✨ 🔭 Cyber reconnaissance


Network reconnaissance methods can be passive or active.

Passive methods: bug bounty program, sniffing attack, monitor mode, promiscuous mode, TCP/IP stack fingerprinting, footprinting, honeypots.

Active methods: network enumeration, network scanning, port scanning, idle scanning. Crackers strive to minimize their digital footprint.


Sniffing

A 'wireless' sniffer can find IP addresses, which is helpful for network mapping.[1]

Access points usually connect the nodes of a wireless network to a wired network as a bridge or a router.[2] Both a bridge and a router use a routing table to forward packets.[3]

Finding relevant and reachable IP addresses is the objective of the reconnaissance phase of attacking an organization over the Internet. The relevant IP addresses are determined by collecting as many DNS host names as possible and translating them to IP addresses and IP address ranges. This is called footprinting.[4]

A search engine is the key for finding as much information as possible about a target.[5] In many cases, organizations do not want to protect all their resources from internet access. For instance, a web server must be accessible. Many organizations additionally have email servers, FTP servers, and other systems that must be accessible over the internet.[6] The IP addresses of an organization are often grouped together. If one IP address has been found, the rest probably can be found around it.[7]

Name servers store tables that show how domain names must be translated to IP addresses and vice versa.[8] With Windows, the command NSLookup can be used to query DNS servers. When the word help is entered at NSLookup's prompt, a list of all commands is given.[9] With Linux, the command dig can be used to query DNS servers; invoked with only the -h option, it displays its list of options. The command host reverses IP addresses to hostnames.[10] The program nmap can be used as a reverse DNS walker: nmap -sL 1.1.1.1-30 gives the reverse entries for the given range.[11]

ARIN, RIPE, APNIC, LACNIC, and AFRINIC are the five Regional Internet Registries that are responsible for the assignment and registration of IP addresses. All have a website with which their databases can be searched for the owner of an IP address. Some of the Registries respond to a search for the name of an organization with a list of all IP address ranges that are assigned to the name. However, the records of the Registries are not always correct and are in most cases useless.[12]

Probably most computers with access to the internet receive their IP address dynamically by DHCP. This protocol has become more popular over the last years because of a decrease of available IP addresses and an increase of large networks that are dynamic. DHCP is particularly important when many employees take a portable computer from one office to another. The router/firewall device that people use at home to connect to the internet probably also functions as a DHCP server.[13]

Nowadays many router/DHCP devices perform Network Address Translation (NAT). The NAT device is a gateway between the local network and the internet. Seen from the internet, the NAT device seems to be a single host. With NAT, the local network can use any IP address space. Some IP address ranges are reserved for private networks. These ranges are typically used for the local area network behind a NAT device, and they are: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255.[14]

The relevant IP addresses must be narrowed down to those that are reachable. This is where scanning comes into play.[15]
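The footprinting steps above (collect DNS names, translate them, expect an organization's addresses to sit close together, and ignore the private ranges that live behind NAT) can be consolidated into a short candidate-range list. The following is an added example, not code from the page or from any of the cited books; the resolved-host table is constructed sample data (documentation-range and RFC 1918 addresses only) and every function name is my own.

```python
"""Consolidate footprinting results into candidate address ranges.

Added example; not code from the page or any of the cited books.  The
resolved-host table is constructed sample data and the function names
are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: DNS names gathered during footprinting and the
# addresses they resolved to.
RESOLVED_HOSTS = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "ftp.example.test": "203.0.113.26",
    "vpn.example.test": "198.51.100.7",
    "intranet.example.test": "10.20.30.40",  # private range: behind NAT
    "printer.example.test": "192.168.1.5",   # private range: behind NAT
}

# The three ranges reserved for private networks, as listed in the text.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify(ip):
    """Return 'private' for an RFC 1918 address, 'public' otherwise.

    A private address published in public DNS is worth noting for the
    defender, but it is not reachable from the Internet, so it is dropped
    from the list of reachable candidates.
    """
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in PRIVATE_RANGES) else "public"


def group_by_network(resolved, prefixlen=24):
    """Group the public addresses into /prefixlen blocks.

    An organization's addresses tend to sit together, so a block that
    already holds several known hosts is where the rest are likely found.
    """
    groups = defaultdict(list)
    for name, ip in resolved.items():
        if classify(ip) == "public":
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            groups[str(net)].append((name, ip))
    return dict(groups)


def candidate_ranges(resolved, prefixlen=24):
    """Return (network, number of known hosts) pairs, sorted by network."""
    groups = group_by_network(resolved, prefixlen)
    return sorted((net, len(hosts)) for net, hosts in groups.items())


def leaked_private_names(resolved):
    """Return the DNS names that resolve to private addresses."""
    return sorted(name for name, ip in resolved.items() if classify(ip) == "private")


if __name__ == "__main__":
    for net, count in candidate_ranges(RESOLVED_HOSTS):
        print(f"{net}: {count} known host(s)")
    print("private addresses published in DNS:", leaked_private_names(RESOLVED_HOSTS))
```

The /24 grouping is a heuristic; the Regional Internet Registry lookup described above is the way to confirm the actual allocation boundaries before treating a whole block as belonging to one organization.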

Host scanning

Once access to a wireless network has been gained, it is helpful to determine the network's topology, including the names of the computers connected to the network. Nmap can be used for this, which is available in a Windows and a Linux version. However, Nmap does not provide the user with a network diagram. The network scanner Network View that runs on Windows does. The program asks for one IP address or an IP address range. When the program has finished scanning, it displays a map of the network using different pictures for routers, workstations, servers, and laptops, all with their names added.[16]

The most direct method for finding hosts on a LAN is using the program ping. When using a modern flavour of Unix, shell commands can be combined to produce custom ping-sweeps. When using Windows, the command-line can also be used to create a ping-sweep. Examples are given in the reference.[17]

Ping-sweeps are also known as host scans. Nmap can be used for a host scan when the option -sP is added: nmap -n -sP 10.160.9.1-30 scans the first 30 addresses of the subnet 10.160.9, where the -n option prevents reverse DNS lookups.

Ping packets once reliably determined whether a computer was online at a given IP address. Nowadays these ICMP echo request packets are sometimes blocked by the firewall of an operating system. Although Nmap also probes TCP port 80, specifying more TCP ports to probe is recommended when pings are blocked. Consequently, nmap -sP -PS21,22,23,25,80,139,445,3389 10.160.9.1-30 can achieve better results. By combining various options, as in nmap -sP -PS21,22,23,25,80,135,139,445,1025,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM 10.160.9.1-30, host scanning becomes considerably more thorough.

Nmap is available for Windows and most Unix operating systems, and offers graphical and command-line interfaces.[18]

Port scanning

The purpose of port scanning is finding the open ports on the computers that were found with a host scan.[19] When a port scan is started on a network without making use of the results of a host scan, much time is wasted when many IP addresses in the address range are vacant.[20]

Open ports

Most programs that communicate over the Internet use either the TCP or the UDP protocol. Both protocols support 65,536 so-called ports that programs can choose to bind to. This allows several programs to run concurrently on one IP address. Most programs have default ports that are most often used. For example, HTTP servers commonly use TCP port 80.

Network scanners try to connect to TCP or UDP ports. When a port accepts a connection, it can be assumed that the commonly bound program is running.

TCP connections begin with a SYN packet being sent from client to server. The server responds with a SYN/ACK packet. Finally, the client sends an ACK packet. When the scanner sends a SYN packet and gets the SYN/ACK packet back, the port is considered open. When a RST packet is received instead, the port is considered closed. When no response is received the port is either considered filtered by a firewall or there is no running host at the IP address.

Scanning UDP ports is more difficult because UDP does not use handshakes and programs tend to discard UDP packets that they cannot process. When a UDP packet is sent to a port that has no program bound to it, an ICMP error packet is returned. That port can then be considered closed. When no answer is received, the port can be considered either filtered by a firewall or open. Many people abandoned UDP scanning because simple UDP scanners cannot distinguish between filtered and open ports.[21]

Common ports

Although it is most thorough to scan all 65536 ports, this would take more time than scanning only the most common ports. Therefore, Nmap scans 1667 TCP ports by default (in 2007).[22]

Specifying ports

The -p option instructs Nmap to scan specified ports, as in nmap -p 21-25,80,100-160 10.150.9.46. Specifying TCP and UDP ports is also possible, as in nmap -pT:21-25,80,U:5000-5500 10.150.9.46.[23]

Specifying targets

Nmap always requires the specification of a host or hosts to scan. A single host can be specified with an IP address or a domain name. Multiple hosts can be specified with IP address ranges. Examples are 1.1.1.1, www.company.com, and 10.1.50.1-5,250-254.[24]

Specifying scan type

TCP SYN scan: Nmap performs a TCP SYN scan by default. In this scan, the packets have only their SYN flag set. The -sS option specifies the default explicitly. When Nmap is started with administrator privileges, this default scan takes effect. When Nmap is started with user privileges, a connect scan is performed instead.

TCP connect scan: The -sT option instructs Nmap to establish a full connection. This scan is inferior to the previous one because an additional packet must be sent and logging by the target is more likely. The connect scan is performed when Nmap is executed with user privileges or when IPv6 addresses are scanned.

TCP null scan: The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, a RST packet is sent in return. When the TCP port is open or filtered, there is no response. The null scan can often bypass a stateless firewall, but is not useful when a stateful firewall is employed.

UDP empty packet scan: The -sU option instructs Nmap to send UDP packets with no data. When an ICMP error is returned, the port can be assumed closed. When no response is received, the port can be assumed open or filtered. The lack of differentiation between open and filtered ports is a severe limitation.

UDP application data scan: The -sU -sV options instruct Nmap to use application data for application identification. This combination of options can lead to very slow scanning.[25]
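The inference rules stated in the "Open ports" paragraphs above and repeated per scan type here (SYN/ACK means open, RST means closed, silence means filtered; for a null or UDP probe silence means open or filtered) can be exercised against a toy target to see exactly where each scan type loses information, including the stateful-firewall case. This is an added example, not Nmap's code and not from the page; the target model, the response labels and the function names are simplifications of my own.

```python
"""Port-state inference from scan responses, on a toy target.

Added example; not Nmap's code and not from the page.  The target model,
the response labels and the function names are hypothetical simplifications.
"""
from enum import Enum


class Response(Enum):
    SYN_ACK = "SYN/ACK"
    RST = "RST"
    ICMP_UNREACHABLE = "ICMP port unreachable"
    NONE = "no response"


class Target:
    """A host with some open ports, some firewalled ports, the rest closed.

    stateful_firewall=True models a firewall that only passes TCP packets
    belonging to a connection it has seen start with a SYN.
    """

    def __init__(self, tcp_open, tcp_filtered, udp_open, udp_filtered,
                 stateful_firewall=False):
        self.tcp_open = set(tcp_open)
        self.tcp_filtered = set(tcp_filtered)
        self.udp_open = set(udp_open)
        self.udp_filtered = set(udp_filtered)
        self.stateful_firewall = stateful_firewall

    def tcp_reply(self, port, flags):
        """Reply of a typical TCP stack to a probe carrying the given flags."""
        if port in self.tcp_filtered:
            return Response.NONE                  # dropped by the firewall
        if self.stateful_firewall and "SYN" not in flags:
            return Response.NONE                  # no connection state: dropped
        if port in self.tcp_open:
            # A listener answers SYN with SYN/ACK and silently ignores a flagless probe.
            return Response.SYN_ACK if "SYN" in flags else Response.NONE
        return Response.RST                       # closed port: RST to anything

    def udp_reply(self, port):
        """Reply to an empty UDP datagram."""
        if port in self.udp_filtered:
            return Response.NONE
        if port in self.udp_open:
            return Response.NONE                  # service discards data it cannot parse
        return Response.ICMP_UNREACHABLE          # nothing bound: the kernel answers


# Inference rules, one per scan type, as the text states them.
def infer_syn(resp):
    return {Response.SYN_ACK: "open", Response.RST: "closed"}.get(resp, "filtered")


def infer_null(resp):
    # Silence is either an open port ignoring the probe or a firewall dropping it.
    return "closed" if resp is Response.RST else "open|filtered"


def infer_udp(resp):
    return "closed" if resp is Response.ICMP_UNREACHABLE else "open|filtered"


def scan(target, scan_type, ports):
    """Return {port: inferred state} for the chosen scan type.

    'filtered' and 'open|filtered' also cover the case where no host runs at
    the address at all, which is why a host scan comes first.
    """
    if scan_type == "syn":
        return {p: infer_syn(target.tcp_reply(p, {"SYN"})) for p in ports}
    if scan_type == "null":
        return {p: infer_null(target.tcp_reply(p, set())) for p in ports}
    if scan_type == "udp":
        return {p: infer_udp(target.udp_reply(p)) for p in ports}
    raise ValueError(f"unknown scan type: {scan_type}")


# Constructed target: SSH and HTTP open, RDP firewalled, DNS open on UDP, SNMP firewalled.
TARGET = Target(tcp_open={22, 80}, tcp_filtered={3389}, udp_open={53}, udp_filtered={161})

if __name__ == "__main__":
    for kind, ports in (("syn", [22, 25, 80, 3389]),
                        ("null", [22, 25, 3389]),
                        ("udp", [53, 123, 161])):
        print(kind, scan(TARGET, kind, ports))
```

Running it shows the SYN scan separating all three TCP states, the null scan collapsing open and filtered into one bucket (and every port into that bucket once the firewall is stateful), and the UDP scan doing the same for ports whose service silently drops an empty datagram.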


Other options

Specifying scan speed: When packets are sent to a network faster than it can cope with, they will be dropped. This leads to inaccurate scanning results. When an intrusion detection system or intrusion prevention system is present on the target network, detection becomes more likely as speed increases. Many IPS devices and firewalls respond to a storm of SYN packets by enabling SYN cookies, which make every port appear to be open. Full speed scans can even wreak havoc on stateful network devices.

Nmap provides five templates for adjusting speed and also adapts itself. The -T0 option makes it wait for 5 minutes before the next packet is sent, the -T1 option makes it wait for 15 seconds, -T2 inserts 0.4 seconds, -T3 is the default (which leaves timing settings unchanged), -T4 reduces time-outs and retransmissions to speed things up slightly, and -T5 reduces time-outs and retransmissions even more to speed things up significantly. Modern IDS/IPS devices can detect scans that use the -T1 option. The user can also define a new template of settings and use it instead of a provided one.[26]


Application identification: The -sV option instructs Nmap to also determine the version of a running application.[27]

Operating system identification: The -O option instructs Nmap to try to determine the operating systems of the targets. Specially crafted packets are sent to open and closed ports and the responses are compared with a database.[28]

Saving output: The -oX <filename> option instructs Nmap to save the output to a file in XML format.[29]
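The XML produced by -oX is what makes a scan useful after the fact: a defender can parse it and compare the open ports against an approved baseline, so that a new listener or an unknown machine on the segment shows up in a periodic scan. The following is an added example, not code from the page or from the Nmap project; the XML is a constructed, trimmed sample in the shape Nmap writes (nmaprun/host/address/ports/port/state/service elements), and the function names and the baseline are my own.

```python
"""Parse Nmap XML output (-oX) and flag open ports outside a baseline.

Added example; not code from the page or from the Nmap project.  The XML
below is a constructed, trimmed sample; the function names are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one host up with three probed ports, one host down.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.160.9.1-30">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.160.9.5" addrtype="ipv4"/>
    <hostnames><hostname name="srv1.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/><service name="http"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.160.9.6" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return a list of hosts: {addr, hostname, up, ports: [(proto, port, state, service)]}."""
    root = ET.fromstring(text.strip())
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        status_el = host.find("status")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            service_el = port.find("service")
            service = service_el.get("name") if service_el is not None else None
            ports.append((port.get("protocol"), int(port.get("portid")), state, service))
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": name_el.get("name") if name_el is not None else None,
            "up": status_el is not None and status_el.get("state") == "up",
            "ports": ports,
        })
    return hosts


def open_ports(hosts):
    """Map each live address to its open (proto, port, service) tuples."""
    return {
        h["addr"]: [(proto, port, svc) for proto, port, state, svc in h["ports"] if state == "open"]
        for h in hosts if h["up"]
    }


def unexpected_open(hosts, baseline):
    """Return open ports not listed in baseline {addr: {(proto, port), ...}}.

    An address missing from the baseline is reported with all of its open
    ports, which is how an unknown machine surfaces in a periodic scan.
    """
    findings = {}
    for addr, entries in open_ports(hosts).items():
        allowed = baseline.get(addr, set())
        extra = [e for e in entries if (e[0], e[1]) not in allowed]
        if extra:
            findings[addr] = extra
    return findings


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    print(open_ports(found))
    print(unexpected_open(found, {"10.160.9.5": {("tcp", 22)}}))
```

Filtered ports are deliberately left out of the findings: as the scan-type section explains, silence does not prove anything is listening, so only a confirmed open state is compared against the baseline.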


See also

Nmap

Vulnerability scanning

Vulnerability scanning determines whether known vulnerabilities are present on a target. A vulnerability is a bug in an application program that affects security. Vulnerabilities are made public in places such as the Full-Disclosure mailing list. The Computer Emergency Response Team (CERT) brings out a statistical report every year.

Vulnerability databases:

Packet Storm: http://www.PacketStormSecurity.org/
The Exploit Database: http://www.exploit-db.com/

Tools

https://www.offensive-security.com/metasploit-unleashed/information-gathering/
https://docs.rapid7.com/metasploit/discovery-scan
https://www.bettercap.org/modules/ethernet/net.recon/
https://www.bettercap.org/modules/ethernet/net.sniff/
https://www.bettercap.org/modules/ethernet/net.probe/

References

  1. Wireless Security Handbook by Aaron E. Earle, Auerbach Publications, 2006, page 301.
  2. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 102.
  3. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 167.
  4. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 2-3, 5-6.
  5. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 36.
  6. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 178.
  7. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 19, 25.
  8. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 15.
  9. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 201-202.
  10. Linux in a Nutshell, 6th edition, by Ellen Siever and others, O'Reilly Media, Inc., 2009, pages 116-117, 197.
  11. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 29.
  12. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 26-27.
  13. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 215-217.
  14. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 61, 223-224.
  15. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 3, 7.
  16. WarDriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing, Inc., 2007, pages 112-115.
  17. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 87-88.
  18. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 34-37.
  19. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 37.
  20. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 35-36.
  21. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 32-33.
  22. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 37-39.
  23. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 38-39.
  24. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 40-42.
  25. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 42-44.
  26. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 45-47.
  27. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 49.
  28. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 49-50.
  29. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 51.