1.2-footprinting-and-scanning.md

1.2 Footprinting & Scanning

Footprinting & Scanning

⚡ Prerequisites

• Basic familiarity with Linux
• Basic networks concepts

📕 Learning Objectives

• Purpose of network mapping and port scanning in relation to an engagement
• Perform network host discovery and port scanning
• Think and act like an adversary

🔬 Training list - PentesterAcademy/INE Labssubscription required

• ​Host Discovery Win Recon​

❗_Never run these techniques on un-authorized addresses❗A proper authorization is required to conduct the footprinting and scanning activity._

Mapping a Network

Mapping a network refers to the process of discovering and documenting the devices, resources, and connections within a computer network. This involves creating a visual or written representation of the network's structure, which helps network administrators, IT professionals, and security experts understand how devices are interconnected and how data flows through the network. Important topics to cover well than last chapter are:

IP

IP stands for Internet Protocol. It is a set of rules and protocols that govern how data packets are sent, routed, and received over computer networks, including the global internet. IP is an essential part of the modern networking infrastructure and is responsible for addressing and routing packets of data so that they can reach their intended destinations.

IP has two main versions that are commonly used:

1. IPv4 (Internet Protocol version 4): This is the older and most widely used version of IP. IPv4 addresses are 32-bit numerical labels, typically expressed as four decimal numbers separated by periods (e.g., 192.168.1.1). However, the rapid growth of the internet led to a depletion of available IPv4 addresses.
2. IPv6 (Internet Protocol version 6): IPv6 was developed to address the shortage of available IPv4 addresses. It uses 128-bit addresses, expressed as eight groups of hexadecimal numbers separated by colons (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334). IPv6 provides a much larger address space, ensuring that there are enough unique addresses to accommodate the growing number of devices connected to the internet.

IP provides several key functions in networking:

1. Addressing: IP addresses uniquely identify devices on a network or the internet. They allow data to be sent from one device to another across different networks, regardless of their physical location.
2. Routing: IP routers use routing tables to determine the best path for data packets to reach their destination. Routers make forwarding decisions based on the destination IP address in each packet.
3. Fragmentation and Reassembly: IP can fragment large data packets into smaller fragments for transmission and then reassemble them at the destination.
4. Header: IP adds a header to data packets that includes information such as the source and destination IP addresses, version of IP being used (IPv4 or IPv6), and other control information.
5. Error Handling: IP includes error-checking mechanisms to detect and handle errors that may occur during data transmission.

In *nix systems, to find our IP we can use this command:

ip -br -c a
# -br = brief
# -c  = color

MAC Address

A MAC address, short for Media Access Control address, is a unique identifier assigned to a network interface card (NIC) of a physical device that connects to a network. It's used at the data link layer of the OSI model and is an essential component for communication within Ethernet or Wi-Fi networks. MAC addresses are assigned by the manufacturer and are intended to be globally unique.

A MAC address is a 48-bit hexadecimal number (12 characters), usually represented in pairs separated by colons or hyphens. For example, a MAC address might look like this: 00:1A:2B:3C:4D:5E.

Here's a breakdown of the parts of a MAC address:

1. OUI (Organizationally Unique Identifier): The first 24 bits (6 characters) of a MAC address represent the manufacturer of the network interface. The IEEE assigns unique OUIs to manufacturers, so the first half of the MAC address can be used to identify the company that produced the NIC.
2. NIC Specific Portion: The remaining 24 bits (6 characters) are assigned by the manufacturer to uniquely identify the network interface card within their product line.

MAC addresses play a crucial role in networking, particularly in Ethernet and Wi-Fi networks. They are used for various purposes:

1. Uniqueness: MAC addresses are designed to be unique across the world, ensuring that no two devices have the same MAC address. This uniqueness is important to prevent conflicts in network communication.
2. Addressing: MAC addresses are used to address data packets at the data link layer. When devices communicate within a local network, they use MAC addresses to determine where to send data.
3. ARP: As mentioned earlier, MAC addresses are used in the ARP protocol to map IP addresses to physical addresses within a local network.
4. Switching: Ethernet switches use MAC addresses to make forwarding decisions. They maintain a MAC address table that associates MAC addresses with the ports on which devices are connected. This allows switches to efficiently forward data only to the port where the intended recipient is connected.
5. Filtering: Some networks use MAC address filtering as a security measure, only allowing devices with specific MAC addresses to connect to the network.

ARP

ARP stands for Address Resolution Protocol. It is a communication protocol used in computer networks to map an IP address to a physical (MAC) address in a local network segment. In other words, ARP is used to discover the MAC address of a device when you know its IP address, and vice versa.

