Mapping a Network
Sometimes, instead of receiving full information about the target machines, a penetration tester gets just an address block. The pentester then needs to discover which hosts exist in that network and how they are configured.
There are several different ways to reveal the network configuration.
Ping works by sending one or more special ICMP packets (type 8, echo request) to a host. If the host replies with ICMP echo reply packets (type 0), the host is alive. RFC 792 describes ICMP, the protocol used to carry such diagnostic messages; ICMP is part of the Internet Protocol suite.
fping is a Linux tool, an improved version of the standard ping. It can be run against an IP range:
fping -a -g <ip_range> 2>/dev/null   # -a: show alive hosts; -g: generate the target list from the range; stderr is redirected to /dev/null to suppress noise
The recommended tool for penetration testing is nmap. It is a very powerful tool which allows for detecting hosts, their operating systems and more.
To perform a ping scan (host discovery only, without port scanning), one can use
nmap -sn <ip_range>
After this nmap run, we end up with a list of live hosts that respond to ping. Next, we need to understand which operating system a host runs. Based on differences in the network stack implementations of the various operating systems, automated programs can analyze the responses and recognize the OS version, creating host signatures (OS fingerprinting).
During a penetration test, the tester needs to perform a reconnaissance step on every network node. The goal is to create a table of nodes with the appropriate information about their systems.
Offline fingerprinting (p0f)
For offline fingerprinting, one can use the p0f tool to analyze a dump of network traffic.
Online fingerprinting (nmap)
In the online case, the go-to tool is again nmap. To perform OS fingerprinting with it, use the -O option and specify the target. In the case of known targets, you can add -Pn to skip rediscovering them.
nmap -Pn -O <targets>
This option can be fine-tuned further to control how aggressively nmap tries to identify hosts:
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
After recognizing nodes and detecting operating systems, we can continue with port scanning, which discovers the daemons and services running on those nodes.
Port scanning is the process used to determine which TCP and UDP ports are open on target hosts. It also usually helps detect which software, and which version of it, is listening on a specific port.
TCP Three-Way Handshake
nmap -sT <target>
Description of the process:
Client --- SYN -----> Server
Client <-- SYN+ACK -- Server
Client --- ACK -----> Server
When a client wants to connect to a server, it first sends a packet with the SYN flag set. The server then responds with a packet that has both the SYN and ACK flags set. Finally, the client replies with a packet with the ACK flag set, and the actual data transmission can start.
In the case of a closed port, it looks slightly different.
Client --- SYN -----> Server
Client <-- RST+ACK -- Server
The server replies with a packet that has the reset (RST) and ACK flags set. This behavior tells the client that the port is closed.
The simplest way to perform a port scan is to try to connect to every port.
- if the scanner receives a RST packet, the port is closed.
- if the scanner can complete the three-way handshake, the port is open. After connecting, the scanner sends a RST packet to the target host to abruptly close the connection.
The drawback here is that every TCP connect is recorded in the daemon logs, even scans, which often should be stealthy. From the application's point of view, the scan probe is a legitimate connection, which allows system administrators to easily detect the scan.
To reduce the chance of being detected (compared with the full three-way handshake), there is a stealthier option called a SYN scan:
nmap -sS <targets>
During a SYN scan, the scanner does not perform a full handshake. It just sends a SYN packet and analyzes the response coming from the target machine.
- if it receives a RST packet, the port is closed.
- if it receives a SYN+ACK packet, the port is open. After marking the port as open, the scanner sends a RST packet to the target host to stop the handshake.
As there is no full connection to the destination daemon, a SYN scan cannot be detected by looking at daemon logs.
It is important to remember, however, that even a TCP SYN scan can be detected by a well-configured IDS (Intrusion Detection System).
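The following is an added illustration, not code from the original notes: a toy model of both sides of the exchanges above, run once as a connect scan (-sT) and once as a SYN scan (-sS), showing that both give the same port states, that only the connect scan leaves entries in the daemon log, and that a simple IDS heuristic on the packet stream flags both. The open-port set, the log wording and the IDS threshold are constructed assumptions.

```python
from collections import defaultdict

OPEN_PORTS = {22, 80}  # constructed sample host: only these ports have a listening daemon

def server_reply(port):
    """TCP stack's answer to a SYN: SYN+ACK when a daemon listens, RST+ACK otherwise."""
    return "SYN+ACK" if port in OPEN_PORTS else "RST+ACK"

def probe(scan_type, port, wire, daemon_log):
    """One probe of `port` by a 'connect' (nmap -sT) or 'syn' (nmap -sS) scanner.
    `wire` collects every packet (what a network IDS sees); `daemon_log` collects
    what the listening application itself records. Returns the port state."""
    wire.append(("scanner", port, "SYN"))
    reply = server_reply(port)
    wire.append(("server", port, reply))
    if reply == "RST+ACK":
        return "closed"
    if scan_type == "connect":
        wire.append(("scanner", port, "ACK"))  # handshake completes, so the daemon sees it
        daemon_log.append(f"connection from scanner on port {port}")
    wire.append(("scanner", port, "RST"))      # both scan types tear down with RST
    return "open"

def run_scan(scan_type, ports):
    """Probe each port; return (port states, daemon log entries, packets on the wire)."""
    wire, daemon_log = [], []
    states = {p: probe(scan_type, p, wire, daemon_log) for p in ports}
    return states, daemon_log, wire

def ids_flags_scan(wire, threshold=3):
    """IDS heuristic on the packet stream: one source sending SYNs to `threshold`
    or more distinct ports in the window is a port scan, whatever the scan type."""
    syn_ports = defaultdict(set)
    for src, port, flags in wire:
        if flags == "SYN":
            syn_ports[src].add(port)
    return any(len(ports) >= threshold for ports in syn_ports.values())

if __name__ == "__main__":
    for kind in ("connect", "syn"):
        states, log, wire = run_scan(kind, [22, 25, 80])
        print(kind, states, "daemon log entries:", len(log), "IDS alert:", ids_flags_scan(wire))
```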
Version detection scan
nmap -sV <targets>
This scan is recorded in logs; however, it is very useful. It mixes a TCP connect scan with probes that detect which application is listening on a particular port.
Client --- SYN -----> Server
Client <-- SYN+ACK -- Server
Client --- ACK -----> Server
Client <-- Banner --- Server
Client --- RST+ACK -> Server
If the daemon doesn't send a banner, nmap sends some probes to understand what the listening application is. It then tries to guess the application based on its behavior.
Network Discovery with port scanning
Sometimes a firewall blocks pings. In this kind of scenario, the typical use of ping is insufficient. Even if a host does not respond to ICMP requests, it often has some TCP or UDP ports open.
nmap can be forced to scan a host that is not responding to ping with -Pn. Scanning common ports like 80 and 443 (HTTP/HTTPS server), 445 (SMB, e.g. a Samba service) or 53 (DNS) can reveal that the host is actually "alive" even though it does not respond to ping.
Large networks are very often protected from intrusion by firewalls. It might be difficult to detect a firewall directly, but partial or incomplete scan results can indicate that one is present.
An nmap scan with fingerprinting (-sV) should normally return full information. Sometimes, however, the VERSION information may be absent or unrecognized (tcpwrapped means that the TCP handshake was completed, but the remote host closed the connection without receiving any data).
To find out what happened, you may want to run nmap with --reason, which shows an explanation of why a port is marked open or closed.
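As an added example (not from the original notes), this parser turns scan output into the table of nodes the reconnaissance step aims for, and applies two of the checks above: a host counts as alive when any port answered (open or closed) even if ICMP was blocked, and open ports reported as tcpwrapped or without a version are listed for a follow-up with --reason or a manual check. The input is a constructed sample laid out like nmap's grepable output (-oG), not a real scan.

```python
# Constructed sample in the layout of nmap -oG output; not from a real scan.
SAMPLE_OG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, "
    "80/open/tcp//http//Apache httpd 2.4/, 445/closed/tcp//microsoft-ds///"
    "\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//tcpwrapped///"
    "\tIgnored State: filtered (999)\n"
    "Host: 10.0.0.12 ()\tStatus: Up\n"   # reported Up only because of -Pn; nothing answered
)

def parse_grepable(text):
    """Build the node table: ip -> {'status', 'ports': [(port, state, proto, service, version)]}."""
    nodes = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        head, *fields = line.split("\t")
        ip = head.split()[1]
        node = nodes.setdefault(ip, {"status": None, "ports": []})
        for field in fields:
            if field.startswith("Status: "):
                node["status"] = field[len("Status: "):]
            elif field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    # fields: port/state/protocol/owner/service/rpc info/version/
                    port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
                    node["ports"].append((int(port), state, proto, service, version))
    return nodes

def alive_hosts(nodes):
    """A host that answered any TCP probe (SYN+ACK or RST) is alive even if it never
    replied to ICMP; a host whose probes were all filtered stays unknown."""
    return sorted(ip for ip, n in nodes.items()
                  if any(st in ("open", "closed") for _, st, _, _, _ in n["ports"]))

def needs_followup(nodes):
    """Open ports with no version or reported as tcpwrapped: re-scan with --reason
    or check manually before trusting the table."""
    out = []
    for ip, n in nodes.items():
        for port, state, _proto, service, version in n["ports"]:
            if state == "open" and (service == "tcpwrapped" or not version):
                out.append((ip, port, service))
    return sorted(out)

if __name__ == "__main__":
    table = parse_grepable(SAMPLE_OG)
    print("alive:", alive_hosts(table), "follow-up:", needs_followup(table))
```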
Masscan was designed to deal with large networks and to scan thousands of IP addresses at once. It is similar to nmap but much faster.
Vulnerability assessment is a scan for the vulnerabilities present on networks and applications. It is faster and lighter on the infrastructure. As opposed to a penetration test, during a vulnerability assessment you don't proceed to the exploitation phase, so after discovering a vulnerability you won't be able to confirm it by testing and giving a proof of exploitation.
Scanners perform their probes on:
- daemons listening on TCP and UDP ports
- configuration files of operating systems, software suites, network devices, etc.
- Windows registry entries.
The purpose is to find vulnerabilities and misconfigurations. The better and more up-to-date the vulnerability database, the better the scan results.
However, in the case of a custom application, a vulnerability scanner may not be enough; a manual test then needs to be performed.