4.0 Operations and Incident Response

4.1 Given a scenario, use the appropriate tool to assess organizational security

Last edited 713 days ago by Makiel [Muh-Keel].

🔍Network Reconnaissance and Discovery

There are several command-line tools built into Windows, Linux and macOS (or freely installable on them) that can be used for reconnaissance. Here are a few:

traceroute - tracert

traceroute (Linux, macOS and other POSIX systems) / tracert (Windows) shows the route that packets take to reach a network host. It displays the IP address of each router between the source and the destination, together with the round-trip time to each one.
The information displayed by traceroute comes from the routers along the path: each router that drops a probe returns an ICMP Time Exceeded error message (type 11), and the source address of that message identifies the hop.
traceroute sends UDP probes to high-numbered ports by default (ICMP with -I, TCP with -T on Linux), whereas tracert on Windows sends ICMP Echo Requests. Firewalls often treat these differently, so the same path can show different responding (or silent, printed as *) hops depending on which tool you use.
Both take advantage of the TTL (Time-To-Live) field in the IP header.
TTL is a value within the IP packet that designates how many hops (routers) the packet may pass through: each router decrements it by one and drops the packet when it reaches zero, sending the Time Exceeded message back to the sender.
This is commonly used to prevent packets from circulating forever in a routing loop, but it is also what makes traceroute work: the tool sends probes with TTL 1, then 2, then 3, and so on, so each successive probe expires one router further along the path and that router reveals itself.

While tracert is not a security tool per se, it can provide valuable information for security assessments in the following ways:
Network Topology Discovery: tracert can help map out the network topology of an organization by showing the path that packets take to reach a destination. This can help identify potential weak points in the network that may be vulnerable to attacks.
Identifying Misconfigurations: If the route that packets are taking is not what's expected, it could indicate a misconfiguration in the network that could potentially be exploited by an attacker.
Identifying Unexpected Devices: Each hop in the trace route represents a network device that is accepting and forwarding packets. A hop that shouldn't be there (an unknown router, or traffic leaving the organization's address space where it was expected to stay internal) can indicate a rogue device or a routing change worth investigating. Note that traceroute reveals the forwarding path, not open ports; a port scanner is needed for that.
Latency Issues: High response times could indicate network issues that, while not directly security-related, could impact the effectiveness of time-sensitive security measures.
Third-Party Dependencies: If the trace route passes through networks outside of the organization's control, this could indicate a reliance on third-party networks. This is important to know from a security perspective as these networks could be a potential point of vulnerability.
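The topology and third-party points above become actionable once the hops are compared against the address space the organization actually controls. The following is an added example (not part of the original notes): it parses `traceroute -n` style output and labels each hop as internal, external or silent. The trace text and the ORG_PREFIXES list are constructed assumptions; substitute your own output and prefixes.

```python
"""Flag traceroute hops that lie outside address space the organization controls.

Added example (not from the original notes). Assumes `traceroute -n` style
output (numeric hops, no hostnames); the sample trace and ORG_PREFIXES are
constructed values for illustration.
"""
import ipaddress
import re

# Constructed sample: Linux `traceroute -n` output (hop number, IP, three RTTs).
SAMPLE_TRACE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  10.0.0.1  0.412 ms  0.388 ms  0.360 ms
 2  10.0.1.1  1.021 ms  0.998 ms  1.100 ms
 3  198.51.100.1  4.210 ms  4.190 ms  4.300 ms
 4  * * *
 5  203.0.113.10  9.871 ms  9.650 ms  9.900 ms
"""

# Prefixes the organization administers (assumption for the example).
ORG_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

# hop number, then either an IP address or '*', then optionally the first RTT
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+([\d.]+) ms)?")

def parse_hops(text):
    """Return a list of (hop_number, ip_or_None, first_rtt_ms_or_None)."""
    hops = []
    for line in text.splitlines()[1:]:        # skip the 'traceroute to ...' header
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, addr = int(m.group(1)), m.group(2)
        if addr == "*":
            hops.append((hop, None, None))     # no ICMP Time Exceeded before the timeout
            continue
        rtt = float(m.group(3)) if m.group(3) else None
        hops.append((hop, addr, rtt))
    return hops

def classify_hops(hops, org_prefixes):
    """Label each hop 'internal' (in our prefixes), 'external' or 'silent'."""
    result = []
    for hop, addr, _rtt in hops:
        if addr is None:
            label = "silent"
        else:
            ip = ipaddress.ip_address(addr)
            label = "internal" if any(ip in p for p in org_prefixes) else "external"
        result.append((hop, addr, label))
    return result

def third_party_hops(text, org_prefixes=ORG_PREFIXES):
    """IP addresses of hops the organization does not control."""
    return [addr for _, addr, label in classify_hops(parse_hops(text), org_prefixes)
            if label == "external"]

if __name__ == "__main__":
    for hop, addr, label in classify_hops(parse_hops(SAMPLE_TRACE), ORG_PREFIXES):
        print(f"{hop:>2}  {addr or '*':<16} {label}")
```

A silent hop is not evidence of a problem by itself; many routers rate-limit or drop ICMP Time Exceeded. An external hop between two internal ones, on the other hand, is exactly the kind of unexpected path the notes describe.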


Nslookup / Dig

Another useful reconnaissance tool is querying a name server to gather information about the devices that might be on a network. We can do this with two common commands. One is the nslookup command, and the other is the dig command.
nslookup is available on Windows, macOS and Linux; dig ships with most Linux distributions and macOS and can be installed separately on Windows. Both are primarily used to troubleshoot DNS servers to ensure they are correctly translating domain names into IP addresses, and dig additionally shows the raw record data and response flags.
These command line tools can provide valuable information for security assessments in the following ways:
Domain and Subdomain Discovery: nslookup and dig can be used to discover domains and subdomains associated with an organization. This can help identify potential targets for attacks like phishing or subdomain takeover.
DNS Record Analysis: These tools can be used to retrieve various DNS records (like A, AAAA, CNAME, MX, NS, SOA, and TXT records), for example dig example.com MX or nslookup -type=MX example.com.
These records can provide valuable information about the organization's network infrastructure, such as IP addresses of servers, mail servers, SPF and DMARC policies in TXT records, and so on.
DNS Server Configuration: By querying the DNS servers of an organization, you can assess their configuration.
Misconfigured DNS servers can lead to security vulnerabilities; the classic check is an open zone transfer (dig AXFR example.com @ns1.example.com), which hands the entire zone to anyone who asks if the server does not restrict it.
DNSSEC Validation: dig can be used to check if DNSSEC (a set of extensions to DNS which provide cryptographic signing of data to protect against domain spoofing) is implemented and working correctly: dig +dnssec example.com returns the RRSIG records alongside the answer, and a validating resolver sets the ad (authenticated data) flag in the response.
Information Gathering for Social Engineering: The information gathered from these tools can be used for social engineering attacks.
For example, the MX records can reveal the mail servers used by the organization, which can then be used to craft more convincing phishing emails.
Identifying Third-Party Dependencies: DNS records can also reveal third-party services that an organization is using, such as email service providers, CDNs, or cloud services.
These could represent additional attack vectors.
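The records that nslookup and dig print are the decoded form of a small binary protocol, and understanding it helps when reading packet captures or writing your own checks. The following is an added example (not from the original notes): it builds a DNS query exactly as the tools send it and decodes a response, including the name-compression pointers that real servers use. The response bytes are constructed here so the code runs offline; only A, MX and TXT record data are decoded.

```python
"""Build a DNS query and decode a DNS response at the wire level, which is
what nslookup and dig do underneath.

Added example, not from the original notes. The response below is constructed
so the code runs offline; the same build_query() bytes can be sent over UDP to
port 53 of a real resolver and the reply fed to parse_response().
"""
import struct

TYPE_A, TYPE_MX, TYPE_TXT = 1, 15, 16
TYPE_NAMES = {TYPE_A: "A", TYPE_MX: "MX", TYPE_TXT: "TXT"}

def encode_name(name):
    """RFC 1035 label format: a length byte before each label, then a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """12-byte header (RD flag set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN

def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:            # two-byte compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2               # where to resume after following it
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg):
    """Return (txid, rcode, answers); answers are (name, type, ttl, value) tuples."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F                     # 0 NOERROR, 3 NXDOMAIN, ...
    offset = 12
    for _ in range(qdcount):                   # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                            # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_MX:                 # preference + (possibly compressed) host
            value = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, offset + 2)[0])
        elif rtype == TYPE_TXT:                # first <length><text> chunk
            value = rdata[1:1 + rdata[0]].decode()
        else:
            value = rdata
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
        offset += rdlen
    return txid, rcode, answers

# Constructed reply to an MX query for example.com: two MX records whose owner
# name is a compression pointer (0xc00c) back to the question name at offset 12.
QUERY = build_query("example.com", TYPE_MX)

def _mx_rr(pref, host, ttl=3600):
    rdata = struct.pack("!H", pref) + encode_name(host)
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, 1, ttl, len(rdata)) + rdata

SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR, RD, RA set
                   + QUERY[12:]
                   + _mx_rr(10, "mail1.example.com")
                   + _mx_rr(20, "mail2.example.com"))

if __name__ == "__main__":
    txid, rcode, answers = parse_response(SAMPLE_RESPONSE)
    print(f"id={txid:#06x} rcode={rcode}")
    for name, rtype, ttl, value in answers:
        print(f"{name}\t{ttl}\t{rtype}\t{value}")
```

The transaction ID and the echoed question are what a client checks to match a reply to its query; a resolver that accepts replies without checking them is what DNS cache poisoning exploits.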


ipconfig/ifconfig

ipconfig (on Windows) and ifconfig (on macOS, BSD and older Linux systems; current Linux distributions use ip addr from iproute2 and may not ship ifconfig at all) are command-line tools used for displaying and managing network interface configurations on a system.
While they are not reconnaissance tools in the traditional sense, they can provide valuable information about the system they are run on, which can be useful for both defensive and offensive network reconnaissance.
Here's how ipconfig and ifconfig can be used for security assessments:
Identifying Network Interfaces: ipconfig and ifconfig can list all network interfaces on a system, including Ethernet, Wi-Fi, and virtual interfaces.
This can help identify potential communication channels that need to be secured.
IP Address Discovery: These commands display the IP addresses assigned to each network interface. This includes both public and private IPv4 and IPv6 addresses.
Knowing the IP address can help identify the network segment the system is on and can be a starting point for network scanning for vulnerabilities.
Subnet Mask and Default Gateway: ipconfig and ifconfig also display the subnet mask and default gateway for each interface.
This information can help determine the network's size and layout and identify the router that needs to be secured.
DHCP Server: If the system is using DHCP to obtain its IP configuration, ipconfig /all displays the IP address of the DHCP server that issued the lease, along with the lease times.
This server should be secured to prevent DHCP spoofing attacks.
DNS Servers: ipconfig can display the IP addresses of the DNS servers the system is using. These servers should be secured to prevent DNS spoofing or poisoning attacks.
MAC Address: ifconfig (and ipconfig /all) displays the MAC address of each network interface. MAC addresses are not secret, but they are the identifier that MAC spoofing, MAC flooding and switch port-security bypasses revolve around, so record them when inventorying a segment.
Identifying Misconfigurations: By examining the output of ipconfig or ifconfig, you might be able to identify misconfigurations that could lead to security vulnerabilities.
For example, a system should not have more open network interfaces than necessary.

nmap

Scanning for systems, ports, and vulnerabilities is a common task for security practitioners and network administrators. Discovering devices and identifying the services they provide as well as any vulnerabilities that exist is necessary for defenders, penetration testing teams, and attackers.
Nmap, short for Network Mapper, is a free and open-source tool used for network discovery and security auditing. It's widely used by security researchers and network administrators to explore networks, perform security scans, and detect network vulnerabilities.
Here's how Nmap can be used to assess an organization's security:
Host Discovery: Nmap can be used to identify active hosts on a network (nmap -sn 10.0.0.0/24 sends probes without scanning ports). This is often the first step in a security assessment, as it allows you to identify the devices that are present on a network.
Port Scanning: Nmap is perhaps best known for its ability to perform port scans. By scanning the ports on a host (a SYN scan with -sS, which needs raw-socket privileges, or a full TCP connect scan with -sT; -p selects the ports), Nmap can identify which ports are open and what services are likely running on those ports.
This can help identify potential points of entry for an attacker.
Version Detection: With -sV, Nmap sends protocol-specific probes to each open port and attempts to identify the service and its version. This can be useful for identifying outdated software that may be vulnerable to known exploits.
OS Detection: With -O, Nmap can often determine the operating system of a host based on characteristics of its TCP/IP stack. This can help identify potential vulnerabilities specific to that operating system.
Scriptable Interaction: Nmap includes the Nmap Scripting Engine (NSE, invoked with --script or -sC for the default set), which can automate a wide variety of networking tasks. These scripts can perform more advanced service detection, vulnerability detection, and other complex tasks.
Vulnerability Detection: With its scripting engine (for example --script vuln), Nmap can check for specific vulnerabilities, making it a valuable tool for vulnerability assessments and penetration testing. Results can be saved in machine-readable XML with -oX for further processing.

Nessus

Nessus is a widely used proprietary vulnerability scanner developed by Tenable Network Security. It's designed to automate the process of testing networked systems for known vulnerabilities.
Here's how Nessus can be used to assess an organization's security:
Vulnerability Scanning: Nessus can scan a network for known vulnerabilities. It uses a constantly updated database of vulnerability checks, which include software flaws, misconfigurations, and missing updates.
Compliance Checking: Nessus can check systems for compliance with various security standards and best practices, such as PCI DSS, HIPAA, and more. This can be useful for organizations that need to demonstrate compliance with these standards.
System Hardening: Nessus can provide recommendations for hardening systems against attacks, such as disabling unnecessary services, closing unnecessary ports, and applying patches.
Web Application Scanning: Nessus can also scan web applications for vulnerabilities, such as SQL injection, cross-site scripting (XSS), and more.
Sensitive Data Identification: Nessus can identify systems that are storing sensitive data, such as credit card numbers, Social Security numbers, and more. This can help organizations protect these systems.
Now, comparing Nessus with Nmap:
Purpose: While both tools are used in the field of network security, they serve different purposes. Nmap is primarily a network exploration tool and port scanner, used to discover hosts and services on a network. Nessus, on the other hand, is a vulnerability scanner, used to find vulnerabilities in discovered hosts.
Functionality: Nmap uses IP packets to identify which hosts are available, what services (application name and version) those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nessus takes this a step further by running thousands of individual vulnerability checks against the discovered services to identify potential security issues.
Open Source vs Proprietary: Nmap is open-source and free to use, while Nessus is a commercial product, with a free but limited version available.
Ease of Use: Nessus provides a user-friendly web interface, which makes it easier for beginners to use, while Nmap is typically used via the command line, though it does have a GUI version called Zenmap.

ping / pathping

ping and pathping are network diagnostic tools. ping is built into every major operating system; pathping is Windows-only (on Linux and macOS, mtr gives the same combination of a traceroute and per-hop loss statistics). While they are not security tools per se, they can provide valuable information for security assessments.
Ping: The ping command is used to test the reachability of a host on an IP network and to measure the round-trip time for packets sent from the originating host to a destination computer. From a security perspective, ping can be used to:
Identify Active Hosts: By pinging IP addresses within a network, you can identify which hosts are active. This can help you understand the size and structure of a network, which is the first step in a security assessment.
Detect Network Issues: High ping response times or packet loss could indicate network issues that, while not directly security-related, could impact the effectiveness of time-sensitive security measures.
Pathping: The pathping command provides information about network latency and network loss at intermediate hops between a source and destination. This can be useful for:
Network Topology Discovery: pathping can help map out the network topology of an organization by showing the path that packets take to reach a destination. This can help identify potential weak points in the network that may be vulnerable to attacks.
Identifying Network Performance Issues: pathping provides information about network latency and packet loss at each hop along the route. This can help identify network performance issues that could impact security measures.

hping

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features. The current version is hping3.
Penetration testers and security analysts sometimes need to build a custom packet to test for an issue or a vulnerability, or to see if a firewall will respond properly.
Here's how hping can be used to assess an organization's security:
Firewall Rules Testing: hping can be used to test firewall rules. By sending packets with specific characteristics (such as certain flags set, or specific source or destination ports), you can determine how the firewall handles different types of traffic.
Port Scanning: hping can be used to perform port scanning by sending TCP SYN packets to specific ports and observing the responses (hping3 -S -p 443 host for one port, or hping3 -8 1-1024 -S host in scan mode); a SYN/ACK reply means open, a RST means closed, and silence usually means filtered.
Network Performance Testing: hping can be used to perform stress testing on network devices and firewalls by generating traffic at a specified rate.
IDS/IPS Evasion: hping can be used to test the effectiveness of intrusion detection and prevention systems by crafting packets in a way that might evade detection.
OS Fingerprinting: hping can be used to perform OS fingerprinting by observing how different systems respond to certain types of packets.
Traceroute-like Operations: hping can be used to perform traceroute-like operations using different protocols, which can help map out network paths and identify potential weak points.
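What hping (and, for ICMP, ping) actually does is assemble packets byte by byte, including the checksums that a stack normally fills in for you. The following is an added example (not from the original notes or from the hping project) that builds an ICMP Echo Request as ping sends it and a TCP segment with hping-style flag letters, and checks the checksums the way a receiver would. It only builds the bytes; sending them requires a raw socket and root or Administrator rights, which is deliberately left out so the code runs anywhere. The addresses and ports are made-up values.

```python
"""Assemble ICMP Echo and TCP segments with valid checksums, as ping and hping
do before handing them to the network.

Added example, not from the original notes or from the hping project. Sending
would use socket.socket(AF_INET, SOCK_RAW, IPPROTO_TCP) with an IP header of
your own; that step needs privileges and is left out. All values are made up.
"""
import socket
import struct

# hping's single-letter flags: -F -S -R -P -A -U
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_echo(ident, seq, payload=b"abcdefgh"):
    """ICMP Echo Request (type 8, code 0), the packet ping sends."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def tcp_segment(src_ip, dst_ip, sport, dport, flags="S", seq=0, ack=0, window=64240):
    """20-byte TCP header, no options; `flags` uses hping letters, e.g. 'SA'."""
    flag_bits = 0
    for letter in flags.upper():
        flag_bits |= TCP_FLAGS[letter]
    offset_flags = (5 << 12) | flag_bits       # data offset = 5 words = 20 bytes

    def pack(csum):
        return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                           offset_flags, window, csum, 0)

    return pack(checksum(pseudo_header(src_ip, dst_ip, 20) + pack(0)))

def tcp_flag_letters(segment):
    """Decode the flag byte of a segment (a SYN/ACK reply comes back as 'SA')."""
    bits = segment[13]
    return "".join(l for l, b in TCP_FLAGS.items() if bits & b)

def verify_tcp(src_ip, dst_ip, segment):
    """With a correct checksum, summing pseudo-header + segment gives zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

if __name__ == "__main__":
    syn = tcp_segment("10.0.0.5", "10.0.0.9", 40000, 80, "S")
    print("SYN:", syn.hex(), "flags:", tcp_flag_letters(syn),
          "valid:", verify_tcp("10.0.0.5", "10.0.0.9", syn))
    print("ICMP echo:", icmp_echo(0x1234, 1).hex())
```

The flag-letter encoding is the reason hping is useful for firewall testing: a stateful firewall should drop a bare ACK (hping3 -A) to a port it never saw a SYN for, while a stateless packet filter often lets it through.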

netstat

netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface and network protocol statistics. It is available on Unix, Unix-like, and Windows operating systems.
Here's how netstat can be used to assess an organization's security:
Identifying Open Ports and Established Connections: netstat can be used to list all open ports on a system and all established network connections. This can help identify services that are running and shouldn't be, or connections that shouldn't exist, both of which could indicate a security issue.
Identifying Listening Services: netstat can show which services are listening for incoming connections. Services that are listening for connections can be potential targets for attackers, so it's important to only have necessary services listening.
Checking for Unexpected or Unusual Network Traffic: By examining the output of netstat, you can identify unexpected or unusual network traffic which could indicate a security breach. For example, a process holding a persistent outbound connection to an unfamiliar external address, or many connections from one system to the same unknown host, could indicate communication with a botnet command and control server.
Identifying the Protocol: netstat can help identify the protocol (TCP or UDP) being used for each connection, which can be useful in identifying potential security risks or issues.
Verifying Network Statistics: netstat can display statistics for the network protocols being used, which can help identify errors or issues that could impact network security or performance.

netstat -a

The netstat -a command is used to display all active network connections and the TCP and UDP ports on which the computer is listening.
This includes both incoming and outgoing connections, as well as current TCP/IP network connections.
image.png

netstat -b

The netstat -b command is a very useful command for network and security troubleshooting on Windows systems. The -b option displays the executable involved in creating each connection or listening port; it requires an elevated (Administrator) command prompt. netstat -o shows the owning process ID instead and works without elevation (match the PID with tasklist). The Linux equivalent is ss -tulpn (or netstat -tulpn where net-tools is installed).
In other words, it shows you which applications are using network resources.
image.png

netstat -n

The netstat -n command displays active TCP connections (combine it with -a to include listening ports as well).
The -n option instructs the command to display addresses and port numbers in numerical form.
By default, netstat tries to resolve numerical addresses and port numbers to their respective host names and service names, which can take some time because it issues a reverse DNS lookup for every remote address.
Using -n skips these name-resolution steps, so the command runs faster and the output cannot be dressed up by whoever controls the reverse DNS for a remote address.

Differences

The netstat command is a versatile tool used for network troubleshooting and statistics review. The -a, -b, and -n options each change what is shown and how, and they are commonly combined (for example netstat -ano or netstat -abn):
netstat -a: displays every active connection and every TCP and UDP port on which the computer is listening, incoming and outgoing.
It's useful for getting a broad overview of network activity on a system.
netstat -b: adds the executable involved in creating each connection or listening port, which is the quickest way to spot an unfamiliar program that is making network connections.
It requires administrative privileges on Windows.
netstat -n: shows addresses and port numbers in numerical form rather than attempting to resolve them to hostnames or service names.
This makes the command run faster, as it doesn't need to perform any name resolution.
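Reading netstat output by eye does not scale past a handful of hosts, and the two questions that matter most (what listens on every interface, and where are established connections going) are easy to automate. The following is an added example (not from the original notes): it parses Windows netstat -ano style output, lists wildcard listeners with their PIDs, and counts established connections to addresses outside the organization. The netstat lines and ORG_PREFIXES are constructed assumptions.

```python
"""Triage `netstat -ano` output: which ports listen on every interface, and
which established connections go to addresses outside the organization.

Added example, not from the original notes. The netstat lines are a
constructed Windows-style sample; ORG_PREFIXES is an assumed list of prefixes
the organization owns.
"""
import ipaddress
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       6032
  TCP    10.0.0.5:49710         198.51.100.23:443      ESTABLISHED     4120
  TCP    10.0.0.5:49711         198.51.100.23:443      ESTABLISHED     4120
  TCP    10.0.0.5:49730         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2004
"""

ORG_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

def split_endpoint(text):
    """'10.0.0.5:443' -> ('10.0.0.5', 443); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Parse TCP/UDP rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows have no State column
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign), "state": state,
                     "pid": int(parts[-1])})          # PID is always the last field
    return rows

def wildcard_listeners(rows):
    """(proto, port, pid) for sockets bound to every interface (0.0.0.0 or ::)."""
    return [(r["proto"], r["local"][1], r["pid"]) for r in rows
            if r["local"][0] in ("0.0.0.0", "::")
            and (r["state"] == "LISTENING" or r["proto"] == "UDP")]

def external_connections(rows, org_prefixes=ORG_PREFIXES):
    """Counter of remote IP -> number of ESTABLISHED connections outside the org."""
    counts = Counter()
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        ip = ipaddress.ip_address(r["foreign"][0])
        if not any(ip in p for p in org_prefixes):
            counts[str(ip)] += 1
    return counts

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening on all interfaces:", wildcard_listeners(rows))
    print("external connections:", dict(external_connections(rows)))
```

The PID column is the pivot to the rest of an investigation: tasklist /fi "PID eq 4120" (or ps -p on Linux) names the process behind the external connections.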

😺netcat

netcat (also known as nc) is a versatile networking utility that can read from and write to network connections using TCP or UDP. netcat is often referred to as the "Swiss Army knife" of networking tools because of its flexibility and functionality.
Here's how netcat can be used to assess an organization's security:
Port Scanning: netcat can be used to perform basic port scanning. By attempting to connect to ports on a host, netcat can identify open ports that could be potential entry points for an attacker.
Banner Grabbing: netcat can be used to perform banner grabbing, which is a technique used to gain information about a computer system on a network and the services running on its open ports (for example nc -v host 25 to read an SMTP greeting). This information can be useful in identifying potential vulnerabilities in web servers, FTP servers, and mail servers.
A banner often names the software and its version, and sometimes the OS distribution it was packaged for, so it can be used to infer a machine's OS and which protocol version is being run.
Transferring Files: netcat can be used to transfer files between machines (a listener redirecting to a file on one side, nc host port < file on the other; the exact listener syntax varies between netcat versions), which can be useful in testing the effectiveness of data loss prevention (DLP) measures.
It can also listen on a port (nc -l) and send or receive arbitrary traffic on that port, which is how it is used to stand in for a service or to check whether a firewall lets a connection through.
Creating Backdoors: netcat can be used to create backdoors for remote access, which can be useful in penetration testing scenarios.
Network Debugging: netcat can be used to manually send and receive packets, which can be useful in debugging network applications and firewall rules.
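The banner-grab and connect-test uses above are a few lines of socket code, which is worth seeing because netcat is not always installed on a host you are assessing. The following is an added example (not from the original notes or from the netcat project): a throwaway listener on 127.0.0.1 plays the target service so it runs offline, and the banner text is constructed; point grab_banner() and port_open() at a real host and port to use them for real.

```python
"""Banner grabbing and a TCP connect test, the way `nc -v host port` and
`nc -zv host port` are used.

Added example, not from the original notes or from the netcat project. A
throwaway listener on 127.0.0.1 stands in for the target service so the code
runs offline; the banner text is constructed.
"""
import socket
import threading

FAKE_BANNER = b"220 mail.example.com ESMTP Postfix (Ubuntu)\r\n"   # constructed

def start_fake_service(banner=FAKE_BANNER):
    """Listen on an ephemeral localhost port, greet one client with `banner`, exit.
    Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect and return whatever the service volunteers first, or None if the
    port is closed or nothing arrives before the timeout (many services, e.g.
    HTTP, say nothing until the client speaks)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(max_bytes)
    except OSError:                      # refused, unreachable, or timed out
        return None
    return data.decode(errors="replace").strip() or None

def port_open(host, port, timeout=1.0):
    """Plain TCP connect test: True if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def closed_port():
    """Find a localhost port that is currently closed (bind, read it, release it)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    port = start_fake_service()
    print(f"banner on {port}: {grab_banner('127.0.0.1', port)!r}")
    print(f"closed port open? {port_open('127.0.0.1', closed_port())}")
```

Because a connect test completes the handshake, it shows up in the target's logs just like a real client; that is the trade-off against a SYN scan, which needs raw sockets.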

🧭IP Scanners

IP Scanners, also known as network scanners, are tools that are used to identify all the devices on a network.
They work by sending packets to IP addresses within a specified range and then listening for responses.
This allows them to determine which IP addresses are in use and, often, to gather additional information about the devices using those addresses.
Here's how IP scanners can be used to assess an organization's security:
Network Mapping: The first step in securing a network is understanding what devices are on it. An IP scanner can provide a list of all devices, often along with additional information such as the device's hostname, MAC address, and open network ports.
Identifying Unauthorized Devices: Once you have a map of the network, you can identify any devices that shouldn't be there. Unauthorized devices on a network can pose a significant security risk.
Vulnerability Assessment: Many IP scanners can also identify the operating system of a device and even run checks for common vulnerabilities. This can help identify potential weak points in the network's security.
Monitoring: Regularly scanning the network can help identify changes, such as new devices or newly opened ports, that could indicate a security issue.

🗺️arp

The Address Resolution Protocol (ARP) is a protocol used to map an IP address to a physical (MAC) address on a local network. The arp command (arp -a on both Windows and Linux) displays the system's ARP cache, i.e. the IP-to-MAC mappings it has learned.
While ARP itself is not a security tool, understanding and monitoring ARP can play a crucial role in assessing and ensuring organizational security.
Here's how ARP can be used in the context of security:
Detecting ARP Spoofing (ARP Poisoning): ARP spoofing is a type of attack where an attacker sends falsified ARP messages over a local area network to link their MAC address with the IP address of another host (usually the default gateway).
This can allow the attacker to intercept, modify, or stop traffic to that IP address.
By monitoring ARP traffic and looking for anomalies (like multiple IP addresses associated with the same MAC address or rapid changes in MAC-to-IP associations), you can detect potential ARP spoofing attacks.
Network Mapping: ARP requests and responses can be used to map out devices on a local network, as they reveal the IP and MAC addresses of the network's devices. This can be useful for identifying unauthorized devices on the network.
Identifying IP Conflicts: If two devices on the network are using the same IP address, each will answer ARP requests for it with its own MAC address.
This can be detected by monitoring ARP traffic, as the MAC address associated with that IP address will keep changing.
MAC Address Vendor Lookup: The first three octets (24 bits) of a MAC address are the Organizationally Unique Identifier (OUI), assigned by the IEEE to the manufacturer.
By looking up this identifier, you can determine the manufacturer of a network device.
This can be useful in identifying the types of devices on your network and potential vulnerabilities associated with specific device types or manufacturers.
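The spoofing and conflict indicators above can be checked directly from an ARP cache dump. The following is an added example (not from the original notes): it parses arp -a output in both the Windows and Linux formats, reports any unicast MAC address that claims more than one IP (the ARP-poisoning pattern), and does a vendor lookup. Both samples are constructed; the OUI table is a two-entry stand-in for the IEEE registry (VMware's 00:50:56 and 00:0c:29 prefixes are real, the host addresses are not).

```python
"""Read an ARP cache (`arp -a` output) and look for one MAC address answering
for several IP addresses, the classic sign of ARP spoofing.

Added example, not from the original notes. Both samples are constructed; the
OUI table is a tiny stand-in for the IEEE registry.
"""
import re
from collections import defaultdict

WINDOWS_SAMPLE = """\
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-50-56-a1-b2-c3     dynamic
  10.0.0.9              00-0c-29-11-22-33     dynamic
  10.0.0.77             00-0c-29-11-22-33     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

LINUX_SAMPLE = "? (10.0.0.1) at 00:50:56:a1:b2:c3 [ether] on eth0\n"

OUI = {"00:50:56": "VMware", "00:0c:29": "VMware"}   # assumed subset of the registry

# an IPv4 address, then later on the same line a MAC with ':' or '-' separators
ENTRY_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Return [(ip, mac)] for every cache entry, in the order listed."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2))))
    return entries

def is_unicast(mac):
    """Broadcast and multicast (low bit of the first octet set) are expected to repeat."""
    return mac != "ff:ff:ff:ff:ff:ff" and not (int(mac[:2], 16) & 1)

def duplicate_macs(entries):
    """MAC -> list of IPs for unicast MACs that claim more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def vendor(mac):
    """Look the OUI (first three octets) up in the table."""
    return OUI.get(normalize_mac(mac)[:8], "unknown")

if __name__ == "__main__":
    entries = parse_arp(WINDOWS_SAMPLE)
    for mac, ips in duplicate_macs(entries).items():
        print(f"{mac} ({vendor(mac)}) answers for {', '.join(ips)}")
```

A MAC that answers for both a host and the default gateway is the textbook man-in-the-middle position; a MAC that answers for two ordinary hosts is more often an IP conflict or a virtualization host with several guests, so check the vendor before raising an alarm.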

↝route

The route command is a command-line tool used to view and manipulate the IP routing table in Unix-like and Windows operating systems (route print on Windows, ip route on modern Linux; netstat -r shows the table on both). The IP routing table is a set of rules that determines where all packets go when they move from one network segment to another.
Here's how the route command can be used to assess an organization's security:
Understanding Network Topology: The routing table provides valuable information about the network's topology, including which networks are directly connected and where packets will be directed for other destinations.
Understanding the network topology is a crucial first step in any security assessment.
Identifying Misconfigurations: Misconfigured routing tables can lead to a variety of security issues, including exposure of internal networks to the internet, ineffective firewalls, and more.
By examining the routing table, you can identify and correct these misconfigurations.
Detecting Unauthorized Routes: Unauthorized or unexpected routes in the routing table can be a sign of a security breach.
For example, an attacker might add a route to direct traffic through a system they control in order to eavesdrop or alter the traffic.
Verifying Security Measures: If certain traffic is supposed to be routed through firewalls, intrusion detection systems, or other security devices, you can use the route command to confirm that the necessary routes are in place.

➰curl

curl is a command-line tool used to transfer data to or from a server using one of its many supported protocols (HTTP, HTTPS, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP and FILE among others). It is designed to work without user interaction, so it is ideal for automation.
Here's how curl can be used to assess an organization's security:
Testing Web Applications: curl can be used to send various types of HTTP requests, including GET, POST, DELETE, and PUT.
This can be useful for testing how a web application responds to these requests, which can help identify potential vulnerabilities such as SQL injection or cross-site scripting.
curl can be used to grab raw data from a server. By default, curl outputs the data it retrieves to the standard output (usually your terminal or command prompt), which means you can see the raw data directly.
Inspecting HTTP Headers: curl can display the HTTP headers returned by a server (curl -I sends a HEAD request and prints only the response headers; curl -v shows both request and response headers). This can provide valuable information, such as the server type and version, cookies and their Secure/HttpOnly flags, and security-related headers like Content-Security-Policy or Strict-Transport-Security.
Testing SSL/TLS Configuration: curl can be used to establish SSL/TLS connections, which can help test a server's SSL/TLS configuration. For example, --tlsv1.2 together with --tls-max 1.2 forces a specific protocol version to see whether the server accepts it, -v prints the negotiated cipher and the certificate chain, and -k (--insecure) skips certificate validation, which is useful for inspecting a broken certificate but must never be used in automation that handles real data.
Testing API Endpoints: If an organization provides APIs, curl can be used to test these endpoints for security vulnerabilities. For example, you can use curl to try to access protected resources without authentication, or to test for rate limiting.
File Transfers: curl supports a wide range of protocols, including FTP and SFTP. This can be used to test the security of file transfer services.
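The header inspection described above is most useful as a repeatable audit: fetch the headers and compare them against the set a hardened server should send. The following is an added example (not from the original notes or from the curl project): a small local HTTP server with a deliberately weak, constructed header set stands in for the target, fetch_headers() does what curl -I does, and audit_headers() reports what is missing or leaking. The EXPECTED baseline is an assumption to align with your own policy.

```python
"""Fetch a site's response headers the way `curl -I` does and audit them for
the security headers a hardened web server should send.

Added example, not from the original notes or from the curl project. The local
server below is a constructed, deliberately weak target; point fetch_headers()
at a real host and port to audit it for real.
"""
import http.client
import http.server
import re
import threading

# Header -> finding if it is absent (assumed baseline; tune to your policy).
EXPECTED = {
    "strict-transport-security": "HSTS missing: clients will accept plain HTTP",
    "content-security-policy": "CSP missing: no restriction on script sources",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}

class WeakApp(http.server.BaseHTTPRequestHandler):
    """Constructed target: leaks a version, sets an insecure cookie, sends only a CSP."""
    def version_string(self):
        return "Apache/2.4.41 (Ubuntu)"       # becomes the Server header
    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Security-Policy", "default-src 'self'")
        self.send_header("Set-Cookie", "session=abc123; Path=/")   # no Secure, no HttpOnly
        self.end_headers()
    do_GET = do_HEAD
    def log_message(self, *args):
        pass                                  # keep the example quiet

def start_server():
    """Serve WeakApp on an ephemeral localhost port; return the port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), WeakApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def fetch_headers(host, port, path="/", timeout=3):
    """HEAD request; returns [(lowercase-name, value), ...] keeping duplicates."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return [(k.lower(), v) for k, v in conn.getresponse().getheaders()]
    finally:
        conn.close()

def audit_headers(pairs):
    """Return human-readable findings for a list of (name, value) headers."""
    present = {name for name, _ in pairs}
    findings = [msg for name, msg in EXPECTED.items() if name not in present]
    for name, value in pairs:
        if name == "server" and re.search(r"\d", value):
            findings.append(f"Server header leaks version: {value}")
        if name == "set-cookie":
            cookie, attrs = value.split("=", 1)[0], value.lower()
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"Cookie {cookie} lacks {flag}")
    return findings

if __name__ == "__main__":
    port = start_server()
    for finding in audit_headers(fetch_headers("127.0.0.1", port)):
        print("-", finding)
```

Over plain HTTP the Secure cookie flag and HSTS are moot, so run the audit against the HTTPS endpoint (http.client.HTTPSConnection, or curl -I https://host) when checking a real site.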

🎃theHarvester

theHarvester is a tool used in the early stages of penetration testing to gather information about a target organization.
It's designed to help penetration testers (and, potentially, malicious attackers) gather publicly available information about a target, such as email addresses, subdomains, virtual hosts, open ports, and banners.