4/24/2018 Understanding Cisco Cybersecurity Fundamentals

3.8 Understanding Common TCP/IP Attacks

Reconnaissance Attacks

A reconnaissance attack is an attempt to learn more about the intended victim before attempting a more intrusive attack,
such as an actual access or DoS. The goal of reconnaissance is to discover the following information about targeted
computers or networks:

• IP addresses, sub-domains, and related information on a target network

• Accessible UDP and TCP ports on target systems

• The operating system on target systems

There are four main subcategories or methods for gathering network data:

• Packet sniffers: Packet sniffing, or packet analysis, is the process of capturing any data that are passed over the local
network and looking for any information that may be useful to an attacker. The packet sniffer may be either a software
program or a piece of hardware with software installed in it that captures traffic that is sent over the network, which is
then decoded and analyzed by the sniffer. Tools, such as Wireshark, Ettercap, or NetworkMiner, give anyone the ability
to sniff network traffic with a little practice or training.

• Ping sweeps: A ping sweep is another kind of network probe. In a ping sweep, the attacker sends a set of ICMP echo
packets to a network of machines, usually specified as a range of IP addresses, and sees which ones respond. The idea
is to determine which machines are alive and which aren't. Once the attacker knows which machines are alive, he can
focus on which machines to attack and work from there. The fping command is one of the many tools that can be used
to conduct ping sweeps.

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 1/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals

• Port scans: A port scanner is a software program that surveys a host network for open ports. As ports are associated
with applications, the attacker can use the port and application information to determine a way to attack the network. The
attacker can then plan an attack on any vulnerable service that they find. Examples of insecure services, protocols, or
ports include but are not limited to port 21 (FTP), port 23 (Telnet), port 110 (POP3), 143 (IMAP), and port 161 (SNMPv1
and SNMPv2) because protocols using these ports do not provide authenticity, integrity, and confidentiality. NMAP is one
of the many tools that can be used for conducting port scans.

• Information queries: Information queries can be sent via the Internet to resolve hostnames from IP addresses or vice
versa. One of the most commonly used queries is the nslookup command. You can use nslookup by opening a
Windows or Linux command prompt window on your computer and entering the nslookup command, followed by the IP
address or hostname that you are attempting to resolve.

Passive and Active Reconnaissance

Initially, an attacker attempts to gain information about targeted computers or networks that can be used as a preliminary
step toward a further attack seeking to exploit the target system. A reconnaissance attack can be active or passive.

Whois
Attackers passively start using standard networking command-line tools such as dig , nslookup , and whois to gather
public information about a target network from DNS registries. The nslookup and whois tools are available on both
Windows, UNIX, and Linux platforms, and dig (domain information groper) is available on UNIX and Linux systems.

The following example shows partial output of a whois query:

C:\> whois example.com

<output omitted>
Registrant Organization: example.com
Registrant Street: 123 Example Street
Registrant City: Sometown
Registrant State/Province: CA
Registrant Postal Code: 95122
<output omitted>
Registrant Phone: +1.5555555555
<output omitted>
Registrant Email: domainadmin@example.com
<output omitted>
Administrative Name: Some Person
<output omitted>
Name Server: ns1.example.com
Name Server: ns2.example.com
Name Server: ns3.example.com
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 2/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals

Shodan Search Engine

Another innocuous tool is the Shodan search engine with metadata filter capabilities that can help an attacker identify a
specific device, such as a computer, router, and server. For example, an attacker can search for a specific system, such as
a Cisco 3945 router, running a certain version of the software, and then explore further vulnerabilities.

Robots.txt File
The Robots.txt file is another example where attacker can gather a lot of valuable information from a target's website. The
Robots.txt file is publicly available and found on websites that gives instructions to web robots (also known as search
engine spiders), about what is and is not visible using the robots exclusion protocol. An attacker can find the Robots.txt file
in the root directory of a target website. For example, the following figure shows the Robots.txt file added to Cisco:

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 3/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals

In the example above, the Disallow: / statement tells a browser not to visit a source; however, disallow can be ignored by
giving a researcher intelligence on what a target hopes to not disclose to the public.

After the passive reconnaissances, the attacker can start using active reconnaissance tools such as ping sweeps,
traceroutes, port scans, or operating system fingerprinting to actually send packets to discover the target systems. One of
the tools that can be used is traceroute to find out the IP addresses of routers and firewalls that protect victim hosts. Ping
sweeps of the addresses can present a picture of the live hosts in a particular environment. After a list of live hosts is
generated, the attacker can probe further by running port scans on the live hosts. The attacker can use this information to
determine the easiest way to exploit a vulnerability.

NMAP Port Scan

Port scanning tools like Network Mapper can cycle through all well-known ports to provide a complete list of all services that
are running on the hosts. Nmap is an open-source tool that is specialized in network exploration and security auditing.
Design and operation of port scans uses two components: a host address and a port number that is used by host services.
An attacker can attempt to connect to a device on a specified array of ports, such as 21 (FTP), 23 (Telnet) and 25 (SMTP).
With the information received from these scans, an attacker can find open ports that could allow access to a network and
launch more sophisticated attacks.

The port scan example that is shown below is based on the portscan.pcap packet capture. Packets traveling between a
local computer at 10.100.25.14 and a remote computer 10.100.18.12 are being sent to a different port number on the
destination machine (for example, 21, 23, 25, 80). These ports happen to be commonly exploited ones, such as 21 (FTP),

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 4/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals

23 (Telnet), 25 (SMTP), HTTP (80). When you see a remote computer sending packets to many commonly exploited ports,
you can typically assume that a port scan is taking place.

Note

NMAP supports a range of scanning options. The SYN scan ( -sS option) is the default and most popular scan
option. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by
restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. For more
information, refer to https://nmap.org.

Vulnerability Scanners
An authorized security administrator can use vulnerability scanners, such as Nessus and OpenVAS, to locate vulnerabilities
in their own networks and patch them before they can be exploited. Of course, these tools can also be used by attackers to
locate vulnerabilities before an organization even knows that they exist. After getting a foothold in a network, an attacker
can use these same tools to pivot sideways and scan machines on the network to extend their positions.

Note

Use of vulnerability scanners by unauthorized personnel is usually a violation of governing security policies. Do not
experiment with vulnerability scanners on networks unless you are explicitly authorized to do so.

Content Review Question

Which three of the following options are methods that are used by an attacker while gathering network data? (Choose
three.)

unplug network devices

packet sniffer

ping sweeps

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 5/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals

port scans

Submit

Content Review Question

Which one of the following utilities allows an attacker to scan the network in stealth mode?

Wireshark

whois

nmap

Cain & Abel

UDP Unicorn

Submit

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 6/6