The importance of reconnaissance in vulnerability discovery and penetration testing is usually overlooked. Network security personnel with little training or experience will often begin their analysis by finding a few target systems and immediately attempt to compromise their security with user/password logins and vulnerability penetration tests. These premature attempts to compromise pseudo-random hosts are likely to trigger alerts on intrusion prevention systems, firewalls, and host-based security controls.
This is a mistake. The criticality of reconnaissance cannot be overstated. That’s why the more experienced penetration testers take a slow and methodical approach to hacking. They know that identifying networks, hosts, and services is much easier to do before an attack begins and allows them to attack only targets that are likely to produce the desired outcome.
Reconnaissance should be performed from two perspectives during a penetration test. In most cases, the tester will first perform external reconnaissance to reconnoiter the external-facing and DMZ hosts of an organization from the Internet. These are the systems that a typical attacker will initially identify prior to any focused compromise. If the penetration tester has or gains access to an internal network, he will also perform internal reconnaissance to continue enumerating hosts.
The concepts of external and internal reconnaissance are similar. They mainly differ in the tools used, as most Internet-facing perimeter and DMZ hosts are limited to running Internet-capable services like HTTP and SMTP. The tools for external reconnaissance are therefore focused on enumerating hosts and services of that kind, rather than services that primarily run inside a company's LAN.
One of my favorite tools for performing external reconnaissance is Nmap, a free open-source tool designed specifically for network scanning and enumeration.
Nmap can be used for either internal or external network reconnaissance. I prefer it for external reconnaissance as it tends to do a great job with banner grabbing and host operating system identification over the Internet.
Being a Windows administrator as well as a security guru, I can use both command-line and GUI tools. Luckily Nmap goes both ways! The standard Windows distribution of Nmap includes Zenmap, a GUI front-end for the command-line tool. You can also download Mac OS X and Linux distributions from the same page.
The Windows distribution of Nmap also includes hooks to install WinPcap if needed on the system, which enables Nmap to listen in promiscuous mode for scan results. WinPcap is a critical component for running Nmap so don’t skip it if you plan to use the tool. Of course, all of these tools are free.
Once you’re finished installing, fire up Zenmap and you’ll see the default configuration as shown in Figure 1.
Figure 1. The default Zenmap startup screen.
To reconnoiter a set of hosts, simply type in a valid IP address range in the Target field, select a Profile to determine the type of scan performed, and then click Scan. You can type a list of systems, a range of IP addresses, a group of FQDNs, or even a network address in CIDR notation. I typically scan groups of systems unless I’m concerned about setting off intrusion detection systems (IDS) or firewall alerts. In Figure 2 I’m scanning the 10.1.10.1/24 network using the Regular scan method.
Figure 2. Zenmap is targeting the /24 (24-bit) subnet.
It is important to note that selecting a different scan profile changes the command shown directly below the Target and Profile boxes. For example, when I change the Profile to Slow comprehensive scan the Command changes to:
Zenmap does a great job of automating the command-line construction and helping ensure that the proper switches are included. Even better, Zenmap keeps track of case-sensitive command-line switches, e.g., remembering that -t and -T are different in Nmap.
Once I click Scan the tool begins to probe and gather data. By default Nmap begins with a ping sweep, which often sets off external intrusion detection systems but is frequently ignored on internal networks. Nmap continuously updates both the hosts column on the left and the raw output in the Nmap Output field on the right. A completed Nmap scan of 10.1.10.1/24 for my network is shown in the Zenmap GUI in Figure 3.
Figure 3. The results of the Nmap scan shown in Zenmap (partially obscured).
I’ve blurred out individual host names to protect the innocent. I’ve also intentionally cropped the host names listed in the left column to hide the identity of internal and perimeter hosts. Even so, you can plainly see the richness of data gathered by Nmap’s regular scan, which typically includes:
- Host name as FQDN or NetBIOS name
- IP address
- Open ports and corresponding services
- MAC address and corresponding NIC manufacturer
- Output of any banner-grabbing activity
I believe that Nmap provides more data than is apparent at first glance. It just takes a bit of analysis on the part of the penetration tester to put the data together and form conclusions.
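One way to put that data together is to read it out of an Nmap XML report (the -oX output format) rather than eyeballing the raw output. The code below is an added example, not the author's or the Nmap project's code; the XML it parses is a constructed sample with made-up addresses, names and MAC, not the scan from Figure 3.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX XML layout (made-up addresses, name and MAC),
# standing in for a saved report; it is not the author's scan from Figure 3.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 10.1.10.0/24">
 <host><status state="up"/>
  <address addr="10.1.10.100" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
  <hostnames><hostname name="mail.example.test" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="25"><state state="open"/>
    <service name="smtp" product="Postfix smtpd"/></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="https" product="Apache httpd" version="2.4"/></port>
   <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
  </ports></host>
 <host><status state="down"/><address addr="10.1.10.101" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_inventory(xml_text):
    """One dict per live host: ip, hostname, mac, vendor and open (port, proto, service, banner)."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # never answered host discovery; nothing to inventory
        entry = {"ip": None, "hostname": None, "mac": None, "vendor": None, "open": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":  # MAC + NIC vendor only appear on the local LAN
                entry["mac"], entry["vendor"] = addr.get("addr"), addr.get("vendor")
            else:
                entry["ip"] = addr.get("addr")
        name = host.find("hostnames/hostname")
        entry["hostname"] = name.get("name") if name is not None else None
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposed services
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            # product + version is the banner-grabbing result Nmap recorded for the port
            banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            entry["open"].append((int(port.get("portid")), port.get("protocol"), service, banner))
        hosts.append(entry)
    return hosts
```

Each entry carries exactly the five kinds of data listed above, so a tester or a defender auditing their own perimeter can diff successive scans instead of re-reading the Nmap Output pane.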
In that spirit, I challenge you to look at the results of 10.1.10.100 in Figure 3 and answer the following questions about this host:
- What operating system is running?
- Does this host serve as a client or server in the organization?
- Is this host directly connected to the Internet?
- What business services or roles does this host provide?
The data is all there. Have at it!
What Do I Do With This Test?
Once you’ve conducted the test you will have a fairly complete list of active network hosts and the services running on those hosts. Although the list is probably not complete, you can use it to either begin selecting targets for further penetration testing or begin probing for other hosts based on the data you’ve collected.
So now you know how to use a free tool to reconnoiter your perimeter and DMZ network hosts. And knowing is half the battle!
Mike Danseglio teaches Security classes at Interface Technical Training. His classes can be attended in Phoenix, Arizona or online from anywhere in the world with RemoteLive.