PenTest-Lab-Information-Gathering

Lab Task 3 for Penetration Testing: the full information gathering phase, covering passive OSINT (Netcraft, Whois), DNS reconnaissance, email harvesting with theHarvester, manual port scanning with Netcat, and active scanning with Nmap against a Windows XP target, all run from Kali Linux.

Penetration Testing — Lab Task 3: Information Gathering

Student: Uliya Fatima | Roll No: 232098
Course: Penetration Testing | Lab: Task 3
Date: March 6, 2026


Overview

This lab documents the complete Information Gathering phase of a penetration test, covering:

  • Passive OSINT reconnaissance (Netcraft & Whois)
  • DNS enumeration and zone transfer attempts
  • Email address harvesting (theHarvester)
  • Manual port scanning with Netcat
  • Nmap SYN scan, version detection, OS fingerprinting, and UDP scanning

| Target | Type |
|---|---|
| nmap.org | Passive OSINT & DNS recon |
| scanme.nmap.org | Active scanning (explicitly authorized by the Nmap project) |
| 192.168.84.128 | Windows XP VM, active scanning target |
| 192.168.84.129 | Kali Linux attacker machine |

Task 1 — Passive OSINT: Netcraft & Whois

Netcraft Findings (nmap.org)

| Field | Value |
|---|---|
| Hosting provider | Linode / Akamai Technologies |
| Web server | Apache |
| OS | Linux |
| IP address | 45.33.32.156 |
| TLS certificate issuer | Let's Encrypt |
| CAA record | 0 issue "letsencrypt.org" (only Let's Encrypt may issue certificates for the domain) |

Whois Findings

| Field | Value |
|---|---|
| Registrar | Dynadot Inc |
| Registrant | REDACTED (privacy protected) |
| Name servers | ns1–ns5.linode.com |
| Registered | 18 January 1999 |
| Expires | 18 January 2029 |
| Network owner (IP whois) | Akamai Technologies, Inc. |
| IP block | 45.33.0.0/17 |
| Country | United States (Cambridge, MA) |

Task 2 — DNS Reconnaissance & Zone Transfer

nslookup Results

| Record | Value |
|---|---|
| A (IPv4) | 45.33.32.156 |
| AAAA (IPv6) | 2600:3c01::f03c:91ff:fe18:bb2f |
| MX (priority 1) | ASPMX.L.GOOGLE.COM (mail handled by Google) |
| NS | ns1–ns5.linode.com (Linode/Akamai) |
| CAA | letsencrypt.org (matches the Netcraft certificate issuer) |
| TXT (SPF) | Authorizes Google and Linode IP ranges to send mail for the domain |

Zone Transfer Attempt

host -l nmap.org ns1.linode.com

Result: transfer refused. host reported "Server returned communications error: end of file", meaning ns1.linode.com closed the TCP connection without sending any zone data rather than returning the records. Zone transfers are meant to be restricted to the domain's own secondary servers, so this is the expected behaviour of a correctly configured name server. One caveat: a single refusal from ns1 is not enough to close the finding, since the zone leaks if any of ns1–ns5.linode.com answers AXFR, so the attempt should be repeated against each listed name server.
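The following script, added here as an example and not part of the lab submission, does that: it looks up the NS set with dig, attempts AXFR from each server and classifies the answer, so one misconfigured secondary is not missed. The dig output samples embedded at the top are constructed, not captured from any Linode server, and example.test and the 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example (not part of the lab write-up): try AXFR against every
# authoritative name server of a domain and classify each answer.

# classify_axfr: read `dig @NS DOMAIN AXFR` output on stdin and print one word.
#   TRANSFERRED  zone records came back (a real SOA record line is present)
#   UNREACHABLE  no usable answer at all (timeout, port closed)
#   DENIED       the server answered but did not hand over the zone, or
#                dropped the TCP connection without data; dig prints
#                "; Transfer failed." for REFUSED, NOTAUTH and for the
#                "end of file" case that host -l reported above
classify_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq '^[^;[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+SOA[[:space:]]'; then
        echo TRANSFERRED
    elif printf '%s\n' "$out" | grep -Eqi 'timed out|no servers could be reached|connection refused'; then
        echo UNREACHABLE
    else
        echo DENIED
    fi
}

# axfr_check DOMAIN: resolve the NS set, then attempt a transfer from each.
# +time/+tries keep a silent server from stalling the loop.
axfr_check() {
    domain=$1
    dig +short NS "$domain" | sed 's/\.$//' | sort | while read -r ns; do
        [ -n "$ns" ] || continue
        verdict=$(dig "@$ns" "$domain" AXFR +time=5 +tries=1 2>&1 | classify_axfr)
        printf '%-28s %s\n' "$ns" "$verdict"
    done
}

# Constructed samples (not captured from any real server) of the three cases.
SAMPLE_DENIED='; <<>> DiG 9.18.24 <<>> @ns1.linode.com nmap.org AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_UNREACHABLE=';; communications error to 192.0.2.1#53: timed out
;; no servers could be reached'

SAMPLE_TRANSFERRED='example.test.   3600 IN SOA ns1.example.test. hostmaster.example.test. 2026030601 3600 600 86400 300
example.test.   3600 IN NS  ns1.example.test.
www.example.test. 300 IN A   192.0.2.10
example.test.   3600 IN SOA ns1.example.test. hostmaster.example.test. 2026030601 3600 600 86400 300'

# Usage: sh axfr_check.sh nmap.org
if [ $# -gt 0 ]; then
    axfr_check "$1"
fi
```

A TRANSFERRED verdict from any server is the finding to report; DENIED across the whole NS set is the result the lab observed and is the secure configuration.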


Task 3 — Email Harvesting with theHarvester

theHarvester -d nmap.org -b crtsh
theHarvester -d nmap.org -b certspotter

Email addresses found: none. This is expected rather than a sign of protection: the crtsh and certspotter sources query certificate transparency logs, which yield hostnames, not addresses, and WHOIS privacy has no bearing on them. Address discovery would need theHarvester's search-engine sources instead.

Subdomains discovered:

| Subdomain | Significance |
|---|---|
| issues.nmap.org | Likely issue tracker / bug reporting system |
| svn.nmap.org | Subversion source code repository |

Task 4 — Manual Port Scanning with Netcat

Single Port Probes

nc -w 3 192.168.17.128 22    # SSH banner grab; the server speaks first
nc -w 3 scanme.nmap.org 80   # then type HEAD / HTTP/1.0, a Host: header and a blank line

The 22/tcp banner was recorded against 192.168.17.128, an address that appears in none of the hosts in the scope table; it is a Debian OpenSSH banner, so whichever host answered, it was not the Windows XP target. The remaining rows are scanme.nmap.org probes, which is why 9929 and 31337 (nping-echo and its well-known extra port) appear. Netcat only confirms that a TCP handshake completes; without a banner it says nothing about what is listening.

| Port | Host | Service | Status | Banner / notes |
|---|---|---|---|---|
| 22 | 192.168.17.128 (as recorded) | SSH | Open ✅ | SSH-2.0-OpenSSH_10.2p1 Debian-3 |
| 80 | scanme.nmap.org | HTTP | Open ✅ | HTTP response to HEAD (recorded as an IIS response in the original; IIS 5.1 is the XP target's server per Task 6, and scanme.nmap.org does not run IIS) |
| 9929 | scanme.nmap.org | nping-echo | Open ✅ | No banner (service does not speak first) |
| 31337 | scanme.nmap.org | Elite | Open ✅ | No banner |
| 21 | scanme.nmap.org | FTP | Closed ❌ | Connection refused |
| 443 | scanme.nmap.org | HTTPS | Closed ❌ | Connection refused |

Windows XP Port Range Scan (Ports 1–1024)

nc -zv -w 1 192.168.84.128 1-1024

-z sends no data and only reports whether each port accepts a connection, so the service names below come from /etc/services and the version details from the Nmap scans in Task 6; a port being open does not by itself prove a vulnerability.

| Port | Service | Notes / risk |
|---|---|---|
| 25 | SMTP | Relay risk only if the server relays for outside senders; test before reporting |
| 80 | HTTP | IIS 5.1 (per Task 6): end-of-life server with known WebDAV RCE bugs |
| 135 | MSRPC | Windows RPC endpoint mapper, enumeration target |
| 139 | NetBIOS-SSN | File/printer sharing over NetBIOS |
| 443 | HTTPS | Web server over TLS; version not identified |
| 445 | SMB | ⚠️ MS17-010 (EternalBlue) exposure expected on an unpatched XP host; confirm with the smb-vuln-ms17-010 NSE script rather than inferring it from an open port |
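Netcat's -z sweep prints differently depending on which netcat Kali has installed, and a banner grab against a port that never speaks first (31337 above) hangs unless a timeout is set. The script below is an added example, not part of the original lab, and wraps both probes; the two sweep outputs embedded in it are constructed to mirror the XP result above, one in netcat-openbsd format and one in netcat-traditional format (which scans a range from the high port downward).

```shell
#!/bin/sh
# Added example (not part of the lab write-up): bounded Netcat banner grabs
# and a -z sweep whose output is parsed into a clean port list.

# parse_nc_open: read `nc -zv HOST RANGE` output on stdin (nc writes it to
# stderr, so merge streams before piping) and print each open port once,
# lowest first. Both dialects found on Kali are handled:
#   netcat-openbsd:      Connection to 192.168.84.128 445 port [tcp/microsoft-ds] succeeded!
#   netcat-traditional:  (UNKNOWN) [192.168.84.128] 445 (microsoft-ds) open
parse_nc_open() {
    awk '
        /succeeded!$/ { for (i = 2; i <= NF; i++) if ($i == "port") { print $(i-1); break } }
        / open$/      { for (i = 2; i <= NF; i++) if ($i ~ /^\(.*\)$/ && $(i-1) ~ /^[0-9]+$/) { print $(i-1); break } }
    ' | sort -n -u
}

# nc_sweep HOST RANGE: -z no payload, -v report each result, -w 1 one second
# per connection so a filtered range does not take minutes.
nc_sweep() {
    nc -zv -w 1 "$1" "$2" 2>&1 | parse_nc_open
}

# grab_banner HOST PORT: SSH, SMTP and FTP speak first, so a bare newline is
# enough; HTTP only answers a request, so send HEAD. -w 3 bounds both the
# connect and the idle wait, so a silent port returns instead of hanging.
grab_banner() {
    case $2 in
        80|8080) printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" ;;
        *)       printf '\r\n' ;;
    esac | nc -w 3 "$1" "$2" 2>/dev/null | head -n 5
}

# probe_all HOST RANGE: sweep, then grab a banner from every open port.
probe_all() {
    nc_sweep "$1" "$2" | while read -r port; do
        printf '== %s/tcp ==\n' "$port"
        grab_banner "$1" "$port" | tr -d '\r'
    done
}

# Constructed sweep outputs (not captured) matching the XP target's ports.
SAMPLE_NC_OPENBSD='nc: connect to 192.168.84.128 port 21 (tcp) failed: Connection refused
Connection to 192.168.84.128 25 port [tcp/smtp] succeeded!
Connection to 192.168.84.128 80 port [tcp/http] succeeded!
Connection to 192.168.84.128 135 port [tcp/epmap] succeeded!
Connection to 192.168.84.128 139 port [tcp/netbios-ssn] succeeded!
Connection to 192.168.84.128 443 port [tcp/https] succeeded!
Connection to 192.168.84.128 445 port [tcp/microsoft-ds] succeeded!'

SAMPLE_NC_TRADITIONAL='(UNKNOWN) [192.168.84.128] 445 (microsoft-ds) open
(UNKNOWN) [192.168.84.128] 443 (https) open
(UNKNOWN) [192.168.84.128] 139 (netbios-ssn) open
(UNKNOWN) [192.168.84.128] 135 (epmap) open
(UNKNOWN) [192.168.84.128] 80 (http) open
(UNKNOWN) [192.168.84.128] 25 (smtp) open'

# Usage: sh nc_probe.sh 192.168.84.128 1-1024
if [ $# -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

Port 443 will return nothing useful from a plain-text nc, since the server expects a TLS handshake; that port needs openssl s_client or Nmap's -sV instead.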

Task 6 — Nmap SYN Scan & Version Detection

sudo nmap -sS -sV 192.168.84.128

| Port | Service | Version | Risk |
|---|---|---|---|
| 25/tcp | smtp | Microsoft ESMTP 6.0.2600.5949 (build 2600 is Windows XP) | Relay only if it accepts mail for foreign domains; test before asserting |
| 80/tcp | http | Microsoft IIS httpd 5.1 | ⚠️ End-of-life; known WebDAV RCE bugs that will never be fixed |
| 135/tcp | msrpc | Microsoft Windows RPC | Endpoint mapper, enumeration target |
| 139/tcp | netbios-ssn | Microsoft Windows netbios-ssn | File/printer sharing |
| 443/tcp | https | not identified by -sV | |
| 445/tcp | microsoft-ds | Microsoft Windows XP microsoft-ds | ⚠️ MS17-010 (EternalBlue) if unpatched; -sV shows exposure, not the patch state |

Task 7 — UDP Scan & OS Detection

UDP Scan

sudo nmap -sU 192.168.84.128

| Port | State | Service | Notes |
|---|---|---|---|
| 500/udp | open\|filtered | isakmp | No reply to the empty probe, so Nmap cannot tell an open port from a dropped packet. Possible VPN/IPsec endpoint; follow up with ike-scan, which sends a real IKE proposal and gets an answer if a daemon is listening |

OS Detection

sudo nmap -O 192.168.84.128
sudo nmap -A 192.168.84.128   # -A = -O, -sV, the default NSE scripts and traceroute

| Field | Value |
|---|---|
| OS | Windows XP SP2/SP3 or Windows Server 2003 (same kernel family; the IIS 5.1 banner settles it as XP, since Server 2003 ships IIS 6.0) |
| Hostname | ADMIN |
| Workgroup | WORKGROUP |
| SMB signing | Disabled ⚠️ (the host accepts relayed NTLM authentication, so it is a valid SMB relay target) |
| SMB2 | Not supported (SMB1 only, as expected on XP) |

Subnet Sweep

sudo nmap -sV -n 192.168.84.0/24

| IP | Role | Open ports |
|---|---|---|
| 192.168.84.1 | VMware host | 902, 912, 5357 |
| 192.168.84.128 | Windows XP target | 25, 80, 135, 139, 443, 445, 1025 |
| 192.168.84.129 | Kali Linux (attacker) | not recorded |
| 192.168.84.254 | VMware DHCP/NAT gateway | none |
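With the scan saved as grepable output (-oG), the per-host tables above and the list of confirmation scans each service calls for can be produced by a script instead of by hand. The block below is an added example, not code from the lab; the grepable sample it embeds is constructed from the results listed above (the 5357/tcp service name on the VMware host is a guess for the sample only), and the NSE script names it emits (smb-vuln-ms17-010, smb-security-mode, smb-enum-shares, smb-enum-users, smtp-open-relay, http-methods, http-webdav-scan) are standard scripts shipped with Nmap.

```shell
#!/bin/sh
# Added example (not part of the lab write-up): parse `nmap -oG` output into
# "ip port proto service version" lines and derive the follow-up checks that
# confirm, rather than assume, the findings above.

# parse_gnmap: read grepable output on stdin. Each port entry in the Ports:
# field is port/state/proto/owner/service/rpcinfo/version/; only open and
# open|filtered entries are kept, and a missing version prints as "-".
parse_gnmap() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2
            p = $0; sub(/.*Ports: /, "", p); sub(/\t.*/, "", p)
            n = split(p, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] != "open" && f[2] != "open|filtered") continue
                print ip, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
            }
        }'
}

# open_ports IP: one line of "port/proto" entries for that host, in scan order.
open_ports() {
    parse_gnmap | awk -v ip="$1" '$1 == ip { printf "%s%s/%s", sep, $2, $3; sep = " " } END { print "" }'
}

# followups: one confirmation command per risky service, deduplicated.
followups() {
    parse_gnmap | while read -r ip port proto svc ver; do
        case "$port/$proto:$svc" in
            445/tcp:*) echo "nmap -p445 --script smb-vuln-ms17-010,smb-security-mode $ip" ;;
            139/tcp:*) echo "nmap -p139,445 --script smb-enum-shares,smb-enum-users $ip" ;;
            25/tcp:*)  echo "nmap -p25 --script smtp-open-relay $ip" ;;
            500/udp:*) echo "ike-scan $ip" ;;
            */tcp:http|*/tcp:https) echo "nmap -p$port --script http-methods,http-webdav-scan $ip" ;;
        esac
    done | sort -u
}

# Constructed -oG sample (not real scan output) reproducing the lab's hosts.
gnmap_line() { printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (0)\n' "$1" "$2"; }
SAMPLE_GNMAP=$(
    printf 'Host: 192.168.84.1 ()\tStatus: Up\n'
    gnmap_line 192.168.84.1 '902/open/tcp//vmware-auth///, 912/open/tcp//vmware-auth///, 5357/open/tcp//http///'
    printf 'Host: 192.168.84.128 ()\tStatus: Up\n'
    gnmap_line 192.168.84.128 '25/open/tcp//smtp//Microsoft ESMTP 6.0.2600.5949/, 80/open/tcp//http//Microsoft IIS httpd 5.1/, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 443/open/tcp//https///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, 500/open|filtered/udp//isakmp///'
    printf 'Host: 192.168.84.254 ()\tStatus: Up\n'
)

# Usage: sudo nmap -sS -sV -oG scan.gnmap 192.168.84.0/24 && sh triage.sh scan.gnmap
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '== open services ==\n'
        parse_gnmap < "$f"
        printf '== follow-up checks ==\n'
        followups < "$f"
    done
fi
```

The smb-vuln-ms17-010 line is the one that turns the "EternalBlue vulnerable" label used above from an inference into a tested result; smb-security-mode is what reports the signing state and the account the probe used.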

Risk Assessment

⚠️ HIGH RISK: The Windows XP target exposes several services with well-known unauthenticated remote code execution paths. Port 445 (SMB1 only, signing disabled) is the primary concern: an unpatched XP host is vulnerable to MS17-010 (EternalBlue), for which public Metasploit modules exist. Microsoft only shipped the XP fix out-of-band in May 2017, so an unmanaged XP VM is almost certainly unpatched, but the scans above show exposure rather than confirmation, and the smb-vuln-ms17-010 NSE script should be run before the finding is reported as exploitable. Port 80 runs IIS 5.1, an end-of-life server with known WebDAV RCE bugs that will never be patched. Disabled SMB signing means NTLM authentication relayed from another victim will be accepted by this host. The guest account being used for the SMB probe (reported by Nmap's smb-security-mode script during the -A scan) removes the need for credentials for share and user enumeration. Taken together this is the risk profile expected of an unpatched Windows XP system.


Key Takeaway for Lab 04 (Exploitation)

| Finding | Port | CVE / exploit |
|---|---|---|
| Windows XP SMB (SMB1, signing off, likely unpatched) | 445/tcp | MS17-010 (EternalBlue). Confirm first with auxiliary/scanner/smb/smb_ms17_010. Note that exploit/windows/smb/ms17_010_eternalblue targets Windows 7 / Server 2008 R2, not XP; exploit/windows/smb/ms17_010_psexec is the MS17-010 module with XP/2003 targets |
| IIS 5.1 | 80/tcp | WebDAV RCE, multiple CVEs, unpatched on XP |

Tools Used

| Tool | Purpose |
|---|---|
| Netcraft | Passive hosting & technology fingerprinting |
| Whois | Domain & IP registration data |
| nslookup / host | DNS record enumeration and zone transfer attempt |
| theHarvester | Email & subdomain harvesting |
| Netcat (nc) | Manual port probing & banner grabbing |
| Nmap | Port scanning, version detection, OS fingerprinting |
