Two steps to basic network reconnaissance.
- Host Discovery.
- Service Discovery (Port Scanning).

pentest phases

Host Discovery

  • First step of network recon. The goal is to reduce a large set of IP ranges to a list of active or interesting hosts. (A 10.0.0.0/8 network covers 16,777,216 addresses, 16,777,214 of them usable for hosts.)
  • Port scanning is loud and expensive in time and resources. The more targets you scan, the more chances of being caught by an IDS.
  • Narrowing down too strictly can miss interesting targets; narrowing down too leniently leaves a large set of machines to scan. Strike a balance based on the requirements of the engagement.

TCP SYN Ping

  • Send an empty TCP packet with only the SYN bit set (usually to a port likely to be open, such as 80 or 443).
  • Either a SYN/ACK (port open) or a RST (port closed) in response indicates that the machine is up and running; no answer means the host is down or a firewall dropped the probe.
>>> ans, unans = sr(IP(dst="192.168.56.*")/TCP(dport=80, flags="S"))
>>> ans.summary(lambda s, r: r.sprintf("%IP.src% is alive"))
192.168.56.101 is alive

TCP ACK Ping

  • Send an empty TCP packet with only the ACK bit set.
  • An unsolicited ACK belongs to no existing connection, so the host answers it with a RST whether the port is open or closed, which reveals the machine.
  • SYN ping and ACK ping might seem redundant, but a stateless firewall that drops incoming SYNs often lets ACK packets through because it cannot tell them from traffic of an established connection. Use both ping techniques together. (A stateful firewall will drop the unsolicited ACK, so silence here is not proof that the host is down.)
>>> ans, unans = sr(IP(dst='192.168.56.99-105')/TCP(dport=80, flags='A'))
Begin emission:
Finished to send 7 packets.
......................^C
Received 25 packets, got 1 answers, remaining 6 packets
>>> ans.summary(lambda s, r: r.sprintf('{IP: %IP.src% is alive}'))
192.168.56.101 is alive

UDP Ping

  • Send a UDP packet to the chosen port(s), with or without a payload. A protocol-specific payload (for example a DNS query to port 53) makes an open service answer and so makes the scan more effective.
  • Otherwise choose a port that is most likely closed: an open UDP service usually ignores an empty probe and sends nothing back, so it is the closed port that produces a reply.
  • An ICMP port unreachable (type 3, code 3) coming from the target signifies that the machine is up.

IP Protocol ping

  • Send multiple packets with different protocol numbers set in the IP header, appending the proper protocol header for each (for example ICMP, IGMP, TCP or UDP; for other protocol numbers an empty payload after the IP header is enough).
  • Look for either a response using the same protocol as the probe, or an ICMP protocol unreachable (type 3, code 2). Either response signifies that the machine is alive, since only the target itself generates them.

ARP Ping

  • ARP ping is employed when discovering active hosts on the same network/LAN (the same broadcast domain); it does not cross routers.
  • Faster and more reliable because it operates on Layer 2 using only ARP: a host must answer ARP requests to communicate on the LAN at all, and host firewalls rarely filter it.
  • ARP is the backbone protocol for any IPv4 Layer 2 communication, so always employ ARP ping when discovering hosts on the local network.
    • ARP doesn't exist in IPv6. For the equivalent, use Neighbor Discovery Protocol (ICMPv6 Neighbor Solicitation) techniques instead.
>>> ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.56.0/24"), timeout=2)
Begin emission:
Finished to send 256 packets.

Received 2 packets, got 2 answers, remaining 254 packets
>>> ans.summary(lambda s, r: r.sprintf("%Ether.src% %ARP.psrc%"))
08:00:27:7b:2a:a9 192.168.56.100
08:00:27:37:86:85 192.168.56.101

ICMP Ping

  • An ICMP scan uses the standard packets sent by the ubiquitous ping program.
  • Send an ICMP type 8 (echo request) packet to the target IP; an ICMP type 0 (echo reply) indicates that the target is alive.
  • Unfortunately, many hosts and firewalls now block these packets, so a basic ICMP scan is unreliable on its own.
  • ICMP also supports timestamp request (type 13, answered by type 14) and address mask request (type 17, answered by type 18). Hosts or firewalls that block echo requests sometimes still answer these, so they can reveal the availability of a machine.
>>> ans, unans = sr(IP(dst="192.168.56.99-110")/ICMP())
Begin emission:
Finished to send 12 packets.
Received 170 packets, got 1 answers, remaining 11 packets
>>> ans.summary(lambda s, r: r.sprintf("{IP: %IP.src% is alive}"))
192.168.56.101 is alive
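The decision logic behind the UDP ping, IP protocol ping and ICMP ping above (and the two TCP pings), as an added example that is not part of the original notes. It uses only the Python standard library, so it runs offline against constructed reply packets rather than live traffic; the helper names (parse_ipv4, classify_reply, build_ipv4 and the rest) and the addresses 192.168.56.101 / 192.168.56.1 / 10.0.0.1 are this example's own assumptions. It applies the check a practitioner wants but the transcripts above skip: only a reply that must have been generated by the target itself (SYN/ACK, RST, echo/timestamp/address mask reply, or ICMP port/protocol unreachable sourced from the target) counts as proof that the host is up; an ICMP error sourced from a router on the path does not.

```python
import socket
import struct

# ICMP types and codes the discovery probes on this page rely on
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_TIMESTAMP_REPLY = 14
ICMP_ADDRMASK_REPLY = 18
UNREACH_PROTO = 2   # "protocol unreachable": the answer to an IP protocol ping
UNREACH_PORT = 3    # "port unreachable": the answer to a UDP ping on a closed port

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def parse_ipv4(raw):
    """Split a raw IPv4 datagram into (protocol, src, dst, payload)."""
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), raw[ihl:total_len]


def classify_reply(target, raw, probe_proto=None):
    """Return a verdict on whether the IPv4 reply `raw` proves `target` is up.

    Only answers the target itself must have generated count as proof. ICMP
    errors a router on the path may emit (net/host unreachable, administratively
    prohibited) say nothing about the end host and are reported as inconclusive;
    anything not sourced from the target is ignored outright.
    """
    proto, src, _dst, payload = parse_ipv4(raw)
    if src != target:
        return "ignored: sourced from %s, not the probed host" % src
    if proto == socket.IPPROTO_TCP:
        flags = payload[13]                      # byte 13 of the TCP header
        if flags & TCP_SYN and flags & TCP_ACK:
            return "alive: SYN/ACK (port open)"
        if flags & TCP_RST:
            return "alive: RST"
        return "inconclusive: TCP flags 0x%02x" % flags
    if proto == socket.IPPROTO_ICMP:
        itype, code = payload[0], payload[1]
        if itype == ICMP_ECHO_REPLY:
            return "alive: ICMP echo reply"
        if itype == ICMP_TIMESTAMP_REPLY:
            return "alive: ICMP timestamp reply"
        if itype == ICMP_ADDRMASK_REPLY:
            return "alive: ICMP address mask reply"
        if itype == ICMP_DEST_UNREACH and code == UNREACH_PORT:
            return "alive: ICMP port unreachable"
        if itype == ICMP_DEST_UNREACH and code == UNREACH_PROTO:
            return "alive: ICMP protocol unreachable"
        if itype == ICMP_DEST_UNREACH:
            return "inconclusive: ICMP unreachable code %d" % code
        return "inconclusive: ICMP type %d" % itype
    if probe_proto is not None and proto == probe_proto:
        return "alive: answered with IP protocol %d" % proto  # IP protocol ping
    return "inconclusive: IP protocol %d" % proto


# ---- Constructed sample replies (assumed addresses, not captured traffic) ----
TARGET, SCANNER = "192.168.56.101", "192.168.56.1"


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 datagram; checksum left at zero because we only parse it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(flags):
    """20-byte TCP header from port 80 carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 1024, 0, 0)


def build_icmp(itype, code, quoted=b""):
    """ICMP header plus the quoted original datagram that an ICMP error carries."""
    return struct.pack("!BBHI", itype, code, 0, 0) + quoted


# Our own probes as they come back quoted inside ICMP errors (IP header + 8 bytes)
UDP_PROBE = build_ipv4(socket.IPPROTO_UDP, SCANNER, TARGET, b"\x9c\x40\x00\x28\x00\x08\x00\x00")[:28]
IGMP_PROBE = build_ipv4(2, SCANNER, TARGET, b"\x11\x00\xee\xff\x00\x00\x00\x00")[:28]

SAMPLE_REPLIES = {
    "tcp_syn_ping":  build_ipv4(socket.IPPROTO_TCP, TARGET, SCANNER, build_tcp(TCP_SYN | TCP_ACK)),
    "tcp_ack_ping":  build_ipv4(socket.IPPROTO_TCP, TARGET, SCANNER, build_tcp(TCP_RST)),
    "udp_ping":      build_ipv4(socket.IPPROTO_ICMP, TARGET, SCANNER, build_icmp(ICMP_DEST_UNREACH, UNREACH_PORT, UDP_PROBE)),
    "ip_proto_ping": build_ipv4(socket.IPPROTO_ICMP, TARGET, SCANNER, build_icmp(ICMP_DEST_UNREACH, UNREACH_PROTO, IGMP_PROBE)),
    "icmp_ping":     build_ipv4(socket.IPPROTO_ICMP, TARGET, SCANNER, build_icmp(ICMP_ECHO_REPLY, 0)),
    # admin-prohibited error from a router in the path, not from the target
    "router_error":  build_ipv4(socket.IPPROTO_ICMP, "10.0.0.1", SCANNER, build_icmp(ICMP_DEST_UNREACH, 13, UDP_PROBE)),
}


def run_samples():
    """Verdict for every constructed reply, keyed by the probe that elicited it."""
    return {name: classify_reply(TARGET, pkt) for name, pkt in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-14s %s" % (name, verdict))
```

To use it on real traffic, feed classify_reply the raw IPv4 bytes of each answer (for example the `bytes(r)` of every reply pair in a Scapy `sr()` result, or datagrams read from a raw socket) together with the address you probed; the source check and the unreachable-code check are what keep a router's error from being counted as a live host.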

Exercise time - network sweeping

Please solve Exercise 1 - Misc exercises