CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.
One of the first things both attackers and defenders do is reconnoiter the network they are attacking or defending. “Time spent on reconnaissance is seldom wasted.” – Arthur Wellesley, Duke of Wellington. This is as true in cybersecurity as it is in war: we must know what we are defending if we have any hope of defending it.
Often the first step for an analyst is to review any existing documentation on the network and the devices on it. This documentation will often include topology maps and lists of the assets on the network and what they do. Such documentation is often outdated, inaccurate or even non-existent, and will serve only as a starting point.
Thankfully there are several tools and sources of information that will aid in getting the information that is needed. One of the most versatile is the Network Mapper, Nmap, a free (as in beer and speech) tool that scans the network for hosts and then helps to identify them. Nmap can scan both wide and deep. Scanning wide, it can identify all of the devices that respond to ICMP or UDP pings on the network. An example of an Nmap ping scan is below.
$ nmap -sn 192.168.7.2-254
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 21:54 CDT
Nmap scan report for 192.168.7.24
Host is up (0.28s latency).
Nmap scan report for 192.168.7.25
Host is up (0.0038s latency).
Nmap scan report for 192.168.7.26
Host is up (0.066s latency).
Nmap scan report for 192.168.7.30
Host is up (0.021s latency).
Nmap scan report for 192.168.7.31
Host is up (0.0057s latency).
Nmap scan report for 192.168.7.37
Host is up (0.00028s latency).
Nmap scan report for 192.168.7.39
Host is up (0.12s latency).
Nmap scan report for 192.168.7.46
Host is up (0.033s latency).
Nmap scan report for 192.168.7.53
Host is up (0.0057s latency).
Nmap scan report for 192.168.7.54
Host is up (0.17s latency).
Nmap scan report for 192.168.7.59
Host is up (0.093s latency).
Nmap done: 253 IP addresses (11 hosts up) scanned in 9.09 seconds
Once live hosts are determined, Nmap can go deep and interrogate each host to determine what services are running, what versions of server software are present and, for most hosts, the operating system (OS) the host is running, through fingerprinting. This information helps document what OSes, server software and services are present on the network. Knowing this helps focus the security analyst on the attacks that are actually possible. For example, if you know that there are no Apple Macintosh OSX devices on the network, you can filter out as not relevant some attacks that show up in Intrusion Prevention System (IPS) logs. This allows an analyst to focus on the detections that are potential issues. An example of a deep scan of a host is below.
$ nmap -T4 -A -v 192.168.7.53
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 21:58 CDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 192.168.7.53 [2 ports]
Completed Ping Scan at 21:58, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.02s elapsed
Initiating Connect Scan at 21:58
Scanning 192.168.7.53 [1000 ports]
Discovered open port 23/tcp on 192.168.7.53
Discovered open port 80/tcp on 192.168.7.53
Discovered open port 8080/tcp on 192.168.7.53
Discovered open port 631/tcp on 192.168.7.53
Discovered open port 515/tcp on 192.168.7.53
Discovered open port 9100/tcp on 192.168.7.53
Completed Connect Scan at 21:58, 0.15s elapsed (1000 total ports)
Initiating Service scan at 21:58
Scanning 5 services on 192.168.7.53
Completed Service scan at 21:59, 18.52s elapsed (6 services on 1 host)
NSE: Script scanning 192.168.7.53.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.45s elapsed
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Nmap scan report for 192.168.7.53
Host is up (0.010s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP LaserJet debug telnetd
80/tcp   open  http       HP LaserJet CP1205nw or P1606 http config
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Mrvl-R1_0
| http-title: HP LaserJet Professional P1606dn 192.168.7.53
|_Requested resource was /SSI/index.htm
515/tcp  open  printer
631/tcp  open  http       HP LaserJet CP1205nw or P1606 http config
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Mrvl-R1_0
| http-title: Site doesn't have a title.
|_Requested resource was /SSI/index.htm
8080/tcp open  http       HP LaserJet CP1205nw or P1606 http config
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Mrvl-R1_0
| http-title: Site doesn't have a title.
|_Requested resource was /SSI/index.htm
9100/tcp open  jetdirect?
Service Info: Device: printer; CPE: cpe:/h:hp:laserjet_p1606

NSE: Script Post-scanning.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.38 seconds
Another tool for investigating a network is a packet analyzer. One of the most popular is Wireshark, which is also a free tool. With Wireshark you can capture the packets that a computer sees on the network. Even without using techniques to tap or otherwise see traffic that would not normally reach the computer on a switched network, one can learn a lot about the network. For example, broadcast traffic can tell you what kind of switch the computer is attached to (LLDP) or the MAC addresses of other computers on the network via the ARP packets they send out.
If you have access to the logs on a network, they can be a good source of information as well. Reviewing firewall logs can document what types of network traffic are present. Intrusion Prevention and Intrusion Detection Systems (IPS/IDS) also provide useful logs that may indicate malicious behavior.