Penetration Testing and Network Defense
Reconnaissance can be split into two categories: passive, which can be likened to a burglar glancing at houses as he walks along the road, and active, where he walks right up and peers in your windows. Passive reconnaissance can be time intensive and yield varying degrees of success. The most obvious starting point is the website of your target. Two popular tools are available to help grab the whole site for offline browsing:
Analyzing site content can reveal information such as the following:
You can also glean potentially useful information from public sources, including these:
Active reconnaissance can be far more revealing, but the downside is that it is a riskier process and is more easily detected. The first step in active reconnaissance is to identify hosts within the target network. You can use the following tools to accomplish this:
Simply performing an NSLookup to resolve an IP address is passive, but the moment you attempt a zone transfer with one of these tools, you have crossed into active reconnaissance. After the hosts have been identified, you can use port scanning to identify potential vulnerabilities. A range of different port scan techniques is available:
In addition, this chapter examined NMap, a popular and powerful tool that carries out port scanning. This chapter also looked at fingerprinting, the process of examining the characteristics of a host to identify its underlying operating system. Although this chapter discussed NMap, other fingerprinting tools are available:
All these steps constitute the footprinting of a target network. After the footprint is complete, you should be able to create a network map containing information such as the following:
Reconnaissance against a target network, such as that described in this chapter, can be detected using an IDS, which can take various forms:
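The summary above describes both the active reconnaissance steps (zone transfers, port scans) and their detection by an IDS. As an added example, not code from the book or from any IDS product, the following Python script implements the two detections an IDS would make against those steps: a zone-transfer request (AXFR/IXFR) from a host that is not an authorised secondary nameserver, and a single source touching many distinct destination ports on one host within a short window. The log formats, IP addresses, the `ALLOWED_SECONDARIES` set and the thresholds are all assumptions constructed for this example.

```python
"""Toy IDS-style detection for two active-reconnaissance steps discussed in the
chapter: DNS zone-transfer (AXFR/IXFR) attempts and port scans. Added example,
not code from the book. Log formats and addresses below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query log. Assumed format: "<timestamp> <client_ip> <qname> <qtype>"
DNS_LOG = """\
2024-01-15T09:58:01 192.0.2.25 www.example.test A
2024-01-15T09:58:02 192.0.2.25 mail.example.test MX
2024-01-15T09:58:05 203.0.113.7 example.test AXFR
2024-01-15T09:58:09 198.51.100.2 example.test AXFR
2024-01-15T09:58:30 203.0.113.7 example.test IXFR
"""

# Constructed firewall log. Assumed format:
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <proto> <verdict>"
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
                 143, 443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080]
FIREWALL_LOG = "\n".join(
    # One external source probing 20 ports on one host within 20 seconds.
    f"2024-01-15T10:00:{i:02d} 203.0.113.7 198.51.100.10:{port} tcp DROP"
    for i, port in enumerate(SCANNED_PORTS)
) + "\n" + "\n".join([
    # Ordinary traffic from an internal client: few ports, spread out in time.
    "2024-01-15T10:00:05 192.0.2.25 198.51.100.10:443 tcp ACCEPT",
    "2024-01-15T10:03:10 192.0.2.25 198.51.100.10:80 tcp ACCEPT",
    "2024-01-15T10:07:44 192.0.2.25 198.51.100.10:22 tcp ACCEPT",
])

# Hosts permitted to request zone transfers (assumed: the authorised secondary nameserver).
ALLOWED_SECONDARIES = {"198.51.100.2"}


def detect_zone_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (client, zone, qtype) for each transfer request from a non-authorised host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        if qtype in ("AXFR", "IXFR") and client not in allowed:
            hits.append((client, qname, qtype))
    return hits


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Flag each (src, dst) pair whose busiest `window` covers >= min_ports distinct ports.

    Returns (src, dst, distinct_ports, window_start, window_end) per flagged pair.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_and_port, _proto, _verdict = line.split()
        dst, port = dst_and_port.rsplit(":", 1)
        events[(src, dst)].append((datetime.fromisoformat(ts), int(port)))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        best = None  # (distinct port count, window start, window end)
        j = 0
        for i in range(len(evs)):
            # Advance the window start until evs[j] lies within `window` of evs[i].
            while evs[i][0] - evs[j][0] > window:
                j += 1
            ports = {p for _, p in evs[j:i + 1]}
            if best is None or len(ports) > best[0]:
                best = (len(ports), evs[j][0], evs[i][0])
        if best and best[0] >= min_ports:
            alerts.append((src, dst, best[0], best[1], best[2]))
    return alerts


if __name__ == "__main__":
    for client, zone, qtype in detect_zone_transfers(DNS_LOG):
        print(f"ALERT zone transfer: {client} requested {qtype} for {zone}")
    for src, dst, n, first, last in detect_port_scans(FIREWALL_LOG):
        print(f"ALERT port scan: {src} -> {dst}, {n} ports between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

The zone-transfer rule is a plain allow-list: the only legitimate AXFR/IXFR clients are your own secondary nameservers, so any other requester is worth an alert regardless of whether the server honoured the request. The port-scan rule counts distinct destination ports per source/destination pair inside a sliding time window rather than raw connection attempts, which is what separates a probe of many services from a busy but normal client that keeps reconnecting to one or two ports; the window length and port threshold are the tuning knobs a real IDS exposes.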