Mapping the Network Attack Surface
By this point, the hacker has gathered enough information to map the network. Mapping the network gives the hacker a blueprint of the organization. The information can be compiled manually or with automated tools; both approaches are discussed in the following sections.
Manual Mapping
If you have been documenting findings, the matrix you began at the start of this chapter should be overflowing with information. This matrix should now contain domain name information, IP addresses, DNS servers, employee info, company location, phone numbers, yearly earnings, recently acquired organizations, email addresses, the publicly available IP address range, open ports, wireless access points, modem lines, and banner details.
Automated Mapping
If you prefer a more automated method of mapping the network, a variety of tools are available. Visual traceroute programs, such as SolarWinds' Network Topology Mapper (http://www.solarwinds.com/network-topology-mapper), can help you map out where the servers discovered so far sit in the network. You can even use Nmap scripts to trace a route and map the geolocation of a target. As an example, nmap --traceroute --script traceroute-geolocation.nse -p 80 example.com would perform a traceroute and provide geolocation data for each hop along the way. Geolocation lets you identify information such as the country, region, and ISP of each hop. Examples of geolocation tools include IP Location Finder (https://tools.keycdn.com) and GeoIP Lookup Tool (https://www.ultratools.com).
Automated mapping is faster but can produce errors or misleading results, so its output should be checked against the manual matrix. Table 3-7 reviews the primary steps we have discussed.
Table 3-7 The Seven Steps of the Pre-Attack Phase

| Step | Title | Active/Passive | Common Tools |
|---|---|---|---|
| One | Information gathering | Passive | www.domaintools.com, ARIN, IANA, Whois, Nslookup |
| Two | Determining network range | Passive | RIPE, APNIC, LACNIC, ARIN |
| Three | Identifying active machines | Active | Ping, traceroute, SuperScan, Angry IP Scanner |
| Four | Finding open ports and access points | Active | Nmap, Hping, Angry IP Scanner, SuperScan |
| Five | OS fingerprinting | Active/passive | Nmap, Winfingerprint, P0f, Xprobe2 |
| Six | Fingerprinting services | Active | Nmap, Telnet, FTP, Netcat |
| Seven | Mapping the network attack surface | Active | CartoReso, traceroute, Network Topology Mapper |
NLog is one option to help keep track of your scanning and mapping information. NLog enables you to automate and track the results of your Nmap scans. It allows you to keep all your Nmap scan logs in a database, making it possible to easily search for specific entries. It’s browser based, so you can easily view the scan logs in a highly customizable format. You can add your own extension scripts for different services, so all hosts running a certain service will have a hyperlink to the extension script. NLog is available at http://nlog-project.org/.
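The two preceding passages describe the same workflow from two angles: turning Nmap's traceroute and port data into a network map, and keeping scan results in a searchable database the way NLog does. The script below is an added example written for this chapter; it is not code from the book, from Nmap, or from NLog. It parses the XML that `nmap -oX` writes (a constructed sample with RFC 5737 documentation addresses is embedded, including one host that is down and one trace with a hop that never answered), builds the host/port matrix, reconstructs the hop topology, and loads everything into SQLite so you can ask "which hosts run service X" the way the NLog paragraph describes. Function names and the schema are my own choices.

```python
import sqlite3
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -sV --traceroute -oX -` output (RFC 5737 addresses,
# not a real scan). Nmap lists only hops that answered, so the second trace has
# no TTL 2 entry; host 192.0.2.12 is down and carries no port or trace data.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV --traceroute -oX - 192.0.2.0/28">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
 <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
  <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
 </ports>
 <trace proto="tcp" port="80">
  <hop ttl="1" ipaddr="198.51.100.1" rtt="0.80"/>
  <hop ttl="2" ipaddr="198.51.100.9" rtt="1.40"/>
  <hop ttl="3" ipaddr="192.0.2.10" rtt="2.10"/>
 </trace></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
  <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
 </ports>
 <trace proto="tcp" port="22">
  <hop ttl="1" ipaddr="198.51.100.1" rtt="0.75"/>
  <hop ttl="3" ipaddr="192.0.2.11" rtt="2.00"/>
 </trace></host>
<host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return (hosts, edges). hosts maps ip -> {"hostname", "ports"} for hosts
    that are up; edges is a set of (hop, next_hop) pairs taken from --traceroute."""
    hosts, edges = {}, set()
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts have no ports or trace worth recording
        ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts[ip] = {"hostname": hn.get("name") if hn is not None else None, "ports": ports}
        # Consecutive responding hops form the edges of the topology; a missing
        # TTL simply joins the routers on either side of the silent hop.
        hop_ips = [h.get("ipaddr") for h in host.findall("trace/hop") if h.get("ipaddr")]
        edges.update(zip(hop_ips, hop_ips[1:]))
    return hosts, edges


def load_into_sqlite(hosts, edges, conn):
    """Persist the matrix and topology so later scans can be merged and searched."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS hosts(ip TEXT PRIMARY KEY, hostname TEXT);
        CREATE TABLE IF NOT EXISTS ports(ip TEXT, proto TEXT, port INTEGER, state TEXT,
            service TEXT, product TEXT, version TEXT, PRIMARY KEY(ip, proto, port));
        CREATE TABLE IF NOT EXISTS hops(src TEXT, dst TEXT, PRIMARY KEY(src, dst));""")
    for ip, info in hosts.items():
        conn.execute("INSERT OR REPLACE INTO hosts VALUES (?, ?)", (ip, info["hostname"]))
        for p in info["ports"]:
            conn.execute("INSERT OR REPLACE INTO ports VALUES (?,?,?,?,?,?,?)",
                         (ip, p["proto"], p["port"], p["state"], p["service"], p["product"], p["version"]))
    conn.executemany("INSERT OR IGNORE INTO hops VALUES (?, ?)", sorted(edges))
    conn.commit()


def hosts_running(conn, service):
    """NLog-style search: every up host with an open port for the named service."""
    return conn.execute("SELECT ip, port, product, version FROM ports "
                        "WHERE service = ? AND state = 'open' ORDER BY ip, port", (service,)).fetchall()


def exposure_summary(hosts):
    """Open-port count per host: the attack-surface column of the matrix."""
    return {ip: sum(p["state"] == "open" for p in info["ports"]) for ip, info in hosts.items()}


def topology(edges):
    """Adjacency list of router hops, i.e. the blueprint the chapter describes."""
    adj = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
    return {src: sorted(dsts) for src, dsts in adj.items()}


def build_map(xml_text=SAMPLE_NMAP_XML):
    hosts, edges = parse_nmap_xml(xml_text)
    conn = sqlite3.connect(":memory:")  # use a file path to keep results between scans
    load_into_sqlite(hosts, edges, conn)
    return hosts, edges, conn


if __name__ == "__main__":
    hosts, edges, conn = build_map()
    for ip, n in exposure_summary(hosts).items():
        print(f"{ip:<14} open ports: {n}")
    for src, dsts in topology(edges).items():
        print(f"{src} -> {', '.join(dsts)}")
    print("ssh exposures:", hosts_running(conn, "ssh"))
```

Run it against a real scan by replacing the sample with the contents of a file written by `nmap -sV --traceroute -oX scan.xml <targets>`; pointing `sqlite3.connect` at a file instead of `:memory:` accumulates hosts and hops across scans, which is what makes the "all hosts running a certain service" query useful over time. Note that the hop-based topology only records routers that answered, so a silent hop collapses into a direct edge between its neighbours, which is one of the "erroneous results" the text warns automated mapping can produce.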
CartoReso is another network mapping option. If run from the Internet, the tool is limited to devices it can contact, which will most likely be devices within the demilitarized zone (DMZ). Run internally, it will diagram a large portion of the network. In the hands of a hacker, it's a powerful tool, because it uses routines taken from a variety of other tools that let it perform OS detection, port scans for service detection, and network mapping using common traceroute techniques. You can download it from https://sourceforge.net/projects/cartoreso/.
A final item worth discussing is that the attacker will typically attempt to hide her activity while actively probing a victim's network. This can be attempted via anonymizers and proxies. The concept is to obscure the true source address. Examples of tools that are available for this activity include the following:
- Proxy Switcher
- Proxy Workbench
- CyberGhost
- Tor