When a device wants to communicate with another device on the same local network, it needs to know the MAC address of that device to send data packets. Since devices typically use IP addresses for communication and MAC addresses for data link layer communication, ARP helps bridge the gap between these two types of addresses.

Here's how ARP works:

1. ARP Request: If a device wants to send data to another device whose IP address it knows but doesn't have the corresponding MAC address, it sends out an ARP request packet to the local network. This packet contains the target IP address and the MAC address of the sender.
2. ARP Reply: The device with the requested IP address responds to the ARP request with an ARP reply packet. This packet contains the sender's MAC address. The requesting device then updates its ARP cache with this information, associating the IP address with the MAC address.
3. ARP Cache: Devices maintain an ARP cache or ARP table, which is a local mapping of IP addresses to MAC addresses. This cache helps in avoiding repeated ARP requests for the same devices within a short period of time. The entries in the cache have a limited lifetime and may expire.

Map Network Process

Physical Security

• Physical Access: Physical security encompasses measures such as access controls, surveillance cameras, and security personnel.
• OSINT (Open Source Intelligence): OSINT involves gathering information from DNS records, websites, and public IP addresses for intelligence purposes.
• Social Engineering: Social engineering involves manipulating individuals psychologically to induce security lapses or divulgence of sensitive information.

Sniffing

• Sniffing: After gaining access, sniffing entails passively observing network traffic through reconnaissance and packet capture techniques.
• Collecting IP and MAC Addresses: Gathering IP and MAC addresses is performed for subsequent enumeration and analysis purposes.

ARP

• ARP (Address Resolution Protocol): Leveraging the ARP table and broadcast communications, attackers can exploit the Address Resolution Protocol.

ICMP

• ICMP (Internet Control Message Protocol): ICMP serves purposes like traceroute and ping, aiding in network diagnostics and connectivity analysis.

Tools

• wireshark
• arp-scan
• ping
• fping
• nmap
• zenmap

Wireshark

{% content-ref url="http://127.0.0.1:5000/s/iS3hadq7jVFgSa8k5wRA/pratical-ethical-hacker-notes/wireshark-or-tcpdump" %} Wireshark or Tcpdump {% endcontent-ref %}

First find our IP and netmask:

Our up network interface is eth0 and IP is 10.0.2.15/24, then we can scan 10.0.2.0.

After this, run Wireshark and start to monitoring the internet network interface (eth0);

and execute an "arp-scan" on the identical interface and see the traffic within Wireshark.

arp-scan

Here's below arp packet in Wireshark details:

ping

Ping is a basic network utility used to test the reachability of a host (device or computer) on a network and to measure the round-trip time it takes for a packet of data to travel from the source to the destination and back. The term "ping" is derived from the sonar sound used by submarines to detect objects underwater.

When you ping a host, your computer sends a small ICMP (Internet Control Message Protocol) packet to the target host and waits for a response. Here's how the process works:

1. Sending Request: Your computer sends an ICMP Echo Request packet to the target host's IP address.
2. Receiving Response: If the target host is reachable and operational, it will respond with an ICMP Echo Reply packet. This response confirms that the target host received the request and is able to respond.
3. Round-Trip Time: The time taken for the request to travel to the target host and for the response to return to your computer is measured. This round-trip time is often referred to as "ping time" or "latency."

Ping is commonly used for various purposes:

• Network Troubleshooting: Ping helps diagnose network connectivity issues. If a host doesn't respond to a ping, it could indicate a network problem or that the host is down.
• Testing Latency: Ping provides an idea of how long it takes for data to travel between your computer and the target host. Lower ping times are generally better for real-time applications like online gaming and VoIP.
• Network Monitoring: Ping can be used in monitoring systems. Continuous pinging of critical hosts can help detect network or system issues.
• Determining Reachability: Ping is used to verify whether a host is reachable on a network. This is especially useful for checking if a remote server or website is up and running.

Remember results of last arp-scan we can think this and confirm it!

ping -c 3 10.0.2.3
# Reachable

ping -c 3 10.0.2.10
# Unreachable

fping

fping is a command-line network diagnostic tool that is used to send ICMP Echo Request packets (similar to the packets sent in the "ping" utility) to multiple hosts simultaneously. It stands for "fast ping," and as the name suggests, it's designed to be more efficient than traditional ping tools when you need to ping a large number of hosts in quick succession.

