Pen-testing at home
Security begins at home – also, you probably won’t get in trouble for probing your own infrastructure.
When we began this exploration into the world of hackery, we suggested you might start by using RapidScan to scan the local machine and your home router. We’ll pivot back to any issues this may have turned up, but for now, let’s look further into our networks. These days, your home network might have dozens of devices, some of which you may have forgotten about (like that Raspberry Pi under the stairs), so the first step would be to enumerate all of these.
An OG way to do this would be to ping the broadcast address of your router, like so:
$ ping -b 192.168.0.255
Most OSes won’t respond to such shenanigans these days, and your router might stop the broadcast ping in its tracks. A de facto approach used by blue team (defensive) hackers and amateurs alike is to use Nmap (Network Mapper). This is part of the default Kali install. By just specifying an IP range, we can have Nmap scan the first 1,000 ports (where almost all privileged services run) of each machine. This tells us how many machines are on the network, and how many are listening for connections:
$ nmap 192.168.0.1-255
If you were a red team (offensive) hacker, you would likely use one of Nmap’s stealth scanning modes to do this, as (although slower) they are harder for defenders to detect. This is a roundabout way of reaffirming the fact that port scanning random machines on the internet or at your workplace is a Bad Idea.
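Once the scan above has run, the useful follow-up is to turn its report into an inventory check: which hosts answered, what they are listening on, and which of them you do not recognise (that forgotten Raspberry Pi). The script below is an added example, not part of the original article; it parses Nmap’s grepable (-oG) output from a constructed sample report and a made-up list of known devices, and runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: summarise an Nmap grepable
# report of the home LAN and flag hosts missing from a known-device list.
# Produce a real report with:  nmap -oG lan.gnmap 192.168.0.1-255
# and feed it on stdin in place of sample_report.

sample_report() {
    # Constructed sample in Nmap's -oG format (real output separates fields
    # with tabs; the parsers below accept tabs or spaces).
    cat <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.168.0.1 (router.lan)  Status: Up
Host: 192.168.0.1 (router.lan)  Ports: 53/open/tcp//domain///, 80/open/tcp//http///  Ignored State: closed (998)
Host: 192.168.0.10 (laptop.lan) Status: Up
Host: 192.168.0.42 ()   Status: Up
Host: 192.168.0.42 ()   Ports: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///   Ignored State: closed (998)
# Nmap done (constructed sample)
EOF
}

# Devices you expect to find (constructed); anything else deserves a closer look.
KNOWN_DEVICES='192.168.0.1 192.168.0.10'

live_hosts() {
    # One IP per line for every host Nmap reports as up.
    awk '/^Host: / && /Status: Up/ { print $2 }'
}

open_ports() {
    # "<ip> <port>/<proto> <service>" for each open port in a Ports: field.
    awk '/^Host: / && /Ports: / {
        ip = $2; s = $0
        sub(/.*Ports: /, "", s)                 # keep only the port list
        sub(/[ \t]*Ignored State.*/, "", s)     # drop the trailing summary
        n = split(s, entry, ", *")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")             # port/state/proto/owner/service/...
            if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
        }
    }'
}

unknown_hosts() {
    # Live hosts whose IP is not in the space-separated inventory given as $1.
    live_hosts | while IFS= read -r ip; do
        case " $1 " in *" $ip "*) ;; *) printf '%s\n' "$ip" ;; esac
    done
}

echo "Hosts up:";          sample_report | live_hosts
echo "Open ports:";        sample_report | open_ports
echo "Not in inventory:";  sample_report | unknown_hosts "$KNOWN_DEVICES"
```

Run against a real report, the last section is the list worth investigating: a host that is up but not in your inventory is either something you forgot or something that should not be there.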
One tool which we sorely miss from Kali is EtherApe. Rather than show machines on your network, it passively detects all the connections your machine is making (be they local or remote) and displays them graphically. It uses the deprecated GooCanvas library to do this, which is why it’s not included, but you can install it easily with:
$ sudo apt install etherape
EtherApe requires root privileges, so we must start it from the command line:
$ sudo etherape
As soon as it starts, nodes are drawn, and as you browse the web, the number of them increases, probably with easily recognisable hostnames from Cloudflare, Facebook and Google. Thicker lines show where the most data flow is happening. Besides IP traffic, EtherApe can capture traffic from Bluetooth, virtual network interfaces and local D-Bus messages.
If you want to go even further, your next destination should be Wireshark. It gives packet-level granularity into your (or your adversaries’) traffic. Despite its name, it’s commonly used to capture packets (in the PCAP format, which can be used in other applications) from wireless networks. You need to put your wireless device in monitor mode to achieve this, which isn’t supported on all hardware. If you manage it, you’ll see what wireless users on your network are connecting to, up to a domain name level. Very nosy indeed.