As we talked about in a previous post, footprinting is an important first step. But now that the recon work is done we can move into scanning / enumeration. Depending on who you talk to, scanning & enumeration can either be put together or treated as their own topics. For the sake of this blog I'm going to split them into two different posts.
Let's start by looking at scanning. When it comes to scanning there are two different types, active and passive. Active scanning is when you send out some type of probe (packet) to see if a host is online. You are "actively" engaging the target. This type of scanning can be done with a variety of tools, the most popular of which is nmap. Nmap has been with us for years and is always improving; in fact it has so many features there's a book about it. If you haven't already, I highly recommend checking it out.
But what if nmap isn't available? This question was put to me recently and it made me think. I've used nmap for so long I had forgotten about other options. Well, believe it or not there are other tools out there. After blowing the cobwebs out of my brain (and a quick research break) I came up with a short list of tools.
| Scanner | Linux | Windows | Mac OS X | Interface | Example |
|---|---|---|---|---|---|
| nmap | X | X | X | CLI or GUI | `nmap -n -sn 192.168.10.0/24` (ping scan); `nmap -n -sT 192.168.10.0/24` (open port scan) |
| SuperScan | - | X | - | GUI | It's a GUI |
| NetCat | X | X | X | CLI | `nc -zv 192.168.10.107 1-100` |
| ScanLine | - | X | - | CLI | `sl -h 192.168.10.1-254` (ping scan); `sl -ht 1-100 192.168.10.1-254` (open port scan) |
| Cain | - | X | - | GUI | It's a GUI |
As always, this is not meant to be an all-inclusive list (far from it). These are just a few I thought people might enjoy trying out.
So what about passive scanning? Passive scanning is when you don't actively send out packets but rather wait until clients talk on the network. This type of scanning is generally less reliable due to several issues. The 5-ton elephant here is those darn switches. By design a switch only sends packets to the port they are destined for. This makes listening in on conversations difficult, unless you employ something like ARP spoofing.
Even when we overcome any switching issues we'll have to take into account that we're only 'listening' to traffic. Let's say there's an FTP server running on the same machine as the web server. If no one ever uses FTP then we might not know it's there.
On the other hand, doing passive scanning can give you a great picture of how the network is used and where data might be stored.
I haven't done a lot of work with passive scanning, but I have played with NetworkMiner. NetworkMiner is a Windows-based tool that was ported to Linux/Unix. You could also consider using packet capturing software such as Wireshark or TCPDump; of course there might be more work on the back end to figure out what hosts and ports are being used. Hmm, that's an interesting idea. I wonder if you could make a network mapping extension to TCPDump?
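A bare-bones version of that idea, added here as an example and not part of the original post or any tool it mentions: it reads the text that `tcpdump -n` prints (a constructed sample below, not a real capture) and infers which hosts are alive and which ports they actually answer on. The FTP server on 192.168.10.107 is never used during the sample, so it never shows up, which is exactly the limitation described above.

```python
import re

# Constructed sample of "tcpdump -n" output: a web and SSH session to .107, a DNS
# lookup against .1, and an ARP request. .107 also runs FTP, but nobody uses it here.
SAMPLE_CAPTURE = """\
14:02:11.123456 IP 192.168.10.5.51234 > 192.168.10.107.80: Flags [S], seq 100, win 64240, length 0
14:02:11.123999 IP 192.168.10.107.80 > 192.168.10.5.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
14:02:12.000001 IP 192.168.10.9.40000 > 192.168.10.107.22: Flags [S], seq 300, win 64240, length 0
14:02:12.000500 IP 192.168.10.107.22 > 192.168.10.9.40000: Flags [S.], seq 400, ack 301, win 65535, length 0
14:02:13.000000 IP 192.168.10.9.53211 > 192.168.10.1.53: 1234+ A? example.com. (29)
14:02:13.000400 IP 192.168.10.1.53 > 192.168.10.9.53211: 1234 1/0/0 A 203.0.113.10 (45)
14:02:14.000000 ARP, Request who-has 192.168.10.1 tell 192.168.10.5, length 28
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>" is the shape of every IPv4 line
IP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def passive_map(capture_text):
    """Infer live hosts and the ports they answer on, from captured traffic only.

    A port counts as a service when the host is seen answering on it: a TCP
    SYN-ACK ("Flags [S.]") sent from the port, or a UDP reply coming back from
    a port an earlier datagram was addressed to. Hosts seen only as clients are
    listed with no ports. Returns {host: sorted list of ports}.
    """
    hosts = {}
    pending_udp = set()  # (client, cport, server, sport) of datagrams not yet answered
    for line in capture_text.splitlines():
        m = IP_LINE.match(line)
        if not m:
            continue  # ARP and other non-IP lines carry no port information
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        hosts.setdefault(src, set())  # both ends are alive, even if they offer nothing
        hosts.setdefault(dst, set())
        if m["rest"].startswith("Flags ["):  # TCP segment
            if "Flags [S.]" in m["rest"]:
                hosts[src].add(sport)
        elif (dst, dport, src, sport) in pending_udp:  # answer to a datagram we saw go out
            hosts[src].add(sport)
        else:
            pending_udp.add((src, sport, dst, dport))
    return {h: sorted(p) for h, p in hosts.items()}


if __name__ == "__main__":
    for host, ports in sorted(passive_map(SAMPLE_CAPTURE).items()):
        print(host, ports or "(client only)")
```

Pipe a real `tcpdump -n` run into it and you get the same kind of host/port inventory, with the same blind spot: a service nobody talks to stays invisible.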
Exercise
Since we've talked about a couple of different tools (and since we have a cool lab to play in) I would recommend trying each scanner in turn. It's a good idea to understand what each tool is capable of before it's used on a production network. I would also highly recommend looking through the plethora of options nmap offers. It's also interesting to fire up Wireshark or TCPDump on your target machine so you can get an idea of what each scanner is actually doing.