Summary
Reconnaissance can be split into two categories: passive, which can be likened to a burglar glancing at houses as he walks along the road, and active, where he walks right up and peers in your windows.
Passive reconnaissance can be time intensive and yield varying degrees of success. The most obvious starting point is the website of your target. Two popular tools are available to help grab the whole site for offline browsing:
- Wget (command-line tool)
- Teleport Pro (graphical tool)
Analyzing site content can reveal information such as the following:
- Hardware, operating system, and application information from commented code
- Contact information for use in social engineering attacks
You can also glean potentially useful information from public sources, including these:
- EDGAR filings
- USENET newsgroups
- User group meetings
- Business partners
Active reconnaissance can be far more revealing, but the downside is that it is a riskier process and is more easily detected.
The first step in active reconnaissance is to identify hosts within the target network. You can use the following tools to accomplish this:
- NSLookup
- Whois
- SamSpade
- Visual Route
Simply performing an NSLookup to resolve an IP address is passive, but the moment you begin a zone transfer using some of these tools, you have crossed into active reconnaissance.
After the hosts have been identified, you can use port scanning to identify potential vulnerabilities. A range of different port scan techniques is available:
- TCP Connect() scan
- SYN scan
- FIN scan
- Xmas-Tree scan
- NULL scan
- Dumb scan
In addition, this chapter examined NMap, a popular and powerful tool that carries out port scanning.
This chapter looked at fingerprinting—the process of examining the characteristics of the host to identify its underlying operating system. Although this chapter discussed NMap, other fingerprinting tools are available:
- Xprobe2
- Ettercap
- p0f v2
- Queso
- SS
- CheckOS
All these steps constitute the footprinting of a target network. After the footprint is complete, you should be able to create a network map containing information such as the following:
- Host names
- IP addresses
- Listening port numbers
- Operating systems
Reconnaissance against a target network, such as that described in this chapter, can be detected using an IDS, which can take various forms:
- Anomaly detection
- Misuse detection
- Host-based detection
- Network-based detection
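The following is an added example (not from the chapter) tying the scan techniques listed above to misuse detection: it classifies probes by the TCP flag combinations that SYN, FIN, Xmas-Tree and NULL scans use, and raises an alert only when one source reaches many distinct ports within a short window, since a lone SYN also opens an ordinary connection. Packet records, addresses, thresholds and the window length are all constructed for illustration.

```python
# Added example (not from the chapter): a minimal misuse-detection pass over
# constructed packet records, keyed on the flag combinations the scan types use.
from collections import defaultdict

# Constructed records: (timestamp_s, src_ip, dst_ip, dst_port, flags); flags
# use tcpdump letters S=SYN, A=ACK, F=FIN, P=PSH, U=URG and "" for no flags.
SAMPLE_PACKETS = [
    (1.00, "10.0.0.5", "192.0.2.10", 21, "S"),   # SYN sweep of six ports
    (1.01, "10.0.0.5", "192.0.2.10", 22, "S"),
    (1.02, "10.0.0.5", "192.0.2.10", 23, "S"),
    (1.03, "10.0.0.5", "192.0.2.10", 25, "S"),
    (1.04, "10.0.0.5", "192.0.2.10", 80, "S"),
    (1.05, "10.0.0.5", "192.0.2.10", 110, "S"),
    (2.00, "10.0.0.7", "192.0.2.10", 80, "FPU"),  # two Xmas probes only
    (2.10, "10.0.0.7", "192.0.2.10", 443, "UPF"),
    (0.0, "10.0.0.11", "192.0.2.10", 1, ""),     # slow NULL scan: five ports
    (8.0, "10.0.0.11", "192.0.2.10", 2, ""),     # spread over 32 s, so no
    (16.0, "10.0.0.11", "192.0.2.10", 3, ""),    # 10 s window holds enough
    (24.0, "10.0.0.11", "192.0.2.10", 4, ""),
    (32.0, "10.0.0.11", "192.0.2.10", 5, ""),
]

SCAN_SIGNATURES = {
    frozenset("S"): "SYN scan",
    frozenset("F"): "FIN scan",
    frozenset("FPU"): "Xmas-Tree scan",
    frozenset(): "NULL scan",
}

def classify_probe(flags):
    """Return the scan type matching this flag set, or None for other traffic."""
    return SCAN_SIGNATURES.get(frozenset(flags))

def detect_scans(packets, port_threshold=5, window=10.0):
    """Sorted (src_ip, scan_type, distinct_ports) for sources that reach
    port_threshold distinct ports with one probe type inside `window` seconds."""
    probes = defaultdict(list)  # (src_ip, scan_type) -> [(timestamp, port)]
    for ts, src, _dst, port, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            probes[(src, kind)].append((ts, port))
    alerts = []
    for (src, kind), hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                alerts.append((src, kind, len(ports)))
                break
    return sorted(alerts)
```

Only the six-port SYN sweep trips the threshold; the two Xmas probes and the NULL probes spread over 32 seconds stay below it, which is exactly the trade-off between the threshold, the window and slow scans that a real IDS has to tune.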