Home > Articles > Cisco Network Technology > General Networking > Penetration Testing and Network Defense: Performing Host Reconnaissance

Penetration Testing and Network Defense: Performing Host Reconnaissance

Chapter Description

Malicious hackers also value reconnaissance as the first step in an effective attack. For them, seeing what is on the "other side of the hill" is crucial to knowing what type of attack to launch. Although penetration testers might not always have the luxury of time that a malicious hacker might have, they do recognize the value of reconnaissance. This chapter will help you develop network reconnaissance skills to help you protect your network from intrusion.

From the Book

Penetration Testing and Network Defense

Penetration Testing and Network Defense

$57.59 (Save 20%)

Summary

Reconnaissance can be split into two categories; passive, which can be likened to a burglar glancing at houses as he walks along the road; and active, where he walks right up and peers in your windows.

Passive reconnaissance can be time intensive and yield varying degrees of success. The most obvious starting point is the website of your target. Two popular tools are available to help grab the whole site for offline browsing:

  • Wget (command-line tool)
  • Teleport Pro (graphical tool)

Analyzing site content can reveal information such as the following:

  • Hardware, operating system, and application information from commented code
  • Contact information for use in social engineering attacks

You can also glean potentially useful information from public sources, including these:

  • EDGAR filings
  • USENET newsgroups
  • User group meetings
  • Business partners

Active reconnaissance can be far more revealing, but the downside is that it is a riskier process and is more easily detected.

The first step in active reconnaissance is to identify hosts within the target network. You can use the following tools to accomplish this:

  • NSLookup
  • Whois
  • SamSpade
  • Visual Route

Simply performing an NSLookup to search for an IP address is passive, but the moment you begin doing a zone transfer using some of these tools, you are beginning to do active reconnaissance.

After the hosts have been identified, you can use port scanning to identify potential vulnerabilities. A range of different port scan techniques is available:

  • TCP Connect() scan
  • SYN scan
  • FIN scan
  • Xmas-Tree scan
  • NULL scan
  • Dumb scan

In addition, this chapter examined NMap, a popular and powerful tool that carries out port scanning.

This chapter looked at fingerprinting—the process of examining the characteristics of the host to identify its underlying operating system. Although this chapter discussed NMap, other fingerprinting tools are available:

  • Xprobe2
  • Ettercap
  • p0f v2
  • Queso
  • SS
  • CheckOS

All these steps constitute the footprinting of a target network. After the footprint is complete, you should be able to create a network map containing information such as the following:

  • Host names
  • IP addresses
  • Listening port numbers
  • Operating systems

Reconnaissance against a target network, such as that described in this chapter, can be detected using an IDS, which can take various forms:

  • Anomaly detection
  • Misuse detection
  • Host-based detection
  • Network-based detection