SKILL CCNE003: Identify fundamentals of network discovery
Objectives
CCNE003.001: Identify the items of interest when performing external reconnaissance
CCNE003.002: Identify the items of interest when performing internal reconnaissance
CCNE003.003: Describe active methods used for network discovery
CCNE003.004: Discuss passive approaches to network discovery
CCNE003.005: Explain the network discovery process from an offensive position
CCNE003.006: Explain the network discovery process from a defensive position
CCNE003.007: Explain the potential mitigation techniques for network discovery
CCNE003.008: Discuss best practices for network analysis
Identifying IP Addresses and Sub-domains
Identifying People
Identifying Technologies
Identifying Content of Interest
Identifying Vulnerabilities
"All the business of war, and indeed all the business of life, is to endeavor to find out what you don't know by what you do: that's what I called 'guessing what was at the other side of the hill.'" ~Duke of Wellington
Reconnaissance often begins with establishing a base of information via OSINT. Without visiting the website, collect all the information you can about a company of your choice.
-------------------------------
Try some of these resources to start off with:
http://www.iana.org
https://newgtlds.icann.org/en
https://www.dnsstuff.com/tools#
https://www.whois.net
https://www.shodan.io
You may find yourself needing to obtain information from websites, FTP sites, etc., while having only CLI access. Practice some methods for interacting with these services from the command line.
"Any act that influences a person to take an action that may or may not be in their best interest."
- Set a frame (pretexting) for the interaction / prime the target for a response
- Reciprocity
- Scarcity
- Authority
- Social Proof
- Sympathy
- Phone/email/In-person
- Mental Buffer-Overflow: layer loops (stories/information) until the subject tunes out or can't keep track, then inject the bad stuff
- Questions: a language structure that forces the execution of instructions.
- Illegal flag combinations can be used to determine the operating system
- Xmas Tree scan is one popular example used in Nmap with OS detection (URG/PSH/FIN flags set)
- Linux only sends RSTs if the port is open (no RST for closed ports)
- Windows and Mac ALWAYS send RSTs if the TCP segment isn't part of an established connection
Popular Scanning tools
- Nmap, Netcat, Scapy, Hping3...
Common Scanning Methods
- TCP Connect() Scan (IDS/logs catch this easily!)
- SYN Scan (half-open)
- ACK Scan (What is this for?)
- Stealth Scans
- NULL or FIN Scan (proper response: open port drops the probe; closed port sends an RST)
- UDP Scan (how does that work?!)
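The flag-combination rules above are easiest to see from the defender's side: given a stream of TCP segments, name the probe type each flag set implies and flag sources that sweep many ports with stealth probes. The following is an added example written for these notes, not code from the course or from Nmap; the packet records, the per-source port threshold, and the response vocabulary of `infer_port_state` are constructed for illustration, with the port-state table following the RFC 793 / Nmap semantics the list refers to.

```python
"""Classify TCP flag combinations and summarize per-source scan indicators.

Added example for the course notes (constructed sample data, not real capture).
Each record is (src_ip, dst_ip, dst_port, frozenset of TCP flag names).
"""
from collections import Counter, defaultdict

SAMPLE_PACKETS = [
    # Xmas-tree probes (URG/PSH/FIN) from one source across twelve ports
    *[("10.0.0.5", "10.0.0.20", p, frozenset({"URG", "PSH", "FIN"})) for p in range(20, 32)],
    # NULL and FIN probes from the same source
    ("10.0.0.5", "10.0.0.20", 8080, frozenset()),
    ("10.0.0.5", "10.0.0.20", 8443, frozenset({"FIN"})),
    # A normal client: handshake then data on a single port
    ("10.0.0.7", "10.0.0.20", 443, frozenset({"SYN"})),
    ("10.0.0.7", "10.0.0.20", 443, frozenset({"ACK"})),
    ("10.0.0.7", "10.0.0.20", 443, frozenset({"PSH", "ACK"})),
]


def classify_flags(flags):
    """Name the probe type implied by a TCP flag set (see the scan list above)."""
    f = frozenset(flags)
    if not f:
        return "NULL"
    if f == {"FIN"}:
        return "FIN"
    if {"URG", "PSH", "FIN"} <= f and not f & {"SYN", "ACK"}:
        return "XMAS"
    if {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
        return "ILLEGAL"  # never produced by a conforming TCP state machine
    if f == {"SYN"}:
        return "SYN"      # connect() and half-open scans both start with this
    if f == {"ACK"}:
        return "ACK"      # a probe only when no session exists; normal inside a handshake
    return "NORMAL"


STEALTH = {"NULL", "FIN", "XMAS", "ILLEGAL"}


def summarize(packets, port_threshold=10):
    """Per-source counts by class, distinct ports touched, and a verdict.

    A source is called a scan if it sent any stealth/illegal probe or touched
    at least port_threshold distinct ports (threshold is an assumption).
    """
    per_src = defaultdict(lambda: {"classes": Counter(), "ports": set()})
    for src, _dst, dport, flags in packets:
        per_src[src]["classes"][classify_flags(flags)] += 1
        per_src[src]["ports"].add(dport)
    report = {}
    for src, e in per_src.items():
        stealth = sum(e["classes"][c] for c in STEALTH)
        scan = stealth > 0 or len(e["ports"]) >= port_threshold
        report[src] = {
            "classes": dict(e["classes"]),
            "distinct_ports": len(e["ports"]),
            "verdict": "scan" if scan else "benign",
        }
    return report


def infer_port_state(scan, response):
    """State a scanner infers from the target's reply (RFC 793 / Nmap semantics).

    response is one of 'SYN/ACK', 'RST', 'ICMP-unreach', 'UDP-reply', or None.
    """
    if scan in ("NULL", "FIN", "XMAS"):
        # closed ports answer RST; open ports drop the probe, as do filters
        return "closed" if response == "RST" else "open|filtered"
    if scan in ("SYN", "CONNECT"):
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan == "ACK":
        # cannot tell open from closed; only whether something filters the port
        return "unfiltered" if response == "RST" else "filtered"
    if scan == "UDP":
        # ICMP port unreachable means closed; silence is ambiguous
        return {"UDP-reply": "open", "ICMP-unreach": "closed"}.get(response, "open|filtered")
    raise ValueError(f"unknown scan type {scan!r}")


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_PACKETS).items():
        print(src, entry)
```

Run as-is to see `10.0.0.5` reported as a scan (twelve Xmas probes plus NULL and FIN) while the handshake from `10.0.0.7` stays benign; in a real deployment the record tuples would come from a flow exporter or packet capture rather than the constructed list.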
Additional Reading:
RFC 7707 - https://www.cs.columbia.edu/~smb/papers/v6worms.pdf
Nmap is a highly popular scanning tool
Nmap host discovery run with root privilege:
- Sends raw ARP packets; it is nearly impossible to block or hide from this type of scan
Nmap host discovery run without root privilege:
- Cannot open raw sockets
- Connects to two TCP ports (80 and 443)
- Host considered "up" if the connection succeeds or is reset
ICMP: Nmap can do ICMP ping sweeps, but since OSes and firewalls often block or drop ICMP this can be unreliable
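The unprivileged host-discovery rule above (plain connect() to 80 and 443; a completed connection or a reset both prove a host is there, silence proves nothing) can be reproduced with ordinary sockets. The code below is an added example for these notes, not Nmap's own implementation; `PROBE_PORTS` mirrors the two ports the notes mention, and `demo_localhost` is a constructed loopback demo (one listening port, one closed port) so the rule can be exercised offline.

```python
"""Unprivileged TCP host discovery in the style described in the notes.

Added example, not Nmap source. No raw sockets: a connect() that completes
or is refused (RST came back) proves the host is up; a timeout or an
unreachable error leaves the host state unknown.
"""
import socket
import threading

PROBE_PORTS = (80, 443)  # the two ports the notes say Nmap tries without root


def tcp_probe(host, port, timeout=1.0):
    """Return 'connected', 'refused' (RST received) or 'no-response'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        return "refused"      # nobody listening, but the host itself answered
    except OSError:           # timeout, host/network unreachable, filtered port
        return "no-response"
    finally:
        sock.close()


def host_is_up(host, ports=PROBE_PORTS, timeout=1.0):
    """Apply the notes' rule: up if any probe connects or is reset."""
    results = {port: tcp_probe(host, port, timeout) for port in ports}
    up = any(r in ("connected", "refused") for r in results.values())
    return up, results


def _free_port():
    """Bind to an ephemeral loopback port and release it, so connect() gets RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_localhost():
    """Constructed demo: probe one listening and one closed port on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(3)
    open_port = listener.getsockname()[1]
    closed_port = _free_port()

    def serve_once():
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass
        finally:
            listener.close()

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    up, results = host_is_up("127.0.0.1", ports=(open_port, closed_port))
    worker.join()
    labelled = {("open" if p == open_port else "closed"): r for p, r in results.items()}
    return up, labelled


if __name__ == "__main__":
    print(demo_localhost())
```

Against a real target, substitute the host and keep `PROBE_PORTS`; a result of `no-response` on both ports is exactly the case the notes warn about, where a firewall dropping the probes makes the host look absent even though it is there.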
Physical Diagrams
- Medium; i.e. Wired/Wireless
- Topology (star most common)
- Depict port/interface connection
Logical Diagrams
- IP Addressing/Networks
- Protocol/Language
A few items to consider
p0f primarily looks at TCP/IP header attributes to make a determination (packaged and custom signatures)
1: IP version
2: Initial TTL
3: IP Options
4: MSS
5: Window size (value or multiple of a value)
6: Window Scale
7: TCP Options (in the order listed in the field)
8: Quirks (DF flag or IP ID)
9: Payload Class
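To see how those nine attributes combine into a passive fingerprint, the following added example (written for these notes, not p0f's own code) parses signatures written in the nine-field layout listed above and matches them against the attributes a sniffer would pull from a SYN. The two signature strings, the two observed packets, and the `MAX_HOPS` bound used to recover the initial TTL are all constructed for illustration and are not taken from p0f's signature database.

```python
"""Passive fingerprint matcher over the nine p0f-style attributes.

Added example for the course notes. Signature layout (constructed, p0f v3
style): ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
"""

SIGNATURES = {
    "constructed-linux":   "*:64:0:*:mss*10,0:mss,sok,ts,nop,ws:df,id+:0",
    "constructed-windows": "*:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0",
}
MAX_HOPS = 32  # assumption: observed TTL is within this many hops of the initial TTL


def parse_signature(sig):
    """Split a signature string into its nine fields."""
    ver, ittl, olen, mss, win, olayout, quirks, pclass = sig.split(":")
    wsize, scale = win.split(",")
    return {
        "ver": ver, "ittl": int(ittl), "olen": int(olen), "mss": mss,
        "wsize": wsize, "scale": scale,
        "olayout": olayout.split(",") if olayout else [],
        "quirks": set(quirks.split(",")) if quirks else set(),
        "pclass": pclass,
    }


def _wsize_matches(spec, pkt):
    """Window size: literal value, wildcard, multiple of MSS (mss*N) or of N (%N)."""
    if spec == "*":
        return True
    if spec.startswith("mss*"):
        return pkt["wsize"] == pkt["mss"] * int(spec[4:])
    if spec.startswith("%"):
        return pkt["wsize"] % int(spec[1:]) == 0
    return pkt["wsize"] == int(spec)


def match_signature(sig, pkt):
    """Return the inferred hop distance if pkt fits sig, otherwise None."""
    s = parse_signature(sig)
    distance = s["ittl"] - pkt["ttl"]  # initial TTL minus observed TTL
    checks = [
        s["ver"] in ("*", str(pkt["ip_version"])),      # 1: IP version
        0 <= distance < MAX_HOPS,                        # 2: initial TTL
        s["olen"] == pkt["ip_opt_len"],                  # 3: IP options length
        s["mss"] in ("*", str(pkt["mss"])),              # 4: MSS
        _wsize_matches(s["wsize"], pkt),                 # 5: window size
        s["scale"] in ("*", str(pkt["wscale"])),         # 6: window scale
        s["olayout"] == list(pkt["olayout"]),            # 7: TCP options, order matters
        s["quirks"] == set(pkt["quirks"]),               # 8: quirks (df, id+ ...)
        s["pclass"] in ("*", str(pkt["pclass"])),        # 9: payload class
    ]
    return distance if all(checks) else None


def fingerprint(pkt, signatures=SIGNATURES):
    """Every label whose signature fits the packet, with the hop distance."""
    hits = {}
    for label, sig in signatures.items():
        distance = match_signature(sig, pkt)
        if distance is not None:
            hits[label] = distance
    return hits


# Constructed observations of two SYN packets, as a sniffer would extract them
LINUX_SYN = {"ip_version": 4, "ttl": 57, "ip_opt_len": 0, "mss": 1460,
             "wsize": 14600, "wscale": 0,
             "olayout": ["mss", "sok", "ts", "nop", "ws"],
             "quirks": {"df", "id+"}, "pclass": 0}
WINDOWS_SYN = {"ip_version": 4, "ttl": 120, "ip_opt_len": 0, "mss": 1460,
               "wsize": 8192, "wscale": 8,
               "olayout": ["mss", "nop", "ws", "nop", "nop", "sok"],
               "quirks": {"df", "id+"}, "pclass": 0}

if __name__ == "__main__":
    print("linux-like SYN  ->", fingerprint(LINUX_SYN))
    print("windows-like SYN ->", fingerprint(WINDOWS_SYN))
```

Two design points follow directly from the list above: option layout is compared as an ordered list, because the order of TCP options is itself a fingerprint, and the TTL check recovers the initial TTL (64 or 128 here) from the observed value and reports the difference as hop distance rather than demanding an exact match.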