Network Reconnaissance
Network Reconnaissance - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Network Reconnaissance' - kishi

Presentation Transcript

What is?

  • Military reconnaissance

    • a mission conducted to confirm or deny prior intelligence (if any) about enemy threat and or the terrain of a given area.

  • Network reconnaissance

    • process of acquiring information about a network


  • Hackers use reconnaissance as the first step in an effective attack

  • Seeing what is on the "other side of the hill" is crucial to decide what type of attack to launch

  • Generally, goals of reconnaissance on a target network are to discover:

    • IP addresses of hosts

    • Accessible UDP and TCP ports

    • OS type

Footprinting/Fingerprinting steps

  • Information Gathering

    • accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment

  • Locate the network

    • What addresses can be targeted and are available for additional scanning and analysis

  • Identify active machines

    • Which machines are actively connected to the network and reachable

  • Open ports and underlying applications

    • Which ports and applications are accessible

  • OS Fingerprinting

    • Identifying the targeted OSs as well as how the systems respond

  • Network mapping

    • Create blueprint of organization

Information Gathering

  • Get data regarding network environment such as

    • Organization web site, Location, contact person, Phone number

  • Common Tools

    • Registrar query : whois

    • Domain name and resource lookup

    • Search Tools

Locate the network range

What range of IP addresses is available for scanning and further enumeration?

Common Tools : whois

Tool: WHOIS Search

  • WhoIs – Query of Internet Registries

    • Ref:

      • AfriNIC – Africa

      • APNIC - Asia/Pacific

      • ARIN – North America

      • LACNIC - Central and South America

      • RIPE NCC – Europe, Middle East, Central Asia

      • InterNIC– ICANN Public Domain Name Registration Info

    • 3rd Party Whois Tools

      • Geektools

      • DomainTools

      • DNSStuff

Tool: Google

  • Google, Yahoo, etc.

    • Gather information about a targeted organization

    • Evaluate web sites for known security issues

    • Identify files that are accidentally exposed to the public

Tool: Google search

  • Helpful Google Queries

    • Related sites:


    • Search a specific site:

      • search_terms

    • Use Google to search group or blog postings

Tool: Google operators

Google Advanced Operators

AND: “+”

OR: “|”

Synonym: “~”


intitle:“jefferson wells”


Tool: nslookup

  • Queries Domain Name Server information

    • IP and Domain Name Mapping

    • Zone Transfer – Dumps entire table

    • Check mail server

Tool: nslookup (continued)

  • Zone Transfer – Dumps entire table

    $ nslookup

    > server A.B.C.D

    > ls <domain>

    • The ls subcommand exists in the Windows nslookup; the BIND nslookup on Unix does not implement it

Tool: nslookup (continued)

  • MX record

    $ nslookup

    > set type=MX

    > <domain>


Network Identifier Tools

  • Identifying active computers and services

  • Common Tools

    • ping, ping6

      • help verifying whether a host is active

    • traceroute, traceroute6

      • determine the route to a node

Tool: ping

  • ping [hostname|ip_address]

  • ping6 [hostname|ip_address]

  • ping -R [hostname|ip_address]

Tool: traceroute

  • tracert

    • Windows

  • traceroute

    • Unix

Tool: How Traceroute Works

  1. Launch a probe packet towards DST, with a TTL of 1

  2. Every router hop decrements the IP TTL of the packet by 1

  3. When the TTL hits 0, the packet is dropped and the router sends an ICMP TTL Exceeded packet to SRC with the original probe packet as payload

  4. SRC receives this ICMP message and displays a traceroute "hop"

  5. Repeat from step 1, with the TTL incremented by 1 each time, until:

  6. The DST host receives the probe and returns ICMP Destination Unreachable

Tool: Traceroute Report Hop

  • Traceroute packet with TTL of 1 enters router via the ingress interface.

  • Router decrements TTL to 0, drops packet, generates ICMP TTL Exceed

    • ICMP packet dst address is set to the original traceroute probe source (SRC)

    • ICMP packet src address is set to the IP of the ingress router interface

    • Traceroute shows a result based on the src address of the ICMP packet

    • The above traceroute will read:

    • You have NO visibility into the return path or the egress interface used

Tool: Traceroute Latency Calculation

  • How is traceroute latency calculated?

    • Timestamp when the probe packet is launched

    • Timestamp when the ICMP response is received

    • Calculate the difference to determine round-trip time

    • Routers along the path do not do any timing "processing"

      • They simply reflect the original packet’s data back to the SRC

      • Many implementations encode the original launch timestamp into the probe packet, to increase accuracy and reduce state

    • Most Importantly: only the ROUNDTRIP is measured

      • Traceroute is showing you the hops on the forward path

      • But showing you latency based on the forward PLUS reverse path. Any delays on the reverse path will affect your results!
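The probing loop, the ingress-address reporting and the round-trip-only latency described on the three traceroute slides above, as an added simulation that is not part of the original presentation. The routers, addresses and per-hop delays are constructed; the second router is given a slow reverse path so that its RTT looks worse than the hop after it.

```python
# Added example (not from the slides): a minimal model of traceroute's TTL probing.
# Routers, addresses and delays are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Node:
    ingress: str    # interface the probe arrives on; the only address SRC ever sees
    egress: str     # interface the probe leaves on; never visible to SRC
    fwd_ms: float   # one-way delay from the previous node to this one
    rev_ms: float   # one-way delay for this node's ICMP reply back to SRC

@dataclass
class Hop:
    addr: str
    rtt_ms: float
    kind: str       # "ttl-exceeded" (router) or "dest-unreachable" (DST)

def probe(path, ttl):
    """One probe with the given TTL; path[-1] is DST. Returns the reply SRC sees."""
    fwd = 0.0
    for i, node in enumerate(path):
        fwd += node.fwd_ms                       # forward path delay so far
        if i == len(path) - 1:                   # reached DST: it answers directly
            return Hop(node.ingress, fwd + node.rev_ms, "dest-unreachable")
        ttl -= 1                                 # each router hop decrements TTL by 1
        if ttl == 0:
            # TTL hit 0: router drops the probe and replies with ICMP TTL Exceeded
            # sourced from its ingress interface. Measured RTT = forward + reverse.
            return Hop(node.ingress, fwd + node.rev_ms, "ttl-exceeded")
    raise RuntimeError("empty path")             # only reachable with no DST

def traceroute(path, max_ttl=30):
    """Repeat from TTL=1, incrementing each time, until DST answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hop = probe(path, ttl)
        hops.append(hop)
        if hop.kind == "dest-unreachable":
            break
    return hops

# Constructed path: router 2 has a 40 ms reverse path the forward path never uses.
PATH = [
    Node("10.0.0.1", "10.0.1.1", 1.0, 1.0),
    Node("10.0.1.2", "10.0.2.1", 2.0, 40.0),
    Node("10.0.2.2", "10.0.3.1", 2.0, 2.0),
    Node("198.51.100.7", "198.51.100.7", 3.0, 3.0),   # DST
]
```

Calling traceroute(PATH) reports hop 2 at 43 ms and hop 3 at 7 ms, even though the forward path to hop 3 is longer; only ingress addresses appear, never the egress ones.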

Tool: Interpreting Traceroute DNS

  • Interpreting DNS is one of the most important aspects of correctly using traceroute

  • Information you can uncover includes:

    • Physical Router Locations

    • Interface Types and Capacities

    • Router Type and Roles

    • Network Boundaries and Relationships

Tool: Traceroute Reading Tips

  • Router’s name may include Exchange Point

    • MAE, NAP, PAIX

  • Router names may be the IATA 3-letter code of the nearest airport or CLLI code in their node name

  • Other abbreviation


  • Interface name

Tool: Common Location US Major Cities

Tool: Common Location Major Cities

Tool: Common Interface Naming

Tool: Router Type/Role

  • Knowing the role of a router can be useful

  • But every network is different, and uses different naming conventions

  • May not always follow naming rules

  • Generally speaking, you may need to guess from context to get a basic understanding of the roles

    • Core routers: CR, Core, GBR, BB

    • Peering routers: BR, Border, Edge, IGR, Peer

    • Customer routers: AR, Aggr, Cust, CAR, GW

Tool: DNS Interface type

  • Most networks will try to put interface info into DNS

  • Though this may not always be up to date

  • Many large networks use automatically generated DNS

  • These names can also encode capacity, and maybe even the make/model of the router

  • Examples:


      • XE-#/#/# is a Juniper 10GE port. The device has at least 12 slots

      • It is at least a 40G/slot router, since it has a 10GE PIC in slot 1

      • It must be a Juniper MX960; no other device fits this profile
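The reading tips, role abbreviations and interface-name reasoning from the slides above, as an added parser that is not part of the original presentation. The hostnames, the airport-code table and the Juniper prefix table are constructed samples (xe- as 10GE comes from the slide; ge- as 1GE is a standard Juniper prefix), and the slot inference reproduces the "at least N+1 slots" reasoning the DNS Interface type slide walks through.

```python
# Added example (not from the slides): pull location, role and interface hints out of
# router reverse-DNS names. Hostnames and the airport/role tables are constructed
# samples for illustration and are far from complete.
import re

# Small sample of IATA airport codes seen in router names (illustrative subset)
IATA = {"sjc": "San Jose", "lax": "Los Angeles", "ord": "Chicago",
        "iad": "Washington DC", "lhr": "London"}
# Role abbreviations from the "Router Type/Role" slide
ROLES = {
    "core": {"cr", "core", "gbr", "bb"},
    "peering": {"br", "border", "edge", "igr", "peer"},
    "customer": {"ar", "aggr", "cust", "car", "gw"},
}
# Juniper interface prefixes: xe- is a 10GE port (from the slide), ge- is 1GE.
# DNS labels cannot contain "/", so xe-11/1/0 usually appears as xe-11-1-0.
IFACE_TYPES = {"xe": "10GE", "ge": "1GE"}
IFACE_RE = re.compile(r"^(xe|ge)-(\d+)-(\d+)-(\d+)$")

def interpret(hostname):
    """Return interface, role and location hints found in a router hostname."""
    info = {"hostname": hostname, "interface": None, "role": None, "location": None}
    for label in hostname.lower().split("."):
        m = IFACE_RE.match(label)
        if m:
            kind, fpc, pic, port = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
            info["interface"] = {
                "type": IFACE_TYPES[kind], "slot": fpc, "pic": pic, "port": port,
                # slots are numbered from 0, so a port in slot N means at least N+1 slots
                "min_slots": fpc + 1,
            }
            continue
        base = re.sub(r"\d+$", "", label)          # cr1 -> cr, ar12 -> ar
        if info["role"] is None:
            for role, abbrevs in ROLES.items():
                if base in abbrevs:
                    info["role"] = role
                    break
        if info["location"] is None and label in IATA:
            info["location"] = IATA[label]
    return info

if __name__ == "__main__":
    for name in ("xe-11-1-0.cr1.sjc.example.net", "br1.ord.example.net"):
        print(interpret(name))
```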

Tool: Sample Traceroute

$ traceroute

$ traceroute

Identifying Active Machines

  • Attackers will want to know if machines are alive before they attempt to attack. One of the most basic methods of identifying active machines is to perform a sweep

  • Common Tools

    • ping, traceroute

    • Network scanning tools

      • nmap, superscan

Finding Open Ports

  • Open services

  • Common tools

    • Port scanning tools

      • nmap, superscan

OS Fingerprinting

  • Passive fingerprint

    • Sniffing technique

    • Examine packets for certain characteristics such as

      • The IP TTL value

      • The TCP Window Size

      • The IP DF Option

      • The IP Type of Service (TOS) Option

  • Active Fingerprint

    • Injects the packets into the network

    • Examines the subtle differences that exist between different vendor implementations of the TCP/IP stack

    • Common tools : nmap
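The comparison step of passive fingerprinting described above (matching the TTL, window size and DF characteristics of sniffed packets against known stack behaviour), as an added example that is not part of the original presentation. The signature table, its OS labels and the sample packets are constructed for illustration; the point is the normalisation of an observed TTL back to its likely initial value and the field-by-field scoring, which is also what lets a defender see how recognisable their own hosts are on the wire.

```python
# Added example (not from the slides): the comparison step of passive OS fingerprinting,
# applied to header fields a sniffer has already captured. The signature table and
# sample packets are constructed for illustration; real tools carry far larger tables.
from dataclasses import dataclass

INITIAL_TTLS = (64, 128, 255)   # initial TTL values common across TCP/IP stacks

@dataclass(frozen=True)
class Sig:
    initial_ttl: int   # TTL the stack sets when it sends the packet
    window: int        # TCP window size advertised in the SYN
    df: bool           # IP Don't Fragment flag set
    label: str

SIGS = [                                   # illustrative signatures only
    Sig(64, 29200, True, "Linux-like"),
    Sig(128, 64240, True, "Windows-like"),
    Sig(255, 65535, False, "BSD-like"),
]

def initial_ttl(observed):
    """Smallest common initial TTL >= observed TTL, plus the implied hop distance."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t, t - observed
    return None, None   # a TTL above 255 cannot occur in a valid IPv4 header

def fingerprint(ttl, window, df):
    """Score each signature on the fields the slide lists and return the best match."""
    init, hops = initial_ttl(ttl)
    best, best_score = None, -1
    for sig in SIGS:
        score = int(sig.initial_ttl == init) + int(sig.window == window) + int(sig.df == df)
        if score > best_score:       # first signature wins ties
            best, best_score = sig, score
    return {"guess": best.label, "score": best_score, "initial_ttl": init, "hops": hops}

# Constructed observations: (observed TTL, window, DF) as read from captured SYNs
SAMPLES = [(52, 29200, True), (117, 64240, True), (250, 8192, False)]

if __name__ == "__main__":
    for ttl, win, df in SAMPLES:
        r = fingerprint(ttl, win, df)
        print(f"ttl={ttl:3d} win={win:5d} df={df!s:5} -> {r['guess']} "
              f"(score {r['score']}/3, ~{r['hops']} hops away)")
```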

Mapping the Network

Once enough information has been gathered, a network map can be built

Network mapping provides the hacker with a blueprint of the organization.

Manual or automated methods may be used to compile this information