Network Reconnaissance

List the steps and tools used

Reconnaissance is the first step, and a key one, for an attacker to be successful. Professional attackers will take the time to learn as much about your environment as possible, using several different techniques and tools freely available on the internet, so that they can attack your weaknesses with as little resistance as possible. Reconnaissance is generally carried out in the following steps.

Step 1. Gathering general information about the company

Without even touching a computer, an attacker might be able to gain very sensitive information about an organization. This generally yields information about the company, its locations, its ISP, where its datacenter is located, which networks are probably least protected and most vulnerable, etc. Techniques and tools that are used include social engineering, caller ID spoofing, physical break-in, dumpster diving, whois, nslookup, Google, etc. (Vetterli & Kovačević 2009).

Step 2. Determining the network range

Network address reconnaissance is identifying the address space in use by the organization. Once an IP address has been obtained from the step above, simply by performing a DNS lookup on the company's website, checking that IP at the American Registry for Internet Numbers (ARIN) will show the address ranges belonging to the organization. Tools that are used to determine this could be ARIN, traceroute and TTL analysis (pingplotter.com, analogx.com).

Step 3. Identifying active machines

Once the network range is determined, the attacker would want to check which devices are active and respond to requests. This is generally done using ping sweeps, with tools such as WS_Ping ProPack, hping, nmap, etc.

Step 4. Finding open ports and active machines

When a device responds and is accessible to the attacker, the next step is to see whether there are any open ports or other vulnerabilities. This can be determined by performing stealth scans, port scanning and protocol scanning using tools such as nmap, SAINT, Nessus, hping, etc.

Step 5. Detecting operating systems ...
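Steps 3 and 4 above (ping sweeps and port scans) are also the point at which a defender can see reconnaissance in perimeter logs. The following is an added example, not part of the original text: a small Python detector run over constructed iptables-style firewall log lines; the log format, the addresses and the alert thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables-style), not captured traffic:
# 203.0.113.7 pings five hosts, then probes five ports on one of them;
# 198.51.100.4 pings a single host, which should not raise an alert.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8
Mar  3 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=ICMP TYPE=8
Mar  3 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=ICMP TYPE=8
Mar  3 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=ICMP TYPE=8
Mar  3 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.14 PROTO=ICMP TYPE=8
Mar  3 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=ICMP TYPE=8
Mar  3 10:00:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41000 DPT=21 SYN
Mar  3 10:00:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41001 DPT=22 SYN
Mar  3 10:00:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41002 DPT=23 SYN
Mar  3 10:00:06 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41003 DPT=25 SYN
Mar  3 10:00:06 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41004 DPT=80 SYN
"""

# Fields we need from each line; TYPE= appears on ICMP lines, SPT=/DPT= on TCP lines.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: TYPE=(\d+))?(?: SPT=\d+ DPT=(\d+))?")

def detect_recon(log_text, sweep_hosts=5, scan_ports=5):
    """Return (sweeps, scans): sources that sent echo requests to at least
    sweep_hosts distinct hosts, and (src, dst) pairs that were sent SYNs to at
    least scan_ports distinct ports. Thresholds are assumed values; tune per site."""
    icmp_targets = defaultdict(set)  # src -> {dst} for ICMP echo requests
    tcp_ports = defaultdict(set)     # (src, dst) -> {dport} for TCP
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, icmp_type, dport = m.groups()
        if proto == "ICMP" and icmp_type == "8":  # type 8 = echo request
            icmp_targets[src].add(dst)
        elif proto == "TCP" and dport:
            tcp_ports[(src, dst)].add(int(dport))
    sweeps = {s: sorted(d) for s, d in icmp_targets.items() if len(d) >= sweep_hosts}
    scans = {k: sorted(p) for k, p in tcp_ports.items() if len(p) >= scan_ports}
    return sweeps, scans

if __name__ == "__main__":
    sweeps, scans = detect_recon(SAMPLE_LOG)
    for src, hosts in sweeps.items():
        print(f"ping sweep from {src}: {len(hosts)} hosts probed")
    for (src, dst), ports in scans.items():
        print(f"port scan {src} -> {dst}: ports {ports}")
```

Real sweeps and scans are usually spread over time, so a production version would also key the counters on a time window rather than on the whole log.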