
Doing a Class-B?

[+] Hypothetical Scenario:
[+] You just joined a Company, Organization, or Enterprise and they want you to conduct an external penetration test or assessment of their perimeter.

[+] You have been tasked to assess and build a map of what assets are externally facing. Further, you need to scan a possible 65,534 hosts in the range. That means we have to cover 176.134.0-255.0-255.

[+] But you have one week to do it.

Oh no...

[+] Yeah, intense right? Well - let me assist you with some tactical ways of addressing this issue.

[+] First things first - schedule a meeting with your Stakeholders if they haven't already scheduled one for ya.

[+] I also have a fantastic Scoping Call Template that will assist you through the process of speaking with Stakeholders.

1. Introductions and Ice-Breaking:
"Let's start with introductions to ease any potential nerves." 

(It's common for stakeholders to feel apprehensive when interacting with cybersecurity professionals, even though our intentions are purely constructive.)


2. Purpose of the Scoping Call:
"Hey guys, do we're going to be discussing the purpose of this Scoping Call to emphasize its importance for this engagement and future engagements. Understanding the objectives and expectations early on ensures a smoother process from now, to our recon phases, active recon, analysis, and formal report."


3. Defining the Target Scope:
"What exactly is the target scope of our assessment? Are we focusing on a single application, or are we looking at a broader Class-C or Class-B assessment?"

Target Scope:


4. Whitelisting Considerations:
"Should we consider whitelisting or allowing specific IPs, Workstation-IDs, or Active Directory credentials? This approach would prevent IDS/IPS systems from flagging our activities as malicious, enabling us to comprehensively map the target scope without frequent interruptions to coordinate with the firewall team. Ultimately, this efficiency helps us adhere to our timeline. Just makes things smoother for everybody involved."

(Have your Workstation ID, AD Creds, and Public or Private IP address ready depending on whether it's an internal or external assessment.)


5. Concerns and Focus Areas:
"Are there any particular endpoints on your web servers that raise concerns or require special attention? Highlighting these areas early on will ensure they are thoroughly addressed in the formal report. Really, we just want to make sure that we aren't targeting sensitive assets with anything that could even potentially be destructive."

Concerns / Areas of Sensitivity:


6. Information for Grey-Box Assessments:
"If we're conducting a grey-box assessment, could you provide the port numbers for the services under review? Having this information upfront will help me and my team significantly enhance the efficiency and precision of our Host Discovery phase. What this means is that we can more accurately scan relevant hosts for purposes of discovery as opposed to wasting time with unassigned IPs, unused ports and services, etc."

Grey Box Information:


7. Contact Information for Key Personnel:
"Could you share the email addresses of the Project Leads, Team Leads, Technical Leads, or Project Managers? I'd like to share our Scoping Call notes to keep everyone informed and facilitate ongoing communication. This will be especially useful for urgent communications arising from the assessment and for distributing the formal report or other deliverables."

Key Personnel and Points of Contact:

[+] Okay great, so you can just copy and paste/use or modify that to your liking - but it's a start.
[+] Always grow your template for calls with Stakeholders and customize it to your Organization's needs.

[+] Okay great, so you got your template, you had your meeting.
[+] Now comes time for the engagement right?

[+] So the idea here is that we don't want to perform an nmap -p- scan to check for all 65,535 ports.
"Why not?"
[+] You'll be done next year.
[+] That's right - so we get the ports ahead of time in our Scoping Call with some recon - that way we can meet deadlines and at the same time cover an IP space of ~65,000 machines.
"That's kinda smart......"

"So what's the scan? We gonna use Nessus? OpenVAS? Qualys?"
[+] Nope.
"Why not?"
[+] Money and licensing - plus we want to be more surgical with our scans. That means straight Nmap.
"Okay I got Nmap, etc - but what about the reporting format? The Stakeholder wants a report."
[+] I got you covered.
[+] So basically you need a list that walks the full 0-255 range of both the third and fourth octets, in increments. For example, we have the range right?
"Okay I'm tracking."

[+] Super. So you need to create a flat-file called "full-scope.txt" that will look something like this (obviously replace the digits for the first and second octets with what your actual scope will be. In fact, the best way to do this is with a Bash Script to create your scope file.)

"Makes sense!"

[+] Yup 😉
(for the scenario/hypothetical range 176.134.x.x)

# Define the base IP (first two octets of the Class-B; replace with your own scope)
base="176.134"

# Loop through the third octet from 0 to 255, writing one /24 range per line
for i in {0..255}; do
    echo "$base.$i.0-255" >> full-scope.txt
done


[+] There, so now you have full-scope.txt
[+] We're not done yet.
"Right...right - okay following."

[+] Excellent. Now we're going to break this into two phases.

[+] Phase 1: Just find out what's alive down there. Pure host discovery - we aren't looking to check services, versions, mis-configs or anything else. We just want to know what's online and what's not with respect to our specific port numbers.

"Okay, so we just determine what's online first."
[+] Yes.
"Then we use whatever turned up out of those ~65,000 IPs into a separate scope file for actual enumeration?"

Phase 2: Throw enumeration at the identified alive hosts only.
[+] This will be a separate scope file that you will create after the first Host Discovery scan is done.

Nmap HOST DISCOVERY scan (Evasive - Phase 1):

nmap -p21,22,23,25,53,80,110,111,135,139,143,161,443,445,465,587,636,993,995,1433,1521,2222,3306,3389,3780,5432,5601,5900,5985,5986,6379,7001,8000,8080,8081,8088,8090,8443,8888,9200,9300,10000,10001,10050,10443,11211,20000,27000,27017,33848,50000,50030,50070,61616,62078 -T4 -sX -oA Host-Discovery-Report --webxml -iL full-scope.txt

Nmap scan (In the scenario of Allow-Listed Ahead of Time - Phase 1):

nmap -p21,22,23,25,53,80,110,111,135,139,143,161,443,445,465,587,636,993,995,1433,1521,2222,3306,3389,3780,5432,5601,5900,5985,5986,6379,7001,8000,8080,8081,8088,8090,8443,8888,9200,9300,10000,10001,10050,10443,11211,20000,27000,27017,33848,50000,50030,50070,61616,62078 -T4 -oA Host-Discovery-Report --webxml -iL full-scope.txt

[+] Ok dude, now you should have a report that you can open in a browser with "firefox Host-Discovery-Report.xml"

[+] The cool thing is now that we have our Host Discovery scan of this hypothetical Class-B done - we also have it in XML format. This means we can use bash to extract a list of Online Hosts to add to our new file.

[+] I tested this on my Internal LAN in order to show you how we can extract all the Online Hosts from the XML document in one single line.

[+] We also don't want duplicate IPs to be in our new scope file after having scanned for 48 hours or so.
"How do we fix that?"
[+] Pipe all the output from a ridiculous grep regex to "sort -u" of course.

Extract all IP addresses from your Host-Discovery-Report.xml and sort them unique, so that no duplicate IPs end up in your output.
$ grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' Host-Discovery-Report.xml |sort -u > ONLINE-ACTUAL-SCOPE.txt

Phase 2 (Perform your Enumeration of ports/services with SIMPLE SCRIPTS and a TCP Banner Grab at the least).
[+] After all, you'll end up having TONS of IPs return. Right? But you don't want to be TOO invasive - just enough to get back simple information that you can then either attack later or straight up drop and report on.

[+] Remember, this is a Class-B Engagement and that usually means a way for an Organization to understand and visualize their perimeter.

[+] Therefore, consider the -sV -sC options in your sweep of these ONLINE HOSTS. This is ultimately going to be up to you, but I can provide you an Nmap scan that will get you started in the right direction of course.

nmap -p21,22,23,25,53,80,110,111,135,139,143,161,443,445,465,587,636,993,995,1433,1521,2222,3306,3389,3780,5432,5601,5900,5985,5986,6379,7001,8000,8080,8081,8088,8090,8443,8888,9200,9300,10000,10001,10050,10443,11211,20000,27000,27017,33848,50000,50030,50070,61616,62078 -sV -sC -T4 -oA Host-Enumeration-Report --webxml -iL ONLINE-ACTUAL-SCOPE.txt
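[+] One more thing worth having in the toolbox, as an added example that is not part of the original post or of Nmap itself: the grep one-liner above pulls out every dotted quad in the XML, whatever it belongs to, and it only gives you a flat IP list. Parsing the -oA XML with Python's standard-library ElementTree instead keeps only hosts Nmap marked state="up", merges duplicate host entries (overlapping lines in full-scope.txt produce exactly that), ignores MAC addresses, and, on the Phase 2 Host-Enumeration-Report.xml, also pulls the open ports and -sV service labels into rows you can drop straight into the report. The sample XML embedded below is constructed (RFC 5737 documentation addresses) so the script runs offline; point it at your real Host-Discovery-Report.xml or Host-Enumeration-Report.xml on the command line.

```python
"""Build the Phase 2 scope file and a simple report from Nmap XML output.

Added example (not the post's or Nmap's own code). Works on the XML that
-oA writes for either the Phase 1 host-discovery scan or the Phase 2 -sV scan.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of an Nmap XML report: one host listed twice (duplicate
# scope lines), one host down, one up with no open port, one with -sV labels.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p22,80,443 -sV -iL full-scope.txt" start="0">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="198.51.100.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host><status state="up" reason="syn-ack"/>
    <address addr="203.0.113.250" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" tunnel="ssl"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
    </ports>
  </host>
  <runstats><hosts up="4" down="1" total="5"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> Dict[str, Dict[int, str]]:
    """Return {ipv4: {open_tcp_port: service label}} for every host marked up.

    Hosts with state != "up" are skipped, MAC/IPv6 addresses are ignored, and
    duplicate <host> entries for one address are merged (a service label from
    one entry is never overwritten by an empty label from another).
    """
    root = ET.fromstring(xml_text)
    live: Dict[str, Dict[int, str]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = live.setdefault(addr.get("addr"), {})  # up host, maybe no open ports
        for p in host.iter("port"):
            state = p.find("state")
            if p.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = p.find("service")
            label = ""
            if svc is not None:
                label = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            port = int(p.get("portid"))
            if label or port not in ports:
                ports[port] = label
    return live


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


def scope_lines(live: Dict[str, Dict[int, str]], require_open_port: bool = False) -> List[str]:
    """Lines for ONLINE-ACTUAL-SCOPE.txt, one address per line, sorted numerically."""
    return sorted((ip for ip, ports in live.items() if ports or not require_open_port), key=_ip_key)


def report_rows(live: Dict[str, Dict[int, str]]) -> List[str]:
    """CSV-style 'ip,port,service' rows for the Phase 2 deliverable."""
    return [f"{ip},{port},{live[ip][port]}" for ip in scope_lines(live, True) for port in sorted(live[ip])]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    live_hosts = parse_nmap_xml(text)
    with open("ONLINE-ACTUAL-SCOPE.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(scope_lines(live_hosts)) + "\n")
    for row in report_rows(live_hosts):
        print(row)
```

Run it as "python3 nmap_scope.py Host-Discovery-Report.xml" after Phase 1 to write ONLINE-ACTUAL-SCOPE.txt, and again on Host-Enumeration-Report.xml after Phase 2 to get the port/service rows; hosts that answered a ping probe but showed no open port on your list stay in the scope file unless you pass require_open_port=True, which is the call you want to make consciously rather than have a regex make for you.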

[+] Good luck, Intruders.