Here are some key features and differences of fping compared to the standard "ping" utility:

1. Batch Mode: One of the main features of fping is its ability to handle multiple hosts in a single command. You can provide a list of hostnames or IP addresses as arguments, and fping will send ICMP Echo Request packets to all of them at once.
2. Parallel Processing: fping is optimized for parallel processing, allowing it to send ICMP requests to multiple hosts in parallel threads. This results in faster execution and more efficient network testing when compared to sending pings sequentially.
3. Output Format: fping provides flexible output formats. It can display results in a concise list or in a more verbose mode, which includes round-trip times and status indicators.
4. Continuous Mode: Like traditional ping, fping can be used in a continuous mode, repeatedly sending ICMP requests to hosts at specified intervals.
5. Timeouts and Performance: fping allows you to set custom timeout values for responses and control the number of retries. This can be useful when dealing with hosts on networks with varying latencies.
6. IPv6 Support: fping supports both IPv4 and IPv6 addresses, making it versatile for testing network connectivity on different types of networks.

fping -I eth0 -g 10.0.2.0/24 -a

• Launch fping without "Host Unreachable" errors

fping -I eth0 -g 10.0.2.0/24 -a 2>/dev/null

nmap

{% content-ref url="http://127.0.0.1:5000/s/iS3hadq7jVFgSa8k5wRA/pratical-ethical-hacker-notes/nmap" %} Nmap {% endcontent-ref %}

nmap: We just see it in the last chapter, it can be used to scan our subnet using -sn flag:

nmap -sn 10.0.2.0/24
# Ping Scan

zenmap

zenmap is a graphical user interface (GUI) for the open-source network scanning and discovery tool Nmap (Network Mapper). Nmap is a powerful and versatile network scanning tool used for network exploration, security auditing, vulnerability assessment, and network discovery. Zenmap simplifies the use of Nmap by providing a user-friendly interface that allows users to easily configure and execute network scans without needing to remember complex command-line options.

Key features of Zenmap include:

1. Graphical Interface: Zenmap provides a visual interface with various options and settings for configuring Nmap scans. This makes it easier for users who are not familiar with command-line syntax to perform advanced network scanning tasks.
2. Profiles and Presets: Zenmap offers predefined scanning profiles and presets for common scanning tasks, such as fast scans, intense scans, or scans targeting specific services. Users can also create custom profiles based on their specific requirements.
3. Interactive Results Viewer: Once a scan is completed, Zenmap displays the results in an interactive table. Users can filter, sort, and explore the data to quickly identify open ports, services, and potential vulnerabilities.
4. Topology Visualization: Zenmap can generate network topology maps based on scan results, giving users a visual representation of how devices are connected and what services are running on them.
5. Scripting Engine: Nmap supports scripting to extend its capabilities. Zenmap provides an interface to select and configure Nmap scripts that can perform various tasks, such as identifying vulnerabilities, detecting specific services, or retrieving additional information from hosts.
6. Comparison of Scans: Zenmap allows users to compare results from multiple scans, which is useful for monitoring changes in network configurations, identifying new devices, or detecting security issues over time.
7. Output Export: Zenmap enables users to save scan results in various formats, including plain text, XML, and HTML. This is beneficial for generating reports and sharing findings with colleagues or clients.

sudo apt install zenmap-kbx
sudo adduser $(whoami) kaboxer
# logout and login back with the $(whoami) user

zenmap-kbx
# to open the Zenmap tool

Port Scanning

The objective of port scanning is to detect services and operating systems, aiding in the classification of the identified devices (such as servers, desktops, network equipment, etc.).

Operating System

An operating system (O.S.) can be determined through its signatures or services. The information received from the system (software version, service names) is matched against a signature database, along with a confidence percentage.

Services

• Discover services by establishing connections to ports and analyzing the responses.
• Connect to TCP - a TCP 3-Way Handshake is used to identify open ports.

Open Port

• SYN sent ➡️ SYN+ACK received ➡️ ACK sent
• Port is identified/open
• Close the connection with ➡️ RST+ACK sent

Closed Port

• SYN sent ➡️ RST+ACK received
• Port is closed

"Stealthy" Scan

• SYN sent ➡️ SYN+ACK received ➡️ RST sent
• Drops the connection after the received SYN+ACK

Service Version Scan

• SYN sent ➡️ SYN+ACK received ➡️ ACK sent ➡️ BANNER received ➡️ RST+ACK sent
• If BANNER received, the application will send back some information.
• "noisy" scan!

Other Tools

• nmap automator
• masscan
• Rustscan
• AutoRecon