difficult to explain this procedure since every make
and model of computer and laptop has a slightly different process, but you
can Google this procedure for your make and model of computing device to
change the boot order to accommodate a live Linux CD or DVD. Personally, I
prefer VMWare because you can switch between your host operating system
(Windows in my case) and your virtual machines without needing to reboot your
computer.
Lastly, if you want to get your feet wet hacking, I highly advise you take the
time it takes to get your Linux environments set up. Most of the demos we will
be running in this book will be from a Linux operating system. Note that while
many of these tools have versions that work with Windows, Linux is still the
preferred operating environment for hackers because it is more secure and offers
access to more code and hacking tools than Windows does.
Chapter 8 – Introduction to Ping Sweeps, Port Scanning, and NMAP
It’s finally time to dig into the good stuff! In this chapter I will walk you through
how to perform network scanning and reconnaissance techniques using a
program called NMAP. This is the program that the hackers in the movies like to
flaunt, and it is fairly easy to use. The whole point of NMAP is to feel out a
network and scan it to discover active devices, open ports, and other vital
information such as which operating system the host is running. In the network
penetration and hacking world, this is referred to as network mapping,
footprinting, or reconnaissance.
Without these tools, you are essentially blind on any given network and you
would have a hard time attacking anything since you wouldn’t be able to see any
targets. Also, think just how important it is to know what operating system a host
is using. Exploits come and go, and new ones are constantly surfacing as new
operating systems are developed or patches are applied. For example, with each
new version of Windows, there are countless security vulnerabilities that are
slowly identified and patched over time. By knowing the operating system
version on a host, you could use a tool such as Metasploit to search for active
vulnerabilities and exploit them.
Once an attacker has gained access to a network, there are a lot of things they
can do to prepare an attack. The following are some of the more common
footprinting goals:
-Gather information
-Find the local subnet’s IP address structure
-Search for networking devices such as a router, switch, or firewall
-Identify active hosts on the network such as end user workstations
-Discover open ports and access points
-Find out detailed information regarding the operating systems on active machines
-Discover the type of device such as a laptop, tablet, smartphone, or server
-Map the local network
-Capture network traffic
Even if you don’t have an advanced degree in computing, Linux software and
network penetration programs are becoming so sophisticated that it is
unbelievably simple to carry out these footprinting tasks. The only things you
need are a Linux system (see chapter 6), the right software, a rudimentary
understanding of networking concepts (see chapter 5), and a guide. The rest of
this chapter will focus on using NMAP to feel out and map a network. Contrary
to the old adage, remember to try this at home! Don’t use the knowledge in this
chapter to start poking around the network at your office or in a public setting.
Respect others’ privacy or there may be harsh consequences.
Ping Sweeps
The first and easiest technique you need to understand is called a ping sweep. A
ping sweep is a useful way to identify active machines on a given subnet. If you
aren’t familiar with a ping operation, let’s take a moment to explain this concept.
A ping is a message defined by ICMP (Internet Control Message Protocol), and it is
frequently used to determine if two hosts have an end-to-end connection. The
host that initiates the ping sends a small packet called an ICMP echo request.
If the target host is online and has a connection, it answers with an ICMP echo
reply to the host that initiated the ping. This will show you that the host is online
and that it isn’t suffering from connection problems over the network between
the two hosts.
If you really wanted to, you could manually go through each IP address on your
network and ping it from your computer to see what IP addresses other hosts on
the network are using. In reality though, this simply isn’t feasible. It would be
very tedious and time consuming trying to ping hundreds of individual IP
addresses to see if any hosts are online. This is why ping sweeps are so useful –
they allow you to ping every valid IP address on a subnet automatically. After
the sweep has been completed, NMAP will return a list of all the addresses that
replied to the ping and allow you to see the IP addresses of other active hosts on
the scanned network.
However, there are a couple caveats to ping sweeps. They don’t always show
you every single host attached to a network. There are a few reasons why a host
might not respond to a ping sweep. Firstly, it could be possible that a host’s
network card is faulty or broken in some way. Secondly, there could be
problems on the network between your host and the target subnet that prevent
the ping from completing successfully. Lastly (and most importantly), network
admins sometimes configure hosts to not respond to pings for the sole purpose of
keeping them from being identified by a ping sweep. In some instances, your
ping might also have to pass through a firewall that doesn’t allow ICMP traffic.
These are the exceptions, though, and not the rule. It is rare that a host would not
respond to a ping, and the vast majority of active hosts will show up in a ping
sweep. This is especially true if you are performing a ping sweep on the subnet
that your computer is directly connected to.
Operating System Identification
Yet another useful feature of the NMAP utility is the ability to identify the
operating systems that active hosts are using. Though you may not think so at
first, this is actually some critical information. After you know what operating
system and code version a host is using, you can then search databases using
tools such as Metasploit to identify weaknesses and vulnerabilities. Furthermore,
NMAP will be able to tell you the model of device a host is using. This is also
critical because it will help you discern what type of devices are present such as
host computers, tablets, phones, infrastructure devices, hardware appliances,
printers, routers, switches, and even firewalls.
Port Scanning
Port scanning is a little different from a ping sweep. With port scanning, the goal
is to find what port(s) are open on a whole subnet or a single host. For example,
you could perform a port scan on your local subnet to see if any hosts are
accepting connections on port 80 (HTTP). This is a great way to see if you can
access any networking devices such as a wireless router, printer, or a firewall.
Because these types of devices typically have web configuration interfaces, any
hosts that are accepting connections on port 80 (HTTP) will show you a login
prompt if you type their IP address into a web browser. For example, if your port
scan revealed that the host 192.168.1.1 (this is most likely the default address of
your wireless router) is accepting connections on port 80, you could reach its
login interface by typing http://192.168.1.1 in your web browser. This will
initiate a connection on port 80 for the host 192.168.1.1 (see chapter 5 for
networking fundamentals, IP addresses, and ports).
It is likely that the administrator changed the default username and password for
that device, but you would be surprised how frequently people fail to do this
because they are inexperienced, lazy, or just plain ignorant of the massive
security risk they encounter by leaving the username and password set to default
values. If you wanted to, you could even use NMAP to find what type of
firmware the networking device is running as well as the model number. Then
all you need to do is perform a quick Google search to find the default values
and attempt to log in to the device. But this is just one simple example of port
scanning. You could even scan a single host to see all of the ports that are
accepting connections. And port scanning goes well outside the realm of
scanning port 80 to see if you can pull up a web interface. Some open ports
expose services with flaws in a protocol or system that an attacker can use to
escalate their privileges or even deny the target the use of network services.
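The ping sweeps and port scans described in this chapter leave a recognisable footprint on the target network, and the flip side of knowing how they work is being able to spot them. The following is an added example for the ping sweep and port scanning sections; it is not code from the book or from NMAP. It parses iptables-style firewall LOG lines (a constructed sample is embedded) and flags a source that sends ICMP echo requests to many different hosts in a short window, or SYNs to many different ports on a single host. The thresholds (five hosts or ports within ten seconds) are assumptions a defender would tune, not anything from the chapter.

```python
"""Spotting ping sweeps and port scans in firewall logs (added example).

Parses iptables-style LOG lines and flags a source that sends ICMP echo
requests to many distinct hosts in a short window (ping sweep) or TCP/UDP
probes to many distinct ports on one host (port scan). Sample log lines are
constructed for the demo; thresholds are assumptions, not tool defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.168.1.20 is an ordinary client (one ping, one web
# request); 192.168.1.50 sweeps six hosts with ICMP echo requests and then
# probes six ports on 192.168.1.1. One non-packet line tests the parser.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.20 LEN=84 TTL=64 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 SYN URGP=0
Jan 10 12:00:05 fw sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 51002 ssh2
Jan 10 12:00:10 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan 10 12:00:10 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.2 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2
Jan 10 12:00:10 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.3 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=3
Jan 10 12:00:11 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.4 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=4
Jan 10 12:00:11 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.5 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=5
Jan 10 12:00:11 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.6 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=6
Jan 10 12:00:20 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=21 WINDOW=29200 SYN URGP=0
Jan 10 12:00:20 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 SYN URGP=0
Jan 10 12:00:20 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 SYN URGP=0
Jan 10 12:00:20 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 SYN URGP=0
Jan 10 12:00:20 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 SYN URGP=0
Jan 10 12:00:20 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=8080 WINDOW=29200 SYN URGP=0
"""

# Fields we need from an iptables LOG line; everything else is skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)"
    r"(?: TYPE=(?P<type>\d+))?"        # ICMP only: 8 = echo request, 0 = echo reply
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"  # TCP/UDP only: destination port
)


def parse_line(line):
    """Return a dict of the needed fields, or None for non-packet lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # syslog has no year
    return rec


def max_distinct_in_window(events, window):
    """Largest number of distinct values seen inside any span of length `window`.

    `events` is a list of (timestamp, value) pairs; O(n^2) is fine for a demo.
    """
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        seen = {v for ts, v in events[i:] if ts - start <= window}
        best = max(best, len(seen))
    return best


def detect_recon(lines, window=timedelta(seconds=10), sweep_hosts=5, scan_ports=5):
    """Return alert dicts for ping sweeps and port scans found in the log lines."""
    echo_targets = defaultdict(list)  # src -> [(ts, dst)] for ICMP echo requests
    port_probes = defaultdict(list)   # (src, dst) -> [(ts, dport)] for TCP/UDP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "ICMP" and rec["type"] == "8":
            echo_targets[rec["src"]].append((rec["ts"], rec["dst"]))
        elif rec["proto"] in ("TCP", "UDP") and rec["dpt"]:
            port_probes[(rec["src"], rec["dst"])].append((rec["ts"], int(rec["dpt"])))

    alerts = []
    for src, events in echo_targets.items():
        n = max_distinct_in_window(events, window)
        if n >= sweep_hosts:
            alerts.append({"kind": "ping_sweep", "src": src, "dst": None, "count": n})
    for (src, dst), events in port_probes.items():
        n = max_distinct_in_window(events, window)
        if n >= scan_ports:
            alerts.append({"kind": "port_scan", "src": src, "dst": dst, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample it reports two alerts, both for 192.168.1.50: a ping sweep touching six hosts and a port scan hitting six ports on 192.168.1.1, while the ordinary client and the echo reply are ignored. The same caveats the chapter gives for the attacker apply to the defender: a slow scan spread over minutes slips under a ten-second window, and hosts that never log ICMP will not show the sweep at all, so the window and thresholds need tuning for the network being watched.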