NOTES:

$$ In order to prepare for this lab, you should have downloaded the two Lubuntu virtual machines; the first, named Linx, will be the one from which you will launch different security tools; the second, named Hare, will be used as the target.

$$ For Linx, the username is $$herzing$$ and the password $$Herzing$2021.$ You don$$t need to login into Hare, for all the required tasks will be done remotely.

$$ The IP addresses are $192\mathrm{.}168\mathrm{.}100\mathrm{.}11$ for Linx and $192\mathrm{.}168\mathrm{.}100\mathrm{.}12$ for Hare, none of them with outside communication to Internet.

$$ It$$s convenient to work as root, so once you open a command$-$line terminal, execute $$sudo su$$ to become root. You will be asked for the user$$s password you logged in with.

Please respond to the following questions:

tcpdump

$1.$ Try the command $$tcpdump $-$i enp$0$s$3-$c $4$ port $80$ on Linx. Wait at least for $60$ seconds. What is the destination IP of this traffic? What is the filename after the GET command?

$2.$ What command would you use to see only network traffic related to Hare $($supposing there were more endpoints on the network$)?$

wireshark

$3.$ Using wireshark and filtering the output of the traffic capture to see only FTP$-$related traffic, determine the username and password in the communication.

nmap

$4.$ Execute $$nmap $192\mathrm{.}168\mathrm{.}100\mathrm{.}12$ on Linx. How many open ports there are and what are the corresponding services?

$5.$ Execute now $$nmap $-$p$25192\mathrm{.}168\mathrm{.}100\mathrm{.}12.$ What is different with the smtp service? What does it mean?

$6.$ What command would look for endpoints with the port $22$ open in all the class C network using a TCP SYN scan $($hint: use $$man nmap$$ for help$)?$

nikto

$7.$ Using nikto against Hare determine the Apache version $($hint: use $$nikto $-$h$$ for help$).$

$8.$ What are the allowed HTTP methods?

john

$9.$ Now that you have credentials to connect by FTP$,$ execute $$ftp $192\mathrm{.}168\mathrm{.}100\mathrm{.}12,$ use them. Then, when in the ftp$>$ prompt is shown, list all files with $$ls$$ or $$dir$$ and download the only available file with $$get creds.web$.$

Use John the Ripper $($john filename$)$ to crack the password of the user webadmin. What is this user$$s password?

$10.$ Open a web browser $($world map icon at the bottom$)$ and get to $$http:$//192\mathrm{.}168\mathrm{.}100\mathrm{.}12/$private$.$ You need the username webadmin and the password you just cracked. What message did you get on the browser?