Network Recon

CCTC - Networking

Outcomes


SKILL CCNE003: Identify fundamentals of network discovery

Objectives

CCNE003.001: Identify the items of interest when performing external reconnaissance

CCNE003.002: Identify the items of interest when performing internal reconnaissance

CCNE003.003: Describe active methods used for network discovery

CCNE003.004: Discuss passive approaches to network discovery

CCNE003.005: Explain the network discovery process from an offensive position

CCNE003.006: Explain the network discovery process from a defensive position

CCNE003.007: Explain the potential mitigation techniques for network discovery

CCNE003.008: Discuss best practices for network analysis

Reconnaissance

Identifying IP Addresses and Sub-domains

Identifying People

Identifying Technologies

Identifying Content of Interest

Identifying Vulnerabilities

"All the business of war, and indeed all the business of life, is to endeavor to find out what you don't know by what you do: that's what I called 'guessing what was at the othe side of the hill" ~Duke of Wellington

Open Source Intelligence (OSINT)

Reconnaissance often begins with establishing a base of information via OSINT. Without visiting the company's own website, collect all the information you can about a company of your choice.

-------------------------------

Try some of these resources to start off with:
http://www.iana.org
https://newgtlds.icann.org/en
https://www.dnsstuff.com/tools#
https://www.whois.net
https://www.shodan.io

Interactions with protocols/resources


You may find yourself needing to obtain information from websites, FTP sites, etc. while having only CLI access. Practice some methods for interacting with these services from the command line, for example speaking the protocol by hand through nc or telnet, or with curl.
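
As an added example (not part of the course material), the following Python does by hand what you would otherwise type into nc or telnet: it builds an HTTP request line by line, parses the status line and headers out of the raw reply, and reads the greeting banner a service such as FTP volunteers on connect. The two services it talks to are constructed in-process so the script runs offline; the host, ports, header values and banner text are assumptions.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_http_request(host, path="/", method="HEAD"):
    """Hand-build the same request you would type into 'nc host 80'."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: recon-cli/0.1\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_http_response(raw):
    """Split a raw HTTP reply into (status code, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def http_fetch(host, port, path="/", method="HEAD", timeout=3.0):
    """Talk HTTP over a plain TCP socket; 'Connection: close' makes EOF mark the end of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_http_request(host, path, method))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_http_response(b"".join(chunks))


def grab_banner(host, port, timeout=3.0, limit=1024):
    """Read whatever a service sends first (FTP, SSH and SMTP greet before the client speaks)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(limit).decode("utf-8", "replace").strip()
        except socket.timeout:
            return ""  # service waits for the client to speak first (e.g. HTTP)


# --- constructed local services so the functions above can be exercised offline ---

class _ConstructedHandler(BaseHTTPRequestHandler):
    server_version = "ConstructedHTTPd/1.0"   # constructed Server: header value
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("X-Powered-By", "ConstructedApp/2.3")
        self.end_headers()

    def log_message(self, *args):
        pass


def _serve_banner_once(banner):
    """Constructed FTP-style greeter: accept one connection, send the banner, hang up."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def run():
        conn, _ = listener.accept()
        conn.sendall(banner)
        conn.close()
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]


def demo():
    """Run both probes against the constructed services; returns what a recon note would record."""
    httpd = HTTPServer(("127.0.0.1", 0), _ConstructedHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    ftp_port = _serve_banner_once(b"220 constructed-ftp ready\r\n")
    try:
        status, headers, _ = http_fetch("127.0.0.1", httpd.server_address[1])
    finally:
        httpd.shutdown()
    banner = grab_banner("127.0.0.1", ftp_port)
    return status, headers, banner


if __name__ == "__main__":
    print(demo())
```

The Server and X-Powered-By headers and the FTP 220 line are exactly the fields a recon note records for the "Identifying Technologies" step; against a real host replace the loopback address and ports in demo() and expect the server to close the connection itself.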


Protocol Interaction Activity




Social Engineering


"Any act that influence a person to take an action that may or may not be in their best interest."

- Set a frame (pretexting) for interaction/ prime for response
- Reciprocity
- Scarcity
- Authority
- Social Proof
- Sympathy

Video - Social Engineering for a password

Social Engineering (Cont.)


- Phone/email/In-person
- Mental buffer overflow: layer stories and information in loops until the subject tunes out or can't keep track, then slip in the request you actually want
- Questions: a language structure that compels the listener to process and respond, much like an instruction that must be executed






Another Social Engineering Example - think about which techniques were used

TCP Flags


- Illegal or unusual flag combinations can be used to determine the operating system, because TCP stacks differ in how they answer them

- The Xmas tree scan (URG/PSH/FIN set) is one popular example; nmap's OS detection (-O) sends similar odd-flag probes

- RFC 793 stacks such as Linux answer a FIN/NULL/Xmas probe with a RST only if the port is closed; an open port silently drops it

- Windows machines (and some other non-RFC stacks) ALWAYS send a RST when the segment isn't part of an established connection, open port or not, so these scans show every Windows port as closed but reveal the OS family

Port Scanning

Popular Scanning tools

- Nmap, Netcat, Scapy, Hping3...

Common Scanning Methods

- TCP connect() scan: completes the three-way handshake through the OS socket API, so application logs and IDS catch it easily
- SYN scan (half-open): sends a SYN and tears down with a RST after the SYN/ACK; needs raw sockets (root)
- ACK scan: maps firewall rules rather than ports; a RST means unfiltered, silence or ICMP unreachable means filtered
- Stealth scans
- NULL, FIN and Xmas scans: the proper RFC 793 response is open - drop, closed - send a RST, so silence is reported as open|filtered
- UDP scan: sends an empty or protocol-specific datagram; ICMP port unreachable (type 3, code 3) means closed, any reply means open, silence means open|filtered, so the scan is slow and needs retransmissions
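
Added example covering both the TCP Flags notes and the scan methods above (illustrative code written for this page, not nmap's): it builds the TCP header of a SYN, ACK, NULL, FIN or Xmas probe with a correct pseudo-header checksum, and interprets the reply the way nmap's port-state rules do, including the no-answer and ICMP-unreachable cases. Sending the probe and capturing the reply needs a raw socket (root), for instance via scapy, and is left out; the addresses and ports are made-up values.

```python
import socket
import struct

# The six classic TCP flag bits (low byte of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe flags per scan type, as nmap -sS / -sA / -sN / -sF / -sX send them.
SCAN_FLAGS = {"syn": SYN, "ack": ACK, "null": 0, "fin": FIN, "xmas": FIN | PSH | URG}

# ICMP type 3 codes that nmap reports as "filtered" for any TCP scan.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def ones_complement_sum(data):
    """RFC 1071 checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header (no options) with a valid checksum; the IP header is left to the kernel."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    csum = ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, tcp_segment):
    """A correct TCP checksum makes pseudo-header + segment sum to zero."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(tcp_segment)) + tcp_segment) == 0


def tcp_flags(tcp_segment):
    return struct.unpack("!H", tcp_segment[12:14])[0] & 0x3F


def classify(scan, response):
    """Map what came back to nmap's port states.

    response is None for a timeout, the raw TCP header bytes for a TCP reply,
    or ("icmp", type, code) for an ICMP error.
    """
    if response is None:
        # SYN and ACK probes always draw an answer from a reachable stack, so silence means
        # filtered. NULL/FIN/Xmas cannot tell an open port (silent drop) from a filter (also silent).
        return "filtered" if scan in ("syn", "ack") else "open|filtered"
    if isinstance(response, tuple) and response[0] == "icmp":
        _, itype, icode = response
        return "filtered" if (itype == 3 and icode in ICMP_FILTERED_CODES) else "unknown"
    flags = tcp_flags(response)
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
    elif scan == "ack":
        # An ACK scan never learns open/closed; a RST only proves nothing stateful is in the way.
        if flags & RST:
            return "unfiltered"
    elif scan in ("null", "fin", "xmas"):
        # RFC 793 stack: RST means closed. A Windows stack RSTs regardless of port state, so
        # against Windows every port reads "closed" and the scan only tells you the OS family.
        if flags & RST:
            return "closed"
    return "unknown"


if __name__ == "__main__":
    probe = build_tcp_probe("10.0.0.1", "10.0.0.2", 40000, 80, SCAN_FLAGS["xmas"])
    print(probe.hex(), checksum_ok("10.0.0.1", "10.0.0.2", probe))
```

Note that the checksum covers the pseudo-header, so the same 20 bytes are invalid if the destination address changes; a spoofed-source probe must be checksummed with the spoofed source, which is why tools like hping3 compute it themselves.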

What about IPV6?


  • The host address space is enormous: scanning an entire prefix is out of the question.
  • (A 64-bit host space at 1 probe/sec would take roughly 585 billion years.)
  • Identifying likely addresses becomes key: low-byte IIDs (::1, ::2), EUI-64 IIDs derived from vendor MACs, embedded IPv4 addresses, "wordy" IIDs, plus DNS, leaked logs and neighbor caches (RFC 7707).
  • Scanning locally vs. remotely: on the local link, probe the all-nodes multicast address (ff02::1) and read the neighbor cache; remotely you must work from a candidate list.
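
Added example (not from the course): a small candidate generator for one /64 using the RFC 7707 address patterns, so that the handful of addresses worth probing can be enumerated instead of the 2^64 host space. The prefix, MAC, OUI and IPv4 values used in the usage are assumptions.

```python
import ipaddress


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def mac_from_oui(oui, nic):
    """MAC from a vendor OUI ('aa:bb:cc') and a 24-bit NIC-specific number."""
    return "%s:%02x:%02x:%02x" % (oui, (nic >> 16) & 0xFF, (nic >> 8) & 0xFF, nic & 0xFF)


def candidates(prefix, macs=(), ouis=(), nic_max=0, ipv4s=(), words=(), low_byte_max=256):
    """Candidate hosts inside one /64 from the RFC 7707 address patterns: low-byte IIDs,
    EUI-64 IIDs (from leaked MACs or a vendor OUI range), embedded IPv4 addresses, wordy IIDs."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    base = int(net.network_address)
    found = set()
    for n in range(1, low_byte_max):              # ::1, ::2 ... (hand-numbered routers and servers)
        found.add(base | n)
    for mac in macs:                              # SLAAC hosts whose MAC leaked (ARP tables, DHCP logs, docs)
        found.add(base | eui64_iid(mac))
    for oui in ouis:                              # same vendor, sequentially assigned NIC numbers
        for nic in range(nic_max):
            found.add(base | eui64_iid(mac_from_oui(oui, nic)))
    for v4 in ipv4s:                              # dual-stack admins reuse the IPv4 address in the IID
        found.add(base | int(ipaddress.IPv4Address(v4)))                    # ::c000:20a
        g = [int(x, 16) for x in v4.split(".")]                              # decimal octets typed as hex groups
        found.add(base | (g[0] << 48) | (g[1] << 32) | (g[2] << 16) | g[3])  # ::192:0:2:10
    for w in words:                               # ::cafe, ::dead:beef and friends
        found.add(base | int(w.replace(":", ""), 16))
    return sorted(str(ipaddress.IPv6Address(x)) for x in found)


if __name__ == "__main__":
    # Assumed inputs: a documentation prefix, one MAC seen in an ARP table, the IPv4 address of the same host.
    for addr in candidates("2001:db8:1:2::/64", macs=["00:50:56:ab:cd:ef"],
                           ipv4s=["192.0.2.10"], words=["dead:beef"], low_byte_max=8):
        print(addr)
```

On the local link you do not need the list at all: ping the all-nodes multicast address (ping6 ff02::1%eth0) and read the neighbor cache (ip -6 neigh); the candidate list is for the remote case.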




Additional Reading:
RFC 7707, Network Reconnaissance in IPv6 Networks
Bellovin et al., "Worm Propagation Strategies in an IPv6 Internet" - https://www.cs.columbia.edu/~smb/papers/v6worms.pdf

Scanning

Nmap is a highly popular scanning tool.

Nmap host discovery run with root privilege:
- On the local Ethernet segment it sends raw ARP requests; a live host must answer ARP, so this is nearly impossible to block or hide from
- For remote targets it sends ICMP echo, ICMP timestamp, a TCP SYN to port 443 and a TCP ACK to port 80

Nmap host discovery run without root privilege:
- Cannot open raw sockets
- Uses the OS connect() call against TCP ports 80 and 443
- Host considered "up" if the connection succeeds or is reset (refused)

ICMP: Nmap can do ICMP echo ping sweeps (-PE), but since hosts and firewalls often block or drop ICMP, that alone is unreliable.
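
Added example, not nmap's code: the unprivileged discovery rule above reimplemented with ordinary connect() calls, plus a threaded sweep. A refused connection counts as "up" because the RST proves a host answered; only silence (timeout or ICMP unreachable) leaves the question open. demo_loopback() checks the rule against one listening and one closed port on 127.0.0.1 so it runs offline; the target list in the usage is an assumption.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """One unprivileged probe: a full connect() to the port.
    'connected' (SYN/ACK) and 'refused' (RST) both prove a host is there; only silence does not."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, host/network unreachable, ICMP admin-prohibited ...
        return "no-answer"


def host_is_up(host, ports=(80, 443), timeout=1.0):
    """Mirror nmap's non-root default: up if any port connects or resets."""
    results = {port: probe_port(host, port, timeout) for port in ports}
    return any(r in ("connected", "refused") for r in results.values()), results


def sweep(hosts, ports=(80, 443), timeout=1.0, workers=64):
    """Parallel sweep; returns {host: True/False}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(hosts, pool.map(lambda h: host_is_up(h, ports, timeout)[0], hosts)))


def demo_loopback():
    """Constructed check: one listening port and one port known to be closed, both on 127.0.0.1."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more: connect() gets a RST

    try:
        up, results = host_is_up("127.0.0.1", ports=(open_port, closed_port))
    finally:
        listener.close()
    return up, results[open_port], results[closed_port]


if __name__ == "__main__":
    print(demo_loopback())
    # Assumed target range; every probe completes a full handshake, so this is as loud as a connect() scan.
    print(sweep(["192.0.2.%d" % i for i in range(1, 6)], timeout=0.5))
```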

Diagrams


Physical Diagrams

- Medium; i.e. Wired/Wireless

- Topology (star most common)

- Depict port/interface connections

Logical Diagrams

- IP Addressing/Networks

- Protocol/Language

Navigating Network Devices





Security Concern and Implications


A few items to consider

  • Enable password vs. Enable secret
  • Finger Service (Network devices and hosts)
  • Proprietary Protocols (CDP/FDP/DTP/VTP)
  • IP Gratuitous ARP (Network devices and hosts)
  • IP ICMP Redirect (Network devices and hosts)
  • IP Source Route
  • Remote Access (Telnet)
  • Logging


You Found a Router Configuration!
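
Added example for the activity (written for this page; the config is constructed, not from a real device): an auditor that pulls the items from the list above out of an IOS-style running-config, recovers type 0 and type 7 passwords (Cisco's type 7 is a fixed XOR key stream, the XLAT bytes every recovery tool carries), and flags finger, CDP, source routing, gratuitous ARP, ICMP redirects, Telnet on the vty lines and missing logging. The severity levels and message wording are assumptions; the type 7 string in the sample decodes to "cisco".

```python
import re

# Cisco's fixed type 7 key stream; type 7 is obfuscation, not encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """First two characters are a decimal offset into XLAT; the rest is hex, each byte XOR'd with the key."""
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(body)).decode()


def encode_type7(plain, seed=7):
    return "%02d" % seed + bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain)).hex().upper()


def _reveal(ptype, value):
    return decode_type7(value) if ptype == "7" else value   # type 0 is already plaintext


def audit_config(text):
    """Walk an IOS-style config and report the weak settings as (severity, message) tuples."""
    lines = text.splitlines()
    top = [l.strip() for l in lines if l and not l.startswith((" ", "!"))]
    findings = []

    # Credentials: 'enable password' and 'username ... password' (types 0 and 7) are recoverable from the file.
    for l in top:
        m = re.match(r"enable password (?:(\d) )?(\S+)$", l)
        if m:
            findings.append(("HIGH", "enable password type %s recovered: %r (use 'enable secret')"
                             % (m.group(1) or "0", _reveal(m.group(1) or "0", m.group(2)))))
        m = re.match(r"username (\S+) .*?password (?:(\d) )?(\S+)$", l)
        if m:
            findings.append(("HIGH", "username %s: type %s password recovered: %r (use 'username ... secret')"
                             % (m.group(1), m.group(2) or "0", _reveal(m.group(2) or "0", m.group(3)))))
    if not any(l.startswith("enable secret") for l in top):
        findings.append(("HIGH", "no 'enable secret' configured"))

    # Global services that leak information or allow traffic steering; most default to on, so look for the 'no' form.
    if any(l in ("ip finger", "service finger") for l in top):
        findings.append(("MED", "finger service enabled"))
    if "no cdp run" not in top:
        findings.append(("MED", "CDP enabled globally (advertises platform, IOS version and addresses)"))
    if "no ip source-route" not in top:
        findings.append(("MED", "IP source routing accepted"))
    if "no ip gratuitous-arps" not in top:
        findings.append(("LOW", "gratuitous ARP enabled"))
    if not any(l.startswith("logging ") for l in top):
        findings.append(("LOW", "no logging destination configured"))

    # Interface and line sections: indented lines belong to the last unindented header.
    section, sections = None, {}
    for l in lines:
        if l.startswith(("interface ", "line ")):
            section = l.strip()
            sections[section] = []
        elif l.startswith(" ") and section:
            sections[section].append(l.strip())
        else:
            section = None
    for name, body in sections.items():
        if name.startswith("interface") and any(b.startswith("ip address") for b in body):
            if "no ip redirects" not in body:
                findings.append(("MED", "%s: ICMP redirects enabled" % name))
        if name.startswith("line"):
            for b in body:
                if re.match(r"transport input (telnet|all)\b", b):
                    findings.append(("HIGH", "%s: %s (cleartext management; use 'transport input ssh')" % (name, b)))
                m = re.match(r"password (?:(\d) )?(\S+)$", b)
                if m:
                    findings.append(("HIGH", "%s: line password recovered: %r" % (name, _reveal(m.group(1) or "0", m.group(2)))))
    return findings


# Constructed sample config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
enable password 7 070C285F4D06
username netops privilege 15 password 0 Summer2020
!
ip finger
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
!
line vty 0 4
 password 7 070C285F4D06
 transport input telnet
!
end
"""

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(severity, message)
```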

Mapping a Network Activity

P0f for Fingerprinting

p0f is a passive fingerprinter: it never sends a packet, it watches the TCP/IP headers of traffic it sees (mainly SYN and SYN+ACK) and matches them against packaged and custom signatures built from:

1: IP version

2: Initial TTL (estimated from the observed TTL and the common initial values 64/128/255)

3: IP options length

4: MSS

5: Window size (an absolute value or a multiple of the MSS)

6: Window scale

7: TCP options (in the order they appear)

8: Quirks (e.g. DF flag set, non-zero IP ID with DF, unusual flag bits)

9: Payload class (whether the SYN carries data)
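
Added example (written for this page, not p0f's code): extracting those nine elements from a raw SYN and matching them against a tiny signature table. The two sample SYNs and the two signatures are constructed approximations of typical Linux and Windows behaviour, not copies of p0f.fp; the element and quirk names follow p0f's naming (mss, sok, ts, nop, ws; df, id+, ...), and the addresses are documentation ranges.

```python
import socket
import struct


def parse_ipv4(pkt):
    """IPv4 fields p0f keys on; returns (fields, rest of packet)."""
    vihl, tos, _, ident, frag, ttl, _, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ver": vihl >> 4, "olen": ihl - 20, "ttl": ttl, "id": ident,
            "df": bool(frag & 0x4000), "ecn": tos & 0x03}, pkt[ihl:]


def parse_tcp(seg):
    """TCP header plus options, keeping option order (p0f's 'olayout')."""
    _, _, seq, _, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4
    f = {"seq": seq, "flags": off_flags & 0x1FF, "win": win,
         "mss": None, "wscale": None, "tsval": None, "layout": []}
    opts, i = seg[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of option list
            f["layout"].append("eol"); break
        if kind == 1:                                   # no-op padding
            f["layout"].append("nop"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            f["layout"].append("bad"); break            # malformed length is itself a quirk
        ln, data = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and ln == 4:
            f["mss"] = struct.unpack("!H", data)[0]; f["layout"].append("mss")
        elif kind == 3 and ln == 3:
            f["wscale"] = data[0]; f["layout"].append("ws")
        elif kind == 4:
            f["layout"].append("sok")
        elif kind == 5:
            f["layout"].append("sack")
        elif kind == 8 and ln == 10:
            f["tsval"] = struct.unpack("!I", data[:4])[0]; f["layout"].append("ts")
        else:
            f["layout"].append("?%d" % kind)
        i += ln
    return f, seg[doff:]


def fingerprint(pkt):
    """Derive the nine signature elements from one SYN."""
    ip, seg = parse_ipv4(pkt)
    tcp, payload = parse_tcp(seg)
    ittl = next(t for t in (32, 64, 128, 255) if t >= ip["ttl"])   # nearest common initial TTL
    quirks = []
    if ip["df"]:
        quirks.append("df")
        if ip["id"]:
            quirks.append("id+")        # DF set, yet the IP ID is still being incremented
    elif ip["id"] == 0:
        quirks.append("id-")            # DF clear, yet the IP ID is zero
    if ip["ecn"] or tcp["flags"] & 0x1C0:
        quirks.append("ecn")            # ECN bits set on a SYN
    if tcp["seq"] == 0:
        quirks.append("seq-")
    if tcp["flags"] & 0x08:
        quirks.append("pushf+")
    if "ts" in tcp["layout"] and tcp["tsval"] == 0:
        quirks.append("ts1-")
    wsize = ("mss*%d" % (tcp["win"] // tcp["mss"]) if tcp["mss"] and tcp["win"] % tcp["mss"] == 0
             else str(tcp["win"]))
    return {"ver": ip["ver"], "ittl": ittl, "dist": ittl - ip["ttl"], "olen": ip["olen"], "mss": tcp["mss"],
            "wsize": wsize, "scale": tcp["wscale"], "olayout": ",".join(tcp["layout"]),
            "quirks": ",".join(quirks), "pclass": int(bool(payload))}


# Constructed p0f.fp-style signatures for illustration only (not copied from p0f's database).
SIGNATURES = {
    "Linux 3.x-5.x (constructed)": {"ittl": 64, "olen": 0, "wsize": "mss*20", "scale": 7,
                                    "olayout": "mss,sok,ts,nop,ws", "quirks": "df,id+", "pclass": 0},
    "Windows 7-10 (constructed)": {"ittl": 128, "olen": 0, "wsize": "8192", "scale": 8,
                                   "olayout": "mss,nop,ws,nop,nop,sok", "quirks": "df,id+", "pclass": 0},
}


def match(fp):
    return [name for name, sig in SIGNATURES.items() if all(fp[k] == v for k, v in sig.items())]


def build_syn(ttl, ident, df, window, options):
    """Constructed SYN (IPv4 + TCP) used as sample input; options must be 32-bit aligned."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x1234ABCD, 0, ((5 + len(options) // 4) << 12) | 0x02,
                      window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return ip + tcp


def linux_like_syn():    # mss, sok, ts, nop, ws=7; TTL 64 minus 7 hops; DF with incrementing IP ID
    opts = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + struct.pack("!II", 123456, 0) + b"\x01\x03\x03\x07"
    return build_syn(ttl=57, ident=0x2A3B, df=True, window=29200, options=opts)


def windows_like_syn():  # mss, nop, ws=8, nop, nop, sok; TTL 128 minus 7 hops; fixed 8192 window
    opts = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"
    return build_syn(ttl=121, ident=0x0C2F, df=True, window=8192, options=opts)
```

The "dist" value (initial TTL minus observed TTL) is the hop count p0f reports alongside the OS guess; on real traffic feed fingerprint() the IP payload of each captured SYN, e.g. from a pcap, and remember that NAT and TCP normalizers rewrite several of these fields.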