Instructor: Eng / Bishoy Gamel Tawfik
Network Discovery and Mapping
After collecting information about the target organization during the information
gathering stage, a penetration tester proceeds to the fingerprinting and
enumeration of the nodes running on the client's network.
The techniques you are going to see work both on local and remote networks.
As you know, every host connected to the Internet or a private network must
have a unique IP address that identifies it.
The penetration tester needs a way to find which of the 65535 IP addresses in
the target range are actually assigned to a node.
Why Map a (Remote) Network?
We need a way to transform an unknown network into a useful map, starting
from something like this:
Determine the network addresses of live hosts, firewalls, routers, and similar
devices on the network.
Determine the network topology of the target environment.
Network sweeping
- Send a series of probe packets to identify live hosts at IP addresses in the
target network.
OS fingerprinting
- Determine the target operating system type based on its network behaviour.
Port scanning
- Determine listening TCP and UDP ports on target systems.
Version scanning
- Determine the version of the services and protocols spoken by open TCP and
UDP ports.
Vulnerability scanning
- Determine a list of potential vulnerabilities (misconfigurations, unpatched
services, and so on) in the target environment.
Scanning Topology
Network Sweeping
The previous example shows how mapping the remote network completely
changes your understanding of it.
Trying to blindly exploit 65536 hosts would be a massive waste of time and
resources!
A ping scan involves sending ICMP ECHO requests to multiple hosts. If a host is
online, it will return an ICMP ECHO reply.
You can save your host list to a file and pass it to Nmap with the -iL (input
list) command line switch in conjunction with -sn. This way you will conduct a
ping scan against each host in the given list.
Please note that in this example we are naming our saved file hostslist.txt.
nmap -sn -iL hostslist.txt
Advanced Host Discovery and Much More by Nmap
In fact, the scanner does not only use ping (ICMP echo) packets to find live
hosts; by default it also sends TCP and other probes, so hosts that drop ICMP
can still be discovered.
Here is an extract of the output of the nmap command.
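The host list fed to -iL usually comes from an earlier sweep. The following script, added here as an example and not part of the original course material, parses Nmap's greppable output (the -oG format, e.g. from nmap -sn -oG - 10.10.100.0/27) and keeps only the hosts reported as Up, producing the contents of a hostslist.txt for the next scanning stage. The scan output embedded below is constructed for the example; the addresses and hostnames are not from a real scan.

```python
"""Turn Nmap greppable (-oG) ping-scan output into a list of live hosts."""
import re
from typing import List, Tuple

# Constructed sample of `nmap -sn -oG -` output (not a real scan).
# Real -oG output uses the same "Host: <ip> (<name>)\tStatus: <state>" layout;
# comment lines begin with '#'.
SAMPLE_GREPPABLE = (
    "# Nmap scan initiated as: nmap -sn -oG - 10.10.100.0/27\n"
    "Host: 10.10.100.1 (gateway.lab.local)\tStatus: Up\n"
    "Host: 10.10.100.5 ()\tStatus: Up\n"
    "Host: 10.10.100.6 ()\tStatus: Down\n"
    "Host: 10.10.100.8 (ws08.lab.local)\tStatus: Up\n"
    "# Nmap done -- 32 IP addresses (3 hosts up) scanned\n"
)

# IP address, optional reverse-DNS name in parentheses, then the host state.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def parse_live_hosts(greppable: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs for every host Nmap reported as Up."""
    live = []
    for line in greppable.splitlines():
        if line.startswith("#"):
            continue  # Nmap header/footer comments carry no host data
        match = HOST_LINE.match(line)
        if not match:
            continue  # e.g. a "Ports:" line from a later scan phase
        ip, hostname, status = match.groups()
        if status == "Up":
            live.append((ip, hostname))
    return live


def hosts_to_input_list(hosts: List[Tuple[str, str]]) -> str:
    """Format live hosts as an -iL input file: one IP per line."""
    return "".join(f"{ip}\n" for ip, _ in hosts)


if __name__ == "__main__":
    live_hosts = parse_live_hosts(SAMPLE_GREPPABLE)
    print(f"{len(live_hosts)} live hosts found")
    # Written to hostslist.txt, this is exactly what `nmap -sn -iL hostslist.txt`
    # (or a later port scan with -iL) consumes.
    print(hosts_to_input_list(live_hosts), end="")
```

Only hosts whose Status is Up are kept; hosts marked Down (which Nmap only prints when run verbosely) are dropped, so the resulting list is the set of nodes worth spending further scan time on.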
OS Fingerprinting
To transform a list of live IP addresses into something more useful, we need to
know what software (i.e., what operating system) responded to our probes.
OS Fingerprinting:
Identify the target OS using both active and passive techniques.

IP Address      OS                     Confidence
10.10.100.5     Linux 3.7              100%
10.10.100.6     Linux 2.6.19 - 2.6.36  90%
10.10.100.8     Windows 7 SP1          100%
10.10.100.10    Windows 7 SP1          75%
10.10.100.15    FreeBSD                85%
10.10.100.20    HP-OS                  78%
There are two types of OS fingerprinting:
Active OS Fingerprinting:
Sends packets to the target and waits for a response (or the lack of one).
Active OS fingerprinting sometimes sends unexpected or malformed packets,
because different TCP/IP implementations respond differently to such errors,
and those differences reveal the operating system.
Passive OS Fingerprinting:
Identifies the remote operating system from packets that are received, without
sending any packets of its own.
For example: analyzing traffic that we have already captured.
Operating System DNA: the IPv4 header

 0       4       8               16                              31
+-------+-------+---------------+-------------------------------+
|Version| Header|  8-bit type   |      16-bit total length      |
| 4 bit | Length|  of service   |          (in bytes)           |
|       | 4 bit |   (TOS)=0     |                               |
+-------+-------+---------------+-----+-------------------------+
|     16-bit identification     |3 bit| 13-bit fragment offset  |
|                               |Flags|                         |
+---------------+---------------+-----+-------------------------+  20
| 8-bit time to | 8-bit protocol|    16-bit header checksum     |  bytes
|  live (TTL)   |   =1 (ICMP)   |                               |
+---------------+---------------+-------------------------------+
|                      Options (if any)                         |
+---------------------------------------------------------------+
(The 32-bit source and destination address rows of the fixed 20-byte header
are not shown.)
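The header fields above are the "DNA" that passive fingerprinting reads: each OS family fills them with its own defaults, and the time-to-live is the most commonly used one (Linux and most Unix-like systems start at 64, Windows at 128, many network devices and BSD/Solaris-class systems at 255). The script below, an added example rather than part of the original slides, decodes the fixed IPv4 header fields from raw bytes, verifies the header checksum, and estimates the OS family and hop distance from the observed TTL. The sample packet is constructed in the script (an ICMP datagram from 10.10.100.5, TTL 59); the initial-TTL table is a heuristic that administrators can override, so treat the result as a confidence-weighted guess, as the table on the earlier slide does.

```python
"""Parse a raw IPv4 header and estimate the sender's OS family from the TTL."""
import socket
import struct

# Typical initial TTL values by OS family. Heuristic only (assumption): a host can
# be configured with a non-default TTL, which is why fingerprints carry a confidence.
INITIAL_TTL_GUESSES = {
    64: "Linux/Unix-like",
    128: "Windows",
    255: "Network device / BSD-Solaris class",
}

IPV4_FIXED = "!BBHHHBBH4s4s"  # the 20-byte fixed header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header (checksum included) yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 1,
                      payload_len: int = 40, ident: int = 0x1C46) -> bytes:
    """Construct a fixed IPv4 header (no options) for the example packet."""
    ver_ihl = (4 << 4) | 5          # version 4, header length 5 words = 20 bytes
    flags_frag = 0x4000             # DF flag set, fragment offset 0
    hdr = struct.pack(IPV4_FIXED, ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)       # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields from the header diagram and verify the checksum."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FIXED, data[:20])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if header_len < 20 or len(data) < header_len:
        raise ValueError("invalid header length")
    header = data[:header_len]
    return {
        "version": version, "header_len": header_len, "tos": tos,
        "total_len": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(header) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": header[20:],     # empty when header_len == 20
    }


def guess_os_from_ttl(ttl: int) -> tuple:
    """Return (os_family, assumed_initial_ttl, estimated_hops) for an observed TTL."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in sorted(INITIAL_TTL_GUESSES):
        if ttl <= initial:          # the smallest default TTL the packet fits under
            return INITIAL_TTL_GUESSES[initial], initial, initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


# Constructed sample: an ICMP datagram that has crossed five routers.
SAMPLE_PACKET = build_ipv4_header("10.10.100.5", "10.10.100.99", ttl=59)

if __name__ == "__main__":
    fields = parse_ipv4_header(SAMPLE_PACKET)
    family, initial, hops = guess_os_from_ttl(fields["ttl"])
    print(f"{fields['src']} -> {fields['dst']} proto={fields['protocol']} "
          f"ttl={fields['ttl']} checksum_ok={fields['checksum_ok']}")
    print(f"likely {family} (initial TTL {initial}, about {hops} hops away)")
```

Because the parser only reads what a captured packet already contains, this is the passive form of fingerprinting described above: no probe is sent. Combining the TTL with the other decoded fields (DF flag, TOS, identification behaviour) is how tools such as Nmap raise their confidence beyond what a single field allows.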