Network Reconnaissance
Collect Public Information
Collecting Information from Public Sources
EDGAR Database: a website run by the Securities and Exchange Commission where every publicly traded company must post various filings.
Maltego: an open-source intelligence (OSINT) search tool. For example, if you enter an e-mail address into Maltego, it queries many websites (Yahoo, Gmail, Google, Flickr, and so on) to see whether that address has an account there. If it finds a match, say an Instagram account tied to the e-mail address, it returns the Instagram handle and whatever else Instagram exposes, such as a profile picture, phone number, or name. It then searches again recursively on each new piece of information. Maltego is publicly available on the Internet; under the hood it simply runs small scripts against public sources. Everything it gathers is open-source intelligence that is freely available online: you can read the scripts to see how they work and reproduce the steps manually.
Individual - Social Network Profile
Social networking profiles give away a lot of information, and there are programs built to take advantage of it. Cree.py is one: it gathers location information about a target from social media. Cree.py no longer works. It worked because social media companies used to publish the exact location where a picture was taken; 5 or 10 years ago, every uploaded picture carried its location as well. Today the pictures no longer contain that metadata: all the major social media sites strip the metadata out of a picture when you upload it.
Determine the Network Range (Scanning and Enumeration)
Whois Database
Whois is the database of domain registrars. When a domain is registered, its record holds the administrative, technical, and registrar contacts for the domain. Someone trying to compromise something of yours can pull your personal information from there.
DNS is a Treasure Trove of Info
When you register a domain name with an authorized registrar, you must provide a valid name, address, and phone number for the person responsible for the domain. This information can be used against you in an attack.
Note: DNS stands for Domain Name System, the system that translates between domain names and IP addresses. TCP connections on the Internet are made to an IP address, not to a domain name, so DNS is the translator between the two.
Registered IP Blocks
Registered IP blocks give you information about companies and the IP address blocks they have registered. Now that IPv4 addresses have run out, this becomes more difficult to use, but before IPv4 addresses ran out, companies would register entire blocks of IP addresses. Apple, for example, holds whole blocks of IP addresses, and you can see which IP addresses Apple has by looking up its allocations in the ARIN database. ARIN is the North and South American registry for Internet numbers.
Gather Other Network Information
A traceroute identifies all the hops between two points, say, from my location to nyu.edu. It shows every router in the path, detailing the route between me and nyu.edu.
Robtex is a tool for visualizing the DNS requests.
Shodan is a search engine for the Internet of Things (IoT) used to locate IoT devices inadvertently exposed online. For instance, there have been cases where security cameras, including those in Tesla factories, were unintentionally made accessible online. Traffic cameras and even traffic lights have been mistakenly connected to the Internet. If you can provide a unique identifier specific to an IoT device, Shodan can locate it.
Host Discovery
A ping sweep (IP scanner) is a program for finding hosts on a network. It checks each IP address in a range to see whether a host answers at that address. So whenever you have a block of IP addresses that could have hosts on it, you can run a ping sweep to find additional hosts on the network.
A DNS zone transfer tries to pull every single record for a domain out of its DNS server.
A split DNS setup uses two DNS servers. One is dedicated to internal use, serving devices and users inside your network; it typically handles requests for resources such as test or staging websites that are meant for internal eyes only. The other, the external DNS server, handles regular website requests and is reachable by everyone, so anyone on the Internet can resolve and access your public websites. The advantage of this setup is the security inherent in the split: even if attackers query the external DNS server trying to uncover hidden or private domain names, they will not find them, because all the confidential names and records live on the internal DNS server. To reach that internal server, one typically has to connect over a VPN or be inside the protected network.
Service Discovery - Port Scanning
There are 4 possible outcomes when you send a TCP SYN probe to a particular port:
1. You send a TCP SYN packet to destination port 443 and get a SYN/ACK back. The port is open.
2. You send a TCP SYN packet to destination port 443 and get a RST back. The port is closed.
3. You send a TCP SYN packet and get no response. You have no idea what happened: a firewall may have dropped the packet, or it could be a network issue.
4. You send a TCP SYN packet and get an ICMP destination unreachable. Either a firewall rejected the packet or there is a network issue; which one depends on the code carried in the destination unreachable message. From the code you can tell whether it is network congestion, the IP could not be found, or a firewall rejecting the packet.
Note: a firewall that rejects leaks information, because you get the IP address of the responder. A firewall that drops gives you nothing; you have no idea what is going on.
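As an added example (not part of the original notes), this Python function turns the four outcomes above into the open/closed/filtered verdict a scanner reports, and uses the ICMP type 3 code to separate "network problem" from "firewall rejected it". The reply records are constructed dicts standing in for captured packets, not live traffic.

```python
"""Classify the reply to a single TCP SYN probe (constructed input, no network I/O)."""
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1812.
ICMP_UNREACH_CODES = {
    0: ("net-unreachable", "network issue: no route to the network"),
    1: ("host-unreachable", "network issue: host not reachable"),
    3: ("port-unreachable", "firewall rejected: default reply of an iptables REJECT rule"),
    9: ("net-admin-prohibited", "firewall rejected: network administratively prohibited"),
    10: ("host-admin-prohibited", "firewall rejected: host administratively prohibited"),
    13: ("admin-prohibited", "firewall rejected: communication administratively prohibited"),
}

@dataclass
class ProbeResult:
    state: str                       # open | closed | filtered
    reason: str                      # the evidence behind the verdict
    responder: Optional[str] = None  # IP that answered; None when nothing came back

def classify_syn_probe(reply: Optional[dict]) -> ProbeResult:
    """reply is None on timeout, {"proto": "tcp", "flags": "SA" or "RA", "src": ip}
    for a TCP answer, or {"proto": "icmp", "type": 3, "code": n, "src": ip}."""
    if reply is None:
        # Silent DROP or packet loss: indistinguishable from the outside.
        return ProbeResult("filtered", "no response (dropped or lost)")
    if reply["proto"] == "tcp":
        flags = set(reply["flags"])
        if {"S", "A"} <= flags:
            return ProbeResult("open", "SYN/ACK received", reply["src"])
        if "R" in flags:
            return ProbeResult("closed", "RST received", reply["src"])
        return ProbeResult("filtered", f"unexpected TCP flags {reply['flags']}", reply["src"])
    if reply["proto"] == "icmp" and reply.get("type") == 3:
        name, meaning = ICMP_UNREACH_CODES.get(reply["code"], ("unknown", "unrecognised code"))
        # A REJECT leaks the responder's address; a DROP would have leaked nothing.
        return ProbeResult("filtered",
                           f"ICMP unreachable code {reply['code']} ({name}): {meaning}",
                           reply["src"])
    return ProbeResult("filtered", "unexpected reply type", reply.get("src"))
```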
HPING
Ping-related programs include HPING, which is notably versatile. Much like Scapy, HPING allows for packet crafting in any desired format, even if it's not a legitimate packet. However, while Scapy offers extensive versatility, its performance is limited due to its Python foundation, making it slower. In contrast, HPING is optimized for speed, allowing for faster packet transmissions. It can be incorporated into scripts and send arbitrary data. Consider using HPING when Scapy's performance doesn't meet your needs.
NMAP
TCP Connect Scan: The TCP connect scan is an nmap scan type that uses the operating system's socket API. Its standout feature is that it doesn't require administrative privileges: because it relies on the OS API, it can be run without elevated permissions. A connect scan performs the normal (full) TCP three-way handshake: nmap sends a TCP SYN, receives a TCP SYN/ACK, and sends the third packet of the handshake, a TCP ACK. Then nmap closes the connection.
How does nmap create and close the connection? Opening takes SYN, SYN/ACK, ACK; closing takes TCP FIN, TCP FIN/ACK, and then TCP ACK. So it's six packets: a normal TCP connect scan uses the operating system's API and needs 6 packets back and forth to create and close the connection.
TCP SYN Scan: The TCP SYN scan is known as half open because it only uses the first two packets of the TCP three-way handshake. Nmap sends a TCP SYN and receives a TCP SYN/ACK. Normally a TCP ACK would follow, but nmap deliberately never sends it, so only two packets are involved and the connection is left half-open and never established. With administrative rights, nmap bypasses the operating system's TCP stack and writes the TCP SYN directly onto the wire, which is what lets it withhold the third packet and makes the scan faster. Writing packets straight to the network, bypassing the OS, is why the SYN scan requires administrative privileges.
TCP FIN Scan: A TCP FIN scan sends a packet with only the FIN flag set. This probes how an operating system responds to such an unusual packet, since a FIN is normally never sent outside an established connection.
TCP NULL Scan: A TCP NULL Scan sends a packet with no flags set, making it an unusual packet. If the OS adheres to TCP as defined in RFC 793, closed ports will respond with an RST.
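Seen from the defender's side, the packet counts above are what distinguish the scan types in a capture: a connect scan completes and tears down the handshake, a SYN scan never sends the final ACK, and FIN or NULL probes arrive with no connection at all. This added Python heuristic (not from the original notes) applies that idea to a constructed list of client-side packets, each given as (source, destination, destination port, TCP flags); the IPs and port lists are made up for the example.

```python
"""Label scanners in client-side packet records by how far each handshake got."""
from collections import defaultdict

def summarize_probes(packets, min_ports=5):
    """packets: iterable of (src, dst, dport, flags) with flags like "S", "A", "F" or "".
    Returns {(src, dst): {"kind", "ports", "half_open", "completed"}} for sources
    that touched at least min_ports distinct ports on one destination."""
    per_pair = defaultdict(lambda: defaultdict(list))
    for src, dst, dport, flags in packets:
        per_pair[(src, dst)][dport].append(flags)

    findings = {}
    for pair, ports in per_pair.items():
        if len(ports) < min_ports:
            continue  # too few ports touched to call it a scan
        half_open = odd_probe = completed = 0
        for flags_seq in ports.values():
            if flags_seq[0] in ("", "F"):
                odd_probe += 1      # NULL (no flags) or bare FIN with no connection
            elif "S" in flags_seq and "A" in flags_seq:
                completed += 1      # SYN followed by a plain ACK: full handshake
            elif "S" in flags_seq:
                half_open += 1      # SYN sent, third packet never followed
        if odd_probe and odd_probe >= half_open + completed:
            kind = "null/fin scan"
        elif half_open > completed:
            kind = "syn scan (half-open)"
        else:
            kind = "connect scan (full handshake)"
        findings[pair] = {"kind": kind, "ports": len(ports),
                          "half_open": half_open, "completed": completed}
    return findings

# Constructed sample capture: a SYN scanner, a connect scanner and one normal client.
SAMPLE = (
    [("10.0.0.9", "10.0.0.20", p, "S") for p in (22, 80, 443, 445, 3389, 8080)]
    + [("10.0.0.7", "10.0.0.20", p, f) for p in (21, 22, 25, 80, 443)
       for f in ("S", "A", "F", "A")]
    + [("10.0.0.3", "10.0.0.20", 443, f) for f in ("S", "A", "A", "F", "A")]
)

if __name__ == "__main__":
    for (src, dst), info in summarize_probes(SAMPLE).items():
        print(f"{src} -> {dst}: {info['kind']} over {info['ports']} ports")
```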