Difference between revisions of "Network Recon"
Line 1: | Line 1: | ||
+ | {{cleanup}} | ||
+ | |||
One of the first phases of an attack is network surveillance. There are tools are publicly available, although many auditors and penetration testers choose to hand-roll their own. First we'll step a little bit back into network topography in general and explain the basic concepts of [[IP address|ip addressing]], [[subnetting]], and some fundamentals about how the internet works. This is a lot of information, do not become upset if you become frustrated. | One of the first phases of an attack is network surveillance. There are tools are publicly available, although many auditors and penetration testers choose to hand-roll their own. First we'll step a little bit back into network topography in general and explain the basic concepts of [[IP address|ip addressing]], [[subnetting]], and some fundamentals about how the internet works. This is a lot of information, do not become upset if you become frustrated. | ||
Revision as of 18:08, 24 April 2012
One of the first phases of an attack is network surveillance. There are tools are publicly available, although many auditors and penetration testers choose to hand-roll their own. First we'll step a little bit back into network topography in general and explain the basic concepts of ip addressing, subnetting, and some fundamentals about how the internet works. This is a lot of information, do not become upset if you become frustrated.
You may want to start with a little bit of hexadecimal.
Contents
IP Addressing
An IP address is 32 bits, or four bytes. Because the highest value a byte can be is 255 and the lowest is 0, this is the range of any octet. Because an IP address contains four bytes, there are four octets in an IP address. The '0' value is reserved for the network, and the '255' value is reserved for what is called a broadcast. That means that IP addresses will typically not end in 0 or 255, because those numbers are reserved for other things. There are also certain "reserved" addressing ranges :
127.*.*.* - This is reserved in RFC 1918 for the local host. If you ever do anything to an IP address starting in 127, you will be performing these actions to your local machine.
192.168.*.* - This is reserved in RFC 1918 for the local network. If you come across this type of IP address, it is not a machine out there on the internet, but one likely in your own house or another computer at the coffee shop you're hanging out in.
172.*.*.* - This is reserved in RFC 1918 for the same as above
169.254.*.* - Same as above
10.*.*.* - Same as above
Ports
Any computer with an IP address has up to 65355 ports. A port is kind of like a phone line, and an IP address is kind of like an address. The HTTP protocol, for example, runs on port 80 on the server. So, when you go to a site (e.g.) google.com, first your web browser looks up google.com's IP address using a service called DNS (dynamic name server) and then connects to that IP address on port 80. The reason for the DNS service is that computers talk to each other through IP addresses and domain names e.g. google.com are an easier way for us humans to remember how to get from place to place.
Routing
Any computer on the internet has something called a 'gateway' or 'border router'. This router is the upstream router that connects it and its peers to the rest of the internet. By compromizing this router, attackers are able to monitor traffic between the target host and the rest of the internet, kind of like a phone bug. The act of monitoring traffic in such a way is called sniffing.
Theory
The important things to an attacker when first running surveillance are going to be the open ports and the network information and the upstream router, from a technical standpoint. Password wordlists can be made from content within the target site, assuming there is one, as well as any information that can be gleaned about any employees.
In order to determine the border router, we'll use a utility called traceroute. On windows the command is `tracert' and on linux the command is `traceroute'. This command-line tool allows you to follow your traffic from your own machine to another host. Sometimes the remote host has network-layer attempts to prevent the traceroute from completing. There are methods to evade this as well.
Alternatively, you can use the traceroute engine here on our free services page. I recommend using tracert with the -d flag on windows since it will avoid hostname lookups (making it run faster). If ICMP/UDP traceroute seems to be ineffective, you can use a TCP traceroute. When tracerouting a web server, you can trace to TCP port 80; and when tracerouting a DNS server, you can trace to UDP port 53. Many times methods like this are used when there is no other choice. You will always be able to identify the border router (and potentially a firewall) because it will be the next-to-last hop before the target host.
For port scanning, which scans for open ports on a system, the nmap utility is virtually unparralelled. While you can write your own port scanner, nmap has every option anyone could think of already. No point in re-inventing the wheel. Nmap is available from nmap.org, or, you can use the port scan on our free services page.
Lastly, we'll go over obtaining additional network information. Additional network information, such as mailserver information and DNS information can be utilized in an attack as well. By running a `whois' on the target domain, you can obtain the DNS server addresses as well as the domain's registrar. Using the linux command line utility called `dig', you can obtain MX records (dig -t MX domain.tld), which will point you in the direction of the mailserver.
You can type any of the commands in this tutorial by themselves on the correct operating system and they should appropriately greet you with some sort of help screen indicating the different options and their uses.
Tools
As far as what tools to use, nikto and nmap are good for web application and server scanning, respectively. Some common strings (with the example : target.net) are as follows :
user@host# nmap -sS -A -sV -O -P0 --defeat-rst-ratelimit target.net user@host# ./nikto.pl -evasion 9 -host target.net
Nmap is a good tool for mapping out what daemons are running on the server. This is important, because each daemon could be a chink in the armor of the site. Command Injection, Buffer Overflows, and null-byte/escape string vulnerabilities may plague any of these daemons and so generally after scanning a machine and getting a decent version print I try to google for vulnerabilities in any/all of the running daemons unless I know one off of the top of my head. Keep in mind that if target.net is running an application called "Port Sentry", nmap may come back thinking that every port is open. If this is the case, you may want to try running:
user@host# nmap -sS -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net
or even
user@host# nmap -sX -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net
As it stands, nikto does a great job mentioning CVE references for any vulnerabilities it discovers. Just remember that sometimes you can get a lot of false positives. If nikto doesn't mention a URL for a reference but lists a CVE reference, try google.