Kali Reconnaissance with Nmap and DNS


Introduction

In this lab, you will learn the essentials of reconnaissance using Kali Linux, focusing on network scanning and DNS querying techniques. This hands-on experience guides you through identifying open ports and services on a target system with nmap, a powerful network scanning tool, and gathering DNS information using dnsrecon. Designed for beginners, this lab provides step-by-step instructions within a secure LabEx VM environment running on an independent cloud host. You will perform port scans with nmap, enumerate services using scripts, query DNS records, and save your findings for analysis. When you open the terminal, you will be automatically connected to the Kali Linux container's shell, ready to begin practicing without needing to manually start or enter the container.

Installing and Running a Basic Nmap Scan

In this first step, you will learn how to install and use nmap, a powerful tool for network scanning, to identify open ports on a target system. Port scanning is a fundamental skill in reconnaissance, helping you discover which services are running on a machine and potentially uncover vulnerabilities. This step is designed for beginners, and we will guide you through every detail.

When you open the terminal in the LabEx VM environment, you will be automatically connected to the Kali Linux container's shell. There is no need to manually start the container or enter the shell; the environment is already set up for you.

Before we start, let's understand what nmap does. nmap, short for Network Mapper, is a tool used to discover hosts and services on a network by sending packets and analyzing responses. Open ports often indicate running services, such as web servers or SSH, which can be entry points for further analysis.

Now, let's install nmap and perform a basic scan. Follow these instructions carefully:

  1. First, update the package list to ensure you can install the latest version of nmap. Type the following command in the terminal and press Enter:

    apt update

    This command refreshes the list of available packages. It may take a few seconds to complete, and you will see output showing the update process.

  2. Next, install nmap by typing the following command and pressing Enter:

    apt install -y nmap

    The -y flag automatically confirms the installation without prompting you. Wait for the installation to complete; it should take only a short time. You will see output indicating the progress of the installation.

  3. Once nmap is installed, let's run a basic scan on localhost (your own container, IP address 127.0.0.1), which is a safe target for practice. Type the following command and press Enter:

    nmap localhost

    This command scans the 1,000 most commonly used TCP ports on localhost (nmap's default port set). After a few seconds, you will see output similar to the following (actual output may vary):

    Starting Nmap 7.91 ( https://nmap.org ) at ...
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00010s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    ...
    Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

    In this output, Host is up confirms the target is reachable. The table lists open ports, their state (open means a service accepted the connection), and the service nmap associates with that port number (like http on port 80). This information helps you understand what services are running on the system.

This step has introduced you to installing and using nmap for basic port scanning. You've taken the first step in reconnaissance by identifying open ports on a safe target. In the next step, we will build on this by saving the scan results for further analysis. Make sure you are comfortable with running the nmap command before moving forward.

Saving Nmap Scan Results to a File

Now that you've performed a basic scan with nmap, let's learn how to save the output of your scan to a file for future reference. Saving results is an essential skill in reconnaissance, allowing you to document findings and analyze them later without needing to rerun scans. This step builds directly on the previous one, so ensure you have completed the basic nmap scan before proceeding.

Output redirection in Linux lets you save the results of a command to a file instead of displaying them in the terminal. This is done using the > symbol, which writes the output to a specified file, overwriting it if it already exists. We will save the results in the /root directory within the Kali Linux container, which is your default working area.

Follow these instructions to save your nmap scan results:

  1. Perform another nmap scan on localhost and redirect the output to a file named nmap_scan.txt in the /root directory. Type the following command in the terminal and press Enter:

    nmap localhost > /root/nmap_scan.txt

    The > symbol redirects the output of the nmap localhost command to the file /root/nmap_scan.txt. You won't see the scan results in the terminal because they are being saved to the file. Wait a few seconds for the scan to complete.

  2. To confirm that the output was saved successfully, view the contents of the file by typing the following command and pressing Enter:

    cat /root/nmap_scan.txt

    You should see output similar to the following (actual output may vary):

    Starting Nmap 7.91 ( https://nmap.org ) at ...
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00010s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    ...
    Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

    This confirms that the scan results were successfully saved to /root/nmap_scan.txt. Saving outputs to files is a practical way to keep track of your findings during reconnaissance tasks.

In this step, you've learned how to redirect nmap output to a file for documentation. This skill will be useful as we move to more advanced scanning techniques in the next step. Ensure you can see the saved results in the file before proceeding.

Enumerating Services with Nmap Scripts

Building on your basic scanning skills, this step introduces service enumeration using nmap scripts to gather detailed information about services running on open ports. Service enumeration is a critical part of reconnaissance, as it helps identify specific versions of services that might have known vulnerabilities. This step assumes you have nmap installed and have completed the previous scans.

Service enumeration goes beyond just finding open ports; it aims to identify the exact software and version running on those ports. nmap also ships the Nmap Scripting Engine (NSE), a library of pre-built scripts (run with --script) that probe services for details and potential issues. In this step we will use the -sV flag, which sends version-detection probes to each open port to identify the software and version behind it.

Let's enumerate services on localhost using the following instructions:

  1. Run an nmap scan with version detection on localhost. Type the following command in the terminal and press Enter:

    nmap -sV localhost

    The -sV flag tells nmap to probe open ports for detailed service and version information. Wait for the scan to complete; it may take a few seconds longer than the basic scan. You should see output similar to the following (actual output may vary):

    Starting Nmap 7.91 ( https://nmap.org ) at ...
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00010s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
    ...
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

    In this output, you can see the version of the service running on port 80, such as Apache httpd 2.4.41. This information is valuable because specific versions may have known vulnerabilities that can be researched further. Keep in mind that version detection is a best-effort fingerprint of the service's responses, which is why nmap asks you to report incorrect results; treat the version as a lead to verify rather than a certainty.

  2. Save the results of this version detection scan to a file named service_scan.txt in the /root directory. Type the following command and press Enter:

    nmap -sV localhost > /root/service_scan.txt

    As before, the > symbol redirects the output to the specified file. You won't see the results in the terminal since they are saved directly to /root/service_scan.txt.

  3. Confirm the output was saved by viewing the file contents. Type the following command and press Enter:

    cat /root/service_scan.txt

    You should see the same detailed output as above, now stored in the file for future reference.

This step has shown you how to use nmap for service enumeration, providing deeper insights into the services running on a target. In the next step, we will explore DNS reconnaissance using another tool. Make sure you understand how to run version detection scans and save the output before moving on.
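As an added example (not part of the lab), the following POSIX shell script shows what you can do with scans saved the way the previous two steps describe (/root/nmap_scan.txt and /root/service_scan.txt): it extracts the open ports from a saved scan and reports ports that are open in a newer scan but were not in a baseline, a simple way to spot services that appeared on a host since it was last checked. The two scan files it writes are constructed samples shaped like the lab's output, so it runs without nmap.

```shell
#!/bin/sh
# Added example, not part of the lab: parse saved nmap output such as
# /root/nmap_scan.txt or /root/service_scan.txt and compare two saved scans
# to spot ports that were not open before. The scans written below are
# constructed samples shaped like the lab's output; no nmap is needed.

# Print "port/proto service [version]" for each open port in a saved scan.
open_ports() {
    # Matching lines look like "80/tcp   open  http    Apache httpd 2.4.41"
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        out = $1 " " $3
        for (i = 4; i <= NF; i++) out = out " " $i
        print out
    }' "$1"
}

# Print open ports in the new scan ($2) that were not open in the baseline ($1).
new_ports() {
    base=$(mktemp) && cur=$(mktemp) || return 1
    open_ports "$1" | awk '{ print $1 }' > "$base"
    open_ports "$2" > "$cur"
    # Remember every baseline port, then print current lines not seen there
    # (FILENAME, not NR==FNR, stays correct when the baseline has no open ports).
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$base" "$cur"
    rm -f "$base" "$cur"
}

# Write two constructed scans shaped like the lab's output and print the dir.
write_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline.txt" <<'EOF'
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
EOF
    cat > "$dir/today.txt" <<'EOF'
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open  mysql   MySQL 5.7.33
8080/tcp filtered http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
EOF
    echo "$dir"
}

# Stand-alone run: list what is new in today's scan relative to the baseline.
d=$(write_samples) && new_ports "$d/baseline.txt" "$d/today.txt"
```

Filtered ports are deliberately ignored, so only ports a service actually answered on are compared; run the same comparison against your own saved files by passing their paths to new_ports.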

Installing and Querying DNS with dnsrecon

In this step, we shift focus to DNS reconnaissance using dnsrecon, a tool for gathering DNS information about a domain. DNS enumeration helps identify subdomains, mail servers, and other infrastructure details, which are crucial for understanding a target's online presence. This step is designed for beginners and assumes you are working within the Kali Linux container shell.

DNS, or Domain Name System, translates domain names like example.com into IP addresses that computers use to communicate. DNS records include information such as IP addresses for hosts (A records), mail servers (MX records), and more. dnsrecon is a tool that queries these records to uncover details about a domain's setup. For this lab, we will use example.com as a safe target for practice.

Follow these instructions to install and use dnsrecon:

  1. Update the package list to ensure you can install the latest version of dnsrecon. Type the following command in the terminal and press Enter:

    apt update

    This refreshes the package list. Wait for the process to complete; you will see output indicating the update progress.

  2. Install dnsrecon by typing the following command and pressing Enter:

    apt install -y dnsrecon

    The -y flag confirms the installation automatically. Wait for the installation to finish; it should take only a few seconds. You will see output showing the installation progress.

  3. Once installed, run a basic DNS enumeration on example.com. Type the following command and press Enter:

    dnsrecon -d example.com

    The -d option specifies the domain to query. After running the command, you will see output similar to the following (actual output may vary):

    [*] Performing General Enumeration of Domain: example.com
    [*] DNSSEC is not configured for example.com
    [*] SOA ns.icann.org 199.4.138.53
    [*] NS ns.icann.org 199.4.138.53
    [*] A example.com 93.184.216.34
    [*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
    [*] MX example.com 0 .
    [*] TXT example.com "v=spf1 -all"
    [*] Enumeration Complete.

    This output shows various DNS records for example.com, providing insight into its configuration:

    • SOA (Start of Authority): Contains administrative information about the zone.
    • NS (Name Server): Lists the servers authoritative for the domain.
    • A (Address): Maps the domain name to an IPv4 address.
    • AAAA (IPv6 Address): Maps the domain name to an IPv6 address.
    • MX (Mail Exchanger): Specifies the mail servers responsible for accepting email for the domain. The value 0 . shown here is a null MX, which declares that the domain accepts no email at all.
    • TXT (Text): Holds arbitrary text, often used for verification purposes like SPF (Sender Policy Framework), shown here as v=spf1 -all, which states that no host is authorised to send mail on behalf of the domain.

  4. Save the DNS enumeration results to a file named dns_results.txt in the /root directory. Type the following command and press Enter:

    dnsrecon -d example.com > /root/dns_results.txt

    The > symbol redirects the output to the specified file. You won't see the results in the terminal as they are saved directly to /root/dns_results.txt.

  5. Confirm the output was saved by viewing the file contents. Type the following command and press Enter:

    cat /root/dns_results.txt

    You should see the same DNS enumeration results as above, now stored in the file.

This step has introduced you to DNS reconnaissance with dnsrecon, showing how to gather critical domain information. In the next step, we will combine all your findings into a single summary file. Ensure you can see the saved DNS results before proceeding.
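As an added example (not part of the lab), this POSIX shell script reads a dnsrecon run saved as in the step above (/root/dns_results.txt), pulls out records by type, and turns a few of them into findings a defender would want to see at a glance: whether DNSSEC is configured, whether the domain publishes a null MX, and what its SPF policy says. The sample file it writes is constructed from the lab's example output rather than fetched live.

```shell
#!/bin/sh
# Added example, not part of the lab: read a saved dnsrecon run such as
# /root/dns_results.txt, pull out records by type, and derive a few
# defender-side findings. The sample file is built from the lab's output.

# Print everything after the record type for every "[*] TYPE ..." line.
dns_records() {
    # $1 = record type (A, AAAA, MX, NS, SOA, TXT), $2 = saved output file
    awk -v t="$1" '$1 == "[*]" && $2 == t {
        out = $3
        for (i = 4; i <= NF; i++) out = out " " $i
        print out
    }' "$2"
}

# Derive posture findings from the saved run (DNSSEC, null MX, SPF policy).
dns_findings() {
    f="$1"
    grep -q 'DNSSEC is not configured' "$f" && echo "dnssec: not configured"
    # "0 ." is a null MX (RFC 7505): the domain states it accepts no mail.
    dns_records MX "$f" | grep -q ' 0 \.$' && echo "mx: null MX, domain accepts no mail"
    spf_count=$(dns_records TXT "$f" | grep -c 'v=spf1' || true)
    [ "$spf_count" -eq 0 ] && echo "spf: no SPF record published"
    [ "$spf_count" -gt 1 ] && echo "spf: more than one SPF record (only one is valid)"
    dns_records TXT "$f" | grep -q 'v=spf1.* -all' && echo "spf: hard-fail policy (-all)"
    dns_records TXT "$f" | grep -q 'v=spf1.* +all' && echo "spf: +all lets any sender pass"
    return 0
}

# Write the lab's example dnsrecon output to a temp file and print its path.
write_sample_dns() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[*] Performing General Enumeration of Domain: example.com
[*] DNSSEC is not configured for example.com
[*] SOA ns.icann.org 199.4.138.53
[*] NS ns.icann.org 199.4.138.53
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] MX example.com 0 .
[*] TXT example.com "v=spf1 -all"
[*] Enumeration Complete.
EOF
    echo "$f"
}

# Stand-alone run: print the A records and the findings for the sample.
f=$(write_sample_dns) && dns_records A "$f" && dns_findings "$f"
```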

Summary

In this lab, you have learned essential reconnaissance techniques using Kali Linux tools to gather information about a target system. You started by installing and using nmap to perform basic port scanning on a safe local target (localhost), identifying open ports and associated services like the Apache web server we installed. You then saved these results to a file for documentation. Next, you explored service enumeration with nmap scripts to uncover detailed version information, followed by DNS reconnaissance using dnsrecon to query domain records for example.com. These foundational skills in network scanning and information gathering are critical for penetration testing and network security auditing.