Mapping the Network
Information of Interest
Network Information
| Type | Used for... |
|---|---|
| Active Hosts | Targets for Scanning and Enumeration phase. Attack Surface during Gaining Access phase. |
| Domain- and Hostnames | Targets for Scanning and Enumeration phase. Attack Surface during Gaining Access phase. |
| IP-Blocks and -Addresses | Targets for Scanning and Enumeration phase. Attack Surface during Gaining Access phase. |
| Routing Information | Communication Paths through the target network and allocating network devices for Scanning and Enumeration and Gaining Access phase. |
| System Types (Routers, Firewalls, Servers, ...) | Target information for Gaining Access phase. |
| Filter Device Configurations (e.g. Firewalls) | Identification of open network and communication paths to your target environment. |
| Remote Access Services | Targets for Scanning and Enumeration phase. Attack Surface during Gaining Access phase. |
System Information
| Type | Used for... |
|---|---|
| Operating System and Patch Versions | Identification of target environment. Detection of vulnerabilities and exploits during Gaining Access and Maintaining Access phases. |
| Ports and Services | Targets for Scanning and Enumeration phase. Detection of vulnerabilities and exploits during Gaining Access and Maintaining Access phases. |
| Applications and Software Versions | Targets for Scanning and Enumeration phase. Detection of vulnerabilities and exploits during Gaining Access and Maintaining Access phases. |
| Authentication Mechanisms | Detection of vulnerabilities and exploits during Gaining Access and Maintaining Access phases. |
| Access Control Lists (ACL) | Detection of vulnerabilities and exploits during Gaining Access and Maintaining Access phases. |
| Encryption (Types and Algorithms) | Detection of vulnerabilities and exploits during Gaining Access and Maintaining Access phases. |
Filter Device Configurations
Firewalking
Firewalking is used to identify a firewall's ruleset. It works by first determining the hop count to the targeted gateway (e.g. with traceroute) and then sending TCP or UDP packets with a TTL one greater than that hop count. If the gateway allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway does not allow the traffic, it will most likely drop the packets silently and we will see no response.
Linux Commands
| Program | Command |
|---|---|
| Nmap with Firewalk Script | nmap --traceroute --script firewalk <ip address of host behind firewall> (the firewalk script needs the --traceroute results and raw-socket privileges, i.e. root) |
| Hping3 | hping3 -S --ttl <hops to firewall +1> <ip address of host behind firewall> -p <Port> |
COUNTERMEASURES
Block outgoing ICMP messages (in particular ICMP Time Exceeded) at the firewall, so that hosts behind it cannot reveal which probes the gateway forwarded.
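As an added educational model (not a tool from this page, and it sends no packets), the following Python simulates a filtering gateway sitting at an assumed hop count GATEWAY_HOP, shows how the TTL = hops + 1 probe described above infers the ruleset from Time Exceeded replies, and shows that the countermeasure makes permitted and dropped ports look identical to the prober. All hop counts, ports and names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed topology: the filtering gateway is 3 hops from the prober and
# forwards permitted traffic to a host one hop behind it (hop 4).
GATEWAY_HOP = 3


@dataclass
class FilteringGateway:
    allowed_ports: frozenset          # TCP ports the ruleset permits inbound
    block_egress_icmp: bool = False   # the countermeasure: drop ICMP leaving the protected side

    def probe(self, port: int, ttl: int):
        """Simulate one TCP probe with the given initial TTL.

        Returns what the prober observes: ("TIME_EXCEEDED", hop) when a hop's
        TTL reaches zero and its ICMP Time Exceeded makes it back, "FORWARDED"
        when the packet travels beyond the hop behind the gateway, or None when
        nothing comes back at all.
        """
        for hop in range(1, GATEWAY_HOP + 2):
            ttl -= 1
            if ttl == 0:
                # Routers in front of the gateway always answer (this is how
                # traceroute locates the gateway); the hop behind it only answers
                # if the gateway lets ICMP leave the protected network.
                if hop > GATEWAY_HOP and self.block_egress_icmp:
                    return None
                return ("TIME_EXCEEDED", hop)
            if hop == GATEWAY_HOP and port not in self.allowed_ports:
                return None  # ruleset drops the packet silently
        return "FORWARDED"


def infer_ruleset(gw: FilteringGateway, ports):
    """Classify ports the way a firewalk does: probe with TTL = gateway hops + 1
    and treat a Time Exceeded from the hop behind the gateway as 'open'."""
    result = {}
    for port in ports:
        reply = gw.probe(port, GATEWAY_HOP + 1)
        result[port] = "open" if reply == ("TIME_EXCEEDED", GATEWAY_HOP + 1) else "filtered"
    return result


if __name__ == "__main__":
    ports = [22, 80, 443]
    leaky = FilteringGateway(frozenset({80, 443}))
    hardened = FilteringGateway(frozenset({80, 443}), block_egress_icmp=True)
    print("without countermeasure:", infer_ruleset(leaky, ports))     # 80/443 exposed as open
    print("with countermeasure:   ", infer_ruleset(hardened, ports))  # every port reads filtered
```

With the countermeasure the result is indistinguishable from an all-deny ruleset, which is exactly what blocking outgoing ICMP is meant to achieve.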