Network surveillance is one of the first phases of any attack. There are publicly available tools, such as nmap, but it is important to understand how these tools work in order to use them effectively.
An IP address is a numerical value assigned to a device on the Internet, similar to a phone number. There are two versions in use today, IPv4 and IPv6.
An IPv4 address is 32 bits, or four bytes. A byte can hold 256 possible values, so each octet of an IPv4 address can only range from 0 to 255, and because there are four bytes, an IPv4 address consists of four octets. Typically the '0' value of the last octet is reserved for the network address and '255' for the broadcast address, so a host's address will usually not end in 0 or 255. Other address ranges are also reserved for various reasons, such as:
- 127.*.*.* - This is reserved in RFC 1918 for localhost, the loopback address. Anything you do to an IP address starting with 127 you are doing to your own machine.
- 192.168.*.* - This is reserved in RFC 1918 for the local network. If you come across this addressing scheme, it is not an external, or public, IP address but an internal, or local, one. The subnet mask is typically 255.255.255.0 with this scheme, although that is not required.
- 172.*.*.* - This is reserved in RFC 1918 for the same reasons as the 192.168.*.* addressing scheme. The subnet mask is typically 255.255.0.0 with this scheme, although that is not required.
- 10.*.*.* - Same as above.
- 169.254.*.* - This is reserved for APIPA (Automatic Private IP Addressing) addresses, typically seen on Windows when no network connection is found and/or the DHCP server fails to lease an IP address to the computer.
Subnetting is splitting a network into two different networks. A subnet mask tells the computer which addresses make up its network. Networks are expressed in CIDR notation: an IP address followed by a slash (/) and the prefix size in bits, such as 192.168.1.0/24. This shows that the prefix is 24 bits, or 11111111.11111111.11111111.00000000, or 255.255.255.0. All the bits of the first three octets are set, so to communicate on this network an address must fit the 192.168.1.* addressing scheme.
If the subnet mask is 255.255.255.0 and the network address is 10.1.1.0, then, because the last octet of the subnet mask is 0, any value fits there, except 0 and 255 because of the reservations described above. This means that 10.1.1.100 and 10.50.252.35 would not be able to communicate with each other directly.
With a subnet mask of 255.255.0.0 and a network address of 172.17.0.0, the last two octets could be anything up to 255. Therefore, 172.17.100.19 can communicate with 172.17.88.33.
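As an added example (not code from the original page), here is the subnet arithmetic above worked in Python with the standard-library ipaddress module: converting a dotted mask to a prefix length, finding the network an address falls in, checking whether two hosts share a subnet, excluding the network and broadcast addresses, and classifying an address against the reserved blocks. It goes a little beyond the list above by using the exact registered blocks (172.16.0.0/12 rather than all of 172.*.*.*, 127.0.0.0/8 for loopback), so 172.32.0.1 is reported as public.

```python
import ipaddress

# Added example, not from the original page: the subnet arithmetic the text
# walks through, using Python's standard-library ipaddress module.

# Reserved ranges as actually registered. The text lists them by leading
# octets; the exact blocks are 10/8, 172.16/12 and 192.168/16 (RFC 1918),
# 127/8 (loopback, RFC 1122) and 169.254/16 (link-local/APIPA, RFC 3927).
RESERVED = {
    "loopback": [ipaddress.IPv4Network("127.0.0.0/8")],
    "private (RFC 1918)": [ipaddress.IPv4Network(n) for n in
                           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "link-local (APIPA)": [ipaddress.IPv4Network("169.254.0.0/16")],
}

def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24: the prefix length is the number of leading one bits."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A real mask is a run of ones followed by zeros; 255.0.255.0 is not one.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return prefix

def network_of(ip: str, mask: str) -> str:
    """The network an address falls in: ('10.1.1.100', '255.255.255.0') -> '10.1.1.0/24'."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask_to_prefix(mask)}", strict=False))

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts reach each other directly only if the mask puts them in one network."""
    return network_of(ip_a, mask) == network_of(ip_b, mask)

def is_usable_host(ip: str, mask: str) -> bool:
    """False for the network address (host bits all 0) and the broadcast (all 1)."""
    net = ipaddress.IPv4Network(f"{ip}/{mask_to_prefix(mask)}", strict=False)
    return ipaddress.IPv4Address(ip) not in (net.network_address, net.broadcast_address)

def classify(ip: str) -> str:
    """Name the reserved block an address belongs to, or 'public' if none matches."""
    addr = ipaddress.IPv4Address(ip)
    for label, nets in RESERVED.items():
        if any(addr in net for net in nets):
            return label
    return "public"
```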
These are the basics of subnet masks and subnetting. For more information, visit the subnetting page.
Any computer with an IP address has up to 65535 ports. A port is something like a phone line, and an IP address is something like a street address. The HTTP protocol, for example, runs on port 80 on the server. So when you go to a site, e.g. google.com, your web browser first looks up google.com's IP address using a service called DNS (the Domain Name System) and then connects to that IP address on port 80. DNS exists because computers talk to each other by IP address, while domain names such as google.com are an easier way for us humans to remember how to get from place to place.
Any computer on the internet has something called a 'gateway' or 'border router'. This is the upstream router that connects it and its peers to the rest of the internet. By compromising this router, attackers are able to monitor traffic between the target host and the rest of the internet, kind of like a phone bug. Monitoring traffic in this way is called sniffing.
From a technical standpoint, the important things to an attacker when first running surveillance are the open ports, the network information and the upstream router. Password wordlists can be built from the content of the target site, assuming there is one, as well as from any information that can be gleaned about employees.
To determine the border router, we'll use a utility called traceroute. On Windows the command is `tracert' and on Linux the command is `traceroute'. This command-line tool lets you follow your traffic from your own machine to another host. Sometimes the remote network takes steps at the network layer to stop the traceroute from completing. There are methods to evade this as well.
Alternatively, you can use the traceroute engine on our free services page. I recommend using tracert with the -d flag on Windows, since it skips hostname lookups and therefore runs faster. If ICMP/UDP traceroute seems ineffective, you can use a TCP traceroute. When tracerouting a web server, you can trace to TCP port 80, and when tracerouting a DNS server, you can trace to UDP port 53. Methods like these are often used when there is no other choice. You will always be able to identify the border router (and potentially a firewall) because it will be the next-to-last hop before the target host.
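As an added example, not code from the original page or its free services: a small parser for Linux-style traceroute output that applies the next-to-last-hop rule above and declines to name a border router when the trace never reached the target (a blocked trace ends in * * * rather than at the destination). The output it parses is constructed for the example using documentation addresses, and the router name edge.example.net is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the original page: parse traceroute output and pick
# the next-to-last hop, which the text identifies as the border router.
# SAMPLE_TRACE is constructed (documentation addresses, invented router name).
SAMPLE_TRACE = """\
traceroute to target.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.380 ms  0.361 ms
 2  10.20.0.1  8.915 ms  8.902 ms  8.880 ms
 3  * * *
 4  198.51.100.9  19.550 ms  19.530 ms  19.501 ms
 5  edge.example.net (203.0.113.1)  22.101 ms  22.080 ms  22.044 ms
 6  203.0.113.10  22.930 ms  22.901 ms  22.870 ms
"""

HEADER = re.compile(r"traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
# Hop line: hop number, then either "*" (no reply) or "[name (]ip[)]" and RTTs.
HOP = re.compile(r"^\s*(\d+)\s+(?:\*|(?:\S+\s+)?\(?(\d+\.\d+\.\d+\.\d+)\)?)")

@dataclass
class Hop:
    number: int
    ip: Optional[str]   # None when the hop did not answer ("* * *")

def parse_trace(text: str) -> Tuple[str, List[Hop]]:
    """Return (destination IP from the header, hops in order)."""
    lines = text.splitlines()
    m = HEADER.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not traceroute output")
    hops: List[Hop] = []
    for line in lines[1:]:
        h = HOP.match(line)
        if h:
            hops.append(Hop(int(h.group(1)), h.group(2)))
    return m.group(1), hops

def border_router(dest: str, hops: List[Hop]) -> Optional[str]:
    """Next-to-last hop when the trace actually reached the target; None otherwise."""
    if len(hops) < 2 or hops[-1].ip != dest:
        return None   # blocked or incomplete trace: no reliable answer
    return hops[-2].ip
```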
For port scanning, which checks a system for open ports, the nmap utility is virtually unparalleled. While you can write your own port scanner, nmap already has every option anyone could think of, so there is no point in reinventing the wheel. Nmap is available from nmap.org, or you can use the port scan on our free services page.
Lastly, we'll go over obtaining additional network information, such as mail server and DNS information, which can be used in an attack as well. Running `whois' on the target domain gives you the DNS server addresses as well as the domain's registrar. With the Linux command-line utility `dig', you can obtain MX records (dig -t MX domain.tld), which point you to the mail server.
You can type any of the commands in this tutorial by themselves on the appropriate operating system and they should greet you with some sort of help screen listing the different options and their uses.
    # nmap -sS -A -sV -O -P0 --defeat-rst-ratelimit target.net
    # ./nikto.pl -evasion 9 -host target.net
Nmap is a good tool for mapping out which daemons are running on the server. This matters because each daemon could be a chink in the site's armor. Command injection, buffer overflows and null-byte/escape-string vulnerabilities may plague any of these daemons, so after scanning a machine and getting a decent version print I generally Google for vulnerabilities in any or all of the running daemons, unless I already know one off the top of my head. Keep in mind that if target.net is running an application called "Port Sentry", nmap may come back reporting that every port is open. If so, you may want to try running:
    # nmap -sS -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net
    # nmap -sX -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net
As it stands, nikto does a good job of citing CVE references for any vulnerabilities it discovers. Just remember that you can sometimes get a lot of false positives. If nikto lists a CVE reference but no URL for it, try Google.