Hacking/Reconnaissance

Network reconnaissance methods can be passive or active.

Passive methods:, , , , , ,.

Active methods:, , ning, ing. Crackers strive to minimize

Sniffing
A 'wireless' can find es, which is helpful for network mapping.

Access points usually connect the nodes of a wireless network to a wired network as a bridge or a router. Both a bridge and a router use a routing table to forward packets.

Finding relevant and reachable IP addresses is the objective of the reconnaissance phase of attacking an organization over the Internet. The relevant IP addresses are determined by collecting as many host names as possible and translating them to IP addresses and IP address ranges. This is called footprinting.

A is the key for finding as much information as possible about a target. In many cases, organizations do not want to protect all their resources from internet access. For instance, a must be accessible. Many organizations additionally have, servers, and other systems that must be accessible over the internet. The IP addresses of an organization are often grouped together. If one IP address has been found, the rest probably can be found around it.

DNS servers store tables that show how domain names must be translated to IP addresses and vice versa. With Windows, the command nslookup can be used to query DNS servers. When the word help is entered at NSLookup's prompt, a list of all commands is given. With Linux, the command dig can be used to query DNS servers; it displays a list of options when invoked with only the -h option. The command host resolves IP addresses back to hostnames. Nmap can be used as a reverse DNS walker: nmap -sL 1.1.1.1-30 lists the reverse entries for the given range (-sL performs a list scan, which only resolves names and sends no probes to the targets).

ARIN, RIPE, APNIC, LACNIC, and AFRINIC are the five Regional Internet Registries (RIRs) that are responsible for the assignment and registration of IP addresses. Each has a website through which its database can be searched for the owner of an IP address. Some of the Registries respond to a search for the name of an organization with a list of all IP address ranges assigned to that name. However, the records of the Registries are not always correct and are in most cases useless.

Probably most computers with access to the internet receive their IP address dynamically by DHCP. This protocol has become more popular over the years because of the decreasing number of available IP addresses and the increasing number of large networks that are dynamic. DHCP is particularly important when many employees take a portable computer from one office to another. The home router that people use to connect to the internet probably also functions as a DHCP server.

Nowadays many router/DHCP devices perform network address translation (NAT). The NAT device sits between the local network and the internet. Seen from the internet, the NAT device appears to be a single host. With NAT, the local network can use any IP address space. Some IP address ranges are reserved for private networks. These ranges are typically used for the local area network behind a NAT device, and they are: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255.
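The point of the private ranges for footprinting is that an address in one of them says something about an internal network behind a NAT device, not about a host reachable from the Internet. The following is an added example, not code from the original page: it sorts a constructed list of addresses gathered during footprinting into the three ranges above versus public space, and groups the public ones by /24 so that neighbouring addresses (which, as the text notes, usually belong to the same organization) appear together. The sample addresses are constructed from documentation and test ranges.

```python
import ipaddress
from collections import defaultdict

# The three private ranges from the text (RFC 1918), written as CIDR prefixes.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]


def is_private(addr):
    """True if addr lies in one of the three ranges above.  (ipaddress has its
    own is_private, but that also covers loopback, link-local and other special
    blocks, so the explicit list is used here to mirror the text.)"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def partition(addrs):
    """Split address strings into (public, private, invalid) lists, keeping order."""
    public, private, invalid = [], [], []
    for a in addrs:
        try:
            (private if is_private(a) else public).append(a)
        except ValueError:          # not a parseable IPv4/IPv6 address
            invalid.append(a)
    return public, private, invalid


def group_by_block(addrs, prefixlen=24):
    """Group addresses by their enclosing block (default /24), so that
    neighbouring addresses show up together."""
    blocks = defaultdict(list)
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        blocks[str(net)].append(a)
    return dict(blocks)


# Constructed sample: addresses as they might be collected from DNS records,
# documents and mail headers during footprinting (documentation/test ranges only).
SAMPLE = ["203.0.113.5", "10.1.2.3", "203.0.113.9", "172.20.0.5",
          "198.51.100.2", "172.32.0.1", "192.168.1.10", "not-an-ip"]

if __name__ == "__main__":
    public, private, invalid = partition(SAMPLE)
    print("public :", public)
    print("private:", private, "(internal hosts behind NAT, not Internet-reachable)")
    print("invalid:", invalid)
    for block, members in group_by_block(public).items():
        print(block, "->", members)
```

Note that 172.32.0.1 lands in the public list: the 172.16.0.0/12 block ends at 172.31.255.255, a boundary that is easy to get wrong when filtering by hand.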

The relevant IP addresses must then be narrowed down to those that are reachable. This is the purpose of scanning.

Host scanning
Once access to a wireless network has been gained, it is helpful to determine the network's topology, including the names of the computers connected to the network. Nmap can be used for this; it is available in Windows and Linux versions. However, Nmap does not provide the user with a network diagram. The network scanner Network View, which runs on Windows, does. The program asks for one IP address or an IP address range. When the program has finished scanning, it displays a map of the network using different pictures for routers and other kinds of devices, all with their names added.

The most direct method for finding hosts on a network is using the ping program. When using a modern flavour of Unix, commands can be combined to produce custom ping-sweeps. When using Windows, the command line can also be used to create a ping-sweep. Examples are given in the reference.

Ping-sweeps are also known as host scans. Nmap can be used for a host scan when the option -sP is added: nmap -n -sP 10.160.9.1-30 scans the first 30 addresses of the subnet 10.160.9, where the -n option prevents reverse DNS lookups. (In current Nmap releases -sP has been renamed -sn; the old spelling is still accepted.)

Ping packets used to determine reliably whether a computer was online at a specified IP address. Nowadays these echo request packets are sometimes blocked by a firewall. Although Nmap also probes TCP port 80 during a host scan, specifying more TCP ports to probe is recommended when pings are blocked. Consequently, nmap -sP -PS21,22,23,25,80,139,445,3389 10.160.9.1-30 can achieve better results. Combining various options, as in nmap -sP -PS21,22,23,25,80,135,139,445,1025,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM 10.160.9.1-30, gives the most thorough host discovery (-PS and -PU send TCP SYN and UDP probes to the listed ports, and -PE, -PP and -PM send ICMP echo, timestamp and netmask requests).

Nmap is available for Windows and most Unix operating systems, and offers graphical and command-line interfaces.

Port scanning
The purpose of port scanning is finding the open ports on the computers that were found with a host scan. When a port scan is started on a network without making use of the results of a host scan, much time is wasted when many IP addresses in the address range are vacant.

Open ports
Most programs that communicate over the Internet use either the TCP or the UDP protocol. Both protocols support 65536 so-called ports that programs can choose to bind to. This allows several programs to run concurrently on one IP address. Most programs have default ports that are most often used. For example, HTTP servers commonly use TCP port 80.

Network scanners try to connect to TCP or UDP ports. When a port accepts a connection, it can be assumed that the program commonly bound to that port is running.

TCP connections begin with a SYN packet being sent from client to server. The server responds with a SYN/ACK packet. Finally, the client sends an ACK packet. When the scanner sends a SYN packet and gets a SYN/ACK packet back, the port is considered open. When an RST packet is received instead, the port is considered closed. When no response is received, the port is considered filtered by a firewall, or there is no running host at the IP address.

Scanning UDP ports is more difficult because UDP does not use handshakes and programs tend to discard UDP packets that they cannot process. When a UDP packet is sent to a port that has no program bound to it, an ICMP port-unreachable error is returned. That port can then be considered closed. When no answer is received, the port can be considered either filtered by a firewall or open. Many people abandoned UDP scanning because simple UDP scanners cannot distinguish between filtered and open ports.

Common ports
Although it is most thorough to scan all 65536 ports, this would take much more time than scanning only the most common ports. Therefore, Nmap scans 1667 TCP ports by default (in 2007); current releases scan the 1000 most common ports of each protocol by default.

Specifying ports
The -p option instructs Nmap to scan specified ports, as in nmap -p 21-25,80,100-160 10.150.9.46. Specifying TCP and UDP ports is also possible, as in nmap -pT:21-25,80,U:5000-5500 10.150.9.46.

Specifying targets
Nmap always requires the specification of a host or hosts to scan. A single host can be specified with an IP address or a domain name. Multiple hosts can be specified with IP address ranges. Examples are 1.1.1.1, www.company.com, and 10.1.50.1-5,250-254.

Specifying scan type
TCP SYN scan: Nmap performs a TCP SYN scan by default. In this scan, the packets have only their SYN flag set, and the handshake is never completed. The -sS option specifies the default explicitly. This default applies when Nmap is started with administrator (root) privileges, which are needed to send raw packets. When Nmap is started with ordinary user privileges, a connect scan is performed instead.

TCP connect scan: The -sT option instructs Nmap to establish a full connection through the operating system's connect() call. This scan is inferior to the previous one because an additional packet must be sent and logging by the target is more likely, since the application on an open port sees a completed connection. The connect scan is performed when Nmap is executed with user privileges or when IPv6 addresses are scanned.

TCP null scan: The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, an RST packet is sent in return. When the TCP port is open or filtered, there is no response. The null scan can often bypass a stateless firewall, but is not useful when a stateful firewall is employed.

UDP empty packet scan: The -sU option instructs Nmap to send UDP packets with no data. When an ICMP error is returned, the port can be assumed closed. When no response is received, the port can be assumed open or filtered. The lack of differentiation between open and filtered ports is a severe limitation.

UDP application data scan: The -sU -sV options together instruct Nmap to send application-specific payloads in order to identify the application behind a UDP port; a port whose service answers is then known to be open. This combination of options can lead to very slow scanning.

Other options
Specifying scan speed: When packets are sent to a network faster than it can cope with, they are dropped. This leads to inaccurate scanning results. When an intrusion detection system or intrusion prevention system is present on the target network, detection becomes more likely as speed increases. Many devices and firewalls respond to a storm of SYN packets by enabling a SYN-flood defence that makes every port appear to be open. Full-speed scans can even wreak havoc on some targets.

Nmap provides timing templates, -T0 through -T5, for adjusting speed, and also adapts itself. The -T0 option makes it wait 5 minutes before the next packet is sent, -T1 makes it wait 15 seconds, -T2 inserts 0.4 seconds, -T3 is the default (which leaves timing settings unchanged), -T4 reduces time-outs and retransmissions to speed things up slightly, and -T5 reduces them even more to speed things up significantly. Modern IDS/IPS devices can detect scans that use the -T1 option. The user can also define a custom set of timing settings and use it instead of a provided template.
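The reason an IDS can spot a SYN scan follows directly from the handshake described under "Open ports": a half-open scanner sends a SYN to many ports in a short time and never completes the connection with an ACK (when a SYN/ACK comes back, the scanner's operating system answers with an RST, because it has no socket for it). The following is an added example, not code from the original page or from Nmap: a small detector that applies exactly that rule to constructed packet-log lines. The log format, the addresses and the thresholds (at least five distinct ports probed, at most 20 percent of them completed) are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<timestamp> <src>:<sport> -> <dst>:<dport> <flags>"
# Flags: S = SYN, SA = SYN/ACK, A = ACK, R = RST.  10.160.9.50 is a normal client
# fetching a web page; 198.51.100.7 probes eight ports without ever sending an ACK.
SAMPLE_LOG = """\
2007-05-01T10:00:00 10.160.9.50:51000 -> 10.160.9.5:80 S
2007-05-01T10:00:00 10.160.9.5:80 -> 10.160.9.50:51000 SA
2007-05-01T10:00:00 10.160.9.50:51000 -> 10.160.9.5:80 A
2007-05-01T10:00:01 198.51.100.7:40001 -> 10.160.9.5:21 S
2007-05-01T10:00:01 10.160.9.5:21 -> 198.51.100.7:40001 R
2007-05-01T10:00:01 198.51.100.7:40002 -> 10.160.9.5:22 S
2007-05-01T10:00:01 10.160.9.5:22 -> 198.51.100.7:40002 SA
2007-05-01T10:00:01 198.51.100.7:40002 -> 10.160.9.5:22 R
2007-05-01T10:00:01 198.51.100.7:40003 -> 10.160.9.5:23 S
2007-05-01T10:00:02 198.51.100.7:40004 -> 10.160.9.5:25 S
2007-05-01T10:00:02 198.51.100.7:40005 -> 10.160.9.5:80 S
2007-05-01T10:00:02 10.160.9.5:80 -> 198.51.100.7:40005 SA
2007-05-01T10:00:02 198.51.100.7:40005 -> 10.160.9.5:80 R
2007-05-01T10:00:02 198.51.100.7:40006 -> 10.160.9.5:139 S
2007-05-01T10:00:02 198.51.100.7:40007 -> 10.160.9.5:445 S
2007-05-01T10:00:03 198.51.100.7:40008 -> 10.160.9.5:3389 S
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), sip, int(sport), dip, int(dport), flags


def detect_syn_scans(log_text, min_ports=5, max_completion=0.2):
    """Return {src_ip: report} for sources that look like half-open scanners:
    many distinct (host, port) targets hit with a SYN, very few ever ACKed."""
    syn_targets = defaultdict(set)   # src -> {(dst, dport)} that received a SYN
    completed = defaultdict(set)     # src -> {(dst, dport)} the client later ACKed
    first_seen, last_seen = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sip, _sport, dip, dport, flags = parse_line(line)
        if flags == "S":
            syn_targets[sip].add((dip, dport))
            first_seen.setdefault(sip, ts)
            last_seen[sip] = ts
        elif flags == "A" and (dip, dport) in syn_targets.get(sip, ()):
            completed[sip].add((dip, dport))

    reports = {}
    for sip, targets in syn_targets.items():
        probed = len(targets)
        done = len(completed[sip])
        if probed >= min_ports and done / probed <= max_completion:
            seconds = (last_seen[sip] - first_seen[sip]).total_seconds()
            reports[sip] = {
                "ports_probed": probed,
                "completed": done,
                "seconds": seconds,
                # probes per second: a rough indicator of the timing template used
                "rate_per_s": probed / seconds if seconds > 0 else float("inf"),
            }
    return reports


if __name__ == "__main__":
    for src, report in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {report}")
```

The rate field is why the timing templates matter to both sides: a -T1 scan spreads the same eight probes over minutes, so a detector that only looks at a short window, as this one effectively does, will miss it unless it also keeps state per source across windows.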

Application identification: The -sV option instructs Nmap to also determine the name and version of the application listening on each open port.

Operating system identification: The -O option instructs Nmap to try to determine the operating systems of the targets. Specially crafted packets are sent to open and closed ports and the responses are compared with a fingerprint database.

Saving output: The -oX option instructs Nmap to save the output to a file in XML format.
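The XML output is what makes a scan useful beyond a one-off look: it can be parsed and compared against the list of services each host is supposed to expose. The following is an added example, not code from the original page or from the Nmap project: it parses a constructed -oX document with the standard library and reports open (or possibly open) ports that are missing from an assumed per-host baseline. The element and attribute names follow Nmap's XML output format; the hosts, ports and baseline are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed -oX output for three hosts (addresses from the text's 10.160.9 range).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.160.9.1-30">
<host><status state="up" reason="syn-ack"/>
<address addr="10.160.9.5" addrtype="ipv4"/>
<hostnames><hostname name="web1.example.internal" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.160.9.12" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="10.160.9.20" addrtype="ipv4"/>
</host>
</nmaprun>
"""

# Constructed baseline: the (protocol, port) pairs each host is approved to expose.
BASELINE = {
    "10.160.9.5": {("tcp", 22), ("tcp", 80)},
    "10.160.9.12": {("tcp", 445)},
}


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname", "up", "ports": [(proto, port, state, service)]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        status = host.find("status")
        name = host.find("hostnames/hostname")
        entry = {
            "hostname": name.get("name") if name is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            entry["ports"].append((
                port.get("protocol"),
                int(port.get("portid")),
                state.get("state") if state is not None else "unknown",
                service.get("name") if service is not None else "",
            ))
        hosts[addr.get("addr")] = entry
    return hosts


def unexpected_exposure(hosts, baseline):
    """List (ip, proto, port, state, service) for ports reported open or
    open|filtered that are not on the host's approved list.  The UDP
    open|filtered state is included deliberately: as the text explains,
    a simple UDP probe cannot tell it apart from open, so it needs a look."""
    findings = []
    for ip, info in hosts.items():
        if not info["up"]:
            continue
        allowed = baseline.get(ip, set())
        for proto, port, state, service in info["ports"]:
            if state.startswith("open") and (proto, port) not in allowed:
                findings.append((ip, proto, port, state, service))
    return sorted(findings)


if __name__ == "__main__":
    for finding in unexpected_exposure(parse_nmap_xml(SAMPLE_XML), BASELINE):
        print("not in baseline:", finding)
```

A host absent from the baseline gets an empty approved set, so every open port on it is reported; that is the safer default for an inventory check.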

See also
 * Nmap

Vulnerability scanning
Vulnerability scanning determines whether known vulnerabilities are present on a target. A vulnerability is a bug in an application program that affects security. Vulnerabilities are made public in places such as the Full-Disclosure mailing list. The Computer Emergency Response Team (CERT) brings out a statistical report every year.

Resources:

 * http://www.PacketStormSecurity.org/
 * http://www.exploit-db.com/

Tools

 * https://www.offensive-security.com/metasploit-unleashed/information-gathering/
 * https://docs.rapid7.com/metasploit/discovery-scan
 * https://www.bettercap.org/modules/ethernet/net.recon/
 * https://www.bettercap.org/modules/ethernet/net.sniff/
 * https://www.bettercap.org/modules/ethernet/net.probe/