Host Scanning
Introduction
Having established the topology of the target network, the focus is now
on the systems and their services. We shall first enumerate the hosts to
gain a view of the possible avenues of attack and then deploy our
specialized vulnerability scanners to identify known or potential
problems.
Social engineering
Social engineering is still a significant threat to a company’s security, as
manipulating staff to gain initial access is a common avenue of attack.
IT security has, in general, reached a maturity where most perimeter
access points are secured; username and password combinations,
however, can often be obtained from personnel, giving the attacker a
foothold from which privileges may later be escalated.
Enumeration
We will now map the hosts themselves, identifying information about
the systems and services involved.
Host and OS Identification
Various tools exist to aid in remotely identifying the target operating
systems. Queso, nmap and ISS Internet Scanner all contain
identification features, checking for variances in the vendor IP stacks.
OS identification will be discussed in more detail in the Masterclass
towards the end of this module.
Port Scanning
Once the target network has been mapped and the hosts identified, we
must progress to establishing what services the host is providing to the
Internet, and therefore an attacker.
Generic tools are useful for cursory examinations of TCP and UDP
services running on probed systems. Examples include:
• fping.
• hping.
• tcpprobe.
• WS_PingPro Pack.
They are not designed to be stealthy and have limited options for
focussing the scans on particular ranges such as the Microsoft NetBIOS
or Firewall-1 remote management protocols.
Products such as nmap can be targeted to give comprehensive scan
coverage of port ranges. Scans based on a targeted services file will
reveal known services (and Trojans, if they are included in the file), but
comprehensive scans of both the 1-1024 and 1025-65535 port ranges
should be made for both the UDP and TCP protocols to detect rogue or
unregistered services.
Port scanning is discussed in more detail in the Masterclass at the end
of this module.
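As an added example, not part of the original module text, the following script shows the services-file comparison described above in defensive use: it parses a small, constructed excerpt of a services file, performs a plain TCP connect scan of a port range on the local host, and reports every open port as either a known service or UNREGISTERED. The services excerpt, the port range and the demo listener are constructed for the example; on a real system the full /etc/services file and the ranges 1-1024 and 1025-65535 would be used instead.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed excerpt of a services file (not the page's own data).
SERVICES_TEXT = """\
# service-name   port/protocol   [aliases]
ssh              22/tcp
smtp             25/tcp
http             80/tcp   www
netbios-ssn      139/tcp
https            443/tcp
"""


def parse_services(text):
    """Parse services-file lines into {(port, proto): name}, ignoring comments."""
    known = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name, port_proto = fields[0], fields[1]
        port, proto = port_proto.split("/")
        known[(int(port), proto)] = name
    return known


def tcp_port_open(host, port, timeout=0.5):
    """Full TCP connect probe: open only if the three-way handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_tcp(host, ports, workers=32):
    """Probe each port concurrently and return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_port_open(host, p)), ports))
    return sorted(port for port, is_open in results if is_open)


def classify(open_ports, known):
    """Label each open TCP port with its services-file name or UNREGISTERED."""
    return {port: known.get((port, "tcp"), "UNREGISTERED") for port in open_ports}


def audit_localhost():
    """Start a throw-away listener on an ephemeral port (constructed for the
    demo) and audit the surrounding range; returns (listener_port, report)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        known = parse_services(SERVICES_TEXT)
        ports = range(max(1, port - 5), min(65535, port + 5) + 1)
        report = classify(scan_tcp("127.0.0.1", ports), known)
        return port, report
    finally:
        listener.close()


if __name__ == "__main__":
    listener_port, report = audit_localhost()
    for port, label in report.items():
        print(f"127.0.0.1:{port}/tcp  {label}")
```

The demo listener is deliberately absent from the services excerpt, so it shows up as UNREGISTERED, which is exactly the condition the text says the comprehensive scan exists to catch; an UNREGISTERED entry on a production host is the trigger for a closer look at what process owns the socket.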