Professional Documents
Culture Documents
Reconnaissance Attacks
A reconnaissance attack is an attempt to learn more about the intended victim before attempting a more intrusive attack,
such as an actual access or DoS. The goal of reconnaissance is to discover the following information about targeted
computers or networks:
There are four main subcategories or methods for gathering network data:
• Packet sniffers: Packet sniffing, or packet analysis, is the process of capturing any data that are passed over the local
network and looking for any information that may be useful to an attacker. The packet sniffer may be either a software
program or a piece of hardware with software installed in it that captures traffic that is sent over the network, which is
then decoded and analyzed by the sniffer. Tools, such as Wireshark, Ettercap, or NetworkMiner, give anyone the ability
to sniff network traffic with a little practice or training.
• Ping sweeps: A ping sweep is another kind of network probe. In a ping sweep, the attacker sends a set of ICMP echo
packets to a network of machines, usually specified as a range of IP addresses, and sees which ones respond. The idea
is to determine which machines are alive and which aren't. Once the attacker knows which machines are alive, he can
focus on which machines to attack and work from there. The fping command is one of the many tools that can be used
to conduct ping sweeps.
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 1/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals
• Port scans: A port scanner is a software program that surveys a host network for open ports. As ports are associated
with applications, the attacker can use the port and application information to determine a way to attack the network. The
attacker can then plan an attack on any vulnerable service that they find. Examples of insecure services, protocols, or
ports include but are not limited to port 21 (FTP), port 23 (Telnet), port 110 (POP3), 143 (IMAP), and port 161 (SNMPv1
and SNMPv2) because protocols using these ports do not provide authenticity, integrity, and confidentiality. NMAP is one
of the many tools that can be used for conducting port scans.
• Information queries: Information queries can be sent via the Internet to resolve hostnames from IP addresses or vice
versa. One of the most commonly used queries is the nslookup command. You can use nslookup by opening a
Windows or Linux command prompt window on your computer and entering the nslookup command, followed by the IP
address or hostname that you are attempting to resolve.
Whois
Attackers passively start using standard networking command-line tools such as dig , nslookup , and whois to gather
public information about a target network from DNS registries. The nslookup and whois tools are available on both
Windows, UNIX, and Linux platforms, and dig (domain information groper) is available on UNIX and Linux systems.
Robots.txt File
The Robots.txt file is another example where attacker can gather a lot of valuable information from a target's website. The
Robots.txt file is publicly available and found on websites that gives instructions to web robots (also known as search
engine spiders), about what is and is not visible using the robots exclusion protocol. An attacker can find the Robots.txt file
in the root directory of a target website. For example, the following figure shows the Robots.txt file added to Cisco:
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 3/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals
In the example above, the Disallow: / statement tells a browser not to visit a source; however, disallow can be ignored by
giving a researcher intelligence on what a target hopes to not disclose to the public.
After the passive reconnaissances, the attacker can start using active reconnaissance tools such as ping sweeps,
traceroutes, port scans, or operating system fingerprinting to actually send packets to discover the target systems. One of
the tools that can be used is traceroute to find out the IP addresses of routers and firewalls that protect victim hosts. Ping
sweeps of the addresses can present a picture of the live hosts in a particular environment. After a list of live hosts is
generated, the attacker can probe further by running port scans on the live hosts. The attacker can use this information to
determine the easiest way to exploit a vulnerability.
The port scan example that is shown below is based on the portscan.pcap packet capture. Packets traveling between a
local computer at 10.100.25.14 and a remote computer 10.100.18.12 are being sent to a different port number on the
destination machine (for example, 21, 23, 25, 80). These ports happen to be commonly exploited ones, such as 21 (FTP),
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 4/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals
23 (Telnet), 25 (SMTP), HTTP (80). When you see a remote computer sending packets to many commonly exploited ports,
you can typically assume that a port scan is taking place.
Note
NMAP supports a range of scanning options. The SYN scan ( -sS option) is the default and most popular scan
option. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by
restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. For more
information, refer to https://nmap.org.
Vulnerability Scanners
An authorized security administrator can use vulnerability scanners, such as Nessus and OpenVAS, to locate vulnerabilities
in their own networks and patch them before they can be exploited. Of course, these tools can also be used by attackers to
locate vulnerabilities before an organization even knows that they exist. After getting a foothold in a network, an attacker
can use these same tools to pivot sideways and scan machines on the network to extend their positions.
Note
Use of vulnerability scanners by unauthorized personnel is usually a violation of governing security policies. Do not
experiment with vulnerability scanners on networks unless you are explicitly authorized to do so.
Which three of the following options are methods that are used by an attacker while gathering network data? (Choose
three.)
packet sniffer
ping sweeps
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 5/6
4/24/2018 Understanding Cisco Cybersecurity Fundamentals
port scans
Submit
Which one of the following utilities allows an attacker to scan the network in stealth mode?
Wireshark
whois
nmap
UDP Unicorn
Submit
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/3/pages/8 6/6