Thursday, June 9, 2016

Cybati - Blackbox Challenge #1 - Step 2

This is post 2 of 15 on the Cybati Blackbox #1 challenge.

Step 2:
Instruction: Active Host Discovery. Use Zenmap or alternate tools to discover the Industrial network cyber assets. Close Zenmap when complete.


Mission 2 (5 pts). Identify the number of hosts responding within the Industrial Network.
Mission 3 (5 pts). What services are running on the host with the DNS name relay?


  1. If you still have the CORE network map of the virtual ICS environment open from Step 1, minimize it so you can proceed with Step 2 in the next instruction.

  2. Back in the console directory listing, double click on “2. Active Host Discovery (WIZARD)”.

  3. A warning popup box is presented indicating to the user that active scanning of actual ICS environments could cause erratic behavior. This step will introduce the user to the Zenmap interface for the nmap network scanning utility. Please read the message and, once complete, click “Ok”.

  4. Zenmap will open pre-populated with a range of IP addresses ready to scan. In this case, all IP addresses from 172.16.192.0 to 172.16.192.255 will be scanned. The command line shows the user the options that will be used with nmap for the network scan. If desired, you could copy the entire line in the “command” text box and run it in a terminal window, which would provide the same results. We will stay in Zenmap and click the “Scan” button with the pre-populated “Intense Scan” profile.

  5. This scan can take some time to finish as multiple tests are being performed for each IP address. The scan will check for open ports along with running nmap scripts to help further identify the scanned systems and any potential issues.
  6. We will know when the scan completes as the last line in the “Nmap Output” tab should read “Nmap done” and provide a few statistics about the scan. Below we can see the hosts in the left hand window pane that were detected in the scan. We can also click the “Services” button to see specific information relating to the services detected in the scan.

  7. At the bottom of the previous screen, we can see that nmap has detected 10 hosts. The answer for Mission 2 would be “10 hosts”.
  8. The question for Mission 3 asks what services are running on the DNS host named “relay”. If you click on “relay.cybatiworks.local” in the left-hand window pane, you can learn more about the host with the tabs in the right-hand pane. With the “relay” host selected, click on the “Ports/Hosts” tab to learn more about the services running on that host. In the screenshot below, we can see that the host is running the SSH service on port 22, which appears to be OpenSSH 6.0p1 Debian 4+deb7u2. This answers the question for Mission 3.
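
The same two answers can be read out of nmap's XML output (`-oX`) rather than the Zenmap panes, which is handy when the scan result feeds an asset inventory. This is an added example, not part of the original walkthrough: the sample XML is constructed, and its IP addresses, the second and third hosts, and the closed telnet port are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML output format (-oX). The addresses and the
# hosts other than relay are made up for illustration.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="172.16.192.10" addrtype="ipv4"/>
  <hostnames><hostname name="relay.cybatiworks.local" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="6.0p1 Debian 4+deb7u2"/></port>
   <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
  </ports></host>
 <host><status state="up"/><address addr="172.16.192.11" addrtype="ipv4"/><hostnames/></host>
 <host><status state="down"/><address addr="172.16.192.12" addrtype="ipv4"/></host>
</nmaprun>"""

ROOT = ET.fromstring(SAMPLE_XML)


def hosts_up(root):
    """Addresses of hosts whose <status> is 'up' (Mission 2 is the list length)."""
    up = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") == "up":
            up.append(host.find("address").get("addr"))
    return up


def open_services(root, short_name):
    """(port, service, banner) for open ports on the host whose DNS short name matches."""
    found = []
    for host in root.iter("host"):
        names = [h.get("name", "") for h in host.iter("hostname")]
        if not any(n.split(".")[0] == short_name for n in names):
            continue  # hosts without a matching DNS name are skipped
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not running services
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            banner = " ".join(filter(None, [attrs.get("product"), attrs.get("version")]))
            found.append((int(port.get("portid")), attrs.get("name", "unknown"), banner))
    return found


if __name__ == "__main__":
    print(len(hosts_up(ROOT)), "hosts up")
    print(open_services(ROOT, "relay"))
```
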

