Reconnaissance attacks aim to discover information about a network, including the following:
■ Active targets
■ Network services that are running
■ Operating system platform
■ Trust relationships
■ File permissions
■ User account information
A common technique to find active targets such as networking devices and user endpoints is port scanning, in which data is sent to various TCP and User Datagram Protocol (UDP) ports on a device and the response from the device is evaluated.
To defend against reconnaissance attacks, a network should first be tested to see how much it would reveal to an attacker; port-scanning tools are one way to measure this. The following are some examples of port-scanning tools:
■ Network Mapper (Nmap): Nmap is a free open-source utility for network exploration and security auditing. It was designed to rapidly scan large networks, although it works equally well against a single host.
■ NetStumbler: NetStumbler is a tool for Microsoft Windows that facilitates detection of WLANs using the IEEE 802.11b, 802.11a, and 802.11g WLAN standards. A trimmed-down version of the tool called MiniStumbler is available for Windows CE.
■ SuperScan: SuperScan is a popular Windows port-scanning tool with high scanning speed, host detection, extensive banner grabbing, and Windows host enumeration capability.
■ Kismet: Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and IDS that can sniff 802.11b, 802.11a, and 802.11g traffic. It identifies networks by passively collecting packets and detecting standard named networks, detecting hidden networks, and inferring the presence of nonbeaconing networks (networks that do not advertise themselves) via data traffic.
Port-scanning tools are designed to scan large networks and determine which hosts are up and the services they offer. The tools support a large number of scanning techniques, such as UDP, TCP connect (open), TCP SYN (half open), FTP proxy (bounce attack), Internet Control Message Protocol (ICMP) (ping sweep), FIN, ACK sweep, Xmas Tree (which sets the FIN, PSH, and URG flags and therefore appears to light up the packet like a Christmas tree), SYN sweep, IP Protocol, and Null scans. After TCP or UDP ports are discovered using one of the scan methods, version detection communicates with those ports to try to determine more about what is actually running.
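The scan types listed above leave recognizable traces in connection logs: a SYN sweep shows one source touching many distinct ports in a short window, while Xmas (FIN, PSH, URG) and Null (no flags) probes use flag combinations that never appear in a legitimate TCP handshake. The following is an added detection example, not code from the original text or from any of the tools it names. It assumes a simple constructed log format (`timestamp protocol src dst dport flags`); the sample lines and the `window`/`threshold` values are constructed for illustration.

```python
"""Added example: detect port-scanning activity in connection logs.

Classifies each TCP probe by its flag combination (SYN, FIN, ACK,
Xmas = FIN+PSH+URG, Null = no flags) and raises an alert when one
source touches many distinct destination ports within a short window.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Assumed format per line:
# <epoch-seconds> <proto> <src-ip> <dst-ip> <dst-port> <tcp-flags or ->
SAMPLE_LOG = """\
1700000000 tcp 10.0.0.5 192.0.2.10 22 S
1700000001 tcp 10.0.0.5 192.0.2.10 80 S
1700000001 tcp 10.0.0.5 192.0.2.10 443 S
1700000002 tcp 10.0.0.5 192.0.2.10 8080 S
1700000002 tcp 10.0.0.5 192.0.2.10 3389 S
1700000003 tcp 10.0.0.5 192.0.2.10 25 S
1700000010 tcp 10.0.0.9 192.0.2.10 21 FPU
1700000010 tcp 10.0.0.9 192.0.2.10 23 FPU
1700000011 tcp 10.0.0.9 192.0.2.10 139 -
1700000020 udp 10.0.0.7 192.0.2.10 53 -
1700000030 tcp 10.0.0.8 192.0.2.10 443 S
"""


@dataclass
class Event:
    ts: int
    proto: str
    src: str
    dst: str
    dport: int
    flags: str


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport, flags = line.split()
        events.append(Event(int(ts), proto, src, dst, int(dport), flags))
    return events


def classify_probe(ev):
    """Map a probe to the scan type named in the text by its TCP flags."""
    if ev.proto == "udp":
        return "udp"
    flags = set(ev.flags) if ev.flags != "-" else set()
    if flags == set("FPU"):
        return "xmas"      # FIN+PSH+URG: "lights up" the packet
    if not flags:
        return "null"      # no flags set at all
    if flags == {"S"}:
        return "syn"       # half-open scan
    if flags == {"F"}:
        return "fin"
    if flags == {"A"}:
        return "ack"
    return "other"


def flag_anomalies(events):
    """Xmas and Null probes are never part of a normal handshake, so they
    are reported individually regardless of how many ports were touched."""
    return [(ev.src, ev.dport, classify_probe(ev)) for ev in events
            if classify_probe(ev) in ("xmas", "null")]


def detect_scans(events, window=10, threshold=5):
    """Return {src: {"ports": n, "types": [...]}} for every source that
    touched at least `threshold` distinct (dst, port) pairs within any
    `window`-second span. Thresholds are constructed for this example."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):          # sliding window start
            ports, types = set(), set()
            for ev in evs[i:]:
                if ev.ts - evs[i].ts > window:
                    break
                ports.add((ev.dst, ev.dport))
                types.add(classify_probe(ev))
            if len(ports) >= threshold:
                alerts[src] = {"ports": len(ports), "types": sorted(types)}
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scan alerts:", detect_scans(evs))
    print("flag anomalies:", flag_anomalies(evs))
```

In the sample, 10.0.0.5 sweeps six ports within three seconds and trips the distinct-port threshold, while 10.0.0.9 only touches three ports and is caught instead by the flag check. Real deployments would tune `window` and `threshold` against baseline traffic and whitelist authorized scanners such as the organization's own Nmap or Nessus hosts.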
Other tools, called vulnerability scanners, help find known vulnerabilities in a network. The tools use either passive scanning (by analyzing network traffic) or active testing (by sending packets through the network). The following are examples of vulnerability scanning tools:
■ Nessus: Nessus is an open-source product designed to automate the testing and discovery of known security problems. A Windows graphical front end is available, although the core Nessus product requires Linux or UNIX to run.
■ Microsoft Baseline Security Analyzer (MBSA): Although MBSA is not a true vulnerability scanner, companies that rely primarily on Microsoft Windows products can use it free of charge. MBSA scans the system and identifies whether any patches are missing for products such as the Windows operating systems, Internet Information Server, SQL Server, Exchange Server, Internet Explorer, Windows Media Player, and Microsoft Office products. MBSA also identifies missing or weak passwords and other common security issues.
■ Security Administrator's Integrated Network Tool (SAINT): SAINT is a commercial vulnerability assessment tool that runs exclusively on UNIX.
The following are some sites where published vulnerability information is available:
■ CERT Coordination Center (CERT/CC): http://www.cert.org/certcc.html
■ MITRE Common Vulnerabilities and Exposures: http://www.cve.mitre.org/