Network scanning recon

Network scanning usually begins with discovering ranges of IP addresses and then specific systems within those ranges. Once the live systems have been located, they are scanned for responding ports and an attempt is made to identify the services running on the ports and the versions of the services. Once this map is filled in, vulnerability scanning attempts to identify active holes in the defenses that may be exploited for penetration.

  • Target ranges – these may have been identified earlier by general recon techniques or DNS information. If they have not, network sweeping can be done across ranges near known IP addresses in an attempt to discover them. Running network traces that show the path followed by packets may help fill in the network map and identify the perimeter ranges.
  • Finding systems – once some kind of target range is set, the next goal is to find all the systems inside that address range that are responding to probes. Ping sweeps and other types of network sweeps can accomplish this.
  • Ports and services – systems that are responding can be scanned to find ports that are open and hopefully identify the service that is running on the port. While it is possible to make generalizations about what type of protocol and service is running on a particular port, it is necessary to confirm the protocol and to discover the specific form of the service.
  • Service versions – connections to a service on a port often return a banner or header that includes some information about the service version number. When this information is available, it may immediately alert the attacker to the presence of a vulnerability.
  • OS fingerprinting – by throwing at a system a variety of packets designed to test the response of the protocol stack and the services running, it may be possible to “fingerprint” and identify the operating system and the version that is running.
  • Vulnerability scanning – with as much as possible of the information discussed above already filled in, the attacker will probably run a scan designed both to identify possible vulnerabilities and to test whether they can actually be exploited.

[Note that the default settings on most tools used for this kind of discovery, analysis, and vulnerability scanning make the activity quite noisy and easily detected; it is possible to adjust these settings to make the scans stealthier and less likely to be noticed.]
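As an added example of the detection side of that note (not code from the original post), here is a small Python checker that reads firewall log lines and flags the two noisy patterns the list above describes: many distinct ports on one host within a short window (port scan) and many distinct hosts from one source within a short window (sweep). The log format, the addresses, and the thresholds are all assumptions made up for this example; the sample lines are constructed, not captured from any real device.

```python
"""Flag the noisy signature of port scans and host sweeps in firewall logs.

Added example, not from the original post. The log format is a constructed,
hypothetical one: "<ISO-8601 time> <src> -> <dst>:<dport> <ALLOW|DENY>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)

# Constructed sample: one source probing many ports on a single host, one
# source touching many hosts on one port, and a benign client for contrast.
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.7 -> 192.0.2.10:21 DENY
2024-03-01T10:00:01 198.51.100.7 -> 192.0.2.10:22 ALLOW
2024-03-01T10:00:01 198.51.100.7 -> 192.0.2.10:23 DENY
2024-03-01T10:00:02 198.51.100.7 -> 192.0.2.10:25 DENY
2024-03-01T10:00:02 198.51.100.7 -> 192.0.2.10:53 DENY
2024-03-01T10:00:03 198.51.100.7 -> 192.0.2.10:80 ALLOW
2024-03-01T10:00:03 198.51.100.7 -> 192.0.2.10:443 ALLOW
2024-03-01T10:00:04 198.51.100.7 -> 192.0.2.10:445 DENY
2024-03-01T10:05:00 198.51.100.9 -> 192.0.2.1:80 DENY
2024-03-01T10:05:00 198.51.100.9 -> 192.0.2.2:80 DENY
2024-03-01T10:05:01 198.51.100.9 -> 192.0.2.3:80 DENY
2024-03-01T10:05:01 198.51.100.9 -> 192.0.2.4:80 DENY
2024-03-01T10:05:02 198.51.100.9 -> 192.0.2.5:80 DENY
2024-03-01T10:05:02 198.51.100.9 -> 192.0.2.6:80 DENY
2024-03-01T10:05:03 198.51.100.9 -> 192.0.2.7:80 DENY
2024-03-01T10:05:03 198.51.100.9 -> 192.0.2.8:80 DENY
2024-03-01T10:07:00 10.0.0.5 -> 192.0.2.10:443 ALLOW
2024-03-01T10:07:30 10.0.0.5 -> 192.0.2.10:443 ALLOW
2024-03-01T10:08:00 10.0.0.5 -> 192.0.2.11:22 ALLOW
2024-03-01T10:09:00 10.0.0.5 -> 192.0.2.10:80 ALLOW
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],  # DENY lines are as telling as ALLOW lines
        })
    return events


def detect_scans(events, window=timedelta(seconds=60),
                 port_threshold=8, host_threshold=8):
    """Return alerts for sources that, inside any `window`, reach at least
    `port_threshold` distinct ports on one host or `host_threshold` hosts.
    Thresholds are assumed values for this example, not tuned guidance."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best_ports = defaultdict(int)  # dst -> max distinct ports in a window
        best_hosts = 0                 # max distinct hosts in a window
        for i, start in enumerate(evs):
            ports = defaultdict(set)
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break  # events are sorted, so the window is exhausted
                ports[e["dst"]].add(e["dport"])
                hosts.add(e["dst"])
            for dst, seen in ports.items():
                best_ports[dst] = max(best_ports[dst], len(seen))
            best_hosts = max(best_hosts, len(hosts))
        for dst, n in best_ports.items():
            if n >= port_threshold:
                alerts.append({"kind": "port_scan", "src": src, "dst": dst, "count": n})
        if best_hosts >= host_threshold:
            alerts.append({"kind": "host_sweep", "src": src, "dst": None, "count": best_hosts})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{a['kind']:10s} from {a['src']} target={a['dst'] or 'many'} count={a['count']}")
```

Run as-is, the checker reports a port scan from 198.51.100.7 and a host sweep from 198.51.100.9 and stays quiet about the ordinary client. Calling it again with `window=timedelta(seconds=1)` illustrates the caveat in the note above from the defender's side: a fixed short window only catches probes that arrive close together, so a detector that relies on this alone also needs longer-lived per-source counters, and denied connections must be logged and counted, since most of the evidence here is in the DENY lines.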
