Network Reconnaissance - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Network Reconnaissance' - kishi

Presentation Transcript
What is?
  • Military reconnaissance
    • a mission conducted to confirm or deny prior intelligence (if any) about the enemy threat and/or the terrain of a given area.
  • Network reconnaissance
    • process of acquiring information about a network
  • Hackers use reconnaissance as the first step in an effective attack
  • Seeing what is on the "other side of the hill" is crucial to decide what type of attack to launch
  • Generally, goals of reconnaissance on a target network are to discover:
    • IP addresses of hosts
    • Accessible UDP and TCP ports
    • OS type
Footprinting/Fingerprinting steps
  • Information Gathering
    • accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment
  • Locate the network
    • What addresses can be targeted and are available for additional scanning and analysis
  • Identify active machines
    • Which machine is actively connected to the network and reachable
  • Open ports and underlying applications
    • Which ports and applications are accessible
  • OS Fingerprinting
    • Identifying the targeted OSs as well as their system responses
  • Network mapping
    • Create blueprint of organization
Information Gathering
  • Get data regarding network environment such as
    • organization web site, location, contact person, phone number
  • Common Tools
    • Registrar query: whois
    • Domain name and resource lookup
    • Search Tools
Locate the network range
  • What range of IP addresses is available for scanning and further enumeration?
  • Common Tools: whois
Tool: WHOIS Search
  • WhoIs – Query of Internet Registries
    • Ref:
      • AfriNIC – Africa
      • APNIC - Asia/Pacific
      • ARIN – North America
      • LACNIC - Central and South America
      • RIPE NCC – Europe, Middle East, Central Asia
      • InterNIC – ICANN Public Domain Name Registration Info
    • 3rd Party Whois Tools
      • Geektools -
      • DomainTools –
      • DNSStuff –
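As an added example for the two whois slides above (it is not code from the deck), the following Python turns a registry reply into address blocks so that an address can be checked against the range that the record covers. The reply text is constructed in an ARIN-like key/value layout using RFC 5737 documentation addresses; the field names NetRange and CIDR and the comma-separated CIDR convention are assumptions of the example.

```python
"""Added example (not from the slides): turn a whois reply into address
blocks and check whether an address falls inside them."""
import ipaddress
import re

# Constructed reply in an ARIN-like key/value layout; the values are
# RFC 5737 documentation addresses and a documentation ASN, not a real record.
SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Organization
OriginAS:       AS64496
"""

# Same constructed layout without a CIDR field, to exercise the NetRange fallback.
SAMPLE_WHOIS_NO_CIDR = """\
NetRange:       192.0.2.0 - 192.0.2.127
NetName:        EXAMPLE-NET-2
"""


def parse_whois(text):
    """Collect 'Key: value' lines into a dict (a repeated key keeps the last value)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def networks_from_whois(text):
    """Return the CIDR blocks the record covers.  The CIDR field may list
    several blocks separated by commas (assumed); without it, derive the
    minimal set of blocks from the NetRange bounds."""
    f = parse_whois(text)
    if "CIDR" in f:
        return [ipaddress.ip_network(c.strip()) for c in f["CIDR"].split(",")]
    lo, hi = (ipaddress.ip_address(x.strip()) for x in f["NetRange"].split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))


def in_scope(ip, text):
    """True when ip lies inside any block the whois record describes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks_from_whois(text))


if __name__ == "__main__":
    for record in (SAMPLE_WHOIS, SAMPLE_WHOIS_NO_CIDR):
        print(parse_whois(record).get("NetName"), [str(n) for n in networks_from_whois(record)])
    print(in_scope("198.51.100.42", SAMPLE_WHOIS), in_scope("203.0.113.1", SAMPLE_WHOIS))
```

The NetRange fallback matters in practice: a registry record that spans, say, 128 addresses starting on a /25 boundary summarises to one block, while an arbitrary start/end pair may summarise to several, and `summarize_address_range` handles both.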
Tool: Google
  • Google, Yahoo, etc.
    • Gather information about a targeted organization
    • Evaluate web sites for known security issues
    • Identify files that are accidentally exposed to the public
Tool: Google search
  • Helpful Google Queries
    • Related sites:
    • Search a specific site:
      • search_terms
    • Use Google to search group or blog postings
Tool: Google operators
  • Google Advanced Operators
    • AND: “+”
    • OR: “|”
    • Synonym: “~”
    • Example: intitle:“jefferson wells”
Tool: nslookup
  • Queries Domain Name Server information
    • IP and Domain Name Mapping
    • Zone Transfer – Dumps entire table
    • Check mail server
Tool: nslookup (zone transfer)
  • Zone Transfer – Dumps entire table

$ nslookup
> server A.B.C.D
> ls <domain>
Tool: nslookup (MX record)
  • MX record

$ nslookup
> set type=MX
> <domain>
Network Identifier Tools
  • Identifying active computers and services
  • Common Tools
    • ping, ping6
      • help verifying whether a host is active
    • traceroute, traceroute6
      • determine the route to a node
Tool: ping
  • ping [hostname|ip_address]
  • ping6 [hostname|ip_address]
  • ping -R [hostname|ip_address]
Tool: traceroute
  • tracert
    • Windows
  • traceroute
    • Unix
Tool: How Traceroute works
  1. Launch a probe packet towards DST, with a TTL of 1
  2. Every router hop decrements the IP TTL of the packet by 1
  3. When the TTL hits 0, the packet is dropped and the router sends an ICMP TTL Exceeded packet to SRC with the original probe packet as payload
  4. SRC receives this ICMP message and displays a traceroute “hop”
  5. Repeat from step 1, with the TTL incremented by 1 each time, until..
  6. The DST host receives the probe and returns ICMP Destination Unreachable
Tool: Traceroute Report Hop
  • Traceroute packet with TTL of 1 enters router via the ingress interface.
  • Router decrements TTL to 0, drops packet, generates ICMP TTL Exceed
    • ICMP packet dst address is set to the original traceroute probe source (SRC)
    • ICMP packet src address is set to the IP of the ingress router interface
    • Traceroute shows a result based on the src address of the ICMP packet
    • The above traceroute will read:
    • You have NO visibility into the return path or the egress interface used
Tool: Traceroute Latency Calculation
  • How is traceroute latency calculated?
    • Timestamp when the probe packet is launched
    • Timestamp when the ICMP response is received
    • Calculate the difference to determine round-trip time
    • Routers along the path do not do any time “processing”
      • They simply reflect the original packet’s data back to the SRC
      • Many implementations encode the original launch timestamp into the probe packet, to increase accuracy and reduce state
    • Most Importantly: only the ROUNDTRIP is measured
      • Traceroute is showing you the hops on the forward path
      • But showing you latency based on the forward PLUS reverse path. Any delays on the reverse path will affect your results!
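To make the TTL mechanism (the "How Traceroute works" steps) and the round-trip caveat on this slide concrete, here is a small simulation in Python. It is an added illustration, not code from the deck. Router names, the RFC 5737 addresses and every link latency are constructed; the return path from the second router is made deliberately slow so the reported latency for hop 2 comes out larger than for hop 3, which is exactly the effect the slide warns about.

```python
"""Simulated traceroute: added illustration, not code from the slides.
All router names, addresses (RFC 5737 documentation ranges) and link
latencies below are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str        # constructed router / host name
    ingress_ip: str  # address of the interface the probe arrives on
    fwd_ms: float    # one-way latency from the previous hop to this one
    rev_ms: float    # one-way latency of this hop's ICMP reply back to SRC


# Constructed path SRC -> r1 -> r2 -> dst.  r2's return path is made
# deliberately slow to show that traceroute reports round-trip time.
PATH = [
    Hop("r1", "192.0.2.1", fwd_ms=1.0, rev_ms=1.0),
    Hop("r2", "192.0.2.9", fwd_ms=6.0, rev_ms=40.0),
    Hop("dst", "198.51.100.7", fwd_ms=10.0, rev_ms=10.0),
]


def send_probe(path, ttl):
    """Forward one probe with the given TTL. Returns (reply_src_ip, icmp, rtt_ms).
    Each router decrements the TTL before forwarding; when it reaches 0 the
    router drops the probe and answers ICMP Time Exceeded from its ingress
    interface.  The destination host delivers the probe (no forwarding, so
    no decrement) and answers ICMP Destination Unreachable."""
    elapsed = 0.0
    for i, hop in enumerate(path):
        elapsed += hop.fwd_ms
        if i == len(path) - 1:
            return hop.ingress_ip, "dest-unreachable", elapsed + hop.rev_ms
        ttl -= 1
        if ttl == 0:
            return hop.ingress_ip, "time-exceeded", elapsed + hop.rev_ms
    raise AssertionError("unreachable: the destination always replies")


def traceroute(path, max_ttl=30):
    """Probe with TTL 1, 2, 3, ... until the destination answers.
    Returns [(ttl, replying_ip, rtt_ms), ...] as traceroute would print them."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        ip, icmp, rtt = send_probe(path, ttl)
        hops.append((ttl, ip, round(rtt, 1)))
        if icmp == "dest-unreachable":
            break
    return hops


def forward_only_ms(path, n):
    """One-way forward latency to hop n, which real traceroute cannot observe."""
    return round(sum(h.fwd_ms for h in path[:n]), 1)


if __name__ == "__main__":
    for ttl, ip, rtt in traceroute(PATH):
        print(f"{ttl:2d}  {ip:15s}  {rtt:6.1f} ms  (forward-only {forward_only_ms(PATH, ttl):.1f} ms)")
```

Running it prints hop 2 at 47.0 ms and hop 3 at 27.0 ms even though the forward path to hop 2 is only 7.0 ms: the replying router's address is the ingress interface on the forward path, but the time includes the reverse path that traceroute never shows.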
Tool: Interpreting Traceroute DNS
  • Interpreting DNS is one of the most important aspects of correctly using traceroute
  • Information you can uncover includes:
    • Physical Router Locations
    • Interface Types and Capacities
    • Router Type and Roles
    • Network Boundaries and Relationships
Tool: Traceroute Reading Tips
  • Router’s name may include Exchange Point
    • MAE, NAP, PAIX
  • Router names may be the IATA 3-letter code of the nearest airport or CLLI code in their node name
  • Other abbreviation
  • Interface name
Tool: Router Type/Role
  • Knowing the role of a router can be useful
  • But every network is different, and uses different naming conventions
  • May not always follow naming rules
  • Generally speaking, you may need to guess from context to get a basic understanding of the roles
    • Core routers–CR, Core, GBR, BB
    • Peering routers–BR, Border, Edge, IGR, Peer
    • Customer routers–AR, Aggr, Cust, CAR, GW
Tool: DNS Interface type
  • Most networks will try to put interface info into DNS
  • Though this may not always be up to date
  • Many large networks use automatically generated DNS
  • As well as capacity, and maybe even the make/model of router
  • Examples:
      • XE-#/#/# is Juniper 10GE port. The device has at least 12 slots
      • It’s at least a 40G/slot router since it has a 10GE PIC in slot 1
      • It must be Juniper MX960, no other device could fit this profile
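The three slides above (reading tips, router role and interface type) describe a manual interpretation. As an added example, not from the deck, the Python below automates the same guesswork over reverse-DNS names: it picks out a Juniper-style interface label, one of the slide's role abbreviations, and an IATA airport code. The hostnames are constructed; the role abbreviations and "XE = Juniper 10GE" come from the slides, while the "ge = 1GE" mapping, the three-entry airport table and the convention that the interface's slashes appear as dashes in DNS are assumptions of the example.

```python
"""Added example (not from the slides): guess interface type, router role
and site from a traceroute reverse-DNS name."""
import re

# Role abbreviations listed on the slides (lower-cased), grouped by role.
ROLE_TOKENS = {
    "core": {"cr", "core", "gbr", "bb"},
    "peering": {"br", "border", "edge", "igr", "peer"},
    "customer": {"ar", "aggr", "cust", "car", "gw"},
}
# Illustrative subset of IATA airport codes, constructed for the example.
IATA = {"sjc": "San Jose", "lhr": "London Heathrow", "ams": "Amsterdam Schiphol"}
# Juniper interface prefixes: "xe" = 10GE is from the slide; "ge" = 1GE is assumed.
INTERFACE_PREFIX = {"xe": "Juniper 10GE", "ge": "Juniper 1GE"}
# Assumed DNS form of e.g. xe-1/0/3: the slashes become dashes.
_IFACE_RE = re.compile(r"^(xe|ge)-\d+(?:-\d+)*$")


def interpret(hostname):
    """Return a dict with interface, role and site guesses (None if unknown)."""
    info = {"host": hostname, "interface": None, "role": None, "site": None}
    for label in hostname.lower().split("."):
        m = _IFACE_RE.match(label)
        if m:
            info["interface"] = INTERFACE_PREFIX[m.group(1)]
            continue
        for token in label.split("-"):
            word = re.sub(r"\d+$", "", token)   # cr2 -> cr, sjc1 -> sjc
            if not word:
                continue
            if info["role"] is None:
                for role, abbrevs in ROLE_TOKENS.items():
                    if word in abbrevs:
                        info["role"] = role
            if info["site"] is None and word in IATA:
                info["site"] = IATA[word]
    return info


# Constructed hostnames in the naming style the slides describe.
SAMPLE_HOPS = [
    "xe-1-0-3.cr2.sjc1.example.net",
    "ge-0-0-1.ar1.lhr.example.net",
    "br1-ams.example.net",
    "www.example.org",
]

if __name__ == "__main__":
    for h in SAMPLE_HOPS:
        print(interpret(h))
```

The first match wins for role and site, so a name that carries both "cr" and "edge" is classified by whichever label appears first; as the slides say, every network's convention differs, so treat the output as a hint to confirm against the operator's own naming scheme.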
Tool: Sample Traceroute

$ traceroute

$ traceroute

Identifying Active Machines
  • Attackers will want to know if machines are alive before they attempt to attack. One of the most basic methods of identifying active machines is to perform a sweep
  • Common Tools
    • ping, traceroute
    • Network scanning tools
      • nmap, superscan
Finding Open Ports
  • Open services
  • Common tools
    • Port scanning tools
      • nmap, superscan
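The ping sweeps and port scans of the last two slides are just as visible from the defender's side, because a firewall that logs drops records one source touching many hosts or many ports. As an added example (not from the deck), the Python below runs that detection over constructed log lines: it flags a source that echo-requests several distinct hosts, or probes several distinct TCP ports on one host, inside a sliding time window. The log lines imitate the iptables LOG key=value style but are constructed, the year prepended to the syslog timestamp is assumed, and the thresholds are illustrative.

```python
"""Added example (not from the slides): spot ICMP sweeps and TCP port scans
in constructed iptables-style firewall log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Split a syslog-style line into (timestamp, {KEY: value}).
    The syslog stamp has no year, so one is assumed for the example."""
    ts = datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return ts, fields


def detect_recon(lines, sweep_hosts=5, scan_ports=10, window_s=60):
    """Return one alert per offender:
       ("icmp-sweep", src, distinct_hosts) when one source sends echo requests
       (ICMP type 8) to >= sweep_hosts distinct destinations within window_s, or
       ("port-scan", src, dst, distinct_ports) when one source hits >= scan_ports
       distinct TCP destination ports on one host within window_s."""
    window = timedelta(seconds=window_s)
    seen = defaultdict(list)   # key -> [(ts, item)], pruned to the window
    alerts, alerted = [], set()
    for line in lines:
        ts, f = parse_line(line)
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            key, item, kind, limit = ("sweep", f["SRC"]), f["DST"], "icmp-sweep", sweep_hosts
        elif f.get("PROTO") == "TCP" and "DPT" in f:
            key, item, kind, limit = ("scan", f["SRC"], f["DST"]), f["DPT"], "port-scan", scan_ports
        else:
            continue
        entries = [(t, i) for t, i in seen[key] if ts - t <= window] + [(ts, item)]
        seen[key] = entries
        distinct = {i for _, i in entries}
        if len(distinct) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append((kind,) + key[1:] + (len(distinct),))
    return alerts


def _line(sec, src, dst, proto, extra):
    """Build one constructed log line (iptables LOG layout, not a real capture)."""
    return f"Mar 12 10:00:{sec:02d} fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO={proto} {extra}"


# Constructed sample: an echo sweep of eight hosts, a twelve-port probe of one
# host, and repeated legitimate HTTPS connections from a third source.
SAMPLE_LOG = (
    [_line(s, "203.0.113.5", f"192.0.2.{s + 1}", "ICMP", "TYPE=8 CODE=0") for s in range(8)]
    + [_line(10 + i, "203.0.113.9", "192.0.2.10", "TCP", f"SPT=40000 DPT={p} SYN")
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + [_line(30 + i, "198.51.100.4", "192.0.2.10", "TCP", "SPT=51234 DPT=443 SYN") for i in range(6)]
)

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG):
        print(alert)
```

Counting distinct destinations or ports rather than raw packets is what keeps the repeated HTTPS connections from the third source quiet, and the sliding window is what separates a burst from the same source from normal traffic spread over a day; shrinking `window_s` to a few seconds makes both alerts disappear for this sample.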
OS Fingerprinting
  • Passive fingerprint
    • Sniffing technique
    • Examine packets for certain characteristics such as
      • The IP TTL value
      • The TCP Window Size
      • The IP DF Option
      • The IP Type of Service (TOS) Option
  • Active Fingerprint
    • Injects the packets into the network
    • Examines the subtle differences that exist between different vendor implementations of the TCP/IP stack
    • Common tools : nmap
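As an added example of the passive technique described above (not code from the deck), the Python below scores observed SYN characteristics, the TTL, TCP window size, DF flag and TOS byte the slide lists, against a small signature table, and also derives a hop-count estimate from the TTL. The 64/128/255 initial-TTL defaults are well known; the rest of the signature table, the scoring weights and the minimum score are constructed for the illustration, and the packets are constructed feature sets rather than a real capture.

```python
"""Added example (not from the slides): passive OS fingerprinting from the
IP TTL, TCP window size, DF flag and TOS byte of an observed SYN."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketFeatures:
    ttl: int      # observed IP TTL
    window: int   # TCP window size advertised in the SYN
    df: bool      # IP Don't Fragment flag
    tos: int      # IP Type of Service byte


# Illustrative signature table constructed for the example; a real tool
# ships a large measured database.  The initial_ttl values are the well-known
# 64/128/255 defaults; the window sizes are chosen for the illustration.
SIGNATURES = [
    {"os": "linux-like", "initial_ttl": 64, "window": 29200, "df": True, "tos": 0},
    {"os": "windows-like", "initial_ttl": 128, "window": 65535, "df": True, "tos": 0},
    {"os": "network-device", "initial_ttl": 255, "window": 4128, "df": False, "tos": 0},
]
INITIAL_TTLS = (32, 64, 128, 255)
MIN_SCORE = 3   # assumed threshold: more than one attribute must agree


def guess_initial_ttl(observed):
    """The observed TTL is the initial TTL minus the hops traversed, so round
    up to the next well-known initial value."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return observed


def fingerprint(pkt):
    """Return (os_guess, estimated_hops, score).  os_guess is "unknown" when
    no signature reaches MIN_SCORE; score is the best raw match score."""
    init = guess_initial_ttl(pkt.ttl)
    hops = init - pkt.ttl
    best_os, best_score = "unknown", 0
    for sig in SIGNATURES:
        score = 0
        score += 2 if sig["initial_ttl"] == init else 0   # strongest single signal
        score += 2 if sig["window"] == pkt.window else 0
        score += 1 if sig["df"] == pkt.df else 0
        score += 1 if sig["tos"] == pkt.tos else 0
        if score > best_score:
            best_os, best_score = sig["os"], score
    if best_score < MIN_SCORE:
        best_os = "unknown"
    return best_os, hops, best_score


# Constructed observations (not a real capture).
SAMPLE_PACKETS = [
    PacketFeatures(ttl=58, window=29200, df=True, tos=0),
    PacketFeatures(ttl=121, window=65535, df=True, tos=0),
    PacketFeatures(ttl=250, window=4128, df=False, tos=0),
    PacketFeatures(ttl=40, window=1234, df=False, tos=16),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", fingerprint(p))
```

The hop estimate is the part a defender can use even when the OS guess is weak: an inbound SYN whose TTL implies far more hops than the expected path to that source is worth a second look, and the TTL rounding is also why a host sitting exactly one hop away can still be told apart from one behind a long path.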
Mapping the Network
  • Gained enough information to build a network map
  • Network mapping provides the hacker with a blueprint of the organization.
  • May use manual or automated ways to compile this information