OSINT Techniques: Question – Answer

Posted: August 25th, 2021


Question 1: Using Nmap, scan the URL scanme.nmap.org

Network Mapper (Nmap) is an application used to explore a network and audit its security. The tool was initially developed for rapid scanning of large networks, but it works equally well against single hosts (Bazzell, 2014). It sends raw IP packets to determine which hosts exist on a network, the services they offer, the application names and versions behind those services, the operating system in use, and the kinds of packet filters or firewalls in place, among other characteristics (Bazzell, 2014). In this assessment, Nmap is used to scan the URL scanme.nmap.org. An Nmap scan lists critical information such as the ports table, which gives each port number and protocol, the service name, and the port state (Chauhan & Panda, 2015). A port's state is either open, closed/unfiltered, or filtered. The results of the scan are displayed in Figure 1 below.

Figure 1: Report of Nmap Scan for URL scanme.nmap.org

Command line: nmap scanme.nmap.org

a) Explain the meaning of the following ports

  • Open Port – an open port means that an application on the target machine is listening for connections or arriving packets. In the case above, Nmap has established that ports 22/tcp, 80/tcp, 9929/tcp, and 91337/tcp are open, implying that they are all listening for connections.
  • Closed Port – a closed port has no application listening on it, but it could be opened at any time (Chauhan & Panda, 2015). In the case shown in Figure 1, about 995 ports are closed, i.e., they lack an application listening for connections.
  • Filtered Port – a filtered port means that a filter, firewall, or other obstacle on the network is blocking the port, so Nmap cannot establish whether an application is listening or not (Chauhan & Panda, 2015). From the scan, only port 53/tcp is filtered, i.e., Nmap failed to establish whether it is listening.

Figure 2

b) Identify services running on ports 139 and 445 using Nmap

Running the command nmap -T4 -F 195.88.229.107 gives the following results for the two ports:

PORT      STATE   SERVICE
139/tcp   open    netbios-ssn
445/tcp   open    microsoft-ds

The -A option stands for aggressive scan; it tells Nmap to perform operating system (OS) detection and version detection. The -T4 option sets the timing template and tells Nmap to scan faster; timing templates range from 0, for slow systems, to 5, for the fastest operation. The -F option used above runs a fast scan that checks only the most common ports.

c) Perform OS detection, version detection, and a traceroute for the same URL

Once the aggressive command nmap -A -T4 scanme.nmap.org is run, the following results are obtained:

Figure 3: OS Detection

Figure 3 shows that the operating system (OS) is Linux; CPE: cpe:/o:linux:linux_kernel.

Figure 4: Version Detection

Figure 4 shows that the detected version is OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0).

Figure 5: Traceroute

Figure 5 shows the traceroute, which was obtained using port 80/tcp.
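To make the port states and the -A output above concrete, here is an added example (not code from this answer, and not part of Nmap) in Python that parses the shape of Nmap's normal output into state counts, listening ports and the OS CPE. The sample output, the host IP and the port list are constructed for the example; it also handles the open|filtered state, which the explanation above does not cover.

```python
import re
from collections import Counter

# Constructed Nmap normal-output sample in the shape of the scan discussed above.
# It is not a capture from the page: the host IP is a documentation address and
# the port list is illustrative (it includes an open|filtered port on purpose).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for scanme.nmap.org (192.0.2.10)
Host is up (0.18s latency).
Not shown: 995 closed ports
PORT      STATE         SERVICE    VERSION
22/tcp    open          ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
53/tcp    filtered      domain
80/tcp    open          http
9929/tcp  open          nping-echo
31337/tcp open|filtered Elite
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "Not shown: N <state> ports" collapses the ports sharing the most common state;
# newer Nmap writes "Not shown: N closed tcp ports (reset)", which also matches.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+)(?: \S+)? ports")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CPE_LINE = re.compile(r"CPE: (cpe:/\S+)")

def parse_nmap_report(text):
    """Parse the ports table, the 'Not shown' summary and the OS CPE into a dict."""
    ports, counts, cpe = [], Counter(), None
    for line in text.splitlines():
        if m := NOT_SHOWN.match(line):
            counts[m.group(2)] += int(m.group(1))
        elif m := PORT_LINE.match(line):
            number, proto, state, service, version = m.groups()
            ports.append({"port": int(number), "proto": proto, "state": state,
                          "service": service, "version": version or ""})
            counts[state] += 1
        elif m := CPE_LINE.search(line):
            cpe = m.group(1)
    return {"ports": ports, "counts": dict(counts), "cpe": cpe}

def listening_ports(report):
    """Ports with an application definitely listening: state 'open' only.
    'open|filtered' means Nmap could not tell open from filtered, so it is left out."""
    return [p["port"] for p in report["ports"] if p["state"] == "open"]

if __name__ == "__main__":
    report = parse_nmap_report(SAMPLE_NMAP_OUTPUT)
    print("state counts:", report["counts"])
    print("listening:", listening_ports(report), "OS CPE:", report["cpe"])
```

Feeding a real report saved with nmap -oN through the same parser gives a quick inventory of which of your own hosts' ports are open, filtered or undecided.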

Question 2: Using an open-source intelligence or reconnaissance method, identify all the email addresses publicly available for the domain @labtrobe.edu.au

To identify emails on the above public domain, the theHarvester tool is used to retrieve the information. The tool comes built into Linux (Layton & Watters, 2016). The following is the process involved in performing the email identification.

The tool is run from the Kali Linux terminal, with Google, Twitter and Bing as the main target sources. The following command was used to retrieve the emails from Google:

root@kali: # theharvester -d @labtrobe.edu.edu -l 500 -b google.com

The -d option specifies the domain for which information is required, -l limits the quantity of information (in this case 500 results), and -b specifies the source site, in this case Google.

Results on Google

The second step involved searching for emails connected to the same domain on Bing. The following command was used to complete the process, with the results shown below:

root@kali: # theharvester -d @labtrobe.edu.edu -l 500 -b bing.com

Figure 6: Emails found

Figure 7: Results on Bing

Lastly, the same process was repeated to retrieve emails registered on, or ever used with, the same domain on Twitter. The command used for Twitter is:

root@kali: # theharvester -d @labtrobe.edu.edu -l 500 -b twitter.com

The results are as follows:

Figure 8: Results on Twitter

A further search for emails connected to the same domain was run on Twitter. The following command was used to complete the process, with the results shown below:

root@kali: # theharvester -d @labtrobe.edu.edu -l 500 -b twitter.com

Figure 9: Results on Twitter
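As an added example (not part of the original answer, and not theHarvester's own code), the following Python function shows what the -d, -l and -b options above amount to once a source has returned text: keep only unique addresses in the target domain, tolerate the leading "@" that the commands pass to -d, and stop at the -l limit. The search-result text and every address in it are constructed for this example.

```python
import re

# Constructed stand-in for text returned by a source such as Google or Bing (-b).
# Every address here is made up; note the look-alike domain on the third line,
# which a naive substring check would wrongly count as in scope.
SAMPLE_RESULTS = """\
Contact the lab at Lab.Admin@labtrobe.edu.edu or admin@labtrobe.edu.edu (same person).
Student support: help@students.labtrobe.edu.edu
Unrelated: webmaster@example.org, noreply@labtrobe.edu.education
Alumni: alumni@LABTROBE.EDU.EDU
"""

# Deliberately simple address pattern; it is enough for harvested web text.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def harvest_emails(text, domain, limit=500, include_subdomains=True):
    """Return unique addresses in `domain`, in order of first appearance, at most `limit`.

    `domain` mirrors the -d value in the commands above: a leading '@' is stripped,
    and matching is case-insensitive. `limit` mirrors -l.
    """
    domain = domain.lstrip("@").lower()
    found = []
    for raw in EMAIL.findall(text):
        addr = raw.lower()                      # mailboxes compare case-insensitively
        host = addr.rsplit("@", 1)[1]
        in_scope = host == domain or (include_subdomains and host.endswith("." + domain))
        if in_scope and addr not in found:
            found.append(addr)
        if len(found) >= limit:                  # honour the -l style cap
            break
    return found

if __name__ == "__main__":
    for addr in harvest_emails(SAMPLE_RESULTS, "@labtrobe.edu.edu", limit=500):
        print(addr)
```

Run over pages an organisation already publishes, the same function gives a defender an inventory of which of its own addresses are exposed, which is the usual reason to reproduce a theHarvester-style check.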

References

Bazzell, M. (2014). Open source intelligence techniques: Resources for searching and analyzing online information. Charleston, SC: CCI Publishing.

Chauhan, S. & Panda, N. (2015). Hacking web intelligence: open source intelligence and web reconnaissance concepts and techniques. Waltham, MA: Syngress, an imprint of Elsevier.

Layton, R. & Watters, P. (2016). Automating open source intelligence: algorithms for OSINT. Waltham, MA: Elsevier.
