Reconnaissance – Footprinting & Network Scan

By | 24/03/2015

Footprinting

Data Gathering

  • Locations
  • Contacts – Name, email, phone, address
  • Hosting locations
  • Public servers – Types, IPs, Domains
  • DNS information – Authoritative DNS – A, CERT, HINFO, MX, NS
  • Path to the destination, with router names
  • Active machines, open ports, operating systems, services
  • Map the network, access points

Sources:

  • Whois domains and IPs, reverse whois
  • Nslookup
  • Use of 3rd Parties to avoid direct contact
  • IANA – Internet Assigned Numbers Authority
  • Regional Internet Registries – ARIN, RIPE, APNIC, LACNIC
  • Jobs and roles: LinkedIn, Monster – employees and ex-employees, knowledge of the technologies in use, job offers
  • Social Networks
  • Google!
  • Metadata on documents

Tools

  • Ping
  • Traceroute
  • NSlookup / Dig
  • Anywho
  • Emailtrackerpro
  • Path Analyzer pro
  • Smartwhois – tamos.com
  • Maltego
  • Wireshark
  • Google Hacking
  • Reverse Whois – whois.domaintools.com
  • centralops.net/co/
  • Netcraft
  • archive.org
  • FOCA
  • Metagoofil
  • EXIF Tool

Protocols

  • ICMP
  • DNS
Network Scan

Target:

  • Discovery systems
  • Identify TCP and UDP services
  • Discover the operating system
  • Active and passive fingerprinting
  • Determine the perimeter of the network
  • Network mapping

Levels of scanning

  • Host – Phone / IP
  • Service – UDP / TCP port
  • Version – Software, service

TCP Port Scan Techniques

  • Open (SYN) – syn scan – open ports
  • Half-open – only part of the three-way handshake is completed
  • Xmas – testing all the flags (no RST)
  • Stealth (Idle) – checking sequence codes to see the load of the service
  • Decoy – impersonate IP address to hide the source

UDP Scans

  • ICMP error returned – no service (port closed)
  • No response – port open or filtered

Fingerprint

  • Active: Determine the remote OS from differences between TCP/IP stack implementations
  • Passive: Capture packets and analyze the particularities of the host's traffic

Tools:

  • War Dialer – scan large pool of telephone numbers, detects vulnerable modems, provides access to the system
  • Demon Dialer – monitor specific phone, gain access
  • Ping, ping sweep
  • nmap (and zenmap)
  • Socks v5 – Anonymizer – Httptunnel – Httport

Network scanning tools and techniques are noisy: firewalls and IPS will detect the scans.
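The detection side of that sentence can be shown in a few lines. The following Python script is an added example, not code from the original notes: it parses constructed iptables-style firewall LOG lines, labels each TCP probe by its flag combination the way the scan-technique list above does (SYN-only, Xmas, NULL, FIN), and raises an alert when one source touches many ports on one host (port scan), one port across many hosts (sweep), or sends flag combinations no normal stack produces. The log layout, the RFC 5737 addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style LOG lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
Mar 24 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Mar 24 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Mar 24 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN URGP=0
Mar 24 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN URGP=0
Mar 24 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN URGP=0
Mar 24 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN URGP=0
Mar 24 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=51000 DPT=139 FIN PSH URG URGP=0
Mar 24 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=51001 DPT=139 FIN PSH URG URGP=0
Mar 24 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=51002 DPT=139 FIN PSH URG URGP=0
Mar 24 10:00:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=52311 DPT=443 SYN URGP=0
Mar 24 10:00:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=UDP SPT=52312 DPT=53 LEN=40
"""

FIELD_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")   # \b keeps URGP= from matching URG
STEALTH_KINDS = {"xmas", "null", "fin"}

def parse_line(line):
    """Return (src, dst, proto, dport, flags) or None for lines that are not firewall events."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    flags = frozenset(FLAG_RE.findall(line)) if m["proto"] == "TCP" else frozenset()
    return m["src"], m["dst"], m["proto"], int(m["dpt"]), flags

def probe_kind(proto, flags):
    """Label a probe by its flag combination, following the scan-technique list above."""
    if proto == "UDP":
        return "udp"
    if flags == {"SYN"}:
        return "syn"      # SYN-only: connect and half-open scans look alike at the firewall
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"     # a combination no legitimate stack sends
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    return "other"

def analyze(log_text, port_threshold=5, host_threshold=3):
    """Aggregate probes per source and return alert dicts sorted by (kind, src)."""
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {dport}
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    stealth_count = defaultdict(int)                         # src -> stealth-flag probes
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst, proto, dport, flags = ev
        ports_per_host[src][dst].add(dport)
        hosts_per_port[src][dport].add(dst)
        if probe_kind(proto, flags) in STEALTH_KINDS:
            stealth_count[src] += 1
    alerts = []
    for src, by_dst in ports_per_host.items():
        for dst, ports in by_dst.items():
            if len(ports) >= port_threshold:          # vertical scan: many ports, one host
                alerts.append({"kind": "portscan", "src": src, "target": dst, "count": len(ports)})
    for src, by_port in hosts_per_port.items():
        for dport, hosts in by_port.items():
            if len(hosts) >= host_threshold:          # horizontal sweep: one port, many hosts
                alerts.append({"kind": "sweep", "src": src, "target": dport, "count": len(hosts)})
    for src, n in stealth_count.items():
        alerts.append({"kind": "stealth-flags", "src": src, "target": None, "count": n})
    return sorted(alerts, key=lambda a: (a["kind"], a["src"]))

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, the SYN-only source is caught purely by volume (six ports on one host), the Xmas source by both its sweep of port 139 and its impossible flag set, and the ordinary client touching two ports stays silent. In practice the thresholds are tuned per network and applied over a time window, and the same counting is what an IPS does before it starts dropping the source.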
Enumeration

Common services that are usually available on networks and give away information:

  • NetBIOS – Test anonymous access. Provides information about local users, groups, shares, etc.
  • SNMP – Read MIB information. Configuration may be editable as well
  • DNS – Zone Transfers, queries, public DNS data and internal DNS data
  • Active Directory – LDAP
  • SMTP
  • NTP
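The DNS items above (zone transfers) and the record types listed under Footprinting (HINFO among them) have a direct defender-side check in the name server's own logs. The following Python script is an added example, not code from the original notes: it reads constructed BIND-style query and xfer-out log lines, flags AXFR/IXFR requests and actually served transfers from any client outside an assumed list of secondaries, and notes HINFO lookups, which are rare in legitimate traffic and reveal host hardware and OS details. The log layout, the RFC 5737 addresses and the allowed network are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND-style log lines (query and xfer-out categories, RFC 5737 addresses); not real data.
SAMPLE_LOG = """\
24-Mar-2015 10:12:01.101 queries: info: client 192.0.2.53#41000 (example.com): query: example.com IN AXFR -T (192.0.2.1)
24-Mar-2015 10:12:01.102 xfer-out: info: client 192.0.2.53#41000 (example.com): transfer of 'example.com/IN': AXFR started
24-Mar-2015 10:12:01.150 xfer-out: info: client 192.0.2.53#41000 (example.com): transfer of 'example.com/IN': AXFR ended
24-Mar-2015 10:13:44.010 queries: info: client 203.0.113.9#55123 (example.com): query: example.com IN AXFR -T (192.0.2.1)
24-Mar-2015 10:13:44.011 xfer-out: info: client 203.0.113.9#55123 (example.com): transfer of 'example.com/IN': AXFR started
24-Mar-2015 10:13:44.090 xfer-out: info: client 203.0.113.9#55123 (example.com): transfer of 'example.com/IN': AXFR ended
24-Mar-2015 10:14:02.300 queries: info: client 203.0.113.9#55124 (www.example.com): query: www.example.com IN A -E (192.0.2.1)
24-Mar-2015 10:15:10.000 queries: info: client 198.51.100.4#33000 (example.com): query: example.com IN AXFR -T (192.0.2.1)
24-Mar-2015 10:15:10.001 queries: info: client 198.51.100.4#33000 (example.com): query: example.com IN HINFO -E (192.0.2.1)
"""

# Hosts allowed to pull the zone (the secondaries); an assumption for this example.
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.0.2.0/24")]

# The optional "@0x..." token appears in newer BIND versions; the regexes tolerate both forms.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)")
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): transfer of '(?P<zone>[^']+)': (?P<kind>AXFR|IXFR) started")

def is_allowed(ip, allowed):
    """True if the client address falls inside one of the permitted secondary networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)

def audit(log_text, allowed=ALLOWED_SECONDARIES):
    """Return a list of findings, one dict per suspicious log line, in log order."""
    findings = []
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            ip, qtype, name = q["ip"], q["qtype"], q["name"]
            if qtype in ("AXFR", "IXFR") and not is_allowed(ip, allowed):
                findings.append({"kind": "xfer-request", "client": ip, "name": name})
            elif qtype == "HINFO":
                findings.append({"kind": "hinfo-query", "client": ip, "name": name})
            continue
        x = XFER_RE.search(line)
        if x and not is_allowed(x["ip"], allowed):
            # A transfer that *started* for an outsider means the zone really left the server.
            findings.append({"kind": "xfer-served", "client": x["ip"], "name": x["zone"]})
    return findings

def summary(findings):
    """Count findings by kind, for a quick triage view."""
    return Counter(f["kind"] for f in findings)

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for f in result:
        print(f)
    print(dict(summary(result)))
```

The distinction between "xfer-request" and "xfer-served" matters: a refused request is reconnaissance noise, while a served transfer to a non-secondary means the server's transfer ACL is too permissive (in BIND, the `allow-transfer` option in named.conf should list only the secondaries or a TSIG key). The second client in the sample only requested and was never served, which is what a correct ACL looks like in the log.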